
Industrial Solar Panels Face Critical RCE Bugs

Several critical Remote Code Execution (RCE) vulnerabilities have recently emerged, posing a significant threat to industrial solar panels and potentially endangering grid systems. These vulnerabilities, if exploited, could have severe consequences for energy organizations and their critical infrastructure. Security experts are raising alarms and urging immediate attention to address these vulnerabilities before they can be exploited by malicious actors.

The discovery of these critical vulnerabilities has prompted concern among industry experts. One of the primary sources of information on this issue comes from a report by Dark Reading, a leading cybersecurity news platform, which highlights the severity of the situation. According to the report, three critical RCE bugs have been identified that specifically target industrial solar panels. These bugs, if successfully exploited, could allow attackers to gain unauthorized access and control over the panels, potentially leading to widespread disruption of the power grid.

The vulnerabilities have caught the attention of prominent cybersecurity research organizations, such as Palo Alto Networks' Unit 42. In their analysis, they mention the emergence of a new variant of the infamous Mirai botnet that specifically targets Internet of Things (IoT) devices, including solar panels. This variant utilizes known exploits, including those related to the identified RCE bugs, to compromise vulnerable systems and recruit them into its network of compromised devices.

The implications of these vulnerabilities are far-reaching. SolarView, a company that specializes in monitoring and managing solar energy systems, acknowledged the existence of RCE vulnerabilities in their product. They have promptly taken action to address the issue and have released patches to mitigate the risks. In an official blog post, SolarView emphasizes the importance of promptly applying these updates to protect against potential attacks.

Energy organizations and critical infrastructure providers must recognize the gravity of these vulnerabilities. According to a report from GreyNoise Intelligence, the cyber threat intelligence company, the impact of these RCE bugs extends beyond SolarView systems, potentially affecting other industrial solar panel solutions as well. The report urges heightened vigilance and emphasizes the importance of sharing intelligence to protect against attacks that exploit these vulnerabilities.

The severity of these vulnerabilities and their potential impact on critical infrastructure has prompted industry experts to issue warnings and urge organizations to prioritize vulnerability management. As Ryan Olson, Vice President of Threat Intelligence at Palo Alto Networks, stated, "Energy organizations must remain vigilant and take immediate steps to identify and patch any vulnerable solar panels to prevent potential attacks."

Grid systems and energy companies are seriously at risk due to the appearance of three critical RCE bugs that target industrial solar panels. Companies must act quickly to patch these vulnerabilities and implement effective vulnerability management procedures. By taking proactive measures, organizations can protect their crucial infrastructure and reduce the risks posed by these exploitable vulnerabilities.

JsonWebToken Library Security Flaw: Used in 20,000+ Projects

Researchers from Palo Alto Networks Unit 42 found a new high-severity vulnerability, CVE-2022-23529, in JsonWebToken, a widely used open-source JavaScript library.

Palo Alto Networks released a security advisory on Monday highlighting how the weakness could be used by an attacker to execute code remotely on a server that was verifying a maliciously constructed JSON web token (JWT) request. 

The JsonWebToken JavaScript module, designed and maintained by Okta's Auth0, enables users to decode, validate, and create JSON web tokens as a way of securely communicating information between two entities for authorization and authentication. It receives more than 10 million downloads per week from the npm software registry and is used in more than 22,000 projects.

The ability to run malicious code on a server could therefore violate confidentiality and integrity guarantees, enabling a bad actor to alter any files on the host and carry out any operation of its choice using a contaminated private key. However, Unit 42 cautions that to exploit it, malicious actors would first need to compromise the secret management process between an application and a JsonWebToken server, which drops the severity level to 7.6/10.

Researchers discovered that threat actors might use JsonWebToken to execute malicious code remotely on a server once it verifies a maliciously constructed JWS token. This is made possible by a bug in JsonWebToken's verify() method, which checks a JWT and returns the decoded data. The method accepts three inputs: the token, the secretOrPublicKey, and options.

Artur Oleyarsh of Palo Alto Networks Unit 42 said, "An attacker will need to leverage a fault within the secret management mechanism to exploit the vulnerability mentioned in this post and manipulate the secretOrPublicKey value."

The security researcher claims that the Auth0 technical team released a patch for the vulnerability in December 2022. "We appreciate the Auth0 team's competent handling of the disclosure procedure and the provision of a patch for the reported vulnerability," said Oleyarsh.
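Because the flaw depends on an attacker influencing the secretOrPublicKey value, a caller can refuse anything that is not plain key bytes before it reaches verify(). The following is an added example, not code from jsonwebtoken or Unit 42: `safeVerify`, `hs256Verify`, `signHs256` and the allow-list are hypothetical names, and `hs256Verify` is a stand-in with the same three inputs so the block runs without the library.

```javascript
const crypto = require('crypto');

// Assumption: this service only issues HMAC-signed tokens.
const ALLOWED_ALGORITHMS = ['HS256'];

const b64url = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Stand-in for verify(token, secretOrPublicKey, options); HS256 only.
function hs256Verify(token, secret, options) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64').toString('utf8'));
  if (header.alg !== 'HS256' || !options.algorithms.includes(header.alg)) {
    throw new Error('algorithm not allowed');
  }
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(body, 'base64').toString('utf8'));
}

// Builds a constructed sample token for the demonstration.
function signHs256(payload, secret) {
  const head = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64url(Buffer.from(JSON.stringify(payload)));
  const sig = b64url(crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest());
  return `${head}.${body}.${sig}`;
}

// Guard in front of verify(): the key must already be a string or Buffer, and the
// caller must pin the algorithms, so nothing is inferred from the key value itself.
function safeVerify(verifyImpl, token, secretOrPublicKey, options = {}) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  const keyIsBytes =
    typeof secretOrPublicKey === 'string' || Buffer.isBuffer(secretOrPublicKey);
  if (!keyIsBytes || secretOrPublicKey.length === 0) {
    throw new TypeError('secretOrPublicKey must be a non-empty string or Buffer');
  }
  const algs = options.algorithms;
  if (!Array.isArray(algs) || algs.length === 0 ||
      !algs.every((a) => ALLOWED_ALGORITHMS.includes(a))) {
    throw new TypeError('options.algorithms must be an explicit subset of the allow-list');
  }
  return verifyImpl(token, secretOrPublicKey, { ...options, algorithms: [...algs] });
}

// Constructed sample: a valid token verifies, a non-string key object is refused.
const demoSecret = 'constructed-demo-secret';
const demoToken = signHs256({ sub: 'alice' }, demoSecret);
console.log(safeVerify(hs256Verify, demoToken, demoSecret, { algorithms: ['HS256'] }));
try {
  safeVerify(hs256Verify, demoToken, { value: demoSecret }, { algorithms: ['HS256'] });
} catch (err) {
  console.log('rejected:', err.message);
}
```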

In summary, the cybersecurity analyst stressed the importance of security awareness when utilizing open-source software. It is critical that downstream users proactively identify, mitigate, and patch vulnerabilities in such products as open-source software often appears as a lucrative first entry pathway for threat actors to stage supply chain attacks. The fact that hackers are now considerably faster at exploiting recently discovered flaws, substantially reducing the time between a patch release and exploit availability, simply makes matters difficult.

Cybercrimes are More Interconnected and are Likely to be More Prevalent


According to two senior representatives from the cyber-security company, Palo Alto Networks, cybercrime and online scams are anticipated to be more prevalent than in previous years. 

Among various cyber threats, business e-mail compromise (BEC) and ransomware attacks continue to be on the top of the global watch list. 

According to Ms. Wendi Whitmore, senior vice-president of Palo Alto Networks' Unit 42, BEC scams target both corporations and individuals making genuine transfer-of-funds requests, which makes BEC the most common and costly threat to organizations worldwide. 

“We see (criminal) organizations where you’ve got a member in Nigeria that’s closely communicating (on the Dark Web) with someone in Eastern Europe, and maybe communicating closely with someone in Asia […] I think that as the economy continues to have more challenges, we’re going to see even more of that level of interconnectivity,” says Ms. Whitmore. 

In the FBI Internet Crime Complaint Centre's 2021 report, BEC continues to hold the top position, for the sixth year. 

Does Dark Web Harbor Cybercrime? 

Mr. Vicky Ray, a principal researcher at Unit 42 who studies data and telemetry used in such global cyberattacks, believes that the Dark Web has become a breeding ground for cybercrime. 

On the Internet or the ‘Surface web,’ which is readily accessed by the general public, one can look for a variety of information or participate in forums. On the other hand, in order to access the Dark Web, one needs a certain browser and a known URL. Some Dark Web forums demand that new members have a known party vouch for them. 

According to Palo Alto, the growth of Darknet markets in Asia has given cybercriminals more flexibility, since the platform's anonymity makes it less likely that they will ever be tracked. 

“It’s hard, but at the end of the day, it is our job to connect these dots together to really answer... the hard question of who may be behind it (a cyberattack) or what the motivation is.” Mr. Ray told The Straits Times. 

No matter if the attack is a ransomware attack or a data breach, cyber criminals are in an ecosystem where “everyone supports each other and collaboration is everywhere”, he continues, showing a screengrab of a malware developer apparently receiving feedback on a Dark Web forum. 

“What has changed in the past three years has been the tactics of ransomware as a service […] These gangs who were actually creating and using the ransomware to target victims, or potential victims back in the day, what they have realized is, if they provide that to other criminals, who are called affiliates, they can be more profitable,” he adds. 

Cybercrime on Dark Web

Criminals on the Dark Web co-operate in an operation in a variety of ways, from "consultants" who offer professional guidance to affiliates who buy malware from developers. 

However, there also lies a similar collaboration between law enforcement and business parties, like Palo Alto, which shares its criminal research with Interpol. 

In one such case, for instance, in 2021, the Nigerian Police Force detained 11 members of certain cybercrime gangs, who are assumed to be part of a threat group ‘SilverTerrier’ recognized for their BEC scams, said Interpol on its website. 

During Operation Falcon II, which ran from December 13 to December 22, 2021, investigators analyzed data from the network's BEC scams, which were allegedly linked to 50,000 individuals. One suspect had more than 800,000 potential victim domain credentials on his laptop, while no monetary amount was disclosed. 

In regards to this, Interpol said, “Through Interpol’s Gateway initiative, Palo Alto Networks’ Unit 42 and Group-IB (a cyber-security firm) have contributed to investigations by sharing information on ‘SilverTerrier’ threat actors, and analyzing data to situate the group’s structure within the broader organized crime syndicate. They also provided key technical expertise consultancy to support the Interpol teams.” 

The Gateway initiative helps law enforcement agencies and the corresponding private companies share information in a secure and quicker manner, in order to mitigate and disrupt cybercrime.

“We really see the significance of these (partnerships)... So you will see a lot of the law enforcement now openly talking to us and collaborating,” adds Mr. Ray.

Analysis on Agent Tesla's Successor

Palo Alto Networks Unit 42 has dissected the workings of OriginLogger, a malware that has been hailed as the replacement for the well-known data theft and remote access trojan (RAT) known as Agent Tesla.

Agent Tesla, one of the most notorious keyloggers used by hackers, was shut down on March 4, 2019, due to legal issues. It is a remote access program built on the .NET platform that has long existed in the cyber realm, enabling malicious actors to obtain remote access to target devices and transmit user data to a domain under their control. It has been publicly available since 2014 and is promoted for sale on dark web forums. Typically, attackers send it as an attachment in harmful spam emails.

Since Agent Tesla and OriginLogger are both commercialized keyloggers, it should not be assumed that one has a distinct advantage over the other in terms of initial droppers. 

Security company Sophos revealed two new versions of the malware in February 2021, with the ability to steal login information from online browsers, email clients, and VPN clients as well as use the Telegram API for command and control.

According to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla version 3 is OriginLogger, which is alleged to have emerged to fill the gap left by the former after its operators shut down the business.

A YouTube video explaining its features served as the foundation for the cybersecurity company's study, which resulted in the detection of a malware sample "OriginLogger.exe" that was added to the VirusTotal malware archive on May 17, 2022.

The binary is a developer code that enables a purchased client to specify the kind of data to be acquired, including screenshots, the clipboard, and the list of services and programs from which the keys are to be retrieved.

Unlike the IP addresses linked to originpro[.]me, 74.118.138[.]76 resolves to 0xfd3[.]com rather than any OriginLogger domains directly. Turning to this domain reveals that it has MX and TXT entries for mail.originlogger[.]com in the DNS.

Around March 7, 2022, the disputed domain started to resolve to IP 23.106.223[.]47, one octet higher than the IP used for originpro[.]me, which used 46. 

OriginLogger uses both Google Chrome and Microsoft Outlook, and Unit 42 used both to locate a GitHub profile with the username 0xfd3 that had two source code repositories for obtaining credentials from those two applications.

Similar to Agent Tesla, OriginLogger is distributed via a fake Word file that, when viewed, displays an image of a German passport and a credit card, and has several Excel Worksheets embedded in it.

The files essentially include a VBA macro that uses MSHTA to call a remote server's HTML page, which contains obfuscated JavaScript code that allows it to access two encoded binaries stored on Bitbucket.

Advertisements from threat actors claim that the malware employs time-tested techniques and can keylog, steal credentials and screenshots, download additional payloads, upload data in a variety of ways, and try to escape detection.

A corpus analysis of over 1,900 samples reveals that SMTP, FTP, web uploads to the OriginLogger panel, and Telegram, using 181 different bots, are the most popular exfiltration methods for returning data to the attacker. The goal of this investigation was to automate and retrieve keylogger configuration-related information.





CISA Updates its Database With 10 New Actively Exploited Vulnerabilities

 

A high-severity security vulnerability impacting industrial automation software from Delta Electronics was among 10 new actively exploited vulnerabilities that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed in its Known Exploited Vulnerabilities (KEV) Database on Friday.

FCEB agencies are required to address the vulnerabilities by the deadline in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, in order to safeguard their networks from attacks that take advantage of the flaws in the catalog.

Private firms should analyze the Catalog and fix any infrastructure weaknesses, according to experts.

The problem, which has a CVSS score of 7.8, affects DOPSoft 2 versions 2.00.07 and earlier. It is listed as CVE-2021-38406. A successful exploit of the issue could result in the execution of arbitrary code.

Delta Electronics DOPSoft 2's incorrect input validation causes an out-of-bounds write that permits code execution, according to a CISA notice. "Delta Electronics DOPSoft 2 lacks sufficient validation of user-supplied data when parsing specified project files," the alert stated.

Notably, CVE-2021-38406 was first made public as part of an industrial control systems (ICS) advisory that was released in September 2021.

It is crucial to emphasize that the impacted product is no longer being produced and that there are no security updates available to solve the problem. Federal Civilian Executive Branch (FCEB) organizations must abide by the directive by September 15, 2022.

The nature of the attacks that take advantage of the security issue is not well known, but a recent analysis by Palo Alto Networks Unit 42 identified instances of in-the-wild assaults that took place between February and April 2022.

The development supports the idea that attackers are becoming more adept at using newly reported vulnerabilities as soon as they are made public, which encourages indiscriminate and opportunistic scanning attempts that intend to benefit from postponed patching.

These attacks frequently involve web shells, crypto miners, botnets, remote access trojans (RATs), initial access brokers (IABs), and ransomware, used in a precise order.

CVE-2021-31010 (CVSS score: 7.5), an unpatched hole in Apple's Core Telephony component that could be used to get around sandbox constraints, is another high-severity flaw added to the KEV Catalog. In September 2021, the tech giant corrected the flaw.

The IT giant appears to have quietly updated its advisory on May 25, 2022, to add the vulnerability and clarify that it had actually been utilized in attacks, even though there were no signs that the hole was being exploited at the time.

The iPhone manufacturer said that it was aware of a claim that this flaw might have been extensively exploited at the time of release. Citizen Lab and Google Project Zero were credited with making the finding. 

Another noteworthy aspect of the September update is the patching of CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, the company behind the Pegasus spyware, to circumvent the security measures of the operating systems.

This suggests that CVE-2021-31010 may have been linked to the previously described two issues as part of an attack chain to get past the sandbox and execute arbitrary code.



Google Drive & Dropbox Targeted by Russian Hackers

The Russian state-sponsored hacking collective known as APT29 has been linked to a new phishing campaign that takes advantage of legitimate cloud services like Google Drive and Dropbox to deliver malicious payloads on compromised systems.

In recent efforts targeting Western diplomatic stations and foreign embassies globally between early May and June 2022, the threat group APT29 also known as Cozy Bear or Nobelium has embraced this new strategy. However, the phishing documents included a link to a malicious HTML file that was used as a dropper for other harmful files, including a Cobalt Strike payload, to enter the target network.

Google and Dropbox were alerted about the operation by Palo Alto Networks, and they took measures to restrict it. Organizations and governments have been cautioned by Unit 42 researchers to maintain a high state of alert. Organizations should be cautious about their capacity to identify, inspect, and block undesirable traffic to legitimate cloud storage providers in light of APT29's new methods.

APT29, also known as Cozy Bear, Cloaked Ursa, or The Dukes, is a cyber espionage organization that seeks to gather information that supports Russia's geopolitical goals. It also carried out the SolarWinds supply-chain hack, which resulted in the compromising of several US federal agencies in 2020.

What has changed in the most recent versions is the use of cloud services like Dropbox and Google Drive to mask their activity and download further cyber-espionage tools into target locations. According to reports, the attack's second version, seen in late May 2022, was further modified to host the HTML dropper in Dropbox.

The findings also line up with a recent statement from the Council of the European Union that "condemns this appalling behavior in cyberspace" and highlights the rise in hostile cyber actions carried out by Russian threat actors.

In a news release, the EU Council stated that "this increase in harmful cyber actions, in the context of the war against Ukraine, presents intolerable risks of spillover effects, misinterpretation, and possible escalation."







GALLIUM APT Deployed a New PingPull RAT

According to Palo Alto Networks researchers, the PingPull RAT is a "difficult-to-detect" backdoor that uses the Internet Control Message Protocol (ICMP) for C2 connections. Experts also discovered PingPull variations that communicate with each other using HTTPS and TCP rather than ICMP.

Gallium, a Chinese advanced persistent threat (APT) group, has a long history of cyberespionage against telecommunications companies, dating back to 2012. In 2017, the state-sponsored entity, also called Soft Cell by Cybereason, was linked to a broader range of attacks aimed at five major Southeast Asian telecom businesses. However, during the last year, the group's victimology has expanded to include financial institutions and government agencies in Afghanistan, Austria, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. 

A threat actor can use PingPull, a Visual C++-based malware, to gain access to a reverse shell and run unauthorized commands on a compromised computer. Its capabilities include file operations, listing storage volumes, and timestamping files. 

The researchers explained that "PingPull samples which use ICMP for C2 communications issue ICMP Echo Request (ping) packets to the C2 server." "The C2 server will send commands to the system by responding to these Echo queries with an Echo-Reply packet." 
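An ICMP Echo Reply is expected to return the data of the request it answers, so replies that carry different data, or that answer no request at all, are worth triaging when hunting for ICMP-based C2 of the kind quoted above. The following is an added example, not Unit 42's detection logic: the function names, addresses and packets are constructed, and it assumes the ICMP messages have already been extracted from a capture.

```javascript
// RFC 1071 Internet checksum over an ICMP message.
function checksum(buf) {
  let sum = 0;
  for (let i = 0; i < buf.length; i += 2) {
    sum += (buf[i] << 8) | (i + 1 < buf.length ? buf[i + 1] : 0);
  }
  while (sum >>> 16) sum = (sum & 0xffff) + (sum >>> 16);
  return ~sum & 0xffff;
}

// Builds a constructed ICMP echo message (type 8 = request, type 0 = reply).
function buildEcho(type, id, seq, text) {
  const data = Buffer.from(text);
  const msg = Buffer.alloc(8 + data.length);
  msg[0] = type;
  msg.writeUInt16BE(id, 4);
  msg.writeUInt16BE(seq, 6);
  data.copy(msg, 8);
  msg.writeUInt16BE(checksum(msg), 2);
  return msg;
}

// Parses the 8-byte echo header; returns null for short or corrupt messages.
function parseIcmp(buf) {
  if (buf.length < 8 || checksum(buf) !== 0) return null;
  return {
    type: buf[0],
    code: buf[1],
    id: buf.readUInt16BE(4),
    seq: buf.readUInt16BE(6),
    payload: buf.subarray(8),
  };
}

// Pairs each reply with its request by (requester, responder, id, seq) and flags
// replies whose data differs from the request or that match no request.
function findSuspiciousReplies(records) {
  const pending = new Map();
  const alerts = [];
  for (const r of records) {
    const m = parseIcmp(r.icmp);
    if (!m || m.code !== 0) continue;
    if (m.type === 8) {
      pending.set(`${r.src}|${r.dst}|${m.id}|${m.seq}`, m.payload);
    } else if (m.type === 0) {
      const key = `${r.dst}|${r.src}|${m.id}|${m.seq}`;
      const sent = pending.get(key);
      if (sent === undefined) {
        alerts.push({ src: r.src, dst: r.dst, reason: 'reply without matching request' });
      } else {
        pending.delete(key);
        if (!sent.equals(m.payload)) {
          alerts.push({ src: r.src, dst: r.dst, reason: 'reply payload differs from request' });
        }
      }
    }
  }
  return alerts;
}

// Constructed sample capture using documentation address ranges.
const SAMPLE_CAPTURE = [
  { src: '10.0.0.5', dst: '192.0.2.10', icmp: buildEcho(8, 0x1a2b, 1, 'abcdefghijklmnopqrstuvwabcdefghi') },
  { src: '192.0.2.10', dst: '10.0.0.5', icmp: buildEcho(0, 0x1a2b, 1, 'abcdefghijklmnopqrstuvwabcdefghi') },
  { src: '10.0.0.7', dst: '198.51.100.20', icmp: buildEcho(8, 0x0042, 7, 'constructed-request-data') },
  { src: '198.51.100.20', dst: '10.0.0.7', icmp: buildEcho(0, 0x0042, 7, 'constructed-reply-with-other-data') },
  { src: '203.0.113.9', dst: '10.0.0.7', icmp: buildEcho(0, 0x0099, 3, 'constructed-unsolicited') },
];

console.log(findSuspiciousReplies(SAMPLE_CAPTURE));
```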

PingPull variants that use HTTPS and TCP rather than ICMP to interact with their C2 server have been discovered, along with over 170 IP addresses associated with the group since late 2020. Although the threat actor is known to exploit internet-exposed applications to acquire an initial foothold and deploy a customized form of the China Chopper web shell to establish persistence, it's not obvious how the targeted networks are hacked. 

Throughout Southeast Asia, Europe, and Africa, GALLIUM continues to pose a serious danger to telecommunications, finance, and government organizations. It is recommended that all businesses use the researchers' findings to inform the implementation of protective measures to guard against this threat group, which has deployed a new capability called PingPull in support of its espionage efforts.

Backdoor Installed by HelloXD Ransomware, Directed at Windows and Linux Devices

HelloXD is ransomware that first appeared in November 2021 and conducts double-extortion attacks. Researchers discovered several variations that affect Windows and Linux computers. 

According to a recent analysis from Palo Alto Networks Unit 42, the malware's creator has developed a new encryptor with unique packing for detection avoidance and encryption algorithm tweaks. This is a substantial deviation from the Babuk code, indicating the author's goal to create a new ransomware strain with possibilities and characteristics to allow for more attacks. 

HelloXD ransomware threat 

HelloXD first emerged to the public on November 30, 2021, and is based on Babuk's leaked code, which was published in September 2021 on a Russian-language cybercrime site. 

Palo Alto Networks Unit 42 security researchers Daniel Bunce and Doel Santos said, "Unlike other ransomware, this ransomware does not have an active leak site; instead, it prefers to direct the infected victim to negotiations via Tox chat and onion-based messaging instances." 

The operators of the ransomware family are no exception, since they used double extortion to extort cryptocurrencies by exfiltrating a victim's personal data, encrypting it, performing cyber espionage, and threatening to publish it.

MicroBackdoor is an open-source malware used for command-and-control (C2) communications to browse the infected system, exfiltrate files, execute orders, and remove traces, according to its developer Dmytro Oleksiuk. 

In March 2022, the Belarusian threat actor nicknamed Ghostwriter (aka UNC1151) used multiple forms of the implant in its cyber operations against Ukrainian governmental agencies. The features of MicroBackdoor allow a hacker to explore the file system, upload and download files, run commands, and delete traces of its activity from compromised PCs. 

HelloXD is a harmful ransomware project in its early stages that is now being deployed in the field. Although infection volumes aren't high now, its active and targeted development paves the way for a more harmful state. By piecing together the actor's digital trail, Unit 42 said it connected the likely Russian vendor behind HelloXD (who goes by the online aliases x4k, L4ckyguy, unKn0wn, unk0w, _unkn0wn, and x4kme) to further cybercriminal activities such as selling proof-of-concept (PoC) exploits and custom Kali Linux distributions using malicious software. 

Between 2019 and 2021, the average lifespan of an enterprise ransomware attack, that is, the period between initial access and ransomware distribution, decreased by 94.34 percent, from nearly two months to just 3.85 days, according to a new report by IBM X-Force.

The enhanced speed and efficiency trends in the ransomware-as-a-service (RaaS) ecosystem have been attributed to the role of initial access brokers (IABs), who gain access to victim networks and then sell that access to associates, who in turn misuse the foothold to install ransomware payloads. 

Overall, the threat actor behind the data theft appears skilled and capable of moving HelloXD forward, so analysts should keep a close eye on its progress.

Palo Alto Networks' Unit 42 Publishes Report on Mespinoza Group

 

Unit 42 of Palo Alto Networks has examined the Mespinoza gang's latest techniques and practices in identifying its 'cocky' message and its instruments endowed with 'creative names' – but has shown no evidence suggesting that the group has changed to ransomware-as-a-service. 

Mespinoza attacks mostly demonstrate trends seen across different ransomware threat actors and families, which make their attacks simple and easy to carry out. 

The report researchers explained, "As with other ransomware attacks, Mespinoza originates through the proverbial front door – internet-facing RDP servers – mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or through the use of built-in tools enabling actors to live off the land, all of which benefits bottom-line expenses and profits." 

Although the Mespinoza organization has not been as active as the more popular REvil, its operations have still achieved great success: Unit 42's examination revealed that victims pay up to $470,000 each for decryption of files, mainly from targets in the US and UK - including a Hackney Council attack last October.

Once a victim is in their sights, they can proceed rapidly and precisely from breach to exfiltration to ransomware. One scenario, by no means the quickest, lasted less than three days: from breaching the network over RDP, through network reconnaissance and credential collection, to exfiltrating the required data on the second day and deploying the ransomware on the third day. 

"Through the use of various open-source tools - mostly designed for use by sysadmins and pen-testers - the Mespinoza actors can move around the network with ease, looking for high-value data for maximum leverage as they go, and staging the latter parts of their attack to encrypt as many systems as possible," stated Alex Hinchliffe, threat intelligence analyst at Unit 42. 

The group has primarily targeted manufacturers, retailers, the medical sector, and the education sector. Unit 42 research also revealed evidence that the Mespinoza Group's previous reports followed in the footsteps of REvil and offered ransomware-as-a-service.

Communication from the group, described as "cocky" by the researchers, could have been mistaken in this respect. "Victim organizations are referred to as 'partners,'" the researchers found. "Use of that term suggests that they try to run the group as a professional enterprise and see victims as business partners who fund their profits." 

"Generally speaking RDP and other remote administration tools have become a high-value target for many cybercriminals and nation-state adversaries because of how simple it is to find them," Hinchliffe said. 

"There's no reason to expose RDP directly to the public internet in this day and age," security researcher Tom Hudson told The Register of the all-too-familiar entry point for Mespinoza's attacks. "If you need RDP access over the internet you should be requiring the use of a VPN with multi-factor authentication enforced." 

While Mespinoza may not be above copying the victim lists of other malware groups, it is evident that its creativity lies in another area: the naming of its tools. The report further notes that a tool for building network tunnels is dubbed 'MagicalSocks.' A component saved on its server is probably called 'HappyEnd.bat.' This is probably used to wrap up an attack.