Tecplix ThreatTrack Insights - April II

1. PuTTY SSH Client Vulnerable to Key Recovery Attack

This advisory highlights a critical vulnerability in PuTTY versions 0.68 through 0.80 (prior to 0.81) that allows attackers to recover a user's NIST P-521 private key. This vulnerability stems from biased Elliptic Curve Digital Signature Algorithm (ECDSA) cryptographic nonce generation within these PuTTY versions.

Key Takeaways:

  • An attacker can potentially steal a user's private key with minimal effort (approximately 60 signatures).
  • Compromised private keys can be used for unauthorized access to various services, including Git repositories, potentially leading to supply chain attacks.
  • The vulnerability remains exploitable even after the vulnerable PuTTY version is no longer in use, as long as the attacker possesses messages previously signed with the key.

Impact:

  • This vulnerability poses a significant risk to users who have used vulnerable PuTTY versions (0.68 - 0.80) to sign messages or authenticate with SSH servers.
  • A compromised private key could grant attackers access to sensitive data, manipulate code repositories, and potentially disrupt software supply chains.

Who is Affected:

  • Users who have used PuTTY versions 0.68 through 0.80 to sign messages or authenticate with SSH servers.
  • Users of other applications (e.g., FileZilla, WinSCP, TortoiseGit, TortoiseSVN) that bundle vulnerable PuTTY components for SSH operations (prior to the patched versions listed under Recommendations).

Recommendations:

  • The issue has been addressed in PuTTY 0.81, FileZilla 3.67.0, WinSCP 6.3.3, and TortoiseGit 2.15.0.1. Users of TortoiseSVN are recommended to use Plink from the latest PuTTY 0.81 release when accessing an SVN repository via SSH until a patch becomes available.
  • ECDSA NIST-P521 keys used with any of the vulnerable components should be considered compromised and consequently revoked by removing them from ~/.ssh/authorized_keys files and their equivalents in other SSH servers.
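To act on the revocation advice above, here is an added Python example (not from the PuTTY advisory or from Tecplix) that scans authorized_keys content for ecdsa-sha2-nistp521 entries by decoding each key blob rather than trusting the leading type token, and returns the file with those entries removed. The sample entries and their all-zero key points are constructed placeholders, not real keys.

```python
import base64
import binascii
import struct

def _blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 SSH public-key blob (length-prefixed strings) for the sample."""
    raw = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(), *fields))
    return base64.b64encode(raw).decode()

# Constructed sample authorized_keys content with placeholder (all-zero) key points.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " alice@laptop",
    "ecdsa-sha2-nistp521 " + _blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)) + " bob@putty",
    'command="/usr/bin/backup --all",no-pty ecdsa-sha2-nistp521 '
    + _blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + bytes(132)) + " backup-job",
    "ecdsa-sha2-nistp256 " + _blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)) + " carol",
    "# comment line",
    "",
])

def blob_key_type(token: str):
    """Return the key-type string embedded in an SSH key blob, or None if not a blob."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if not 0 < n <= 64 or len(raw) < 4 + n:
        return None
    return raw[4:4 + n].decode("ascii", errors="replace")

def find_p521_keys(text: str) -> list:
    """Line numbers (1-based) of entries whose blob is an ecdsa-sha2-nistp521 key.
    Every token is tried, so an options prefix (command=..., no-pty) is handled."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if any(blob_key_type(tok) == "ecdsa-sha2-nistp521" for tok in stripped.split()):
            hits.append(lineno)
    return hits

def strip_p521_keys(text: str) -> str:
    """Return the authorized_keys content with every P-521 entry removed (revoked)."""
    bad = set(find_p521_keys(text))
    return "\n".join(l for i, l in enumerate(text.splitlines(), start=1) if i not in bad) + "\n"
```

Run it against each server's authorized_keys (and the equivalent key stores of other SSH servers) and review the flagged lines before replacing the file.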

2. Malicious Google Ads Pushing Fake IP Scanner

A Google malvertising campaign is abusing search engine results pages (SERPs) to distribute a previously unknown backdoor dubbed MadMxShell. Attackers are leveraging typosquatting techniques to mimic legitimate IP scanner software and target IT professionals searching for such tools.

As many as 45 domains are reported to have been registered between November 2023 and March 2024, with the sites masquerading as port-scanning and IT-management software such as Advanced IP Scanner, Angry IP Scanner, IP scanner PRTG, and ManageEngine. This is the first time this delivery vehicle has been observed propagating a sophisticated Windows backdoor. Users who search for such tools are shown bogus sites containing JavaScript designed to download a malicious file ("Advanced-ip-scanner.zip") when the download button is clicked.

Key Takeaways:

  • This campaign utilizes Google Ads to push malicious domains disguised as popular IP scanners and IT management software to the top of search results.
  • The backdoor, MadMxShell, employs a multi-stage attack chain involving:

  1. Typo squatting domains mimicking legitimate software.
  2. Malicious JavaScript downloading a ZIP archive containing a backdoor executable disguised as a popular IP scanner.
  3. DLL side-loading and process hollowing to inject the backdoor.
  4. Abusing legitimate Microsoft binaries (OneDrive.exe) for execution.
  5. DNS MX queries for C2 communication to evade detection.
  6. Evasive techniques to hinder forensic analysis.

  • The attackers' origin and motives are currently unknown. However, their activity on underground forums suggests a potential focus on targeted attacks.

Impact:

This campaign poses a significant threat to IT professionals searching for legitimate software. A successful attack could result in:

  • Information theft (system information, files)
  • Remote command execution
  • Persistence on compromised systems
  • Disabling of security software

Who is Affected:

  • IT professionals searching for IP scanners and IT management software are at the highest risk.
  • Organizations whose users rely solely on top search results when sourcing software downloads are also more susceptible.

Recommendations:

  • Blacklist known email address wh8842480@gmail[.]com and domains blackhatworld[.]com and social-eng[.]ru.
  • Use ad blockers and browser security extensions. Also, implement mechanisms to verify the digital signatures of DLLs and executables before loading them.
  • Inform users about the risks of clicking on unfamiliar ads, especially those promoting software downloads.
  • Ensure that users have up-to-date antivirus and anti-malware software installed on their devices; such software detects and removes malicious software, including hidden backdoors.
  • Implement network monitoring and firewall rules to detect and block suspicious outbound connections.
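The backdoor described above uses DNS MX queries for C2, so the network-monitoring recommendation can be made concrete. Here is an added Python example (not from Tecplix or the MadMxShell research) that runs over constructed dnsmasq-style query log lines and flags any non-mail-server client that queries MX records for a stream of distinct names under one parent domain; the domain mx-placeholder.test, the client addresses and the mail-server allowlist are assumptions.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style query log (not real traffic); 10.0.0.2 is the site mail
# server, 10.0.0.7 is a workstation issuing MX lookups for one random subdomain after
# another under the placeholder domain mx-placeholder.test.
SAMPLE_LOG = """\
Apr 17 10:00:01 dns dnsmasq[412]: query[A] www.example.com from 10.0.0.5
Apr 17 10:00:02 dns dnsmasq[412]: query[MX] example.org from 10.0.0.2
Apr 17 10:00:03 dns dnsmasq[412]: query[MX] example.net from 10.0.0.2
Apr 17 10:00:04 dns dnsmasq[412]: query[MX] 7a1c9e.mx-placeholder.test from 10.0.0.7
Apr 17 10:00:05 dns dnsmasq[412]: query[MX] 0b44fd.mx-placeholder.test from 10.0.0.7
Apr 17 10:00:06 dns dnsmasq[412]: query[MX] c3e018.mx-placeholder.test from 10.0.0.7
Apr 17 10:00:07 dns dnsmasq[412]: query[A] login.example.com from 10.0.0.7
Apr 17 10:00:08 dns dnsmasq[412]: query[MX] 92ab77.mx-placeholder.test from 10.0.0.7
Apr 17 10:00:09 dns dnsmasq[412]: query[MX] 5d6e2f.mx-placeholder.test from 10.0.0.7
Apr 17 10:00:10 dns dnsmasq[412]: query[MX] example.com from 10.0.0.9
Apr 17 10:00:11 dns dnsmasq[412]: query[MX] e1f0a3.mx-placeholder.test from 10.0.0.7
"""

LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")

def parse_queries(log_text: str):
    """Yield (client, qtype, qname) for each query line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["qtype"], m["qname"].lower().rstrip(".")

def parent_domain(qname: str) -> str:
    """Crude registrable-domain guess: last two labels (good enough for a first pass)."""
    return ".".join(qname.split(".")[-2:])

def detect_mx_channels(log_text: str, mail_servers=frozenset({"10.0.0.2"}), min_names=5) -> dict:
    """Map (client, parent_domain) -> number of distinct MX names queried, for pairs at
    or above min_names. Workstations rarely send MX queries at all, and never for a
    stream of unique subdomains of one domain; that shape is what an MX-based C2 leaves."""
    seen = defaultdict(set)
    for client, qtype, qname in parse_queries(log_text):
        if qtype != "MX" or client in mail_servers:
            continue
        seen[(client, parent_domain(qname))].add(qname)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_names}
```

Tune min_names and the mail-server allowlist to your environment; the same grouping works on resolver logs from other DNS servers once the regex is adapted to their line format.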

3. SIEM & SOC: Unified Approach to Streamline Security Operations

Cybersecurity threats are evolving faster than ever. A 2023 report reveals that the average eCrime breakout time is now 84 minutes, down from 98 minutes in 2021, underscoring how quickly today's threat actors move. This puts immense pressure on Security Operations Centers (SOCs), already burdened by growing log volumes, complex multi-vendor environments, and constant alert fatigue.

Common Challenges in Security Operations

  • Incident Response Capability: Prompt and coordinated incident response is critical in mitigating the impact of cyber threats. However, uncoordinated or delayed responses leave organizations vulnerable to exploitation.
  • Countering Advanced Threats: Sophisticated attackers leverage zero-day vulnerabilities and advanced persistent threats (APTs). The absence of known patches at discovery makes these threats particularly challenging. Additionally, social engineering attacks like phishing prey on human vulnerabilities, further complicating mitigation efforts.
  • Supply Chain Risks: The attack surface has expanded beyond internal infrastructure. Attacks now commonly target vulnerabilities within a company’s supply chain. Limited visibility into supplier security practices and the difficulty of guaranteeing vendor trustworthiness create a complex challenge for SOCs.
  • Lack of Integrations: Many organizations rely on a patchwork of security tools. Unfortunately, these tools often operate in isolation, hindering information sharing and impeding effective threat response. The lack of integration creates information silos, restricting the ability of SOCs to correlate data and swiftly neutralize threats.
  • Alert Fatigue: The sheer volume of log data creates an overwhelming number of alerts, leading analysts to spend more time sifting through false positives than addressing real threats.
  • Limited Visibility and Context: Without proper context, genuine threats are difficult to identify and prioritize. Misconfigured controls, user behavior anomalies, and other indicators can easily get lost in the noise.
  • Resource Constraints: The cybersecurity skills gap makes finding and retaining qualified SOC analysts challenging. Organizations are also burdened with the cost of security tools and maintaining complex SIEM infrastructure.
  • Compliance Demands: Meeting industry regulations like PCI-DSS and GDPR requires comprehensive security measures. Traditional SIEM solutions can make compliance reporting a time-consuming task.

A Unified Approach to Streamlined Security...

4. MITRE's Network Breached via Ivanti Zero-days

The MITRE Corporation revealed that its Networked Experimentation, Research, and Virtualization Environment (NERVE) systems were breached in January 2024. A state-sponsored hacking group exploited two zero-day vulnerabilities (CVE-2023-46805, CVE-2024-21887) in Ivanti VPN software to gain access to the unclassified research network.

Key Takeaways:

  • Zero-Day Chain: Adversaries combined two previously unknown vulnerabilities to bypass security measures.
  • MFA Bypassed: Session hijacking techniques were used to circumvent multi-factor authentication (MFA).
  • Lateral Movement: Hackers leveraged stolen administrator credentials to move laterally within the VMware environment.
  • Persistence Mechanisms: Webshells and backdoors were employed for maintaining access and harvesting credentials.
  • Espionage Motive: The attack aimed at gathering intelligence through planted malware.

Impact:

  • Compromised Research Network: The NERVE network, used for research collaboration, was breached.
  • Potential Data Theft: Sensitive information stored on NERVE could have been exfiltrated.
  • Reputational Damage: A successful attack on a prominent research organization can have a negative impact on its reputation.

Who is Affected:

  • Organizations using Ivanti VPN software are potentially vulnerable to similar attacks, particularly if not patched immediately.
  • Research collaborators and partners who utilize the NERVE network may be concerned about potential data exposure.

Recommendations:

  • Ensure that the latest security patches and upgrades are installed on all systems.
  • Implement network segmentation to limit the lateral movement of attackers within your network.
  • Implement robust monitoring and logging mechanisms to detect anomalous activities and potential indicators of compromise (IOCs).

5. Akira Ransomware Gang Extorts $42 Million

The Akira ransomware group has emerged as a significant threat, targeting various organizations across North America, Europe, and Australia. They have extorted approximately $42 million in illicit proceeds after breaching the networks of more than 250 victims as of January 1, 2024.

Key Takeaways:

  • Akira has breached over 250 organizations, extorting approximately $42 million since March 2023.
  • They target both Windows and Linux systems, including VMware ESXi virtual machines.
  • Initial access methods include exploiting known vulnerabilities, unpatched RDP, spear phishing, and weak VPNs without MFA.
  • The group employs various techniques to maintain persistence, evade detection, and escalate privileges.
  • Akira utilizes a hybrid encryption scheme (ChaCha20 & RSA) and deletes shadow copies to hinder data recovery.
  • In some cases, they deploy multiple ransomware variants during a single attack.

Impact:

  • Significant financial losses due to ransom payments.
  • Data breaches and potential exposure of sensitive information.
  • Disruptions to critical infrastructure and business operations.

Who is Affected:

  • Organizations of all sizes across various sectors, including critical infrastructure.
  • Companies in North America, Europe, and Australia are particularly at risk.

Recommendations:

  • Keep all software and systems up to date with the latest security patches to prevent known vulnerabilities from being exploited by ransomware attackers.
  • Implement the principle of least privilege, ensuring that users only have access to the resources and information necessary for their roles.
  • Use endpoint security solutions, such as antivirus and anti-malware software, to detect and block ransomware threats on individual devices.
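Akira's deletion of shadow copies (noted above) is one of the few behaviours in this write-up that an endpoint detection can key on directly. Here is an added Python example (not from Tecplix or the cited advisory) that runs simple rules over constructed process-creation records in the shape of Sysmon Event ID 1 / Security 4688; the command-line patterns are an assumption taken from the common shadow-copy deletion techniques catalogued under MITRE ATT&CK T1490, not from this page.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 shape),
# not from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
    {"host": "srv02", "user": "SYSTEM", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "srv02", "user": "SYSTEM", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"host": "srv03", "user": "bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"},
    {"host": "ws04", "user": "carol", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad shadows.txt"},
]

# Each rule: (name, image-path regex, command-line regex); all matched case-insensitively.
# Listing "vssadmin list shadows" in the sample shows the image match alone is not enough.
RULES = [
    ("vssadmin_delete_shadows", r"vssadmin\.exe$", r"delete\s+shadows"),
    ("vssadmin_resize_shadowstorage", r"vssadmin\.exe$", r"resize\s+shadowstorage"),
    ("wmic_shadowcopy_delete", r"wmic\.exe$", r"shadowcopy\s+delete"),
    ("powershell_remove_shadowcopy", r"powershell(_ise)?\.exe$",
     r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))"),
]

def match_shadow_copy_deletion(event: dict) -> list:
    """Return the names of rules the event matches (empty list for benign events)."""
    return [name for name, img_re, cmd_re in RULES
            if re.search(img_re, event["image"], re.I) and re.search(cmd_re, event["cmd"], re.I)]

def hunt(events) -> dict:
    """Summarise alerts per host: host -> sorted list of rule names that fired."""
    alerts = {}
    for ev in events:
        for name in match_shadow_copy_deletion(ev):
            alerts.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in alerts.items()}
```

Any hit on a server, especially under SYSTEM or a freshly created admin account, should be treated as a pre-encryption indicator and escalated rather than triaged as routine maintenance.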


In Crisis?

If you suspect a compromise or face a critical security issue, connect with us to unlock rapid, expert protection. Your security and business continuity are our top priority!

Get in touch with our security team by filling out this form or call at +91 6366 600 700.

