Friday, August 12th, 2022
Cybersecurity Week in Review (12/8/22)
Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen
Cisco confirmed that their network was breached last May by the Yanluowang ransomware group who tried to extort them under the threat of leaking stolen files online.
However, only non-sensitive data from a Box folder linked to a compromised employee’s account was stolen.
“Cisco did not identify any impact to our business as a result of this incident, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.’’
Access was gained using an employee’s stolen credentials after hijacking the employee’s personal Google account containing credentials synced from their browser. They bypassed the MFA measure by getting to employee to accept push notifications through MFA fatigue and a series of sophisticated voice phishing attacks initiated by the gang that impersonated trusted support organizations.
After gaining domain admin, they used enumeration tools like ntdsutil, adfind, and secretsdump to collect more information and installed a series of payloads onto compromised systems, including a backdoor malware.
“The threat actor was successfully removed from the environment and displayed persistence, repeatedly attempting to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
Two new ClamAV detections for the backdoor and a Windows exploit used for privilege elevation: Win.Exploit.Kolobko-9950675-0 and Win.Backdoor.Kolobko-9950676-0, were created to help other organisations detect similar attacks.
Cisco provided some information on the backdoor and how it was used to remotely execute commands but did not mention any info on the exploit executable that was discovered. However, it is considered to be the exploit CVE-2022-24521, a Windows Common Log File System Driver Elevation of Privilege vulnerability.
For a list of Indicators of Compromise (IOCs), please contact us at – firstname.lastname@example.org
CISA warns of Windows and UnRAR flaws exploited in the wild
Two more flaws have been added to the catalogue of Known Exploited Vulnerabilities, based on evidence of active exploitation, by CISA.
Both issues are directory traversal vulnerabilities that could help attackers plant malware on a target system and have received a high severity score.
Referred to as DogWalk, the first security flaw, officially CVE-2022-34713, allows an attacker to place a malicious executable into the
Windows Startup folder. In an email attack scenario, the attacker exploits the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack, the attacker hosts a website containing a file designed to exploit the vulnerability. Microsoft addressed CVE-2022-34713 today as part of the August 2022 security updates for Windows. The company notes that the issue has been exploited in attacks.
Second vulnerability added to CISA’s Catalog is tracked as CVE-2022-30333 and is a path traversal bug in the UnRAR utility for Linux and Unix systems. Leveraging it to plant a malicious file on the target system the attacker extracted it to an arbitrary location during the unpack operation. it could be used for remote code execution to compromise a Zimbra email server without authentication.
Exploit code has been added to the Metasploit penetration testing software earlier this month. For both vulnerabilities, federal agencies in the U.S. are expected to apply the updates from the vendors by August 30.
Researchers Warn of Ongoing Mass Exploitation of Zimbra RCE Vulnerability
CISA announced a further two flaws to be added to its Known Exploited Vulnerabilities Catalog after the Windows and UnRAR exploits at the beginning of the week.
Both are related to weaknesses in Zimbra Collaboration and could be chained to achieve unauthenticated remote code execution on the underlying server by uploading arbitrary files.
CVE-2022-27925 (CVSS score: 7.2) – Remote code execution (RCE) through mboximport from authenticated user (fixed in versions 8.8.15 Patch 31 and 9.0.0 Patch 24 released in March)
CVE-2022-37042 – Authentication bypass in MailboxImportServlet (fixed in versions 8.8.15 Patch 33 and 9.0.0 Patch 26 released in August)
Over 1,000 instances globally were backdoored and compromised using this attack vector, some of which belong to government departments and ministries; military branches; and companies with billions of dollars of revenue as recently as the end of June in countries such as the US, Italy, Germany and Indonesia.
SolidBit Ransomware Targets Gamers and Social Media Users with New Variant
Malware uploaded to GitHub, masquerading as different applications like a League of Legends accounts checker tool and an Instagram follower bot, are being attributed to a new SolidBit Ransomware variant.
This new version of ‘SolidBit ransomware’ is a.NET compiled binary shares similarities with Lockbit in their chat support sites’ formatting and the file names of their ransom note. When the application is ran malicious PowerShell codes drop the ransomware. Another file that comes with the ransomware is named “Source code,” but seems to be different from the compiled binary.
Upon clicking this executable file, it will drop and execute Lol Checker x64.exe, which runs the malicious PowerShell codes that drop and execute the ‘SolidBit Ransomware’. Further, this file disables the Windows Defender’s scheduled scans by using PowerShell command. Finally, the file will drop and execute the file Runtime64.exe, called ‘SolidBit ransomware’. The SolidBit Ransomware targets social media users and is utilized for ransomware-as-a-service (RaaS) activities.
Chinese Hackers Targeted Dozens of Industrial Enterprises and Public Institutions
Industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries and Afghanistan have come under a wave of targeted attacks since January 2022 to steal confidential data.
Simultaneously making use of six different backdoors the attacks have been attributed to a China-linked threat actor tracked as TA428, based on tactics, techniques, and procedures (TTPs) used. TA428, also known by the names Bronze Dudley, Temp.Hex, and Vicious Panda, has a history of striking entities in Ukraine, Russia, Belarus, and Mongolia. It’s believed to share connections with another hacking group called Mustang Panda (aka Bronze President).
Utilising carefully crafted phishing emails to trick recipients into opening rogue Microsoft Word documents, the decoy files come with exploits for a 2017 memory corruption flaw in the Equation Editor component (CVE-2017-11882) that could lead to the execution of arbitrary code in the affected systems, ultimately leading to the deployment of a backdoor called PortDoor.
Once the domain controller has been hijacked and the hacker has gained control, they leverage the privileged access to exfiltrate files of interest in the form of compressed ZIP archives to a remote server located in China. Other backdoors utilized in the attacks include nccTrojan, Cotx, DNSep, Logtu, and a previously undocumented malware dubbed as CotSam, so named owing to its similarities with Cotx.
7-Eleven stores in Denmark closed due to a cyberattack
A cyberattack in Denmark caused all 7-Eleven stores to be shut down as payment and checkout systems were disrupted. The company confirmed this with a Facebook post on August 8th.
“Unfortunately, we suspect that we have been exposed to a hacker attack today, Monday 8 August 2022. This means that we cannot use checkouts and/or receive payment. We are therefore keeping the stores closed until we know the extent. We naturally hope that we can open the stores again soon.” – 7-Eleven DK.
An alleged 7-Eleven employee also confirmed this on a now deleted Reddit post.
“Working at the 7-eleven at Strøget and our checkout system does not work, all the country’s 7-eleven run with the same system, so all 7-eleven in Denmark are “closed” right now,” said the 7-Eleven employee on Reddit.
At this time, there are no further details about the attack, including whether ransomware was involved, which has become the most common cyberattack causing wide-scale outages.
deBridge Finance crypto platform targeted by Lazarus hackers
North Korean Lazarus group are suspected of stealing cryptocurrency from deBridge Finance, a cross-chain protocol that enables the decentralized transfer of assets between various blockchains.
A phishing email is thought to have been the method of attack tricking victims into launching malware that collected various information from Windows systems and allowed the delivery of additional malicious code for subsequent stages of the attack.
The email, purporting to be from the company co-founder, Alex Smirnov, reached multiple employees and included an HTML file named ‘New Salary Adjustments’ that pretended to be a PDF file along with a Windows shortcut file (.LNK) that poses as a plain text file containing a password. Clicking the fake PDF opened a cloud storage location claiming to provide a password-protected archive containing the PDF, thus bringing the target to launching the fake text file to obtain the password.
If security defences were not present, the generated malicious file was saved in the startup folder, to ensure persistence allowing the malware to send out requests to the attacker’s command and control server for further instructions. The threat actor then collected details about the infected system like username, operating system, CPU, network adapters, and running processes.
North Korea’s Lazarus group has been focusing on hitting companies that rely in their business on blockchain technology and decentralization concepts. The threat actor uses social engineering tricks to establish a foothold on the victim computer and then tries to find a way to syphon cryptocurrency funds and assets.
Windows devices with newest CPUs are susceptible to data damage
Devices using Windows with the newest supported processors are susceptible to “data damage” on Windows 11 and Windows Server 2022 warned Microsoft.
“Windows devices that support the newest Vector Advanced Encryption Standard (AES) (VAES) instruction set might be susceptible to data damage,” the company revealed.
Affected devices by this newly acknowledged known issue use AES-XTS (AES XEX-based tweaked-codebook mode with ciphertext stealing) or AES-GCM (AES with Galois/Counter Mode) block cipher modes on new hardware.
Although addressed in preview and security releases issued on May 24 and June 14, respectively these Windows updates also come with a performance hit since AES-based operations might be two times (2x) slower after installing them on affected systems running Windows Server 2022 and Windows 11 (original release). Scenarios impacted by the performance hit might include BitLocker, Transport Layer Security (TLS) (specifically load balancers), and disk throughput (especially for enterprise customers).
Customers experiencing performance degradation are advised to install June 23 preview update (Windows 11, Windows Server 2022) or the July 12 security update (Windows 11, Windows Server 2022) for their OS version as a workaround.
Conti extortion gangs behind surge of BazarCall phishing attacks
BazarCall phishing tactics have become the primary method for three groups split from the Conti ransomware operation, allowing them to deploy highly-targeted attacks that are more difficult to detect and stop because of the social engineering component.
Emerging in early last year the BazarCall method, also referred to as call-back phishing, was used by the Ryuk ransomware operation, which later rebranded into Conti. Attacks start with an email informing that a subscription the recipient is allegedly paying for is about to be renewed automatically and canceling the payment is possible by calling a specific number. Victims calling the provided phone number reach a threat actor versed in social engineering, who convinces the caller to start a remote access session via legitimate software controlled by a network intruder.
The three groups identified are Silent Ransom Group, Quantum, and Roy/Zeon. Switching to social engineering was caused by a dwindling in profits due to a robust defensive response by organisations to more predictable attacks. However, tricking humans would allow for a more flexible approach that could change from one campaign to another, making attacks more difficult to identify and defend against.
The initial group engaging in these campaigns separated from the Conti syndicate in March 2022 and formed Silent Ransom Group (SRG), also tracked as Luna Moth. Over three months, they targeted at least 94 organizations, focusing only on stealing data and extorting the victims. They typically send fake subscription notices impersonating Duolingo language-learning and the MasterClass online education platforms in their phishing campaigns. The group had a heavy focus on entities in the healthcare sector but victims also included the likes of an NBA team and a large IT solutions provider.
In mid-June 2022, Quantum ransomware, started employing their version of BazarCall in an operation named “Jörmungandr” (Midgard Serpent or World Serpent in Norse Mythology), after being taken over by hackers in Conti Team Two. The actors developed the operation by hiring individuals specialized in spamming, OSINT, design, and call center operators. targeted high-profile companies based on exclusive email datasets they purchased. Their campaigns impersonated a much larger number of brands such as Oracle and Hello Fresh.
The third group splintered from Conti that adopted BazarCall-like techniques is referred to as Roy/Zeon, after the names of the two lockers (Roy and Zeon) they use to encrypt victim networks. Roy/Zeon is the most adept at social engineering and very selective with their targets, choosing companies with a high annual revenue or from sensitive industries. They started leveraging BazarCall techniques on June 20 in elaborate operations that impersonated vendors of software used by companies in a particular industry such as Sygnal Partners and iWired.
AdvIntel researchers note that the BazarCall campaigns they attributed to SRG, Quantum, and Roy/Zeon in a little over three months led to 20 high-profile accesses and ransom demands as large as tens of millions of U.S. dollars.
While detecting the initial stage of the attack may be difficult, defenders could track unusual signals from communication with the command and control server and the beacons planted on machines that indicate an infection.