
Critical Chatter: Wide-scale credential stealing, evading EDR and Grafana fixes


Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (Senior SOC Analyst).

Top stories – 30 June 2023

Anatsa banking trojan targeting users in US, UK, Germany, Austria, and Switzerland

Key takeaways:

  • Android malware campaign spreads Anatsa banking trojan to target customers in the US, UK, Germany, Austria, and Switzerland since March 2023.
  • Anatsa disguises itself as utility apps on the Google Play Store, accumulating over 30,000 installations, and aims to steal credentials from mobile banking applications.
  • Anatsa has backdoor capabilities, performs overlay attacks, and abuses Android’s accessibility services API to bypass fraud controls and initiate unauthorised fund transfers from the victim’s own device.

The details:

A new Android malware campaign has been discovered spreading the Anatsa banking trojan to customers in the US, UK, Germany, Austria, and Switzerland since March 2023. Anatsa aims to steal credentials for mobile banking applications and carry out fraudulent transactions. The malware has been distributed through infected apps on the Google Play Store that have accumulated over 30,000 installations. Anatsa, also known as TeaBot and Toddler, disguises itself as utility apps such as PDF readers, QR code scanners, and 2FA apps. It is a highly prolific banking trojan, targeting approximately 600 financial institutions worldwide.

Anatsa has backdoor capabilities to steal data and uses overlay attacks to capture credentials. It abuses Android’s accessibility services API and can bypass existing fraud control measures for unauthorised fund transfers. Due to transactions being initiated from the victim’s own device, detecting the malware becomes challenging for banking anti-fraud systems. The dropper app in the observed campaign makes a request to a GitHub page, leading to another GitHub URL hosting the malicious payload. Users may be directed to these apps through suspicious advertisements.

The dropper app abuses the restricted “REQUEST_INSTALL_PACKAGES” permission to install the additional malware. The specific apps used in this campaign include All Document Reader & Editor, All Document Reader and Viewer, PDF Reader – Edit & View PDF, and PDF Reader & Editor. These apps were updated after initial publication, possibly to slip the malicious functionality past the app review process.

Microsoft warns of widescale credential stealing attacks by Russian hackers

Key takeaways:

  • Microsoft reports an increase in credential-stealing attacks by the Russian state-affiliated group Midnight Blizzard targeting governments, IT service providers, NGOs, defence, and critical manufacturing sectors.
  • Midnight Blizzard utilises residential proxy services to obfuscate IP addresses, making detection and remediation challenging.
  • APT28 conducts spear-phishing campaign targeting government and military entities in Ukraine, leveraging vulnerabilities in Roundcube webmail and a zero-day in Microsoft Outlook.

The details:

Microsoft has disclosed an increase in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard (also known as Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes). These intrusions use residential proxy services to obfuscate the source IP address and primarily target governments, IT service providers, NGOs, defence, and critical manufacturing sectors. Despite being exposed in the SolarWinds supply chain compromise, Midnight Blizzard has continued to carry out targeted attacks against foreign ministries and diplomatic entities.

The attacks involve password spray, brute-force, and token theft techniques, as well as session replay attacks that use stolen sessions to gain access to cloud resources. Midnight Blizzard routes the malicious traffic through residential proxy services, so each source IP address is used only briefly; per-IP blocking and reputation lookups therefore give little coverage, which makes detection and remediation harder.
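Because a spray run through rotating residential proxies rarely repeats a source IP, a per-IP failure threshold does not fire. The detector below, an added example that is not part of Microsoft’s report, pivots instead on the number of distinct accounts failing inside a short window while every IP makes only one or two attempts. The sign-in log format and all events in it are constructed for the example; thresholds are assumptions to tune against your own baseline.

```python
"""Flag password-spray activity that hides behind rotating residential-proxy IPs.

Added example, not from the Microsoft report. Per-IP thresholds miss a spray that
changes exit IP almost every attempt, so this detector counts distinct accounts
failing inside a time window and requires that no single IP made more than a couple
of attempts: many victims, many IPs, few tries each. The log format below is a
constructed, simplified sign-in log ("timestamp user ip result").
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: an eight-account spray from eight IPs at 09:00,
# then one user mistyping a password twice from one IP at 13:15 (benign).
SAMPLE_LOG = """\
2023-06-26T09:00:01Z alice 203.0.113.10 failure
2023-06-26T09:00:14Z bob 198.51.100.22 failure
2023-06-26T09:00:27Z carol 203.0.113.77 failure
2023-06-26T09:00:41Z dave 192.0.2.5 failure
2023-06-26T09:00:55Z erin 198.51.100.90 failure
2023-06-26T09:01:09Z frank 203.0.113.201 failure
2023-06-26T09:01:22Z grace 192.0.2.130 failure
2023-06-26T09:01:36Z heidi 198.51.100.8 failure
2023-06-26T09:01:50Z ivan 203.0.113.45 success
2023-06-26T13:15:00Z alice 203.0.113.10 failure
2023-06-26T13:15:20Z alice 203.0.113.10 failure
2023-06-26T13:15:40Z alice 203.0.113.10 success
"""


def parse_events(text):
    """Turn log lines into sorted (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_ip=2):
    """Return merged alert windows that look like a proxy-rotated spray.

    A window is suspicious when failures hit at least `min_users` distinct
    accounts and no single source IP contributed more than `max_per_ip` of them.
    A lone user failing repeatedly from one IP (forgotten password) is not flagged.
    Overlapping suspicious windows are merged into one alert.
    """
    failures = [e for e in events if e[3] == "failure"]
    alerts = []
    start = 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1
        chunk = failures[start:end + 1]
        users = {e[1] for e in chunk}
        per_ip = defaultdict(int)
        for e in chunk:
            per_ip[e[2]] += 1
        if len(users) >= min_users and max(per_ip.values()) <= max_per_ip:
            if alerts and chunk[0][0] <= alerts[-1]["end"]:
                alerts[-1]["end"] = chunk[-1][0]
                alerts[-1]["users"] |= users
                alerts[-1]["ips"] |= set(per_ip)
            else:
                alerts.append({"start": chunk[0][0], "end": chunk[-1][0],
                               "users": set(users), "ips": set(per_ip)})
    return alerts


def sprayed_users(text):
    """Distinct accounts targeted across all flagged windows, for follow-up."""
    targeted = set()
    for alert in detect_spray(parse_events(text)):
        targeted |= alert["users"]
    return sorted(targeted)


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(f"spray {alert['start']:%H:%M:%S}-{alert['end']:%H:%M:%S}: "
              f"{len(alert['users'])} accounts from {len(alert['ips'])} IPs")
```

Run against real sign-in exports, the same logic works unchanged once `parse_events` is pointed at your own field layout; the useful extra pivots in practice are user-agent string and source ASN, both of which residential-proxy traffic tends to scatter as well.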

In a separate development, APT28 (also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) conducted a spear-phishing campaign targeting government and military entities in Ukraine. The campaign exploited vulnerabilities in Roundcube webmail software to gather reconnaissance data and redirect incoming emails of targeted individuals to the attackers’ control. The hackers also leveraged a zero-day vulnerability in Microsoft Outlook (CVE-2023-23397) to carry out limited targeted attacks against European organisations.

These findings highlight the persistent efforts of Russian threat actors to gather intelligence in Ukraine and Europe, particularly since Russia’s invasion of Ukraine in 2022. The cyberwarfare operations against Ukrainian targets have included widespread deployment of wiper malware, indicating a large-scale hybrid conflict. Recorded Future predicts that BlueDelta will continue to prioritise Ukrainian government and private sector organisations in support of broader Russian military objectives.

New Mockingjay process injection technique evades EDR detection

Key takeaways:

  • Security Joes uncovers “Mockingjay,” a new process injection technique enabling threat actors to bypass EDR and security products.
  • Mockingjay utilises legitimate DLLs that ship with RWX sections to inject malicious code into remote processes, evading detection.
  • The technique does not rely on commonly abused Windows API calls, reducing chances of detection and highlighting the need for holistic security approaches.

The details:

Researchers at Security Joes have discovered a new process injection technique called “Mockingjay” that enables threat actors to execute malicious code on compromised systems while bypassing Endpoint Detection and Response (EDR) and other security products. The technique utilises legitimate DLLs with read, write, execute (RWX) sections to evade EDR hooks and inject code into remote processes.

Unlike traditional process injection methods, which rely on commonly abused Windows API calls, Mockingjay avoids the steps EDRs typically hook, such as allocating executable memory or creating a thread in the target, reducing the chances of detection. The researchers found a DLL, msys-2.0.dll, shipped with Visual Studio 2022 Community that already has a default RWX section, allowing them to overwrite its contents with malicious code without changing page protections and therefore without triggering the security checks that normally sit on those calls.

The researchers developed two injection methods: self-injection and remote process injection. In the self-injection method, a custom application loads the DLL into its own memory space, gaining direct access to the RWX section without setting permissions or allocating memory. The Hell’s Gate technique (resolving system call numbers directly from ntdll so that hooked exports are never called) is then used to bypass EDR hooks and execute the injected shellcode without detection.

In the remote process injection method, the vulnerable DLL’s RWX section is leveraged to inject a payload into a remote process, specifically the “ssh.exe” process. The custom application launches “ssh.exe” as a child process, opens a handle to the target process, and injects the malicious code into the DLL’s RWX memory space.

Tests have shown that Mockingjay successfully evades EDR solutions by utilising Windows APIs that are not commonly monitored by EDRs. This discovery emphasises the importance of adopting a holistic security approach rather than relying solely on existing EDR solutions. Organisations should be aware of emerging techniques like Mockingjay to enhance their defence against advanced threats.
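The precondition Mockingjay depends on is a legitimate DLL whose section header already carries read, write and execute flags, so a cheap defensive check is to inventory such DLLs before an attacker does. The scanner below is an added example, not Security Joes’ tooling or any vendor’s detection content; it walks the PE section table by hand so it needs nothing beyond the standard library, and it is demonstrated on a constructed minimal PE image rather than on msys-2.0.dll.

```python
"""Hunt for PE images that already contain a read+write+execute section.

Added example, not Security Joes' tooling. Mockingjay only works when a legitimate
DLL ships with a section whose header has IMAGE_SCN_MEM_READ, _WRITE and _EXECUTE
set, because that is what lets a payload be written and run with no VirtualAlloc
or VirtualProtect call. This scanner parses the section table itself (no pefile
dependency) and lists such sections so candidate DLLs can be inventoried on build
hosts. The image it is demonstrated on is a constructed minimal PE, not msys-2.0.dll.
"""
import struct
import sys

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

FILE_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def find_rwx_sections(image):
    """Return [(name, virtual_size, characteristics)] for every RWX section.

    Path walked: DOS header -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER ->
    optional header (skipped using SizeOfOptionalHeader) -> section table.
    Raises ValueError for anything that is not a well-formed PE.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    if fh + struct.calcsize(FILE_HEADER) > len(image):
        raise ValueError("truncated file header")
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from(FILE_HEADER, image, fh)
    table = fh + struct.calcsize(FILE_HEADER) + size_opt
    hits = []
    for i in range(num_sections):
        off = table + i * struct.calcsize(SECTION_HEADER)
        if off + struct.calcsize(SECTION_HEADER) > len(image):
            raise ValueError("truncated section table")
        name, vsize, _, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, image, off)
        if chars & RWX == RWX:
            hits.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, chars))
    return hits


def build_sample_pe(sections):
    """Construct a minimal PE32+ image with the given (name, characteristics) sections.

    Constructed test data: only the headers the scanner reads are populated, the
    optional header is zero-filled and no section has real contents.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xF0  # size of a PE32+ optional header
    file_header = struct.pack(FILE_HEADER, 0x8664, len(sections), 0, 0, 0, size_opt, 0x2022)
    table = b""
    for i, (name, chars) in enumerate(sections):
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + file_header + b"\0" * size_opt + table


def scan_file(path):
    """Scan one DLL/EXE on disk; returns the RWX section list."""
    with open(path, "rb") as fh:
        return find_rwx_sections(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for name, vsize, chars in scan_file(path):
                print(f"{path}: RWX section {name!r} size 0x{vsize:x} flags 0x{chars:08x}")
    else:
        sample = build_sample_pe([(b".text", 0x60000020), (b".data", 0xC0000040),
                                  (b".rwx", 0xE0000040)])
        print(find_rwx_sections(sample))
```

Pointing the script at a directory of vendor DLLs (for example with `find ... -name '*.dll' -exec python3 scan.py {} +`) gives the list of images an attacker could reuse this way; those are the ones worth watching for writes into their mapped sections from an unexpected process.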

Grafana warns of critical auth bypass due to Azure AD integration

Key takeaways:

  • Grafana releases security fixes for a critical vulnerability (CVE-2023-3128) allowing authentication bypass and account takeover via Azure AD.
  • Attackers can exploit the vulnerability by creating an Azure AD account in their own tenant with the same email address as a legitimate Grafana user, gaining complete control over that account.
  • Mitigation involves upgrading to secure versions or implementing mitigations such as single tenant applications or allowed groups configuration.

The details:

Grafana has released security fixes for multiple versions of its application to address a critical vulnerability that allows attackers to bypass authentication and take over Grafana accounts using Azure Active Directory (AD) for authentication. The vulnerability, tracked as CVE-2023-3128, received a severity score of 9.4.

The issue arises from the way Grafana authenticates Azure AD accounts based on the email address configured in the associated ‘profile email’ setting. Since this setting is not unique across all Azure AD tenants, threat actors can create Azure AD accounts with the same email address as legitimate Grafana users and use them to hijack accounts. Exploiting this vulnerability enables attackers to gain complete control of a user’s account, including access to sensitive information and private customer data.

The vulnerability affects all Grafana deployments configured to use Azure AD OAuth for user authentication with a multi-tenant Azure application and without restrictions on which user groups can authenticate. Grafana versions from 6.7.0 onwards are impacted. Grafana has released fixes for the 8.5, 9.2, 9.3, 9.4, 9.5, and 10.0 release branches.

To mitigate the issue, Grafana recommends upgrading to the following secure versions:

  • Grafana 10.0.1 or later
  • Grafana 9.5.5 or later
  • Grafana 9.4.13 or later
  • Grafana 9.3.16 or later
  • Grafana 9.2.20 or later
  • Grafana 8.5.27 or later

Grafana Cloud has already been upgraded to the latest versions, and the vendor has coordinated with cloud providers like Amazon and Microsoft to address the issue.

For those unable to upgrade, Grafana suggests two mitigations: registering a single-tenant application in Azure AD, which prevents login attempts from external tenants, or adding an “allowed_groups” configuration to limit sign-in to members of an allow-listed group, rejecting all attempts from accounts that merely carry a matching email address.
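To see why both mitigations work, the model below, an added example that is not Grafana’s code, reproduces the pre-fix matching rule (any token whose email claim matches a local account wins that account) next to a hardened rule that first checks the token’s issuing tenant (the property a single-tenant app registration guarantees) and the group claim (what `allowed_groups` enforces). The tokens are constructed dictionaries of the claims involved, not real Azure AD ID tokens, and every tenant, group and object ID is a made-up placeholder.

```python
"""Model the CVE-2023-3128 account-matching flaw and its two documented mitigations.

Added example, not Grafana's code. Azure AD ID tokens carry the issuing tenant in
the `tid` claim and group membership in `groups`; only `email` is something a user
in a foreign tenant can set to any value they like. Matching on email alone is the
flaw; gating on tenant and group closes it. Claims below are constructed dicts,
and all GUID-like identifiers are placeholders.
"""
from dataclasses import dataclass

LEGIT_TENANT = "11111111-1111-1111-1111-111111111111"  # assumed: the victim org's tenant
OPS_GROUP = "22222222-2222-2222-2222-222222222222"     # assumed: the allowed_groups entry


@dataclass
class Account:
    login: str
    email: str
    role: str


class AuthError(Exception):
    pass


# Constructed local Grafana user table with one high-value account.
LOCAL_ACCOUNTS = [Account("admin", "admin@example.org", "Admin")]

# Constructed tokens. The attacker registered admin@example.org as a user's
# email in a tenant they control; the legitimate token comes from LEGIT_TENANT.
ATTACKER_TOKEN = {"tid": "99999999-9999-9999-9999-999999999999",
                  "oid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb",
                  "email": "admin@example.org", "groups": []}
LEGIT_TOKEN = {"tid": LEGIT_TENANT,
               "oid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
               "email": "admin@example.org", "groups": [OPS_GROUP]}


def _match_by_email(claims, accounts):
    for acct in accounts:
        if acct.email.lower() == claims.get("email", "").lower():
            return acct
    raise AuthError("no local account for this email")


def login_vulnerable(claims, accounts):
    """Pre-fix behaviour: a multi-tenant app accepts any tenant's token, and the
    account is chosen purely by the attacker-controllable email claim."""
    return _match_by_email(claims, accounts)


def login_hardened(claims, accounts, tenant_id=LEGIT_TENANT, allowed_groups=(OPS_GROUP,)):
    """Mitigated behaviour: reject foreign tenants (single-tenant registration)
    and users outside the allow-listed groups (allowed_groups) before matching."""
    if claims.get("tid") != tenant_id:
        raise AuthError("token issued by an unexpected tenant")
    if allowed_groups and not set(claims.get("groups", ())) & set(allowed_groups):
        raise AuthError("user is not in an allowed group")
    return _match_by_email(claims, accounts)


def attempt(login_fn, claims):
    """Run one login and return 'granted:<login>' or 'denied:<reason>'."""
    try:
        return "granted:" + login_fn(claims, LOCAL_ACCOUNTS).login
    except AuthError as exc:
        return "denied:" + str(exc)


if __name__ == "__main__":
    for label, token in (("attacker", ATTACKER_TOKEN), ("legitimate", LEGIT_TOKEN)):
        print(f"{label:>10} vulnerable: {attempt(login_vulnerable, token)}")
        print(f"{label:>10}  hardened: {attempt(login_hardened, token)}")
```

In a real deployment the equivalent of the hardened path is configuration rather than code: under `[auth.azuread]` in grafana.ini, set `allowed_groups` to the object IDs of the groups that may sign in, and register the application as single-tenant so that tokens from other tenants are never issued for it in the first place. Either control alone defeats the email collision; applying both leaves no dependence on the email claim at all.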

Grafana’s advisory also provides guidance for troubleshooting specific use-case scenarios that may arise due to the patch. Users are advised to review the advisory for solutions to errors such as “user sync failed” or “user already exists.”

Thomas Shelton, 30 Jun 2023