CyberWatch

CyberWatch - June 28, 2023

By

Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. SEO Poisoning Attacks on Healthcare Sector Rising, HHS Warns
  2. Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering
  3. Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware
  4. Microsoft: Hackers hijack Linux systems using trojanized OpenSSH version
  5. MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans
  6. Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

Vulnerabilities

  1. CISA orders agencies to patch iPhone bugs abused in spyware attacks
  2. Remotely Exploitable DoS Vulnerabilities Patched in BIND
  3. Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari
  4. New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

Ransomware, Malware & Phishing

SEO Poisoning Attacks on Healthcare Sector Rising, HHS Warns

Analysis: The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center has warned of a recent increase in the use and frequency of Search Engine Optimization (SEO) poisoning attacks against the U.S. healthcare and public health sectors. This type of attack involves threat actors manipulating search engines (such as Google and Bing) so that the advertised link shown first leads to the attacker's site. From there, they can try to infect visitors with malware, steal user credentials, or run ad fraud. To achieve these results, attackers use spear-phishing, typosquatting, keyword stuffing, cloaking, and private link networks to improve their chances of tricking someone into visiting the fake website.

Spear-phishing enables attackers to target specific users, making the attacks more challenging to identify and defend against. Typosquatting involves registering domain names similar to legitimate ones but with minor spelling errors to deceive users. Keyword stuffing involves inserting irrelevant keywords to manipulate search engine rankings. Cloaking presents different content to search engine crawlers than what users see upon clicking the link. Private link networks connect unrelated websites to create a network of backlinks to boost a website's search engine ranking.

The healthcare industry is becoming an attractive target for such attacks due to its increasing digitization and the highly confidential and valuable data it holds. In addition to the HHS warning, BlackBerry's security researchers observed a rise in SEO poisoning attacks, particularly in the healthcare sector, between December 2022 and February 2023, and expect this trend to continue.

Access Point urges organizations to remain vigilant and take steps to protect against SEO Poisoning Attacks and other similar social engineering attacks through adequate training to safeguard personal and professional data, along with detection and security software to establish rigorous web filtering procedures.

Training can include:

  • Security awareness training
  • Safe browsing practices
  • Phishing awareness training

For example, individuals should be taught to always scan the URL for oddities such as spelling mistakes, a different domain name, or strange formatting. They should also be taught to check that a website looks legitimate before entering any credentials and to skip past any links marked as an ad. Detection and security software can include typosquatting detection using digital risk monitoring tools, indicator of compromise lists for identifying malicious URLs, and rigorous web filtering procedures.

Cybercrime Group 'Muddled Libra' Targets BPO Sector with Advanced Social Engineering

Analysis: The threat actor known as Muddled Libra is targeting the business process outsourcing industry with attacks that leverage advanced social engineering techniques to gain unauthorized access. The group gained attention in late 2022 with the release of the 0ktapus phishing kit, a prebuilt hosting framework with bundled templates that enables individuals with basic skills to launch massive attack campaigns. Alongside the 0ktapus phishing kit, Muddled Libra is recognized for consistently targeting the business process outsourcing (BPO) industry, utilizing compromised infrastructure in subsequent attacks, and occasionally focusing on the same victims repeatedly to replenish their dataset.

Regarding their social engineering tactics, the group has displayed an unusually high level of comfort in engaging both help desk personnel and other employees over the phone. Their ability to swiftly adapt and adjust tactics when faced with obstacles makes them a formidable and cunning adversary to defend against. Additionally, the threat actor employs a wide range of legitimate remote management tools to maintain access, tampers with endpoint security solutions to evade detection, and utilizes credential-stealing tools like Mimikatz and Raccoon Stealer to escalate privileges. They also employ various scanners to facilitate network discovery and exfiltrate data from platforms such as Confluence, Jira, Git, Elastic, Microsoft 365, and other internal messaging platforms.

Access Point recommends implementing multi-factor authentication (MFA) and single sign-on (SSO), setting up security alerts and account lockout mechanisms for failed multi-factor authentication attempts, ensuring comprehensive user awareness training for staff, promoting proper credential hygiene, and implementing the principle of least privilege. The use of MFA provides an additional layer of defense in case users' credentials are compromised. User awareness training should emphasize the importance of never disclosing credentials and educate employees on identifying suspicious non-email-based outreach, particularly for help desk staff.

Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

Analysis: A new strain of JavaScript dropper, tracked as PindOS, has been observed delivering next-stage payloads such as Bumblebee and IcedID. Both payloads act as loaders that introduce other malware, including ransomware, onto compromised hosts. The dropper is designed to download malicious executables from a remote server. It uses two URLs, the second serving as a fallback in case the first fails to retrieve the DLL payload.

Upon execution, the dropper attempts to download the payload from URL1 and executes it by calling the specified export directly through rundll32.exe. If that fails, the dropper tries to download the payload from URL2 and executes it using a combination of PowerShell and rundll32.exe. In both cases, the downloaded payload is saved to the path "%appdata%/Microsoft/Templates/<6-char-random-number>.dat". Subsequently, the download routine is called twice, using four separate URLs in total, and the retrieved payloads are generated pseudo-randomly on demand, so each fetch yields a new sample hash.

Access Point recommends that Information Security Teams thoroughly review the technical analysis provided to identify the indicators of compromise (IOCs) and take appropriate action. These IOCs should be cross-referenced against the organization's environments to ensure that no compromise has occurred. Additionally, steps should be taken to block these IOCs in systems wherever possible.
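As an added detection example (not part of the newsletter or the Deep Instinct analysis), the following flags the execution pattern above in Sysmon-style process-creation records: rundll32.exe loading a .dat file from the Microsoft\Templates folder, invoked with an explicit export, and spawned by a script host or PowerShell. The field names, the wscript.exe parent, the six-alphanumeric file name and the export name are assumptions; the events are constructed.

```python
import re

# Path pattern from the analysis above: %appdata%/Microsoft/Templates/<6 chars>.dat
# (either slash style; six alphanumerics is an assumption about the random name).
TEMPLATES_DAT = re.compile(r"[\\/]Microsoft[\\/]Templates[\\/]\w{6}\.dat\b", re.I)
# rundll32 told to call a named export of a ".dat" file: <path>.dat,<Export>
DAT_EXPORT = re.compile(r"\.dat\s*,\s*\w+", re.I)
# Parents that should not normally be launching rundll32 (assumed: the script
# host that runs the JavaScript dropper, and the PowerShell fallback path).
SUSPECT_PARENTS = ("wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe")


def analyse_event(event):
    """Return the reasons a process-creation event matches the PindOS pattern."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    reasons = []
    if image != "rundll32.exe":
        return reasons
    if TEMPLATES_DAT.search(cmd):
        reasons.append("rundll32 loading a .dat from Microsoft\\Templates")
    if DAT_EXPORT.search(cmd):
        reasons.append("rundll32 calling an export of a .dat file")
    if parent in SUSPECT_PARENTS:
        reasons.append(f"rundll32 spawned by {parent}")
    return reasons


def scan_events(events):
    """Map event index -> reasons, for events that match at least once."""
    hits = {}
    for i, ev in enumerate(events):
        reasons = analyse_event(ev)
        if reasons:
            hits[i] = reasons
    return hits


# Constructed Sysmon-style (Event ID 1) records; field names are assumptions.
# "ExportName" stands in for whatever export the dropper names.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\Microsoft\Templates\483921.dat,ExportName"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\Microsoft\Templates\771204.dat,ExportName"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": "app.exe --update"},
]

if __name__ == "__main__":
    for idx, why in scan_events(SAMPLE_EVENTS).items():
        print(idx, "; ".join(why))
```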

Microsoft: Hackers hijack Linux systems using trojanized OpenSSH version

Analysis: Internet-exposed Linux and Internet of Things (IoT) devices are currently being targeted in brute-force attacks. Once the attackers gain access through a successful brute-force attempt, they deploy a trojanized OpenSSH package that creates a backdoor and steals SSH credentials to maintain persistence on the system. They also enable root login to give themselves elevated privileges. Alongside the trojanized OpenSSH, a shell script is deployed that adds two public keys to the "authorized_keys" file for future persistent access.

Through this established access, the attackers proceed to install two open-source LKM rootkits, known as "Reptile" and "Diamorphine," as well as an open-source IRC bot, referred to as "ZiggyStarTux." The rootkits serve to obfuscate and conceal their activities on the system, while the IRC bot grants the attackers the ability to execute bash commands. Additionally, by adding new iptables rules and entries to the "/etc/hosts" file, the attackers can terminate or block access for competing miners deployed by other adversaries.

The "ZiggyStarTux" bot possesses additional functionality. Through its connection to a command and control (C2) server, the bot can download and execute additional shell scripts to brute-force other hosts within the hacked device's subnet and backdoor additional systems utilizing the OpenSSH package.

These activities have been linked to a recent cryptojacking campaign that involves the installation of the Linux-based Hiveon OS, specifically designed for cryptomining. The attack utilizes a criminal infrastructure that incorporates a subdomain belonging to a Southeast Asian financial institution, serving as the C2 server.

Access Point recommends implementing an IoT security solution that provides visibility and monitoring capabilities for all IoT and OT devices. This solution should be able to detect and respond to threats and vulnerabilities present on these devices and integrate with SIEM/SOAR and XDR platforms. Additionally, any internet-facing devices should undergo hardening measures against potential attacks. This includes ensuring devices have strong passwords, blocking external access to SSH, regularly updating and maintaining devices with the latest firmware and patches, and implementing and maintaining the principle of least privilege on all devices.
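As an added example for the hardening checks above (not from Microsoft's report or the newsletter), the following audits two of the artifacts described: a PermitRootLogin override in sshd_config and authorized_keys entries absent from an approved baseline. The sample config, the keys and the approved fingerprint set are constructed.

```python
import base64
import hashlib
import re


def sshd_effective(config_text):
    """Effective keyword values from sshd_config. sshd uses the FIRST value it
    reads for each keyword, so a 'PermitRootLogin yes' prepended by an intruder
    overrides a hardened line further down. Match blocks are not modelled."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip().lower())
    return effective


def audit_sshd_config(config_text):
    findings = []
    if sshd_effective(config_text).get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    return findings


def key_fingerprint(entry):
    """SHA256 fingerprint of one authorized_keys line, in ssh-keygen -l form.
    Leading options are skipped (options containing spaces are not handled)."""
    fields = entry.split()
    for i, f in enumerate(fields):
        if f.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
            digest = hashlib.sha256(base64.b64decode(fields[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("not an authorized_keys entry: " + entry)


def audit_authorized_keys(text, approved_fingerprints):
    """Fingerprints present in the file but absent from the approved baseline."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            fp = key_fingerprint(line)
            if fp not in approved_fingerprints:
                unexpected.append(fp)
    return unexpected


def make_sample_key(seed):
    """Constructed ssh-ed25519 entry with stand-in bytes (not a real key)."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed inputs: a config with the intruder's line prepended, and a keys
# file holding the admin's key plus two additions (one with a from= option).
TAMPERED_SSHD_CONFIG = "PermitRootLogin yes\nPort 22\nPermitRootLogin no\n"
ADMIN_KEY = make_sample_key(b"admin")
APPROVED = {key_fingerprint(ADMIN_KEY)}
AUTHORIZED_KEYS = "\n".join([
    ADMIN_KEY + " admin@bastion",
    make_sample_key(b"intruder-1") + " root@localhost",
    'from="203.0.113.7" ' + make_sample_key(b"intruder-2"),
])

if __name__ == "__main__":
    # Binary integrity is a separate check, e.g. the package manager's verify
    # command (dpkg --verify / rpm -V) against the installed openssh-server.
    print(audit_sshd_config(TAMPERED_SSHD_CONFIG))
    print(audit_authorized_keys(AUTHORIZED_KEYS, APPROVED))
```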

MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans

Analysis: A new phishing campaign has been detected in India and the US, utilizing JavaScript files to distribute remote access trojans (RATs) on compromised systems. The attack begins by sending the victim a password-protected ZIP file named "REQUESTS.zip," with the password set as "12345". Once the contents are extracted, a single heavily obfuscated JavaScript file named "REQUEST.js" is revealed. When executed, the file displays a decoy PDF to the user while simultaneously running a Python-based executable in the background.

The Python binary serves several purposes within the attack. It establishes persistence in the Windows Registry, installs the main payload, and deploys a secondary ZIP file containing four files designed to bypass User Account Control and escalate privileges. As a result, the victim's machine becomes infected with multiple unique remote access trojans, such as Warzone RAT and Quasar RAT. Notably, the loader responsible for the initial compromise exhibits striking similarities to DBatLoader, but it is coded in Python, packed using PyInstaller, and employs sophisticated techniques to ensure persistence and evade detection.

Access Point emphasizes the importance of organizations remaining vigilant and implementing measures to protect against phishing attacks while safeguarding personal and professional data. This includes providing comprehensive training to all employees, increasing security awareness, and educating them on how to identify and report phishing emails. Examples of training topics include teaching employees to hover over sender addresses and links, to be cautious of unexpected emails from unknown senders, and to refrain from installing or running unknown files received via email. Regularly conducting phishing tests within the organization is also crucial to ensure preparedness in the event of a targeted attack.

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

Analysis: On June 21, Microsoft issued a series of tweets revealing an increase in credential-stealing attacks carried out by the Russian state-affiliated hacker group known as Midnight Blizzard (formerly known as Nobelium). This group is also tracked under various other names, including APT29, Cozy Bear, Iron Hemlock, and The Dukes. Microsoft stated in their tweets that these credential attacks employ a range of techniques such as password spray, brute-force, and token theft.

Microsoft further disclosed that the attackers have been conducting session replay attacks to gain initial access to cloud resources, utilizing stolen sessions likely obtained through illicit means. The threat actors also employ residential proxy services to mask the source IP addresses of their attacks, a practice that Microsoft specifically called out. The attackers frequently switch IP addresses for short periods, which can present challenges in terms of scoping and remediation efforts. The targets of these attacks have primarily been governments, IT service providers, non-governmental organizations (NGOs), defense sectors, and critical manufacturing industries.

Access Point strongly recommends that organizations enforce strong password policies and implement robust multi-factor authentication (MFA) measures to help mitigate these attacks. Microsoft's suite of security solutions, including Microsoft Defender Antivirus, Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory, provides protections and detections against these types of attacks.
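As an added example (not from Microsoft or the newsletter) of the scoping problem just described, the following runs two sliding-window checks over constructed sign-in records: a spray from one IP across many accounts, and one account attacked from many rotating IPs, the shape residential proxies produce and per-IP thresholds miss. Thresholds and the record layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: ISO timestamp, account, source IP, result.
# Addresses are from documentation ranges.
SAMPLE_LOG = """\
2023-06-21T08:00:10 alice 203.0.113.10 FAIL
2023-06-21T08:01:30 bob 203.0.113.10 FAIL
2023-06-21T08:03:05 carol 203.0.113.10 FAIL
2023-06-21T08:04:40 dave 203.0.113.10 FAIL
2023-06-21T08:06:15 erin 203.0.113.10 FAIL
2023-06-21T08:07:50 frank 203.0.113.10 FAIL
2023-06-21T08:02:00 cfo 198.51.100.21 FAIL
2023-06-21T08:09:00 cfo 198.51.100.77 FAIL
2023-06-21T08:15:00 cfo 198.51.100.140 FAIL
2023-06-21T08:22:00 cfo 198.51.100.9 FAIL
2023-06-21T08:28:00 cfo 198.51.100.201 SUCCESS
2023-06-21T08:30:00 grace 192.0.2.5 FAIL
2023-06-21T08:30:40 grace 192.0.2.5 SUCCESS
""".splitlines()


def parse_events(lines):
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def detect(events, window=timedelta(minutes=30), min_accounts=5, min_ips=4):
    """Sliding-window checks over failed sign-ins.
    spray:    one source IP fails against many distinct accounts, which a
              per-account lockout threshold never sees.
    rotation: one account fails from many distinct IPs, which a per-IP
              threshold never sees.
    success_after_rotation: an account flagged for rotation also has a
              successful sign-in in the log, the point to scope from."""
    fails = [e for e in events if e[3] == "FAIL"]
    alerts = set()
    for i, (t0, _, _, _) in enumerate(fails):
        win = [e for e in fails[i:] if e[0] - t0 <= window]
        by_ip, by_user = defaultdict(set), defaultdict(set)
        for _, user, ip, _ in win:
            by_ip[ip].add(user)
            by_user[user].add(ip)
        alerts.update(("spray", ip) for ip, u in by_ip.items() if len(u) >= min_accounts)
        alerts.update(("rotation", u) for u, ips in by_user.items() if len(ips) >= min_ips)
    rotated = {u for kind, u in alerts if kind == "rotation"}
    for _, user, _, result in events:
        if result == "SUCCESS" and user in rotated:
            alerts.add(("success_after_rotation", user))
    return alerts


if __name__ == "__main__":
    for alert in sorted(detect(parse_events(SAMPLE_LOG))):
        print(*alert)
```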

Vulnerabilities

CISA orders agencies to patch iPhone bugs abused in spyware attacks

Analysis: CISA (Cybersecurity and Infrastructure Security Agency) has issued an order for federal agencies to patch zero-day vulnerabilities that were recently exploited to deploy Triangulation spyware on iPhones via iMessage zero-click exploits. The attacks, referred to as "Operation Triangulation," have been ongoing since 2019 and take advantage of iOS zero-day bugs that have now been patched. Kaspersky discovered the spyware on iPhones belonging to its employees and determined that it is delivered through iMessage zero-click exploits.

Russia's FSB intelligence agency has claimed that Apple collaborated with the NSA (National Security Agency) to create a backdoor that allows iPhones in Russia to be infiltrated. The FSB alleged that iPhones belonging to Russian government officials and embassy staff in Israel, China, and NATO member nations had been compromised. Apple has strongly denied these allegations, stating that it has never collaborated with any government to insert backdoors into its products.

The vulnerabilities exploited in these attacks include two Kernel and WebKit vulnerabilities (CVE-2023-32434 and CVE-2023-32435), as well as a WebKit zero-day (CVE-2023-32439) that Apple has already fixed. CISA has also added a critical pre-authentication command injection bug (CVE-2023-27992) affecting Internet-exposed Network-Attached Storage (NAS) devices and a VMware ESXi vulnerability (CVE-2023-20867) exploited by a Chinese-backed hacking group to its Known Exploited Vulnerabilities (KEV) list. Federal agencies are required to patch these vulnerabilities within specific deadlines, and private companies are also advised to address the vulnerabilities outlined in CISA's KEV list.

Access Point Technology advises users to closely follow the directives of federal agencies and promptly patch the security vulnerabilities that were recently exploited to deploy Triangulation spyware on iPhones. Both federal agencies and private companies should take immediate action to patch these vulnerabilities, including the zero-days, the pre-authentication command injection bug (CVE-2023-27992), and the VMware ESXi vulnerability (CVE-2023-20867), in order to mitigate the risk of exploitation and enhance overall security.

Remotely Exploitable DoS Vulnerabilities Patched in BIND

Analysis: The Internet Systems Consortium (ISC) has issued patches for three denial-of-service (DoS) vulnerabilities in BIND, the DNS software suite. These vulnerabilities, tracked as CVE-2023-2828, CVE-2023-2829, and CVE-2023-2911, are considered high-severity issues. Exploiting these flaws could lead to memory exhaustion or crashes in named, which serves as both a recursive resolver and an authoritative name server.

CVE-2023-2828 affects a named function responsible for cleaning the memory cache. The cache-cleaning algorithm's effectiveness can be significantly reduced by querying the resolver for specific RRsets in a particular order. An attacker can exploit this vulnerability to exceed the maximum allowed memory usage, potentially causing a DoS condition by depleting all available memory.

CVE-2023-2829 impacts named instances configured as a DNSSEC-validating recursive resolver with the Aggressive Use of DNSSEC-Validated Cache option enabled. By sending specific queries to the resolver, a remote attacker can cause named to terminate unexpectedly. This option is enabled by default in BIND versions 9.18 and newer, but disabling it mitigates the issue.

The third bug, CVE-2023-2911, affects BIND 9 resolvers that reach the quota of recursive clients while configured to return 'stale' cached answers with the 'stale-answer-client-timeout 0;' option. A sequence of serve-stale-related lookups can trigger the flaw, causing named to loop and crash. To prevent this vulnerability, users should modify the value of 'stale-answer-client-timeout'.

At present, no known attacks have exploited these vulnerabilities.

Access Point Technology recommends users update BIND installations to the patched versions (9.16.42, 9.18.16, and 9.19.14, or their supported preview editions) provided by ISC, while also disabling the "Aggressive Use of DNSSEC-Validated Cache" option for instances affected by CVE-2023-2829 and modifying the 'stale-answer-client-timeout' value for instances vulnerable to CVE-2023-2911. Applying these updates and configuration changes will help mitigate the three denial-of-service vulnerabilities and protect systems from potential exploitation.
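As an added example (not from ISC or the newsletter) of the mitigations above, the following checks a named.conf fragment and a version string for the exposed settings, showing the weak configuration beside the corrected one. The fixed-release table is the one quoted above; the option names are BIND 9's synth-from-dnssec (the "Aggressive Use of DNSSEC-Validated Cache" switch) and stale-answer-client-timeout; the config fragments are constructed.

```python
import re

# First fixed release on each maintained branch, as listed in the summary above.
PATCHED = {"9.16": (9, 16, 42), "9.18": (9, 18, 16), "9.19": (9, 19, 14)}


def parse_version(text):
    """Pull x.y.z out of e.g. 'BIND 9.18.15 (Extended Support Version)'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def directive(conf, name):
    """First 'name value;' statement in the config, comments stripped, lowercased.
    Assumes a single options block (per-view settings are not modelled)."""
    conf = re.sub(r"//[^\n]*|#[^\n]*", "", conf)
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    m = re.search(r"^\s*" + re.escape(name) + r"\s+([^;]+);", conf, re.M)
    return m.group(1).strip().lower() if m else None


def audit_named(conf, version_text):
    """Findings for the three CVEs; an empty list means the build is already fixed."""
    v = parse_version(version_text)
    if v is None:
        return ["could not parse BIND version"]
    branch = f"{v[0]}.{v[1]}"
    if branch in PATCHED and v >= PATCHED[branch]:
        return []
    findings = [f"BIND {'.'.join(map(str, v))} is not a fixed release; "
                "CVE-2023-2828 has no configuration workaround, upgrade"]
    # CVE-2023-2829: DNSSEC-validating recursive resolver with aggressive cache use.
    recursive = directive(conf, "recursion") != "no"          # named recurses unless told not to
    validating = directive(conf, "dnssec-validation") in (None, "auto", "yes")  # default auto
    synth = directive(conf, "synth-from-dnssec") or ("yes" if v >= (9, 18, 0) else "no")
    if recursive and validating and synth == "yes":
        findings.append("CVE-2023-2829: aggressive DNSSEC cache use is on; set 'synth-from-dnssec no;'")
    # CVE-2023-2911: serve-stale with a zero client timeout.
    if (directive(conf, "stale-answer-enable") == "yes"
            and directive(conf, "stale-answer-client-timeout") == "0"):
        findings.append("CVE-2023-2911: 'stale-answer-client-timeout 0;' with serve-stale on; change the value")
    return findings


# Constructed named.conf fragments: the exposed settings and the corrected ones.
WEAK_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-validation auto;
    // synth-from-dnssec left unset: defaults to yes from 9.18
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};
"""
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    dnssec-validation auto;
    synth-from-dnssec no;
    stale-answer-enable yes;
    stale-answer-client-timeout 1800;   // milliseconds; a value other than 0, per the workaround above
};
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_named(conf, "BIND 9.18.15"))
```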

Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Analysis: Apple has recently released updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address several vulnerabilities, including two zero-days that have been actively exploited in the wild. These zero-days, identified as CVE-2023-32434 and CVE-2023-32435, were utilized in a mobile surveillance campaign called Operation Triangulation, which has been ongoing since 2019. The vulnerabilities involve an integer overflow issue in the Kernel that could allow arbitrary code execution with kernel privileges, as well as a memory corruption flaw in WebKit that could lead to arbitrary code execution when processing specially crafted web content. Apple has acknowledged that these issues may have been exploited on iOS versions released before iOS 15.7.

The zero-click attack campaign targeting iOS devices involved a spyware implant called TriangleDB, which operates solely in memory to evade detection. This spyware has extensive capabilities for data collection and tracking, including accessing the device's file system, managing processes, extracting keychain items, and monitoring geolocation. Along with addressing the zero-days, Apple has also patched another zero-day (CVE-2023-32439), which involves a type confusion issue that could result in arbitrary code execution when processing malicious web content.

Apple's updates are available for various platforms, such as iOS, iPadOS, macOS, watchOS, and Safari browser. These patches signify the resolution of nine zero-day vulnerabilities in Apple products since the beginning of the year, highlighting the company's ongoing efforts to address security risks.

Access Point Technology strongly recommends that users apply the updates provided by Apple for iOS, iPadOS, macOS, watchOS, and Safari browser as soon as possible. By updating to the latest versions of the operating systems and browser, users can mitigate the risk of potential attacks that exploit these vulnerabilities. This ensures the overall security and integrity of their devices and data.

New Fortinet's FortiNAC Vulnerability Exposes Networks to Code Execution Attacks

Analysis: Fortinet, a global cybersecurity software company, has recently released updates to address a critical security vulnerability in its network access control solution, FortiNAC. The associated vulnerability is identified as CVE-2023-33299, with a CVSS rating of 9.6. According to Tenable's analysis, this vulnerability is categorized as a deserialization of untrusted data vulnerability. Exploiting this vulnerability would require a remote, unauthenticated attacker to send a specially crafted request on TCP port 1050. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the targeted device.

Another vulnerability, CVE-2023-33300, with a CVSS rating of 4.8, is also addressed in the released fixes. This vulnerability is described as an improper access control issue.

The patches provided by Fortinet apply to the following versions of FortiNAC:

  • FortiNAC versions 9.4.0 through 9.4.2
  • FortiNAC versions 9.2.0 through 9.2.7
  • FortiNAC versions 9.1.0 through 9.1.9
  • FortiNAC versions 7.2.0 through 7.2.1
  • FortiNAC 8.8 (all versions)
  • FortiNAC 8.7 (all versions)
  • FortiNAC 8.6 (all versions)
  • FortiNAC 8.5 (all versions)
  • FortiNAC 8.3 (all versions)

Florian Hauser from the cybersecurity firm CODE WHITE is credited with discovering and reporting both vulnerabilities to Fortinet. If you are interested in the details of his investigation, you can refer to his write-up in the Frycos Security Diary.

This incident serves as a reminder that even cybersecurity companies and their software are not immune to vulnerabilities. It is crucial for users to remain vigilant, regularly check for software updates, and promptly apply patches. Vendor patches are generally the most effective way to ensure the security of your software and environment. Once vulnerabilities become known to the public or specific circles, the risk of exploitation increases significantly.

Access Point Technology strongly recommends that all users of FortiNAC check for updates and ensure they are running the latest version. By doing so, users can protect their systems against potential exploits and maintain a secure environment.

Sources

https://www.bankinfosecurity.com/seo-poisoning-attacks-on-healthcare-sector-rising-hhs-warns-a-22365?&web_view=true

https://thehackernews.com/2023/06/cybercrime-group-muddled-libra-targets.html?&web_view=true

https://www.deepinstinct.com/blog/pindos-new-javascript-dropper-delivering-bumblebee-and-icedid

https://www.bleepingcomputer.com/news/security/microsoft-hackers-hijack-linux-systems-using-trojanized-openssh-version/?&web_view=true

https://thehackernews.com/2023/06/multistorm-campaign-targets-india-and.html?&web_view=true

https://thehackernews.com/2023/06/microsoft-warns-of-widescale-credential.html

https://www.bleepingcomputer.com/news/security/cisa-orders-agencies-to-patch-iphone-bugs-abused-in-spyware-attacks/

https://www.securityweek.com/remotely-exploitable-dos-vulnerabilities-patched-in-bind/

https://thehackernews.com/2023/06/zero-day-alert-apple-releases-patches.html

https://thehackernews.com/2023/06/new-fortinets-fortinac-vulnerability.html
