Category: Cybersecurity Advisories

Storm-0324: New Phishing Campaign Targets Corporations via Teams Messages

Post author By Victor Kuciel
Post date September 18, 2023

Microsoft is warning of a new phishing campaign that involves using Teams messages as lures to infiltrate corporate networks. The threat group behind this campaign, tracked as Storm-0324 (aka TA543 and Sagrid), is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors, which frequently lead to ransomware deployment. They are known to have deployed Sage and GandCrab ransomware in the past. Additionally, Storm-0324 has also provided the well-known FIN7 (aka Sangria Tempest) cybercrime gang access to corporate networks after compromising them using JSSLoader, Gozi, and Nymaim.

Storm-0324’s methods have changed over the years. As of July 2023, the phishing lures are sent over Teams with malicious links leading to a malicious ZIP file hosted on SharePoint. To accomplish this activity, the group leverages an open-source tool called TeamsPhisher, which is a Python-language program that enables Teams tenant users to attach files to messages sent to external tenants, which can be abused by attackers to deliver phishing attachments. The phishing lures used by threat actors are identified by the Teams platform as “EXTERNAL” users if external access is enabled in the organization. This issue was also previously exploited by APT29 in attacks against dozens of organizations, including government agencies worldwide. Details regarding the end goal of Storm-0324’s attacks have not been provided at this time, however, APT29’s attacks are aimed to steal the targets’ credentials after tricking them into approving MFA prompts.

Microsoft says they are taking these phishing campaigns seriously and have rolled out several improvements to better defend against these threats. They have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. Microsoft has rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. In addition to this, they’ve implemented new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this threat actor. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to this campaign, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Recommendations

As per Microsoft, to harden networks against Storm-0324 attacks, defenders are advised to implement the following:

Pilot and start deploying phishing-resistant authentication methods for users.
Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
Keep Microsoft 365 auditing enabled so that audit records could be investigated if required.
Understand and select the best access settings for external collaboration for your organization.
Allow only known devices that adhere to Microsoft’s recommended security baselines.
Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
- Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
For additional recommendations on hardening your organization against ransomware attacks, refer to threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:

Resources & Related Articles

Tags phishing, teams

Cybersecurity Advisories

Flax Typhoon APT Group Using LOLBins for Cyber Espionage

Post author By Victor Kuciel
Post date September 1, 2023

A China-backed hacking group, tracked as Flax Typhoon, is targeting government agencies and education, critical manufacturing, and information technology organizations likely for espionage purposes. The nation-state actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible. However, final objectives in this campaign have not been observed. Currently, Taiwanese organizations are exclusively being affected, but the scope of attacks aren’t fully known. Microsoft states that the distinctive pattern of malicious activity could be easily reused in other operations outside the region and would benefit from broader industry visibility. Because of this, enterprises beyond Taiwan should be on alert.

Flax Typhoon has been active since mid-2021 and focuses on persistence, lateral movement, and credential access. The threat actors do not primarily rely on malware to gain and maintain access to the victim network, instead, they prefer using mostly components already available on the operating system, LOLBins, and legitimate software. In the campaign observed, Flax Typhoon gained initial access by exploiting known vulnerabilities in public-facing servers, including VPN, web, Java, and SQL applications. The threat actors dropped China Chopper, a powerful web shell that provides remote code execution capabilities. If necessary, the hackers elevate their privileges to administrator level using the publicly available ‘Juicy Potato’ and ‘BadPotato’ open-source tools that exploit known vulnerabilities to obtain higher permissions.

Flax Typhoon establishes persistence by turning off network-level authentication through registry modifications and exploiting the Windows Sticky Keys accessibility feature to set up an RDP connection. To avoid RDP connectivity restrictions of RDP to internal network, Flax Typhoon installs a legitimate VPN bridge to maintain the link between the compromised system and their external server. The attackers download the open-source SoftEther VPN client using LOLBins like PowerShell Invoke-WebRequest utility, certutil, or bitsadmin, and abuse various built-in Windows tools to set the VPN app to launch automatically on system startup. To avoid being detected, the hackers rename it to legitimate Windows components such as ‘conhost.exe’ or ‘dllhost.exe.’ Additionally, Flax Typhoon uses SoftEther’s VPN-over-HTTPS mode to conceal VPN traffic as standard HTTPS traffic.

Researchers have noted that Flax Typhoon frequently uses the Mimikatz tool to extract credentials from LSASS process memory and the SAM registry. The stolen credentials were not observed to extract additional data, making the adversary’s main objective currently unclear.

Flax Typhoon Attack Chain

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

We utilize several threat feeds that are updated frequently on a daily basis.
In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services

In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable.

Mitigation & Protection

Defending against techniques used by Flax Typhoon begins with vulnerability and patch management, particularly on systems and services exposed to the public internet. The credential access techniques used can also be mitigated with proper system hardening.
Affected organizations need to assess the scale of Flax Typhoon activity in their network, remove malicious tools and C2 infrastructure, and check logs for signs of compromised accounts that may have been used for malicious purposes.

Recommendations

Microsoft recommends organizations to apply the latest security updates to internet-exposed endpoints and public-facing servers, and MFA should be enabled on all accounts.
Registry monitoring could help catch modification attempts and unauthorized changes like those performed by Flax Typhoon to disable NLA.

MITRE Summary

T1003 (OS Credential Dumping)
T1003.001 (LSASS Memory)
T1005 (Data from Local System)
T1018 (Remote System Discovery)
T1041 (Exfiltration Over C2 Channel)
T1068 (Exploitation for Privilege Escalation)
T1105 (Ingress Tool Transfer)

IOCS

Resources & Related Articles

Cybersecurity Advisories

CVE-2023-3519: Critical Citrix ADC and Gateway Flaw Exploited in the Wild

Post author By Victor Kuciel
Post date July 20, 2023

Citrix is alerting customers of a critical unauthenticated remote code execution vulnerability in NetScaler ADC and NetScaler Gateway. This vulnerability is being exploited in the wild and affected customers are strongly urged to install updated versions as soon as possible.

Tracked as CVE-2023-3519 (CVSSv3 score: 9.8 – Critical), the vulnerability allows unauthenticated remote attackers to execute arbitrary code on the affected appliance. Successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. The flaw only affects customer-managed NetScaler ADC and NetScaler Gateway. Citrix-managed cloud services or Citrix-managed Adaptive Authentication are unaffected.

There are approximately 38,000 Citrix Gateway appliances exposed to the public internet. CVE-2023-3519 is one of three vulnerabilities patched that pose significant risks to customers. The others are CVE-2023-3466 (CVSSv3 score: 8.3 – High) and CVE-2023-3467 (CVSSv3 score: 8.0 – High). CVE-2023-3466 is an improper input validation vulnerability resulting in a reflected cross-site scripting (XSS) attack. CVE-2023-3467 is an improper privilege management vulnerability resulting in privilege escalation to the root administrator (nsroot).

At the time of writing, technical details about all three vulnerabilities are not publicly available.

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this CVE. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Vulnerable Products

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.

NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
NetScaler ADC 13.1-FIPS before 13.1-37.159
NetScaler ADC 12.1-FIPS before 12.1-65.36
NetScaler ADC 12.1-NDcPP before 12.65.36

Recommendation

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.

NetScaler ADC and NetScaler Gateway 13.1-49.13 and later releases
NetScaler ADC and NetScaler Gateway 13.0-91.13 and later releases of 13.0
NetScaler ADC 13.1-FIPS 13.1-37.159 and later releases of 13.1-FIPS
NetScaler ADC 12.1-FIPS 12.1-55.297 and later releases of 12.1-FIPS
NetScaler ADC 12.1-NDcPP 12.1-55.297 and later releases of 12.1-NDcPP

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End Of Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Security Bulletin

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-3519, CVE-2023-3466, CVE-2023-3467

Resources & Related Articles

Cybersecurity Advisories

AA23-187A: Truebot Malware Infects Networks in U.S. and Canada

Post author By Victor Kuciel
Post date July 11, 2023

The CISA, FBI, MS-ISAC, and CCCS have released a joint cybersecurity advisory regarding cyber threat actors leveraging newly identified Truebot malware variants against organizations in the United States and Canada. These attacks are exploiting a critical remote code execution (RCE) vulnerability, tracked as CVE-2022-31199 (CVSSv3 score: 9.8 – Critical), in the Netwrix Auditor software to deliver Truebot. Threat actors are leveraging this flaw to gain initial access and move laterally within the compromised network.

Truebot is a botnet that is linked to the Russian-speaking Silence cybercrime group and used by TA505 hackers (associated with the FIN11 group) to deploy Clop ransomware on compromised networks since December 2022. Previous malware variants of Truebot were primarily delivered by cyber threat actors via malicious phishing email attachments. However, recent versions allow them to also gain initial access through exploiting CVE-2022-31199, enabling deployment of the malware at scale within the compromised environment. Based on the nature of observed Truebot operations, the main goal of the adversaries is to steal sensitive information from compromised systems for financial gain.

The malware has also been used alongside other malware in attacks. In several incidents, shortly after Truebot was executed, the Cobalt Strike tool was deployed for persistence and data exfiltration purposes. In addition, some phishing campaigns consisted of the FlawedGrace RAT being deployed only minutes after the Truebot malware was executed. Researchers have also found Truebot attacks leveraging a custom data exfiltration tool called “Teleport” that was used to steal information.

When an organization is infected with Truebot, it can quickly escalate to become a bigger infection, similarly to how ransomware spreads throughout a network. The change in delivery vector shows that attacks leveraging the malware are continuing to evolve.

CVE-2022-3199 Delivery Method for Truebot

SecurIT360 SOC Managed Services    

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:   

MDR Services   

We utilize several threat feeds that are updated frequently on a daily basis. 
In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.

EDR Services   

In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.  

As always, if we detect activity related to these exploits, we will alert you when applicable.   

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.    

Mitigations

All Netwrix Auditor customers are advised to upgrade to version 10.5.10977.0 and ensure that no Netwrix Auditor systems are exposed to the internet.
CISA has posted guidelines and recommends organizations to mandate MFA for all staff and services.

MITRE Summary

Technique Title	ID	Use
Initial Access
Replication Through Removable Media	T1091	Cyber threat actors use removable media drives to deploy Raspberry Robin malware.
Drive-by Compromise	T1189	Cyber threat actors embed malicious links or attachments within web domains to gain initial access.
Exploit Public-Facing Application	T1190	Cyber threat actors are exploiting Netwrix vulnerability CVE-2022-31199 for initial access with follow-on capabilities of lateral movement through remote code execution.
Phishing	T1566.002	Truebot actors can send spear phishing links to gain initial access.
Execution
Command and Scripting Interpreter	T1059	Cyber threat actors have been observed dropping cobalt strike beacons as a reverse shell proxy to create persistence within the compromised network. Cyber threat actors use FlawedGrace to receive PowerShell commands over a C2 channel to deploy additional tools.
Shared Modules	T1129	Cyber threat actors can deploy malicious payloads through obfuscated share modules.
User Execution: Malicious Link	T1204.001	Cyber threat actors trick users into clicking a link by making them believe they need to perform a Google Chrome software update.
Persistence
Hijack Execution Flow: DLL Side-Loading	T1574.002	Cyber threat actors use Raspberry Robin, among other toolsets to side-load DLLs to maintain persistence.
Privilege Escalation
Boot or Logon Autostart Execution: Print Processors	T1547.012	FlawedGrace malware manipulates print spooler functions to achieve privilege escalation.
Defense Evasion
Obfuscated Files or Information	T1027	Truebot uses a .JSONIP extension (e.g., IgtyXEQuCEvAM.JSONIP), to create a GUID.
Obfuscated Files or Information: Binary Padding	T1027.001	Cyber threat actors embed around one gigabyte of junk code within the malware string to evade detection protocols.
Masquerading: Masquerade File Type	T1036.008	Cyber threat actors hide Truebot malware as legitimate appearing file formats.
Process Injection	T1055	Truebot malware has the ability to load shell code after establishing a C2 connection.
Indicator Removal: File Deletion	T1070.004	Truebot malware implements self-deletion TTPs throughout its attack cycle to evade detection. Teleport exfiltration tool deletes itself after it has completed exfiltrating data to the C2 station.
Modify Registry	T1112	FlawedGrace is able to modify registry programs that control the order that documents are loaded to a print que.
Reflective Code Loading	T1620	Truebot malware has the capability to load shell code and deploy various tools to stealthily navigate an infected network.
Credential Access
OS Credential Dumping: LSASS Memory	T1003.001	Cyber threat actors use cobalt strike to gain valid credentials through LSASS memory dumping.
Discovery
System Network Configuration Discovery	T1016	Truebot malware scans and enumerates the affected system’s domain names.
Process Discovery	T1057	Truebot malware enumerates all running processes on the local host.
System Information Discovery	T1082	Truebot malware scans and enumerates the OS version information, and processor architecture. Truebot malware enumerates the affected system’s computer names.
System Time Discovery	T1124	Truebot has the ability to discover system time metrics, which aids in enables synchronization with the compromised system’s internal clock to facilitate scheduling tasks.
Software Discovery: Security Software Discovery	T1518.001	Truebot has the ability to discover software security protocols, which aids in defense evasion.
Debugger Evasion	T1622	Truebot malware scans the compromised environment for debugger tools and enumerates them in effort to evade network defenses.
Lateral Movement
Exploitation of Remote Services	T1210	Cyber threat actors exploit CVE-2022-31199 Netwrix Auditor vulnerability and use its capabilities to move laterally within a compromised network.
Use Alternate Authentication Material: Pass the Hash	T1550.002	Cyber threat actors use cobalt strike to authenticate valid accounts
Remote Service Session Hijacking	T1563.001	Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Remote Service Session Hijacking: RDP Hijacking	T1563.002	Cyber threat actors use cobalt strike to hijack remote sessions using SSH and RDP hijacking methods.
Lateral Tool Transfer	T1570	Cyber threat actors deploy additional payloads to transfer toolsets and move laterally.
Collection
Data from Local System	T1005	Truebot malware checks the current version of the OS and the processor architecture and compiles the information it receives.
Screen Capture	T1113	Truebot malware takes snapshots of local host data, specifically processor architecture data, and sends that to a phase 2 encoded data string. Truebot gathers and compiles compromised system’s host and domain names.
Command and Control
Application Layer Protocol	T1071	Cyber threat actors use teleport exfiltration tool to blend exfiltrated data with network traffic.
Non-Application Protocol	T1095	Cyber threat actors use Teleport and FlawedGrace to send data over custom communication protocol.
Ingress Transfer Tool	T1105	Cyber threat actors deploy various ingress transfer tool payloads to move laterally and establish C2 connections.
Encrypted Channel: Asymmetric Cryptography	T1573.002	Cyber threat actors use Teleport to create an encrypted channel using AES.
Exfiltration
Scheduled Transfer	T1029	Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Data Transfer Size Limits	T1030	Teleport limits the data it collects and syncs with outbound organizational data/network traffic.
Exfiltration Over C2 Channel	T1048	Cyber threat actors blend exfiltrated data with network traffic to evade detection. Cyber threat actors use the Teleport tool to exfiltrate data over a C2 protocol.

Indicators of Compromise

AA23-187A Truebot IOCs

Resources & Related Articles

Tags malware, truebot

Cybersecurity Advisories

CVE-2023-27997: Fortinet Patches Critical RCE Flaw in Fortigate SSL-VPN Devices

Post author By Victor Kuciel
Post date June 12, 2023

Fortinet has patched a critical security flaw, tracked as CVE-2023-27997, in its SSL VPN devices that could be used by a threat actor to achieve remote code execution without authentication. By sending a carefully crafted request to the SSL VPN, an attacker can exploit this vulnerability and effectively execute arbitrary code on the compromised system even if the MFA is activated. The flaw affects every SSL VPN appliance, and the issue has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5. Further details about the vulnerability have been withheld.

Fortinet devices are commonly targeted by threat actors because they are among the most popular firewall and VPN devices in the market. SSL-VPN flaws have historically been exploited just days after patches were released. According to a Shodan search, over 255,000 Fortigate firewalls can be reached from the Internet. Since the vulnerability affects all previous versions, the majority of those devices are likely exposed.

How to Patch a Vulnerable Fortinet Fortigate Product

Visit the Fortinet Support site frequently and apply newly released patches to keep your Fortigate VPN secure. To update your device:

Check the firmware version: Check the “System Information” section of your device’s dashboard to see the current firmware version.
Find the latest firmware: Go to the “Download” section after logging into the support site. In the product list, look for Fortigate VPN and select your Fortigate model. To view all available updates, click the “Firmware Images.” Look for and download the patch addressing CVE-2023-27997.
Apply the patch: On the Fortinet Fortigate VPN dashboard, navigate to System > Firmware > Update > Upload File, then select the downloaded patch file. After the update, make sure to test your VPN. Check that all functions are operational and the device is stable.

SecurIT360 SOC Managed Services

As always, if we detect activity related to these exploits, we will alert you if warranted.
Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Mitigation

Users are strongly urged to apply the security updates released by Fortinet before the Proof of Concept is released publicly.

Resources & Related Articles

Cybersecurity Advisories

CVE-2023-34362: MOVEit Transfer Zero-Day Vulnerability Actively Being Exploited

Post author By Victor Kuciel
Post date June 8, 2023

June 15th, 2023 Update: Progress has released patches for the newly discovered vulnerability tracked as CVE-2023-35708.

MOVEit Transfer Knowledge Base Article (June 15, 2023)

June 9th, 2023 Update: Additional vulnerabilities have been discovered that could potentially be used by a bad actor to stage an exploit. All MOVEit Transfer customers must apply the new patch, released on June 9. 2023. Details on steps to take can be found in the following knowledge base article.

MOVEit Transfer Knowledge Base Article (June 9, 2023)

All MOVEIt Cloud customers, please see the MOVEit Cloud Knowledge Base Article for more information.

MOVEit Cloud Knowledge Base Article (June 9, 2023)

—

Threat actors are actively exploiting a zero-day vulnerability in the Progress MOVEit Transfer file transfer software. MOVEit is developed by Ipswitch and is a managed file transfer software that encrypts files and uses secure File Transfer Protocols to transfer data with automation, analytics, and failover options.

Technical Details

Tracked as CVE-2023-34362, the vulnerability is a severe SQL injection flaw that enables unauthenticated remote attackers to gain access to the application database and execute arbitrary code. According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS.

The observed exploitation is a webshell disguised with filenames such as “human2.aspx” and “human2.aspx.lnk” in an attempt to masquerade as a legitimate component of the MOVEit Transfer service named human.aspx. On compromised systems, human2.aspx is located in the wwwroot folder of the MOVEit install folder. The webshell allows an attacker to obtain a list of all folders files, and users within MOVEit. In addition to this, it can download any file within MOVEit and insert an administrative backdoor user into MOVEit which would give attackers an active session to allow credential bypass.

The webshell’s access is protected by a password, so attempts to connect to the webshell without the proper password results in the malicious code showing a 404 Not Found error. Automated exploitation is heavily indicated since the same webshell name was observed in multiple customer environments. Initial compromise may lead to ransomware exploitation, as file transfer solutions have been popular targets for attackers including ransomware threat actors. Currently, there is no proof-of-concept (PoC) for CVE-2023-34362.

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). According to the company, depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database and execute SQL statements that alter or delete database elements. Exploitation of unpatched systems can occur via HTTP or HTTPS. All versions (e.g., 2020.0 and 2019x) before the five explicitly mentioned versions are affected, including older unsupported versions.

Attribution

Microsoft has attributed attacks to an affiliate of Clop ransomware under the name of “Lace Tempest” (aka TA505 and FIN11). In recent reports, the Clop Ransomware Gang confirmed that they are behind the MOVEit Transfer data-theft attacks. A Clop representative additionally confirmed that they started exploiting the vulnerability on May 27th, during the long US Memorial Day holiday. This is a common tactic for the Clop ransomware operation, which has performed large-scale exploitation attacks during holidays when staff is at a minimum. Clop did not share how many organizations were breached in the MOVEit Transfer attacks, but stated that victims would be displayed on their data leak site if a ransom was not paid. If affected by the MOVEit Transfer data leaks, Clop is now taking a different approach by telling impacted organizations to contact them if they wish to negotiate a ransom.

SecurIT360 SOC Managed Services   

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:  

MDR Services  

We utilize several threat feeds that are updated frequently on a daily basis.
In addition to our automatic threat feeds, we have added known indicators of compromise related to this threat into our MDR solution, FortiSIEM.

EDR Services  

In addition to ongoing vendor IoC updates, we have added known indicators of compromise related to this threat into our EDR solutions to help with detection.

Additionally, we are running a Nessus external scan to search for any affected hosts and will report if we find anything.

Indicators are provided in the Indicators of Compromise section below for your reference. 

As always, if we detect activity related to these exploits, we will alert you when applicable.  

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Affected Versions

The vulnerability affects Progress MOVEit Transfer versions before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1).

Non-susceptible Products in MOVEit Transfer

MOVEit Automation, MOVEit Client, MOVEit Add-in for Microsoft Outlook, MOVEit Mobile, WS_FTP Client, WS_FTP Server, MOVEit EZ, MOVEit Gateway, MOVEit Analytics, and MOVEit Freely. Currently, no action is necessary for the above-mentioned products.

Recommendations & Mitigation

Progress has released immediate mitigation measures to help prevent the exploitation of this vulnerability.

Update MOVEit Transfer to one of these patched versions:
- MOVEit Transfer 2023.0.1
- MOVEit Transfer 2022.1.5
- MOVEit Transfer 2022.0.4
- MOVEit Transfer 2021.1.4
- MOVEit Transfer 2021.0.6
If updating with the above patch is not feasible for your organization, their suggested mitigation is to disable HTTP(s) traffic to MOVEit Transfer by adding firewall deny rules to ports 80 and 443. Note: this will essentially take your MOVEit Transfer application out of service.
If the human2.aspx file or any suspicious .cmdline script is found, it should be deleted. Any newly created or unknown file in the MOVEit folder should be closely analyzed; in addition, .cmdline files in any temporary folder of Windows should be examined.
Any unauthorized user account should be removed.
View the full recommendations here:
- Progress Customer Community: MOVEit Transfer Critical Vulnerability (May 2023)

MOVEit Best Practices Guide

Progress Customer Community: MOVEit Security Best Practices Guide

MITRE Summary

Initial Access
Technique Title	ID	Use
Exploit Public-Facing Application	T1190	CL0P ransomware group exploited the zero-day vulnerability CVE-2023-34362 affecting MOVEit Transfer software; begins with a SQL injection to infiltrate the MOVEit Transfer web application.
Phishing	T1566	CL0P actors send a large volume of spear-phishing emails to employees of an organization to gain initial access.
Execution
Technique Title	ID	Use
Command and Scripting Interpreter: PowerShell	T1059.001	CL0P actors use SDBot as a backdoor to enable other commands and functions to be executed in the compromised computer.
Command and Scripting Interpreter	T1059.003	CL0P actors use TinyMet, a small open-source Meterpreter stager to establish a reverse shell to their C2 server.
Shared Modules	T1129	CL0P actors use Truebot to download additional modules.
Persistence
Technique Title	ID	Use
Server Software Component: Web Shell	T1505.003	DEWMODE is a web shell designed to interact with a MySQL database, and is used to exfiltrate data from the compromised network.
Event Triggered Execution: Application Shimming	T1546.011	CL0P actors use SDBot malware for application shimming for persistence and to avoid detection.
Privilege Escalation
Technique Title	ID	Use
Exploitation for Privilege Escalation	T1068	CL0P actors were gaining access to MOVEit Transfer databases prior to escalating privileges within compromised network.
Defense Evasion
Technique Title	ID	Use
Process Injection	T1055	CL0P actors use Truebot to load shell code.
Indicator Removal	T1070	CL0P actors delete traces of Truebot malware after it is used.
Hijack Execution Flow: DLL Side-Loading	T1574.002	CL0P actors use Truebot to side load DLLs.
Discovery
Technique Title	ID	Use
Remote System Discovery	T1018	CL0P actors use Cobalt Strike to expand network access after gaining access to the Active Directory (AD) servers.
Lateral Movement
Technique Title	ID	Use
Remote Services: SMB/Windows Admin Shares	T1021.002	CL0P actors have been observed attempting to compromise the AD server using Server Message Block (SMB) vulnerabilities with follow-on Cobalt Strike activity.
Remote Service Session Hijacking: RDP Hijacking	T1563.002	CL0P ransomware actors have been observed using Remote Desktop Protocol (RDP) to interact with compromised systems after initial access.
Collection
Technique Title	ID	Use
Screen Capture	T1113	CL0P actors use Truebot to take screenshots in effort to collect sensitive data.
Command and Control
Technique Title	ID	Use
Application Layer Protocol	T1071	CL0P actors use FlawedAmmyy remote access trojan (RAT) to communicate with the Command and Control (C2).
Ingress Tool Transfer	T1105	CL0P actors are assessed to use FlawedAmmyy remote access trojan (RAT) to the download of additional malware components. CL0P actors use SDBot to drop copies of itself in removable drives and network shares.
Exfiltration
Technique Title	ID	Use
Exfiltration Over C2 Channel	T1041	CL0P actors exfiltrate data for C2 channels.

Indicators of Compromise

CVE-2023-34362 MOVEit IOCs

Resources & Related Articles

Cybersecurity Advisories

Volt Typhoon Detection and Mitigation

Post author By Victor Kuciel
Post date May 26, 2023

Alert Code: AA23-144A

The NSA, CISA, FBI, ACSC, CCCS, NCSC-NZ, and NCSC-UK have released a joint cybersecurity advisory regarding a recently unveiled adversary activity of the China-linked nation-backed APT group tracked as Volt Typhoon. The state-sponsored group has been reported spying on a range of U.S. critical infrastructure organizations, from telecommunications to transportation hubs and is part of a U.S. disinformation campaign.

Although espionage seems to be the goal, Microsoft assesses with moderate confidence that this campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

The initial attack vector is the compromise of Internet-exposed Fortinet FortiGuard devices by exploiting an unknown zero-day vulnerability. A primary TTP used by the actor is living off the land which utilizes built-in network administration tools to perform their objectives. This allows the actor to evade detection by blending in with normal Windows system and network activities, avoid endpoint detection and response (EDR) products that would alert on the introduction of third-party applications to the host, and limit the amount of activity that is captured in default logging configurations. Built-in tools that are used by the actor include wmic, ntdsutil, netsh, and PowerShell. However, threat actors were also seen using open-source tools such as Fast Reverse Proxy (frp), the Mimikatz credential-stealing tool, and the Impacket networking framework.

To blend in with legitimate network traffic and evade detection, Volt Typhoon employs compromised small office and home office (SOHO) network equipment from ASUS, Cisco, D-Link, Netgear, FatPipe, and Zyxel, such as routers, firewalls, and VPN appliances. If privileged access is obtained after compromising the Fortinet devices, the attackers can dump credentials through the LSASS. This allows them to deploy Awen-based web shells for data exfiltration and persistence on the hacked systems.

Persistent focus on critical infrastructure indicates preparation for disruptive or destructive cyber-attacks and hints at a collective effort to provide China with access in the event of a future conflict between the two countries. Microsoft proactively reached out to all customers that were either targeted or compromised in these attacks to provide them with the information required to secure their networks from future hacking attempts.

Volt Typhoon attack flow

SecurIT360 SOC Managed Services

If you utilize our SOC Managed Services, here are the actions we are taking to help detect this activity:

MDR Services

We utilize several threat feeds that are updated frequently on a daily basis
In addition to our automatic threat feeds, we have added indicators related to known malicious threat actors into our MDR solution, FortiSIEM.

EDR Services

Carbon Black and Defender for Endpoint have announced Volt Typhoon related detections
In addition to ongoing vendor IoC updates, we have implemented known IoC information to help with detection.

Indicators are provided in the Indicators of Compromise section below for your reference.

As always, if we detect activity related to these exploits, we will alert you when applicable.

Victimology

Targets and breached entities span a wide range of critical sectors including government, maritime, communications, manufacturing, information technology, utilities, transportation, construction, and education.

Recommended Mitigations

Harden domain controllers and monitor event logs for ntdsutil.exe and similar process creations. Additionally, any use of administrator privileges should be audited and validated to confirm the legitimacy of executed commands.
Administrators should limit port proxy usage within environments and only enable them for the period of time in which they are required.
Investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs to identify other hosts that are potentially involved in actor actions.
In addition to host-level changes, review perimeter firewall configurations for unauthorized changes and/or entries that may permit external connections to internal hosts.
Look for abnormal account activity, such as logons outside of normal working hours and impossible time-and-distance logons (e.g., a user logging on from two geographically separated locations at the same time).
Forward log files to a hardened centralized logging server, preferably on a segmented network.

MITRE Summary

Initial Access
Technique Title	ID	Use
Exploit Public-facing Application	T1190	Actor used public-facing applications to gain initial access to systems; in this case, Earthworm and PortProxy.
Execution
Windows Management Instrumentation	T1047	The actor executed WMIC commands to create a copy of the SYSTEM registry.
Command and Scripting Interpreter: PowerShell	T1059.001	The actor used a PowerShell command to identify successful logons to the host.
Command and Scripting Interpreter: Windows Command Shell	T1059.003	The actor used this primary command prompt to execute a query that collected information about the storage devices on the local host.
Persistence
Server Software Component: Web Shell	T1505.003	The actor used backdoor web servers with web shells to establish persistence to systems, including some of the webshells being derived from Awen webshell.
Defense Evasion
Hide Artifacts	T1546	The actor selectively cleared Windows Event Logs, system logs, and other technical artifacts to remove evidence of their intrusion activity.
Indicator Removal: Clear Windows Event Logs	T1070.001	The actor cleared system event logs to hide activity of an intrusion.
Credential Access
OS Credential Dumping: NTDS	T1003.003	The actor may try to exfiltrate the ntds.dit file and the SYSTEM registry hive out of the network to perform password cracking.
Brute Force	T1110	The actor attempted to gain access to accounts with multiple password attempts.
Brute Force: Password Spraying	T1110.003	The actor used commonly used passwords against accounts to attempt to acquire valid credentials.
OS Credential Dumping	T1003	The actor used additional commands to obtain credentials in the environment.
Credentials from Password Stores	T1555	The actors searched for common password storage locations.
Discovery
System Information Discovery	T1082	The actors executed commands to gather information about local drives.
System Owner/User Discovery	T1033	The actors gathered information about successful logons to the host using a PowerShell command.
Permission Groups Discovery: Local Groups	T1069.001	The actors attempt to find local system groups and permission settings.
Permission Groups Discovery: Doman Groups	T1069.002	The actors used commands to enumerate the active directory structure.
System Network Configuration Discovery	T1016	The actors used commands to enumerate the network topology.
Command and Control
Proxy	T1090	The actors used commands to enable port forwarding on the host.
Proxy: External Proxy	T1090.002	The actors used compromised SOHO devices (e.g. routers) to obfuscate the source of their activity.

IOCS

f4dd44bc19c19056794d29151a5b1bb76afd502388622e24c863a8494af147dd

ef09b8ff86c276e9b475a6ae6b54f08ed77e09e169f7fc0872eb1d427ee27d31

d6ebde42457fe4b2a927ce53fc36f465f0000da931cfab9b79a36083e914ceca

472ccfb865c81704562ea95870f60c08ef00bcd2ca1d7f09352398c05be5d05d

66a19f7d2547a8a85cee7a62d0b6114fd31afdee090bd43f36b89470238393d7

3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

41e5181b9553bbe33d91ee204fe1d2ca321ac123f9147bb475c0ed32f9488597

c7fee7a3ffaf0732f42d89c4399cbff219459ae04a81fc6eff7050d53bd69b99

3a9d8bb85fbcfe92bae79d5ab18e4bca9eaf36cea70086e8d1ab85336c83945f

fe95a382b4f879830e2666473d662a24b34fccf34b6b3505ee1b62b32adafa15

ee8df354503a56c62719656fae71b3502acf9f87951c55ffd955feec90a11484

baeffeb5fdef2f42a752c65c2d2a52e84fb57efc906d981f89dd518c314e231c

b4f7c5e3f14fb57be8b5f020377b993618b6e3532a4e1eb1eae9976d4130cc74

4b0c4170601d6e922cf23b1caf096bba2fade3dfcf92f0ab895a5f0b9a310349

c0fc29a52ec3202f71f6378d9f7f9a8a3a10eb19acb8765152d758aded98c76d

d6ab36cb58c6c8c3527e788fc9239d8dcc97468b6999cf9ccd8a815c8b4a80af

9dd101caee49c692e5df193b236f8d52a07a2030eed9bd858ed3aaccb406401a

450437d49a7e5530c6fb04df2e56c3ab1553ada3712fab02bd1eeb1f1adbc267

93ce3b6d2a18829c0212542751b309dacbdc8c1d950611efe2319aa715f3a066

7939f67375e6b14dfa45ec70356e91823d12f28bbd84278992b99e0d2c12ace5

389a497f27e1dd7484325e8e02bbdf656d53d5cf2601514e9b8d8974befddf61

c4b185dbca490a7f93bc96eefb9a597684fdf532d5a04aa4d9b4d4b1552c283b

e453e6efc5a002709057d8648dbe9998a49b9a12291dee390bb61c98a58b6e95

6036390a2c81301a23c9452288e39cb34e577483d121711b6ba6230b29a3c9ff

cd69e8a25a07318b153e01bba74a1ae60f8fc28eb3d56078f448461400baa984

17506c2246551d401c43726bdaec800f8d41595d01311cf38a19140ad32da2f4

8fa3e8fdbaa6ab5a9c44720de4514f19182adc0c9c6001c19cf159b79c0ae9c2

d17317e1d5716b09cee904b8463a203dc6900d78ee2053276cc948e4f41c8295

3e9fc13fab3f8d8120bd01604ee50ff65a40121955a4150a6d2c007d34807642

Resources & Related Articles

Cybersecurity Advisories

KeePass Flaw Lets Attackers Recover Master Passwords from Memory

Post author By Victor Kuciel
Post date May 24, 2023

An issue was discovered impacting the popular KeePass password manager which affects KeePass versions 2.x for Windows, Linux, and macOS, and is expected to be patched in version 2.54. Tracked as CVE-2023-32784, the vulnerability allows recovery of the cleartext master password from a memory dump, even when the database is locked or the program is closed.

It is important to note that successful exploitation of the flaw requires an attacker to have already compromised a potential target’s computer. Additionally, it also requires that the password is typed on a keyboard, and not copied from the device’s clipboard. 

The developer of KeePass promises to push a fix for CVE-2023-32784 on version 2.54, expected to be released in June or July 2023. 

Proof of Concept 

KeePass 2.X Master Password Dumper (CVE-2023-32784)

Affected Versions 

All existing versions of KeePass 2.x (e.g., 2.53.1) are affected. Meanwhile, KeePass 1.x (an older edition of the program that’s still being maintained), KeePassXC, and Strongbox, which are other password managers compatible with KeePass database files, are not affected. 

Recommendations:

Users are advised to update to KeePass 2.54 once it becomes available. 
Restarting the computer, clearing your swap file and hibernation files, and not using KeePass until the new version is released are reasonable safety measures for the time being. 
For the best protection, be vigilant about not downloading programs from untrusted sites and beware of phishing attacks that may infect your devices, giving threat actors remote access to your device and your KeePass database.

Technical Details
The memory dump can be a KeePass process dump, swap file (pagefile.sys), hibernation file (hiberfil.sys), or RAM dump of the entire system. 

The master password encrypts the KeePass password database and prevents it from being opened without first entering the password. If that master password becomes compromised, a threat actor can access every credential stored in the database. A proof-of-concept tool was made available that could be exploited to recover a victim’s master password in cleartext under specific circumstances. BleepingComputer tested this tool by installing KeePass on a test device and created a new database with “password123” being the master password.  

After locking the workspace, Process Explorer was used in tests to dump the memory of the KeePass project but required a full memory dump to work correctly. No elevated privileges were needed to dump the process’ memory. The PoC tool was later compiled and executed against their memory dump and recovered most of the cleartext password, with only a few letters missing. Master passwords used in the past can remain in memory, so they can still be retrieved even if KeePass is no longer running on the breached computer. 

Resources & Related Articles 

Cybersecurity Advisories

CVE-2023-21554: Microsoft Patches Critical RCE Vulnerability in MSMQ Service

Post author By Victor Kuciel
Post date April 19, 2023

Microsoft has released a set of security updates to fix a total of 97 flaws impacting its software; 45 of which are RCE vulnerabilities. Researchers have discovered three vulnerabilities in the Microsoft Message Queuing service (MSMQ) and were patched in Microsoft’s Patch Tuesday update. The most severe flaw out of the three is CVE-2023-21554 (known as QueueJumper; CVSSv3 Score: 9.8 – Critical) which allows remote code execution after sending a single package through the TCP port 1801.

According to Microsoft, MSMQ is a message infrastructure and development platform for creating distributed, loosely-coupled messaging applications for the Microsoft Windows operating system. Message Queuing applications can use the Message Queuing infrastructure to communicate across heterogeneous networks and with computers that may be offline. Message Queuing provides guaranteed message delivery, efficient routing, security, transaction support, and priority-based messaging.

QueueJumper Vulnerability & Impact

CVE-2023-21554 allows an attacker to execute code remotely and without authorization by reaching the TCP port 1801. A threat actor could gain control of the process through a single packet to the 1801/tcp port with the exploit. By doing this, it gives hackers control over mqsvc.exe.

A full internet scan showed that more than 360,000 IPs have 1801/tcp open to the internet and are running the MSMQ service. This includes the number of hosts facing the internet and does not account for computers hosting the MSMQ service on internal networks. Some popular software relies on MSMQ, so when a user installs that software, the MSMQ service is enabled on Windows and may be done without the user’s knowledge. It is important to note that MSMQ is disabled by default in all operating systems. Full technical details will be released later this month.

Mitigation

All Windows admins are recommended to check their servers and clients to see if the MSMQ service is installed. You can check if there is a service running named ‘Message Queuing’, and TCP port 1801 is listening on the computer. If it is installed, double-check if you need it. Closing unnecessary attack surfaces is always a very good security practice.
Users are recommended to install Microsoft’s official patch as soon as possible. If your business requires MSMQ but is unable to apply Microsoft’s patch right now, you may block the inbound connections for 1801/tcp from untrusted sources with Firewall rules (for example, blocking Internet connections to 1801/tcp for Internet-facing machines), as a workaround.

SecurIT360 SOC Managed Services 

Additionally, we are running a Nessus external scan on internet facing servers and will report if we find anything.

As always, if we detect activity related to these exploits, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns.

Microsoft Customer Guidance

CVE-2023-21554 – Security Update Guide – Microsoft Security Response Center

Resources & Related Articles

Cybersecurity Advisories

CVE-2023-28252: Windows Zero-Day Vulnerability Exploited in Nokoyawa Ransomware Attacks

Post author By Victor Kuciel
Post date April 12, 2023

Microsoft has patched an actively exploited zero-day vulnerability in the Windows Common Log File System (CLFS) that allows attackers to elevate privileges to SYSTEM on target machines and deploy Nokoyawa ransomware payloads. CISA added the flaw, tracked as CVE-2023-28252 (CVSSv3 score: 7.8 – High), to its KEV and orders FCEB agencies to secure their systems against it. The vulnerability affects all supported Windows server and client versions and can be exploited by local attackers in low-complexity attacks without user interaction.

Exploited with Nokoyawa ransomware

This zero-day was utilized by a sophisticated cybercrime group that carries out ransomware attacks. Security researchers have found that the gang has used other exploits targeting the CLFS driver since June 2022 with similar but unique characteristics that were likely developed by the same exploit author. Researchers have identified five different CLFS exploits used by the group in attacks on retail & wholesale, energy, manufacturing, healthcare, software development and other industries.

Nokoyawa ransomware surfaced in February 2022 as a strain that is capable of targeting 64-bit Windows-based systems in double extortion attacks. The threat actors would also steal sensitive files from compromised networks and threaten to leak them online unless a ransom is paid. Nokoyawa shares code with JSWorm, Karma, and Nemty ransomware, and has been rewritten in Rust. The CVE-2023-28252 zero-day was used to deploy the Nokoyawa ransomware, which has been developed from its early variants based on the JSWorm codebase.

Victimology

The vulnerability has been weaponized by a cybercrime group to deploy Nokoyawa ransomware against small and medium-sized businesses in the Middle East, North America, and Asia.

Recommendation

Organizations are urged to apply the patch released by Microsoft for CVE-2023-28252 to protect their systems from potential attacks.

Security Update Guide – Microsoft Security Response Center

IOCS

Resources & Related Articles

Flax Typhoon Attack Chain

Volt Typhoon attack flow

Our Offices

Industries

Company

Help