North Korean Hackers Deploy Malicious Python Packages, Okta Warns of Social Engineering Attacks, and ASUS Routers Vulnerable to Critical Remote Code Execution Flaws

At a Glance

Ransomware, Malware & Phishing

1. Earth Estries' Espionage Campaign Targets Governments and Tech Titans Across Continents
2. North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository
3. SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations
4. Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware
5. Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges
6. Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.
7. Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus
8. LogicMonitor Customers Hacked in Reported Ransomware Attacks
9. Chrome Extensions Can Steal Plaintext Passwords from Websites

Vulnerabilities

1. Mysterious Microsoft Edge Vulnerability Allows Taking Control of Machine With a Click
2. CVE-2023-38831 Detection: UAC-0057 Group Exploits a WinRAR Zero-Day to Spread a PicassoLoader Variant and CobaltStrike Beacon via Rabbit Algorithm
3. Chrome Extensions can Steal Plaintext Passwords from Websites  
4. Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers
5. ASUS Routers Vulnerable to Critical Remote Code Execution Flaws
6. Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

Ransomware, Malware & Phishing

Earth Estries' Espionage Campaign Targets Governments and Tech Titans Across Continents

Analysis: A hacking group known as Earth Estries is conducting an ongoing cyber espionage campaign targeting government and technology sectors in various countries, including the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. The group, active since at least 2020, possesses advanced cyber espionage skills and is linked to another nation-state group called FamousSparrow. Earth Estries employs various tactics, including leveraging vulnerabilities and deploying sophisticated malware, to infiltrate and maintain control over compromised systems. They are known for using techniques like DLL side-loading and PowerShell downgrade attacks to evade detection. Additionally, the group abuses public services like Github and Gmail for communication and command transfer.

Access Point recommends the following:

1. Regular Patching and Updates: Ensure all systems and software are regularly patched and updated to mitigate vulnerabilities that threat actors like Earth Estries may exploit.
2. Network Segmentation: Implement network segmentation to limit lateral movement within your network, containing potential breaches and preventing adversaries from accessing critical systems.
3. Advanced Endpoint Protection: Use advanced endpoint protection solutions capable of detecting and responding to sophisticated malware like Cobalt Strike and various backdoors used by Earth Estries.
4. Monitoring and Logging: Establish robust monitoring and logging mechanisms to detect suspicious activities and potential breaches promptly, including monitoring for DLL side-loading and PowerShell downgrade attacks.
5. Email Security: Enhance email security measures to prevent phishing attacks, as email is often an initial entry point for threat actors.
6. Access Controls and Least Privilege: Implement strict access controls and least privilege principles to limit exposure and movement of adversaries within your network.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Spearphishing Attachment (T1193)
• PowerShell (T1059)
• DLL Side-Loading (T1073)
• Registry Run Keys / Startup Folder (T1060)
• Bypass User Account Control (T1088)
• Obfuscated Files or Information (T1027)
• Disabling Security Tools (T1089)
• Credential Dumping (T1003)
• Query Registry (T1012)
• System Information Discovery (T1082)
• Data Staging (T1074)
• Exfiltration Over Alternative Protocol (T1048)
• Inhibit System Recovery (T1490)

North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository

Analysis: Three rogue Python packages have been discovered in the Package Index (PyPI) repository, constituting a part of the ongoing malicious software supply chain campaign named VMConnect. These packages, tablediter, request-plus, and requestspro, exhibit signs indicating the involvement of North Korean state-sponsored threat actors. The packages mimic popular open-source Python tools, including typosquatting techniques to impersonate legitimate packages like prettytable and requests, thereby deceiving developers. The tablediter package runs an endless execution loop, periodically polling a remote server to retrieve and execute a Base64-encoded payload. This payload's exact nature remains unknown, and the package no longer triggers malicious code upon installation to evade security software detection.

The other two packages, request-plus and requestspro, collect information about the infected machine and transmit it to a command-and-control (C2) server. Subsequently, the server responds with a token, leading to the retrieval of a double-encoded Python module and a download URL, suspected to be the next stage of the malware.

These tactics, particularly the token-based approach, align with a previous npm campaign associated with North Korean actors. The connections to North Korea are further supported by infrastructure overlaps between the npm campaign and a JumpCloud hack from June 2023. Additionally, ReversingLabs identified a Python package named py_QRcode, exhibiting similar malicious functionality to VMConnect. This package was used in a separate attack targeting cryptocurrency exchange developers in May 2023 and attributed to another North Korean group known as SnatchCrypto. Furthermore, macOS systems targeted by these attacks saw the deployment of JokerSpy, a novel backdoor first reported in June 2023.

Additionally, SentinelOne revealed a third malware named QRLog in the same context, suggesting a threat actor proficient in crafting functional malware across various programming languages and operating systems. The use of PyPI as a distribution point for malware underscores the ongoing threats to users of the Python Package Index.

Access Point Recommends the following:

1. Package Source Verification: Developers should exercise caution when using packages from public repositories like PyPI. Verify the authenticity of packages and their sources before installation.
2. Vulnerability Scanning: Employ vulnerability scanning tools to detect malicious code or suspicious behavior in packages and dependencies. Regularly scan your dependencies for potential security issues.
3. Keep Packages Updated: Keep packages and dependencies up to date, as vulnerabilities are often patched in newer versions. Regularly review and update your software dependencies.
4. Stay Informed: Developers should stay informed about emerging threats and follow best practices for secure coding and package management. Subscribe to security mailing lists and keep an eye on security advisories for your dependencies.
5. Threat Intelligence Sharing: Share threat intelligence with the community and relevant authorities to enhance collective defense against state-sponsored threat actors. Report any suspicious or malicious packages you encounter to the appropriate authorities or security organizations.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Supply Chain Compromise (T1195)
• Execution through API (T1106)
• Registry Run Keys / Startup Folder (T1060)
• Data from Local System (T1005)
• Exfiltration Over C2 Channel (T1041)
• Masquerading (T1036)

SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations

Analysis: SapphireStealer, an open-source .NET-based information-stealing malware, has recently gained notoriety in the cybersecurity landscape. This malicious software has become a preferred tool for various threat actors, enabling them to bolster their capabilities and craft tailored versions for their nefarious purposes. Within the realm of cybercrime-as-a-service (CaaS), SapphireStealer plays a pivotal role, catering to both financially motivated cybercriminals and nation-state actors alike. This versatile malware exhibits classic information-stealing characteristics, including the collection of host data, browser information, files, screenshots, and the subsequent exfiltration of this data in the form of a ZIP file via Simple Mail Transfer Protocol (SMTP). What makes SapphireStealer particularly concerning is the release of its source code to the public in late December 2022, empowering malicious actors to experiment with the malware and elude detection. Notably, this release includes the integration of adaptable data exfiltration methods via Discord webhooks or the Telegram API. Multiple variants of SapphireStealer have already emerged, with threat actors continually enhancing its efficacy.

Additionally, the malware's author has made available a .NET malware downloader known as FUD-Loader, facilitating the retrieval of supplementary binary payloads from attacker-controlled distribution servers. This downloader has been observed distributing various remote administration tools, such as DCRat, njRAT, DarkComet, and Agent Tesla.

This revelation follows closely on the heels of another information-stealing malware disclosure by Zscaler, which unveiled the Agniane Stealer. This malware specializes in pilfering credentials, system information, session details, and cryptocurrency-related data. Notably, Agniane Stealer is available for purchase on dark web forums and Telegram channels, with a subscription fee of $50 per month.

Access Point recommends the following:

1. Safeguard Software Development: In response to the proliferation of SapphireStealer, organizations should prioritize securing their software development processes. This includes conducting thorough code reviews, vulnerability assessments, and implementing robust security practices to prevent the creation of similar open-source malware.
2. User Education and Awareness: Educating users and employees about the risks associated with downloading and executing unknown files or software, especially from untrusted sources, is paramount. Implement comprehensive cybersecurity training programs to keep personnel informed and vigilant against evolving threats.
3. Regular System Updates and Patching: Maintaining a strong cybersecurity posture requires organizations to regularly update and patch their systems. This practice is critical in addressing vulnerabilities that may be exploited by malware like SapphireStealer.
4. Antivirus Software and Intrusion Detection: Deploy reliable antivirus software and intrusion detection and prevention systems to detect and respond to information-stealing malware. Continuously update these security tools to stay ahead of emerging threats.
5. Threat Intelligence Sharing: Organizations should actively participate in sharing threat intelligence and indicators of compromise (IOCs) with relevant cybersecurity communities and authorities. Collaborative efforts are essential in collectively combating evolving cyber threats.
6. Monitoring for Agniane Stealer: Given the emergence of Agniane Stealer in the cybercrime landscape, organizations should be vigilant for signs of this malware. Establish monitoring systems to detect and respond to potential Agniane Stealer infections promptly.
7. Dark Web Awareness: Stay informed about developments on the dark web, where malware like Agniane Stealer is sold and distributed. Monitoring these channels can provide insights into potential threats and the evolving cybercriminal landscape.
8. Compliance and Incident Response Plans: Ensure compliance with industry-specific cybersecurity standards and regulations, and have well-defined incident response plans in place. Being prepared to react swiftly to security incidents can help mitigate their impact.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Phishing (T1566)
• PowerShell (T1059)
• Command and Scripting Interpreter (T1059)
• Data from Local System (T1005)
• Screen Capture (T1113)
• Input Capture (T1056)
• Exfiltration Over Alternative Protocol (T1048)
• Data Encrypted (T1022)
• Obfuscated Files or Information (T1027)
• Masquerading (T1036)
• Inhibit System Recovery (T1490)

Threat Actors Targeting Microsoft SQL Servers to Deploy FreeWorld Ransomware

Analysis: Threat actors have launched a campaign known as DB#JAMMER, actively targeting Microsoft SQL (MS SQL) servers with weak security measures. This campaign stands out due to its extensive toolkit and infrastructure, encompassing enumeration software, Remote Access Trojan (RAT) payloads, exploitation tools, credential theft software, and the FreeWorld ransomware strain. The attackers initiate their intrusion through brute-force attacks on MS SQL servers, progressing to database enumeration and the use of the xp_cmdshell configuration to execute shell commands and gather intelligence. Subsequently, the threat actors compromise the system firewall, establish persistence, and connect to remote SMB shares, enabling the transfer of malicious tools like Cobalt Strike. This paves the way for the deployment of AnyDesk software and, ultimately, the FreeWorld ransomware. The campaign also includes attempts at lateral movement within the victim network, including unsuccessful endeavors to establish Remote Desktop Protocol (RDP) persistence via Ngrok.

The initial success of this campaign was attributed to a brute-force attack targeting exposed MS SQL servers. Researchers stress the critical importance of implementing robust passwords for publicly exposed services to thwart such attacks. This incident underscores an ongoing trend wherein poorly managed MS SQL servers become prime targets for threat actors aiming to deploy malware. It follows reports of cyberattacks deploying LoveMiner and projacking software on compromised MS SQL servers. Additionally, this disclosure aligns with the activities of the Rhysida ransomware group, which has victimized 41 organizations, primarily in Europe. Rhysida is a relatively new ransomware variant known for encrypting and exfiltrating sensitive data, demanding ransoms under the threat of data exposure.

Access Point recommends the following:

1. Password Strength: Utilize strong and complex passwords, incorporating length, symbols, and numbers. Consider implementing multi-factor authentication (MFA) for access control.
2. Regular Updates: Keep MS SQL servers and related software up to date with the latest security patches to address known vulnerabilities.
3. Network Segmentation: Implement network segmentation to restrict lateral movement and unauthorized access within the network, mitigating potential intrusions.
4. Monitoring and Detection: Deploy robust monitoring and intrusion detection systems capable of identifying and responding to unauthorized access attempts and suspicious activities.
5. Data Backup and Recovery: Regularly back up critical data and systems to enable swift recovery in the event of a ransomware attack. Ensure the effectiveness of backup restoration procedures through testing.
6. Phishing Awareness: Provide training to employees and users to help them recognize phishing attempts and emphasize the importance of strong password management.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Brute Force (T1110)
• Command and Scripting Interpreter (T1059)
• Registry Run Keys / Startup Folder (T1060)
• Exploitation for Privilege Escalation (T1068)
• Data from Local System (T1005)
• Screen Capture (T1113)
• Exfiltration Over Alternative Protocol (T1048)
• Data Encrypted (T1022)

Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges

Analysis: Identity services provider Okta has issued a warning regarding a series of social engineering attacks that targeted IT service desk personnel with the goal of obtaining elevated administrator permissions. Several U.S.-based Okta customers reported incidents following a consistent pattern. In these attacks, threat actors sought to convince service desk staff to reset all multi-factor authentication (MFA) factors associated with highly privileged user accounts. Once successful, the adversaries leveraged Okta Super Administrator accounts within the compromised organizations to impersonate users. These attacks took place between July 29 and August 19, 2023.

While Okta did not identify the responsible threat actor, the tactics employed bear similarities to the Muddled Libra activity cluster, which has connections to Scattered Spider and Scatter Swine. Central to these attacks is the use of a commercial phishing kit known as 0ktapus. This kit allows for the creation of convincing fake authentication portals and the harvesting of credentials and MFA codes. It also includes a built-in command-and-control (C2) channel via Telegram. The use of the 0ktapus phishing kit had been previously highlighted by Palo Alto Networks Unit 42, although its use alone does not necessarily classify a threat actor as Muddled Libra. Additionally, there is limited data to confirm a direct link between this actor and UNC3944, an uncategorized group tracked by Mandiant, which employs similar tradecraft.

In these recent attacks, threat actors likely obtained passwords for privileged user accounts or manipulated delegated authentication flows via Active Directory (AD) before contacting the IT help desk to request a reset of all MFA factors associated with the compromised account. Once access to Super Administrator accounts was secured, the attackers assigned higher privileges to other accounts, reset enrolled authenticators in existing administrator accounts, and sometimes removed second-factor authentication requirements.

Access Point recommends the following:

1. Implement Resistant Authentication Methods: Utilize authentication methods like hardware tokens or biometrics that are resistant to phishing attacks.
2. Strengthen Identity Verification: Enhance identity verification processes for help desks to ensure the legitimacy of account change requests.
3. Enhance Security Awareness: Enable notifications for end-users regarding new device logins and suspicious activities to raise security awareness.
4. Limit Highly Privileged Roles: Review and restrict the use of highly privileged roles, such as Super Administrator, to minimize the potential for misuse.
5. Cybersecurity Training: Provide comprehensive cybersecurity training to employees and help desk personnel to effectively recognize and respond to social engineering attacks.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Phishing (T1566)
• Execution through API (T1106)
• Credential Dumping (T1003)
• Registry Run Keys / Startup Folder (T1060)
• Exploitation for Privilege Escalation (T1068)
• Obfuscated Files or Information (T1027)
• Data from Local System (T1005)
• Active Directory Enumeration (T1018)

Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.

Analysis: A widespread smishing (SMS phishing) campaign has come to light, primarily targeting the United States, with the Smishing Triad at the helm. These threat actors have launched a sophisticated operation involving compromised Apple iCloud accounts to perpetrate identity theft and financial fraud. The campaign unfolds with the Smishing Triad sending iMessages aimed at collecting personally identifying information (PII) and payment credentials from unsuspecting victims, with the intention of conducting identity theft and credit card fraud. Notably, the Smishing Triad is associated with a "fraud-as-a-service" offering, selling ready-to-use smishing kits via Telegram for a monthly fee of $200. These kits impersonate popular postal and delivery services across various countries, including the U.S., the U.K, Poland, Sweden, Italy, Indonesia, Malaysia, Japan, among others.

A noteworthy element of this campaign is the exploitation of compromised Apple iCloud accounts as a delivery mechanism for fraudulent package delivery failure messages. Victims are coerced into clicking on a link to reschedule a delivery, leading them to a fake form where they are prompted to enter their credit card information. An investigation into the smishing kit revealed an SQL injection vulnerability that enabled the attackers to access more than 108,044 records of victim data. The Smishing Triad likely maintains a covert channel to collect intercepted personal and payment data from other members and clients using their kit, a common practice among cybercriminals to profit from their clients' activities or monitor their actions through an administration panel.

The Telegram group associated with the Smishing Triad comprises a range of professionals, including graphic designers, web developers, and salespeople who collaboratively produce high-quality phishing kits marketed on dark web cybercrime forums. Furthermore, the group collaborates with financially motivated actors, including Vietnamese-speaking individuals, to expand their illicit operations. Beyond package tracking text scams, the Smishing Triad is also involved in Magecart-like attacks that target online shopping platforms, utilizing malicious code injections to intercept customer data.

Access Point recommends the following:

1. Exercise Caution: Encourage users to exercise caution when receiving SMS or iMessage communications, particularly when prompted to click on links or provide personal and financial information.
2. Identity Verification: Implement robust identity verification processes for any requests involving sensitive information or actions, especially those related to rescheduling deliveries or making payments.
3. Security Patching: Secure web applications against SQL injection vulnerabilities by adhering to secure coding practices and regularly updating and patching software.
4. Monitoring and Detection: Employ advanced monitoring and detection tools to swiftly identify and respond to suspicious SMS and iMessage campaigns.
5. User Education: Educate users about the risks associated with phishing and social engineering attacks via SMS and iMessage, emphasizing skepticism and the importance of verifying message legitimacy.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Phishing (T1566)
• Execution through API (T1106)
• Data from Local System (T1005)
• Exfiltration Over Alternative Protocol (T1048)
• Data Encrypted (T1022)
• Registry Run Keys / Startup Folder (T1060)

Beware of MalDoc in PDF: A New Polyglot Attack Allowing Attackers to Evade Antivirus

Analysis: Cybersecurity researchers have brought to light a novel antivirus evasion technique dubbed "MalDoc in PDF," which was employed in a real-world attack that transpired in July 2023. This method involves the insertion of a malicious Microsoft Word file into a PDF file, resulting in a polyglot file capable of functioning as both a PDF and a Word document. When opened in Word, the embedded VBS macro executes, facilitating malicious activities. Although the specific malware distributed through this technique is undisclosed, it is engineered to download and install an MSI malware file when opened as a .DOC file in Microsoft Office. The first instances of real-world attacks utilizing MalDoc in PDF were identified approximately a month ago, with evidence indicating that experimentation with this technique commenced as early as May.

Coinciding with this discovery is a surge in phishing campaigns employing QR codes to disseminate malicious URLs, a tactic known as "qishing." Threat actors are employing social engineering attacks that blend vishing (voice phishing) and phishing tactics to gain unauthorized access to targeted systems. These attacks are associated with groups such as LAPSUS$ and Muddled Libra.

Access Point recommends the following:

1. Caution with Email Attachments: Organizations should encourage users to exercise caution when downloading and opening email attachments, particularly if they originate from unknown or untrusted sources.
2. Email Security Measures: Implement robust email security measures to identify and filter out malicious attachments and content. This can significantly reduce the risk of users inadvertently opening malicious files.
3. Macro Settings: Disable macros by default in Microsoft Office applications and enable them only when necessary, subject to strict verification processes. This minimizes the risk associated with macro-based attacks.
4. QR Code Awareness: Educate users about the potential risks of scanning QR codes, especially in emails and messages, and emphasize the importance of verifying the legitimacy of the sender before taking any action.
5. DNS Security: Consider implementing DNS security measures to detect and block suspicious domain names and DNS-based attacks, adding an extra layer of protection against phishing attempts.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Phishing (T1566)
• Spearphishing Attachment (T1566.001)
• User Execution (T1204)
• Exploitation for Client Execution (T1203)
• Registry Run Keys / Startup Folder (T1060)
• Scripting (T1059)
• Obfuscated Files or Information (T1027)
• Data from Local System (T1005)
• Exfiltration Over Alternative Protocol (T1048)

LogicMonitor customers hacked in reported ransomware attacks

Analysis: LogicMonitor, a network monitoring company, has confirmed a recent cyberattack affecting a subset of its SaaS platform users. Although the company referred to this incident as impacting only a "small number" of users, it is actively collaborating with affected parties to mitigate the consequences. While LogicMonitor did not explicitly mention ransomware in its statement, undisclosed sources familiar with the situation have asserted that threat actors infiltrated customer accounts, established local accounts, and executed ransomware attacks.

According to these sources, the deployment of ransomware was facilitated through LogicMonitor Collector sensors. These sensors are integral to monitoring user infrastructure and possess scripting capabilities. It is reported that malicious actors exploited the platform's cloud-based scripting functionality to propagate and execute scripts on on-premise Collectors. These attacks are said to have occurred during the previous week. Initially, LogicMonitor detected "technical abnormalities" affecting customer accounts, prompting an active investigation. Subsequently, the company announced that the issue had been resolved.

In addition, it was disclosed by another source that compromised customer accounts had weak default passwords assigned by LogicMonitor to new users. Furthermore, these passwords were automatically assigned to other users within the organizations until they were changed. To address this potential breach and associated risks, LogicMonitor reportedly proactively contacted its customers.

Access Point recommends the following:

1. Use Strong Passwords: Always set strong, unique passwords for user accounts and avoid using default or easily guessable passwords. Passwords should include a combination of letters, numbers, and special characters.
2. Password Management: Employ password management best practices, including regular password changes and avoiding password reuse across accounts.
3. Multi-Factor Authentication (MFA): Enable MFA wherever possible to provide an additional layer of security to user accounts. This can significantly enhance account protection.
4. Password Rotation Policy: Implement a policy for regularly changing passwords, especially for critical accounts and systems. Periodic password changes can reduce the risk of unauthorized access.
5. Effective Communication: Ensure clear communication with customers or users in the event of a security incident. Provide essential information while maintaining transparency to build trust and keep users informed.
6. Network Monitoring: Employ network monitoring solutions to detect suspicious activities and security breaches in real-time. This proactive approach can help identify and respond to potential threats promptly.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Credential Stuffing (T1110)
• Brute Force (T1111)  
• Ransomware (T1486)                    
• Initial Access via Weak or Default Passwords (T1078)
• Scripting (T1064)
• Probing or Scanning (T1046)
• Lateral Movement (T1072)
• Data Encryption (T1022)

Chrome Extensions Can Steal Plaintext Passwords from Websites

Analysis: Researchers at the University of Wisconsin-Madison have unveiled a proof-of-concept Chrome extension designed to highlight security vulnerabilities pertaining to Chrome extensions and plaintext password storage on websites. The research sheds light on issues concerning Chrome's permission model, which grants extensions unrestricted access to various website elements, including user input fields. This level of access potentially exposes sensitive data within the HTML source code, including plaintext passwords. Despite the introduction of Manifest V3, which curtails certain extension capabilities, it fails to establish a clear security boundary between extensions and web pages. The researchers even uploaded their proof-of-concept extension to the Chrome Web Store and found it passed security checks, revealing potential security gaps in the platform.

Access Point recommends the following:

1. Careful Permissions: Developers should meticulously consider the permissions they request and adhere to the principle of least privilege. Only request access to resources essential for the extension's intended functionality.
2. Avoid Plaintext Passwords: Website owners should refrain from storing plaintext passwords in the HTML source code of their web pages. Implement robust password security practices, such as encryption and hashing, to safeguard user credentials.
3. Extension Auditing: Regularly audit and review the permissions and activities of installed Chrome extensions. Remove any extensions that are not actively used or trusted.
4. Trustworthy Sources: Exercise caution when installing extensions and exclusively install those from reputable and trusted sources. Thoroughly review the permissions requested by extensions and evaluate their necessity.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• T1566 - Phishing.
• T1059 - Command and Scripting Interpreter.
• T1044 - Windows Management Instrumentation.
• T1055 - Process Injection.
• T1497 - Virtualization/Sandbox Evasion.

Vulnerabilities

Mysterious Microsoft Edge Vulnerability Allows Taking Control of Machine With a Click

Analysis: The Federal Office for Security in Information Technology (BSI) has recently raised concerns about a security flaw affecting Microsoft Edge, which was reported on August 28, 2023. This vulnerability has the potential to impact computers running Linux, MacOS X, and Windows, specifically within the Microsoft Edge software. Microsoft had previously addressed two other vulnerabilities on August 21, 2023, identified as CVE-2023-38158 and CVE-2023-36787, which pertained to information disclosure and elevation of privileges. Fixes for these issues were included in Microsoft Edge version 116.0.1938.54 for both the stable and extended stable channels.

In a more recent update, Microsoft identified an additional vulnerability, named CVE-2023-36741, characterized as an Elevation of Privileges issue. This marks the fourth adjustment to Microsoft's patching approach within the month. While comprehensive details about this vulnerability are not yet available, Microsoft has indicated in their security alert that it poses a risk to the Confidentiality, Integrity, and Availability (CIA) of the affected software and its surrounding environment.

Access Point recommends the following:

1. Update Microsoft Edge: Users of Microsoft Edge, particularly those using the Chromium-based version, should promptly update to the latest software version to address the identified vulnerability, CVE-2023-36741. This action is crucial for safeguarding against potential security threats.
2. Regular Software Updates: Regularly check for and apply software updates as a fundamental practice for maintaining a secure computing environment. Keeping your software up to date helps protect against known vulnerabilities.

CVE-2023-38831 Detection: UAC-0057 Group Exploits a WinRAR Zero-Day to Spread a PicassoLoader Variant and CobaltStrike Beacon via Rabbit Algorithm

Analysis: WinRAR has been identified with a zero-day vulnerability, labeled as CVE-2023-38831, which has been exploited from April to August 2023. When users attempt to view a benign file from a ZIP archive compromised with CVE-2023-38831, the flaw is triggered, leading to the execution of various files on the target system. This vulnerability has been linked to the delivery of the PicassoLoader and Cobalt Strike Beacon malware. Notably, these malicious tools were deployed against the Ukrainian government and educational entities during the summer of 2023.

The CERT-UA team has raised the alarm about the exploitation of this vulnerability, especially concerning its use in attacks against Ukraine. Once exploited, the chain of infection involves running multiple file types, eventually resulting in the distribution of Cobalt Strike Beacon malware on vulnerable systems. To counter these malicious endeavors, the SOC Prime Platform offers tools for cybersecurity professionals. The SOC Prime's Threat Detection Marketplace provides Sigma rules specifically curated to detect attempts that exploit the CVE-2023-38831 WinRAR flaw. These rules, aligned with the MITRE ATT&CK framework, can be integrated into a variety of SIEM, EDR, XDR, and Data Lake systems.

For professionals seeking to understand the depth of the vulnerability and its associated attack vectors, the CERT-UA#7435 alert provides insights. The alert details tactics and techniques based on the MITRE ATT&CK framework, ranging from "Initial Access" to "Defense Evasion," with each technique corresponding to a specific Sigma rule. This comprehensive overview aids security teams in understanding the vulnerability's potential impact and formulating defense strategies accordingly.  

Access Point recommends the following:

1. Update WinRAR: Users and organizations currently using WinRAR software versions prior to 6.23 should update immediately. This action is essential to mitigate the risk posed by the CVE-2023-38831 vulnerability.
2. Implement Sigma Rules: Cybersecurity teams should incorporate the Sigma rules provided by the SOC Prime's Threat Detection Marketplace into their SIEM, EDR, XDR, and Data Lake systems. These rules are specifically curated to detect and respond to potential exploitation attempts related to the WinRAR vulnerability.
3. Continuous Monitoring: Establish a practice of continuous monitoring to detect and respond to potential threats promptly. Proactive monitoring can help identify suspicious activities and potential exploitation attempts in real-time.
4. Employee Training: Conduct employee training programs to educate staff about phishing attempts and best practices for avoiding them. Employees play a crucial role in preventing social engineering attacks.
5. Review CERT-UA Alert: Security teams should review the details provided in the CERT-UA#7435 alert, which offers insights into the vulnerability's attack vectors and potential impact. This understanding can inform defense strategies effectively.

Chrome extensions can steal plaintext passwords from websites  

Analysis: Researchers from the University of Wisconsin-Madison have unveiled a significant vulnerability in Chrome's extension system. Their investigations showed that the permission model for Chrome extensions has weaknesses that could allow these extensions to access and steal plaintext passwords directly from a website's HTML source code. This issue stems from the unrestricted access given to browser extensions to a website's Document Object Model (DOM) tree, which can contain sensitive information such as plaintext passwords. Despite Google introducing the Manifest V3 protocol to minimize malicious extensions, it doesn't introduce a security boundary between extensions and web pages, leaving content scripts problematic.  

To demonstrate the gravity of this vulnerability, the researchers developed a proof-of-concept Chrome extension capable of extracting passwords and uploaded it to the Chrome Web Store. This extension, which was designed to evade static detection and adhere to Manifest V3's guidelines, successfully passed Google's review process. The research revealed that out of the top 10,000 websites, approximately 1,100 stored user passwords in plaintext within the HTML DOM, while another 7,300 were susceptible to DOM API access and direct extraction of user inputs. Several notable websites, including Gmail, Cloudflare, Facebook, and Citibank, were shown to have inadequate protections.  

Highlighting the prevalence of the issue, the researchers found that roughly 12.5% of extensions in the Chrome Web Store, including many with millions of installations, have the necessary permissions to extract sensitive data. This translates to around 17,300 extensions. Additionally, the analysis found 190 extensions, some with more than 100,000 downloads, that directly accessed password fields, hinting at possible active exploitation attempts. In response to the research, Amazon stressed the importance of customer security and encouraged best practices, while Google mentioned they were examining the concerns raised.  

Access Point recommends the following:

1. Exercise Caution with Extensions: Users should exercise caution when installing Chrome extensions, particularly those requesting permissions to access website content. Only install extensions from trusted sources and review their requested permissions.
2. Secure Data Storage: Web developers should consider more secure methods for storing sensitive information, avoiding plaintext storage within the HTML DOM. Implement encryption and hashing for sensitive data, especially user passwords.
3. Enhanced Security Measures: Major websites that store sensitive data in plaintext or vulnerable formats should implement stricter security measures to protect user data. This includes adopting stronger encryption practices and access controls.
4. Reinforce Security Boundaries: Browser and extension developers should adopt best practices and reinforce security boundaries between extensions and web content. This is critical to prevent unauthorized data extraction and maintain user privacy.

Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

Analysis: A cybersecurity firm, Security Joes, has observed an unidentified threat actor exploiting serious vulnerabilities in the MinIO object storage system, allowing for unauthorized code execution on impacted servers. The intrusions employed an exploit chain to backdoor the MinIO instance, using CVE-2023-28432 (with a CVSS score of 7.5) and CVE-2023-28434 (with a CVSS score of 8.8). The first of these vulnerabilities was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog on April 21, 2023. These vulnerabilities can potentially expose sensitive information and enable remote code execution on the host running the MinIO application. During the observed attack, the threat actor weaponized these vulnerabilities to gain admin credentials, using this access to replace the legitimate MinIO client with a compromised version by triggering a specific update command. This effectively permitted the attacker to deploy a deceptive update, supplanting the genuine MinIO binary with a malicious counterpart, resulting in the system being compromised. The modified binary acts as a backdoor, enabling it to receive and execute commands through HTTP requests. Interestingly, this manipulated binary is akin to an exploit titled "Evil MinIO" shared on GitHub in early April 2023, although there's no confirmed link between the exploit's developer and the attackers. The attacker's proficiency is evident in their adept use of bash scripts and Python. They utilize the backdoor access to deploy additional malicious payloads from a distant server for further exploitation through a downloader script.

This script, compatible with both Windows and Linux, acts as an entry point to analyze the compromised systems, after which a decision is made on whether to proceed with or halt the execution. Security Joes highlighted the threat actor's strategic methodology, as they refine their actions depending on the perceived significance of the breached system.  

Access Point recommends the following:

1. Assess for Compromise: Organizations using the MinIO object storage system should immediately assess their systems for signs of compromise, given the reported vulnerabilities and potential unauthorized code execution.
2. Apply Patches and Updates: Ensure that all available patches or updates are applied to address the identified vulnerabilities, specifically CVE-2023-28432 and CVE-2023-28434. Keeping your software up to date is critical to mitigating known vulnerabilities.
3. Strengthen Security Configurations: Review and strengthen security configurations for the MinIO system. Ensure that admin credentials are secure, and consider implementing regular rotation of credentials for added security.
4. Monitor for Changes: Implement robust monitoring to detect any unexpected or unauthorized changes to the MinIO client or other system binaries. This proactive approach can help identify potential compromises early.
5. Network Segmentation: Consider implementing network segmentation and disabling unnecessary external connections to reduce the potential attack surface. This can help isolate critical systems from potential threats.
6. Backup and Monitoring: Regularly back up critical data and implement continuous monitoring for suspicious activity. Timely detection is crucial for responding to potential breaches effectively.
7. Incident Response: Establish clear incident response procedures, and if any signs of a breach are detected, organizations should swiftly engage in incident response protocols to mitigate further damage.

ASUS routers vulnerable to critical remote code execution flaws

Analysis: ASUS, a popular manufacturer of computer hardware has had three critical remote code execution vulnerabilities impact several of their router products. These include the ASUS RT-AX55, RT-AX56U_V2, and the RT-AC86U routers which are popular with users which require high performance networking speeds.

The three vulnerabilities which each have a CVSS 3.1 rating of 9.8 are listed below:

• CVE-2023-39238 - Lack of proper verification of the input format string on the iperf-related API module ‘ser_iperf3_svr.cgi’.
• CVE-2023-39239 - Lack of proper verification of the input format string in the API of the general setting function.
• CVE-2023-39240 - Lack of proper verification of the input format string on the iperf-related API module ‘ser_iperf3_cli.cgi’.

The affected firmware versions:

• RT-AX55: 3.0.0.4.386_50460
• RT-AX56U_V2:  3.0.0.4.386_50460
• RT-AC86U: 3.0.0.4_386_51529

Access Point recommends the following:

1. Patch the firmware for the prior devices: For the RT-AX55 update to 3.0.0.4.386_51948 or later, RT-AX56U_V2 update to 3.0.0.4.386_51948 or later, and for the RT-AC86U update to 3.0.0.4.386_51915 or later. This is because each of these vulnerabilities are high severity with remote code execution capability.
2. Disable Remote Administration Features: To prevent attacks against consumer routers, disable remote administration features on your router or limit the IPs which are allowed to access remote administration to known IP addresses only.

Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks

Analysis: VMware, an American cloud computing and virtualization technology company, has released software updates to patch two security vulnerabilities in Aria Operations for Networks which could be exploited to bypass authentication and perform remote code execution.

The two vulnerabilities are listed below:

• CVE-2023-34039 (CVSS: 9.8) – Aria Operations for Networks contains an Authentication Bypass vulnerability due to lack of unique cryptographic key generation. This could allow a malicious actor with network access to circumvent the SSH authentication to gain access to the Aria Operations for Networks CLI.
• CVE-2023-20890 (CVSS: 7.2) – Aria Operations for Networks contains an arbitrary file write vulnerability which can allow an authenticated malicious actor with administrative access to VMware Aria Operations Networks to write files to arbitrary locations which results in remote code execution.

Both of these vulnerabilities which affect VMware Aria Operations Networks version 6.2-6.10 have been addressed in patches. Updating to version 6.11.0 will remediate this vulnerability according to VMware.

Access Point recommends the following:

Apply Patches and Updates: All users of Aria Operations to update to version 6.11.0 or later to remediate these vulnerabilities. VMware has been a target for threat actors in the past and keeping up-to-date software is one of the best defenses against them.

‍

Sources

https://thehackernews.com/2023/08/earth-estries-espionage-campaign.html

https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html

https://thehackernews.com/2023/08/sapphirestealer-malware-gateway-to.html

https://thehackernews.com/2023/09/threat-actors-targeting-microsoft-sql.html

https://thehackernews.com/2023/09/okta-warns-of-social-engineering.html

https://thehackernews.com/2023/09/chinese-speaking-cybercriminals-launch.html

https://thehackernews.com/2023/09/beware-of-maldoc-in-pdf-new-polyglot.html

https://www.bleepingcomputer.com/news/security/logicmonitor-customers-hacked-in-reported-ransomware-attacks/

https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/

https://www.exploitone.com/vulnerabilities/mysterious-microsoft-edge-vulnerability-allows-taking-control-of-machine-with-a-click/

https://socprime.com/blog/cve-2023-38831-detection-uac-0057-group-exploits-a-winrar-zero-day-to-spread-a-picassoloader-variant-and-cobaltstrike-beacon-via-rabbit-algorithm/

https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/

https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html

https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-critical-remote-code-execution-flaws/

https://thehackernews.com/2023/08/critical-vulnerability-alert-vmware.html

‍