Friday, March 22nd, 2024

Cybersecurity Week in Review (22/03/24)

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials 

Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that’s used to target Laravel applications and steal sensitive data. 

AndroxGh0st has been detected in the wild since at least 2022, with threat actors leveraging it to access Laravel environment files and steal credentials for various cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio. 

Attack chains involving the Python malware are known to exploit known security flaws in Apache HTTP Server, Laravel Framework, and PHPUnit to gain initial access and for privilege escalation and persistence. 

In January of this year, American cybersecurity and intelligence organizations cautioned about the use of AndroxGh0st malware by attackers to establish a botnet “for the purpose of identifying and exploiting victims within specific networks”. 

AndroxGh0st is designed to exfiltrate sensitive data from various sources, including .env files, databases, and cloud credentials. This allows threat actors to deliver additional payloads to compromised systems. 

Juniper Threat Labs reported an increase in activity linked to the exploitation of CVE-2017-9841, emphasizing the urgency for users to promptly update their instances to the most recent version. 

A majority of the attack attempts targeting its honeypot infrastructure originated from the U.S., U.K., China, the Netherlands, Germany, Bulgaria, Kuwait, Russia, Estonia, and India, it added. 

The development comes as the AhnLab Security Intelligence Center (ASEC) revealed that vulnerable WebLogic servers located in South Korea are being targeted by adversaries and used as download servers to distribute a cryptocurrency miner called z0Miner and other tools like fast reverse proxy (FRP). 

It also follows the discovery of a malicious campaign that infiltrates AWS instances to create over 6,000 EC2 instances within minutes and deploy a binary associated with a decentralized content delivery network (CDN) known as Meson Network. 

The Singapore-based company, which aims to create the “world’s largest bandwidth marketplace,” works by allowing users to exchange their idle bandwidth and storage resources with Meson for tokens (i.e., rewards). 

With cloud environments increasingly becoming a lucrative target for threat actors, it is critical to keep software up to date and monitor for suspicious activity. 

Threat intelligence firm Permiso has also released a tool called CloudGrappler, which is built on top of cloudgrep and scans AWS and Azure for malicious events linked to well-known threat actors. 


Microsoft confirms Windows Server issue behind domain controller crashes 

Microsoft confirmed that a memory leak introduced with the March 2024 Windows Server security updates is behind a widespread issue causing Windows domain controllers to crash. 

As BleepingComputer first reported on Wednesday and as many admins have warned over the last week, affected servers are freezing and restarting unexpectedly due to a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with this month’s cumulative updates. 

The known issue impacts all domain controller servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates. 

It also only affects enterprise systems using the impacted Windows Server platform; home users are not affected. According to Microsoft, “after installing the security update released on March 12, 2024 (KB5035857) for March 2024, the Local Security Authority Subsystem Service (LSASS) could potentially encounter a memory leak issue on domain controllers (DCs)”. 

“This occurs when both on-premises and cloud-based Active Directory Domain Controllers handle Kerberos authentication requests. Severe memory leaks may lead to LSASS crashing, prompting an unscheduled reboot of the underlying domain controllers (DCs).” 

Microsoft has identified the root cause and is working on a fix, which will be released soon. 

Temporary workaround 

Until Microsoft releases a fix for this severe memory leak, Windows admins who are unwilling to monitor affected systems’ memory usage and reboot them when needed are advised to remove the troublesome updates from their domain controllers. 

To remove these buggy updates, open an elevated command prompt from the Start menu by typing ‘cmd,’ right-clicking the Command Prompt application, and then clicking ‘Run as Administrator.’ 

Next, depending on what update you have installed on affected domain controllers, run one of the following commands: 

wusa /uninstall /kb:5035855 

wusa /uninstall /kb:5035849 

wusa /uninstall /kb:5035857 

In December 2022, Microsoft resolved another LSASS memory leak affecting domain controllers. After installing Windows Server updates released during the November 2022 Patch Tuesday, impacted servers would freeze and restart. 

Additionally, in March 2022, Microsoft fixed one more LSASS crash that caused unexpected reboots of Windows Server domain controllers. 


Vans warns customers of fraud risk after data breach 

Vans informed its customers about an elevated risk of identity theft, phishing, and fraud after attackers accessed customer data during the December 13th, 2022, breach. 

The attack, since claimed by the ALPHV/BlackCat ransomware gang, forced VF Corp to shut down parts of its IT infrastructure, creating holiday season havoc for the global manufacturer of brands like The North Face, Vans, Timberland, and more. 

Vans told customers that cybercriminals accessed personal customer information, such as email addresses, full names, phone numbers, billing addresses, and shipping addresses. In some cases, the attackers also accessed order histories, total order values, and information about what payment method was used for the purchases. 

Vans customers are advised to stay vigilant, carefully considering emails, SMS, and other instant messages, as well as phone calls, even if they seem to be coming from the company. 

Customers were instructed to watch out for emails with embedded hyperlinks, as those could lead to malicious websites. Moreover, individuals should be wary of email attachments and any suspicious emails, even if they appear to come from people they know. 

The breach of VF Group has impacted the personal information of over 35 million individuals, according to an amended breach disclosure the company filed with the US Securities and Exchange Commission (SEC). 

The publicly traded company has more than 1265 retail stores and a revenue of $11 billion, according to its website. 

Soon after the attack on VF Corp, the Russian-linked ALPHV/BlackCat group had its own operational problems after the FBI seized one of its domain controllers, shutting down its dark leak blog (which VF Corp had been listed on by the end of December). 

Known for its triple-extortion tactics, ALPHV/BlackCat joined forces with Scattered Spider to carry out the September 2023 attacks on two Las Vegas casino giants, MGM Resorts and Caesars International. 


300,000 Systems Vulnerable to New Loop DoS Attack 

Academic researchers describe a new application-layer loop DoS attack affecting Broadcom, Honeywell, Microsoft and MikroTik. 

The experts have demonstrated a loop DoS attack where an attacker uses IP spoofing to get two servers to communicate with each other indefinitely over a protocol they both use.  

In addition to allowing an attacker to cause a targeted service to become unstable or unusable, or cause a network outage by targeting the network’s backbone, the technique can be used for DoS or DDoS attack amplification.  

The list of protocols confirmed to be impacted includes NTP, DNS and TFTP, as well as legacy protocols such as Echo, Chargen and QOTD. However, the experts believe several others are likely impacted as well.  

The researchers estimate that there are roughly 300,000 impacted internet hosts, including nearly 90,000 for their use of NTP, 63,000 for DNS, 56,000 for Echo, and roughly 20,000 each for TFTP, Chargen and QOTD. In the case of NTP, vulnerable systems are likely ones that use a version of ntpd released before 2010, which are known to be impacted by a DoS vulnerability tracked as CVE-2009-3563. 

There is currently no evidence that this attack method has been used in the wild for malicious purposes, but the researchers warned that exploitation is easy and urged impacted entities to take action.  

The new CVE identifiers CVE-2024-1309 and CVE-2024-2169 have been assigned to the vulnerabilities involved in the new loop DoS attack. 

As indicated in an advisory from the CERT Coordination Center at Carnegie Mellon University, CVE-2024-2169 has been validated to affect products manufactured by Broadcom, Honeywell, Microsoft, and MikroTik. Vendors potentially affected were informed in December 2023. 

In addition, Cisco confirmed impact from CVE-2009-3563, which it addressed back in 2009. Zyxel confirmed that some end-of-life products are impacted, but they will not receive patches. 

In their advisory, the researchers recommend several preventive and reactive measures.  

As for reactive measures, they advised defenders to disrupt the DoS loop in case of an attack. 
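The loop described in this item, modelled as an added example that is not from the article or the researchers’ advisory: two UDP-style services that answer anything they do not understand with an error, a forged datagram that starts the ping-pong, and a hardened handler that applies the rule of never answering an error with an error. The service names, payloads and step cap are constructed for the model.

```python
# Added example, not from the article or the researchers' paper: a toy model of
# the application-layer loop. Services "A" and "B" each answer datagrams they
# do not understand with an error. Because UDP sources are unauthenticated, one
# forged datagram that claims to come from B makes A answer B, B answer A, and
# so on. The hardened handler drops inbound errors silently, so the exchange
# ends after a bounded number of steps. All names and payloads are constructed.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Datagram:
    src: str        # claimed source address; unauthenticated, hence spoofable
    dst: str
    payload: bytes


Handler = Callable[[str, Datagram], Optional[Datagram]]


def naive_service(me: str, dg: Datagram) -> Optional[Datagram]:
    """Vulnerable: replies to everything, including error messages."""
    if dg.payload == b"REQUEST":
        return Datagram(me, dg.src, b"RESPONSE")
    return Datagram(me, dg.src, b"ERROR: unexpected message")


def hardened_service(me: str, dg: Datagram) -> Optional[Datagram]:
    """Mitigated: an inbound error is logged/dropped, never answered."""
    if dg.payload == b"REQUEST":
        return Datagram(me, dg.src, b"RESPONSE")
    if dg.payload.startswith(b"ERROR"):
        return None
    return Datagram(me, dg.src, b"ERROR: unexpected message")


def exchange(handler: Handler, first: Datagram, max_steps: int = 1000) -> int:
    """Deliver datagrams between A and B until one side stays silent.

    Returns the number of datagrams delivered. Reaching max_steps means the two
    services are stuck in a loop that only an outside action would end.
    """
    assert {first.src, first.dst} == {"A", "B"}
    inflight: Optional[Datagram] = first
    delivered = 0
    while inflight is not None and delivered < max_steps:
        delivered += 1
        inflight = handler(inflight.dst, inflight)   # receiver answers sender
    return delivered


# Constructed trigger: a REQUEST to A whose source field is forged as B.
SPOOFED = Datagram(src="B", dst="A", payload=b"REQUEST")


def is_looping(handler: Handler, max_steps: int = 1000) -> bool:
    return exchange(handler, SPOOFED, max_steps) >= max_steps


if __name__ == "__main__":
    print("naive loops:", is_looping(naive_service))                # True
    print("hardened loops:", is_looping(hardened_service))          # False
    print("hardened steps:", exchange(hardened_service, SPOOFED))   # 3
```

With the hardened handler the forged request still costs three datagrams (request, response, one error), which is why the researchers also list reactive measures: the rule stops the loop, but rate limiting is what bounds the cost of repeated triggers.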


Over 800 npm Packages Found with Discrepancies, 18 Exploitable to ‘Manifest Confusion’ 

New research has discovered over 800 packages in the npm registry which have discrepancies from their registry entries, out of which 18 have been found to exploit a technique called manifest confusion. 

The findings come from cybersecurity firm JFrog, which said the issue could be exploited by threat actors to trick developers into running malicious code. 

Manifest confusion was first documented in July 2023, when security researcher Darcy Clarke found that mismatches in manifest and package metadata could be weaponized to stage software supply chain attacks. 

The problem stems from the fact that the npm registry does not validate whether the manifest file contained in the tarball (package.json) matches the manifest data provided to the npm server during the publishing process via an HTTP PUT request to the package URI endpoint. 

As a result, a threat actor could take advantage of this lack of cross-verification to supply a different manifest containing hidden dependencies that is processed during package installation, stealthily installing malicious dependencies onto the developer’s system. 

The company said it identified more than 800 packages where there was a mismatch between the manifest in the npm registry and the package.json file inside the tarball. 

While many of these mismatches are the result of protocol specification differences or variations in the scripts section of the package file, 18 of them are said to have been designed to exploit manifest confusion. 
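The cross-check the registry does not perform, as an added example that is neither npm code nor JFrog’s tooling: build an npm-style tarball in memory, read the package.json inside it, and report which fields differ from the manifest the registry serves for that version. The package name, dependency and script values are constructed; a real check would fetch the registry manifest and tarball over HTTP.

```python
# Added example (not npm's or JFrog's code): flag manifest confusion by
# comparing a registry manifest with the package.json inside the tarball.
import io
import json
import tarfile

# Fields where a mismatch matters most for install-time behaviour.
FIELDS = ("name", "version", "dependencies", "scripts")


def build_tarball(package_json: dict) -> bytes:
    """Construct an npm-style .tgz in memory (files live under package/)."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest_from_tarball(tgz: bytes) -> dict:
    """Read package/package.json out of a .tgz without touching the disk."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def find_discrepancies(registry_manifest: dict, tgz: bytes) -> dict:
    """Return {field: (registry_value, tarball_value)} for fields that differ."""
    tarball_manifest = manifest_from_tarball(tgz)
    diffs = {}
    for field in FIELDS:
        reg, tar = registry_manifest.get(field), tarball_manifest.get(field)
        if reg != tar:
            diffs[field] = (reg, tar)
    return diffs


# Constructed sample: the registry shows a clean package, but the tarball
# declares a hidden dependency and a postinstall script.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                     "dependencies": {}, "scripts": {}}
TARBALL = build_tarball({"name": "example-pkg", "version": "1.0.0",
                         "dependencies": {"hidden-dep": "^1.0.0"},
                         "scripts": {"postinstall": "node setup.js"}})

if __name__ == "__main__":
    for field, (reg, tar) in find_discrepancies(REGISTRY_MANIFEST, TARBALL).items():
        print(f"{field}: registry={reg!r} tarball={tar!r}")
```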

A notable package in question is yatai-web-ui, which is designed to send an HTTP request to a server with the IP address of the machine on which the package was installed. 

The findings show that the attack vector seems to have never been put to use by threat actors. That said, it’s crucial that developers take steps to ensure the packages are free of suspicious behaviors. 


Biltmore attackers steal user credit card details 

Biltmore, a US-based estate owned by the Vanderbilt family, had its online wine store breached, the company revealed in a breach notification letter. According to Biltmore, it was notified about the attack in mid-February. 

A subsequent investigation revealed that from December 5th, 2023, the attackers used malicious code injected into the store to steal credit card data used to purchase wine on the online store, as well as other information that users submitted to the website. 

According to Biltmore, malicious actors accessed: 

  • Names 
  • Addresses 
  • Email addresses 
  • Payment card numbers 
  • Card expiration dates 
  • Card Verification Values (CVV) and similar security codes 

Exposing payment card data, including expiration dates and CVV values, poses severe risks to users whose data was exposed. Malicious actors can use the information to make unauthorized payments and drain the victim’s funds. Moreover, attackers may try to mask their illicit activities using stolen card details. 

Biltmore emphasized that the attack solely targeted the online store, and that its other systems, such as those for ticket sales, hotel reservations, and in-person purchases made at Biltmore, were unaffected by the incident. 

The organization further mentioned that it has fully replaced its transaction environment and eliminated the malicious code used by attackers to acquire user information. 

The company said it will provide affected individuals with complimentary identity theft and credit monitoring services. 

The Biltmore company controls Biltmore Estate, a historic house museum in North Carolina, USA. The mansion was established in the late 1800s by George Washington Vanderbilt II. The Estate is still controlled by the Vanderbilts. 


Johnson Matthey suffers a third-party breach 

The British multinational chemical and sustainable technology company headquartered in London released a letter on March 18th revealing that it had suffered a third-party breach that occurred months prior. 

The company claims to “value its employees” while being committed to guarding employees’ personal information. Yet the company suffered a cybersecurity incident involving human error. 

The data involved included “employment-related documents” containing employees’ names, Social Security numbers, and dates of birth. 

Johnson Matthey found on February 15th, 2024, that files containing the personal information of US employees had been stored on a third-party storage system. 

In the breach notification letter, the company seems to suggest that it was unaware that this data had been stored on a third-party platform. 

Once the company knew of the incident, it retrieved the files, removed them from the external platform, and investigated the incident. 

Johnson Matthey hasn’t found any evidence to suggest that these files were accessed or downloaded during the four-year period. 

However, the lack of access controls on the external platform implies that adversaries could have easily accessed the data. 

Furthermore, the company has searched external websites and repositories for the data and hasn’t identified any copied or stolen employee information. 

Johnson Matthey is offering two years of identity protection as compensation for the incident. 

The company responded to our request for comment stating that “the incident relates to the personal information of our JM workforce based in the US that was inadvertently left on a third-party storage platform by a contractor hired to work for JM. Upon learning of the situation, all files were immediately located and removed.” 

Moreover, the company is “implementing measures to prevent such occurrences in the future, which includes examining our third-party data management protocols and identifying any supplementary measures required to strengthen our existing safeguards.” 


Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver 

On the first day of Pwn2Own Vancouver 2024, contestants demoed Windows 11, Tesla, and Ubuntu Linux zero-day vulnerabilities and exploit chains to win $732,500 and a Tesla Model 3 car. 

The competition started with Haboob SA’s Abdul Aziz Hariri using an Adobe Reader exploit that combined an API restriction bypass and a command injection bug to gain code execution on macOS to earn $50,000. 

Synacktiv won the Tesla Model 3 and $200,000 after hacking the Tesla ECU with Vehicle (VEH) CAN BUS Control in under 30 seconds using an integer overflow. 

Theori security researchers Gwangun Jung and Junoh Lee earned $130,000 after escaping a VMware Workstation VM to gain code execution as SYSTEM on the host Windows OS using a chain targeting an uninitialized variable bug, a UAF weakness, and a heap-based buffer overflow. 

Reverse Tactics’ Bruno PUJOS and Corentin BAYET collected $90,000 by exploiting two Oracle VirtualBox bugs and a Windows UAF to escape the VM and elevate privileges to SYSTEM. 

The first day of the contest ended with Manfred Paul hacking the Apple Safari, Google Chrome, and Microsoft Edge web browsers, exploiting three zero-day vulnerabilities and winning $102,500. 

Other attempts from the first day of Pwn2Own include: 

  • DEVCORE Research Team earned a $30,000 award after escalating privileges to SYSTEM on a fully patched Windows 11 system using an exploit that targeted two bugs, including a TOCTOU race condition. They were also awarded $10,000 for demoing an already-known Ubuntu Linux local privilege escalation (LPE) exploit. 
  • The KAIST Hacking Lab’s Seunghyun Lee hacked the Google Chrome web browser using a Use-After-Free (UAF) vulnerability to collect $60,000. 
  • Kyle Zeng from ASU SEFCOM demoed another LPE exploit targeting Ubuntu Linux via a race condition to earn $20,000. 
  • Cody Gallagher also won $20,000 for an Oracle VirtualBox out-of-bounds (OOB) write zero-day vulnerability. 
  • Viettel Cyber Security’s Dungdm also hacked Oracle’s VirtualBox using a two-bug exploit chain for $20,000.   

After the zero-days are demoed at Pwn2Own, vendors have 90 days to create and release security patches for all reported flaws before Trend Micro’s Zero Day Initiative discloses them publicly. 

Throughout Pwn2Own Vancouver 2024, security researchers will target fully patched products in the web browser, cloud-native/container, virtualization, enterprise applications, server, local escalation of privilege (EoP), enterprise communications, and automotive categories. 

On the second day, Pwn2Own competitors will attempt to exploit zero-day bugs in Windows 11, VMware Workstation, Oracle VirtualBox, Mozilla Firefox, Ubuntu Desktop, Google Chrome, Docker Desktop, and Microsoft Edge. 

After the two days of the hacking competition, the hackers can earn over $1,300,000, including a Tesla Model 3 car. The top award for hacking a Tesla is now $150,000, and the car itself. 

Competitors can win a maximum award of $500,000 and a Tesla Model 3 car for an exploit that gives complete remote control with unconfined root when targeting the Tesla Autopilot. 

Using a Windows kernel vulnerability, they can also get a $300,000 award for a successful Hyper-V Client guest-to-host escape and a privilege escalation on the host OS. 


Spa Grand Prix email account hacked to phish banking info from fans 

Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher. 

The Spa Grand Prix is a Formula 1 World Championship race held at the Circuit de Spa-Francorchamps in Stavelot, Belgium. This year, the race will take place between July 26 and 28, and tickets are available through the official website. 

The circuit’s challenging layout, historical significance, and dynamic weather conditions make the event one of the most prestigious on the Formula 1 calendar, attracting fans from all over the world. 

In a statement provided to BleepingComputer, the race organizer clarifies that the email account was compromised on Sunday, March 17, 2024, and subsequently, the threat actor sent deceptive emails to an unspecified number of individuals. 

The message informed the recipient that a €50 voucher for purchasing tickets for the F1 Grand Prix could be claimed by clicking on an embedded link. 

The link redirected to a fake website that resembled the official portal of the Spa Grand Prix, where victims were asked for personal details, including banking info. 

SPA GP reacted to the situation “within a few hours” and sent a round of emails to alert customers that the previous message was a phishing attempt, warning them not to click on any links. 

Furthermore, the organization requested its IT security subcontractor to enact supplementary security measures to deter future occurrences. Subsequently, on March 18, a complaint was lodged with the Belgian cyber police. 

Users who purchased tickets previously and are worried about the possibility of their data having been exposed to cybercriminals are advised to contact SPA GP’s secretariat. 

The organization finally emphasized that this incident did not impact its website at “” and the official ticketing system remains fully secure.



New Phishing Attack Uses Clever Microsoft Office Trick to Deploy NetSupport RAT 

A new phishing campaign is targeting U.S. organizations with the intent to deploy a remote access trojan called NetSupport RAT. 

Israeli cybersecurity company Perception Point is tracking the activity under the moniker Operation PhantomBlu. 

NetSupport RAT is a malicious offshoot of a legitimate remote desktop tool known as NetSupport Manager, allowing threat actors to conduct a spectrum of data gathering actions on a compromised endpoint. 

The starting point is a salary-themed phishing email that purports to be from the accounting department and urges recipients to open the attached Microsoft Word document to view the “monthly salary report.” 

A closer analysis of the email message headers – particularly the Return-Path and Message-ID fields – shows that the attackers use a legitimate email marketing platform called Brevo (formerly Sendinblue) to send the emails. 

The Word document, upon opening, instructs the victim to enter a password provided in the email body and enable editing, followed by double-clicking a printer icon embedded in the doc to view the salary graph. 

Doing so opens a ZIP archive file (“”) containing one Windows shortcut file, which functions as a PowerShell dropper to retrieve and execute a NetSupport RAT binary from a remote server. 

The development comes as Resecurity revealed that threat actors are increasingly abusing public cloud services like Dropbox, GitHub, IBM Cloud, and Oracle Cloud Storage, as well as Web 3.0 data-hosting platforms built on the InterPlanetary File System (IPFS) protocol such as Pinata to generate fully undetectable (FUD) phishing URLs using off-the-shelf kits. 

Such FUD links are offered on Telegram by underground vendors like BulletProofLink, FUDLINKSHOP, FUDSENDER, ONNX, and XPLOITRVERIFIER for prices starting at $200 per month as part of a subscription model. These links are further secured behind antibot barriers to filter incoming traffic and evade detection. 

Also complementing these services are tools like HeartSender that make it possible to distribute the generated FUD links at scale. The Telegram group associated with HeartSender has nearly 13,000 subscribers. 




    Copyright Smarttech247 - 2021