Thursday, October 5th, 2023
Cybersecurity Week in Review (06/10/2023)
Atlassian Confluence Hit by New Actively Exploited Zero-Day
Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances.
The vulnerability, tracked as CVE-2023-22515, is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers.
It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue.
The enterprise software services provider said it was made aware of the issue by “a handful of customers.” It has been addressed in the following versions of Confluence Data Center and Server –
- 8.3.3 or later
- 8.4.3 or later, and
- 8.5.2 (Long Term Support release) or later
The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability.
Customers who are unable to apply the updates are advised to restrict external network access to the affected instances.
“Additionally, you can mitigate known attack vectors for this vulnerability by blocking access to the /setup/* endpoints on Confluence instances,” Atlassian said. “This is possible at the network layer or by making the following changes to Confluence configuration files.”
The company has also provided the following indicators of compromise (IoCs) to determine if an on-premise instance has been potentially breached –
- unexpected members of the confluence-administrator group
- unexpected newly created user accounts
- requests to /setup/*.action in network access logs
- presence of /setup/setupadministrator.action in an exception message in atlassian-confluence-security.log in the Confluence home directory
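A triage script for the indicators above, added here as an example (it is not Atlassian's tooling): it scans access-log lines for requests to /setup/*.action, scans security-log lines for the setupadministrator.action exception, and compares the current confluence-administrator membership against an expected list. The log lines and group members in it are constructed samples, and the access-log layout (client IP as the first field) is an assumption about your reverse proxy or Tomcat access log.

```python
"""Triage helper for the CVE-2023-22515 indicators Atlassian published.

Added example, not Atlassian's code. Inputs are constructed sample lines,
not real traffic or real logs.
"""
import re
from typing import Iterable

# Any request path of the form /setup/<name>.action (query string allowed after it).
SETUP_ACTION_RE = re.compile(r"/setup/[^\s\"?]*\.action")
# The exception-message indicator for atlassian-confluence-security.log.
SETUPADMIN_MARKER = "/setup/setupadministrator.action"


def find_setup_requests(access_log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client_ip, path) for every request that hit /setup/*.action."""
    hits = []
    for line in access_log_lines:
        m = SETUP_ACTION_RE.search(line)
        if m:
            client_ip = line.split(" ", 1)[0]  # assumption: combined-log style, IP first
            hits.append((client_ip, m.group(0)))
    return hits


def find_setupadmin_exceptions(security_log_lines: Iterable[str]) -> list[str]:
    """Return security-log lines whose exception message names setupadministrator.action."""
    return [line for line in security_log_lines if SETUPADMIN_MARKER in line]


def unexpected_admins(current_members: Iterable[str], expected: Iterable[str]) -> set[str]:
    """Members of confluence-administrator that are not on the approved list."""
    return set(current_members) - set(expected)


def triage(access_log, security_log, admin_members, expected_admins) -> dict:
    """Run all three checks and return the findings in one report."""
    return {
        "setup_requests": find_setup_requests(access_log),
        "setupadmin_exceptions": find_setupadmin_exceptions(security_log),
        "unexpected_admins": unexpected_admins(admin_members, expected_admins),
    }


# Constructed sample data (not captured from a real instance).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [03/Oct/2023:10:01:12 +0000] "GET /setup/setupadministrator.action HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Oct/2023:10:02:01 +0000] "GET /login.action HTTP/1.1" 200 2048',
    '203.0.113.7 - - [03/Oct/2023:10:02:30 +0000] "POST /setup/finishsetup.action HTTP/1.1" 302 0',
]
SAMPLE_SECURITY_LOG = [
    "2023-10-03 10:01:12,455 ERROR [http-nio-8090-exec-4] exception while handling /setup/setupadministrator.action",
    "2023-10-03 10:05:00,000 INFO  [http-nio-8090-exec-1] successful login for user admin",
]
SAMPLE_ADMIN_GROUP = ["admin", "wikiadmin2"]   # "wikiadmin2" stands in for an account nobody created
EXPECTED_ADMINS = ["admin"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_ACCESS_LOG, SAMPLE_SECURITY_LOG,
                             SAMPLE_ADMIN_GROUP, EXPECTED_ADMINS).items():
        print(f"{key}: {value}")
```

Any non-empty result in the report is a reason to follow Atlassian's advice above and isolate the host; an empty report is not proof of a clean instance, since the listed indicators cover only the known attack path.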
“If it is determined that your Confluence Server/DC instance has been compromised, our advice is to immediately shut down and disconnect the server from the network/Internet,” Atlassian said.
“Also, you may want to immediately shut down any other systems which potentially share a user base or have common username/password combinations with the compromised system.”
With flaws in Atlassian Confluence instances widely exploited by threat actors in the past, it’s recommended that customers update to a fixed version immediately, or implement appropriate mitigations.
Source – https://thehackernews.com/2023/10/atlassian-confluence-hit-by-newly.html?m=1
Hundreds of Malicious Python Packages Found Stealing Sensitive Data
A malicious campaign that researchers observed growing more complex over the past half year has been planting hundreds of info-stealing packages on open-source platforms, with roughly 75,000 downloads between them. The campaign has been monitored since early April by analysts who found 272 packages containing code to steal sensitive data from targeted systems.
The attack has evolved significantly since it was first identified, with the package authors implementing increasingly more sophisticated obfuscation layers and detection evading techniques.
The researchers say they started seeing the pattern “within the Python ecosystem starting from early April 2023.” One example given is the package’s “__init__.py” file, which runs its payload only after checking that it is on a target system and not in a virtualized environment, a typical sign of a malware analysis host.
Once it launches, it targets the following information on the infected systems:
- Antivirus tools running on the device.
- Tasks list, Wi-Fi passwords, and system information.
- Credentials, browsing history, cookies, and payment information stored on web browsers.
- Data in cryptocurrency wallet apps like Atomic and Exodus.
- Discord badges, phone numbers, email addresses, and nitro status.
- Minecraft and Roblox user data.
Additionally, the malware can take screenshots and steal individual files from directories such as Desktop, Pictures, Documents, Music, Videos, and Downloads on the compromised system.
The victim’s clipboard is also monitored constantly for cryptocurrency addresses, and the malware swaps them with the attacker’s address to divert payments to wallets under their control.
The analysts estimate that the campaign has directly stolen approximately $100,000 in cryptocurrency.
The malware used in this campaign goes a step further than typical info-stealing operations, manipulating application data to deal a more decisive blow. For example, the Electron archive of the Exodus cryptocurrency wallet app is replaced to alter core files, letting the attackers bypass Content Security Policy and exfiltrate data. On Discord, if certain settings are enabled, the malware injects JavaScript code that executes when the client restarts.
The malware also runs a PowerShell script in an elevated terminal to modify the Windows hosts file so that security products on the breached device cannot contact their servers. According to the researchers, the malicious code in the April packages was clearly visible, since it was plain text.
In May, though, the package authors started adding encryption to hinder analysis, and in August the researchers noticed that multi-layer obfuscation had been added to the packages.
In a separate report, it was mentioned that two of the most recent packages used no less than 70 layers of obfuscation. Also in August, the malware developers included the capability to turn off antivirus products, added Telegram to the list of targeted apps, and introduced a fallback data exfiltration system.
The researchers warn that open-source communities and developer ecosystems remain susceptible to supply chain attacks: threat actors upload malicious packages daily to widely used repositories and version control systems such as GitHub, and to package registries like PyPI and npm. Users are advised to scrutinize the projects and package publishers they trust and to be vigilant about typosquatted package names.
US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform
A recent phishing campaign targeting executives in senior roles has been exploiting an open redirection vulnerability in the Indeed website.
Headquartered in the US, Indeed is a popular worldwide job search platform, which claims to have more than 350 million unique visitors each month, and more than 14,000 employees globally.
Given its high popularity, the platform is seen as a trusted source by phishing prevention products, and the newly identified phishing campaign shows how threat actors can abuse that trust.
Starting July 2023, adversaries have been observed exploiting an open redirection flaw in the indeed.com website to take victims to a phishing page designed to steal their Microsoft credentials.
The attacks were mainly focused on C-suite employees and other executives at banking and financial services, insurance, property management and real estate, and manufacturing organizations, mainly in the US.
As part of the attack, the victim would receive a phishing email containing a link seemingly taking the recipient to indeed.com. When clicking the link, however, the victim would be taken to a fake Microsoft login page deployed using the EvilProxy phishing framework.
Fetching all page content dynamically from the legitimate Microsoft domain, the phishing kit acts as a reverse proxy, allowing the attacker to intercept the victim’s credentials before they are sent to the actual login page.
Furthermore, the phishing kit also steals the victim’s session cookies, which the attacker can then use to impersonate the victim and access their Microsoft account, bypassing some multi-factor authentication (MFA) mechanisms.
The attack relied on the fact that the indeed.com website could be abused to redirect visitors to an untrusted external resource.
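Open redirects usually come from a “next” or “return” parameter that is trusted after a superficial check. The following is an added example (it is not Indeed's code and says nothing about how indeed.com validated its parameter): the weak pattern that accepts anything starting with “/”, beside a hardened version that resolves the target against the site's own origin and only emits the normalized URL when the host is allowlisted. SITE_ORIGIN and the allowed host are assumed placeholder values.

```python
"""Open redirect: the weak 'starts with /' check beside a hardened validator.

Added example, not Indeed's code. SITE_ORIGIN and the allowed hosts are
assumed placeholders for the trusted site.
"""
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://www.example.com"            # assumed trusted site
ALLOWED_HOSTS = frozenset({"www.example.com"})     # assumed allowlist (exact netloc match)


def redirect_target_weak(next_url: str) -> str:
    """Vulnerable: '//evil.example/login' also starts with '/', and the browser
    treats a protocol-relative Location as an external URL."""
    if next_url.startswith("/"):
        return next_url
    return "/"


def redirect_target_safe(next_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Accept only targets that resolve to an allowed host over https; otherwise fall back to '/'.

    The resolved absolute URL is returned, never the raw parameter, so forms
    the browser would interpret differently from urllib ('///evil.example',
    'https:evil.example') end up as paths on our own origin.
    """
    if not next_url or "\\" in next_url or any(c in next_url for c in "\r\n\x00"):
        return "/"   # backslashes become '/' in browsers; CR/LF/NUL are header-splitting material
    resolved = urljoin(SITE_ORIGIN + "/", next_url)
    parts = urlsplit(resolved)
    # Compare the full netloc, so 'www.example.com@evil.example' and odd ports are rejected too.
    if parts.scheme != "https" or parts.netloc.lower() not in allowed_hosts:
        return "/"
    return resolved


if __name__ == "__main__":
    for probe in ["/jobs?q=ciso", "//evil.example/login", "https://evil.example/",
                  "/\\evil.example", "javascript:alert(1)",
                  "https://www.example.com@evil.example/", "https:evil.example"]:
        print(f"{probe!r:45} weak -> {redirect_target_weak(probe)!r:28} safe -> {redirect_target_safe(probe)!r}")
```

The two properties worth keeping when adapting this are the allowlist on the resolved host (not a prefix or substring check on the raw string) and returning the resolved URL rather than echoing the parameter, since the latter is what lets parser differences between your framework and the browser turn a “relative” path into an external redirect.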
As part of the campaign, the attackers were seen using the subdomain ‘lmo.’ and hosting their phishing pages on nginx servers that could act as reverse proxies.
The observed malicious activity has been reported to Indeed, but it is unclear whether the employment website has addressed it. An Indeed spokesperson has yet to respond to an inquiry on the matter.
“Account compromise only forms the preliminary stages of an attack chain that could possibly end up in a Business Email Compromise, where the potential impact could range from identity theft, intellectual property theft and massive financial losses,” Menlo notes.
A similar phishing campaign, targeting executives at over 100 organizations using the EvilProxy phishing tool has also been reported. In those attacks, cybercriminals leveraged other legitimate services, such as YouTube, for redirections.
Hackers Attack US Healthcare Giant, More Than 190K People Affected
Prospect Medical Holdings has confirmed that it was hacked, with close to 200,000 employees, dependents and potentially patients affected.
Prospect Medical Holdings is a healthcare company operating more than 150 clinics and dozens of hospitals in Southern California, Connecticut, Pennsylvania, and Rhode Island.
In a notice sent out to affected individuals on September 29th, the company stated that an “unauthorized party gained access to its IT network.” The attack is said to have happened between July 31st and August 3rd this year.
The company’s internal investigation showed that threat actors accessed files with data pertaining to the company’s employees and their dependents. However, the company says it cannot rule out the possibility that patient data was also accessed.
The breached data may include full names and Social Security numbers. The Office of the Maine Attorney General reported that, in total, 190,492 people were affected by the hack.
The company has offered affected individuals free credit monitoring and identity theft protection services for one year.
“We take this incident very seriously and sincerely regret any concern this may cause. To help prevent something like this from happening again, we have implemented additional safeguards and technical security measures to further protect and monitor our systems,” said the company in a statement on its website.
Source – https://cybernews.com/news/prospect-medical-holdings-data-leak/
100K Exposed Systems Endanger Power, Traffic, Water Utilities
Nearly 100,000 exposed industrial control systems (ICSs) could allow attackers to take over physical infrastructure such as power grids, traffic light systems, security, and water systems, researchers say.
ICSs are a vital part of everyday modern life, controlling everything from traffic lights to water flow in municipal systems. However, according to a recent report, thousands of vital systems are exposed all over the world.
“Critical infrastructure sectors heavily rely on ICSs to control cyber-physical systems, compounding concerns that the exposed systems identified in this research could present significant risks to organizations and communities around the world,” researchers claim.
Exposed ICSs pose significant risks to organizations and communities in general since disruption of these systems could impact human safety and pose national security risks. Theoretically, attackers could alter water treatment systems or disrupt the energy supply.
Researchers studied systems communicating via the most commonly used ICS protocols, such as Modbus, KNX, BACnet, Niagara Fox, and others.
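What makes public exposure of these protocols dangerous is that the protocols themselves carry no authentication: whoever can reach the port can read and write process values. The following is an added example (not from the report) that encodes a Modbus/TCP Read Holding Registers request and a Write Single Register request exactly as a scanner or an attacker would send them to an exposed device, and decodes the reply. The response bytes are constructed, not captured from any real system.

```python
"""Modbus/TCP frames: Read Holding Registers (0x03) and Write Single Register (0x06).

Added example, not from the report. SAMPLE_RESPONSE is constructed, not a capture.
Note that neither request has a field for credentials: reachability is access.
"""
import struct

FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06


def _mbap(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_read_holding_request(transaction_id: int, unit_id: int, start_addr: int, count: int) -> bytes:
    """Ask for `count` 16-bit holding registers starting at `start_addr` (max 125 per request)."""
    if not 1 <= count <= 125:
        raise ValueError("count must be 1..125 registers")
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING, start_addr, count))


def build_write_single_register(transaction_id: int, unit_id: int, addr: int, value: int) -> bytes:
    """Write one 16-bit value; on an exposed PLC this is how a setpoint gets altered."""
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", FC_WRITE_SINGLE, addr, value & 0xFFFF))


def parse_read_holding_response(frame: bytes) -> dict:
    """Decode a 0x03 reply; exception replies (function code | 0x80) are returned, malformed ones raise."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    fc = frame[7]
    if fc & 0x80:
        return {"transaction_id": tid, "unit_id": unit, "exception_code": frame[8]}
    if fc != FC_READ_HOLDING:
        raise ValueError(f"unexpected function code {fc:#x}")
    byte_count = frame[8]
    data = frame[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("bad byte count")
    registers = list(struct.unpack(f">{byte_count // 2}H", data))
    return {"transaction_id": tid, "unit_id": unit, "registers": registers}


# Constructed reply to a 2-register read: tid 1, length 7, unit 1, fc 0x03, 4 data bytes.
SAMPLE_RESPONSE = bytes.fromhex("0001" "0000" "0007" "01" "03" "04" "0102" "0304")
# Constructed exception reply: fc 0x83, exception code 2 (illegal data address).
SAMPLE_EXCEPTION = bytes.fromhex("0001" "0000" "0003" "01" "83" "02")

if __name__ == "__main__":
    print("read request :", build_read_holding_request(1, 1, 0, 2).hex())
    print("write request:", build_write_single_register(2, 1, 0x0010, 0x1234).hex())
    print("reply        :", parse_read_holding_response(SAMPLE_RESPONSE))
    print("exception    :", parse_read_holding_response(SAMPLE_EXCEPTION))
```

The whole read request is 12 bytes and the write is the same size; there is no handshake, session or key anywhere in the exchange, which is why the report treats “reachable from the Internet” as equivalent to “controllable” and why the practical fix is network isolation and access control in front of the device rather than anything in the protocol.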
According to the report, nearly 100K ICSs are public-facing, which means attackers can pinpoint where the systems are and what they do – vital information for persistent attackers.
The US topped the list with the largest number of exposed organizations. Canada was the second most exposed nation, with Italy, the UK, and France trailing behind.
The report shows that education sector organizations had the most exposed ICSs, with technology, government, business services, and manufacturing sectors lining up further.
“Manufacturers of industrial control systems and other operational technology must take action to increase the cybersecurity of their devices. This includes improving device security prior to deployment and working with clients to ensure the proper configuration and security of already deployed devices,” the report concludes.
Source – https://cybernews.com/news/exposed-systems-endanger-power-traffic-water/
Silent Skimmer: A Year-Long Web Skimming Campaign Targeting Online Payment Businesses
A financially motivated campaign has been targeting online payment businesses in the Asia Pacific, North America, and Latin America with web skimmers for more than a year.
The activity, tracked under the name Silent Skimmer, is attributed to a Chinese-speaking actor. Prominent victims include online businesses and point-of-sale (PoS) service providers.
The campaign operators exploit vulnerabilities in web applications, particularly those hosted on Internet Information Services (IIS). Their primary objective is to compromise the payment checkout page, and swipe visitors’ sensitive payment data.
A successful initial foothold is followed by the threat actors leveraging multiple open-source tools and living-off-the-land (LotL) techniques for privilege escalation, post-exploitation, and code execution.
The attack chain leads to the deployment of a PowerShell-based remote access trojan (server.ps1) for remotely controlling the host, which in turn connects to a remote server hosting additional utilities, including download scripts, reverse proxies and Cobalt Strike beacons.
The end goal of the intrusion is to infiltrate the web server and drop a scraper in the payment checkout service by means of a web shell and stealthily capture the financial information entered by victims on the page.
An examination of the adversary’s infrastructure reveals that the virtual private servers (VPS) used for command-and-control (C2) are chosen based on the geolocation of the victims in an effort to evade detection.
The diversity of industries and regions targeted, coupled with the kind of servers breached, points to an opportunistic campaign rather than a deliberate approach.
The disclosure coincides with a recently reported pig butchering scam in which potential targets, first approached on dating apps like MeetMe, are lured into bogus cryptocurrency investment schemes, netting the actors millions in illicit profits.
What sets the latest operation apart is the use of liquidity mining lures, promising users regular income at high rates of return for investment in a liquidity pool, where the virtual assets are parked to facilitate trades on decentralized exchanges.
Source – https://thehackernews.com/2023/10/silent-skimmer-year-long-web-skimming.html
LastPass Employees and Customers Targeted in “Pervasive” Phishing Campaign
A convincing phishing campaign has targeted LastPass in two waves.
On September 13th, LastPass customers began reporting phishing attempts. Targets spanned a variety of industries and included 87 of LastPass’s own employees, in what the company called a widespread, pervasive, and convincing phishing campaign.
Victims first got emails from the address marketing@sbito.co[.]th, associated with a domain that wasn’t previously linked to malicious activity.
The email contained a link to phishing pages that were hosted on the subdomains of customer-lastpass[.]su.
“By the time the first reports started coming in from our customers, a takedown request to each respective service provider for the two suspicious domains was already underway.”
Unfortunately, the attackers registered a similar domain for credential phishing and began a second wave of attacks on September 19th. Several malicious subdomains were taken down within 16 hours of the start of that wave.
Recently, LastPass was under fire again as a well-known crypto pundit blamed the company for crypto losses. Crypto enthusiasts were reporting unexplained cryptocurrency wallet depletions and linking these crypto heists to the 2022 breaches of the widely-used password manager.
Source – https://cybernews.com/news/lastpass-phishing-campaign/
New BunnyLoader Threat Emerges as a Feature-rich Malware-as-a-service
Security researchers discovered a new malware-as-a-service (MaaS) named ‘BunnyLoader’ advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard.
The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.
The first version of BunnyLoader emerged on September 4. Since then, its developers added more functions, like multiple anti-detection mechanisms and extra info-stealing capabilities, releasing a second major version towards the end of the month.
Researchers note that BunnyLoader is quickly becoming popular among cybercriminals as a feature-rich malware available for a low price.
BunnyLoader’s command and control panel allows even low-skilled cybercriminals to set a second-stage payload, enable keylogging and credential theft, manipulate the clipboard (to steal cryptocurrency), and run remote commands on infected devices.
In a recent report, researchers say that after being executed on a compromised device, BunnyLoader creates a new value in the Windows Registry for persistence, hides its window, sets a mutex to avoid multiple instances of itself, and registers the victim into the control panel.
The malware performs several checks to determine if it’s running on a sandbox or simulated environment and throws a fake architecture incompatibility error if the result is positive.
Apart from the mentioned functions, the malware also features modules to steal data stored on web browsers (passwords, credit cards, browsing history), cryptocurrency wallets, VPNs, messaging apps, and more, essentially acting as a standard info-stealer.
All stolen data are compressed into a ZIP archive before they are exfiltrated to the threat actor’s command and control (C2) server.
According to the researchers, BunnyLoader supports writing payloads to the disk before executing them, and can also run them from the system memory (fileless) using the process hollowing technique.
Researchers monitored the malware’s development and announcements on multiple hacking forums and noticed that it went through numerous updates since its initial release.
Here’s a summary of BunnyLoader’s development timeline:
- v1.0 (Sept 4): Initial release.
- v1.1 (Sept 5): Fixed client bug, introduced log compression before upload, and added ‘pwd’ command for reverse shell.
- v1.2 (Sept 6): Enhanced stealer with browser history recovery, ngrok auth-token recovery, and supported additional Chromium browser paths.
- v1.3 (Sept 9): Added credit card recovery for 16 card types and fixed C2 bugs.
- v1.4 (Sept 10): Implemented AV evasion.
- v1.5 (Sept 11): Introduced VPN recovery to stealer, fileless loader bug fixes, and log loading optimizations.
- v1.6 (Sept 12): Added downloads history viewer and anti-sandbox techniques.
- v1.7 (Sept 15): Enhanced AV evasion.
- v1.8 (Sept 15): Implemented keylogger functionality and resolved various bugs.
- v1.9 (Sept 17): Enhanced stealer with game recovery, more Chromium browser paths, and added a desktop wallet recovery.
- v2.0 (Sept 27): Updated C2 GUI, fixed critical vulnerabilities, including SQL injection and XSS, introduced exploit attempt detection, and further optimized stealer and fileless loader functionalities.
In its current state, BunnyLoader is sold for $250, while the “private stub” version, which features stronger anti-analysis, in-memory injection, AV evasion, and additional persistence mechanisms, sells for $350.
This low price, combined with the rapid development cycle, makes BunnyLoader an attractive choice for cybercriminals seeking early-bird deals on emerging malware projects before they gain prominence and raise their prices.
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah.
The malware is designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware. The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia.
Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks.
The revelation builds on recent findings, which uncovered an OilRig phishing attack resulting in the deployment of a new variant of SideTwist malware, indicating that it’s under continuous development.
In the latest infection chain, the lure document is used to create a scheduled task for persistence and drop an executable (“Menorah.exe”) that, for its part, establishes contact with a remote server to await further instructions. The command-and-control server is currently inactive.
The .NET malware, an improved version of the original C-based SideTwist implant discovered in 2021, is armed with various features to fingerprint the targeted host, list directories and files, upload selected files from the compromised system, execute shell commands, and download files to the system.
Typical of APT groups, APT34 has vast resources and varied skills, and will likely keep customizing its routines and social engineering techniques for each targeted organization to ensure successful intrusion, stealth, and cyber espionage.
Source – https://thehackernews.com/2023/09/iranian-apt-group-oilrig-using-new.html
FBI Warns of Rising Trend of Dual Ransomware Attacks Targeting U.S. Companies
The U.S. Federal Bureau of Investigation (FBI) is warning of a new trend of dual ransomware attacks targeting the same victims, at least since July 2023.
“During these attacks, cyber threat actors deployed two different ransomware variants against victim companies from the following variants: AvosLocker, Diamond, Hive, Karakurt, LockBit, Quantum, and Royal,” the FBI said in an alert. “Variants were deployed in various combinations.”
Not much is known about the scale of such attacks, although it’s believed that they happen in close proximity to one another, ranging from anywhere between 48 hours to within 10 days.
Another notable change observed in ransomware attacks is the increased use of custom data theft, wiper tools, and malware to exert pressure on victims to pay up.
“This use of dual ransomware variants resulted in a combination of data encryption, exfiltration, and financial losses from ransom payments,” the agency said. “Second ransomware attacks against an already compromised system could significantly harm victim entities.”
It’s worth noting that dual ransomware attacks are not an entirely novel phenomenon, with instances observed as early as May 2021.
Last year, it was revealed that an unnamed automotive supplier had been hit by a triple ransomware attack comprising Lockbit, Hive, and BlackCat over a span of two weeks between April and May 2022.
Then, earlier this month, a 3AM ransomware attack was observed against an unnamed victim after an unsuccessful attempt to deliver LockBit on the target network.
The shift in tactics boils down to several contributing factors, including the exploitation of zero-day vulnerabilities and the proliferation of initial access brokers and affiliates in the ransomware landscape, who can resell access to victim systems and deploy various strains in quick succession.
Organizations are advised to strengthen their defenses by maintaining offline backups, monitoring external remote connections and remote desktop protocol (RDP) use, enforcing phishing-resistant multi-factor authentication, auditing user accounts, and segmenting networks to prevent the spread of ransomware.
Source – https://thehackernews.com/2023/09/fbi-warns-of-rising-trend-of-dual.html