Malicious ISS module exploitation is the latest trend among threat actors targeting Exchange servers, analysts say.

Attackers once focused on exploiting ProxyLogon Microsoft Exchange server vulnerabilities have made a pivot to the new SessionManager backdoor, which can be used to gain persistent, undetected access to emails -- and even take over the target organization's infrastructure. 

Researchers from Kaspersky today report the emergence of SessionManager, which they say is part of a bigger trend of attackers deploying malicious backdoor modules inside Internet Information Services (ISS) servers for Windows, like Exchange servers.   

The malicious SessionManager backdoor, first observed in March 2021, has been used to target nongovernmental organizations (NGOs) across Africa, Europe, the Middle East, and South Asia, the researchers add. The Kaspersky report says 34 servers across 24 individual NGOs have been compromised by SessionManager. 

"The exploitation of Exchange server vulnerabilities has been a favorite of cybercriminals looking to get into targeted infrastructure since Q1 2021," said Pierre Delcher, senior security researcher at Kaspersky, in a post about the findings. "The recently discovered SessionManager was poorly detected for a year and is still deployed in the wild."

The Kaspersky team recommends regular threat hunting for malicious modules in exposed ISS servers and focusing detection on lateral movement across the network, as well as close monitoring of data exfiltration to the Internet. 

"In the case of Exchange servers, we cannot stress it enough: The past year’s vulnerabilities have made them perfect targets, whatever the malicious intent, so they should be carefully audited and monitored for hidden implants, if they were not already,” Delcher warned.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Exchange Servers Backdoored Globally by SessionManager

Devices from Cisco, Netgear and others at risk from the multi-stage malware, which has been active since April 2020 and shows the work of a sophisticated threat actor.

Devices from Cisco, Netgear and others at risk from the multi-stage malware, which has been active since April 2020 and shows the work of a sophisticated threat actor.

A novel multistage remote access trojan (RAT) that’s been active since April 2020 is exploiting known vulnerabilities to target popular SOHO routers from Cisco Systems, Netgear, Asus and others.

The malware, dubbed ZuoRAT, can access the local LAN, capture packets being transmitted on the device and stage man-in-the-middle attacks through DNS and HTTPS hijacking, according to researchers from Lumen Technologies’ threat-intelligence arm Black Lotus Labs.

The ability to not only hop on a LAN from a SOHO device and then stage further attacks suggests that the RAT may be the work of a state-sponsored actor, they noted in a blog post published Wednesday.“The use of these two techniques congruently demonstrated a high level of sophistication by a threat actor, indicating that this campaign was possibly performed by a state-sponsored organization,” researchers wrote in the post.

The level of evasion that threat actors use to cover up communication with command-and-control (C&C) in the attacks “cannot be overstated” and also points to ZuoRAT being the work of professionals, they said.

_“_First, to avoid suspicion, they handed off the initial exploit from a dedicated virtual private server (VPS) that hosted benign content,” researchers wrote. “Next, they leveraged routers as proxy C2s that hid in plain sight through router-to-router communication to further avoid detection. And finally, they rotated proxy routers periodically to avoid detection.”

****Pandemic Opportunity****

Researchers named the trojan after the the Chinese word for “left” because of the file name used by the threat actors, “asdf.a.” The name “suggests keyboard walking of the lefthand home keys,” researchers wrote.

Threat actors deployed the RAT likely to take advantage of often unpatched SOHO devices shortly after the COVID-19 pandemic broke out and many workers were ordered to work from home, which opened up a host of security threats, they said.

“The rapid shift to remote work in spring of 2020 presented a fresh opportunity for threat actors to subvert traditional defense-in-depth protections by targeting the weakest points of the new network perimeter — devices which are routinely purchased by consumers but rarely monitored or patched,” researchers wrote. “Actors can leverage SOHO router access to maintain a low-detection presence on the target network and exploit sensitive information transiting the LAN.”

****Multi-Stage Attack****

From what researchers observed, ZuoRAT is a multi-stage affair, with the first stage of core functionality designed to glean information about the device and the LAN to which its connected, enable packet capture of network traffic, and then send the info back to command-and-control (C&C).

“We assess the purpose of this component was to acclimate the threat actor to the targeted router and the adjacent LAN to determine whether to maintain access,” researchers noted.

This stage has functionality to ensure only a single instance of the agent was present, and to perform a core dump that could yield data stored in memory such as credentials, routing tables and IP tables, as well as other info, they said.

ZuoRAT also includes a second component comprised of auxiliary commands sent to the router for use as the actor so chooses by leveraging additional modules that can be downloaded onto the infected device.

“We observed approximately 2,500 embedded functions, which included modules ranging from password spraying to USB enumeration and code injection,” researchers wrote.

This component provides capability for LAN enumeration capability, which allows the threat actor to further scope out the LAN environment and also perform DNS and HTTP hijacking, which can be difficult to detect, they said.

****Ongoing Threat****

Black Lotus analyzed samples from VirusTotal and its own telemetry to conclude that about 80 targets so far have been compromised by ZuoRAT.

Known vulnerabilities exploited to access routers to spread the RAT include: CVE-2020-26878 and CVE-2020-26879. Specifically, threat actors used a Python-compiled Windows portable executable (PE) file that referenced a proof of concept called ruckus151021.py to gain credentials and load ZuoRAT, they said.

Due to the capabilities and behavior demonstrated by ZuoRAT, it’s highly likely that not only that the threat actor behind ZuoRAT is still actively targeting devices, but has been ” living undetected on the edge of targeted networks for years,” researchers said.

This presents an extremely dangerous scenario for corporate networks and other organizations with remote workers connecting to affected devices, noted one security professional.

“SOHO firmware typically isn’t built with security in mind, especially pre-pandemic firmware where SOHO routers weren’t a big attack vector,” observed Dahvid Schloss, offensive security team lead for cybersecurity firm Echelon**,** in an email to Threatpost.

Once a vulnerable device is compromised, threat actors then have free rein “to poke and prod at whatever device is connected” to the trusted connection that they hijack, he said.

“From there you could attempt to use proxychains to throw exploits into the network or just monitor all the traffic going in, out, and around the network,” Schloss said.

ZuoRAT Can Take Over Widely Used SOHO Routers

IBM Spectrum Protect Client 8.1.0.0 through 8.1.14.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 225886.

**Security Bulletin**

  

**Summary**

The IBM Spectrum Protect back-up archive client is vulnerable to information disclosure as user credentials are stored in memory in plain text. The back-up archive client is also vulnerable to a denial of service due to certain read operations on TCP/IP sockets.

**Vulnerability Details**

**CVEID:**   CVE-2022-22478  
**DESCRIPTION:**   IBM Spectrum Protect Client stores user credentials in plain clear text which can be read by a local user.  
CVSS Base score: 6.2  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225886 for the current score.  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:**   CVE-2022-22474  
**DESCRIPTION:**   IBM Spectrum Protect dsmcad, dsmc, and dsmcsvc processes incorrectly handle certain read operations on TCP/IP sockets. This can result in a denial of service for IBM Spectrum Protect client operations.  
CVSS Base score: 5.9  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225348 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Client

8.1.0.0-8.1.14.0

**Remediation/Fixes**

**NOTE**:  APAR IT40671 was created for CVE-2022-22474.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 June 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Client","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"},{"code":"PF010","label":"HP-UX"},{"code":"PF027","label":"Solaris"}\],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2022-22478: Information Disclosure and Denial of Service Vulnerabilities in IBM Spectrum Protect Backup-Archive Client (CVE-2022-22478, CVE-2022-22474)

IBM Spectrum Protect Operations Center 8.1.0.000 through 8.1.14 could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request. This information could then be used in future attacks. IBM X-Force ID: 226940.

  

**Summary**

IBM Spectrum Protect Operations Center may disclosure database information in error messages sent to the user which could be used in future attacks.

**Vulnerability Details**

**CVEID:**   CVE-2022-22494  
**DESCRIPTION:**   IBM Spectrum Protect Operations Center could allow a remote attacker to gain details of the database, such as type and version, by sending a specially-crafted HTTP request. This information could then be used in future attacks.  
CVSS Base score: 3.7  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/226940 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**Version(s)**

IBM Spectrum Protect Operations Center

8.1.0.000-8.1.14.xxx

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

29 June 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSER5J","label":"IBM Spectrum Protect Extended Edition"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}\],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}\]

CVE-2022-22494: Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center (CVE-2022-22494)

IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.5 and 6.1.0.0 through 6.1.1.0 could disclose sensitive version information that could aid in future attacks against the system. IBM X-Force ID: 211414.

  

**Summary**

IBM Sterling B2B Integrator has addressed a sensitive version information disclosure vulnerability.

**Vulnerability Details**

**CVEID:**   CVE-2021-38954  
**DESCRIPTION:**   IBM Sterling B2B Integrator Standard Edition could diclose sensitive version information that could aid in future attacks against the system.  
CVSS Base score: 4.3  
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211414 for the current score.  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

**Affected Products and Versions**

**Affected Product(s)**

**APAR(s)**

**Version(s)**

IBM Sterling B2B Integrator

IT38705

6.0.0.0 - 6.0.3.5

IBM Sterling B2B Integrator

IT38705

6.1.0.0 - 6.1.1.0

**Remediation/Fixes**

**Product(s)**

**Version(s)**

**Remediation/Fix**

IBM Sterling B2B Integrator

6.0.0.0 - 6.0.3.5

Apply IBM Sterling B2B Integrator version  6.0.3.6 on Fix Central

IBM Sterling B2B Integrator

6.1.0.0 - 6.1.1.0

Apply IBM Sterling B2B Integrator version  6.1.1.1 on Fix Central

Note that the fix may also be present in other releases. This can be verified by looking for the APAR number on the Fix List page

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

20 Jun 2022: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU031","label":"Syncsort"},"Product":{"code":"SSMHNK","label":"IBM Sterling B2B Integrator"},"Component":"B2B API","Platform":\[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF002","label":"AIX"}\],"Version":"6.0.0.0 - 6.1.1.1","Edition":""}\]

CVE-2021-38954: Security Bulletin: IBM Sterling B2B Integrator B2B API is vulnerable to information disclosure vulnerability (CVE-2021-38954)

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/a8fc1b3f7a605dc06a319bf0e14ca68b.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.Family: CafeiniType: PE32MD5: a8fc1b3f7a605dc06a319bf0e14ca68bVuln ID: MVID-2022-0617Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 51966CAFEiNi 1.1Enter your password:mamaC:\Users\victim\Desktop>whoamiwhoamiSTATUS: unknown command "WHOAMI"C:\Users\victim\Desktop>exec c:\Windows\system32\calc.exeexec c:\Windows\system32\calc.exeSTATUS: program runnedC:\Users\victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Cafeini.b MVID-2022-0617 Hardcoded Credential

Researchers have analyzed a long running campaign that compromises SOHO routers to further penetrate and eavesdrop on networks.
The post ZuoRAT is a sophisticated malware that mainly targets SOHO routers appeared first on Malwarebytes Labs.

Researchers have analysed a campaign leveraging infected SOHO routers to target predominantly North American and European networks of interest.

The so-called ZuoRAT campaign, which very likely started in 2020, is so sophisticated that the researchers suspect that there is a state sponsored threat actor behind it.

**SOHO routers**

SOHO is short for small office/home office and SOHO routers are hardware devices that route data from a local area network (LAN) to another network connection. Modern SOHO routers have almost the same functions as home broadband routers, and small businesses tend to use the same models. Some vendors also sell routers with advanced security and manageability features, but most SOHO devices are only monitored in exceptional cases.

Which is probably the reason why the ZuoRAT managed to fly under the radar for so long.

**Compromise the router**

The first step in the campaign is to take control of the router. The researchers identified infected routers of several manufacturers including popular brands like ASUS, Cisco, DrayTek, and NETGEAR. It is likely that the threat actor used unpatched vulnerabilities to steal credentials from the targeted routers. Although patches for these vulnerabilities exist, it is not uncommon for device administrators never to apply these patches.

This lack of security is often caused by lack of awareness. And the lack of awareness starts by small business owners not knowing which type or model of router they have exactly. So even if they read about a vulnerability in their router, it may not sink in that it applies to them. The rebranding of routers by providers is another contributing factor to the owners’ ignorance.

**Drop the RAT**

The vulnerability or chain of vulnerabilities allow the threat actor to download a binary, then execute it on the host. Once installed, ZuoRAT enumerates the devices connected to the infected router. The threat actor can then use DNS hijacking and HTTP hijacking to cause the connected devices to install other malware.

The ZuoRAT agent framework enables in-depth reconnaissance of target networks, traffic collection and network communication hijacking. Some of the functions will run by default, while others might be intended to be called by additional commands.

**Mirai**

ZuoRAT looks like a heavily modified version of the Mirai malware. The authorities may have caught the Mirai creators, but the spirit of their botnet lives on. Numerous groups took advantage of the open-source code to create mini variants. But the command and control infrastructure used in this campaign is intentionally complex in an attempt to conceal what’s happening.

**Attribution**

While attribution is always hard, the researchers listed several indications that the group behind this campaign might be of Chinese origin. One set of C2 infrastructure controlled by this threat actor and used to interact with the Windows RATs was found to be hosted on internet services from China-based organizations. Also, some of the program database paths contained Chinese characters, while others referenced “sxiancheng”, a possible name or Chinese locality.

China is a likely candidate even if it seems they have already bitten off more than they can chew. According to an article in the Financial Times Chinese university students have been lured to work as translators to help identify hacking targets, and to analyze stolen material.

**DNS hijacking**

Using the gathered information about the DNS settings and the internal host in the adjacent LAN, there were several functions designed to perform DNS hijacking. Some functions allowed the threat actor to update DNS hijacking rules specifying which domains to hijack, the malicious IP address resulting from the hijack and the number of times to trigger the rule.

**HTTP hijacking**

Another noteworthy function enabled the actor to specify which client or subnet to hijack. It hijacked the process so that it could match the traffic pattern. If the pattern matched one of the rules, it displayed a 302 error that redirected the client’s browser to another location where the threat actor could manipulate the connection.

**Mitigation**

If you fear that your router has been compromised, simply restarting an infected device will remove the initial ZuoRAT exploit. To fully recover, however, a factory reset clears infected devices.

To avoid your router from getting infected, find the most recent firmware and install it so you have all the latest patches.

Systems that used an infected route for their internet access and used no block lists that included the C2 infrastructure of ZuoRAT may be infected. This is not only true for Windows systems. The researchers found samples written in GO, which is a cross-platform language.  

IoCs associated with this campaign for threat hunting can be found on the Black Lotus Labs GitHub page.

Stay safe, everyone!

ZuoRAT is a sophisticated malware that mainly targets SOHO routers

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn.  

ADAudit Plus offers a path into an organization’s workstations, servers, and file servers, giving IT admins access to a range of users, groups, permissions, and login credentials, as well as security policies. ADAudit Plus also enables users to collect security events from agents running on other machines in the domain through endpoints that agents use to upload events.

The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach.

The CVE-2022-28219 vulnerability enables malicious actors to easily take over a network for which they already have initial access. Malicious actors could exploit this vulnerability to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

They could also then go on to exploit XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities to wreak additional havoc, according to an in-depth analysis this week by Horizon3.ai.

**Inside the Vulnerability**

Horizon3.ai discovered some of the ADAudit Plus endpoints used for reporting were unauthenticated.

“One of the first things that stood out was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library,” the analysis states. “This is the same vulnerable endpoint from CVE-2020-10189, reported against ManageEngine Desktop Central.”

It added, “This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file-upload vector, we found a path to trigger a blind XXE \[XML External Entity injection\] vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.”

The vulnerability was disclosed to Zoho in March, which released a new build, ADAudit Plus 7060, to fix the issue. The patch fixes the vulnerability by removing the /cewolf endpoint altogether, instead using a secure version of DocumentBuilderFactoryin the ProcessingTrackingListener class and requiring authentication in the form of an agent GUID between agents and ADAudit Plus.

**High Stakes, Plus Exploitation Difficult to Detect**

Horizon3.ai chief architect Naveen Sunkavally explains that ManageEngine products are very common in the enterprise and have been favorite targets of attackers over the years.

“ADAudit Plus is a tool that's used for compliance and auditing, which is a common need for many companies spanning different verticals,” he says. “This vulnerability has been found to be present in many types of environments, from healthcare and technology to construction and local governments.”

Just last fall, ManageEngine ADSelfService Plus, Desktop Central, and ServiceDesk Plus were all actively targeted by attackers using previously undisclosed zero days (CVE-2021-44515, CVE-2021-44077, and CVE-2021-40539) that are now part of the CISA Known Exploited Vulnerabilities (KEV) list.

The latest vulnerability is easy to exploit without any prior knowledge and can yield the "keys to the kingdom,  Sunkavally explains. To boot, exploitation is not that easy to detect because it makes use of the natural behavior of the ADAudit Plus application.

“ADAudit Plus is an attractive target for attackers because it integrates with Active Directory and stores high-privileged domain user credentials,” Sunkavally says.

He notes an attacker with initial access to a compromised network could exploit this vulnerability to extract these high-privileged credentials, move laterally, and take over the entire network.

“We've seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise,” Sunkavally adds.

He advises businesses using ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.

“This vulnerability is not one to hold off on patching,” he says.

**Buggy ManageEngine Has History of Vulnerabilities**

This is not the first time the ManageEngine suite was found to have vulnerabilities. Last September a joint advisory from the FBI and CISA warned of APT attackers exploiting a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus.

While Zoho moved to fix the vulnerabilities, less than a month later Palo Alto Networks issued a warning that many companies are still vulnerable.

Most recently, an elusive attack targeting SolarWinds' Orion network management software, dubbed the Supernova cyberattack, exploited a ManageEngine flaw in the software running on a victim's server.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

Immigration organisations are being targeted by the APT group Evilnum, using spear phishing to send malicious Word documents.
The post Immigration organisations targeted by APT group Evilnum appeared first on Malwarebytes Labs.

Organisations working in the immigration sector are advised to be on high alert for Advanced Persistent Threat (APT) attacks. Bleeping Computer reports that European organisations, specifically, are under threat from the Evilnum hacking group.

Evilnum, on the APT scene since 2018 at the earliest and perhaps most well known for targeting the financial sector, appears to have switched gears.

**In times of conflict**

The observed attacks seem to have sprung into life on or around the beginning of the invasion of Ukraine. This is quite worrying for several reasons:

*   Immigration organisations in Europe are still impacted by the fallout from COVID-19. Additionally, Government immigration services continue to be non-functional or afflicted with severe delays in processing. The UK, which set up a dedicated visa for Ukrainian refugees, has experienced processing delays for unrelated visas of up to 6 months as a result of this project. Being targeted with malware could impact crucial services still further, putting people at risk.
*   Huge amounts of sensitive data is passing to and from independent immigration organisations related to the invasion of Ukraine. Exfiltration of this data could put people both outside Ukraine and those still there at risk of significant harm.
*   Many volunteer organisations have sprung up to support efforts related to Ukraine. Many of these have little to no funding and are being run by random groups of immigration lawyers with minimal experience of cybersecurity issues. This is, unfortunately, an area of potential rich pickings for attackers.

**Important attack details**

The APT group targeted an Intergovernmental organisation (IGO), an entity created via treaty which involves two or more nations to work on issues of common interest. This attack, then, is at the highest level in terms of immigration related impact.

It begins, as so many attacks do, with a targeted email containing a rogue attachment. Opening the attached Word document fires up a message which claims that the document was created in a later version of Microsoft Word. It explains how to enable editing in order to view the supposed content, typically called “Compliance” but also “Complaint” or “Proof of ownership”, among others.

Heavily obfuscated JavaScript decrypts and deposits an encrypted binary and a malware loader (which loads up the binary), and creates a scheduled task to keep things constantly ticking over. File system artefacts created during execution are designed to imitate legitimate Windows binary names, to assist in detection avoidance.

The aim here is to create a backdoor on infected systems. Machine snapshots are taken and sent back to base via POST requests, with exfiltrated data in encrypted form.

**Cybersecurity, just from a different point of view**

Refugees from Ukraine are being assisted by multiple organisations that were set up after the initial invasion. Lawyers helping to run these groups may not be fully immersed in cybersecurity. However, they follow strict rules and regulations with regard to client data by default. As a result, they’re often doing security-centric things to keep client data secure without perhaps noticing the crossover.

For example: Most immigration lawyer/client interactions in the UK currently are remote, partly due to COVID-19 and partly because the UK’s visa system is now almost entirely online. As a result, pretty much everything involving sensitive documentation begins life in the form of an email. This sounds bad at first glance; however, this isn’t the case. Lawyers and clients aren’t emailing important documents in plaintext. Instead, they’re making use of encrypted documents, secure file uploads, and deleting data as and when required.

**Tips for immigration orgs**

If you’re a small organisation looking to help with visa or refugee processes for Ukrainians fleeing the invasion, here’s some of the things you can make a start on now to help keep things secure:

*   Ensure your website is HTTPs. Most sites I’ve seen in this realm use a combination of contact email and/or web form. You don’t want sensitive information intercepted because of insecure websites. As few people as possible should have admin access to the site, and anything related to publishing. Use as few extensions and plugins as possible. Paying for domain anonymity services is useful if required.
*   Consider using an alias for public facing email addresses. Additionally, lock down all email addresses with multifactor authentication (MFA). The same goes for backup/recovery emails tied to the main account(s).
*   If you have the choice of SMS codes or authentication apps/hardware based security keys for 2FA, choose the latter. SMS won’t work with no signal reception, and fraudsters may divert your SMS codes via SIM swapping.
*   Consider using a password manager for organization-specific passwords. If you need to share logins, use a management tool which allows you to share logins without revealing the password itself. Should you land on a phishing site, your password manager won’t pre-fill your details into the bogus portal.

I’ve spoken to individuals from several UK-based immigration organisations, including those focused on helping Ukrainians. At this point, none of them report having been targeted by attacks similar to the above. However, those organisations are absolutely in the spotlight for anyone potentially up to no good. If you’re in this line of work, or you’re just getting started, consider where and how you can begin to get things locked down right now.

Immigration organisations targeted by APT group Evilnum

There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Tag

#windows