Threat Bulletin | July 13

Sources:

• https://thehackernews.com/2023/06/new-mockingjay-process-injection.html 
• https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution  

Affected Entities: Windows APIs

Detailed Description: 

• A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems. 
• The injection is executed without space allocation, setting permissions, or even starting a thread. The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section. 
• What sets Mockingjay stands apart is that it subverts these security layers by eliminating the need to execute Windows APIs usually monitored by security solutions by leveraging pre-existing Windows portable executable files that contain a default memory block protected with Read-Write-Execute (RWX) permissions. 

• This differentiation sets this strategy apart from other existing techniques and makes it challenging for Endpoint Detection and Response (EDR) systems to detect this method. 

Recommendations: Organizations should employ dynamic analysis techniques to detect and analyze runtime behaviors, leverage behavioral analysis to identify anomalous activities.

Sources:

• https://www.bleepingcomputer.com/news/security/cisco-warns-of-bug-that-lets-attackers-break-traffic-encryption/ 
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-aci-cloudsec-enc-Vs5Wn2sX

   

Affected Entities: Cisco Nexus 9000 Series Fabric Switches

Detailed Description: 

• Cisco warns of a high-severity vulnerability impacting some data center switch models and allowing attackers to tamper with encrypted traffic. 
• A vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode could allow an unauthenticated, remote attacker to read or modify intersite encrypted traffic. 
• This vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches.  
• An attacker with an on-path position between the ACI sites could exploit this vulnerability by intercepting intersite encrypted traffic and using cryptanalytic techniques to break the encryption.  A successful exploit could allow the attacker to read or modify the traffic that is transmitted between the sites. Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 
•  

Recommendations: There are no workarounds that address this vulnerability. Customers who are currently using the Cisco ACI Multi-Site CloudSec encryption feature for the Cisco Nexus 9332C and Nexus 9364C Switches and the Cisco Nexus N9K-X9736C-FX Line Card are advised to disable it and to contact their support organization to evaluate alternative options. 

Sources:

• https://www.bleepingcomputer.com/news/security/new-stackrot-linux-kernel-flaw-allows-privilege-escalation/ 
• https://github.com/lrh2000/StackRot 
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9471f1f2f50282b9e8f59198ec6bb738b4ccc009
   

Affected Entities: Linux kernel

Detailed Description: 

• Technical information has emerged for a serious vulnerability affecting multiple Linux kernel versions that could be triggered with “minimal capabilities.”  
• The security issue is being referred to as StackRot (CVE-2023-3269) and can be used to compromise the kernel and elevate privileges. 
• A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka “Stack Rot”. The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues.  
• An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges. 
• As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger. However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging. 

Recommendations: Apply patches per vendors instructions.

Sources:

• https://www.akamai.com/blog/security-research/proxyjacking-new-campaign-cybercriminal-side-hustle  
• https://thehackernews.com/2023/06/cybercriminals-hijacking-vulnerable-ssh.html 
  
  

Affected Entities: Vulnerable SSH servers, Compromised web servers, Users/installers of proxyware services

Detailed Description: 

• A new Proxyjacking campaign has been discovered, these attackers are specifically focusing on SSH servers that are vulnerable, meaning they have security weaknesses that can be exploited. 
• The main objective of the campaign is to secretly enlist the compromised servers into a peer-to-peer proxy network, such as Peer2Profit or Honeygain. This allows the attackers to utilize the unused bandwidth of the victim servers for their own purposes. 
• Proxyjacking, unlike cryptojacking, involves using the victim’s unused bandwidth to run different services as a P2P node. This offers the attackers two advantages: the ability to monetize the bandwidth with reduced resource load and a lower risk of detection compared to cryptojacking. 
• The use of proxyware services provides anonymity to threat actors, allowing them to obfuscate the source of their attacks by routing traffic through intermediary nodes. This anonymity can be advantageous for attackers but can also be abused by malicious actors. 

• The attackers deploy an obfuscated Bash script on the compromised SSH servers, camouflaging it as a CSS file (“csdark.css”). This script fetches necessary dependencies from a compromised web server, including the curl command-line tool, and terminates competing instances of bandwidth-sharing programs before launching Docker services. 
• The examination of the web server hosting the campaign reveals that it is also being used to host a cryptocurrency miner. This suggests that the threat actors are involved in both cryptojacking and proxyjacking attacks. 

Recommendations: Ensure that your organization is following standard security practices, such as using strong passwords, implementing patch management, and maintaining meticulous logging. These practices can serve as effective prevention mechanisms against such attacks.

Sources:

• https://www.uptycs.com/blog/what-is-meduza-stealer-and-how-does-it-work 

• https://thehackernews.com/2023/07/evasive-meduza-stealer-targets-19.html 

Affected Entities: Windows users, Users of password managers, crypto wallets, and web browsers, Users of Discord and Steam 

Detailed Description: 

• A new Windows-based information stealer called Meduza Stealer, is actively being developed by its author to avoid detection by software solutions. 

• Meduza Stealer’s objective is to steal a wide range of data from users. It targets browsing activities and extracts various browser-related data, including login credentials, browsing history, bookmarks, crypto wallet extensions, password managers, and 2FA extensions. 
• Meduza Stealer has an operational design that aims to be “crafty.” It avoids obfuscation techniques and terminates its execution if the connection to the attacker’s server fails. It also aborts if the victim’s location is in a predefined list of excluded countries. 
• In addition to data gathering, Meduza Stealer harvests miner-related Windows Registry entries and a list of installed games, indicating a broader financial motive beyond data theft. 
• Meduza Stealer is being offered for sale on underground forums such as XSS and Exploit.in, as well as through a dedicated Telegram channel. It is available as a recurring subscription, with prices ranging from $199 per month to $1,199 for a lifetime license. 
• The stolen information collected by Meduza Stealer is made accessible through a user-friendly web panel. Subscribers can download or delete the stolen data directly from the web page, providing them with a high level of control over the stolen information. 

• The researchers highlight the sophisticated nature of Meduza Stealer and the efforts its creators are making to ensure its success. This indicates a significant commitment to developing and maintaining malware for financial gain. 
  

Recommendations:

• Regularly install updates for your operating system, browsers, and installed applications to patch vulnerabilities that malware can exploit. 
• Only install browser extensions from trusted sources. Regularly review and remove unnecessary or suspicious extensions to minimize the risk of malware interference. 

Sources:

• https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/ 
• https://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-platform/ 

Affected Entities: VMware ESXI

Detailed Description: 

• Akira Ransomware, which was initially focused on Windows systems, has now expanded its target range to include Linux platforms.  
• This shift in tactics reflects a growing trend among ransomware groups, indicating an upcoming surge in attacks targeting Linux environments. 
• The malicious Linux executable is a 64-bit Linux Executable and Linkable Format (ELF) file with SHA256 as 1d3b5c650533d13c81e325972a912e3ff8776e36e18bca966dae50735f8ab296. 

• In order to execute the Akira executable, specific parameters need to be provided. The required parameters for running the Akira executable are as follows: 

• • “-p” / “–encryption_path” – Path of files/folder to be encrypted. 
  • “-s” / “–share_file” – Path of the shared network drive to be encrypted. 
  • “-n” / “–encryption_percent” – Percentage of the files to be encrypted. 
  • “-fork” – Creating a child process for encryption. 

• The ransomware incorporates routines associated with multiple symmetric key algorithms, including AES, CAMELLIA, IDEA-CB, and DES. 
• To successfully encrypt the files, the ransomware adds the “.akira” file extension to each compromised file and deposits a pre-defined ransom note onto the victim’s system.

Recommendations:

• Conduct regular backup practices and keep those backups offline or in a separate network. 
• Refrain from opening untrusted links and email attachments without verifying their authenticity. 

SOC Response: The indicators of compromise known at this time are malicious via OSINT, the SOC is monitoring this threat for any updates and will create detections around this activity as needed 

Sources:

• https://thehackernews.com/2023/06/critical-security-flaw-in-social-login.html 
• https://www.wordfence.com/blog/2023/06/miniorange-addresses-authentication-bypass-vulnerability-in-wordpress-social-login-and-register-wordpress-plugin/ 

Affected Entities: WordPress Social Login Plugin

Detailed Description: 

• A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user-provided information about email address is already known. 
• The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address. 
• The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properly encrypted email address used to identify the user.
  

Recommendations: Users are advised to verify that their sites are updated to the latest patched version of WordPress Social Login and Register as soon as possible. 

Sources:

• https://thehackernews.com/2023/06/newly-uncovered-thirdeye-windows-based.html 
• https://www.fortinet.com/blog/threat-research/new-fast-developing-thirdeye-infostealer-pries-open-system-information 

Affected Entities: Windows

Detailed Description: 

• A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts. 
• The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. 

• The ThirdEye infostealer has relatively simple functionality. It harvests various system information from compromised machines, such as BIOS and hardware data.  
• It also enumerates files and folders, running processes, and network information. Once the malware is executed, it gathers all this data and sends it to its command-and-control (C2) server hosted at (hxxp://shlalala[.]ru/general/ch3ckState). And unlike most other malware, it does nothing else. 
• One interesting string unique to the ThirdEye infostealer family is “3rd_eye”, which it decrypts and uses with another hash value to identify itself to the C2. 
• There are no signs to suggest that ThirdEye has been utilized in the wild.  
• That having said, given that most of the stealer artifacts were uploaded to VirusTotal from Russia, it’s likely that the malicious activity is aimed at Russian-speaking organizations. 

Recommendations: Refrain from opening untrusted links and email attachments without verifying their authenticity.

Sources:

• https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html  
• https://twitter.com/MsftSecIntel/status/1671579358031486991  

Affected Entities: Windows

Detailed Description: 

• Microsoft has disclosed that it’s detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. 
• The intrusions, which make use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant’s threat intelligence team said. 
• “These credential attacks use a variety of password spray, brute-force, and token theft techniques, “Microsoft said in a series of tweets, adding the actor “also conducted session replay attacks to gain initial access to cloud resources leveraging stolen sessions likely acquired via illicit sale”. 
• The privilege escalation vulnerability was addressed as part of Patch Tuesday updates rolled out in March 2023 

Recommendations:

• Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services. 
• Implement conditional access control for users connecting from unmanaged devices. 

Sources:

• https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid 
• https://github.com/deepinstinct/PindOS-JS-Dropper/blob/main/IOCs_PindOS_JS_Dropper.csv 

Detailed Description: 

• A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. 
• Deep Instinct’s source code analysis of PindOS shows that it contains comments in Russian, raising the possibility of a continued partnership between the e-crime groups. 
• Described as a “surprisingly simple” loader, it’s designed to download malicious executables from a remote server. It makes use of two URLs, one of which functions as a fallback in the event the first URL fails to fetch the DLL payload. 
• The retrieved payloads are generated pseudo-randomly ‘on-demand’, resulting in a new sample hash each time a payload is fetched. 
• Whether PindOS is permanently adopted by the actors behind Bumblebee and IcedID remains to be seen. 

• If this ‘experiment’ is successful for each of these ‘companion’ malware operators it may become a permanent tool in their arsenal and gain popularity among other threat actors. 

Recommendations:

• Please follow the CISA Ransomware guidelines found in the link below 

• • https://www.cisa.gov/stopransomware/ransomware-guide 

Sources:

• https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/?mkt_tok=NDExLU5BSy05NzAAAAGM7ut8VWf7Ydn086xVhac4SwZDekqwXkzEzsjYgt_rAtjnS5yPusLBFGickDgkEAVbTRPuR8k-fcxLdXpEezTX0Y0Yvxza_XcGx-Flizfw1yhXyMo 
• https://thehackernews.com/2023/07/new-vulnerabilities-disclosed-in.html 

Affected Products: 

• GMS (9.3.2-SP1 and before)
• Analytics (2.5.0.4-R7 and before)

Detailed Description: 

• There is a total of 15 security vulnerabilities, these are disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCCGroup. 
• The status of exploitation of these vulnerabilities in the wild is not clear according to SonicWall PSIRT. There have also been no reports of a PoC and/or malicious use of the vulnerability. 
• The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior. 
• The CVE List can be found in the SonicWall Link to the threat above, but here are the four Critical CVEs: 

• CVE-2023-34124 (CVSS score: 9.4) – Web Service Authentication Bypass 
• CVE-2023-34133 (CVSS score: 9.8) – Multiple Unauthenticated SQL Injection Issues and Security Filter Bypass 
• CVE-2023-34134 (CVSS score: 9.8) – Password Hash Read via Web Service 
• CVE-2023-34137 (CVSS score: 9.4) – Cloud App Security (CAS) Authentication Bypass 

Recommendations:

• SonicWall PSIRT strongly suggests that organizations using the GMS/Analytics On-Prem version outlined below should upgrade to the respective patched version immediately. 
• Patched Versions: 

• • GMS 9.3.3 
  • Analytics 2.5.2