CyberWatch

CyberWatch - July 12, 2023

By

Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Barts NHS hack leaves folks on tenterhooks over extortion
  2. The European Union Agency for Cybersecurity (ENISA) released its first cyber threat landscape report for the health sector
  3. Mexico-Based Hacker Targets Global Banks with Android Malware
  4. Silentbob Campaign: Cloud-Native Environments Under Attack
  5. New tool exploits Microsoft Teams bug to send malware to users
  6. New ‘Big Head’ ransomware displays fake Windows update alert

Vulnerabilities

  1. Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari
  2. Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws
  3. Mastodon Social Network Patches Critical Flaws Allowing Server Takeover
  4. MOVEit Transfer customers warned to patch new critical flaw

Ransomware, Malware & Phishing

Barts NHS hack leaves folks on tenterhooks over extortion

Analysis: The BlackCat ransomware gang has claimed an attack on Barts Health NHS Trust, one of the largest hospital groups in the UK, and says it stole approximately 7TB of data. The trust has confirmed the theft and is investigating. The data seen so far is staff-related: financial details, CVs, passport scans and driving licences. It is not yet known whether patient or clinical data was also taken. BlackCat, also tracked as ALPHV, is widely assessed to be a successor to the Russian-speaking DarkSide/BlackMatter operation and has repeatedly gone after healthcare providers for the sensitive data they hold. Its usual playbook is double extortion: deploy ransomware to encrypt files and demand payment for the decryptor, while also exfiltrating data and threatening to publish it on the gang's leak site if the ransom is not paid.

Notably, BlackCat has previously claimed attacks on Reddit, a major Australian law firm, and Western Digital. In the Barts case the focus appears to be data theft rather than encryption: no significant disruption has been reported at the affected hospitals, which points to an exfiltration-only breach. The payment deadline the gang set has passed, and it is unclear whether it will follow through on its threat to publish the data. The UK's National Cyber Security Centre (NCSC) is working with Barts Health NHS Trust and other partners to assess the impact of the breach.

To prevent and limit the damage of attacks like the BlackCat incident, Access Point recommends the following. Keep regular backups that are offline or immutable, and test restores; a backup that has never been restored is an assumption, not a control. Patch systems promptly, and prioritize internet-facing services. Enforce multi-factor authentication on remote access, email and administrative accounts, and apply least privilege so that a single compromised account cannot reach everything. Segment the network to isolate clinical and other critical systems, and run endpoint detection and response on servers and workstations. Because this incident was data theft rather than encryption, monitor for the signs of exfiltration in particular: large or unusual outbound transfers, new cloud-storage or file-transfer tooling, and off-hours access to file shares. Maintain and exercise an incident response plan, run regular security assessments, and give staff security awareness training so that phishing and credential theft are reported early. Together these measures, backed by ongoing vigilance and expert guidance, materially reduce both the likelihood and the impact of a ransomware attack.

The European Union Agency for Cybersecurity (ENISA) released its first cyber threat landscape report for the health sector

Analysis: The European Union Agency for Cybersecurity (ENISA) has published its first cyber threat landscape report for the health sector, analyzing 215 publicly reported incidents in the EU and neighboring countries from January 2021 to March 2023. Ransomware accounts for 54% of the incidents analyzed, yet 73% of surveyed organizations have no dedicated program to mitigate ransomware. Healthcare providers are the primary targets, accounting for 53% of incidents, with hospitals hit in 42% of cases. Patient data, including electronic health records, is the most coveted asset: 46% of incidents aimed to steal or leak healthcare organizations' data. Most attacks are financially motivated, driven by the resale and extortion value of patient data. The report underscores the need for robust cybersecurity practices and calls for a high common level of cybersecurity across the sector to keep operations safe. It estimates the median cost of a significant security incident in the health sector at €300,000, and stresses that better incident reporting and a clearer picture of the threat landscape are needed to identify effective mitigations.

In light of these findings, Access Point recommends that organizations in the healthcare sector implement a comprehensive ransomware mitigation program. This should include regular data backups and extensive employee training to enhance awareness and response capabilities. Protecting patient data is of paramount importance, necessitating strong access controls, encryption, and regular vulnerability assessments. Deploying multi-layered security measures, such as firewalls, intrusion detection systems, and robust authentication mechanisms, is crucial to fortify defenses. Monitoring for insider threats and improving incident reporting and information sharing within the sector are also key considerations. Conducting frequent risk assessments, collaborating with cybersecurity experts, and staying updated on emerging threats will aid organizations in strengthening their security posture and ensuring compliance with regulations.

The ENISA report underscores the urgent need for healthcare organizations to prioritize cybersecurity measures, particularly in mitigating the rising threat of ransomware attacks. By implementing the recommended measures and remaining vigilant, the healthcare sector can bolster its defenses against cyber threats and safeguard patient data while maintaining safe and reliable operations.

Mexico-Based Hacker Targets Global Banks with Android Malware

Analysis: A cybercriminal known as Neo_Net, a Mexico-based, Spanish-speaking threat actor, has been running an Android mobile malware campaign against financial institutions worldwide. The focus has been primarily on Spanish and Chilean banks, resulting in the theft of over €350,000 and the compromise of Personally Identifiable Information (PII) belonging to thousands of victims. Major banks, including Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING, have been among the targeted institutions. Neo_Net's modus operandi is SMS phishing (smishing): messages impersonating the bank use scare tactics to drive recipients to fraudulent landing pages that harvest their login credentials. Victims are then pushed to install rogue Android apps that request SMS permissions, so that the one-time two-factor authentication (2FA) codes the bank sends by text can be captured and the account takeover completed.

To defend against Android mobile malware campaigns like the one attributed to Neo_Net, Access Point recommends that financial institutions take several measures. User education is crucial: customers should be told about the risks of SMS phishing and given guidance on how to identify and avoid such scams, including that the bank will never ask them to install an app from a link in a text message. Moving customers to multi-factor authentication (MFA) methods beyond SMS-based 2FA, such as app-based or hardware tokens, removes the very channel the rogue app intercepts. Financial institutions should leverage threat intelligence to stay informed about emerging threats and actively monitor for indicators of compromise associated with this campaign. Mobile security solutions that can detect and block malicious apps, phishing pages, and SMS-based attacks on customers' devices add a further layer. Finally, a well-defined incident response plan, regularly tested and updated, will enable institutions to respond quickly and effectively when a customer account or device is compromised.

MITRE ATT&CK techniques associated with this campaign include:

  • T1566.002 (Phishing: Spearphishing Link): the SMS lure links to a credential-harvesting page impersonating the bank
  • T1111 (Multi-Factor Authentication Interception): the rogue Android app captures the SMS one-time codes
  • T1636.004 (Mobile ATT&CK, Protected User Data: SMS Messages): the SMS permission the app requests is what gives it access to those codes

Silentbob Campaign: Cloud-Native Environments Under Attack

Analysis: Aqua, a cybersecurity research firm, has uncovered a potentially massive campaign targeting cloud-native environments. The attack infrastructure involves an aggressive cloud worm that specifically targets exposed JupyterLab and Docker APIs. The primary objective of this worm is to deploy the Tsunami malware, hijack cloud credentials and resources, and further propagate itself. The activity, known as Silentbob, is suspected to be linked to the cryptojacking group TeamTNT, although the involvement of an advanced copycat cannot be ruled out.

The investigation conducted by Aqua began after their honeypot was attacked in June 2023. During their analysis, they discovered four malicious container images designed to identify exposed Docker and JupyterLab instances. These images were programmed to deploy a cryptocurrency miner and the Tsunami backdoor. Aqua found that 51 servers with exposed JupyterLab instances had been compromised, indicating exploitation.

The attack strategy involves identifying misconfigured servers, deploying containers, or using the Command Line Interface (CLI) to scan for additional victims and spread the malware. The secondary payload includes a crypto miner and the Tsunami backdoor, which provide the attackers with control over the compromised resources.

To reduce exposure to campaigns like Silentbob, Access Point recommends the following. Never expose the Docker daemon API on a TCP port without TLS client-certificate verification; a plain-TCP listener on 2375 gives anyone who can reach it full control of the host. Bind JupyterLab to localhost or place it behind an authenticating reverse proxy, keep token or password authentication enabled, and do not run it as root. Keep the platform components and their APIs patched, enforce least privilege for the credentials that containers can reach, and segment the network so that a compromised node cannot scan and reach its neighbours. Monitor for anomalous image pulls, unexpected containers and unusual outbound connections from the cluster so that a worm like this is detected early. Back all of this with a well-defined incident response plan and security awareness training for the teams operating the environment.

By implementing these recommended measures, organizations can enhance the security of their cloud-native environments, mitigate the risk of attacks like Silentbob, and better protect their resources and data from unauthorized access and exploitation.
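The two misconfigurations the Silentbob worm scans for can be checked offline from configuration files. The following is an added example written for this newsletter, not Aqua's research code or anything from the campaign: it parses a Docker daemon.json and a JupyterLab jupyter_server_config.py (the assumed file formats and setting names) and flags a Docker API listener on tcp:// without TLS client verification, and a Jupyter server bound to a non-loopback address with token and password authentication disabled. The sample configurations at the bottom are constructed for the demonstration.

```python
"""Offline audit of the Docker and JupyterLab exposures Silentbob abuses (added example)."""
import ast
import json
import re
from typing import Dict, List

LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def audit_docker_daemon(daemon_json: str) -> List[str]:
    """Findings for a daemon.json document; examines the `hosts`, `tls` and `tlsverify` keys."""
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    for listener in cfg.get("hosts", []):
        if not listener.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not reachable over the network
        if not (cfg.get("tls") or cfg.get("tlsverify")):
            # plain TCP: anyone who can reach the port has full control of the daemon
            findings.append(f"docker: unauthenticated TCP API listener {listener} (no tls/tlsverify)")
        elif not cfg.get("tlsverify"):
            # TLS without client-certificate verification encrypts the channel but admits any client
            findings.append(f"docker: TCP listener {listener} uses TLS but does not verify client certificates")
    return findings


def _parse_jupyter_settings(config_py: str) -> Dict[str, object]:
    """Collect `c.ServerApp.<name> = <literal>` (or legacy NotebookApp) assignments."""
    settings: Dict[str, object] = {}
    pattern = re.compile(r"^\s*c\.(?:ServerApp|NotebookApp)\.(\w+)\s*=\s*(.+?)\s*$", re.M)
    for name, raw in pattern.findall(config_py):
        try:
            settings[name] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[name] = raw  # non-literal expression: keep the text for reporting
    return settings


def audit_jupyter_config(config_py: str) -> List[str]:
    """Findings for a jupyter_server_config.py. Assumed defaults: ip=localhost, random token, no password."""
    s = _parse_jupyter_settings(config_py)
    findings: List[str] = []
    ip = str(s.get("ip", "localhost"))
    # Jupyter generates a random token unless token is explicitly set to ''
    auth_disabled = s.get("token", "<random>") == "" and not s.get("password")
    if ip not in LOOPBACK and auth_disabled:
        findings.append(f"jupyter: bound to {ip} with token and password disabled (unauthenticated remote access)")
    elif auth_disabled:
        findings.append("jupyter: authentication disabled; acceptable only behind an authenticating reverse proxy")
    if s.get("allow_root") is True:
        findings.append("jupyter: allow_root=True, so a hijacked session already runs as root")
    return findings


# Constructed sample configurations (not captured from a real incident)
EXPOSED_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
EXPOSED_JUPYTER = """\
c.ServerApp.ip = '0.0.0.0'
c.ServerApp.port = 8888
c.ServerApp.token = ''
c.ServerApp.password = ''
c.ServerApp.allow_root = True
"""
HARDENED_JUPYTER = """\
c.ServerApp.ip = '127.0.0.1'
c.ServerApp.port = 8888
# hashed value as produced by `jupyter server password` (placeholder hash)
c.ServerApp.password = 'argon2:$argon2id$v=19$m=10240,t=10,p=8$placeholder'
"""

if __name__ == "__main__":
    for label, fn, cfg in [
        ("docker exposed", audit_docker_daemon, EXPOSED_DAEMON_JSON),
        ("docker hardened", audit_docker_daemon, HARDENED_DAEMON_JSON),
        ("jupyter exposed", audit_jupyter_config, EXPOSED_JUPYTER),
        ("jupyter hardened", audit_jupyter_config, HARDENED_JUPYTER),
    ]:
        print(label, "->", fn(cfg) or ["ok"])
```

Run it against the real files on each node (for example /etc/docker/daemon.json and the jupyter_server_config.py under the service account's .jupyter directory); a listener that is only reachable through a firewall rule still deserves the finding, because the worm's scanner only needs one forgotten rule.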

MITRE ATT&CK techniques associated with this campaign include:

  • T1190: Exploit Public-Facing Application (Initial Access): exposed JupyterLab and Docker APIs
  • T1610: Deploy Container (Execution): malicious container images started on the victim's Docker host
  • T1059: Command and Scripting Interpreter (Execution)
  • T1505: Server Software Component (Persistence)
  • T1027: Obfuscated Files or Information (Defense Evasion)
  • T1552: Unsecured Credentials (Credential Access): harvesting of cloud credentials from compromised hosts
  • T1083: File and Directory Discovery (Discovery)
  • T1046: Network Service Discovery (Discovery): scanning for further exposed instances
  • T1005: Data from Local System (Collection)
  • T1071: Application Layer Protocol (Command and Control): the Tsunami backdoor's command channel
  • T1105: Ingress Tool Transfer (Command and Control)
  • T1020: Automated Exfiltration (Exfiltration)
  • T1496: Resource Hijacking (Impact): cryptocurrency mining

New tool exploits Microsoft Teams bug to send malware to users

Analysis: A researcher has published TeamsPhisher, a tool that automates an unresolved security issue in Microsoft Teams, reported by JUMPSEC in June, which lets an external tenant send files to a target organization's users even though Teams only permits external accounts to send messages, not attachments. The restriction is enforced on the client side only: the tool alters the recipient identifier in the request so that the Teams service treats the external sender as an internal one, and the attachment then arrives in the victim's Teams inbox looking like an internal file. Microsoft has acknowledged the issue but said it did not meet its bar for immediate servicing, so the bug remains open. Given how much trust users place in Teams messages from colleagues, this is a practical malware-delivery channel for organizations using Microsoft Teams.

To mitigate the risk from this unresolved Teams issue and tools like TeamsPhisher, Access Point recommends that organizations implement the following security measures:

  • Disable communication with external tenants unless it is genuinely required for business operations. This removes the channel the tool depends on.
  • Where external collaboration is needed, restrict it with a domain allow list so that Teams only federates with trusted domains. This is configured under external access in the Teams admin center or with the Set-CsTenantFederationConfiguration cmdlet and its AllowedDomains parameter, and reduces the chance of users ever receiving a message from an attacker-controlled tenant.
  • If licensed, enable Safe Attachments for SharePoint, OneDrive and Microsoft Teams in Microsoft Defender for Office 365, so files arriving through Teams are scanned before users can open them.
  • Educate employees about the risks of clicking links or opening files received in Teams, especially from unfamiliar senders, and make the point that the "external" label can be absent. Phishing awareness training helps employees recognize and report such attempts rather than act on them.

By implementing these security measures, organizations can reduce the potential impact of attacks that abuse this Teams weakness until Microsoft addresses it. It is essential to stay vigilant, track unresolved issues in widely used collaboration tools, and keep employees informed about the evolving threat landscape.

MITRE ATT&CK techniques associated with this campaign include:

  • T1566.003: Phishing: Spearphishing via Service (Initial Access): the lure and payload arrive through Teams from an external tenant
  • T1036: Masquerading (Defense Evasion): the external sender is presented to the victim as an internal one
  • T1105: Ingress Tool Transfer (Command and Control): the malicious file delivered through Teams

New ‘Big Head’ ransomware displays fake Windows update alert

Analysis: Security researchers at Trend Micro have analyzed a ransomware family named "Big Head" that spreads through malvertising and poses as fake Windows updates and Microsoft Word installers. The initial executable drops encrypted components on the target: one that propagates the malware, one that communicates with the operators through a Telegram bot, and one that performs the encryption. Big Head creates a registry autorun key, overwrites files, disables Task Manager, and deletes volume shadow copies to prevent recovery. It assigns each victim a unique ID, encrypts files and appends a ".poop" extension, and shows a fake Windows update screen while the encryption runs. Trend Micro also found two further variants, one with data-stealing capabilities and another carrying the "Neshta" file infector. Big Head is not sophisticated, but the multiple variants indicate ongoing development and experimentation by its operators.

To protect against Big Head and similar threats, Access Point recommends the following. Obtain software updates only through Windows Update or managed deployment tooling, never from an advertisement or a download prompt in the browser; a genuine Windows update never arrives as a downloaded installer. Exercise caution with any file from an untrusted source and verify installers before running them. Keep antivirus/antimalware solutions current and patch operating systems and applications regularly. Because Big Head deletes shadow copies, treat them as a convenience rather than a backup: maintain offline or immutable backups and test the restore procedure. Organizations should also have a threat intelligence function, in-house or through a provider, that tracks current ransomware families and follows security advisories from trusted sources.

By following these security measures, organizations can enhance their defenses against the Big Head ransomware and similar threats. Remaining vigilant, exercising caution, and maintaining up-to-date security practices are key to mitigating the risk of ransomware attacks and protecting critical data.
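The behaviours described above (shadow-copy deletion, a Run-key autorun, Task Manager disabled through policy, and files taking a ".poop" extension) are the observable signals a SOC can alert on. The following detection logic is an added example for this newsletter, not Trend Micro's or the malware's code. It runs over constructed, Sysmon-style endpoint telemetry reduced to Python dicts; the registry paths for the Run key and for DisableTaskMgr are the standard Windows locations and are assumed to be the ones Big Head uses, and the burst threshold is a tuning value, not a figure from the report.

```python
"""Behaviour-based detection for the Big Head actions described above (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Command lines that delete Volume Shadow Copies (vssadmin and wmic forms)
SHADOW_DELETE = re.compile(
    r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I
)
# A value written under HKCU or HKLM ...\CurrentVersion\Run
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I)
# Standard policy value that disables Task Manager (assumed to be what Big Head sets)
DISABLE_TASKMGR = re.compile(r"\\Policies\\System\\DisableTaskMgr$", re.I)
RANSOM_EXT = ".poop"
BURST_THRESHOLD = 5  # files with the extension before it counts as an indicator on its own


def classify(event: Dict[str, object]) -> Optional[str]:
    """Map one event to an indicator name, or None if it is not interesting."""
    kind = event.get("type")
    if kind == "process" and SHADOW_DELETE.search(str(event.get("cmdline", ""))):
        return "shadow_copy_deletion"
    if kind == "registry":
        target = str(event.get("target", ""))
        if RUN_KEY.search(target):
            return "run_key_persistence"
        if DISABLE_TASKMGR.search(target) and str(event.get("value", "")) == "1":
            return "taskmgr_disabled"
    if kind == "file" and str(event.get("path", "")).lower().endswith(RANSOM_EXT):
        return "ransom_extension"
    return None


def detect(events: List[Dict[str, object]], burst: int = BURST_THRESHOLD) -> List[Dict[str, object]]:
    """Correlate indicators per host; two or more distinct indicators raise severity to high."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        tag = classify(ev)
        if tag:
            counts[str(ev["host"])][tag] += 1
    alerts: List[Dict[str, object]] = []
    for host, tags in counts.items():
        # a single renamed file is noise; the extension only counts once it is a burst
        hits = sorted(t for t, n in tags.items() if t != "ransom_extension" or n >= burst)
        if hits:
            alerts.append({"host": host, "severity": "high" if len(hits) >= 2 else "medium", "indicators": hits})
    return sorted(alerts, key=lambda a: str(a["host"]))


# Constructed sample telemetry (not from a real incident)
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"host": "ws-01", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-01", "type": "registry",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "value": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"},
    {"host": "ws-01", "type": "registry",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr",
     "value": "1"},
    *[{"host": "ws-01", "type": "file", "path": f"C:\\Users\\u\\Documents\\report{i}.docx.poop"} for i in range(6)],
    # benign host: listing shadows is routine administration, plus one ordinary file write
    {"host": "ws-02", "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "ws-02", "type": "file", "path": "C:\\Users\\v\\Documents\\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The correlation step is what keeps the rule usable: Run keys and even shadow-copy deletion occur legitimately on their own, but a host that shows two of these signals within the same window is worth an immediate isolation decision, and the extension burst on its own is a reliable late-stage signal.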

MITRE ATT&CK techniques associated with this campaign include:

  • T1189: Drive-by Compromise (Initial Access): malvertising
  • T1204.002: User Execution: Malicious File (Execution): the fake Windows update and Word installers
  • T1059: Command and Scripting Interpreter (Execution)
  • T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Persistence)
  • T1036: Masquerading (Defense Evasion)
  • T1070.004: Indicator Removal: File Deletion (Defense Evasion)
  • T1102: Web Service (Command and Control): the Telegram bot channel
  • T1105: Ingress Tool Transfer (Command and Control)
  • T1490: Inhibit System Recovery (Impact): shadow copy deletion
  • T1486: Data Encrypted for Impact (Impact)

Vulnerabilities

Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari

Analysis: Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari browser to address a zero-day vulnerability that was actively exploited. The vulnerability, identified as CVE-2023-37450, was a WebKit bug that could allow threat actors to execute arbitrary code when the victim processes specifically crafted web content. Apple resolved the issue with improved checks in the security update.

The Rapid Security Response builds are iOS 16.5.1 (a), iPadOS 16.5.1 (a) and macOS Ventura 13.4.1 (a); Safari 16.5.2 carries the same fix for macOS Big Sur and Monterey. Apple withdrew the response shortly after release because the "(a)" it appended to Safari's user-agent string caused sites such as Facebook, Instagram and Zoom to reject the browser with an "unsupported browser" error. A user who needs those sites working can remove the response on iOS via Settings > General > About, tapping the iOS version entry and choosing Remove Security Response; doing so also removes the fix for CVE-2023-37450.

This incident highlights the importance of testing patches before deployment to avoid unexpected errors that may impact confidentiality, integrity, or availability. It is crucial to have patching cadence and emergency patching and testing procedures in place to ensure information security remains intact.

Access Point recommends reapplying the Rapid Security Response update immediately once it is available again. If the update has already been applied, it is advised not to remove it and instead find workarounds to use the affected websites or website functions. Using applications instead of the browser can be a potential workaround for accessing platforms like Facebook, Zoom, and Instagram. Zero-day vulnerabilities and actively exploited vulnerabilities pose significant threats, and it is essential to patch or mitigate them as soon as possible to maintain a secure environment.

Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws

Analysis: Microsoft's July 2023 Patch Tuesday releases security updates for 132 vulnerabilities, among them six zero-days and 37 Remote Code Execution (RCE) flaws. The remainder fall into the usual categories: Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing.

The zero-days are the most notable items. Five of the six carry CVE identifiers and are detailed below; the sixth is advisory ADV230001, under which Microsoft revoked code-signing certificates for drivers that had been signed through its Windows Hardware Developer Program and then used in attacks. The five CVEs are:

  • CVE-2023-32046 - Windows MSHTML Platform Elevation of Privilege Vulnerability
    • Microsoft has fixed an actively exploited privilege elevation vulnerability in Windows MSHTML that was exploited by opening a specially crafted file through email or malicious websites. This would allow the attacker to gain the rights of the user that was running the affected application. The Microsoft Threat Intelligence Center internally discovered the flaw.
  • CVE-2023-32049 - Windows SmartScreen Security Feature Bypass Vulnerability
    • Threat actors exploited this vulnerability to prevent the display of the Open File - Security Warning prompt when downloading and opening files from the Internet. A user would have to click on a specifically crafted URL to become compromised. The Microsoft Threat Intelligence Center internally discovered the flaw.
  • CVE-2023-36874 - Windows Error Reporting Service Elevation of Privilege Vulnerability
    • This actively exploited elevation of privilege flaw allowed threat actors to gain administrator privileges on the Windows device. An attacker must have local access to the targeted machine, and the account used must be able to create folders and performance traces, which normal users can do by default. The flaw was discovered by Vlad Stolyarov and Maddie Stone of Google's Threat Analysis Group (TAG).
  • CVE-2023-36884 - Office and Windows HTML Remote Code Execution Vulnerability
    • Microsoft has released guidance on a publicly disclosed, unpatched zero-day that allows remote code execution using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.
    • While no security updates are available for this flaw at this time, Microsoft says that users of Microsoft Defender for Office and those using the "Block all Office applications from creating child processes" Attack Surface Reduction Rule are protected from attachments that attempt to exploit this vulnerability.
  • CVE-2023-35311 - Microsoft Outlook Security Feature Bypass Vulnerability
    • Microsoft has fixed an actively exploited zero-day vulnerability in Microsoft Outlook that bypasses security warnings and works in the preview pane. The attacker would be able to bypass the Microsoft Outlook Security Notice prompt with exploitation of this vulnerability. According to Microsoft, the Preview Pane is an attack vector, but additional user interaction is required.

Access Point recommends promptly applying the July 2023 cumulative update to address these vulnerabilities. For CVE-2023-36884, which has no fix in this release, enable the "Block all Office applications from creating child processes" Attack Surface Reduction rule (rule ID D4F940AB-401B-4EFC-AADC-AD5F3C50688A), in audit mode first and then in block mode, and watch Microsoft's advisory for the follow-up patch. Windows updates can significantly affect an environment, so test them in a representative ring before broad deployment to minimize disruption.

Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Analysis: Mastodon, the decentralized open-source social network, has released security updates for critical vulnerabilities that could affect millions of users. The most severe, CVE-2023-36460 (dubbed "TootRoot"), lies in Mastodon's media-processing code: a crafted media file lets an attacker create or overwrite any file the Mastodon process can write. That primitive can be used for denial of service or, by planting files the server later loads or executes, for remote code execution on the instance. The flaw was found during a penetration test of Mastodon funded by the Mozilla Foundation and carried out by Cure53.

The security update also addresses another critical vulnerability, CVE-2023-36459. This vulnerability enables attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization process. This creates a new attack vector for Cross-Site Scripting attacks, particularly when users click on preview cards associated with malicious links.

Because Mastodon is decentralized, the fix only reaches users when the operator of each instance they use applies it. Access Point recommends that instance owners update promptly to the latest release (4.1.4; the 4.0 and 3.5 branches are fixed in 4.0.5 and 3.5.9), which contains the patches that close these attack vectors. Users should verify that the instances they belong to have been updated; the instance's about page normally shows its running version, and if in doubt they should ask the instance owners. It is advisable not to interact with a Mastodon instance that has not been updated until it is confirmed to be running a fixed version.

MOVEit Transfer customers warned to patch new critical flaw

Analysis: Progress, the developer of MOVEit Transfer, has released an update that addresses a critical SQL injection vulnerability and two other vulnerabilities in the software. These vulnerabilities are as follows:

  • CVE-2023-36934: This vulnerability could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database by submitting a crafted payload to a MOVEit Transfer application endpoint. This could result in modification and disclosure of database content.
  • CVE-2023-36932: An authenticated attacker could exploit this vulnerability by using a specifically crafted payload to gain access to the MOVEit Transfer database through a MOVEit Transfer application endpoint. This could also lead to modification and disclosure of database content.
  • CVE-2023-36933: Exploiting this vulnerability can result in an unhandled exception, causing a denial of service. An attacker can invoke a method that triggers the exception.

The vulnerabilities affect all MOVEit Transfer releases before the fixed builds listed for each supported branch in the Progress service pack article linked under Sources; operators should compare their installed version against that list rather than assume a recent install is covered. The flaws were reported by Guy Lederfein of Trend Micro and by HackerOne contributors, including the researcher credited as jameshorseman.

These updates come after the discovery of a mass-exploited zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer, which was promptly patched. Progress has introduced regular security updates called "Service Packs" in response to the attack, allowing MOVEit Transfer administrators to apply fixes promptly.

Access Point recommends that all MOVEit Transfer operators update to the fixed build for their branch provided in the July 2023 Service Pack. They should also watch for further service packs, since MOVEit Transfer remains a target of ransomware actors following the mass exploitation of CVE-2023-34362, and internet-facing file transfer appliances are routinely rescanned once a new flaw is published. Keeping this software current is a crucial defense.

Sources

https://www.theregister.com/2023/07/11/barts_blackcat_theft/?&web_view=true

https://securityaffairs.com/148207/reports/enisa-threat-landscape-report-health-sector.html?web_view=true

https://thehackernews.com/2023/07/mexico-based-hacker-targets-global.html

https://thehackernews.com/2023/07/silentbob-campaign-cloud-native.html

https://www.bleepingcomputer.com/news/security/new-tool-exploits-microsoft-teams-bug-to-send-malware-to-users/

https://www.bleepingcomputer.com/news/security/new-big-head-ransomware-displays-fake-windows-update-alert/

https://thehackernews.com/2023/07/apple-issues-urgent-patch-for-zero-day.html

https://www.bleepingcomputer.com/news/microsoft/microsoft-july-2023-patch-tuesday-warns-of-6-zero-days-132-flaws/

https://thehackernews.com/2023/07/mastodon-social-network-patches.html

https://www.bleepingcomputer.com/news/security/moveit-transfer-customers-warned-to-patch-new-critical-flaw/

https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-July-2023
