BLOG

Threat Bulletin | September 6

In our Threat Bulletins, our highly skilled Security Operations Center (SOC) team has meticulously analyzed and summarized the top threats that have been monitored over the past several weeks. Stay one step ahead of the adversaries as we delve into the ever-evolving landscape of cyber threats, uncover their tactics, and equip you with the knowledge to fortify your defenses against them.

Threat 1: Akira Ransomware Targets Cisco VPNs to Breach Organizations

Sources:

Affected Entities: Akira ransomware group, organizations running Cisco VPNs

Attack Vectors: The Akira ransomware group has been breaching corporate networks by logging in to Cisco VPN accounts that were not protected by multi-factor authentication (MFA), then stealing and encrypting data. How the group obtains the credentials (brute force or purchase) remains uncertain.

Risk Impact: Corporate networks whose Cisco VPN accounts lack MFA are exposed to unauthorized access, data theft and encryption by Akira.

Detailed Description:

  • Akira ransomware, a relatively new player active since March 2023, has adopted a strategy of targeting Cisco VPN deployments as its way into corporate networks.
  • Because the group logs in with valid VPN accounts, the intrusion leaves few conspicuous traces.
  • The absence of multi-factor authentication on the compromised accounts is what made these logins possible.
  • Whether the credentials were brute-forced or purchased remains uncertain; the impact is clear: unauthorized access, data theft and encryption.
  • Akira also relies on the open-source RustDesk remote access tool, legitimate software that blends in with administrative activity, to keep access while evading detection. After gaining a foothold the group has been seen manipulating SQL databases, disabling firewalls, enabling RDP and more.

Recommendations:

  • Organizations using Cisco VPNs should enforce multi-factor authentication on every VPN account so that a stolen or guessed password alone does not grant access.
  • Cisco recommends configuring logging on Cisco ASAs to send log data to a remote syslog server, so that authentication events are retained off-box and can be correlated during an investigation.

Threat 2: Thousands of Openfire Servers Vulnerable to Actively Exploited CVE-2023-32315

Sources:

Affected Entities: Openfire (Ignite Realtime's open-source XMPP server)

Attack Vector: Over 3,000 internet-facing Openfire servers remain vulnerable to an actively exploited path traversal flaw in the admin console (CVE-2023-32315) that lets unauthenticated attackers reach pages meant for initial setup and create new admin accounts. With admin access, the attacker uploads a malicious Java plugin (JAR) to run code on the server, putting the messaging infrastructure and the data passing through it at risk.

Risk Impact: Vulnerable Openfire servers are exposed to unauthorized admin account creation and malicious plugin uploads, leading to remote code execution, unauthorized access and data breaches.

Detailed Description:

  • Thousands of Openfire servers are exposed to an actively exploited vulnerability (CVE-2023-32315) that allows unauthorized creation of admin accounts and uploading of malicious Java JAR plugins.
  • Openfire's developers released fixed versions, but many servers remain unpatched.
  • Exploitation either creates an admin user through the bypassed console or, in a stealthier variant, uploads a plugin without creating an account at all.
  • Shodan scans show a substantial number of internet-facing servers still at risk.
  • The exploits in circulation are noisy and detectable (a new admin account is a visible artifact), whereas VulnCheck's proof of concept (PoC) demonstrates a stealthier approach that leaves no trace in the admin console's security audit log.
  • A second wave of attacks built on VulnCheck's PoC is plausible, since the vulnerability is already being exploited.

Recommendations:

  • Upgrade to a fixed Openfire release (4.6.8 or 4.7.5, or later).
  • Do not expose the admin console (TCP 9090/9091 by default) to the internet; restrict it to trusted management networks.
  • Review existing servers for unexpected admin accounts and unrecognised plugins, since a stealthy compromise may leave no audit log entry.
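One way to hunt for the traversal and plugin-upload activity described above in request logs, as an added example that is not from the bulletin, VulnCheck or the Openfire project: it assumes a reverse proxy in front of the admin console writing Combined Log Format (Openfire's embedded web server writes no access log by default), constructed sample lines, and an assumed `isadmin` parameter name; `user-create.jsp` and `plugin-admin.jsp` are the console's own account-creation and plugin pages. The decoder handles the non-standard `%uXXXX` form and double percent-encoding that a naive string filter would miss, then resolves the path to see where the request really lands.

```python
"""Spot CVE-2023-32315-style admin-console abuse in Openfire request logs.

Added example; not code from the bulletin, VulnCheck or the Openfire project.
It assumes request logging in front of the console (a reverse proxy writing
Combined Log Format), since Openfire's embedded web server does not write an
access log by default. The sample lines below are constructed, not captured.
"""
import re
from urllib.parse import unquote

# Constructed sample traffic. user-create.jsp and plugin-admin.jsp are the
# console's real account-creation and plugin pages; the request lines and
# the "isadmin" parameter are assumptions made for this illustration.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Aug/2023:10:02:11 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/user-create.jsp?username=evil&password=evil&isadmin=on HTTP/1.1" 200 523 "-" "python-requests/2.31"
203.0.113.7 - - [28/Aug/2023:10:02:15 +0000] "GET /setup/setup-s/..%2f..%2fplugin-admin.jsp HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.9 - - [28/Aug/2023:10:03:00 +0000] "POST /plugin-admin.jsp?uploadplugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Aug/2023:10:04:30 +0000] "GET /setup/index.jsp HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PERCENT_U_RE = re.compile(r"%u([0-9a-f]{4})", re.IGNORECASE)


def decode_path(raw: str, rounds: int = 3) -> str:
    """Decode %uXXXX and %XX sequences repeatedly so that double-encoded
    traversal ("%252e%252e") and %u-encoded dots both collapse to '..'."""
    path = raw
    for _ in range(rounds):
        new = PERCENT_U_RE.sub(lambda m: chr(int(m.group(1), 16)), path)
        new = unquote(new)
        if new == path:
            break
        path = new
    return path


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments the way a servlet container would and
    drop the query string, giving the resource the request actually reaches."""
    segments = []
    for seg in path.split("?", 1)[0].split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def analyze(log_text: str) -> list:
    """Return one finding per suspicious request, with the reasons it matched."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("path")
        decoded = decode_path(raw)
        effective = normalize(decoded)
        reasons = []
        # The unauthenticated setup area is used as a springboard: a path that
        # starts under /setup/ but resolves somewhere else is a traversal.
        if raw.lower().startswith("/setup/") and ".." in decoded and not effective.startswith("/setup/"):
            reasons.append("traversal out of /setup/ to " + effective)
        if "%u" in raw.lower():
            reasons.append("non-standard %u encoding")
        if effective.endswith("/user-create.jsp") and "isadmin" in decoded.lower():
            reasons.append("admin account creation")
        # Plugin uploads are how attackers get code execution; every upload
        # deserves review even when it came from a legitimately logged-in admin.
        if effective.endswith("/plugin-admin.jsp") and (m.group("method") == "POST" or "uploadplugin" in decoded):
            reasons.append("plugin upload")
        if reasons:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"), "raw": raw,
                             "effective": effective, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["time"], f["effective"], "; ".join(f["reasons"]))
```

Running it against the constructed sample flags the two traversal requests from 203.0.113.7 (one of them also for the `%u` encoding and the admin-account parameters) and the plugin upload from 198.51.100.9, while the ordinary login and setup page requests pass. The plugin-upload rule is deliberately a review trigger rather than a verdict: it is the step that turns a console bypass into code execution, and the stealthy variant in the description produces nothing else in Openfire's own audit log.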

Threat 3: LockBit 3.0 Ransomware Builder Leak Spurs New Variants

Sources:

Affected Entities: LockBit group (builder leak) and organizations targeted by LockBit-derived variants

Attack Vector: The leak of the LockBit 3.0 ransomware builder has produced numerous new ransomware variants. During one incident response engagement, a rebranded LockBit build with a different ransom demand procedure was found.

Risk Impact: The proliferation of LockBit variants widens the pool of ransomware operators. Victims face data loss, financial loss and disruption to operations.

Detailed Description:

  • The leak of the LockBit 3.0 ransomware builder has spawned multiple new variants, as observed by researchers at Kaspersky.
  • One notable example is a rebranded LockBit variant with altered ransom note content and communication channels.
  • This variant deviates from the LockBit group's usual methods by naming a specific ransom amount and using its own, distinct communication channels.
  • Kaspersky identified many LockBit samples generated with the leaked builder.
  • Rebranding ransomware, as with the ADHUBLLKA strain, is common practice among cybercriminals launching new campaigns with slight variations.
  • The ransomware landscape continues to evolve, with attackers also targeting Linux environments and exploiting VPN software vulnerabilities.

Recommendations:

  • Implement multi-factor authentication (MFA) and strong password policies to mitigate the risk of unauthorized access to critical systems.
  • Regularly back up critical data to offline storage, ensuring data recovery options are available in case of a ransomware incident.

Threat 4: Ransomware Actor Exploits Citrix NetScaler Systems via CVE-2023-3519

Sources:

Affected Entities: Organizations running unpatched Citrix NetScaler ADC and Gateway appliances (reported by Sophos)

IOCs: C2 IP addresses: 45.66.248[.]189, 85.239.53[.]49

More IOCs can be found in the Sophos report.

Attack Vectors: A threat actor linked to the FIN8 hacking group exploits CVE-2023-3519 on unpatched Citrix NetScaler systems as the entry point for domain-wide attacks. The campaign uses payload injection, malware staged on BlueVPS hosting, obfuscated PowerShell scripts and PHP webshells.

Risk Impact: Unpatched Citrix NetScaler systems are at high risk of compromise, leading to potential data breaches, system disruption and ransomware.

Detailed Description:

  • A threat actor believed to be affiliated with the FIN8 hacking group is exploiting CVE-2023-3519 in unpatched Citrix NetScaler systems, as reported by Sophos.
  • The campaign involves payload injection, malware staged on BlueVPS-hosted infrastructure, obfuscated PowerShell scripts and the deployment of PHP webshells.
  • Resemblances to an earlier attack suggest the same actor, one that specializes in ransomware, is behind both.
  • CVE-2023-3519 is a critical vulnerability in Citrix NetScaler ADC and Gateway that was exploited as a zero-day in mid-July 2023.
  • Although the vendor released security updates, many systems remained unpatched, leaving them open to this campaign.
  • Sophos attributes the campaign to FIN8 based on domain discovery, hosting, scripting methods and correlation with the group's previous campaigns.

Recommendations:

  • Organizations using Citrix ADC and Gateway appliances should apply the security updates recommended by the vendor to mitigate CVE-2023-3519; the fixed builds are:
    • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
    • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
    • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
    • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
    • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP
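A build check against the fixed builds listed above, as an added example (not Citrix tooling): the inventory is constructed, the parser accepts both the advisory's notation and the form `show version` prints, and a branch with no fixed build in the list (plain 12.1, for instance) is reported separately rather than silently passed.

```python
"""Gate NetScaler ADC/Gateway builds against the fixed builds for CVE-2023-3519.

Added example, not Citrix tooling. The fixed builds are the ones listed in
the recommendation above; the inventory below is constructed.
"""
import re
from typing import Optional, Tuple

# (release branch, variant) -> first fixed build (major, minor).
FIXED_BUILDS = {
    ("13.1", ""): (49, 13),
    ("13.0", ""): (91, 13),
    ("13.1", "FIPS"): (37, 159),
    ("12.1", "FIPS"): (55, 297),
    ("12.1", "NDcPP"): (55, 297),
}

# Constructed inventory. Version strings appear in both the advisory's form
# ("13.1-49.13", "13.1-FIPS 13.1-37.159") and the form "show version" prints
# ("NetScaler NS13.1: Build 49.13.nc").
INVENTORY = {
    "gw-east": "13.1-49.13",
    "gw-west": "NetScaler NS13.1: Build 48.47.nc",
    "gw-fips": "13.1-FIPS 13.1-37.159",
    "gw-ndcpp": "12.1-NDcPP 12.1-55.291",
    "gw-legacy": "12.1-65.25",
}


def parse_build(version: str) -> Tuple[str, str, Tuple[int, int]]:
    """Return (branch, variant, (major, minor)).

    The first dotted number is the release branch and the last is the build;
    that holds for every string form above. Builds are compared as integer
    tuples, because a string comparison would rank 13.1-49.9 above 13.1-49.13.
    """
    numbers = re.findall(r"\d+\.\d+", version)
    if len(numbers) < 2:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch = numbers[0]
    major, minor = (int(part) for part in numbers[-1].split("."))
    m = re.search(r"\b(FIPS|NDcPP)\b", version, re.IGNORECASE)
    variant = {"fips": "FIPS", "ndcpp": "NDcPP"}[m.group(1).lower()] if m else ""
    return branch, variant, (major, minor)


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or beyond the fixed build for its branch and
    variant, False if it is older, None if the branch is not in the fixed list
    (plain 12.1, for example), which should be treated as exposed."""
    branch, variant, build = parse_build(version)
    fixed = FIXED_BUILDS.get((branch, variant))
    if fixed is None:
        return None
    return build >= fixed


def triage(inventory: dict) -> dict:
    """Map each appliance to 'patched', 'vulnerable' or 'no fixed build listed'."""
    labels = {True: "patched", False: "vulnerable", None: "no fixed build listed"}
    return {host: labels[is_patched(version)] for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {status}")
```

The integer-tuple comparison is the point: build numbers such as 49.9 and 49.13 sort the wrong way as strings, and FIPS and NDcPP builds must be compared against their own branch, not the mainline one, since 13.1-FIPS 37.159 is fixed while mainline 13.1-37.x is not.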

Threat 5: Critical Vulnerabilities in VMware Aria Operations for Networks Pose Remote Attack Risks

Sources:

Affected Entities: VMware Aria Operations for Networks (formerly vRealize Network Insight)

Attack Vectors: Two vulnerabilities have been identified in VMware Aria Operations for Networks: a critical authentication bypass (CVE-2023-34039) and an arbitrary file write (CVE-2023-20890). Together or alone, they can lead to unauthorized access and remote code execution.

Risk Impact: Attackers could bypass authentication and achieve remote code execution on affected appliances, compromising the integrity of the monitoring platform and the network data it holds.

Detailed Description:

  • VMware has addressed security vulnerabilities in its Aria Operations for Networks software, including an authentication bypass flaw and an arbitrary file write vulnerability.
  • An attacker with network access to the appliance could exploit the authentication bypass to reach the Aria Operations for Networks command line interface (CLI) without valid credentials.
  • The arbitrary file write could allow an adversary who already has administrative access to write files to arbitrary locations and thereby execute code remotely.
  • Multiple 6.x versions are affected; VMware has released fixes, with version 6.11 as the patched release.

Recommendations:

  • Upgrade Aria Operations for Networks appliances to version 6.11, or apply the vendor's patches for earlier 6.x releases.
  • Restrict network access to the appliance's management interfaces (including SSH) to trusted administrative networks, since the authentication bypass requires only network reachability.

Threat 6: Hacking Campaign Targets Cisco VPNs with Brute-Force Attacks

Sources:

Affected Entities: Organizations running Cisco ASA SSL VPNs; activity linked to the Akira and LockBit ransomware groups

IOCs: Most of the attack connections originated from a Windows device named 'WIN-R84DEUE96RB' using the IP addresses 176.124.201[.]200 and 162.35.92[.]242

Attack Vectors: Brute-force and password-spraying attacks against Cisco ASA SSL VPNs

Risk Impact: The campaign targets weak or default credentials on Cisco Adaptive Security Appliance (ASA) SSL VPNs. Breached VPNs have been linked to ransomware attacks, so a single successful login can become the entry point into the corporate network.

Detailed Description:

  • A campaign against Cisco Adaptive Security Appliance (ASA) SSL VPNs, consisting of brute-force and password-spraying attacks, has been under way since March 2023.
  • The campaign, documented by researchers at Rapid7, succeeds mainly against devices without proper multi-factor authentication (MFA) enforcement.
  • The attackers simply guess login credentials against exposed VPN systems.
  • While the exact exploitation methods are not clear, reports tie the compromised networks to subsequent ransomware attacks by groups such as Akira and LockBit.
  • Admins are urged to remove default credentials, enforce MFA and enhance logging on their VPNs.

Recommendations:

  • Deactivate default accounts and passwords to thwart brute-force attempts on VPN systems.
  • Enforce multi-factor authentication (MFA) for all VPN users to enhance security.
  • Enable logging on all VPNs to aid in attack analysis and incident response.
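Detection logic for this campaign over ASA syslog, as an added example that is not Cisco or Rapid7 code; it also serves the Cisco VPN credential abuse in Threat 1, which is why the recommendation there is to ship ASA logs to a syslog server. The sample lines are constructed (their formats follow ASA message IDs 113005 and 113015 for AAA rejections, 716001 for a WebVPN session start and 711001 for debug output, but no line is captured traffic), the spray and brute-force thresholds are assumptions to tune per environment, and the IOCs are the ones above, refanged from their `[.]` form before matching.

```python
"""Detect password spraying and brute force against a Cisco ASA SSL VPN from
syslog, and match the bulletin's IOCs.

Added example; not Cisco or Rapid7 code. Message formats follow ASA syslog
IDs 113005/113015 (AAA rejections), 716001 (WebVPN session start) and 711001
(debug output), but every line below is constructed, and the thresholds are
assumptions to tune per environment.
"""
import re
from collections import defaultdict

# Defanged IOCs as published in this bulletin.
IOCS = ["176.124.201[.]200", "162.35.92[.]242", "WIN-R84DEUE96RB"]

SAMPLE_LOG = """\
Aug 30 2023 02:11:01 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = admin : user IP = 176.124.201.200
Aug 30 2023 02:11:02 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = test : user IP = 176.124.201.200
Aug 30 2023 02:11:03 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = vpn : user IP = 176.124.201.200
Aug 30 2023 02:11:04 asa1 %ASA-6-113015: AAA user authentication Rejected : reason = User was not found : local database : user = cisco : user IP = 176.124.201.200
Aug 30 2023 02:11:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = jsmith : user IP = 176.124.201.200
Aug 30 2023 02:11:09 asa1 %ASA-6-716001: Group <RemoteAccess> User <jsmith> IP <176.124.201.200> WebVPN session started.
Aug 30 2023 02:20:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = mlee : user IP = 198.51.100.23
Aug 30 2023 02:20:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = mlee : user IP = 198.51.100.23
Aug 30 2023 02:20:02 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = mlee : user IP = 198.51.100.23
Aug 30 2023 02:20:03 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = mlee : user IP = 198.51.100.23
Aug 30 2023 02:20:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = mlee : user IP = 198.51.100.23
Aug 30 2023 02:20:05 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = mlee : user IP = 198.51.100.23
Aug 30 2023 03:00:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.1.1.10 : user = agarcia : user IP = 203.0.113.50
Aug 30 2023 03:00:30 asa1 %ASA-6-716001: Group <RemoteAccess> User <agarcia> IP <203.0.113.50> WebVPN session started.
Aug 30 2023 03:05:00 asa1 %ASA-7-711001: endpoint.device.hostname = "WIN-R84DEUE96RB"
"""

FAIL_RE = re.compile(
    r"%ASA-\d-1130(?:05|15): AAA user authentication Rejected : reason = (?P<reason>[^:]+) :"
    r".*user = (?P<user>\S+) : user IP = (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
START_RE = re.compile(
    r"%ASA-\d-716001: Group <[^>]+> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)> WebVPN session started"
)


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def analyze(log_text: str, spray_users: int = 4, brute_attempts: int = 5) -> dict:
    """Summarise authentication abuse in ASA syslog text.

    spray_users: distinct usernames rejected from one source IP before it is
    called a password spray. brute_attempts: rejections for one (IP, user)
    pair before it is called brute force.
    """
    iocs = [refang(i) for i in IOCS]
    ioc_patterns = [(i, re.compile(r"(?<![\w.])" + re.escape(i) + r"(?![\w.])")) for i in iocs]
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> rejections
    sessions = []                                     # (ip, user) for each session start
    ioc_hits = []
    for line in log_text.splitlines():
        for ioc, pattern in ioc_patterns:
            if pattern.search(line):
                ioc_hits.append((ioc, line))
        m = FAIL_RE.search(line)
        if m:
            failures[m["ip"]][m["user"]] += 1
            continue
        m = START_RE.search(line)
        if m:
            sessions.append((m["ip"], m["user"]))

    spray = {ip: sorted(users) for ip, users in failures.items() if len(users) >= spray_users}
    brute = {(ip, user): n for ip, users in failures.items()
             for user, n in users.items() if n >= brute_attempts}
    # A session that starts from an IP already seen spraying or brute forcing
    # is the event that matters most: a probable credential compromise.
    suspect_logins = [(ip, user) for ip, user in sessions if ip in spray or (ip, user) in brute]
    return {
        "password_spray": spray,
        "brute_force": brute,
        "logins_from_attacking_ips": suspect_logins,
        "ioc_hits": ioc_hits,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample, 176.124.201.200 is reported as a password spray (five different usernames rejected in seconds) and the jsmith session that follows from the same address as a probable compromise; 198.51.100.23 is reported as brute force against mlee; agarcia's single typo followed by a login is left alone. The two kinds of threshold matter: spraying keeps per-user failure counts low on purpose, so a rule that only counts failures per account misses exactly the campaign described here.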

Threat 7: Critical VMware SSH Auth Bypass Vulnerability Exploit Released

Sources:

Affected Entities: VMware's Aria Operations for Networks analysis tool (formerly known as vRealize Network Insight)

Attack Vector: SSH authentication bypass in VMware's Aria Operations for Networks analysis tool (CVE-2023-34039, the authentication bypass covered in Threat 5)

Risk Impact: Remote attackers can bypass SSH authentication and access the tool's command line interface on unpatched appliances.

Detailed Description:

  • Security analysts at ProjectDiscovery Research identified a critical SSH authentication bypass vulnerability in VMware's Aria Operations for Networks analysis tool.
  • VMware has patched the flaw in version 6.11. Successful exploitation lets remote attackers bypass SSH authentication and reach the appliance's command line interface.
  • Proof-of-concept exploit code covering multiple versions (6.0 to 6.10) has been published online, so exploitation attempts against unpatched appliances should be expected.

Recommendations:

  • Upgrade to Aria Operations for Networks 6.11 without delay; public exploit code makes unpatched appliances an easy target.
  • Until patched, block SSH to the appliance from untrusted networks and review appliance logs for unexpected SSH sessions.


Threat 8: Okta Cautions: Social Engineering Assaults Aimed at Gaining Super Administrator Privileges

Sources:

Affected Entities: Okta customers (US-based) and their IT service desk personnel

Attack Vector: Social engineering of IT service desk staff, credential and MFA-code phishing with the 0ktapus kit, and abuse of highly privileged Okta Super Administrator accounts

Risk Impact: Unauthorized access, impersonation of users, privilege escalation and potential data breaches

Detailed Description:

  • Threat actors have been running social engineering attacks against the IT service desk personnel of US-based Okta customers.
  • The attackers convince service desk staff to reset all MFA factors enrolled by highly privileged users, then take over those accounts.
  • They use a commercial phishing kit known as 0ktapus, which provides ready-made templates for realistic fake authentication portals that harvest credentials and MFA codes; the kit includes a built-in command-and-control channel over Telegram.
  • Once in a Super Administrator account, the attackers assign higher privileges to other accounts, weaken authentication policies and even configure an impersonation identity provider, which lets them sign in to applications as targeted users.

Recommendations:

  • Require service desk staff to verify identity through an out-of-band, pre-agreed process before resetting any MFA factor, with stricter handling for Super Administrator and other privileged accounts.
  • Keep the number of Super Administrator accounts to a minimum and protect them with phishing-resistant MFA.
  • Monitor Okta System Log events for MFA factor resets on privileged accounts followed by privilege grants, authentication policy changes or the creation of a new identity provider.
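Correlation logic for the takeover chain described above over Okta System Log records, as an added example that is not Okta's code: the privileged-account list, the 24-hour window and the events themselves are constructed, while the event type names (`user.mfa.factor.reset_all`, `user.account.privilege.grant`, `policy.rule.update`, `policy.lifecycle.update`, `system.idp.lifecycle.create`) are standard Okta System Log types. The rule fires when a privileged account whose factors were all reset goes on, within the window, to take one of the actions the description attributes to the attacker.

```python
"""Correlate Okta System Log events for the help-desk MFA-reset takeover chain
described above: all factors reset on a privileged account, then that account
grants privileges, changes policy or creates an identity provider.

Added example; not Okta code. Event type names are standard Okta System Log
types; the admin list, window and the events themselves are constructed.
"""
from datetime import datetime, timedelta

SUPER_ADMINS = {"ops-admin@corp.example"}  # constructed list of privileged accounts

# Actions the bulletin describes the attacker taking after the takeover.
FOLLOW_ON_EVENTS = {
    "user.account.privilege.grant",
    "policy.rule.update",
    "policy.lifecycle.update",
    "system.idp.lifecycle.create",
}

# Constructed events in the shape of Okta System Log records (trimmed to the
# fields used here).
SAMPLE_EVENTS = [
    {"published": "2023-08-20T09:58:00.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@corp.example"},
     "target": [{"type": "User", "alternateId": "ops-admin@corp.example"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-20T10:05:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "ops-admin@corp.example"}, "target": [],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-20T10:12:00.000Z", "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "ops-admin@corp.example"},
     "target": [{"type": "User", "alternateId": "svc-backup@corp.example"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2023-08-20T10:20:00.000Z", "eventType": "system.idp.lifecycle.create",
     "actor": {"alternateId": "ops-admin@corp.example"},
     "target": [{"type": "IdentityProvider", "alternateId": "unknown-idp"}],
     "outcome": {"result": "SUCCESS"}},
    # Same actor a day later: outside the window, so not attributed to the reset.
    {"published": "2023-08-21T15:00:00.000Z", "eventType": "policy.rule.update",
     "actor": {"alternateId": "ops-admin@corp.example"}, "target": [],
     "outcome": {"result": "SUCCESS"}},
    # Reset of an ordinary user: not privileged, so no alert.
    {"published": "2023-08-20T11:00:00.000Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk@corp.example"},
     "target": [{"type": "User", "alternateId": "jdoe@corp.example"}],
     "outcome": {"result": "SUCCESS"}},
]


def event_time(event: dict) -> datetime:
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def target_users(event: dict) -> list:
    return [t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"]


def correlate(events: list, window_hours: float = 24) -> list:
    """Return one alert per follow-on action taken by a privileged account
    within window_hours of a successful reset of all its MFA factors."""
    window = timedelta(hours=window_hours)
    alerts = []
    open_resets = []  # (reset time, victim, who performed the reset)
    for event in sorted(events, key=event_time):
        when = event_time(event)
        if event["eventType"] == "user.mfa.factor.reset_all" and event["outcome"]["result"] == "SUCCESS":
            for victim in target_users(event):
                if victim in SUPER_ADMINS:
                    open_resets.append((when, victim, event["actor"]["alternateId"]))
            continue
        if event["eventType"] not in FOLLOW_ON_EVENTS:
            continue
        actor = event["actor"]["alternateId"]
        for reset_at, victim, reset_by in open_resets:
            if actor == victim and reset_at <= when <= reset_at + window:
                alerts.append({
                    "victim": victim,
                    "reset_by": reset_by,
                    "reset_at": reset_at.isoformat(),
                    "action": event["eventType"],
                    "targets": [t["alternateId"] for t in event.get("target", [])],
                    "at": event["published"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields two alerts for ops-admin, the privilege grant to svc-backup and the new identity provider, both tied back to the help desk reset that preceded them; the policy change a day later falls outside the window and the reset of an unprivileged user produces nothing. Keying the rule on the reset of a privileged account keeps the volume low while still catching the step that precedes every action in the description.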

If you have any questions regarding the threats outlined above, please get in touch with the SOC ([email protected] or call 877-729-3527 (Option 2)).