Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Ed Bailey (SOC Intern).
Top stories – 14 July 2023
- Rockwell Automation vulnerability exploited by government hackers, CISA warns
- Surge in USB-delivered malware campaigns targeting various industries
- Microsoft’s July security patch update addresses 130 vulnerabilities, including active zero days
- New vulnerabilities disclosed in SonicWall and Fortinet network security products
- ScarletEel threat actor exploits AWS for data theft, cryptojacking, and DDoS attacks
Rockwell Automation vulnerability exploited by government hackers, CISA warns
- CISA warns that state-sponsored (APT) hackers hold an exploit capability for vulnerabilities in Rockwell Automation's industrial communication modules.
- The vulnerabilities (CVE-2023-3595 and CVE-2023-3596) could allow attackers to seize control of affected modules, steal operational data, and disrupt industrial processes.
- Cybersecurity firm Dragos urges prompt firmware updates to mitigate risks in critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about vulnerabilities in Rockwell Automation's industrial technology for which state-sponsored hackers are known to hold an exploit capability. Rockwell Automation, a major provider of industrial automation and digital transformation technologies, reported CVE-2023-3595 and CVE-2023-3596 to CISA after identifying an exploit capability attributed to an unnamed Advanced Persistent Threat (APT) group.
The first vulnerability (CVE-2023-3595) has a CVSS score of 9.8 and allows remote code execution; the second (CVE-2023-3596) scores 7.5 and allows denial of service. Both affect a line of ControlLogix communication modules and could let attackers seize control of the devices, steal operational data, or manipulate the modules to disrupt or destroy the industrial processes managed by the ControlLogix system.
Cybersecurity firm Dragos collaborated with Rockwell Automation to assess the threat and urged all operational technology (OT) companies to promptly update their firmware to the latest version. Rockwell Automation has released updates for the affected devices.
Although there is currently no evidence of exploitation in the wild, Dragos emphasised the potential serious risks faced by customers using the affected products. The impacted Rockwell Automation product is commonly used in manufacturing, electric, oil and gas, and liquefied natural gas industries.
Because CVE-2023-3595 gives an attacker remote code execution on the communication module itself, exploitation could disrupt or destroy industrial processes, or be used to hide activity and obstruct incident response and recovery. Dragos highlighted similarities between CVE-2023-3595 and the zero-day used in the TRISIS malware attack, which targeted safety instrumented systems (SIS) in 2017.
Rockwell Automation has collaborated with the U.S. government in analysing the exploit capability attributed to APT actors but did not provide further comments. Experts underscore the importance of prompt firmware updates to mitigate risks and protect critical infrastructure.
Surge in USB-delivered malware campaigns targeting various industries
- Mandiant’s report reveals a significant increase in USB-based malware distribution in the first half of 2023.
- The ‘Sogu’ campaign, attributed to the Chinese group ‘TEMP.HEX,’ aggressively targets industries worldwide, encrypting and exfiltrating valuable data.
- The ‘Snowydrive’ campaign deceives victims into launching malware from USB drives, enabling backdoor access for malicious actions.
- USB attacks remain a prevalent threat, particularly in print shops and hotels, highlighting the need for robust security measures and user vigilance.
A recent report by Mandiant highlights a significant increase in malware distributed through USB drives during the first half of 2023. The study identifies two specific campaigns: ‘Sogu’, attributed to the Chinese espionage group ‘TEMP.HEX’, and ‘Snowydrive’, linked to UNC4698 and targeting Asian oil and gas firms.
Sogu is an aggressive USB-assisted cyber-espionage campaign targeting industries worldwide, with victims in countries including the United States, France, the UK, Italy, China, and the Philippines. Its malware, Korplug (also known as PlugX), establishes persistence through registry keys and a Windows Task Scheduler entry for regular execution. Once running, it performs system reconnaissance, identifies valuable MS Office documents and PDFs, encrypts them, and exfiltrates them to a command and control (C2) server.
Snowydrive infects computers with a backdoor that enables arbitrary payload execution, registry modification, and file manipulation. Victims are deceived into launching an executable from a USB drive, which starts the malware components stored in a ‘Kaspersky’ folder. The backdoor is loaded into the legitimate ‘CUZ.exe’ process and supports commands for file operations, data exfiltration, a reverse shell, and reconnaissance.
USB-based attacks continue to thrive because they sidestep network-perimeter controls, provide initial access to corporate networks, and can reach air-gapped systems. Print shops and hotels are identified as hotspots for USB malware distribution. Since these attacks are opportunistic, any host with an enabled USB port is a potential target.
Mandiant’s findings emphasise the ongoing importance of safeguarding against USB-based threats through stringent security measures and user awareness.
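The chain described above (an executable launched from a USB drive, an unsigned DLL loaded into a legitimate process, and a Run-key entry for persistence) is visible in ordinary endpoint telemetry. The script below is an added example for this roundup, not Mandiant's tooling; it runs three simple rules over records constructed to resemble Sysmon ProcessCreate (ID 1), ImageLoad (ID 7) and RegistryValueSet (ID 13) events. The drive letters, SID, file names and USB folder layout are invented (the ‘Kaspersky’ folder and CUZ.exe names only echo the report), and the set of removable drive letters is assumed to come from device enumeration elsewhere.

```python
"""Flag USB-launched executables, unsigned DLL side-loads and Run-key persistence.

Added example for this roundup; it is not Mandiant's tooling. The records below are
constructed to resemble Sysmon ProcessCreate (ID 1), ImageLoad (ID 7) and
RegistryValueSet (ID 13) events, carrying only the fields this script reads.
Drive letters, SIDs, file names and the layout of the USB drive are invented.
"""
from __future__ import annotations
import re

# Directories where a DLL or autorun target is expected to live on a managed host.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.IGNORECASE)


def on_removable(path: str, removable: set[str]) -> bool:
    """True if the path sits on one of the drive letters enumerated as removable."""
    return path[:2].upper() in removable


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage(events: list[dict], removable: set[str]) -> list[tuple[str, str]]:
    """Return (finding_type, evidence) pairs for the three behaviours in the USB chain."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid == 1 and on_removable(e["Image"], removable):
            # A user launched something that lives on the USB stick.
            findings.append(("usb_launch", f'{e["ParentImage"]} -> {e["Image"]}'))
        elif eid == 7 and e["Signed"] == "false" and on_removable(e["Image"], removable):
            # In Sysmon ID 7 'Signed' describes ImageLoaded: an unsigned DLL pulled
            # into a process running from removable media is the side-loading pattern.
            findings.append(("sideload", f'{e["Image"]} loaded {e["ImageLoaded"]}'))
        elif eid == 13 and RUN_KEY.search(e["TargetObject"]) \
                and not in_trusted_dir(e["Details"].strip('"')):
            # Run/RunOnce value pointing outside the usual program directories.
            findings.append(("run_key_persistence", f'{e["TargetObject"]} = {e["Details"]}'))
    return findings


def sample_events() -> list[dict]:
    """Constructed Sysmon-like records: one benign trio, then one malicious trio."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # invented
    run = f"HKU\\{sid}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    return [
        {"EventID": 1, "Image": "C:\\Program Files\\Git\\cmd\\git.exe",
         "ParentImage": "C:\\Windows\\explorer.exe"},
        {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
         "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
        {"EventID": 13, "TargetObject": f"{run}\\OneDrive",
         "Details": '"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"'},
        {"EventID": 1, "Image": "E:\\Kaspersky\\CUZ.exe",
         "ParentImage": "C:\\Windows\\explorer.exe"},
        {"EventID": 7, "Image": "E:\\Kaspersky\\CUZ.exe",
         "ImageLoaded": "E:\\Kaspersky\\helper.dll", "Signed": "false"},
        {"EventID": 13, "TargetObject": f"{run}\\Updater",
         "Details": "E:\\Kaspersky\\CUZ.exe"},
    ]


if __name__ == "__main__":
    for kind, evidence in triage(sample_events(), removable={"E:"}):
        print(f"{kind:22} {evidence}")
```

Each rule on its own is noisy (portable tools run from USB sticks legitimately); the value is in all three firing for the same process path within one session, which is what a hunt query should join on.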
Microsoft’s July security patch update addresses 130 vulnerabilities, including active zero days
- Microsoft’s July security update addresses 130 vulnerabilities, including five zero-day flaws actively exploited by threat actors.
- The vulnerabilities impact various Microsoft products, covering remote code execution, security bypasses, privilege escalation, and denial-of-service issues.
- Notable zero-day vulnerabilities include an Office and Windows HTML bug, security bypass flaws in Microsoft Outlook and Windows SmartScreen, and privilege escalation vulnerabilities. Prompt patching and implementing security measures are crucial to mitigate risks.
Microsoft’s July security update addresses a staggering 130 unique vulnerabilities, with five of them actively exploited by threat actors.
Microsoft rated nine of the flaws critical and the remaining 121 important. They affect products including Windows, Office, .NET, Azure Active Directory, printer drivers, DMS Server, and Remote Desktop, and span remote code execution (RCE), security feature bypass, privilege escalation, information disclosure, and denial-of-service bugs.
Of immediate concern are the five zero-days. CVE-2023-36884, an RCE bug in Office and Windows HTML, has been exploited by the threat group Storm-0978 in phishing campaigns against government and defence organisations; Microsoft did not ship a fix for it in this release and instead published mitigation guidance, so it needs tracking until a patch lands. Two more zero-days are security feature bypasses in Microsoft Outlook (CVE-2023-35311) and Windows SmartScreen (CVE-2023-32049); both require user interaction, such as clicking a crafted link, to get past the protection.
The remaining two zero-days enable privilege escalation: CVE-2023-36874 in the Windows Error Reporting service and CVE-2023-32046 in the Windows MSHTML platform. Three critical RCE vulnerabilities in Windows Routing and Remote Access Service (RRAS) were also highlighted. SharePoint Server had four RCE vulnerabilities addressed, two of which were rated critical. The update also fixed a Windows Remote Desktop Protocol security feature bypass (CVE-2023-35332) and came with an advisory about malicious drivers certified under Microsoft’s Windows Hardware Developer Program.
Security researchers urge prompt patching, prioritising the zero-days and the critical RRAS and SharePoint flaws, and applying Microsoft's published mitigations where a fix is not yet available. Disabling outdated protocols where they are no longer needed reduces the exposed surface in the meantime. Organisations using the affected products should update promptly to avoid potential breaches and to stay within relevant regulatory requirements.
New vulnerabilities disclosed in SonicWall and Fortinet network security products
- SonicWall urges customers to install patches addressing 15 vulnerabilities in its GMS and Analytics software, including critical flaws.
- The vulnerabilities could enable unauthorised access, data manipulation, and changes to application behavior.
- Fortinet discloses a critical flaw in FortiOS and FortiProxy, advising customers to disable HTTP/2 support as a temporary mitigation.
SonicWall has urged customers of its Global Management System (GMS) firewall management and Analytics network reporting engine software to install the latest patches to address 15 security vulnerabilities. These flaws, tracked as CVE-2023-34123 through CVE-2023-34137, comprise four critical, four high, and seven medium-severity issues.
The issues affect on-premises versions of GMS 9.3.2-SP1 and earlier, as well as Analytics 2.5.0.4-R7 and earlier. SonicWall has released fixes in GMS version 9.3.3 and Analytics version 2.5.2. Exploiting the vulnerabilities could enable threat actors to bypass authentication and access sensitive data, modify or delete data, and cause persistent changes to the application’s behaviour.
Notably, the four critical flaws are a web service authentication bypass (CVE-2023-34124), multiple unauthenticated SQL injection issues (CVE-2023-34133), a password hash read via the web service (CVE-2023-34134), and a CAS (cloud app security) authentication bypass (CVE-2023-34137). Because several of these are reachable without credentials, management interfaces that are exposed beyond the administrative network should be treated as at risk until patched.
Meanwhile, Fortinet has disclosed a critical flaw (CVE-2023-33308) affecting FortiOS and FortiProxy. The vulnerability, with a CVSS score of 9.8, could allow remote code execution. Fortinet says the bug was already fixed in earlier releases, but no advisory accompanied those fixes at the time. Impacted versions are FortiOS 7.2.0 through 7.2.3 and 7.0.0 through 7.0.10, and FortiProxy 7.2.0 through 7.2.2 and 7.0.0 through 7.0.9; the first fixed builds are therefore FortiOS 7.2.4 and 7.0.11, and FortiProxy 7.2.3 and 7.0.10.
For customers unable to update immediately, Fortinet advises disabling HTTP/2 support on the SSL inspection profiles used by proxy policies or by firewall policies in proxy mode (its advisory gives the example of setting supported-alpn to http1-1 on the ssl-ssh-profile). This is a workaround, not a fix: it forces inspected sessions down to HTTP/1.1 and only covers the policies whose profiles were changed.
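Turning the affected-version list above into a repeatable check is the first thing to do on the day an advisory like this lands. The script below is an added example for this roundup, not a Fortinet tool: it encodes the four affected branches quoted above together with the first fixed build in each, compares versions numerically (string comparison gets 7.0.9 and 7.0.10 the wrong way round), and records whether the HTTP/2 workaround has been applied. The device names and versions in the sample inventory are constructed.

```python
"""Triage FortiOS / FortiProxy versions against the CVE-2023-33308 affected ranges.

Added example for this roundup, not a Fortinet tool. The affected ranges are the
ones quoted in the advisory summary; the first fixed build in each branch is the
next release after the last affected one. The inventory below is constructed.
"""
from __future__ import annotations

# (product, first affected, last affected, first fixed) per release branch.
AFFECTED_RANGES = [
    ("FortiOS", "7.2.0", "7.2.3", "7.2.4"),
    ("FortiOS", "7.0.0", "7.0.10", "7.0.11"),
    ("FortiProxy", "7.2.0", "7.2.2", "7.2.3"),
    ("FortiProxy", "7.0.0", "7.0.9", "7.0.10"),
]


def parse_version(text: str) -> tuple[int, ...]:
    """'v7.0.10' -> (7, 0, 10). Compare numerically: as strings '7.0.9' > '7.0.10'."""
    return tuple(int(part) for part in text.strip().lstrip("v").split("."))


def assess(product: str, version: str, http2_disabled: bool = False) -> dict:
    """Classify one device as vulnerable, mitigated (workaround applied), patched or unlisted."""
    ver = parse_version(version)
    for prod, first, last, fixed in AFFECTED_RANGES:
        if prod != product or parse_version(first)[:2] != ver[:2]:
            continue  # other product or other release branch
        if parse_version(first) <= ver <= parse_version(last):
            status = "mitigated" if http2_disabled else "vulnerable"
        else:
            status = "patched"
        return {"product": product, "version": version, "status": status, "fixed_in": fixed}
    # A branch the advisory does not list (e.g. 6.4.x) is reported as such, not as safe:
    # confirm it against the vendor advisory rather than assuming.
    return {"product": product, "version": version, "status": "branch not listed", "fixed_in": None}


def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Group device names by status so the 'vulnerable' list can go straight into a change ticket."""
    grouped: dict[str, list[str]] = {}
    for dev in inventory:
        result = assess(dev["product"], dev["version"], dev.get("http2_disabled", False))
        grouped.setdefault(result["status"], []).append(dev["name"])
    return grouped


SAMPLE_INVENTORY = [  # constructed, not a real estate
    {"name": "fw-edge-01", "product": "FortiOS", "version": "7.0.10"},
    {"name": "fw-edge-02", "product": "FortiOS", "version": "7.0.11"},
    {"name": "fw-dc-01", "product": "FortiOS", "version": "7.2.1", "http2_disabled": True},
    {"name": "proxy-01", "product": "FortiProxy", "version": "7.2.2"},
    {"name": "proxy-02", "product": "FortiProxy", "version": "7.0.10"},
    {"name": "fw-legacy", "product": "FortiOS", "version": "6.4.12"},
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:18} {', '.join(names)}")
```

The "mitigated" state is deliberately separate from "patched": the workaround applies per SSL inspection profile, so a device only earns that label once every profile used by a proxy-mode policy has been changed, and it still needs the firmware update scheduled.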
ScarletEel threat actor exploits AWS for data theft, cryptojacking, and DDoS attacks
- Researchers uncover ScarletEel, a financially motivated threat actor targeting AWS for various malicious activities.
- ScarletEel demonstrates expertise in AWS tools, evades security mechanisms, and expands tactics to include DDoS-as-a-service.
- The threat actor focuses on stealing credentials, intellectual property, crypto mining, and utilises Pandora malware for DDoS campaigns.
Researchers have discovered the financially motivated threat actor ScarletEel targeting Amazon Web Services (AWS) to carry out various malicious activities, including stealing credentials, intellectual property, crypto mining, and distributed denial-of-service (DDoS) attacks.
ScarletEel demonstrates a deep understanding of AWS tools, enabling it to infiltrate cloud environments and move laterally with ease. The threat actor has evolved its tactics, evading cloud security mechanisms and targeting the AWS Fargate compute engine. Additionally, ScarletEel has expanded its techniques to include DDoS-as-a-service.
The intrusion begins by exploiting Jupyter notebook containers in a Kubernetes cluster, followed by scripts that search the container for AWS credentials. The attackers exfiltrate what they find using shell built-ins rather than curl or wget, which are the binaries most runtime tooling watches for. ScarletEel also uses open-source pentesting tools, Pacu for AWS and Peirates for Kubernetes, to identify privilege escalation opportunities.
To hide their tracks, the threat actors point the AWS command-line tooling at a Russian-hosted server that speaks the AWS S3 API, so the stolen data never transits AWS and the exfiltration leaves no record in the victim’s CloudTrail logs. ScarletEel primarily focuses on stealing proprietary software and conducting cryptojacking. In their most recent campaign, the attackers launched 42 cryptominer instances, which could have generated around $4,000 of mining rewards per day had they gone undetected.
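Because the exfiltration to a non-AWS endpoint never reaches CloudTrail, detection has to lean on what does land there: an unexpected principal (here, a notebook's task role) enumerating the account, and a burst of RunInstances calls. The script below is an added example for this roundup, not from the Sysdig research or any AWS tool. It runs two windowed rules over records constructed to mirror the CloudTrail fields used; the account ID, role ARNs, timestamps and instance type are invented, and the 42-instance launch mirrors the figure in the report.

```python
"""Hunt for ScarletEel-style activity in CloudTrail: recon bursts and mass instance launches.

Added example for this roundup; it is not from the Sysdig research or any AWS tool.
The records below are constructed to mirror the CloudTrail fields used here, with
an invented account ID, role names and timestamps.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Calls that tools such as Pacu issue in quick succession when mapping an account.
RECON_EVENTS = {
    "GetCallerIdentity", "ListUsers", "ListRoles", "ListAttachedRolePolicies",
    "GetAccountAuthorizationDetails", "ListBuckets", "ListSecrets", "DescribeInstances",
}
EVENT_SOURCE = {  # service that owns each recon call, used to build realistic records
    "GetCallerIdentity": "sts.amazonaws.com", "ListUsers": "iam.amazonaws.com",
    "ListRoles": "iam.amazonaws.com", "GetAccountAuthorizationDetails": "iam.amazonaws.com",
    "ListBuckets": "s3.amazonaws.com", "ListSecrets": "secretsmanager.amazonaws.com",
    "DescribeInstances": "ec2.amazonaws.com",
}


def _when(event: dict) -> datetime:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(event: dict) -> str:
    return event["userIdentity"].get("arn", "unknown")


def recon_bursts(events, window=timedelta(minutes=5), min_distinct=5) -> dict[str, list[str]]:
    """Principals issuing at least `min_distinct` different recon APIs within `window`."""
    by_principal = defaultdict(list)
    for e in events:
        if e["eventName"] in RECON_EVENTS:
            by_principal[_principal(e)].append(e)
    hits = {}
    for arn, evs in by_principal.items():
        evs.sort(key=_when)
        for i, first in enumerate(evs):  # slide the window over each start event
            names = {x["eventName"] for x in evs[i:] if _when(x) - _when(first) <= window}
            if len(names) >= min_distinct:
                hits[arn] = sorted(names)
                break
    return hits


def launch_spikes(events, window=timedelta(minutes=10), threshold=10) -> dict[str, int]:
    """Principals whose RunInstances calls request more than `threshold` instances in `window`."""
    launches = defaultdict(list)
    for e in events:
        if e["eventName"] == "RunInstances" and e["eventSource"] == "ec2.amazonaws.com":
            items = e.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
            requested = sum(int(it.get("maxCount", 1)) for it in items) or 1
            launches[_principal(e)].append((_when(e), requested))
    hits = {}
    for arn, calls in launches.items():
        calls.sort()
        worst = max(sum(n for t, n in calls[i:] if t - t0 <= window)
                    for i, (t0, _) in enumerate(calls))
        if worst > threshold:
            hits[arn] = worst
    return hits


def _record(name: str, arn: str, when: datetime, **extra) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed, not a real log line)."""
    rec = {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"), "eventName": name,
           "eventSource": EVENT_SOURCE.get(name, "ec2.amazonaws.com"),
           "userIdentity": {"type": "AssumedRole", "arn": arn}}
    rec.update(extra)
    return rec


T0 = datetime(2023, 7, 10, 3, 0, 0)
TASK_ROLE = "arn:aws:sts::111122223333:assumed-role/notebook-task-role/i-0abc"  # invented
ADMIN_ROLE = "arn:aws:sts::111122223333:assumed-role/Admin/alice"                # invented


def sample_events() -> list[dict]:
    """Constructed: an admin's routine call, then a task role enumerating and launching 42 instances."""
    evs = [_record("DescribeInstances", ADMIN_ROLE, T0 - timedelta(hours=1))]
    for i, name in enumerate(["GetCallerIdentity", "ListUsers", "ListRoles",
                              "GetAccountAuthorizationDetails", "ListBuckets", "ListSecrets"]):
        evs.append(_record(name, TASK_ROLE, T0 + timedelta(seconds=20 * i)))
    for i in range(14):  # 14 calls x maxCount 3 = 42 instances in under six minutes
        evs.append(_record("RunInstances", TASK_ROLE, T0 + timedelta(minutes=3, seconds=25 * i),
                           requestParameters={"instanceType": "c5.4xlarge",
                                              "instancesSet": {"items": [{"minCount": 3, "maxCount": 3}]}}))
    return evs


if __name__ == "__main__":
    events = sample_events()
    print("recon bursts:", recon_bursts(events))
    print("launch spikes:", launch_spikes(events))
```

The thresholds are starting points to tune against a baseline of your own accounts; the stronger signal is the principal, since a Fargate task or notebook pod role has no business calling GetAccountAuthorizationDetails or RunInstances at all, and a CloudTrail filter on those calls from workload roles can be near zero-noise.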
Furthermore, the group deploys Pandora, a Mirai botnet malware, with the intention of utilising infected devices for a separate DDoS-as-a-service campaign. ScarletEel’s expertise in AWS environments, including its ability to access Fargate, poses challenges for traditional cloud security measures.
Experts recommend both preventative and runtime controls: least-privilege IAM for task and pod roles so a compromised notebook cannot enumerate or launch compute, runtime security that can spot credential harvesting and cryptominer execution inside containers, and cloud security posture management (CSPM) together with cloud infrastructure entitlement management (CIEM) to find the over-permissioned identities that actors like ScarletEel depend on.