Welcome to Critical Chatter! This is CloudGuard’s new weekly cyber news flash. What will you find here? It’s simple. A roundup of some of the week’s most interesting cyber news curated by our very own Guardian Analysts.
Top stories – 2nd June 2023
Click the headlines to go straight to the news that interests you.
- ‘File Archiver In The Browser’ phishing trick uses ZIP domains
- Barracuda zero-day abused since 2022
- Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
- ScarCruft Hackers Exploit LNK Files to Spread RokRAT
- Salesforce ‘Ghost Sites’ Expose Sensitive Corporate Data
- Mirai Variant Opens Tenda, Zyxel Gear to RCE, DDoS
‘File Archiver In The Browser’ phishing trick uses ZIP domains
Key takeaways:
- Phishing kit “File Archivers in the Browser” deceives users by displaying fake WinRAR/File Explorer windows on ZIP domains
- The kit removes address bar and scrollbar, making the fake window appear genuine, and includes a fake security scan button
- The phishing technique enables credential theft and malware delivery through redirecting users and disguising executable files as PDFs
The detail:
A new phishing kit called “File Archivers in the Browser” has been discovered, which exploits ZIP domains to display fake WinRAR or Windows File Explorer windows in the browser. The toolkit, developed by security researcher mr.d0x, creates convincing in-browser instances of WinRAR or File Explorer on ZIP domains to deceive users into thinking they are opening a ZIP file. By simulating legitimate file archiver software and using a .zip domain, the phishing kit appears more authentic.
The toolkit can be customised to remove the address bar and scrollbar, making it look like a genuine WinRAR window. Additionally, a fake security scan button is implemented to convince users that the files are safe. This phishing technique can be used for credential theft and malware delivery. For example, when a user clicks on a PDF file within the fake WinRAR window, they may be redirected to a page that requests login credentials. The toolkit can also deliver malware by tricking users into downloading executable files disguised as PDF files.
The abuse of ZIP domains in this manner demonstrates the potential for clever phishing attacks and the delivery of malware or credential theft.
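The natural defensive counterpart to the story above is to surface .zip-domain destinations in proxy or email logs. The following is an added example, not code from the article or from mr.d0x's kit: it distinguishes a hostname whose TLD is zip (the lure) from an ordinary archive download whose path ends in .zip, and it also flags bare archive-looking names in message text, which can resolve as hostnames now that .zip is a TLD. The log format and all sample lines are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the original article).
SAMPLE_LOG = """\
2023-06-02T09:14:03Z user=alice url=https://mail.example.com/inbox status=200
2023-06-02T09:15:41Z user=bob url=https://files.example.com/downloads/report.zip status=200
2023-06-02T09:16:10Z user=carol url=https://financial-report-q2.zip/ status=200
2023-06-02T09:17:55Z user=dave url=http://invoice.zip/report.pdf status=302
"""

URL_RE = re.compile(r"url=(\S+)")
USER_RE = re.compile(r"user=(\S+)")
# A name like "setup.zip" not preceded by a path separator or another label character.
BARE_ZIP_RE = re.compile(r"(?<![/\w.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.zip)\b", re.I)


def is_zip_domain(url: str) -> bool:
    """True when the URL's hostname itself ends in the .zip TLD.

    A path ending in .zip (a genuine archive download) is not flagged;
    only a host whose last label is 'zip' is, because that is what the
    in-browser file-archiver lure depends on.
    """
    host = (urlparse(url).hostname or "").rstrip(".").lower()
    return host.split(".")[-1] == "zip"


def flag_zip_domains(log_text: str) -> list:
    """Return (user, url) pairs whose destination host is a .zip domain."""
    hits = []
    for line in log_text.splitlines():
        m = URL_RE.search(line)
        if not m or not is_zip_domain(m.group(1)):
            continue
        u = USER_RE.search(line)
        hits.append((u.group(1) if u else "?", m.group(1)))
    return hits


def bare_zip_names(text: str) -> list:
    """Return archive-looking names in free text that could be .zip hostnames."""
    return BARE_ZIP_RE.findall(text)


if __name__ == "__main__":
    for user, url in flag_zip_domains(SAMPLE_LOG):
        print(f"review: {user} visited .zip domain {url}")
    print(bare_zip_names("Please open setup.zip, see https://files.example.com/report.zip"))
```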
Full article link: https://www.bleepingcomputer.com/news/security/clever-file-archiver-in-the-browser-phishing-trick-uses-zip-domains/
Barracuda zero-day abused since 2022
Key takeaways:
- Barracuda’s ESG appliances were exploited for seven months via a zero-day vulnerability (CVE-2023-2868), resulting in data theft and persistent access
- Barracuda patched the vulnerability, blocked attackers, and advised customers to check for intrusions
- The U.S. CISA listed CVE-2023-2868, urging updates, discontinuation of compromised systems, credential changes, and log analysis
The detail:
Barracuda, a network and email security firm, has disclosed the exploitation of a zero-day vulnerability (CVE-2023-2868) in its Email Security Gateway (ESG) appliances. The vulnerability was actively exploited for seven months starting from October 2022.
Attackers deployed custom malware to backdoor the compromised systems, granting them persistent access and stealing data from the affected ESG appliances. Barracuda became aware of the issue on May 19 when suspicious traffic was detected, prompting an investigation in collaboration with cybersecurity firm Mandiant. The company promptly released a security patch on May 20 and implemented a script to block the attackers’ access to the compromised devices. Barracuda advised customers on May 24 to investigate their environments, as lateral movement within their networks may have occurred. The company is deploying security patches to all affected appliances and has notified impacted users. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the CVE-2023-2868 vulnerability in its list of known exploited vulnerabilities, urging federal agencies to check for intrusions originating from compromised ESG appliances.
The investigation also revealed several custom-tailored malware strains, including trojanized modules and backdoors, used in the attack. Barracuda recommends customers ensure their appliances are up-to-date, discontinue use of breached appliances, request new appliances, change credentials associated with the compromised systems, and analyse network logs for indicators of compromise.
Full article link: https://www.bleepingcomputer.com/news/security/barracuda-zero-day-abused-since-2022-to-drop-new-malware-steal-data/
Critical OAuth vulnerability in Expo framework allows account hijacking
Key takeaways:
- Critical OAuth vulnerability (CVE-2023-28131) in Expo.io exposes credentials and allows account hijacking
- Affects sites and apps using the AuthSession Proxy for third-party SSO (e.g., Facebook, Google)
- Expo issued a hotfix and advised migrating from AuthSession API proxies to direct registration with authentication providers
The detail:
A critical security vulnerability (CVE-2023-28131) has been disclosed in the Open Authorization (OAuth) implementation of the Expo.io application development framework. The vulnerability, with a severity rating of 9.6 on the CVSS scoring system, could lead to credential leakage and account hijacking. The flaw affects sites and applications using Expo that have configured the AuthSession Proxy setting for single sign-on (SSO) with third-party providers like Facebook and Google.
By tricking a user into clicking on a specially crafted link, an attacker could send the secret token associated with a sign-in provider to a domain under their control and take control of the victim’s account. Expo released a hotfix shortly after the responsible disclosure in February 2023 and advised users to migrate from using AuthSession API proxies to directly registering deep link URL schemes with third-party authentication providers.
This disclosure follows recent similar OAuth issues discovered in Booking.com and Kayak.com, as well as vulnerabilities in the Pimcore content management system and LibreNMS network management system.
Full article link: https://thehackernews.com/2023/05/critical-oauth-vulnerability-in-expo.html
ScarCruft hackers exploit LNK files to spread RokRAT
Key takeaways:
- North Korean group ScarCruft uses RokRAT for cyber espionage, targeting South Korea
- RokRAT is distributed through spear-phishing and exploits software vulnerabilities
- RokRAT enables data extraction, remote commands, and file exfiltration, as seen in recent deceptive attacks by ScarCruft
The detail:
The RokRAT remote access trojan (RAT), employed by the North Korean state-sponsored group ScarCruft, has been analyzed by cybersecurity researchers. ScarCruft is a cyber espionage group operating on behalf of the North Korean government, primarily targeting entities in South Korea. RokRAT is a sophisticated RAT used by ScarCruft to gain unauthorised access, extract sensitive information, and maintain control over compromised systems.
The group utilizes social engineering techniques, such as spear-phishing, to deliver the RokRAT malware. The malware has been observed being distributed through the exploitation of vulnerabilities in Hancom’s Hangul Word Processor (HWP), a commonly used software in South Korea. RokRAT, also known as DOGCALL, is actively developed and maintained, and it has been ported to other operating systems like macOS and Android. Recent attacks by ScarCruft have utilized LNK files to trigger multi-stage infection sequences that ultimately result in the deployment of RokRAT. The RAT enables the threat actors to collect system metadata, capture screenshots, execute remote commands, enumerate directories, and exfiltrate files of interest.
A recent ScarCruft attack discovered by ASEC revealed the use of a Windows executable posing as a Hangul document to drop malware that contacts an external URL, which hosts a web shell, every 60 minutes.
Full article link: https://thehackernews.com/2023/06/n-korean-scarcruft-hackers-exploit.html
Salesforce ‘Ghost Sites’ expose sensitive corporate data
Key takeaways:
- Abandoned Salesforce Communities create “ghost sites” exposing sensitive data when companies switch providers without deactivation
- Ghost sites retain intact data, and automated sharing rules may continue data distribution
- Malicious actors find ghost sites through indexed DNS records and reach them by manipulating the host header, so deactivation is necessary to protect the data
The detail:
Salesforce customers are leaving behind abandoned “ghost sites” in their Communities, exposing sensitive corporate, vendor, and user data. These ghost sites occur when companies move from Salesforce to other providers but fail to deactivate their Communities, leaving the data accessible to anyone.
The issue arises because while the URL is redirected, the site continues to exist with all the potentially sensitive information intact. Additionally, Salesforce’s automated data sharing rules may still apply to ghost sites, leading to the continued distribution of data. Malicious actors can exploit these sites, aided by tools that index and archive DNS records to identify ghost sites easily. By manipulating the host header, attackers can trick Salesforce into serving the site to them, even if the direct URL does not work.
Abandoned sites are also less maintained and thus more vulnerable to attacks. It is essential for companies to deactivate Salesforce sites that are no longer active or needed to protect their data as well as the data of partners and users connected to their Communities.
Full article link: https://www.darkreading.com/application-security/salesforce-ghost-sites-expose-sensitive-corporate-data
Mirai variant opens Tenda, Zyxel Gear to RCE, DDoS
Key takeaways:
- Mirai variant IZ1H9 exploits device vulnerabilities to build botnets for DDoS attacks
- Vulnerabilities include command injection and remote code execution flaws
- Mitigation: update software, use firewall protection, block ports; IoT manufacturers should improve security measures
The detail:
A variant of the Mirai botnet, named IZ1H9, has been observed exploiting four different device vulnerabilities to add Linux-based servers and IoT devices to botnets for conducting network-based attacks, including DDoS attacks.
The vulnerabilities exploited are two command injection vulnerabilities (CVE-2023-27076 affecting Tenda G103 devices and CVE-2023-26801 affecting LB-Link devices) and two remote code execution (RCE) flaws (CVE-2023-26802 affecting DCN DCBI-Netlog-LAB and another without a CVE affecting Zyxel devices). Although the IZ1H9 variant primarily focuses on DDoS attacks, the impact can be more severe as the exploits can lead to RCE. The variant has been used in multiple attacks since November 2021, with the same malware shell script downloaders, XOR decryption key, and infrastructure, indicating the involvement of the same threat actor or group.
In an attack on April 10, the shell script downloader deployed bot clients to accommodate different Linux architectures and blocked network connections from various ports to prevent remote recovery of compromised devices. The botnet client avoids executing on specific IP blocks, indicating a desire for longevity. Mitigation strategies include updating vulnerable devices with the latest software patches, using advanced firewall and threat protection tools, implementing URL filtering and DNS security, and blocking public-facing ports 80 (HTTP), 22 (SSH), and 23 (TELNET). However, the responsibility also lies with IoT device manufacturers to improve security measures and be held accountable for devices becoming part of botnets.
Full article link: https://www.darkreading.com/endpoint/mirai-variant-tenda-zyxel-rce-ddos
Wrap up
That’s all, folks! Thanks for checking out this week’s Critical Chatter. We’ll be posting every Friday, so look out for our next cyber news flash.