CyberWatch

Weekly Cybersecurity Briefing - April 26, 2023

By Access Point Consulting

Hackers Storing Malware in Google Drive as Encrypted ZIP Files to Evade Detection

Analysis: Threat actors are using Google Drive to store malicious files as encrypted ZIP files to evade detection.

These files are distributed through phishing emails, and when downloaded, install malware on victims’ machines. The use of encryption makes it challenging for security systems to detect the contents of the ZIP files, as the files are encrypted and not readily visible or scannable by traditional antivirus or security software. This allows threat actors to bypass security measures that may rely on content inspection or signature-based detection methods.
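A gateway or download scanner can still tell that a ZIP is password-protected even though it cannot read the contents, because the encryption flag sits in the unencrypted ZIP headers. The following is an added example, not part of the original briefing; the `triage` policy, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1  # general-purpose bit 0: entry is encrypted
AES_METHOD = 99       # compression method 99 marks WinZip AES entries


def encrypted_members(data: bytes) -> list[str]:
    """Return the names of entries whose headers mark them as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if info.flag_bits & ENCRYPTED_FLAG or info.compress_type == AES_METHOD
        ]


def triage(data: bytes) -> str:
    """Assumed policy: content that cannot be inspected is quarantined."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    return "quarantine" if encrypted_members(data) else "scan"


def constructed_sample(encrypted: bool) -> bytes:
    """Build a small in-memory ZIP; optionally set the encryption flag by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.bin", b"constructed placeholder bytes")
    raw = bytearray(buf.getvalue())
    if encrypted:
        central = raw.find(b"PK\x01\x02")  # central directory header
        # Flags live at offset 6 of the local header and 8 of the central one.
        for offset in (6, central + 8):
            flags = struct.unpack_from("<H", raw, offset)[0]
            struct.pack_into("<H", raw, offset, flags | ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    print(triage(constructed_sample(encrypted=True)))   # quarantine
    print(triage(constructed_sample(encrypted=False)))  # scan
```

Entry names stay readable in a password-protected archive unless the central directory itself is encrypted, so name and extension checks can still run on quarantined files.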

Access Point emphasizes the importance of user education and security awareness training. It is important to teach users to exercise caution when downloading and opening files, especially from unknown sources and suspicious emails.

Teaching users how to hover over links and emails, and to report potential phishing emails, are tactics that help ensure your users do not leave you exposed. It is also essential to implement multi-factor authentication for all user accounts as a layered defense should users' credentials be exposed to attackers.

Source

Hackers can breach networks using data and resold corporate routers

Analysis: Researchers at cybersecurity company ESET discovered that most of the used corporate-grade routers they purchased on the secondary market still contained sensitive data. More importantly, that data could be used by hackers to breach corporate environments or obtain customer information.

Out of the 18 routers they tested, only five were properly wiped and two had been hardened, making it more difficult to access the data.

Researchers found that the routers contained a trove of details about the owner, how the network was set up, and connections to other systems, including customer information, third-party network connections, and credentials for connecting to other networks as a trusted party. In addition, some of the routers contained router-to-router authentication keys and hashes, as well as complete maps of sensitive applications hosted locally or in the cloud. These included well-known applications such as Microsoft Exchange, Salesforce, SharePoint, and VMware Horizon.

This level of insider information is typically reserved for highly-credentialed personnel such as network administrators and their managers. An attacker with access to this type of information can easily plan an attack path that could go undetected deep inside the network, potentially impersonating network or internal hosts using stolen credentials.

The researchers emphasized the importance of properly wiping network devices before decommissioning them and getting rid of them. They are urging companies to follow the recommendations from the device maker to clean the equipment of potentially sensitive data and bring it to a factory default state.

Using a third-party service for this activity may not always be a good idea, as the researchers found that even after using such a service, sensitive data was still present on the routers they tested.

Access Point recommends having proper procedures in place for the secure destruction and disposal of digital equipment to prevent the exposure of sensitive information on the secondary market.

Source

Raspberry Robin Adopts Unique Evasion Techniques

Analysis: Security researchers at Check Point Research (CPR) have published an advisory on the Raspberry Robin malware, detailing its unique evasion techniques to avoid detection.

The malware has been observed using methods to avoid being run on virtual machines (VMs), making it harder for defenders to analyze it. CPR also identified two new exploits used by Raspberry Robin to gain higher privileges on infected systems, one of which had been previously used as a zero-day by the Bitter APT group.

The advisory provides technical details on how to defend against these evasion techniques.

Access Point recommends having an active threat hunting program. Because the threat landscape is ever changing, it is essential to stay informed about the ways in which operators are targeting organizations. This includes having a dedicated team that is proactively searching within your network for any indicators of compromise such as IP ranges, file hashes, email addresses, URLs, etc. It is also essential that your threat team is blocking IOCs associated with threat groups at all endpoint and network levels.

Source

EvilExtractor — All–in–One Stealer

Analysis: EvilExtractor is a malicious attack tool that targets Windows operating systems and is used to extract data and files from endpoint devices.

The tool includes several modules that work through an FTP service and was developed by a company called Kodex, which claims it is an educational tool. However, research conducted by FortiGuard shows that cybercriminals are actively using it as an info stealer.

The attack method used to deliver EvilExtractor typically involves a phishing email campaign. The phishing email often carries what appears to be a legitimate file, such as an Adobe PDF or Dropbox file. Once loaded, it uses PowerShell to carry out malicious activity; it may also contain environment checking and anti-VM functions to evade detection.

After gaining access to the victim’s system, EvilExtractor performs several functions. First, it checks the system’s date to see if it falls within a specific time frame. If not, it deletes data in PSReadline and terminates. It also checks the victim’s product model and hostname against a list of known virtual environment and scanner/virtual machine names to determine if it's running in a sandbox or virtualized environment.

If the environment check passes, EvilExtractor downloads three components from a remote server. These components are Python programs that are obfuscated using PyArmor. One component is used for stealing browser data from Google Chrome, Microsoft Edge, Opera, and Firefox, including cookies, browser history, and passwords. Another component is a keylogger that captures keystrokes and saves them in a folder.

The third and final component is a webcam extractor that captures webcam snapshots. EvilExtractor also collects system information using a PowerShell script and saves it in a text file called "Credentials.txt". It downloads files with specific extensions from the Desktop and Download folders, such as jpg, png, mp4, pdf, zip, and xml. It may also capture screenshots using the "CopyFromScreen" command.

The primary purpose of EvilExtractor is to steal data — such as browser information, keystrokes, and system credentials — from compromised endpoints and upload it to the attacker's FTP server. It also includes various anti-analysis techniques, such as obfuscation and environment checking, to evade detection and analysis by security researchers.
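The behaviours listed above can be turned into a simple hunt over PowerShell script block logs (Event ID 4104). The following is an added example, not part of the original briefing or the FortiGuard research; the regexes, the `Win32_ComputerSystem` pattern for the model check, the alert threshold, the host names and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Behaviours this briefing attributes to EvilExtractor. The patterns are
# assumptions about how each one might appear in logged script text.
BEHAVIOURS = {
    "history_wipe": re.compile(r"\b(remove-item|clear-content|del)\b.*psreadline", re.I),
    "env_check": re.compile(r"win32_computersystem", re.I),
    "screenshot": re.compile(r"copyfromscreen", re.I),
    "sysinfo_file": re.compile(r"credentials\.txt", re.I),
    "ftp_upload": re.compile(r"ftp://|ftpwebrequest", re.I),
}
ALERT_THRESHOLD = 3  # assumed: distinct behaviours per host before alerting

# Constructed (host, script block text) pairs standing in for 4104 events.
SAMPLE_EVENTS = [
    ("WS-014", r"(Get-WmiObject Win32_ComputerSystem).Model"),
    ("WS-014", r"$gfx.CopyFromScreen(0, 0, 0, 0, $bmp.Size)"),
    ("WS-014", r"Get-ComputerInfo | Out-File $env:TEMP\Credentials.txt"),
    ("WS-022", r"Remove-Item (Get-PSReadLineOption).HistorySavePath"),
    ("WS-022", r"Get-ChildItem C:\Reports -Filter *.pdf"),
]


def hunt(events):
    """Map each host to the sorted list of distinct behaviours seen on it."""
    seen = defaultdict(set)
    for host, script in events:
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(script):
                seen[host].add(name)
    return {host: sorted(hits) for host, hits in seen.items()}


def alerts(events, threshold=ALERT_THRESHOLD):
    """Hosts whose combined behaviours reach the threshold."""
    return sorted(h for h, hits in hunt(events).items() if len(hits) >= threshold)


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
    print("alert:", alerts(SAMPLE_EVENTS))
```

Counting distinct behaviours per host rather than per event keeps a single history cleanup or screenshot call from alerting on its own.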

Access Point recommends the following protections:

  1. Keep all software and operating systems up to date with the latest patches and security updates.
  2. Implement MFA for all user accounts as a layered method of defense.
  3. Regularly back up critical data and store it securely offline.
  4. Have a proactive approach to detecting threats, as mentioned above.

Source

Point32Health confirms service disruption due to ransomware

Analysis: Point32Health confirmed a ransomware attack in a statement posted on its website, mentioning that systems used for member services, accounts, brokers, and providers were affected.

While the exact impact and extent of the attack are still unclear, it may have compromised sensitive data stored by Point32Health. The organization has initiated an investigation and is working to restore the impacted systems as quickly and safely as possible.

It is important to note that Point32Health was formed through a merger between Tufts Health Plan and Harvard Pilgrim Health Care, and so far, the affected systems appear to be limited to Harvard Pilgrim Health Care. Other businesses under Point32Health do not currently appear to have been impacted.

Ransomware attacks on healthcare organizations have been a persistent problem in recent years, with multiple government advisories and industry warnings. Microsoft also recently obtained a court order to curb the illegal use of Cobalt Strike, a tool often used in ransomware attacks that have affected healthcare organizations.

Access Point urges you to prioritize the following cybersecurity measures to protect against ransomware attacks:

  1. Robust threat detection, prevention, and response strategies
  2. Regular data backups
  3. Employee training
  4. Timely software patching

We cannot emphasize enough the need for vigilance and preparation in the face of evolving cyber threats, particularly in the healthcare industry.

Source

Vulnerabilities

Cisco and VMware Release Security Updates to Patch Critical Flaws in their Products

Analysis: Cisco has issued patches for three significant flaws affecting its products, tracked as CVE-2023-1928, CVE-2023-1929, and CVE-2023-1930.

These vulnerabilities affect Cisco's Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. If exploited, these flaws could enable attackers to gain unauthorized access, execute arbitrary code, and cause a denial of service (DoS) on the affected systems.

In addition to addressing these critical vulnerabilities, Cisco included fixes for several moderate and low-severity issues. These updates address multiple vulnerabilities in Cisco's other products, such as its Identity Services Engine, IOS XR Software, and Nexus devices.

VMware has also released updates to resolve two critical vulnerabilities identified as CVE-2023-5426 and CVE-2023-5427.

These security flaws impact VMware vCenter Server, a centralized management utility for VMware vSphere environments. Successful exploitation could allow an attacker to gain unauthorized access, execute arbitrary code, and compromise the confidentiality, integrity, and availability of the affected systems.

VMware's updates also include patches for other vulnerabilities with lower severity ratings.

Both Cisco and VMware have urged users to apply the necessary security updates as soon as possible to prevent potential exploitation. Companies and organizations that utilize these products should prioritize patching their systems to minimize the risk of cyberattacks.

Users of both Cisco and VMware products are advised to review the respective advisories and follow best practices for maintaining a secure network environment. By staying vigilant and applying security updates in a timely manner, organizations can significantly reduce the risk of falling victim to cyber threats.

Source

Windows 10 KB5025297 preview update released with 10 fixes

Analysis: A preview update for Windows 10 has been released. Identified as KB5025297, this update includes ten fixes for various issues. The update is available for Windows 10 versions 1909, 2004, 20H2, and 21H1.

As a preview update, it provides users with an opportunity to test the fixes before they become part of the next mandatory "Patch Tuesday" update. Among the resolved issues are fixes for problems with printer installations, issues affecting Windows Hello face authentication, and problems with the Windows Out of Box Experience (OOBE). Additionally, the update addresses a bug causing devices to lose network connectivity when resuming from hibernation or sleep mode, as well as an issue with the File Explorer search bar not responding to user input.

The update also provides fixes for other issues, including one that may prevent certain Universal Windows Platform (UWP) apps from being launched or installed. Moreover, it resolves a problem that could cause incorrect folder permissions after upgrading the operating system, and an issue that may prevent the Windows Subsystem for Linux (WSL) from starting.

While no new security fixes are included in the KB5025297 update, it does contain all previously released security updates for the affected Windows 10 versions. Users who choose to install this optional update can expect a smoother experience when the next "Patch Tuesday" update is released.

Access Point reminds you that it is important to regularly update your systems, even with non-security updates, to ensure optimal performance and to address any potential issues. Microsoft encourages users to install this preview update to help identify and report any problems so they can be addressed before the next mandatory update rollout.

Source

Exploit released for PaperCut flaw abused to hijack servers, patch now

Analysis: An exploit has been released for a critical vulnerability in PaperCut, a widely used print management software. The flaw, tracked as CVE-2022-22775, allows attackers to hijack servers running the software. In response to the release of this exploit, security researchers and PaperCut have urged users to apply the available patches as soon as possible to protect their systems from potential attacks.

CVE-2022-22775 is a server-side request forgery (SSRF) vulnerability, which enables attackers to send malicious requests from the vulnerable server to other systems, potentially leading to remote code execution. This flaw has been rated 9.1 out of 10 on the CVSS severity scale, indicating its critical nature. Upon discovering the vulnerability, the researchers notified PaperCut, and the company promptly released a patch to address the issue.

The researchers who discovered the vulnerability have now released a working exploit, which increases the risk of potential attacks. As a result, it is crucial for users of PaperCut software to apply the patch without delay. The company has provided detailed instructions on how to implement the security update in their advisory.

In addition to patching the vulnerability, PaperCut has implemented further security measures in the latest version of their software to reduce the potential impact of similar flaws in the future. These measures include enhanced input validation and additional security settings for server communications.

Access Point recommends that organizations using PaperCut prioritize applying the patch and updating their software to mitigate the risk of cyberattacks exploiting this vulnerability. By staying vigilant and applying security updates in a timely manner, organizations can significantly reduce the risk of falling victim to cyber threats.

Source
