Weekly Cybersecurity Briefing - April 19, 2023
Access Point Consulting
Hands-on cybersecurity for small to mid-sized companies.
Ransomware, Malware & Phishing
Over a Million Financial Records Exposed in Data Incident Involving Fintech Company
Analysis: PDF documents containing invoices from individuals and businesses were made publicly accessible, exposing personal information such as names, email addresses, physical addresses, phone numbers, and tax information.
The exposed database belonged to NorthOne Bank, a financial technology company used by over 320,000 US businesses. The issue was reported to NorthOne Bank, and they resolved it after several follow-up messages. It is unclear how long the records were exposed or who else may have had access to the database.
The exposure of tax information and invoices can pose significant risks, including business identity theft and potential scams. Cybercrimes with a goal of financial gain are common, and victims often face some degree of financial loss and damage to their credit scores. NorthOne Bank’s mobile app is available on various platforms and integrates with multiple payment processing systems.
It is essential that relevant staff have proper training in setting permissions for files with sensitive data. In addition, Access Point recommends having strong encryption methods for sensitive data. Robust monitoring and logging mechanisms help to detect unauthorized access or unusual activity within the system and alert administrators to it.
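As an added illustration of the permissions check recommended above (this is example code written for this briefing, not NorthOne's or Access Point's tooling), the following Python script audits a directory tree for invoice-style files whose POSIX permission bits let any other user on the host read or write them. The sensitive file suffixes, sample paths and mode values are constructed for the example; run `audit_directory()` against a real export directory to use it.

```python
import os
import stat

# File types treated as sensitive for this audit (the exposed records above were PDF invoices).
# This list is an assumption for the example; align it with your own data classification.
SENSITIVE_SUFFIXES = (".pdf", ".csv", ".xlsx")

# Constructed sample entries (path, st_mode) standing in for what os.lstat() would return.
SAMPLE_ENTRIES = [
    ("/srv/invoices/2023-04-acme.pdf", 0o100644),   # readable by every user on the host
    ("/srv/invoices/private.pdf", 0o100600),        # owner only: fine
    ("/srv/exports/customers.csv", 0o100666),       # world-readable and world-writable
    ("/srv/invoices/README.txt", 0o100644),         # not a sensitive type: ignored
]


def classify_mode(mode):
    """Return the permission findings for a raw st_mode value."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def audit_entries(entries):
    """Audit (path, st_mode) pairs; return [(path, octal permission string, findings)]
    for sensitive files that any other user can read or write."""
    results = []
    for path, mode in entries:
        if not path.lower().endswith(SENSITIVE_SUFFIXES):
            continue
        findings = classify_mode(mode)
        if findings:
            results.append((path, oct(stat.S_IMODE(mode)), findings))
    return results


def audit_directory(root):
    """Walk a real directory tree (symlinks are not followed) and audit every regular file."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # vanished or unreadable entry: skip it rather than abort the audit
            if stat.S_ISREG(st.st_mode):
                entries.append((full, st.st_mode))
    return audit_entries(entries)


if __name__ == "__main__":
    for path, perm, findings in audit_entries(SAMPLE_ENTRIES):
        print(f"{perm} {path}: {', '.join(findings)}")
```

The audit deliberately reports only the "other" permission bits; group access is a policy decision that depends on how the host's groups are laid out, so extend `classify_mode()` if group membership is not tightly controlled.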
DDoS attacks shifting to VPS infrastructure for increased power
Analysis: Hyper-volumetric DDoS attacks in the first quarter of 2023 have shifted from a reliance on compromised IoT devices to leveraging breached virtual private servers (VPS), according to internet security company Cloudflare.
The newer generation of botnets is now using vulnerable and misconfigured VPS servers, using leaked API credentials or known exploits instead of building large swarms of weak IoT devices. This approach allows threat actors to build high performance botnets that can be up to 5,000 times stronger than IoT-based botnets.
Cloudflare has been working with cloud computing providers and partners to crack down on these emerging VPS-based threats and has succeeded in taking down substantial portions of these novel botnets. In general, Cloudflare reports a steady stream of DDoS attacks, which cause service outages by bombarding the target with garbage traffic until the attackers' demands are met.
Israel was the country most targeted by DDoS attacks during this period, followed by the United States. The size and duration of attacks varied, with most lasting under 10 minutes and not exceeding 500 Mbps, but larger attacks exceeding 100 Mbps are on the rise compared to the previous quarter.
Access Point recommends having a tried and tested incident response plan in the event of a DDoS attack in hopes of containing the attack as efficiently as possible. It is also essential that you have an active threat hunting program actively searching for potential indicators of compromise.
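A concrete piece of the threat hunting recommended above is spotting a volumetric burst in your own flow telemetry before it becomes an outage. The following Python is an added example for this briefing (not Cloudflare's or Access Point's code) that buckets constructed flow records per second, flags runs of seconds where the rate toward a host crosses a megabit-per-second threshold, and lists the heaviest senders during the burst. The victim address, source addresses and byte counts are all constructed.

```python
from collections import defaultdict

TARGET = "203.0.113.10"  # constructed victim address

# Constructed flow records (epoch second, source IP, destination IP, bytes); not real traffic.
SAMPLE_FLOWS = []
for _sec in range(100, 108):                       # steady 8 Mbps of ordinary traffic
    SAMPLE_FLOWS.append((_sec, "198.51.100.1", TARGET, 1_000_000))
for _sec in range(105, 108):                       # three sources flood for three seconds
    for _src in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
        SAMPLE_FLOWS.append((_sec, _src, TARGET, 30_000_000))
SAMPLE_FLOWS.append((106, "198.51.100.1", "203.0.113.99", 5_000_000))  # traffic to another host


def bits_per_second(flows, dst):
    """Sum the bits delivered to dst in each one-second bucket."""
    per_sec = defaultdict(int)
    for ts, _src, d, nbytes in flows:
        if d == dst:
            per_sec[ts] += nbytes * 8
    return dict(per_sec)


def find_bursts(flows, dst, threshold_mbps):
    """Return [(start, end, peak_mbps)] for contiguous runs of seconds above the threshold."""
    per_sec = bits_per_second(flows, dst)
    if not per_sec:
        return []
    bursts, start, peak = [], None, 0.0
    # Iterate one second past the last record so a burst that ends the capture is closed.
    for sec in range(min(per_sec), max(per_sec) + 2):
        mbps = per_sec.get(sec, 0) / 1e6
        if mbps > threshold_mbps:
            if start is None:
                start, peak = sec, 0.0
            peak = max(peak, mbps)
        elif start is not None:
            bursts.append((start, sec - 1, peak))
            start = None
    return bursts


def top_sources(flows, dst, start, end, n=5):
    """Heaviest senders to dst during [start, end], as [(source, bytes)]."""
    totals = defaultdict(int)
    for ts, src, d, nbytes in flows:
        if d == dst and start <= ts <= end:
            totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for start, end, peak in find_bursts(SAMPLE_FLOWS, TARGET, threshold_mbps=500.0):
        print(f"burst {start}-{end}s peak {peak:.0f} Mbps from {top_sources(SAMPLE_FLOWS, TARGET, start, end)}")
```

The 500 Mbps threshold mirrors the attack sizes quoted above; in practice set it relative to the link capacity and normal baseline of each protected host, and feed the top-source list into your incident response plan's blocking step.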
RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware
Analysis: Cyber security researchers have uncovered details about a rising cybercriminal gang called “Read The Manual” (RTM) Locker, which operates as a private ransomware-as-a-service (RaaS) provider.
The group uses affiliates to carry out ransomware attacks and generate illicit profit. RTM Locker initially started as a banking malware targeting businesses in Russia, but it has since evolved to deploy ransomware on compromised hosts. One key trait of the group is its deliberate avoidance of high-profile targets that could draw attention to its activities (e.g. critical infrastructure, law enforcement, and COVID-19 vaccine-related corporations).
The group's affiliates are bound by strict rules to avoid drawing attention, requiring them to either remain active or notify the gang of their leave. The Locker is suspected to be executed on networks that are already under the group's control, indicating previous compromises through other means. The group uses extortion techniques to compel victims to pay the ransom, while the ransomware payload itself is capable of elevating privileges, terminating antivirus and backup services, and deleting shadow copies.
Access Point recommends that companies follow the guidelines below:
Beware of Juice Jacking and Impersonation Attacks – Warns FCC and FBI
Analysis: The FCC and FBI have issued advisories warning about two different cyberattacks.
The FCC advisory focuses on “Juice Jacking,” where cyber criminals install malware into USB charging stations in public places to steal personal information. Users are advised to carry their own charger and use electrical outlets instead of USB charging ports.
Meanwhile, the FBI advisory is warning about impersonation attacks targeting Chinese individuals in the US, where scammers posed as Chinese law enforcement or prosecutors to defraud victims of personal information. The FBI advises caution when sharing personal information over the phone with strangers claiming to be law enforcement.
Experts found the first LockBit encryptor that targets macOS system
Analysis: Researchers have issued a warning that the LockBit ransomware gang has developed encryptors to target macOS devices. This marks the first time a ransomware gang has created an encryptor specifically for macOS systems.
The encryptors were discovered in a ZIP archive uploaded to VirusTotal by the MalwareHunterTeam. The archive contains previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC architectures, including builds for PowerPC CPUs used in older macOS systems.
There is speculation that these encryptors may have been created for testing purposes due to the presence of strings in the encryption that are out of place in a macOS encryptor. Therefore, the encryptors may not be effective in actual attacks against macOS systems. Security experts also point out the encryptors are not properly signed or notarized, and do not take into account macOS security mechanisms, making their impact on macOS systems minimal in their current form. Nevertheless, the discovery highlights these ransomware gangs’ continued efforts to continuously expand their operations, including targeting Apple systems and macOS devices.
Access Point recommends keeping all software and operating systems up to date with the latest patches and security updates, while also implementing MFA for all user accounts. It is equally important to have an active threat hunting program, as the threat landscape is ever changing, and it is essential to stay in the know with the new ways in which operators are targeting businesses.
Trigona Ransomware Attacking MS-SQL Servers
Analysis: Trigona ransomware appears to be targeting poorly managed MS-SQL servers that are exposed to external connections and have weak or easily guessable account credentials.
The attackers are likely using brute force or dictionary attacks to gain access to these servers. Once access is gained, the attackers install CLR Shell malware, which is a type of CLR assembly malware that can receive commands from the attackers and perform various malicious actions with high privilege levels, including privilege escalation (using vulnerabilities such as MS16-032), information gathering, and user account configuration.
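The brute-force stage described above leaves a very visible trail: SQL Server records each failed login (error 18456) in its ERRORLOG with the client address. The following Python is an added example for this briefing (not from the original report) that parses constructed lines in that format and raises an alert when one client address accumulates more than a threshold of failures inside a sliding window. The timestamps, usernames and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the "Login failed" line SQL Server writes to its ERRORLOG (error 18456);
# spacing varies between versions, so whitespace is matched loosely.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)

# Constructed sample log: a 12-attempt burst from one address plus two stray failures elsewhere.
SAMPLE_LOG = [
    "2023-04-17 10:15:05.00 Logon       Error: 18456, Severity: 14, State: 8.",
]
for _i in range(12):
    _user = "sa" if _i < 8 else "admin"
    SAMPLE_LOG.append(
        f"2023-04-17 10:15:{_i * 2:02d}.12 Logon       Login failed for user '{_user}'. "
        f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    )
for _ts in ("09:00:01", "11:30:45"):
    SAMPLE_LOG.append(
        f"2023-04-17 {_ts}.00 Logon       Login failed for user 'reporting'. "
        f"Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.20]"
    )


def parse_failures(lines):
    """Yield (timestamp, user, client ip) for each failed-login line; other lines are skipped."""
    for line in lines:
        m = LOGIN_FAILED_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


def detect_bruteforce(lines, window_seconds=60, threshold=10):
    """Sliding window per client: {client: (max failures in any window, users tried)}
    for clients that reach the threshold."""
    by_client = defaultdict(list)
    for ts, user, client in sorted(parse_failures(lines)):
        by_client[client].append((ts, user))
    alerts = {}
    for client, events in by_client.items():
        left, best, users = 0, 0, set()
        for right, (ts, user) in enumerate(events):
            while (ts - events[left][0]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
            users.add(user)
        if best >= threshold:
            alerts[client] = (best, sorted(users))
    return alerts


if __name__ == "__main__":
    for client, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{client}: {count} failures in 60s, accounts tried: {users}")
```

The list of accounts tried is worth keeping in the alert: a single address cycling through `sa` and other privileged names is the dictionary-attack pattern the analysis describes, and is a different response case from one user mistyping a password.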
The CLR Shell malware is used to exploit vulnerabilities and escalate privileges in the MS-SQL server, allowing the attackers to gain administrative control over the server. Once the attackers have escalated their privileges, they install Trigona ransomware, which is disguised as a dropper malware named svcservice.exe. This dropper malware creates and executes the actual Trigona ransomware, named svchost.exe, in the same path.
The dropper malware also creates and executes a batch file named svchost.bat, which registers the Trigona binary to the Run key to ensure persistence even after a system reboot. The batch file also deletes volume shadow copies and disables the system recovery feature to prevent recovery from the ransomware infection.
Access Point recommends organizations using MS-SQL servers ensure that they are properly managed with strong security measures in place. This includes using complex and unique account credentials, keeping the servers up to date with the latest security patches, and monitoring for any signs of unauthorized access or malicious activity.
Regular backups of important files should also be maintained to enable recovery in case of a ransomware attack. For an extra layer of protection, users should segregate their networks. As always, it is absolutely crucial that users have multi-factor authentication configured and switched on.
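Both the RTM Locker payload (deleting shadow copies, killing backup services) and the Trigona batch file (Run-key persistence, shadow copy deletion, recovery disabled) described above show up as ordinary process-creation events before any encryption starts. The following Python is an added example for this briefing (not from either vendor report) that runs a small rule set over constructed process-creation records in a simple pipe-delimited form, flags those behaviours plus a `svchost.exe` running outside the system directories, and reports hosts where several signals coincide. Hostnames, users, paths and the log layout are all constructed.

```python
import re
from collections import defaultdict

# Command-line patterns worth hunting for in process-creation telemetry (Sysmon Event ID 1,
# Windows Security 4688). Rule names are ours; the behaviours come from the write-ups above.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    ("run_key_persistence", re.compile(r"reg(\.exe)?\s+add\s.*\\CurrentVersion\\Run\b", re.I)),
    ("service_stop", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+", re.I)),
]
# Directories a genuine svchost.exe lives in (lower-cased, trailing backslash included).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample events, one per line: timestamp|host|user|image path|command line
SAMPLE_EVENTS = [
    r"2023-04-17T10:20:01|SQL01|NT SERVICE\MSSQLSERVER|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2023-04-17T10:21:10|SQL01|SQL01\Administrator|C:\Temp\svchost.exe|C:\Temp\svchost.exe",
    r"2023-04-17T10:21:12|SQL01|SQL01\Administrator|C:\Windows\System32\cmd.exe|cmd.exe /c C:\Temp\svchost.bat",
    r"2023-04-17T10:21:13|SQL01|SQL01\Administrator|C:\Windows\System32\reg.exe|reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v svchost /t REG_SZ /d C:\Temp\svchost.exe /f",
    r"2023-04-17T10:21:14|SQL01|SQL01\Administrator|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2023-04-17T10:21:15|SQL01|SQL01\Administrator|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    r"2023-04-17T10:25:00|WEB02|WEB02\svc_deploy|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]


def parse_event(line):
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def match_rules(event):
    """Names of every rule the event triggers (sorted, de-duplicated)."""
    names = {name for name, rx in RULES if rx.search(event["cmd"])}
    image = event["image"].lower()
    # A binary named svchost.exe outside the system directories is masquerading,
    # as with the Trigona payload dropped beside svcservice.exe.
    if image.rsplit("\\", 1)[-1] == "svchost.exe" and not image.startswith(SYSTEM_DIRS):
        names.add("masquerading_svchost")
    return sorted(names)


def scan(lines):
    """Return [(timestamp, host, image, rule names)] for every event that triggers a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        names = match_rules(event)
        if names:
            hits.append((event["ts"], event["host"], event["image"], names))
    return hits


def hosts_with_multiple_signals(hits, minimum=2):
    """Hosts that triggered at least `minimum` distinct rules; several in quick succession
    is the pre-encryption pattern both write-ups describe."""
    per_host = defaultdict(set)
    for _ts, host, _image, names in hits:
        per_host[host].update(names)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= minimum}


if __name__ == "__main__":
    for host, names in hosts_with_multiple_signals(scan(SAMPLE_EVENTS)).items():
        print(f"{host}: {', '.join(names)}")
```

Any one of these commands has legitimate administrative uses, which is why the example scores hosts on distinct signals rather than alerting on a single match; a backup operator may delete a catalog, but the same host registering a Run key and deleting shadow copies within seconds warrants an immediate isolation decision.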
Vice Society Ransomware Using Stealthy PowerShell Tool for Data Exfiltration
Analysis: Threat actors associated with the Vice Society ransomware gang have been observed using a custom PowerShell-based tool to automate the process of exfiltrating data from compromised networks. This allows them to avoid using external tools that may be flagged by security software or human-based detection mechanisms, and can hide within the general operating environment.
The tool, identified as “w1.ps1,” identifies mounted drives on the system, recursively searches through root directories, and exfiltrates data over HTTP. It also has exclusion criteria to filter out system files, backups, and folders related to web browsers and security solutions from Symantec, ESET, and Sophos. The tool demonstrates a professional level of coding and illustrates the ongoing threat of double extortion in the ransomware landscape.
We insist that organizations prioritize robust security protections, as well as have a dedicated team to stand watch over the evolving threat landscape.
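Because the tool above exfiltrates over plain HTTP, the most reliable place to catch it is the egress proxy: a workstation that suddenly uploads tens of megabytes to an address it has never posted to before is the signal, regardless of which script produced the traffic. The following Python is an added example for this briefing (not from the original research) that totals upload volume per client, destination and hour over constructed proxy log lines and alerts when the total crosses a threshold to a destination outside an allowlist. The log layout, allowlist, addresses and sizes are all constructed.

```python
from collections import defaultdict
from datetime import datetime

# Destinations where bulk uploads are expected; an assumed allowlist for the example.
KNOWN_UPLOAD_DESTS = {"sharepoint.example.com", "backup.example.com"}

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <destination host> <bytes sent by client>"
SAMPLE_PROXY_LOG = []
for _m in range(0, 40, 5):                                   # 8 POSTs of 8 MB to a bare IP in one hour
    SAMPLE_PROXY_LOG.append(f"2023-04-17T10:{_m:02d}:00 10.0.0.15 POST 203.0.113.77 8000000")
SAMPLE_PROXY_LOG.append("2023-04-17T10:12:00 10.0.0.15 POST sharepoint.example.com 60000000")  # expected upload
SAMPLE_PROXY_LOG.append("2023-04-17T10:30:00 10.0.0.22 GET cdn.example.net 120000000")        # download, not upload
SAMPLE_PROXY_LOG.append("2023-04-17T11:05:00 10.0.0.15 POST 203.0.113.77 4000000")            # next hour, below threshold


def parse_proxy_log(lines):
    """Yield (timestamp, client, method, destination host, bytes sent) per line."""
    for line in lines:
        ts, client, method, host, sent = line.split()
        yield datetime.fromisoformat(ts), client, method, host, int(sent)


def upload_totals(lines):
    """Bytes sent by each client to each destination per hour, keyed (client, host, hour)."""
    totals = defaultdict(int)
    for ts, client, method, host, sent in parse_proxy_log(lines):
        if method not in ("POST", "PUT"):
            continue
        hour = ts.replace(minute=0, second=0, microsecond=0)
        totals[(client, host, hour)] += sent
    return totals


def find_suspicious_uploads(lines, threshold_bytes=50_000_000, allowlist=KNOWN_UPLOAD_DESTS):
    """(client, host, hour, bytes) for every client/destination/hour whose upload volume
    crosses the threshold to a destination not on the allowlist."""
    alerts = []
    for (client, host, hour), total in sorted(upload_totals(lines).items()):
        if total >= threshold_bytes and host not in allowlist:
            alerts.append((client, host, hour.isoformat(), total))
    return alerts


if __name__ == "__main__":
    for client, host, hour, total in find_suspicious_uploads(SAMPLE_PROXY_LOG):
        print(f"{hour} {client} uploaded {total / 1e6:.0f} MB to {host}")
```

An hourly bucket is coarse on purpose: the script above walks every mounted drive, so its uploads are sustained rather than a single large request, and splitting them into many small POSTs does not change the per-hour total.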
Vulnerabilities
Google Releases Urgent Chrome Update to Fix Actively Exploited Zero-Day Vulnerability
Analysis: A zero-day vulnerability tracked as CVE-2023-2033, a type confusion issue in the V8 JavaScript engine, impacts the Google Chrome web browser.
According to NIST’s National Vulnerability Database (NVD), "Type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.” Although this vulnerability has been exploited in the wild, there have been no specifics or indicators of compromise (IoCs) released to prevent further attacks.
The full report acknowledges that CVE-2023-2033 is similar to four vulnerabilities that were previously remediated by Google in 2022 (CVE-2022-1096, CVE-2022-1364, CVE-2022-3723, and CVE-2022-4262), which were actively abused type confusion flaws in V8.
Access Point recommends that users upgrade to version 112.0.5615.121 for Windows, macOS, and Linux to mitigate potential threats. It is also advised that those who use Brave, Opera, Microsoft Edge, Vivaldi, and other Chromium-based browsers apply fixes as they become available.
New sandbox escape PoC exploit available for vm2 library, patch now
Analysis: A sandbox escape proof of concept (PoC) exploit in the vm2 sandbox has been released by security researchers.
vm2 is a well-known JavaScript sandbox library used by software including IDEs, code editors, and various security tools; it allows partial code execution on isolated Node.js servers while protecting system resources and external data from unauthorized access. The report claims that, through this flaw, it is possible to execute unsafe code on a host running the vm2 sandbox.
Over the last two weeks, multiple vulnerabilities were discovered relating to vm2. The most recent two (CVE-2023-29199 and CVE-2023-30547) were discovered by Seunghyun Lee.
The critical vulnerability tracked as CVE-2023-30547 is an exception sanitization flaw allowing an attacker to raise an unsanitized host exception inside “handleException().” As the report explains, “if an attacker sets up a custom ‘getPrototypeOf()’ proxy handler that throws an unsanitized host exception, the ‘handleException’ function will fail to sanitize it.”
Access Point recommends that all users whose projects incorporate the vm2 library upgrade to version 3.9.17 as soon as possible to remediate these vulnerabilities.
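Finding every copy of vm2 in a project is harder than it sounds, because the library is frequently pulled in as a transitive dependency and can be installed several times at different versions. The following Python is an added example for this briefing (not vm2's or Access Point's tooling) that reads an npm `package-lock.json` in either the flat `packages` layout (lockfile version 2 and 3) or the nested `dependencies` layout (version 1) and lists every installed vm2 below the 3.9.17 fix named above. The two sample lockfiles are constructed.

```python
import json

# Minimum fixed versions from the advisory above; other packages can be added the same way.
MINIMUM_FIXED = {"vm2": (3, 9, 17)}

# Constructed lockfiles. npm writes lockfileVersion 2/3 as a flat "packages" map keyed by
# node_modules path; lockfileVersion 1 nests "dependencies" instead.
SAMPLE_LOCK_V3 = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/vm2": {"version": "3.9.16"},
    "node_modules/some-tool": {"version": "2.1.0"},
    "node_modules/some-tool/node_modules/vm2": {"version": "3.9.17"}
  }
}""")
SAMPLE_LOCK_V1 = json.loads("""{
  "name": "demo-app", "lockfileVersion": 1,
  "dependencies": {
    "some-tool": {"version": "2.1.0", "dependencies": {"vm2": {"version": "3.9.11"}}}
  }
}""")


def parse_version(text):
    """'3.9.16', 'v3.9.16' or '3.9.16-beta.1' -> (3, 9, 16); prerelease tags are dropped."""
    core = text.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def find_vulnerable(lock):
    """Every installed copy of a tracked package below its fixed version, as [(path, version)]."""
    findings = []
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map, path "" is the root project
        for path, meta in lock["packages"].items():
            name = path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version")
            if path and name in MINIMUM_FIXED and version and parse_version(version) < MINIMUM_FIXED[name]:
                findings.append((path, version))
        return findings

    def walk(deps, prefix):  # lockfileVersion 1: recurse through nested dependencies
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name in MINIMUM_FIXED and parse_version(meta["version"]) < MINIMUM_FIXED[name]:
                findings.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lock.get("dependencies", {}), "")
    return findings


def audit_lockfile(path):
    """Load a package-lock.json from disk and report vulnerable installs."""
    with open(path, encoding="utf-8") as fh:
        return find_vulnerable(json.load(fh))


if __name__ == "__main__":
    for lock in (SAMPLE_LOCK_V3, SAMPLE_LOCK_V1):
        for path, version in find_vulnerable(lock):
            print(f"{path} is vm2 {version}; upgrade to 3.9.17 or later")
```

Note that in the version-3 sample the nested copy under `some-tool` is already fixed while the top-level one is not; an `npm audit` run would also report this, but checking the lockfile directly is useful in CI pipelines that vendor dependencies or cannot reach the registry.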
CISA warns of Android bug exploited by Chinese app to spy on users
Analysis: An Android Framework vulnerability — which allows an attacker to escalate privileges on unpatched Android devices without requiring user interaction — has been acknowledged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in a warning released on Sunday, April 16.
CISA warned that this vulnerability, tracked as CVE-2023-20963, is believed to have been exploited to spy on users of the Chinese ecommerce Pinduoduo app. Further elaboration from CISA states, “Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed.”
This bug was also acknowledged by Google as being under limited, targeted exploitation with the updates they released early last month.
Additionally, the full report recognizes that the U.S. Federal Civilian Executive Branch Agencies (FCEB) are required to secure their devices to remediate this vulnerability by May 4.
Access Point recommends that users follow the same guidance given to FCEB agencies and remove this application and all residual files from their devices as soon as possible.