Thursday, November 2nd, 2023
Cybersecurity Week in Review (03/11/2023)
HelloKitty Ransomware Group Exploiting Apache ActiveMQ Vulnerability
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution.
In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations. Based on the ransom note and available evidence, the activity has been attributed to the HelloKitty ransomware family, whose source code was leaked on a forum in early October.
The intrusions are said to involve the exploitation of CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ that allows a threat actor to run arbitrary shell commands. It’s worth noting that the vulnerability carries a CVSS score of 10.0, indicating maximum severity. It has been addressed in ActiveMQ versions 5.15.16, 5.16.7, 5.17.6, or 5.18.3 released late last month.
The vulnerability affects the following versions –
- Apache ActiveMQ 5.18.0 before 5.18.3
- Apache ActiveMQ 5.17.0 before 5.17.6
- Apache ActiveMQ 5.16.0 before 5.16.7
- Apache ActiveMQ before 5.15.16
- Apache ActiveMQ Legacy OpenWire Module 5.18.0 before 5.18.3
- Apache ActiveMQ Legacy OpenWire Module 5.17.0 before 5.17.6
- Apache ActiveMQ Legacy OpenWire Module 5.16.0 before 5.16.7
- Apache ActiveMQ Legacy OpenWire Module 5.8.0 before 5.15.16
Since the bugs’ disclosure, a proof-of-concept (PoC) exploit code and additional technical specifics have been made publicly available, the behavior observed in the two victim networks is “similar to what would be expected from exploitation of CVE-2023-46604.
Successful exploitation is followed by the adversary attempting to load remote binaries named M2.png and M4.png using the Windows Installer (msiexec).
Both the MSI files contain a 32-bit .NET executable named dllloader that, in turn, loads a Base64-encoded payload called EncDLL that functions akin to ransomware, searching and terminating a specific set of processes before commencing the encryption process and appending the encrypted files with the “.locked” extension.
The Shadowserver Foundation said it found 3,326 internet-accessible ActiveMQ instances that are susceptible to CVE-2023-46604 as of November 1, 2023. A majority of the vulnerable servers are located in China, the U.S., Germany, South Korea, and India.
In light of the active exploitation of the flaw, users are recommended to update to the fixed version of ActiveMQ as soon as possible and scan their networks for indicators of compromise.
Source – https://thehackernews.com/2023/11/hellokitty-ransomware-group-exploiting.html
Boeing Confirms Impact From ‘Cyber Incident,’ Vanishes From LockBit Ransom List
The Boeing Company has confirmed that some operations have been impacted due to a ‘cyber incident’ previously claimed by the LockBit ransom gang. This comes as the company and its logo have mysteriously disappeared off LockBit’s official victim leak page.
“We are aware of a cyber incident impacting elements of our parts and distribution business,” a Boeing spokesperson stated Wednesday evening.
The spokesperson made it clear that the cyber issue “does not affect flight safety.”
“We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and suppliers,” the Boeing spokesperson concluded.
The so-called “cyber incident” was claimed by the LockBit ransomware group on its dark leak site October 27th. The company of nearly 150 thousand employees worldwide was given a deadline of six days to make contact with LockBit before the gang said it would publish all the data it had stolen in the alleged attack.
The Russian-linked threat actors did not say how much data it may have, but did claim it had a “tremendous amount.”
LockBit also said it was purposefully not providing leak samples of the data on its site – as is normally the case with ransomware crooks – “to protect” Boeing.
In an update to the story, sometime between October 30th and October 31st, Boeing was removed from LockBit’s leak page, leading to industry speculation that the US-based commercial jetliner manufacturer and military defense contractor has entered into negotiations with the group.
There is no word from either side about a possible ransom demand and/or what amount of money, if any, has been asked of Boeing or paid to LockBit.
According to the malware repository vx-underground, attackers say they breached the company via a zero-day exploit, with no other details about the purported attack. The researchers also noted that Lockbit gave Boeing only six days to make contact, while typically victim’s are given ten day to reach out to cybercriminals.
The LockBit group was first clocked by security insiders sometime late 2019. Since then, the gang has topped many lists in terms of victimized organizations. The threat actors are said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.
The gang’s evasive ransomware variant LockBit 3.0 shares similarities with two other Russian-linked ransomware; BlackMatter and BlackCat (ALPHV/BlackCat), according to the US department of Justice.
Source – https://cybernews.com/news/boeing-confirms-cyber-attack-lockbit-ransom/
Iran’s MuddyWater Targets Israel in New Spear-Phishing Cyber Campaign
The Iranian nation-state actor known as MuddyWater has been linked to a new spear-phishing campaign targeting two Israeli entities to ultimately deploy a legitimate remote administration tool from N-able called Advanced Monitoring Agent.
The campaign exhibits updated TTPs to previously reported MuddyWater activity, which has, in the past, used similar attack chains to distribute other remote access tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.
While the latest development marks the first time MuddyWater has been observed using N-able’s remote monitoring software, it also underscores the fact that the largely unchanged modus operandi continues to yield some level of success to the threat actor.
The state-sponsored group is a cyber espionage crew that’s said to be a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS), joining other MOIS-affiliated clusters like OilRig, Lyceum, Agrius, and Scarred Manticore. It has been active since at least 2017.
Prior attack sequences have entailed sending spear-phishing emails with direct links as well as HTML, PDF, and RTF attachments containing links to archives hosted on various file-sharing platforms that ultimately drop one of the aforementioned remote administration tools.
The latest tactics and tools represent in some ways a continuation, and in other ways an evolution, for the group variously known as Mango Sandstorm and Static Kitten. What’s different this time around is the use of a new file-sharing service called Storyblok to initiate a multi-stage infection vector.
It contains hidden files, an LNK file that initiates the infection, and an executable file designed to unhide a decoy document while executing Advanced Monitoring Agent, a remote administration tool. After the victim has been infected, the MuddyWater operator will connect to the infected host using the legitimate remote administration tool and will start doing reconnaissance on the target.
The lure document displayed to the victim is an official memo from the Israeli Civil Service Commission, which can be publicly downloaded from its official website.
In a further sign of Iran’s fast improving malicious cyber capabilities, the MuddyWater actors are also leveraging a new command-and-control (C2) framework called MuddyC2Go, a successor to MuddyC3 and PhonyC2.
Source – https://thehackernews.com/2023/11/irans-muddywater-targets-israel-in-new.html
Ransomware Crooks SIM Swap Medical Research Biz Execs, Threaten to Leak Stolen Data
Ransomware crooks claim they’ve stolen data from a firm that helps other organizations run medical trials after one of its executives had their cellphone number and accounts hijacked.
It is understood one or more people close to or affiliated with the notorious Alphv, aka BlackCat, extortion gang managed to get into a work account of an exec at Advarra and may have copied out at least some information from the business. This was done by SIM swapping the victim – transferring their cellphone number to a SIM controlled by the criminals, who could then receive and use one-time authentication codes to change account passwords, login, and root around in profiles and documents.
This is why it is recommended not to use text message or call-based methods for authentication and password resets.
The intruders earlier claimed on Alphv’s official dark-web site to have stolen from Advarra more than 120GB of confidential data concerning customers, patients, and employees – both past and present. If a ransom demand is not paid, the thieves may leak or sell that information, presumably. Whether the crims actually managed to make off with that data has yet to be confirmed.
Alongside their data-theft claim, the attackers shared some people’s personal info in an attempt to prove the intrusion did indeed occur: a file containing the name, date of birth, and social security number of a 17-year-old in the US, and the passport scan of an Advarra executive. They also alleged a senior manager at Advarra contacted the gang telling them to, in harsher terms, go screw.
Those boasts have since vanished from the dark-web site, and it is believed the aforementioned alleged interaction never actually occurred. All the leak site says now is: “Advarra must reach out within 24 hours, or this will post will reflect the exfiltrated data in its entirety.”
The gang earlier warned: “This is their last chance to reach out to us before we leak the data. Patients from clinical research studies are also affected.”
Based in Columbia, Maryland, Advarra provides services to those carrying out medical research and clinical trials.
A spokesperson stated: “An Advarra colleague was the victim of a compromise of their phone number. The intruder used this to access some of the employee’s accounts, including LinkedIn, as well as their work account.”
The rep went on, playing down the extent of the claimed intrusion:
We have taken containment actions to prevent further access and are investigating with third-party cyber experts. We also notified federal law enforcement. At this time we believe the matter is contained. We further believe that the intruder never had access to our clients’ or partners’ systems and it is safe to connect to Advarra’s systems.
Importantly, we have no evidence that the Advarra systems and products that clients use to interface with us were compromised or accessed. At this time, our business operations have not been disrupted as a result of this activity and we continue to operate as normal. In addition, we continue to take steps to enhance the overall security of our systems in line with industry best practices.
They added its “investigation remains ongoing, and we will provide additional updates as appropriate.”
Word of the alleged attack on Advarra comes just days after Alphv criminals leaked 8.6TB worth of data from another US healthcare organization. Morrison Community Hospital in Illinois was posted by the group on October 13 and like Advarra, reportedly refused to negotiate with the group.
Some ransomware groups have historically been known to operate with a claimed degree of morality. Attacks on hospitals, for example, were reversed due to those institutions being perceived as off limits, while others, including BlackCat, have shown no such remorse.
Hackers Exploit Recent F5 BIG-IP Flaws in Stealthy Attacks
F5 is warning BIG-IP admins that devices are being breached by “skilled” hackers exploiting two recently disclosed vulnerabilities to erase signs of their access and achieve stealthy code execution.
F5 BIG-IP is a suite of products and services offering load balancing, security, and performance management for networked applications. The platform has been widely adopted by large enterprises and government organizations, making any flaws in the product a significant concern.
Last week, F5 urged admins to apply available security updates for two newly discovered vulnerabilities:
- CVE-2023-46747 – Critical (CVSS v3.1 score: 9.8) authentication bypass flaw allowing an attacker to access the Configuration utility and perform arbitrary code execution.
- CVE-2023-46748 – High-severity (CVSS v3.1 score: 8.8) SQL injection flaw allowing authenticated attackers with network access to the Configuration utility to execute arbitrary system commands.
On October 30, the software vendor updated the bulletins for CVE-2023-46747 and CVE-2023-46748 to alert about active exploitation in the wild.
“This information is based on the evidence F5 has seen on compromised devices, which appear to be reliable indicators,” reads the update on the bulletin.
“It is important to note that not all exploited systems may show the same indicators, and, indeed, a skilled attacker may be able to remove traces of their work.”
“It is not possible to prove a device has not been compromised; when there is any uncertainty, you should consider the device compromised.”
CISA (Cybersecurity & Infrastructure Security Agency) has added the two vulnerabilities to its KEV (Known Exploited Vulnerabilities) catalog, urging federal government agencies to apply the available updates until November 21, 2023.
Impacted and fixed versions are given below:
- 17.1.0 (affected), fixed on 17.1.0.3 + Hotfix-BIGIP-17.1.0.3.0.75.4-ENG and later
- 16.1.0 – 16.1.4 (affected), fixed on 16.1.4.1 + Hotfix-BIGIP-16.1.4.1.0.50.5-ENG and later
- 15.1.0 – 15.1.10 (affected), fixed on 15.1.10.2 + Hotfix-BIGIP-15.1.10.2.0.44.2-ENG and later
- 14.1.0 – 14.1.5 (affected), fixed on 14.1.5.6 + Hotfix-BIGIP-14.1.5.6.0.10.6-ENG and later
- 13.1.0 – 13.1.5 (affected), fixed on 13.1.5.1 + Hotfix-BIGIP-13.1.5.1.0.20.2-ENG and later
F5 has also published a script that helps mitigate the RCE flaw, the usage instructions for which can be found here. They have observed threat actors using the two flaws in combination, so even applying the mitigation for CVE-2023-46747 could be enough to stop most attacks.
IoCs concerning CVE-2023-46748 specifically are entries in the /var/log/tomcat/catalina.out file that have the following form:
{…}
java.sql.SQLException: Column not found: 0.
{…)
sh: no job control in this shell
sh-4.2$ <EXECUTED SHELL COMMAND>
sh-4.2$ exit.
Given that attackers can erase their tracks using these flaws, BIG-IP endpoints that haven’t been patched until now should be treated as compromised. Out of an abundance of caution, admins of exposed BIG-IP devices should proceed straight to the clean-up and restoration phase.
800m Indians Reportedly Exposed in Massive Data Breach
Highly sensitive personal information belonging to more than 800 million Indians is being offered online for $80,000. Over half of more than 1.4 billion people in the world’s most populous nation may have been affected by the alleged breach, which could be India’s biggest if confirmed.
The personal data offered online reportedly includes Aadhaar biometric ID cards and passport information, as well as names, phone numbers, and addresses.
Aadhaar is the world’s largest biometric ID system, with an estimated number of 1.4 billion cards issued by government authorities since the program’s launch in 2009. The cards hold biometric information such as fingerprints and iris scans.
Both citizen and non-citizen residents of India can be issued an Aadhaar card, which is voluntary but can function as a digital ID for online payments. There are also plans to link it with voter registration, and 60% of India’s 945 million eligible voters have already done so.
According to Indian media reports, the data was extracted from COVID-19 test details of citizens registered with the Indian Council of Medical Research (ICMR), the country’s leading medical research institution.
As reported by The Hindu, a Chennai-based daily, the ICMR has faced multiple cyberattacks since February. In June, a Telegram chat allowed people to fetch entries from the CoWIN vaccination portal’s database, potentially leading to the Aadhaar or passport number leak, it said.
At the time, India’s government denied reports of the leak, which experts described as potentially one of the country’s worst digital security breaches. The episode is reportedly being probed.
A spike in incidents involving Aadhaar IDs has recently been observed creating a significant risk of digital identity theft, with the potential to leverage the stolen information in cyber-enabled financial crimes, such as online banking or tax refund frauds.
Source – https://cybernews.com/news/800-million-indians-data-breach/
Iranian Cyber Espionage Group Targets Financial and Government Sectors in Middle East
A threat actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been observed waging a sophisticated cyber espionage campaign targeting financial, government, military, and telecommunications sectors in the Middle East for at least a year.
The campaign is being tracked under the name Scarred Manticore, which is said to closely overlap with an emerging cluster dubbed Storm-0861, one of the four Iranian groups linked to destructive attacks on the Albanian government last year.
Victims of the operation span various countries such as Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.
Scarred Manticore also exhibits some degree of overlap with OilRig, another Iranian nation-state crew that was recently attributed to an attack on an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign.
Another set of tactical overlaps have been discovered between the adversary and an intrusion set codenamed ShroudedSnoope. Attack chains orchestrated by the threat actor have singled out telecom providers in the Middle East using a stealthy backdoor known as HTTPSnoop.
The activity represented by Scarred Manticore is characterized by the use of a previously unknown passive malware framework referred to as LIONTAIL that’s installed on Windows servers. The threat actor is believed to be active since at least 2019.
An advanced piece of malware, LIONTAIL is a collection of custom shellcode loaders and memory resident shellcode payloads. A noteworthy component of the framework is a lightweight-yet-sophisticated implant written in C that enables attackers to execute commands remotely via HTTP requests.
The attack sequences entail infiltrating publicly facing Windows servers to kick off the malware delivery process and systematically harvest sensitive data from infected hosts.
“Instead of using the HTTP API, the malware uses IOCTLs to interact directly with the underlying HTTP.sys driver,” the researchers said, detailing the command-and-control (C2) mechanism.
“This approach is stealthier as it doesn’t involve IIS or HTTP API, which are usually closely monitored by security solutions, but is not a straightforward task given that the IOCTLs for HTTP.sys are undocumented and require additional research efforts by the threat actors.”
From a technical standpoint, one intriguing facet of the operation is that the threat actor employs a tailor-made implant for each compromised server, allowing the malicious activities to blend into the victim environment and make it hard to distinguish between suspicious and legitimate network traffic. Also deployed alongside LIONTAIL include various web shells and a web forwarder tool called LIONHEAD, a web forwarder.
Historical activity of Scarred Manticore indicates a continuous evolution of the group’s malware arsenal, what with the threat actor previously relying on web shells such as Tunna and a bespoke version called FOXSHELL for backdoor access.
Since mid-2020, the threat actor is also said to have used a .NET-based passive backdoor called SDD that establishes C2 communication through an HTTP listener on the infected machine with the ultimate goal of executing arbitrary commands, uploading and downloading files, and running additional .NET assemblies.
The progressive updates to the threat actor’s tactics and tools is typical of advanced persistent threat (APT) groups and demonstrates their resources and varied skills. This is best exemplified by Scarred Manticore’s use of a malicious kernel driver called WINTAPIX that was uncovered by Fortinet earlier this May.
In a nutshell, WinTapix.sys acts as a loader to execute the next stage of the attack, injecting an embedded shellcode into a suitable user mode process that, in turn, executes an encrypted .NET payload specifically designed to target Microsoft Internet Information Services (IIS) servers.
The targeting of Israel comes amid the ongoing Israel-Hamas war, prompting low-sophistication hacktivist groups to attack various organizations in the country, as well as nations like India and Kenya, suggesting nation-state actors’ reliance on information operations aimed at influencing the global perception of the conflict.
The U.S. Federal Bureau of Investigation (FBI), in a statement to the Senate Committee on Homeland Security and Governmental Affairs (HSGAC) earlier this week, warned that the situation has the potential to worsen the “cyber targeting of American interests and critical infrastructure” by Iran and non-state actors alike.
Source – https://thehackernews.com/2023/11/iranian-cyber-espionage-group-targets.html
Summit Health Network Hit by Possible Ransom Attack
The northeast healthcare network Summit Health of thousands of medical providers has allegedly also been breached in an attack by the LockBit ransomware gang.
Summit Health consists of more than 370 locations throughout the New York, New Jersey, Pennsylvania, and Connecticut region, plus has nine other medical clinics located in Central Oregon.
Besides the thousands of patients seen through its urgent care, specialty and primary offices, Summit network includes more than 2,800 medical providers. The company has around 13,000 employees whose data could be at risk.
The LockBit ransomware gang posted the healthcare conglomerate on its dark leak site Wednesday afternoon. According to LockBit, Summit Health has until November 8th to make contact and begin negotiations. Otherwise, the Russian-linked ransomware gang says it will publish all available data.
Lockbit did not disclose how much data or the categories of sensitive information it may have exfiltrated from the healthcare entity.
The healthcare conglomerate also runs its own charitable organization Summit Health Cares, which provides free health screenings and education to underserved communities across New York, New Jersey, and Oregon. Part of its mission includes supporting cancer patients and their families by offering resources and personalized navigation services, according to the company.
The company is a subsidiary of the nationwide primary care platform provider Village MD.
Besides Summit Health, Village MD also owns the NY/NJ urgent care network CityMD, and the in-home primary care network Village Medical, and Village Medical at Home with locations in about a dozen US states.
The LockBit group first appeared on the ransomware scene sometime in late 2019, according to industry insiders. Since then, the gang has climbed to the top of the food chain, topping many lists in terms of victimized organizations.
LockBit is said to have executed over 1,400 attacks against victims in the US and around the world, including Asia, Europe, and Africa.
The gang’s notorious ransomware variant LockBit 3.0 – also known as LockBit Black – is now in its third iteration and is considered the most evasive version of all previous strains, a US Department of Justice report said. The variant also happens to share similarities with two other Russian-linked ransomware; BlackMatter and BlackCat (ALPHV/BlackCat), the DOJ said.
Source – https://cybernews.com/news/summit-health-lockbit-ransomware-/
Hackers use Citrix Bleed Flaw in Attacks on Govt Networks Worldwide
Threat actors are leveraging the ‘Citrix Bleed’ vulnerability, tracked as CVE-2023-4966, to target government, technical, and legal organizations in the Americas, Europe, Africa, and the Asia-Pacific region.
Researchers report that four ongoing campaigns target vulnerable Citrix NetScaler ADC and Gateway appliances, with attacks underway since late August 2023. They have seen post-exploitation activity related to credential theft and lateral movement, warning that exploitation leaves behind limited forensic evidence, making these attacks particularly stealthy.
The Citrix Bleed CVE-2023-4966 vulnerability was disclosed on October 10 as a critical severity flaw impacting Citrix NetScaler ADC and NetScaler Gateway, allowing access to sensitive information on the devices.
A week after a fix was made available, it was revealed that the flaw was a zero-day under active exploitation since late August, with hackers leveraging it to hijack existing authenticated sessions and bypass multifactor protection.
Attackers used specially crafted HTTP GET requests to force the appliance to return system memory contents, which include a valid Netscaler AAA session cookie issued post-authentication and after MFA checks.
Hackers who steal these authentication cookies can then access the device without performing an MFA verification again.
Citrix followed up with a second warning to admins, urging them to secure their systems against the ongoing attacks, which were low-complexity and didn’t require any user interaction.
On October 25, researchers released a proof-of-concept (PoC) exploit demonstrating how to hijack a NetScaler account via session token theft.
The lack of logging on the appliances makes investigating the exploitation of CVE-2023-3966 challenging, requiring web application firewalls (WAF) and other network traffic monitoring appliances to log traffic and determine if a device was exploited.
Unless a network uses this type of monitoring before an attack, it prevents any historical analysis and limits researchers to real-time observations.
Even post-exploitation, the attackers remain stealthy, employing living-off-the-land techniques and common administrative tools like net.exe and netscan.exe to blend with daily operations.
Researchers were able to identify exploitation attempts and session hijacking via one of the following pathways:
- WAF request analysis: Requests to the vulnerable endpoint can be logged by WAF tools.
- Login patterns monitoring: Client and source IP address mismatches and multiple sessions from the same IP address written in ns.log files are signs of potential unauthorized access.
- Windows Registry correlation: Correlating Windows Registry entries on Citrix VDA systems with ns.log data makes it possible to trace the attacker’s origin.
- Memory dump inspection: NSPPE process memory core dump files can be analyzed for unusually long strings containing repetitive characters, which may indicate exploitation attempts.
After exploiting CVE-2023-4966, the attackers engaged in network reconnaissance, stealing account credentials and moving laterally via RDP.
The tools the threat actors use at this phase are the following:
- net.exe – Active Directory (AD) reconnaissance
- netscan.exe – internal network enumeration.
- 7-zip – create an encrypted segmented archive for compressing reconnaissance data
- certutil – encode (base64) and decode data files and deploy backdoors
- e.exe and d.dll – load into the LSASS process memory and create memory dump files
- sh3.exe – run the Mimikatz LSADUMP command for credential extraction
- FREEFIRE – novel lightweight .NET backdoor using Slack for command and control
- Atera – Remote monitoring and management
- AnyDesk – Remote desktop
- SplashTop – Remote desktop
Although many of the above are commonly found in enterprise environments, their combined deployment may be a sign of compromise, and tools like FREEFIRE are clear indications of a breach.
The researchers have released a Yara rule that can be used to detect FREE FIRE on a device. The four threat actors that exploit CVE-2023-4966 in various campaigns show some overlap in the post-exploitation stage. All four extensively used csvde.exe, certutil.exe, local.exe, and nbtscan.exe, while two activity clusters were seen using Mimikatz.
Applying the available security updates does not address existing breaches, and thus, a full incident response is required.
Massive Cybercrime URL Shortening Service Uncovered via DNS Data
An actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected. In less than a month, Prolific Puma has registered thousands of domains, many on the U.S. top-level domain (usTLD), to help with the delivery of phishing, scams, and malware.
Researchers first observed Prolific Puma activity six months ago, after detecting a registered domain generation algorithm (RDGA) to create the domain names for the malicious URL shortening service. Using specialized DNS detectors, they were able to track the malicious network as it evolved and abused the usTLD to facilitate crime on the internet.
Because of the nature of link shortening services, they could track the short links but not the final landing page, despite detecting a large number of interconnected domains exhibiting suspicious behavior.
Some of the short links from Prolific Puma led directly to the final destination but others pointed to multiple redirects, even other shortened links, before getting to the landing page. There were also cases where accessing the short link took the user to a CAPTCHA challenge, likely to protect from automated scans.
Because of this inconsistency in what Prolific Puma’s short links loaded next, the researchers believe that multiple actors are using the service.
The delivery method for these links also varies and includes social media and advertisements but evidence points to text messages as the main channel.
The size of the Prolific Puma operation is impressive. The actor registered up to 75,000 unique domain names since April 2022. Looking at the unique domains in the actor’s network, the researchers saw at the beginning of the year a peak of close to 800 domains of up to four characters created in a single day.
Prolific Puma domains are spread across 13 TLDs. Since May this year, though, the actor used the usTLD for more than half of the total domains created, the daily average being 43. Since mid-October, the researchers noticed closed to 2,000 domains in the usTLD indicating Prolific Puma activity that are behind private registration protection.
It is worth mentioning that private registrations is not permitted in the .US namespace under the current policy and the registrant is required to provide accurate and true information. Furthermore, registrars have an obligation to not offer private domain registrations to .US domain name registrants.
Typically, Prolific Puma domains are alphanumeric, pseudo-random, and vary in size, three or four-character ones being the most common. However, the researchers observed domains as long as seven characters. Examples of 3 to 4 characters long domains registered by Prolific Puma on different TLDs
In the last three years, the actor used hosting mainly from NameSilo, a cheap internet domain registrar that is often abused by cybercriminals, that offers an API for bulk registration.
To avoid scrutiny and detection, Prolific Puma ages its domains by leaving them inactive or parked for a several weeks. During this period, the actor makes a few DNS queries to gain reputation.
When ready for use, the actor transfers the domains to a bulletproof hosting provider, paying in Bitcoin cryptocurrency for a virtual private server with service with a dedicated IP address.
The researchers believe that Prolific Puma only provides the short link service and does not control the landing pages but do not exclude the possibility that the same actor runs the entire operation.
Uncovering Prolific Puma started with automated analytics, which revealed a few related domains. When they deployed algorithms for RDGA discovery earlier this year, domains used were identified in groups. Another algorithm correlated the domain clusters and attributed them to a single DNS threat actor.
The report provides a set of indicators for Prolific Puma activity that includes links shortener hosting IP addresses and domains, redirection and landing pages, and an email address found in domain registration data.
SEC Charges SolarWinds and Its CISO With Fraud and Cybersecurity Failures
In a surprising development on Monday that is spooking the cybersecurity community, the Securities and Exchange Commission (SEC) filed charges against SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, alleging that the software company misled investors about its cybersecurity practices and known risks.
The charges stem from alleged fraud and internal control failures related to known cybersecurity weaknesses that took place between the company’s October 2018 initial public offering (IPO) and its December 2020 revelation of a sophisticated cyberattack dubbed “SUNBURST.”
The software supply chain cyberattack involved Russia-linked threat actors breaching SolarWinds systems in 2019, or possibly even earlier. The hackers compromised the automated build environment for the company’s Orion monitoring software, and in the spring of 2020 they pushed out malicious Orion updates to SolarWinds customers.
According to the complaint filed by the SEC, Austin, Texas-based SolarWinds and Brown are accused of deceiving investors by overstating the company’s cybersecurity practices while understating or failing to disclose known risks. The SEC alleges that SolarWinds misled investors by disclosing only vague and hypothetical risks while internally acknowledging specific cybersecurity deficiencies and escalating threats.
A key piece of evidence cited in the complaint is a 2018 internal presentation prepared by a SolarWinds engineer that was shared internally, including with Brown. The presentation stated that SolarWinds’ remote access setup was “not very secure” and that exploiting the vulnerability could lead to “major reputation and financial loss” for the company. Similarly, presentations by Brown in 2018 and 2019 indicated concerns about the company’s cybersecurity posture.
The SEC’s complaint also points to internal communications among SolarWinds employees, including Brown, in 2019 and 2020, which raised questions about the company’s ability to protect its critical assets from cyberattacks. In June 2020, Brown expressed concerns that an attacker may use SolarWinds’ software in larger attacks, noting that “our backends are not that resilient.” Additionally, a September 2020 internal document shared with Brown and others stated that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”
The SEC alleges that despite being aware of these cybersecurity risks and vulnerabilities, Brown failed to address them adequately within the company. As a result, the company was unable to provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.
SolarWinds’ incomplete disclosure about the SUNBURST attack in a December 14, 2020, Form 8-K filing resulted in a significant drop in the company’s stock price, falling approximately 25 percent over the next two days and approximately 35 percent by the end of the month.
Gurbir Grewal, Director of the SEC’s Division of Enforcement, stated, “We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company.’ Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The SEC’s complaint, filed in the Southern District of New York, charges SolarWinds and Brown with violating the antifraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934. SolarWinds is also accused of violating reporting and internal controls provisions of the Exchange Act, while Brown is alleged to have aided and abetted the company’s violations. The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.
Sudhakar Ramakrishna, President and Chief Executive Officer of SolarWinds, claims the company did maintain appropriate cybersecurity controls prior to the SUNBURST incident and said the company will “vigorously oppose this action by the SEC.”
Ramakrishna sees it as alarming that the SEC “has now filed what we believe is a misguided and improper enforcement action” against the company, which he says is a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” Ramakrishna noted in a blog post addressing the charges. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.”
“We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” a SolarWinds spokesperson told SecurityWeek. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
Pro-Hamas Hacktivists Targeting Israeli Entities with Wiper Malware
A pro-Hamas hacktivist group has been observed using a new Linux-based wiper malware dubbed BiBi-Linux Wiper, targeting Israeli entities amidst the ongoing Israeli-Hamas war.
The malware is an x64 ELF executable, lacking obfuscation or protective measures. It allows attackers to specify target folders and can potentially destroy an entire operating system if run with root permissions.
Some of its other capabilities include multithreading to corrupt files concurrently to enhance its speed and reach, overwriting files, renaming them with an extension containing the hard-coded string “BiBi” (in the format “[RANDOM_NAME].BiBi[NUMBER]”), and excluding certain file types from being corrupted.
While the string ‘bibi’ (in the filename), may appear random, it holds significant meaning when mixed with topics such as politics in the Middle East, as it is a common nickname used for the Israeli Prime Minister, Benjamin Netanyahu.
The destructive malware, coded in C/C++ and carrying a file size of 1.2 MB, allows the threat actor to specify target folders via command-line parameters, by default opting for the root directory (“/”) if no path is provided. However, performing the action at this level requires root permissions.
Another notable aspect of BiBi-Linux Wiper is its use of the nohup command during execution so as to run it unimpeded in the background. Some of the file types that are skipped from being overwritten are those with the extensions .out or .so.
The development comes as it was revealed that the suspected Hamas-affiliated threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, Gaza Cyber Gang, and Molerats) is likely organized as two sub-groups, with each cluster focused on cyber espionage activities against Israel and Palestine, respectively.
Attack chains orchestrated by the group include social engineering and phishing attacks as initial intrusion vectors to deploy a wide variety of custom malware to spy on its victims. This comprises Micropsia, PyMicropsia, Arid Gopher, and BarbWire, and a new undocumented backdoor called Rusty Viper that’s written in Rust.
Collectively, Arid Viper’s arsenal provides diverse spying capabilities such as recording audio with the microphone, detecting inserted flash drives and exfiltrating files from them, and stealing saved browser credentials, to name just a few.
Source – https://thehackernews.com/2023/10/pro-hamas-hacktivists-targeting-israeli.html
Contact Us
The data you supply here will not be added to any mailing list or given to any third party providers without further consent. View our Privacy Policy for more information.