
The Lazarus Hacking Group's Covert Strategy: Utilizing MagicLine4NX Software in a Global Supply-Chain Assault

 

In a joint effort, the National Cyber Security Centre (NCSC) and South Korea's National Intelligence Service (NIS) have issued a serious warning about the activities of the Lazarus hacking group, associated with North Korea. The group is exploiting a zero-day vulnerability found in the widely-used MagicLine4NX software, leading to a series of sophisticated supply-chain attacks affecting various entities globally.

The MagicLine4NX software, developed by Dream Security in South Korea, is a crucial joint certificate program for secure logins and digital transactions. Exploiting a vulnerability in this software, cyber actors gained unauthorized access to the intranets of targeted organizations, breaching security authentication systems in the process.

The joint advisory revealed, "Cyber actors utilized the software vulnerabilities to gain unauthorized access to the intranet of a target organization. They exploited the MagicLine4NX security authentication program for initial intrusion and a zero-day vulnerability in network-linked systems to move laterally, accessing sensitive information."

The intricate attack chain began with a watering hole attack, a tactic where hackers compromise websites frequented by specific users. In this case, state-sponsored hackers infiltrated a media outlet's website, embedding malicious scripts into an article. The attack specifically targeted visitors using certain IP ranges. When visitors employed the MagicLine4NX authentication software and accessed the compromised website, the embedded code executed, providing hackers with complete control over the system.

Subsequently, the attackers accessed an internet-side server from a network-connected PC, exploiting system vulnerabilities. They then spread the malicious code to a business-side server via a network-linked system's data synchronization function.

Despite security measures, the threat actors persisted in attempting to infiltrate business PCs with the aim of extracting sensitive information. The malware established a connection to two C2 servers—one serving as a gateway within the network-linked system and the other located externally on the internet. The report noted, "The malicious code attempted to move data from the internal server to the external server but was thwarted by the security policy. Had it succeeded, substantial internal network information might have been compromised."

The warning emphasized the severity of such attacks, citing previous supply chain intrusions by North Korea-linked APT groups. Notably, the Labyrinth Chollima APT targeted VoIP software maker 3CX, leading cybersecurity vendors to detect the popular software as malware. In a separate incident, Microsoft Threat Intelligence researchers exposed a supply chain attack by APT Diamond Sleet (ZINC), affecting over 100 devices across Japan, Taiwan, Canada, and the United States.

As cybersecurity agencies work to contain these threats, the increasing sophistication of these attacks underscores the urgent need for heightened vigilance and robust security measures against supply-chain vulnerabilities.

"Ransomware Alert: Clop Gang Targets Microsoft with Exploits on SysAid Zero-Day Vulnerability"

 


A newly discovered vulnerability in SysAid's widely used IT service automation software is being exploited by hackers from a notorious ransomware gang, says the software maker. In a blog post published Wednesday, SysAid CEO Sasha Shapirov reported that attackers are exploiting a zero-day vulnerability that affects its Cloud software that is hosted on-premises.

A zero-day vulnerability is one that attackers exploit in the wild before the vendor, in this case SysAid, has had time to fix it. Limited attacks in recent weeks have exploited a zero-day vulnerability in Microsoft's SysAid IT support software, tracked as CVE-2023-47246.

The IT giant has reported that the attacks are linked to the Clop ransomware group (also known as Lace Tempest). The company reported the flaw to the software provider, which immediately repaired it.

SysAid's security team discovered a potential vulnerability in its on-premise software on November 2nd, the company reported. The software firm engaged the cybersecurity firm Profero to investigate the issue. Profero found a zero-day vulnerability in the software that had been used to compromise it.

SysAid offers a comprehensive set of tools for managing a large range of IT services within an organization, such as IT service monitoring, IT service management, and IT service management performance analysis.

One of the most notorious aspects of the Clop ransomware group is that it exploits zero-day vulnerabilities in widely used software. Recent examples include the file transfer products MOVEit Transfer, GoAnywhere MFT, and Accellion File Transfer Access. According to a report published on Wednesday by SysAid, CVE-2023-47246 is a path traversal vulnerability that can be exploited to expose users to unauthenticated code execution attacks.

The company engaged Profero, a rapid incident response company, to investigate the attacks and provide technical details of what was uncovered. An attacker exploited the zero-day vulnerability to upload a WAR (Web Application Resource) archive containing a webshell into the webroot of SysAid Tomcat, the web service that manages SysAid's free web applications.

The threat actors were then able to run further PowerShell scripts and to run the GraceWire malware through a legitimate process (e.g. spoolsv.exe, msiexec.exe, svchost.exe) that was already running. A report by Sophos states that the malware loader ('user.exe') checks the running processes on the compromised system to make sure that no Sophos security products are present.

In a series of posts on X (formerly Twitter), Microsoft's Threat Intelligence team explained how the exploitation of the SysAid vulnerability could be traced to a hacking group called Lace Tempest, better known as the Clop ransomware group.

The notorious Russia-linked ransomware gang has also been linked to mass hacks that exploited a zero-day flaw in the file transfer service MOVEit Transfer, which is used by thousands of organizations across the globe. Emsisoft says more than 2,500 organizations have so far been affected.

On its official website, the company proudly claims to have an extensive customer base that exceeds 5,000 across a staggering 140 countries. These valued customers represent a diverse range of industries, including but not limited to education, government, and healthcare. While the exact number of affected customers remains undisclosed, SysAid has taken a proactive approach to addressing the situation. 

Furthermore, the company has diligently analyzed the incident to provide crucial indicators of compromise that are instrumental in both detecting and preventing future intrusions. These indicators encompass a multitude of valuable information such as filenames and their associated hashes, IP addresses involved in the attack, file paths utilized by the threat actor, and the specific commands employed to either download malware or erase any traces of initial access. By equipping its customers with such comprehensive insights, SysAid aims to enhance their cybersecurity posture and protect their valuable data from potential threats.

Clop Attacks: Ransomware Group Reveals Names of the MOVEit Zero-Day Attack Victims


The Clop ransomware group has revealed the names of more than two dozen organizations that were apparently attacked in its campaign via a zero-day vulnerability in the MOVEit managed file transfer (MFT) software.

The ransomware group utilized the MOVEit transfer vulnerability, CVE-2023-34362, to steal data from firms that had been using the product. Despite some evidence indicating that the hackers tested the vulnerability as early as 2021, broad exploitation appears to have begun in late May 2023.

The attacks were quickly linked to the Clop group, which had earlier used a zero-day in the GoAnywhere MFT product to steal data from several firms. The MOVEit zero-day campaign's perpetrators have acknowledged their involvement, and they have given victims until June 14 to contact them in order to stop the release of data taken from their systems. They say they have struck hundreds of targets.

The victims of the attacks include energy giant Shell, as well as firms from the financial, healthcare, manufacturing, IT, pharmaceutical, and education sectors. A large number of the victims are US-based banks and other financial institutions, followed by healthcare organizations. The hackers declared they would not target pediatric healthcare facilities after the breach was discovered.

The first known victims of the attacks included UK-based payroll and HR company Zellis (and its clients British Airways, Aer Lingus, the BBC, and Boots), the Canadian province of Nova Scotia, the University of Rochester, the Illinois Department of Innovation & Technology (DoIT), and the Minnesota Department of Education (MDE).

Following the ransomware attacks, the group has not yet leaked any data stolen from these organizations.

The number of businesses that have reported being impacted keeps expanding. In recent days, statements about the incident have been released by Johns Hopkins University and Johns Hopkins Health System, UK media authority Ofcom, and a Missouri state agency.

Moreover, in a report published on Thursday, CNN noted that a number of US federal government organizations were also impacted by the attacks, according to Eric Goldstein, the executive director for CISA. These agencies include the Department of Energy, which is now working to control the impact of the attack.

However, the ransomware gang claims that their prime motive behind these attacks is to acquire ransoms from businesses and confirms that all the state-related data they may have acquired in the attacks has been deleted.

Atlassian Patches Confluence Zero-day Vulnerabilities

Atlassian issued security updates for a critical zero-day vulnerability in Confluence Server and Data Center that was exploited in the wild to backdoor web-exposed servers. The zero-day (CVE-2022-26134) impacts all supported versions of Confluence Server and Data Center and allows threat actors to achieve remote code execution on unpatched servers. As the vulnerability was reported as an actively exploited bug, the Cybersecurity and Infrastructure Security Agency (CISA) added it to its "Known Exploited Vulnerabilities Catalog".

This means federal agencies can block all web traffic to Confluence servers on their networks. Atlassian has released patches and asked its customers to update to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which have been patched for this vulnerability. "We strongly recommend upgrading to a fixed version of Confluence as there are several other security fixes included in the fixed versions of Confluence," it says.

Users who can't upgrade their Confluence installs for now can use a temporary workaround and mitigate the CVE-2022-26134 security vulnerability by upgrading a few JAR files on their Confluence servers. The flaw was discovered by cybersecurity firm Volexity. During its investigation, the firm found that the zero-day was used to deploy a BEHINDER JSP web shell, which allowed the hackers to perform remote code execution on the servers. Threat actors also used a China Chopper web shell and a file upload software as backups to keep access to the hacked servers.

Volexity researchers believe that various hackers from China are using the CVE-2022-26134 flaw to gain access to web-exposed and unpatched Confluence servers. "The targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated. It is clear that multiple threat groups and individual actors have the exploit and have been using it in different ways. Some are quite sloppy and others are a bit more stealth. Loading class files into memory and writing JSP shells are the most popular we have seen so far," said Volexity.


Zoom Zero-Day Allowed Remote Code Execution, Patch Issued


Zoom, the video and audio conferencing software, patched a zero-day vulnerability that was affecting users running old versions of Windows: Windows 7, Windows Server 2008 R2 and earlier. The flaw was detected on Thursday and later published in a blog post by security research organization ACROS Security.

The previously unknown vulnerability allowed a remote attacker to execute arbitrary code on a targeted user’s system on which one of the supported versions of Zoom Client for Windows is installed. To set the attack in motion, the attacker manipulates the victim into carrying out some typical action (opening a received document file), and reportedly no security warning is displayed to the user as the attack takes place.


After disclosing the zero-day vulnerability to Zoom, ACROS released a micropatch for its 0patch client to safeguard its own clients against attack until Zoom came out with an official patch. In the wake of various security flaws, the company had halted the production of new features for a while so that the major privacy-related concerns threatening user security could be given much-needed attention. However, this ‘feature freeze’ period ended very recently, on July 1, just last week, and the zero-day was detected a few days later.


In conversation with Threatpost, 0patch’s co-founder, Mitja Kolsek, said, “Exploitation requires some social engineering – which is practically always the case with user-side remote code execution vulnerabilities.”


“While a massive attack is extremely unlikely, a targeted one is conceivable.” “Zoom Client features a fairly persistent auto-update functionality that is likely to keep home users updated unless they really don’t want to be,” he wrote.


“However, enterprise admins often like to keep control of updates and may stay a couple of versions behind, especially if no security bugs were fixed in the latest versions.”


“Zoom takes all reports of potential security vulnerabilities seriously. This morning we received a report of an issue impacting users running Windows 7 and older. We have confirmed this issue and are currently working on a patch to quickly resolve it,” said Zoom, while addressing the issue initially.


A few days later, on July 10, a fix was released by the company and the officials said, “Zoom addressed this issue, which impacts users running Windows 7 and older, in the 5.1.3 client release on July 10. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.”

LeetHozer and Moobot Have The Same Attack Maneuvers?


Sharing has become a thing with cyber-criminals and their malware mechanisms. Reportedly, the LeetHozer botnet was found to have attack tactics similar to those of the Moobot malware family. Researchers have reasons to think that the party that created Moobot could also be the one that created LeetHozer.

Per researchers, the LeetHozer botnet has been borrowing from other kinds of malware here and there. Per sources, it has in the past used the loader and reporter system that Mirai uses.

Apparently, despite using the same mechanisms as Mirai, the LeetHozer threat was a little different. According to researchers, other Mirai variations too were altered, including the encryption procedure, the bot program, and the command and control protocol. The unique "string and downloader" too were revealed to be of the same kind as Mirai.

Per reports, the botnet was noticed when it was found to be manipulating a vulnerability in the “telnet service” of a device. It made use of the default password to get access to the device. Once the device was infected, LeetHozer sent the device's information to its reporter mechanism, which passed it to the command and control server, and finally the instructions for the Denial-of-Service attack were received.

Moobot has been part of quite a lot of attacks ever since it first surfaced last year. According to researchers, several threat actors have made use of it to exploit zero-day vulnerabilities. Reports mention that researchers discovered it while it was manipulating a zero-day vulnerability in fiber routers. Needless to say, one of Moobot's major attack tactics is exploiting any zero-day flaw it can get its claws into.

There are numerous ways in which an organization can create a barricade against any such attacks. The cyber and technological security personnel could design a response plan and a contingency plan especially against DDoS attacks, the systems should be backed up at all times, and configuration could be done in a way that as soon as the network is attacked the back-up kicks in. Also, researchers suggest that Artificial Intelligence could prove to be a very lucrative solution for such problems.

Three Botnets Abuse Zero-Day Vulnerabilities in LILIN's DVRs!


Not long ago, LILIN recorders were found to be vulnerable. Reportedly, botnet operators were behind the exploitation of zero-day vulnerabilities in the Digital Video Recorders (DVRs) that the vendor is well known for.

Sources mention that the exploitation of the zero-day vulnerabilities had been going on for almost half a year without the vendor being aware of it. Nevertheless, the vendor rolled out a patch in February 2020.

Digital Video Recorders are electronic devices that collect video feeds from local CCTV/IP cameras systems and store them on different mass storage devices like SD cards, USB flash drives, disk drives, etc.

DVRs are a huge deal today given that they are a major element of the security cameras that are used almost everywhere these days.

With CCTV cameras all the rage, attacks designed specifically for them have risen equally. Malware botnets and other hacker operations have been targeting these widely used DVRs for quite some time now.

Per sources, unrevised and out-of-date firmware is the reason these devices get hacked. In particular, DVRs with default credentials are exploited to kick off DDoS and other IoT attacks.

Sources mention that security researchers found LILIN’s DVRs too were being exploited by three botnets for almost half a year, since August last year.


The vulnerability in “NTPUpdate”, sources mention, allows attackers to inject and run system commands. Via one of the ‘hardcoded credentials’ (root/icatch99 & report/8Jg0SR8K50), an attacker stands a chance to retrieve and alter a DVR’s config file, and later run commands on the device when the File Transfer Protocol (FTP) server configuration is periodically synchronized.

Per sources, the first botnet behind the zero-day exploitation was the “Chalubo botnet”, whose motive was exploiting the NTPUpdate of the LILIN DVRs. The other two were employed by the “FBot botnet”.

Reportedly, a couple of weeks after the FBot attacks, the Moobot botnet also tried its luck and succeeded with the second zero-day vulnerability.

There is no knowing as to what the exact motive was behind hacking the LILIN DVRs. Nevertheless, there has been a history of DDoS attacks, re-routing traffic, and proxy networks.

As it happens there are, per sources, over 5,000 LILIN DVRs that exist today thus making it quite a hefty task to update all of them immediately. But it’s a relief to know that the first step has been taken. There’s not much to worry about now given LILIN has released a firmware update along with solutions for mitigation.