Critical Chatter: Undetectable Malware, APT Intrusions, and Critical Fixes

Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Joe Appleby, SOC Analyst.

Top stories – 16 June 2023

Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs

Key takeaways:

  • Microsoft’s June 2023 Patch Tuesday fixed 78 vulnerabilities, including 38 RCE flaws.
  • Notable fixes: privilege elevation in SharePoint Server (CVE-2023-29357) and remote code execution in Exchange Server (CVE-2023-32031).
  • Updates for Microsoft Office addressed remote code execution via Excel and OneNote documents (CVE-2023-32029, CVE-2023-33133, CVE-2023-33137, CVE-2023-33140, CVE-2023-33131).

The details:

Microsoft’s June 2023 Patch Tuesday addressed 78 vulnerabilities, including 38 remote code execution (RCE) flaws. Among the fixed vulnerabilities, six were labelled as ‘Critical.’ The list of vulnerabilities includes 17 elevation of privilege, 3 security feature bypass, 32 RCE, 5 information disclosure, 10 denial of service, 10 spoofing, and 1 Edge-Chromium vulnerability. Notably, this update did not address any zero-day vulnerabilities or actively exploited bugs.

One of the notable flaws fixed is CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server. This vulnerability allowed attackers to assume the privileges of other users, including administrators. Another notable vulnerability, CVE-2023-32031, was fixed in Microsoft Exchange Server, enabling authenticated remote code execution.

Microsoft also released updates for Microsoft Office, addressing vulnerabilities that allowed threat actors to perform remote code execution using maliciously crafted Excel and OneNote documents. The relevant CVE numbers for these vulnerabilities are CVE-2023-32029, CVE-2023-33133, CVE-2023-33137, CVE-2023-33140, and CVE-2023-33131.

For a complete list of resolved vulnerabilities categorized by the affected systems and their respective CVE numbers and severity ratings, see the full article below.

Article link:

Severe vulnerabilities reported in Microsoft Azure Bastion and Container Registry

Key takeaways:

  • Two vulnerabilities exposed Azure Bastion and Azure Container Registry to XSS attacks.
  • A weakness in postMessage handling between iframes allowed unauthorized session access and potential data disruption.
  • Exploitation involved embedding the vulnerable iframe on a remote server and sending crafted postMessage payloads. Microsoft has issued security fixes.

The details:

Two security vulnerabilities in Microsoft Azure Bastion and Azure Container Registry have been disclosed, posing a risk of cross-site scripting (XSS) attacks.

The vulnerabilities allowed unauthorized access to a user’s session within the compromised Azure service iframe, potentially resulting in unauthorized data access, modification, and disruption of Azure service iframes. The flaws stem from a weakness in how the iframe handles postMessage, the browser API that enables cross-origin communication between Window objects.

Exploiting the weaknesses requires reconnaissance on Azure services to identify vulnerable endpoints that lack X-Frame-Options headers or have weak Content Security Policies (CSPs). Attackers embed the iframe on a remote server and focus on the postMessage handler, analysing legitimate postMessages to craft suitable payloads.

When a victim visits the compromised endpoint, a malicious postMessage payload triggers the XSS vulnerability, executing the attacker’s code within the victim’s context. Orca Security demonstrated a proof-of-concept where a specially crafted postMessage manipulated Azure Bastion or Azure Container Registry to execute an XSS payload.
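As an added illustration, and not code from Orca Security, Microsoft or the original article, the Node-runnable JavaScript below shows a defender’s check for the two conditions the write-up names: an endpoint that can be framed because it sends neither a usable X-Frame-Options header nor a CSP frame-ancestors directive, and a postMessage listener that trusts any sender and renders what it receives. The sample headers, the allowed origin https://portal.example, the message shape ({ type: 'status', text }) and the plain-object sink standing in for a DOM element are constructed assumptions.

```javascript
// Added example (not from the article, Orca Security or Microsoft).
// Part 1: does this response allow the page to be framed by another origin?
// Per the CSP spec, a frame-ancestors directive takes precedence over X-Frame-Options.
function framingProtection(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  const csp = h['content-security-policy'] || '';
  const frameAncestors = csp.split(';').map(d => d.trim())
    .find(d => d.toLowerCase().startsWith('frame-ancestors'));
  if (frameAncestors) {
    const sources = frameAncestors.split(/\s+/).slice(1);
    if (sources.length === 0) sources.push("'none'"); // empty source list means 'none'
    if (sources.includes('*')) return { protected: false, reason: 'frame-ancestors allows any origin' };
    return { protected: true, reason: 'frame-ancestors ' + sources.join(' ') };
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { protected: true, reason: 'X-Frame-Options ' + xfo };
  return { protected: false, reason: 'no frame-ancestors directive and no valid X-Frame-Options header' };
}

// Part 2: the postMessage listener. The weak form is the pattern the article describes:
// any window that can obtain a reference to this one can deliver a message, and the
// handler neither checks event.origin nor treats the payload as untrusted data.
function weakHandler(event, sink) {
  sink.innerHTML = String(event.data && event.data.html); // markup from an unchecked sender
  return { accepted: true, reason: 'rendered as markup from ' + event.origin };
}

// Hardened form: an explicit origin allowlist, a strict message schema, and text-only
// rendering so the payload can never become script in this window's context.
const ALLOWED_ORIGINS = ['https://portal.example']; // constructed placeholder origin

function makeSafeHandler(allowedOrigins, sink) {
  return function onMessage(event) {
    if (!allowedOrigins.includes(event.origin)) {
      return { accepted: false, reason: 'untrusted origin: ' + event.origin };
    }
    const data = event.data;
    if (typeof data !== 'object' || data === null ||
        data.type !== 'status' || typeof data.text !== 'string') {
      return { accepted: false, reason: 'unexpected message shape' };
    }
    sink.textContent = data.text; // text node, never HTML
    return { accepted: true, reason: 'rendered as text' };
  };
}

// Stand-alone demo with constructed inputs (a plain object stands in for a DOM element).
if (typeof require !== 'undefined' && require.main === module) {
  const sink = { innerHTML: '', textContent: '' };
  console.log(framingProtection({ 'Content-Type': 'text/html' }));
  console.log(framingProtection({ 'Content-Security-Policy': "frame-ancestors 'self'" }));
  const onMessage = makeSafeHandler(ALLOWED_ORIGINS, sink);
  console.log(onMessage({ origin: 'https://attacker.example', data: { type: 'status', text: 'hi' } }));
  console.log(onMessage({ origin: 'https://portal.example', data: { type: 'status', text: 'hi' } }), sink);
}

module.exports = { framingProtection, weakHandler, makeSafeHandler, ALLOWED_ORIGINS };
```

In a real page the hardened listener is attached with `window.addEventListener('message', makeSafeHandler([...], document.getElementById('status')))`; the allowlist should contain full origins (scheme, host, port), never a substring or regular-expression match on `event.origin`, and the framing check is the thing to run against every endpoint the iframe is served from, since the handler cannot protect a page that an attacker can already embed and script.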

Microsoft addressed the vulnerabilities with security fixes following responsible disclosure. Previously, Microsoft had patched three vulnerabilities in Azure API Management, which could have allowed access to sensitive information or backend services.

Article link:

Cybercriminals using powerful BatCloak engine to make malware fully undetectable

Key takeaways:

  • Trend Micro researchers discover BatCloak, an undetectable malware obfuscation engine used since September 2022.
  • BatCloak allows threat actors to load various malware families through heavily obfuscated batch files, evading antivirus detection.
  • Out of 784 artifacts analyzed, 79.6% remained undetectable, showcasing BatCloak’s effectiveness in bypassing traditional security measures.

The details:

Researchers from Trend Micro have identified a fully undetectable (FUD) malware obfuscation engine called BatCloak, which has been in use since September 2022. The engine allows threat actors to load various malware families and exploits through highly obfuscated batch files, evading antivirus detection. Out of the 784 artifacts discovered, 79.6% were undetectable by all security solutions, demonstrating BatCloak’s ability to bypass traditional detection mechanisms. The BatCloak engine is an integral part of an off-the-shelf batch file builder tool called Jlaive, which includes features to bypass Antimalware Scan Interface (AMSI) and encrypt the primary payload. Although Jlaive was initially available on GitHub and GitLab, it has since been removed. However, it has been cloned and modified by other actors and ported to languages like Rust.

The final payload is concealed using three loader layers: a C# loader, a PowerShell loader, and a batch loader. The batch loader contains an obfuscated PowerShell loader and an encrypted C# stub binary, utilizing BatCloak as a file obfuscation engine. BatCloak has undergone multiple updates and adaptations, with its latest version known as ScrubCrypt, which was linked to a cryptojacking operation conducted by the 8220 Gang.

ScrubCrypt is designed to work with various malware families, including Amadey, AsyncRAT, DarkCrystal RAT, Pure Miner, Quasar RAT, RedLine Stealer, Remcos RAT, SmokeLoader, VenomRAT, and Warzone RAT. The transition from open-source to closed-source was made to protect the project from unauthorized replication and monetize its development.

Article link:

Russian APT ‘Cadet Blizzard’ behind Ukraine wiper attacks

Key takeaways:

  • Microsoft uncovers Cadet Blizzard, a Russian-linked APT group involved in the lead-up to the Russian invasion of Ukraine.
  • Cadet Blizzard exploits web server vulnerabilities, moves laterally, engages in disruptive activities, and collects information.
  • Despite lower success rates, organisations must stay vigilant against Cadet Blizzard’s destructive nature by implementing strong security measures and user training.

The details:

Microsoft has identified an advanced persistent threat (APT) group called Cadet Blizzard, which played a significant role in the lead-up to the Russian invasion of Ukraine. The APT’s activities peaked from January to June of the previous year, including defacing Ukrainian government websites and deploying a wiper called “WhisperGate” to render computer systems inoperable. Microsoft attributed Cadet Blizzard to Russia’s military intelligence agency, the GRU.

Cadet Blizzard gains initial access through known vulnerabilities in web servers and then moves laterally, harvesting credentials and escalating privileges. It uses web shells for persistence and engages in disruptive activities, destruction, and information collection. However, compared to other GRU-affiliated actors like Seashell Blizzard, Cadet Blizzard has a lower success rate and impact.

The APT lacks operational security compared to more advanced Russian groups. Cadet Blizzard operates beyond Ukraine, targeting government agencies, IT service providers, software supply chain manufacturers, NGOs, emergency services, and law enforcement in Europe, Central Asia, and Latin America. The group also operates a hack-and-leak forum called “Free Civilian.”

While the APT may be less successful, organizations need to be concerned about Cadet Blizzard’s destructive nature. Microsoft advises implementing strong authentication, patching vulnerabilities, ensuring security controls are in place, and providing user training. Identifying Cadet Blizzard is a step towards combating Russian state-sponsored cybercrime, but understanding the group’s behaviours and tactics is crucial in defending against their attacks.

Article link:

Fake zero-day PoC exploits on GitHub push Windows, Linux malware

Key takeaways:

  • Hackers impersonate cybersecurity researchers on Twitter and GitHub, distributing fake PoC exploits for zero-day vulnerabilities.
  • The campaign involves creating fake accounts and repositories, using real researchers’ names and photos.
  • Attackers distribute malware downloader scripts through legitimate-looking GitHub repositories. Exercise caution when downloading from unknown sources.

The details:

Hackers are carrying out a campaign in which they impersonate cybersecurity researchers on Twitter and GitHub to distribute fake proof-of-concept (PoC) exploits for zero-day vulnerabilities.

The campaign, discovered by VulnCheck, has been active since at least May 2023. The attackers create fake accounts and repositories, using the names and headshots of real security researchers, to promote the malicious exploits. The GitHub repositories appear legitimate and contain a Python script that acts as a malware downloader for Windows and Linux systems. The script downloads a ZIP archive from an external URL, which contains malware for the respective operating system. The Windows version of the malware is detected by over 60% of antivirus engines on VirusTotal, while the Linux version is detected by only three scanners. Although the type of malware installed is not specified, the Windows version is flagged as a password-stealing Trojan.

The threat actors behind this campaign are persistent, creating new accounts and repositories when existing ones are reported and removed. Security researchers and cybersecurity enthusiasts are advised to exercise caution when downloading scripts from unknown repositories.

Similar impersonation campaigns have been conducted in the past by threat actors such as the North Korean Lazarus group. Access to vulnerability research and cybersecurity companies’ networks can be valuable to attackers, potentially leading to data theft and extortion attacks. Therefore, it is crucial to scrutinize code for malicious behavior when downloading from platforms like GitHub.

Article link:

Thomas Shelton, 15 Jun 2023