CyberWatch

New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia, Ransomware Hackers Dwell Time Drops to 5 Days, and Easy-to-exploit Skype Vulnerability Reveals Users’ IP Address.

By Access Point Consulting

At a Glance

Ransomware, Malware & Phishing

  1. Major Mississippi hospital system takes services offline after cyberattack
  2. Rhysida claims ransomware attack on Prospect Medical, threatens to sell data
  3. Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead
  4. New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute
  5. New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia
  6. Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware
  7. The MOVEit hack and what it taught us about application security
  8. New stealthy techniques let hackers gain Windows SYSTEM privileges
  9. Ransomware hackers dwell time drops to 5 days, RDP still widely used
  10. Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection

Vulnerabilities

  1. Exploit released for Juniper firewall bugs allowing RCE attacks
  2. Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches
  3. Easy-to-exploit Skype vulnerability reveals users’ IP address
  4. CISCO Fixes 3 High-Severity DoS Flaws In NX-OS and FXOS Software
  5. Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code
  6. DreamBus Botnet Exploiting RCE Flaw in Apache RocketMQ Servers

Ransomware, Malware & Phishing

Major Mississippi hospital system takes services offline after cyberattack

Analysis: Singing River Health System, a prominent hospital network in Mississippi, recently fell victim to a cyberattack, prompting the institution to take several internal services offline. The attack, initially detected as unusual network activity, led to the hospital's adoption of downtime procedures as it worked diligently to investigate and address the situation. While specific details regarding the nature of the attack remain unconfirmed, certain internal systems were temporarily shut down to preserve their integrity during the ongoing investigation. To maintain essential business operations, the hospital implemented temporary workaround solutions. Patients were also notified about potential delays in services such as lab test results and radiology exams due to the incident.

This cyberattack on Singing River Health System is emblematic of a larger trend of healthcare institutions becoming targets of malicious cyber activities. Access Point strongly advises hospitals and healthcare organizations to establish comprehensive incident response plans designed to effectively manage cyberattacks. These plans should encompass procedures for isolating affected systems, communicating with stakeholders, and ultimately restoring normal operations. It is imperative for institutions to regularly back up critical data and systems, ensuring that they are prepared to restore data without succumbing to ransom demands in the event of an attack. These backups should also be periodically tested to verify their effectiveness.

Access Point recommends the following:

  1. Implement Strong Access Controls: Ensure stringent access controls are in place, limiting access to sensitive systems and data only to authorized personnel.
  2. Regular Data Backups: Maintain frequent and secure data backups to minimize the impact of ransomware attacks and facilitate rapid recovery.
  3. Supply Chain Assessment: Conduct thorough assessments of your supply chain partners' cybersecurity practices to identify and address vulnerabilities.
  4. IoT Security: Strengthen security measures for IoT devices through regular patching, network segmentation, and monitoring.
  5. Incident Response Plan: Develop a comprehensive incident response plan that outlines steps for isolating affected systems, communicating with stakeholders, and restoring normal operations.
  6. Backup Testing: Periodically test backups to verify their effectiveness in case of a cyberattack.
  7. Network Segmentation: Implement proper network segmentation to contain the impact of cyberattacks by isolating critical systems from less critical ones.
  8. Multi-Factor Authentication (MFA): Implement MFA wherever possible to add an extra layer of security to user accounts, preventing unauthorized access even if credentials are compromised.

Rhysida claims ransomware attack on Prospect Medical, threatens to sell data

Analysis: The Rhysida ransomware gang has claimed responsibility for a significant cyberattack on Prospect Medical Holdings (PMH). During this attack, sensitive data, including 500,000 social security numbers, patient records, and corporate documents, was allegedly stolen. The breach occurred on August 3rd, and ransom notes appeared on employees' screens, notifying them of the network breach and the encryption of devices.

Prospect Medical Holdings, a US healthcare company operating 16 hospitals and numerous clinics across multiple states, promptly responded by shutting down IT networks to contain the attack. They temporarily reverted to paper-based record keeping. While the hospital network's systems are now being restored, the process of inputting paper records into the electronic medical record (EMR) system is ongoing.

Rhysida has a history of high-profile attacks, including targeting the Chilean Army, and has recently been linked to attacks on healthcare organizations. The gang claims to have stolen a substantial amount of sensitive data and is threatening to sell it unless a ransom of 50 Bitcoins (approximately $1.3 million) is paid.

Access Point Recommends the following:

  1. Implement strong data encryption practices to safeguard sensitive patient information and corporate documents. This helps mitigate the impact of data breaches even if attackers gain network access.
  2. Maintain up-to-date and tested backups of critical data to ensure recovery in case of a ransomware attack. This reduces the likelihood of paying ransoms to retrieve data.
  3. Provide cybersecurity training to employees to raise awareness about phishing attacks and other social engineering tactics. Employees should exercise caution when interacting with emails or messages that may contain malicious links or attachments.
  4. Implement network segmentation to limit lateral movement for attackers within the network. Critical systems should be isolated from less critical ones to minimize the potential impact of a breach.
  5. Keep software and systems updated with the latest security patches to address known vulnerabilities that attackers might exploit. This proactive approach helps protect against known threats.

Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead

Analysis: Between June 15, 2023, and July 11, 2023, Permiso Security's p0 Labs team observed an attacker conducting an incremental campaign focused on deploying credential-harvesting malware and developing infrastructure for targeting cloud services. The primary objective of this campaign was to illicitly obtain cloud credentials for malicious purposes. The attacker demonstrated adaptability by employing a set of evolving tools and techniques, with multiple versions of their credential harvesting utility named "aws.sh."

This campaign showcased an agile development approach, with each iteration of the malware introducing modifications and enhancements. The attacker's ultimate goal was to harvest credentials from various cloud services, including AWS, Azure, and GCP.

Access Point recommends the following:

  1. Strong Credential Hygiene: Organizations should prioritize strong credential hygiene practices. This includes using unique and complex passwords that incorporate length, diverse characters, numbers, and symbols. Multi-factor authentication (MFA) should also be enforced. Regularly rotating credentials adds an additional layer of security.
  2. Continuous Monitoring: Implement continuous monitoring of network activity to detect suspicious or unauthorized access to cloud resources. Anomalous activities, such as credential harvesting attempts, should trigger prompt investigation.
  3. Behavior-Based Detection: Employ behavior-based detection mechanisms to identify unusual or suspicious activities within the network. This proactive approach can help identify unauthorized access attempts and potential credential harvesting activities.
  4. Security Awareness Training: Conduct regular security awareness training for employees to help them recognize phishing attempts, which often serve as initial attack vectors for credential harvesting campaigns.
  5. Zero-Trust Architecture: Consider adopting a zero-trust architecture, which assumes no trust by default. This framework requires strong authentication and authorization for all access attempts, enhancing overall security.
  6. Patch and Update: Ensure that all software and systems are regularly patched and updated to address vulnerabilities that could be exploited by attackers. Proactive patch management is crucial in preventing exploitation.

New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute

Analysis: A novel strain of Wi-Fi scanning malware called Whiffy Recon has come to light, and it is distributed through the SmokeLoader malware, which is notorious for delivering payloads onto compromised Windows systems. Whiffy Recon operates by periodically triangulating the positions of infected systems. It achieves this by scanning nearby Wi-Fi access points and utilizing Google's geolocation API. The acquired location data is then transmitted back to the attacker.

The exact purpose behind this malware's operation remains uncertain. However, its repetitive scanning and collection of geolocation data raise concerns about potential malicious activities.

Access Point recommends the following:

  1. Keep Systems Updated: Ensure that all Windows systems are up to date with the latest security patches. This practice helps mitigate vulnerabilities that malware like SmokeLoader might exploit during the initial compromise.
  2. Cybersecurity Training: Since SmokeLoader is commonly distributed through phishing emails, provide cybersecurity training to users. This training will empower them to recognize and report suspicious emails, preventing the initial infection vector.
  3. Firewall and Network Monitoring: Implement strong firewall rules and network monitoring to identify and block any suspicious outgoing traffic from compromised systems to command-and-control servers.
  4. Endpoint Protection: Employ reliable endpoint protection solutions capable of detecting and blocking the execution of malware like SmokeLoader and Whiffy Recon. Ensure that these security tools are regularly updated and maintained.
  5. Startup Folder Review: Periodically inspect the Windows Startup folder for unauthorized or suspicious shortcuts. Doing so helps prevent persistence mechanisms used by malware.
  6. Geolocation Permissions: Review and manage geolocation permissions on Windows systems to limit unauthorized applications from accessing sensitive location information.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1566.001 - Spearphishing Attachment  
  • T1204 - User Execution  
  • T1022 - Malicious File  
  • T1543.003 - Create or Modify System Process  
  • T1160 - Startup Items  
  • T1012 - Query Registry  
  • T1082 - System Information Discovery  
  • T1016 - System Network Configuration Discovery  
  • T1005 - Data from Local System
  • T1119 - Automated Collection  
  • T1436 - Commonly Used Port  
  • T1071 - Standard Application Layer Protocol  
  • T1105 - Remote File Copy

New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

Analysis: A financially motivated cyber operation known as "Telekopye" has been identified, employing a malicious Telegram bot to facilitate scams. This toolkit is used to create phishing web pages using preconfigured templates and subsequently sends the generated URLs to potential victims.

The criminals orchestrating this operation, often referred to as "Neanderthals," adopt a multi-step approach to their scams. First, they establish rapport with their victims, humorously dubbed "Mammoths." Once trust is built, they proceed to share the phishing links via various channels, including emails, SMS, or direct messages.

Victims are lured into entering their payment details on fake credit/debit card gateways, leading to the unauthorized withdrawal of funds. These stolen funds are then funneled to a centralized account managed by the Telekopye administrator and subsequently laundered through cryptocurrency.

Access Point recommends the following:

  1. Phishing Education: Organizations and individuals should educate themselves about phishing threats and the tactics employed by scammers. Understanding how these scams work can help individuals recognize and avoid falling victim to them.
  2. URL Verification: Encourage individuals to verify the legitimacy of URLs, particularly those shared through messaging platforms. Avoid clicking on suspicious links, especially when they are unsolicited or seem too good to be true.
  3. Two-Factor Authentication (2FA): Promote the use of 2FA for online accounts. This additional layer of security can significantly reduce the risk of unauthorized access, even if login credentials are compromised.
  4. In-Person Transactions: Whenever possible, advocate for in-person exchanges of money and goods, especially for transactions involving secondhand goods on online marketplaces. Meeting face-to-face can help verify the legitimacy of the transaction.
  5. Stay Informed: Stay updated on the latest cybersecurity threats and trends. Being informed about emerging scams and threats enables individuals and organizations to respond effectively and protect themselves against cybercriminals.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1566.002 - Spearphishing Link  
  • T1204 - User Execution  
  • T1056 - Input Capture  
  • T1113 - Screen Capture  
  • T1537 - Data Transfer to Cloud Account  
  • T1531 - Account Access Removal

Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware

Analysis: The Lazarus Group, a threat actor with ties to North Korea, has been detected exploiting a previously patched critical security vulnerability in Zoho ManageEngine ServiceDesk Plus. This exploitation is used as a means to distribute a remote access trojan known as QuiteRAT. The Lazarus Group has focused its efforts on targeting critical entities in Europe and the U.S., particularly in the fields of internet backbone infrastructure and healthcare.

This discovery has also shed light on another threat actor referred to as CollectionRAT. Despite the exposure of their attack techniques, the Lazarus Group continues to utilize these methods, underscoring their confidence in their operations.

QuiteRAT is considered the successor to MagicRAT, sharing several capabilities while maintaining a smaller file size. CollectionRAT seems to have ties to the EarlyRAT implant.

Access Point recommends the following:

  1. Regular Software Updates: Keep all software up to date with the latest security patches to minimize the risk of exploitation through known vulnerabilities.
  2. Network Segmentation: Implement strong network segmentation and access controls to restrict lateral movement within the network. This can help contain the impact of an intrusion.
  3. Email and Web Filtering: Deploy robust security measures for email and web filtering to block phishing attempts and prevent the download of malicious content.
  4. Network Monitoring: Continuously monitor network traffic and behavior to detect any unusual or suspicious activities that may indicate a cyberattack.
  5. Stay Informed: Stay informed about emerging threats and vulnerabilities in the cybersecurity landscape to proactively strengthen defenses.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1190 - Exploit Public-Facing Application  
  • T1059 - Command and Scripting Interpreter  
  • T1002 - Data Compressed  
  • T1074 - Data Staged  
  • T1048 - Exfiltration Over Alternative Protocol  
  • T1041 - Exfiltration Over Unencrypted/Obfuscated Non-Standard Protocol  
  • T1222 - File and Directory Permissions Modification  
  • T1036 - Masquerading  
  • T1082 - System Information Discovery  
  • T1113 - Screen Capture  
  • T1119 - Automated Collection  
  • T1485 - Data Destruction

The MOVEit hack and what it taught us about application security

Analysis: The 2023 MOVEit hack, orchestrated by the Russian-affiliated ransomware group Clop, targeted Progress Software's MOVEit transfer tool. This corporate file-sharing solution, widely used in the United States, fell victim to a zero-day vulnerability exploited by Clop. The attack resulted in the compromise of personal data belonging to approximately 16 million individuals, highlighting a shift towards data theft and extortion as opposed to traditional ransomware tactics.

Access Point recommends the following:

  1. Software Supply Chain Awareness: Gain a comprehensive understanding of your software supply chain, including suppliers, components, and potential vulnerabilities.
  2. Vulnerability Identification: Actively identify vulnerabilities that could be exploited by attackers.
  3. Third-Party Due Diligence: Strengthen third-party due diligence and compliance efforts, aligning with cybersecurity frameworks.
  4. Zero Trust Implementation: Implement Zero Trust principles to continuously verify identities and permissions.
  5. Least Privilege Access: Embrace the principle of least privilege access, along with network microsegmentation and continuous verification of unusual behavior.
  6. Breach Impact Reduction: Reduce the impact of potential breaches by limiting an attacker's access and capabilities.
  7. Penetration Testing Best Practices: Conduct thorough penetration testing on applications to identify vulnerabilities like SQL injection. Make pen testing an ongoing process rather than a one-time effort.
  8. Continuous Penetration Testing (CPT): Consider utilizing Continuous Penetration Testing (CPT) services for real-time vulnerability detection and remediation.
  9. Automated Scanning: Utilize automated scanning in conjunction with regular manual testing for improved vulnerability detection.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1190 - Exploit Public-Facing Application  
  • T1059 - Command and Scripting Interpreter  
  • T1074 - Data Staged  
  • T1537 - Data Transfer to Cloud Account  
  • T1048 - Exfiltration Over Alternative Protocol  
  • T1567 - Exfiltration Over Web Service
  • T1027 - Obfuscated Files or Information  
  • T1036 - Masquerading  
  • T1486 - Data Encrypted for Impact  
  • T1003 - Credential Dumping  
  • T1012 - Query Registry  
  • T1082 - System Information Discovery  
  • T1088 - Bypass User Account Control

New stealthy techniques let hackers gain Windows SYSTEM privileges

Analysis: Security researchers have developed a potent tool called NoFilter, designed to exploit the Windows Filtering Platform (WFP) for elevating user privileges to the coveted SYSTEM level, the highest permission tier in the Windows ecosystem. NoFilter's practical application is particularly valuable in post-exploitation scenarios where attackers seek to run malicious code with elevated permissions or laterally move through a compromised network, masquerading as another authenticated user.

Access Point recommends the following:

  1. Keep Systems Updated: Regularly update both operating systems and applications to patch known vulnerabilities, reducing potential entry points for attackers.
  2. Implement Least Privilege: Follow the principle of least privilege, limiting user and system permissions strictly to what is essential for their intended tasks.
  3. Network Segmentation: Isolate critical systems and limit lateral movement by employing network segmentation practices.
  4. Network Monitoring: Utilize network monitoring and intrusion detection systems to detect and respond to unusual or suspicious network activities.
  5. User Access Review: Periodically review user access permissions, ensuring users only possess the resources and privileges necessary for their roles.
  6. Behavioral Analysis: Deploy behavioral analysis tools that can identify activities deviating from normal user behavior, a valuable defense against potential threats.
  7. IPSec Policy Configuration: Exercise caution when configuring new IPSec policies, ensuring they align with the known network configuration. Continuously monitor and review IPSec policy changes for potential anomalies.

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1134 - Access Token Manipulation  
  • T1134.002 - Token Impersonation/Theft  
  • T1134.003 - Token Duplication  
  • T1134.004 - Create Process with Token  
  • T1012 - Query Registry  
  • T1082 - System Information Discovery  
  • T1063 - Indicator Removal from Tools  
  • T1097 - Pass the Ticket  
  • T1005 - Data from Local System  
  • T1059 - Command-Line Interface  
  • T1064 - Scripting  
  • T1059.001 - PowerShell  
  • T1140 - Deobfuscate/Decode Files or Information

Ransomware hackers dwell time drops to 5 days, RDP still widely used

Analysis: Ransomware threat actors are spending less time on compromised networks before security solutions detect their activities. In the first half of the year, the median dwell time for ransomware attacks dropped to five days from nine days in 2022. Statistics from cybersecurity company Sophos reveal that the overall median dwell time for all cyberattacks was eight days in H1 2023, down from ten days in the previous year. Ransomware attacks accounted for 68.75% of all cyberattacks recorded by Sophos during this period.

Access Point recommends the following:

  1. Secure RDP Access: Prioritize the security of Remote Desktop Protocol (RDP) to prevent easy access for potential attackers. Implement strong authentication mechanisms, use complex passwords, and consider limiting RDP access to trusted IP addresses.
  2. Data Retention and Monitoring: Store data for a reasonable period and establish regular checks to detect potential threat actors on the network before their attacks can progress further. Monitoring network traffic and user activities can aid in early threat detection.
  3. Enhance Cybersecurity Measures: Recognize the decreasing dwell time for ransomware attacks as a signal to bolster overall cybersecurity measures. This includes implementing advanced threat detection and response solutions, conducting regular security audits, and staying up-to-date with the latest security practices and threat intelligence.
  4. Median Dwell Time: Ransomware attackers are acting more swiftly, with a median dwell time of five days. On the other hand, non-ransomware incidents saw a longer median dwell time of 13 days, suggesting that other cybercriminals tend to linger and wait for opportunities.
  5. Data Exfiltration: Data exfiltration occurred in 43.42% of cases, a slight increase from the previous year. However, the number of incidents with confirmed data exfiltration decreased from 42.76% to 31.58%.
  6. Days and Times of Attacks: Threat actors, including ransomware operators, tend to target organizations on Tuesdays, Wednesdays, and Thursdays. Ransomware incidents were most common on Fridays and Saturdays, likely because companies are slower to respond over the weekend.
  7. Remote Desktop Protocol (RDP): RDP is frequently abused by attackers, and it was used in 95% of intrusions. However, attackers mostly used RDP for internal activity (93% of cases) and less frequently externally (18% of cases).

Microsoft: Stealthy Flax Typhoon hackers use LOLBins to evade detection

Analysis: Microsoft has identified a hacking group called Flax Typhoon, which focuses on conducting likely espionage activities by targeting government agencies, education institutions, critical manufacturing companies, and information technology organizations. This group employs sophisticated techniques that minimize their reliance on traditional malware, instead utilizing legitimate software and living-off-the-land binaries (LOLBins) already present on the victim's operating system. Flax Typhoon's primary targets have been located in Taiwan, but victims have also been identified in Southeast Asia, North America, and Africa.

The tactics, techniques, and procedures (TTPs) employed by Flax Typhoon include the exploitation of known vulnerabilities, the use of web shells, privilege escalation, establishing persistence, installing VPNs, and lateral movement within compromised networks.

Access Point recommends the following:

  1. Apply Security Updates: Promptly apply the latest security updates to both public-facing servers and internet-exposed endpoints to prevent attackers from exploiting known vulnerabilities.
  2. Implement Multi-Factor Authentication (MFA): Enable MFA on all accounts to add an extra layer of security. Even if an attacker gains access to credentials, MFA can prevent unauthorized entry.
  3. Monitor Registry Changes: Implement registry monitoring to detect any attempts at modification or unauthorized changes, such as those executed by Flax Typhoon to disable network-level authentication (NLA).
  4. Comprehensive Network Examination: Organizations suspecting a breach by Flax Typhoon should conduct a thorough examination of their networks. The group's extended dwell periods enable them to compromise multiple accounts and alter system configurations for prolonged access.
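
The registry checks recommended above, as an added example that is not part of the original newsletter or of Microsoft's report: a read-only PowerShell audit of the NLA setting on the RDP listener and of the accessibility-binary (Sticky Keys) hijack listed in the ATT&CK table below. The registry paths and binary names are assumed to be the standard Windows locations, and the event query only returns data where registry object-access auditing is already enabled.

```powershell
<#
  Added example (not code from the CyberWatch page, Access Point Consulting or Microsoft).
  Audits, without changing anything, the settings Flax Typhoon is reported to tamper with:
  Network Level Authentication on the RDP-Tcp listener and Image File Execution Options
  (IFEO) Debugger values on accessibility binaries such as sethc.exe (Sticky Keys).
  Assumptions: standard Windows registry locations named below; run in an elevated shell.
#>

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RdpHardeningFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    $rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # UserAuthentication: 1 = NLA required (expected). 0 lets an unauthenticated
    # client reach the logon screen, the state the newsletter attributes to Flax Typhoon.
    $nla = Get-RegValue -Path $rdpTcp -Name 'UserAuthentication'
    if ($nla -ne 1) {
        $findings.Add([pscustomobject]@{
            Check    = 'RDP Network Level Authentication'
            Location = "$rdpTcp\UserAuthentication"
            Observed = $nla; Expected = 1
        })
    }

    # SecurityLayer: 2 = TLS (expected); 0 = legacy RDP security layer; 1 = negotiate.
    $layer = Get-RegValue -Path $rdpTcp -Name 'SecurityLayer'
    if ($layer -ne 2) {
        $findings.Add([pscustomobject]@{
            Check    = 'RDP security layer'
            Location = "$rdpTcp\SecurityLayer"
            Observed = $layer; Expected = 2
        })
    }
    return $findings
}

function Get-AccessibilityHijackFindings {
    # A Debugger value under IFEO for an accessibility binary makes Windows start that
    # program in its place, including from the logon screen. A clean system has no
    # Debugger value for any of these binaries, so any value present is a finding.
    $findings = New-Object System.Collections.Generic.List[object]
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $bins = 'sethc.exe','utilman.exe','osk.exe','narrator.exe','magnify.exe','displayswitch.exe'
    foreach ($bin in $bins) {
        $dbg = Get-RegValue -Path "$ifeo\$bin" -Name 'Debugger'
        if (-not [string]::IsNullOrEmpty($dbg)) {
            $findings.Add([pscustomobject]@{
                Check    = 'IFEO Debugger on accessibility binary'
                Location = "$ifeo\$bin\Debugger"
                Observed = $dbg; Expected = '<absent>'
            })
        }
    }
    return $findings
}

function Get-RecentRegistryModificationEvents {
    param([int]$Days = 7)
    # Security event 4657 = "A registry value was modified". Requires registry
    # object-access auditing plus a SACL on the keys; otherwise nothing is returned.
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657; StartTime = $since } `
        -ErrorAction SilentlyContinue
    $events | Where-Object {
        $_.Message -match 'Terminal Server\\WinStations' -or
        $_.Message -match 'Image File Execution Options'
    } | Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$all = @(Get-RdpHardeningFindings) + @(Get-AccessibilityHijackFindings)
if ($all.Count -eq 0) {
    Write-Output 'No NLA or accessibility-hijack findings.'
} else {
    $all | Format-Table -AutoSize
}
Get-RecentRegistryModificationEvents -Days 7 | Format-Table -AutoSize
# Non-zero exit when something was found, so a scheduled task or EDR script can alert on it.
exit ([int]($all.Count -gt 0))
```

Run it periodically from a scheduled task and alert on a non-zero exit; a change in UserAuthentication or a new IFEO Debugger value on a server that was clean at baseline is the kind of unauthorized registry modification the recommendation above refers to.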

MITRE ATT&CK Technique Numbers associated with this campaign include:

  • T1189 - Exploit Public-Facing Application  
  • T1190 - Exploit Public-Facing Application Vulnerability  
  • T1100 - Web Shell  
  • T1100 - Exploitation for Privilege Escalation  
  • T1060 - Registry Run Keys / Start Folder  
  • T1015 - Sticky Keys
  • T1076 - Remote Desktop Protocol  
  • T1036 - Masquerading  
  • T1204 - VPN  
  • T1027 - Obfuscated Files or Information  
  • T1105 - Remote File Copy  
  • T1028 - Windows Remote Management  
  • T1077 - Windows Admin Shares  
  • T1003 - Credential Dumping  
  • T1098 - Account Manipulation

Vulnerabilities

Exploit released for Juniper firewall bugs allowing RCE attacks

Analysis: Proof-of-concept (PoC) exploit code has been made public for vulnerabilities present in Juniper SRX firewalls. Combined, these vulnerabilities grant unauthenticated intruders the capability for remote code execution in Juniper's JunOS operating system on devices that remain unpatched. Juniper acknowledged four vulnerabilities of medium severity in its EX switches and SRX firewalls, subsequently rolling out security patches for them. These flaws are localized in the PHP-based J-Web interface, a tool used by administrators for device management and configuration within their networks. Specific requests that bypass the need for authentication enable attackers to upload arbitrary files through J-Web. This compromises the integrity of certain parts of the file system, potentially leading to other vulnerabilities being chained together.

WatchTowr Labs' team of security experts formulated and released a PoC exploit, interlinking the vulnerabilities found in the SRX firewall. They focused on a lack of authentication for a critical function (CVE-2023-36846) and a PHP external variable modification flaw (CVE-2023-36845). The researchers provided a comprehensive review of their vulnerability assessment and the process of developing the PoC. According to their findings, CVE-2023-36846 allows for unauthorized PHP file uploads to specific directories under randomized names. Following this, a PHP configuration file gets uploaded, setting the stage for the initial file to be loaded. By leveraging the CVE-2023-36845 flaw, attackers can modify HTTP-requested environment variables, facilitating the loading of the configuration file and instigating the execution of the previously uploaded PHP file.

Although Juniper has not reported any instances of these vulnerabilities being actively exploited, WatchTowr Labs foresees imminent large-scale attacks targeting any unpatched Juniper devices. The ease of exploitation, combined with the central role that JunOS devices play in networks, makes widespread exploitation a looming threat. It's worth noting that the Cybersecurity and Infrastructure Security Agency (CISA) earlier mandated U.S. federal entities to secure vulnerable or misconfigured networking equipment, including Juniper's products, within a fortnight of identifying them.

Access Point recommends the following:

  1. Implement Security Patches or Upgrade: Urgently apply the security patches provided by Juniper or upgrade to the latest release of JunOS. This action is crucial to address the vulnerabilities effectively and prevent potential exploitation.
  2. Consider Temporary Measures: If immediate upgrading or patching is not feasible, administrators should consider temporarily disabling access to the J-Web interface. This measure can help reduce the risk of exploitation while working towards a more permanent solution.
  3. Stay Informed and Vigilant: Administrators should stay informed about potential widescale exploitation attempts targeting JunOS devices, especially considering their strategic position within network infrastructures. Being vigilant and proactive can help detect and respond to threats promptly.

Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches

Analysis: The FBI has issued a warning regarding Barracuda Networks Email Security Gateway (ESG) appliances, stating that even those patched against a recent critical flaw remain vulnerable to suspected Chinese hacking groups. The flaw, identified as CVE-2023-2868 with a high CVSS score of 9.8, had been exploited for over seven months before the vulnerability was addressed. This remote command injection vulnerability affects versions 5.1.3.001 to 9.2.0.006 of the ESG product and grants unauthorized users the ability to execute system commands with administrative privileges. Successful exploitation has been linked to the deployment of various malware strains, such as SALTWATER, SEASIDE, SEASPY, and others, leading to arbitrary command execution and evasion of defenses. The threat intelligence firm identifies the group responsible for this activity as UNC4841, described as both aggressive and skilled.

Barracuda has responded to the FBI's warning by urging customers to replace any affected ESG devices. They are offering free replacements to customers who have been impacted by this vulnerability. The company's guidance to its users remains steadfast, advocating for the proactive replacement of compromised appliances as part of a broader containment strategy. To assist with this, they have been directly contacting those affected. Additionally, if an ESG appliance displays a specific notification in its User Interface, that notification is an indicator of compromise. However, the company states that if there is no such notification, there is no current evidence to suggest the appliance has been compromised.

Access Point recommends the following:

  1. Isolate and Replace Affected Devices: If you are using affected Barracuda ESG appliances, follow the FBI's advice and isolate and replace them immediately.
  2. Network Scanning: Conduct thorough network scans and review traffic for unusual outbound connections from the appliance. Identifying and containing potential threats promptly is crucial for network security.
  3. Heed User Interface Notifications: Pay close attention to notifications in the appliance's user interface. Treat any alert or warning seriously, as it may indicate a vulnerability or an active compromise.
  4. Contact Technical Support: If you encounter suspicious activity or receive an alert, contact Barracuda's technical support team for assistance and guidance in addressing the issue.

Easy-to-exploit Skype vulnerability reveals users’ IP address

Analysis: A security flaw in Skype's mobile apps potentially exposes users' IP addresses, posing a risk to anyone who depends on their location staying private. The vulnerability was discovered by a security researcher named Yossi, who reported it to Microsoft and demonstrated it to journalist Joseph Cox. Although specifics about the flaw have not been disclosed because no patch is available, it is reportedly easy to exploit: an attacker sends the target a message containing a specific link, and the recipient's IP address is revealed as soon as the message is opened, without the link being clicked. Microsoft initially downplayed the issue, stating that it did not qualify as a pressing security vulnerability, but later confirmed plans to fix it in an upcoming product update. The vulnerability is particularly concerning for political activists, journalists, law enforcement agents and domestic violence victims who may need to keep their locations concealed. While an IP address does not pinpoint an exact address, it can indicate a user's general geographical area, and combined with other data it could lead to the determination of an individual's precise location.

Access Point recommends the following:

  1. Exercise Caution: Users of Skype's mobile apps should exercise caution due to a vulnerability that can expose their IP addresses and potentially reveal their general geographical location.
  2. At-Risk Users: This flaw poses a particular risk to individuals who need to keep their locations confidential, such as activists, journalists, and domestic violence victims.
  3. Avoid Skype Mobile App: Until Microsoft releases a fix for this issue, at-risk users should refrain from using the Skype mobile app.
  4. VPN Not Effective: It's important to note that using a virtual private network (VPN) while accessing Skype does not offer protection against this vulnerability.

Cisco Fixes 3 High-Severity DoS Flaws in NX-OS and FXOS Software

Analysis: This week, Cisco addressed several vulnerabilities in its products, particularly three high-severity flaws in its NX-OS and FXOS software which, when exploited, can lead to a denial-of-service (DoS) condition.

Among the vulnerabilities addressed, the most severe is CVE-2023-20200, with a CVSS score of 7.7. This flaw is in the Simple Network Management Protocol (SNMP) service of Cisco's FXOS Software for the Firepower 4100 Series and Firepower 9300 Security Appliances, as well as the Cisco UCS 6300 Series Fabric Interconnects. When exploited, it allows an authenticated, remote attacker to induce a DoS condition on the vulnerable device. Another significant vulnerability is CVE-2023-20169, scoring 7.4, which affects the Nexus 3000 and 9000 Series Switches due to insufficient input validation. The last high-severity flaw, CVE-2023-20168 with a CVSS score of 7.1, impacts the TACACS+ and RADIUS remote authentication mechanisms in NX-OS software. Two further vulnerabilities of medium severity were also identified: CVE-2023-20115 and CVE-2023-20234. As a routine, Cisco releases bundles of FXOS and NX-OS Software Security Advisories biannually, in February and August. Currently, there is no indication that these vulnerabilities are being exploited in the wild.

Access Point recommends the following:

  1. Review Vulnerabilities: Users of Cisco's NX-OS and FXOS software should promptly review the identified vulnerabilities, paying special attention to the three high-severity flaws that can lead to a denial-of-service condition.
  2. Apply Patches and Updates: It's imperative to apply the patches and updates provided by Cisco for these vulnerabilities to safeguard the systems.
  3. Stay Informed: Monitor for any updates or advisories from Cisco to ensure you're aware of the latest security information.
  4. Implement Security Best Practices: Ensure that security best practices are in place to further mitigate potential risks.
  5. Regular Audits and Monitoring: Conduct regular system audits and monitor for unusual activities to facilitate early detection of potential exploitation.

Multiple Notepad++ Flaws Let Attackers Execute Arbitrary Code

Analysis: Notepad++, a popular open source text and code editor, has been found to have multiple buffer overflow vulnerabilities. Jaroslav Lobačevski, a GitLab security researcher, found that these vulnerabilities consist of heap buffer write overflows and heap buffer read overflows in functions and libraries used by Notepad++.

The vulnerabilities in question are as follows:

  • CVE-2023-40031 (CVSS 3.1: 7.8) – A Notepad++ function assumes that every two bytes of UTF-16 input require at most three bytes of UTF-8 output. If the chunk of input bytes has an odd length, the output size calculation no longer matches what the conversion actually writes, causing a buffer overflow.
  • CVE-2023-40036 (CVSS 3.1: 5.5) – A threat actor can craft a malicious file that leaks internal memory allocation information.
  • CVE-2023-40164 (CVSS 3.1: 5.5) – A malicious actor can craft a file that abuses the uchardet library (an encoding detector) used by Notepad++ to cause a global buffer read overflow.
  • CVE-2023-40166 (CVSS 3.1: 5.5) – A heap buffer read overflow in ‘FileManager::detectLanguageFromTextBegining’ can potentially be used to leak internal memory allocation information. Exploitability is unknown at this time.
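
To make the odd-length sizing problem in CVE-2023-40031 concrete, the following constructed C example (written for this article, not Notepad++'s own code) pairs a naive "3 UTF-8 bytes per 2 UTF-16 bytes" allocation with a bounds-checked converter and a hardened sizing routine; the function names, the assumption that the converter rounds the unit count up, and the sample bytes are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration (not Notepad++'s code) of the sizing rule
 * "3 UTF-8 bytes for every 2 UTF-16 bytes" and of why an odd byte count
 * breaks it. BMP-only UTF-16LE input; surrogate pairs are out of scope. */

/* Naive allocation: integer division silently drops a trailing odd byte. */
size_t utf8_alloc_naive(size_t utf16_bytes) {
    return (utf16_bytes / 2) * 3;
}

/* Bounds-checked converter. Returns bytes written, or -1 at the point where
 * an unchecked converter would write past the buffer. A dangling odd byte
 * becomes a zero-padded unit, so the unit count rounds UP while the
 * allocation above rounded DOWN: that disagreement is the bug class. */
long utf16le_to_utf8(const uint8_t *in, size_t in_len,
                     uint8_t *out, size_t out_cap) {
    size_t units = (in_len + 1) / 2, w = 0;
    for (size_t i = 0; i < units; i++) {
        uint16_t cu = in[2 * i];
        if (2 * i + 1 < in_len) cu |= (uint16_t)(in[2 * i + 1] << 8);
        size_t need = cu < 0x80 ? 1 : cu < 0x800 ? 2 : 3;
        if (out_cap - w < need) return -1;             /* would overflow */
        if (need == 1) { out[w++] = (uint8_t)cu; continue; }
        /* lead byte, then (need - 1) continuation bytes of 6 bits each */
        out[w++] = (uint8_t)((need == 2 ? 0xC0 : 0xE0) | (cu >> (6 * (need - 1))));
        for (size_t s = need - 1; s-- > 0;)
            out[w++] = (uint8_t)(0x80 | ((cu >> (6 * s)) & 0x3F));
    }
    return (long)w;
}

/* Hardened sizing: reject torn code units up front and guard the multiply
 * against wrap-around. Returns 1 with the capacity in *cap, else 0. */
int utf8_alloc_safe(size_t utf16_bytes, size_t *cap) {
    if (utf16_bytes % 2 != 0 || utf16_bytes / 2 > SIZE_MAX / 3) return 0;
    *cap = (utf16_bytes / 2) * 3;
    return 1;
}

/* Constructed sample: two euro signs (U+20AC) plus one torn trailing byte. */
static const uint8_t SAMPLE_ODD[] = {0xAC, 0x20, 0xAC, 0x20, 0xAC};
int odd_chunk_trips_bounds_check(void) {       /* 1 = naive size too small */
    uint8_t out[16];
    return utf16le_to_utf8(SAMPLE_ODD, sizeof SAMPLE_ODD, out,
                           utf8_alloc_naive(sizeof SAMPLE_ODD)) == -1;
}
```

For the five-byte sample the naive rule allocates six bytes, but the converter needs eight, so the bounds check fires exactly where an unchecked implementation would corrupt the heap; the hardened routine instead rejects the odd length before any allocation happens.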

Currently, Notepad++ has not released any patches regarding these potential vulnerabilities nor have they confirmed any fixes.

Access Point recommends keeping up to date with news on this software in the meantime and applying a patch as soon as one is made available. All of the Notepad++ vulnerabilities are still being processed and exist only as proofs of concept at the moment; the method of exploitation for some of them is unknown. Stay vigilant when downloading files from the internet or opening email attachments, since specially crafted files are the only way these vulnerabilities can be exploited.

DreamBus Botnet Exploiting RCE Flaw in Apache RocketMQ Servers

Analysis: Apache RocketMQ servers are being targeted through a vulnerability publicly disclosed in May 2023 that allows remote code execution through a gateway. It currently affects RocketMQ version 5.1.0 and below.

The vulnerability, tracked as CVE-2023-33246 (CVSS: 9.8), allows a remote, unauthenticated attacker to abuse the update configuration function to execute commands with the same access level as the RocketMQ user process. This CVE is being used to install the DreamBus bot malware, which delivers a cryptocurrency miner to infected machines.

Access Point recommends the following:

  1. Immediate Patch: Due to the severity of this vulnerability and its potential for infection, Access Point Technology recommends an immediate patch for all users running Apache RocketMQ servers.
  2. Identify Affected Versions: Check your Apache RocketMQ version; if you're running version 5.1.0 or below (for version 5.x) or 4.9.5 or below (for version 4.x), you are at risk.
  3. Apply Vendor Patch: The vendor has released patches to remediate this vulnerability. Install version 5.1.1 if you're using version 5.x or version 4.9.6 if you're using version 4.x.
  4. Prioritize Security: Given the active exploitation of this vulnerability, treat it as an emergency and prioritize the patching process.

Sources

https://therecord.media/mississippi-hospital-system-takes-services-offline-after-cyberattack

https://www.bleepingcomputer.com/news/security/rhysida-claims-ransomware-attack-on-prospect-medical-threatens-to-sell-data/

https://thehackernews.com/2023/08/agile-approach-to-mass-cloud-credential.html

https://thehackernews.com/2023/08/new-telegram-bot-telekopye-powering.html

https://thehackernews.com/2023/08/lazarus-group-exploits-critical-zoho.html

https://www.bleepingcomputer.com/news/security/the-moveit-hack-and-what-it-taught-us-about-application-security/

https://www.bleepingcomputer.com/news/security/new-stealthy-techniques-let-hackers-gain-windows-system-privileges/

https://www.bleepingcomputer.com/news/security/ransomware-hackers-dwell-time-drops-to-5-days-rdp-still-widely-used/

https://www.bleepingcomputer.com/news/security/exploit-released-for-juniper-firewall-bugs-allowing-rce-attacks/

https://thehackernews.com/2023/08/urgent-fbi-warning-barracuda-email.html

https://www.helpnetsecurity.com/2023/08/29/skype-vulnerability-ip-address/

https://securityaffairs.com/149906/security/cisco-nx-os-and-fxos-software-flaws.html

https://cybersecuritynews.com/multiple-notepad-flaw/

https://cybersecuritynews.com/dreambus-botnet-rocketmq-servers/
