At a Glance
Ransomware, Malware & Phishing
- Healthcare System Notifies 180,000 People 1 Year After Hack
- The Week in Ransomware – August 11th, 2023 – Targeting Healthcare
- Colorado warns 4 million of data stolen in IBM MOVEit breach
- Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives
- Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization
- China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign
- New Statc Stealer Malware Emerges: Your Sensitive Data at Risk
- New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks
- Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics
- MoustachedBouncer hackers use AiTM attacks to spy on diplomats
- Lapsus$ hackers took SIM-swapping attacks to the next level
Vulnerabilities
- Several Flaws Found in CyberPower and Dataprobe Products
- Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software
- Multiple Flaws Uncovered in Data Center Systems
- New Python URL Parsing Flaw Could Enable Command Execution Attacks
- Microsoft enables Windows Kernel CVE-2023-32019 fix for everyone
Ransomware, Malware & Phishing
Healthcare System Notifies 180,000 People 1 Year After Hack
Analysis: Tift Regional Health System, also known as Southwell, a healthcare system located in Georgia, has alerted more than 180,000 individuals about a data breach resulting from a Hive ransomware attack that was detected a year ago. The breach compromised patient information, including medical and banking details, which were accessed and copied. The healthcare system initially discovered the attack on August 16, 2022, and reported it to the U.S. Department of Health and Human Services' Office for Civil Rights on October 14, 2022. The delayed notification underlines the challenges organizations, particularly in the healthcare sector, face when responding to and reporting breaches.
Tift Regional Health System, a not-for-profit healthcare provider serving multiple counties in Georgia, has not provided additional information regarding the reasons behind the notification delay or the extent of Hive's involvement in the attack.
Access Point recommends the following:
- Comprehensive Reviews: Conduct thorough cybersecurity reviews and evaluations to identify potential vulnerabilities and weak points in the system.
- Network Monitoring: Implement robust network and system monitoring to swiftly detect and respond to suspicious activities, minimizing the impact of potential breaches.
- Skilled Professionals: Ensure the availability of skilled cybersecurity professionals who can effectively manage breach response and investigation efforts.
- Collaboration with Experts: Collaborate with government agencies and experienced forensic experts to conduct accurate assessments and notifications in the event of a breach.
- Incident Response Plans: Establish well-defined incident response plans to streamline investigation and notification processes, minimizing delays.
- Transparent Communication: Communicate with affected individuals promptly and transparently, providing necessary information about the breach and steps taken to address it.
- Cybersecurity Updates: Regularly update and adapt cybersecurity measures to stay ahead of evolving threats and enhance overall system resilience.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- Initial Access: T1566 - Phishing
- Execution: T1204 - User Execution, T1035 - Service Execution
- Collection: T1114 - Email Collection, T1115 - Clipboard Data
- Impact: T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery
The Week in Ransomware – August 11th, 2023 – Targeting Healthcare
Analysis: Rhysida, a ransomware gang that emerged in May 2023, has gained notoriety for its indiscriminate targeting of diverse sectors, including hospitals, enterprises, and government agencies. Initially making headlines by attacking the Chilean Army and leaking stolen data, Rhysida has more recently turned its attention to healthcare institutions. One notable incident involved a breach at the Prospect Medical Group, impacting 17 hospitals and 166 clinics across the United States. This pattern of activity has prompted various cybersecurity entities, including the U.S. Department of Health and Human Services, Trend Micro, Cisco Talos, and Check Point Research, to issue reports and alerts about the group's actions.
Access Point recommends the following:
- Robust Security Protocols: Implement stringent security protocols to safeguard networks, systems, and sensitive data from potential ransomware attacks.
- Regular Software Updates: Keep software and systems up to date with the latest security patches to address known vulnerabilities that ransomware groups might exploit.
- Advanced Threat Detection: Utilize advanced threat detection and response solutions to promptly identify and mitigate ransomware activity before it spreads.
- Incident Response Planning: Develop and implement incident response plans to minimize the impact of ransomware attacks and ensure a rapid recovery process.
- Secure Backups: Maintain regular backups of critical data and systems, storing them securely and offline to prevent ransomware from encrypting them.
- Ongoing Training: Conduct continuous cybersecurity training for employees to raise awareness about ransomware threats and encourage safe online practices.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1569.001 - Spearphishing Link.
- T1486 - Data Encrypted for Impact.
- T1568.002 - Dynamic Resolution.
- T1486.001 - Data Encrypted for Impact.
Colorado warns 4 million of data stolen in IBM MOVEit breach
Analysis: The Colorado Department of Health Care Policy & Financing (HCPF) is currently in the process of notifying more than four million individuals about a significant data breach. This breach, which resulted in the exposure of personal and health-related information, was attributed to the exploitation of the MOVEit Transfer zero-day vulnerability (CVE-2023-34362) by the Clop ransomware group as part of a global hacking campaign.
While the breach did not directly compromise HCPF's systems, it occurred through a third-party contractor, IBM, which employed the MOVEit software. The unauthorized access to the contractor's systems led to the likely exfiltration of sensitive data from Health First Colorado (Medicaid) and Child Health Plan Plus (CHP+) program members. The compromised information includes sensitive details such as names, Social Security Numbers (SSNs), medical records, clinical data, contact information, and income details, among others.
HCPF has clarified that the breach didn't impact any other systems and is taking measures to mitigate potential risks for affected individuals. As part of this effort, they are offering two years of credit monitoring services to affected members to help safeguard against potential fraudulent activities.
Access Point recommends the following:
- Zero-Day Vulnerabilities: Implement and maintain strong cybersecurity measures to prevent the exploitation of zero-day vulnerabilities by threat actors.
- Software Updates: Regularly update and patch software systems to protect against known vulnerabilities and minimize the risk of exploitation.
- Third-Party Security: Conduct thorough security assessments of third-party contractors' systems to ensure they adhere to robust cybersecurity standards.
- Network Segmentation: Implement network segmentation to limit the impact of breaches and unauthorized access to critical systems and data.
- Incident Response Planning: Establish well-defined incident response plans to detect, respond to, and mitigate breaches efficiently and minimize their impact.
- Employee Training: Provide comprehensive cybersecurity training to employees and contractors to help them recognize and promptly report potential threats.
- Cybersecurity Expertise: Collaborate with cybersecurity experts to ensure the security of critical systems and data and stay informed about emerging threats.
- Multi-Layered Security: Implement multi-layered security controls to reduce the potential impact of breaches and unauthorized access.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- Initial Access: T1190 - Exploit Public-Facing Application (Zero-Day Exploit)
- Execution: T1204 - User Execution, T1059 - Command and Scripting Interpreter
- Collection: T1114 - Email Collection, T1115 - Clipboard Data
- Exfiltration: T1041 - Exfiltration Over C2 Channel
- Impact: T1486 - Data Encrypted for Impact, T1490 - Inhibit System Recovery
Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives
Analysis: Over recent months, threat actors have been using a phishing-as-a-service (PhaaS) toolkit called EvilProxy to carry out account takeover attacks, with a particular focus on high-ranking executives at prominent companies. The campaign, spanning from March to June 2023, compromised thousands of Microsoft 365 user accounts across the globe. Alarmingly, approximately 39% of the compromised users are C-level executives, including CEOs and CFOs. The attackers have also specifically targeted individuals with access to financial assets or sensitive data. Strikingly, at least 35% of the compromised users had additional account protections enabled.
The rise of tools like EvilProxy can be attributed to the growing adoption of multi-factor authentication (MFA), which has prompted threat actors to incorporate advanced techniques to bypass MFA safeguards. These PhaaS toolkits utilize adversary-in-the-middle (AitM) phishing methods to evade MFA protections, enabling them to extract credentials, session cookies, and one-time passwords. The attackers employ sophisticated automation to identify high-profile accounts, swiftly gaining access to lucrative targets. EvilProxy, initially documented in September 2022, is capable of compromising accounts linked to various platforms such as Apple iCloud, Google, Microsoft, Twitter, and more. This toolkit is offered as a subscription service, with a price tag of $400 a month, and varying rates for specific platforms like Google.
The significance of PhaaS toolkits lies in their ability to empower less technically skilled cybercriminals to conduct large-scale phishing attacks with sophistication. These toolkits provide customizable options and reduce barriers to carrying out successful MFA phishing campaigns. The attacks orchestrated by EvilProxy typically commence with phishing emails impersonating trusted services. These emails redirect recipients to malicious URLs, leading to counterfeit Microsoft 365 login pages. Interestingly, the attackers avoid users from Turkish IP addresses, possibly indicating their geographical location. Upon successfully taking over accounts, threat actors add their own MFA method, ensuring persistent remote access and enabling lateral movement. Ultimately, they monetize this access through financial fraud, data exfiltration, or the sale of compromised accounts.
In this evolving cyber landscape, other threats have also emerged, including a Russian-origin phishing campaign targeting credit card and bank information via WhatsApp messages. Additionally, attackers are leveraging LinkedIn to distribute information-stealing malware that targets Facebook Business accounts.
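One detection that follows from the post-compromise step described above (a session from an address the user has never used, followed shortly by a new MFA method being registered), written as an added example that is not part of the original newsletter; the record layout, field names, baseline and sample events are constructed and only loosely mirror Entra ID sign-in and audit logs:

```python
from datetime import datetime, timedelta

# Constructed baseline: addresses each user signed in from over the prior weeks.
KNOWN_IPS = {
    "cfo@example.com": {"203.0.113.10"},
    "ceo@example.com": {"203.0.113.11"},
}

# Constructed sample events (not real telemetry).  The suspicious sign-in still
# carries mfa=True: in an AitM phish the victim completes MFA on the real
# service while the proxy relays it, so "MFA satisfied" is not a clean bill.
EVENTS = [
    {"time": "2023-06-01T08:02:00", "kind": "signin", "user": "cfo@example.com",
     "ip": "203.0.113.10", "result": "success", "mfa": True},
    {"time": "2023-06-01T08:05:00", "kind": "signin", "user": "cfo@example.com",
     "ip": "198.51.100.7", "result": "success", "mfa": True},      # unfamiliar IP
    {"time": "2023-06-01T08:09:00", "kind": "audit", "user": "cfo@example.com",
     "ip": "198.51.100.7", "activity": "User registered security info"},
    {"time": "2023-06-01T09:00:00", "kind": "signin", "user": "ceo@example.com",
     "ip": "203.0.113.11", "result": "success", "mfa": True},
    {"time": "2023-06-01T09:30:00", "kind": "audit", "user": "ceo@example.com",
     "ip": "203.0.113.11", "activity": "User registered security info"},  # known IP
    {"time": "2023-06-01T10:00:00", "kind": "signin", "user": "ceo@example.com",
     "ip": "198.51.100.9", "result": "success", "mfa": True},      # unfamiliar, but
    {"time": "2023-06-01T13:00:00", "kind": "audit", "user": "ceo@example.com",
     "ip": "198.51.100.9", "activity": "User registered security info"},  # 3 h later
]

MFA_REGISTRATION = "User registered security info"


def detect_mfa_enrollment_after_new_ip(events, known_ips, window_minutes=30):
    """Pair each successful sign-in from an address outside the user's baseline
    with an MFA-method registration from the same address inside the window.
    Returns one alert dict per matched pair, in chronological order."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(
        (dict(e, t=datetime.fromisoformat(e["time"])) for e in events),
        key=lambda e: e["t"],
    )
    unfamiliar = []   # successful sign-ins from addresses not in the baseline
    alerts = []
    for e in ordered:
        if e["kind"] == "signin":
            if e["result"] == "success" and e["ip"] not in known_ips.get(e["user"], set()):
                unfamiliar.append(e)
        elif e["kind"] == "audit" and e["activity"] == MFA_REGISTRATION:
            for s in unfamiliar:
                if (s["user"] == e["user"] and s["ip"] == e["ip"]
                        and timedelta(0) <= e["t"] - s["t"] <= window):
                    alerts.append({
                        "user": e["user"], "ip": e["ip"],
                        "signin_time": s["time"], "registration_time": e["time"],
                        "minutes_between": (e["t"] - s["t"]).seconds // 60,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_enrollment_after_new_ip(EVENTS, KNOWN_IPS):
        print(f"ALERT {a['user']}: new MFA method from unfamiliar {a['ip']} "
              f"{a['minutes_between']} min after sign-in")
```

With the default 30-minute window only the CFO pair fires; widening the window trades the CEO-style late registration for more noise, so tune it against your own tenant's baseline.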
Access Point recommends the following:
- Email Filtering Solutions: Deploy advanced email filtering solutions to proactively identify and block phishing emails before they reach users' inboxes.
- Threat Detection and Response: Implement robust threat detection and response mechanisms to swiftly identify and mitigate account takeover attempts.
- Enhanced Authentication: Explore authentication methods beyond traditional MFA to enhance security, given that sophisticated attackers are adapting to bypass these measures.
- Cloud Environment Monitoring: Regularly monitor and audit external access to cloud environments to swiftly detect and counteract unauthorized activities.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1566.002 - Spearphishing Link.
- T1553 - Subvert Trust Controls.
- T1134 - Access Token Manipulation.
- T1114 - Email Collection.
- T1565.002 - System Services.
Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization
Analysis: Attackers have shifted their focus towards exploiting Microsoft identities to gain unauthorized access to connected Microsoft applications and federated SaaS applications. Instead of relying on vulnerabilities, they are manipulating native Microsoft functionality to achieve their objectives. The Nobelium attacker group, known for the SolarWinds attacks, has been observed leveraging various native features, including the creation of Federated Trusts, to establish persistent access within a Microsoft tenant.
This article highlights an additional avenue attackers can exploit to gain persistent access and execute lateral movement within a Microsoft cloud tenant. By exploiting misconfigured Cross-Tenant Synchronization (CTS) configurations, attackers can potentially access other connected tenants or implant a rogue CTS configuration for prolonged access within a single tenant. CTS, a Microsoft feature designed to streamline user and group synchronization between source and target tenants, provides a seamless collaboration experience. However, attackers are using CTS for unauthorized lateral movement and to maintain backdoor access.
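An audit of a tenant's partner configurations for the two CTS problems named above (a partner nobody approved, and inbound sync combined with automatic redemption), written as an added example that is not from the original newsletter or from Microsoft. The field names mirror Microsoft Graph's crossTenantAccessPolicyConfigurationPartner resource, but the sample records, the inlined identitySynchronization object and the approved-partner list are constructed assumptions:

```python
# Constructed approved-partner list: the tenants the business actually agreed to
# collaborate with.  Anything else in the policy is unexpected.
APPROVED_PARTNERS = {
    "11111111-1111-1111-1111-111111111111",
    "33333333-3333-3333-3333-333333333333",
}

# Constructed export of partner configurations.  identitySynchronization is
# normally a separate per-partner resource in Graph; it is inlined here.
PARTNERS = [
    {   # approved partner, but configured for silent inbound provisioning
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "inboundTrust": {"isMfaAccepted": True, "isCompliantDeviceAccepted": False},
        "automaticUserConsentSettings": {"inboundAllowed": True, "outboundAllowed": False},
        "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": True}},
    },
    {   # partner nobody approved: the "rogue CTS configuration" case
        "tenantId": "22222222-2222-2222-2222-222222222222",
        "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False},
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": False},
        "identitySynchronization": None,
    },
    {   # approved partner with collaboration only: no sync, no auto-redemption
        "tenantId": "33333333-3333-3333-3333-333333333333",
        "inboundTrust": {"isMfaAccepted": False, "isCompliantDeviceAccepted": False},
        "automaticUserConsentSettings": {"inboundAllowed": False, "outboundAllowed": True},
        "identitySynchronization": None,
    },
]


def audit_cts_partners(partners, approved):
    """Return (tenantId, severity, message) findings for each partner config."""
    findings = []
    for p in partners:
        tid = p["tenantId"]
        if tid not in approved:
            findings.append((tid, "high",
                             "partner tenant not on the approved list; possible rogue CTS configuration"))
        sync_in = (p.get("identitySynchronization") or {}).get("userSyncInbound") or {}
        consent = p.get("automaticUserConsentSettings") or {}
        if sync_in.get("isSyncAllowed") and consent.get("inboundAllowed"):
            # Partner-side provisioning plus automatic invitation redemption means
            # accounts appear in this tenant with no prompt anyone would notice.
            findings.append((tid, "high",
                             "inbound user sync with automatic redemption: partner users are "
                             "provisioned into this tenant without any consent prompt"))
        elif sync_in.get("isSyncAllowed"):
            findings.append((tid, "medium",
                             "inbound user sync enabled; verify the partner-side scope is limited"))
        if (p.get("inboundTrust") or {}).get("isMfaAccepted"):
            findings.append((tid, "medium",
                             "MFA claims from the partner tenant are trusted; a compromised "
                             "partner account satisfies MFA here"))
    return findings


if __name__ == "__main__":
    for tid, severity, message in audit_cts_partners(PARTNERS, APPROVED_PARTNERS):
        print(f"[{severity.upper()}] {tid}: {message}")
```

In a live tenant the same records come from Microsoft Graph, `GET /policies/crossTenantAccessPolicy/partners` for the partner list and `.../partners/{tenantId}/identitySynchronization` for each partner's sync settings, read with a read-only policy permission; run the audit on a schedule so a newly added partner shows up as a diff rather than years later.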
Access Point recommends the following:
- Cross-Tenant Synchronization Configuration: Ensure that Cross-Tenant Synchronization (CTS) is properly configured and monitored to prevent misuse by attackers.
- Privilege Management: Limit privileges for accounts with access to CTS and enforce strict monitoring of privileged accounts to prevent unauthorized actions.
- Conditional Access Policies: Implement additional conditional access policies to restrict unauthorized access and fortify security measures.
- Behavioral Analytics: Utilize behavioral analytics to detect abnormal activities and potential privilege abuse within Microsoft cloud environments.
- Threat Detection Solutions: Deploy advanced threat detection solutions capable of identifying anomalous usage of CTS and other native functionalities.
- Regular Testing: Periodically test cloud security measures using frameworks like the MAAD-Attack Framework to identify and address vulnerabilities proactively.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1098 - Account Manipulation.
- T1094 - Custom Command and Control.
- T1134 - Access Token Manipulation.
- T1071 - Application Layer Protocol.
- T1547 - Boot or Logon Autostart Execution.
- T1106 - Execution through API.
China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign
Analysis: A cyber espionage group attributed to China's Ministry of State Security (MSS), known as RedHotel (previously TAG-22), has been identified as the source of cyberattacks spanning 17 countries across Asia, Europe, and North America between 2021 and 2023. The group's activities align with other known clusters, including Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla. Operating since 2019, RedHotel has targeted sectors such as academia, aerospace, government, media, telecommunications, and research. Government organizations have been the primary victims during this period.
RedHotel's objectives encompass both intelligence gathering and economic espionage, focusing on conventional intelligence targets and entities engaged in COVID-19 research and technology development. Recorded Future, a cybersecurity firm, characterizes RedHotel as a skilled and formidable threat actor driven by cyber espionage and financial motivations. The group exploits vulnerabilities like Log4Shell and targets sectors including telecommunications, academia, R&D, and government in regions like Nepal, the Philippines, Taiwan, and Hong Kong.
RedHotel employs a multi-pronged approach involving public-facing applications for initial access. Offensive security tools and custom malware families like Cobalt Strike, Brute Ratel C4 (BRc4), FunnySwitch, ShadowPad, Spyder, and Winnti are used post-initial access. The group establishes long-term network access through command-and-control servers, often registering domains via NameCheap for reconnaissance purposes. In a notable incident, RedHotel used a stolen code signing certificate from a Taiwanese gaming company to sign a DLL file in a campaign during late 2022.
Access Point recommends the following:
- Bolster Network Security Measures: Organizations targeted by RedHotel should enhance their network security infrastructure. Implement advanced firewalls, intrusion detection and prevention systems (IDPS), and network segmentation to prevent unauthorized access and lateral movement.
- Enforce Robust Access Controls: Ensure stringent access controls are in place. Implement the principle of least privilege (PoLP) to limit user permissions and access to critical systems. Use strong authentication mechanisms and enforce multi-factor authentication (MFA) for sensitive accounts.
- Maintain Updated Security Infrastructure: Regularly update and patch all software and systems to address known vulnerabilities. Vulnerable software provides an opportunity for threat actors to gain a foothold in the network.
- Employ Advanced Threat Detection Solutions: Deploy advanced threat detection tools that can identify and respond to anomalous behavior, unauthorized access, and suspicious activities. Utilize intrusion detection systems (IDS), security information and event management (SIEM), and endpoint detection and response (EDR) solutions.
- Robust Incident Response Plans: Develop and maintain comprehensive incident response plans tailored to cyber espionage threats like RedHotel. These plans should outline clear steps to detect, isolate, mitigate, and recover from attacks swiftly while minimizing business impact.
- Monitor Domain Registrations: Stay vigilant by monitoring domain registrations, especially those registered through services like NameCheap. Detecting potentially malicious domains can aid in early threat detection and prevention.
- Protect Code Signing Certificates: Safeguard code signing certificates from unauthorized use. Regularly monitor their usage and ensure proper controls to prevent misuse by threat actors attempting to sign malicious software.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1190 - Exploit Public-Facing Application.
- T1087 - Account Discovery.
- T1055 - Process Injection.
- T1065 - Uncommonly Used Port.
- T1569 - System Services.
New Statc Stealer Malware Emerges: Your Sensitive Data at Risk
Analysis: A newly identified strain of information-stealing malware named Statc Stealer has emerged, specifically targeting Microsoft Windows devices. This malicious software has been designed with the intent to steal sensitive personal and payment information from its victims. The malware possesses the capability to extract a wide array of data, ranging from login credentials and cookies to web data, cryptocurrency wallets, and messaging app information like that from Telegram. Written in C++, Statc Stealer spreads through seemingly innocuous ads that imitate MP4 video files on popular web browsers such as Google Chrome.
The infection process hinges on enticing victims to click on these deceptive ads, inadvertently leading to the downloading and execution of the malware onto their systems. This two-stage payload involves a downloaded binary fetching the actual stealer malware from a remote server through a PowerShell script. Statc Stealer employs an assortment of tactics to avoid detection, including measures to evade sandboxes and thwart reverse engineering. It establishes connections with a command-and-control server via HTTPS, facilitating the secure transmission of pilfered data. Notably, this malware targets a range of widely used web browsers, including Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, Opera, and Yandex Browser.
This malware's capacity to extract valuable data from web browsers has thrust it into the limelight as a significant threat. Coinciding with this discovery, eSentire has conducted an analysis of an upgraded version of Raccoon Stealer, another information-stealing malware. The enhanced iteration of Raccoon Stealer boasts features such as Signal Messenger data collection, evasion techniques aimed at avoiding detection by security tools like Defender, and an automated brute-forcing capability for cryptocurrency wallets.
Access Point recommends the following:
- Stay Updated: Maintain up-to-date operating systems, browsers, and security software to effectively mitigate potential vulnerabilities.
- Ad Blockers: Deploy ad blockers to minimize exposure to potentially malicious ads and deceptive distribution tactics.
- Layered Security: Implement multi-layered security solutions that proactively detect and prevent malware infections from infiltrating your systems.
- Browser Extensions: Enhance your defense mechanisms with reputable browser extensions that bolster protection against malicious scripts and ads.
- Behavioral Analysis: Strengthen your endpoint security with behavioral analysis solutions that swiftly identify and address unusual or suspicious activities.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1055 - Process Injection.
- T1036 - Masquerading.
- T1116 - Code Signing.
- T1027 - Obfuscated Files or Information.
- T1071 - Application Layer Protocol.
New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks
Analysis: In a concerning development, threat actors are harnessing a legitimate Rust-based injector tool called Freeze[.]rs to propagate the XWorm commodity malware across targeted environments. This intricate attack chain was unveiled by Fortinet FortiGuard Labs on July 13, 2023, and revolves around a phishing email strategy that employs a malicious PDF file. The sequence of events encompasses the delivery of the Remcos RAT through a crypter named SYK Crypter, which was initially exposed by Morphisec in May 2022.
The assault commences with a malevolent PDF file embedded in a phishing email. Upon interaction, the PDF redirects to an HTML file, utilizing the "search-ms" protocol to access a remote LNK file. Activation of this LNK file triggers a PowerShell script that sets in motion the deployment of both the Freeze[.]rs injector and the SYK Crypter for further illicit activities. Freeze[.]rs, an openly available red teaming tool introduced on May 4, 2023, is a payload creation utility designed to bypass security solutions by circumventing userland EDR hooks and executing shellcode discreetly.
In parallel, SYK Crypter comes into play as a distribution tool for various malware families. Employing a .NET loader attached to emails, it retrieves content from the Discord content delivery network (CDN). Attackers craft these emails to masquerade as benign purchase orders, camouflaging their malicious intent. This complex assault culminates in the deployment of the XWorm remote access trojan, equipped with capabilities such as data exfiltration, screenshot capture, keystroke logging, and remote control of compromised devices. The conjunction of XWorm and Remcos RAT results in a potent and malicious trojan replete with diverse functionalities.
The attack tactic exploits the "search-ms" URI protocol handler, utilizing HTML or PDF attachments to impersonate LNK files. Executing a PowerShell script from these attachments launches the Rust-based injector, displaying a decoy PDF document to divert suspicion. Notably, this research underscores the rapid adoption of offensive tools by malicious actors, exemplified by the quick uptake of Freeze[.]rs, a tool just three months old at the time of the attack.
Furthermore, additional campaigns leveraging the XWorm malware have come to light, with Trellix disclosing a similar scheme. The campaign, employing social engineering emails housing malicious attachments, targets various sectors and countries.
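A mail-gateway style check for the first link of the chain above: scan an HTML attachment for "search-ms:" URIs whose location points off the host, which is the property that lets such a lure reach a remote LNK file. This is an added example, not code from the original newsletter or from Fortinet's research; the sample attachment is constructed, and the only search-ms parameter the check relies on is the documented crumb=location: one.

```python
import html
import re
from urllib.parse import unquote

# A search-ms: URI runs up to the next quote, whitespace or tag delimiter.
SEARCH_MS_RE = re.compile(r"search-ms:[^\"'\s<>]+", re.IGNORECASE)
# UNC path or URL: the search scope lives somewhere other than this machine.
REMOTE_LOCATION_RE = re.compile(r"^(\\\\|//|https?://)", re.IGNORECASE)


def find_remote_search_ms(attachment_text):
    """Return (uri, location) for every search-ms URI whose crumb=location:
    parameter names a UNC path or URL rather than a local folder."""
    text = html.unescape(attachment_text)          # &amp; -> & inside href values
    hits = []
    for match in SEARCH_MS_RE.finditer(text):
        uri = unquote(match.group(0))              # undo %-encoding before parsing
        for param in uri[len("search-ms:"):].split("&"):
            key, _, value = param.partition("=")
            if key.lower() != "crumb" or not value.lower().startswith("location:"):
                continue
            location = value[len("location:"):]
            if REMOTE_LOCATION_RE.match(location):
                hits.append((uri, location))
    return hits


# Constructed attachment: one lure pointing at a remote share, one local search.
SAMPLE_HTML = """
<html><body>
<p>Your document is ready.</p>
<a href="search-ms:query=Invoice&amp;crumb=location:\\\\203.0.113.5\\docs&amp;displayname=Downloads">Open</a>
<a href="search-ms:query=report&amp;crumb=location:C:\\Users\\Public">Search local</a>
</body></html>
"""


if __name__ == "__main__":
    for uri, location in find_remote_search_ms(SAMPLE_HTML):
        print(f"REMOTE search-ms scope {location!r} in {uri!r}")
```

Anything the check flags deserves quarantine rather than delivery; a legitimate document has no reason to open a Windows search scoped to someone else's server.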
Access Point recommends the following:
- User Education: Organizations must educate users about the dangers of interacting with attachments from unknown sources and clicking on suspicious links.
- Email Filtering: Robust email filtering solutions should be implemented to identify and neutralize phishing emails.
- Software Updates: Regular updates of operating systems and applications are crucial to minimizing vulnerabilities.
- Multi-Layered Security: Multi-layered security solutions must be in place to detect and prevent malware infiltrations.
- Behavioral Analysis: Employing behavioral analysis tools aids in the detection of abnormal activities on endpoints.
- URL Filtration: URL filtering can be employed to obstruct access to known malicious domains.
- Payload Analysis: Examining payloads in a controlled environment facilitates understanding their behavior and potential impact.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1566.001: Phishing: Spearphishing Attachment: The attack initiates with a phishing email containing a malicious PDF attachment.
- T1059.007: Command and Scripting Interpreter: PowerShell is used to execute scripts that trigger the Rust-based injector and the SYK Crypter.
- T1055.012: Process Injection: The Freeze[.]rs injector may employ process injection techniques to execute shellcode stealthily.
- T1059.003: PowerShell: PowerShell scripts are used to execute the various components of the attack.
- T1074.001: Data Staged: The attacker stages the SYK Crypter for deployment.
- T1027: Obfuscated Files or Information: Malicious files and scripts are obfuscated to evade detection.
- T1574: Hijack Execution Flow: The attacker redirects the execution flow to trigger malicious activities.
- T1503: Credentials in Files: The attacker aims to steal credentials stored in various files.
- T1087: Account Discovery: The malware gathers machine information, potentially including account details.
- T1113: Screen Capture: The XWorm malware can capture screenshots.
- T1056: Input Capture: XWorm can record keystrokes to capture sensitive information.
- T1071.001: Application Layer Protocol: The "search-ms" protocol is abused to access remote files and execute payloads.
- T1070.004: File Deletion: The malware may delete temporary files or logs to cover its tracks.
Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics
Analysis: The Chinese threat actor APT31, also known as Bronze Vinewood, Judgement Panda, or Violet Typhoon, has come under scrutiny for its utilization of an advanced set of backdoors designed to exfiltrate harvested sensitive information to Dropbox. This revelation emerged from an in-depth analysis conducted by Kaspersky, shedding light on APT31's previously undisclosed tactics. These backdoors are part of a larger arsenal of more than 15 implants employed by APT31 in targeted attacks on industrial organizations in Eastern Europe during 2022. The primary objective of these attacks was to establish a persistent channel for data exfiltration, even from air-gapped systems.
The attack methodology is organized into a three-stage malware stack, each serving a distinct purpose within the attack chain: initiating persistence, gathering sensitive data, and transmitting the compromised information to a remote server controlled by the threat actor. Notably, APT31 leveraged a command-and-control (C2) server within the corporate perimeter as a proxy for data siphoning from systems lacking direct internet access, indicating a deliberate focus on air-gapped hosts. Kaspersky's analysis further revealed that the threat actor used various tools to manually upload stolen data to commonly used cloud-based storage platforms, including Yandex Disk, extraimage, imgbb, imgshare, schollz, and zippyimage. Additionally, a specific implant was configured to send data through the Yandex email service.
These findings underscore APT31's strategic planning, adaptability, and capacity to develop new capabilities to support its cyber espionage endeavors. By exploiting widely adopted cloud-based data storage services, the attackers can potentially bypass security mechanisms. However, this approach also heightens the risk of data leaks should a third party gain access to the storage used by the threat actors.
Access Point recommends the following:
- Network Segmentation: Implement network segmentation to isolate critical systems from less secure areas, mitigating the impact of potential breaches.
- Access Controls: Apply stringent access controls and security measures to air-gapped systems, preventing unauthorized data transfers.
- Endpoint Protection: Deploy advanced endpoint protection solutions to detect and thwart malicious activities on systems.
- Network Monitoring: Utilize robust network monitoring solutions to identify suspicious traffic patterns and anomalous behaviors.
- Cloud Storage Security: Securely configure and continuously monitor cloud-based storage services to prevent unauthorized access and data leakage.
- Data Encryption: Employ encryption for sensitive data both at rest and during transit to mitigate the potential impact of data breaches.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1003.001 - OS Credential Dumping.
- T1064 - Scripting.
- T1027 - Obfuscated Files or Information.
- T1002 - Data Compressed.
- T1001.001 - Data Obfuscation.
- T1571 - Non-Standard Port.
- T1071.001 - Application Layer Protocol.
MoustachedBouncer hackers use AiTM attacks to spy on diplomats
Analysis: A cyberespionage group dubbed 'MoustachedBouncer' has recently come into focus for its involvement in adversary-in-the-middle (AitM) attacks on internet service providers (ISPs), with a specific focus on targeting foreign embassies within Belarus. According to researchers from ESET, this group has carried out five distinct campaigns, with their activity believed to extend back to at least 2014. Since 2020, 'MoustachedBouncer' has leveraged AitM attacks via Belarusian ISPs to compromise targeted Windows 10 systems. The group's arsenal comprises two notable malware frameworks, namely 'NightClub' and 'Disco,' each tailored to fulfill specific objectives.
The 'NightClub' framework, which has evolved since its inception in 2014, initially facilitated file monitoring, SMTP exfiltration, and command-and-control (C2) communications. In its latest version (2020-2022), it has expanded to include capabilities such as capturing screenshots, recording audio, logging keystrokes, and establishing a DNS-tunneling backdoor for C2 interactions. On the other hand, the 'Disco' framework, introduced in 2020, is propagated through AitM-based attack chains. This framework employs various Go-based plugins to extend its functionality, encompassing activities like taking screenshots, executing PowerShell scripts, exploiting vulnerabilities, and setting up reverse proxies. Notably, the malware employs SMB shares for data exfiltration, adding an extra layer of complexity to detection efforts.
'MoustachedBouncer' maintains a hidden and secluded C2 infrastructure, which complicates access and takedown efforts by security researchers. To counter AitM attacks, ESET recommends diplomats and embassy personnel in Belarus utilize end-to-end encrypted VPN tunnels to secure their internet activities.
Access Point recommends the following:
- Secure Internet Communications: Implement end-to-end encrypted VPN tunnels to safeguard internet communications against interception and manipulation in AitM attacks.
- Regular Patching: Ensure operating systems and software are frequently updated with the latest security patches to mitigate vulnerabilities.
- Network Monitoring: Deploy network monitoring solutions to identify and respond to unusual or unauthorized network activity indicative of AitM attacks.
- Employee Training: Provide comprehensive training to employees about recognizing phishing attempts, social engineering tactics, and other common attack vectors.
- Endpoint Security: Utilize robust endpoint security solutions capable of detecting and preventing the execution of malicious payloads.
- Multi-Factor Authentication (MFA): Enforce MFA for critical accounts to add an additional layer of security against unauthorized access.
- Incident Response Plan: Develop and maintain a well-defined incident response plan to effectively address potential security incidents.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- T1565.002: Bypass User Account Control: If MoustachedBouncer exploits vulnerabilities for privilege escalation.
- T1134: Access Token Manipulation: If MoustachedBouncer manipulates access tokens to bypass security controls.
- T1025: Data from Removable Media: If the malware uses removable media for data exfiltration.
- T1055: Process Injection: For the malware's execution using DLL side-loading.
- T1071: Application Layer Protocol: To communicate with C2 infrastructure.
- T1053: Scheduled Task: For establishing persistence.
- T1204: User Execution: As users are likely to initiate the malware by clicking on fake Windows Update prompts.
Lapsus$ hackers took SIM-swapping attacks to the next level
Analysis: The U.S. Department of Homeland Security's (DHS) Cyber Safety Review Board (CSRB) has recently released a comprehensive report outlining the tactics employed by the Lapsus$ extortion group in breaching organizations that boast strong security postures. The group's targets include prominent entities such as Microsoft, Cisco, and T-Mobile. In a display of ingenuity, Lapsus$ utilized relatively straightforward techniques like SIM swapping to gain unauthorized access to internal networks and pilfer confidential data. The group, composed of loosely-affiliated teenagers hailing from the U.K. and Brazil, appears motivated by a mix of notoriety, financial gain, and sheer amusement. Their unconventional approach fuses techniques of varying complexities, highlighting their creative adaptation.
To counter such threats and bolster cybersecurity measures, several recommendations have been put forth. First and foremost, the transition towards a passwordless environment is encouraged, fortified by robust identity and access management solutions. The use of SMS as a two-step authentication method is advised against, in favor of adopting more resilient authentication alternatives to thwart multi-factor authentication (MFA) phishing attacks. Telecommunication providers are urged to enforce stringent identity verification processes for SIM swaps, along with offering mechanisms for account locking. To ensure more effective oversight and enforcement, it's recommended that regulatory bodies like the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) strengthen their activities in this realm.
For organizations, embracing a zero-trust model and enhancing authentication practices are pivotal steps. Furthermore, building resilience against social engineering tactics, especially the use of Emergency Disclosure (Data) Requests, is paramount. The report underscores the importance of enhanced collaboration with law enforcement agencies, urging prompt reporting of incidents and seeking clear government guidance to efficiently counter emerging cyber threats.
Access Point recommends the following:
- Transition to Passwordless: Implement secure identity and access management solutions while transitioning towards a passwordless environment.
- Avoid SMS for Authentication: Discard SMS as a two-step authentication method and opt for more resilient authentication mechanisms.
- Telecommunication Security: Telecom providers should strengthen identity verification for SIM swaps and provide options for account locking.
- Regulatory Oversight: Enhance oversight and enforcement activities by bodies such as the FCC and FTC to ensure effective regulation.
- Zero-Trust and Strong Authentication: Adopt a zero-trust model and reinforce authentication practices within organizations.
- Resilience against Social Engineering: Build resilience against social engineering tactics, including Emergency Disclosure (Data) Requests.
- Cooperation with Law Enforcement: Increase collaboration with law enforcement agencies by reporting incidents promptly and seeking government guidance.
MITRE ATT&CK Technique Numbers associated with this campaign include:
- Credential Access: T1475 - Supply Chain Compromise.
- Initial Access: T1195 - Supply Chain Compromise, T1190 - Exploit Public-Facing Application.
- Execution: T1027 - Obfuscated Files or Information.
- Defense Evasion: T1055 - Process Injection, T1027 - Obfuscated Files or Information, T1189 - Drive-by Compromise.
- Credential Access: T1110 - Brute Force, T1187 - Forced Authentication.
- Collection: T1115 - Clipboard Data, T1113 - Screen Capture.
- Exfiltration: T1041 - Exfiltration Over C2 Channel, T1002 - Data Compressed.
- Impact: T1486 - Data Encrypted for Impact.
Vulnerabilities
Several Flaws Found in CyberPower and Dataprobe Products
Analysis: Recent security assessments have brought attention to potential vulnerabilities within data center operations, specifically impacting CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot power distribution unit (PDU). Identified by Trellix cybersecurity experts, these vulnerabilities have been assigned severity scores ranging from 6.7 to 9.8, indicating their capacity to grant malicious actors considerable control – from immobilizing entire data centers to launching large-scale cyberattacks.
For Dataprobe's iBoot PDU, the vulnerabilities comprise CVE-2023-3259, allowing for authentication bypass; CVE-2023-3260, enabling authenticated remote code execution; CVE-2023-3261, leading to denial-of-service (DoS); CVE-2023-3262, highlighting the risk of hard-coded credentials; and CVE-2023-3263, addressing alternate name authentication bypass. Meanwhile, CyberPower's PowerPanel Enterprise is also susceptible, with vulnerabilities including CVE-2023-3264, involving hard-coded credentials; CVE-2023-3265, linked to authentication bypass; CVE-2023-3266, centered around authentication bypass due to security check failures; and CVE-2023-3267, allowing authenticated remote code execution.
The positive news is that both platforms have addressed these vulnerabilities in their latest releases. While active exploitation of these vulnerabilities has not been observed, it's essential for organizations to proactively apply available patches to bolster data center security. In addition to patching, further protective measures can enhance security, such as isolating PowerPanel Enterprise or iBoot PDU from the broader internet. Specifically, deactivating remote access via Dataprobe's cloud service is recommended.
Access Point recommends the following updates:
- Version 2.6.9 for PowerPanel Enterprise
- Version 1.44.08042023 for Dataprobe iBoot PDU firmware
Although active exploitation is not reported at present, businesses should adopt a proactive stance by implementing isolation measures and disabling remote access through Dataprobe’s cloud service. This proactive approach will not only mitigate potential risks but also safeguard data center operations from potential future zero-day exploits.
Hacking ATMs by exploiting flaws in ScrutisWeb ATM fleet software
Analysis: ScrutisWeb, a remote ATM fleet management software developed by Iagona, has been found to contain multiple vulnerabilities following an assessment by the Synack Red Team. These vulnerabilities, tracked as CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189, introduce potential avenues for malicious actors to exploit ATMs remotely. The vulnerabilities encompass Absolute Path Traversal, enabling the download of configurations, logs, and databases; Remote Code Execution, which can grant user access to ATM controllers; Insecure Direct Object Reference, potentially revealing all user data, including administrators'; and a Hardcoded Encryption Key, which could unveil plaintext administrator credentials.
Iagona promptly responded by addressing these vulnerabilities in ScrutisWeb version 2.1.38, released in July 2023. The Absolute Path Traversal flaw (CVE-2023-33871) had implications for sensitive server data downloads. The Remote Code Execution vulnerability (CVE-2023-35189) could be leveraged in conjunction with other issues to attain user-level access to ATM controllers. CVE-2023-38257, characterized as an Insecure Direct Object Reference, could be manipulated to extract information about all system users. The Hardcoded Encryption Key (CVE-2023-35763) posed risks tied to revealing plaintext administrator credentials.
Access Point recommends the following:
- Update Software: Organizations should promptly update to the latest version, ScrutisWeb 2.1.38, which addresses the identified vulnerabilities.
- Network Minimization: Adhere to the guidance provided by the US Cybersecurity and Infrastructure Security Agency (CISA) by minimizing network exposure for all control system devices, placing them behind firewalls away from internet access and business networks.
- Remote Access Security: If remote access is necessary, consider using updated Virtual Private Networks (VPNs), while recognizing the inherent risks associated with VPNs. Ensure that connected devices are secure and updated.
Multiple Flaws Uncovered in Data Center Systems
Analysis: Data centers, which play an integral role in managing and storing vast amounts of digital information, are under a heightened security risk due to several vulnerabilities discovered in their power management systems and technologies. Researchers Sam Quinn and Jesse Chick from Trellix have identified a combined total of nine significant vulnerabilities in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management (DCIM) platform and Dataprobe's iBoot Power Distribution Unit (PDU). These vulnerabilities, if exploited, could grant unauthorized access to attackers, enabling them to establish backdoors, remotely inject code, and even seize control of a larger connected network within data centers.
The vulnerabilities, indexed from CVE-2023-3259 to CVE-2023-3267, vary in their risk magnitude with CVSS scores ranging between 6.7 and 9.8. The CyberPower DCIM vulnerabilities encompass risks from hard-coded credentials to operating system command injections, while Dataprobe's iBoot-PDU flaws involve threats like buffer overflows and authentication bypasses. Both companies' products serve as crucial tools for IT teams to remotely manage, configure, and monitor data center infrastructure. Notably, CyberPower's platform is often utilized by major cloud providers, including AWS, Google Cloud, and Microsoft Azure, whereas Dataprobe's products are typically found in mid-sized data centers catering to SMBs.
If attackers exploit these vulnerabilities, they could not only disrupt power supplies, leading to significant outages, but also inflict physical damage to the hardware components. Such manipulations could inflict hefty financial losses, given that some data center outages have historically cost anywhere from $100,000 to over $1 million. Additionally, the potential scale of the threat extends beyond mere outages. The vulnerabilities can be leveraged by malicious entities to orchestrate widespread malware attacks, such as ransomware, DDoS, or even attacks mirroring the severity of infamous cyber incidents like Stuxnet or WannaCry. As a protective measure, it is urged that all affected entities promptly install the recommended security patches.
Access Point recommends the following:
- Install Security Patches: Promptly download and install the available security patches provided by CyberPower and Dataprobe to address the identified vulnerabilities in their respective data center management systems.
- Conduct Thorough Security Assessments: Perform thorough security assessments of data center infrastructure to identify potential vulnerabilities and weaknesses beyond the known issues. This proactive approach can help uncover hidden risks.
- Regular Maintenance and Updates: Implement a regular maintenance schedule for data center equipment, including power management systems. Keep all components up to date with the latest firmware and software updates to mitigate known vulnerabilities.
- Implement Network Segmentation: Segment the data center network to minimize the potential impact of a breach or unauthorized access. Isolate critical systems from less secure areas to contain potential threats.
- Incident Response Planning: Develop and maintain a comprehensive incident response plan tailored to data center operations. This plan should outline clear steps to take in the event of a security breach or unauthorized access.
New Python URL Parsing Flaw Could Enable Command Execution Attacks
Analysis: A significant security vulnerability has been identified in the Python URL parsing function "urlparse." This flaw can be exploited to sidestep domain or protocol filtering mechanisms that utilize a blocklist, potentially enabling attackers to perform arbitrary file reads and command execution. The CERT Coordination Center (CERT/CC) highlighted the parsing issue in "urlparse," especially when a URL begins with blank characters, which compromises both hostname and scheme parsing. This flaw is designated as CVE-2023-24329 with a CVSS score of 7.5. Yebo Cao, a security researcher, detected and reported this vulnerability in August 2022, which has since been rectified in several Python versions, including 3.12, 3.11.4, 3.10.12, 3.9.17, 3.8.17, and 3.7.17.
The "urlparse" function in the "urllib.parse" module, which is commonly used to deconstruct URLs or combine URL components, is central to this vulnerability. Specifically, CVE-2023-24329 is tied to insufficient input validation. Consequently, attackers can circumvent blocklist methods by providing URLs commencing with blank characters, such as " https://youtube[.]com". Although blocklisting is not always the preferred security measure, it remains vital in certain contexts. According to Cao, this vulnerability could assist attackers in evading scheme and host protections established by developers, and it holds the potential to aid in Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE) across various situations.
Furthermore, recent investigations have revealed that Python often addresses security issues through discreet code commits, without mapping them to specific Common Vulnerabilities and Exposures (CVE) identifiers. This silent approach to security fixes might give malicious individuals an edge, allowing them to exploit yet-to-be-disclosed vulnerabilities in systems that haven't been updated.
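As an added illustration (not code from the advisory, from Cao's report, or from CPython), the check below shows a urlparse()-based blocklist of the kind CVE-2023-24329 defeats beside a hardened version of the same policy; the blocked host, the allowed schemes and the probe URL are constructed for the example.

```python
"""Blocklist filtering with urllib.parse.urlparse: the pattern that
CVE-2023-24329 bypasses, and a version that fails closed instead."""
from urllib.parse import urlparse

# Constructed policy for this example (not from the original page).
BLOCKED_HOSTS = {"youtube.com"}
ALLOWED_SCHEMES = {"http", "https"}


def is_allowed_naive(url: str) -> bool:
    """Blocklist check in the style that the vulnerability defeats.

    On an unpatched interpreter, urlparse(" https://youtube.com") yields
    scheme='' and netloc='' (the whole string lands in .path), so neither
    the scheme nor the hostname matches the blocklist and the URL passes.
    """
    parts = urlparse(url)
    if parts.scheme == "file":              # blocklisting a dangerous scheme
        return False
    return (parts.hostname or "") not in BLOCKED_HOSTS


def is_allowed_hardened(url: str) -> bool:
    """Same policy, made resistant to the leading-blank bypass.

    1. Refuse input that does not begin with an ASCII letter: RFC 3986
       schemes start with ALPHA, so leading blanks or control characters
       are never legitimate and must not be silently tolerated.
    2. Allowlist the scheme rather than blocklisting it, so an empty or
       unexpected scheme is rejected.
    3. Require a non-empty hostname and match it case-insensitively,
       including subdomains of a blocked host.
    """
    if not url or not url[0].isascii() or not url[0].isalpha():
        return False
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return not any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)


def interpreter_is_affected() -> bool:
    """True when this interpreter's urlparse still mishandles a leading blank."""
    return urlparse(" https://example.com").hostname is None


if __name__ == "__main__":
    print("urlparse affected by CVE-2023-24329:", interpreter_is_affected())
    for probe in ("https://youtube.com", " https://youtube.com",
                  "\thttps://www.youtube.com", " file:///etc/passwd",
                  "https://example.com"):
        print(f"{probe!r:32} naive={is_allowed_naive(probe)!s:5} "
              f"hardened={is_allowed_hardened(probe)}")
```

On an unpatched interpreter, interpreter_is_affected() returns True and is_allowed_naive(" https://youtube.com") wrongly returns True; the hardened check returns False for that input on every Python version.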
Access Point recommends the following:
- Upgrade to Corrected Versions: If using vulnerable Python versions, promptly upgrade to the corrected versions, which include the security fix. Specifically, consider migrating to Python versions 3.12, 3.11.4, 3.10.12, 3.9.17, 3.8.17, or 3.7.17 to mitigate the CVE-2023-24329 vulnerability.
- Validate Input Data: Developers should thoroughly validate input data, especially when dealing with URLs and parsing functions. Implement robust input validation mechanisms to prevent the exploitation of vulnerabilities like the one found in "urlparse."
- Security Best Practices: Follow security best practices when implementing URL filtering mechanisms. While blocklisting might not always be foolproof, it remains a valuable layer of defense in specific contexts. Ensure it's effectively implemented alongside other security measures.
- Stay Informed: Stay updated on security advisories and alerts related to Python and its libraries. Being aware of vulnerabilities and their fixes is crucial for maintaining a secure development environment.
- Regular Library Updates: Python developers should adopt a proactive approach to updating libraries and frameworks regularly. This practice helps ensure that known security issues are promptly addressed and mitigated.
- Monitor Security Announcements: Keep an eye on Python's official announcements and releases related to security updates. Being vigilant about security-related news and updates can aid in staying ahead of potential vulnerabilities.
Microsoft enables Windows Kernel CVE-2023-32019 fix for everyone
Analysis: Microsoft has addressed a Kernel information disclosure vulnerability, labeled as CVE-2023-32019, which was previously treated with caution due to potential breaking changes to the Windows system. This medium severity flaw, rated 4.7/10 and deemed 'important', was found by Google Project Zero's Mateusz Jurczyk. It could allow an authenticated attacker to access privileged process memory for data extraction. Initially, Microsoft offered a security update with the fix in a disabled state, advising users to manually enable it through specific registry values. However, there was hesitation among Windows administrators to implement the fix, concerned about unidentified conflicts it might trigger. Notably, as of the August 2023 Patch Tuesday updates, Microsoft has decided to activate the fix for CVE-2023-32019 by default, removing the need for any additional actions by users. Feedback from Windows administrators post-update has been positive, with no reported complications.
Access Point recommends the following:
- Install August 2023 Patch Tuesday Updates: Ensure that you have installed the August 2023 Patch Tuesday updates for Windows. These updates include the activation of the fix for the CVE-2023-32019 vulnerability by default.
- System Security Enhancement: By applying the Patch Tuesday updates, the fix for the vulnerability will be implemented without requiring any manual adjustments. This action enhances the security of your Windows system and prevents potential unauthorized access to privileged process memory.
- Stay Updated: Keep track of security updates and patches released by Microsoft for your operating system. Staying up-to-date with the latest security fixes is crucial for maintaining a secure computing environment.
- Test and Rollout: While reports from Windows administrators indicate no complications from the update, it's recommended to follow best practices by testing updates in a controlled environment before rolling them out to production systems. This approach helps ensure compatibility and avoids any unforeseen issues.
- Regular Patch Management: Develop a routine patch management strategy to consistently apply security updates and patches as they become available. This proactive approach helps mitigate potential vulnerabilities and enhances overall system security.