CTI Digest: ProxyShell, Sardonic from FIN8, & Telecom Giant’s Breach to Proliferation of NSO Spyware.

Proliferation of NSO Spyware

In late June, a leak uncovered global abuse of a cyber-surveillance weapon from the NSO Group: the popular hacking spyware called Pegasus.

Reports say that NSO Group has sold the product to authoritarian regimes, which use it to spy on dissidents, activists and journalists.

The investigation by the Guardian and 16 other media organisations suggests widespread and continuing abuse of NSO’s hacking spyware, Pegasus, which the company insists is only intended for use against criminals and terrorists.

Recently, activists in Bahrain have become the targets of zero-day exploits from the Israeli surveillance vendor NSO Group, whose tools have become the favoured purchase of governments planning to spy on activists, journalists and dissidents.

NSO Group has been found to be abusing an undisclosed zero-click exploit in Apple’s iMessage to circumvent iOS security protections and target Bahraini activists.

Proxy vulnerability family (ProxyShell, ProxyOracle and ProxyLogon) in Microsoft Exchange Servers

Hackers have been reported to be actively looking for unpatched Microsoft Exchange Servers, in what is called opportunistic scanning and exploitation. The new RCE flaw, dubbed ProxyShell, follows the ProxyLogon vulnerabilities that were massively exploited earlier in the year. We should not forget ProxyOracle either, which is part of the same series of vulnerabilities and may be exploited in the process as well; it lets adversaries recover users’ passwords in plaintext.

A Shodan scan reported over 3,000 machines affected by the vulnerabilities. A honeypot infrastructure set up by NCC Group for the Exchange ProxyShell vulnerabilities also captured an exploit attempt indicating the deployment of a C# ASPX web shell in the /aspnet_client/ directory.

ProxyLogon is a server-side request forgery vulnerability in Exchange Server that permits an attacker to take control of a vulnerable server as an administrator, and it can be chained with another post-authentication arbitrary-file-write vulnerability, CVE-2021-27065, to achieve code execution. ProxyShell, by contrast, can be used to bypass ACL controls and escalate privileges, giving threat actors fully authenticated access to execute code remotely on victim systems.

For the whole Proxy vulnerability family, be it Logon, Oracle or Shell, organizations are HIGHLY advised to install the updates released by Microsoft to prevent exploitation.

You can read more about the CVEs:

  • CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 – ProxyShell
  • CVE-2021-31195, CVE-2021-31196 – ProxyOracle
  • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – ProxyLogon

Secret terrorist watchlist got exposed due to misconfiguration

A secret US Government terrorist watchlist was exposed, leaving nearly 2 million records open to possible unauthorized access due to a server misconfiguration. The unusual thing about this incident is that the server was found to be hosted on a Bahrain IP address instead of in the US.

Alleged AT&T database with over 70 million records found on the dark web

An alleged AT&T database with over 70 million records has been found on the dark web, on sale from a starting price of $200,000. A notorious underground threat actor with the moniker ShinyHunters claimed to have access to this data, which he has now put up for sale. Databases like this can be bought by government-backed hacking groups, spy agencies, ransomware gangs or scammers to further their initial access in subsequent attacks. AT&T maintained in a statement that the information that appeared in the chat room, as claimed by the hacker, does not appear to have come from its systems.

A week earlier, a hacker claimed to have hacked T-Mobile’s production, development and staging servers, including its Oracle database server, around two weeks back, and put up a sale call in an underground chat forum.

CISA warns of active exploitation of Microsoft Exchange servers using ProxyShell

The US Cybersecurity and Infrastructure Security Agency has recently sounded a note of warning about active exploitation attempts against the Microsoft Exchange vulnerabilities dubbed ProxyShell, with the possible deployment of LockFile ransomware on compromised systems. Researchers from Huntress Labs also confirmed at least 140 web shells deployed to vulnerable Exchange servers, with more than 100 incidents reported, as web shells continue to grant access to the compromised servers.
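A defender-side sweep for the web-shell pattern described in the ProxyShell items above (a server-side script dropped into the /aspnet_client/ directory), written as an added Python example for this digest; it is not tooling from NCC Group, Huntress Labs, CISA or Microsoft. It assumes that the aspnet_client tree normally holds only static client-side files (.js, .htc, .css) and that you supply the date of your last Exchange patching as the cutoff; the sample listing is constructed, not taken from a real server.

```python
"""Triage an IIS/Exchange aspnet_client tree for files that look like dropped web shells.

Added illustration, not vendor tooling. Assumptions: (1) aspnet_client normally
contains only static client-side files, so any server-executed script there
deserves a look; (2) after the patch cutoff nothing in the tree should change.
"""
import os
from datetime import datetime, timezone
from typing import Iterable, List, NamedTuple, Tuple

# Server-executed ASP.NET/IIS script extensions; none are expected under
# aspnet_client (assumption, see module docstring).
SERVER_SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

# Hypothetical cutoff: replace with the day you applied the Exchange updates.
PATCH_CUTOFF = datetime(2021, 8, 1, tzinfo=timezone.utc).timestamp()


class FileRecord(NamedTuple):
    path: str
    mtime: float  # last-modified time, seconds since the epoch


def reasons_for(record: FileRecord, cutoff: float = PATCH_CUTOFF) -> List[str]:
    """Return the reasons a file is suspicious; an empty list means benign."""
    reasons = []
    ext = os.path.splitext(record.path)[1].lower()
    if ext in SERVER_SCRIPT_EXTS:
        reasons.append(f"server-side script ({ext}) in a client-script directory")
    if record.mtime >= cutoff:
        reasons.append("modified after patch cutoff")
    return reasons


def find_suspicious(records: Iterable[FileRecord],
                    cutoff: float = PATCH_CUTOFF) -> List[Tuple[str, List[str]]]:
    """Filter a listing down to (path, reasons) pairs worth a human look."""
    hits = []
    for rec in records:
        reasons = reasons_for(rec, cutoff)
        if reasons:
            hits.append((rec.path, reasons))
    return hits


def walk_tree(root: str) -> Iterable[FileRecord]:
    """Build FileRecords from a real directory (used only when run on a server)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield FileRecord(full, os.path.getmtime(full))


# Constructed sample listing standing in for a real server's aspnet_client tree.
_OLD = datetime(2020, 1, 1, tzinfo=timezone.utc).timestamp()
_RECENT = datetime(2021, 8, 18, tzinfo=timezone.utc).timestamp()
SAMPLE_LISTING = [
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\WebForms.js", _OLD),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\SmartNav.js", _OLD),
    FileRecord(r"C:\inetpub\wwwroot\aspnet_client\sample_shell.aspx", _RECENT),
]

if __name__ == "__main__":
    import sys
    # Pass a real aspnet_client path as argv[1]; otherwise the constructed sample runs.
    listing = walk_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for path, why in find_suspicious(listing):
        print(path)
        for reason in why:
            print("   -", reason)
```

On the constructed sample only the .aspx file is reported, with both reasons. A hit is a triage lead, not a verdict: compare the file against a known-good baseline of the tree and check the IIS logs for requests to it before treating the host as compromised.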

FIN8 has appeared with a new backdoor targeting the financial sector.

FIN8, which has a history with the retail, hospitality and entertainment industries, has recently been found to be deploying a new backdoor targeting the financial sector, according to a forensic investigation conducted by Bitdefender in the wake of a failed attempt by FIN8 to compromise a financial institution.

This newly identified FIN8 backdoor has been dubbed Sardonic. It is said to be under active development, extremely potent, and to have a wide range of capabilities that help the threat actor deploy new malware on the fly with no changes to the underlying components.

Sardonic is written in C++ and has several capabilities against compromised systems, such as establishing persistence, gathering system information and executing arbitrary commands, with the results often sent to remote C2 servers.

FIN8 is continuously retooling its malware arsenal to evade detection. The group has been seen to leverage several techniques in the past, such as spear-phishing and other malicious software, to steal payment card information from POS systems.

VMware Security Update

VMware this week released security updates to address vulnerabilities in multiple products that could potentially be exploited by an attacker to take control of an affected system.

Products affected are as follows:

  • VMware vRealize Operations (prior to version 8.5.0)
  • VMware Cloud Foundation (versions 3.x and 4.x)
  • vRealize Suite Lifecycle Manager (version 8.x)

  • CVE-2021-22022 (CVSS score: 4.4) – Arbitrary file read vulnerability in vRealize Operations Manager API, leading to information disclosure
  • CVE-2021-22023 (CVSS score: 6.6) – Insecure direct object reference vulnerability in vRealize Operations Manager API, enabling an attacker with administrative access to alter other users’ information and seize control of an account
  • CVE-2021-22024 (CVSS score: 7.5) – Arbitrary log-file read vulnerability in vRealize Operations Manager API, resulting in sensitive information disclosure
  • CVE-2021-22025 (CVSS score: 8.6) – Broken access control vulnerability in vRealize Operations Manager API, allowing an unauthenticated malicious actor to add new nodes to the existing vROps cluster
  • CVE-2021-22026 and CVE-2021-22027 (CVSS score: 7.5) – Server Side Request Forgery vulnerability in vRealize Operations Manager API, leading to information disclosure

Emerging Ransomware Groups to Watch Out For

A report recently released by Palo Alto Networks’ Unit 42 names some emerging ransomware groups to watch out for: AvosLocker, HelloKitty, Hive and LockBit 2.0.

  • AvosLocker is ransomware as a service (RaaS) that started operations in late June, using a blue beetle logo to identify itself in communications with victims and “press releases” aimed at recruiting new affiliates. AvosLocker was observed promoting its RaaS program and looking for affiliates on dark web discussion forums and other forums. Like many of its competitors, AvosLocker offers technical support to help victims recover after they’ve been attacked with encryption software that the group claims is “fail-proof,” has low detection rates and is capable of handling large files. This ransomware also has an extortion site, which claims to have impacted six organizations in the following countries: the U.S., the U.K., the U.A.E., Belgium, Spain and Lebanon. We have observed initial ransom demands ranging from $50,000 to $75,000.
  • Hive Ransomware is double-extortion ransomware that started operations in June. Since then, Hive has impacted 28 organizations that are now listed on the group’s extortion site, including a European airline company and three U.S.-based organizations. Hive uses all tools available in the extortion toolset to create pressure on the victim, including the date of initial compromise, countdown, the date the leak was actually disclosed on their site, and even the option to share the disclosed leak on social media.
  • HelloKitty is not a new ransomware group; it can be tracked as early as 2020, mainly targeting Windows systems. However, in July, we observed a Linux variant of HelloKitty targeting VMware’s ESXi hypervisor, which is widely used in cloud and on-premises data centers. We also observed two clusters of activity. Across the observed samples, some threat actors preferred email communications, while others used TOR chats for communication with the victims. The observed variants impacted five organizations in Italy, Australia, Germany, the Netherlands and the U.S. The highest ransom demand observed from this group was $10 million, but at the time of writing, the threat actors have only received three transactions that sum up to about $1.48 million.
  • LockBit 2.0 (previously known as ABCD ransomware) is a three-year-old RaaS operator that has been linked to some high-profile attacks lately following the June launch of a slick marketing campaign to recruit new affiliates. It claims to offer the fastest encryption on the ransomware market. LockBit 2.0 has impacted multiple industries – 52 victims are listed on the group’s leak site. Its victims include organizations in the U.S., Mexico, Belgium, Argentina, Malaysia, Australia, Brazil, Switzerland, Germany, Italy, Austria, Romania and the U.K.
