Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).
Top stories – 25 August 2023
- New Akira ransomware targets businesses via exploited CISCO VPNs
- New stealthy techniques let hackers gain Windows SYSTEM privileges
- Over 3,000 Openfire servers vulnerable to takeover attacks
- Threat actor exploits zero-day in WinRAR to target crypto accounts
- Sneaky Amazon Google ad leads to Microsoft support scam
New Akira ransomware targets businesses via exploited CISCO VPNs
- Akira ransomware targets corporate networks by exploiting vulnerabilities in Cisco VPNs, particularly those without MFA.
- The group likely uses brute force attacks or dark web access purchases to compromise VPN accounts.
- Akira’s Linux variant has hit education, healthcare and manufacturing organisations; the intrusions highlight the need for MFA and password policies on VPN access.
The Akira ransomware group, which targets corporate entities, has gained attention for exploiting Cisco VPNs. The group focuses on infiltrating corporate networks where VPN access is not protected by multi-factor authentication (MFA).
It is also suspected that a zero-day vulnerability may have been used to gain access to VPN accounts. Akira targets various sectors, including education, healthcare and manufacturing. Cisco VPN products are a popular choice for businesses, which makes them a lucrative target.
Research indicates that Akira most likely used brute-force attacks or access purchased on the dark web to compromise VPN accounts. SentinelOne research published on 23 August suggests that a zero-day vulnerability affecting accounts without MFA may also have been exploited.
The ransomware’s Linux variant, built on the Crypto++ library, targets the education, real estate, healthcare, manufacturing and corporate sectors. Its command set is limited and has no option to shut down virtual machines before encryption; the speed at which encryption runs affects how much data can be recovered.
Akira was first detected by Arctic Wolf in March 2023, with a focus on small to medium-sized businesses, particularly in the US and Canada. Avast released an Akira decryptor, but the ransomware operators updated the encryptor in response. Organisations are advised to prioritise multi-factor authentication for VPNs to prevent unauthorised access, and to enforce policies against password reuse to reduce the risk of credential breaches.
New stealthy techniques let hackers gain Windows SYSTEM privileges
- Researchers created NoFilter, a tool that exploits Windows Filtering Platform (WFP) to elevate privileges to SYSTEM level.
- NoFilter utilises access token duplication via WFP, stealthily avoiding DuplicateHandle detection.
- The tool abuses IPSec and Print Spooler to attain SYSTEM tokens and enables lateral movement through logged-in users’ processes.
- Despite reporting, Microsoft considers the behavior intended, so detection measures are suggested by Deep Instinct, the tool’s creator.
Security researchers have developed NoFilter, a tool that exploits the Windows Filtering Platform (WFP) to escalate user privileges to the SYSTEM level, the highest on Windows. This is particularly useful for attackers in post-exploitation scenarios who need to execute malicious code with elevated permissions or move laterally within a network. The tool takes advantage of three techniques:
- Access Token Duplication: NoFilter abuses WFP to duplicate access tokens. Calling NtQueryInformationProcess retrieves a process’s handle table, including the handles to the tokens it holds; those token handles are then duplicated into another process through WFP so that it runs as SYSTEM. Because the copy is made by WFP rather than by calling DuplicateHandle, the technique sidesteps detections that watch for that API.
- Getting a SYSTEM Access Token: The tool triggers an IPSec connection and abuses the Print Spooler service so that a SYSTEM token is inserted into the table. This is stealthier because configuring IPSec policy is routine activity for privileged users, and network monitoring tools tend to ignore connections to the local host.
- Lateral Movement: The tool can obtain the tokens of logged-in users for lateral movement. By identifying processes running as domain admins that expose RPC interfaces, NoFilter abuses the OneSyncSvc service and SyncController.dll to launch processes with the logged-in user’s permissions.
Microsoft was notified of these techniques but deemed the behaviour intended, so no fix or mitigation is expected. Deep Instinct, the company behind NoFilter, suggests detection measures instead: identifying newly created IPSec policies, monitoring RPC calls to the Spooler and OneSyncSvc services while IPSec policies are being set up, detecting brute-forcing of token LUIDs, and monitoring device IO requests to WfpAle from processes other than the BFE service.
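Two of those detection suggestions can be expressed as simple correlation rules. The following is an added example (not Deep Instinct’s code or part of the NoFilter tool): it flags device IO to WfpAle from any process that is not the BFE service host, and an IPSec policy creation followed within a short window by an RPC call to Spooler or OneSyncSvc on the same host. The Event schema, the 60-second window, the host names and the event records are all constructed for the example; in practice the records would come from Sysmon/ETW or an EDR, and the BFE PID from `sc queryex BFE`.

```python
"""Correlation rules for the NoFilter detection guidance above (added example, not Deep Instinct's code).

The event schema is constructed for this example; a real deployment would populate Event records
from Sysmon/ETW or an EDR and look up BFE's svchost PID with `sc queryex BFE` on each host.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WFPALE_DEVICE = r"\Device\WfpAle"          # device NoFilter talks to; legitimately used by BFE
SUSPECT_RPC_TARGETS = {"Spooler", "OneSyncSvc"}
WINDOW = timedelta(seconds=60)             # assumed correlation window: policy added -> RPC call


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    pid: int
    image: str
    kind: str     # "device_io" | "ipsec_policy_added" | "rpc_call"
    target: str   # device path, policy name, or RPC target service


def detect(events: list[Event], bfe_pids: set[tuple[str, int]]) -> list[tuple[str, str, int]]:
    """Return (rule, host, pid) alerts for the two NoFilter patterns."""
    alerts: list[tuple[str, str, int]] = []
    recent_policies: list[Event] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        # Rule 1: device IO to WfpAle from a process that is not the BFE service host.
        if e.kind == "device_io" and e.target.lower() == WFPALE_DEVICE.lower():
            if (e.host, e.pid) not in bfe_pids:
                alerts.append(("wfpale-io-non-bfe", e.host, e.pid))
        # Rule 2: a new IPSec policy followed within WINDOW by an RPC call to Spooler/OneSyncSvc
        # on the same host (the token-insertion step described above).
        elif e.kind == "ipsec_policy_added":
            recent_policies.append(e)
        elif e.kind == "rpc_call" and e.target in SUSPECT_RPC_TARGETS:
            recent_policies = [p for p in recent_policies if e.ts - p.ts <= WINDOW]
            if any(p.host == e.host for p in recent_policies):
                alerts.append(("ipsec-policy-then-rpc", e.host, e.pid))
    return alerts


def sample_events() -> tuple[list[Event], set[tuple[str, int]]]:
    """Constructed events: a benign host (WS01) and a host showing the NoFilter sequence (WS02)."""
    t0 = datetime(2023, 8, 24, 9, 0, 0)
    svchost = r"C:\Windows\System32\svchost.exe"
    tool = r"C:\Users\bob\tool.exe"   # hypothetical unprivileged-user binary
    events = [
        # benign: BFE's own svchost touches WfpAle; an admin adds a policy with no RPC follow-up
        Event(t0, "WS01", 1204, svchost, "device_io", WFPALE_DEVICE),
        Event(t0 + timedelta(minutes=5), "WS01", 3300, r"C:\Windows\System32\mmc.exe",
              "ipsec_policy_added", "Corp-VPN"),
        # suspicious: arbitrary process hits WfpAle, adds a policy, then calls Spooler seconds later
        Event(t0 + timedelta(minutes=10), "WS02", 5120, tool, "device_io", WFPALE_DEVICE),
        Event(t0 + timedelta(minutes=10, seconds=2), "WS02", 5120, tool, "ipsec_policy_added", "x"),
        Event(t0 + timedelta(minutes=10, seconds=7), "WS02", 5120, tool, "rpc_call", "Spooler"),
    ]
    bfe_pids = {("WS01", 1204), ("WS02", 1188)}   # BFE svchost PIDs per host (assumed)
    return events, bfe_pids


if __name__ == "__main__":
    evs, bfe = sample_events()
    for alert in detect(evs, bfe):
        print(alert)
```

Rule 2 keys on host rather than PID because the IPSec policy can be created by one process and the RPC call made by another; tightening it to the same PID reduces noise but would miss a two-stage tool.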
Over 3,000 Openfire servers vulnerable to takeover attacks
- Openfire servers are at risk from CVE-2023-32315, enabling unauthenticated users to create admin accounts.
- Despite security updates in newer versions, 50% of internet-facing servers remain vulnerable.
- Researchers reveal an exploit method allowing malicious plugin upload without admin accounts, urging prompt upgrades for unpatched servers.
Thousands of Openfire servers are still vulnerable to CVE-2023-32315, a path traversal flaw that lets unauthenticated users create admin accounts. Openfire, a widely used Java-based open-source chat server, has been affected by this authentication bypass since version 3.10.0.
Security updates in versions 4.6.8, 4.7.5 and 4.8.0 were released, but many servers remain unpatched. The flaw has been actively exploited to create admin users and upload malicious plugins. VulnCheck researcher Jacob Baines has now revealed a method of exploiting the flaw without creating an admin account, making it even more attractive to cybercriminals.
VulnCheck reported that among 6,324 internet-facing Openfire servers, 50% (3,162 servers) are still vulnerable. Only 20% have patched, while 25% run versions older than 3.10.0, which predate the vulnerability. The remainder run forks of the project, which may or may not be affected.
The current exploits are noisy and leave traces in security logs. VulnCheck’s PoC, however, demonstrates a stealthier route via ‘plugin-admin.jsp’ that uploads a malicious plugin without creating an admin account, leaving far fewer traces in the logs. As the vulnerability is already under active exploitation, administrators of unpatched Openfire servers are strongly advised to upgrade promptly.
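The version ranges in this story are enough to triage an inventory of Openfire servers the way VulnCheck did. The following is an added example (not VulnCheck’s or Openfire’s code): it classifies each version string as vulnerable, patched, predating 3.10.0, or a fork needing manual review, using only the introduced-in and fixed-in versions quoted above. The status labels and the sample inventory are constructed for the example.

```python
"""Triage an Openfire inventory against CVE-2023-32315 (added example, not VulnCheck's or Openfire's code).

Uses only the ranges given in the story: the bug was introduced in 3.10.0 and fixed in 4.6.8,
4.7.5 and 4.8.0. Forked builds are sent for manual review because their version string says
nothing about whether the fix was carried over.
"""
from __future__ import annotations

import re
from collections import Counter

INTRODUCED = (3, 10, 0)
BRANCH_FIX = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}   # maintenance branches that received a fix
MAINLINE_FIX = (4, 8, 0)                               # everything from here on carries the fix

_VERSION = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")    # tolerates suffixes such as "4.7.5-beta"


def parse_version(text: str) -> tuple[int, int, int] | None:
    m = _VERSION.match(text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def triage(version: str, fork: bool = False) -> str:
    """Classify one server. Status labels are this example's own, not VulnCheck's."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    if fork:
        return "fork-review"
    if v < INTRODUCED:
        return "not-affected"      # predates the vulnerable code (still an old, unsupported build)
    # 4.6.x and 4.7.x have their own fix releases; any other branch is fixed only from 4.8.0 on,
    # so e.g. 4.5.x is vulnerable no matter the patch level.
    fix = BRANCH_FIX.get((v[0], v[1]), MAINLINE_FIX)
    return "patched" if v >= fix else "vulnerable"


def summarise(inventory: list[tuple[str, bool]]) -> dict[str, int]:
    """Count hosts per status, the figure behind percentages like the ones VulnCheck reported."""
    return dict(Counter(triage(ver, fork) for ver, fork in inventory))


SAMPLE_INVENTORY = [   # constructed (version, is_fork) pairs, not real hosts
    ("4.7.4", False), ("4.6.7", False), ("4.7.5", False), ("4.8.0", False),
    ("3.9.3", False), ("4.5.2", False), ("4.7.2", True), ("unknown", False),
]

if __name__ == "__main__":
    for ver, fork in SAMPLE_INVENTORY:
        print(f"{ver:>8}  fork={fork!s:5}  {triage(ver, fork)}")
    print(summarise(SAMPLE_INVENTORY))
```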
Threat actor exploits zero-day in WinRAR to target crypto accounts
- A threat actor, possibly linked to the Evilnum group, targets trading forums using a patched WinRAR vulnerability (CVE-2023-38831).
- The bug allowed malicious code to hide behind harmless-looking file names inside zip archives; cryptocurrency forums have been targeted since April.
- The attacker delivered malware including DarkMe, GuLoader and Remcos RAT to compromise trading accounts; WinRAR users are urged to update to prevent further exploitation.
A threat actor potentially linked to the Evilnum group is targeting users on trading forums using a now-patched vulnerability in WinRAR (CVE-2023-38831).
The bug allowed them to hide malicious code behind seemingly harmless file names such as “.jpg” and “.txt” inside zip archives distributed on cryptocurrency trading forums. The campaign started in April; Group-IB discovered the vulnerability and reported it to WinRAR’s developer, Rarlab.
Although a patch has been issued, at least 130 systems remain infected. Group-IB advises the estimated 500 million WinRAR users to update immediately. The attacker used the vulnerability to deliver malware such as DarkMe, GuLoader and Remcos RAT via weaponised zip archives posted on forums and sent in private messages. The malware compromised trading accounts and executed unauthorised transactions. Despite forum administrators’ warnings, the attacker continued to spread malicious files.
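Archives built for this lure have a recognisable shape that a mail gateway or forum upload filter can check for before WinRAR ever sees them. The following is an added example (not Group-IB’s or Rarlab’s code): a heuristic scanner that flags a ZIP entry with a script or executable extension whose name otherwise matches a decoy image or text file in the same archive, and any path component that ends in whitespace. The trailing-space directory detail comes from Group-IB’s public description of CVE-2023-38831 rather than from this story, which only says that code was hidden behind “.jpg” and “.txt” names; the extension lists and the two sample archives are constructed for the example.

```python
"""Heuristic scanner for ZIP archives shaped like the CVE-2023-38831 lures (added example,
not Group-IB's or Rarlab's code). Only Python's standard-library zipfile is used."""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass

DECOY_EXT = {".jpg", ".jpeg", ".png", ".txt", ".pdf"}                # "harmless" names per the story
EXEC_EXT = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr"}   # assumed script/binary extensions


@dataclass(frozen=True)
class Finding:
    kind: str
    entry: str
    detail: str


def _basename_parts(name: str) -> tuple[str, str]:
    """Return (stem, lowercase extension with dot) of the last path component."""
    base = name.rstrip("/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    return (stem, "." + ext.lower()) if dot else (base, "")


def scan_zip(data: bytes) -> list[Finding]:
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]

    decoys: dict[str, str] = {}            # normalised decoy file name -> entry
    scripts: list[tuple[str, str]] = []    # (normalised stem, entry)
    for name in names:
        # A path component ending in whitespace is abnormal in a legitimately built archive.
        for part in name.rstrip("/").split("/"):
            if part != part.rstrip():
                findings.append(Finding("trailing-space-component", name, repr(part)))
                break
        if name.endswith("/"):
            continue
        stem, ext = _basename_parts(name)
        if ext in DECOY_EXT:
            decoys[(stem + ext).rstrip().lower()] = name
        elif ext in EXEC_EXT:
            scripts.append((stem.rstrip().lower(), name))

    # A script whose name (minus its own extension and trailing space) equals a decoy's full
    # name is the pattern in which opening the decoy runs the script instead.
    for key, name in scripts:
        if key in decoys:
            findings.append(Finding("decoy-script-pair", name, f"shadows {decoys[key]!r}"))
    return findings


def build_samples() -> tuple[bytes, bytes]:
    """Constructed archives: one ordinary, one shaped like the lure. Payload is a harmless echo."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("chart.jpg", b"\xff\xd8\xff")
        zf.writestr("notes.txt", b"q3 figures")
    lure = io.BytesIO()
    with zipfile.ZipFile(lure, "w") as zf:
        zf.writestr("chart.jpg", b"\xff\xd8\xff")
        zf.writestr("chart.jpg /chart.jpg .cmd", b"@echo demo\r\n")
    return benign.getvalue(), lure.getvalue()


if __name__ == "__main__":
    for label, blob in zip(("benign", "lure"), build_samples()):
        print(label, scan_zip(blob) or "clean")
```

The scanner reads only the central directory, so it is cheap to run on every upload; it is a triage signal, not proof of exploitation, and it does not cover RAR archives, which zipfile cannot parse.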
Sneaky Amazon Google ad leads to Microsoft support scam
- A deceptive Amazon ad in Google search redirects users to a Microsoft Defender tech support scam, falsely appearing as a legitimate Amazon URL.
- The scam locks the browser in full-screen mode so that users have to kill Chrome to exit, and it reappears when Chrome is relaunched.
- Google has faced criticism for allowing ads that imitate real URLs; neither Google nor Amazon has responded to enquiries. Threat actors continue to abuse Google ads to distribute malware, including ransomware and Cobalt Strike beacons.
A deceptive Amazon ad appearing in Google search results redirects users to a Microsoft Defender tech support scam. The ad displays Amazon’s genuine URL but leads to a tech support scam that mimics Microsoft Defender alerts about a malware infection.
The scam forces full-screen mode, so users must terminate Chrome to exit, and the page reopens when Chrome is relaunched. A similar incident involving a YouTube ad occurred in June 2022.
Google has faced criticism for allowing ads to impersonate legitimate URLs in convincing scams. Neither Google nor Amazon has responded to enquiries about this malvertising issue. Malicious actors frequently misuse Google ads to distribute malware, including ransomware.
These actors create counterfeit sites with altered download links to spread trojanised programs. The Royal ransomware operation, for example, uses Google ads to promote sites that install Cobalt Strike beacons, giving it initial network access for ransomware attacks.