Threat actors compromise machines and web servers with Golang-based malware and C2 framework

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities and threats that affected organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams defend against the latest critical threats.

1. PayPal accounts compromised in large-scale credential stuffing attack

PayPal has notified thousands of users whose accounts were accessed in a credential stuffing attack that exposed personal information. In credential stuffing, attackers replay username/password pairs taken from earlier data leaks against other websites, relying on password reuse rather than on any flaw in the target site. PayPal reports that 34,942 users were affected. The attackers were able to view full names, dates of birth, postal addresses, Social Security numbers (SSNs) and individual taxpayer identification numbers (ITINs). They did not attempt, or were unable, to perform any transactions from the breached accounts.

As part of the steps taken to secure accounts, affected customers will be prompted to set a new password the next time they log in. The reset only helps if the new password is not itself reused on other sites, since the attack works precisely by replaying reused credentials. PayPal also recommends enabling two-factor authentication (2FA) from ‘Account Settings’, which blocks a login that presents a valid username and password but cannot supply the second factor.
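The distinguishing signal of credential stuffing, as opposed to a brute-force attack on a single account, is one source trying many different usernames roughly once each, with a low success rate because most leaked pairs are stale. The following detection logic, an added example that is not from the SISA advisory or from PayPal, runs that heuristic over authentication events. The log format, the thresholds and the sample lines are all constructed for illustration.

```python
"""Spot credential stuffing in authentication logs.

Added example, not from the SISA advisory or from PayPal: the log format,
thresholds and sample lines are all constructed for illustration. The signal
used is the one that separates stuffing from a password brute-force: many
distinct accounts, roughly one attempt each, from one source in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line: "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-12-06T10:00:01 203.0.113.7 alice FAIL
2022-12-06T10:00:02 203.0.113.7 bob FAIL
2022-12-06T10:00:02 203.0.113.7 carol FAIL
2022-12-06T10:00:03 203.0.113.7 dave OK
2022-12-06T10:00:03 203.0.113.7 erin FAIL
2022-12-06T10:00:04 203.0.113.7 frank FAIL
2022-12-06T10:00:10 198.51.100.2 alice FAIL
2022-12-06T10:00:20 198.51.100.2 alice FAIL
2022-12-06T10:00:40 198.51.100.2 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: stats} for sources whose attempts look like credential stuffing.

    A source is flagged when, inside any `window`, it tries at least `min_accounts`
    distinct usernames and most of those attempts fail. Thresholds are assumptions;
    tune them to the site's normal traffic (shared NAT egress IPs need higher values).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if len(users) >= min_accounts and len(successes) / len(win) <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_accounts"]:
                    flagged[ip] = {
                        "distinct_accounts": len(users),
                        "attempts": len(win),
                        # accounts where a leaked pair still worked: force-reset these first
                        "successful_logins": sorted(set(successes)),
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

In the constructed sample, 203.0.113.7 cycles through six accounts in four seconds and lands one of them, so it is flagged and the one successful account is listed for forced reset; 198.51.100.2 fails twice on a single account and then succeeds, which is an ordinary mistyped password and is left alone.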

2. Hackers spreading malware via Microsoft OneNote attachments

Threat actors have switched to a new file format for their malicious spam (malspam) attachments: Microsoft OneNote notebooks (.one files). The OneNote file carries an embedded script; double-clicking that embedded attachment launches it, and the script downloads and installs malware from a remote site. In the samples observed, the malspam emails pose as DHL shipping notifications, invoices, ACH remittance forms, mechanical drawings and shipping documents.

Because Microsoft OneNote is installed by default with Microsoft Office/365, the file format can be opened even on machines where the user never uses the application. When an embedded attachment is launched, OneNote warns that doing so can harm your computer and data, but such prompts are routinely ignored and users simply click OK. Avoid opening email attachments from untrusted sources and do not dismiss warnings displayed by the operating system or application. Since few organizations exchange .one files by email, mail gateways can also block or quarantine the attachment type outright rather than relying on the user to heed the prompt.
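A mail gateway or sandbox does not have to open the notebook to see what it carries: every file embedded in a .one document sits inside a FileDataStoreObject whose header and footer GUIDs are fixed by the file format, so the attachments can be carved out and inspected directly. The scanner below is an added example, not code from the SISA advisory or from Microsoft. It follows the FileDataStoreObject layout documented in [MS-ONESTORE] section 2.6.13 (header GUID, 8-byte length, 4 unused and 8 reserved bytes, the data, footer GUID); the list of script markers is an assumption, and the .one blob it scans is constructed here rather than taken from a real malspam sample.

```python
"""Pull embedded attachments out of a OneNote (.one) file and flag script payloads.

Added example, not from the SISA advisory or Microsoft. It relies on the
FileDataStoreObject layout documented in [MS-ONESTORE] section 2.6.13; the
marker list is an assumption, and the .one blob below is constructed, not a
real malspam sample.
"""
import struct
import uuid

ONE_MAGIC = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le    # .one file header
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le  # embedded file start
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le  # embedded file end

# Assumed (lower-case) substrings that mark the payload types dropped via OneNote lures.
SUSPICIOUS_MARKERS = {
    "vbscript": (b"createobject(", b"wscript.shell"),
    "hta": (b"<hta:application", b"<script"),
    "powershell": (b"powershell", b"-enc ", b"iex("),
}


def fdso_wrap(payload):
    """Build one FileDataStoreObject around payload (used here to construct the sample)."""
    return (FDSO_HEADER
            + struct.pack("<Q", len(payload))  # cbLength
            + b"\x00" * 4                      # unused
            + b"\x00" * 8                      # reserved
            + payload
            + FDSO_FOOTER)


def extract_embedded(blob):
    """Yield (offset, data, truncated) for every FileDataStoreObject in blob."""
    pos = 0
    while (idx := blob.find(FDSO_HEADER, pos)) >= 0:
        if idx + 36 > len(blob):           # header present but no room for the length fields
            return
        (length,) = struct.unpack_from("<Q", blob, idx + 16)
        start = idx + 16 + 8 + 4 + 8
        data = blob[start:start + length]
        # a truncated or malformed object claims more bytes than remain in the file
        yield idx, data, len(data) < length
        pos = start + len(data)


def classify(data):
    """Return the payload types whose markers appear in data (PE files by 'MZ' at offset 0)."""
    hits = ["mz_executable"] if data[:2] == b"MZ" else []
    low = data.lower()
    hits += [kind for kind, markers in SUSPICIOUS_MARKERS.items() if any(m in low for m in markers)]
    return hits


def scan_onenote(blob):
    """Return one finding per embedded object; a gateway would alert on any non-empty 'types'."""
    if not blob.startswith(ONE_MAGIC):
        raise ValueError("not a .one file")
    return [{"offset": off, "size": len(d), "truncated": trunc, "types": classify(d)}
            for off, d, trunc in extract_embedded(blob)]


# Constructed sample: file magic, filler, a benign PNG, then a VBScript dropper string of
# the kind the advisory describes. Nothing here executes it; the base64 decodes to "IEX".
BENIGN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
VBS_DROPPER = (b'Set sh = CreateObject("WScript.Shell")\r\n'
               b'sh.Run "powershell -enc SQBFAFgA", 0, False\r\n')
SAMPLE_ONE = ONE_MAGIC + b"\x00" * 64 + fdso_wrap(BENIGN_PNG) + b"\x00" * 16 + fdso_wrap(VBS_DROPPER)

if __name__ == "__main__":
    for finding in scan_onenote(SAMPLE_ONE):
        print(finding)
```

Carving by the length field rather than searching for the footer GUID matters for real samples: the payload itself may contain arbitrary bytes, and a truncated object (flagged here) is a common sign of a sample that was cut by a mail size limit or deliberately padded to defeat naive scanners.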

3. Threat actors turn to Sliver as open-source alternative to popular C2 frameworks

C2 frameworks, or Command and Control (C&C) infrastructure, are used by security professionals to remotely control compromised machines during security assessments. One such framework, Sliver, a Golang-based cross-platform post-exploitation framework, is gaining traction because of its wide range of adversary-simulation features.

This makes Sliver attractive to threat actors as a second-stage payload, deployed to gain elevated access after a machine has been compromised through an initial intrusion vector such as spear-phishing or exploitation of unpatched flaws. It has been demonstrated that Sliver can be leveraged for privilege escalation, followed by credential theft and lateral movement, ultimately taking over the domain controller to exfiltrate sensitive data. Because Sliver is open source and generates a freshly built implant per target, hash-based signatures are of limited value; use tools with behavior-based detection capabilities to automatically detect and block this kind of post-exploitation activity. Also keep software updated and be wary of files from external sources.

4. VMware patches critical vRealize Log Insight software vulnerabilities

VMware has released software updates addressing four security vulnerabilities in its vRealize Log Insight software, now known as Aria Operations for Logs. The vulnerabilities have the potential to expose users to remote code execution (RCE) attacks. Two of the four are rated critical.

The two critical issues are a directory traversal vulnerability (CVE-2022-31706) and a broken access control vulnerability (CVE-2022-31704), each with a CVSSv3 base score of 9.8. An unauthenticated attacker can exploit them on an affected appliance by injecting files into the operating system, leading to remote code execution. This underlines the importance of updating software promptly and installing the appropriate patches. Where the appliance cannot be patched immediately, it should at least not be reachable from untrusted networks, since exploitation requires no credentials.
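Directory traversal on a file-write path is what turns "inject files into the operating system" into code execution: if a client-controlled name reaches the filesystem unchecked, `../` segments or an absolute path let the attacker choose where the file lands. The code below is an added example and is not VMware's code, nor a reproduction of the vRealize Log Insight flaw; it uses a hypothetical upload handler to show the bug class beside its hardened form. The paths and payload are constructed.

```python
"""Directory traversal on a file-write path, and the check that stops it.

Added example, not VMware's code and not a reproduction of the vRealize Log
Insight flaw: a hypothetical upload handler shows the bug class the advisory
names (client-controlled path segments reaching the filesystem) beside a
hardened version. Paths and payload below are constructed.
"""
import os
import shutil
import tempfile


def write_upload_vulnerable(base_dir, name, data):
    """Trusts the client-supplied name, so '../' or an absolute path escapes base_dir."""
    path = os.path.join(base_dir, name)          # join() neither rejects '..' nor absolute names
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_join(base_dir, name):
    """Resolve name under base_dir and refuse any result outside it (symlinks included)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # Containment is tested on the resolved paths with commonpath; a plain
    # startswith() would wrongly accept /srv/uploads-evil for base /srv/uploads.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes upload root: {name!r}")
    return target


def write_upload_hardened(base_dir, name, data):
    """Same handler with the containment check applied before any filesystem access."""
    path = safe_join(base_dir, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run both handlers against a traversal name in a scratch tree; returns (escaped, blocked)."""
    root = tempfile.mkdtemp()
    try:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        hostile = "../etc/cron.d/backdoor"       # on a real host this lands in a cron directory
        written = write_upload_vulnerable(uploads, hostile, b"* * * * * root id\n")
        real_uploads = os.path.realpath(uploads)
        escaped = os.path.commonpath([real_uploads, os.path.realpath(written)]) != real_uploads
        try:
            write_upload_hardened(uploads, hostile, b"x")
            blocked = False
        except ValueError:
            blocked = True
        return escaped, blocked
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The check resolves both sides with `realpath` before comparing, so a symlink planted inside the upload root cannot be used to step out of it, and it rejects absolute names as well as `../` sequences because `os.path.join` silently discards the base when the second argument is absolute.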

5. DragonSpark attacks employ Golang malware to evade detection

The DragonSpark attacks are carried out by a threat actor using malware written in the Golang programming language. The malware interprets embedded Golang source code at runtime, which hampers static analysis and signature-based detection because the logic is not present as compiled code in the binary. Indicators of DragonSpark activity include the compromise of Internet-facing web servers and MySQL database servers.

Another notable tool used by the DragonSpark group is m6699.exe, also written in Golang; it serves as a shellcode loader that contacts the command-and-control server to receive and execute further payloads. To reduce the attack surface, limit the number of systems exposed to the Internet and ensure that only essential services are reachable from it. Use secure protocols for remote access and enforce strong authentication mechanisms, such as multi-factor authentication.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

CHESTER SWANSON SR.

Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan

1 year

Thanks for the updates on The SISA Weekly.
