Attack Method: Phishing emails with malicious attachments and links.
Impact: Targets users with a deceptive message leading to malware installation.
Mitigation: Educate users, use endpoint protection, and monitor network traffic.
8. Report on Akira Ransomware Intrusion Set and CERT Intrinsec’s Recommendations
Intrusion Set: Analysis of Akira ransomware’s tactics, techniques, and procedures.
Recommendations: Include patch management, multi-factor authentication, and network monitoring.
🚨 Vulnerability of the Week
Two significant vulnerabilities were identified in WebKit, the browser engine used by Apple’s Safari, affecting iOS, iPadOS, macOS, and Safari versions. These vulnerabilities are tracked as CVE-2023-42916 and CVE-2023-42917.
CVE-2023-42916: Sensitive Information Disclosure
Impact: Processing web content may disclose sensitive information due to an out-of-bounds read.
In the first half of 2023, CERT Intrinsec encountered several incidents involving the Akira ransomware group. Companies became aware of the ransomware either through security alerts or by discovering encrypted files on their servers. CERT Intrinsec’s analysis revealed that Akira’s attacks were executed in three distinct phases.
CERT Intrinsec’s Role
CERT Intrinsec, a French incident response team, primarily operates in France and handles about 50 major incidents annually. They specialize in responding to security breaches involving cybercriminality and ransomware attacks. CERT Intrinsec is certified by ANSSI as a State-Certified Security Incident Response Service Provider.
Akira Ransomware Characteristics
Operations Start: March 2023
Targets: Over 140 organizations across various sectors
Techniques: Similar to Conti ransomware and other RaaS actors, including LSASS dumping, creation of schedule tasks, and use of tools like PCHunter64 or Advanced IP Scanner.
Encryption Strategy: Deletes volume shadow copies, targets specific file extensions, and skips system files directories.
Victimology: Predominantly in the USA (73%), followed by the UK and Canada. Targets include manufacturing, education, construction, retail, and consulting sectors.
Initial Infiltration: Utilizing stolen passwords or exploiting vulnerabilities (e.g., CVE-2023-20269 in Cisco ASA and FTD), followed by network discovery and establishing persistence.
Stealth and Preparation: Data study and technical assessment.
Active Encryption: Setting up final persistence points, disabling protections, attempting to destroy backups, and executing the encryption binary.
Tactics, Techniques, and Procedures (TTPs)
Initial Access: Compromised credentials, VPN sessions, and exploitation of vulnerabilities.
Execution: Use of PowerShell, Windows Command Shell, and WMI for various tasks.
Persistence: Creation of local and domain accounts, use of remote administration tools.
Defense Evasion: Disabling or modifying system defenses, deleting evidence.
Discovery: Network scanning and information gathering.
Lateral Movement: Use of Remote Desktop Protocol and administrative shares for movement across the network.
Collection: Archiving collected data for efficiency.
Command and Control: Utilizing remote access software and file sharing services.
Exfiltration: Using software like WinSCP and FileZilla for data exfiltration.
Impact: Data destruction, encryption for impact, and inhibiting system recovery.
💦 Malware Distribution Sites
The Advanced Persistent Threat (APT) group known as “Patchwork,” primarily associated with activities in Pakistan, has been observed deploying a new cyber attack campaign. This campaign involves the use of a malicious PDF document link and a secondary payload hosted on a compromised content delivery network (CDN).
Initial Attack Vector
The attack initiates with a file named Tax_Deduction_Revised_Q1-2024.pdf.lnk, which is a disguised shortcut file (MD5: 218d85723396ddddaf75fc5853338997).
The file masquerades as a legitimate PDF document related to tax deduction, likely targeting individuals or entities interested in financial documents.
Malicious URLs and Payloads
The first stage of the attack involves downloading a file from hxxps://tyfk1.b-cdn.net/dox, which is saved as Tax_Deduction_Revised_Q1-2024.pdf in the C:\Users\Public directory. This file is likely a decoy to maintain the appearance of legitimacy.
The second stage involves downloading an executable from hxxps://tyfk1.b-cdn.net/dix, which is saved as Services.exe in the C:\Windows\Tasks directory (MD5: 6582a4df50948aaf2dcfbc6d8b84a58e). This executable is a malicious payload, potentially a backdoor or other form of malware.
Command and Control (C2) Server
The campaign utilizes kungkao[.]online as a command and control server. This server is likely used for exfiltrating data, receiving commands, or downloading additional payloads.
A new sophisticated Android malware, named FjordPhantom, has been identified by cybersecurity researchers. This malware has been actively targeting users in Southeast Asian countries, including Indonesia, Thailand, and Vietnam, since early September 2023.
Method of Spread: FjordPhantom is primarily disseminated through messaging services, including email, SMS, and various messaging apps. The malware lures victims into downloading a counterfeit banking app, which, while containing legitimate features, also harbors malicious components.
Social Engineering Technique: The malware employs a social engineering strategy similar to telephone-oriented attack delivery (TOAD). Victims are duped into calling a fake call center, where they are guided through the process of setting up and using the fraudulent app.
Technical Details: A notable feature of FjordPhantom is its use of virtualization to execute malicious code within a container, thereby evading Android’s sandbox protections. This technique allows the malware to access sensitive data without needing root access. The malware operates by loading the legitimate banking app in a virtual container, simultaneously employing a hooking framework to manipulate key APIs. This allows it to capture sensitive information from the application’s screen and suppress warning dialogs about malicious activities.
Response from Google: In response to the threat, a Google spokesperson highlighted the role of Google Play Protect in safeguarding users. This system can warn against or block apps exhibiting malicious behavior, even those installed from outside the Google Play Store.
Modularity of the Malware: According to security researcher Benjamin Adolphi, FjordPhantom is modular, meaning it can be tailored to attack various banking apps depending on the specific app embedded within the malware.
Bert-JanP has developed a set of KQL (Kusto Query Language) queries to enhance the tracking and management of vulnerabilities listed by CISA (Cybersecurity and Infrastructure Security Agency) as known exploited vulnerabilities. These queries are designed for use with platforms like Microsoft Defender for Endpoint and Azure Sentinel.
This query is designed to list all the vulnerabilities identified by CISA as exploited.
These KQL queries are crucial for cybersecurity teams to:
Stay updated with the latest vulnerabilities identified by CISA.
Quickly respond to new threats by identifying newly listed exploited vulnerabilities.
Ensure compliance and security by tracking vulnerabilities that have passed their mitigation due dates.
The queries can be integrated into security monitoring systems that support KQL, such as Microsoft Defender for Endpoint and Azure Sentinel. They enable organizations to proactively manage their security posture by aligning with CISA’s advisories and recommendations.
A recent malware campaign has been identified, targeting users with a deceptive message stating “Your #Booking Admin Account #violates our partnership terms.” This campaign involves a multi-stage infection process, leveraging email (EML) files that contain malicious links (LNK), leading to a password-protected Zip file (password: 457697), which ultimately delivers a script (Scr) associated with the Vidar Stealer malware.
MalwareBazaar Database: The MalwareBazaar database was accessed for samples related to this campaign, but it required CAPTCHA verification, preventing detailed analysis.
URLhaus Database: URLhaus provided an overview of malware URLs tagged with bookinggoogledrive. The first sighting of this tag was on September 28, 2023, with the most recent being December 5, 2023, totaling 37 sightings.
ANY.RUN Analysis: An interactive analysis of the malicious activity associated with the campaign was conducted on ANY.RUN. However, specific details of this analysis were not accessible due to website restrictions.
Command and Control (C2) Servers
The campaign utilizes several C2 servers for coordinating the attack and exfiltrating data. Identified C2 server IPs include:
Vidar Stealer Malware
Vidar Stealer is a type of malware known for its capabilities to steal sensitive information from infected systems. It typically targets a wide range of data, including but not limited to credentials, browser history, and financial information.
The Kimsuky threat group, believed to be backed by North Korea, has been active since 2013, initially focusing on South Korean targets related to North Korea and expanding its scope internationally since 2017. This group primarily targets sectors like national defense, media, diplomacy, and academia, aiming to steal sensitive information and technology. Initially reliant on spear phishing for infiltration, Kimsuky has recently shifted to using LNK (shortcut) malware, which is delivered via spear phishing emails containing compressed files. When these files are decompressed, they reveal both legitimate documents and malicious LNK files.
Infiltration and Malware Tactics:
Upon execution, the LNK files release script malware that can steal information and download further payloads. The group has been using a variety of malware, including self-developed ones like AppleSeed and PebbleDash, and others like XRat, HVNC, Amadey, and Metasploit Meterpreter. These tools enable remote control, keylogging, and data theft. Notably, the group has been using Amadey and RftRAT, which have been adapted using AutoIt scripting language, making them harder to detect by security software.
Specific Malware Analysis:
The Kimsuky group’s use of XRat (QuasarRAT) involves encrypted payloads to bypass security measures. This RAT is injected into normal processes for stealthy operation. Amadey, a malware sold on illegal forums, is used for downloading additional malware and stealing information. It is typically installed via a DLL-format dropper, which creates persistence mechanisms and injects the malware into legitimate processes. RftRAT, similar in size and packing to Amadey, is a backdoor malware for executing remote commands.
Conclusion and Recommendations:
The Kimsuky group continues to evolve its cyberattack strategies, now incorporating AutoIt to create more elusive malware. They predominantly target South Korean users through spear phishing and LNK malware, emphasizing the need for heightened vigilance. Users are advised to scrutinize email senders, avoid unknown files, and keep their software, including OS and browsers, updated with the latest security patches to mitigate the risk of such attacks.
A cryptocurrency hacker has successfully executed “address poisoning attacks” on users of Safe Wallet, resulting in the theft of over $2 million in just one week. The total number of victims has now reached 21, with cumulative losses estimated at around $5 million over the past four months.
Details of the Attack:
Method: The attacker employs address poisoning, a technique where they create a crypto address resembling the victim’s regular transaction addresses, particularly matching the beginning and ending characters.
Execution: The hacker sends a small amount of cryptocurrency from this similar-looking address to the target, thereby “poisoning” their transaction history. When the victim makes a transaction, they might mistakenly send a large amount to the hacker’s address.
Recent Impact: According to Scam Sniffer, a Web3 scam detection platform, around ten Safe Wallets lost $2.05 million since November due to these attacks. One of the victims reportedly had $10 million in their Safe Wallet but lost $400,000.
Response and Analysis:
Scam Sniffer’s Report: Scam Sniffer has been actively reporting and compiling data on these attacks using Dune Analytics.
Safe Wallet’s Stance: As of the report, Cointelegraph has reached out to Safe Wallet for comments, but there has been no response yet.
Conclusion: The address poisoning scam targeting Safe Wallet users highlights a growing concern in the crypto community regarding sophisticated hacking techniques. Users are advised to be extra vigilant with their transaction practices and to double-check addresses before sending funds. The situation is developing, and further updates from Safe Wallet are awaited.
A critical remote code execution vulnerability, identified as CVE-2023-44414, has been discovered in D-Link’s D-View software. This vulnerability has a high severity rating with a CVSS score of 9.8.
The vulnerability exists within the coreservice_action_script action of D-Link D-View. It stems from the exposure of a dangerous function that can be exploited by remote attackers. Notably, this vulnerability does not require authentication, making it particularly severe as it allows unauthenticated remote attackers to execute arbitrary code on affected installations.
The exploitation of this vulnerability can lead to code execution in the context of the SYSTEM, providing attackers with high-level control over the affected system.
2022-12-23: The vulnerability was initially reported to the vendor by the Zero Day Initiative (ZDI).
2023-08-25: ZDI requested an update from the vendor.
2023-08-30: The vendor responded, stating they did not have the case on record.
2023-08-31: ZDI forwarded the original report to the vendor.
2023-09-29: ZDI informed the vendor of their intention to publish the advisory as a zero-day on 2023-10-04.
2023-10-04: Coordinated public release of the advisory.
🌶️ Trending Exploit
A recent update in the vulnerability assessment of OwnCloud’s CVE-2023-49103 reveals significant findings regarding the exposure and severity of this vulnerability.
Vulnerable IP Addresses Identified
Approximately 4,100 unique IP addresses vulnerable to CVE-2023-49103 have been identified as exposed on the Internet. This was determined through a scanning process using a modified URL approach, specifically without the ‘/owncloud’ path prepended.
Despite the high number of exposed IP addresses, the severity of CVE-2023-49103 may not be as critical as initially thought.
Out of the 19,453 IP addresses exposed, only 675 were found to be exposing the phpinfo() function. This function displays extensive information about the PHP environment, which can be a significant security risk if publicly accessible.
Implications of Exposing phpinfo()
The exposure of phpinfo() is a concern because it can reveal sensitive information about the server’s PHP environment, potentially aiding attackers in crafting targeted attacks.
However, the fact that a relatively small percentage of the exposed IP addresses are revealing this information suggests a lower overall risk level than if a larger proportion were affected.
Also @Raj_Samani: Our latest @rapid7 advisory details CVE-2023-49103, an unauthenticated information disclosure vulnerability impacting ownCloud. Included are IoCs, and mitigation guidance: https://www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/
Datadog’s “State of Cloud Security” report provides an in-depth analysis of the security posture of thousands of organizations using AWS, Azure, or Google Cloud. The report focuses on common risks leading to cloud security incidents and offers insights into areas such as long-lived credentials, multi-factor authentication (MFA), IMDSv2 enforcement, and over-privileged workloads.
Long-lived Credentials as a Risk
Long-lived credentials, which do not expire and can be easily leaked, continue to pose a major security threat.
In AWS, 76% of IAM users have active access keys, 50% of Azure AD applications have active credentials, and 27% of Google Cloud service accounts have active access keys.
Approximately half of these access keys are over a year old, indicating a tendency for access keys to live longer than they should.
Insufficient Enforcement of MFA
MFA is crucial for securing cloud identities but is not sufficiently enforced.
In AWS, 31% of IAM users with console access have no MFA enforced.
45% of AWS organizations had IAM users authenticate to the AWS console without using MFA.
Only 20% of Azure organizations had all Azure AD users authenticate with MFA.
IMDSv2 Adoption Rising but Unenforced
IMDSv2 enforcement in AWS has increased to 21% of EC2 instances, up from 7% in the previous year.
However, enforcement varies based on the age of deployment, with newer instances more likely to enforce IMDSv2.
4. Increasing Adoption of Public Access Blocks in Cloud Storage
Public storage buckets are a common source of data leakage.
72% of AWS S3 buckets are covered by a public S3 access block, up from 52%.
21% of Azure blob storage containers are in accounts that block public access.
5. Excessive Privileges in Cloud Workloads
A significant portion of cloud workloads have more privileges than necessary.
In AWS, 23% of EC2 instances have administrator or highly sensitive permissions.
In Google Cloud, 37% of VMs have sensitive permissions to a project.
6. Public Exposure of Virtual Machines
7% of EC2 instances, 3% of Azure VMs, and 13% of Google Cloud VMs are publicly exposed to the internet.
Commonly exposed ports include HTTP, HTTPS, SSH, and RDP.