Friday, August 5th, 2022
Cybersecurity Week in Review (5/8/22)
LockBit Ransomware Abuses Windows Defender to Deploy Cobalt Strike Payload
A ransomware-as-a-service (RaaS) affiliate with ties to LockBit 3.0 has been observed abusing the Windows Defender command-line tool to decrypt and load Cobalt Strike payloads.
The incident occurred on an unpatched VMware Horizon server, with initial access gained through the Log4Shell vulnerability. Once inside, the attackers ran a series of enumeration commands and deployed multiple post-exploitation tools, including Meterpreter, PowerShell Empire and a new way to side-load Cobalt Strike.
LockBit 3.0, the latest iteration of the LockBit RaaS, emerged in June of this year after its operators addressed weaknesses found in previous operations. Besides a revamped leak site to name and shame non-paying victims and publish stolen data, it includes a new search tool that makes it easier to find specific victim data.
A similar attack in April 2022 used a different command-line tool for the same purpose; in this incident the abused tool is MpCmdRun.exe. MpCmdRun.exe is a legitimate command-line utility for Microsoft Defender Antivirus, used to run scans, collect diagnostic data and restore the service to a previous version, among other functions.
The initial access was followed by the download of a Cobalt Strike payload from a remote server, which was then decrypted and loaded through the Defender utility. Because the loader is a signed Microsoft binary, the activity is harder to distinguish from normal Defender operation than a custom loader would be.
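The detection a defender wants for this technique is not "MpCmdRun.exe ran" (it runs constantly on healthy hosts) but "MpCmdRun.exe ran from, or loaded a DLL from, somewhere other than Defender's own directories". The following is an added example written for this review, not code from the SentinelOne report or from Microsoft. The event records are constructed and mimic Sysmon ProcessCreate (EventID 1) and ImageLoad (EventID 7) fields; the copied-binary path and the DLL name used in the sample are assumptions for illustration, not indicators from the report.

```python
"""Heuristic for Defender LOLBin side-loading: flag MpCmdRun.exe that is
launched from outside Microsoft Defender's install directories, or that
loads a module which is not Microsoft-signed or lives outside Defender's
directories and C:\\Windows.  Sample events are constructed."""
import ntpath
import re

# Directories where the legitimate MpCmdRun.exe and its companion DLLs live.
# The Platform\<version>\ folder changes with every engine update, so it is a regex.
TRUSTED_DIRS = [
    re.compile(r"^c:\\program files\\windows defender\\", re.I),
    re.compile(r"^c:\\programdata\\microsoft\\windows defender\\platform\\[^\\]+\\", re.I),
]
WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)

LEGIT = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\MpCmdRun.exe"
COPIED = r"C:\Users\Public\MpCmdRun.exe"  # assumed attacker staging path

SAMPLE_EVENTS = [  # constructed Sysmon-style records
    {"EventID": 1, "ProcessId": 4120, "Image": LEGIT, "CommandLine": LEGIT + " -Scan -ScanType 1"},
    {"EventID": 7, "ProcessId": 4120, "Image": LEGIT,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "ProcessId": 4120, "Image": LEGIT,
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2205.7-0\mpclient.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "ProcessId": 5236, "Image": COPIED, "CommandLine": COPIED + " -Scan -ScanType 1"},
    {"EventID": 7, "ProcessId": 5236, "Image": COPIED,
     "ImageLoaded": r"C:\Users\Public\mpclient.dll", "Signed": "false", "Signature": ""},  # assumed DLL name
    {"EventID": 1, "ProcessId": 6001, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]


def in_trusted_dir(path):
    """True if path sits inside one of Defender's own install directories."""
    return any(rx.match(path) for rx in TRUSTED_DIRS)


def is_mpcmdrun(path):
    return ntpath.basename(path).lower() == "mpcmdrun.exe"


def analyse(events):
    """Return (ProcessId, reason) tuples for suspicious MpCmdRun.exe activity."""
    findings = []
    for ev in events:
        if not is_mpcmdrun(ev["Image"]):
            continue
        if ev["EventID"] == 1 and not in_trusted_dir(ev["Image"]):
            # The binary was copied to a writeable location: the side-loading setup step.
            findings.append((ev["ProcessId"], "MpCmdRun.exe launched from untrusted path " + ev["Image"]))
        elif ev["EventID"] == 7:
            dll = ev["ImageLoaded"]
            ms_signed = ev.get("Signed") == "true" and "microsoft" in ev.get("Signature", "").lower()
            if not ms_signed:
                findings.append((ev["ProcessId"], "MpCmdRun.exe loaded non-Microsoft-signed module " + dll))
            elif not (in_trusted_dir(dll) or WINDOWS_DIR.match(dll)):
                findings.append((ev["ProcessId"], "MpCmdRun.exe loaded module from unexpected path " + dll))
    return findings


if __name__ == "__main__":
    for pid, reason in analyse(SAMPLE_EVENTS):
        print(pid, reason)
```

The legitimate scan in the sample produces no findings even though it loads a Defender DLL, while the copied binary is flagged twice: once at launch and once when it loads an unsigned DLL beside itself. In production the same two rules map onto Sysmon event IDs 1 and 7 (or the Defender/EDR equivalents) and should be paired with an alert on MpCmdRun.exe spawning from an unusual parent.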
The findings come as initial access brokers (IABs) are actively selling access to company networks, including those of managed service providers (MSPs), to other threat actors for profit, in turn offering a way to compromise downstream customers.
North Korean Hackers Use Malicious Browser Extension To Steal Emails From Chrome
A malicious browser extension called SHARPEXT is being used by Kimsuky, the North Korean hacking group, to target major web browsers.
The extension intercepts and steals emails and works in three Chromium-based browsers: Google Chrome, Microsoft Edge and Naver's Whale.
After compromising the target's system with a custom VBS script, the attackers install the extension by replacing the browser's Preferences and Secure Preferences files with versions downloaded from the malware's C2 server.
It is very difficult to detect because the extension operates inside the victim's already-logged-in webmail session, so no suspicious-activity alert is triggered on the victim's account.
The threat actor can gather a great deal of information while remaining undetected, including contact details and every domain the victim visited, and can also upload data.
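Because the extension arrives by rewriting the profile's preference files rather than through the Web Store, the profile itself is where to look. The following is an added example for this review, not code from Volexity's SHARPEXT analysis or from the Chromium project: it parses a Chromium "Secure Preferences" file and flags extensions that did not come from the Chrome Web Store, were loaded unpacked from disk, or hold broad host access plus request-interception APIs. The JSON is constructed, and the location codes (4 = unpacked, 5 and 10 = component extensions shipped with the browser) are my reading of Chromium's extension prefs, stated here as assumptions.

```python
"""Audit the extensions recorded in a Chromium profile's Secure Preferences
file.  The sample profile below is constructed; extension IDs are fake."""
import json

# Manifest::Location codes as assumed from Chromium source.
LOCATION_UNPACKED = 4
LOCATION_COMPONENT = {5, 10}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_APIS = {"webRequest", "webRequestBlocking", "cookies"}

SAMPLE_SECURE_PREFS = json.dumps({  # constructed profile
    "extensions": {"settings": {
        "cbhjkdlmopabmkfhnidpkgijhcfmhlbn": {            # normal Web Store install
            "from_webstore": True, "location": 1, "state": 1,
            "path": "cbhjkdlmopabmkfhnidpkgijhcfmhlbn\\1.53.0_0",
            "manifest": {"name": "Docs Offline", "permissions": ["alarms", "storage"]},
        },
        "abcdefghijklmnopabcdefghijklmnop": {            # component extension built into the browser
            "from_webstore": False, "location": 5, "state": 1,
            "manifest": {"name": "Web Store Payments", "permissions": ["identity"]},
        },
        "ponmlkjihgfedcbaponmlkjihgfedcba": {            # planted: unpacked, sees every site, hooks requests
            "from_webstore": False, "location": LOCATION_UNPACKED, "state": 1,
            "path": "C:\\Users\\victim\\AppData\\Roaming\\ext\\",   # assumed drop location
            "manifest": {"name": "Mail Helper",
                         "permissions": ["<all_urls>", "webRequest", "cookies", "tabs"]},
        },
    }}
})


def audit_extensions(secure_prefs_text):
    """Return [{id, name, reasons}] for extensions worth a closer look."""
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        if entry.get("location") in LOCATION_COMPONENT:
            continue  # ships with the browser; also has from_webstore=False, so skip to avoid noise
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if entry.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from " + entry.get("path", "?"))
        if perms & BROAD_HOSTS:
            reasons.append("host access to all sites")
        if perms & RISKY_APIS:
            reasons.append("sensitive APIs: " + ", ".join(sorted(perms & RISKY_APIS)))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_SECURE_PREFS):
        print(f["id"], f["name"])
        for r in f["reasons"]:
            print("  -", r)
```

On a Windows host the file is `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Secure Preferences` (Edge and Whale keep theirs under their own `User Data` trees); run the audit across every profile. The component-extension skip matters: a real profile lists a dozen built-in extensions with `from_webstore` false, and without it the report is all noise.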
Source – https://cybersecuritynews.com/north-korean-hacker-browser-extension/
Android Apps on Google Play Store to Distribute Banking Malware as Document Scanners
A malicious campaign distributing banking malware has compromised users' devices through Android apps published on the Google Play Store.
It was carried out through 17 seemingly harmless Android dropper apps, tracked collectively as DawDropper, that masqueraded as document scanners, VPN services, QR code readers and similar utilities. The affected apps have since been removed from the store.
To evade detection and obtain the payload download address dynamically, DawDropper relies on a third-party cloud service, Firebase Realtime Database. This lets it pass Google Play's security checks and then fetch more powerful and invasive malware, such as Octo and Hydra, onto the device without the store noticing.
A similar dropper, Clast82, was identified in March of last year. Both Clast82 and DawDropper use Firebase Realtime Database as their command-and-control (C&C) channel to keep their operations as seamless as possible.
Thousands of Apps Leaking Twitter API Keys
Over 3,200 mobile apps have been found to be leaking Twitter API keys, potentially enabling threat actors to perform account takeovers.
Twitter's API is designed to let developers access the platform and embed parts of its functionality in their own software, with authentication done via keys or tokens. However, on many occasions developers with limited security know-how have accidentally left those keys embedded in their apps, where anyone who unpacks the binary can read them.
The affected apps leaked a valid Consumer Key and Consumer Secret, potentially allowing malicious actors to act through the linked accounts and build a large army of bot accounts. This could be abused to perform a range of sensitive actions, including reading direct messages, retweeting, liking, deleting, removing followers, following accounts and changing display pictures.
An attacker could use this to spread misinformation globally, run large-scale malware campaigns aimed at the followers of compromised accounts, launch spam campaigns facilitating investment fraud, or automate phishing to enable follow-on social engineering.
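The practical check is to scan your own decompiled app (resources and sources) before an attacker does. The following is an added example for this review, not code from the CloudSEK research: it flags lines that mention Twitter, consumer keys or OAuth and contain an alphanumeric token of Consumer Key length (25) or Consumer Secret length (50). Those lengths are the commonly observed ones for Twitter app credentials and are an assumption of this example; the sample sources are constructed and contain no real credentials.

```python
"""Secret-scanning heuristic for embedded Twitter app credentials in
decompiled Android sources and resources.  Sample input is constructed."""
import re

# A line is only considered if it carries some Twitter/OAuth context.
KEYWORDS = re.compile(r"twitter|consumer|oauth|api[_-]?(key|secret)", re.I)
# Lookarounds rather than \b so that "_" around a token does not break the match.
CANDIDATES = {
    "consumer_key": re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{25}(?![A-Za-z0-9])"),
    "consumer_secret": re.compile(r"(?<![A-Za-z0-9])[A-Za-z0-9]{50}(?![A-Za-z0-9])"),
}

SAMPLE_SOURCES = {  # constructed; values are made up
    "res/values/strings.xml": """<resources>
    <string name="app_name">LoanTracker</string>
    <string name="twitter_consumer_key">Q4k8xYz2Lm9aNp3Rt7Vw1Bc5D</string>
    <string name="build_id">Z9y8X7w6V5u4T3s2R1q0P9o8N</string>
</resources>""",
    "sources/com/example/loan/TwitterClient.java": """package com.example.loan;
public class TwitterClient {
    private static final String CONSUMER_SECRET = "aB3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0eF3hI6kL9nO2qR5tU8wX";
    private static final String BASE_URL = "https://api.twitter.com/1.1/";
}""",
}


def find_twitter_credentials(sources):
    """sources: {filename: text}.  Returns [{file, line, kind, value}]."""
    hits = []
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if not KEYWORDS.search(line):
                continue  # a 25-char build id with no Twitter context is not a key
            for kind, rx in CANDIDATES.items():
                for m in rx.finditer(line):
                    hits.append({"file": fname, "line": lineno, "kind": kind, "value": m.group(0)})
    return hits


if __name__ == "__main__":
    for h in find_twitter_credentials(SAMPLE_SOURCES):
        print(f'{h["file"]}:{h["line"]}: {h["kind"]} = {h["value"][:6]}...')
```

Run it over the output of apktool or jadx. The `build_id` line shows why the keyword gate is there: length alone produces false positives. Any hit should be treated as already compromised: rotate the key pair in the developer portal and move the OAuth exchange to a backend the app talks to, so the Consumer Secret never ships in the binary.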
Source – https://www.infosecurity-magazine.com/news/thousands-of-apps-leaking-twitter?utm_source=twitterfeed&utm_medium=twitter
Chinese Hackers Using New Manjusaka Hacking Framework Similar to Cobalt Strike
A new offensive framework called Manjusaka is being described as a "Chinese sibling of Sliver and Cobalt Strike."
A fully functional version of its command-and-control (C2) server, written in Golang with a user interface in Simplified Chinese, is freely available and can generate new implants with custom configurations with ease, increasing the likelihood of wider adoption by malicious actors.
Believed to have been developed in the Guangdong region of China, Manjusaka uses implants written in Rust and is advertised as an equivalent to Cobalt Strike, with the ability to target both Windows and Linux systems.
The implant offers a multitude of remote access trojan (RAT) capabilities, covering standard functionality plus a dedicated file management module. Its features include executing arbitrary commands, harvesting browser credentials, gathering Wi-Fi passwords, capturing screenshots and collecting comprehensive system information. The file management module handles a wide range of activities, such as enumerating files and managing files and directories on the compromised system.
Also part of the Chinese-language framework is the C2 server executable, coded in Golang and available on GitHub at "hxxps://github[.]com/YDHCUI/manjusaka." A third component is an admin panel built on the Gin web framework that lets an operator create customised versions of the Rust implant. The server binary, for its part, monitors and administers infected endpoints, generates the appropriate Rust implant for each operating system, and issues the necessary commands.
The discovery, alongside similar tooling such as Brute Ratel, shows how popular widely available offensive frameworks have become with both crimeware and APT operators, and that such tooling is increasingly written in modern, portable programming languages.
Ukraine takes down 1,000,000 bots used for disinformation
A massive bot farm of 1,000,000 bots used to spread disinformation on social networks has been shut down by the Security Service of Ukraine (SSU).
The aim of the bot farm was to destabilise the social and political situation in the country, creating internal strife by discrediting information coming from official Ukrainian sources.
The operators are believed to be members of Russian special services, and the criminal group's leader is a Russian "political expert" who previously lived in Kyiv. Since the activities he ordered were carried out by people inside Ukraine, the investigation is still under way to uncover other participants, who will be charged under Article 361.2 of the country's criminal code.
The now-dismantled bot farm was located in Kyiv, Kharkiv and Vinnytsia and relied on 1,000,000 bots to spread disinformation. To create this online army, the threat actors used 5,000 SIM cards to register new social media accounts, and 200 proxy servers to hide their real IP addresses and evade detection and blocking by the social media platforms. According to the SSU, the operators developed and deployed custom software to remotely manage the pseudonymous accounts, coordinating them to push the required propaganda messages.
This is the latest Russian disinformation attempt since the invasion this year. From the start of the war, the SSU has identified and neutralised over 1,200 cyberattacks against the state and other critical entities and has reported and taken down 500 YouTube channels that collectively had 15 million subscribers. On top of that, the agency has reported 1,500 Telegram channels and bots and another 1,500 Facebook, Instagram and TikTok accounts for spreading Russian propaganda.
Source – https://www.bleepingcomputer.com/news/security/ukraine-takes-down-1-000-000-bots-used-for-disinformation/
Hackers steal almost $200 million from crypto firm Nomad
Hackers have stolen roughly $190m worth of cryptocurrency from users of the crypto firm Nomad.
On August 1, Nomad confirmed the theft in a tweet that said: “We are aware of the incident involving the Nomad token bridge. We are currently investigating and will provide updates when we have them.”
Nomad develops a token bridge: software that connects different blockchains, such as Ethereum, so that cryptocurrency holders can swap their digital assets across chains without going through a third party as a go-between.
This adds to the more than $1 billion stolen from other bridges this year alone, such as the $100m worth of tokens taken from Harmony in June and the $615m worth of cryptocurrency drained from the Ronin Bridge in March. These thefts point to the weaknesses of blockchain token bridges and the difficulty of securing cross-chain transactions, since a bridge holds every asset deposited on one side and must correctly verify every withdrawal claim on the other.
On August 2, Nomad posted a follow-up tweet with updates on the incident. The company said it is working with leading chain analysis and intelligence firms as well as law enforcement to trace and try to recover the stolen funds. It also said it is developing technical fixes and an action plan, presumably to prevent similar thefts in future.
Nomad is now relying on the goodwill of white hat hackers to return some of the stolen currency. The company said it is working with the custodian bank Anchorage Digital to accept and secure ETH and ERC-20 (Ethereum Request for Comments 20) tokens at a specific wallet address. The home page of Nomad's website is even displaying a notice calling on "White Hat Hacker Friends" to return ETH or ERC-20 to that address. Otherwise, recovering the stolen funds may be difficult.
Microsoft accounts targeted with new MFA-bypassing phishing kit
A new large-scale phishing campaign targeting credentials for Microsoft email services is using a custom proxy-based phishing kit to bypass multi-factor authentication (MFA).
The campaign targets the finance sector, such as accounting and lending organisations in the US, UK, Australia and NZ, with Business Email Compromise (BEC) attacks that divert payments to attacker-controlled bank accounts using falsified documents.
Starting in June 2022, the campaign has used typosquatted domains impersonating legitimate federal credit unions in the United States, such as crossvalleyfcv[.]org and Triboro-fcv[.]org (note "fcv" in place of "fcu"), to gain access. Another set of phishing sites used domain names built around password-reset lures, such as expiryrequest-mailaccess[.]com and expirationrequest-passwordreminder[.]com.
With organisations becoming more security-aware and adopting multi-factor authentication, holding a user's credentials is no longer enough to gain access. To bypass MFA, threat actors are turning to reverse-proxy tools such as Evilginx2, Muraena and Modlishka.
The email service requests the MFA code during login, and the phishing kit relays that request to the victim, who enters the one-time password (OTP) on the phishing page. The kit forwards it to the email service, which completes the login. Because the phishing proxy sits in the middle of this exchange, it captures the resulting session cookies, and the threat actors can then replay those cookies to access the account without being challenged for MFA again.
What makes this campaign stand out is a custom proxy-based phishing kit that uses the "Beautiful Soup" Python HTML and XML parsing library, which lets the kit easily modify legitimate login pages pulled from corporate logins and add its own phishing elements.
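The weak point of the flow described above is the replay: the MFA-verified sign-in and the later use of the stolen cookie come from two different clients. The following is an added example for this review, not code from the Zscaler research or from any vendor's sign-in log product: it groups sign-in records by session and flags a session that was issued after an MFA success and then used, within a short window, from a different IP address and user agent. The records are constructed and the field names are generic.

```python
"""Session-cookie replay heuristic for adversary-in-the-middle phishing.
A session created by an MFA sign-in that is next seen from a different
IP address AND a different user agent within the window is flagged.
Sign-in records below are constructed; IPs are documentation ranges."""
from datetime import datetime, timedelta

SIGNIN_EVENTS = [  # constructed
    # victim signs in through the phishing proxy; the service sees the proxy's IP
    {"time": "2022-07-12T09:02:11Z", "user": "ap@example-fcu.org", "session": "s1",
     "ip": "203.0.113.25", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/103.0", "mfa": True},
    # attacker replays the captured cookie from their own machine
    {"time": "2022-07-12T09:05:40Z", "user": "ap@example-fcu.org", "session": "s1",
     "ip": "198.51.100.7", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102.0", "mfa": False},
    # ordinary user: MFA sign-in, then continued use from the same client
    {"time": "2022-07-12T10:15:02Z", "user": "cfo@example-fcu.org", "session": "s2",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "mfa": True},
    {"time": "2022-07-12T11:30:00Z", "user": "cfo@example-fcu.org", "session": "s2",
     "ip": "192.0.2.44", "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "mfa": False},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_session_replays(events, window=timedelta(hours=1)):
    """Return [{user, session, issued_from, replayed_from, seconds}] findings."""
    issued = {}   # session id -> the MFA sign-in that created it
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        sid = ev["session"]
        if ev["mfa"]:
            issued[sid] = ev  # (re)issue point for this session
            continue
        origin = issued.get(sid)
        if origin is None:
            continue  # no MFA origin on record for this session; nothing to compare against
        # Requiring both IP and UA to change keeps a user roaming between
        # networks on the same laptop from tripping the rule.
        moved_client = ev["ip"] != origin["ip"] and ev["ua"] != origin["ua"]
        delta = parse_time(ev["time"]) - parse_time(origin["time"])
        if moved_client and delta <= window:
            findings.append({
                "user": ev["user"], "session": sid,
                "issued_from": origin["ip"], "replayed_from": ev["ip"],
                "seconds": int(delta.total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_session_replays(SIGNIN_EVENTS):
        print(f'{f["user"]}: session {f["session"]} issued to {f["issued_from"]}, '
              f'replayed from {f["replayed_from"]} after {f["seconds"]}s')
```

The response to a hit is to revoke the session (and refresh tokens) and force re-authentication, not just to alert. The rule is a detection of last resort: phishing-resistant MFA such as FIDO2/WebAuthn binds the credential to the real origin, so a proxy on `crossvalleyfcv[.]org` cannot complete the login in the first place.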
Hackers Exploited Atlassian Confluence Bug to Deploy Ljl Backdoor for Espionage
It is highly likely that a security flaw in an outdated Atlassian Confluence server was exploited to deploy a never-before-seen backdoor against an unnamed organisation in the research and technical services sector.
The intrusion, which took place at the end of May over a seven-day period, has been attributed to a threat activity cluster that cybersecurity firm Deepwatch tracks as TAC-040. Malicious commands were executed with tomcat9.exe in Atlassian's Confluence directory as the parent process, after which the threat actors enumerated the local system, network and Active Directory environment.
The vulnerability suspected to have been exploited is CVE-2022-26134, an Object-Graph Navigation Language (OGNL) injection flaw that allows arbitrary code execution on a Confluence Server or Data Center instance.
The attack is thought to be espionage-related, but financial gain has not been ruled out, as a loader for an XMRig cryptocurrency miner was found on the system. While there is no evidence the miner was executed in this incident, the Monero address owned by the threat actors has netted at least 652 XMR ($106,000) by hijacking the computing resources of other systems to mine cryptocurrency illicitly.
A previously undocumented implant called Ljl Backdoor was deployed and exfiltrated roughly 700 MB of archived data before the server was taken offline. The malware is a fully featured trojan designed to gather files and user accounts, load arbitrary .NET payloads, and collect system information as well as the victim's geographic location.
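Since CVE-2022-26134 is an OGNL injection carried in the request path, the web server's access log is the cheapest place to look back for attempts against an unpatched instance. The following is an added example for this review, not code from Deepwatch or Atlassian: it parses Tomcat combined-format access log lines, URL-decodes each request path repeatedly so that an extra layer of percent-encoding does not hide the braces, and reports any `${...}` expression. The log lines are constructed (the IPs are documentation ranges) and the decode limit of three rounds is an assumption.

```python
"""Find OGNL expression injection attempts in the request path of Tomcat
access logs.  Sample log is constructed."""
import re
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
OGNL_EXPR = re.compile(r"\$\{.*?\}")

SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [31/May/2022:13:58:41 +0000] "GET /pages/viewpage.action?pageId=327683 HTTP/1.1" 200 18422
192.0.2.10 - - [31/May/2022:13:59:02 +0000] "GET /display/DOCS/Pricing+in+%24 HTTP/1.1" 200 9120
198.51.100.23 - - [31/May/2022:14:02:09 +0000] "GET /%24%7B7*7%7D/ HTTP/1.1" 302 0
203.0.113.77 - - [31/May/2022:14:02:31 +0000] "GET /%24%7b%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29%7d/ HTTP/1.1" 302 0
198.51.100.23 - - [31/May/2022:14:03:15 +0000] "GET /%2524%257B7*7%257D/ HTTP/1.1" 302 0
"""


def decode_fully(s, max_rounds=3):
    """URL-decode until the string stops changing (bounded to avoid pathological input)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return decoded
        s = decoded
    return s


def find_ognl_attempts(log_text):
    """Return [{ip, time, status, expression, raw}] for requests carrying ${...} in the path."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        # The vulnerable evaluation is of the path, so the query string is ignored here.
        path = m.group("target").split("?", 1)[0]
        expr = OGNL_EXPR.search(decode_fully(path))
        if expr:
            findings.append({
                "ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
                "expression": expr.group(0), "raw": path,
            })
    return findings


if __name__ == "__main__":
    for f in find_ognl_attempts(SAMPLE_ACCESS_LOG):
        print(f'{f["time"]} {f["ip"]} {f["status"]} {f["expression"]}')
```

The second sample line shows why a bare `$` is not enough to alert on: a legitimate page title encoded as `%24` decodes to a dollar sign with no braces. A hit with a 302 response on a vulnerable version is consistent with the published exploitation pattern, so the next pivot is to child processes of tomcat9.exe (or the Linux Tomcat java process) around that timestamp, which is exactly where Deepwatch found the enumeration commands in this case.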
Source – https://thehackernews.com/2022/08/hackers-exploited-atlassian-confluence.html