TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #22

Howdy everyone, welcome to volume number 22 of TRIAGE Tuesday! First we look at the first of two huge vulnerabilities that came out in the last week, along with the fact that at least one Chinese APT group is already taking advantage of the gap between a vulnerability announcement and companies' ability to mitigate it. Our second giant vulnerability is in Atlassian Confluence, notable for CISA's surprising one-day window for getting systems patched or at least taken offline. Our third story is only shocking in that it really is not shocking: the Russian attackers arrested in January after hacking US systems will not be prosecuted in Russia's criminal system. Story number four is also no surprise to anyone: a criminal extortion group is taking payments and then leaking company data on the public internet anyway. We finish the week with two more big hits related to ransomware, so watch out for corporate websites being defaced to publicly shame ransomed organizations, and for the speed at which everything can go sideways! Enjoy a closer look at all five stories below!

If you are not already, get this awesome weekly update delivered directly to your inbox: The newsletter!

1. Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability

https://thehackernews.com/2022/05/chinese-hackers-begin-exploiting-latest.html

Overview: The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code. Specifically, the attack makes it possible for threat actors to circumvent Protected View safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the Preview Pane in Windows File Explorer. An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet.

TRIAGE: It has been a week of breaking releases on major vulnerabilities, with our first story here and the next one below landing within 4-5 days of each other, depending on how you measure the timeline from the general release of the news. This one is a major issue because no security patch has been provided: the mitigation requires a registry change on each system, and then reverting that change once a patch is available. That is a BIG lift for any reasonably sized company, let alone the big players with tens of thousands of servers and workstations, and it requires an actual asset management system to identify every system that needs the change. As the linked story shows, it is also being actively exploited in the wild by at least one APT group that we know of at this time, which really means others are working on it or trying it and just have not been caught doing so yet. The best protection is the defense-in-depth security stack everyone hopefully has in their organization, plus testing your endpoint protection toolset to verify it actually blocks this technique. If it does not, attacking someone with this method is a rather trivial process.
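As an added example, not code from the article or from Microsoft: a PowerShell function that applies or reverts the registry workaround Microsoft published for CVE-2022-30190 (export the HKEY_CLASSES_ROOT\ms-msdt key as a backup, then delete it; re-import the backup to revert once a patch ships). The backup location and the placeholder host names are assumptions, and it must run elevated. The point of returning one record per host is the asset-tracking problem described above: a fleet-wide rollout, and the later rollback, both need a list of which machines were actually changed.

```powershell
# Added example, not from the original article or Microsoft. Applies or reverts the
# workaround Microsoft published for CVE-2022-30190: export the ms-msdt: protocol
# handler key as a backup, then delete it; re-import the backup once a patch ships.
# $BackupDir is an assumption for illustration. Run from an elevated PowerShell session.
function Set-MsdtWorkaround {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0)]
        [ValidateSet('Apply', 'Revert')]
        [string]$Action,

        [string]$BackupDir = 'C:\ProgramData\MsdtWorkaround'   # assumption: pick your own location
    )

    $key        = 'HKEY_CLASSES_ROOT\ms-msdt'
    $psPath     = "Registry::$key"
    $backupFile = Join-Path $BackupDir 'ms-msdt.reg'
    $changed    = $false

    switch ($Action) {
        'Apply' {
            if (Test-Path -LiteralPath $psPath) {
                New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
                # Back up first; never delete a key you cannot restore.
                reg.exe export $key $backupFile /y | Out-Null
                if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE); $key left in place" }
                reg.exe delete $key /f | Out-Null
                if ($LASTEXITCODE -ne 0) { throw "reg delete failed (exit $LASTEXITCODE)" }
                $changed = $true
            }
        }
        'Revert' {
            if (-not (Test-Path -LiteralPath $backupFile)) {
                throw "No backup at $backupFile; cannot revert on $env:COMPUTERNAME"
            }
            if (-not (Test-Path -LiteralPath $psPath)) {
                reg.exe import $backupFile | Out-Null
                if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)" }
                $changed = $true
            }
        }
    }

    # One record per host, so a fleet run can be exported and reconciled against asset inventory.
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Action         = $Action
        Changed        = $changed
        HandlerPresent = Test-Path -LiteralPath $psPath   # $false means the workaround is in effect
        BackupFile     = $backupFile
        Timestamp      = (Get-Date).ToUniversalTime()
    }
}

# Fleet use (ws01, ws02 are placeholder host names): push the function to each host and
# collect the records for reconciliation against the asset inventory.
# Invoke-Command -ComputerName ws01, ws02 -ScriptBlock ${function:Set-MsdtWorkaround} -ArgumentList 'Apply' |
#     Export-Csv .\msdt-workaround-status.csv -NoTypeInformation
```

The export is done before the delete and the delete is skipped if the export fails, because the whole point of the workaround is that it has to be undone later; a host with no backup file is a host that cannot be reverted without reinstalling the handler by hand.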


2. Zero-Day Exploitation of Atlassian Confluence

https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

Overview: Over the Memorial Day weekend in the United States, Volexity conducted an incident response investigation involving two Internet-facing web servers belonging to one of its customers that were running Atlassian Confluence Server software. The investigation began after suspicious activity was detected on the hosts, which included JSP webshells being written to disk. Volexity immediately used Volexity Surge Collect Pro to collect system memory and key files from the Confluence Server systems for analysis. After a thorough review of the collected data, Volexity was able to determine the server compromise stemmed from an attacker launching an exploit to achieve remote code execution. Volexity was subsequently able to recreate that exploit and identify a zero-day vulnerability impacting fully up-to-date versions of Confluence Server. Atlassian has since confirmed the vulnerability and subsequently assigned the issue to CVE-2022-26134.

TRIAGE: This has also been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, with a date added of June 2nd and a due date of June 3rd, which is the first time I have seen a vuln land on that list with a due date of the next day; the normal timeframe to patch is three weeks. This is a remote code execution vulnerability with active exploitation already detected in the wild, and the best course of action is to remove affected systems from direct external internet access, at least temporarily, until a full security patch is available to the public. Even if you are not running any Confluence systems, it is a perfect example of how quickly things can progress, just like the MSDT vulnerability above, and of the risks involved in 0-day vulnerabilities. It is also a perfect example of why you need all your tools working properly to have any chance of catching this activity if someone does get in with a 0-day, and why the procedures in an Incident Response plan and recovery plan need to be agreed ahead of time by everyone from IT, InfoSec and the Executive team. The middle of a 0-day is not the time to start discussing how we recover, how it is done, whether that process even works as we expect, and whether it has been tested. That makes for a VERY bad day.
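As an added example, not code from the article, Volexity or Atlassian: a PowerShell hunt for the one indicator the Overview names, JSP webshells written to disk. It lists JSP/JSPX files under a Confluence installation that were created or modified after a known-good baseline time, skipping anything whose SHA-256 matches a list taken from a clean install of the same version. The install paths, the baseline time and the hash list are assumptions to adjust for your environment.

```powershell
# Added example, not from the Volexity post or Atlassian. Hunts for JSP/JSPX files
# written under a Confluence install after a known-good baseline time, skipping
# files whose SHA-256 matches a list taken from a clean install of the same
# version. Paths, the baseline time and the hash list below are assumptions.
function Find-NewJspFiles {
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [Parameter(Mandatory)][datetime]$BaselineUtc,
        [string[]]$KnownGoodSha256 = @()
    )

    # Hashes from a clean install of the same version; case-insensitive so copy/paste casing does not matter.
    $known = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $KnownGoodSha256) { [void]$known.Add($h) }

    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { Write-Warning "Path not found, skipping: $r"; continue }

        Get-ChildItem -LiteralPath $r -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in '.jsp', '.jspx' } |
            Where-Object { $_.LastWriteTimeUtc -gt $BaselineUtc -or $_.CreationTimeUtc -gt $BaselineUtc } |
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                if ($known.Contains($hash)) { return }   # return inside ForEach-Object skips just this file
                [pscustomobject]@{
                    Path        = $_.FullName
                    CreatedUtc  = $_.CreationTimeUtc
                    ModifiedUtc = $_.LastWriteTimeUtc
                    SizeBytes   = $_.Length
                    Sha256      = $hash
                }
            }
    }
}

# Usage. Roots are the default install locations for a Windows service install and a
# Linux install (PowerShell 7); the baseline is an assumed last known-good change window.
$roots = 'C:\Program Files\Atlassian\Confluence\confluence', '/opt/atlassian/confluence/confluence'
$last  = (Get-Date '2022-05-25T00:00:00Z').ToUniversalTime()
Find-NewJspFiles -Root $roots -BaselineUtc $last |
    Sort-Object CreatedUtc |
    Format-Table -AutoSize
```

Two caveats a responder should keep in mind: file timestamps can be forged, so a clean run here does not clear a host, and a full hash comparison against the install manifest is the stronger check; and a webshell does not have to live under the application root, so any directory the Confluence service account can write to and the servlet container will serve from deserves the same pass. Memory and web server logs, which is where Volexity went first, remain the better evidence.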


3. Russia nixes US charges against REvil defendants as cooperation fizzles

https://www.scmagazine.com/analysis/ransomware/russia-nixes-us-charges-against-revil-defendants-as-cooperation-fizzles

Overview: Blaming the United States for a lack of cooperation, Russia will not charge the defendants in the REvil case with any attacks on Americans or American businesses, according to Russian media reports last week. Whatever progress the United States had made under the Biden administration in encouraging Moscow to address its harboring of cybercriminals appears to be at a standstill. "America doesn't care about Russian hackers" read the headline of the Russian newspaper Kommersant.

Russia arrested eight members of the REvil group in January based on tips from U.S. intelligence. According to Kommersant, the U.S. has not continued to engage with Russia. The Department of Justice declined to comment on the matter. The REvil defendants, linked to attacks on major corporations and supply chain nodes, will now only be charged with credit card fraud against two Mexican citizens living in America.

TRIAGE: As many of us expected, the "Russian support against criminal actors within the country" we saw at the beginning of the year is working out exactly as predicted now that geopolitics have changed and Russia is being shamed by the rest of the world over the Ukraine conflict and the way it has been handled both in the real world and in cyberspace. It was obviously mostly posturing, trying to look like a crackdown on bad actors to garner favor with Western governments, whether coincidentally or purposefully, before Putin chose to move against Ukraine. Now we see that Russia is not going to move forward with prosecuting any of the defendants for their criminal actions against U.S. citizens or businesses.


4. US govt: Paying Karakurt extortion ransoms won’t stop data leaks

https://www.bleepingcomputer.com/news/security/us-govt-paying-karakurt-extortion-ransoms-won-t-stop-data-leaks/

Overview: Several U.S. federal agencies warned organizations today against paying ransom demands made by the Karakurt gang, since that will not prevent their stolen data from being sold to others. Karakurt, the data extortion arm of the Conti ransomware gang and cybercrime syndicate, has been stealing data from companies since at least June 2021 and forcing them into paying ransoms under the threat of publishing the information online. Within just two months, between September and November 2021, more than 40 organizations fell victim to Karakurt hacking attempts. "Although Karakurt's primary extortion leverage is a promise to delete stolen data and keep the incident confidential, some victims reported Karakurt actors did not maintain the confidentiality of victim information after a ransom was paid," the FBI, CISA, U.S. Department of Treasury, and FinCEN said in a joint advisory. "The U.S. government strongly discourages the payment of any ransom to Karakurt threat actors, or any cyber criminals promising to delete stolen files in exchange for payments."

TRIAGE: The decision and discussions around ransom payments have always been a very grey area, set against the black-and-white "never pay" position of U.S. government organizations. Here we have a group whose leverage is purely the stolen data: pay, and they promise to delete it and keep the incident confidential. Companies should always do everything they can to avoid being forced into payments, as that money funds criminal groups, some of them sanctioned, to keep building these attack tools and going after new victims. This case is a great example of "no honor among thieves": multiple companies state they paid and their data was still released. "Released to the public" usually means either offered for sale on criminal forums or dropped for free to embarrass other victims into paying; they do not usually just post it on Reddit or another mainstream site. The problem is that any other criminal on those forums who wants the company's data for further nefarious activity now has direct access to whatever is on offer.


5. Ransomware gang now hacks corporate websites to show ransom notes and Ransomware attacks need less than four days to encrypt systems

https://www.bleepingcomputer.com/news/security/ransomware-gang-now-hacks-corporate-websites-to-show-ransom-notes/

https://duo.com/decipher/enterprise-ransomware-attack-durations-are-quicken

Overview:

1st story: A ransomware gang is taking extortion to a new level by hacking corporate websites to publicly display ransom notes. This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware as part of their attacks. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.

2nd story: Attackers are getting quicker at launching ransomware attacks against enterprises, with new IBM X-Force research finding that the average duration of enterprise ransomware attacks quickened 94 percent - from two months to under four days - between 2019 and 2021. The maturing underground cybercrime economy has spurred this change, with initial access brokers and affiliate models helping ransomware operators quicken their attack lifecycles. This lifecycle encompasses different stages of ransomware attacks, including initial access, lateral movement, the obtaining of privileged access to the Active Directory and, finally, the deployment of ransomware at scale.

TRIAGE: The last two stories of the week are both updates on general ransomware activity, for everyone's awareness. We now have ransomware gangs taking further measures to extort funds, taking over corporate websites to publicly shame the company into paying, on top of the double extortion seen above: a ransom for the encrypted systems plus a second demand over the stolen data. The second story is a report from IBM's X-Force research group, discussed in several places, putting the time from initial access to ransomware deployment across all systems at under four days, down from roughly two months. That speed should not surprise anyone in the field from a technical perspective, but it is once again a reminder, as discussed already, that being prepared ahead of time is your only real way to respond to these kinds of attacks if you have any hope of not being completely taken down across the entire environment.

More articles by James Beal