Friday, November 11th, 2022
Cybersecurity Week in Review (11/11/22)
High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies
A new vulnerability has been discovered in a system used across oil and gas organisations that could be exploited by an attacker to inject and execute arbitrary code. The vulnerability, tracked as CVE-2022-0902 (CVSS score: 8.1), is a path-traversal vulnerability in ABB Totalflow flow computers and remote controllers. The flaw could be exploited to gain root access on an ABB flow computer, read and write files, and remotely execute code.
Flow computers are special-purpose electronic instruments used by petrochemical operators to interpret data from flow meters and to calculate and record the volume of substances such as natural gas, crude oil, and other hydrocarbon fluids passing a given point over time. These measurements are critical for process safety and also serve as inputs when bulk liquid or gas products change hands between parties, so it is imperative that they are captured accurately. Specifically, the issue lies in the feature used to import and export configuration files: an attacker who first bypasses the device's security passcode can use the path-traversal flaw to upload arbitrary files to locations outside the intended directory.
A successful exploit could impede a company's ability to bill customers and force a disruption of services, similar to the consequences Colonial Pipeline suffered after its 2021 ransomware attack. ABB, the Swedish-Swiss industrial automation firm, released firmware updates on July 14, 2022, following responsible disclosure.
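As an added illustration (my code in Python, not ABB's; the device's real import protocol, directory layout and file names are assumptions, only the bug class comes from the advisory), the pattern behind a path-traversal bug in a configuration import feature: a joiner that trusts the client-supplied file name beside one that canonicalises the result and checks containment.

```python
"""Path traversal in a configuration import feature: vulnerable vs. hardened.

Added example in Python, not ABB's code. The import protocol, directory layout
and file names are assumptions; only the bug class comes from the advisory.
"""
import os
import tempfile
from typing import Dict, Tuple

# Constructed sample file names as an attacker might supply them to the import.
SAMPLE_NAMES = ("station.cfg", "../../../../../../etc/passwd", "/etc/passwd")


class PathTraversalError(ValueError):
    """Raised when an import name would escape the configuration directory."""


def vulnerable_import_path(config_dir: str, filename: str) -> str:
    """The bug: the client-supplied name is joined without validation.

    "../" segments walk out of config_dir, and os.path.join silently discards
    config_dir altogether when the name is absolute.
    """
    return os.path.join(config_dir, filename)


def hardened_import_path(config_dir: str, filename: str) -> str:
    """Resolve filename under config_dir, rejecting anything that escapes it."""
    # The import feature has no legitimate reason to accept nested paths, so
    # reject separators and parent references in the bare name up front.
    if not filename or filename in (".", "..") or "/" in filename or "\\" in filename:
        raise PathTraversalError(f"refusing file name {filename!r}")
    base = os.path.realpath(config_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    # Canonicalise both sides and confirm containment, so a planted symlink
    # inside config_dir cannot be used to walk out either.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{filename!r} resolves outside {base}")
    return candidate


def escapes(config_dir: str, path: str) -> bool:
    """True if path lies outside config_dir after canonicalisation."""
    base = os.path.realpath(config_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def demo() -> Dict[str, Tuple[bool, bool]]:
    """For each sample name: (vulnerable joiner escaped?, hardened joiner accepted?)."""
    results = {}
    with tempfile.TemporaryDirectory() as cfg:
        for name in SAMPLE_NAMES:
            escaped = escapes(cfg, vulnerable_import_path(cfg, name))
            try:
                hardened_import_path(cfg, name)
                accepted = True
            except PathTraversalError:
                accepted = False
            results[name] = (escaped, accepted)
    return results


if __name__ == "__main__":
    for name, (escaped, accepted) in demo().items():
        print(f"{name!r:34} vulnerable escapes={escaped!s:5} hardened accepts={accepted}")
```

The containment check is done on canonical paths on both sides; checking the string prefix alone would let `config_dir + "-other"` or a symlink through.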
APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network
APT29, a Russian espionage group also tracked as Cozy Bear, Iron Hemlock, and The Dukes, has been found leveraging a lesser-known Windows feature called Credential Roaming following a successful phishing attack against an unnamed European diplomatic entity. The targeting of diplomatic entities is consistent with Russian strategic priorities as well as historic APT29 targeting. Some of the group's activity is tracked publicly under the moniker Nobelium, the threat cluster behind the widespread supply chain compromise through SolarWinds software disclosed in December 2020.
Introduced in Windows Server 2003 Service Pack 1 (SP1), Credential Roaming is a mechanism that lets users access their credentials (private keys and certificates) securely across different workstations in a Windows domain by storing them in the user's Active Directory object. An arbitrary file write vulnerability in the feature has also been discovered that could be weaponized by a threat actor to achieve remote code execution in the context of the logged-in victim. The shortcoming, tracked as CVE-2022-30170 (CVSS score: 7.3), was addressed by Microsoft in the Patch Tuesday updates of September 13, 2022, with the company emphasising that exploitation requires a user to log in to Windows.
15,000 sites hacked for massive Google SEO poisoning campaign
A massive black hat search engine optimization (SEO) campaign has compromised almost 15,000 websites, most of them running WordPress, to redirect visitors to fake Q&A discussion forums. Each compromised site hosts approximately 20,000 files used in the search engine spam campaign. The threat actors' goal appears to be to generate enough indexed pages to raise the fake Q&A sites' authority so that they rank better in search engines. The attackers are likely priming these sites for later use as malware droppers or phishing sites, since even a short-lived spot on the first page of Google Search would yield many infections.
It is not known how the threat actors breached the websites, but the likely routes are a vulnerable plugin or a brute-forced WordPress admin password. The recommendation is to update all WordPress plugins and the CMS itself to the latest versions and to enable two-factor authentication (2FA) on admin accounts.
Several Cyber Attacks Observed Leveraging IPFS Decentralized Network
The decentralized InterPlanetary Filesystem (IPFS) network is being used to host malware and phishing pages and to facilitate other attacks. Multiple malware families are currently hosted on IPFS and retrieved during the initial stages of an infection. Similar findings were published in July 2022, when more than 3,000 emails containing IPFS phishing URLs were observed, prompting IPFS to be called the new hotbed for hosting phishing sites.
IPFS as a technology is resilient to both censorship and takedowns, which makes it a double-edged sword. Underlying it is a peer-to-peer (P2P) network that replicates content across participating nodes, so even if a file is removed from one machine, requests for it can still be served by others. It has been used to serve rogue landing pages in phishing campaigns built to steal credentials, and to distribute a range of malware including Agent Tesla, reverse shells, a data wiper, and an information stealer called Hannabi Grabber.
The development is part of a growing trend of attackers abusing legitimate services such as Discord, Slack, Telegram, Dropbox, Google Drive, AWS, and several others to host malicious content or to redirect users to it, which keeps phishing one of the most lucrative initial access vectors.
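As an added example (my code, not from the research summarised here), a small Python triage routine that pulls IPFS references out of email text, whether the link uses the ipfs:// scheme, a path gateway (/ipfs/<CID>) or a subdomain gateway (<CID>.ipfs.<gateway>), and extracts the content identifier for blocking or lookup. The sample email, CIDs and gateway hosts are constructed; the CID syntax (base58 "Qm…" for CIDv0, lowercase base32 "b…" for CIDv1) and the gateway URL forms are the real ones. IPFS itself is legitimate, so a hit is a triage signal, not a verdict.

```python
"""Find IPFS references in email text and extract the content identifier (CID).

Added example, not code from the research above. Sample email, CIDs and gateway
hosts are constructed; the CID and gateway URL syntax is the real one.
"""
import re
from typing import List, Optional
from urllib.parse import urlparse

# CIDv0: base58btc, "Qm" + 44 chars. CIDv1 as seen on gateways: multibase
# prefix "b" + lowercase base32, 59 chars or more.
CID_RE = r"(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{58,})"
PATH_GATEWAY_RE = re.compile(r"^/(ipfs|ipns)/(?P<cid>[^/?#]+)")
SUBDOMAIN_RE = re.compile(rf"^(?P<cid>{CID_RE})\.(ipfs|ipns)\.(?P<gateway>.+)$")
URL_RE = re.compile(r"\b(?:https?|ipfs|ipns)://[^\s<>\"']+", re.I)

# Constructed identifiers: syntactically valid, not pointing at real content.
FAKE_CIDV1 = "bafybei" + "example" * 7 + "exam"   # 60 chars of the base32 alphabet
FAKE_CIDV0 = "Qm" + "a1" * 22                      # 46 chars of the base58 alphabet

SAMPLE_EMAIL = f"""Subject: Mailbox storage limit reached
Review your account at https://gateway.example.org/ipfs/{FAKE_CIDV1}/login.html
Mirror: https://{FAKE_CIDV1}.ipfs.example.net/
Legacy link: ipfs://{FAKE_CIDV0}/index.html
Reference: https://docs.ipfs.tech/concepts/ and https://example.com/ipfs-tutorial.
"""


def classify_url(url: str) -> Optional[dict]:
    """Return {"kind", "gateway", "cid", "url"} for an IPFS reference, else None."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    # Keep the netloc's case: CIDv0 is case-sensitive base58.
    host = p.netloc.rsplit("@", 1)[-1].split(":")[0]
    if scheme in ("ipfs", "ipns"):
        cid = host if re.fullmatch(CID_RE, host) else None
        return {"url": url, "kind": f"{scheme}-scheme", "gateway": None, "cid": cid}
    m = SUBDOMAIN_RE.match(host.lower())
    if m:
        return {"url": url, "kind": "gateway-subdomain",
                "gateway": m.group("gateway"), "cid": m.group("cid")}
    m = PATH_GATEWAY_RE.match(p.path)
    if m:
        ident = m.group("cid")
        # /ipns/ may carry a DNS name rather than a CID; report None in that case.
        cid = ident if re.fullmatch(CID_RE, ident) else None
        return {"url": url, "kind": f"gateway-path-{m.group(1)}",
                "gateway": host.lower(), "cid": cid}
    return None


def find_ipfs_links(text: str) -> List[dict]:
    """Scan free text for URLs and keep those that reference IPFS content."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;:)>\"'")   # drop trailing punctuation
        info = classify_url(url)
        if info:
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in find_ipfs_links(SAMPLE_EMAIL):
        print(f"{f['kind']:18} gateway={f['gateway']!s:20} cid={f['cid']}")
```

The CID is the stable handle: the same content is reachable through any public gateway, so blocking one gateway host achieves little, whereas a CID can be matched regardless of which gateway the next email uses.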
Malicious extension lets attackers control Google Chrome remotely
A new Chrome browser botnet named 'Cloud9' has been discovered in the wild, using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JavaScript, and enlist the victim's browser in DDoS attacks. Cloud9 is effectively a remote access trojan (RAT) for Chromium-based browsers, including Google Chrome and Microsoft Edge, that lets the threat actor execute commands remotely.
The extension also carries exploits for browser vulnerabilities that are used to automatically install and execute Windows malware on the host, enabling far deeper system compromise. Even without the Windows malware component, however, the Cloud9 extension can steal cookies from the compromised browser, which the threat actors can use to hijack valid user sessions and take over accounts. It also includes a keylogger that captures key presses to steal passwords and other sensitive information, and a 'clipper' module that constantly monitors the system clipboard for copied passwords or credit card numbers.
The hackers behind Cloud9 are believed to have ties to the Keksec malware group because the C2 domains used in the recent campaign were seen in Keksec's past attacks. Keksec is responsible for developing and running multiple botnet projects, including EnemyBot, Tsunami, Gafgyt, DarkHTTP, DarkIRC, and Necro. The victims of Cloud9 are spread worldwide, and screenshots posted by the threat actor on forums indicate that various browsers are targeted.
New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader
A new clipper malware strain dubbed Laplas is targeting cryptocurrency users and is being delivered by another malware, SmokeLoader. SmokeLoader, which arrives through weaponized documents sent in spear-phishing emails, also acts as a conduit for other commodity trojans such as SystemBC and Raccoon Stealer 2.0.
SmokeLoader has functioned since 2013 as a generic loader capable of dropping additional payloads, such as information-stealing malware and other implants, onto compromised systems. Over 180 Laplas samples have been identified since October 24, 2022, suggesting wide deployment. Clippers, also called ClipBankers, fall into a category of malware that Microsoft calls cryware: they watch the victim's clipboard and, when a wallet address is copied, silently replace it with an attacker-controlled address. The goal of clipper malware like Laplas is to divert a cryptocurrency transaction intended for a legitimate recipient to a wallet owned by the threat actor.
The new clipper supports a variety of address formats, including Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, Zcash, Dash, Ronin, TRON, Cardano, Cosmos, Tezos, Qtum, and Steam Trade URLs. It is priced from $59 a month to $549 a year and comes with a web panel that lets purchasers see the number of infected machines and the active wallet addresses in use, as well as add new wallet addresses.
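A detection-side counterpart to the clipper behaviour described here and in the Cloud9 item above, as an added example (my code, not Laplas or Cloud9 code): recognising wallet addresses in text, validating Bitcoin legacy addresses by their Base58Check checksum, and flagging the tell-tale of a clipper, a clipboard that held one address and now holds a different address of the same family without user action. The addresses are derived from fixed bytes in the code, so they are syntactically valid but belong to nobody; bech32 (bc1…) and the other coin formats on the list above are not covered. A small in-memory model of the rewrite is included only to exercise the detector.

```python
"""Recognise wallet addresses and detect a clipper-style clipboard rewrite.

Added example, not code from the malware described above. Addresses are derived
from fixed bytes (syntactically valid, belonging to no one); bech32 and the
other coin formats are out of scope. The rewrite model is in memory only.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Shape-only patterns; a checksum check follows for Bitcoin.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "btc": re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b"),
}


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA-256d(payload); leading zero bytes become '1'."""
    data = payload + _checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\0"))
    return "1" * pad + out


def b58check_decode(s: str) -> Optional[bytes]:
    """Return the payload if the checksum verifies, else None."""
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\0" * (len(s) - len(s.lstrip("1"))) + raw
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[:-4]


def btc_checksum_ok(addr: str) -> bool:
    """Legacy P2PKH (version 0x00) or P2SH (0x05) address with a valid checksum."""
    payload = b58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


def wallet_family(text: str) -> Optional[str]:
    """Family name if the whole string is a single address, else None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(s):
            return family
    return None


def find_addresses(text: str) -> List[Tuple[str, str]]:
    """All (family, address) pairs found inside free text."""
    return [(fam, m.group(0)) for fam, pat in ADDRESS_PATTERNS.items() for m in pat.finditer(text)]


def clipboard_swap_suspected(copied: str, clipboard_now: str) -> bool:
    """The clipper fingerprint: the user copied an address and the clipboard now
    holds a different address of the same family without any user action."""
    fam = wallet_family(copied)
    return fam is not None and wallet_family(clipboard_now) == fam and copied.strip() != clipboard_now.strip()


def simulate_clipper_rewrite(clipboard: str, attacker_addresses: Dict[str, str]) -> str:
    """In-memory model of the behaviour described above, used only to test the
    detector: substitute the operator's address for any address of a family the
    operator has configured, leaving other clipboard content untouched."""
    for family, pattern in ADDRESS_PATTERNS.items():
        if family in attacker_addresses:
            clipboard = pattern.sub(attacker_addresses[family], clipboard)
    return clipboard


# Constructed sample addresses, derived from fixed bytes rather than real keys.
USER_BTC = b58check_encode(b"\x00" + hashlib.sha256(b"user-demo").digest()[:20])
ATTACKER_BTC = b58check_encode(b"\x00" + hashlib.sha256(b"attacker-demo").digest()[:20])
USER_ETH = "0x" + hashlib.sha256(b"user-eth-demo").hexdigest()[:40]

if __name__ == "__main__":
    before = f"send to {USER_BTC} before noon"
    after = simulate_clipper_rewrite(before, {"btc": ATTACKER_BTC})
    print("clipboard before:", before)
    print("clipboard after: ", after)
    print("swap suspected:  ", clipboard_swap_suspected(USER_BTC, find_addresses(after)[0][1]))
```

The checksum check matters for a different reason than swap detection: a wallet that validates Base58Check before broadcasting will refuse a malformed address, but a correctly formed attacker address passes it, so the only reliable signal is the mismatch between what was copied and what is about to be pasted.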
Azov Ransomware is a wiper, destroying data 666 bytes at a time
Last month, a threat actor began distributing malware called 'Azov Ransomware' through cracks and pirated software. The malware pretended to encrypt victims' files but has since been shown to be a data wiper that intentionally destroys data and infects other programs, and it continues to be heavily distributed worldwide. Instead of providing contact details to negotiate a ransom, the ransom note told victims to contact security researchers and journalists, framing them as the ransomware's developers.
In one sample, the malware contained a trigger time that kept it dormant on the victim's device until October 27th, 2022, at 10:14:30 AM UTC, after which it corrupted all data on the device. It overwrites file contents in alternating 666-byte chunks: in each cycle of the loop, exactly 666 bytes are overwritten with random (uninitialized) data and the next 666 bytes are left as they were. The wiper also infects, or 'backdoors', other 64-bit executables on the Windows device by injecting code that launches the wiper whenever the seemingly harmless executable is run.
It is unclear why the threat actor is spending money to distribute a data wiper; theories range from covering up other malicious activity to simply 'trolling' the cybersecurity community. Whatever the reason, victims infected with Azov Ransomware have no practical way of recovering their files, and because other executables are infected, they should reinstall Windows to be safe.
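Triage logic for the pattern just described, as an added example (my code, not from the analysis the page summarises): it scores each 666-byte chunk's entropy, flags the even-high, odd-low alternation the wiper leaves behind, and pulls out the untouched chunks, which are fragments for carving rather than recoverable files. The sample 'file' is constructed text, the overwrite is modelled in memory only, and the thresholds are assumptions tuned to separate text from random bytes.

```python
"""Triage for the alternating 666-byte overwrite pattern described above.

Added example, not code from the analysis the page summarises. The sample file
is constructed text, the overwrite is modelled in memory only, and the entropy
thresholds are assumptions chosen to separate text from random bytes.
"""
import math
import random
from typing import List, Tuple

CHUNK = 666

# Constructed sample: a repetitive text log of roughly 13 KB.
SAMPLE_FILE = b"2022-10-27T10:14:30Z meter=FT-101 pressure=31.4psi flow=12.88mcf/h status=OK\n" * 170


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8 for random data, around 4 to 5 for ASCII text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def simulate_azov_overwrite(data: bytes, seed: int = 1) -> bytes:
    """Model of the pattern on the page: overwrite 666 bytes, skip 666, repeat."""
    rng = random.Random(seed)
    out = bytearray(data)
    for off in range(0, len(out), 2 * CHUNK):
        end = min(off + CHUNK, len(out))
        out[off:end] = bytes(rng.getrandbits(8) for _ in range(end - off))
    return bytes(out)


def chunk_entropies(data: bytes) -> Tuple[List[float], List[float]]:
    """Entropy of each full-size chunk, split by even (0, 2, 4, ...) and odd index.
    A trailing partial chunk is ignored so its short length does not skew the score."""
    even, odd = [], []
    for i, off in enumerate(range(0, len(data) - CHUNK + 1, CHUNK)):
        h = shannon_entropy(data[off:off + CHUNK])
        (even if i % 2 == 0 else odd).append(h)
    return even, odd


def looks_azov_wiped(data: bytes, high: float = 6.5, min_gap: float = 1.5, min_chunks: int = 4) -> bool:
    """True when every even chunk is high-entropy and the odd chunks are clearly
    lower. A file that is random throughout (encrypted, compressed) has no gap and
    is not flagged; plain text is low-entropy throughout and is not flagged either."""
    even, odd = chunk_entropies(data)
    if len(even) + len(odd) < min_chunks or not odd:
        return False
    gap = sum(even) / len(even) - sum(odd) / len(odd)
    return min(even) >= high and gap >= min_gap


def intact_ranges(length: int) -> List[Tuple[int, int]]:
    """Byte ranges the pattern leaves untouched: the odd 666-byte chunks."""
    return [(off, min(off + CHUNK, length)) for off in range(CHUNK, length, 2 * CHUNK)]


def salvage(data: bytes) -> bytes:
    """Concatenate the untouched chunks: at most half the bytes, with 666-byte
    holes between them, so fragments for carving rather than a restored file."""
    return b"".join(data[a:b] for a, b in intact_ranges(len(data)))


def random_blob(n: int, seed: int = 2) -> bytes:
    """Stand-in for an encrypted or compressed file: random throughout."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    wiped = simulate_azov_overwrite(SAMPLE_FILE)
    for label, blob in (("clean", SAMPLE_FILE), ("wiped", wiped), ("random", random_blob(len(SAMPLE_FILE)))):
        even, odd = chunk_entropies(blob)
        print(f"{label:6} even={sum(even) / len(even):.2f} odd={sum(odd) / len(odd):.2f} azov={looks_azov_wiped(blob)}")
    print(f"salvaged {len(salvage(wiped))} of {len(wiped)} bytes")
```

Files that were already high-entropy before the wipe (archives, encrypted containers, media) will not show the alternation, so the check is a positive indicator for documents and code, not a general-purpose detector; it is most useful for confirming the pattern across a sample of damaged files before deciding that restoration from backup is the only option.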
New ChromeLoader Malware Hijack Chrome Browser to Steal Credentials
A malicious Chrome browser extension known as ChromeLoader, classified as a pervasive browser hijacker, modifies browser settings, redirects users' traffic to malicious websites, and steals credentials. The malware has evolved since first appearing in January of this year into a wide range of malicious variants discovered in the wild over the last several months.
ChromeLoader is delivered in multiple stages and is designed primarily to target web browsers. While early versions focused mostly on compromising credentials and accounts, the malware has evolved into a stealthier form that is harder to detect. It is also equipped with several methods for committing fraud and for pushing adware-driven traffic to a brand's website in order to manipulate its traffic figures. Numerous variants target both macOS and Windows systems, and the threat actors behind the malware use a variety of system-level infection vectors to spread it.
Experts have suggested the following mitigations:
- File Hashing – Known samples can be blocked or quarantined on arrival by matching file hashes against a detection list.
- File Content Rules – YARA is a powerful mechanism for determining whether a file is malicious by pattern-matching its contents.
- System Configuration Permissions – Restricting who can change system and browser configuration to a specified group of users can prevent ChromeLoader from establishing persistence.
- URL Analysis – The initial infection can be prevented by blocking users from visiting malicious URLs.
Robin Banks Phishing Service for Cybercriminals Returns with Russian Server
The phishing-as-a-service (PhaaS) platform Robin Banks has relocated its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. The switch comes after Cloudflare disassociated Robin Banks' phishing infrastructure from its services, causing a multi-day disruption to operations.
In operation since July 2022, the platform offers ready-made phishing kits that let criminal actors steal the financial information of customers of popular banks and other online services. It was also found to prompt users to enter Google and Microsoft credentials on rogue landing pages, suggesting an attempt on the part of its operators to monetize initial access to corporate networks for post-exploitation activities such as espionage and ransomware.
Cloudflare's decision to blocklist its infrastructure in the wake of public disclosure prompted the Robin Banks actor to move both frontend and backend to DDoS-Guard, which has in the past hosted the alt-tech social network Parler and the notorious Kiwi Farms. New updates include cookie-stealing functionality, seen as an attempt to serve a broader clientele such as advanced persistent threat (APT) groups looking to compromise specific enterprise environments. The service is offered for $1,500 per month.
The cookie theft is achieved by reusing code from evilginx2, an open source adversary-in-the-middle (AiTM) framework that reverse-proxies the real login page to capture credentials and session cookies from Google, Yahoo, and Microsoft Outlook, even on accounts with multi-factor authentication (MFA) enabled, since the victim completes the MFA step through the proxy and the resulting session cookie is captured. Robin Banks is also said to have added a security measure that requires its customers to turn on two-factor authentication (2FA) to view stolen data through the service, or alternatively to receive it through a Telegram bot.
The findings are just the latest in a series of new PhaaS services that have emerged in the threat landscape, including Frappo, EvilProxy, and Caffeine, making cybercrime more accessible to amateur and experienced bad actors alike.
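Why the AiTM technique works against one-time codes but not against origin-bound authentication, as an added example (my code, not evilginx2 or Robin Banks code): a simplified model of a WebAuthn login in Python, showing that an assertion produced on a proxy's page carries the proxy's origin and rpIdHash and is rejected, and that patching those fields breaks the signature. The authenticator's ECDSA signature is stood in for by an HMAC over the same data a real authenticator signs (authenticatorData || SHA-256 of clientDataJSON) so the block runs offline, which means the relying party holds the same key here; origins and keys are hypothetical. A password or OTP code, by contrast, is an opaque string the proxy simply forwards.

```python
"""Why an AiTM proxy can replay a password or OTP but not an origin-bound
WebAuthn assertion. Added example, not evilginx2 or Robin Banks code, and a
simplified model: the authenticator's signature is stood in for by an HMAC
over the same data a real authenticator signs (authenticatorData || SHA-256
of clientDataJSON) so that it runs offline. Origins and keys are hypothetical.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple

RP_ID = "login.example.com"                   # hypothetical relying party
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login-example.com"    # hypothetical AiTM proxy host


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_assertion(cred_key: bytes, challenge: bytes, page_origin: str) -> Dict[str, str]:
    """What the browser and authenticator hand back for a login on page_origin.
    The browser writes the origin it is actually showing into clientDataJSON and
    derives the RP ID from it; page JavaScript (or a proxy) cannot change either."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    rp_id = page_origin.split("://", 1)[1]
    # authenticatorData = rpIdHash (32) | flags (UP set) | signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()   # stand-in for ECDSA
    return {"clientDataJSON": b64url(client_data), "authenticatorData": b64url(auth_data),
            "signature": b64url(sig)}


def rp_verify(cred_key: bytes, expected_challenge: bytes, assertion: Dict[str, str]) -> Tuple[bool, str]:
    """Relying-party checks: type, challenge, origin, rpIdHash, then signature."""
    client_data = unb64url(assertion["clientDataJSON"])
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if unb64url(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = unb64url(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, unb64url(assertion["signature"])):
        return False, "bad signature"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    cred_key = hashlib.sha256(b"demo-credential-key").digest()  # constructed key
    challenge = hashlib.sha256(b"demo-challenge").digest()[:16]  # what the RP issued
    legit = browser_assertion(cred_key, challenge, RP_ORIGIN)
    # Victim completes the ceremony on the proxy's page; proxy forwards it as-is.
    # (A real browser would refuse outright because the RP ID is not a suffix of
    # the proxy's origin; modelled here as an assertion bound to the proxy.)
    relayed = browser_assertion(cred_key, challenge, PHISH_ORIGIN)
    # Proxy rewrites origin and rpIdHash to look legitimate before forwarding.
    cd = json.loads(unb64url(relayed["clientDataJSON"]))
    cd["origin"] = RP_ORIGIN
    auth_data = bytearray(unb64url(relayed["authenticatorData"]))
    auth_data[:32] = hashlib.sha256(RP_ID.encode()).digest()
    patched = {"clientDataJSON": b64url(json.dumps(cd, separators=(",", ":")).encode()),
               "authenticatorData": b64url(bytes(auth_data)), "signature": relayed["signature"]}
    return {"legit": rp_verify(cred_key, challenge, legit),
            "relayed": rp_verify(cred_key, challenge, relayed),
            "patched": rp_verify(cred_key, challenge, patched)}


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:8} accepted={ok!s:5} {reason}")
```

The session cookie issued after a successful login is still a bearer token, so the origin binding protects the authentication step, not a session the proxy is allowed to observe afterwards; that is why the cookie-theft feature is the valuable part of the service against sites that still accept OTP codes.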
Iranian actors targeting healthcare via spear-phishing, vulnerability exploit
Iranian nation-state actors are targeting the US healthcare sector, putting government organisations on high alert. The FBI averted an Iranian-backed cyberattack against Boston Children's Hospital in June 2021, and a recently published white paper details the groups focused on the healthcare sector, along with common exploits and key mitigations.
The HC3 report notes that Iranian threat actors are historically risk-averse but infamous for wiper malware and retaliatory attacks. These actors commonly engage in spear phishing, DDoS attacks, theft of sensitive data, website defacement, and social media-driven operations. The groups appear to have signed agreements with both Russia and China on cybersecurity and information technology, furthering their cyber capabilities and potential impact. Four groups are known to heavily target the healthcare sector and medical researchers, with spear phishing the most common initial intrusion vector; one group frequently uses lures tied to the healthcare sector, as well as job postings, password policies, or résumés.
The Boston Children's Hospital case is an example: the attack, attributed to actors sponsored by the Iranian government, was blocked after an intelligence partner alerted the FBI to the impending target, prompting the deployment of its cyber squad.
Most concerning is these groups' ability to use fake personas that realistically mimic legitimate entities, including believable CC'd email addresses, which makes them difficult for users to detect. Email is a common pivot point in attacks on healthcare and one of the sector's biggest defensive challenges.