Week in Overview (28 Aug-5 Sep)
Apache Ignition Unauthenticated Remote Code Execution Vulnerability
CVE-2023-37895 Apache Jackrabbit RMI #RCE
Exploitation of MinIO Storage System Vulnerabilities
Phishing Campaign Targeting Italian Audience – RICHIESTA DI PAGAMENTO 04/09/2023
QakBot Takedown – Bot Connections to Active C2s
It is crucial for organizations and individuals to prioritize remediation and patching efforts to safeguard their systems and data. The following key findings highlight the importance of proactive measures to mitigate the risks associated with the vulnerabilities and threats covered this week:
The exploit for this unauthenticated RCE vulnerability manipulates the Apache Ignition system through a complex series of steps. The attacker leverages a deserialization point reachable without authorization, potentially within JavaSerializationCodec. The exact mechanism and impact of the vulnerability depend on the version of Apache Ignition in use, which has not been verified.
Due to the lack of authorized information about this vulnerability, it is challenging to provide specific mitigation steps. However, organizations using Apache Ignition should consider the following general security practices:
In the past, ransomware attacks primarily involved encrypting victims’ data and demanding a ransom in exchange for decryption keys. However, in 2019, a notable change occurred in the tactics employed by ransomware gangs. These groups began stealing sensitive data from their victims before encrypting it and then threatening to leak this data on the dark web if a ransom was not paid. This shift represented a significant escalation in the capabilities and intentions of ransomware actors.
The Trend of Data Theft and Leakage:
3. Emergence of New Ransomware Gangs:
4. Evolving Tactics:
This advisory report outlines several suspicious files, namely “screens013923.zip,” “wdocx.lnk,” “screenshot_1.lnk,” and a potentially malicious IP address “185.225.75[.]63.” These elements have been identified as potential security concerns, warranting immediate attention and investigation.
5. The IP address “185.225.75[.]63” is identified as potentially malicious. It may be associated with a command and control (C2) server, a source of malicious traffic, or other malicious activities. Investigating the purpose and origin of this IP address is crucial.
This advisory report highlights a phishing campaign that specifically targets the Italian audience, masquerading as “RICHIESTA DI PAGAMENTO 04/09/2023.” The campaign involves malicious registry activity, malicious URLs, and an intricate execution chain leading to the delivery of malware. The report aims to raise awareness and provide recommendations for mitigating this threat.
The phishing campaign titled “RICHIESTA DI PAGAMENTO 04/09/2023” is designed to deceive recipients into downloading and executing malicious files, ultimately compromising their systems. This campaign poses a significant threat to Italian users.
Malicious registry modifications have been observed as part of this campaign, including the addition and deletion of registry keys. These actions are indicative of attempts to maintain persistence and execute malicious code.
Several malicious URLs have been identified as part of this campaign:
MalwareBazaar and AnyRun:
MalwareBazaar and AnyRun provide additional information and analysis of this campaign’s artifacts, including execution chains and associated behaviors:
The execution chain involves a series of file types, including .eml, .pdf, .vbs, .exe, .msi, and a potential UAC bypass using fodhelper.exe. This complex chain is designed to evade detection and compromise the victim’s system.
Command and Control (C2):
The identified C2 server, instance-m73xwc-relay.screenconnect[.]com, is used for command and control purposes. C2 servers are often instrumental in the execution of malicious activities.
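The indicators quoted in the two advisories above (the file names and the IP address from the suspicious-files report, and the ScreenConnect relay hostname from this campaign) are published defanged, so they cannot be pasted straight into a search. The following added example, which is not part of the original digest, refangs those indicators and matches them against a handful of constructed DNS, proxy and EDR log lines; the log format, host names and timestamps are invented for illustration, and only the IOC values come from the page.

```python
"""Refang the defanged IOCs from the advisories above and match them against
constructed log lines. Added example: the IOC values come from the digest,
the log format and the sample lines are constructed for illustration."""
import re
from typing import Dict, List, Pattern, Tuple

# Indicators as published in the advisories (defanged).
DEFANGED_IOCS: Dict[str, List[str]] = {
    "ip": ["185.225.75[.]63"],
    "domain": ["instance-m73xwc-relay.screenconnect[.]com"],
    "filename": ["screens013923.zip", "wdocx.lnk", "screenshot_1.lnk"],
}


def refang(value: str) -> str:
    """Reverse the common defanging conventions: [.] and (.) -> '.',
    [:] -> ':', and an hxxp/hxxps scheme -> http/https."""
    value = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    if value.lower().startswith("hxxp"):
        value = "http" + value[4:]
    return value


def build_matchers(iocs: Dict[str, List[str]]) -> List[Tuple[str, str, Pattern]]:
    """Compile one bounded regex per IOC. The value is escaped and bounded so
    that 185.225.75.63 does not match 185.225.75.630; filenames are matched
    case-insensitively because Windows paths are case-insensitive."""
    matchers = []
    for kind, values in iocs.items():
        for raw in values:
            clean = refang(raw)
            flags = re.IGNORECASE if kind == "filename" else 0
            pattern = re.compile(r"(?<![\w.])" + re.escape(clean) + r"(?![\w.])", flags)
            matchers.append((kind, clean, pattern))
    return matchers


def scan_logs(lines: List[str], iocs: Dict[str, List[str]] = DEFANGED_IOCS):
    """Return (line number, IOC kind, IOC value) for every line that contains
    one of the indicators."""
    matchers = build_matchers(iocs)
    hits = []
    for lineno, line in enumerate(lines, 1):
        for kind, value, pattern in matchers:
            if pattern.search(line):
                hits.append((lineno, kind, value))
    return hits


# Constructed log lines (not from the page): a DNS query, a proxy connection,
# two EDR file/process events, a near-miss IP, and a benign query.
SAMPLE_LOGS = [
    "2023-09-04T09:12:01Z dns client=10.0.0.15 query=instance-m73xwc-relay.screenconnect.com type=A",
    "2023-09-04T09:12:03Z proxy src=10.0.0.15 dst=185.225.75.63:443 action=allow bytes=4096",
    "2023-09-04T09:10:47Z edr host=WS-15 event=FileCreate path=C:\\Users\\u\\Downloads\\screens013923.zip",
    "2023-09-04T09:11:02Z edr host=WS-15 event=ProcessCreate image=explorer.exe cmd=\"C:\\Temp\\WDOCX.LNK\"",
    "2023-09-04T09:13:00Z proxy src=10.0.0.22 dst=185.225.75.630:80 action=allow",
    "2023-09-04T09:14:00Z dns client=10.0.0.22 query=www.example.org type=A",
]

if __name__ == "__main__":
    for lineno, kind, value in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} match on {value}")
```

The boundary lookarounds matter more than they look: without them the IP pattern would fire on the constructed near-miss `185.225.75.630`, and a bare substring search on `wdocx.lnk` would miss the upper-cased path in the EDR event.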
This incident analysis report delves into a sophisticated Nokoyawa ransomware campaign that utilized HTML smuggling, IcedID malware, Cobalt Strike, and swift execution to compromise target organizations. The attack, which transpired in November 2022, showcases the threat actor’s use of various tactics to achieve a domain-wide ransomware compromise within a remarkably short timeframe. The report offers insights into the attack’s lifecycle, techniques employed, and recommendations for enhancing cybersecurity practices.
Initial Compromise: The attack initiated with the delivery of an HTML file, potentially via email, using HTML smuggling to evade security measures. The HTML file led to the download of a password-protected ZIP file containing an ISO file.
Payload Delivery: Inside the ZIP file, the ISO file held the IcedID malware payload. A LNK file disguised as a document was visible to the user, who interacted with it.
Payload Execution: Clicking the LNK file triggered the execution of malicious commands, copying rundll32 and a malicious DLL from the ISO to the host. The DLL established a connection to IcedID command and control servers.
Lateral Movement: A series of commands led to IcedID establishing persistence on the host via a scheduled task. The malware collected system information using utilities like net, ipconfig, systeminfo, and nltest.
Cobalt Strike Engagement: After a few hours, IcedID spawned a cmd process that connected to a Cobalt Strike server, accessing LSASS and checking domain admins.
Domain Controller Access: The threat actor, using Cobalt Strike, identified domain administrators through net utility and initiated an RDP session to a domain controller. A Cobalt Strike beacon was placed on the domain controller.
Discovery and Lateral Movement: The threat actor conducted Active Directory discovery using AdFind, archived results, and performed nslookup across the network.
SessionGopher Usage: The threat actor employed encoded PowerShell (SessionGopher) on the domain controller to decrypt saved session information. Access to backup servers and file shares ensued.
Network Scan and File Movement: After a network scan, PsExec and WMIC facilitated file movement across systems. Key files included the ransomware binary and an executing batch script.
Ransomware Execution: Nokoyawa ransomware was executed on a domain controller using PsExec to initiate the process on other hosts in the domain. The ransomware attack commenced just over 12 hours after the initial infection.
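The stages of the chain above map onto process-creation telemetry that most EDR products already collect: rundll32 loading a DLL from outside the Windows directory, a scheduled task being created, a burst of host-recon utilities, AdFind, encoded PowerShell, and PsExec or WMIC remote execution. The following added example, not code from the original report, scores constructed process-creation events against those stages and raises a per-host alert once several distinct stages are seen; the event schema, host names, paths and thresholds are assumptions chosen for illustration.

```python
"""Stage-based detection for the IcedID -> Cobalt Strike -> Nokoyawa chain
described above, run over constructed process-creation events. Added example:
the stage names follow the report, the event schema, sample paths and the
alert threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re


def _img(ev):
    """Executable name of the created process, lower-cased."""
    return ev["image"].lower().rsplit("\\", 1)[-1]


def _cmd(ev):
    return ev["cmdline"].lower()


def _dll_outside_windows(ev):
    """True when a DLL path on the command line lies outside C:\\Windows
    (the report describes the DLL being copied from the ISO to the host)."""
    m = re.search(r'([a-z]:\\[^\s",]+\.dll)', _cmd(ev))
    return bool(m) and not m.group(1).startswith("c:\\windows\\")


RECON_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "systeminfo.exe", "nltest.exe"}

# Each rule is (stage label, predicate over one process-creation event).
STAGE_RULES = [
    ("rundll32_nonstandard_dll", lambda ev: _img(ev) == "rundll32.exe" and _dll_outside_windows(ev)),
    ("scheduled_task_persistence", lambda ev: _img(ev) == "schtasks.exe" and "/create" in _cmd(ev)),
    ("ad_discovery_adfind", lambda ev: _img(ev) == "adfind.exe"),
    ("encoded_powershell", lambda ev: _img(ev) in {"powershell.exe", "pwsh.exe"}
        and re.search(r"\s-(e|ec|enc|encodedcommand)\s", _cmd(ev) + " ") is not None),
    ("remote_exec_psexec_wmic", lambda ev: _img(ev) in {"psexec.exe", "psexec64.exe"}
        or (_img(ev) == "wmic.exe" and "/node:" in _cmd(ev) and "process call create" in _cmd(ev))),
]


def correlate(events, min_stages=3, recon_tools=3, recon_window=timedelta(minutes=10)):
    """Return {host: {"stages": [...], "alert": bool}}. Host recon counts as a
    stage only when >= recon_tools distinct utilities run within recon_window,
    so a lone 'net use' on a workstation does not contribute."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    results = {}
    for host, evs in by_host.items():
        stages, recon = set(), []
        for ev in evs:
            for name, rule in STAGE_RULES:
                if rule(ev):
                    stages.add(name)
            if _img(ev) in RECON_TOOLS:
                recon.append((ev["ts"], _img(ev)))
        for i, (t0, _) in enumerate(recon):
            tools = {tool for t, tool in recon[i:] if t - t0 <= recon_window}
            if len(tools) >= recon_tools:
                stages.add("host_recon_burst")
                break
        results[host] = {"stages": sorted(stages), "alert": len(stages) >= min_stages}
    return results


def _ev(ts, host, image, cmdline):
    return {"ts": datetime.fromisoformat(ts), "host": host, "image": image, "cmdline": cmdline}


# Constructed events (hosts, paths and the encoded payload are placeholders).
SAMPLE_EVENTS = [
    # WS-07: DLL run from a user path, scheduled-task persistence, recon burst
    _ev("2022-11-14T09:02:10", "WS-07", r"C:\Users\jdoe\AppData\Local\Temp\rundll32.exe",
        r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\licapi.dll,init"),
    _ev("2022-11-14T09:05:30", "WS-07", r"C:\Windows\System32\schtasks.exe",
        r'schtasks.exe /create /tn "Updater" /tr "rundll32 C:\Users\jdoe\AppData\Local\Temp\licapi.dll,init" /sc hourly'),
    _ev("2022-11-14T09:06:00", "WS-07", r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    _ev("2022-11-14T09:06:05", "WS-07", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _ev("2022-11-14T09:06:12", "WS-07", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    _ev("2022-11-14T09:06:20", "WS-07", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    # DC01: AdFind, encoded PowerShell (SessionGopher-style), PsExec fan-out
    _ev("2022-11-14T15:40:00", "DC01", r"C:\Temp\AdFind.exe", "adfind.exe -f objectcategory=computer"),
    _ev("2022-11-14T16:10:00", "DC01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -nop -w hidden -enc QQBCAEMA"),  # placeholder payload
    _ev("2022-11-14T20:55:00", "DC01", r"C:\Temp\PsExec.exe", r"psexec.exe \\WS-09 -s -d cmd /c C:\Temp\run.bat"),
    # WS-12: benign activity that must not alert
    _ev("2022-11-14T10:00:00", "WS-12", r"C:\Windows\System32\rundll32.exe",
        r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    _ev("2022-11-14T10:01:00", "WS-12", r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),
]

if __name__ == "__main__":
    for host, res in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if res["alert"] else "ok", res["stages"])
```

Requiring several distinct stages per host, rather than alerting on any single rule, is what keeps the benign WS-12 activity quiet while still flagging both the initial workstation and the domain controller; in a real deployment the stage set would be widened (for example with the RDP logon to the domain controller mentioned above) and the window tuned to the environment.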
It was observed that a user fell victim to a phishing attack and subsequently lost a total of 83 $stETH (staked ETH) tokens. The user initially lost 52 $stETH and, inexplicably, transferred an additional 31 $stETH to the same wallet three hours later. Furthermore, the victim had also signed an “increaseAllowance” transaction, suggesting potential exposure to further exploitation.
3. “increaseAllowance” Transaction:
On August 31, 2023, a Remote Code Execution (RCE) attempt was detected targeting Lilin DVR (Digital Video Recorder) devices. The attack also involved the spreading of the Mirai malware. This advisory report provides an overview of the incident, including relevant Indicators of Compromise (IOCs) and hashes.
CVE-2023-37895 is a severe security vulnerability discovered in the Apache Jackrabbit RMI service. The vulnerability allows remote attackers to execute arbitrary code on affected systems, potentially leading to unauthorized access, data exfiltration, or complete compromise of the targeted system.
The exploit for CVE-2023-37895 involves leveraging RMI over HTTP. The attacker targets the org.apache.jackrabbit.servlet.remote.RemoteBindingServlet component.
To exploit this vulnerability, the attacker follows a specific sequence of steps:
An unidentified threat actor has exploited vulnerabilities (CVE-2023-28432 and CVE-2023-28434) in the MinIO high-performance object storage system. These vulnerabilities pose a high risk and have been leveraged for unauthorized code execution on compromised servers. The incident has been reported by Security Joes, a cybersecurity and incident response firm.
In the attack chain investigated by Security Joes, the threat actor used these vulnerabilities to obtain admin credentials and then abused the resulting foothold on the compromised system. Specifically, the attacker replaced the legitimate MinIO binary with a malicious version through an update command specifying a MIRROR_URL.
This malicious modification to the binary exposed an endpoint capable of receiving and executing commands via HTTP requests, effectively serving as a backdoor. These commands inherit the system permissions of the user initiating the application.
Furthermore, the altered binary closely resembles an exploit named “Evil MinIO,” published on GitHub in early April 2023. However, there is currently no evidence linking the exploit’s author to the threat actors behind this incident.
Threat Actor Proficiency:
The threat actor involved in this incident demonstrated proficiency in bash scripts and Python. Additionally, they utilized the backdoor access to deliver supplementary payloads from a remote server for post-exploitation via a downloader script. This script can target both Windows and Linux environments and assesses compromised hosts to determine whether execution should be terminated.
This report provides an overview of the Operation Duck Hunt takedown of the QakBot botnet, focusing on the perspective of bot (victim) connections to recently polled active Command and Control servers (C2s). The operation commenced around 20:30 UTC on Friday evening, August 25. The report draws attention to significant developments and provides relevant resources for further analysis.
Operation Duck Hunt, targeting the QakBot botnet, represents a significant cybersecurity operation aimed at disrupting a well-known banking trojan and information-stealing malware. This operation involved the takedown of C2 infrastructure, thereby crippling the botnet’s ability to communicate with its infected endpoints.