Welcome to Critical Chatter, CloudGuard’s weekly cyber news update. This week’s news flash has been curated by Vaughan Carey (SOC Leader).
Top stories – 01 March 2024
- ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
- 8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation
- LockBit Re-emerges, a Week After ‘Complete Compromise’
- Russia’s ‘Midnight Blizzard’ Targets Service Accounts for Initial Cloud Access
ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware
A critical vulnerability in the ConnectWise ScreenConnect remote desktop service has raised alarms that it could be the precursor to a major cybersecurity incident in 2024. The vulnerability gives attackers remote access to a vast number of servers and endpoints, with the potential to affect hundreds of thousands of devices. Huntress CEO Kyle Hanslovan has highlighted the severity of this threat, likening its potential impact to the widespread Kaseya attacks in 2021.
ConnectWise ScreenConnect is widely used by managed service providers (MSPs) to access customer systems, raising fears of a supply chain attack. Two specific vulnerabilities have been identified: an authentication bypass bug (CVE-2024-1709, CVSS score 10) and a path-traversal issue (CVE-2024-1708, CVSS score 8.4). These vulnerabilities allow for the creation of new administrator accounts and unauthorised file access, respectively.
The Shadowserver Foundation reports over 8,200 vulnerable instances online, mainly in the US, with CVE-2024-1709 being exploited widely. This situation has led to instances of ransomware deployment, including on systems potentially linked to critical services like 911.
Mitigation efforts include patching vulnerable systems with ScreenConnect version 23.9.8 and monitoring for indicators of compromise, especially in the ScreenConnect extensions folder. Despite ConnectWise’s efforts to revoke licenses for unpatched servers, the vulnerabilities remain a significant concern for unpatched or slowly patched systems.
Article Link: www.darkreading.com/remote-workforce/connectwise-screenconnect-mass-exploitation-delivers-ransomware
8,000+ Domains of Trusted Brands Hijacked for Massive Spam Operation
Guardio Labs has uncovered a sophisticated cyber operation named SubdoMailing, orchestrated by a threat actor dubbed ResurrecAds and active since at least September 2022. The scheme involves hijacking over 8,000 domains and 13,000 subdomains of legitimate brands and institutions, including ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Swatch, Symantec, The Economist, UNICEF, and VMware.
The attackers exploit these domains to distribute spam and malicious phishing emails, leveraging the domains’ credibility to bypass security measures like SPF, DKIM, and DMARC, which are email authentication methods designed to prevent spoofing and spam. These emails, cleverly disguised as images to evade text-based spam filters, redirect users through various domains based on their device type and location, leading to potential scams, phishing sites, or malware downloads.
The campaign is sophisticated, using techniques such as CNAME record aliasing for email spoofing and DNS SPF record manipulation to send emails as if they were from the legitimate domain. This operation not only targets maximising click monetisation through deceptive ads but also poses a risk of phishing and malware distribution. Guardio Labs has responded by creating a SubdoMailing Checker tool to help domain administrators and site owners identify potential compromises.
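One way a domain owner can look for the two record types this campaign abuses, written as an added example for this roundup rather than Guardio's own checker: it parses a zone export and flags CNAME targets and SPF include/redirect targets that point at domains outside the organisation's own inventory. The zone, the inventory, the two-label registrable-domain rule and the premise that out-of-inventory delegations are the ones at risk of takeover are constructed assumptions.

```python
import re

# Constructed zone export in BIND-like "name TYPE value" lines (example data).
ZONE = """
www.example-brand.com    CNAME cdn.example-brand.com.
promo.example-brand.com  CNAME old-campaign-host.net.
example-brand.com        TXT   "v=spf1 include:_spf.example-brand.com include:mail.expired-vendor.com -all"
_spf.example-brand.com   TXT   "v=spf1 ip4:203.0.113.0/24 redirect=legacy-mailer.org"
shop.example-brand.com   TXT   "v=spf1 include:_spf.example-brand.com ~all"
"""
# Domains the organisation still controls (constructed; normally an asset
# inventory or registrar export would feed this).
OWNED = {"example-brand.com"}


def parse_zone(text):
    """Yield (name, rtype, value) tuples; trailing dots and TXT quotes removed."""
    for line in text.strip().splitlines():
        name, rtype, value = line.split(None, 2)
        yield name.rstrip("."), rtype, value.strip().strip('"')


def registrable(host):
    """Crude registrable-domain guess: the last two labels (assumption: no
    multi-label public suffixes such as co.uk appear in the inventory)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def spf_targets(txt):
    """Domains an SPF record delegates to via include:, redirect=, a: or mx:."""
    return re.findall(r"(?:include:|redirect=|a:|mx:)([\w.-]+)", txt)


def find_risky_records(zone_text, owned):
    """Return (name, rtype, target) for every CNAME or SPF delegation whose
    target domain is outside `owned`: those are the records to review, since
    a lapsed target domain belongs to whoever registers it next."""
    findings = []
    for name, rtype, value in parse_zone(zone_text):
        if rtype == "CNAME":
            targets = [value]
        elif rtype == "TXT" and value.startswith("v=spf1"):
            targets = spf_targets(value)
        else:
            continue
        for target in targets:
            if registrable(target) not in owned:
                findings.append((name, rtype, target.rstrip(".")))
    return findings
```

Running find_risky_records(ZONE, OWNED) on the constructed zone flags the promo CNAME, the expired-vendor include and the legacy-mailer redirect, while the in-house cdn and _spf references pass.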
Article Link: https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html
LockBit Re-emerges, a Week After ‘Complete Compromise’
The LockBit ransomware-as-a-service operation quickly rebounded by relaunching its leak site only a week after a global law enforcement takedown, dubbed the “Operation Cronos Taskforce.” This taskforce, including the FBI, Europol, and the UK’s National Crime Agency, dismantled LockBit’s infrastructure, seized data, and arrested individuals in a coordinated effort across three countries.
Despite these efforts, LockBit’s leader acknowledged the loss of their primary infrastructure, compromised through a critical PHP bug, CVE-2023-3824, with a 9.8 out of 10 CVSS score, but highlighted that backup systems survived, which allowed them to swiftly recover.
The revived leak site displayed stolen data from various victims, illustrating the group’s resilience. Experts like former FBI agent Michael McPherson and ransomware negotiator Kurtis Minder acknowledged the blow to LockBit but cautioned against underestimating the group’s capability to bounce back. The operation’s success in accessing affiliates’ information creates distrust within the ransomware ecosystem, potentially disrupting future collaborations.
However, to combat ransomware effectively, experts suggest that high-profile raids need to be supplemented with comprehensive policies and programs that focus on prevention, response, and repair, emphasising ransomware’s significant economic impact.
Article Link: https://www.darkreading.com/threat-intelligence/lockbit-leak-site-reemerges-week-after-complete-compromise-
Russia’s ‘Midnight Blizzard’ Targets Service Accounts for Initial Cloud Access
The UK’s National Cyber Security Centre (NCSC), alongside the US Cybersecurity and Infrastructure Security Agency (CISA) and international counterparts, issued a warning regarding a shift in tactics by “Midnight Blizzard,” a threat group linked to Russian intelligence services (SVR).
Known for its involvement in high-profile attacks on entities such as SolarWinds, Microsoft, and HPE, Midnight Blizzard is now exploiting automated cloud services and dormant accounts to infiltrate cloud environments of targeted organisations. This marks a significant evolution in the approach of the threat actor, also known as APT29, Cozy Bear, and Dukes, in response to the increasing shift of organisations towards cloud services.
Midnight Blizzard, active since at least 2009 and attributed with high confidence to Russia’s SVR, has historically targeted government, healthcare, energy, law enforcement, aviation, and military sectors through software vulnerabilities and network weaknesses. The group’s pivot to cloud services involves brute-force and password spraying attacks on cloud service accounts, which are hard to protect with two-factor authentication and often hold privileged access to networks. They also exploit dormant accounts and employ tactics such as stolen OAuth tokens and MFA fatigue attacks to maintain persistent access within cloud environments.
To combat these threats, the NCSC recommends implementing multifactor authentication, creating strong passwords, applying the principle of least privilege to service accounts, shortening authentication token session lifetimes, and preventing unauthorised device registrations. Additionally, the advisory suggests the creation of “canary” service accounts as a detection method for unauthorised access.
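The advisory's recommendations can be turned into sign-in detections; this added example (not NCSC or CISA tooling) runs three checks over constructed cloud sign-in events: any use of a canary service account, a successful sign-in by an account dormant for longer than a threshold, and a password spray from one source against many accounts. The thresholds, account names, event format and last-activity table are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed cloud sign-in events: (timestamp, account, source_ip, success).
EVENTS = [
    ("2024-02-26T08:00:00", "svc-backup", "198.51.100.7", False),
    ("2024-02-26T08:00:05", "svc-sync", "198.51.100.7", False),
    ("2024-02-26T08:00:09", "svc-report", "198.51.100.7", False),
    ("2024-02-26T08:00:14", "svc-etl", "198.51.100.7", False),
    ("2024-02-26T08:00:20", "svc-etl", "198.51.100.7", True),
    ("2024-02-26T09:30:00", "svc-legacy", "203.0.113.5", True),
    ("2024-02-26T10:00:00", "svc-canary-01", "203.0.113.5", True),
    ("2024-02-26T10:05:00", "alice", "192.0.2.10", True),
]
# Constructed: canary service accounts (never used legitimately) and each
# account's last legitimate activity, as an IAM inventory would record it.
CANARY = {"svc-canary-01"}
LAST_ACTIVE = {"svc-legacy": "2023-06-01T00:00:00", "alice": "2024-02-25T17:00:00"}


def detect(events, canary, last_active, spray_min_accounts=3,
           spray_window=timedelta(minutes=5), dormant_after=timedelta(days=90)):
    """Return (rule, detail) alerts for canary use, dormant-account sign-ins
    and password spraying; the thresholds are constructed defaults."""
    alerts = []
    parse = datetime.fromisoformat
    # 1. Canary accounts have no legitimate use, so any attempt is an alert.
    for ts, acct, ip, ok in events:
        if acct in canary:
            alerts.append(("canary_account_used", f"{acct} from {ip} at {ts}"))
    # 2. Dormant-account revival: a success long after the last known activity.
    for ts, acct, ip, ok in events:
        if ok and acct in last_active and \
                parse(ts) - parse(last_active[acct]) > dormant_after:
            alerts.append(("dormant_account_signin", f"{acct} from {ip} at {ts}"))
    # 3. Spray: one source failing against many distinct accounts in a window.
    failures = defaultdict(list)
    for ts, acct, ip, ok in events:
        if not ok:
            failures[ip].append((parse(ts), acct))
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            hit = {a for t, a in attempts[i:] if t - start <= spray_window}
            if len(hit) >= spray_min_accounts:
                alerts.append(("password_spray",
                               f"{ip} failed against {len(hit)} accounts"))
                break
    return alerts
```

On the constructed events, detect(EVENTS, CANARY, LAST_ACTIVE) raises one alert per rule: the canary touch, the svc-legacy revival after months of silence, and the four-account spray from 198.51.100.7; alice's routine sign-in raises nothing.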
Article Link: https://www.darkreading.com/cloud-security/russia-s-midnight-blizzard-targeting-service-accounts-for-initial-cloud-access
If you like what you’ve read, subscribe on LinkedIn so you don’t miss next week’s roundup!