At a glance.
- Update on Barracuda ESG exploitation.
- Camaro Dragon’s current cyberespionage tools spread through infected USB drives.
- Mirai update: new infection vectors.
- Microsoft Threat Intel report: Midnight Blizzard, a Russian SVR threat actor.
- Ukraine experiencing a "wave" of cyberattacks during its counteroffensive.
- "Anonymous Sudan" is neither.
- Proof-of-concept: Microsoft Teams as potential attack vector.
Update on Barracuda ESG exploitation.
Proofpoint has tweeted updates on exploitation of CVE-2023-2868, a vulnerability found in Barracuda's Email Security Gateway (ESG). UNC4841, the "aggressive and highly skilled actor conducting targeted activity," is believed to be acting on behalf of the Chinese government. Geographically, its targets have been, from most to least frequently affected, the United States, Norway, Taiwan, and Poland. By sector, UNC4841 has been most interested in academic institutions, defense establishments, and the US Federal Government.
Michael Raggi, Staff Threat Research Engineer at Proofpoint, explained. “Proofpoint has observed intermittent exploitation attempts by Chinese state-aligned threat actor UNC4841 targeting CVE-2023-2868 from October 2022 through May 29, 2023. This vulnerability was being actively used in the wild by an APT actor as recently as three weeks ago. While the phishing campaigns involved conventional espionage operations, the threat actor also exhibited a sustained focus on scientific research, energy entities, and public health data which demonstrates a more complex tasking than initially disclosed publicly. This zero-day vulnerability continues an increasing trend of vulnerable email gateway appliances being exploited via advanced exploits contained within phishing emails.”
Barracuda has issued both mitigations and patches.
Camaro Dragon’s current cyberespionage tools spread through infected USB drives.
Check Point Research released a report focusing on a USB-propagated malware campaign that it attributes to the Chinese-based espionage group Camaro Dragon. The Check Point Research Incident Response Team (CPIRT) discovered the malware while investigating an incident in a European hospital earlier this year. “The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives.” Patient Zero, as CPR calls the first victim, initially received the infection while attending a conference in China and connecting a USB drive to a colleague's already infected computer.
The malware hides all of the victim’s files on the drive and shows a program that appears to merely display the files, but which launches a backdoor in the background. The tools involved in the infection, WispRider and HopperTick, seem to align with other tools used by Camaro Dragon, including TinyNote (a Go-based backdoor) and HorseShell (a malicious router firmware).
The malware spreads through human interaction with infected machines. Check Point writes, “The ability to propagate autonomously and uncontrollably across multiple devices enhances this threat’s reach and potential impact. This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted.” The researchers have since noticed several newer variations of these backdoors, all seeming to originate in Southeast Asia. Check Point reports that Camaro Dragon uses its own FTP servers and third-party services like Google Drive to exfiltrate data.
Mirai update: new infection vectors.
A version of the Mirai botnet is exploiting vulnerabilities affecting D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek devices, BleepingComputer reports. According to Palo Alto Networks’ Unit 42, “The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.”
Akamai has observed Mirai botnet samples exploiting CVE-2023-26801, a command injection vulnerability affecting certain versions of LB-LINK wireless routers. The researchers stated, “This can lead to various security risks, including unauthorized access, device compromise, and further exploitation within the network.”
Microsoft Threat Intel report: Midnight Blizzard, a Russian SVR threat actor.
Microsoft has released a new intelligence profile on a Russian Foreign Intelligence Service (SVR) threat actor it now calls Midnight Blizzard (formerly NOBELIUM). This threat actor targets government agencies, non-governmental organizations, and diplomatic personnel in an intelligence gathering operation. Microsoft writes, “They utilize diverse initial access methods ranging from stolen credentials to supply chain attacks, exploitation of on-premise environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain downstream customers, as well as ADFS malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear.” Midnight Blizzard uses a “cyber fire-and-maneuver” technique, moving between low-reputation IP addresses that are each used for only a short period of time, which helps it obfuscate its operations. In response to this threat actor, Microsoft announced that it has added protections to Defender Antivirus, Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory.
Ukraine experiencing a "wave" of cyberattacks during its counteroffensive.
US Deputy National Security Advisor Anne Neuberger told the FT Cyber Resilience Summit yesterday, “We know Ukraine is currently experiencing a significant surge in cyberattacks in parallel to the kinetic aspects.” The Record reports that she specified neither the scope of the attacks nor the sectors that were receiving hostile attention.
"Anonymous Sudan" is neither.
There's a growing consensus that Anonymous Sudan, which represents itself as a hacktivist organization with Islamist sympathies operating in Sudan, is neither an Anonymous affiliate nor Sudanese. Cybernews summarizes the evidence that points to the group's status as a KillNet affiliate, which means in turn that it's working for the Russian intelligence services. Much of the evidence leading to the conclusion that Anonymous Sudan is a Russian front group comes from research by Australian security firm CyberCX, and Anonymous Sudan wasn't happy about being outed. The group yesterday said it had conducted a distributed denial-of-service (DDoS) attack against CyberCX's website (no signs of disruption this morning), explaining, "The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog." The "dog" insult is a nice but too obvious gesture toward the culture of the Sahel, but, really, few will be deceived. Straight up, Anonymous Sudan is Russian.
The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.
Proof-of-concept: Microsoft Teams as potential attack vector.
Researchers at Jumpsec have discovered a way to use Microsoft Teams as a vector for malware delivery, BleepingComputer reports. Researcher Max Corbridge explains, “Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request.” Corbridge adds, “When sending the payload like this, it is actually hosted on a Sharepoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link.”
Microsoft acknowledged the vulnerability, but told Jumpsec that it “did not meet the bar for immediate servicing.”
Dror Liwer, co-founder of Coro, stated, “While we normally hear about email as the most common entry point for attackers, we see Teams, Slack, and other messaging platforms as a quickly developing vector. Attackers will always look for a path of least resistance, and while email has been a very lucrative method, less people expect an attack through Teams, and as such are more easily targeted.”