QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Continuous attacks target Log4j flaw

Public and private organisations, including Microsoft and the US Federal Trade Commission (FTC), are warning about ongoing attacks exploiting Log4Shell. Since December 2021, state-sponsored and other attackers have been targeting the Log4j flaw.

According to Microsoft, organisations may not be fully aware of Log4j flaws in their environment. Over the past month, Microsoft has released multiple updates and alerts to help its customers. The company has observed many known attackers incorporating Log4Shell exploits (CVE-2021-44228 and CVE-2021-45046) into their malware kits and tactics, from hands-on-keyboard intrusions to coin miners. Microsoft noted that exploitation attempts and testing remained high through the last weeks of December 2021.

Organisations should widen their scanning capabilities to stay protected and to identify vulnerable components and active threats in their environments, using scripts and scanning tools to assess their exposure. The FTC warning, moreover, advises companies to follow the official guidance on fixing the Log4j flaws.
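The scanning advice above is easiest to act on with a small script. The one below is an added example (not code from the article, Microsoft or the FTC guidance) that walks a directory tree, opens every jar, reads the Maven `pom.properties` that log4j-core ships, and flags jars below 2.16.0 that still contain `JndiLookup.class`. The jars it scans are constructed fixtures written to a temporary directory; the 2.16.0 threshold is this scanner's assumption, so older backport releases such as 2.12.2 would be reported for manual review rather than silently accepted.

```python
"""Added example: scan a directory for Log4j 2 core jars and flag those that
still carry the JndiLookup class at a version below 2.16.0.
All jars here are constructed test fixtures, not real Log4j artifacts."""
import os
import tempfile
import zipfile

# Class that implements the JNDI lookup behind Log4Shell (CVE-2021-44228)
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; it records the library version
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption for this scanner: releases from 2.16.0 onward are treated as fixed,
# so backports such as 2.12.2 are still reported for review
FIXED_FROM = (2, 16, 0)


def parse_version(text):
    """Return the version string from pom.properties, or None if absent."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def version_tuple(version):
    """Turn '2.14.1' into (2, 14, 1); non-numeric parts become 0."""
    parts = []
    for piece in (version or "0").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_jar(path):
    """Describe one jar; returns None unless it is a log4j-core jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS not in names:
                return None
            version = parse_version(jar.read(POM_PROPS).decode("utf-8", "replace"))
    except zipfile.BadZipFile:
        return None
    return {"path": path, "version": version, "jndi_lookup_present": JNDI_LOOKUP in names}


def is_vulnerable(finding):
    """Old version whose JndiLookup class was not removed from the jar."""
    return finding["jndi_lookup_present"] and version_tuple(finding["version"]) < FIXED_FROM


def scan_tree(root):
    """Walk root and return a finding for every log4j-core jar found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, name))
                if finding is not None:
                    findings.append(finding)
    return findings


def build_sample_tree():
    """Constructed fixtures: three fake log4j-core jars plus an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fixtures = {
        "lib/log4j-core-2.14.1.jar": ("2.14.1", True),
        "lib/patched-log4j-core-2.14.1.jar": ("2.14.1", False),  # class removed
        "app/log4j-core-2.17.1.jar": ("2.17.1", True),
    }
    for rel, (version, with_lookup) in fixtures.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_lookup:
                jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # fake class stub
    with zipfile.ZipFile(os.path.join(root, "app/other.jar"), "w") as jar:
        jar.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        status = "VULNERABLE" if is_vulnerable(f) else "ok"
        print(f"{status:10} {f['version']:8} {f['path']}")
```

Point it at a real application directory by calling `scan_tree("/opt/myapp")` instead of the fixture builder. Note that this only catches jars on disk; nested jars inside WAR or EAR archives, and Log4j classes shaded into other libraries, need a deeper walk that also opens archives found inside archives.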

Meanwhile, the security team of the UK National Health Service (NHS) said that it detected an unknown threat actor using the Log4Shell vulnerability to hack VMware Horizon servers and plant web shells for future attacks.

“The web shell can then be used by an attacker to carry out a number of malicious activities such as deploying additional malicious software, data exfiltration, or deployment of ransomware,” the NHS team said in a security alert published on Wednesday.

The NHS-reported attacks mark the second time a VMware product has been targeted via the Log4Shell vulnerability after reports that the Conti ransomware gang abused Log4Shell to compromise VMware vCenter servers last month.

Zloader campaign abuses Microsoft's security checks

A Zloader campaign has been discovered abusing Microsoft's digital signature verification process to deploy malware payloads. The campaign, run by the Malsmoke hacker group, steals user credentials and has already hit thousands of victims across 111 countries. According to researchers from Check Point, it has been running since at least November 2021.

The infection starts with a modified installer (Java[.]msi) for Atera, a genuine remote monitoring and management product. The attackers are suspected to have used spear-phishing emails or pirated software sites, although the researchers could not confirm this. Once executed, the installer deploys an Atera agent that enrols the endpoint under an email address controlled by the threat actor, giving the attackers full remote access to the target system. The campaign exploits known flaws (CVE-2013-3900, CVE-2012-0151 and CVE-2020-1599); Microsoft has addressed these gaps by releasing stricter file verification policies, but because those policies are disabled by default, adversaries can still abuse the weakness.

These attacks appear highly targeted and may cause severe damage. The use of valid code signatures to evade security tools makes the threat harder for victim organisations to detect. Organisations can, however, use the published indicators of compromise for proactive detection and prevention.

Cloud video distribution supply chain attack vector

The threat of supply chain attacks keeps getting more real by the day. This time, real estate websites were hit via a unique attack vector: a cloud video platform was leveraged to propagate a web skimmer campaign. Researchers at Unit 42 discovered that Sotheby's Brightcove account had been breached by attackers who deployed a skimmer to steal payment card details from more than 100 websites. Sotheby's was using the Brightcove video player to display previews of expensive real estate properties. Although the attack took place last year, it has only recently come to light. The attackers injected the skimmer script into a video, so that any site importing the video would be infected.

The malicious JavaScript was heavily obfuscated and built to identify credit card patterns, validate card numbers, collect the data and send it to the operators. The skimmer could also harvest users' personal data, such as names, email addresses and phone numbers, check its validity and forward it to the attackers' C2 server. Palo Alto Networks stated that the skimmer is highly polymorphic, evasive and continuously evolving. Combined with cloud distribution platforms, this kind of skimmer can have grave consequences.

According to Malwarebytes, the campaign began as early as January 2021, and the collected data was sent to a remote server that had also served as the collection domain for a Magecart attack against Amazon CloudFront CDN in June 2019. To detect and block the injection of malicious code into online platforms, organisations are advised to perform web content integrity checks regularly. They are also advised to protect accounts against takeover attempts and to watch for possible social engineering schemes.
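A "web content integrity check" in practice means recording a hash of every third-party script a page loads while the site is known to be clean, then re-fetching and re-hashing on a schedule. The following is an added example written for this article (not code from Unit 42, Malwarebytes or Brightcove) that does exactly that using Subresource Integrity (SRI) style digests, and also shows how the same digest pins a static script in an HTML tag. Every URL and script body below is constructed; the "tampered" script is a harmless stub standing in for an injected skimmer.

```python
"""Added example: baseline integrity check for third-party scripts embedded in
a site, in the spirit of the 'web content integrity checks' recommendation.
All URLs and script bodies are constructed for illustration."""
import base64
import hashlib


def sri_hash(content, algo="sha384"):
    """Subresource Integrity style digest, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """Emit a script tag pinned with SRI so the browser refuses an altered body."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def check_integrity(baseline, observed):
    """Compare freshly fetched script bodies against a baseline manifest.

    baseline: {url: sri string recorded when the page was known-good}
    observed: {url: bytes fetched now}
    Returns which scripts changed, which are new, and which disappeared.
    """
    report = {"modified": [], "unexpected": [], "missing": []}
    for url, body in observed.items():
        expected = baseline.get(url)
        if expected is None:
            report["unexpected"].append(url)
        elif sri_hash(body, expected.split("-", 1)[0]) != expected:
            report["modified"].append(url)
    report["missing"] = sorted(set(baseline) - set(observed))
    return report


# Constructed fixtures: a clean player script and the same script with an
# appended stub where an injected skimmer would sit (no real behaviour).
PLAYER_URL = "https://players.example-video-cdn.test/player.min.js"
CLEAN_PLAYER = b"(function(){window.Player={load:function(id){/* render video */}};})();"
TAMPERED_PLAYER = CLEAN_PLAYER + b"/* unexpected appended code */"
ANALYTICS_URL = "https://tags.example-analytics.test/t.js"
CLEAN_ANALYTICS = b"window.track=function(){};"


def known_good_baseline():
    """Manifest recorded when the site was verified clean (constructed)."""
    return {PLAYER_URL: sri_hash(CLEAN_PLAYER), ANALYTICS_URL: sri_hash(CLEAN_ANALYTICS)}


def run_sample_check():
    """Simulate a scheduled check after the video platform script was altered
    and an unapproved script appeared on the page."""
    observed = {
        PLAYER_URL: TAMPERED_PLAYER,
        "https://cdn.example-unknown.test/x.js": b"/* never approved */",
    }
    return check_integrity(known_good_baseline(), observed)


if __name__ == "__main__":
    print(script_tag(ANALYTICS_URL, CLEAN_ANALYTICS))
    print(run_sample_check())
```

The `integrity` attribute is the stronger control where it can be used, because the browser itself refuses a changed file, but it only works for scripts whose body is static. Hosted video players and tag managers update in place, so they cannot be pinned, which is why the scheduled hash comparison exists: treat every entry in `modified` or `unexpected` as something a person reviews before the new hash is accepted into the baseline.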

FluBot malware now targets Europe posing as Flash Player app

The widely distributed FluBot malware continues to evolve, with new campaigns distributing it as a Flash Player app and its developers adding new features. FluBot is an Android banking trojan that steals credentials by displaying overlay login forms on top of many banking apps worldwide. The smishing (SMS phishing) lures used to distribute it include fake security updates, fake Adobe Flash Player apps, voicemail notifications and impersonated parcel delivery notices. Once on the device, FluBot can steal online banking credentials, send or intercept SMS messages (including one-time passwords) and capture screenshots.

Because the malware uses the victim's device to send new smishing messages to all of their contacts, it spreads like wildfire. An example of this campaign's SMS text targeting Polish recipients was shared by CSIRT KNF. When recipients click the included link, they are taken to a page offering a fake Flash Player APK [VirusTotal] that installs FluBot on the Android device.

To protect themselves from malware, Android users should avoid installing apps from APKs hosted on remote sites. This applies especially to well-known brands such as Adobe, whose apps should only be installed from trusted locations. Note that in many cases a link to download FluBot will arrive on your device from one of your contacts, possibly even a friend or family member. As such, if you receive an unusual SMS that contains a URL and urges you to click it, it is likely a message generated by FluBot.

Finally, avoid installing APK files from unusual sources, regularly check that Google Play Protect is enabled on your Android device, and use a mobile security solution from a reputable vendor.

SonicWall: Y2K22 bug hits email security, firewall products

SonicWall has confirmed that some of its email security and firewall products have been hit by the Y2K22 bug, causing message log updates and junk box failures starting on 1 January 2022. The company says that email users and administrators will no longer be able to access the junk box or un-junk newly received emails on affected systems. They will also no longer be able to trace incoming or outgoing emails using the message logs, because these are no longer updated.

On 2 January, SonicWall deployed updates to the North American and European instances of Hosted Email Security, the company's cloud email security service. The same bug also hit Microsoft and Honda. From 1 January, Honda and Acura car owners began reporting that their in-car navigation systems' clocks were automatically knocked back 20 years to 1 January 2002. According to the reports, the Y2K22 bug affects almost all older car models, including the Honda Pilot, Odyssey, CR-V and Ridgeline, and the Acura MDX, RDX, CSX and TL.

Microsoft was also hit by the same bug: on-premises Microsoft Exchange servers stopped delivering email from 1 January 2022 because the Y2K22 bug affected the FIP-FS anti-malware scanning engine, which crashed when scanning messages.

"The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues," Microsoft explained.

Microsoft released a temporary fix on 5 January that requires further customer action, while it works on an update that will automatically address the issue on impacted Exchange servers.
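The "version checking" failure Microsoft describes is a textbook integer-range bug, and it is worth seeing in a few lines. The example below is added here and is not from the article or from Microsoft; it rests on the widely reported root cause, which is that the signature version was laid out as YYMMDDHHMM and held in a signed 32-bit integer, so 31 December 2021 still fits (2112310001) but 1 January 2022 does not (2201010001 exceeds 2147483647). It contrasts the fragile conversion with a comparison that never overflows.

```python
"""Added example: why a date-stamped YYMMDDHHMM version number stops fitting a
signed 32-bit integer on 1 January 2022, and a comparison that does not overflow.
The layout and int32 storage are the widely reported root cause, not a detail
taken from the article itself."""

INT32_MAX = 2**31 - 1
INT32_MIN = -2**31


def date_version(year, month, day, hour=0, minute=1):
    """Build a YYMMDDHHMM style version as an integer, e.g. 2112310001."""
    return int(f"{year % 100:02d}{month:02d}{day:02d}{hour:02d}{minute:02d}")


def to_int32(value):
    """Mimic storing the version in a signed 32-bit field: reject overflow
    instead of silently wrapping, which is what a checked conversion does."""
    if not INT32_MIN <= value <= INT32_MAX:
        raise OverflowError(f"{value} does not fit a signed 32-bit integer")
    return value


def is_newer_int32(candidate, installed):
    """The fragile check: both versions must survive the int32 conversion."""
    return to_int32(candidate) > to_int32(installed)


def is_newer_safe(candidate, installed):
    """Overflow-free check: compare the ten zero-padded digits as strings,
    which orders correctly because every value has the same width."""
    return f"{candidate:010d}" > f"{installed:010d}"


def demo():
    """Reproduce the day the scheme broke: last 2021 signature vs first 2022 one."""
    installed = date_version(2021, 12, 31)   # 2112310001, fits int32
    candidate = date_version(2022, 1, 1)     # 2201010001, exceeds INT32_MAX
    try:
        fragile = is_newer_int32(candidate, installed)
    except OverflowError as err:
        fragile = f"crash: {err}"
    return {
        "installed": installed,
        "candidate": candidate,
        "fragile": fragile,
        "safe": is_newer_safe(candidate, installed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10} {value}")
```

The general lesson for anyone designing version or timestamp fields: a number that grows with the calendar needs a type whose range you have checked against the dates you expect to see, and a bounds check on the way in is far cheaper than an outage on New Year's Day.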

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.


Stay in the know

Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.

And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
