
Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)

Description of the vulnerability per NIST:

“Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting, and modifying the data interaction with this library.”

This vulnerability was deliberately introduced through a supply chain attack. Starting in 2021, a suspected threat actor began submitting patches to open-source projects on GitHub, eventually focusing on the XZ Utils repository and becoming a co-developer. A fuller timeline of events can be found here. The backdoor was fully introduced in versions 5.6.0 and 5.6.1 of XZ Utils in February. Most production Linux distributions have not adopted these versions, but please check the following section to confirm that no affected versions are present in your environment.

Affected & Fixed Versions

Recommendations and Mitigations

SecurIT360 Managed SOC Clients:

  • For all active managed SOC EDR clients, we have checked our inventory across products and have already reached out if you have an affected Linux distribution.
  • For all active managed SOC MDR clients, we have also run an external Nessus vulnerability scan looking for affected versions and have again already reached out to any and all affected clients.

Otherwise, if you have any Linux endpoint that we do not monitor and that you are concerned may be affected by this vulnerability, you can run “xz --version” on that endpoint to confirm the installed version of XZ Utils and liblzma.

If any of your endpoints presently use XZ Utils 5.6.0 or 5.6.1, we recommend either updating or downgrading packages per the table above. For Fedora 40-41 and Rawhide specifically, Red Hat’s recommendation is to power down or stop using Rawhide for the time being, and to move to 5.4.x packages on Fedora 40-41. See Red Hat’s blog post on the subject for more information.
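The version check above, as an added example that is not part of the advisory: it parses the output of “xz --version” (which reports the xz tool on its first line and liblzma on its second) and flags the two backdoored upstream releases. The function names are our own; a version match identifies the release, and your distribution’s advisory remains the authority on which package builds are affected.

```python
"""Added example (not from the advisory): check whether the xz / liblzma on a
Linux host is one of the backdoored upstream releases named in CVE-2024-3094.

Assumption: `xz --version` prints the tool version on its first line and the
liblzma version on its second, e.g. "xz (XZ Utils) 5.6.1" / "liblzma 5.6.1".
"""
import re
import shutil
import subprocess

# Upstream releases that shipped the malicious build machinery (per the advisory).
BACKDOORED_VERSIONS = {"5.6.0", "5.6.1"}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)")


def parse_xz_versions(output: str) -> dict:
    """Map each component named in `xz --version` output to its version string.

    Constructed input "xz (XZ Utils) 5.6.1\nliblzma 5.6.1" yields
    {"xz": "5.6.1", "liblzma": "5.6.1"}.
    """
    versions = {}
    for line in output.splitlines():
        match = _VERSION_RE.search(line)
        if not match:
            continue
        component = line.split()[0]          # "xz" or "liblzma"
        versions[component] = match.group(1)
    return versions


def affected_components(versions: dict) -> list:
    """Return the components whose version is a backdoored release.

    Only the exact 5.6.0 / 5.6.1 versions are flagged; a build that reports
    e.g. 5.4.6 (the downgrade target in the advisory) is not affected.
    """
    return sorted(c for c, v in versions.items() if v in BACKDOORED_VERSIONS)


def check_local_xz() -> dict:
    """Run the real `xz --version` on this host and report a verdict."""
    if shutil.which("xz") is None:
        return {"installed": False, "versions": {}, "affected": []}
    proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    versions = parse_xz_versions(proc.stdout)
    return {"installed": True, "versions": versions,
            "affected": affected_components(versions)}


if __name__ == "__main__":
    result = check_local_xz()
    if not result["installed"]:
        print("xz is not installed on this host")
    elif result["affected"]:
        print("AFFECTED (CVE-2024-3094):", result["versions"])
    else:
        print("OK:", result["versions"])
```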


Russia-linked Midnight Blizzard Cyberattack: Awareness and Guidance

Given the recent report from Microsoft regarding a cyber-attack on their organization by the Russian state-sponsored hacking group Midnight Blizzard, our SOC team wants to raise awareness of threat actor behavior related to Entra ID (formerly Azure AD) app registrations and app consent, based on what we have been seeing in the news and in the wild.

You can read Microsoft’s report detailing this behavior that was observed during their own recent compromise by this threat actor group: https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

This post explains that the threat actor group “Midnight Blizzard” gained access to an account through a password spray and then leveraged existing OAuth applications and created additional applications to escalate privileges and compromise additional accounts.

Our DFIR team has also seen similar behavior recently during BEC investigations, where a compromised account gave consent to a specific third-party application called “PerfectData Software”, likely in an attempt to exfiltrate mailbox data.

See the following link for additional information on this specific behavior: How Abuse of ‘PerfectData Software’ May Create a Perfect Storm: An Emerging Trend in Account Takeovers | Darktrace Blog

The following details what we are doing on our end to better detect this type of post-compromise behavior related to app consent grants, permissions, and registrations, and how we recommend you mitigate this type of attack in your environment.

SecurIT360 SOC Managed Services

Last week, our managed SOC services rolled out a new alert that detects the creation of a service principal and looks for “PerfectData Software” specifically. A service principal in Entra ID (formerly Azure AD) is an identity created to manage access for applications, hosted services, and/or automated tools.

We also plan to create an additional rule or rules to provide auditing for application management within our Monthly MDR reports. 

Additionally, as always, we will continue to provide monitoring and alerting concerning initial access by looking for possible password sprays, MFA bombing, suspicious logins, etc. to attempt to prevent this sort of behavior before it happens. However, as we believe in a defense in depth approach, we will continue to expand and refine our post-access detection capabilities through the rules mentioned above. 

Please feel free to contact the SOC via email at soc@securit360.com if you have any questions or concerns.  

Mitigation Recommendations

By default, users are allowed to register applications and give consent to third-party applications. This means that if a threat actor compromises a standard user account, they can give consent to apps or register apps without any admin permissions and without an admin being notified.

However, you can restrict this behavior by editing the default role permissions and requiring admin consent before a user grants an application access. We strongly recommend you adjust this default permission and review all active registrations as soon as possible.

How to Change Default Permissions

  1. To restrict default user role permissions, go to Microsoft Entra ID -> Users -> User settings in the Azure portal and change the slider for “Users can register applications” to “No”.

See the following Microsoft KB article to learn more about default user permissions: Default user permissions – Microsoft Entra | Microsoft Learn

  2. To turn off or edit a user’s ability to grant consent to third-party applications, go to the Microsoft Entra admin center -> Identity -> Applications -> Enterprise applications -> Consent and permissions -> User consent settings.

  3. You can also configure a workflow that allows admins to consent on behalf of users: Configure the admin consent workflow – Microsoft Entra ID | Microsoft Learn

Review Existing App Registrations

Once the permissions have been changed, perform a review of all current app registrations within your Azure/Entra ID environment and consider disabling any that are not approved.

Additionally, as the Microsoft case shows, regular auditing of app registrations and permissions, alongside similar auditing of user accounts, is always recommended and is an important part of limiting the impact of an account compromise.
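Two defender-side checks for this section, as an added example (not SecurIT360’s detection rule or Microsoft’s code): the first flags audit records where a service principal was added or consent was granted, keyed on “PerfectData Software” as the alert above is; the second checks the tenant’s default user role permissions for the two defaults the mitigation steps above change. Both run over constructed sample data shaped like Microsoft Graph’s directoryAudit and authorizationPolicy objects; the field names follow the Graph schema, and every sample value is made up.

```python
"""Added example (not SecurIT360's detection rule or Microsoft's code): two
defender-side checks for the app-consent abuse described above, run over
constructed sample data shaped like Microsoft Graph's directoryAudit and
authorizationPolicy objects. Field names follow the Graph schema; every value
in the samples is made up.
"""

# Audit activities that show an app being registered or granted access.
APP_ACTIVITIES = {
    "Add service principal",
    "Add application",
    "Consent to application",
    "Add delegated permission grant",
}
# App display names the SOC alert above keys on; extend with your own watchlist.
WATCHLIST = {"perfectdata software"}

# Constructed directoryAudit records (abridged to the fields used here).
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-01-29T14:02:11Z", "activityDisplayName": "Add service principal",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "PerfectData Software"}]},
    {"activityDateTime": "2024-01-29T14:05:40Z", "activityDisplayName": "Consent to application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "Contoso Expense App"}]},
    {"activityDateTime": "2024-01-29T14:07:00Z", "activityDisplayName": "Update user",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "carol@example.com"}},
     "targetResources": [{"type": "User", "displayName": "Carol"}]},
    {"activityDateTime": "2024-01-29T14:09:30Z", "activityDisplayName": "Add service principal",
     "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "dave@example.com"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "PerfectData Software"}]},
]

# Constructed authorizationPolicy showing the tenant defaults the advisory warns about.
SAMPLE_POLICY = {
    "id": "authorizationPolicy",
    "defaultUserRolePermissions": {
        "allowedToCreateApps": True,
        "permissionGrantPoliciesAssigned": [
            "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"
        ],
    },
}


def flag_app_consent_events(events, watchlist=WATCHLIST):
    """Return one alert per successful app registration/consent event.

    A target app on the watchlist is 'high'; any other user-driven consent is
    reported as 'info' so it can be reviewed, since the tenant defaults let
    ordinary users grant it without an admin seeing it.
    """
    alerts = []
    for ev in events:
        if ev.get("activityDisplayName") not in APP_ACTIVITIES or ev.get("result") != "success":
            continue
        user = (ev.get("initiatedBy") or {}).get("user") or {}
        actor = user.get("userPrincipalName", "<app or system>")
        targets = [t.get("displayName", "") for t in ev.get("targetResources", [])]
        hits = [t for t in targets if t.lower() in watchlist]
        alerts.append({
            "severity": "high" if hits else "info",
            "time": ev.get("activityDateTime"),
            "actor": actor,
            "activity": ev["activityDisplayName"],
            "apps": hits or targets,
        })
    return alerts


def default_permission_findings(policy):
    """Check authorizationPolicy.defaultUserRolePermissions for the two
    defaults the advisory recommends changing."""
    perms = policy.get("defaultUserRolePermissions", {})
    findings = []
    if perms.get("allowedToCreateApps", True):
        findings.append("users can register applications (set allowedToCreateApps to false)")
    # An empty permissionGrantPoliciesAssigned list disables user consent entirely;
    # the '...microsoft-user-default-legacy' policy lets users consent to any app.
    assigned = perms.get("permissionGrantPoliciesAssigned", [])
    if any(p.endswith("microsoft-user-default-legacy") for p in assigned):
        findings.append("users can consent to any third-party app (require admin consent)")
    return findings


if __name__ == "__main__":
    for alert in flag_app_consent_events(SAMPLE_EVENTS):
        print(alert)
    for finding in default_permission_findings(SAMPLE_POLICY):
        print("finding:", finding)
```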

Please let us know if you have additional questions or concerns. We are always happy to help you adjust in response to new or emerging threats.


CVE-2023-20198: Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

October 22nd, 2023 Update: Cisco has released fixes for CVE-2023-20198. Customers are advised to upgrade to an appropriate fixed software release.

Cisco is warning of a critical severity zero-day vulnerability affecting Cisco IOS XE that allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then use that account to gain control of the affected system. Tracked as CVE-2023-20198 (CVSSv3 score: 10.0 – Critical), the actively exploited flaw impacts the software’s Web UI feature and affects both physical and virtual devices running IOS XE when they are exposed to the internet and have the HTTP or HTTPS Server feature enabled. At the time of writing, there is no patch available; however, Cisco will provide updates on the status and on when a software patch is available. Customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems and to check for malicious activity in the form of newly created users on their devices.

The issue was discovered after Cisco detected malicious activity on a customer’s device in September 2023, where an authorized user created a local user account under the username “cisco_tac_admin” from a suspicious IP address. This activity ended on October 1, 2023. Another set of related activities occurred on October 12, 2023, where an unauthorized user created a local user account under the name “cisco_support” from a different IP address. This is claimed to have been followed by a series of actions that ended in the deployment of a Lua-based implant that allows the actor to execute arbitrary commands at the system level or IOS level. These clusters of activity were assessed to likely be carried out by the same threat actor.

The installation of the implant is carried out by exploiting an older vulnerability, CVE-2021-1435, which is a patched command injection flaw that impacted the web UI of Cisco IOS XE Software. The vulnerability would allow an authenticated attacker to inject arbitrary code that would be executed as the root user. It was observed that even on devices that were fully patched against CVE-2021-1435, threat actors were still able to deploy their implant. At the time of writing, it is not known how they were able to do so.

No proof-of-concept code was found to be publicly available for CVE-2023-20198. Based on research using the Shodan search engine, there are nearly 40,000 Cisco devices that have web UI exposed to the internet.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated frequently on a daily basis.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Affected Products

This vulnerability affects Cisco IOS XE Software if the web UI feature is enabled. The web UI feature is enabled through the ip http server or ip http secure-server commands.

Recommendations

According to Cisco, customers are strongly recommended to disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the no ip http server or no ip http secure-server command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature.

The following decision tree can be used to help determine how to triage an environment and deploy protections:

  • Are you running IOS XE?
    • No. The system is not vulnerable. No further action is necessary.
    • Yes. Is ip http server or ip http secure-server configured?
      • No. The vulnerability is not exploitable. No further action is necessary.
      • Yes. Do you run services that require HTTP/HTTPS communication (for example, eWLC)?
        • No. Disable the HTTP Server feature.
        • Yes. If possible, restrict access to those services to trusted networks.
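The decision tree above, worked through in code as an added example (not Cisco’s tooling): it reads an IOS XE running-config, decides whether the web UI is enabled and what the tree recommends, and lists local privilege-15 accounts so that the names from Cisco’s report (“cisco_tac_admin”, “cisco_support”) or any other unexpected level-15 account stand out. The sample config is constructed, and the code assumes the web UI listeners appear explicitly in “show running-config”.

```python
"""Added example (not Cisco's tooling): apply the triage decision tree above to
an IOS XE running-config, and list local privilege-15 accounts so that the
names from Cisco's report ("cisco_tac_admin", "cisco_support") or any other
unexpected level-15 account stand out. The sample config is constructed; it
assumes the web UI listeners appear explicitly in `show running-config`.
"""
import re

KNOWN_MALICIOUS_USERS = {"cisco_tac_admin", "cisco_support"}
_USER_RE = re.compile(r"^\s*username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)

# Constructed running-config excerpt; the secrets are placeholders, not real hashes.
SAMPLE_CONFIG = """\
hostname edge-rtr1
username admin privilege 15 secret 9 <placeholder>
username cisco_tac_admin privilege 15 secret 9 <placeholder>
username netops privilege 1 secret 9 <placeholder>
ip http server
ip http secure-server
!
"""


def http_server_state(config):
    """Return the set of enabled web UI listeners ('http', 'https').

    `ip http server` / `ip http secure-server` enable them; the `no ...` forms
    (the commands Cisco recommends) disable them. Later lines win.
    """
    enabled = set()
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if line == "ip http server":
            enabled.add("http")
        elif line == "ip http secure-server":
            enabled.add("https")
        elif line == "no ip http server":
            enabled.discard("http")
        elif line == "no ip http secure-server":
            enabled.discard("https")
    return enabled


def privilege15_users(config):
    """Local accounts configured with privilege level 15."""
    return sorted(user for user, level in _USER_RE.findall(config) if level == "15")


def triage(config, is_ios_xe=True, needs_web_services=False, expected_admins=()):
    """Walk the decision tree; return the verdict, the recommended actions, and
    any level-15 accounts that are known-malicious or not in expected_admins."""
    expected = {u.lower() for u in expected_admins}
    result = {
        "verdict": "",
        "actions": [],
        "suspicious_users": [
            u for u in privilege15_users(config)
            if u.lower() in KNOWN_MALICIOUS_USERS or u.lower() not in expected
        ],
    }
    if not is_ios_xe:
        result["verdict"] = "not vulnerable"
        return result
    listeners = http_server_state(config)
    if not listeners:
        result["verdict"] = "not exploitable"
    elif needs_web_services:
        result["verdict"] = "exploitable"
        result["actions"].append("restrict web UI access to trusted networks")
    else:
        result["verdict"] = "exploitable"
        if "http" in listeners:
            result["actions"].append("no ip http server")
        if "https" in listeners:
            result["actions"].append("no ip http secure-server")
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, expected_admins={"admin"}))
```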

Cisco Advisory

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability

Cisco IOS XE Implant Scanner

VulnCheck has released a scanner to detect the implant on affected devices. See: cisco-ios-xe-implant-scanner

Indicators of Compromise

5.149.249[.]74

154.53.56[.]231


Microsoft’s October 2023 Patch Tuesday Addresses 3 Zero-Days and Over 100 Flaws

Microsoft released security updates for 103 vulnerabilities, including forty-five RCE bugs and three actively exploited zero-day flaws. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. Notable vulnerabilities are listed below. For the full list, see Microsoft CVE Summary.

CVE-2023-36563 – Microsoft WordPad Information Disclosure Vulnerability

Microsoft released fixes for an actively exploited information disclosure vulnerability in Microsoft WordPad that can be used to steal NTLM hashes when opening a document. Tracked as CVE-2023-36563 (CVSSv3 score: 6.5 – Medium), an unauthenticated, remote attacker could exploit this vulnerability using social engineering in order to convince a victim to open a link or download a malicious file and run it on the vulnerable system. As an alternative, an attacker could execute a specially crafted application to exploit the flaw after gaining access to a vulnerable system. Successful exploitation could lead to the disclosure of NTLM hashes. Admins should consider blocking outbound NTLM over SMB on Windows 11 to significantly hinder NTLM-relay exploits.

Microsoft announced last month that WordPad is no longer being updated and will be removed in a future version of Windows, although no specific timeline has yet been given. Microsoft recommends Word as a replacement for WordPad.

  • For more information, see: Microsoft WordPad Information Disclosure Vulnerability

CVE-2023-41763 – Skype for Business Elevation of Privilege Vulnerability

Microsoft has fixed an actively exploited Elevation of Privilege flaw in Skype for Business that can be used by sending a specially crafted network call to a vulnerable Skype for Business server. Tracked as CVE-2023-41763 (CVSSv3 score: 5.3 – Medium), successful exploitation would result in the disclosure of IP addresses and/or port numbers, which could be used to gain access to internal networks.

CVE-2023-44487 – HTTP/2 Rapid Reset Attack

Microsoft released mitigations for a new zero-day DDoS technique called HTTP/2 Rapid Reset Attack. Tracked as CVE-2023-44487 (CVSSv3 score: 5.3 – Medium), the technique lets attackers make hundreds of thousands of requests and immediately cancel them with a stream reset. This bypasses limits on the number of concurrent streams a server accepts and can lead to CPU exhaustion on the server as it cleans up the canceled streams. By using the “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and can take anything that uses HTTP/2 offline.

According to Google, the protocol does not require the client and server to coordinate the cancellation in any way; the client may do it unilaterally. The client may also assume that the cancellation takes effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Because the feature is built into the HTTP/2 standard, there is no fix for the technique beyond rate limiting or blocking the protocol. While the DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data.

Mitigations

All providers who have HTTP/2 services should assess their exposure to this issue. Software patches and updates for common web servers and programming languages may be available to apply now or in the near future. Microsoft’s mitigation steps in the advisory are to disable the HTTP/2 protocol on your web server. Additional information and protections are detailed in a dedicated article on HTTP/2 Rapid Reset.
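The rate limiting that the mitigation guidance above amounts to, as an added example (not Microsoft’s or Google’s code): a per-connection guard counts client RST_STREAM frames in a sliding window and tells the server to send GOAWAY once a connection cancels streams faster than any legitimate client would, which is the pattern in the “request, cancel” description above. The frame sequences are constructed and the thresholds are assumptions to tune for your own traffic.

```python
"""Added example (not Microsoft's or Google's code): the per-connection rate
limit that the mitigation guidance above amounts to. A guard counts client
RST_STREAM frames in a sliding window and tells the server to send GOAWAY once
a connection cancels streams faster than any legitimate client would. The
frame sequences are constructed; the thresholds are assumptions to tune.
"""
from collections import deque


class RapidResetGuard:
    """Tracks one HTTP/2 connection. Decisions: 'ACCEPT' (process the frame)
    or 'GOAWAY' (close the connection; every later frame also gets 'GOAWAY')."""

    def __init__(self, max_resets=100, window_s=10.0):
        self.max_resets = max_resets
        self.window_s = window_s
        self.reset_times = deque()   # timestamps of client RST_STREAM frames
        self.open_streams = set()
        self.closed = False

    def on_frame(self, frame_type, stream_id, ts):
        if self.closed:
            return "GOAWAY"
        if frame_type == "HEADERS":
            self.open_streams.add(stream_id)
            return "ACCEPT"
        if frame_type == "RST_STREAM":
            # Every client cancel counts, whether or not the stream was still
            # open: the server pays the cleanup cost either way, which is what
            # the attack exploits while staying under the concurrent-stream limit.
            self.open_streams.discard(stream_id)
            self.reset_times.append(ts)
            while self.reset_times and self.reset_times[0] < ts - self.window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.max_resets:
                self.closed = True
                return "GOAWAY"
        return "ACCEPT"


def run_connection(frames, **guard_kwargs):
    """Feed (frame_type, stream_id, ts) tuples to a fresh guard; return the decisions."""
    guard = RapidResetGuard(**guard_kwargs)
    return [guard.on_frame(*frame) for frame in frames]


def attack_frames(n_pairs):
    """Constructed 'request, cancel, request, cancel' pattern: n_pairs streams
    opened and immediately reset, 1 ms apart, on odd (client) stream ids."""
    frames = []
    for i in range(n_pairs):
        sid = 2 * i + 1
        frames.append(("HEADERS", sid, i * 0.001))
        frames.append(("RST_STREAM", sid, i * 0.001 + 0.0001))
    return frames


def normal_frames(n_requests, n_cancels):
    """Constructed browser-like client: requests 100 ms apart, then a few
    cancels (e.g. the user navigated away) on the earliest streams."""
    frames = [("HEADERS", 2 * i + 1, i * 0.1) for i in range(n_requests)]
    frames += [("RST_STREAM", 2 * j + 1, n_requests * 0.1 + j * 0.1) for j in range(n_cancels)]
    return frames


if __name__ == "__main__":
    decisions = run_connection(attack_frames(200))
    print("attack: GOAWAY after frame index", decisions.index("GOAWAY"))
    print("normal: GOAWAY sent?", "GOAWAY" in run_connection(normal_frames(50, 2)))
```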

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to these CVE’s. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.


Storm-0324: New Phishing Campaign Targets Corporations via Teams Messages

Microsoft is warning of a new phishing campaign that involves using Teams messages as lures to infiltrate corporate networks. The threat group behind this campaign, tracked as Storm-0324 (aka TA543 and Sagrid), is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors, which frequently lead to ransomware deployment. They are known to have deployed Sage and GandCrab ransomware in the past. Additionally, Storm-0324 has also provided the well-known FIN7 (aka Sangria Tempest) cybercrime gang access to corporate networks after compromising them using JSSLoader, Gozi, and Nymaim.

Storm-0324’s methods have changed over the years. As of July 2023, the phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint. To accomplish this, the group leverages an open-source tool called TeamsPhisher, a Python program that enables Teams tenant users to attach files to messages sent to external tenants, which attackers can abuse to deliver phishing attachments. The senders of these phishing lures are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization. This issue was also previously exploited by APT29 in attacks against dozens of organizations, including government agencies worldwide. Details regarding the end goal of Storm-0324’s attacks have not been provided at this time; however, APT29’s attacks aimed to steal the targets’ credentials after tricking them into approving MFA prompts.

Microsoft says they are taking these phishing campaigns seriously and have rolled out several improvements to better defend against these threats. They have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. Microsoft has rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. In addition to this, they’ve implemented new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this threat actor. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to this campaign, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns. 

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Recommendations

As per Microsoft, to harden networks against Storm-0324 attacks, defenders are advised to implement the following:

  • Pilot and start deploying phishing-resistant authentication methods for users.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
  • Keep Microsoft 365 auditing enabled so that audit records can be investigated if required.
  • Understand and select the best access settings for external collaboration for your organization.
  • Allow only known devices that adhere to Microsoft’s recommended security baselines.
  • Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
    • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
  • Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • For additional recommendations on hardening your organization against ransomware attacks, refer to threat overview on human-operated ransomware.

Microsoft customers can also turn on attack surface reduction rules to prevent common attack techniques.


Flax Typhoon APT Group Using LOLBins for Cyber Espionage

A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations, likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the scope of the attacks isn’t fully known. Microsoft states that the distinctive pattern of malicious activity could easily be reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.

Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network; instead, they prefer to use components already available on the operating system, LOLBins, and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools, which exploit known vulnerabilities to obtain higher permissions.

Flax Typhoon establishes persistence by turning off network-level authentication (NLA) through registry modifications and abusing the Windows Sticky Keys accessibility feature to set up an RDP connection. To get around restrictions on RDP connectivity to the internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and their external server. The attackers download the open-source SoftEther VPN client using LOLBins such as PowerShell’s Invoke-WebRequest, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup. To avoid detection, the hackers rename it to match legitimate Windows component names such as ‘conhost.exe’ or ‘dllhost.exe’. Additionally, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to conceal VPN traffic as standard HTTPS traffic.

Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry hive. The stolen credentials were not observed being used to extract additional data, so the adversary’s main objective is currently unclear.

Flax Typhoon Attack Chain

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity: 

MDR Services 

  • We utilize several threat feeds that are updated frequently on a daily basis.
  • In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services 

  • In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection. 

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable. 

Mitigation & Protection

  • Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
  • Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.

Recommendations

  • Microsoft recommends that organizations apply the latest security updates to internet-exposed endpoints and public-facing servers, and that MFA be enabled on all accounts.
  • Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.
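The registry monitoring recommended above, plus the renamed-binary pattern from the description of the attack chain, as an added example (not Microsoft’s or SecurIT360’s rule): it flags Sysmon registry writes that disable NLA for RDP or plant a Sticky Keys (sethc.exe) debugger, and process starts whose image borrows a Windows component name (conhost.exe, dllhost.exe) but runs from outside the system directories. The events are constructed; the field names follow Sysmon’s schema for Event ID 13 and Event ID 1.

```python
"""Added example (not Microsoft's or SecurIT360's rule): detection logic for
two of the persistence behaviours described above, applied to constructed
Sysmon-style events. Registry writes that disable NLA for RDP or plant a
Sticky Keys (sethc.exe) debugger are caught from Event ID 13 records; a
process whose image borrows a Windows component name but runs from outside
the system directories is caught from Event ID 1 records. Field names follow
Sysmon's schema; all sample values are made up.
"""
import ntpath

# Registry value paths (matched as case-insensitive suffixes) and what a write
# to them means in the context of the tradecraft described above.
WATCHED_VALUES = {
    r"\control\terminal server\winstations\rdp-tcp\userauthentication": "NLA disabled for RDP",
    r"\image file execution options\sethc.exe\debugger": "Sticky Keys debugger hijack",
}
SPOOFABLE_NAMES = {"conhost.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed Sysmon events (EventID 13 = RegistryEvent SetValue, 1 = ProcessCreate).
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
     "Details": r"C:\ProgramData\placeholder.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\conhost.exe", "User": r"CORP\svc-backup"},
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe", "User": r"NT AUTHORITY\SYSTEM"},
]


def check_registry_event(ev):
    """Return a finding for a watched registry write, or None."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "").lower()
    details = str(ev.get("Details", ""))
    for suffix, label in WATCHED_VALUES.items():
        if not target.endswith(suffix):
            continue
        # UserAuthentication=1 keeps NLA on, so only a write of 0 is a finding;
        # any Debugger value under sethc.exe is a finding.
        if suffix.endswith("userauthentication") and "0x00000000" not in details:
            return None
        return f"{label}: {ev.get('Image')} wrote {ev.get('TargetObject')} = {details}"
    return None


def check_process_event(ev):
    """Return a finding for a spoofed component name outside the system dirs, or None."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "").lower()
    if ntpath.basename(image) in SPOOFABLE_NAMES and not image.startswith(SYSTEM_DIRS):
        return f"Masquerading binary: {ev.get('Image')} started as {ev.get('User')}"
    return None


def scan(events):
    """Run both checks over a batch of events and return the findings in order."""
    findings = []
    for ev in events:
        finding = check_registry_event(ev) or check_process_event(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```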

MITRE Summary

T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)



CVE-2023-3519: Critical Citrix ADC and Gateway Flaw Exploited in the Wild

Citrix is alerting customers of a critical unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway. This vulnerability is being exploited in the wild and affected customers are strongly urged to install updated versions as soon as possible.

Tracked as CVE-2023-3519 (CVSSv3 score: 9.8 – Critical), the vulnerability allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw only affects customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are unaffected.

There are approximately 38,000 Citrix Gateway appliances exposed to the public internet. CVE-2023-3519 is one of three vulnerabilities patched that pose significant risks to customers. The others are CVE-2023-3466 (CVSSv3 score: 8.3 – High) and CVE-2023-3467 (CVSSv3 score: 8.0 – High). CVE-2023-3466 is an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack. CVE-2023-3467 is an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).

At the time of writing, technical details about all three vulnerabilities are not publicly available.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.  

Vulnerable Products

The following customer-managed NetScaler ADC and NetScaler Gateway builds are affected:

  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
  • NetScaler ADC 13.1-FIPS before 13.1-37.159
  • NetScaler ADC 12.1-FIPS before 12.1-65.36
  • NetScaler ADC 12.1-NDcPP before 12.1-65.36

Recommendation

Citrix has released the following fixed builds; customers are strongly urged to install them as soon as possible:

  • NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
  • NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
  • NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
  • NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
  • NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security Bulletin


AA23-187A: Truebot Malware Infects Networks in U.S. and Canada

CISA, the FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory regarding cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. These attacks exploit a critical remote code execution (RCE) vulnerability, tracked as CVE-2022-31199 (CVSSv3 score: 9.8 – Critical), in the Netwrix Auditor software to deliver Truebot. Threat actors are leveraging this flaw to gain initial access and move laterally within the compromised network.

Truebot is a botnet that is linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Previous malware variants of Truebot were primarily delivered by cyber threat actors via malicious phishing email attachments. However, recent versions allow them to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment. Based on the nature of observed Truebot operations, the main goal of the adversaries is to steal sensitive information from compromised systems for financial gain. 

The malware has also been used alongside other malware in attacks. In several incidents, shortly after Truebot was executed, the Cobalt Strike tool was deployed for persistence and data exfiltration purposes. In addition, some phishing campaigns consisted of the FlawedGrace RAT being deployed only minutes after the Truebot malware was executed. Researchers have also found Truebot attacks leveraging a custom data exfiltration tool called “Teleport” that was used to steal information. 

When an organization is infected with Truebot, it can quickly escalate to become a bigger infection, similarly to how ransomware spreads throughout a network. The change in delivery vector shows that attacks leveraging the malware are continuing to evolve. 

CVE-2022-31199 Delivery Method for Truebot

SecurIT360 SOC Managed Services     

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:    

MDR Services    

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.    

EDR Services    

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.     

Indicators are provided in the Indicators of Compromise section below for your reference.   

As always, if we detect activity related to these exploits, we will alert you when applicable.    

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.     

Mitigations 

  • All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet. 
  • CISA has posted guidelines and recommends that organizations mandate MFA for all staff and services.

MITRE Summary

Technique Title | ID | Use

Initial Access
Replication Through Removable Media | T1091 | Cyber threat actors use removable media drives to deploy Raspberry Robin malware.
Drive-by Compromise | T1189 | Cyber threat actors embed malicious links or attachments within web domains to gain initial access.
Exploit Public-Facing Application | T1190 | Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.
Phishing | T1566.002 | Truebot actors can send spear phishing links to gain initial access.

Execution
Command and Scripting Interpreter | T1059 | Cyber threat actors have been observed dropping Cobalt Strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.
Shared Modules | T1129 | Cyber threat actors can deploy malicious payloads through obfuscated shared modules.
User Execution: Malicious Link | T1204.001 | Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.

Persistence
Hijack Execution Flow: DLL Side-Loading | T1574.002 | Cyber threat actors use Raspberry Robin, among other toolsets, to side-load DLLs to maintain persistence.

Privilege Escalation
Boot or Logon Autostart Execution: Print Processors | T1547.012 | FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.

Defense Evasion
Obfuscated Files or Information | T1027 | Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP) to create a GUID.
Obfuscated Files or Information: Binary Padding | T1027.001 | Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.
Masquerading: Masquerade File Type | T1036.008 | Cyber threat actors hide Truebot malware as legitimate-appearing file formats.
Process Injection | T1055 | Truebot malware has the ability to load shellcode after establishing a C2 connection.
Indicator Removal: File Deletion | T1070.004 | Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. The Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.
Modify Registry | T1112 | FlawedGrace is able to modify registry programs that control the order in which documents are loaded to a print queue.
Reflective Code Loading | T1620 | Truebot malware has the capability to load shellcode and deploy various tools to stealthily navigate an infected network.

Credential Access
OS Credential Dumping: LSASS Memory | T1003.001 | Cyber threat actors use Cobalt Strike to gain valid credentials through LSASS memory dumping.

Discovery
System Network Configuration Discovery | T1016 | Truebot malware scans and enumerates the affected system’s domain names.
Process Discovery | T1057 | Truebot malware enumerates all running processes on the local host.
System Information Discovery | T1082 | Truebot malware scans and enumerates the OS version information and processor architecture. Truebot malware enumerates the affected system’s computer names.
System Time Discovery | T1124 | Truebot has the ability to discover system time metrics, which enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.
Software Discovery: Security Software Discovery | T1518.001 | Truebot has the ability to discover software security protocols, which aids in defense evasion.
Debugger Evasion | T1622 | Truebot malware scans the compromised environment for debugger tools and enumerates them in an effort to evade network defenses.

Lateral Movement
Exploitation of Remote Services | T1210 | Cyber threat actors exploit the CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.
Use Alternate Authentication Material: Pass the Hash | T1550.002 | Cyber threat actors use Cobalt Strike to authenticate to valid accounts.
Remote Service Session Hijacking | T1563.001 | Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods.
Remote Service Session Hijacking: RDP Hijacking | T1563.002 | Cyber threat actors use Cobalt Strike to hijack remote sessions using SSH and RDP hijacking methods.
Lateral Tool Transfer | T1570 | Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.

Collection
Data from Local System | T1005 | Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.
Screen Capture | T1113 | Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string. Truebot gathers and compiles the compromised system’s host and domain names.

Command and Control
Application Layer Protocol | T1071 | Cyber threat actors use the Teleport exfiltration tool to blend exfiltrated data with network traffic.
Non-Application Layer Protocol | T1095 | Cyber threat actors use Teleport and FlawedGrace to send data over a custom communication protocol.
Ingress Tool Transfer | T1105 | Cyber threat actors deploy various ingress tool transfer payloads to move laterally and establish C2 connections.
Encrypted Channel: Asymmetric Cryptography | T1573.002 | Cyber threat actors use Teleport to create an encrypted channel using AES.

Exfiltration
Scheduled Transfer | T1029 | Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Data Transfer Size Limits | T1030 | Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Exfiltration Over C2 Channel | T1048 | Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.

Indicators of Compromise 


CVE-2023-27997: Fortinet Patches Critical RCE Flaw in Fortigate SSL-VPN Devices

Fortinet has patched a critical security flaw, tracked as CVE-2023-27997, in its SSL VPN devices that could be used by a threat actor to achieve remote code execution without authentication. By sending a carefully crafted request to the SSL VPN, an attacker can exploit this vulnerability and execute arbitrary code on the compromised system even if MFA is enabled. The flaw affects every SSL VPN appliance, and the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Further details about the vulnerability have been withheld.

Fortinet devices are commonly targeted by threat actors because they are among the most popular firewall and VPN devices in the market. SSL-VPN flaws have historically been exploited just days after patches were released. According to a Shodan search, over 255,000 Fortigate firewalls can be reached from the Internet. Since the vulnerability affects all previous versions, the majority of those devices are likely exposed.

How to Patch a Vulnerable Fortinet Fortigate Product

Visit the Fortinet Support site frequently and apply newly released patches to keep your Fortigate VPN secure. To update your device:

  • Check the firmware version: Check the “System Information” section of your device’s dashboard to see the current firmware version.
  • Find the latest firmware: Go to the “Download” section after logging into the support site. In the product list, look for Fortigate VPN and select your Fortigate model. To view all available updates, click the “Firmware Images.” Look for and download the patch addressing CVE-2023-27997.
  • Apply the patch: On the Fortinet Fortigate VPN dashboard, navigate to System > Firmware > Update > Upload File, then select the downloaded patch file. After the update, make sure to test your VPN. Check that all functions are operational and the device is stable.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

  • As always, if we detect activity related to these exploits, we will alert you if warranted.
  • Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Mitigation

Users are strongly urged to apply the security updates released by Fortinet before the Proof of Concept is released publicly.


CVE-2023-34362: MOVEit Transfer Zero-Day Vulnerability Actively Being Exploited

June 15th, 2023 Update: Progress has released patches for the newly discovered vulnerability tracked as CVE-2023-35708.

June 9th, 2023 Update: Additional vulnerabilities have been discovered that could potentially be used by a bad actor to stage an exploit. All MOVEit Transfer customers must apply the new patch, released on June 9, 2023. Details on steps to take can be found in the following knowledge base article.

All MOVEit Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer software. MOVEit is developed by Ipswitch and is a managed file transfer software that encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics, and failover options. 

Technical Details 

Tracked as CVE-2023-34362, the vulnerability is a severe SQL injection flaw that enables unauthenticated remote attackers to gain access to the application database and execute arbitrary code. According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS.  

The observed exploitation is a webshell disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as a legitimate component of the MOVEit Transfer service named human.aspx. On compromised systems, human2.aspx is located in the wwwroot folder of the MOVEit install folder. The webshell allows an attacker to obtain a list of all folders, files, and users within MOVEit. In addition, it can download any file within MOVEit and insert an administrative backdoor user into MOVEit, giving attackers an active session that bypasses credential checks.

The webshell’s access is protected by a password, so attempts to connect to the webshell without the proper password result in the malicious code returning a 404 Not Found error. Automated exploitation is strongly indicated, since the same webshell name was observed in multiple customer environments. Initial compromise may lead to ransomware deployment, as file transfer solutions have been popular targets for attackers, including ransomware threat actors. Currently, there is no proof-of-concept (PoC) for CVE-2023-34362.

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Attribution 

Microsoft has attributed the attacks to an affiliate of Clop ransomware tracked as “Lace Tempest” (aka TA505 and FIN11). In recent reports, the Clop ransomware gang confirmed that they are behind the MOVEit Transfer data-theft attacks. A Clop representative additionally confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday. This is a common tactic for the Clop ransomware operation, which has performed large-scale exploitation attacks during holidays when staffing is at a minimum. Clop did not share how many organizations were breached in the MOVEit Transfer attacks, but stated that victims would be displayed on their data leak site if a ransom was not paid. For the MOVEit Transfer data theft, Clop is taking a different approach: it is telling impacted organizations to contact them if they wish to negotiate a ransom.

SecurIT360 SOC Managed Services    

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:   

MDR Services   

  • We utilize several threat feeds that are updated daily.
  • In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.  

EDR Services   

  • In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.   

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything. 

Indicators are provided in the Indicators of Compromise section below for your reference.  

As always, if we detect activity related to these exploits, we will alert you when applicable.   

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Affected Versions 

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). 
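To turn the fixed-version lists from the Fortinet CVE-2023-27997 advisory above and this MOVEit Transfer affected-versions note into a repeatable inventory check, here is an added example (not Fortinet's, Progress's or SecurIT360's code) that classifies a reported version against those lists. The "unknown" verdict for release lines the advisories do not name, and the sample inventory, are this example's own assumptions.

```python
import re

# Fixed versions named in the advisories, keyed by release branch (major, minor) -> first fixed patch level
FIXED = {
    "fortios": {(6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5},
    "moveit": {(2021, 0): 6, (2021, 1): 4, (2022, 0): 4, (2022, 1): 5, (2023, 0): 1},
}
# MOVEit Transfer's internal numbering from the advisory: 2021.0.6 is 13.0.6, 2022.x is 14.x, 2023.0 is 15.0
MOVEIT_INTERNAL_MAJOR = {13: 2021, 14: 2022, 15: 2023}


def parse_version(text):
    """Turn strings such as '7.0.11', 'v13.0.6' or '7.2.4 build1396' into (major, minor, patch)."""
    nums = []
    for part in text.strip().lower().lstrip("v").split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    if len(nums) < 2:
        raise ValueError(f"cannot parse version: {text!r}")
    while len(nums) < 3:
        nums.append(0)  # '2020.0' is read as 2020.0.0
    return tuple(nums[:3])


def classify(product, version):
    """Return 'vulnerable', 'patched' or 'unknown' for a reported version.

    'unknown' is this example's own conservative verdict for a branch the
    advisory does not name (e.g. a newer release line); confirm those with the vendor.
    """
    major, minor, patch = parse_version(version)
    if product == "moveit" and major in MOVEIT_INTERNAL_MAJOR:
        major = MOVEIT_INTERNAL_MAJOR[major]
    table = FIXED[product]
    branch = (major, minor)
    if branch in table:
        return "patched" if patch >= table[branch] else "vulnerable"
    if branch < min(table):
        # Both advisories state that every release line older than the named ones is affected
        return "vulnerable"
    return "unknown"


def triage(inventory):
    """Map each (hostname, product, version) from an inventory to its verdict."""
    return {host: classify(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    sample = [
        ("fw-edge-1", "fortios", "7.0.11"),
        ("fw-edge-2", "fortios", "7.2.5"),
        ("mft-prod", "moveit", "13.0.6"),
        ("mft-legacy", "moveit", "2020.0"),
    ]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```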

Non-susceptible Products in MOVEit Transfer 

MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. Currently, no action is necessary for the above-mentioned products. 

Recommendations & Mitigation 

Progress has released immediate mitigation measures to help prevent the exploitation of this vulnerability. 

  • Update MOVEit Transfer to one of these patched versions:
    • MOVEit Transfer 2023.0.1
    • MOVEit Transfer 2022.1.5
    • MOVEit Transfer 2022.0.4
    • MOVEit Transfer 2021.1.4
    • MOVEit Transfer 2021.0.6
  • If updating with the above patch is not feasible for your organization, their suggested mitigation is to disable HTTP(s) traffic to MOVEit Transfer by adding firewall deny rules to ports 80 and 443. Note: this will essentially take your MOVEit Transfer application out of service.
  • If the human2.aspx file or any suspicious .cmdline script is found, it should be deleted. Any newly created or unknown file in the MOVEit folder should be closely analyzed; in addition, .cmdline files in any temporary folder of Windows should be examined.
  • Any unauthorized user account should be removed.
  • View the full recommendations here:

MOVEit Best Practices Guide 
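The webshell description above (human2.aspx and human2.aspx.lnk masquerading as human.aspx under wwwroot) and the recommendation to examine .cmdline files in the MOVEit folder and Windows temp folders describe the same hunt. Here is an added example (not Progress's or SecurIT360's tooling) that walks an install folder for those indicators; the baseline of expected .aspx names and the demo directory layout are constructed placeholders, not the real MOVEit file list.

```python
import os
import tempfile
from pathlib import Path

# File names the advisory lists for the web shell, compared case-insensitively
WEBSHELL_NAMES = {"human2.aspx", "human2.aspx.lnk"}


def hunt(install_dir, temp_dirs=(), baseline_aspx=frozenset({"human.aspx"})):
    """Walk a MOVEit Transfer install folder and return sorted (reason, path) findings.

    baseline_aspx is the set of .aspx names expected under wwwroot; the default
    is a constructed placeholder holding only human.aspx from the advisory.
    Build the real baseline from a clean install of the same version.
    """
    install_dir = Path(install_dir)
    wwwroot = install_dir / "wwwroot"
    findings = []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            path = Path(root) / name
            low = name.lower()
            if low in WEBSHELL_NAMES:
                findings.append(("known web shell name", str(path)))
            elif low.endswith(".aspx") and wwwroot in path.parents and low not in baseline_aspx:
                # Any .aspx outside the baseline deserves a look: the web shell is
                # only disguised by its file name, so a renamed copy would slip past
                findings.append(("unexpected .aspx under wwwroot", str(path)))
            if low.endswith(".cmdline"):
                findings.append((".cmdline script in install folder", str(path)))
    # The recommendations also call out .cmdline files in Windows temp folders
    for tdir in temp_dirs:
        for root, _dirs, files in os.walk(tdir):
            for name in files:
                if name.lower().endswith(".cmdline"):
                    findings.append((".cmdline script in temp folder", str(Path(root) / name)))
    return sorted(findings)


def build_demo():
    """Constructed sample layout: a legitimate human.aspx plus planted indicators."""
    base = Path(tempfile.mkdtemp())
    install = base / "MOVEit Transfer"
    (install / "wwwroot").mkdir(parents=True)
    (install / "wwwroot" / "human.aspx").write_text("<!-- legitimate component -->")
    (install / "wwwroot" / "human2.aspx").write_text("<!-- planted stand-in for the web shell -->")
    (install / "wwwroot" / "human2.aspx.lnk").write_text("")
    (install / "wwwroot" / "report.aspx").write_text("<!-- not in the baseline -->")
    temp = base / "Temp"
    temp.mkdir()
    (temp / "stage.cmdline").write_text("")
    return install, temp


if __name__ == "__main__":
    install, temp = build_demo()
    for reason, path in hunt(install, temp_dirs=[temp]):
        print(f"{reason}: {path}")
```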

MITRE Summary

Technique Title | ID | Use

Initial Access
Exploit Public-Facing Application | T1190 | CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; the attack begins with a SQL injection to infiltrate the MOVEit Transfer web application.
Phishing | T1566 | CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.

Execution
Command and Scripting Interpreter: PowerShell | T1059.001 | CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed on the compromised computer.
Command and Scripting Interpreter | T1059.003 | CL0P actors use TinyMet, a small open-source Meterpreter stager, to establish a reverse shell to their C2 server.
Shared Modules | T1129 | CL0P actors use Truebot to download additional modules.

Persistence
Server Software Component: Web Shell | T1505.003 | DEWMODE is a web shell designed to interact with a MySQL database, and is used to exfiltrate data from the compromised network.
Event Triggered Execution: Application Shimming | T1546.011 | CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.

Privilege Escalation
Exploitation for Privilege Escalation | T1068 | CL0P actors were gaining access to MOVEit Transfer databases prior to escalating privileges within the compromised network.

Defense Evasion
Process Injection | T1055 | CL0P actors use Truebot to load shellcode.
Indicator Removal | T1070 | CL0P actors delete traces of Truebot malware after it is used.
Hijack Execution Flow: DLL Side-Loading | T1574.002 | CL0P actors use Truebot to side-load DLLs.

Discovery
Remote System Discovery | T1018 | CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers.

Lateral Movement
Remote Services: SMB/Windows Admin Shares | T1021.002 | CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
Remote Service Session Hijacking: RDP Hijacking | T1563.002 | CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.

Collection
Screen Capture | T1113 | CL0P actors use Truebot to take screenshots in an effort to collect sensitive data.

Command and Control
Application Layer Protocol | T1071 | CL0P actors use the FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2) server.
Ingress Tool Transfer | T1105 | CL0P actors are assessed to use the FlawedAmmyy remote access trojan (RAT) to download additional malware components. CL0P actors use SDBot to drop copies of itself on removable drives and network shares.

Exfiltration
Exfiltration Over C2 Channel | T1041 | CL0P actors exfiltrate data over C2 channels.

Indicators of Compromise
