Thursday, March 16th, 2023
Cybersecurity Week in Review (17/03/23)
Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S.
The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
“Exploitation of this vulnerability allowed malicious actors to successfully execute remote code on a federal civilian executive branch (FCEB) agency’s Microsoft Internet Information Services (IIS) web server,” the agencies said.
The indicators of compromise (IoCs) associated with the digital break-in were identified from November 2022 through early January 2023. Tracked as CVE-2019-18935 (CVSS score: 9.8), the issue relates to a .NET deserialization vulnerability affecting Progress Telerik UI for ASP.NET AJAX that, if left unpatched, could lead to remote code execution.
CVE-2019-18935 has previously found a place among some of the most commonly exploited vulnerabilities abused by various threat actors in 2020 and 2021. CVE-2019-18935, in conjunction with CVE-2017-11317, has also been weaponised by a threat actor tracked as Praying Mantis (aka TG2021) to infiltrate the networks of public and private organizations in the U.S.
Last month, CISA also added CVE-2017-11357 – another remote code execution bug affecting Telerik UI – to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
In the intrusion recorded against the FCEB agency in August 2022, the threat actors are said to have leveraged CVE-2019-18935 to upload and execute malicious dynamic-link library (DLL) files masquerading as PNG images via the w3wp.exe process. The DLL artifacts are designed to gather system information, load additional libraries, enumerate files and processes, and exfiltrate the data back to a remote server.
Another set of attacks, observed as early as August 2021 and likely mounted by a cybercriminal actor dubbed XE Group, entailed the use of aforementioned evasion techniques to sidestep detection. These DLL files dropped and executed reverse (remote) shell utilities for unencrypted communications with a command-and-control domain to drop additional payloads, including an ASPX web shell for persistent backdoor access. The web shell is equipped to “enumerate drives; to send, receive, and delete files; and to execute incoming commands” and “contains an interface for easily browsing files, directories, or drives on the system, and allows the user to upload or download files to any directory.”
To counter such attacks, it’s recommended that organizations upgrade their instances of Telerik UI ASP.NET AJAX to the latest version, implement network segmentation, and enforce phishing-resistant multi-factor authentication for accounts that have privileged access.
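The DLL-disguised-as-PNG trick described above can be checked for by reading file headers instead of trusting extensions. The following is an added example, not code from the advisory or from Telerik; the extension list, directory layout and sample files are constructed assumptions.

```python
import os
import struct
import tempfile

# Extensions an upload directory would normally hold as images (assumed list).
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag that marks a DLL


def pe_kind(path):
    """Return 'dll', 'exe' or None by reading the DOS and COFF headers."""
    with open(path, "rb") as fh:
        dos = fh.read(64)
        if len(dos) < 64 or dos[:2] != b"MZ":
            return None
        (e_lfanew,) = struct.unpack_from("<I", dos, 0x3C)  # offset of the PE header
        fh.seek(e_lfanew)
        nt = fh.read(24)  # 'PE\0\0' signature + 20-byte COFF file header
    if len(nt) < 24 or nt[:4] != b"PE\x00\x00":
        return None
    (characteristics,) = struct.unpack_from("<H", nt, 22)
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def find_disguised_pe(root):
    """List (relative path, kind) for image-named files that are really PE binaries."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in IMAGE_EXTS:
                continue
            full = os.path.join(dirpath, name)
            try:
                kind = pe_kind(full)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)


def _sample_pe(dll):
    """Constructed 88-byte header stub: enough for the checks above, not a loadable binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    flags = 0x0002 | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return bytes(dos) + b"PE\x00\x00" + coff


def demo():
    """Build a constructed upload directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # genuine PNG signature
            "tile.png": _sample_pe(dll=True),                  # DLL named as an image
            "banner.jpg": _sample_pe(dll=False),               # EXE named as an image
            "notes.txt": _sample_pe(dll=True),                 # not image-named: out of scope
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_disguised_pe(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind.upper()} content behind image extension: {rel}")
```

Point `find_disguised_pe` at the directories the IIS worker process can write to; any hit is a file whose name and content disagree and deserves a closer look.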
Source – https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html
ChatGPT may be a bigger cybersecurity risk than an actual benefit
ChatGPT made a splash with its user-friendly interface and believable AI-generated responses. Powered by a massive dataset that ChatGPT had been trained on, the breadth and variety of topics it could address quickly amazed the tech industry and the public.
However, with capabilities to generate a multitude of realistic responses, ChatGPT could be used to create a host of responses capable of tricking an unassuming reader into thinking a real human is behind the content. This may lead to the weaponisation of such technology in the tech world.
Many phishing emails are easily recognisable, particularly when written by non-native speakers. However, ChatGPT could make the task significantly easier and the result more convincing. The speed of generation and the response quality open the door to much more believable phishing emails and even simple exploit code generation.
Furthermore, since the ChatGPT model is open-source, an enterprising individual could create a dataset of existing company-generated emails to create a tool that quickly and easily produces phishing emails.
Though the existing ChatGPT interface has protections against requesting sensitive information, you can see how the AI model helps to inform the flow and dialog that a Microsoft helpdesk technician may use, lending authenticity to a request.
From fake support requests to caller ID spoofing, and now even scripting with ChatGPT, the internet is full of resources to help promote successful social engineering schemes. Threat actors are advancing social engineering attacks by combining multiple attack vectors, using ChatGPT alongside other social engineering methods. ChatGPT can help attackers better create a fake identity, making their attacks more likely to succeed.
There are tools available that verify a user is who they say they are with a secure verification approach that goes beyond security questions, the answers to which can be easily sourced by cyber criminals in a targeted social engineering attack. For example, in the event that a user calls the service desk for a password reset, the tool will require service desk agents to verify the identity of the user before resetting their password. The user can be verified with a one-time code sent to the mobile number associated with their account. Organisations can also layer these options to enforce MFA at the service desk.
With vishing scams showing no signs of slowing down, and ChatGPT set to evolve with AI technology, the investment in and introduction of these tools could be a vital step for organisations looking to protect themselves.
ChatGPT is a game-changer, providing an easy-to-use and powerful tool for AI-generated conversations. While there are numerous potential applications, organisations should be aware of how attackers can use this tool to improve their tactics, and the additional risks it can pose to their organisation.
Source – https://www.bleepingcomputer.com/news/security/chatgpt-may-be-a-bigger-cybersecurity-risk-than-an-actual-benefit/
YoroTrooper Stealing Credentials and Information from Government and Energy Organisations
A previously undocumented threat actor dubbed YoroTrooper has been targeting government, energy, and international organisations across Europe as part of a cyber espionage campaign that has been active since at least June 2022.
Information stolen from successful compromises includes credentials from multiple applications, browser histories and cookies, system information and screenshots. Prominent countries targeted include Azerbaijan, Tajikistan, Kyrgyzstan, Turkmenistan, and other Commonwealth of Independent States (CIS) nations.
The threat actor is believed to be Russian-speaking owing to the victimology patterns and the presence of Cyrillic snippets in some of the implants. That said, the YoroTrooper intrusion set has been found to exhibit tactical overlaps with the PoetRAT team that was documented in 2020 as leveraging coronavirus-themed baits to strike government and energy sectors in Azerbaijan.
YoroTrooper’s data gathering is achieved through a combination of commodity and open source stealer malware such as Ave Maria (aka Warzone RAT), LodaRAT, Meterpreter, and Stink, with the infection chains using malicious shortcut files (LNKs) and decoy documents wrapped in ZIP or RAR archives that are propagated via spear-phishing. The LNK files function as simple downloaders to execute an HTA file retrieved from a remote server, which is then used to display a lure PDF document, while stealthily launching a dropper to deliver a custom stealer that uses Telegram as an exfiltration channel.
The use of LodaRAT is notable as it indicates that the malware is being employed by multiple operators despite its attribution to another group called Kasablanka, which has also been observed distributing Ave Maria in recent campaigns targeting Russia.
Other auxiliary tools deployed by YoroTrooper consist of reverse shells and a C-based custom keylogger that’s capable of recording keystrokes and saving them to a file on disk.
Source – https://thehackernews.com/2023/03/yorotrooper-stealing-credentials-and.html
Tick APT Targeted High-Value Customers of East Asian Data-Loss Prevention Company
A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities.
The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanised installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company’s customers.
Tick, also known as Bronze Butler, REDBALDKNIGHT, Stalker Panda, and Stalker Taurus, is a suspected China-aligned collective that has primarily gone after government, manufacturing, and biotechnology firms in Japan. It’s said to be active since at least 2006. Other lesser-known targets include Russian, Singaporean, and Chinese enterprises. Attack chains orchestrated by the group have typically leveraged spear-phishing emails and strategic web compromises as an entry point.
In late February 2021, Tick emerged as one of the threat actors to capitalise on the ProxyLogon flaws in Microsoft Exchange Server as a zero-day to drop a Delphi-based backdoor in a web server belonging to a South Korean IT company.
Around the same time, the adversarial collective is believed to have gained access to the network of an East Asian software developer company through unknown means. The name of the company was not disclosed. This was followed by the deployment of a tampered version of a legitimate application called Q-Dir to drop an open source VBScript backdoor named ReVBShell, in addition to a previously undocumented downloader named ShadowPy. ShadowPy is a Python downloader that’s responsible for executing a Python script retrieved from a remote server.
Also delivered during the intrusion were variants of a Delphi backdoor called Netboy (aka Invader or Kickesgo) that comes with information gathering and reverse shell capabilities as well as another downloader codenamed Ghostdown.
To maintain persistent access, the attackers deployed malicious loader DLLs along with legitimate signed applications vulnerable to DLL search-order hijacking. The purpose of these DLLs was to decode and inject a payload into a designated process.
Subsequently, in February and June 2022, the trojanised Q-Dir installers were transferred via remote support tools like helpU and ANYSUPPORT to two of the company’s customers, an engineering and a manufacturing firm located in East Asia. The goal here was not to perform a supply chain attack against its downstream customers; rather, the rogue installer was unknowingly used as part of technical support activities.
The incident is also likely related to another unattributed cluster detailed by AhnLab in May 2022 that involved the use of Microsoft Compiled HTML Help (.CHM) files to drop the ReVBShell implant.
Source – https://thehackernews.com/2023/03/tick-apt-targeted-high-value-customers.html
GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks
A new Golang-based malware dubbed GoBruteforcer has been found targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres to corral the devices into a botnet.
GoBruteforcer uses a Classless Inter-Domain Routing (CIDR) block to scan the network during the attack, targeting all IP addresses within that CIDR range. The threat actor chose CIDR block scanning as a way to get access to a wide range of target hosts on different IPs within a network instead of using a single IP address as a target.
GoBruteforcer is mainly designed to single out Unix-like platforms running x86, x64 and ARM architectures, with the malware attempting to obtain access via a brute-force attack using a list of credentials hard-coded into the binary. If the attack proves to be successful, an internet relay chat (IRC) bot is deployed on the victim server to establish communications with an actor-controlled server. GoBruteforcer also leverages a PHP web shell already installed in the victim server to glean more details about the targeted network.
That said, the exact initial intrusion vector used to deliver both GoBruteforcer and the PHP web shell is undetermined as yet. Artifacts collected suggest active development efforts to evolve its tactics and evade detection. The findings are yet another indication of how threat actors are increasingly adopting Golang to develop cross-platform malware. What’s more, GoBruteforcer’s multi-scan capability enables it to breach a broad set of targets, making it a potent threat.
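The combination described above, one source working through every address of a CIDR block and trying credentials against several services, leaves a recognisable pattern in authentication logs. The following is an added example, not code from the cited research; the log format, thresholds and all addresses are constructed assumptions, and IPv4 is assumed for the default /24 grouping.

```python
import ipaddress
from collections import defaultdict

# Services the article lists as GoBruteforcer targets.
WATCHED = {"phpmyadmin", "mysql", "ftp", "postgres"}

# Constructed, normalised authentication events: time, source, destination, service, result.
SAMPLE_LOG = """\
2023-03-14T02:10:01Z 203.0.113.50 10.20.30.4 ftp fail
2023-03-14T02:10:02Z 203.0.113.50 10.20.30.5 ftp fail
2023-03-14T02:10:03Z 203.0.113.50 10.20.30.6 mysql fail
2023-03-14T02:10:04Z 203.0.113.50 10.20.30.7 postgres fail
2023-03-14T02:10:05Z 203.0.113.50 10.20.30.7 postgres fail
2023-03-14T02:10:06Z 203.0.113.50 10.20.30.7 postgres ok
2023-03-14T02:10:07Z 203.0.113.50 10.20.30.8 phpmyadmin fail
2023-03-14T02:11:00Z 198.51.100.7 10.20.30.4 ftp fail
2023-03-14T02:11:09Z 198.51.100.7 10.20.30.4 ftp ok
2023-03-14T02:12:00Z 192.0.2.9 10.20.30.5 ssh fail
malformed line
"""


def parse(lines):
    """Yield (ts, src, dst, service, result) for well-formed lines about watched services."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] not in WATCHED or parts[4] not in ("ok", "fail"):
            continue
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        yield parts[0], src, dst, parts[3], parts[4]


def detect_sweeps(lines, prefix=24, min_hosts=4, min_services=2):
    """Flag sources failing logins on many hosts of one CIDR block across several services."""
    failed = defaultdict(lambda: defaultdict(set))  # (src, net) -> dst -> services that failed
    breached = defaultdict(set)                     # (src, net) -> dst with a success after failures
    for _ts, src, dst, svc, result in sorted(parse(lines), key=lambda e: e[0]):
        net = ipaddress.ip_network(f"{dst}/{prefix}", strict=False)
        key = (src, net)
        if result == "fail":
            failed[key][dst].add(svc)
        elif svc in failed[key].get(dst, ()):
            breached[key].add(dst)  # same source, host and service succeeded after failing
    findings = []
    for (src, net), hosts in failed.items():
        services = set().union(*hosts.values())
        if len(hosts) >= min_hosts and len(services) >= min_services:
            findings.append({
                "source": str(src),
                "network": str(net),
                "hosts": [str(h) for h in sorted(hosts)],
                "services": sorted(services),
                "breached": [str(h) for h in sorted(breached[(src, net)])],
            })
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(SAMPLE_LOG.splitlines()):
        print(f"{f['source']} swept {f['network']}: {len(f['hosts'])} hosts, "
              f"services {f['services']}, successful logins on {f['breached']}")
```

The `breached` list is the part to act on first: those hosts accepted a login from the sweeping source and should be treated as compromised until shown otherwise.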
Source – https://thehackernews.com/2023/03/gobruteforcer-new-golang-based-malware.html
A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates.
In April 2022, Magniber was seen distributed as a Windows 10 update via a network of malicious websites. In January, its operators used Chrome and Edge browser updates to push malicious Windows application package files (.APPX).
These files are obfuscated and use a variation of the “DotNetToJScript” technique to execute a .NET file in the system memory, lowering the risk of detection by antivirus products available on the host. The .NET file decodes shellcode that uses its own wrapper to make stealthy syscalls, and injects it into a new process before terminating its own. The shellcode deletes shadow copy files via WMI and disables backup and recovery features through “bcdedit” and “wbadmin.” This increases the chances of getting paid as victims have one less option to recover their files.
To perform this action, Magniber uses a bypass for the User Account Control (UAC) feature in Windows. It relies on a mechanism that involves creating a new registry key that allows specifying a shell command. In a later step, the “fodhelper.exe” utility is executed to run a script for deleting the shadow copies. Finally, Magniber encrypts the files on the host and drops the ransom notes containing instructions for the victim to restore their files.
While Magniber attempts to limit the encryption only to specific file types, the pseudohash it generates during the enumeration isn’t perfect, which results in hash collisions and collateral damage such as encrypting non-targeted file types as well.
Home users can defend against a ransomware attack by making regular backups of their files and keeping them on an offline storage device. This allows recovery of the data onto a freshly installed operating system. Before restoring the data, users should make sure that their backups have not been infected.
Zoll Medical Data Breach Impacts 1 Million Individuals
Medical technology developer Zoll Medical is notifying roughly one million individuals that their personal information might have been compromised in a recent data breach. Zoll develops and markets medical equipment and software for advanced emergency care, including cardiac monitoring, oxygen therapy, ventilation, data management, and more.
The data breach, the company says, was identified at the end of January, when it discovered unusual activity on its internal network.
“We determined that your information may have been affected on or about February 2, 2023. Our investigation into the incident is ongoing,” Zoll wrote in a notification letter, a copy of which was submitted to the Maine Attorney General’s office.
According to Zoll, the compromised information included names, addresses, birth dates, and Social Security numbers. Zoll says it has no indication that the exposed information was misused. However, it is not uncommon for cybercriminals to share or trade stolen personal information on underground forums, and then use it in attacks such as phishing, identity theft, and the like.
The company informed the Maine Attorney General’s office that just over one million individuals were impacted by the breach, all of whom have been offered free identity protection services.
It’s unclear what type of cyberattack Zoll fell victim to and whether ransomware was deployed on its systems.
Source – https://www.securityweek.com/zoll-medical-data-breach-impacts-1-million-individuals/
KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets
The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot.
Dark Pink, also called Saaiwc, was extensively profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information. The threat actor is suspected to be of Asia-Pacific origin and has been active since at least mid-2021, with an increased tempo observed in 2022.
The main difference in the February campaign compared to previous attacks is that the malware’s obfuscation routine has improved to better evade anti-malware measures. The attacks play out in the form of social engineering lures that contain ISO image file attachments in email messages to deliver the malware.
The ISO image includes an executable (Winword.exe), a loader (MSVCR100.dll), and a decoy Microsoft Word document, the latter of which comes embedded with the KamiKakaBot payload. The loader, for its part, is designed to load the KamiKakaBot malware by leveraging the DLL side-loading method to evade security protections and load it into the memory of the Winword.exe binary.
KamiKakaBot is primarily engineered to steal data stored in web browsers and execute remote code using Command Prompt (cmd.exe), while also embracing evasion techniques to blend in with victim environments and hinder detection. Persistence on the compromised host is achieved by abusing the Winlogon Helper library to make malicious Windows Registry key modifications. The gathered data is subsequently exfiltrated to a Telegram bot as a ZIP archive.
The use of legitimate web services as a command-and-control (C2) server, such as Telegram, remains the number one choice for different threat actors, ranging from regular cyber criminals to advanced persistent threat actors.
Source – https://thehackernews.com/2023/03/kamikakabot-malware-used-in-latest-dark.html
Medusa ransomware gang picks up steam as it targets companies worldwide
A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. The Medusa operation started in June 2021 but had relatively low activity, with few victims. However, in 2023 the ransomware gang increased in activity and launched a ‘Medusa Blog’ used to leak data for victims who refused to pay a ransom.
Medusa gained media attention this week after they claimed responsibility for an attack on the Minneapolis Public Schools (MPS) district and shared a video of the stolen data.
Many malware families call themselves Medusa, including a Mirai-based botnet with ransomware capabilities, a Medusa Android malware, and the widely known MedusaLocker ransomware operation. Due to the commonly used name, there has been some confusing reporting about this ransomware family, with many thinking it’s the same as MedusaLocker. However, the Medusa and MedusaLocker ransomware operations are entirely different.
The MedusaLocker operation launched in 2019 as a Ransomware-as-a-Service, with numerous affiliates, a ransom note commonly named How_to_back_files.html, and a wide variety of file extensions for encrypted files. The MedusaLocker operation uses a Tor website at qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion for negotiation.
However, the Medusa ransomware operation launched around June 2021 and has been using a ransom note named !!!READ_ME_MEDUSA!!!.txt and a static encrypted file extension of .MEDUSA. The Medusa operation also uses a Tor website for ransom negotiations, yet theirs is located at medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion.
The Windows encryptor will accept command-line options that allow the threat actor to configure how files will be encrypted on the device. In a regular run, without command line arguments, the Medusa ransomware will terminate over 280 Windows services and processes for programs that may prevent files from being encrypted. These include Windows services for mail servers, database servers, backup servers, and security software.
The ransomware will then delete Windows Shadow Volume Copies to prevent them from being used to recover files. When encrypting files, the ransomware will append the .MEDUSA extension to encrypted file names. In each folder, the ransomware will create a ransom note named !!!READ_ME_MEDUSA!!!.txt that contains information about what happened to the victim’s files. The ransom note will also include extensive contact information, including a Tor data leak site, a Tor negotiation site, a Telegram channel, a Tox ID, and the firstname.lastname@example.org email address.
As an extra step to prevent the restoration of files from backups, the Medusa ransomware will run a command to delete locally stored files associated with backup programs, like Windows Backup. This command will also delete virtual disk hard drives (VHD) used by virtual machines. The Tor negotiation site calls itself “Secure Chat,” where each victim has a unique ID that can be used to communicate with the ransomware gang.
Like most enterprise-targeting ransomware operations, Medusa has a data leak site named ‘Medusa Blog.’ This site is used as part of the gang’s double-extortion strategy, where they leak data for victims who refuse to pay a ransom. When a victim is added to the data leak, their data is not immediately published. Instead, the threat actors give the victims paid options to extend the countdown before data is released, to delete the data, or to download all of the data. Each of these options has a different price.
These three options are offered to apply extra pressure on the victim and scare them into paying a ransom. Unfortunately, no known weaknesses in the Medusa Ransomware encryption allow victims to recover their files for free.
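The recovery-inhibiting steps reported here for Medusa (shadow copy deletion) and in the Magniber item above (shadow copies, “bcdedit”, “wbadmin”, and a script launched through “fodhelper.exe”) can be hunted in process-creation logs. The following is an added example, not code from either article; the event fields, rule patterns, host names and sample command lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Command-line patterns for recovery inhibition (MITRE ATT&CK T1490).
# Caveat: a shadow copy deleted through the WMI API inside a process leaves no
# command line, so these rules complement, not replace, other telemetry.
RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\b.*\bdelete\s+shadows"
        r"|wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete"
        r"|win32_shadowcopy.*\b(delete|remove)", re.I),
    "boot_recovery_off": re.compile(r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "backup_delete": re.compile(
        r"wbadmin(\.exe)?\b.*\bdelete\s+(catalog|backup|systemstatebackup)\b", re.I),
}

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to four fields).
SAMPLE_EVENTS = [
    {"host": "PC-07", "parent": r"C:\Windows\System32\fodhelper.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\cleanup.vbs"'},
    {"host": "PC-07", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "PC-07", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "SRV-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # routine admin query
    {"host": "SRV-02", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},                  # routine admin query
    {"host": "SRV-03", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
]


def basename(win_path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return win_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Group rule hits per host; two or more distinct behaviours on one host rate 'high'."""
    tags = defaultdict(set)
    for ev in events:
        # fodhelper.exe is not expected to launch script hosts or shells.
        if basename(ev["parent"]) == "fodhelper.exe":
            tags[ev["host"]].add("fodhelper_child")
        for name, pattern in RULES.items():
            if pattern.search(ev["cmdline"]):
                tags[ev["host"]].add(name)
    return {host: {"tags": sorted(found),
                   "severity": "high" if len(found) >= 2 else "review"}
            for host, found in tags.items()}


if __name__ == "__main__":
    for host, result in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, result["severity"], ", ".join(result["tags"]))
```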
Source – https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/
Clop ransomware gang begins extorting GoAnywhere zero-day victims
The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution.
In February, the GoAnywhere MFT file transfer solution developers warned customers that a zero-day remote code execution vulnerability was being exploited on exposed administrative consoles. GoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files.
While no details were publicly shared on how the vulnerability was exploited, a proof-of-concept exploit was soon released, followed by a patch for the flaw. The day after the release of the GoAnywhere patch, the Clop ransomware gang said they were responsible for the attacks. The extortion group said they used the flaw over ten days to steal data from 130 companies.
Since then, two companies, Community Health Systems (CHS) and Hatch Bank, disclosed that data was stolen in the GoAnywhere MFT attacks. Last night, the Clop ransomware gang began publicly extorting victims of the GoAnywhere attacks by adding seven new companies to their data leak site. Only one of the victims, Hatch Bank, is publicly known to have been breached using the vulnerability. The entries on the data leak site all state that the release of data is “coming soon” but include screenshots of allegedly stolen data.
While it is unclear how much the threat actors are demanding, they had previously demanded $10 million in ransoms in similar attacks using an Accellion FTA zero-day vulnerability in December 2020. During these attacks, the extortion group stole large amounts of data from nearly 100 companies worldwide, with the threat actors slowly leaking data from companies while demanding million-dollar ransoms.
Organisations that had their Accellion servers hacked include, among others, energy giant Shell, cybersecurity firm Qualys, supermarket giant Kroger, and multiple universities worldwide such as Stanford Medicine, University of Colorado, University of Miami, University of California, and the University of Maryland Baltimore (UMB).
Source – https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-begins-extorting-goanywhere-zero-day-victims/
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide
An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide since November 2022. The infections are both geographically indiscriminate and opportunistic, with a majority of the victims reported in Brazil, Indonesia, and Turkey.
Prometei, first observed in 2016, is a modular botnet that features a large repertoire of components and several proliferation methods, some of which also include the exploitation of ProxyLogon Microsoft Exchange Server flaws. It’s also notable for avoiding striking Russia, suggesting that the threat actors behind the operation are likely based in the country.
The cross-platform botnet’s motivations are financial, primarily leveraging its pool of infected hosts to mine cryptocurrency and harvest credentials. The latest variant of Prometei (called v3) improves upon its existing features to challenge forensic analysis and further burrow its access on victim machines.
The attack sequence proceeds as follows: after gaining a successful foothold, a PowerShell command is executed to download the botnet malware from a remote server. Prometei’s main module is then used to retrieve the actual crypto-mining payload and other auxiliary components on the system. Some of these support modules function as spreader programs designed to propagate the malware through Remote Desktop Protocol (RDP), Secure Shell (SSH), and Server Message Block (SMB).
Prometei v3 is also noteworthy for using a domain generation algorithm (DGA) to build out its command-and-control (C2) infrastructure. It further packs in a self-update mechanism and an expanded set of commands to harvest sensitive data and commandeer the host. Last but not least, the malware deploys an Apache web server that’s bundled with a PHP-based web shell, which is capable of executing Base64-encoded commands and carrying out file uploads.
This recent addition of new capabilities aligns with previous assertions that the Prometei operators are continuously updating the botnet and adding functionality.
Source – https://thehackernews.com/2023/03/new-version-of-prometei-botnet-infects.html