Normal view
Last Week in Security (LWiS) - 2024-04-22
Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools and exploits from the past week. This post covers 2024-04-16 to 2024-04-22.
News
- VASA-1: Lifelike Audio-Driven Talking Faces Generated in Real Time - Just when you thought you could trust the CFO ordering you to transfer all that money via Zoom...
- Build the future of AI with Meta Llama 3 - The best "open source" (sort of) model yet. Local AI just got a big boost.
- How we built the new Find My Device network with user security and privacy in mind - Google enters the "Find My" crowdsourced device-locating network game with the similarly named "Find My Device" network. It support the standard which allows trackers to be detected by iOS devices (and vice-versa) so unwanted trackers will alert users.
- GitHub comments abused to push malware via Microsoft repo URLs - The fact that GitHub will upload a file to a publically accessable URL during comment editing, actors don't need to publish comments to get files hosted under trusted projects URLs. If you're ok with giving your payload to Microsoft (GitHub), this is a pretty sneaky way to host it.
- Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects - Echos of the XZ backdoor are still being felt.
- SSO tax, cut - Tailscale is the best VPN solution there is (unsponsored opinion). Between this change and Tailnet lock, they have eliminated all issues I had with their service. If you're a self-hosting true purist, there is still headscale.
- MITRE Response to Cyber Attack in One of Its R&D Networks - MITRE was hit with the Ivanti 0day. Good transparency on what took place. Additional details here.
- An Introduction to the Canadian Program for Cyber Security Certification (CPCSC) - Starting at the end of 2024, Canadian defense industry suppliers will need to be certified under the Canadian Program for Cyber Security Certification (CPCSC) to bid on certain government contracts, an initiative designed to enhance security measures within the nation's federal contracting processes.
- What We Learned Inside a North Korean Internet Server: How Well Do You Know Your Partners? - A misconfigured North Korean internet server exposes the nation's outsourcing of animation work. Is your "IT partner" North Korea?
Techniques and Write-ups
- ouned.py: Exploiting Hidden Organizational Units Acl Attack Vectors in Active Directory - You know "GenericAll" but what other OU permissions can be abused in Active Directory? Read this post to learn about gPLink poisoning. OUned is the tool.
- CVE-2023-6345: Integer overflow in Skia MeshOp::onCombineIfPossible - An intiger overflow in the Skia graphics library has been used to exploit Chrome. The fact that it would not appear in debug builds due to assert calls that are not compiled with release builds is interesting. Make sure you are fuzzing release binaries!
- Element Android CVE-2024-26131, CVE-2024-26132 - Never Take Intents From Strangers - A very in-depth post on Android app Intents and how they can be exploited, especially in "high security" apps like chat or cyptocurrency apps.
- CVE-2024-20356: Jailbreaking a Cisco appliance to run DOOM - The out-of-band management chips on enterprise servers are nutorious for being vulnerable. Cisco's is no exception.
- LSA Whisperer - Some seriously indepth research into the local security authority (LSA) of Windows which leads to all kinds of functionality. My favorite is the possible use of CacheLogon to cache a specific NT hash into an active logon session which will allow for stable Pass-the-hash without having to patch LSASS memory (but will require injection into LSASS). I can only imagine the amount of reverse-engineering it took to get to the lsa-whisperer.
- A Crash Course in Hardware Hacking Methodology: The Ones and Zeros - A good primer on IoT hacking.
- Passbolt: a bold use of HaveIBeenPwned - Passbolt is a password manager that uses the HaveIBeenPwned API to check if a password has been compromised. This post goes into the details of how they implemented it.
- Patch Diffing CVE-2024-3400 from a Palo Alto NGFW Marketplace AMI - Saving some of the commands here for future use. Those AWS AMIs can certainly come in handy.
- ROPGadget: Writing a ROPDecoder - This post discusses creating a ROPDecoder from scratch, detailing the selection and use of ROP gadgets to encode and decode shellcode, and automating the process to handle bad characters effectively in exploit dev.
- The Windows Registry Adventure #1: Introduction and research results - Wild. Mateusz Jurczyk of Google Project Zero audited the Windows Registry for local privilege escalation bugs over 20 months, identifying multiple vulnerabilities now fixed as 44 CVEs by Microsoft, utilizing methods from fuzzing to manual review in an extensive security research effort.
- State of DevSecOps - Datadog's State of DevSecOps report is out. TLDR - Java/JS account for tons of issues, automated security scanners are just noise, the industry sucks at prioritizing what to fix, manual cloud deployments (no IaC) is still very common, and more.
Tools and Exploits
- CVE-2024-21111 - Oracle VirtualBox Elevation of Privilege (Local Privilege Escalation) Vulnerability.
- lsa-whisperer - Tools for interacting with authentication packages using their individual message protocols.
- KExecDD - Admin to Kernel code execution using the KSecDD driver.
- CloudConsoleCartographer - Released at Black Hat Asia on April 18, 2024, Cloud Console Cartographer is a framework for condensing groupings of cloud events (e.g. CloudTrail logs) and mapping them to the original user input actions in the management console UI for simplified analysis and explainability.
- PasteBomb - PasteBomb C2-less RAT. The creator of this project is only 13 years old. Impressive! Great work.
- poutine - poutine is a security scanner that detects misconfigurations and vulnerabilities in the build pipelines of a repository. It supports parsing CI workflows from GitHub Actions and Gitlab CI/CD.
- panos-scanner - Determine the Palo Alto PAN-OS software version of a remote GlobalProtect portal or management interface.
- LetMeowIn - A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
- MagicDot - A set of rootkit-like abilities for unprivileged users, and vulnerabilities based on the DOT-to-NT path conversion known issue.
New to Me and Miscellaneous
This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!
- smugglefuzz - A rapid HTTP downgrade smuggling scanner written in Go.
- netz - Discover internet-wide misconfigurations while drinking coffee.
- cognito-scanner - A simple script which implements different Cognito attacks such as Account Oracle or Privilege Escalation.
- Amplified exposure: How AWS flaws made Amplify IAM roles vulnerable to takeover - A deep dive into AWS Amplify and how it can be abused.
- Elastic Universal Profiling agent, a continuous profiling solution, is now open source - Elastic has open sourced their profiling agent.
- Active Directory Hardening Series - Part 4 - Enforcing AES for Kerberos - Part 4 of the Active Directory Hardening Series.
- The Ultimate Guide for BloodHound Community Edition (BHCE) - A guide to BloodHound Community Edition. Also gives the background of the project for those that are new to Bloodhound in general.
- Living Off the Pipeline - "....to inventory how development tools (typically CLIs), commonly used in CI/CD pipelines, have lesser-known RCE-By-Design features ("foot guns"), or more generally, can be used to achieve arbitrary code execution by running on untrusted code changes or following a workflow injection. "
- BAADTokenBroker post-exploitation tool designed to leverage device-stored keys (Device key, Transport key etc..) to authenticate to Microsoft Entra ID.
Techniques, tools, and exploits linked in this post are not reviewed for quality or safety. Do your own research and testing.
- Security Affairs
- Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw
Russia-linked APT28 used post-compromise tool GooseEgg to exploit CVE-2022-38028 Windows flaw
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler service flaw.
Microsoft reported that the Russia-linked APT28 group (aka “Forest Blizzard”, “Fancybear” or “Strontium” used a previously unknown tool, dubbed GooseEgg, to exploit the Windows Print Spooler flaw CVE-2022-38028.
Since at least June 2020, and possibly earlier, the cyberespionage group has used the tool GooseEgg to exploit the CVE-2022-38028 vulnerability. This tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions. Microsoft has observed APT28 using GooseEgg in post-compromise activities against various targets, including government, non-governmental, education, and transportation sector organizations in Ukraine, Western Europe, and North America.
While GooseEgg is a simple launcher application, threat actors can use it to execute other applications specified at the command line with elevated permissions. In a post-exploitation scenario, attackers can use the tool to carry out a broad range of malicious activities such as remote code execution, installing backdoors, and moving laterally through compromised networks.
The vulnerability CVE-2022-38028 was reported by the U.S. National Security Agency and Microsoft addressed it with the release of Microsoft October 2022 Patch Tuesday security updates.
APT28 deployed GooseEgg to gain elevated access to target systems and steal credentials and sensitive information.
GooseEgg is usually deployed with a batch script, commonly named execute.bat or doit.bat. This script creates a file named servtask.bat, which includes commands for saving or compressing registry hives. The batch script then executes the GooseEgg executable and establishes persistence by scheduling a tack that runs the servtask.bat.
The GooseEgg binary supports four commands, each with different run paths.
Microsoft researchers noted that an embedded malicious DLL file often contains the phrase “wayzgoose” in its name, such as wayzgoose23.dll.
“wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.” reads the report published by Microsoft.
Microsoft reports include instructions for detecting, hunting, and responding to GooseEgg.
The APT28 group (aka Forest Blizzard, Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.
The group operates out of military unity 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
Most of the APT28s’ campaigns leveraged spear-phishing and malware-based attacks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, APT28)
Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites. The protection scheme was exposed in 2022 when Russian authorities arrested six members of the group, which sold millions of stolen payment cards at flashy online shops like Trump’s Dumps.
A now-defunct carding shop that sold stolen credit cards and invoked 45’s likeness and name.
As reported by The Record, a Russian court last week sentenced former FSB officer Grigory Tsaregorodtsev for taking a $1.7 million bribe from a cybercriminal group that was seeking a “roof,” a well-placed, corrupt law enforcement official who could be counted on to both disregard their illegal hacking activities and run interference with authorities in the event of their arrest.
Tsaregorodtsev was head of the counterintelligence department for a division of the FSB based in Perm, Russia. In February 2022, Russian authorities arrested six men in the Perm region accused of selling stolen payment card data. They also seized multiple carding shops run by the gang, including Ferum Shop, Sky-Fraud, and Trump’s Dumps, a popular fraud store that invoked the 45th president’s likeness and promised to “make credit card fraud great again.”
All of the domains seized in that raid were registered by an IT consulting company in Perm called Get-net LLC, which was owned in part by Artem Zaitsev — one of the six men arrested. Zaitsev reportedly was a well-known programmer whose company supplied services and leasing to the local FSB field office.
The message for Trump’s Dumps users left behind by Russian authorities that seized the domain in 2022.
Russian news sites report that Internal Affairs officials with the FSB grew suspicious when Tsaregorodtsev became a little too interested in the case following the hacking group’s arrests. The former FSB agent had reportedly assured the hackers he could have their case transferred and that they would soon be free.
But when that promised freedom didn’t materialize, four the of the defendants pulled the walls down on the scheme and brought down their own roof. The FSB arrested Tsaregorodtsev, and seized $154,000 in cash, 100 gold bars, real estate and expensive cars.
At Tsaregorodtsev’s trial, his lawyers argued that their client wasn’t guilty of bribery per se, but that he did admit to fraud because he was ultimately unable to fully perform the services for which he’d been hired.
The Russian news outlet Kommersant reports that all four of those who cooperated were released with probation or correctional labor. Zaitsev received a sentence of 3.5 years in prison, and defendant Alexander Kovalev got four years.
In 2017, KrebsOnSecurity profiled Trump’s Dumps, and found the contact address listed on the site was tied to an email address used to register more than a dozen domains that were made to look like legitimate Javascript calls many e-commerce sites routinely make to process transactions — such as “js-link[dot]su,” “js-stat[dot]su,” and “js-mod[dot]su.”
Searching on those malicious domains revealed a 2016 report from RiskIQ, which shows the domains featured prominently in a series of hacking campaigns against e-commerce websites. According to RiskIQ, the attacks targeted online stores running outdated and unpatched versions of shopping cart software from Magento, Powerfront and OpenCart.
Those shopping cart flaws allowed the crooks to install “web skimmers,” malicious Javascript used to steal credit card details and other information from payment forms on the checkout pages of vulnerable e-commerce sites. The stolen customer payment card details were then sold on sites like Trump’s Dumps and Sky-Fraud.
ToddyCat Hacker Group Uses Advanced Tools for Industrial-Scale Data Theft
- Security Affairs
- Hackers threaten to leak a copy of the World-Check database used to assess potential risks associated with entities
Hackers threaten to leak a copy of the World-Check database used to assess potential risks associated with entities
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check and threatens to publish it.
World-Check is a global database utilized by various organizations, including financial institutions, regulatory bodies, and law enforcement agencies, for assessing potential risks associated with individuals and entities. It compiles information from diverse sources like public records, regulatory filings, and proprietary databases to create profiles of entities susceptible to financial crime, terrorism, or corruption. World-Check aids organizations in conducting due diligence and adhering to regulatory standards concerning anti-money laundering (AML) and counter-terrorism financing (CTF).
World-Check is currently owned by LSEG (London Stock Exchange Group).
A financially motivated threat actor, called GhostR, announced the theft of a confidential database containing 5.3 million records from the World-Check.
The threat actor said that he stole the database in March and threatened to publish the data online.
The hackers told TechCrunch that they stole the database from a Singapore-based company that has access to the sensitive database, however, they did not name the victim organization.
The threat actors shared a portion of the stolen data with TechCrunch as proof of the hack, it includes records on current and former government officials, diplomats, and politically exposed people. The list also includes criminals, suspected terrorists, intelligence operatives and a European spyware firm.
Compromised data vary by individuals and organizations, it includes names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers, and more.
World-Check had different owners across the years, it was originally founded as an independent company. Curiously, in 2011, Thomson Reuters acquired World-Check, then in October 2018, Thomson Reuters closed a deal with The Blackstone Group. As a result of this merger, World-Check became part of the new company, Refinitiv. LSEG acquired Refinitiv is 2021.
The disclosure of data in the archive poses a threat to the individuals whose data it contains. This is sensitive information that could lead to discrimination, persecution, or otherwise cause harm to individuals by violating their privacy and exposing them to various types of cyberattacks.
The database was criticized because it includes names of people and organizations that are mistakenly considered terrorists.
In June 2016, security researcher Chris Vickery found a copy of the World-Check database dated 2014 that was accidentally exposed online.
In August 2015, journalists from BBC’s Radio 4 gained 30 minutes of access thanks to the support of a disgruntled customer and demonstrated that the designations in the archive were inaccurate.
The Vice News also gained access to the World-Check archive in February 2016 arriving at the same conclusion after it analyzed some profiles in the database
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, GhostR)
- The Hacker News
- Pentera's 2024 Report Reveals Hundreds of Security Events per Week, Highlighting the Criticality of Continuous Validation
Pentera's 2024 Report Reveals Hundreds of Security Events per Week, Highlighting the Criticality of Continuous Validation
MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws
Ransomware Double-Dip: Re-Victimization in Cyber Extortion
- Security Affairs
- Windows DOS-to-NT flaws exploited to achieve unprivileged rootkit-like capabilities
Windows DOS-to-NT flaws exploited to achieve unprivileged rootkit-like capabilities
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve rootkit-like capabilities.
SafeBreach researcher Or Yair devised a technique, exploiting vulnerabilities in the DOS-to-NT path conversion process, to achieve rootkit-like capabilities on Windows.
When a user executes a function with a path argument in Windows, the DOS path of the file or folder is converted to an NT path. However, a known issue arises during this conversion process where the function removes trailing dots from any path element and trailing spaces from the last path element. This behavior is consistent across most user-space APIs in Windows.
The expert exploiting this known issue discovered the following vulnerabilities:
- CVE-2023-36396 Windows Compressed Folder Remote Code Execution Vulnerability – The RCE issue resides in Windows’s new extraction logic for all newly supported archive types. The expert craft a malicious archive that would write anywhere he chose on a remote computer once extracted, leading to code execution.
- CVE-2023-32054 Volume Shadow Copy Elevation of Privilege Vulnerability – An can exploit this issue to gain the rights of the user that is running the affected application. The researchers discovered two elevation of privilege (EoP) vulnerabilities. The CVE-2023-32054 allowed him to write into files without the required privileges by manipulating the restoration process of a previous version from a shadow copy and another that allowed him to delete files without the required privileges.
“In addition to leading me to these vulnerabilities, the MagicDot paths also granted me rootkit-like abilities that were accessible to any unprivileged user.” wrote Or Yair. “I discovered how a malicious actor—without admin privileges—could hide files and processes, hide files in archives, affect prefetch file analysis, make Task Manager and Process Explorer users think a malware file was a verified executable published by Microsoft, disable Process Explorer with a denial of service (DoS) vulnerability, and more.”
A user-space rootkit aims to intercept user-space API calls, execute the original function, filter out malicious data, and return altered information to the caller. An attacker needs Admin privileges to run such rootkits, as they need to conceal their presence from users, including administrators, by operating within processes with elevated privileges.
A kernel rootkit operates within the kernel and attempts to intercept system calls, altering the information returned to user-space processes that request it.
Running a kernel rootkit requires access to the kernel, typically requiring administrative privileges and overcoming various security measures such as Patch Guard, Driver Signature Enforcement, Driver Blocklist, and HVCI. Consequently, the prevalence of kernel rootkits has decreased significantly.
The expert reported to the Microsoft Security Response Center (MSRC) in 2023. The IT giant acknowledged these issues and took the following action:
- Remote Code Execution (CVE-2023-36396, CVSS: 7.8): fixed by Microsoft.
- Elevation of Privilege (Write) (CVE-2023-32054, CVSS: 7.3): fixed by Microsoft.
- Elevation of Privilege (Deletion): The vulnerability was reproduced and confirmed by Microsoft. However, the company did not issue a CVE or a fix. Below is the response provided by Microsoft. “Thank you again for submitting this issue to Microsoft. We determined that this issue does not require immediate security service but did reveal unexpected behavior. A fix for this issue will be considered in a future version of this product or service.”
- Process Explorer Unprivileged DOS for Anti-Analysis (CVE-2023-42757): fixed by the engineering team of Process Explorer in version 17.04. CVE-2023-42757 was reserved for this vulnerability by MITRE. MITRE confirmed the vulnerability with Microsoft and will publish the CVE once online publication of the details is available.
“This research is the first of its kind to explore how known issues that appear to be harmless can be exploited to develop vulnerabilities and, ultimately, pose a significant security risk. We believe the implications are relevant not only to Microsoft Windows, which is the world’s most widely used desktop OS, but also to all software vendors, most of whom also allow known issues to persist from version to version of their software.” Yair concluded.
The report includes video PoCs for these vulnerabilities-
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Microsoft)
Researchers Uncover Windows Flaws Granting Hackers Rootkit-Like Powers
A flaw in the Forminator plugin impacts hundreds of thousands of WordPress sites
Japan’s CERT warns of a vulnerability in the Forminator WordPress plugin that allows unrestricted file uploads to the server.
Japan’s CERT warned that the WordPress plugin Forminator, developed by WPMU DEV, is affected by multiple vulnerabilities, including a flaw that allows unrestricted file uploads to the server.
Forminator is a popular WordPress plugin that allows users to easily create various forms for their website without needing any coding knowledge. The plugin is installed in over 500,000.
One of these vulnerabilities is a critical issue, tracked as CVE-2024-28890 (CVSS v3: 9.8) that a remote attacker can exploit to upload malicious code on WordPress sites using the plugin.
“A remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin and cause a denial-of-service (DoS) condition (CVE-2024-28890)” read the security bulletin published by the JPCERT.
The bulletin also warns of the following these vulnerabilities:
- CVE-2024-31077 (CVSS score 7.2) – SQL injection flaw – An administrative user may obtain and alter any information in the database and cause a denial-of-service (DoS) condition
- CVE-2024-31857 (CVSS score 6.1) – Cross-site scripting flaw – A remote attacker may obtain user information etc. and alter the page contents on the user’s web browser
Forminator versions 1.29.3 addressed all the vulnerabilities, admins are recommended to update their installs asap
At the time of this writing, researchers have reports of attacks in the wild exploiting the vulnerability CVE-2024-28890.
According to statistics provided by WordPress.org, the plugin has over 500,000 active installations, but only 55,9% (over 279) are running version 1.29.
This means that more than 200,000 sites are vulnerable to cyber attacks.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, WordPress)
Microsoft Warns: North Korean Hackers Turn to AI-Fueled Cyber Espionage
Akira ransomware received $42M in ransom payments from over 250 victims
Government agencies revealed that Akira ransomware has breached over 250 entities worldwide and received over $42 million in ransom payments.
A joint advisory published by CISA, the FBI, Europol, and the Netherlands’ National Cyber Security Centre (NCSC-NL) revealed that since early 2023, Akira ransomware operators received $42 million in ransom payments from more than 250 victims worldwide.
The Akira ransomware has been active since March 2023, the threat actors behind the malware claim to have already hacked multiple organizations in multiple industries, including education, finance, and real estate. Like other ransomware gangs, the group has developed a Linux encryptor to target VMware ESXi servers.
The Akira ransomware operators implement a double extortion model by exfiltrating victims’ data before encrypting it.
Earlier versions of the ransomware were written in C++ and the malware added the .akira extension to the encrypted files. However, from August 2023 onwards, certain Akira attacks began utilizing Megazord, which employs Rust-based code and encrypts files with a .powerranges extension. Akira threat actors have persisted in employing both Megazord and Akira, including Akira_v2, identified by independent investigations, interchangeably.
The cybersecurity researchers observed threat actors obtaining initial access to organizations through a virtual private network (VPN) service without multifactor authentication (MFA) configured. The attackers mostly used Cisco vulnerabilities CVE-2020-3259 and CVE-2023-20269.
Akira operators were also observed using external-facing services such as Remote Desktop Protocol (RDP), spear phishing, and the abuse of valid credentials.
Following initial access, threat actors were observed exploiting domain controller’ functions by generating new domain accounts to establish persistence. In some attacks, threat actors created an administrative account named itadm.
“According to FBI and open source reporting, Akira threat actors leverage post-exploitation attack techniques, such as Kerberoasting, to extract credentials stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Akira threat actors also use credential scraping tools like Mimikatz and LaZagne to aid in privilege escalation.” reads the report. “Tools like SoftPerfect and Advanced IP Scanner are often used for network device discovery (reconnaissance) purposes and net
Windows commands are used to identify domain controllers and gather information on domain trust relationships.
Akira operators have been observed deploying two distinct ransomware variants against different system architectures within the same attack. It was this first time that the operators adopted this tactic.
The operators frequently disable security software to evade detection and for lateral movement. The government experts observed the use of PowerTool by Akira threat actors to exploit the Zemana AntiMalware driver and terminate antivirus-related processes.
Threat actors use FileZilla, WinRAR, WinSCP, and RClone for data exfiltration. The attackers use AnyDesk, Cloudflare Tunnel, RustDesk, Ngrok, and Cloudflare Tunnel to communicate with the command-and-control (C&C).
“Akira threat actors utilize a sophisticated hybrid encryption scheme to lock data. This involves combining a ChaCha20 stream cipher with an RSA public-key cryptosystem for speed and secure key exchange. This multilayered approach tailors encryption methods based on file type and size and is capable of full or partial encryption.” concludes the advisory that includes indicators of compromise (IoCs).”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Akira ransomware)
DuneQuixote campaign targets the Middle East with a complex backdoor
Threat actors target government entities in the Middle East with a new backdoor dubbed CR4T as part of an operation tracked as DuneQuixote.
Researchers from Kaspersky discovered the DuneQuixote campaign in February 2024, but they believe the activity may have been active since 2023.
Kaspersky discovered over 30 DuneQuixote dropper samples used in the campaign. The experts identified two versions of the dropper, regular droppers (in the form of an executable or a DLL file) and tampered installer files for a legitimate tool named “Total Commander.”
The droppers were employed to download a backdoor tracked as “CR4T”. The experts detected only two CR4T implants, but they speculate the existence of many other variants which may be completely different malware.
The threat actors behind the DuneQuixote campaign took steps to prevent collection and analysis the implants through the implementation of practical and well-designed evasion methods.
The dropper connects to an embedded command-and-control (C2), whose address is hardcoded in the malicious code and is decrypted using a unique technique to prevent its exposure to automated malware analysis tools.
“The initial dropper is a Windows x64 executable file, although there are also DLL versions of the malware sharing the same functionality. The malware is developed in C/C++ without utilizing the Standard Template Library (STL), and certain segments are coded in pure Assembler.” reads the analysis published by Kaspersky. “The dropper then proceeds to decrypt the C2 (Command and Control) address, employing a unique technique designed to prevent the exposure of the C2 to automated malware analysis systems. This method involves first retrieving the filename under which the dropper was executed, then concatenating this filename with one of the hardcoded strings from Spanish poems. Following this, the dropper calculates the MD5 hash of the concatenated string, which is then used as a key for decrypting the C2 string.”
The threat actors used strings in these functions consisting of excerpts from Spanish poems. The strings differ from one sample to another, altering the signature of each sample to avoid detection through conventional methods. Then, after executing decoy functions, the malware constructs a framework for the required API calls. This framework is filled with offsets of Windows API functions, resolved through various techniques.
The dropper calculates the MD5 hash of the combined string and uses it as the key to decode the C2 server address. Then the dropper connects with the C2 server and downloads a next-stage payload.
The researchers noticed that the payload can only be downloaded once per victim or is only accessible for a short period after a malware sample is released, for this reason, researchers were unable to obtain most of the payload implants from active C2 servers.
The Total Commander installer dropper is designed to appear like a genuine Total Commander software installer but includes additional malicious components. These alterations invalidate the official digital signature of the Total Commander installer. This version of the dropper maintains the core functionality of the initial dropper but excludes Spanish poem strings and decoy functions. Additionally, it incorporates anti-analysis measures and checks to prevent connections to C2 resources.
The experts also spotted a Golang version of the CR4T implant that shares similar capabilities with the C version. It includes a command line console for machine interaction, file download/upload functions, and command execution capabilities. Notably, the malware can create scheduled tasks using the Golang Go-ole library, which interfaces with the Windows Component Object Model (COM) for Task Scheduler service interaction.
The malware achieves persistence through the COM objects hijacking technique. The malware uses the Telegram API for C2 communications, implementing the public Golang Telegram API bindings. All the interactions are similar to the C/C++ version.
“The “DuneQuixote” campaign targets entities in the Middle East with an interesting array of tools designed for stealth and persistence. Through the deployment of memory-only implants and droppers masquerading as legitimate software, mimicking the Total Commander installer, the attackers demonstrate above average evasion capabilities and techniques.” concludes the report. “The discovery of both C/C++ and Golang versions of the CR4T implant highlights the adaptability and resourcefulness of the threat actors behind this campaign.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
- Security Affairs
- Security Affairs newsletter Round 468 by Pierluigi Paganini – INTERNATIONAL EDITION
Security Affairs newsletter Round 468 by Pierluigi Paganini – INTERNATIONAL EDITION
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box.
Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.
International Press Newsletter
Cybercrime
AFP traps alleged RAT developer
Ransomware Group Claims Theft of Data From Chipmaker Nexperia
International investigation disrupts phishing-as-a-service platform LabHost
Threat Group FIN7 Targets the U.S. Automotive Industry
Chinese Organized Crime’s Latest U.S. Target: Gift Cards
Ransomware Victims Who Pay a Ransom Drops to Record Low
840-bed hospital in France postpones procedures after cyberattack
Malware
Unpacking the Blackjack Group’s Fuxnet Malware
LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India
Cerber Ransomware: Dissecting the three heads
Kapeka: A novel backdoor spotted in Eastern Europe
OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal
Hacking
Hacker claims Giant Tiger data breach, leaks 2.8M records online
PuTTY vulnerability vuln-p521-bias
Palo Alto – Putting The Protecc In GlobalProtect (CVE-2024-3400)
Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials
Cisco discloses root escalation flaw with public exploit code
SteganoAmor campaign: TA558 mass-attacking companies and public institutions all around the world
CrushFTP Virtual Filesystem Escape Vulnerability in the Wild
Intelligence and Information Warfare
Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
Misinformation And Hacktivist Campaigns Target The Philippines Amidst Rising Tensions With China
FBI says Chinese hackers preparing to attack US infrastructure
Cybersecurity
United Nations Agency Investigating Ransomware Attack Involving Data Theft
House passes bill banning Uncle Sam from snooping on citizens via data brokers
UNDP Investigates Cyber-Security Incident
ICS Network Controllers Open to Remote Exploit, No Patches Available
Advanced Cyber Threats Impact Even the Most Prepared
Government Releases Guidance on Securing Election Infrastructure
Warrantless spying powers extended to 2026 with Biden’s signature
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth
Critical CrushFTP zero-day exploited in attacks in the wild
Threat actors exploited a critical zero-day vulnerability in the CrushFTP enterprise in targeted attacks, Crowdstrike experts warn.
CrushFTP is a file transfer server software that enables secure and efficient file transfer capabilities. It supports various features such as FTP, SFTP, FTPS, HTTP, HTTPS, WebDAV, and WebDAV SSL protocols, allowing users to transfer files securely over different networks. CrushFTP also provides support for automation, scripting, user management, and extensive customization options to meet the diverse needs of businesses and organizations.
CrushFTP has notified users of a virtual file system escape vulnerability impacting their FTP software, which could potentially enable users to download system files.
“CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0. Customers using a DMZ in front of their main CrushFTP instance are protected with its protocol translation system it utilizes.” reads the advisory.
Simon Garrelou from the Airbus CERT discovered the vulnerability.
Crowdstrike researchers discovered that threat actors exploited the critical zero-day vulnerability in targeted attacks in the wild.
“On April 19, 2024, CrushFTP advised of a virtual file system escape present in their FTP software that could allows users to download system files. Falcon OverWatch and Falcon Intelligence have observed this exploit being used in the wild in a targeted fashion.” reads a post published by Crowdstrike on Reddit.
The vulnerability has yet to receive CVE.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, zero-day)
A French hospital was forced to reschedule procedures after cyberattack
A French hospital was forced to return to pen and paper and postpone medical treatments after a cyber attack.
A cyber attack hit Hospital Simone Veil in Cannes (CHC-SV) on Tuesday, impacting medical procedures and forcing personnel to return to pen and paper.
The Hospital Simone Veil in Cannes is a public hospital located in Cannes, France. The hospital provides a range of medical services and healthcare facilities to the local community and surrounding areas.
CHC-SV has more than 2,000 employees and has a capacity of more than 800 beds.
The website of the hospital states that “Cyberattack in progress! All non-urgent consultations should be reconsidered.”
Non-urgent surgical procedures and consultations scheduled for this week have been postponed.
The French hospital was forced to take all computers offline while the telephone lines were not impacted The hospital is investigating the incident with the help of ANSSI, Cert Santé, Orange CyberDéfense, and GHT06.
The organization hasn’t received any ransom demands and hasn’t identified a data breach.
“CHC-SV was the target of a cyber attack on Tuesday morning. General cybercontainment was one of the first decisions of the crisis unit. This radical decision was taken very quickly in all sectors. All computer access was consequently cut off. Telephony continues to work.” reads the announcement. “There have been no ransom demands or data theft identified at this stage. Investigations remain ongoing.”
The hospital ensured continuity of operations in emergency care, internal medicine, surgery, obstetrics, geriatrics, pediatrics, psychiatry, home hospitalization, and rehabilitation.
“The CHC-SV had never been the victim of a cyberattack of this type. Cyber risk is one of the priority risks identified in the establishment’s risk map. Exercises have been held over the past few months, allowing for strong responsiveness to the event.” concludes the announcement.
“The return to normal will depend on technical investigations and the necessary catch-up. Feedback from other hospitals that have been the subject of a cyberattack shows that this return to normal can take a long time.”
In December 2022, the Hospital Centre of Versailles was hit by a cyber attack that forced it to cancel operations and transfer some patients in other hospitals.
In August 2022, the Center Hospitalier Sud Francilien (CHSF), a hospital southeast of Paris, suffered a ransomware attack over the weekend. The attack disrupted the emergency services and surgeries and forced the hospital to refer patients to other structures. According to local media, threat actors demand a $10 million ransom to provide the decryption key to restore encrypted data.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, French hospital)
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack
Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks
MITRE revealed that nation-state actors breached its systems via Ivanti zero-days
The MITRE Corporation revealed that a nation-state actor compromised its systems in January 2024 by exploiting Ivanti VPN zero-days.
In April 2024, MITRE disclosed a security breach in one of its research and prototyping networks. The security team at the organization promptly launched an investigation, logged out the threat actor, and engaged third-party forensics Incident Response teams to conduct independent analysis in collaboration with internal experts.
According to the MITRE Corporation, a nation state actor breached its systems in January 2024 by chaining two Ivanti Connect Secure zero-day vulnerabilities.
“Starting in January 2024, a threat actor performed reconnaissance of our networks, exploited one of our Virtual Private Networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities, and skirted past our multi-factor authentication using session hijacking. From there, they moved laterally and dug deep into our network’s VMware infrastructure using a compromised administrator account.” reads a post published by the organization on Medium. “They employed a combination of sophisticated backdoors and webshells to maintain persistence and harvest credentials.”
MITRE spotted a foreign nation-state threat actor probing its Networked Experimentation, Research, and Virtualization Environment (NERVE), used for research and prototyping. The organization immediately started mitigation actions which included taking NERVE offline. The investigation is still ongoing to determine the extent of information involved.
The organization notified authorities and affected parties and is working to restore operational alternatives for collaboration.
Despite MITRE diligently following industry best practices, implementing vendor recommendations, and complying with government guidance to strengthen, update, and fortify its Ivanti system, they overlooked the lateral movement into their VMware infrastructure.
The organization said that the core enterprise network or partners’ systems were not affected by this incident.
“No organization is immune from this type of cyber attack, not even one that strives to maintain the highest cybersecurity possible,” said Jason Providakes, president and CEO, MITRE. “We are disclosing this incident in a timely manner because of our commitment to operate in the public interest and to advocate for best practices that enhance enterprise security as well necessary measures to improve the industry’s current cyber defense posture. The threats and cyber attacks are becoming more sophisticated and require increased vigilance and defense approaches. As we have previously, we will share our learnings from this experience to help others and evolve our own practices.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Ivanti)
BlackTech Targets Tech, Research, and Gov Sectors New 'Deuterbear' Tool
How Attackers Can Own a Business Without Touching the Endpoint
Akira Ransomware Gang Extorts $42 Million; Now Targets Linux Servers
FBI chief says China is preparing to attack US critical infrastructure
China-linked threat actors are preparing cyber attacks against U.S. critical infrastructure warned FBI Director Christopher Wray.
FBI Director Christopher Wray warned this week that China-linked threat actors are preparing an attack against U.S. critical infrastructure, Reuters reported.
According to the FBI chief, the Chinese hackers are waiting “for just the right moment to deal a devastating blow.”
In February, US CISA, the NSA, the FBI, along with partner Five Eyes agencies, published a joint advisory to warn that China-linked APT Volt Typhoon infiltrated a critical infrastructure network in the US and remained undetected for at least five years.
“the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years,” reads the alert.
The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
The APT group is using almost exclusively living-off-the-land techniques and hands-on-keyboard activity to evade detection.
In December 2023, Microsoft first noticed that to conceal malicious traffic, the threat actor routes it through compromised small office and home office (SOHO) network devices, including routers, firewalls, and VPN hardware. The group also relies on customized versions of open-source tools for C2 communications and to stay under the radar.
The Chinese cyberespionage group has successfully breached the networks of multiple US critical infrastructure organizations. Most of the impacted organizations are in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems sectors.
“The group also relies on valid accounts and leverage strong operational security, which combined, allows for long-term undiscovered persistence. In fact, the U.S. authoring agencies have recently observed indications of Volt Typhoon actors maintaining access and footholds within some victim IT environments for at least five years.” continues the alert. “Volt Typhoon actors conduct extensive pre-exploitation reconnaissance to learn about the target organization and its environment; tailor their tactics, techniques, and procedures (TTPs) to the victim’s environment; and dedicate ongoing resources to maintaining persistence and understanding the target environment over time, even after initial compromise.”
U.S. agencies fear the possibility that these actors could gain access to the networks of critical infrastructure to cause disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
The Volt Typhoon’s activities suggest that the group primarily aims to establish a foothold within networks to secure access to Operational Technology (OT) assets.
The US agencies also released a technical guide containing recommendations to identify and mitigate living off the land techniques adopted by the APT group.
A Chinese Foreign Ministry spokesperson recently stated that the Volt Typhoon activity is not associated with Beijing, but linked it to a cybercrime operation.
Wray confirmed that Volt Typhoon’s campaign is still ongoing and breached numerous American companies in telecommunications, energy, water and other critical sectors.
The state-sponsored hackers also targeted 23 pipeline operators, Wray revealed during a speech at Vanderbilt Summit on Modern Conflict and Emerging Threats.
The FBI Director remarked that China is developing the “ability to physically wreak havoc on US critical infrastructure at a time of its choosing,” “Its plan is to land low blows against civilian infrastructure to try to induce panic.”
Wray explained that it is difficult to determine the purpose behind the cyber pre-positioning, however, the activity is part of a broader strategy to dissuade the U.S. from defending Taiwan.
Wray added that the China-linked actors employed a series of botnets in their activities.
In December, the Black Lotus Labs team at Lumen Technologies linked a small office/home office (SOHO) router botnet, tracked as KV-Botnet to the operations of China-linked threat actor Volt Typhoon. The botnet is comprised of two complementary activity clusters, the experts believe it has been active since at least February 2022. The threat actors target devices at the edge of networks.
The KV-Botnet is composed of end-of-life products used by SOHO devices. In early July and August of 2022, the researchers noticed several Cisco RV320s, DrayTek Vigor routers, and NETGEAR ProSAFEs that were part of the botnet. Later, in November 2022, most of the devices composing the botnet were ProSAFE devices, and a smaller number of DrayTek routers. In November 2023, the experts noticed that the botnet started targeting Axis IP cameras, such as the M1045-LW, M1065-LW, and p1367-E.
The researchers pointed out that the use of the KV-Botnet is limited to China-linked actors. Thus far the victimology aligns primarily with a strategic interest in the Indo-Pacific region, the experts observed a focus on ISPs and government organizations.
About the author: Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, China)
United Nations Development Programme (UNDP) investigates data breach
The United Nations Development Programme (UNDP) has initiated an investigation into an alleged ransomware attack and the subsequent theft of data.
The United Nations Development Programme (UNDP) is investigating an alleged ransomware attack that resulted in data theft.
The United Nations Development Programme (UNDP) is a United Nations agency tasked with helping countries eliminate poverty and achieve sustainable economic growth and human development.
The cyber attack recently targeted the IT infrastructure of the Agency in UN City, Copenhagen.
On March 27, UNDP became aware that a data-extortion threat actor had stolen data, including human resources and procurement information.
“On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information.” reads the statement published by the Agency. “Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted.”
UNDP is investigating the security incident to determine the scope of the cyberattack. The agency is keeping individuals affected by the breach updated and sharing information with other stakeholders, including its partners across the UN system.
“UNDP takes this incident extremely seriously and we reiterate our dedication to data security. We are committed to continue working to detect and minimize the risk of cyber-attacks.” continues the statement.
UNDP did not share details about the attack, however, on March 27, 2024, the ransomware group 8base added the agency to its Tor leak site (the Tor leak site is unavailable at the time of this writing).
The extortion group as yet to publish the stolen data.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, United Nations Development Programme)
Hackers Target Middle East Governments with Evasive "CR4T" Backdoor
FIN7 targeted a large U.S. carmaker with phishing attacks
BlackBerry reported that the financially motivated group FIN7 targeted the IT department of a large U.S. carmaker with spear-phishing attacks.
In late 2023, BlackBerry researchers spotted the threat actor FIN7 targeting a large US automotive manufacturer with a spear-phishing campaign. FIN7 targeted employees who worked in the company’s IT department and had higher levels of administrative rights.
The attackers employed the lure of a free IP scanning tool to infect the systems with the Anunak backdoor and gain an initial foothold using living-off-the-land binaries, scripts, and libraries (lolbas).
FIN7 is a Russian criminal group (aka Carbanak) that has been active since mid-2015, it focuses on restaurants, gambling, and hospitality industries in the US to harvest financial information that was used in attacks or sold in cybercrime marketplaces.
Fin7 was observed using the PowerShell script POWERTRASH, which is a custom obfuscation of the shellcode invoker in PowerSploit.
In the attacks analyzed by BlackBarry, threat actors used a typosquatting technique, they used a malicious URL “advanced-ip-sccanner[.]com” masquerading as the legitimate website “advanced-ip-scanner[.]com”, which is a free online scanner.
Upon visiting the rogue site, visitors are redirected to “myipscanner[.]com”, which in turn redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems.
Upon execution, the executable initiates a complex multi-stage process comprising DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called ‘dmxl.bin,’ which contains the Anunak payload.
The threat actors used WsTaskLoad.exe to install OpenSSH to maintain persistence, they used scheduled task to persist OpenSSH on the victim’s machine.
While historical data demonstrate that FIN7 often employs OpenSSH for lateral movement, no such activity was detected in this particular campaign. OpenSSH is also used for external access.
“While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated.” concludes the report that also includes recommendations for Mitigation and IoCs (Indicators of Compromise). “BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, FIN7)