
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby (SOC Analyst).
The Akira ransomware, a group that targets corporate entities, has gained attention for exploiting vulnerabilities in Cisco VPNs. The group focuses on infiltrating corporate networks without multi-factor authentication (MFA) for VPN access.
Suspected use of a zero-day vulnerability has allowed unauthorised access to VPN accounts. Akira targets various sectors, including education, healthcare, manufacturing, and more. Cisco VPN products are a popular choice for businesses, making them a lucrative target.
Research indicates that Akira likely used brute force attacks or purchased access from the dark web to compromise VPN accounts. SentinelOne’s research published on 23 August suggests a zero-day vulnerability impacting accounts without MFA might have been exploited.
The ransomware’s Linux variant, based on the Crypto++ library, targets educational, real estate, healthcare, manufacturing, and corporate sectors. However, the command set lacks options to shut down virtual machines before encryption. The encryption speed influences data recovery chances.
Akira was first detected by Arctic Wolf in March 2023, with a focus on small to medium-sized businesses, particularly in the US and Canada. Avast released an Akira decryptor, but the ransomware operators updated the encryptor. Organisations are advised to prioritise two-factor authentication for VPNs to prevent unauthorised access, and to implement policies against password reuse to minimise the risk of credential breaches.
Article link: https://www.hackread.com/akira-ransomware-hack-cisco-vpns-business/
Security researchers have developed NoFilter, a tool that exploits the Windows Filtering Platform (WFP) to escalate user privileges to the SYSTEM level, the highest on Windows. This is particularly useful for attackers in post-exploitation scenarios who need to execute malicious code with elevated permissions or move laterally within a network. The tool takes advantage of three techniques:
Despite reporting these techniques to Microsoft, the company deemed the behaviour intended, implying no fix or mitigation. Deep Instinct, the cybersecurity company behind NoFilter, suggests detection measures including identifying new IPSec policies, monitoring RPC calls to Spooler and OneSyncSvc during IPSec policies, brute-forcing token LUIDs, and monitoring device IO requests to WfpAle by processes other than the BFE service.
Article link: https://thehackernews.com/2023/08/cisa-adds-citrix-sharefile-flaw-to-kev.html
Thousands of Openfire servers are still vulnerable to CVE-2023-32315, a path traversal vulnerability that allows unauthenticated users to create admin accounts. Openfire, a widely used Java-based open-source chat server, was impacted by an authentication bypass issue in versions 3.10.0 and earlier.
Security updates in versions 4.6.8, 4.7.5, and 4.8.0 were released, but many servers remain unpatched. The flaw has been actively exploited to create admin users and upload malicious plugins. VulnCheck researcher Jacob Baines revealed a method to exploit the flaw without creating admin accounts, making it more attractive to cybercriminals.
VulnCheck reported that among 6,324 internet-facing Openfire servers, 50% (3,162 servers) are still vulnerable. Only 20% have patched, while 25% use versions older than 3.10.0 when the vulnerability was introduced. Some use forks of the project, which might be impacted.
The current exploits are noisy, leaving traces in security logs. However, VulnCheck’s PoC demonstrates a stealthier method using ‘plugin-admin.jsp’ to upload a malicious plugin without creating admin accounts, avoiding detection in security logs. As the vulnerability is already under active exploitation, admins of unpatched Openfire servers are strongly advised to upgrade promptly.
Article link: https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/
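Two checks a defender can run against the Openfire item above, as an added example (not code from the article, VulnCheck or the Openfire project): a version triage using the 3.10.0 introduction point and the 4.6.8/4.7.5/4.8.0 fix releases the article states, and a scan of admin-console access logs for traversal sequences and plugin uploads via plugin-admin.jsp. The log lines, the NCSA-style log format and the `/setup/` and `user-create.jsp` paths are constructed for the example.

```python
import re

# Versions as stated in the article: the flaw arrived in 3.10.0 and the fixes
# shipped in 4.6.8, 4.7.5 and 4.8.0. Anything from 3.10.0 up to 4.8.0 that is
# not on a fixed 4.6.x/4.7.x maintenance release is treated as unpatched.
INTRODUCED = (3, 10, 0)
FIXED_MAINLINE = (4, 8, 0)
FIXED_BRANCHES = {(4, 6): (4, 6, 8), (4, 7): (4, 7, 5)}

def parse_version(text):
    """'4.7.4' -> (4, 7, 4); missing components are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts))) if parts else None

def is_vulnerable(version):
    """True when the version string falls inside the unpatched range."""
    v = parse_version(version)
    if v is None or v < INTRODUCED:
        return False  # unparseable, or predates the bug
    return v < FIXED_BRANCHES.get(v[:2], FIXED_MAINLINE)

# Alert on traversal sequences (raw, percent- or %u-encoded dots followed by a
# separator) in the request path, and on any POST to the plugin-upload page.
TRAVERSAL = re.compile(r"(\.\.|%2e%2e|%u002e%u002e)(/|\\|%2f|%5c)", re.I)
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')

def suspicious_requests(log_text):
    """Return (client, method, path, reason) for each flagged log line."""
    hits = []
    for m in filter(None, map(REQUEST.match, log_text.splitlines())):
        client, method, path = m.groups()
        if TRAVERSAL.search(path):
            hits.append((client, method, path, "path traversal"))
        elif method == "POST" and path.lower().startswith("/plugin-admin.jsp"):
            hits.append((client, method, path, "plugin upload"))
    return hits

# Constructed sample lines in NCSA-style access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [23/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1843
203.0.113.7 - - [23/Aug/2023:10:01:05 +0000] "GET /setup/%2e%2e/%2e%2e/user-create.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [23/Aug/2023:10:01:09 +0000] "POST /plugin-admin.jsp HTTP/1.1" 302 0
198.51.100.4 - - [23/Aug/2023:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 7710
"""

if __name__ == "__main__":
    print([v for v in ("4.6.7", "4.6.8", "4.7.4", "4.8.0") if is_vulnerable(v)])
    print(suspicious_requests(SAMPLE_LOG))
```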
A threat actor potentially linked to the Evilnum group is targeting users on trading forums using a now-patched vulnerability in WinRAR (CVE-2023-38831).
This bug allowed them to hide malicious code in seemingly harmless file formats like “.jpg” and “.txt” within zip archives, distributed across cryptocurrency trading forums. The campaign started in April, with Group-IB discovering the vulnerability and reporting it to WinRAR’s developer, Rarlab.
Though a patch was issued, at least 130 systems remain infected. Group-IB advises the estimated 500 million WinRAR users to update immediately. The attacker, possibly connected to Evilnum, used the vulnerability to deliver malware like DarkMe, GuLoader, and Remcos RAT via weaponised zip archives in forum posts and private messages. The malware compromised trading accounts, executing unauthorised transactions. Despite forum administrators’ warnings, the attacker continued spreading malicious files.
Article link: https://www.darkreading.com/attacks-breaches/threat-actor-exploits-zero-day-in-winrar-to-target-crypto-accounts
A deceptive Amazon ad appearing in Google search results redirects users to a Microsoft Defender tech support scam. The ad, seemingly legitimate, features Amazon’s URL but leads to a tech support scam mimicking Microsoft Defender alerts about malware infection.
The scam forces full-screen mode, requiring users to terminate Chrome to exit, only for the scam to reopen on relaunch. A similar incident occurred in June 2022 involving a YouTube ad.
Google has faced criticism for allowing ads to impersonate legitimate URLs for convincing scams. Google and Amazon haven’t responded to inquiries about this malvertising issue. Malicious actors have frequently misused Google ads to distribute malware, including ransomware.
These actors create counterfeit sites with altered download links to spread trojanised programs. Additionally, the Royal ransomware operation employs Google ads to promote sites that install Cobalt Strike beacons, granting initial network access for ransomware attacks.
Article link: https://www.bleepingcomputer.com/news/security/sneaky-amazon-google-ad-leads-to-microsoft-support-scam/