Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Vaughan Carey (Senior SOC Analyst).
Top stories – 18 August 2023
- Lolek bulletproof hosting servers seized
- CISA adds Citrix ShareFile flaw to KEV catalogue
- 400,000 proxy botnet built with stealthy malware infections
- Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign
- LinkedIn suffers ‘significant’ wave of account hacks
- Phishing operators make ready use of abandoned websites for bait
Lolek bulletproof hosting servers seized
Key takeaways:
- Law enforcement dismantles Lolek Hosted, a bulletproof hosting service aiding global cyberattacks.
- Five administrators arrested, servers seized, ending LolekHosted.net, which supported malware, DDoS attacks, botnets, and spam distribution.
- Joint European and U.S. efforts target such criminal infrastructure, aiming to curb malicious activities like ransomware, phishing, and DDoS attacks.
The details:
European and U.S. law enforcement agencies have dismantled Lolek Hosted, a bulletproof hosting service that facilitated cyberattacks globally. Five administrators were arrested and the service's servers were seized, taking LolekHosted.net offline. The service enabled malware distribution, DDoS attacks, fake online shops, botnet management and spam distribution. The August 8, 2023 seizure highlights increasing government efforts to disrupt cybercriminal infrastructure.
Lolek Hosted marketed privacy and anonymity, offering no-log policies and cryptocurrency payments. Such services are controversial because they give criminal groups a platform to distribute malware, orchestrate attacks and commit other cybercrime. The U.S. Department of Justice states that Lolek Hosted aided ransomware attacks and money laundering.
Founder Artur Karol Grabowski, accused of allowing false registrations, ignoring abuse complaints and aiding ransomware attacks, faces up to 45 years' imprisonment if convicted. Lolek Hosted allegedly supported 50 NetWalker ransomware attacks. The takedown is part of a wider joint European and U.S. effort against the criminal infrastructure behind DDoS, phishing and ransomware campaigns.
This action follows the sentencing of Mihai Ionut Paunescu in June 2023 for operating the bulletproof hosting service PowerHost[.]ro, which hosted infrastructure for the Gozi, BlackEnergy, SpyEye and Zeus malware families.
Article link: https://thehackernews.com/2023/08/lolek-bulletproof-hosting-servers.html
CISA adds Citrix ShareFile flaw to KEV catalogue
Key takeaways:
- CISA lists Citrix ShareFile storage zones controller flaw (CVE-2023-24489) in Known Exploited Vulnerabilities due to ongoing attacks.
- The vulnerability, with a CVSS score of 9.8, allows remote compromise through improper access control and flawed cryptographic handling.
- Exploitation surged after initial signs in July; all supported ShareFile storage zones controller versions before 5.11.24 are affected. Federal Civilian Executive Branch agencies must apply the vendor fix by September 6, 2023.
The details:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a significant security flaw in Citrix ShareFile storage zones controller in its Known Exploited Vulnerabilities (KEV) list, given ongoing real-world attacks. Tracked as CVE-2023-24489 (CVSS score: 9.8), the vulnerability involves improper access control, potentially allowing remote compromise by unauthenticated attackers.
The issue stems from how the storage zones controller, a .NET web application, handles cryptographic operations: it decrypts attacker-supplied input with AES in CBC mode and PKCS7 padding and then fails to validate the decrypted data correctly, so an unauthenticated attacker can upload arbitrary files and achieve remote code execution. The flaw affects all supported ShareFile storage zones controller versions before 5.11.24. Discovery is credited to Dylan Pindur of Assetnote, and the first signs of exploitation appeared in late July 2023. The attackers have not been identified, but the Cl0p ransomware group has previously targeted zero-day vulnerabilities in managed file transfer products.
Threat intelligence firm GreyNoise observed a sharp rise in exploitation attempts, with up to 75 unique IP addresses targeting the flaw on August 15, 2023.
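The paragraph above compresses two distinct CBC-mode failure modes into one sentence. The Python below is an added illustration for this roundup, not ShareFile, Citrix or Assetnote code, and it does not claim to reproduce the exact ShareFile bug: it uses a toy Feistel block cipher in place of AES (the CBC and PKCS7 logic is cipher-independent, so nothing changes with the real cipher) and made-up field names and keys. It shows that a padding check which trusts only the final byte accepts random ciphertext far more often than a correct PKCS7 check, that without a MAC an attacker who controls the IV rewrites the first plaintext block with no key and passes even a strict padding check, and that encrypt-then-MAC with a constant-time comparison rejects both.

```python
import hashlib
import hmac
import random

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel on a 16-byte block: a toy stand-in for AES (standard library only)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, r, i))
    return l + r

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(toy_block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad_lax(data: bytes) -> bytes:
    """Weak check: trusts the final byte and never looks at the other n-1 padding bytes."""
    n = data[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("bad padding")
    return data[:-n]

def unpad_strict(data: bytes) -> bytes:
    """Correct PKCS7 check: all n trailing bytes must equal n."""
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def forge_iv(iv: bytes, known_p1: bytes, wanted_p1: bytes) -> bytes:
    """CBC gives P1 = D(C1) XOR IV, so whoever supplies the IV picks P1 without the key."""
    return xor(xor(iv, known_p1), wanted_p1)

def acceptance_rate(unpad, key: bytes, trials: int, seed: int = 1) -> float:
    """Fraction of random (IV, block) pairs a padding check lets through after decryption."""
    rng, ok = random.Random(seed), 0
    for _ in range(trials):
        junk = bytes(rng.getrandbits(8) for _ in range(2 * BLOCK))
        try:
            unpad(cbc_decrypt(key, junk[:BLOCK], junk[BLOCK:]))
            ok += 1
        except ValueError:
            pass
    return ok / trials

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so neither can be altered."""
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # reject before decrypting or unpadding
    return unpad_strict(cbc_decrypt(enc_key, iv, ct))

# Constructed demo values; the keys and field names are made up and are not ShareFile's.
KEY, MAC_KEY = b"server-side-key!", b"separate-mac-key"
IV, MESSAGE = bytes(range(BLOCK)), b"user=alice;role=user;"

def iv_rewrite_demo() -> tuple:
    """Rewrite only the IV so block 1 reads 'user=admin'; try it against both constructions."""
    evil_iv = forge_iv(IV, MESSAGE[:BLOCK], b"user=admin;role=")
    plain_ct = cbc_encrypt(KEY, IV, pkcs7_pad(MESSAGE))
    forged = unpad_strict(cbc_decrypt(KEY, evil_iv, plain_ct))  # strict padding still passes
    try:
        open_sealed(KEY, MAC_KEY, evil_iv + seal(KEY, MAC_KEY, IV, MESSAGE)[BLOCK:])
        sealed_result = "accepted"
    except ValueError as err:
        sealed_result = str(err)
    return forged, sealed_result
```

Running `iv_rewrite_demo()` returns the forged plaintext `b"user=admin;role=user;"` for the unauthenticated construction and `"authentication failed"` for the sealed one; `acceptance_rate(unpad_lax, KEY, 2000)` lands near 1/16 while the strict check lands near 1/256, which is why a lax unpad turns "garbage in" into "accepted input" so readily. The practical rule for any service that decrypts client-supplied tokens is the one `open_sealed` follows: authenticate the whole ciphertext first, and only then decrypt and strictly validate the padding.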
Federal Civilian Executive Branch agencies are required to apply vendor fixes to address the vulnerability by September 6, 2023.
This development coincides with concerns over active exploitation of CVE-2023-3519, a critical vulnerability in Citrix’s NetScaler product, leveraged to deploy PHP web shells on compromised appliances and establish persistent access.
Article link: https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html
400,000 proxy botnet built with stealthy malware infections
Key takeaways:
- Researchers uncover campaign delivering proxy server apps to 400,000 Windows systems, operating as exit nodes without user consent.
- Although the operator claims users consent to the install, the proxy is installed silently, and its digitally signed binary evades antivirus detection.
- To protect systems, users should check for specific executables and registry keys, delete them, remove suspicious tasks, and avoid downloading pirated software.
The details:
A widespread campaign delivering proxy server apps to over 400,000 Windows systems has been exposed by researchers. These proxies operate as residential exit nodes without user consent, with a company charging for the proxy traffic passing through them. Cybercriminals find such proxies valuable for large-scale attacks, while they also have legitimate uses like ad verification or data scraping.
AT&T Alien Labs reports that the proxy network was built by malicious payloads that deliver the proxy application. The company behind it claims users consent to the install, but the evidence shows the proxy is installed silently. Because the binary is digitally signed, it evades antivirus detection. The same company was reported last week to be building macOS exit nodes using the AdLoad payload.
The infection starts with a loader hidden in cracked software, which downloads and installs the proxy application in the background. The installer, built with Inno Setup, is launched with parameters that hide the installation from the user. The proxy client persists through registry keys and a scheduled task, and collects system data including performance and responsiveness metrics.
To clean up, AT&T advises checking for the "Digital Pulse" executable and its registry keys and deleting any that are found, then removing the scheduled task named "DigitalPulseUpdateTask" so the client's updater cannot reintroduce the infection. Avoid pirated software and dubious executables. Indicators of a proxyware infection include performance degradation, unusual network traffic and communication with unknown IPs or domains.
Article link: https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/
Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign
Key takeaways:
- A major campaign targets Citrix NetScaler servers, leading to nearly 2,000 compromised systems through the CVE-2023-3519 flaw.
- Around 1,200 of the backdoored servers had already been patched but remained compromised, because administrators did not check for signs of exploitation that predated the patch.
- Researchers advise administrators to assess systems using provided tools as the threat persists, particularly in Europe.
The details:
A vast campaign targeting Citrix NetScaler servers has left nearly 2,000 servers compromised through the critical CVE-2023-3519 remote code execution flaw. Around 1,200 of them had since been patched, yet the backdoors remained because administrators did not check whether the flaw had been exploited before the patch went in. Security researchers from Fox-IT and the Dutch Institute for Vulnerability Disclosure (DIVD) discovered the campaign, in which web shells were planted on vulnerable servers to give the attackers persistent, unauthorised access.
Although a patch has been available since July 18, attackers exploited unpatched servers at scale, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has highlighted the flaw's use to breach a critical infrastructure organisation. The Shadowserver Foundation separately reported more than 640 servers compromised with web shells.
Fox-IT and DIVD's investigation identified 1,952 backdoored NetScaler servers, over 6% of the instances worldwide that were vulnerable during the campaign. Europe is particularly affected, with Germany, France and Switzerland having the highest numbers of compromised servers.
Although the number of affected servers is falling, the threat remains. The researchers advise administrators to triage their systems and have published a Python script for the purpose. Mandiant has also released a scanner; note that running it a second time can produce false positives, because the first run leaves its own entries in the NetScaler logs that the scanner then matches.
Article link: https://www.bleepingcomputer.com/news/security/almost-2-000-citrix-netscaler-servers-backdoored-in-hacking-campaign/
LinkedIn suffers ‘significant’ wave of account hacks
Key takeaways:
- LinkedIn accounts are under attack, with hackers demanding ransoms or taking over accounts outright, and LinkedIn support is slow to respond.
- Attack scenarios involve temporary locks due to suspicious activity and full control by altering email addresses and passwords.
- Users should promptly verify access, update contact info, and enhance security measures, given LinkedIn’s history of cyber threats.
The details:
Hackers are targeting LinkedIn accounts in a recent campaign, with some victims receiving ransom demands to regain access. The attacks have surged over the past 90 days, causing extended response times from LinkedIn support.
Two attack scenarios have emerged: one where LinkedIn temporarily locks accounts due to suspicious activity, and another where attackers gain full control by altering associated email addresses and passwords. Some victims have received ransom messages, while others have seen their accounts deleted.
LinkedIn has been targeted before, including phishing campaigns and use as a lure by the North Korean APT Lazarus. Users are urged to confirm promptly that they can still access their account, verify the contact details on it and enable two-step verification.
Article link: https://www.darkreading.com/attacks-breaches/linkedin-suffers-significant-wave-of-account-hacks
Phishing operators make ready use of abandoned websites for bait
Key takeaways:
- Abandoned and poorly maintained websites, especially WordPress sites, are targeted for hosting phishing pages.
- Kaspersky found 22,400 compromised WordPress sites, hosting phishing pages attracting over 200,000 visit attempts.
- Attackers exploit known WordPress vulnerabilities to maintain active phishing pages, and users are advised to be vigilant, especially on smaller sites.
The details:
Attackers are increasingly using abandoned and poorly maintained websites to host phishing pages, with WordPress sites a prime target because of the large number of known vulnerabilities in WordPress core and its plugins. Kaspersky found 22,400 compromised WordPress websites between mid-May and July, hosting phishing pages that attracted over 200,000 visit attempts.
Attackers favour smaller sites whose owners are unlikely to notice a compromise quickly. They keep the phishing pages inconspicuous by leaving the site's normal functionality intact and placing the pages in directories that are not reachable from the site's usual navigation.
The tactic works because phishing remains a popular attack vector and users trust familiar websites with sensitive data. Neglected domains are attractive because the phishing pages stay live longer, and attackers use known WordPress vulnerabilities to take control of them.
Kaspersky advises WordPress operators, especially those running smaller sites, to stay vigilant, and offers guidance on detecting and dealing with a breach. More than 2,370 vulnerabilities in WordPress and its plugins were disclosed in 2022, which makes such sites easy targets.
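The NetScaler story earlier in this roundup (appliances patched without anyone checking for an earlier compromise) and Kaspersky's advice here come down to the same post-patch check: look on the web server's filesystem for files that appeared after the suspected compromise window and for content that has no business being there. The Python below is an added illustration for this page and is not the Fox-IT/DIVD triage script, Mandiant's scanner or Kaspersky's guidance; the patterns are a small illustrative set, the sample site is constructed in a temporary directory, and the directory names are made up. Point `roots` at the product's real web directories (the page does not list them; use the vendor's or CISA's guidance) and set the cutoff to the day before the patch was applied.

```python
import os
import re
import tempfile
import time

# Illustrative patterns, not the Fox-IT/DIVD, Mandiant or Kaspersky signature sets:
# a dangerous PHP function fed straight from request data or from a decoder.
SHELL = re.compile(
    rb"\b(eval|assert|system|shell_exec|passthru|exec|popen)\s*\(\s*@?"
    rb"(\$_(GET|POST|REQUEST|COOKIE)\b|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\()",
    re.IGNORECASE,
)
# A static page with a password field belongs in a CMS login script, not in an upload directory.
CRED_FORM = re.compile(rb"<input[^>]+type=[\"']?password", re.IGNORECASE)
WEB_EXT = {".php", ".phtml", ".php5", ".html", ".htm"}

def triage(roots, modified_after: float, max_bytes: int = 2_000_000) -> dict:
    """Walk each web root and return {path: [reasons]} for files worth a closer look.
    Read-only: mtimes are never touched, so repeated runs do not pollute their own results."""
    hits = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mtime = os.stat(path).st_mtime
                    with open(path, "rb") as fh:
                        body = fh.read(max_bytes)
                except OSError:
                    continue
                reasons = []
                if os.path.splitext(name)[1].lower() in WEB_EXT and mtime > modified_after:
                    reasons.append("web file modified after cutoff")
                m = SHELL.search(body)
                if m:
                    reasons.append("shell pattern: " + m.group(0).decode("latin-1"))
                if name.lower().endswith((".html", ".htm")) and CRED_FORM.search(body):
                    reasons.append("static page with password field")
                if reasons:
                    hits[path] = reasons
    return hits

def build_sample_site() -> str:
    """Constructed sample web root: two old legitimate files, plus a shell and a phishing form
    planted in a dot-directory under uploads that nothing on the site links to."""
    root = tempfile.mkdtemp(prefix="webroot-")
    hidden = os.path.join(root, "wp-content", "uploads", "2023", "07", ".cache")
    os.makedirs(hidden)
    files = {
        os.path.join(root, "index.php"): b"<?php get_header(); ?>",
        os.path.join(root, "about.html"): b"<p>About us</p>",
        os.path.join(hidden, "x.php"): b"<?php @eval($_POST['c']); ?>",
        os.path.join(hidden, "login.html"): b"<form method=post><input type='password' name='p'></form>",
    }
    for path, body in files.items():
        with open(path, "wb") as fh:
            fh.write(body)
    old = time.time() - 400 * 86400  # the legitimate files predate the patch window
    for legit in ("index.php", "about.html"):
        os.utime(os.path.join(root, legit), (old, old))
    return root

def run_demo() -> dict:
    """Triage the sample site with a cutoff 30 days back (the day the fix went in, say)."""
    root = build_sample_site()
    hits = triage([root], time.time() - 30 * 86400)
    return {os.path.relpath(p, root).replace(os.sep, "/"): r for p, r in hits.items()}

if __name__ == "__main__":
    for path, reasons in sorted(run_demo().items()):
        print(path, "->", "; ".join(reasons))
```

On the sample site only the two planted files under `wp-content/uploads/2023/07/.cache/` are flagged: the shell for its `eval($_POST` pattern and its recent mtime, the phishing page for its password field and its recent mtime. Anything flagged should be reviewed by hand rather than deleted on sight, and a positive hit on a patched host means the patch closed the door after the attacker was already inside, which is exactly the situation the 1,200 patched-but-backdoored NetScalers were in.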
Article link: https://www.darkreading.com/attacks-breaches/-phishing-operators-make-ready-use-of-abandoned-websites-for-bait