Category: Cybersecurity Advisories

Categories
Cybersecurity Advisories

Remediation Plan: Strict Transport Security Not Enforced (RFC 6797 – CWE-523)

Finding: Strict Transport Security Not Enforced (RFC 6797) – CWE-523

Description:
The web server is not enforcing HTTP Strict Transport Security (HSTS), a critical web security policy mechanism defined in RFC 6797. HSTS allows web servers to declare that user agents (e.g., browsers) should only interact with it over secure HTTPS connections, thereby preventing downgrade attacks and cookie hijacking over insecure HTTP.

Risk:
Without HSTS, users may unknowingly make HTTP requests, exposing session cookies and sensitive data to interception via man-in-the-middle (MITM) attacks. Attackers can exploit this gap especially on open or public Wi-Fi networks.

CWE-523: Unprotected Transport of Credentials
This vulnerability is related to the transport of credentials and other sensitive data without enforcing a secure channel.

Remediation Plan for IIS

Objective:
Enable and enforce HTTP Strict Transport Security (HSTS) on IIS-hosted websites to ensure all communication occurs over HTTPS.

Step 1: Prerequisites

– Confirm the site is already served over HTTPS with a valid SSL/TLS certificate.
– Ensure all HTTP requests are redirected to HTTPS to avoid mixed content or accessibility issues.

Step 2: Add HSTS via HTTP Response Headers

  • Option A: Using IIS Manager (GUI)
  1. Open IIS Manager.
    2. Navigate to your site under ‘Sites’.
    3. Double-click HTTP Response Headers.
    4. Click Add… and input:
    – Name: Strict-Transport-Security
    – Value: max-age=31536000; includeSubDomains; preload
    5. Click OK to apply.
  • Option B: Using Web.config

Add the following inside the <system.webServer> section of your Web.config:

<httpProtocol>
  <customHeaders>
    <add name=”Strict-Transport-Security” value=”max-age=31536000; includeSubDomains; preload” />
  </customHeaders>
</httpProtocol>

Explanation of Header Components:
– max-age=31536000: Enforce HTTPS for 1 year (in seconds).
– includeSubDomains: Apply policy to all subdomains.
– preload: Indicates intent to submit the domain to HSTS preload lists.

Step 3: Redirect HTTP to HTTPS

  • Option A: HTTP Redirect in IIS

– Select the site, go to HTTP Redirect, enable it, and set the destination to your HTTPS URL.

  • Option B: Rewrite Rules

Use the URL Rewrite module:

<rewrite>
  <rules>
    <rule name=”Redirect to HTTPS” stopProcessing=”true”>
      <match url=”(.*)” />
      <conditions>
        <add input=”{HTTPS}” pattern=”off” ignoreCase=”true” />
      </conditions>
      <action type=”Redirect” url=”https://{HTTP_HOST}/{R:1}” redirectType=”Permanent” />
    </rule>
  </rules>
</rewrite>

Step 4: Test Implementation

Use tools such as:
– SSL Labs (https://www.ssllabs.com/ssltest/)
– curl -I https://yourdomain.com (Confirm presence of the Strict-Transport-Security header)

Step 5: (Optional) Submit Domain to HSTS Preload List

Once the policy is stable, you may submit the domain at:
https://hstspreload.org/

Verification: How to Confirm HSTS is Properly Enforced

After implementing the HSTS policy, it’s important to validate that the configuration is correctly applied and functioning as intended. Use the following steps to confirm the remediation:

  1. Use curl to inspect the response headers:

Run the following command:
`curl -I https://yourdomain.com`
Look for the `Strict-Transport-Security` header in the output. It should match the expected value:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

  1. Use SSL Labs Test:

– Visit: https://www.ssllabs.com/ssltest/
– Enter your domain and start the test.
– Check the ‘HTTP Strict Transport Security (HSTS)’ section to verify correct setup.

  1. Use a browser with developer tools:

– Open your site in Chrome or Firefox.
– Open Developer Tools (F12), go to the Network tab.
– Refresh the page and click on your HTTPS request.
– Check the ‘Response Headers’ for the presence of `Strict-Transport-Security`.

  1. Test HTTP to HTTPS redirection:

– Navigate to http://yourdomain.com (without HTTPS).
– Confirm that it automatically redirects to https://yourdomain.com using a 301 or 302 status code.

  1. Optional: Check HSTS preload status:

– Visit: https://hstspreload.org/
– Enter your domain to check preload status or submit it for inclusion.

Categories
Cybersecurity Advisories

Remediation Guidance: SWEET32 Vulnerability on IIS (Windows Server 2019)

Finding: SWEET32 (CVE-2016-2183) 

The SWEET32 vulnerability affects SSL/TLS protocols that use 64-bit block ciphers, specifically 3DES (Triple DES) and IDEA. These ciphers are susceptible to birthday attacks when large volumes of data are transmitted over a persistent connection, potentially allowing an attacker to recover parts of plaintext traffic. IIS servers with 3DES enabled are affected. 

Remediation for IIS on Windows Server 2019 

Windows Server 2019 supports TLS 1.2 and 1.3 by default, along with modern AES-based cipher suites. However, 3DES may still be enabled for legacy compatibility and must be disabled to fully remediate SWEET32. 

Step 1: Disable 3DES via the Windows Registry 

Navigate to the following registry key and create or set the value as below: 
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersTriple DES 168nnSet the DWORD value ‘Enabled’ to 0. 

Alternatively, create a .reg file with the following content and import it: 

Windows Registry Editor Version 5.00 
 
[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNELCiphersTriple DES 168] 
“Enabled”=dword:00000000 

A system reboot is required for changes to take effect. 

Step 2: (Optional) Use IIS Crypto Tool 

To simplify cipher and protocol management, use the free Nartac IIS Crypto tool: 
• Download from https://www.nartac.com/Products/IISCrypto 
• Run the tool on the server 
• Select the ‘Best Practices’ template 
• Ensure 3DES and TLS 1.0/1.1 are disabled 
• Apply the changes and reboot the server 

Step 3: Verify Remediation and Confirm SWEET32 Is No Longer Present 

After applying the remediation steps and rebooting the server, verify that the SWEET32 vulnerability has been resolved. Use one of the following tools to confirm that 3DES is no longer supported: 

  • SSL Labs Server Test (recommended for public-facing servers):
    Visit https://www.ssllabs.com/ssltest/ and enter the domain name of the affected server. 
      Review the results to ensure 3DES is not listed among the supported cipher suites. 
  • Nmap (quick CLI-based check):
    Run the following command: 
      nmap –script ssl-enum-ciphers -p 443 [hostname or IP] 
      Look for 3DES or other 64-bit ciphers in the output. 
  • testssl.sh (thorough internal scan):
    Run the following command: 
      testssl.sh –vulnerable –cipher-per-proto –html customerDomain.com 
      This generates an HTML report showing all supported ciphers and any related vulnerabilities, including SWEET32. 
Categories
Cybersecurity Advisories

Phishing Campaigns Exploit Trusted MS Infrastructure

Threat actors are orchestrating highly targeted phishing campaigns that exploit Microsoft 365’s own trusted infrastructure to bypass traditional email security tools. Leveraging legitimate Exchange Online IPs and services like SharePoint, OneDrive, and Office 365-branded login portals, these campaigns are particularly effective at evading detection and deceiving end-users.

Key Tactics Observed Across Campaigns

Abuse of Microsoft IP Space

Attackers are sending phishing emails directly from compromised or attacker-owned Microsoft 365 tenants, making the emails appear legitimate to email security gateways and email filters. Since these emails originate from Microsoft’s IP ranges and pass SPF, DKIM, and DMARC, they’re often automatically trusted.

Use of Microsoft Services in Payload Delivery

Phishing emails frequently include links to:

  • SharePoint-hosted documents with embedded phishing links
  • OneDrive URLs leading to weaponized files or credential-harvesting sites
  • Office 365 login pages that look pixel-perfect but harvest credentials

These links are hosted on Microsoft domains, which makes them especially hard to detect and block. URLs such as 1drv.ms, sharepoint.com, and *.onmicrosoft.com are widely seen in these campaigns.

Targeting and Credential Theft

The campaigns are increasingly targeting high-value users—like executives, financial officers, and IT administrators. Once credentials are harvested, attackers often:

  • Pivot within the organization
  • Launch internal phishing using trusted email threads
  • Access sensitive data or set up OAuth apps for persistent access

Campaign Variants Identified

  • “Fax” or “Voicemail” notifications leading to credential harvesting pages
  • “Encrypted document” or “shared invoice” baits, hosted on SharePoint
  • OAuth abuse where victims grant permissions to malicious apps that maintain access without re-authentication

Why This Works So Well

  • Microsoft infrastructure is trusted by default in many organizations
  • Authentication headers are valid (SPF, DKIM, DMARC all green)
  • URL scanning often skips known-good domains
  • Users are trained to trust Microsoft-branded emails

What Organizations Should Do

Harden Microsoft 365

  • Enable Safe Links and Safe Attachments
  • Use Mail Flow (Transport) Rules to flag external use of Microsoft domains
  • Configure Defender for Office 365 with aggressive anti-phishing and impersonation policies

Educate End Users

  • Provide real-world examples of SharePoint/OneDrive abuse
  • Train users to treat “legitimate-looking” Microsoft prompts with caution
  • Highlight red flags like unexpected MFA requests or login prompts after clicking shared files

Monitor for Suspicious OAuth Activity

  • Review App registrations and third-party app consent
  • Enable consent governance policies and block risky app behaviors

Leverage Threat Intelligence & Hunting

  • Monitor Microsoft logs for anomalous login patterns
  • Watch for emails with links to sharepoint.com, onmicrosoft.com, or 1drv.ms
  • Utilize advanced hunting queries in Defender or Sentinel

These attacks demonstrate that relying solely on default trust settings is no longer a viable security strategy. Organizations must fundamentally shift their mindset, treating even familiar Microsoft services with a degree of skepticism. A proactive approach, combining technical controls with user awareness, is essential to effectively defend against these sophisticated and rapidly evolving phishing tactics.

Categories
Cybersecurity Advisories Uncategorized

Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)

Description of the vulnerability per NIST:

“Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting, and modifying the data interaction with this library.”

This vulnerability was intentionally induced by a supply chain attack. Starting in 2021, a suspected Threat Actor started to submit patches to open-source project on GITHUB, eventually focusing on the XZ Utils repository and becoming a co-developer. A fuller timeline of events can be found here. The backdoor/vulnerability was fully introduced in versions 5.6.0 and 5.6.1 of xz utils in February. Most production Linux distributions have not adopted these patches, but please check the following section to confirm that no affected versions are present in your environment.

Affected & Fixed Versions

Recommendations and Mitigations

SecurIT360 Managed SOC Clients:

  • For all active managed SOC EDR clients, we have checked our inventory across products and have already reached out if you have an affected Linux distribution.
  • For all active managed SOC MDR clients, we have also run an external Nessus vulnerability scan looking for affected versions and have again already reached out to any and all affected clients.

Otherwise, if you have any Linux endpoint that we do not monitor that you are concerned may be affected by this vulnerability, you can run a simple command of “xz –version” or “xz ultis –version” on these endpoints to confirm your versioning on the endpoint in question:

If any of your endpoints do presently use 5.6.0 and 5.6.1 of XZ Utils, we would recommend either updating or downgrading packages per the table above. For the case of Fedora 40-41 and Rawhide specifically the recommendation from Red Hat would be to power-down or stop using Rawhide for the time being, and to move to packages 5.4.X for Fedora 40-41. See Red Hat’s blog post on the subject for more information.

Resources & Related Articles

Categories
Cybersecurity Advisories

Russia-linked Midnight Blizzard Cyberattack: Awareness and Guidance

Given the recent report from Microsoft regarding a cyber-attack on their organization by Russian state-sponsored hacking group, Midnight Blizzard, our SOC Team wanted to raise awareness concerning Threat Actor behavior related to Entra ID (formerly Azure ID) app registrations/app consent per what we have been seeing in the news and in the wild.

You can read Microsoft’s report detailing this behavior that was observed during their own recent compromise by this threat actor group: https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

This post explains that the threat actor group “Midnight Blizzard” gained access to an account through a password spray and then leveraged existing OAuth applications and created additional applications to escalate privileges and compromise additional accounts.

Our DFIR team has also seen similar behavior recently during BEC investigations, where compromised account gave consent to a specific third-party application called “PerfectData Software” likely in an attempt to exfil mailbox data.

See the following link for additional information on this specific behavior: How Abuse of ‘PerfectData Software’ May Create a Perfect Storm: An Emerging Trend in Account Takeovers | Darktrace Blog

The following will detail the actions we are detecting on our end to better detect this type of post-compromise behavior related to app consent grants/permissions/registrations and how we recommend you can mitigate this type of attack in your environment.

SecurIT360 SOC Managed Services

Last week, our managed SOC services rolled out a new alert that will detect the creation of a service principal that looks for “PerfectData Software” specifically. A service principal in Entra ID (Formerly Azure AD) is an identify created to manage access for applications, hosted services, and/or automated tools.

We also plan to create an additional rule or rules to provide auditing for application management within our Monthly MDR reports. 

Additionally, as always, we will continue to provide monitoring and alerting concerning initial access by looking for possible password sprays, MFA bombing, suspicious logins, etc. to attempt to prevent this sort of behavior before it happens. However, as we believe in a defense in depth approach, we will continue to expand and refine our post-access detection capabilities through the rules mentioned above. 

Please feel free to contact the SOC via email at soc@securit360.com if you have any questions or concerns.  

Mitigation Recommendations

By default, users are allowed to register applications and give consent to third party applications. This means that if a Threat Actor compromises a standard user account they can give consent to apps or register apps, without having any admin permissions or an admin being notified.

However, you can restrict this behavior by editing default role permissions and require admin consent to be given before a user gives access to an application.  We strongly recommend you adjust this default permission and review all active registrations ASAP.

How to Change Default Permissions

  1. In order to restrict default user role permissions, within the Azure portal you can go to Microsoft Entra ID -> Users -> User settings and change the slider for “Users can register applications” to “No”:

See the following Microsoft KB article to learn more about default user permissions: Default user permissions – Microsoft Entra | Microsoft Learn

  1. To turn off or edit a user’s ability to grant consent to third part applications you can go to the Microsoft Entra admin center -> Identity- > Applications -> Enterprise applications -> Consent and permissions -> User consent settings.

  2. You can also configure a workflow that would allow admins to consent on behalf of users: Configure the admin consent workflow – Microsoft Entra ID | Microsoft Learn

Review Existing App Registrations

Once the permissions have been changed, perform a review of all current App Registrations within your Azure/Entra ID environment and consider disabling all of them that are not approved.

Additionally, as we saw in the Microsoft case, regular auditing of app registrations and permissions in addition to similar auditing for user accounts is always recommended and an important part of lowering the potential impact of an account compromise.

Please let us know if you have additional questions or concerns. We are always happy to help you adjust in response to new or emerging threats.

Ready to make cybersecurity your strength, not your weakness? Contact us today and let’s build a safer, more secure digital future for your business.

Categories
Cybersecurity Advisories

CVE-2023-20198: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

October 22nd, 2023 Update: Cisco has released fixes for CVE-2023-20198. Customers are advised to upgrade to an appropriate fixed software release.

Cisco is warning of a critical severity zero-day vulnerability affecting Cisco IOS XE that allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. Tracked as CVE-2023-20198 (CVSSv3 score: 10.0 – Critical), the actively exploited flaw impacts the software’s Web UI feature and affects both physical and virtual devices running IOS XE when they are exposed to the internet and have the HTTP or HTTPS Server feature enabled. At the time of writing, there is no patch available, however Cisco will provide updates on the status and when a software patch is available. Customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems and check for malicious activity in the form of newly created users on its devices.

The issue was discovered after Cisco detected malicious activity on a customer’s device in September 2023, where an authorized user created a local user account under the username “cisco_tac_admin” from a suspicious IP address. This activity ended on October 1, 2023. Another set of related activities occurred on October 12, 2023, where an unauthorized user created a local user account under the name “cisco_support” from a different IP address. This is claimed to have been followed by a series of actions that ended in the deployment of a Lua-based implant that allows the actor to execute arbitrary commands at the system level or IOS level. These clusters of activity were assessed to likely be carried out by the same threat actor.

The installation of the implant is carried out by exploiting an older vulnerability, CVE-2021-1435, which is a patched command injection flaw that impacted the web UI of Cisco IOS XE Software. The vulnerability would allow an authenticated attacker to inject arbitrary code that would be executed as the root user. It was observed that even on devices that were fully patched against CVE-2021-1435, threat actors were still able to deploy their implant. At the time of writing, it is not known how they were able to do so.

No proof-of-concept code was found to be publicly available for CVE-2023-20198. Based on research using the Shodan search engine, there are nearly 40,000 Cisco devices that have web UI exposed to the internet.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated frequently on a daily basis.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Affected Products

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

Recommendations

According to Cisco, customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

The following decision tree can be used to help determine how to triage an environment and deploy protections:

  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is ip http server or ip http secure-server configured?
      • No. The vulnerability is not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.

Cisco Advisory

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Cisco IOS XE Implant Scanner

VulnCheck has released a scanner to detect the implant on affected devices. See: cisco-ios-xe-implant-scanner

Indicators of Compromise

5.149.249[.]74

154.53.56[.]231

Resources & Related Articles

Categories
Cybersecurity Advisories

Microsoft’s October 2023 Patch Tuesday Addresses 3 Zero-Days and Over 100 Flaws

Microsoft released security updates for 103 vulnerabilities, including forty-five RCE bugs and three actively exploited zero-day flaws. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. Notable vulnerabilities are listed below. For the full list, see Microsoft CVE Summary.

CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability

Microsoft released fixes for an actively exploited information disclosure vulnerability in Microsoft WordPad that can be used to steal NTLM hashes when opening a document. Tracked as CVE-2023-36563 (CVSSv3 score: 6.5 – Medium), an unauthenticated, remote attacker could exploit this vulnerability using social engineering in order to convince a victim to open a link or download a malicious file and run it on the vulnerable system. As an alternative, an attacker could execute a specially crafted application to exploit the flaw after gaining access to a vulnerable system. Successful exploitation could lead to the disclosure of NTLM hashes. Admins should consider blocking outbound NTLM over SMB on Windows 11 to significantly hinder NTLM-relay exploits.

Microsoft announced last month that Word Pad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has yet been given. Microsoft recommends Word as a replacement for WordPad.

  • For more information, see: Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Elevation of Privilege flaw in Skype for Business that can be used by sending a specially crafted network call to a vulnerable Skype for Business server. Tracked as CVE-2023-41763 (CVSSv3 score: 5.3 – Medium), successful exploitation would result in the disclosure of IP addresses and/or port numbers, which could be used to gain access to internal networks.

CVE-2023-44487 – HTTP/2 Rapid Reset Attack

Microsoft released mitigations for a new zero-day DDoS technique called HTTP/2 Rapid Reset Attack. Tracked as CVE-2023-44487, (CVSSv3 score: 5.3 – Medium), attackers can make hundreds of thousands of requests and immediately cancel them with a reset stream. This avoids limits on the number of streams accepted and can lead to CPU exhaustion on the server attempting to clean up the canceled streams. By using the “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and can make anything that uses HTTP/2 go offline.

According to Google, the protocol does not require the client and server to coordinate the cancelation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. As the feature is built into the HTTP/2 standard, there is no fix for the technique that can be implemented other than rate limiting or blocking the protocol. While the DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data.

Mitigations

All providers who have HTTP/2 services should assess their exposure to this issue. Software patches and updates for common web servers and programming languages may be available to apply now or in the near future. Microsoft’s mitigation steps in the advisory are to disable the HTTP/2 protocol on your web server. Additional information and protections are detailed in a dedicated article on HTTP/2 Rapid Reset.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to these CVE’s. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

 Resources & Related Articles

Categories
Cybersecurity Advisories

Storm-0324: New Phishing Campaign Targets Corporations via Teams Messages

Microsoft is warning of a new phishing campaign that involves using Teams messages as lures to infiltrate corporate networks. The threat group behind this campaign, tracked as Storm-0324 (aka TA543 and Sagrid), is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors, which frequently lead to ransomware deployment. They are known to have deployed Sage and GandCrab ransomware in the past. Additionally, Storm-0324 has also provided the well-known FIN7 (aka Sangria Tempest) cybercrime gang access to corporate networks after compromising them using JSSLoader, Gozi, and Nymaim.

Storm-0324’s methods have changed over the years. As of July 2023, the phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint. To accomplish this activity, the group leverages an open-source tool called TeamsPhisher, which is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. The phishing lures used by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization. This issue was also previously exploited by APT29 in attacks against dozens of organizations, including government agencies worldwide. Details regarding the end goal of Storm-0324’s attacks have not been provided at this time, however, APT29’s attacks are aimed to steal the targets’ credentials after tricking them into approving MFA prompts.

Microsoft says they are taking these phishing campaigns seriously and have rolled out several improvements to better defend against these threats. They have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. Microsoft has rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. In addition to this, they’ve implemented new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this threat actor. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to this campaign, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns. 

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Recommendations

As per Microsoft, to harden networks against Storm-0324 attacks, defenders are advised to implement the following:

  • Pilot and start deploying phishing-resistant authentication methods for users.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
  • Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
  • Understand and select the best access settings for external collaboration for your organization.
  • Allow only known devices that adhere to Microsoft’s recommended security baselines.
  • Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
    • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
  • Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • For additional recommendations on hardening your organization against ransomware attacks, refer to threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

Resources & Related Articles

Categories
Cybersecurity Advisories

Flax Typhoon APT Group Using LOLBins for Cyber Espionage

A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the scope of attacks aren’t fully known. Microsoft states that the distinctive pattern of malicious activity could be easily reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.

Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network, instead, they prefer using mostly components already available on the operating system, LOLBins, and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools that exploit known vulnerabilities to obtain higher permissions.

Flax Typhoon establishes persistence by turning off network-level authentication through registry modifications and exploiting the Windows Sticky Keys accessibility feature to set up an RDP connection. To avoid RDP connectivity restrictions of RDP to internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and their external server. The attackers download the open-source SoftEther VPN client using LOLBins like PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup. To avoid being detected, the hackers rename it to legitimate Windows components such as ‘conhost.exe’ or ‘dllhost.exe.’ Additionally, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to conceal VPN traffic as standard HTTPS traffic.

Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry. The stolen credentials were not observed to extract additional data, making the adversary’s main objective currently unclear.

Flax Typhoon Attack Chain

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated frequently on a daily basis.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Mitigation & Protection

  • Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
  • Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.

Recommendations

  • Microsoft recommends organizations to apply the latest security updates to internet-exposed endpoints and public-facing servers, and MFA should be enabled on all accounts.
  • Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.

MITRE Summary

T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)


IOCS

 

 

 

 

 

 

Resources & Related Articles

Categories
Cybersecurity Advisories

CVE-2023-3519: Critical Citrix ADC and Gateway Flaw Exploited in the Wild

Citrix is alerting customers of a critical unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway. This vulnerability is being exploited in the wild and affected customers are strongly urged to install updated versions as soon as possible.

Tracked as CVE-2023-3519 (CVSSv3 score: 9.8 – Critical), the vulnerability allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw only affects customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are unaffected.

There are approximately 38,000 Citrix Gateway appliances exposed to the public internet. CVE-2023-3519 is one of three vulnerabilities patched that pose significant risks to customers. The others are CVE-2023-3466 (CVSSv3 score: 8.3 – High) and CVE-2023-3467 (CVSSv3 score: 8.0 – High). CVE-2023-3466 is an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack. CVE-2023-3467 is an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).

At the time of writing, technical details about all three vulnerabilities are not publicly available.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.  

Vulnerable Products

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet. 

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.65.36

Recommendation

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet. 

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security Bulletin

Resources & Related Articles