Cybersecurity News – CloudGuard AI (https://cloudguard.ai), feed generated Fri, 08 Aug 2025 13:11:20 +0000

Issue 77: Critical Exchange Flaw, SonicWall VPN Exploits, UK CNI Threat Warning
Link: https://www.linkedin.com/pulse/issue-77-critical-exchange-flaw-sonicwall-vpn-exploits-uk-9qppe/?trackingId=Dm0YbiQUSqW2EaxCrHE6qg%3D%3D#new_tab&utm_source=rss&utm_medium=rss&utm_campaign=issue-77-critical-exchange-flaw-sonicwall-vpn-exploits-uk-cni-threat-warning
Published: Fri, 08 Aug 2025 13:07:16 +0000

Issue 39: Are your credentials safe? Massive exploits threaten key systems
Link: https://www.linkedin.com/pulse/issue-39-your-credentials-safe-massive-exploits-threaten-zdyce/#new_tab?utm_source=rss&utm_medium=rss&utm_campaign=issue-39-are-your-credentials-safe-massive-exploits-threaten-key-systems
Published: Fri, 08 Nov 2024 14:20:59 +0000

Issue 04: ConnectWise Mass Exploitation, 8,000+ Trusted Brand Domains Hijacked, LockBit Ransomware & Midnight Blizzard
Link: https://cloudguard.ai/resources/critical-chatter-issue-04/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-issue-04
Published: Fri, 01 Mar 2024 12:00:08 +0000

Welcome to Critical Chatter, CloudGuard’s weekly cyber news update. This week’s news flash has been curated by Vaughan Carey (SOC Leader).

Top stories – 01 March 2024

ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware

A critical vulnerability in the ConnectWise ScreenConnect remote desktop service has raised alarms for potentially being the precursor to a major cybersecurity incident in 2024. The vulnerability allows hackers remote access to a vast number of servers and endpoints, with the potential to affect hundreds of thousands of devices. The CEO of Huntress, Kyle Hanslovan, has highlighted the severity of this threat, likening its potential impact to the widespread Kaseya attacks in 2021.

ConnectWise ScreenConnect is widely used by managed service providers (MSPs) to access customer systems, raising fears of a supply chain attack. Two specific vulnerabilities have been identified: an authentication bypass bug (CVE-2024-1709, CVSS score 10) and a path-traversal issue (CVE-2024-1708, CVSS score 8.4). These vulnerabilities allow for the creation of new administrator accounts and unauthorised file access, respectively.

The Shadowserver Foundation reports over 8,200 vulnerable instances online, mainly in the US, with CVE-2024-1709 being exploited widely. This situation has led to instances of ransomware deployment, including on systems potentially linked to critical services like 911.

Mitigation efforts include patching vulnerable systems with ScreenConnect version 23.9.8 and monitoring for indicators of compromise, especially in the ScreenConnect extensions folder. Despite ConnectWise’s efforts to revoke licenses for unpatched servers, the vulnerabilities remain a significant concern for unpatched or slowly patched systems.

Article Link: www.darkreading.com/remote-workforce/connectwise-screenconnect-mass-exploitation-delivers-ransomware

8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation

A sophisticated cyber operation named SubdoMailing, orchestrated by a threat actor dubbed ResurrecAds, has been active since at least September 2022. Guardio Labs has uncovered this scheme, which involves hijacking over 8,000 domains and 13,000 subdomains of legitimate brands and institutions, including ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, and VMware.

The attackers exploit these domains to distribute spam and malicious phishing emails, leveraging the domains’ credibility to bypass security measures like SPF, DKIM, and DMARC, which are email authentication methods designed to prevent spoofing and spam. These emails, cleverly disguised as images to evade text-based spam filters, redirect users through various domains based on their device type and location, leading to potential scams, phishing sites, or malware downloads.

The campaign is sophisticated, using techniques such as CNAME record aliasing for email spoofing and DNS SPF record manipulation to send emails as if they were from the legitimate domain. This operation not only targets maximising click monetisation through deceptive ads but also poses a risk of phishing and malware distribution. Guardio Labs has responded by creating a SubdoMailing Checker tool to help domain administrators and site owners identify potential compromises.
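The stale-DNS abuse described above is something domain owners can audit for themselves. The following is an added example (not Guardio’s SubdoMailing Checker): it walks a domain’s SPF include chain and its subdomains’ CNAMEs and flags any target whose registrable domain is outside a constructed allow-list of domains the organisation or its vendors control. The zone data, the allow-list and the two-label `registrable()` helper are assumptions built for the example so it runs offline.

```python
"""Audit SPF include chains and subdomain CNAMEs for targets outside the
domains an organisation (or its contracted vendors) actually controls.

Stale records of this kind are what a SubdoMailing-style operation reuses:
a CNAME or SPF include that still points at a lapsed domain lets whoever
re-registers that domain send mail that passes SPF for the brand's domain.

Added example, not Guardio's SubdoMailing Checker. The DNS data is a
constructed in-memory snapshot rather than live lookups, so it runs offline.
"""
from __future__ import annotations

from typing import Iterator

# Constructed DNS snapshot: (owner name, record type) -> record values.
ZONE: dict[tuple[str, str], list[str]] = {
    ("example.org", "TXT"): [
        "v=spf1 include:_spf.mailvendor.example include:old-agency.example -all"
    ],
    ("_spf.mailvendor.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("promo.example.org", "CNAME"): ["campaign.old-agency.example"],
    ("www.example.org", "CNAME"): ["cdn.goodhost.example"],
    ("cdn.goodhost.example", "A"): ["198.51.100.7"],
}

# Constructed allow-list of registrable domains the organisation owns or has a
# current contract with. Anything else is treated as not under its control.
KNOWN_REGISTERED = {"example.org", "mailvendor.example", "goodhost.example"}

MAX_DEPTH = 10  # RFC 7208 caps DNS-querying terms at 10; also stops include loops


def registrable(name: str) -> str:
    """Crude stand-in for a public-suffix lookup: keep the last two labels.
    (Assumption for this example; use a real PSL library in production.)"""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def lookup(name: str, rtype: str) -> list[str]:
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


def spf_terms(domain: str) -> list[str]:
    """Return the mechanism/modifier terms of a domain's SPF record, or []."""
    for txt in lookup(domain, "TXT"):
        if txt.lower().startswith("v=spf1"):
            return txt.split()[1:]
    return []


def walk_spf(domain: str, depth: int = 0,
             seen: set[str] | None = None) -> Iterator[tuple[str, str]]:
    """Yield (kind, target) for every include:/redirect= reachable from domain."""
    seen = set() if seen is None else seen
    domain = domain.lower()
    if domain in seen or depth > MAX_DEPTH:
        return
    seen.add(domain)
    for term in spf_terms(domain):
        t = term.lstrip("+-~?").lower()  # drop the qualifier, e.g. "~include:"
        for prefix in ("include:", "redirect="):
            if t.startswith(prefix):
                target = t[len(prefix):]
                yield prefix[:-1], target
                yield from walk_spf(target, depth + 1, seen)


def audit(domain: str, subdomains: list[str]) -> list[dict]:
    """Flag SPF includes and CNAMEs whose target is outside KNOWN_REGISTERED,
    and includes that resolve to no SPF record at all (a permerror in SPF)."""
    findings: list[dict] = []
    for kind, target in walk_spf(domain):
        if registrable(target) not in KNOWN_REGISTERED:
            findings.append({"type": f"spf-{kind}-unowned",
                             "record": domain, "target": target})
        elif not spf_terms(target):
            findings.append({"type": f"spf-{kind}-no-record",
                             "record": domain, "target": target})
    for sub in subdomains:
        for target in lookup(sub, "CNAME"):
            if registrable(target) not in KNOWN_REGISTERED:
                findings.append({"type": "cname-unowned",
                                 "record": sub, "target": target})
    return findings


if __name__ == "__main__":
    for finding in audit("example.org", ["promo.example.org", "www.example.org"]):
        print(finding)
```

In a live audit, replace `lookup()` with real DNS queries and the allow-list with your registrar and vendor inventory; the two findings this sample produces are the include of `old-agency.example` and the `promo` CNAME pointing into it.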

Article Link: https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html

LockBit Re-emerges, a Week After ‘Complete Compromise’

The LockBit ransomware-as-a-service operation quickly rebounded by relaunching its leak site only a week after a global law enforcement takedown, dubbed the “Operation Cronos Taskforce.” This taskforce, including the FBI, Europol, and the UK’s National Crime Agency, dismantled LockBit’s infrastructure, seized data, and arrested individuals in a coordinated effort across three countries.

Despite these efforts, LockBit’s leader acknowledged the loss of their primary infrastructure but highlighted the survival of backup systems due to a critical PHP bug, CVE-2023-3824, with a 9.8 out of 10 CVSS score, which allowed them to swiftly recover.

The revived leak site displayed stolen data from various victims, illustrating the group’s resilience. Experts like former FBI agent Michael McPherson and ransomware negotiator Kurtis Minder acknowledged the blow to LockBit but cautioned against underestimating the group’s capability to bounce back. The operation’s success in accessing affiliates’ information creates distrust within the ransomware ecosystem, potentially disrupting future collaborations.

However, to effectively combat ransomware, experts suggest that high-profile raids need to be supplemented with comprehensive policies and programs that focus on prevention, response, and repair, emphasising the significant economic impact of ransomware on the economy.

Article Link: https://www.darkreading.com/threat-intelligence/lockbit-leak-site-reemerges-week-after-complete-compromise-

Russia’s ‘Midnight Blizzard’ Targets Service Accounts for Initial Cloud Access

The UK’s National Cyber Security Centre (NCSC), alongside the US Cybersecurity and Infrastructure Security Agency (CISA) and international counterparts, issued a warning regarding a shift in tactics by “Midnight Blizzard,” a threat group linked to Russia’s foreign intelligence service (SVR).

Known for its involvement in high-profile attacks on entities such as SolarWinds, Microsoft, and HPE, Midnight Blizzard is now exploiting automated cloud services and dormant accounts to infiltrate cloud environments of targeted organisations. This marks a significant evolution in the approach of the threat actor, also known as APT29, Cozy Bear, and Dukes, in response to the increasing shift of organisations towards cloud services.

Midnight Blizzard, active since at least 2009 and attributed with high confidence to Russia’s SVR, has historically targeted government, healthcare, energy, law enforcement, aviation, and military sectors through software vulnerabilities and network weaknesses. The group’s pivot to cloud services involves brute-force and password spraying attacks on cloud service accounts, which are challenging to secure with two-factor authentication, thereby offering privileged access to networks. They also exploit dormant accounts and employ tactics like the use of stolen OAuth tokens and MFA fatigue attacks to maintain persistent access within cloud environments.

To combat these threats, the NCSC recommends implementing multifactor authentication, creating strong passwords, applying the principle of least privilege to service accounts, shortening authentication token session lifetimes, and preventing unauthorised device registrations. Additionally, the advisory suggests the creation of “canary” service accounts as a detection method for unauthorised access.
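Two of the detections the advisory points at, password spraying against service accounts and the “canary” account, can be expressed as simple log logic. The block below is an added example, not the NCSC’s or any vendor’s code: it runs over constructed sign-in records in a made-up JSON shape (`ts`, `user`, `src_ip`, `result`) and raises a spray alert when one source IP fails against many distinct accounts within a window, and a canary alert on any touch of the decoy account.

```python
"""Two detections drawn from the NCSC guidance above: (1) password spraying
against cloud service accounts, which shows up as one source IP failing
sign-ins across many distinct accounts in a short window; (2) any sign-in
attempt against a 'canary' service account that no real workload uses.

Added example, not from the advisory. The log lines are constructed JSON
records in a made-up shape (ts, user, src_ip, result); real identity
providers use their own schema, so adapt parse() accordingly.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: a dormant-looking service account that exists only to alert.
CANARY_ACCOUNTS = {"svc-backup-canary@corp.example"}

SPRAY_DISTINCT_USERS = 5             # alert once this many accounts fail from one IP
SPRAY_WINDOW = timedelta(minutes=10)

# Constructed sign-in log: a spray from 198.51.100.23, one normal login,
# a probe of the canary, and a single-account brute force from 192.0.2.5.
SAMPLE_LOG = """\
{"ts": "2024-02-27T08:00:01Z", "user": "svc-etl@corp.example", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2024-02-27T08:00:07Z", "user": "svc-ci@corp.example", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2024-02-27T08:00:12Z", "user": "svc-monitor@corp.example", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2024-02-27T08:00:19Z", "user": "svc-sync@corp.example", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2024-02-27T08:00:25Z", "user": "svc-report@corp.example", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2024-02-27T08:01:40Z", "user": "alice@corp.example", "src_ip": "203.0.113.40", "result": "success"}
{"ts": "2024-02-27T08:02:03Z", "user": "svc-backup-canary@corp.example", "src_ip": "198.51.100.23", "result": "failure"}
{"ts": "2024-02-27T08:05:00Z", "user": "bob@corp.example", "src_ip": "192.0.2.5", "result": "failure"}
{"ts": "2024-02-27T08:05:20Z", "user": "bob@corp.example", "src_ip": "192.0.2.5", "result": "failure"}
{"ts": "2024-02-27T08:05:41Z", "user": "bob@corp.example", "src_ip": "192.0.2.5", "result": "failure"}
"""


def parse(text):
    """Turn JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_canary(events):
    """Every touch of a canary account is an alert, success or failure alike."""
    return [e for e in events if e["user"] in CANARY_ACCOUNTS]


def detect_spray(events, threshold=SPRAY_DISTINCT_USERS, window=SPRAY_WINDOW):
    """Sliding window per source IP over failed sign-ins; one alert per IP the
    first time the window holds >= threshold distinct accounts. A burst of
    failures against a single account (classic brute force) does not trigger."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {x["user"] for x in evs[start:end + 1]}
            if len(users) >= threshold:
                alerts.append({"src_ip": ip, "distinct_users": len(users),
                               "first": evs[start]["ts"], "last": e["ts"]})
                break
    return alerts


def run(text):
    events = parse(text)
    return {"spray": detect_spray(events), "canary": detect_canary(events)}


if __name__ == "__main__":
    for kind, alerts in run(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```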

Article Link: https://www.darkreading.com/cloud-security/russia-s-midnight-blizzard-targeting-service-accounts-for-initial-cloud-access

If you like what you’ve read, subscribe on LinkedIn so you don’t miss next week’s roundup!

Issue 03: Android and Linux Devices Exposed, ConnectWise ScreenConnect Flaws and Akira Strikes Again
Link: https://cloudguard.ai/resources/critical-chatter-issue-03/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-issue-03
Published: Fri, 23 Feb 2024 12:00:50 +0000

Welcome to Critical Chatter, CloudGuard’s weekly cyber news update. This week’s news flash has been curated by Martin Vondrous (SOC Analyst).

Top stories – 23 February 2024

New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers

Two authentication bypass flaws have been uncovered in open-source Wi-Fi software used across Android, Linux, and ChromeOS systems. These vulnerabilities, named CVE-2023-52160 and CVE-2023-52161, were detected in wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) respectively.

These flaws enable attackers to deceive users into connecting to malicious networks, or to gain entry to trusted networks without a password. The research was conducted by Top10VPN in collaboration with Mathy Vanhoef, renowned for revealing Wi-Fi attacks like KRACK. CVE-2023-52161 permits unauthorised access to secured Wi-Fi networks, potentially resulting in malware infections and data breaches. However, CVE-2023-52160, which affects wpa_supplicant, is considered more severe because wpa_supplicant is the default software for network logins on Android devices.

Exploiting CVE-2023-52160 necessitates prior knowledge of the SSID from a previous connection and physical proximity to the target. Several Linux distributions, including Debian, Red Hat, SUSE, and Ubuntu, have issued advisories with fixes available for ChromeOS but still pending for Android. As a precautionary measure, Android users are advised to manually configure CA certificates for saved enterprise networks.

Article Link: New Wi-Fi Vulnerabilities Expose Android and Linux Devices to Hackers (thehackernews.com)

Critical Flaws Found in ConnectWise ScreenConnect Software

ConnectWise has addressed two security vulnerabilities in its ScreenConnect remote desktop software, including a critical bug with potential remote code execution.

The vulnerabilities are:

· CVE-2024-1708: Path traversal flaw

· CVE-2024-1709: Authentication bypass

Deemed critical, these flaws impact ScreenConnect versions 23.9.7 and earlier, with fixes available in version 23.9.8, released after reports on February 13, 2024. While there’s no evidence of exploitation yet, users of self-hosted or on-premise versions are urged to update promptly. ConnectWise will also offer updates for versions 22.4 through 23.9.7.

HuntressLabs discovered over 8,800 vulnerable servers, with a proof-of-concept exploit demonstrated. ConnectWise revised its advisory after detecting attacks from specific IP addresses, suggesting active exploitation. Huntress warned of easy exploitation, facilitating the deployment of Cobalt Strike for post-exploitation activities. These flaws could allow the creation of rogue administrator accounts, granting full control over ScreenConnect, and access to other directories, enabling arbitrary code execution.

WatchTowr Labs and Horizon3.ai released proof-of-concept exploits for the authentication bypass, exploiting vulnerabilities in the SetupWizard component to create administrative users. These vulnerabilities follow a trend of recent flaws allowing attackers to reinitialise applications or create initial users post-setup.

Article Link: Critical Flaws Found in ConnectWise ScreenConnect Software – Patch Now (thehackernews.com)

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a now-patched security flaw, CVE-2020-3259, affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, in its Known Exploited Vulnerabilities catalogue.

This high-severity vulnerability, with a CVSS score of 7.5, permits information disclosure and was patched by Cisco in May 2020. Reports suggest the vulnerability has likely been exploited in Akira ransomware attacks. Although no public exploit code is available, Akira ransomware actors may have weaponised it to compromise Cisco AnyConnect SSL VPN appliances. Akira ransomware is linked to approximately 200 public victims, with connections to the Conti syndicate.

Federal Civilian Executive Branch agencies must address identified vulnerabilities by March 7, 2024, to fortify network security. CVE-2020-3259 is among flaws exploited for ransomware delivery. Recently, CVE-2023-22527 in Atlassian Confluence Data Center and Confluence Server was abused to distribute C3RB3R ransomware.

The U.S. State Department offers rewards for information on BlackCat ransomware gang members, highlighting the lucrative ransomware market. New players like Alpha, potentially linked to NetWalker, have emerged, prompting calls for enhanced oversight into ransomware mitigation practices across critical sectors.

Article Link: CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability (thehackernews.com)

If you like what you’ve read, subscribe on LinkedIn so you don’t miss next week’s roundup!

Critical Chatter Issue 2: Microsoft Bugs, Deepfakes and Facebook Marketplace Leak
Link: https://cloudguard.ai/resources/critical-chatter-issue-2/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-issue-2
Published: Fri, 16 Feb 2024 12:00:06 +0000

Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (SOC Automation Engineer).

Top stories – 16 February 2024

New critical Microsoft Outlook RCE bug is trivial to exploit

Key takeaways:

  • Microsoft warns of a critical vulnerability in Outlook (CVE-2024-21413), enabling remote code execution by attackers.
  • Check Point discovers flaw allowing bypass of Office Protected View, granting access to malicious files in Outlook 2016 and Office 2019.
  • Attackers exploit flaw remotely, potentially leading to NTLM credential theft and arbitrary code execution. Immediate patching recommended due to active exploitation.

The details:

Microsoft warned of a critical Outlook vulnerability, CVE-2024-21413, allowing remote unauthenticated attackers to exploit it easily, resulting in remote code execution (RCE). Discovered by Check Point, the flaw lets attackers bypass Office Protected View, accessing and editing malicious Office files. The vulnerability affects various Microsoft Office products, including Outlook 2016 and Office 2019.

Attackers can exploit it remotely without user interaction, potentially gaining high privileges. Check Point’s report outlines how attackers can exploit the flaw by adding an exclamation mark to URLs in malicious emails, bypassing Outlook’s security restrictions. The flaw stems from the MkParseDisplayName API, potentially impacting other software. Successful attacks could lead to NTLM credential theft and arbitrary code execution. Check Point advises applying official patches promptly, as the vulnerability was actively exploited as a zero-day before a recent patch update. Microsoft retracted initial statements about active exploitation.

Article link: https://www.bleepingcomputer.com/news/security/new-critical-microsoft-outlook-rce-bug-is-trivial-to-exploit/

Hackers used new Windows Defender zero-day to drop DarkMe malware

Key takeaways:

  • Microsoft patches zero-day (CVE-2024-21412) exploited by Water Hydra and DarkCasino for DarkMe trojan distribution via Windows Defender SmartScreen bypass.
  • Water Hydra targets forex traders using spearphishing with malicious stock charts, leveraging English and Russian messages on trading platforms.
  • Trend Micro highlights the flaw’s bypass of another SmartScreen vulnerability (CVE-2023-36025) and Microsoft’s additional patching of CVE-2024-21351, allowing code injection.

The details:

Microsoft has addressed a zero-day vulnerability, CVE-2024-21412, in Windows Defender SmartScreen, exploited by the Water Hydra and DarkCasino threat group to distribute the DarkMe remote access trojan. This flaw allows attackers to bypass security checks by convincing users to click on specially crafted files. Trend Micro’s Peter Girnus disclosed that CVE-2024-21412 bypasses another SmartScreen vulnerability, CVE-2023-36025, used previously to deploy the Phemedrone malware.

Water Hydra targeted forex traders with spearphishing attacks, luring victims with malicious stock charts linked to compromised websites. Their tactics include posting messages in English and Russian on trading forums and Telegram channels. This campaign aimed at data theft or ransomware deployment. The attackers have a history of exploiting zero-day vulnerabilities, like CVE-2023-38831 in WinRAR. Today, Microsoft also patched CVE-2024-21351, another SmartScreen zero-day allowing code injection.

Article link: https://www.bleepingcomputer.com/news/security/hackers-used-new-windows-defender-zero-day-to-drop-darkme-malware/

Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks

Key takeaways:

  • GoldFactory, a Chinese cybercrime group, created sophisticated banking trojans like GoldPickaxe targeting Asia-Pacific.
  • They use social engineering to distribute malware through smishing and phishing.
  • Users should avoid suspicious links, apps, and review permissions to stay safe.

The details:

A Chinese-speaking cybercrime group named GoldFactory is behind the development of sophisticated banking trojans, including the newly discovered iOS malware GoldPickaxe, capable of harvesting personal data and intercepting SMS. GoldFactory, linked to Gigabud, targets the Asia-Pacific region, particularly Thailand and Vietnam, using social engineering to distribute malware via smishing and phishing.

GoldPickaxe for iOS exploits Apple’s TestFlight platform, while the Android version poses as various applications to steal login credentials. GoldPickaxe even employs deepfake technology to bypass facial recognition measures. GoldDigger, an Android trojan related to GoldPickaxe, targets Vietnamese financial apps. GoldFactory’s tactics include impersonation, keylogging, and fake websites.

To protect against such threats, users are advised to avoid suspicious links and untrusted apps and review app permissions regularly.

Article link: https://thehackernews.com/2024/02/chinese-hackers-using-deepfakes-in.html#:~:text=A%20Chinese%2Dspeaking%20threat%20actor,recognition%20data%2C%20and%20intercepting%20SMS

PikaBot Resurfaces with Streamlined Code and Deceptive Tactics

Key takeaways:

  • Developers have simplified PikaBot malware, making it less complex but still threatening.
  • It infiltrates networks via phishing, with recent versions employing simpler encryption methods.
  • Additionally, there’s an ongoing campaign targeting Microsoft Azure, compromising user accounts through personalized phishing tactics.

The details:

The PikaBot malware, previously known for its complexity, has undergone significant simplification, described as “devolution,” by its developers. Zscaler’s analysis reveals version 1.18.32, which has reduced complexity by removing advanced obfuscation techniques and altering network communications.

PikaBot, a loader and backdoor, targets networks via phishing, with recent versions simplifying encryption algorithms and storing bot configuration in plaintext. Despite these changes, it remains a significant cyber threat, capable of executing commands and injecting payloads from a command-and-control server.

Additionally, Proofpoint has warned of an ongoing cloud account takeover campaign targeting Microsoft Azure environments, compromising hundreds of user accounts through individualized phishing lures and malicious links for credential harvesting and financial fraud.

Article link: https://thehackernews.com/2024/02/pikabot-resurfaces-with-streamlined.html

200,000 Facebook Marketplace user records leaked on hacking forum

Key takeaways:

  • IntelBroker leaked 200,000 records of Facebook Marketplace users’ personal data from a Meta contractor’s breach.
  • The leaked info, verified by BleepingComputer, includes names, phone numbers, emails, and Facebook IDs.
  • This adds to Meta’s history of breaches, including a €265 million fine in 2022 for failing to protect user data after a 533 million account leak in 2021.

The details:

A threat actor known as IntelBroker leaked 200,000 records on a hacker forum, purportedly containing personal information of Facebook Marketplace users, acquired through a breach of a Meta contractor’s systems.

The leaked data includes names, phone numbers, email addresses, Facebook IDs, and profile information. BleepingComputer verified the authenticity of the leak. The exposed information can be used for phishing and mobile phishing attacks, as well as SIM swap attacks to hijack accounts. IntelBroker has been linked to previous breaches, including DC Health Link, Hewlett Packard Enterprise, General Electric Aviation, and Weee! grocery service.

This incident adds to Meta’s history of data breaches, with a €265 million fine in November 2022 for failing to protect user data after a 533 million Facebook account data leak in April 2021, which included phone numbers and other personal details.

Article link: https://www.bleepingcomputer.com/news/security/200-000-facebook-marketplace-user-records-leaked-on-hacking-forum/

Thanks for reading, stay tuned for next week’s cybersecurity round up!

Subscribe to Critical Chatter on LinkedIn so you never miss an update.

Critical Chatter Issue 1: AnyDesk, CloudFlare and Microsoft breaches
Link: https://cloudguard.ai/resources/critical-chatter-issue1/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-issue1
Published: Fri, 09 Feb 2024 09:00:52 +0000

Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).

Top stories – 09 February 2024

AnyDesk says hackers breached its production servers, reset passwords

Key takeaways:

  • AnyDesk suffered a cyberattack, losing source code and keys, prompting urgent updates and password changes.
  • AnyDesk swiftly responded by replacing stolen certificates and urging users to adopt the latest version.
  • The incident highlights the escalating threat landscape, joining recent cyberattacks on major companies.

The details:

AnyDesk, a popular remote access solution, confirmed a recent cyberattack resulting in the theft of source code and code signing keys. The attack was detected after signs of compromise were noticed on production servers. With 170,000 customers, including notable enterprises, AnyDesk activated a response plan with cybersecurity firm CrowdStrike. Although no ransomware was involved, the attackers stole critical assets.

AnyDesk assured customers of safety but recommended updating to the latest version, which carries new code signing certificates. While no authentication tokens were taken, AnyDesk advised password changes as a precaution. The company swiftly replaced the stolen certificates, with version 8.0.8 reflecting the change. Although the breach date wasn’t disclosed, a four-day outage starting January 29th was related to the incident. AnyDesk urged users to adopt the new version and change passwords.

This incident adds to a string of recent cyberattacks, including Cloudflare and Microsoft, highlighting the escalating threat landscape.

Article link: https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/

Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

Key takeaways:

  • Cloudflare faced a nation-state cyberattack, compromising its Atlassian server between November 14 and 24, 2023, resulting in the theft of documentation and source code.
  • Cloudflare responded by rotating over 5,000 credentials, segmenting systems, and conducting forensic triages on nearly 5,000 systems to contain the intrusion.
  • The attack exploited stolen credentials from a previous hack, highlighting the importance of credential rotation, and was limited to the Atlassian environment, with the threat actor targeting network architecture and security information.

The details:

Cloudflare disclosed a likely nation-state cyberattack between November 14 and 24, 2023, where threat actors used stolen credentials to access its Atlassian server, obtaining documentation and some source code.

The sophisticated attacker aimed for persistent access to Cloudflare’s global network. Cloudflare took extensive measures, rotating over 5,000 credentials, segmenting systems, and performing forensic triages on 4,893 systems. The intrusion involved reconnaissance to access Atlassian Confluence and Jira portals, followed by creating a rogue user account to establish persistent access and access to Bitbucket source code repositories. Approximately 120 code repositories were viewed, with 76 estimated to be exfiltrated, mostly concerning backups, network configuration, identity management, and cloud infrastructure. The attacker also attempted to access a console server in São Paulo unsuccessfully.

The attack exploited stolen credentials from the Okta support case management system hack in October 2023, emphasising Cloudflare’s failure to rotate these credentials. Cloudflare terminated malicious connections and engaged CrowdStrike for an independent assessment.

The attack was confined to the Atlassian environment, with the threat actor seeking information on network architecture and security.

Article link: https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html

Microsoft Azure HDInsight Bugs Expose Big Data to Breaches

Key takeaways:

  • Orca Security found three critical vulnerabilities in Microsoft Azure’s HDInsight service, allowing unauthorized access and system slowdowns.
  • CVE-2023-38156 lets attackers gain root access in Hadoop clusters via Apache Ambari.
  • Microsoft fixed the bugs, but users need to create new clusters with updates for full protection.

The details:

Orca Security recently uncovered three high-risk vulnerabilities in Microsoft Azure’s HDInsight big-data analytics service, posing potential security risks.

One vulnerability, CVE-2023-38156, affects Apache Ambari, allowing attackers to gain root access in a Hadoop cluster via manipulation of the JDBC endpoint. The other two vulnerabilities, CVE-2023-36419 and a moderate-severity bug, affect Apache Oozie, enabling XML External Entity (XXE) injection attacks and causing system slowdowns respectively.

These vulnerabilities could lead to unauthorised access and performance issues, compromising sensitive data. HDInsight, used by major corporations for big-data analysis, necessitates diligent patching to safeguard valuable information.

Microsoft has since fixed the bugs, but HDInsight users must create new clusters with the latest updates for full protection, as in-place upgrades are not supported.

Article link: https://www.darkreading.com/cloud-security/microsoft-azure-hdinsight-bugs-expose-big-data-to-breaches

Google says spyware vendors behind most zero-days it discovers

Key takeaways:

  • Google found that 80% of 2023 zero-day vulnerabilities were used by spyware vendors to target individuals like journalists and activists.
  • These vendors, such as Cy4Gate and NSO Group, offer sophisticated tools for millions of dollars, exploiting both known and unknown vulnerabilities in Android and iOS devices.
  • Google calls for stronger regulations and collaboration to combat the spyware industry while enhancing security measures like Safe Browsing and Gmail security.

The details:

Google’s Threat Analysis Group (TAG) discovered that 80% of zero-day vulnerabilities in 2023 were exploited by commercial spyware vendors (CSV) to spy on devices globally, often targeting journalists, activists, and political figures. These vendors, including Cy4Gate, RCS Lab, Intellexa, Negg Group, NSO Group, and Variston, offer sophisticated espionage tools for millions of dollars, using undocumented exploits for Android or iOS devices.

While some exploits leverage known flaws, others target unknown vulnerabilities, with at least 33 exploits developed between 2019 and 2023. The majority of zero-days impact Google Chrome, Android, Apple iOS, and Windows. Although white-hat researchers and Google’s security efforts disrupt CSV operations, demand for spyware remains high, prompting Google to call for stronger collaboration among governments, strict regulations, and diplomatic efforts to curb the spyware industry’s proliferation.

Google continues to counter spyware threats through various security measures, including Safe Browsing, Gmail security, and Google Play Protect, while advocating for transparency and information sharing within the tech community.

Article link: https://www.bleepingcomputer.com/news/security/google-says-spyware-vendors-behind-most-zero-days-it-discovers/

‘ResumeLooters’ Attackers Steal Millions of Career Records

Key takeaways:

  • “ResumeLooters” used SQL injection and XSS to target 65 websites, stealing 2 million records, mainly in Asia-Pacific.
  • They employed tools like Acunetix and Metasploit and sold stolen data on Chinese-speaking Telegram channels.
  • The incident highlights the need for cybersecurity measures like parameterised statements and web application firewalls to prevent such attacks.

The details:

A cybercrime group named “ResumeLooters” employed SQL injection and cross-site scripting (XSS) techniques to target at least 65 job-recruitment and retail websites, stealing databases containing over 2 million email addresses and other personal records within a month.

Operating since early 2023, the group mainly targeted victims in the Asia-Pacific region but also compromised companies in other regions. They utilised publicly available penetration-testing tools like Acunetix and Metasploit to inject malicious scripts into websites, aiming to steal data from job seekers. The attackers put the stolen data up for sale on Chinese-speaking Telegram channels. Group-IB’s Threat Intelligence Unit discovered similarities between ResumeLooters’ tactics and those of another group, GambleForce, highlighting the damage that can be caused with readily available tools. Group-IB’s investigation revealed the attackers’ methods, including SQL injection via tools like sqlmap and injection of XSS scripts into legitimate job-search sites.

The campaign underscores the importance of cybersecurity for organisations and highlights preventive measures against SQL injection and XSS attacks, such as using parameterised statements, implementing web application firewalls, and validating user inputs.

Article link: https://www.darkreading.com/remote-workforce/-resumelooters-attackers-steal-millions-career-records

6 Crucial Lessons to Learn from the British Library Cyber Attack
Link: https://cloudguard.ai/resources/6-lessons-british-library-cyber-attack/?utm_source=rss&utm_medium=rss&utm_campaign=6-lessons-british-library-cyber-attack
Published: Thu, 23 Nov 2023 12:45:42 +0000

You’ve probably read about the British Library cyber attack in the news. But imagine waking up to the news that your organisation’s data has been compromised, and cybercriminals are auctioning off sensitive information on the dark web. Unfortunately, this nightmare became a reality for the security professionals working at the British Library, and the aftermath provides critical lessons for IT decision-makers like you in the ever-evolving landscape of cybersecurity.

The story of the British Library Cyber Attack so far

In October 2023, the British Library cyber attack was orchestrated by the Rhysida ransomware group, resulting in the compromise of employee data. The attackers claimed responsibility for the breach and threatened to auction off the stolen information, which included passport scans, for a price of 20 Bitcoin (£596,459).

Despite the library’s assurance that there was no evidence of user data compromise, the incident led to a month-long downtime for the library’s website. The National Cyber Security Centre (NCSC) is actively collaborating with the institution to assess the full impact of the attack.

The Rhysida group, known for targeting various sectors, set a deadline for an auction of the “exclusive and impressive” data, prompting concerns about potential identity fraud risks for affected employees. The FBI and the US Cybersecurity & Infrastructure Security Agency issued a warning on the threat posed by Rhysida, emphasising its tendency to target sectors such as education, healthcare, manufacturing, information technology, and government.

The British Library, a symbol of knowledge and culture, now faces the challenging task of restoring services while taking protective measures and investigating the attack with the support of cybersecurity experts.

Notice displayed to visitors at the British Library regarding the impact of the cyber attack

6 lessons to learn from the British Library Cyber Attack

Now that we understand the background to the British Library Cyber Attack, we can start to unpick potential lessons that can be learnt from this unfortunate situation. Learning now is better than waking up to a compromise in the future.

1. Ransomware is pervasive – Prioritise robust defences

The British Library’s run-in with the Rhysida ransomware gang proves the scary and pervasive nature of ransomware threats. The lesson here is clear: regardless of an organisation’s size or prestige, prioritising robust defences against ransomware is imperative.

IT decision-makers must recognise that these threats evolve continually, requiring constant updates to cybersecurity protocols. By investing in advanced security measures and staying ahead of emerging threats, you can create a robust defence system that protects sensitive data and ensures operational continuity.

2. Public institutions are not exempt – Bolster cybersecurity measures

The British Library, a public institution and the UK’s largest library, is proof that cybercriminals target entities across sectors. As an IT decision-maker, don’t underestimate the value of your organisation’s data. Bolster cybersecurity measures to safeguard against potential attacks. Implementing the advice of law enforcement agencies and the NCSC is crucial in building a resilient defence against ransomware and other cyber threats.

3. Refusing ransom pays off – Don’t fuel the cybercrime industry

The age-old advice from law enforcement agencies holds true: refusing to pay a ransom is essential. Despite the temptation to quickly resolve the situation by paying up, this only serves to fuel the cybercrime industry.

The British Library’s decision not to cave to the cybercriminals’ demands sends a powerful message. IT decision-makers must resist the urge to pay ransoms and instead invest in proactive cybersecurity measures. This includes regular updates to security protocols, employee training, and maintaining a robust incident response plan to mitigate the impact of potential breaches.

4. Prepare for the aftermath – Safeguard employee and user data

In the aftermath of a cyber attack, the well-being of employees and users should be a top priority. The British Library’s prompt communication and recommendation for users to change passwords as a precautionary measure is a sound, proactive approach.

IT decision-makers must have a well-thought-out plan for handling the aftermath of a breach. Transparent communication with stakeholders, providing guidance on security measures, and offering support to those affected are crucial steps. By prioritising the protection of employee and user data, you can mitigate potential risks and demonstrate commitment to your stakeholders’ security.

5. Continuous monitoring is key – Stay one step ahead

The broad impact of the Rhysida ransomware group across various sectors proves the need for continuous monitoring. IT decision-makers must recognise that cyber threats are ever-evolving and invest in advanced threat detection and response capabilities.

Regularly updating the cybersecurity strategy to adapt to emerging threats and vulnerabilities is essential. Staying one step ahead of cybercriminals requires a proactive stance, and continuous monitoring is key to identifying and mitigating potential threats before they escalate.

6. Collaborate with cybersecurity experts – Seek external support

In the face of a cyber attack, collaboration is key. The British Library’s collaboration with the NCSC, the Metropolitan Police, and cybersecurity specialists is a great, real-world example.

IT decision-makers should proactively seek external support and establish partnerships with cybersecurity experts. These experts can provide valuable insights, guidance, and support in investigating and mitigating the impact of a cyber incident. Recognising the value of external expertise strengthens your ability to respond effectively to cyber threats and enhances overall cybersecurity resilience.

A Call to Action for IT Decision Makers

The British Library cyber attack should serve as a wake-up call for IT decision-makers. Ransomware is an ever-present threat, and the key to resilience lies in proactive measures, collaboration, and a commitment to not fueling the cybercrime industry. Take this incident as an opportunity to reassess and strengthen your organisation’s cybersecurity posture.

By learning from the lessons presented by the British Library cyber attack, you can navigate the complex cybersecurity landscape with confidence, ensuring the safety of your data and the trust of your stakeholders.

Critical Chatter: Apple, Cisco, Android, and Microsoft vulnerabilities
https://cloudguard.ai/resources/critical-chatter-8-sept-23/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-8-sept-23 – Fri, 08 Sep 2023 09:34:53 +0000

Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).

Top stories – 8 September 2023

Apple zero-click iMessage exploit used to infect iPhones with spyware

Key takeaways:

  • Apple has patched two zero-day vulnerabilities exploited by NSO Group’s Pegasus spyware in an emergency update. These flaws allowed attackers to compromise fully-patched iPhones running iOS 16.6 via iMessage attachments.
  • CVE-2023-41064, a buffer overflow issue, and CVE-2023-41061, a validation problem, enabled attackers to execute arbitrary code on various Apple devices.
  • Apple quickly fixed these issues in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2. Users should update their devices immediately, and those at risk should activate Lockdown Mode. This incident highlights the importance of timely security updates.

The details:

In an emergency security update, Apple has patched two zero-day vulnerabilities actively exploited by the NSO Group’s Pegasus spyware. These vulnerabilities, identified as CVE-2023-41064 and CVE-2023-41061, enabled attackers to compromise fully-patched iPhones running iOS 16.6 without any user interaction.

The attack, known as BLASTPASS, exploited PassKit attachments containing malicious images sent via iMessage. Citizen Lab, alongside Apple, discovered these vulnerabilities in the Image I/O and Wallet frameworks.

CVE-2023-41064 is a buffer overflow flaw triggered by maliciously crafted images, while CVE-2023-41061 is a validation issue that attackers can exploit via malicious attachments. Both vulnerabilities allowed threat actors to execute arbitrary code on unpatched iPhones, iPads, Macs running macOS Ventura, and Apple Watch Series 4 and later.

Apple swiftly addressed these issues in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2, improving logic and memory handling. Citizen Lab urged Apple users to update their devices immediately and recommended activating Lockdown Mode for individuals at risk of targeted attacks due to their identity or profession.

This marks the latest in a series of zero-day vulnerabilities that Apple has patched this year, totalling 13 across iOS, macOS, iPadOS, and watchOS, highlighting the ongoing need for vigilant security measures and timely updates.

Article link: https://www.bleepingcomputer.com/news/security/apple-zero-click-imessage-exploit-used-to-infect-iphones-with-spyware/

Cisco BroadWorks impacted by critical authentication bypass flaw

Key takeaways:

  • A critical vulnerability (CVE-2023-20238) in Cisco BroadWorks platforms allows remote attackers to forge credentials and bypass authentication, potentially gaining extensive control.
  • Exploiting this flaw could enable attackers to execute commands, access data, and commit toll fraud within Cisco’s cloud communication services.
  • Cisco advises users to update to specific versions to address the issue promptly, as there are no current reports of active exploitation.

The details:

A critical vulnerability affecting Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform has been discovered, tracked as CVE-2023-20238, with a maximum CVSS score of 10.0 (critical). This vulnerability allows remote attackers to forge credentials and bypass authentication, potentially granting them extensive control over affected systems.

The impacted platforms are integral to Cisco’s cloud communication services for businesses and consumers. Threat actors exploiting this flaw can execute commands, access confidential data, modify user settings, and commit toll fraud.

The vulnerability is linked to the validation of Single Sign-On (SSO) tokens. Attackers can authenticate to the application using forged credentials. The extent of their access depends on the privilege level of the compromised account, with “administrator” accounts posing the greatest risk.

Notably, attackers need a valid user ID linked to the targeted Cisco BroadWorks system, which limits the potential attackers but does not eliminate the risk.

To address this issue, Cisco recommends updating to specific versions: AP.platform.23.0.1075.ap385341 for users of the 23.0 branch and versions 2023.06_1.333 or 2023.07_1.332 for users of the release-independent (RI) edition. However, users of the 22.0 branch will not receive a security update and should consider migrating to a fixed release.

While there are no current reports of active exploitation, system administrators are advised to apply the provided updates promptly to mitigate the risk.

Article link: https://www.bleepingcomputer.com/news/security/cisco-broadworks-impacted-by-critical-authentication-bypass-flaw/

CISA warning: Nation-state hackers exploit Fortinet and Zoho vulnerabilities

Key takeaways:

  • CISA warns of nation-state actors exploiting vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, including CVE-2022-47966, a critical remote code execution flaw.
  • In a recent incident response case, attackers gained root-level access, downloaded malware, collected credentials, and moved laterally after exploiting CVE-2022-47966.
  • The attackers also leveraged CVE-2022-42475 in Fortinet FortiOS SSL-VPN and attempted to exploit CVE-2021-44228 (Log4Shell). To mitigate these risks, organisations should apply updates, monitor remote access software, and eliminate unnecessary accounts and groups.

The details:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding multiple nation-state actors exploiting vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. These attacks involve the use of CVE-2022-47966, a critical remote code execution flaw, to gain unauthorised access and establish persistence on compromised systems. This vulnerability has a high severity score.

In one incident response engagement at an unnamed aeronautical sector organisation from February to April 2023, it was discovered that the attackers had started their malicious activities as early as January 18, 2023. After exploiting CVE-2022-47966, threat actors gained root-level access to the web server, downloaded additional malware, collected administrative user credentials, and moved laterally through the network.

A second initial access vector involved the exploitation of CVE-2022-42475, a severe vulnerability in Fortinet FortiOS SSL-VPN, to access the firewall. The attackers used the legitimate but disabled administrative account credentials of a previously hired contractor.

The attackers also initiated Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating data transfer from the firewall device. They disabled administrative account credentials and deleted logs on critical servers to conceal their activities. Additionally, they installed AnyDesk on multiple hosts, with the method of installation remaining unknown.

The threat actors attempted to exploit CVE-2021-44228 (Log4Shell) in the ServiceDesk system but were unsuccessful. They also utilised ConnectWise ScreenConnect to download and run the credential dumping tool Mimikatz.

While the identity of the threat groups is undisclosed, U.S. Cyber Command hinted at Iranian nation-state involvement. To mitigate these risks, organisations are advised to apply the latest updates, monitor remote access software for unauthorised use, and eliminate unnecessary accounts and groups to prevent their misuse.

Article link: https://thehackernews.com/2023/09/cisa-warning-nation-state-hackers.html

Zero-day alert: Latest Android patch update includes fix for newly actively exploited flaw

Key takeaways:

  • Google’s monthly Android security patches include fixes for multiple vulnerabilities, including a possibly exploited zero-day bug (CVE-2023-35674) in the Android Framework, raising concerns about targeted attacks.
  • The update addresses a critical security flaw in the System component, which could result in remote code execution without user interaction.
  • In total, 14 vulnerabilities in the System module and two in the MediaProvider component were fixed, emphasising the importance of these updates for Android users to protect their devices.

The details:

Google has released its monthly Android security patches, addressing multiple vulnerabilities, including a zero-day bug, possibly already exploited in targeted attacks. The high-severity vulnerability, tracked as CVE-2023-35674, is a privilege escalation issue within the Android Framework, though Google provided limited details about its exploitation. Three additional privilege escalation flaws in Framework were also addressed, with one considered highly severe, allowing local privilege escalation without user interaction.

Another critical security vulnerability was fixed in the System component, potentially leading to remote code execution without user interaction. Google evaluated severity based on potential device impact if platform and service mitigations were bypassed. In total, 14 flaws in the System module and two in the MediaProvider component were resolved, with the latter addressed through a Google Play system update.

These updates are essential for Android users to safeguard their devices against potential security risks, especially the zero-day vulnerability that might have been actively exploited.

Article link: https://thehackernews.com/2023/09/zero-day-alert-latest-android-patch.html

W3LL Gang compromises thousands of Microsoft 365 accounts

Key takeaways:

  • Cyber group W3LL has compromised 8,000+ corporate Microsoft 365 accounts in 10 months, targeting diverse sectors globally.
  • W3LL operates 850+ unique phishing sites and provides a phishing kit, W3LL Panel, to 500+ cybercriminals. The kit targets Microsoft 365 accounts, enabling MFA bypass and facilitating BEC attacks.
  • This highlights the need for stronger email security. Experts advise monitoring logins, regular password changes, enforcing multi-factor authentication, employee training, and proactive communication from platform providers like Microsoft to counter evolving cyber threats.

The details:

A cyber threat actor known as W3LL has been operating a vast phishing network, successfully compromising over 8,000 corporate Microsoft 365 business accounts in Australia, Europe, and the US in the past 10 months. Group-IB’s investigation reveals that W3LL has targeted at least 56,000 Microsoft 365 accounts since October, boasting a 14.3% success rate.

This cybercriminal group operates nearly 850 unique phishing websites, targeting various industries. W3LL has also established a secretive underground marketplace called W3LL Store, providing a highly sophisticated phishing kit called W3LL Panel to over 500 cybercriminals for launching their campaigns.

The W3LL Panel specifically targets Microsoft 365 accounts, offering multifactor authentication bypass capabilities and 16 other customised tools for business email compromise (BEC) attacks. The market shares profits with affiliates and provides a 10% referral bonus, collectively accumulating $500,000 since last October. W3LL consistently updates its tools, enhancing anti-detection measures and adding new features.

Phishers using W3LL Panel can misuse compromised email accounts for data theft, fake invoice scams, account impersonation, or malware distribution, causing severe consequences for victimised companies.

The rise of W3LL’s sophisticated phishing ecosystem highlights the need for organisations to bolster their email security measures. Experts emphasise the importance of a layered cybersecurity approach, including monitoring login activity, regular password resets, enforcing multi-factor authentication, and employee training.

Additionally, they call for platform providers like Microsoft to proactively communicate updates and issues to protect their customers from such threats. The W3LL threat underscores the evolving sophistication of cybercrime, necessitating increased vigilance and preparedness.

Article link: https://www.darkreading.com/endpoint/w3ll-gang-compromises-thousands-of-microsoft-365-accounts

Critical Chatter: Exploited CISCO VPNs, WinRAR zero-day, malicious Google ads and more
https://cloudguard.ai/resources/critical-chatter-25-august-23/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-25-august-23 – Fri, 25 Aug 2023 09:23:49 +0000

Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).

Top stories – 25 August 2023

New Akira ransomware targets businesses via exploited CISCO VPNs

Key takeaways:

  • Akira ransomware targets corporate networks by exploiting vulnerabilities in Cisco VPNs, particularly those without MFA.
  • The group likely uses brute force attacks or dark web access purchases to compromise VPN accounts.
  • Akira’s Linux variant affects various sectors, including education, healthcare, and manufacturing, highlighting the need for MFA and password policies to prevent unauthorised access.

The details:

The Akira ransomware, a group that targets corporate entities, has gained attention for exploiting vulnerabilities in Cisco VPNs. The group focuses on infiltrating corporate networks without multi-factor authentication (MFA) for VPN access.

Suspected use of a zero-day vulnerability has allowed unauthorised access to VPN accounts. Akira targets various sectors, including education, healthcare, manufacturing, and more. Cisco VPN products are a popular choice for businesses, making them a lucrative target.

Research indicates that Akira likely used brute force attacks or purchased access from the dark web to compromise VPN accounts. SentinelOne’s research published on 23 August suggests a zero-day vulnerability impacting accounts without MFA might have been exploited.

The ransomware’s Linux variant, based on the Crypto++ library, targets educational, real estate, healthcare, manufacturing, and corporate sectors. However, the command set lacks options to shut down virtual machines before encryption. The encryption speed influences data recovery chances.

Akira was first detected by Arctic Wolf in March 2023, with a focus on small to medium-sized businesses, particularly in the US and Canada. Avast released an Akira decryptor, but the ransomware operators updated the encryptor. Organisations are advised to prioritise two-factor authentication for VPNs to prevent unauthorised access, and to implement policies against password reuse to minimise the risk of credential breaches.

Article link: https://www.hackread.com/akira-ransomware-hack-cisco-vpns-business/

New stealthy techniques let hackers gain Windows SYSTEM privileges

Key takeaways:

  • Researchers created NoFilter, a tool that exploits Windows Filtering Platform (WFP) to elevate privileges to SYSTEM level.
  • NoFilter utilises access token duplication via WFP, stealthily avoiding DuplicateHandle detection.
  • The tool abuses IPSec and Print Spooler to attain SYSTEM tokens and enables lateral movement through logged-in users’ processes.
  • Despite reporting, Microsoft considers the behaviour intended, so detection measures are suggested by Deep Instinct, the tool’s creator.

The details:

Security researchers have developed NoFilter, a tool that exploits the Windows Filtering Platform (WFP) to escalate user privileges to the SYSTEM level, the highest on Windows. This is particularly useful for attackers in post-exploitation scenarios who need to execute malicious code with elevated permissions or move laterally within a network. The tool takes advantage of three techniques:

  1. Access Token Duplication: NoFilter uses WFP to duplicate access tokens, enabling privilege escalation. By calling the NtQueryInformationProcess function, handles to tokens held by a process are duplicated for another process to escalate to SYSTEM. This method avoids DuplicateHandle, enhancing stealth to evade detection.
  2. Getting SYSTEM Access Token: The tool triggers an IPSec connection and abuses the Print Spooler service to insert a SYSTEM token into the table. This technique is stealthier as IPSec policy configuration is typical for privileged users, and network monitoring tools tend to ignore local host connections.
  3. Lateral Movement: The tool can obtain tokens of logged-in users for lateral movement. By identifying processes running as domain admins with RPC interfaces, NoFilter abuses the OneSyncSvc service and SyncController.dll to launch processes with logged-in user permissions.

Despite reporting these techniques to Microsoft, the company deemed the behaviour as intended, implying no fix or mitigation. Deep Instinct, the cybersecurity company behind NoFilter, suggests detection measures including identifying new IPSec policies, monitoring RPC calls to Spooler and OneSyncSvc during IPSec policies, brute-forcing token LUIDs, and monitoring device IO requests to WfpAle by non-BFE service processes.

Article link: https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html

Over 3,000 Openfire servers vulnerable to takeover attacks

Key takeaways:

  • Openfire servers are at risk from CVE-2023-32315, enabling unauthenticated users to create admin accounts.
  • Despite security updates in newer versions, 50% of internet-facing servers remain vulnerable.
  • Researchers reveal an exploit method allowing malicious plugin upload without admin accounts, urging prompt upgrades for unpatched servers.

The details:

Thousands of Openfire servers are still vulnerable to CVE-2023-32315, a path traversal vulnerability that allows unauthenticated users to create admin accounts. Openfire, a widely used Java-based open-source chat server, was impacted by an authentication bypass issue in versions 3.10.0 and earlier.

Security updates in versions 4.6.8, 4.7.5, and 4.8.0 were released, but many servers remain unpatched. The flaw has been actively exploited to create admin users and upload malicious plugins. VulnCheck researcher Jacob Baines revealed a method to exploit the flaw without creating admin accounts, making it more attractive to cybercriminals.

VulnCheck reported that among 6,324 internet-facing Openfire servers, 50% (3,162 servers) are still vulnerable. Only 20% have patched, while 25% use versions older than 3.10.0 when the vulnerability was introduced. Some use forks of the project, which might be impacted.

The current exploits are noisy, leaving traces in security logs. However, VulnCheck’s PoC demonstrates a stealthier method using ‘plugin-admin.jsp’ to upload a malicious plugin without admin accounts, avoiding detection in security logs. As the vulnerability is already under active exploitation, unpatched Openfire server admins are strongly advised to upgrade promptly.

Article link: https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/

Threat actor exploits zero-day in WinRAR to target crypto accounts

Key takeaways:

  • A threat actor, possibly linked to the Evilnum group, targets trading forums using a patched WinRAR vulnerability (CVE-2023-38831).
  • The bug allowed malicious code to hide in harmless formats within zip archives, affecting cryptocurrency forums since April.
  • The attacker delivered malware like DarkMe, GuLoader, and Remcos RAT to compromise trading accounts, urging WinRAR users to update to prevent further exploitation.

The details:

A threat actor potentially linked to the Evilnum group is targeting users on trading forums using a now-patched vulnerability in WinRAR (CVE-2023-38831).

This bug allowed them to hide malicious code in seemingly harmless file formats like “.jpg” and “.txt” within zip archives, distributed across cryptocurrency trading forums. The campaign started in April, with Group-IB discovering the vulnerability and reporting it to WinRAR’s developer, Rarlab.

Though a patch was issued, at least 130 systems remain infected. Group-IB advises the estimated 500 million WinRAR users to update immediately. The attacker, possibly connected to Evilnum, used the vulnerability to deliver malware like DarkMe, GuLoader, and Remcos RAT via weaponised zip archives in forum posts and private messages. The malware compromised trading accounts, executing unauthorised transactions. Despite forum administrators’ warnings, the attacker continued spreading malicious files.

Article link: https://www.darkreading.com/attacks-breaches/threat-actor-exploits-zero-day-in-winrar-to-target-crypto-accounts

Sneaky Amazon Google ad leads to Microsoft support scam

Key takeaways:

  • A deceptive Amazon ad in Google search redirects users to a Microsoft Defender tech support scam, falsely appearing as a legitimate Amazon URL.
  • This scam traps users in full-screen mode, necessitating Chrome termination to exit, and it resurfaces upon relaunch, showcasing persistence.
  • Google has faced backlash for permitting ads that imitate real URLs for scams; Google and Amazon’s lack of response raises concerns amid ongoing malicious ad distribution, including ransomware and Cobalt Strike beacon deployment by threat actors.

The details:

A deceptive Amazon ad appearing in Google search results redirects users to a Microsoft Defender tech support scam. The ad, seemingly legitimate, features Amazon’s URL but leads to a tech support scam mimicking Microsoft Defender alerts about malware infection.

The scam forces full-screen mode, requiring users to terminate Chrome to exit, and the scam page reopens when the browser is relaunched. A similar incident occurred in June 2022 involving a YouTube ad.

Google has faced criticism for allowing ads to impersonate legitimate URLs for convincing scams. Google and Amazon haven’t responded to inquiries about this malvertising issue. Malicious actors have frequently misused Google ads to distribute malware, including ransomware.

These actors create counterfeit sites with altered download links to spread trojanised programs. Additionally, the Royal ransomware operation employs Google ads to promote sites installing Cobalt Strike beacons, granting initial network access for ransomware attacks.

Article link: https://www.bleepingcomputer.com/news/security/sneaky-amazon-google-ad-leads-to-microsoft-support-scam/

Critical Chatter: Lolek Hosted dismantled, multiple Citrix exploits, LinkedIn account hacks and website phishing
https://cloudguard.ai/resources/critical-chatter-18-august-23/?utm_source=rss&utm_medium=rss&utm_campaign=critical-chatter-18-august-23 – Fri, 18 Aug 2023 11:25:01 +0000

Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (Senior SOC Analyst).

Top stories – 18 August 2023

Lolek bulletproof hosting servers seized

Key takeaways:

  • Law enforcement dismantles Lolek Hosted, a bulletproof hosting service aiding global cyberattacks.
  • Five administrators arrested, servers seized, ending LolekHosted.net, which supported malware, DDoS attacks, botnets, and spam distribution.
  • Joint European and U.S. efforts target such criminal infrastructure, aiming to curb malicious activities like ransomware, phishing, and DDoS attacks.

The details:

European and U.S. law enforcement agencies have dismantled Lolek Hosted, a bulletproof hosting service that facilitated cyberattacks globally. Five administrators were arrested, and servers seized, halting LolekHosted.net. The service enabled malware distribution, DDoS attacks, fake online shops, botnet management, and spam distribution. The August 8, 2023, seizure highlights increasing government efforts to disrupt cybercriminal networks.

Lolek Hosted focused on privacy and anonymity, offering no-log policies and cryptocurrency payments. Such services have been controversial, providing a platform for criminal groups to disseminate malware, orchestrate attacks, and commit cybercrime. The U.S. Department of Justice states that Lolek Hosted aided ransomware attacks and money laundering.

Founder Artur Karol Grabowski, accused of allowing false registrations, ignoring abuse complaints, and aiding ransomware attacks, faces 45 years’ imprisonment if convicted. Lolek Hosted allegedly participated in 50 NetWalker ransomware attacks. Recent joint efforts by Europe and the U.S. aim to combat criminal infrastructure supporting malicious activities like DDoS, phishing, and ransomware.

This action follows the sentencing of Mihai Ionut Paunescu in June 2023 for operating the bulletproof hosting service PowerHost[.]ro, facilitating Gozi, BlackEnergy, SpyEye, and Zeus backdoors.

Article link: https://thehackernews.com/2023/08/lolek-bulletproof-hosting-servers.html

CISA adds Citrix ShareFile flaw to KEV catalogue

Key takeaways:

  • CISA lists Citrix ShareFile storage zones controller flaw (CVE-2023-24489) in Known Exploited Vulnerabilities due to ongoing attacks.
  • The vulnerability, with a CVSS score of 9.8, allows remote compromise through improper access control and flawed cryptographic handling.
  • Exploitation surged after initial signs in July, impacting ShareFile versions before 5.11.24. Federal Civilian Executive Branch agencies must apply the vendor fixes by September 6, 2023.

The details:

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a significant security flaw in Citrix ShareFile storage zones controller in its Known Exploited Vulnerabilities (KEV) list, given ongoing real-world attacks. Tracked as CVE-2023-24489 (CVSS score: 9.8), the vulnerability involves improper access control, potentially allowing remote compromise by unauthenticated attackers.

The issue originates from ShareFile’s handling of cryptographic processes, enabling adversaries to upload arbitrary files and trigger remote code execution. This flaw impacts all supported ShareFile storage zones controller versions before 5.11.24. Discovery credit goes to Dylan Pindur of Assetnote, with initial signs of exploitation emerging in late July 2023. While the attackers’ identity remains unknown, the Cl0p ransomware group has previously targeted managed file transfer solutions’ zero-day vulnerabilities.

GreyNoise, a threat intelligence firm, observed a notable surge in exploitation attempts, with up to 75 unique IP addresses targeting the flaw on August 15, 2023. The bug exists in Citrix ShareFile’s Storage Zones Controller, a .NET web application, allowing unauthenticated arbitrary file upload and remote code execution due to incorrect validation of decrypted data using AES encryption with CBC mode and PKCS7 padding.

Federal Civilian Executive Branch agencies are required to apply vendor fixes to address the vulnerability by September 6, 2023.

This development coincides with concerns over active exploitation of CVE-2023-3519, a critical vulnerability in Citrix’s NetScaler product, leveraged to deploy PHP web shells on compromised appliances and establish persistent access.
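The weakness described above, accepting decrypted data because its PKCS7 padding checks out, is a general pattern rather than anything specific to ShareFile: CBC mode with padding provides no integrity, so a decryptor that validates only the padding cannot tell a genuine token from a modified one, and a padding error that differs from other errors hands an attacker information about the plaintext. The following Python is an added illustration and is not code from the page, from Citrix, or from the original reporting. Because AES is not in the Python standard library, a toy Feistel block cipher stands in for it (it is deliberately not secure; the point is the validation around the cipher, not the cipher itself). The keys, IV, message and the single-bit alteration are constructed for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher (Feistel network, HMAC-SHA256 as round function) standing in
# for AES so this runs with the standard library only. NOT a secure cipher.
def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return out

def weak_decrypt(key: bytes, token: bytes) -> bytes:
    """Weak pattern: decrypt, then treat well-formed padding as proof the token is genuine.
    Nothing binds the ciphertext to its author, and 'bad padding' is a distinguishable error."""
    iv, ct = token[:BLOCK], token[BLOCK:]
    return pkcs7_unpad(cbc_decrypt(key, iv, ct))

def hardened_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a separate key; the tag covers IV and ciphertext."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def hardened_decrypt(enc_key: bytes, mac_key: bytes, token: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything; one uniform error on failure."""
    iv, ct, tag = token[:BLOCK], token[BLOCK:-32], token[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token rejected")
    return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))

def demo() -> tuple[bytes, bool]:
    """Constructed keys, IV and message; one bit of each token is altered in transit."""
    enc_key, mac_key = b"k" * 32, b"m" * 32
    iv = bytes(range(BLOCK))
    msg = b"upload.aspx|user=alice"
    weak_token = bytearray(iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg)))
    weak_token[5] ^= 0x01          # one IV bit flipped: byte 5 of the first plaintext block changes
    accepted = weak_decrypt(enc_key, bytes(weak_token))   # padding still valid, so it is accepted
    hard_token = bytearray(hardened_encrypt(enc_key, mac_key, msg))
    hard_token[5] ^= 0x01
    try:
        hardened_decrypt(enc_key, mac_key, bytes(hard_token))
        rejected = False
    except ValueError:
        rejected = True
    return accepted, rejected   # (b'uploae.aspx|user=alice', True)
```

The weak decryptor returns a silently altered plaintext for the modified token, which is exactly the situation in which "validation" of decrypted data by an application can be bypassed; the hardened decryptor rejects the same alteration before a single block is decrypted and gives the caller no way to distinguish a tag failure from a padding failure. In production code the toy cipher is replaced by AES-GCM or another AEAD mode, which folds the authentication step in.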

Article link: https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html

400,000 proxy botnet built with stealthy malware infections

Key takeaways:

  • Researchers uncover campaign delivering proxy server apps to 400,000 Windows systems, operating as exit nodes without user consent.
  • Despite claims of user agreement, proxies were silently installed and evade antivirus detection.
  • To protect systems, users should check for specific executables and registry keys, delete them, remove suspicious tasks, and avoid downloading pirated software.

The details:

A widespread campaign delivering proxy server apps to over 400,000 Windows systems has been exposed by researchers. These proxies operate as residential exit nodes without user consent, with a company charging for the proxy traffic passing through them. Cybercriminals find such proxies valuable for large-scale attacks, while they also have legitimate uses like ad verification or data scraping.

AT&T Alien Labs reveals that the proxy network was established through malicious payloads delivering the proxy app. Despite the company’s claim of user consent, evidence suggests the proxy was silently installed. Its signed status enables it to evade antivirus detection. This company controlled exit nodes using the AdLoad payload, targeting macOS systems as reported last week.

The infection begins with a hidden loader in cracked software, automatically downloading and installing the proxy app in the background. Inno Setup with specific parameters conceals the installation process. The proxy client ensures persistence through registry keys and scheduled tasks. It gathers system data, monitoring performance and responsiveness.

To protect systems, AT&T advises checking for the “Digital Pulse” executable and Registry keys, deleting any found. Also, remove the scheduled task named “DigitalPulseUpdateTask” to prevent reintroduction of the infection through client updates. Avoid downloading pirated software and dubious executables. Indicators of proxyware infection include performance degradation, unusual network traffic, and communication with unknown IPs or domains.

Article link: https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/

Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign

Key takeaways:

  • A major campaign targets Citrix NetScaler servers, leading to nearly 2,000 compromised systems through the CVE-2023-3519 flaw.
  • Over 1,200 servers were breached post-patch due to administrators not checking successful mitigation.
  • Researchers advise administrators to assess systems using provided tools as the threat persists, particularly in Europe.

The details:

A vast campaign targeting Citrix NetScaler servers has resulted in nearly 2,000 compromised servers, exploiting the critical CVE-2023-3519 remote code execution flaw. Around 1,200 servers were compromised even after the vulnerability was patched, as administrators failed to check for successful exploitation. Security researchers from Fox-IT and the Dutch Institute of Vulnerability Disclosure (DIVD) discovered the campaign, wherein webshells were planted on vulnerable servers, allowing unauthorised access.

Despite the patch being available since July 18, attackers initiated exploitation, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighting its use to breach a critical infrastructure organisation. The Shadowserver Foundation also reported over 640 compromised servers with web shells.

Fox-IT and DIVD’s investigation unveiled 1,952 backdoored NetScaler servers, representing over 6% of globally vulnerable instances during the campaign. Europe is particularly impacted, with Germany, France, and Switzerland having the highest number of compromised servers.

While the number of affected servers is decreasing, the threat remains. Researchers advise administrators to perform triage on their systems and offer a Python script for assessment. Mandiant has also released a scanner, though running it twice may result in false positives due to script-related NetScaler log entries.
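The triage the researchers recommend comes down to finding files on the appliance that a clean install would not contain or that no longer match their known-good contents, and the note about the Mandiant scanner shows the one operational trap: a scanner that leaves traces of its own run must exclude those traces next time or it reports itself. The following Python is an added example of that approach and is not the Fox-IT, DIVD or Mandiant tool; the directory names, file contents and manifest are constructed for the demonstration and do not reflect NetScaler's real layout.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# The report this scanner writes into the scanned tree. It is excluded from findings so a
# second run does not flag the scanner's own artefact (the re-run false positive described
# for the Mandiant scanner, modelled here on a report file rather than log entries).
SCAN_REPORT = "triage-report.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Hash every file under a known-good tree (e.g. a freshly deployed appliance image)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def triage(root: Path, manifest: dict[str, str]) -> list[dict]:
    """Report files absent from the manifest (planted) or whose contents changed (modified)."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel == SCAN_REPORT:
            continue  # output of a previous run, not an indicator
        digest = sha256_file(p)
        if rel not in manifest:
            findings.append({"path": rel, "reason": "not in known-good manifest", "sha256": digest})
        elif manifest[rel] != digest:
            findings.append({"path": rel, "reason": "contents differ from manifest", "sha256": digest})
    (root / SCAN_REPORT).write_text(json.dumps(findings, indent=2))
    return findings

def demo() -> tuple[list[dict], list[dict]]:
    """Constructed scenario: baseline a small web root, plant one file, modify another,
    then scan twice to show the second run is identical to the first."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "vpn").mkdir()
        (root / "vpn" / "index.php").write_text("<?php echo 'constructed baseline page'; ?>")
        manifest = build_manifest(root)

        # simulated post-compromise changes (constructed placeholders, not real web shell code)
        (root / "vpn" / "themes").mkdir()
        (root / "vpn" / "themes" / "config.php").write_text("<?php /* constructed unexpected file */ ?>")
        (root / "vpn" / "index.php").write_text("<?php /* constructed modified page */ ?>")

        first = triage(root, manifest)
        second = triage(root, manifest)   # the first run's report now sits in the tree
        return first, second

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

The manifest is the part that makes this work: it has to come from a trusted source (a clean image or the vendor's published hashes), not from the possibly compromised appliance itself, otherwise a backdoor planted before the baseline is taken becomes part of the baseline. Hash mismatches on files that were patched are expected after an upgrade, so the manifest should be regenerated from a clean copy of the new version before the next scan.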

Article link: https://www.bleepingcomputer.com/news/security/almost-2-000-citrix-netscaler-servers-backdoored-in-hacking-campaign/

LinkedIn suffers ‘significant’ wave of account hacks

Key takeaways:

  • LinkedIn accounts are under attack, with hackers demanding ransoms or taking control, causing delays in support.
  • Attack scenarios involve temporary locks due to suspicious activity and full control by altering email addresses and passwords.
  • Users should promptly verify access, update contact info, and enhance security measures, given LinkedIn’s history of cyber threats.

The details:

Hackers are targeting LinkedIn accounts in a recent campaign, with some victims receiving ransom demands to regain access. The attacks have surged over the past 90 days, causing extended response times from LinkedIn support.

Two attack scenarios have emerged: one where LinkedIn temporarily locks accounts due to suspicious activity, and another where attackers gain full control by altering associated email addresses and passwords. Some victims have received ransom messages, while others have seen their accounts deleted.

LinkedIn has faced previous cyber threats, including phishing attempts and use by North Korean APT Lazarus. Users are urged to confirm their account access promptly, verify contact information, and enhance security measures like two-step verification.

Article link: https://www.darkreading.com/attacks-breaches/linkedin-suffers-significant-wave-of-account-hacks

Phishing operators make ready use of abandoned websites for bait

Key takeaways:

  • Abandoned and poorly maintained websites, especially WordPress sites, are targeted for hosting phishing pages.
  • Kaspersky found 22,400 compromised WordPress sites, hosting phishing pages attracting over 200,000 visit attempts.
  • Attackers exploit known WordPress vulnerabilities to maintain active phishing pages, and users are advised to be vigilant, especially on smaller sites.

The details:

Attackers are increasingly targeting abandoned and poorly maintained websites for hosting phishing pages, with WordPress sites being a prime focus due to their numerous vulnerabilities. Kaspersky discovered 22,400 compromised WordPress websites from mid-May to July, hosting phishing pages that attracted over 200,000 visit attempts.

Hackers often compromise smaller sites that owners can’t immediately detect. The attackers make phishing pages inconspicuous by leaving the main website’s functionality untouched and hiding phishing pages in non-accessible directories.

This strategy is effective since phishing remains a popular attack vector. Attackers capitalize on users’ trust in familiar websites to share sensitive data. Neglected domains are appealing as phishing pages can stay active longer, while attackers exploit known WordPress vulnerabilities to establish control.

Kaspersky advises WordPress operators, especially those running smaller sites, to stay vigilant, offering guidance on detecting and addressing potential breaches. Over 2,370 WordPress and plugin vulnerabilities were disclosed in 2022, making these sites easy targets.

Article link: https://www.darkreading.com/attacks-breaches/-phishing-operators-make-ready-use-of-abandoned-websites-for-bait
