
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (Senior SOC Analyst).
European and U.S. law enforcement agencies have dismantled Lolek Hosted, a bulletproof hosting service that facilitated cyberattacks globally. Five administrators were arrested, and servers seized, halting LolekHosted.net. The service enabled malware distribution, DDoS attacks, fake online shops, botnet management, and spam distribution. The August 8, 2023, seizure highlights increasing government efforts to disrupt cybercriminal networks.
Lolek Hosted focused on privacy and anonymity, offering no-log policies and cryptocurrency payments. Such services have been controversial, providing a platform for criminal groups to disseminate malware, orchestrate attacks, and commit cybercrime. U.S. Department of Justice states Lolek Hosted aided ransomware attacks and money laundering.
Founder Artur Karol Grabowski, accused of allowing false registrations, ignoring abuse complaints, and aiding ransomware attacks, faces 45 years’ imprisonment if convicted. Lolek Hosted allegedly participated in 50 NetWalker ransomware attacks. Recent joint efforts by Europe and the U.S. aim to combat criminal infrastructure supporting malicious activities like DDoS, phishing, and ransomware.
This action follows the sentencing of Mihai Ionut Paunescu in June 2023 for operating the bulletproof hosting service PowerHost[.]ro, facilitating Gozi, BlackEnergy, SpyEye, and Zeus backdoors.
Article link: https://thehackernews.com/2023/08/lolek-bulletproof-hosting-servers.html
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a significant security flaw in Citrix ShareFile storage zones controller in its Known Exploited Vulnerabilities (KEV) list, given ongoing real-world attacks. Tracked as CVE-2023-24489 (CVSS score: 9.8), the vulnerability involves improper access control, potentially allowing remote compromise by unauthenticated attackers.
The issue originates from ShareFile’s handling of cryptographic processes, enabling adversaries to upload arbitrary files and trigger remote code execution. This flaw impacts all supported ShareFile storage zones controller versions before 5.11.24. Discovery credit goes to Dylan Pindur of Assetnote, with initial signs of exploitation emerging in late July 2023. While the attackers’ identity remains unknown, the Cl0p ransomware group has previously targeted managed file transfer solutions’ zero-day vulnerabilities.
GreyNoise, a threat intelligence firm, observed a notable surge in exploitation attempts, with up to 75 unique IP addresses targeting the flaw on August 15, 2023. The bug sits in Citrix ShareFile’s Storage Zones Controller, a .NET web application: decrypted data (AES in CBC mode with PKCS7 padding) is not validated correctly, which allows unauthenticated arbitrary file upload and, from there, remote code execution.
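The root cause named above, decrypted CBC data accepted on the strength of well-formed padding alone, is a general design flaw rather than something specific to ShareFile. The following PowerShell script is an added illustration, not code from the article, Citrix or Assetnote, and does not model ShareFile’s actual code: it encrypts a constructed message with AES-CBC/PKCS7, shows that a ciphertext altered by one byte still decrypts without any error, and then shows an HMAC checked before decryption rejecting the same input. Keys, message and function names are all constructed for the demo.

```powershell
# Added example (not from the article or Citrix): "it decrypted without error"
# is not validation. AES-CBC with PKCS7 padding gives confidentiality only; a
# ciphertext altered in transit can still decrypt cleanly. An HMAC over
# IV||ciphertext, checked before decryption, rejects it.
using namespace System.Security.Cryptography
using namespace System.Text

function New-RandomBytes([int]$Length) {
    $buf = [byte[]]::new($Length)
    [RandomNumberGenerator]::Create().GetBytes($buf)
    return ,$buf
}

# Constant-time byte comparison (works on Windows PowerShell 5.1 and PowerShell 7).
function Test-TagEqual([byte[]]$A, [byte[]]$B) {
    if ($A.Length -ne $B.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $A.Length; $i++) { $diff = $diff -bor ($A[$i] -bxor $B[$i]) }
    return ($diff -eq 0)
}

function Protect-Token {
    param([byte[]]$EncKey, [byte[]]$MacKey, [string]$Plaintext)
    $aes = [Aes]::Create()
    $aes.Key = $EncKey
    $aes.Mode = [CipherMode]::CBC
    $aes.Padding = [PaddingMode]::PKCS7
    $aes.GenerateIV()
    $pt = [Encoding]::UTF8.GetBytes($Plaintext)
    $ct = $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length)
    $ivct = [byte[]]($aes.IV + $ct)                 # what actually travels over the wire
    $tag = [HMACSHA256]::new($MacKey).ComputeHash($ivct)
    return [pscustomobject]@{ IvCt = $ivct; Tag = $tag }
}

function Unprotect-Token {
    param([byte[]]$EncKey, [byte[]]$MacKey, [byte[]]$IvCt, [byte[]]$Tag, [switch]$VerifyMac)
    if ($VerifyMac) {
        # Authenticate first: nothing is decrypted unless the tag matches.
        $expected = [HMACSHA256]::new($MacKey).ComputeHash($IvCt)
        if (-not (Test-TagEqual $expected $Tag)) { throw 'Token rejected: MAC mismatch' }
    }
    $aes = [Aes]::Create()
    $aes.Key = $EncKey
    $aes.Mode = [CipherMode]::CBC
    $aes.Padding = [PaddingMode]::PKCS7
    $aes.IV = [byte[]]$IvCt[0..15]
    $ct = [byte[]]$IvCt[16..($IvCt.Length - 1)]
    $pt = $aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
    return [Encoding]::UTF8.GetString($pt)
}

$encKey = New-RandomBytes 32
$macKey = New-RandomBytes 32
$token  = Protect-Token -EncKey $encKey -MacKey $macKey -Plaintext 'upload=report.pdf'   # constructed message

# Simulate a corrupted/altered token: one byte of the IV changes, the final block's padding does not.
$altered = [byte[]]$token.IvCt.Clone()
$altered[0] = $altered[0] -bxor 0x01

# Padding-only "validation": decryption raises no exception, so a naive check accepts a changed message.
Unprotect-Token -EncKey $encKey -MacKey $macKey -IvCt $altered -Tag $token.Tag

# MAC verified before decryption: the altered token never reaches the cipher.
try   { Unprotect-Token -EncKey $encKey -MacKey $macKey -IvCt $altered -Tag $token.Tag -VerifyMac }
catch { $_.Exception.Message }
```

The first call prints the message with its first character changed and no error; the second prints `Token rejected: MAC mismatch`. The defensive lesson is that unauthenticated CBC can never tell a server whether decrypted data is trustworthy; use an authenticated mode (AES-GCM) or encrypt-then-MAC, and verify before doing anything with the plaintext.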
Federal Civilian Executive Branch agencies are required to apply vendor fixes to address the vulnerability by September 6, 2023.
This development coincides with concerns over active exploitation of CVE-2023-3519, a critical vulnerability in Citrix’s NetScaler product, leveraged to deploy PHP web shells on compromised appliances and establish persistent access.
Article link: https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html
A widespread campaign delivering proxy server apps to over 400,000 Windows systems has been exposed by researchers. These proxies operate as residential exit nodes without user consent, with a company charging for the proxy traffic passing through them. Cybercriminals find such proxies valuable for large-scale attacks, while they also have legitimate uses like ad verification or data scraping.
AT&T Alien Labs reports that the proxy network was built by malicious payloads that deliver the proxy app. Despite the company’s claim that users consent, the evidence suggests the proxy is installed silently. Because the executable is signed, it evades antivirus detection. The same company was reported last week to control exit nodes on macOS systems delivered via the AdLoad payload.
The infection starts with a hidden loader bundled in cracked software, which downloads and installs the proxy app in the background. The installer, built with Inno Setup, is launched with parameters that hide the installation from the user. The proxy client persists through registry keys and scheduled tasks, and gathers system data to monitor performance and responsiveness.
To protect systems, AT&T advises checking for the “Digital Pulse” executable and its registry keys and deleting any that are found. Also remove the scheduled task named “DigitalPulseUpdateTask”, which would otherwise reintroduce the infection through client updates. Avoid downloading pirated software and dubious executables. Indicators of proxyware infection include performance degradation, unusual network traffic, and communication with unknown IPs or domains.
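A triage script for the indicators named in this paragraph, as an added example (not AT&T Alien Labs’ tooling): the scheduled task name and the “Digital Pulse” executable name come from the article; the autostart registry locations and the directories it searches are assumed typical locations, not indicators from the report. Run it from an elevated PowerShell; without `-Remediate` it only reports.

```powershell
# Added example (not from the article or AT&T): report, and optionally remove,
# the "Digital Pulse" proxyware indicators named in the write-up.
# Assumptions: the Run keys and search roots below are common autostart/install
# locations, not paths taken from the report.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()
$namePattern = 'Digital\s?Pulse'   # matches "DigitalPulse" and "Digital Pulse"

# 1. Scheduled task named in the article (re-installs the client if left in place).
$task = Get-ScheduledTask -TaskName 'DigitalPulseUpdateTask' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $actions }
    if ($Remediate) { Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false }
}

# 2. Autostart registry values that reference the executable (assumed locations).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip provider metadata (PSPath etc.)
        if ("$($prop.Name) $($prop.Value)" -match $namePattern) {
            $findings += [pscustomobject]@{ Type = 'RegistryRun'; Location = "$key\$($prop.Name)"; Detail = $prop.Value }
            if ($Remediate) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3. Running processes with the executable name.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -match $namePattern } | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'Process'; Location = $_.Path; Detail = "PID $($_.Id)" }
    if ($Remediate) { Stop-Process -Id $_.Id -Force }
}

# 4. Executables on disk (assumed install roots). The binary is signed, so record the
#    signer rather than relying on signature status as an indicator.
$searchRoots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -and $_.Name -match $namePattern } |
        ForEach-Object {
            $signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
            $findings += [pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = "signer: $signer" }
            if ($Remediate) { Remove-Item -Path $_.FullName -Force }
        }
}

if ($findings.Count -eq 0) { 'No Digital Pulse indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Pair the host check with the network indicators the article lists: a proxy exit node shows up as sustained outbound traffic to unfamiliar IPs or domains from a process that has no business generating it, so egress logs from the same machines are worth reviewing even when the file and task are gone.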
Article link: https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/
A vast campaign targeting Citrix NetScaler servers has resulted in nearly 2,000 compromised servers, exploiting the critical CVE-2023-3519 remote code execution flaw. Around 1,200 servers were compromised even after the vulnerability was patched, as administrators failed to check for successful exploitation. Security researchers from Fox-IT and the Dutch Institute of Vulnerability Disclosure (DIVD) discovered the campaign, wherein webshells were planted on vulnerable servers, allowing unauthorised access.
Despite the patch being available since July 18, attackers initiated exploitation, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighting its use to breach a critical infrastructure organisation. The Shadowserver Foundation also reported over 640 compromised servers with web shells.
Fox-IT and DIVD’s investigation unveiled 1,952 backdoored NetScaler servers, representing over 6% of globally vulnerable instances during the campaign. Europe is particularly impacted, with Germany, France, and Switzerland having the highest number of compromised servers.
While the number of affected servers is decreasing, the threat remains. Researchers advise administrators to triage their systems and offer a Python script for the assessment. Mandiant has also released a scanner, though running it twice may produce false positives because the scanner’s own activity leaves entries in the NetScaler logs.
Article link: https://www.bleepingcomputer.com/news/security/almost-2-000-citrix-netscaler-servers-backdoored-in-hacking-campaign/
Hackers are targeting LinkedIn accounts in a recent campaign, with some victims receiving ransom demands to regain access. The attacks have surged over the past 90 days, causing extended response times from LinkedIn support.
Two attack scenarios have emerged: one where LinkedIn temporarily locks accounts due to suspicious activity, and another where attackers gain full control by altering associated email addresses and passwords. Some victims have received ransom messages, while others have seen their accounts deleted.
LinkedIn has faced previous cyber threats, including phishing attempts and use by North Korean APT Lazarus. Users are urged to confirm their account access promptly, verify contact information, and enhance security measures like two-step verification.
Article link: https://www.darkreading.com/attacks-breaches/linkedin-suffers-significant-wave-of-account-hacks
Attackers are increasingly targeting abandoned and poorly maintained websites for hosting phishing pages, with WordPress sites being a prime focus due to their numerous vulnerabilities. Kaspersky discovered 22,400 compromised WordPress websites from mid-May to July, hosting phishing pages that attracted over 200,000 visit attempts.
Hackers often compromise smaller sites that owners can’t immediately detect. The attackers make phishing pages inconspicuous by leaving the main website’s functionality untouched and hiding phishing pages in non-accessible directories.
This strategy is effective since phishing remains a popular attack vector. Attackers capitalize on users’ trust in familiar websites to share sensitive data. Neglected domains are appealing as phishing pages can stay active longer, while attackers exploit known WordPress vulnerabilities to establish control.
Kaspersky advises WordPress operators, especially those running smaller sites, to stay vigilant, offering guidance on detecting and addressing potential breaches. Over 2,370 WordPress and plugin vulnerabilities were disclosed in 2022, making these sites easy targets.
Article link: https://www.darkreading.com/attacks-breaches/-phishing-operators-make-ready-use-of-abandoned-websites-for-bait