CyberWatch

CyberWatch - May 31, 2023

By Access Point Consulting

Ransomware, Malware & Phishing

  1. MCNA Dental data breach impacts 8.9 million people after ransomware attack
  2. China’s Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected
  3. Google Cloud Platform (GCP) Cloud SQL Service Vulnerability Exploited by Attackers
  4. New Phishing Technique "File Archiver in the Browser" Targets Users
  5. Lazarus Group Targets Vulnerable Windows Internet Information Services (IIS) Servers
  6. ABB Confirms Ransomware Attack and Takes Remedial Actions
  7. QBot Malware Exploits DLL Hijacking Vulnerability in Windows 10 WordPad

Vulnerabilities

  1. Critical OAuth Vulnerability Discovered in Expo.io Application Development Framework
  2. Apple Addresses SIP Bypass Vulnerability Allowing Access to Private Data
  3. GitLab Addresses Critical File Read Vulnerability in GitLab CE/EE

Ransomware, Malware & Phishing

MCNA Dental data breach impacts 8.9 million people after ransomware attack

Analysis: Managed Care of North America (MCNA) Dental, a prominent dental care and oral health insurance provider in the United States, has disclosed a data breach affecting approximately 9 million patients.

Unauthorized access to MCNA’s computer system was detected on March 6, 2023, after an investigation revealed that hackers had gained entry to the network on February 26, 2023. The stolen data includes a wide range of personal information, such as full names, addresses, dates of birth, government-issued ID numbers, health insurance details, dental records, and billing information.

MCNA Dental has taken steps to address the situation and enhance the security of its systems to prevent future incidents. Law enforcement authorities have been engaged to aid in preventing the misuse of compromised information, and affected individuals have been provided with instructions on obtaining 12 months of free identity theft protection and credit monitoring services. Due to incomplete address records, not all impacted individuals will receive direct notifications, and a substitute notice has been published on the IDX website for 90 days.

The LockBit ransomware group has claimed responsibility for the cyberattack on MCNA Dental. On April 7, 2023, the group released all the stolen data — totaling 700GB — on its website for public download. Considering the possibility that other threat actors may possess the data, affected users are advised to monitor their credit reports for any signs of fraudulent activity or identity theft. It is also important for individuals to exercise caution regarding targeted phishing attempts that may exploit the leaked information to trick recipients into divulging additional sensitive data or credentials.

Access Point recommends prioritizing cybersecurity measures, including robust threat detection, prevention, and response strategies, regular data backups, employee training, and timely software patching to protect against ransomware and other cyber threats. Having a tried and tested incident response plan is essential to ensuring that you are mitigating against the attack as quickly as possible with the least amount of business impact.

Source

China’s Stealthy Hackers Infiltrate U.S. and Guam Critical Infrastructure Undetected

Analysis: According to Microsoft and the "Five Eyes" nations, a sophisticated China-based group has successfully infiltrated critical infrastructure organizations in the United States and Guam without being detected.

Microsoft's threat intelligence team has been tracking the activity of this state-sponsored actor, known as Volt Typhoon. The group's focus is on espionage and information gathering; it has been active since June 2021. To remain undetected, Volt Typhoon leverages tools already present on infected machines and primarily utilizes living-off-the-land (LotL) techniques to exfiltrate data from local web browser applications and gain backdoor access using stolen credentials. The sectors targeted by Volt Typhoon include communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education.

Microsoft also assessed with moderate confidence that the campaign aims to develop capabilities that could disrupt critical communications infrastructure between the United States and the Asian region during future crises.

The group's attacks exhibit a strong emphasis on maintaining a low profile by blending in with regular Windows systems and network activities. They achieve this by routing traffic through compromised small office and home office (SOHO) network equipment, such as routers, firewalls, and VPN hardware. Volt Typhoon also employs custom versions of open-source tools and compromised servers in a command-and-control (C2) proxy network to obfuscate the source of the attacks.

In one notable incident, the group breached telecommunications networks on the island of Guam, a sensitive US military outpost in the Pacific Ocean, and installed a malicious web shell. The initial entry vector involves exploiting unknown zero-day vulnerabilities on Internet-facing Fortinet FortiGuard devices. Additionally, Volt Typhoon has been observed exploiting flaws in Zoho ManageEngine servers to steal credentials and gain access to other devices on the network.

Microsoft has directly notified targeted or compromised customers and provided them with guidance on securing their environments. However, mitigating these risks can be challenging when threat actors employ valid accounts and living-off-the-land binaries (LOLBins) in their attacks.

SecureWorks — monitoring the threat group under the name Bronze Silhouette — noted the group's careful consideration for operational security and its reliance on compromised infrastructure to avoid detection and attribution.

Access Point stresses the importance of having a dedicated threat hunting team that works around the clock to scour your network for any indicators of compromise associated with threat groups and their latest tactics, techniques, and procedures. Groups like this one are built to evade security systems, so proactively hunting for IOCs that may have slipped past detection is essential. Keeping up with the latest news on threat groups and their attacks is equally important to keeping your organization safe.

Source

Severe Flaw in Google Cloud’s Cloud SQL Service Exposed Confidential Data

Analysis: A security vulnerability has been discovered in Google Cloud Platform's (GCP) Cloud SQL service, potentially allowing unauthorized access to sensitive data.

Israeli cloud security firm Dig identified a multi-stage attack chain that exploited a gap in the security layer associated with SQL Server in Cloud SQL. This allowed an attacker to escalate privileges from a basic user to a sysadmin role, enabling access to internal GCP data, customer data, secrets, sensitive files, and passwords. By exploiting another misconfiguration, the attacker could gain system administrator rights and take full control of the database server, accessing all hosted files and extracting passwords.

The disclosure of the vulnerability led to Google addressing the issue in April 2023. Concurrently, Google announced the availability of its Automatic Certificate Management Environment (ACME) API, allowing Google Cloud users to automatically acquire and renew TLS certificates for free.

Access Point recommends keeping all software and operating systems up to date with the latest patches and security updates. It is also important to have regular pen-testing / red and blue team exercises completed within your environment to identify any potential security risks or gaps in your organization.

Source

Don’t Click That ZIP FILE! Phishers Weaponizing .ZIP Domains to Trick Victims

Analysis: A new phishing technique called "file archiver in the browser" has been discovered, which can trick victims into thinking they are using legitimate file archiver software in a web browser.

The technique involves creating a realistic-looking phishing landing page that mimics file archive software, hosted on a .zip domain to appear more legitimate. When a victim clicks on a file within the fake ZIP archive, they may be redirected to a credential harvesting page or unknowingly download malware. Additionally, the search bar in Windows File Explorer can be exploited, as searching for a non-existent .ZIP file can open the phishing page directly in the web browser.

The introduction of new top-level domains (TLDs), including ".zip" and ".mov", by Google has raised concerns about potential phishing and scams.
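The practical problem with ".zip" and ".mov" as TLDs is that a token such as report.zip, which a reader sees as a file name, is a valid hostname that mail clients and chat apps may auto-link and browsers will happily resolve. The following Python helper, added here as an illustration and not code from the article or from any vendor, scans message text for explicit URLs and bare file-name-like tokens and reports those whose hostname ends in a file-extension TLD. The sample message body and its hostnames are constructed placeholders, and the set of colliding TLDs is limited to the two the article names.

```python
import re
from urllib.parse import urlsplit

# TLDs that collide with common file extensions. ".zip" and ".mov" are the two
# the article names; any further entries would be an assumption to document.
FILE_EXTENSION_TLDS = {"zip", "mov"}

# Either an explicit URL, or a bare "name.zip"-style token that mail clients and
# chat apps tend to auto-link as a hostname. The lookbehind stops the second
# alternative from firing on the file part of a path like example.com/files/a.zip.
TOKEN_RE = re.compile(
    r"(?:https?://\S+)|(?:(?<![/\w.-])[\w.-]+\.(?:zip|mov)\b)",
    re.IGNORECASE,
)


def hostname_of(token):
    """Return the hostname a browser would resolve for this token, lowercased."""
    if "://" not in token:
        token = "http://" + token
    host = urlsplit(token).hostname
    return host.lower() if host else None


def tld_is_file_extension(host):
    """True when the host's last label is a TLD that doubles as a file extension."""
    return host.rsplit(".", 1)[-1] in FILE_EXTENSION_TLDS


def find_file_like_hosts(text):
    """Return (token, hostname) pairs whose hostname ends in a file-extension TLD.

    A URL whose *path* ends in .zip (a genuine download link) is not reported;
    only tokens whose *hostname* ends in .zip or .mov are.
    """
    hits = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0).rstrip(".,;:)")
        host = hostname_of(token)
        if host and tld_is_file_extension(host):
            hits.append((token, host))
    return hits


# Constructed sample message body; the hostnames are placeholders, not real sites.
SAMPLE_MESSAGE = (
    "Please review https://invoice-2023.zip/setup and the report.zip attached. "
    "The real backup lives at http://files.example.com/archive.zip"
)

if __name__ == "__main__":
    for token, host in find_file_like_hosts(SAMPLE_MESSAGE):
        print(f"{token!r} would be treated as host {host}")
```

Run against the constructed message, the scanner reports invoice-2023.zip and report.zip but not the archive.zip download hosted under files.example.com, which is exactly the distinction a mail gateway or awareness-training demo needs to make. A match is a review lead rather than proof of phishing: some organisations do own legitimate .zip domains, so the output belongs in a quarantine or banner rule, not a hard block.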

Phishing attacks are becoming more sophisticated, with an increase in the use of Telegram for collecting stolen data and the incorporation of detection evasion techniques in phishing kits. The number of advanced phishing attacks attempted by threat actors rose significantly in 2022, and attackers are exploiting compromised Microsoft accounts and encrypted emails to harvest credentials. Another example involves abusing legitimate features in Microsoft Teams to facilitate phishing and malware delivery by manipulating links in sent messages.

Access Point emphasizes the importance of user education and security awareness training. It is important to teach users to exercise caution when downloading and opening files, especially from unknown sources and suspicious emails. Teaching users to hover over links, scrutinize emails, and report potential phishing emails are all tactics that help ensure your users do not leave you exposed. Implementing multi-factor authentication (MFA) for all user accounts as a layered defense is also essential should users' credentials be exposed to attackers.

For more information on security awareness training, please visit the Access Point Resource Center.

Source

Lazarus hackers target Windows IIS web servers for initial access

Analysis: The Lazarus Group, a notorious state-backed hacking group from North Korea, is now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks, according to South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).

Windows IIS servers, commonly used by organizations for hosting web content, can serve as network entry points for hackers if poorly managed or outdated. The Lazarus Group exploits known vulnerabilities or misconfigurations in IIS servers to create files using the w3wp.exe process. They drop a legitimate file called 'Wordconv.exe' and a malicious DLL ('msvcr100.dll') on the server, along with an encoded file named 'msvcr100.dat'. The 'Wordconv.exe' launches, loading and executing the malicious code in the DLL, which is decrypted from 'msvcr100.dat' in memory, evading detection by antivirus tools.

In the second phase of the attack, Lazarus creates a second piece of malware ('diagn.dll') by exploiting a Notepad++ plugin. This second malware decrypts a new payload using the RC6 algorithm and executes it in memory. The payload's specific purpose is unknown, but signs of LSASS dumping indicate credential theft activity. The Lazarus Group then performs network reconnaissance and lateral movement using valid user credentials, likely stolen in the previous step, through port 3389 (Remote Desktop). However, ASEC has observed no further malicious activity after lateral movement.

As the Lazarus Group heavily relies on DLL side-loading in its attacks, Access Point recommends that organizations monitor for abnormal process execution and take proactive measures to prevent information exfiltration and lateral movement, including enabling MFA and segregating your networks.

It is also essential for organizations to ensure robust security measures, regularly audit and monitor their systems, and promptly address any misconfigurations or vulnerabilities to protect sensitive data and prevent breaches.

Source

US government contractor ABB confirms ransomware attack, data theft

Analysis: ABB, a Swiss tech multinational and US government contractor, has confirmed that it was hit by a ransomware attack.

The company acknowledged that unauthorized third parties accessed certain ABB systems, deployed ransomware, and exfiltrated data. ABB stated that it would communicate with affected parties, including customers, suppliers, and individuals whose personally identifiable information was impacted. The investigation is still ongoing, but there is no evidence that any customer systems have been directly impacted.

ABB reported that the breach has been contained, disrupted services have been restored, and additional security measures have been implemented.

The ransomware attack, conducted by the Black Basta gang, led to operations disruption, project delays, and impacts on ABB's factories. ABB is a major provider of industrial control systems and SCADA systems, serving high-profile customers and government agencies, including the US Department of Defense.

Access Point advises against paying ransom, as it encourages further attacks and funds more criminal activity with no guarantee of the data’s decryption upon payment. Instead, we recommend organizations focus on prevention and mitigation strategies, such as robust backup and disaster recovery plans. Having a tried and tested incident response plan is important to mitigating any attack as quickly as possible with the least amount of business disruption.

Source

QBot malware abuses Windows WordPad EXE to infect devices

Analysis: The QBot malware operation has been exploiting a DLL hijacking vulnerability in the Windows 10 WordPad program to infect computers.

DLL hijacking involves placing a malicious DLL file with the same name as a legitimate one in the search path of the program. When the program is launched, it loads the malware DLL instead of the legitimate one, allowing the threat actors to execute malicious commands.

QBot, also known as Qakbot, is a Windows malware that started as a banking trojan but evolved into a malware dropper. It has collaborated with ransomware groups like Black Basta, Egregor, and Prolock to gain initial access to corporate networks for extortion attacks. In the recent QBot phishing campaign, the attackers utilized the DLL hijacking vulnerability in the Windows 10 WordPad executable.

Phishing emails contain a link that downloads a zip archive containing two files: 1) A renamed copy of the legitimate WordPad executable (document.exe); and 2) the DLL file named edputil.dll for the DLL hijack. When document.exe is launched, it attempts to load the legitimate edputil.dll file. However, it doesn’t check for the DLL in a specific folder and loads any DLL with the same name found in the same folder as the executable. The threat actors take advantage of this by placing a malicious version of edputil.dll in the same folder.

Once the malicious DLL is loaded, the malware uses curl.exe to download a disguised DLL file (camouflaged as a PNG file) from a remote host. This DLL is executed using rundll32.exe, allowing QBot to run silently in the background, steal emails for phishing attacks, and download other payloads like Cobalt Strike for further exploitation and potential ransomware attacks. By leveraging a trusted program like WordPad, QBot aims to evade detection by security software.

However, this infection method only works on Windows 10 and later versions, as earlier versions lack the curl program it relies on. Although the QBot operation has shifted to other infection methods recently, it is not uncommon for the group to revert to previous tactics in later campaigns.
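Both the Lazarus IIS chain (w3wp.exe writing Wordconv.exe next to a malicious msvcr100.dll) and the QBot chain (a renamed WordPad loading edputil.dll from its own folder) share the same observable: a well-known DLL name loaded from the directory the executable lives in rather than from a Windows system directory, and, in the IIS case, a web worker process starting a child it has no business starting. The Python below is an added detection sketch, not code from the article, ASEC, or any vendor. It runs two such checks over a handful of constructed process-creation and image-load events; the event field names, the trusted-directory list, and the allowlist of expected IIS children are assumptions to adapt to your own telemetry (Sysmon process-create and image-load events carry comparable fields).

```python
import ntpath

# DLL names the article says were side-loaded: msvcr100.dll by Wordconv.exe
# and edputil.dll by the renamed WordPad. Extend with other commonly abused names.
WATCHED_DLLS = {"msvcr100.dll", "edputil.dll"}

# Directories from which those DLLs are legitimately loaded. Assumed allowlist.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

IIS_WORKER = "w3wp.exe"
# Children an IIS worker is expected to start (ASP.NET compilation helpers).
# Assumed allowlist; tune it to what your own web servers actually spawn.
EXPECTED_IIS_CHILDREN = {"csc.exe", "cvtres.exe", "conhost.exe"}


def check_image_load(event):
    """Flag a watched DLL that a process loaded from outside the trusted directories."""
    image = event["image"].lower()
    dll = event["dll"].lower()
    name = ntpath.basename(dll)
    if name not in WATCHED_DLLS or dll.startswith(TRUSTED_DLL_DIRS):
        return None
    if ntpath.dirname(dll) == ntpath.dirname(image):
        # The classic side-load shape: executable and DLL dropped together.
        return (f"side-load: {ntpath.basename(image)} loaded {name} "
                f"from its own directory {ntpath.dirname(image)}")
    return f"untrusted-dll: {name} loaded from {dll}"


def check_process_create(event):
    """Flag the IIS worker process starting a child that is not on the allowlist."""
    parent = ntpath.basename(event["parent"].lower())
    child = ntpath.basename(event["image"].lower())
    if parent == IIS_WORKER and child not in EXPECTED_IIS_CHILDREN:
        return f"iis-child: {IIS_WORKER} spawned {child} ({event['image']})"
    return None


CHECKS = {"image_load": check_image_load, "process_create": check_process_create}


def scan(events):
    """Run each event through the check for its type; return the findings in order."""
    findings = []
    for event in events:
        check = CHECKS.get(event["type"])
        finding = check(event) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry, not real log data. Events 1-2 mirror the IIS
# chain described for Lazarus, event 4 mirrors the WordPad chain for QBot, and
# events 3 and 5 are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe"},
    {"type": "image_load", "image": r"C:\inetpub\wwwroot\upload\Wordconv.exe",
     "dll": r"C:\inetpub\wwwroot\upload\msvcr100.dll"},
    {"type": "image_load", "image": r"C:\Program Files\VendorApp\app.exe",
     "dll": r"C:\Windows\System32\msvcr100.dll"},
    {"type": "image_load", "image": r"C:\Users\alice\Downloads\document.exe",
     "dll": r"C:\Users\alice\Downloads\edputil.dll"},
    {"type": "process_create", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The side-load check is a hunting lead rather than a blocking rule: plenty of legitimate software ships msvcr100.dll in its own install directory, which is precisely why attackers pick it. In practice you would join the finding with the executable's signer, its path (user-writable directories such as Downloads or an IIS upload folder are far more suspicious than Program Files), and the parent process, which is what makes the w3wp.exe-spawns-Wordconv.exe pairing in the sample stand out.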

Access Point urges organizations to remain vigilant and take steps to protect against phishing attacks with adequate training to safeguard personal and professional data.

Source

Vulnerabilities

Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking

Analysis: A critical security vulnerability, assigned the CVE identifier CVE-2023-28131, has been discovered in the Open Authorization (OAuth) implementation of the Expo.io application development framework.

The vulnerability has a severity rating of 9.6 and could potentially lead to credential leakage and account hijacking. Threat actors could exploit this flaw to perform unauthorized actions on behalf of compromised users on platforms like Facebook, Google, or Twitter.

For the attack to succeed, websites and applications using Expo should have configured the AuthSession Proxy setting for single sign-on (SSO) with third-party providers like Google and Facebook. The vulnerability allowed attackers to capture secret tokens associated with sign-in providers and gain control of victims' accounts by tricking them into clicking on malicious links sent via email, SMS, or dubious websites.

Expo promptly deployed a hotfix after the vulnerability was responsibly disclosed on February 18, 2023. They recommend that users migrate from using AuthSession API proxies to registering deep link URL schemes directly with third-party authentication providers to enable SSO features. Expo's advisory acknowledged that the vulnerability could have allowed attackers to deceive users into visiting a malicious link and unintentionally revealing their third-party authentication credentials.

This discovery follows similar OAuth issues found in Booking.com and Kayak.com, which could have enabled account takeover and unauthorized access to personal and payment-card data. Additionally, Swiss cybersecurity company Sonar recently revealed security flaws in the Pimcore enterprise content management system and the LibreNMS network monitoring tool, which could be exploited for remote code execution and unauthorized access, respectively.

Access Point Technology recommends that users promptly apply the hotfix deployed by Expo.io to address the disclosed OAuth vulnerability. Additionally, migrating to direct registration with third-party authentication providers and raising user awareness about the risks of clicking on suspicious links can enhance security.

Conducting regular security assessments and staying informed about updates and emerging threats will help mitigate the risk of credential leakage, account hijacking, and unauthorized access to sensitive data.

Source

Microsoft finds macOS bug that lets hackers bypass SIP root restrictions

Analysis: Apple has addressed a vulnerability, tracked as CVE-2023-32369 and named Migraine, that allows attackers with root privileges to bypass System Integrity Protection (SIP) and access a victim's private data by circumventing Transparency, Consent, and Control (TCC) security checks. The flaw was discovered and reported by Microsoft security researchers.

Apple has released security updates for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 to patch the vulnerability. SIP is a macOS security mechanism that restricts the root user account and its capabilities to prevent unauthorized modifications to protected areas of the operating system. However, attackers with root permissions can abuse the macOS Migration Assistant utility to bypass SIP security enforcement and execute arbitrary code in a security context that bypasses SIP checks.

The bypassing of SIP comes with significant risks as it allows for the creation of SIP-protected malware that cannot be easily removed. It also expands the attack surface and enables attackers to tamper with system integrity, execute arbitrary kernel code, install rootkits to hide malicious processes and files, and bypass TCC policies, granting unrestricted access to the victim's private data.

Microsoft researchers previously reported a similar vulnerability called Shrootless in 2021, which allowed arbitrary operations on compromised Macs, privilege escalation to root, and potential installation of rootkits. Additionally, a security researcher discovered the Achilles vulnerability that enabled malware deployment through untrusted apps bypassing Gatekeeper execution restrictions, and another bug called powerdir that allowed bypassing TCC technology to access protected user data.

Access Point Technology recommends that users promptly apply the latest security updates provided by Apple for macOS Ventura 13.4, macOS Monterey 12.6.6, and macOS Big Sur 11.7.7 to address the SIP bypass vulnerability.

Enabling System Integrity Protection (SIP) and maintaining physical security over compromised devices are essential measures. Additionally, implementing a multi-layered defense strategy with endpoint protection, firewalls, intrusion detection systems, and monitoring solutions is recommended. Staying informed about security updates and emerging threats in macOS is important to take necessary precautions and mitigate the risk of unauthorized access to private data through SIP bypass vulnerabilities.

Source

GitLab Security Update Patches Critical Vulnerability

Analysis: GitLab has addressed a critical-severity vulnerability, tracked as CVE-2023-2825, affecting both GitLab Community Edition (CE) and Enterprise Edition (EE).

The vulnerability allows an unauthenticated malicious user to perform arbitrary file reads on the server through a path traversal vulnerability. The flaw was introduced in GitLab CE/EE version 16.0.0 and was resolved with the release of version 16.0.1.
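The article does not describe where in GitLab the traversal sat, so the following is not GitLab's code or its fix; it is an added, generic illustration of the defect class and its standard guard. A file-serving endpoint that joins a user-supplied relative path onto a base directory without checking the result lets "../" sequences (or an absolute path) walk out of that directory. The hardened version resolves the joined path, following symlinks and collapsing "..", and refuses anything that does not stay under the base. The repository directory and file are constructed in a temporary location so the block runs offline; the user path is assumed to have been URL-decoded exactly once by the web layer before it reaches this check.

```python
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would escape the permitted directory."""


def resolve_within(base_dir, user_path):
    """Return the absolute path for user_path under base_dir, or raise if it escapes.

    user_path is expected to be already URL-decoded exactly once by the caller.
    """
    base = Path(base_dir).resolve()
    # Path.__truediv__ discards base when user_path is absolute, so the
    # containment test below also rejects requests such as "/etc/passwd".
    # resolve() follows symlinks, so a link inside base pointing outside is caught too.
    candidate = (base / user_path).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{user_path!r} resolves outside {base}")
    return candidate


def is_contained(base_dir, user_path):
    """Boolean form of resolve_within, convenient for tests and policy checks."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def unsafe_read(base_dir, user_path):
    """Vulnerable pattern: concatenation with no containment check; '../' escapes."""
    return (Path(base_dir) / user_path).read_text()


def safe_read(base_dir, user_path):
    """Hardened pattern: only paths that resolve under base_dir are opened."""
    return resolve_within(base_dir, user_path).read_text()


# Constructed sample repository: a throwaway directory holding a single file.
REPO_ROOT = Path(tempfile.mkdtemp(prefix="repo-"))
(REPO_ROOT / "docs").mkdir()
(REPO_ROOT / "docs" / "README.md").write_text("hello\n")

if __name__ == "__main__":
    for requested in ("docs/README.md", "docs/../docs/README.md",
                      "../../etc/passwd", "/etc/passwd"):
        print(f"{requested!r}: contained={is_contained(REPO_ROOT, requested)}")
```

Two details matter in practice. First, check the resolved path, not the raw string: a blocklist of "../" misses absolute paths, mixed separators and symlinks, whereas the resolve-then-compare approach handles all of them. Second, make sure decoding happens once and before the check, so an encoded traversal is not unwrapped later by some other layer after the path has already been approved.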

The bug was reported by a researcher named 'pwnie' through GitLab's bug bounty program. While there have been no reports of the vulnerability being exploited in malicious attacks, GitLab strongly advises all users running version 16.0.0 to upgrade to the latest version, 16.0.1, to mitigate the risk.

Access Point Technology recommends all GitLab users running version 16.0.0 of GitLab CE or EE upgrade to the latest version, 16.0.1, as soon as possible. This upgrade will address the critical vulnerability (CVE-2023-2825) and help mitigate the risk of exploitation. By keeping the software up to date, users can enhance the security of their GitLab deployments and protect their data.

Source
