Friday, November 18th, 2022
Cybersecurity Week in Review (18/11/22)
Iranian hackers use Log4Shell to mine crypto on a federal computer system
An attack on a U.S. government agency’s network in early 2022 has been attributed to Iranian state-sponsored actors. This is according to a joint advisory from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation. The attackers utilised a well-known open-source library flaw to install cryptocurrency mining software and compromise credentials.
By exploiting the Log4Shell vulnerability, the Iranian-backed hackers broke into an unpatched VMware Horizon server in February and then used that access to move laterally within the network of an unidentified federal agency. The vulnerability affects the open-source software Log4j, which is a nearly ubiquitous tool that software developers have built into a huge range of software. Following the disclosure of the flaw in Log4j, CISA ordered agencies under its jurisdiction to carry out an emergency patching operation, and state-backed hackers immediately began scanning for vulnerable systems to target.
According to the advisory, the attackers relied on common software to exploit the Log4Shell vulnerability and carry out the operation, including XMRig for cryptocurrency mining, PsExec, Mimikatz, and Ngrok. However, the advisory did not name the group within Iran believed to be responsible for the breach, attributing it only to Iranian government-sponsored APT actors.
New RapperBot Campaign Aims to Launch DDoS Attacks at Game Servers
New samples of malware called RapperBot have been found being used to build a botnet capable of launching Distributed Denial of Service (DDoS) attacks against game servers. First discovered in August of this year, RapperBot is known to exclusively brute-force SSH servers configured to accept password authentication. This campaign resembles the RapperBot activity seen in August less than it does an older campaign that appeared in February and then mysteriously disappeared in the middle of April.
The malware is heavily inspired by the Mirai botnet, whose source code leaked in October 2016, leading to the rise of several variants. What’s notable about the updated version of RapperBot is its ability to perform Telnet brute-force and to support DoS attacks using the Generic Routing Encapsulation (GRE) tunneling protocol and UDP floods targeting game servers running Grand Theft Auto: San Andreas. A list of hard-coded plaintext credentials, which are default credentials associated with IoT devices, is embedded in the binary instead of being retrieved from a command-and-control (C2) server. A successful break-in is followed by reporting the credentials used back to the C2 server and installing the RapperBot payload on the hacked device.
The malware is designed to only target appliances that run on ARM, MIPS, PowerPC, SH4, and SPARC architectures, and to halt its self-propagation mechanism if they run on Intel chipsets. This new campaign has been found to share overlaps with other operations involving the malware as far back as May 2021, with the Telnet spreader module making its first appearance in August 2021, only to be removed in later samples and reintroduced last month.
Magento stores targeted in massive surge of TrojanOrders attacks
A massive surge in ‘TrojanOrders’ attacks targeting Magento 2 websites is being attributed to at least 7 different hacking groups. Almost 40% of Magento 2 websites are being targeted by the attacks, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers.
There are multiple reasons believed to be behind the surge in attacks targeting this vulnerability. First, a large number of Magento 2 sites remain vulnerable to these attacks, even ten months after the patches became available. Second, PoC (proof of concept) exploits have been available for a long time, allowing exploit kit authors to incorporate them into their tools and profit by selling them to low-skilled hackers. These Magento exploits are so abundant they are sold for as low as $2,500, whereas in early 2022, they cost between $20,000 and $30,000. The timing is also ideal for these attacks, as websites are seeing increased traffic due to the holiday season, meaning malicious orders and code injections may be more likely to be overlooked.
In order to mitigate against these attacks you should apply the security update that addresses CVE-2022-24086. Scrutinise orders for signs of a TrojanOrder attack, such as template code in order forms or orders submitted from anonymous email accounts (Protonmail, Tutanota, and the like), and use a backend malware scanner to discover past infections that have resulted in RAT injections on your site.
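To make the “scrutinise orders” step concrete, here is a small triage script, added as an example here and not part of the original post or of Magento itself, that flags orders whose free-text checkout fields contain Magento template directive syntax ({{var ...}}, {{block ...}} and similar) or that come from anonymous mail providers. The directive list, the mail-domain list and the field names are my assumptions, and the sample orders are constructed.

```python
import re
from typing import Dict, List

# Magento template directives take the form {{var ...}}, {{block ...}}, {{config ...}}.
# The directive names below come from Magento's template filter; treating any of them
# inside a customer-typed checkout field as hostile is my assumption, not advice from
# the article. Legitimate shoppers have no reason to type template syntax.
DIRECTIVE_RE = re.compile(
    r"\{\{\s*(var|block|config|layout|template|trans|depend|if|widget|css|inlinecss)\b",
    re.IGNORECASE,
)

# Anonymous mail providers named in the article, plus aliases I assume they use.
ANON_MAIL_DOMAINS = {"protonmail.com", "proton.me", "pm.me", "tutanota.com", "tutamail.com", "tuta.io"}

# Free-text fields a shopper controls on a Magento 2 checkout (assumed field names).
SCANNED_FIELDS = ("firstname", "lastname", "company", "street", "city", "telephone", "comment")


def order_findings(order: Dict[str, object]) -> List[str]:
    """Return a human-readable list of TrojanOrder indicators for one order."""
    findings = []
    for field in SCANNED_FIELDS:
        value = str(order.get(field) or "")          # tolerate missing / None fields
        match = DIRECTIVE_RE.search(value)
        if match:
            findings.append("template directive %r in field %r" % (match.group(0), field))
    domain = str(order.get("email") or "").rpartition("@")[2].lower()
    if domain in ANON_MAIL_DOMAINS:
        findings.append("anonymous mail provider %r" % domain)
    return findings


def triage(orders: List[Dict[str, object]]) -> Dict[int, List[str]]:
    """Map order id -> findings, keeping only orders that need a human look."""
    suspicious = {}
    for order in orders:
        findings = order_findings(order)
        if findings:
            suspicious[order["id"]] = findings
    return suspicious


# Constructed sample orders (not real data): one benign, three suspicious in different ways.
SAMPLE_ORDERS = [
    {"id": 1001, "email": "jane@example.com", "firstname": "Jane", "lastname": "Doe",
     "street": "1 Main St", "city": "Springfield", "telephone": "555-0100"},
    {"id": 1002, "email": "drop@protonmail.com", "firstname": "{{var foo}}", "lastname": "X",
     "street": "1 Main St", "city": "Springfield", "telephone": "000"},
    {"id": 1003, "email": "buyer@tutanota.com", "firstname": "Bob", "lastname": "Lee",
     "street": "2 High St", "city": "Leeds", "telephone": "555-0101"},
    {"id": 1004, "email": "sam@example.org", "firstname": "Sam", "lastname": "Ng",
     "street": "3 Low Rd", "city": "York", "telephone": "555-0102",
     "comment": "{{ BLOCK class='x' }} please gift wrap"},   # mixed case still caught
]

if __name__ == "__main__":
    for order_id, findings in sorted(triage(SAMPLE_ORDERS).items()):
        print(order_id, "->", "; ".join(findings))
```

Feed it an export of recent orders and review anything it returns; an anonymous mail domain alone is a weak signal, while template syntax in a name or comment field warrants looking for a web shell or RAT on the server.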
Russia-based Pushwoosh tricks US Army and others into running its code
Apps utilising Pushwoosh, a software company that provides code and data analysis for developers, have been pulled by US agencies such as the Army and the Centers for Disease Control and Prevention. This follows the discovery that the company, which presents itself as American, is actually Russian.
Pushwoosh can automate custom push notifications based on smartphone users’ online activity. This is the same kind of tracking data, aka commercial surveillance, that major US tech companies like Google and Meta have come under fire for collecting by privacy advocates and watchdog agencies alike. However, in this case it’s a Russian company collecting and processing this data, sparking national security concerns. The Army app in question was first developed in 2016 for the National Training Center (NTC) using a free version of Pushwoosh. It was discovered during a routine review in March of this year and removed due to new regulations and guidance, as well as the fact that the Army does not authorise the use of free software when a paid version is available.
In addition to the US government agencies, consumer goods giant Unilever, the Union of European Football Associations, American gun lobby group National Rifle Association, and Britain’s Labour Party also installed Pushwoosh code in their apps. Apps running Pushwoosh code are available on Google Play and Apple’s App Store, and the company claims its code runs on more than 2.3 billion connected devices, according to its website.
Pushwoosh doesn’t list a company address anywhere on its website; it notes offices in multiple countries but doesn’t name any of them. According to its Twitter profile, the company is based in Washington, DC, while on LinkedIn and in press releases it claims to be based in Maryland. Pushwoosh’s founder, Max Konev, is quoted as saying: “I am proud to be Russian and I would never hide this.” He added that his company “has no connection with the Russian government of any kind” and stores its data in the US and Germany. However, as tensions have escalated between the US and Russia following the illegal Russian invasion of Ukraine earlier this year, Russian software companies have come under increasing scrutiny from the Feds.
North Korean hackers target European orgs with updated malware
A new version of the DTrack backdoor being used to attack organisations in Europe and Latin America has been linked to North Korean hackers. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device.
DTrack activity has been reported in Germany, Brazil, India, Italy, Mexico, Switzerland, Saudi Arabia, Turkey, and the United States. The targeted sectors include government research centers, policy institutes, chemical manufacturers, IT service providers, telecommunication providers, utility service providers, and education. In the new campaign, DTrack is distributed using filenames commonly associated with legitimate executables. One sample is distributed under the ‘NvContainer.exe’ file name, which is the same name as a legitimate NVIDIA file. DTrack continues to be installed by breaching networks using stolen credentials or exploiting Internet-exposed servers, as seen in previous campaigns. When launched, the malware goes through multiple decryption steps before its final payload is loaded via process hollowing into an “explorer.exe” process, running directly from memory.
The attacks are being attributed to the North Korean Lazarus hacking group with claims the threat actors use DTrack whenever they see the potential for financial gains.
PCspooF: New Vulnerability Affects Networking Tech Used by Spacecraft and Aircraft
A novel attack method, dubbed PCspooF, is being used against a crucial piece of technology called time-triggered ethernet (TTE) that’s used in safety-critical infrastructure, potentially causing the failure of systems powering spacecraft and aircraft. The technique is designed to break TTE’s security guarantees and induce TTE devices to lose synchronisation for up to a second, a behaviour that can even lead to uncontrolled manoeuvres in spaceflight missions and threaten crew safety. TTE is one of the networking technologies that make up what’s called a mixed-criticality network, in which traffic with different timing and fault-tolerance requirements coexists on the same physical network. This means that both critical devices, which, say, enable vehicle control, and non-critical devices, which are used for monitoring and data collection, share the same network.
Relying on a single technology reduces weight and power requirements as well as development time and cost. However, this mixed-criticality approach puts a lot more pressure on the design of the network to provide isolation. While critical devices in the network are subjected to thorough vetting, the non-critical counterparts are not only commercial-off-the-shelf (COTS) devices but also lack the same rigorous process, leaving possible avenues for supply chain compromises that could be weaponised to activate the attack by integrating a rogue third-party component into the system. This is where the isolation guarantee of a mixed-criticality network comes in: even if the COTS device is malicious, it should be unable to interfere with critical traffic.
PCspooF allows a malicious non-critical device to break this isolation guarantee in a TTE network. This is achieved by using the nefarious device to inject electromagnetic interference (EMI) into a TTE switch over an Ethernet cable, effectively tricking the switch into sending authentic-looking synchronisation messages (i.e., protocol control frames or PCFs) and getting them accepted by other TTE devices. Such an electrical noise generation circuit can take up as little as 2.5cm × 2.5cm on a single-layer printed circuit board, requires only minimal power, and can be concealed in a best-effort device and integrated into a TTE system without raising any red flags.
As mitigations, it is recommended to use optocouplers or surge protectors to block electromagnetic interference, check source MAC addresses to ensure they’re authentic, hide key PCF fields, use a link-layer authentication protocol like IEEE 802.1AE, increase the number of sync masters, and disable dangerous state transitions.
Whoosh confirms data breach after hackers sell 7.2M user records
Scooter-sharing service Whoosh has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. Whoosh is Russia’s leading urban mobility service platform, operating in 40 cities with over 75,000 scooters.
The data allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data. Whoosh has confirmed that there is a data leak and has informed its user base they are working with law enforcement authorities to take all measures to stop the distribution of the data.
On Friday, a user on the ‘Breached’ hacking forums posted a database containing details about 7.2 million Whoosh customers, including email addresses, phone numbers, and first names. The database also contained partial payment card details for a subset of 1,900,000 users. The seller also claimed that the stolen data included 3,000,000 promo codes, which people can use to rent Whoosh scooters without paying. They say they are selling the data to only five buyers for $4,200 each, or 0.21490980 bitcoin, and according to the SatoshiDisk platform used for the transaction, no one has yet purchased the database.
42,000 sites used to trap users in brand impersonation scheme
A massive network of over 42,000 web domains that impersonate well-known brands has been created by a group known as Fangxiao. The imposter domains are used as part of what appears to be a massive traffic generation scheme that creates ad revenue for Fangxiao’s own sites or more visitors for ‘customers’ who purchase traffic from the group.
The threat actors are thought to be based out of China and have been operating since 2017, spoofing over 400 renowned brands from the retail, banking, travel, pharmaceuticals, transport, financial, and energy sectors, including McDonald’s, Coca-Cola and Unilever. Often, Fangxiao victims are redirected to sites that infect them with the Triada trojan or other malware. However, a connection between the operators of these sites and Fangxiao has yet to be established.
Since the start of March 2022, the malicious operators have used at least 24,000 landing and survey domains to promote their fake prizes to victims. Most of these sites use the “.top” TLD, followed by “.cn”, “.cyou”, “.xyz”, “.work”, and “.tech”. The sites are hidden behind Cloudflare and registered through GoDaddy, Namecheap, and Wix. Users arrive on these sites through mobile advertisements or after receiving a WhatsApp message containing the link, typically making a special offer or informing the recipient they won something.
These landing domains redirect visitors to a survey domain with a timer that adds urgency and keeps victims from noticing the signs of fraud. The landing sites also host advertisements from ylliX, which Google and Facebook have marked as “suspicious”, and clicking on them results in a separate redirection chain. The redirection path depends on the user’s location (IP address) and user agent, leading to Triada trojan downloads, Amazon via affiliate links, fake dating sites, and SMS micropayment scams.
The app does not feature malicious functionality, but it asks users to approve access to risky permissions, and it serves an above-average number of ads through hard-to-close popups. The app’s publisher, LocoMind, shares an IP address with another app developer named Holacode, who has previously been linked to adware distribution. There are indications that Fangxiao is a Chinese operator, such as the use of Mandarin on one of the exposed control panels. However, apart from some email addresses linked to hacking forums like OGUsers, there are no further clues about the identity of the threat actors.
Researchers Sound Alarm on Dangerous BatLoader Malware Dropper
A new malware loader has been identified with the ability to determine whether it’s on a business system or a personal computer, and it has been infecting systems worldwide over the past few months. The threat, dubbed BatLoader, distributes a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploitation toolkit on victim systems. The threat actor’s tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimisation (SEO) poisoning methods.
BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages. Nine of the victims identified were organisations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organisations in the education, retail, IT, and healthcare sectors.
BatLoader’s operator was observed luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.
While there are several aspects of the BatLoader campaign that are unique, there are also several attributes of the attack chain that have a resemblance with the Conti ransomware operation. The overlaps include an IP address that the Conti group used in a campaign leveraging the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations. In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears derived from the Zeus banking Trojan of the early 2000s. The biggest similarities there include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold and the use of PowerShell, batch scripts, and other native OS binaries during the attack chain.
New “Earth Longzhi” APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders
A previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT), has been targeting entities in Asia and Ukraine since 2020. The subgroup, now dubbed Earth Longzhi, has run a long-running campaign that can be split into two waves based on the toolset deployed against its victims.
The first wave from May 2020 to February 2021 is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, whereas the succeeding set of intrusions from August 2021 to June 2022 infiltrated high-profile victims in Ukraine and several countries in Asia. The victimology patterns and the targeted sectors overlap with attacks mounted by a distinct subordinate group of APT41 (aka Winnti) known as Earth Baku. Some of Earth Baku’s malicious cyber activities have been tied to groups under the names SparklingGoblin and Grayfly, respectively. The actor also shares links to a third subgroup dubbed GroupCC (aka APT17, Aurora Panda, or Bronze Keystone).
Attacks orchestrated by the hacker group leverage spear-phishing emails as the initial entry vector. These messages are known to embed password-protected archives or links to files hosted on Google Drive that, when opened, launch a Cobalt Strike loader dubbed CroxLoader. In some cases, the group has been observed weaponising remote code execution flaws in publicly exposed applications to deliver a web shell capable of dropping a next-stage loader referred to as Symatic that’s engineered to deploy Cobalt Strike. Also put to use as part of its post-exploitation activities is an “all in one tool,” which combines several publicly available and custom functions in one package and is believed to have been available since September 2014.
The recent attacks further stand out for the use of bespoke tools that can disable security software, dump credentials using a modified version of Mimikatz, and leverage flaws in the Windows Print Spooler component (i.e., PrintNightmare) to escalate privileges.
Incapacitating the installed security solutions is achieved through a method called bring your own vulnerable driver (BYOVD), which entails the exploitation of a known flaw in the RTCore64.sys driver (CVE-2019-16098). This is carried out using ProcBurner, a tool for killing specific running processes, while another custom malware called AVBurner is used to unregister the endpoint detection and response (EDR) system by removing process creation callbacks. The outdated version of the RTCore64.sys driver, which still has a valid digital signature, has been put to use by multiple threat actors like BlackByte and OldGremlin over the past few months.