CyberWatch

CyberWatch - May 24, 2023

By Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Iowa Hospital discloses breach following Royal ransomware leak
  2. Notorious Cyber Gang FIN7 Returns with Cl0p Ransomware in New Wave of Attack
  3. PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted
  4. Malicious Windows kernel drivers used in BlackCat ransomware attacks
  5. The Rising Threat of Secrets Sprawl and the Need for Action

Vulnerabilities

  1. Samsung Smartphone Users Warned of Actively Exploited Vulnerability
  2. WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities
  3. Pimcore Platform Flaws Exposed Users to Code Execution

Ransomware, Malware & Phishing

Iowa Hospital discloses breach following Royal ransomware leak

Analysis: Clarke County Hospital in Iowa has disclosed a data breach after the Royal ransomware gang claimed responsibility for the attack.

The hospital’s information was found on the Royal ransomware data leak site on April 24. Security researchers later discovered that the attackers had reposted the hospital’s listing and were actively leaking data, including an alleged video of a patient collapsing.

On May 17, Clarke County Hospital issued a data breach notification stating that personal information of current and former patients may have been exposed.

The compromised data included the following:

  • Full names
  • Addresses
  • Dates of birth
  • Health insurance information
  • Medical record numbers
  • Diagnostic information and specific health conditions

However, electronic medical records, Social Security numbers, banking information, credit card information, and financial information were not involved in the breach. The hospital did not address the ransomware claim specifically but confirmed that the attack began on April 14, leading to a network shutdown. CCH’s Facebook page provided status updates during the network disruption, mentioning outages with phone and internet systems. However, the network outage was not mentioned on social media again after April 20.

As of Monday, Clarke County Hospital’s listing on the Royal ransomware data leak site has been removed. Ransomware groups typically list victim organizations on their sites with leaked data to pressure them into paying the demanded ransom. The incident highlights the increasing risks faced by the healthcare sector, with threat actors targeting sensitive medical data for theft and ransom.

In a similar attack in February, ransomware operators threatened to leak medical information and patient images after breaching Lehigh Valley Health Network.

Access Point recommends that organizations focus on prevention and mitigation strategies such as robust backups, segregated networks, layered defense mechanisms, and a tried and tested disaster recovery plan. Never pay a ransom demand; doing so only marks you as a future target for other attackers.

Source

Notorious Cyber Gang FIN7 Returns with Cl0p Ransomware in New Wave of Attack

Analysis: The cybercrime group FIN7, also known as Carbanak, ELBRUS, or ITG14, has recently launched a ransomware campaign using the Cl0p (Clop) ransomware. This marks FIN7’s first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the group under the name Sangria Tempest.

In the recent attacks, Sangria Tempest — the threat actor associated with FIN7 — utilizes the PowerShell script POWERTRASH to load the Lizar post-exploitation tool, gaining initial access to the target network. They then employ OpenSSH and Impacket to move laterally within the network and deploy Clop ransomware. FIN7 has previously been linked to other ransomware families, including Black Basta, DarkSide, REvil, and LockBit. The group has been active since at least 2012 and has targeted a wide range of organizations in industries such as software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

One notable tactic employed by FIN7 is the creation of fake security companies — such as Combi Security and Bastion Secure — to recruit employees for conducting ransomware attacks and other operations. The group’s use of the POWERTRASH script to deliver Lizar was recently highlighted in connection with attacks exploiting a high-severity vulnerability in Veeam Backup and Replication Software (CVE-2023-27532) to gain initial access.

FIN7’s shift towards ransomware campaigns signifies a change in its monetization strategy, moving away from stealing payment card data and focusing on extortion instead. These developments indicate that threat actors are continuously evolving and customizing their ransomware to bypass cybersecurity measures and adapt to the changing security landscape.

Access Point advises that your organization have a dedicated threat hunting program that focuses on proactive hunting within your network for any indicators of compromise associated with threat groups that may have evaded detection. Constantly monitoring threat groups and their latest tactics, techniques, and procedures (TTPs) will help keep your organization safe as you stay in the know with the latest news. It is also essential that, while you are hunting for indicators of compromise, you block where possible any IOCs such as URLs, IP ranges, email addresses, and file hashes.

Source

PyPI Repository Under Attack: User Sign-Ups and Package Uploads Temporarily Halted

Analysis: The Python Package Index (PyPI), the official repository for third-party Python software, has temporarily disabled user signups and the ability to upload new packages due to an influx of malicious users and projects.

PyPI administrators cited their inability to respond promptly to the rising number of threats while several administrators were on leave. The specific details regarding the malware and the threat actors behind the rogue packages uploaded to PyPI were not disclosed. This action follows a pattern of software registries being targeted by attackers to compromise developer environments and tamper with the software supply chain.

In a recent incident, Israeli cybersecurity firm Phylum uncovered a malware campaign that used OpenAI ChatGPT-themed lures to entice developers into downloading a malicious Python module capable of stealing clipboard content to hijack cryptocurrency transactions.

ReversingLabs has also discovered multiple NPM packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent in the NPM repository that distributed a trojan called TurkoRat. The PyPI maintainers have resumed new user and project registrations after a temporary pause over the weekend.

As mentioned previously, Access Point recommends that organizations have a proactive threat hunting team that searches the network for indicators of compromise that may have evaded detection, to ensure these events are avoided. Staying in the know with all threat actors' latest tactics, techniques, and procedures will allow you to stay better informed and protected.

Source

Malicious Windows kernel drivers used in BlackCat ransomware attacks

Analysis: The ALPHV ransomware group, also known as BlackCat, has been observed using signed malicious Windows kernel drivers to evade detection during their attacks.

Trend Micro discovered an improved version of the malware called 'POORTRY,' which was previously spotted in ransomware attacks by Microsoft, Mandiant, Sophos, and SentinelOne. The POORTRY malware is a Windows kernel driver that was signed using stolen keys from legitimate accounts in Microsoft's Windows Hardware Developer Program.

The UNC3944 hacking group, also known as 0ktapus and Scattered Spider, used this driver to terminate security software on Windows devices, enabling them to avoid detection. While security software is typically protected from termination or tampering, Windows kernel drivers run with the highest privileges in the operating system, allowing them to terminate almost any process. The ALPHV ransomware group initially attempted to use the Microsoft-signed POORTRY driver, but its detection rates were high due to the publicity it received and the revocation of the code-signing keys.

To overcome this, the hackers deployed an updated version of the POORTRY kernel driver, which was signed using a stolen or leaked cross-signing certificate. This new driver, identified as 'ktgn.sys' in previous attacks, helps the BlackCat ransomware operation elevate privileges on compromised machines and terminate security-related processes. The malicious kernel driver exposes an IOCTL (Input/Output Control) interface that allows a user mode program named 'tjr.exe' to issue commands executed with Windows kernel privileges. The driver supports various commands including killing processes, deleting files, copying files, registering process/thread notification callbacks, and rebooting the system. While the digital signature of ktgn.sys has been revoked, the driver can still load on 64-bit Windows systems with enforced signing policies.

Access Point recommends that system administrators use the indicators of compromise provided by Trend Micro to add the malicious drivers to the Windows driver blocklist. Enabling 'Driver Signature Enforcement' is also recommended to block the installation of drivers without a valid digital signature.
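As an added example (not from the article or from Trend Micro), the following triage routine runs over constructed Sysmon Event ID 6 (DriverLoad) records and flags the warning signs described above: a revoked signature, a driver name on a blocklist, and a driver loaded from outside the normal drivers directory. The blocklisted hash is a labelled placeholder, since the article does not reproduce the IoC list.

```python
# Added example, not the article's or Trend Micro's code: triage constructed
# Sysmon Event ID 6 (DriverLoad) records for revoked signatures, blocklisted
# names/hashes, and drivers loaded from unusual locations.
import re

# Driver file name from the article; hashes would come from the vendor IoC
# list and are left as an obviously fake placeholder here.
BLOCKLISTED_NAMES = {"ktgn.sys"}
BLOCKLISTED_SHA256 = {"<sha256 from the trend micro ioc list>"}
TRUSTED_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.I)

def parse_hashes(field):
    """Turn Sysmon's 'SHA1=...,SHA256=...' string into a dict keyed by algorithm."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out

def triage_driver_load(event):
    """Return the reasons a DriverLoad event deserves analyst attention."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    status = event.get("SignatureStatus", "").lower()
    # A revoked certificate does not by itself stop the driver loading (the
    # article notes ktgn.sys still loads), so telemetry has to catch it.
    if status != "valid":
        reasons.append(f"signature status is {status or 'unknown'}")
    # Names are the weakest indicator (trivially changed); keep them anyway
    # because vendor IoC lists publish them.
    if name in BLOCKLISTED_NAMES:
        reasons.append("file name is on the driver blocklist")
    if parse_hashes(event.get("Hashes", "")).get("SHA256") in BLOCKLISTED_SHA256:
        reasons.append("SHA256 is on the driver blocklist")
    if not TRUSTED_DRIVER_DIR.match(image):
        reasons.append("loaded from outside System32\\drivers")
    return reasons

def triage_all(events):
    """Map each suspicious ImageLoaded path to its list of reasons."""
    hits = {}
    for ev in events:
        reasons = triage_driver_load(ev)
        if reasons:
            hits[ev["ImageLoaded"]] = reasons
    return hits

# Constructed sample events using Sysmon Event ID 6 field names; not real telemetry.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "0" * 64, "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\ktgn.sys",
     "Hashes": "SHA256=" + "f" * 64, "SignatureStatus": "Revoked"},
]

if __name__ == "__main__":
    for image, reasons in triage_all(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(reasons))
```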

Source

The Rising Threat of Secrets Sprawl and the Need for Action

Analysis: The 2023 State of Secrets Sprawl report highlights the increasing challenge of maintaining secrets in the information age.

The report reveals a 67% year-over-year increase in the number of secrets found, with 10 million hard-coded secrets detected in 2022 alone. This secrets sprawl refers to the appearance of secrets in plain text in various sources, posing a risk of leaks and breaches. The dangers of secret sprawl were underscored by high-profile cybersecurity incidents at Uber and Toyota. Uber fell victim to an attack where a bad actor used hard-coded admin credentials found in a PowerShell script, while Toyota exposed credentials granting access to customer data in a public GitHub repository for almost five years. These incidents emphasize the importance of prioritizing secrets and investing in solutions to address this issue.

The report identifies secrets management as a major blind spot in application security. Approximately 1 in 10 code authors exposed a secret in 2022, indicating that developers of all experience levels are susceptible to this issue. Cybersecurity teams have traditionally focused on vulnerabilities rather than poorly secured credentials, leaving many applications vulnerable. To combat secrets sprawl, organizations need to prioritize the protection of secrets and invest in solutions for detection and remediation.

While the risk of secrets exposure cannot be entirely eliminated, organizations can mitigate it by addressing poor secrets hygiene practices and implementing remediation playbooks. Embracing proactive measures and implementing end-to-end security measures within the software development life cycle can help mitigate the risks associated with leaked and exploited secrets.

Access Point urges organizations to aggressively address secrets sprawl and ensure the safety and security of their secrets. By investing in appropriate tools and strategies, companies can reduce the risks associated with leaked and exploited secrets while safeguarding valuable information in the digital age.
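As an added example (not from the report or the article), here is a small pre-commit style scanner of the kind that catches the hard-coded credentials discussed above. It combines pattern rules for well-known token formats with a Shannon-entropy check on literals assigned to secret-looking names; the sample script lines and their values are constructed and fake.

```python
# Added example, not the report's or the article's code: flag hard-coded
# secrets in text using known token shapes plus an entropy check.
import math
import re

# Well-known token shapes. Illustrative prefixes, not a complete list.
PATTERN_RULES = [
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("GitHub personal access token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("Private key block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]
# A quoted literal assigned to a secret-looking name, e.g. $AdminPassword = "..."
ASSIGNMENT = re.compile(
    r"(?i)(password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")

def shannon_entropy(s):
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line, entropy_threshold=3.5):
    """Return (rule, matched_text) findings for a single line of text."""
    findings = []
    for name, rx in PATTERN_RULES:
        for m in rx.finditer(line):
            findings.append((name, m.group(0)))
    for m in ASSIGNMENT.finditer(line):
        value = m.group(2)
        # Skip obvious placeholders and environment-variable references.
        if value.lower() in {"changeme", "password", "example"} or "${" in value:
            continue
        if shannon_entropy(value) >= entropy_threshold:
            findings.append((f"high-entropy {m.group(1).lower()}", value))
    return findings

def scan_text(text):
    """Scan multi-line text; returns [(line_no, rule, match), ...]."""
    results = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, match in scan_line(line):
            results.append((no, rule, match))
    return results

# Constructed sample resembling a script with a hard-coded admin credential,
# like the one the article mentions; every value here is fake.
SAMPLE = """\
$Url = "https://intranet.example.internal/api"
$AdminPassword = "Qv7#pL9z!eR2mT4w"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
$LogLevel = "verbose"
db_password = "${DB_PASSWORD}"
"""

if __name__ == "__main__":
    for line_no, rule, match in scan_text(SAMPLE):
        print(f"line {line_no}: {rule}: {match}")
```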

Source

Vulnerabilities

Samsung Smartphone Users Warned of Actively Exploited Vulnerability

Analysis: Samsung smartphone users have been alerted to a recent vulnerability identified as CVE-2023-21492, which has been patched and is currently being exploited.

This vulnerability, related to a kernel pointer exposure issue tied to log files, could allow an attacker with local access and elevated privileges to bypass the ASLR (Address Space Layout Randomization) exploit mitigation technique. This suggests that the flaw could be used in conjunction with other bugs to compromise a device.

Samsung addressed the issue in their May 2023 security update after learning about the flaw in mid-January and stated that specific devices running Android 11, 12, and 13 are affected.

The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, instructing government agencies to implement the patch by June 9th.

Google’s Threat Analysis Group initially identified the vulnerability and suggested that a commercial spyware vendor likely exploited it. In fact, Google has reported that this vulnerability and several others have been leveraged in campaigns to infiltrate Samsung smartphones through a variety of zero-day and n-day vulnerabilities.

Google identified a particular attack in December 2022, where attackers tried to infect users in the United Arab Emirates with Android spyware via the Samsung Internet Browser. This attack was linked to Variston, a Spanish commercial spyware vendor. Throughout 2021, Google reported nine Samsung vulnerabilities that had been exploited in attacks, with details of several Samsung phone vulnerabilities still holding a zero-day status being disclosed.

In addition to the Samsung vulnerability, CISA also highlighted two Cisco IOS vulnerabilities in its KEV catalog.

  • CVE-2016-6415: First revealed in 2016 as part of the Shadow Brokers leaks
  • CVE-2004-1464: DoS vulnerability that Cisco warned about and released patches for back in 2004

Access Point Technology recommends that users apply all the relevant patches provided by Samsung and Cisco for the identified vulnerabilities, specifically the following:

  • CVE-2023-21492
  • CVE-2016-6415
  • CVE-2004-1464

This needs to be done systematically, prioritizing systems that are most exposed or deal with sensitive data. Simultaneously, a comprehensive risk assessment should be conducted to grasp the potential impact of these vulnerabilities on your infrastructure.

It is critical to maintain an up-to-date asset inventory to determine which devices require these patches. Enhance monitoring and logging on potentially affected systems to detect any anomalous activity, given the likelihood that these vulnerabilities might already have been exploited. Users should be made aware of these vulnerabilities and advised to exercise caution, particularly with downloading apps from unknown sources and handling unsolicited links or attachments.

Ensure that any third-party vendors or partners that interact with your network are aware of these vulnerabilities and are taking remediation steps. Finally, integrate these steps into an ongoing, proactive vulnerability management program that includes a robust incident response plan and continuous scanning for unpatched systems or new vulnerabilities.

Source

WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities

Analysis: Vulnerability analysts here at Access Point Technology have been prioritizing the application and research of a slew of security updates released by Apple across multiple platforms including iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser, to address numerous vulnerabilities.

Of the resolved issues, the following three new zero-day vulnerabilities are reported to be actively exploited in the wild:

  1. CVE-2023-32409, a WebKit flaw that allows a malicious actor to breach the Web Content sandbox.
  2. CVE-2023-28204, an out-of-bounds read issue in WebKit that could disclose sensitive information.
  3. CVE-2023-32373, a use-after-free bug in WebKit that could potentially enable arbitrary code execution.

Clément Lecigne of Google's Threat Analysis Group (TAG) and Donncha Ó Cearbhaill of Amnesty International's Security Lab reported CVE-2023-32409, while an anonymous researcher reported the other two vulnerabilities.

Both CVE-2023-28204 and CVE-2023-32373 were patched as part of Rapid Security Response updates – iOS 16.4.1 (a) and iPadOS 16.4.1 (a) – released earlier this month. No additional technical details about the vulnerabilities, the nature of the attacks, or potential threat actors are currently available. However, these types of vulnerabilities have historically been used in highly-targeted attacks, often to deploy spyware on the devices of journalists, activists, and human rights defenders.

The recent updates are applicable to a range of devices and operating systems, including:

  • iOS 16.5 for iPhone 8 and later models
  • iPadOS 16.5 for iPad Pro, iPad Air (3rd generation and later), iPad (5th generation and later), and iPad mini (5th generation and later)

Updates for iOS 15.7.6 and iPadOS 15.7.6 are also available for earlier iPhone models and other devices. Additionally, updates were released for macOS Ventura 13.4, tvOS 16.5, watchOS 9.5, and Safari 16.5. This adds to a total of six actively exploited zero-days that Apple has addressed since the start of 2023.

Access Point Technology recommends that immediate action be taken to apply the security updates released by Apple across all relevant platforms, specifically addressing the three new zero-day vulnerabilities. Ensure that all devices running iOS, iPadOS, macOS, tvOS, watchOS, and Safari browser are promptly updated to the latest versions. These updates should prioritize devices that are most at risk, such as those used in sensitive operations, those with access to critical data, or those exposed to untrusted networks.

Our team also recommends that users continue to monitor the security advisories from Apple and other trusted sources for any updates on these vulnerabilities and any new ones that may emerge. Implement improved logging and monitoring to swiftly identify any abnormal behavior potentially indicating exploitation attempts. Be vigilant about potential phishing or social engineering attacks that may attempt to exploit these vulnerabilities or distract from them. Lastly, conduct awareness programs to inform users about these vulnerabilities and urge them to apply updates as soon as possible.

Source

Pimcore Platform Flaws Exposed Users to Code Execution

Analysis: Security researchers have highlighted that the open-source Pimcore platform patched two vulnerabilities in its March 2023 release, version 10.5.19, that could have enabled the execution of arbitrary code upon clicking a link.

These vulnerabilities, identified as a path traversal bug and an SQL injection flaw, were found in a GET request endpoint accessible only to administrators. However, this endpoint lacked Cross-Site Request Forgery (CSRF) protections. An attacker could exploit this situation, controlling the CSV output file path, name, and extension, resulting in the creation of PHP files on the server.

The twin vulnerabilities, collectively tracked as CVE-2023-28438, could be exploited by creating a malicious link that, if clicked by an administrator, could lead to the deployment of a web shell on the server. When combined, these vulnerabilities could be used to execute arbitrary PHP code on the server with the permissions of the web server.

Access Point Technology recommends that users of the Pimcore platform update to version 10.5.19 as soon as possible. This version resolves the two vulnerabilities that could potentially allow arbitrary code execution. If users are unable to automatically update to the latest version, they should manually apply the available patches to mitigate the risks associated with these vulnerabilities.

In addition to applying these updates, organizations should consider enhancing their security controls around administrator accounts, as the identified vulnerabilities are exploitable through an endpoint accessible only to administrators. Implementing strong phishing protection and user awareness training can reduce the risk of administrators falling for malicious links that could exploit these vulnerabilities. Regular security audits and penetration testing can also help to identify and remediate any vulnerabilities or misconfigurations that might be present in the platform or the wider environment.

Source
