Compromised cloud accounts lead to cryptomining

As the world shifts increasingly to cloud environments, the threat of cyberattacks against them grows with it. Google has found recent incidents of cryptocurrency mining, ransomware and phishing campaigns. Google’s Threat Horizons report says that hackers have been compromising cloud accounts used for storing files and data. The attackers do not only use these accounts as mining resources but also leverage the storage space to carry out other malicious activities. Of 50 recently compromised Google Cloud Platform (GCP) instances, 86% were used to conduct crypto mining. Ten percent of the instances were used to scan other publicly available resources for vulnerable systems, and eight percent of the compromised instances were leveraged to attack other targets.

While the aim of the attackers did not seem to be data theft, cloud asset compromises still pose many risks. Following China’s ban on cryptocurrency transactions, the world’s 14 largest crypto mining companies shifted their bases to the US, Kazakhstan, Canada and Russia.

Cloud misconfiguration issues have reached new heights: research by Palo Alto suggests that attackers can now compromise an exposed honeypot within 30 seconds. Organisations must secure their cloud platforms by auditing and assessing their cloud configuration and by defending proactively against whatever threats may come.

TAG researchers found a group of attackers exploiting cloud resources to generate traffic to YouTube with the purpose of manipulating view counts. They adopted new TTPs such as leveraging free trial projects, joining the Google Developer Community to obtain free projects, and exploiting start-up credits through phony companies. The perpetrators also gained free credits by making small credit card payments and later disputing them. Google believes that threat actors who gain access to legitimate cloud instances will use them for financial gain, which in turn enables them to abuse unsuspecting users.

Authorities warn of actively exploited critical ManageEngine ServiceDesk vulnerability

The US Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) are warning of active exploitation of a newly patched flaw in Zoho's ManageEngine ServiceDesk Plus product to deploy web shells and carry out an array of malicious activities. Tracked as CVE-2021-44077 (CVSS score: 9.8), the issue is an unauthenticated remote code execution vulnerability affecting ServiceDesk Plus versions up to and including 11305 that, if left unfixed, "allows an attacker to upload executable files and place web shells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files," CISA said.

A security misconfiguration in ServiceDesk Plus led to the vulnerability, Zoho noted in a separate advisory. The vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks. CVE-2021-44077 is also the second flaw to be exploited by the same threat actor, which was previously found exploiting a security shortcoming in Zoho's self-service password management and single sign-on solution, ManageEngine ADSelfService Plus (CVE-2021-40539), to compromise at least 11 organisations, according to a new report published by Palo Alto Networks' Unit 42 threat intelligence team.

Over the past three months, at least two organisations have been compromised using the ManageEngine ServiceDesk Plus flaw, a number that is expected to climb further as the APT group ramps up its reconnaissance activities against the technology, energy, transportation, healthcare, education, finance and defence industries. Zoho, for its part, has made available an exploit detection tool to help customers identify whether their on-premises installations have been compromised, in addition to recommending that users "upgrade to the latest version of ServiceDesk Plus (12001) immediately" to mitigate any potential risk arising from exploitation.

Watchdog warns of new Omicron (Covid-19) phishing campaign

Sensing another opportunity to take advantage of fears surrounding the Covid-19 pandemic, scammers are running a phishing campaign that exploits the emergence of the Omicron coronavirus variant in order to line their pockets, warns British consumer watchdog Which?.

In an email obtained by Which?, the fraudsters pose as the National Health Service (NHS) and offer potential victims a “free Omicron PCR test” that will supposedly help them avoid the pandemic-related restrictions recently introduced by the British government. The email also falsely claims that the new variant is not detectable by the test kits used for previous Covid-19 variants and that a new test kit has been developed for that purpose.

Besides deploying a range of Covid-19 vaccine-related scams, criminals have also taken aim at various pharmaceutical companies and governmental organisations involved in the vaccine development, approval and deployment process. They have compromised an Oxford University research lab that studies ways to combat the virus, and stolen documents from the European Medicines Agency, to name just a few of the campaigns and incidents of the past almost two years.

VirusTotal introduces Collections to simplify IoC sharing

Chronicle-owned VirusTotal this week announced VirusTotal Collections, a new resource aimed at making it easier for security researchers to share Indicators of Compromise (IoCs). Registered VirusTotal users have access to these collections, and their owners can easily add IoCs to them or remove IoCs from them to ensure they remain relevant. With Collections, VirusTotal aims to eliminate the need for security researchers to use other services, such as Pastebin or other sharing platforms, to make IoCs available to the community.

“All our community generated content, including comments, graphs and collections, will contribute to the Community section of file, URL, domain and IP address reports. This means that if a security researcher creates a Collection with a file in it, if you visit the file report you will see the collection in the community section,” VirusTotal explains.

IoC collections can be created from the Search tab on the VirusTotal home page. According to the malware scanning service, Collections offer a more actionable and contextualised way of sharing IoCs: they are public via the platform’s UI and API, and can be shared using their permalink in blog posts, reports and the like.

Project Zero flags high-risk Zoom security flaw

Video conferencing software giant Zoom has shipped patches for a pair of security defects that expose Windows, macOS, Linux, iOS and Android users to malicious hacker attacks. The flaws, discovered and reported by Google Project Zero researcher Natalie Silvanovich, affect the company’s flagship Zoom Client for Meetings on all major platforms and could be exploited for code execution attacks. Zoom slapped a “high-severity” rating on the more serious of the two vulnerabilities (CVE-2021-34423) and warned that the issue also affects a wide range of downstream components and SDKs.

“This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code,” Zoom said in a barebones advisory listing a range of affected products. The bug is described as a buffer overflow with a CVSS base score of 7.3. Zoom also fixed a second memory corruption vulnerability (CVE-2021-34424) that allowed the state of process memory to be exposed in multiple products and components. In addition, Zoom added a new automatic updating mechanism to the desktop version of the software to help users find and apply security patches in a timely manner.

Critical wormable security flaw found in several HP printer models

Cybersecurity researchers have disclosed eight-year-old security flaws affecting 150 different multifunction printers (MFPs) from HP Inc that could potentially be abused by an adversary to take control of vulnerable devices, pilfer sensitive information, and infiltrate enterprise networks to mount further attacks. The two weaknesses — collectively called Printing Shellz — were discovered and reported to HP by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev, prompting the PC maker to issue patches.

The critical severity rating of CVE-2021-39238 (CVSS score: 9.3) also stems from the fact that the vulnerability is wormable, meaning it could be exploited to self-propagate to other MFPs on the compromised network. A hypothetical attack scenario could involve embedding an exploit for the font-parsing flaws in a malicious PDF document and then social engineering the target into printing the file. Alternatively, an employee of the victim organisation could be lured into visiting a rogue website that sends the exploit to the vulnerable MFP directly from the web browser, in what is known as a cross-site printing attack. Besides enforcing network segmentation and disabling printing from USB drives by default, organisations using the affected devices are strongly advised to install the patches as soon as they become available.


And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
