
Play Ransomware Threat Intensifies with State-Sponsored Links and Advanced Tactics


Play ransomware continues to be a formidable cybersecurity threat, with over 300 successful attacks reported globally since its first detection in 2022. Named for the “.PLAY” extension it appends to encrypted files, this ransomware has been linked to Andariel, a North Korean state-sponsored hacking group operating under the Reconnaissance General Bureau. 

This connection highlights the increasing involvement of state-backed actors in sophisticated cybercrime campaigns targeting both public and private sector organizations worldwide. Recent analysis by AhnLab sheds light on how Play ransomware gains access to its victims’ networks. The attackers exploit vulnerabilities in widely used software systems or misuse valid user accounts. 

Known flaws, including Microsoft Exchange Server’s ProxyNotShell vulnerabilities (CVE-2022-41040 and CVE-2022-41082) and Fortinet FortiOS vulnerabilities (CVE-2020-12812 and CVE-2018-13379), have been frequently abused by these attackers. After infiltrating a network, they use port scanning to gather information about active systems and services, collect Active Directory data, and identify paths for privilege escalation. These escalated privileges allow the attackers to obtain administrator-level access, steal credentials, and ultimately gain control over the domain environment. 

One of the key challenges in detecting Play ransomware lies in its ability to blend malicious activities with legitimate operations. The attackers often use tools like Process Hacker to disable security products. Many of these tools are not inherently malicious and are commonly used for legitimate purposes, making it difficult for security systems to distinguish between normal and nefarious activities. This ability to evade detection underscores the sophistication of Play ransomware and its operators. 

The impact of a Play ransomware attack goes beyond encryption. Like many modern ransomware variants, Play uses double-extortion tactics, exfiltrating sensitive data before locking systems. This exfiltrated data is then leveraged to pressure victims into paying ransoms by threatening to leak the information on dark web forums. The combination of system disruption and the risk of public data exposure makes Play ransomware particularly damaging to its targets. To mitigate the risks posed by Play ransomware, cybersecurity experts and the Federal Bureau of Investigation (FBI) recommend implementing proactive defenses. 

Organizations should ensure that software, operating systems, and firmware are regularly updated to address vulnerabilities. Phishing-resistant multi-factor authentication (MFA) is crucial to reduce the risk of unauthorized access, while employee training on recognizing phishing attempts remains essential. Additionally, network segmentation can limit the attackers’ ability to move laterally, reducing the overall impact of an attack. 

Play ransomware illustrates the evolving complexity of cyber threats, particularly those linked to state-sponsored groups. Its reliance on exploiting known vulnerabilities, combined with its use of legitimate tools, highlights the critical need for organizations to adopt comprehensive cybersecurity measures. By prioritizing vulnerability management, user education, and proactive defenses, organizations can better protect themselves against the ongoing threat posed by Play ransomware and similar cyber campaigns.

FBI Alarmed as Ransomware Strikes 300 Victims, Critical Sectors Under Siege

Late on Monday, the Federal Bureau of Investigation (FBI), together with the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre, published an advisory about the Play ransomware gang. The Play gang is thought to have debuted last year and has launched multiple attacks on targets since then. 

It was first spotted being deployed against South American government agencies around the middle of last year but pivoted months later to target entities in the US and Europe. The FBI and other cyber security agencies are warning about the rise of the Play ransomware double-extortion group which has now attacked hundreds of organizations. 

Since June 2022, Play ransomware - also known as Playcrypt - has hit a wide range of businesses and critical infrastructure organizations in North America, South America, and Europe, the cyber security advisory said. Unlike typical ransomware operations, the Play ransomware affiliates use email communication for negotiations, rather than providing Tor negotiation page links in the ransom notes left on compromised systems. 

However, the gang still employs strategies commonly associated with ransomware, such as stealing sensitive documents from compromised systems to pressure victims into paying ransom demands under the threat of leaking the stolen data online. The FBI, CISA, and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued the joint advisory to disseminate IOCs and TTPs of the Play ransomware group identified as recently as October 2023. 

According to the joint advisory, organizations are urged to remediate previously exploited vulnerabilities to diminish the likelihood of falling victim to Play ransomware attacks. A special focus should be placed on implementing multifactor authentication for webmail, VPN, and accounts accessing critical systems; the advisory also stresses regularly updating and patching software, along with routine vulnerability assessments. 

It is recommended that organizations follow security best practices to ensure that their endpoints are secure. A few of the steps include keeping all software and hardware up to date and making sure that all urgent security patches are applied as soon as possible, as these patches usually address known and actively abused security vulnerabilities. Companies should also be encouraged to implement multi-factor authentication (MFA) wherever possible and to keep their passwords strong and regularly refreshed. 

High-profile victims of Play ransomware attacks include the City of Oakland in California, Arnold Clark, the cloud computing company Rackspace, and the Belgian city of Antwerp. The Play gang also uses a custom VSS Copying Tool to copy files out of Volume Shadow Copies, even when other applications currently have those files open. 

The joint advisory issued by CISA and the other agencies indicates that the Play group gains access to organizations' networks through the abuse of legitimate accounts and the exploitation of public-facing applications via known security flaws in FortiOS [CVE-2018-13379 and CVE-2020-12812] and Microsoft Exchange, including ProxyNotShell, a remote code execution (RCE) vulnerability, as well as CVE-2022-41040, which is also tracked as CVE-2022-40802. 

In their report, the authors noted that ransomware actors are commonly observed obtaining initial access through externally reachable services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). Once inside, the Play actors use AdFind to run Active Directory queries and the Grixba infostealer to enumerate network information, scan for antivirus software, and collect data from the network. 

They have also used PowerShell scripts to target Microsoft Defender, and tools such as GMER, IOBit, and PowerTool to disable antivirus software and remove log files.

Rackspace: Ransomware Bypasses ProxyNotShell Mitigations

Rackspace Technology, a cloud hosting company that provides managed cloud services, has disclosed the cause of the massive December 2 attack. The attack disrupted email services for thousands of small and midsized businesses and stemmed from a zero-day exploit against a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server, CVE-2022-41080. 

According to Karen O'Reilly-Smith, the chief security officer at Rackspace, in an email response, the root cause of the incident was a zero-day exploit associated with CVE-2022-41080. Microsoft had disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not note that it was part of an exploitable remote code execution chain. 

According to a third-party advisor to Rackspace, the company had yet to apply the ProxyNotShell patch because it was concerned that the patch might cause "authentication errors" that could take down its Exchange servers, along with other potential issues. As part of its mitigation strategy for the vulnerabilities, Rackspace had already implemented Microsoft's mitigation recommendations, which the software giant had presented as a means of preventing attacks. 

Rackspace hired the security firm CrowdStrike for its breach investigation, and CrowdStrike published its findings in a public blog post. CrowdStrike explained how the Play ransomware group had used a newly developed technique to exploit ProxyNotShell-style remote code execution via CVE-2022-41080 and CVE-2022-41082. 

CrowdStrike's post about the Play bypass technique was reportedly the outcome of the company's investigation into the attack against Rackspace, and Rackspace's external advisor told us that the research on Play's bypass method was indeed the result of CrowdStrike's investigation into that attack. 

Last month, Microsoft told Dark Reading that while the attack bypasses the mitigations Microsoft had previously published for ProxyNotShell, it does not bypass the actual patch when that patch is applied to the system. 

'Patching - if you can do so - is the answer,' says an external advisor, pointing out that the company had weighed the risks and benefits of patching at a time when the mitigations were said to be effective while the patch had the potential to take their servers down. The external advisor's report states that they were aware of the risk at the time it was being evaluated, considered, and weighed. Because the patch has not yet been applied, the servers remain unavailable. 

According to a Rackspace spokesperson, the company has not responded to questions about whether or not the ransomware attackers have been paid.
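The following is an added defender-side example, not code from the original post, Rackspace, Microsoft, or CrowdStrike. It scans constructed IIS W3C log lines for Exchange front-end requests that reference the PowerShell backend and shows why a URL-rewrite mitigation is narrower than the patch: it assumes (as labelled in the code) that Microsoft's ProxyNotShell rewrite rule only caught requests mentioning both Autodiscover and PowerShell, so a request reaching the same backend through a different front-end path slips past it.

```python
import re
from collections import namedtuple

# Constructed sample IIS W3C log (not real traffic). The /owa/... line does not
# reproduce any real request; it only stands in for a front-end path other than
# Autodiscover that still reaches the PowerShell backend.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-02 03:14:07 10.0.0.5 GET /owa/ - 203.0.113.10 200
2022-12-02 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json a=x@example.com/powershell 203.0.113.10 200
2022-12-02 03:14:12 10.0.0.5 POST /owa/constructed@example.com/powershell - 203.0.113.10 200
2022-12-02 03:15:00 10.0.0.5 GET /ecp/default.aspx - 198.51.100.7 200
"""

Finding = namedtuple("Finding", "client path query frontend blocked_by_rewrite")

# Assumption: Microsoft's ProxyNotShell URL-rewrite mitigation is approximated
# here as a rule that only matches requests mentioning both "autodiscover" and
# "powershell"; other front-end paths are not covered by it.
REWRITE_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)
# Wider defender net: any front-end request that points at the PowerShell backend.
BACKEND_HINT = re.compile(r"powershell", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, parts))


def scan(text):
    """Return a Finding for each request referencing the PowerShell backend,
    noting whether the Autodiscover-only rewrite rule would have caught it."""
    findings = []
    for rec in parse_w3c(text):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        full = stem if query == "-" else f"{stem}?{query}"
        if not BACKEND_HINT.search(full):
            continue
        frontend = stem.split("/")[1].lower()  # first path segment, e.g. owa
        findings.append(Finding(rec["c-ip"], stem, query, frontend,
                                bool(REWRITE_RULE.search(full))))
    return findings
```

Running `scan(SAMPLE_LOG)` yields two findings: the Autodiscover request is matched by the rewrite rule, while the OWA-path request is not, which is the class of traffic only the patch addresses.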