Showing posts with label Rapid7.

Guess Who's Back? LodaRAT, A Global Cybersecurity Threat



LodaRAT, a remote access tool first observed in 2016, has resurfaced in a new campaign. Originally built for basic information theft, it has grown into a capable espionage tool. What stands out is that the core malware has seen no significant updates since 2021, yet its reach and effectiveness have grown, making it a pressing concern for individuals and organisations worldwide.  

A Global Campaign with Far-Reaching Impact  

What sets this latest campaign apart is its global nature. Earlier activity targeted specific regions; the current campaign is hitting victims across the world. Around 30% of related malware samples uploaded to VirusTotal were submitted from the United States. LodaRAT is no longer confined to a few geographies, and its operators are adapting it to a wider range of networks and systems.  


How LodaRAT Works  

LodaRAT's tradecraft has become more varied, allowing it to get onto systems and operate unnoticed. It is delivered through phishing emails, exploitation of unpatched systems, and other malware such as DonutLoader and Cobalt Strike. It also masquerades as trusted software such as Skype, Discord or Windows Update to trick users into installing it.  

Once installed, the malware carries out a variety of harmful activities, including:  

  • Spying on users by recording audio and video through webcams and microphones.  
  • Stealing credentials and cookies from popular browsers like Microsoft Edge and Brave.  
  • Disabling security controls such as the Windows Firewall so that its backdoor connections are not blocked.  
  • Spreading across the network by exploiting SMB (TCP port 445) on neighbouring hosts.  
  • Hiding its tracks by storing stolen data in concealed locations on the victim's system.  


Increased Risks for Organizations  

The new campaign raises the stakes for businesses and organisations. LodaRAT can spread inside internal networks by exploiting vulnerable SMB services on port 445, which lets attackers move laterally and compromise multiple devices on the same network. Such breaches can lead to stolen data, operational disruption, and significant financial losses.  
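The lateral-movement pattern described above (one internal host opening SMB connections to many other internal hosts in a short time) is the kind of "unusual behaviour" that network monitoring should catch. The following is an added example, not code from the original post or from Rapid7: a small detector run over constructed firewall/flow log lines. The log field layout, the internal address ranges, the five-minute window and the fan-out threshold of 10 distinct targets are all assumptions to be tuned for a real environment.

```python
"""
Added example: flag internal hosts that fan out over SMB (TCP/445) to many
distinct internal targets inside a short window. Log format, thresholds and
the sample lines below are constructed assumptions, not a vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow log: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2024-11-20T09:00:01 10.0.1.15 10.0.1.20 445 tcp
2024-11-20T09:00:02 10.0.1.15 10.0.1.21 445 tcp
2024-11-20T09:00:02 10.0.1.15 10.0.1.22 445 tcp
2024-11-20T09:00:03 10.0.1.15 10.0.1.23 445 tcp
2024-11-20T09:00:03 10.0.1.15 10.0.1.24 445 tcp
2024-11-20T09:00:04 10.0.1.15 10.0.1.25 445 tcp
2024-11-20T09:00:05 10.0.1.15 10.0.1.26 445 tcp
2024-11-20T09:00:06 10.0.1.15 10.0.1.27 445 tcp
2024-11-20T09:00:07 10.0.1.15 10.0.1.28 445 tcp
2024-11-20T09:00:08 10.0.1.15 10.0.1.29 445 tcp
2024-11-20T09:00:09 10.0.1.15 10.0.1.30 445 tcp
2024-11-20T09:00:10 10.0.1.15 10.0.1.20 445 tcp
2024-11-20T09:05:00 10.0.1.40 10.0.1.5 445 tcp
2024-11-20T09:05:01 10.0.1.40 10.0.1.6 445 tcp
2024-11-20T09:10:00 10.0.1.41 10.0.1.5 443 tcp
2024-11-20T09:10:05 203.0.113.9 10.0.1.5 445 tcp
"""

# Assumed RFC 1918 ranges for "internal"; adjust to the real address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def smb_fanout(log_text: str, window=timedelta(minutes=5), threshold=10):
    """Return {src_ip: set of distinct internal SMB targets} for every internal
    source that reached at least `threshold` distinct internal hosts on
    TCP/445 within any sliding window of length `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto != "tcp" or port != 445:
            continue
        # Inbound SMB from the internet is a different (firewall) problem;
        # lateral movement is internal-to-internal.
        if not (is_internal(src) and is_internal(dst)):
            continue
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = alerts.get(src, set()) | targets
    return alerts


if __name__ == "__main__":
    for src, targets in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT {src}: SMB fan-out to {len(targets)} internal hosts: "
              f"{', '.join(sorted(targets))}")
```

In the sample, 10.0.1.15 touches eleven distinct hosts on 445 within nine seconds and is reported; 10.0.1.40 touches only two, the 443 connection is ignored, and the connection from 203.0.113.9 is skipped because it is not internal-to-internal. On a real network, domain controllers, backup servers and vulnerability scanners legitimately fan out over SMB, so they need an allow-list before this fires on production data.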


Protecting Against LodaRAT 

To defend against LodaRAT, organisations and individuals need to take proactive measures:  

1. Strengthen security systems by using advanced endpoint protection tools.  

2. Monitor network activity to detect unusual behaviours that could indicate malware presence.  

3. Educate users on phishing tactics to prevent accidental downloads.  

4. Adopt strong authentication practices to make credential theft harder.  

5. Use tools like Rapid7’s Insight Agent to identify potential threats and weak points.  


The return of LodaRAT shows how minor tweaks to existing malware can make it highly effective. This campaign is a reminder that even older threats can evolve and remain dangerous. Staying vigilant and updating cybersecurity measures regularly are key to staying ahead of such attacks.  

By understanding how LodaRAT operates and taking the necessary precautions, organisations and individuals can better protect themselves in an increasingly complex digital ecosystem.  

Microsoft Confirms Zero Day Exploits, Prompts Users to Update


This week Microsoft confirmed around 132 security vulnerabilities across its product lines, including six zero-day flaws that are being actively exploited. Security professionals are advising Windows users to update right away.

One of the zero-days is a remote code execution (RCE) vulnerability affecting Microsoft Office and Windows HTML rendering. Unusually for a Patch Tuesday rollout, Microsoft has not yet released a patch for CVE-2023-36884 and instead provides configuration-based mitigations. Microsoft has linked exploitation of this vulnerability to the Russian cybercrime group RomCom, which is suspected of acting in the interests of Russian intelligence.

According to Adam Barnett, a vulnerability risk management specialist at Rapid7, the RomCom gang has also been linked to ransomware attacks against a variety of targets. Given the number of vulnerabilities and the multiple zero-days among them, security experts are urging Windows users to apply the updates promptly. The Microsoft Security Update Guide lists every vulnerability fixed in the latest Patch Tuesday release; security professionals have drawn attention to some of the more critical ones.

CVE-2023-36884 

Microsoft says it is “investigating reports of a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents.”

While the vulnerability remains unpatched, Microsoft says it will “take the appropriate action to help protect our customers” once its investigation is complete. The expectation is that this will arrive as an out-of-band security update rather than leaving an actively exploited zero-day open until next month's Patch Tuesday. In the meantime, Microsoft points users to a threat intelligence blog post that describes workaround mitigations.

CVE-2023-32046 

This is a Windows MSHTML platform elevation of privilege vulnerability that is being exploited in the wild. MSHTML is a core Windows component used to render HTML content.

According to Kev Breen, director of cyber threat research at Immersive Labs, “This is not limited to browsers.” He warns, “other applications like Office, Outlook, and Skype also make use of this component.” The likely attack vectors are the usual suspects: a malicious document attached to an email, or a malicious website or web page. “This vulnerability would likely be used as an initial infection vector[…]allowing the attacker to gain code execution in the context of the user clicking the link or opening the document,” says Breen.

Are Chatbots Making it Difficult to Trace Phishing Emails?


Chatbots are eroding a crucial line of defence against phishing emails by correcting the grammatical and spelling errors that have long been a telltale sign of fraudulent mail, according to experts. 

The warning comes alongside an international advisory published by the law enforcement agency Europol on the potential criminal use of ChatGPT and other "large language models". 

How Does Chatbot Aid Phishing Campaign? 

Phishing emails are the bait cybercriminals use to lure victims into clicking links that download malicious software or into handing over sensitive information such as passwords or PINs. 

According to the Office for National Statistics, half of all adults in England and Wales reported receiving a phishing email last year, making phishing emails one of the most frequent kinds of cyber threat. 

However, artificial intelligence (AI) chatbots can now correct the flaws that trip spam filters or alert human readers, removing a basic weakness of many phishing attempts: poor spelling and grammar. 

According to Corey Thomas, chief executive of the US cybersecurity firm Rapid7 “Every hacker can now use AI that deals with all misspellings and poor grammar[…]The idea that you can rely on looking for bad grammar or spelling in order to spot a phishing attack is no longer the case. We used to say that you could identify phishing attacks because the emails look a certain way. That no longer works.” 

ChatGPT, the market leader that rose to fame after its launch last year, is already being used for cybercrime, and generating malicious messages has become one of the first significant applications of "large language models" (LLMs) outside legitimate use. 

Phishing emails are increasingly being produced by bots, according to data from cybersecurity specialists at the UK company Darktrace. This lets criminals send longer messages that are less likely to be caught by spam filters and avoid the poor English that gave away human-written attempts. 

Since ChatGPT's rise to prominence last year, the overall volume of malicious emails that simply try to trick users into clicking a link has decreased, replaced by emails that are more linguistically complex. According to Max Heinemeyer, Darktrace's chief product officer, this indicates that a sizeable proportion of the threat actors who write phishing and other harmful emails have gained the ability to produce longer, more complicated prose, most likely with an LLM such as ChatGPT or something similar. 

Europol's advisory on the use of AI chatbots raises similar concerns, covering fraud and social engineering, disinformation, and cybercrime. According to the report, the systems can guide would-be offenders through the steps needed to harm others: because the model can deliver detailed instructions in response to the right questions, it becomes much simpler for criminals to understand and ultimately commit different forms of crime. 

In a report published this month, the US-Israeli cybersecurity company Check Point said it had created a convincing-looking phishing email using the most recent version of ChatGPT. It bypassed the chatbot's safeguards by telling it that it wanted a sample phishing email for a staff awareness programme. 

With last week's launch of its Bard product in the US and the UK, Google has also entered the chatbot race. When the Guardian asked Bard to write an email that would persuade someone to click on a suspicious-looking link, it cooperated readily, if without much finesse: "I am writing to you today to give a link to an article that I think you will find interesting." 

Additionally, Google highlighted its “prohibited use” policy for AI, according to which users are not allowed to use its AI models to create content for the purpose of “deceptive or fraudulent activities, scams, phishing, or malware”. 

In regards to the issue, OpenAI, the company behind ChatGPT mentioned its terms of use, which says users “may not use the services in a way that infringes, misappropriates or violates any person’s rights”.  

Data From Honeypots Shows Bot Attack Trends Against RDP, SSH



Rapid7's RDP and SSH honeypots collected data for twelve months, from September 10, 2021 to September 9, 2022, recording tens of millions of connection attempts. Across both the RDP and SSH honeypots they captured 215,894 unique source IP addresses and 512,002 unique passwords. Almost all of those passwords (99.997%) can be found in the word list rockyou2021.txt.

The RockYou website was breached in 2009, and the attackers stole 32 million user account records with passwords stored in cleartext. A deduplicated list of 14,341,564 passwords from that breach became the original rockyou.txt word list, which is widely used in dictionary attacks and ships with Kali Linux as a penetration testing aid.

Over the years numerous other password lists have been merged into the original, and updated compilations keep appearing. One result is the rockyou2021.txt collection: a 92 GB text file containing about 8.4 billion passwords, freely available for download, including from GitHub. 

Rapid7 explains in its report titled Good Passwords for Bad Bots (PDF), "We use the RockYou set of passwords as a source of passwords that attackers could generate and try to see if there was any evolution beyond the use of a password list." 

That 99.99% of the passwords used against Rapid7's honeypots appear in this list should come as no surprise, because most of the passwords tried are very common. Of the 497,848 passwords used in the SSH attacks, only 14 are not in rockyou2021.

Each of those 14 passwords contained the IP address of the honeypot being attacked. Rapid7 suggests the most likely explanation is a programming error in the attacker's scanner that put the target address into the password field.

For the RDP honeypots, only one password tried by attackers is absent from rockyou2021: 'AuToLoG2019.09.25', which was the thirteenth most common password seen overall. This is puzzling, but the report notes there are malware samples containing the string 'AuToLoG'. “The samples are classified as generic trojans by most antivirus vendors but appear to have RDP credentials hardcoded into them,” adds the report.

Apart from the 14 malformed SSH attempts described above and the single AuToLoG password seen against RDP, every password used in these honeypot attacks can be found in rockyou2021. In other words, these are automated, opportunistic bot attacks that rely on weak or default credentials rather than on anything tailored to the target.

Rapid7's analysis of the passwords also found that standard, well-known passwords were strongly preferred over less common ones. The top five RDP password attempts were '123', '' (the empty string), 'password', '123qwe' and 'admin'. For SSH, the top five over the twelve months were '123456', 'nproc', 'test', 'qwerty' and 'password'. All of these, like nearly all the others, could have been taken straight from rockyou2021.

Rockyou2021 is, in effect, nothing more than a very large word list: random strings of mixed ASCII and special characters are largely absent from it. For comparison, the list holds about 8.4 billion entries, while there are roughly 70 trillion (95^7) printable-ASCII strings of length seven alone.

The keyspace grows exponentially with password length, so the chance that a long random string appears in any such list quickly becomes negligible. Rapid7's overriding conclusion is that long, random strings of the kind generated by password managers, which are unlikely to appear in any dictionary, are a very strong defence against opportunistic, bot-driven automated attacks.
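The two measurements behind the report's argument, what fraction of attempted passwords a word list already covers and how a list of 8.4 billion entries compares with the random keyspace at a given length, are easy to reproduce. The following is an added example, not code from the original post or from Rapid7's report. It runs on a constructed ten-entry stand-in for rockyou2021.txt and a constructed set of honeypot login attempts; the attempt format, the sample values and the 95-character printable-ASCII alphabet (code points 0x20 to 0x7E) are assumptions. A real run would stream the 92 GB file line by line rather than hold it in memory.

```python
"""
Added example: coverage of honeypot password attempts by a word list, the most
common attempts per service, and the word list's size versus the random
printable-ASCII keyspace. Word list and attempts are constructed stand-ins.
"""
from collections import Counter

# Constructed stand-in for a dictionary such as rockyou2021.txt.
# The empty string is included so that blank-password attempts count as
# "in the dictionary", which is how the report treats them.
WORDLIST = ["123456", "password", "123", "123qwe", "admin",
            "qwerty", "test", "nproc", "letmein", ""]

# Constructed honeypot attempts as (service, password) pairs. The "10.0.0.7"
# entry mimics the scanner bug in which the target IP lands in the password
# field; the last entry mimics a password-manager-style random string.
ATTEMPTS = [
    ("rdp", "123"), ("rdp", ""), ("rdp", "password"), ("rdp", "123qwe"),
    ("rdp", "admin"), ("rdp", "123"), ("rdp", "AuToLoG2019.09.25"),
    ("ssh", "123456"), ("ssh", "nproc"), ("ssh", "test"), ("ssh", "qwerty"),
    ("ssh", "password"), ("ssh", "123456"), ("ssh", "10.0.0.7"),
    ("ssh", "xK9#vQ2mLp!r4Z"),
]

PRINTABLE_ASCII = 95          # characters 0x20..0x7E
ROCKYOU2021_SIZE = 8_400_000_000  # approximate entry count quoted above


def coverage(attempts, wordlist, service=None):
    """Return (unique passwords seen, sorted list of those not in the
    word list, coverage percentage). `service` filters to "rdp"/"ssh"."""
    words = set(wordlist)
    seen = {pw for svc, pw in attempts if service in (None, svc)}
    missing = sorted(pw for pw in seen if pw not in words)
    pct = 100.0 * (len(seen) - len(missing)) / len(seen) if seen else 0.0
    return seen, missing, pct


def top_passwords(attempts, service, n=5):
    """Most common passwords tried against one service, with counts."""
    return Counter(pw for svc, pw in attempts if svc == service).most_common(n)


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct strings of `length` characters over the alphabet."""
    return alphabet ** length


def list_fraction(length, list_size=ROCKYOU2021_SIZE):
    """Upper bound on the share of the random keyspace a list can cover:
    even if every entry were a distinct random string of this length."""
    return list_size / keyspace(length)


if __name__ == "__main__":
    for svc in ("rdp", "ssh"):
        seen, missing, pct = coverage(ATTEMPTS, WORDLIST, svc)
        print(f"{svc}: {len(seen)} unique passwords, {pct:.1f}% in word list, "
              f"missing: {missing}")
        print(f"  top: {top_passwords(ATTEMPTS, svc)}")
    for n in (7, 8, 12, 16):
        print(f"length {n}: keyspace {keyspace(n):.3g}, "
              f"list covers at most {list_fraction(n):.3g}")
```

On the constructed data the RDP attempts are 83% covered, with only the AuToLoG-style string missing, and the SSH attempts are 71% covered, with the target-IP artefact and the random string missing, mirroring the three kinds of outlier the report describes. The keyspace output is the point of the last paragraph: at seven characters an 8.4 billion entry list can cover at most about 0.01% of the random strings, and at sixteen characters the fraction is effectively zero.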

Tod Beardsley, Rapid7's director of research, notes that these automated attacks are not free to run, but they are very cheap. That they still succeed at this scale indicates that password managers are not yet the default way of generating and storing passwords, and that needs to change. Password managers do have one significant drawback: they are not always intuitive or easy to use.

Rapid7 Finds Four Flaws in SIGMA Spectrum Infusion Pump and WiFi Battery



Rapid7 discovers four vulnerabilities

On April 20, 2022 Rapid7 identified vulnerabilities in two TCP/IP-enabled medical devices made by Baxter Healthcare. The four vulnerabilities affect the company's SIGMA Spectrum Infusion Pump and SIGMA WiFi battery. 

Five months after Rapid7 reported the issues to Baxter, the two organisations are now jointly disclosing them, having worked together on assessing the impact, the fix and a coordinated disclosure. 

Infosecurity Magazine reports that all of these vulnerabilities have now been fixed; in the disclosure report, researcher Deral Heiland clarified that even before the patches were released, the issues could not be exploited over the internet or from any great distance.

About the vulnerability 

Rapid7 has described the findings in a recent report, which notes that the Sigma bugs were found by Deral Heiland, Rapid7's principal IoT (Internet of Things) security researcher. 

For context, Baxter's SIGMA infusion pumps are used by hospitals to deliver medication and nutrients directly into a patient's circulatory system. 

The first vulnerability (CVE-2022-26390) is that the pump sends its WiFi credentials to the battery unit whenever the battery is connected to the pump and the pump is powered on, so the credentials end up stored on a removable component. 

The second vulnerability (CVE-2022-26392) is a format string vulnerability in the 'hostmessage' command, exposed over a telnet session on Baxter SIGMA WiFi battery firmware version 16. 

The third vulnerability (CVE-2022-26393) is also a format string vulnerability, this time in WiFi battery software version 20 D29. 

The fourth and last vulnerability (CVE-2022-26394) allows unauthenticated remote modification of the SIGMA GW IP address on WiFi battery units (versions 16, 17 and 20 D29); that address configures the back-end communication services the devices rely on. 

How does the attack take place?

An attacker has to be at least within WiFi range of the affected devices, and in some cases needs direct physical access. 

But an attacker with network access to the pump unit can, with a single unauthenticated packet, make the unit redirect all of its back-end communications to a host they control, opening the door to a man-in-the-middle (MitM) attack.

Rapid7 reports:

"This could impact the accuracy of the pump data being sent for monitoring and recording purposes, and also potentially be used to intercept Drug library data updates to the pumps — which could potentially be dangerous."



Four Critical Flaws Identified in Sage X3 ERP Software

 

Cybersecurity firm Rapid7 announced on Wednesday that it had discovered four security flaws in the Sage X3 enterprise resource planning (ERP) software which, if left unpatched, could allow attackers to take over the system and run commands. 

The first two are protocol-level issues in the remote administration of Sage X3; the latter two are web application flaws. Rapid7 recommends that Sage X3 installations never be exposed directly to the internet and instead be reached over a secure VPN connection where remote access is required. The company says this effectively mitigates all four flaws, though users should still apply the fixes as part of their regular patch cycle. 

Rapid7 researchers Jonathan Peterson, Aaron Herndon, Cale Black, Ryan Villarreal, and William Vu, who identified the flaws (CVE-2020-7387 through CVE-2020-7390), said the most critical vulnerabilities lie in the platform's remote administration function. Sage X3 is an ERP system used mainly for supply chain management in medium to large companies, and it is particularly popular in the UK and other European markets.

The findings are concerning because the flaws Rapid7 identified include an authentication bypass, which is critical in any context; the fact that the application executes commands by design makes it a truly serious vulnerability for anyone running the software, said AJ King, CISO at BreachQuest. 

King explained that because the software can execute commands by design, any authentication bypass immediately offers the unauthenticated threat actor the ability to run commands.

“In a typical authentication bypass, the threat actor would not automatically gain the ability to execute programs. The Rapid7 researchers also discovered that the application communicates using a custom encryption protocol. This is such a departure from best practices that security professionals are often heard saying ‘friends don’t let friends roll their own crypto.’ This sort of behavior has no place in enterprise software,” King stated.

Following the recent cyberattacks on Colonial Pipeline and JBS, companies should be extra vigilant about their ERP software. Sage X3 is commonly used for supply chain management in medium and large organisations, which makes it an attractive target for this kind of attacker.

Three Unpatched Bugs Spotted in Third-Party Provisioning Platform

 

Researchers at Rapid7 have uncovered three critical security issues (covered by four CVEs) in Akkadian Provisioning Manager, a third-party provisioning tool used within Cisco Unified Communications environments, which can be chained together to achieve remote code execution (RCE) with elevated privileges.

Cisco's UC suite provides VoIP and online video communications across enterprise footprints. Akkadian's products are appliances typically deployed in large enterprises to automate the provisioning and configuration of all the UC clients and services.

The flaws, present in version 4.50.18 of the Akkadian appliance, are as follows: 

•CVE-2021-31579: Use of hard-coded credentials (scoring 8.2 out of 10 on the CVSS vulnerability-severity scale)

•CVE-2021-31580 and CVE-2021-31581: Improper neutralization of special elements used in an OS command (via the exec and vi commands, respectively; scoring 7.9) 

•CVE-2021-31582: Exposure of sensitive information to an unauthorized actor (scoring 7.9)

Combining CVE-2021-31579 with either CVE-2021-31580 or CVE-2021-31581 lets an unauthorised adversary obtain a root-level shell on the affected appliance, according to Rapid7. From there it is straightforward to install cryptominers, keystroke loggers, persistent shells, and any other form of Linux-based malware. 

CVE-2021-31582 allows an attacker who is already authenticated to the appliance to read, alter or delete the contents of the local MariaDB database (an open-source fork of the MySQL relational database management system). In some cases, attackers could recover the LDAP BIND credentials the host organisation uses to authenticate clients (and the users or applications behind them) to a directory server. 

“In addition to these issues, two other questionable findings were discovered: The ability to read the cleartext local MariaDB credentials, and the inadvertent shipping of an entire GitHub repo with commit history. At the time of this writing, it’s unclear if these findings present unique security issues, but should be reviewed by the vendor,” the company explained, in a blog post this week. 

Security recommendations for organizations 

To protect their environments, organisations should restrict network access to the SSH port (22/tcp) to trusted users and ensure the appliance is not reachable from the internet, Rapid7 advised.

“Furthermore, system operators should know that, in the absence of a fix, users who have access to the Akkadian Appliance Manager effectively have root shell access to the device, due to the second and third issues,” according to the assessment. 

Rapid7 disclosed the flaws to Akkadian in February, but despite multiple follow-ups there has been no response, according to Rapid7.