Threat Bulletin | August 2

Sources:

• https://thehackernews.com/2023/07/cybercriminals-exploit-microsoft-word.html

Affected Entities: Microsoft Office

Detailed Description: 

• The article discusses an ongoing malware campaign that utilizes Microsoft Word documents as phishing lures to deliver the LokiBot malware to compromised systems.
• LokiBot, also known as Loki PWS, is an information-stealing Trojan active since 2015. It primarily targets Windows systems and aims to gather sensitive information from infected machines.
• The attackers behind the campaign take advantage of two known remote code execution vulnerabilities, namely CVE-2021-40444 and CVE-2022-30190 (also known as Follina), to achieve code execution on targeted systems.
• The Word file used in the attacks contains an external GoFile link that leads to the download of an HTML file, which then exploits CVE-2022-30190 (Follina) to download a next-stage payload. This next-stage payload is an injector module written in Visual Basic that decrypts and launches LokiBot on the compromised system.
• The injector module incorporates evasion techniques to check for debuggers and detect virtualized environments, possibly to avoid detection and analysis.
• The article mentions an alternative chain discovered in May, where a Word document with a VBA script executes a macro immediately upon opening the document. This macro acts as a conduit to deliver an interim payload from a remote server, which also serves as an injector to load LokiBot and connect to a command-and-control (C2) server.
• LokiBot is a versatile malware that can log keystrokes, capture screenshots, gather login credentials from web browsers, and steal data from various cryptocurrency wallets.
• LokiBot has been active for many years, and its functionalities have evolved. This adaptability allows cybercriminals to efficiently use it for stealing sensitive data and continually update their methods to spread and infect systems.
  
  

Recommendations:

• Ensure that Microsoft Office has been patched with the latest security updates, as the vulnerabilities used by this exploit were patched in a June 14, 2022 security update.

Sources:

• https://www.darkreading.com/cloud/microsoft-365-breach-risk-widens-millions-of-azure-ad-apps
• https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html

Affected Entities: Approximately two dozen organizations (Government entities, Media companies, Think tanks, Telecommunications equipment, and service providers.)

Detailed Description: 

• Microsoft discovered a validation error in its source code that allowed a malicious actor known as Storm-0558 to forge authentication tokens for Azure Active Directory (Azure AD) using a Microsoft account (MSA) consumer signing key. The key was originally intended for MSA accounts, but the validation issue enabled it to be trusted for signing Azure AD tokens.
• Storm-0558 used the forged tokens to breach approximately two dozen organizations, including government entities and associated consumer accounts. The attacker gained unauthorized email access and exfiltrated mailbox data from the targeted organizations.
• The hacking crew behind Storm-0558 primarily targeted U.S. and European diplomatic, economic, and legislative governing bodies, individuals connected to Taiwan and Uyghur geopolitical interests, media companies, think tanks, and telecommunications equipment and service providers.
• Storm-0558 demonstrated a high degree of technical tradecraft and operational security. The actors were well-resourced and fully understood various authentication techniques and applications.
• The attack tactics employed by Storm-0558 included phishing, exploiting security flaws in public-facing applications, deploying web shells for backdoor access, credential theft using tools like Cigril, and using PowerShell and Python scripts to extract email data.
• The campaign has operated since at least August 2021, and the breach went undetected for at least a month before it was uncovered in June 2023.
• After discovering the campaign, Microsoft identified the root cause, disrupted malicious activities, hardened the environment, and coordinated with multiple government entities. They also mitigated the issue for affected customers.
•  

Recommendations:

• No customer action is required to mitigate the token forgery technique or validation error in OWA or Outlook.com. Microsoft has mitigated this issue on customers’ behalf.

Sources:

• https://www.rapid7.com/blog/post/2023/07/17/etr-active-exploitation-of-multiple-adobe-coldfusion-vulnerabilities/
• https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html
• https://www.bleepingcomputer.com/news/security/critical-coldfusion-flaws-exploited-in-attacks-to-drop-webshells/

Affected Entities: ColdFusion Servers

IOCs:

• IP Addresses:
  • 62.233.50.13
  • 5.182.36.4
  • 195.58.48.155
• Domains:
  • Oastify[.]com
  • cfm (SHA256 08D2D815FF070B13A9F3B670B2132989C349623DB2DE154CE43989BB4BBB2FB1)

Detailed Description: 

• Hackers are actively exploiting two vulnerabilities in ColdFusion to bypass authentication and remotely execute commands to install webshells on vulnerable servers.
• The exploited vulnerabilities are an access control bypass vulnerability (CVE-2023-29298) and a critical remote code execution vulnerability (CVE-2023-38203).
• CVE-2023-29300 is a deserialization vulnerability that allows unauthenticated visitors to remotely execute commands on vulnerable ColdFusion servers.
• Adobe released an out-of-band security update for CVE-2023-38203 on July 14th, which was discovered by Project Discovery. The fix involved updating the deny list to prevent a gadget through the ‘com.sun.rowset. JdbcRowSetImpl’ class.
• Attackers are chaining exploits for the vulnerabilities and using them to install webshells on vulnerable ColdFusion servers, gaining remote access to devices.
  • CVE-2023-29298: This is the access control bypass vulnerability identifier in ColdFusion.
  • CVE-2023-29300: This is the identifier for the critical deserialization vulnerability in ColdFusion.
  • CVE-2023-38203: This is the identifier for another critical remote code execution vulnerability in ColdFusion.
  • Webshell Locations: `.\ColdFusion11\cfusion\wwwroot\CFIDE\ckeditr.cfm`. folder containing Webshell.
• These highlight the severity of the vulnerabilities and the urgent need for administrators to take necessary measures to secure their ColdFusion installations.

Recommendations:

• Adobe ColdFusion customers should immediately update to the latest version of ColdFusion and block domain oastify[.]com. Please update using the following Adobe Security Bulletin link found below:
  • https://helpx.adobe.com/security/products/coldfusion/apsb23-41.html

SOC Response: The SOC is actively tracking this threat, and we have created an ATH rule for the relevant indicators of compromise provided in the articles listed.

Sources:

• https://www.rapid7.com/blog/post/2023/07/18/etr-critical-zero-day-vulnerability-in-citrix-netscaler-adc-and-netscaler-gateway/
• https://support.citrix.com/article/CTX561482/citrix-adc-and-citrix-gateway-security-bulletin-for-cve20233519-cve20233466-cve20233467

Affected Entities:

• NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
• NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
• NetScaler ADC 13.1-FIPS before 13.1-37.159
• NetScaler ADC 12.1-FIPS before 12.1-55.297
• NetScaler ADC 12.1-NDcPP before 12.1-55.297

Detailed Description: 

• Citrix has released a critical security bulletin addressing multiple vulnerabilities in NetScaler ADC and NetScaler Gateway.
• The affected versions are 13.1 before 13.1-49.13, 13.0 before 13.0-91.13, 13.1-FIPS before 13.1-37.159, 12.1-FIPS before 12.1-55.297, and 12.1-NDcPP before 12.1-55.297 (12.1 version is End Of Life).
• The vulnerabilities include Reflected Cross-Site Scripting (CVE-2023-3466), Privilege Escalation (CVE-2023-3467), and Unauthenticated Remote Code Execution (CVE-2023-3519).
• Specific releases have been provided to address the vulnerabilities. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication are not affected.
•  

Recommendations:

• Customers using the affected versions are urged to install the relevant updated versions found below, as soon as possible:
  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13  and later releases of 13.0 
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS 
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS 
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Sources:

• https://thehackernews.com/2023/07/new-openssh-vulnerability-exposes-linux.html
• https://nvd.nist.gov/vuln/detail/CVE-2023-38408

Affected Entities: OpenSSH Linux Systems

Detailed Description: 

• A vulnerability in OpenSSH could be exploited to run arbitrary commands remotely on compromised hosts under specific conditions.
• The vulnerability is being tracked under the CVE identifier CVE-2023-38408 and impacts all versions of OpenSSH before 9.3p2.
• Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system.

Recommendations:

• Users of OpenSSH are strongly advised to update to the most recent version to safeguard against potential cyber threats.
• In addition to this vulnerability, OpenSSH maintainers have also released updates to address two other security issues in recent months. To address this issue, please upgrade to OpenSSH 9.3p2 or later.

Sources:

• https://www.bleepingcomputer.com/news/security/new-nitrogen-malware-pushed-via-google-ads-for-ransomware-attacks/
• https://news.sophos.com/en-us/2023/07/26/into-the-tank-with-nitrogen/
• https://github.com/sophoslabs/IoCs/blob/master/Nitrogen%202023-07.csv

Affected Entities: Primarily technology and non-profit organizations located in North America

Detailed Description: 

• The Nitrogen Malware Campaign is using Google and Bing search ads to distribute fake software sites, targeting technology and non-profit organizations primarily in North America.
• These fake sites impersonate popular software like AnyDesk, Cisco AnyConnect VPN, TreeSize Free, and WinSCP.
• Once users click on the links, they are led to compromised WordPress hosting pages where they unknowingly download trojanized ISO installers.
• These installers contain the Nitrogen initial access malware, which installs a malicious DLL file (“msi.dll”) and a Python package.
• The malware ensures persistence through a registry run key and establishes communication with the threat actor’s command-and-control server.
• It then launches a Meterpreter shell and Cobalt Strike Beacons, with some instances involving manual commands for further activity.
• The goal of the campaign is suspected to be staging compromised systems for potential ransomware deployment.

Recommendations:

• To protect against this, users should avoid clicking on “promoted” search results for software downloads and be cautious of ISO files for software distribution.

SOC Response: The indicators of compromise known at this time are malicious via OSINT, the SOC is monitoring this threat for any updates and will create detections around this activity as needed 

Sources:

• https://www.bleepingcomputer.com/news/security/almost-40-percent-of-ubuntu-users-vulnerable-to-new-privilege-elevation-flaws/
• https://ubuntu.com/security/notices/USN-6250-1

Affected Entities: Users and Organizations that utilize Ubuntu as their Linux distribution.

Detailed Description: 

• Recently, two Linux vulnerabilities were discovered in the Ubuntu kernel, posing a risk of elevated privileges for unprivileged local users.
• These flaws, tracked as CVE-2023-32629 and CVE-2023-2640, were introduced into the operating system and impact approximately 40% of Ubuntu’s userbase.
  • CVE-2023-2640 is a high-severity vulnerability caused by inadequate permission checks, allowing a local attacker to gain elevated privileges.
  • CVE-2023-32629 is a medium-severity flaw in the Linux kernel memory management subsystem, enabling a local attacker to execute arbitrary code through a use-after-free condition.
• These vulnerabilities were found due to discrepancies in implementing the OverlayFS module onto the Linux kernel.
• Ubuntu has released a security bulletin and updates to address the issues, urging users to update their systems promptly.
• The risk of exploitation is significant as proof-of-concept exploits for these flaws are publicly available.
• Other Linux distributions not using the OverlayFS module’s custom modifications are unaffected.

Recommendations:

• Users are advised to update their Ubuntu systems via the package manager and perform a reboot for the updates to take effect. Follow the instructions listed by the following Ubuntu Security Notice:
  • https://ubuntu.com/security/notices/USN-6250-1

Sources:

• https://thehackernews.com/2023/07/hackers-target-apache-tomcat-servers.html
• https://blog.aquasec.com/tomcat-under-attack-investigating-the-mirai-malware

Affected Entities: Apache Tomcat servers

Detailed Description: 

• Aqua Security has reported a new campaign targeting misconfigured and poorly secured Apache Tomcat servers to deliver the Mirai botnet malware and cryptocurrency miners.
• Over two years, Aqua detected over 800 attacks on its Tomcat server honeypots, with 96% linked to the Mirai botnet.
• The threat actor used a web shell script named “neww” to gain access to the Tomcat web application manager via brute force attacks.
• Once in, they deployed a malicious web shell class ‘cmd.jsp’ to execute arbitrary commands on the server, including downloading and running the “neww” script for deploying malware tailored to the server’s architecture.
• The final stage malware is a variant of Mirai, enabling distributed denial-of-service (DDoS) attacks.
• To mitigate the campaign, organizations are advised to secure their environments and follow credential hygiene to prevent brute-force attacks

Recommendations:

• Properly configure your environments – avoid default settings, and ensure the passwords align with best practices. Regularly rotate secrets and passwords to secure your environment further.

Sources:

• https://thehackernews.com/2023/07/cybersecurity-agencies-warn-against.html
• https://www.cisa.gov/news-events/alerts/2023/07/27/cisa-and-partners-release-joint-cybersecurity-advisory-preventing-web-application-access-control

Affected Entities:

• A wide range of users and organizations, including businesses, government entities, educational institutions, and other users utilize web applications that may be vulnerable to IDOR flaws.

Detailed Description: 

• Australian and U.S. cybersecurity agencies issued a joint advisory warning about security flaws in web applications that could lead to data breaches and data theft.
• The advisory specifically highlights Insecure Direct Object Reference (IDOR) flaws, which occur when applications allow unauthorized access to internal resources without proper validation.
• Malicious actors exploit these vulnerabilities to modify, delete, or access sensitive data of other users.
• A recent analysis by CISA found that “Valid Accounts” were the most common successful attack technique, emphasizing the importance of strong password policies and monitoring access logs to detect abnormal access.

Recommendations:

• The agencies recommend adopting secure-by-design principles and conducting authentication and authorization checks for every sensitive data request.

Sources:

• https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html
• https://unit42.paloaltonetworks.com/wireshark-quiz-icedid-answers/#post-128267-_v8176g40kstn 

IOCs: 

• SHA256 fc96c893a462660e2342febab2ad125ce1ec9a90fdf7473040b3aeb814ba7901
• SHA256 bd24b6344dcde0c84726e620818cb5795c472d9def04b259bf9bff1538e5a759
• 149.176[.]100:443 – BackConnect traffic.

Detailed Description:

• The threat actors linked to the IcedID malware have updated the BackConnect (BC) module used for post-compromise activity on hacked systems, new findings from Team Cymru reveal.
• The IcedID malware, initially a banking trojan in 2017, evolved into an initial access facilitator for other malware payloads, with recent versions prioritizing ransomware delivery.
• It employs a BackConnect (BC) module with a proprietary C2 protocol and VNC remote access.
• According to Team Cymru’s findings, the BC module has been updated, and the number of BC C2 servers increased from 11 to 34 since January 23, 2023, with reduced server uptime.
• To evade detection, the BC module shifted its activity from TCP port 8080 to TCP port 443.
• Multiple IcedID victims have been observed communicating with three or more BC C2s for an extended period, suggesting concurrent access by the same operator or affiliate.
• IcedID victims are used as proxies in spamming operations, further spreading the malware.
• Two IcedID forks without the BC module and banking fraud functionality emerged briefly but have not been seen recently, indicating they might have been short-lived experiments.

Recommendations: 

• Keep Software and Systems Up to Date: This practice can help protect against known vulnerabilities, such as the zero-day bug exploited by the IcedID threat actors.
• Segment Networks: Use network segmentation to separate critical systems and sensitive data from less critical ones. This can limit the lateral movement of attackers in case of a successful compromise.

SOC Response:

• The SOC is actively monitoring for the IOC’s listed above and will alert any client to activity that is associated with this threat.

Sources:

• https://thehackernews.com/2023/07/apple-rolls-out-urgent-patches-for-zero.html
• https://support.apple.com/en-us/HT201222

Affected Entities:

• iPhone, iPads, Mac computers, Apple Watches, and Apple TVs

Detailed Description: 

• Apple has released security updates for iOS, iPadOS, macOS, tvOS, watchOS, and Safari, addressing several security vulnerabilities, including an actively exploited zero-day bug, tracked as CVE-2023-38606.
• This flaw allows a malicious app to modify a sensitive kernel state. The update also addresses two other zero-days, CVE-2023-32434 and CVE-2023-32435, connected to Operation Triangulation, a mobile cyber espionage campaign targeting iOS devices since 2019.
• Updates resolve a total of 11 zero-day vulnerabilities in Apple software since the beginning of 2023 and come after emergency fixes for a remote code execution bug in WebKit (CVE-2023-37450)

Recommendations:

• • Update all Apple devices (iPhone, iPad, Mac, Apple Watch, and Apple TV) to the latest available software versions.
    • iOS and iPadOS – iOS 16.6 and iPadOS 16.6
    • macOS – macOS Ventura 13.5
    • tvOS – tvOS 16.6
    • watchOS – watchOS 9.6

Sources:

• https://www.bleepingcomputer.com/news/security/vmware-fixes-bug-exposing-cf-api-admin-credentials-in-audit-logs/
• https://community.pivotal.io/s/article/How-to-Change-the-Admin-Password-for-UAA?language=en_US

Affected Entities:

• Tanzu Application Service for VMs (TAS for VMs)

Detailed Description: 

• VMware has addressed an information disclosure vulnerability, CVE-2023-20891, in VMware Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment.
• TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack).
• The flaw allowed remote attackers with low privileges to access Cloud Foundry API admin credentials on unpatched systems, which were logged in system audit logs.
• Exploiting this vulnerability could enable threat actors to push malicious versions of applications using the stolen credentials.
• However, standard deployment configurations restrict non-admin users’ access to system audit logs, reducing the risk of exploitation.

Recommendations:

• Follow the detailed instructions on changing the Cloud Foundry User Account and Authentication admin credentials to protect from potential exploitation provided in the following link: https://community.pivotal.io/s/article/How-to-Change-the-Admin-Password-for-UAA?language=en_US

Sources:

• https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/

Affected Entities:

• VMware ESXI Servers

Detailed Description: 

• The Abyss Locker ransomware operation has developed a Linux encryptor that targets VMware ESXi virtual machines. This is the latest in a series of ransomware operations that have targeted VMware ESXi servers, as the platform is becoming increasingly popular.
• The Abyss Locker encryptor first lists all available virtual machines on the target system and then terminates them. This lets the encryptor properly encrypt all associated virtual disks, snapshots, and metadata. The encryptor also encrypts all other files on the device and appends the .crypt extension to their filenames.
• For each file, the encryptor creates a ransom note with a .README_TO_RESTORE extension. This ransom note contains information on what happened to the files and a link to the threat actor’s Tor negotiation site.
• Ransomware expert Michael Gillespie says that the Abyss Locker Linux encryptor is based on Hello Kitty, using ChaCha encryption instead. This means that the ransomware is likely to be very difficult to decrypt without paying the ransom.
• The Abyss Locker operation is a relatively new ransomware operation that already targets VMware ESXi servers. This is a worrying trend, as VMware ESXi servers are becoming increasingly popular targets for ransomware attacks.

Recommendations:

• Organizations should follow the CISA recommendations for prevention and response best practices found in the link below
  • https://www.cisa.gov/stopransomware/ransomware-guide

SOC Response:

• The SOC actively monitors this threat and will update clients with any detections implemented as more information becomes available.