TRIAGE - Threat Reporting and Intelligence on Attacks and General Exploits #23

Howdy everyone, welcome to volume number 23 of TRIAGE Tuesday! First we look at the Confluence vulnerability and the very quick turnaround time of attackers abusing it for cryptomining. Our second story is a great move in the right direction: next-gen endpoint protection features added to Microsoft Defender, which based on pure numbers is already one of the top endpoint tools available right now. Our third story is tied to an evil little Linux rootkit and the technical breakdown by the researchers who discovered it. It is great research to be familiar with no matter your technical level of knowledge, and every one of these reports contains some interesting new methods of avoiding the protection software out there. We saw official Chinese hacking groups that were directly tied to government agencies drop off the radar in a big way around 10-12 years ago; now new research shows they did not stop, they have just been a lot more careful in stealth mode than they were in the early 2000’s. We finish off the week with another big ransomware attack, this time taking down an entire Italian city around peak tourism season! Enjoy a closer look at all 5 stories below!

If you are not already, get this awesome weekly update delivered directly to your inbox! The newsletter!

1. Hackers exploit recently patched Confluence bug for cryptomining

https://www.bleepingcomputer.com/news/security/hackers-exploit-recently-patched-confluence-bug-for-cryptomining/

Overview: A cryptomining hacking group has been observed exploiting the recently disclosed remote code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers. The vulnerability, tracked as CVE-2022-26134, was discovered as an actively exploited zero-day at the end of May, while the vendor released a fix on June 3, 2022. Various proof of concept (PoC) exploits were released in the days that followed, giving a broader base of malicious actors an easy way to exploit the flaw for their purposes. One of the threat actors who took advantage of this offering is a cryptomining group called the “8220 gang,” who, according to Check Point, perform mass net scans to find vulnerable Windows and Linux endpoints to plant miners. Miners are special-purpose programs that use the host’s available computational resources to mine cryptocurrencies like Monero for the threat actor.

TRIAGE: The big stories last week were tied to major vulnerabilities, and this Confluence bug was a major issue, with CISA also calling out to “patch in one day”. Hopefully the vast majority of people affected removed their systems from the internet right away and have now patched with the available fix as well. This serves as another perfect example of why you need to stay on top of bugs/vulnerabilities and have a plan in place to respond to that news when it comes out, sooner rather than later. In this case, we have updates that not only were vulnerable systems left out there, but that attackers took advantage right away, so there is no way to say “we will patch in our normal cycle”, even if that cycle is only a couple of weeks away, let alone the 30-90 days between patching that many companies use as their normal cycle. The full value of why you need threat intelligence monitoring in some form at every company, in one story.


2. Microsoft Defender now isolates unmanaged Windows devices that have been compromised

https://www.computing.co.uk/news/4051034/microsoft-defender-isolates-unmanaged-windows-devices-compromised

Overview: Microsoft has introduced a new capability for Microsoft Defender for Endpoint (MDE) that will allow enterprises to prevent attackers from moving laterally across the network using compromised unmanaged devices. This new capability gives network administrators the ability to "contain" unmanaged Windows devices on their networks in the event that such devices have been hacked or are suspected of having been compromised. "Starting today, when a device that is not enrolled in Microsoft Defender for Endpoint is suspected of being compromised, as a SOC analyst, you will be able to 'Contain' it," Microsoft said.

TRIAGE: Microsoft, with their Defender product, is definitely adding capabilities and getting closer to a full Endpoint Protection level toolset of the kind you would see in the big commercial offerings such as Crowdstrike, Cybereason, etc. This is a step in the right direction and a big plus for many small to medium sized businesses that can more easily integrate Microsoft suites of software and tools into their environment but cannot afford the higher enterprise level budgets necessary to justify some of the higher tier commercial offerings. The capability to track machines and contain them from a network standpoint is a huge win for any security team while they attempt to troubleshoot and determine the actual impact of any kind of malware on the machine and the overall network.


3. Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat

https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat

Overview: In biology, a symbiote is an organism that lives in symbiosis with another organism. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed. A few months back, we discovered a new, undetected malware that acts in this parasitic nature affecting Linux operating systems. We have aptly named this malware Symbiote. What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using LD_PRELOAD (T1574.006), and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.

TRIAGE: Here is our technical story of the week; everyone interested should take a deeper dive into the details here, if nothing else for awareness of how these things work. This is a great example of the advancement of techniques used by malware authors and the ways they are improving their products over time to work better or to be better able to avoid detection by the suite of defender tools. Rootkits are bad news and always have been, because of their ability to compromise a system at a low level, remain hidden from many detection capabilities, and persist easily over reboots and, many times, even an entire re-installation of the original operating system. They also offer all the capabilities listed in the overview, plus more depending on how they are created, so they are a security nightmare for data collection and exfiltration. One of the few ways to catch them is full network monitoring that can detect changes in the average volume of data being sent externally from each system.
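The LD_PRELOAD loading path described in the overview is also where a defender can look for it. The script below is an added example, not code from the BlackBerry report or from the malware itself, that checks the three artifacts such injection leaves on a live Linux host: /etc/ld.so.preload, LD_PRELOAD in each process's environment, and shared objects mapped from outside the usual library directories (the TRUSTED_LIB_DIRS list is an assumption to tune per distribution).

```python
# Added example, not code from the BlackBerry report or from Symbiote: hunt for LD_PRELOAD-style
# injection (MITRE T1574.006) via /proc. TRUSTED_LIB_DIRS is an assumption; tune it to your distro.
import os
import re
from pathlib import Path

TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")
SO_RE = re.compile(r"\.so(\.\d+)*( \(deleted\))?$")

def preload_from_environ(environ_blob):
    """LD_PRELOAD value from a NUL-separated /proc/<pid>/environ blob, or None."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(b"LD_PRELOAD="):
            return entry[len(b"LD_PRELOAD="):].decode(errors="replace")
    return None

def preload_from_ld_so_preload(text):
    """Parse /etc/ld.so.preload: whitespace-separated paths, '#' starts a comment."""
    libs = []
    for line in text.splitlines():
        libs.extend(line.split("#", 1)[0].split())
    return libs

def untrusted_objects_in_maps(maps_text):
    """Shared objects mapped from outside TRUSTED_LIB_DIRS in /proc/<pid>/maps."""
    found = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        path = fields[5] if len(fields) == 6 else ""
        if SO_RE.search(path) and not path.startswith(TRUSTED_LIB_DIRS):
            found.add(path)
    return found

def scan_host(proc="/proc", preload_file="/etc/ld.so.preload"):
    """Return {pid or preload_file: finding}; an empty dict means nothing was found."""
    findings = {}
    if Path(preload_file).exists():  # the file merely existing is worth a look
        findings[preload_file] = preload_from_ld_so_preload(Path(preload_file).read_text())
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            env_hit = preload_from_environ(Path(proc, pid, "environ").read_bytes())
            odd = untrusted_objects_in_maps(Path(proc, pid, "maps").read_text())
        except OSError:
            continue  # process exited or unreadable; run as root for full coverage
        if env_hit or odd:
            findings[pid] = {"LD_PRELOAD": env_hit, "untrusted_so": sorted(odd)}
    return findings

if __name__ == "__main__":
    print(scan_host())
```

Because this script itself runs under the dynamic loader, a rootkit that hooks libc can filter what it reads; run it from a statically linked tool or a trusted boot medium when an infection is suspected, and treat an empty result as absence of evidence rather than a clean bill.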


4. Chinese hacking group Aoqin Dragon quietly spied orgs for a decade and People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

https://www.bleepingcomputer.com/news/security/chinese-hacking-group-aoqin-dragon-quietly-spied-orgs-for-a-decade/

https://www.cisa.gov/uscert/ncas/alerts/aa22-158a

Overview:

1st story: A previously unknown Chinese-speaking threat actor has been discovered by threat analysts SentinelLabs who were able to link it to malicious activity going as far back as 2013. Named Aoqin Dragon, the hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.

2nd story: PRC state-sponsored cyber actors readily exploit vulnerabilities to compromise unpatched network devices. Network devices, such as Small Office/Home Office (SOHO) routers and Network Attached Storage (NAS) devices, serve as additional access points to route command and control (C2) traffic and act as midpoints to conduct network intrusions on other entities. Over the last few years, a series of high-severity vulnerabilities for network devices provided cyber actors with the ability to regularly exploit and gain access to vulnerable infrastructure devices. In addition, these devices are often overlooked by cyber defenders, who struggle to maintain and keep pace with routine software patching of Internet-facing services and endpoint devices.

TRIAGE: We have definitely seen an increase in Chinese related hacking activity being called out in the last couple of months, at least in the general information security news space and threat intelligence circles. As we have discussed in the past, there did seem to be a “farming out” of government specific attacks in the late 2000’s to related APT groups that were “private”, but as expected of a big player and superpower in the world, they did not stop any kind of activity that gives them some form of leverage in worldwide geo-politics. Here we have two of the latest examples: hacking activity that has been going on since back then and was only recently discovered, and network attacks from an actual state sponsored group.


5. Italian City Palermo Impacted by Cyberattack, Vice Society Ransomware Claims Responsibility

https://heimdalsecurity.com/blog/italian-city-palermo-impacted-by-cyberattack-vice-society-ransomware-claims-responsibility-for-it/

Overview: The Vice Society ransomware gang declared that it had been behind the recent attack that targeted the capital of the Italian island of Sicily, Palermo. The incident has caused a large-scale service outage. The cyberattack took place last Friday, and all internet-based services are still down, affecting 1.3 million people and tourists who are there for vacation. On Monday, the authorities confirmed the gravity of the ransomware attack, explaining that all systems had to be taken offline to control the damage and alerting people that the disruptions could last a few more days.

TRIAGE: Ransomware groups continue to plague the internet at large with their attacks and keep finding targets of opportunity. In this case it is not another company: as we saw last summer with a rash of attacks on local city governments in the U.S., we now have a city in Italy pretty much “taken offline” in its entirety for at least several days. As covered in the story, this affects not just the local citizens but a whole wave of tourists from outside the country, so the actual costs of the incident in general expenses and lost tourism dollars could be very hard to measure but will have a horrible impact on many local small businesses. Many European towns make a huge share of their local businesses’ yearly profits from outside tourists, so something like this has an obvious ripple effect of losses.

More articles by James Beal
