
Welcome to another week of Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (Senior SOC Analyst).
A new Android malware campaign has been spreading the Anatsa banking trojan to banking customers in the US, UK, Germany, Austria, and Switzerland since March 2023. Anatsa steals credentials for mobile banking applications and uses them to carry out fraudulent transactions. It has been distributed through trojanised apps on the Google Play Store that accumulated over 30,000 installations. Anatsa, also known as TeaBot and Toddler, poses as utility apps such as PDF readers, QR code scanners, and 2FA apps, and it is a highly prolific banking trojan, targeting approximately 600 financial institutions worldwide.
Anatsa has backdoor capabilities for stealing data and uses overlay attacks, drawing a fake login screen over the genuine banking app, to capture credentials. It abuses Android’s accessibility services API and can bypass existing fraud controls to make unauthorised fund transfers. Because those transactions are initiated from the victim’s own device, they are hard for bank anti-fraud systems to tell apart from legitimate ones. In the observed campaign the dropper app requests a GitHub page, which points to a second GitHub URL hosting the malicious payload. Users may be steered towards these apps through suspicious advertisements.
The dropper abuses the REQUEST_INSTALL_PACKAGES permission, which allows an app to prompt the user to install APKs that did not come from the store, to install the additional malware. The specific apps used in this campaign were All Document Reader & Editor, All Document Reader and Viewer, PDF Reader – Edit & View PDF, and PDF Reader & Editor. These apps were updated after initial publication, possibly so that a clean first submission would pass app review and the malicious code could be added later.
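The permission and component combination described above is something a SOC can check statically. The script below is an added example (not ThreatFabric’s, Google’s or any vendor’s tooling) that triages a decoded AndroidManifest.xml for REQUEST_INSTALL_PACKAGES alongside an accessibility service or overlay permission. It assumes the manifest has already been decoded from Android’s binary XML to plain XML (for instance with apktool); the sample manifest, package name and service name are constructed for illustration and belong to no real app.

```python
"""Static triage of a decoded AndroidManifest.xml for the dropper+trojan shape
Anatsa relies on: REQUEST_INSTALL_PACKAGES (side-load a second APK) combined
with an accessibility service and/or the overlay permission. Added example;
assumes a manifest already decoded to plain XML (e.g. via apktool)."""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Constructed manifest of a "PDF reader" that can side-load APKs and binds an
# accessibility service. Package and class names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="PDF Reader">
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

SIDELOAD = "android.permission.REQUEST_INSTALL_PACKAGES"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(xml_text):
    """Return the permissions/components of interest plus a coarse verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    # A service is an accessibility service if it is protected by the bind
    # permission or declares the AccessibilityService intent action.
    a11y_services = [
        s.get(NAME) for s in root.iter("service")
        if s.get(PERMISSION) == A11Y_BIND
        or any(a.get(NAME) == A11Y_ACTION for a in s.iter("action"))
    ]
    findings = {
        "package": root.get("package"),
        "can_sideload": SIDELOAD in perms,
        "overlay": OVERLAY in perms,
        "accessibility_services": a11y_services,
    }
    # A document viewer has no business installing packages; pairing that with
    # UI automation (accessibility) or overlays is the dropper+trojan pattern.
    dropper_like = findings["can_sideload"] and (a11y_services or findings["overlay"])
    if dropper_like:
        findings["verdict"] = "dropper-like"
    elif findings["can_sideload"] or a11y_services:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in triage_manifest(text).items():
        print("%-22s %s" % (key, value))
```

Run it with no arguments to triage the embedded sample, or pass the path of a decoded manifest. The verdict is a triage hint only: legitimate installers and assistive apps also request these, so the result should feed a review queue rather than an automatic block.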
Article link: https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html
Microsoft has disclosed an increase in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard (also known as Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes). These intrusions use residential proxy services to obfuscate the source IP address and primarily target governments, IT service providers, NGOs, defence, and critical manufacturing sectors. Despite being exposed in the SolarWinds supply chain compromise, Midnight Blizzard has continued to carry out targeted attacks against foreign ministries and diplomatic entities.
The attacks involve password spraying, brute force, and token theft, as well as session replay, in which a stolen session token is presented again to gain access to cloud resources. Midnight Blizzard routes this traffic through residential proxy services, which makes detection and remediation difficult because each source IP address is used only briefly before the actor rotates to another.
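Two of the behaviours above are detectable from sign-in telemetry even when the source addresses rotate. The following is an added example, not code from Microsoft or CloudGuard, run over a handful of constructed sign-in records (RFC 5737 documentation addresses, made-up users and session ids, a simplified one-line-per-event format). It flags a password spray by counting distinct accounts failing within a time window rather than per source IP, because residential proxies spread a spray over many short-lived addresses, and it flags session replay by looking for one session token presented from more than one network.

```python
"""Detect a proxy-rotated password spray and session-token replay in sign-in
telemetry. Added example over constructed log lines, not real data and not a
vendor's detection logic."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp, user, source IP, result, session id ("-" if none).
SAMPLE_LOG = """\
2023-06-20T09:00:01Z alice@example.org 203.0.113.10 FAIL -
2023-06-20T09:00:05Z bob@example.org 203.0.113.44 FAIL -
2023-06-20T09:00:09Z carol@example.org 198.51.100.7 FAIL -
2023-06-20T09:00:14Z dave@example.org 203.0.113.10 FAIL -
2023-06-20T09:00:19Z erin@example.org 192.0.2.99 FAIL -
2023-06-20T09:00:23Z frank@example.org 198.51.100.120 FAIL -
2023-06-20T09:00:30Z alice@example.org 203.0.113.10 FAIL -
2023-06-20T09:05:00Z grace@example.org 192.0.2.5 OK sess-7a
2023-06-20T09:07:12Z grace@example.org 192.0.2.5 OK sess-7a
2023-06-20T09:09:40Z grace@example.org 198.51.100.7 OK sess-7a
2023-06-20T10:30:00Z heidi@example.org 192.0.2.6 OK sess-91
2023-06-20T10:31:00Z heidi@example.org 192.0.2.6 OK sess-91
"""


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result, sess = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "ok": result == "OK", "sess": sess})
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """A spray is many distinct accounts each failing only once or twice inside
    a window. Group by time, not by IP: proxy rotation defeats per-IP counts."""
    fails = sorted((e for e in events if not e["ok"]), key=lambda e: e["ts"])
    alerts, i = [], 0
    while i < len(fails):
        start = fails[i]["ts"]
        in_win = [e for e in fails[i:] if e["ts"] - start <= window]
        per_user = Counter(e["user"] for e in in_win)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({"start": start,
                           "users": sorted(per_user),
                           "ips": sorted({e["ip"] for e in in_win})})
            i += len(in_win)          # continue after the alerted window
        else:
            i += 1
    return alerts


def detect_session_replay(events):
    """A session token issued to one network and later presented from another
    is the signature of token theft followed by replay."""
    ips_by_session = defaultdict(set)
    for e in events:
        if e["ok"] and e["sess"] != "-":
            ips_by_session[e["sess"]].add(e["ip"])
    return {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}


EVENTS = parse(SAMPLE_LOG)

if __name__ == "__main__":
    for a in detect_password_spray(EVENTS):
        print("spray from %s: %d accounts via %d source IPs %s"
              % (a["start"], len(a["users"]), len(a["ips"]), a["ips"]))
    for sess, ips in detect_session_replay(EVENTS).items():
        print("session %s replayed from %s" % (sess, ips))
```

In the sample the replayed session sess-7a is presented from 198.51.100.7, an address that also took part in the spray, which is the kind of pivot worth correlating. Real tenants need the thresholds tuned against baseline failure rates, and the replay check should compare ASN or country rather than exact IP where users roam between networks legitimately.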
In a separate development, APT28 (also known as BlueDelta, Forest Blizzard, FROZENLAKE, Iron Twilight, and Fancy Bear) conducted a spear-phishing campaign targeting government and military entities in Ukraine. The campaign exploited vulnerabilities in Roundcube webmail software to gather reconnaissance data and redirect incoming emails of targeted individuals to the attackers’ control. The hackers also leveraged a zero-day vulnerability in Microsoft Outlook (CVE-2023-23397) to carry out limited targeted attacks against European organisations.
These findings highlight the persistent efforts of Russian threat actors to gather intelligence in Ukraine and Europe, particularly since Russia’s invasion of Ukraine in 2022. Cyber operations against Ukrainian targets have included widespread deployment of wiper malware, indicating a large-scale hybrid conflict. Recorded Future predicts that BlueDelta will continue to prioritise Ukrainian government and private-sector organisations in support of broader Russian military objectives.
Article link: https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html
Researchers at Security Joes have discovered a new process injection technique called “Mockingjay” that enables threat actors to execute malicious code on compromised systems while bypassing Endpoint Detection and Response (EDR) and other security products. The technique utilises legitimate DLLs with read, write, execute (RWX) sections to evade EDR hooks and inject code into remote processes.
Unlike traditional process injection methods, which rely on Windows API calls that EDRs hook because they are so commonly abused, Mockingjay does not perform the suspicious steps those hooks watch for, such as allocating memory or creating a thread, reducing the chance of detection. The researchers found a DLL, msys-2.0.dll, shipped with Visual Studio 2022 Community, that already contains a section marked read, write, execute (RWX) by default; its contents can be overwritten with malicious code and executed without any change of memory protection that would trigger additional security checks.
The researchers developed two injection methods: self-injection and remote process injection. In self-injection, a custom application loads the DLL into its own address space, which gives it direct access to the RWX section without setting permissions or allocating memory. Hell’s Gate, a technique that resolves system call numbers and issues direct syscalls so that user-mode EDR hooks in ntdll are never hit, is then used to execute the injected shellcode without detection.
In the remote process injection method, the vulnerable DLL’s RWX section is leveraged to inject a payload into a remote process, specifically the “ssh.exe” process. The custom application launches “ssh.exe” as a child process, opens a handle to the target process, and injects the malicious code into the DLL’s RWX memory space.
Tests have shown that Mockingjay successfully evades EDR solutions by utilising Windows APIs that are not commonly monitored by EDRs. This discovery emphasises the importance of adopting a holistic security approach rather than relying solely on existing EDR solutions. Organisations should be aware of emerging techniques like Mockingjay to enhance their defence against advanced threats.
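The precondition for Mockingjay is a loaded module that already carries an RWX section, so the defensive counterpart is an inventory of which DLLs on a build have one. The script below is an added example, not Security Joes’ tooling: it parses the PE section table directly (DOS header, PE signature, COFF header, then one 40-byte entry per section) and reports sections whose characteristics include all three of IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE. The embedded sample image is a hand-built minimal PE with three sections, not msys-2.0.dll; point the script at a real DLL to scan it.

```python
"""List PE sections that are read+write+execute, i.e. the pre-existing
injectable region Mockingjay uses instead of VirtualAlloc/VirtualProtect.
Added example with a constructed minimal PE; pass a DLL path to scan a file."""
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Works for PE32 and PE32+ since the optional header is skipped by size."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _symptr, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, _rawsize, _rawptr, _prel, _plin,
         _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "chars": chars})
    return sections


def rwx_sections(data):
    return [s for s in pe_sections(data) if s["chars"] & RWX == RWX]


def build_sample_pe():
    """Constructed minimal x64 DLL image: DOS header, PE signature, COFF header
    with a zero-length optional header, and three sections, one of them RWX."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0, 0x2022)  # x64, 3 sections, DLL

    def section(name, vaddr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x1000, 0, 0, 0, 0, 0, chars)

    body = (section(b".text", 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
            + section(b".data", 0x2000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
            + section(b".rwx", 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX))
    return dos + b"PE\0\0" + coff + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for s in pe_sections(data):
        flag = "  <-- RWX: writable and executable without any VirtualProtect" \
            if s["chars"] & RWX == RWX else ""
        print("%-8s va=0x%06x size=0x%06x chars=0x%08x%s"
              % (s["name"], s["vaddr"], s["vsize"], s["chars"], flag))
```

Loop this over Program Files and System32 to build a list of RWX-bearing modules for a gold image; a later process-memory scan can then treat an RWX region that does not belong to one of those known sections as anomalous, which is the gap the EDRs in the researchers’ tests were not covering.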
Article link: https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injection-technique-evades-edr-detection/
Grafana has released security fixes for multiple versions of its application to address a critical vulnerability that allows attackers to bypass authentication and take over Grafana accounts using Azure Active Directory (AD) for authentication. The vulnerability, tracked as CVE-2023-3128, received a severity score of 9.4.
The issue arises from the way Grafana authenticates Azure AD accounts based on the email address configured in the associated ‘profile email’ setting. Since this setting is not unique across all Azure AD tenants, threat actors can create Azure AD accounts with the same email address as legitimate Grafana users and use them to hijack accounts. Exploiting this vulnerability enables attackers to gain complete control of a user’s account, including access to sensitive information and private customer data.
The vulnerability affects every Grafana deployment that uses Azure AD OAuth for user authentication with a multi-tenant Azure application and does not restrict which user groups may authenticate. All Grafana versions from 6.7.0 onwards are affected. Grafana has released fixes for several release branches, including 8.5, 9.2, 9.3, 9.5, and 10.0.
To mitigate the issue, Grafana recommends upgrading to the following secure versions:
Grafana Cloud has already been upgraded to the latest versions, and the vendor has coordinated with cloud providers like Amazon and Microsoft to address the issue.
For those unable to upgrade, Grafana suggests two mitigations: registering a single-tenant application in Azure AD, so that login attempts from external tenants are never issued a token, or adding an “allowed_groups” configuration that limits sign-in to members of an allow-listed group, rejecting attempts that present an arbitrary email address from another tenant.
Grafana’s advisory also provides guidance for troubleshooting specific use-case scenarios that may arise due to the patch. Users are advised to review the advisory for solutions to errors such as “user sync failed” or “user already exists.”
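To make the account-matching flaw and the two stop-gap mitigations concrete, here is an added, deliberately simplified Python model. It is not Grafana’s code and does not reproduce its actual patch; the tenant ids, object ids, group id and user table are made up. It also goes one step beyond the page with a lookup keyed on the immutable (tid, oid) pair, which is general Azure AD relying-party guidance rather than something the article states.

```python
"""Model of the CVE-2023-3128 account-matching flaw and its mitigations.
Added example; simplified, not Grafana's own code. All identifiers are made up."""

# Assumed tenant id of the organisation that owns the Grafana instance.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
# Assumed object id of the Azure AD group whose members may sign in.
ALLOWED_GROUPS = {"a0a0a0a0-0000-4000-8000-grafanaadmins"}

# Constructed Grafana user store. Pre-fix, the lookup key is the email claim.
USERS_BY_EMAIL = {"admin@example.org": {"login": "admin", "role": "Admin"}}

# Two ID tokens carrying the same email claim. The attacker's token is issued
# by a tenant they control, where they created a user with the victim's email
# address: 'email' is not unique across Azure AD tenants.
VICTIM_TOKEN = {"tid": OUR_TENANT, "oid": "4d3c0000-0000-4000-8000-000000victim",
                "email": "admin@example.org",
                "groups": ["a0a0a0a0-0000-4000-8000-grafanaadmins"]}
ATTACKER_TOKEN = {"tid": "22222222-2222-2222-2222-222222222222",
                  "oid": "9f1e0000-0000-4000-8000-0000attacker",
                  "email": "admin@example.org", "groups": []}


def login_by_email(token):
    """Vulnerable behaviour: whoever presents a token with a matching email
    claim is logged in as that Grafana user."""
    return USERS_BY_EMAIL.get(token["email"])


def login_single_tenant(token):
    """Mitigation 1: with a single-tenant app registration Azure AD never issues
    our app a token for a foreign-tenant user; modelled here as a tid check."""
    if token["tid"] != OUR_TENANT:
        return None
    return login_by_email(token)


def login_allowed_groups(token):
    """Mitigation 2: allowed_groups. Group object ids are generated by the
    issuing tenant, so an attacker's tenant cannot reproduce one of ours."""
    if ALLOWED_GROUPS.isdisjoint(token.get("groups", [])):
        return None
    return login_by_email(token)


# Durable approach (general guidance, not from the article): link accounts on
# the immutable (tid, oid) pair and never on a mutable, non-unique email.
USERS_BY_ID = {(OUR_TENANT, VICTIM_TOKEN["oid"]): USERS_BY_EMAIL["admin@example.org"]}


def login_by_stable_id(token):
    return USERS_BY_ID.get((token["tid"], token["oid"]))


if __name__ == "__main__":
    for label, fn in [("email only", login_by_email),
                      ("single tenant", login_single_tenant),
                      ("allowed_groups", login_allowed_groups),
                      ("tid+oid", login_by_stable_id)]:
        print("%-15s victim=%s attacker=%s" % (label, fn(VICTIM_TOKEN), fn(ATTACKER_TOKEN)))
```

The first line of the output shows the hijack: the attacker’s token lands in the admin account. Each of the other three rejects it while still admitting the genuine user, which is the behaviour to verify after applying either mitigation or the upgrade.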
Article link: https://www.bleepingcomputer.com/news/security/grafana-warns-of-critical-auth-bypass-due-to-azure-ad-integration/