CyberWatch

CyberWatch - July 19, 2023

By

Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens
  2. WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks
  3. New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries
  4. TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud
  5. Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware
  6. FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks
  7. VirusTotal Data Leak Exposes Some Registered Customers’ Details

Vulnerabilities

  1. Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks
  2. CISA orders govt agencies to mitigate Windows and Office zero-days
  3. New critical Citrix ADC and Gateway flaw exploited as zero-days

Ransomware, Malware & Phishing

Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens

Analysis: In a recent disclosure, Microsoft revealed a security incident involving a malicious actor named Storm-0558. This threat actor took advantage of a validation error in Microsoft's source code to forge Azure Active Directory (Azure AD) tokens. By obtaining an inactive Microsoft account (MSA) consumer signing key, Storm-0558 created authentication tokens for Azure AD, gaining unauthorized access to the emails of around 25 organizations. These targets included government entities and consumer accounts. The actor is suspected to be based in China, conducting espionage activities aimed at U.S., European, and other geopolitical interests. The breach was carried out through various methods, including phishing, credential harvesting, and the use of web shells and tools like PowerShell and Python scripts to extract email data.

To enhance security against espionage campaigns and similar threats, Access Point recommends several measures for organizations. First, enabling enhanced logging features, such as MS Purview Audit or MS 365 Unified Audit Logging, can help track and detect suspicious activities in cloud environments. Establishing baseline patterns and searching for outliers can assist in distinguishing abnormal traffic from regular behavior. Implementing multi-factor authentication (MFA) and enforcing strict access controls can effectively prevent unauthorized access to email accounts and sensitive data. Regular security awareness training for employees is also crucial to educate them about common phishing and social engineering tactics frequently used in espionage campaigns. Lastly, organizations must maintain a vigilant detection team to monitor for potential threats and respond promptly in the event of a breach.

WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks

Analysis: A concerning development in the world of cybercrime is the emergence of a new generative AI tool called WormGPT. This malicious tool is being advertised on underground forums as a means for cybercriminals to conduct sophisticated phishing and business email compromise (BEC) attacks. WormGPT is designed to automate the creation of highly convincing fake emails personalized to the recipient, greatly increasing the chances of a successful attack. What's particularly alarming is that this tool is being targeted at performing illegal activities and has been described as the "biggest enemy of the well-known ChatGPT," showcasing the ongoing cat-and-mouse game between attackers and anti-abuse measures in language models.

With more language models implementing anti-abuse measures, cybercriminals are turning to tools like WormGPT to bypass these restrictions and exploit generative AI for cybercrime, even without requiring advanced technical skills. This use of generative AI has the potential to democratize the execution of BEC attacks, making them accessible to a broader range of cybercriminals and posing a significant threat to cybersecurity.

To address the emerging threats posed by generative AI cybercrime tools like WormGPT, Access Point recommends that organizations take proactive steps to enhance their email security measures. This includes implementing robust spam filters and anti-phishing solutions to detect and prevent sophisticated phishing attacks. Additionally, it is crucial to conduct regular employee awareness training to educate users about the dangers of phishing and how to recognize phishing emails. Simple practices like hovering over links and sender addresses, checking for spelling mistakes or incorrect logos, and knowing how to report a phishing email can go a long way in preventing successful attacks.

Organizations should also regularly review and update their security protocols and tools to stay ahead of new and evolving threats. Implementing multi-factor authentication (MFA) and other identity verification measures can strengthen the security of email accounts and prevent unauthorized access. Having a team of threat hunters continuously monitoring for suspicious activities and implementing robust logging and monitoring mechanisms will help detect and respond to potential security breaches promptly. Staying informed about the latest cyber threats and considering partnering with cybersecurity experts to develop proactive defense strategies is crucial in this constantly evolving threat landscape.

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

Analysis: A concerning new malware strain known as AVrecon has been identified, targeting small office/home office (SOHO) routers for a staggering period of over two years. This insidious malware has infected more than 70,000 devices, forming a massive botnet of 40,000 nodes across 20 different countries. The primary goal of AVrecon is to clandestinely enable criminal activities, including password spraying and digital advertising fraud. The most heavily affected countries are the U.K. and the U.S., but significant numbers of infections have been reported in other nations as well.

To operate stealthily, AVrecon establishes communication with command-and-control (C2) servers and employs a tiered C2 infrastructure, a technique previously seen in other notorious botnets. The malware is written in the C programming language, making it easily adaptable to different architectures and devices. The botnet is suspected to be involved in advertising fraud and data exfiltration, utilizing compromised systems to interact with Facebook and Google ads and Microsoft Outlook.

To safeguard against SOHO router-targeting malware like AVrecon, Access Point recommends implementing the following security measures:

  1. Ensure that SOHO routers are regularly updated with the latest firmware to patch known vulnerabilities and defend against potential exploits. Changing default router credentials to strong, unique passwords and enabling robust encryption protocols (e.g., WPA3) for Wi-Fi networks is essential to bolster security. Regularly monitoring router activity and reviewing logs for any signs of suspicious behavior can help detect and respond to potential threats promptly.
  2. Deploy network security solutions that have the capability to detect and block malicious traffic. Firewalls and intrusion detection systems (IDS) can be valuable tools in identifying and stopping malware like AVrecon from spreading further.

TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud

Analysis: A dangerous cloud credential stealing campaign named SCARLETEEL has been uncovered, targeting Azure, Google Cloud Platform (GCP), and AWS services. The campaign bears similarities to tools used by the TeamTNT cryptojacking group and primarily focuses on public-facing Docker instances to deploy a worm-like propagation module. Over the course of June and July 2023, the malware has evolved with the discovery of eight incremental versions of the credential harvesting script. These newer versions are capable of gathering credentials from various cloud services, Docker, Git, Kubernetes, Linux, and more, exfiltrating them to a remote server under the attacker's control. Additionally, the actor behind the campaign employs a Golang-based ELF binary for scanning and propagating the malware, demonstrating active tuning and improvement of their tools in preparation for larger scale attacks.

To defend against cloud credential stealing campaigns like SCARLETEEL, organizations must implement a series of security recommendations. First and foremost, a strong password policy should be enforced, with passwords resetting every 90 days and incorporating complexity in terms of length, numbers, symbols, and characters, while avoiding repetition. Regularly reviewing and updating cloud service configurations is crucial to ensuring proper security settings and avoiding exploitable misconfigurations.

Enforcing robust authentication mechanisms, such as multi-factor authentication (MFA), is vital to protect cloud accounts from unauthorized access. To detect and thwart malicious activities, organizations should continuously monitor their cloud environments for anomalous behaviors. Implementing intrusion detection systems (IDS) and network scanning solutions can aid in detecting and blocking malicious traffic.

Regular security audits and vulnerability assessments on cloud infrastructure will help identify and address potential weaknesses before they can be exploited by attackers. Educating employees about security best practices, particularly regarding the safe handling of credentials and the recognition of phishing attempts and social engineering attacks, can significantly enhance an organization's overall security posture.

Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware

Analysis: The first half of 2023 has seen a significant increase in cyber-attacks using infected USB drives as an initial access vector, with incidents surging three-fold. Two notable campaigns, SOGU and SNOWYDRIVE, have been identified by Mandiant, targeting both public and private sector entities worldwide. The SOGU campaign, attributed to the China-based cluster TEMP.Hex, is a prominent USB-based cyber espionage attack, aggressively targeting various industries in Europe, Asia, and the U.S. The infection chain involves a malicious USB flash drive triggering the execution of PlugX, which then launches a C-based backdoor called SOGU to exfiltrate files, keystrokes, and screenshots. The second cluster, UNC4698, employs USB infiltration to target Asian oil and gas organizations, delivering the SNOWYDRIVE malware for remote system control and propagation across networks.

To mitigate the risks posed by USB-based cyber espionage attacks, Access Point recommends that organizations consider implementing the following security protocols. Firstly, strict access restrictions on external devices, such as USB drives, should be enforced to minimize the risk of introducing malware to internal networks. Regular security awareness training for employees is essential to educate them about the dangers of plugging in unknown or untrusted USB drives and to raise awareness about phishing attempts that may trick victims into clicking on malicious files.

Deploying robust endpoint protection solutions with USB scanning capabilities can detect and prevent malware on removable devices before they are connected to internal systems. By utilizing network segmentation and implementing strong access controls, organizations can limit the lateral movement of malware across the network in the event of a breach through an infected USB drive.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Replication Through Removable Media – T1091
  • Shortcut Modification – T1023
  • Process Injection – T1055
  • Indicator Removal on Host – T1070
  • File and Directory Discovery – T1083
  • Alternate Data Streams – T1096

FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks

Analysis: Financially motivated threat actor FIN8 has recently been observed using a revamped version of the Sardonic backdoor to deliver the BlackCat ransomware. The intrusion attempt occurred in December 2022. FIN8, also known as Syssphinx, has a history of targeting point-of-sale (PoS) systems. After resurfacing in March 2021 with an updated version of BADHATCH, they followed up with the bespoke implant Sardonic in August 2021.

To counter the threats posed by FIN8 and similar threat actors, Access Point strongly recommends that organizations prioritize software and operating system updates with the latest security patches. Vulnerabilities in outdated software can be exploited by attackers like FIN8, and timely updates can significantly reduce these risks.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • Spear-phishing Attachment – T1193
  • PowerShell – T1086
  • Scripting – T1064
  • Registry Run Keys / Startup Folder – T1060
  • Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1060
  • Boot or Logon Autostart Execution: WMI Event Subscription – T1546.003
  • Bypass User Account Control – T1088
  • Timestomp – T1099
  • File Deletion – T1107
  • Deobfuscate/Decode Files or Information – T1140
  • Credential Dumping – T1003
  • System Information Discovery – T1082
  • Query Registry – T1012
  • Data from Local System – T1005
  • Data Encrypted for Impact – T1486

VirusTotal Data Leak Exposes Some Registered Customers’ Details

Analysis: A security incident has been reported involving VirusTotal, where data associated with a subset of registered customers was inadvertently exposed. The breach occurred when an employee unintentionally uploaded the information to the malware scanning platform. The exposed data included names and email addresses of 5,600 customers, stored in a 313KB file. Google, the owner of VirusTotal, swiftly confirmed the breach and took immediate action to remove the data from the platform.

Among the affected accounts were those of official U.S. bodies, including the Cyber Command, Department of Justice, FBI, and NSA, as well as government agencies in Germany, the Netherlands, Taiwan, and the U.K. In response to the incident, Google is conducting a thorough review of internal processes and technical controls to enhance security and prevent similar occurrences in the future.

To prevent such incidents from happening in other organizations, Access Point emphasizes the importance of implementing stringent data handling procedures. Regular employee training on data security awareness can significantly reduce the risk of accidental data exposure. Employing data loss prevention (DLP) solutions and access controls is crucial to protect sensitive information from unintentional disclosure.

Furthermore, conducting regular audits of internal processes and technical controls can help identify potential vulnerabilities and ensure that data protection measures are robust and up to date. By proactively addressing data security and adopting these best practices, organizations can safeguard sensitive information and maintain the trust of their customers and clients.

Vulnerabilities

Two New Adobe ColdFusion Vulnerabilities Exploited in Attacks

Analysis: Recently, Adobe disclosed multiple vulnerabilities in Adobe ColdFusion, and it has been indicated that at least two of them have been exploited in real-world attacks. These vulnerabilities include improper access control and deserialization flaws, which can enable attackers to bypass security features and execute arbitrary code. Although Adobe has issued patches, there are concerns among security experts that one vulnerability remains inadequately addressed.

Cybersecurity firm Rapid7 confirmed that two of the vulnerabilities, CVE-2023-29298 and CVE-2023-38203, were indeed exploited in real-world attacks. Analysis suggests that attackers combined these vulnerabilities, potentially chaining them together, and utilized PowerShell commands to create a webshell for unauthorized access. While Adobe mistakenly claimed that CVE-2023-29300 was targeted in attacks, evidence supporting this is lacking.

Rapid7 pointed out that Adobe's fix for CVE-2023-29298 is incomplete, with slightly modified exploits still functioning against the latest ColdFusion version. They have alerted Adobe to this issue and recommend updating ColdFusion to the latest version containing the fix for CVE-2023-38203 to prevent the observed attacker behavior. Rapid7's blog post offers indicators of compromise (IoCs) and mitigation guidance.

This is the second time in 2023 that users have been warned about ColdFusion vulnerabilities, with a zero-day vulnerability exploited in limited attacks earlier in March. While limited attacks could suggest state-sponsored cyberspies, cybercrime groups have also targeted ColdFusion vulnerabilities. Interestingly, the recently disclosed flaws are not currently listed among the nine ColdFusion vulnerabilities in CISA's Known Exploited Vulnerabilities Catalog.

To effectively manage these vulnerabilities, Access Point recommends promptly applying available patches from Adobe to address the disclosed vulnerabilities. Additionally, it is essential to update ColdFusion software to the latest version with the fix for CVE-2023-38203 to prevent potential attacks. Monitoring Rapid7's mitigation guidance and indicators of compromise (IoCs) can enhance detection and response capabilities. Staying vigilant for future security updates from Adobe and promptly implementing them will help protect against potential cyber threats targeting ColdFusion.

CISA orders govt agencies to mitigate Windows and Office zero-days

Analysis: The Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies in the United States to address critical vulnerabilities in Windows and Office products. These vulnerabilities, collectively identified as CVE-2023-36884, were exploited by the RomCom cybercriminal group based in Russia during NATO phishing attacks. CISA has included these flaws in its list of Known Exploited Vulnerabilities.

To comply with the binding operational directive BOD 22-01 issued in November 2021, U.S. Federal Civilian Executive Branch Agencies (FCEB) must secure their Windows devices against attacks leveraging CVE-2023-36884. The agencies have been given a deadline of August 8th to implement mitigation measures provided by Microsoft.

While Microsoft is working on patches, customers can protect themselves by using Defender for Office 365, Microsoft 365 Apps (Versions 2302 and later), and enabling the "Block all Office applications from creating child processes" Attack Surface Reduction Rule. Alternatively, those without these protections can modify the FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION registry key by adding specific process names as values of type REG_DWORD with data 1. However, it's important to note that this modification may affect the functionality of some Microsoft Office apps.
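The following PowerShell script is an added example, not code from the CyberWatch article or from Microsoft, showing how an administrator would apply and then verify the two interim mitigations described above on a single host. It assumes the full registry path under HKLM, the per-application value names, and the GUID of the "Block all Office applications from creating child processes" ASR rule as published in Microsoft's guidance for CVE-2023-36884; none of those specifics appear on this page, so confirm them against the current advisory before rolling the script out. It must be run from an elevated session.

```powershell
# Added example (not from the CyberWatch article or from Microsoft): applies the two
# interim mitigations for CVE-2023-36884 on one Windows host and reports the result.
# Assumptions: registry path, value names and the ASR rule GUID are taken from
# Microsoft's published guidance for this CVE; run from an elevated PowerShell session.

$ErrorActionPreference = 'Stop'

# 1. FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION: one REG_DWORD value (data 1)
#    per Office process name, exactly as the mitigation described above requires.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_CROSS_PROTOCOL_FILE_NAVIGATION'
$officeProcesses = @(
    'Excel.exe', 'Graph.exe', 'MSAccess.exe', 'MSPub.exe', 'PowerPoint.exe',
    'Visio.exe', 'WinProj.exe', 'WinWord.exe', 'Wordpad.exe'
)

if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
foreach ($proc in $officeProcesses) {
    New-ItemProperty -Path $keyPath -Name $proc -PropertyType DWord -Value 1 -Force | Out-Null
}

# 2. Defender Attack Surface Reduction rule "Block all Office applications from
#    creating child processes", set to block mode (Action = Enabled).
$asrRuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRuleId `
                 -AttackSurfaceReductionRules_Actions Enabled

# 3. Verification, so the change can be audited rather than assumed.
$applied = Get-ItemProperty -Path $keyPath
$missing = @($officeProcesses | Where-Object { $applied.$_ -ne 1 })
if ($missing.Count -gt 0) {
    Write-Warning ("Registry value not set for: " + ($missing -join ', '))
} else {
    Write-Output ("Registry mitigation applied for {0} Office processes." -f $officeProcesses.Count)
}

$prefs = Get-MpPreference
$ids = @($prefs.AttackSurfaceReductionRules_Ids)
$actions = @($prefs.AttackSurfaceReductionRules_Actions)
$idx = -1
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrRuleId) { $idx = $i; break }
}
# Action value 1 means "Enabled" (block mode); 2 would be audit mode.
if ($idx -ge 0 -and $actions[$idx] -eq 1) {
    Write-Output "ASR rule $asrRuleId is enabled in block mode."
} else {
    Write-Warning "ASR rule $asrRuleId is not in block mode."
}
```

The verification step matters in practice: the registry mitigation is only effective for the process names that were actually written, and an ASR rule left in audit mode logs the behaviour but does not block it. Because the registry change is the fallback for hosts without Defender for Office 365 or Microsoft 365 Apps 2302 and later, a fleet-wide rollout should be paired with a check that the affected Office features still work for the applications in use.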

Private companies are also strongly advised to prioritize patching vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog, as these flaws are commonly exploited by malicious actors and pose significant risks.

Microsoft confirmed that the CVE-2023-36884 zero-days were exploited in targeted attacks against government entities in North America and Europe. The RomCom cybercriminal group, also known as Storm-0978 or DEV-0978, operates out of Russia and is involved in opportunistic ransomware and extortion, as well as targeted credential-gathering campaigns. Their recent campaign in June 2023 used CVE-2023-36884 to deliver a backdoor similar to RomCom. The attackers used malicious Office documents posing as the Ukrainian World Congress organization to trick their targets into deploying malware payloads, including the MagicSpell loader and the RomCom backdoor.

Access Point recommends that private companies follow federal agencies by promptly addressing the CVE-2023-36884 vulnerabilities affecting Windows and Office products, which were exploited by the RomCom cybercriminal group. Federal agencies must implement mitigation measures provided by Microsoft within three weeks, while private companies are strongly advised to prioritize patching all vulnerabilities listed in CISA's catalog. In the meantime, customers can utilize specific protections offered by Microsoft or modify the registry key to mitigate the risk of phishing attacks. It is crucial to prioritize cybersecurity measures to safeguard systems and data from potential threats.

New critical Citrix ADC and Gateway flaw exploited as zero-days

Analysis: Citrix has issued an urgent warning to its customers regarding a critical-severity vulnerability, CVE-2023-3519, in NetScaler ADC and NetScaler Gateway. This vulnerability has been exploited in the wild and poses a significant threat. Immediate action is strongly advised, and Citrix recommends the prompt installation of updated versions to address the issue.

The vulnerability allows for remote code execution without the need for authentication but only impacts appliances configured as gateways or authentication virtual servers. Along with CVE-2023-3519, Citrix has also addressed two other vulnerabilities, CVE-2023-3466 (reflected cross-site scripting) and CVE-2023-3467 (privilege escalation) in the newly released versions.

Users, especially those on NetScaler ADC and Gateway version 12.1, are urged to prioritize updating their systems to protect against potential exploits. In July, a zero-day vulnerability targeting Citrix ADC was advertised, potentially related to the security bulletin. It's essential for organizations to remain vigilant as defenders expect continued exploitation until Citrix releases a fix.

Access Point's vulnerability analysts strongly advise users of Citrix NetScaler ADC and NetScaler Gateway to take immediate action by installing the updated versions to mitigate the critical-severity vulnerability. To investigate potential compromises, organizations should search for newer web shells, review HTTP error logs for anomalies, and examine shell logs for unusual commands.

Sources

https://thehackernews.com/2023/07/microsoft-bug-allowed-hackers-to-breach.html

https://thehackernews.com/2023/07/wormgpt-new-ai-tool-allows.html

https://thehackernews.com/2023/07/new-soho-router-botnet-avrecon-spreads.html

https://thehackernews.com/2023/07/teamtnts-cloud-credential-stealing.html

https://thehackernews.com/2023/07/malicious-usb-drives-targetinging.html

https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html

https://thehackernews.com/2023/07/virustotal-data-leak-exposes-some.html

https://www.securityweek.com/two-new-adobe-coldfusion-vulnerabilities-exploited-in-attacks/

https://www.bleepingcomputer.com/news/security/new-critical-citrix-adc-and-gateway-flaw-exploited-as-zero-days/

https://www.bleepingcomputer.com/news/security/cisa-orders-govt-agencies-to-mitigate-windows-and-office-zero-days/
