Friday, September 9th, 2022
Cybersecurity Week in Review (9/9/22)
Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts
A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited. The vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information.
BackupBuddy allows users to back up their entire WordPress installation from within the dashboard, including theme files, pages, posts, widgets, users, and media files, among others.
The plugin is estimated to have around 140,000 active installations, with the flaw (CVE-2022-31474, CVSS score: 7.5) affecting versions 184.108.40.206 to 220.127.116.11. It’s been addressed in version 8.7.5 released on September 2, 2022.
The issue is rooted in the function called “Local Directory Copy” that’s designed to store a local copy of the backups. The vulnerability is the result of the insecure implementation, which enables an unauthenticated threat actor to download any arbitrary file on the server.
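An added illustration (not BackupBuddy's own code) of the control whose absence turns a "download this local backup copy" endpoint into an arbitrary file read: the requested name is canonicalised and confined to the backup directory, and the handler still needs an authentication/capability check in front of it, which is assumed here and not shown.

```python
"""Confine a user-supplied download name to the backup directory.
Hypothetical helper, not the plugin's implementation."""
import os
import tempfile
from typing import Optional


def resolve_download_path(backup_dir: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` if it lies inside backup_dir,
    else None. realpath() collapses '..' segments and follows symlinks,
    so neither can be used to escape the directory."""
    base = os.path.realpath(backup_dir)
    # The client may only name a file relative to the backup directory.
    if os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares path segments, so "/backups-evil" is not
    # mistaken for a child of "/backups" as a plain prefix check would.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Constructed layout: one legitimate backup, one secret outside the
    directory, and a symlink inside pointing at it. Returns, per request,
    whether the handler would have served the file."""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    os.mkdir(backups)
    with open(os.path.join(backups, "site-2022-09-02.zip"), "wb") as f:
        f.write(b"PK\x03\x04")  # constructed stub archive
    secret = os.path.join(root, "wp-config.php")
    with open(secret, "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed');\n")
    try:
        os.symlink(secret, os.path.join(backups, "link-out"))
    except OSError:
        pass  # symlinks unavailable on this platform; case still fails closed
    requests = ["site-2022-09-02.zip", "../wp-config.php", "link-out", secret]
    return {r: resolve_download_path(backups, r) is not None for r in requests}
```

Only the genuine backup name resolves; the traversal, the symlink and the absolute path are all refused.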
Wordfence noted that the targeting of CVE-2022-31474 commenced on August 26, 2022, and that it has blocked nearly five million attacks in the intervening time period. Most of the intrusions have attempted to read the below files –
New Vulnerabilities Reported in Baxter’s Internet-Connected Infusion Pumps
Multiple security vulnerabilities have been disclosed in Baxter’s internet-connected infusion pumps used by healthcare professionals in clinical environments to dispense medication to patients.
Infusion pumps are internet-enabled devices used by hospitals to deliver medication and nutrition directly into a patient’s circulatory system.
The four vulnerabilities discovered affect Sigma Spectrum Infusion systems such as Sigma Spectrum v6.x model 35700BAX and Baxter Spectrum IQ (v9.x) model 35700BAX3.
The list of flaws uncovered includes –
- CVE-2022-26390 (CVSS score: 4.2) – Storage of network credentials and patient health information (PHI) in unencrypted format
- CVE-2022-26392 (CVSS score: 2.1) – A format string vulnerability when running a Telnet session
- CVE-2022-26393 (CVSS score: 5.0) – A format string vulnerability when processing Wi-Fi SSID information, and
- CVE-2022-26394 (CVSS score: 5.5) – Missing mutual authentication with the gateway server host
Successful exploitation of the above vulnerabilities could cause a remote denial-of-service (DoS), or enable an attacker with physical access to the device to extract sensitive information or alternatively carry out adversary-in-the-middle attacks.
Baxter, in an advisory, emphasized that the issues only affect customers who use the wireless capabilities of the Spectrum Infusion System, but also cautioned it could lead to a delay or interruption of therapy should the flaws be weaponized.
The latest findings are yet another indication of how common software vulnerabilities continue to plague the medical industry, a concerning development given their potential implications affecting patient care.
Some Members of Conti Group Targeting Ukraine in Financially Motivated Attacks
Five different campaigns targeting Ukraine from April to August 2022 have been attributed to former members of the Conti cybercrime cartel.
UAC-0098 is a threat actor that historically delivered the IcedID banking trojan, leading to human-operated ransomware attacks. It is believed to have functioned as an initial access broker for ransomware groups such as Quantum and Conti (aka FIN12, Gold Ulrick, or Wizard Spider), the former of which was subsumed by the latter in April 2022.
The group was also thought to have exploited the Follina vulnerability (CVE-2022-30190) in the Windows operating system to deploy CrescentImp and Cobalt Strike Beacons on targeted hosts in media and critical infrastructure entities in June of this year.
But this appears to be a part of a series of attacks that commenced way back in late April 2022 distributing IcedID and Cobalt Strike directed against Ukrainian organizations, repeatedly striking the hospitality sector.
UAC-0098 is also said to have leveraged a compromised account of a hotel in India to send malware-laced attachments to organizations working in the hospitality industry in Ukraine, before expanding to humanitarian NGOs in Italy.
UAC-0098 is far from the only Conti-affiliated hacking group to set its sights on Ukraine since the onset of the war. The TrickBot gang orchestrated six different campaigns to systematically target the country with a plethora of malware.
North Korean Hackers Deploying New MagicRAT Malware in Targeted Campaigns
A new remote access trojan called MagicRAT has been linked to prolific North Korean nation-state actor, Lazarus Group.
The malware is deployed in victim networks that were initially breached via successful exploitation of internet-facing VMware Horizon servers.
Lazarus Group, also known as APT38, Dark Seoul, Hidden Cobra, and Zinc, refers to a cluster of financially motivated and espionage-driven cyber activities undertaken by the North Korean government as a means to sidestep sanctions imposed on the country and meet its strategic objectives.
The state-sponsored hacking collective also has spin-off groups such as Bluenoroff and Andariel, which focus on specific kinds of attacks and targets.
A C++-based implant, MagicRAT is designed to achieve persistence by creating scheduled tasks on the compromised system. It’s also rather simple in that it provides the attacker with a remote shell to execute arbitrary commands and carry out file operations.
MagicRAT is also capable of launching additional payloads retrieved from a remote server on infected hosts. One of the executables retrieved from the command-and-control (C2) server takes the form of a GIF image file, but in reality is a lightweight port scanner.
The discovery of MagicRAT in the wild is an indication of Lazarus’ motivations to rapidly build new, bespoke malware to use along with their previously known malware such as TigerRAT to target organizations worldwide.
New Stealthy Shikitega Malware Targeting Linux Systems and IoT Devices
A new piece of stealthy Linux malware called Shikitega has been uncovered. The malware adopts a multi-stage infection chain to compromise endpoints and IoT devices and deposit additional payloads.
An attacker can gain full control of the system, in addition to executing a cryptocurrency miner that is set to persist. Shikitega adds to a growing list of Linux malware found in the wild in recent months, including BPFDoor, Symbiote, Syslogk, OrBit, and Lightning Framework.
Once deployed on a targeted host, the attack chain downloads and executes Metasploit’s Mettle meterpreter to maximize control, exploits vulnerabilities to elevate its privileges, adds persistence on the host via crontab, and ultimately launches a cryptocurrency miner on infected devices.
Shikitega is also very evasive in its ability to download next-stage payloads from a command-and-control (C2) server and execute them directly in memory.
Privilege escalation is achieved by means of exploiting CVE-2021-4034 (aka PwnKit) and CVE-2021-3493, enabling the adversary to abuse the elevated permissions to fetch and execute the final stage shell scripts with root privileges to establish persistence and deploy the Monero crypto miner.
Shikitega is also indicative of a trend toward malicious actors expanding their attack reach to accommodate the Linux operating system that’s widely used in cloud platforms and servers across the world, contributing to a surge in LockBit and Cheerscrypt ransomware infections.
Holiday Inn hotels hit by cyber-attack
Holiday Inn owner, Intercontinental Hotels Group (IHG), has confirmed the company has been hit by a cyber-attack.
The UK-based company said its “booking channels and other applications” had been disrupted since Monday. It confirmed it was assessing the nature, extent and impact of the incident and had implemented its response plans, including appointing external specialists to investigate the breach, and had notified the authorities.
In a statement, the company said: “We will be supporting hotel owners and operators as part of our response to the ongoing service disruption. IHG’s hotels are still able to operate and to take reservations directly.”
IHG did not say there had been any loss of customer data. It also did not specifically say it was a ransomware attack, but most of the speculation points in that direction.
Critical RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released
Networking equipment maker Zyxel has released patches for a critical security flaw impacting its network-attached storage (NAS) devices.
Tracked as CVE-2022-34747 with a CVSS score of 9.8, the issue relates to a format string vulnerability affecting NAS326, NAS540, and NAS542 models.
The disclosure comes as Zyxel previously addressed local privilege escalation and authenticated directory traversal vulnerabilities (CVE-2022-30526 and CVE-2022-2030) affecting its firewall products in July. In June 2022, it also remediated a security vulnerability (CVE-2022-0823) that left GS1200 series switches susceptible to password-guessing attacks via a timing side-channel attack.
Hacking NAS devices is becoming a common practice. If you don’t take precautions or keep the software up to date, attackers can steal your sensitive and personal data. In some instances, they even manage to permanently delete data.
Mirai Variant MooBot Botnet Exploiting D-Link Router Vulnerabilities
A variant of the Mirai botnet known as MooBot is co-opting vulnerable D-Link devices into an army of denial-of-service bots by taking advantage of multiple exploits.
MooBot has previously targeted LILIN digital video recorders and Hikvision video surveillance products to expand its network.
Four different flaws in D-Link devices, both old and new, have paved the way for the deployment of MooBot samples. These include –
- CVE-2015-2051 (CVSS score: 10.0) – D-Link HNAP SOAPAction Header Command Execution Vulnerability
- CVE-2018-6530 (CVSS score: 9.8) – D-Link SOAP Interface Remote Code Execution Vulnerability
- CVE-2022-26258 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability, and
- CVE-2022-28958 (CVSS score: 9.8) – D-Link Remote Command Execution Vulnerability
Successful exploitation of the aforementioned flaws could lead to remote code execution and the retrieval of a MooBot payload from a remote host, which then parses instructions from a command-and-control (C2) server to launch a DDoS attack on a specific IP address and port number.
Source Code of New ‘CodeRAT’ Backdoor Published Online
The developer of the new ‘CodeRAT’ backdoor has released their malware’s source code online. The new remote access trojan (RAT) was seen being deployed via a malicious Word document carrying a Dynamic Data Exchange (DDE) exploit.
Packing support for roughly 50 commands, CodeRAT is designed to monitor a victim’s activity on a local machine (documents, databases, integrated development environments (IDEs)) and online (social networks, games, and pornographic sites), and appears targeted at Iranian users.
The lure document and the targeting of applications specifically designed for Farsi-speaking users suggest that the RAT might be used by Iran’s Islamic regime for the monitoring of illegal/immoral activities of their citizens.
The malware has five modes of operation, generates a unique ID for each victim, and can receive commands via a local file (command.txt, under myPictures folder), via the main user interface, and via the Telegram bot API.
The RAT continuously checks if a boss.txt file exists under the myPictures folder. If the file exists, the malware unhides its main window, allowing the user to perform manual operations. The threat also has a second hidden UI form, which runs if the ‘data’ and ‘zn’ directories exist in its working directory.
SafeBreach was able to identify the developer of CodeRAT (who uses the moniker ‘Mr Moded’) as the individual behind RoboThief, a Telegram session stealer.
New EvilProxy Phishing Service Allowing Cybercriminals to Bypass 2-Factor Security
A new phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy is being advertised on the criminal underground as a means for threat actors to bypass two-factor authentication (2FA) protections employed against online services.
The platform generates phishing links that are nothing but cloned pages designed to compromise user accounts associated with Apple iCloud, Facebook, GoDaddy, GitHub, Google, Dropbox, Instagram, Microsoft, NPM, PyPI, RubyGems, Twitter, Yahoo, and Yandex, among others.
EvilProxy is similar to adversary-in-the-middle (AiTM) attacks in that users interact with a malicious proxy server that acts as a go-between for the target website, covertly harvesting the credentials and 2FA passcodes entered in the login pages.
It’s offered on a subscription basis per service for a time period of 10, 20, or 31 days, with the kit available for $400 a month and accessed over the TOR anonymity network after the payment is arranged manually with an operator on Telegram. Attacks against Google accounts, in contrast, cost up to $600 per month.
To add to the concerns, the targeting of public-facing code and package repositories such as GitHub, NPM, PyPI, and RubyGems suggests that the operators are also aiming to facilitate supply chain attacks via such operations.
Gaining unauthorized access to accounts and injecting malicious code into widely used projects by trusted developers can be a goldmine for threat actors, significantly widening the impact of the campaigns.
TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users’ Information
Popular short-form social video service TikTok denied reports that it was breached by a hacking group, after the group claimed to have gained access to an insecure cloud server.
The denial follows alleged reports of a hack that surfaced on the Breach Forums message board on September 3, with the threat actor noting that the server holds 2.05 billion records in a humongous 790GB database.
“We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases,” a spokesperson for the company said.
“The samples also appear to contain data from one or more third-party sources not affiliated with TikTok. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.”
Additionally, the Twitter account of AgainstTheWest has since been suspended and allegations of the break-in have since been modified on Breach Forums to mention that “the breach is not from TikTok, and that he most likely was lying or didn’t even investigate it before making such outrageous claims.”
SharkBot Malware Resurfaces on Google Play to Steal Users’ Credentials
An upgraded version of the SharkBot mobile malware has been spotted on Google’s Play Store, targeting the banking credentials of Android users via apps that have collectively counted 60,000 installations.
The new dropper doesn’t rely on Accessibility permissions to automatically perform the installation of the malware but instead asks the victim to install the malware as a fake update for the antivirus to stay protected against threats.
While the method makes it more difficult for the malware to get installed (as it depends on the user interaction), it is now more challenging to detect before being published in Google Play Store since it doesn’t require accessibility permissions, which are often suspicious.
New command-and-control servers (C2s) are providing a list of targets including banks in countries beyond the United Kingdom and Italy, such as Spain, Australia, Poland, Germany, the US and Austria. In addition to targeting new countries, the novel version of SharkBot features an additional capability to steal session cookies from victims who log into their bank accounts.
Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus
A vulnerable anti-cheat driver for the Genshin Impact video game has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware.
The ransomware infection, observed in July 2022, banked on the fact that the driver in question (“mhyprot2.sys”) is signed with a valid certificate, thereby making it possible to circumvent privilege restrictions and terminate services associated with endpoint protection applications.
Genshin Impact is a popular action role-playing game that was developed and published by Shanghai-based developer miHoYo in September 2020.
The idea, in a nutshell, is to use the legitimate device driver module with valid code signing to escalate privileges from user mode to kernel mode, reaffirming how adversaries are constantly looking for different ways to stealthily deploy malware.
The goal is to mass-deploy the ransomware using the domain controller via a batch file that installs the driver, kills antivirus services, and launches the ransomware payload. The game does not need to be installed on a victim’s device for this to work, meaning threat actors can simply install the anti-cheat driver as a precursor to ransomware deployment.
Source – https://thehackernews.com/2022/09/ransomware-attackers-abuse-genshin.html