At a Glance
Ransomware, Malware & Phishing
- Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants
- PowerDrop Malware Targets U.S. Aerospace Industry with Advanced Techniques
- Zacks Investment Research Data Breach: Personal Information Exposed
- Royal Ransomware Gang Tests New Encryptor, BlackSuit
Vulnerabilities
- Microsoft Visual Studio Installer Vulnerability Enables Malicious Extensions
- Fortinet Warns of Exploited Zero-Day Vulnerability in FortiOS
- Critical SQL Injection Vulnerability Exploited by Clop Ransomware Gang in MOVEit Transfer Solution
Ransomware, Malware & Phishing
Microsoft Uncovers Banking AitM Phishing and BEC Attacks Targeting Financial Giants
Analysis: Microsoft has disclosed a new phishing and business email compromise (BEC) attack targeting banking and financial services organizations. The attack, known as Storm-1167, involves a multi-stage process and leverages an adversary-in-the-middle (AitM) technique.
The attackers compromised a trusted vendor to initiate the attack, using an indirect proxy to tailor phishing pages and steal session cookies. Unlike typical AitM campaigns, this attack mimicked the sign-in pages of targeted applications hosted on a cloud service. The attackers redirected victims to spoofed Microsoft sign-in pages, where they harvested credentials and time-based one-time passwords (TOTPs). The stolen information was then used to gain unauthorized access to victims' email inboxes, steal sensitive emails, and orchestrate BEC attacks. The attackers also added SMS-based two-factor authentication to target accounts to avoid detection.
The incident involved a mass spam campaign and subsequent AitM attacks targeting recipients of phishing emails from compromised accounts. Microsoft warned about the complexity of AitM and BEC threats, highlighting the abuse of trusted relationships between vendors and partners. The company previously cautioned about the surge in BEC attacks and evolving tactics, including the use of platforms like BulletProftLink and residential IP addresses to mask the attackers' origin.
Access Point urges organizations to remain vigilant and take steps to protect against phishing attacks with adequate training to safeguard personal and professional data. This includes educating all employees with security awareness training and teaching them how to identify and report phishing emails (e.g., teaching them how to hover over sender addresses and links, and never trusting unknown senders if they were not expecting an email). It is also important to regularly test your organization with phishing tests to ensure they are best prepared should they be targeted. Implementing multi-factor authentication (MFA) for all user accounts as a layered defense is also essential if users' credentials are exposed to attackers.
New PowerDrop Malware Targeting U.S. Aerospace Industry
Analysis: The U.S. aerospace industry has been targeted by an unidentified threat actor using a new PowerShell-based malware called PowerDrop. Adlumin, the company that discovered the malware in May 2023, described PowerDrop as utilizing advanced techniques like deception, encoding, and encryption to avoid detection. The name PowerDrop is derived from its use of Windows PowerShell and the "DROP" string in the code for padding.
PowerDrop is a post-exploitation tool designed to gather information from compromised networks after initial access has been obtained through other means. To establish communication with a command-and-control (C2) server, PowerDrop uses Internet Control Message Protocol (ICMP) echo request messages as beacons. The server responds with an encrypted command that is decoded and executed on the compromised host. Similarly, an ICMP ping message is used for exfiltrating the results of the instruction. PowerDrop leverages the Windows Management Instrumentation (WMI) service to execute the PowerShell command, indicating the threat actor's use of living-off-the-land tactics to evade detection.
While the core nature of the malware is not highly sophisticated, its ability to obfuscate suspicious activity and bypass endpoint defenses suggests the involvement of more advanced threat actors, according to Mark Sangster, Vice President of Strategy at Adlumin.
As we continuously see an evolving threat landscape where actors are improving their malware to evade detection, Access Point recommends having a threat hunting team working around the clock to stay informed about the latest trending tactics, techniques, and procedures. They should proactively hunt for any indicators of compromise associated with trending threat groups within your environment and block wherever necessary.
Have I Been Pwned warns of new Zacks data breach impacting 8 million
Analysis: Zacks Investment Research, a financial research and analytics firm, has reportedly experienced a previously undisclosed data breach that affected 8.8 million customers.
The breached database has been shared on a hacking forum. This breach is separate from a previous one that Zacks disclosed, which occurred between November 2021 and August 2022 and affected around 820,000 customers.
In the previous breach, unauthorized intruders accessed personal and sensitive information. However, Zacks stated that they had no reason to believe credit card information or other financial data was compromised. The newly discovered breach, which predates the previous one, contains a database with email addresses, usernames, unsalted SHA256 passwords, addresses, phone numbers, and names of Zacks customers. Financial information such as credit card and bank account details are not included in the leaked data.
Zacks had previously initiated a password reset procedure for the breach disclosed in January, but it is likely that the remaining 90% of affected accounts were not included in that measure, leaving them vulnerable to account hijacking, credential stuffing, and SIM swapping.
Zacks has not responded to inquiries from BleepingComputer, but they are expected to notify affected users, although no timeline has been provided. Users can check if their email address is in the leaked data by using the Have I Been Pwned service. The leaked Zacks database has also been shared on the Exposed hacking forum, a platform used to distribute and sell stolen data. With the database now public, threat actors may exploit it for phishing or credential stuffing attacks.
Access Point strongly recommends that all Zacks users change their passwords to unique ones used exclusively for the Zacks site. If the same password is used on other sites, it is advisable to change the passwords on those sites to something unique as well. It is essential to have a strong password hygiene policy that forces password reset every 90 days, while following complexity requirements such as a certain number of characters, a mixture of upper and lower case letters, along with symbols. It is also important to educate users on the importance of not using their business credentials for other third-party entities in case of a breach to their systems.
Royal ransomware gang adds BlackSuit encryptor to their arsenal
Analysis: The Royal ransomware gang, believed to be the successor of the Conti operation, has started testing a new encryptor called BlackSuit.
Royal is a private ransomware operation consisting of pen-testers and affiliates from Conti Team 1, and it has become one of the most active ransomware groups since its launch in January 2023, targeting enterprise organizations.
There were initial indications in late April that Royal was planning to rebrand under the name BlackSuit. However, a rebranding did not take place, and Royal continues its attacks while using BlackSuit in limited instances. It is possible that Royal is simply testing the new encryptor, as they have done with other tools in the past, such as loaders and malware like Emotet and IcedID.
Yelisey Bohuslavskiy, Partner and Head of R&D at RedSense, suggests that Royal may be experimenting with new lockers and tools, including BlackSuit, but these experiments might have been unsuccessful. It remains uncertain how BlackSuit will be utilized, whether as a subgroup focusing on specific victim types or for a potential rebranding in the future.
Despite the possibility of a rebrand, a recent report by Trend Micro indicates clear similarities between the BlackSuit and Royal ransomware encryptors, making it challenging to convince others that BlackSuit is an entirely new operation. The similarities include command line arguments, code similarities, file exclusions, and encryption techniques.
BlackSuit has been observed in a small number of attacks, with ransom demands so far under $1 million. Although only one victim is currently listed on their data leak site, this could change if the encryptor is more widely used. The intentions behind BlackSuit, whether it is a failed experiment or the beginning of a new subgroup, are still unclear.
However, it is important for network defenders to be aware that this new operation is backed by Royal, which has demonstrated expertise in breaching networks and deploying ransomware.
Access Point recommends having a tested incident response plan, policy, and procedural run book for data breach incidents like these to minimize the impact. It is also important to be best prepared for any attacks by implementing a number of best practices, including regular data backups, employee training, segregating networks, and timely software patching to protect against ransomware and other cyber threats. Having a multi-layered defense is also important, with multi-factor authentication (MFA) switched on.
Vulnerabilities
Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer
Analysis: Security researchers have discovered a potentially dangerous vulnerability in the Microsoft Visual Studio installer that could be exploited by malicious actors. The flaw allows an attacker to impersonate a trusted publisher and distribute malicious extensions, enabling them to steal sensitive information, modify code, or take control of a system.
The vulnerability, identified as CVE-2023-28299, has been assigned a CVSS score of 5.5 and was addressed by Microsoft in the April 2023 Patch Tuesday updates. The bug involves the Visual Studio user interface, which permits spoofed publisher digital signatures. By adding newline characters to the "DisplayName" tag in the "extension.vsixmanifest" file, an attacker can suppress warnings about the lack of a digital signature and deceive developers into installing the malicious extension.
The exploit could be deployed via a phishing email disguised as a legitimate software update. Once installed, the malicious extension grants unauthorized access to the targeted machine, potentially leading to deeper control over the network and the theft of sensitive data. The simplicity and minimal privileges required to carry out the attack make it easily weaponizable. This vulnerability provides threat actors with an opportunity to issue fake malicious extensions with the aim of compromising systems.
Microsoft has released patches to mitigate this flaw, emphasizing the importance of keeping software up to date to prevent exploitation.
To address the vulnerability in the Microsoft Visual Studio installer (CVE-2023-28299), vulnerability analysts at Access Point Technology recommend that users promptly update the software with the latest patches released by Microsoft. Users should ensure that their Visual Studio installation is up to date to mitigate the risk of exploitation. Regularly checking for updates and applying them promptly is essential to maintain a secure environment and prevent potential malicious attacks leveraging this vulnerability.
Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks
Analysis: Fortinet has warned customers about a potentially exploited zero-day vulnerability, identified as CVE-2023-27997, in its FortiOS operating system.
The critical flaw, described as a heap-based buffer overflow in the SSL-VPN module, can allow remote attackers to execute arbitrary code or commands by sending specially crafted requests. Fortinet confirmed that the flaw was reported by Charles Fol and Dany Bach of Lexfo, and it has released updates to address the vulnerability along with five other FortiOS vulnerabilities discovered during an internal audit triggered by the exploitation of CVE-2022-42475. While the extent of the exploitation of CVE-2023-27997 is limited, Fortinet advises immediate action for customers with SSL-VPN enabled, urging them to upgrade to the latest firmware release.
Regarding the zero-day's potential attacks, Fortinet has not provided specific details, but it clarified that it is unrelated to the recently disclosed Volt Typhoon campaign. The Volt Typhoon campaign, attributed to a Chinese state-sponsored threat group, targeted critical infrastructure organizations in Guam and exploited internet-exposed Fortinet FortiGuard firewalls for initial access. Microsoft previously disclosed this campaign and linked it to the exploitation of CVE-2022-40684, a widely targeted security vulnerability. Fortinet recommends upgrading the firmware even for customers not using SSL-VPN to ensure overall mitigation against potential risks.
Access Point Technology recommends customers using Fortinet's FortiOS operating system take immediate action to mitigate the potential risks associated with the recently patched vulnerability CVE-2023-27997. Fortinet recommends upgrading to the latest firmware release, especially for those with SSL-VPN enabled. Even if SSL-VPN is not in use, upgrading is still recommended to ensure overall security. By promptly applying the available updates, customers can protect their systems from potential exploitation and arbitrary code execution by remote attackers.
Exploit released for MOVEit RCE bug used in data theft attacks
Analysis: Horizon3 security researchers have recently released a proof-of-concept (PoC) exploit code for an SQL injection vulnerability identified as CVE-2023-34362 in the MOVEit Transfer managed file transfer (MFT) solution. This critical flaw allows unauthenticated attackers to gain access to vulnerable MOVEit servers and execute arbitrary remote code. The Clop ransomware gang has been actively exploiting this zero-day vulnerability for data theft attacks.
Progress, the company behind MOVEit Transfer, has responded to this security issue by releasing security updates to patch the bug and has urged customers to apply them promptly. Horizon3 has published the PoC exploit along with a technical analysis and a list of indicators of compromise (IOCs) to assist network defenders in identifying exploitation on vulnerable servers.
The Clop ransomware gang has taken responsibility for the data theft attacks exploiting the CVE-2023-34362 vulnerability. Microsoft has attributed this campaign to the Lace Tempest hacking group, which has connections to FIN11 and TA505. It has been discovered that Clop has been actively searching for opportunities to exploit the patched MOVEit zero-day vulnerability since 2021 and has been looking for ways to extract data from compromised MOVEit servers since April 2022.
Several organizations, including EY, the Irish Health Service Executive (HSE), Zellis, British Airways, Aer Lingus, and the Minnesota Department of Education have reported data breaches as a result of these attacks.
The Clop ransomware gang has a history of targeting vulnerabilities in managed file transfer platforms, including the Accellion FTA servers in 2020, the SolarWinds Serv-U Managed File Transfer in 2021, and the GoAnywhere MFT zero-day in January 2023. Progress has released patches to address newly discovered critical SQL injection vulnerabilities in MOVEit Transfer and has warned customers about the potential theft of information from their databases.
To mitigate the risks associated with the SQL injection vulnerability CVE-2023-34362 in the MOVEit Transfer managed file transfer (MFT) solution, Access Point Technology recommends users take immediate action. It is crucial for customers to apply the security updates and patches provided by Progress to ensure their MOVEit servers are protected against arbitrary code execution and potential data theft attacks. Promptly updating the software is essential to prevent unauthorized access and exploitation of this vulnerability by threat actors. Additionally, organizations should closely monitor their network for any indicators of compromise (IOCs) listed by Horizon3 and implement appropriate security measures to detect and mitigate any exploitation attempts on vulnerable servers.
Sources
https://thehackernews.com/2023/06/microsoft-uncovers-banking-aitm.html
https://thehackernews.com/2023/06/new-powerdrop-malware-targeting-us.html
https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-blacksuit-encryptor-to-their-arsenal/#:~:text=The%20Royal%20ransomware%20gang%20has,shut%20down%20in%20June%202022.
https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.html
https://www.securityweek.com/fortinet-warns-customers-of-possible-zero-day-exploited-in-limited-attacks/
https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-rce-bug-used-in-data-theft-attacks/
https://www.bleepingcomputer.com/news/security/have-i-been-pwned-warns-of-new-zacks-data-breach-impacting-8-million/#:~:text=Zacks%20Investment%20Research%20(Zacks)%20has,shared%20on%20a%20hacking%20forum
.webp)
.png)
