Cyber Pulse: Edition 174 | 9 February 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Millions stolen in attack on blockchain infrastructure Meter

Blockchain infrastructure company Meter said $4.4 million was stolen during a cyberattack. The company said it manages an infrastructure that allows smart contracts to scale and travel through heterogeneous blockchain networks. The Meter network, as well as the Moonriver network, were affected by the hack. 

Blockchain research company PeckShield confirmed that 1391 ETH and 2.74 BTC were stolen during the incident. The company said it was hacked and urged users not to trade unbacked meterBNB circulating on Moonriver. 

Later that day, Meter wrote that it stopped all bridge transactions and discovered that the issue related to a bug "introduced in the automatic wrap and wrap of native tokens like BNB and ETH extended by the Meter team." According to Meter, its extended code "had a wrong trust assumption" that let the hacker fake BNB and ETH transfers by "calling the underlying ERC20 deposit function." They are working with authorities and said they found "some early traces of the hacker", urging the culprit to return the stolen money. 

In addition, last week, $324 million was stolen through the popular decentralised cross-chain message-passing protocol Wormhole. Researchers found evidence of an 80,000 ETH transfer from Wormhole as well as another 40,000 of ETH being sold by the hacker on Solana. They have offered $10 million to the hacker for the return of the funds and offered the same amount to anyone who can provide information "leading to the arrest and conviction of those responsible for the hack".

Just five days before the Wormhole incident, DeFi protocol Qubit Finance took to Twitter to beg hackers to return more than $80 million that was stolen from them. The recent hacks continue a run of attacks on DeFi and blockchain platforms that have occurred over the last year. Chainalysis said at least $2.2 billion was outright stolen from DeFi protocols in 2021. Poly Network saw $611 million stolen from their platform in August, while Bitmart lost $196 million in early December.

Argo CD vulnerability leaks sensitive info from Kubernetes apps

A vulnerability in Argo CD, used by thousands of organisations for deploying applications to Kubernetes, can be leveraged in attacks to disclose sensitive information such as passwords and API keys. Tracked as CVE-2022-24348, the path-traversal flaw was discovered by the security research team at Apiiro and can lead to privilege escalation, information disclosure, and lateral movement attacks. Threat actors can exploit the vulnerability by loading a malicious Kubernetes Helm Chart YAML file onto the target system, allowing the extraction of sensitive information from other applications.

Argo CD is being used by thousands of organisations globally, so discovering the vulnerability is significant and requires immediate attention by developers and admins. The developers of Argo CD envisioned the possibility of a malicious actor using Helm value files outside of the chart folder, and attempted to address the issue with a new check mechanism introduced in version 1.3.0, released in 2019.

However, as discovered by Apiiro now, there’s a way to bypass the anti-path-traversal checks if the listed valueFiles are made to look like a URI. The special parser treats the local file path as a URI, assumes it has received an HTTP request, and accepts it without additional sanity tests. The impact of this is the disclosure of contents of files on the same repository and the abuse of the contents to perform additional malicious actions. Argo CD released a security update that contains the fix for CVE-2022-24348 today, with version 2.3.0-rc4. Everyone is recommended to upgrade to it as there are no workarounds.

Very powerful Malware "​Mars Stealer" sold for $150

Researchers revealed Mars Stealer, which steals information from all renowned web browsers, various cryptocurrency wallets and extensions, and 2FA plugins. It is written in ASM/C using WinApi and leverages special techniques to conceal WinApi calls, gather information in the memory, support secure SSL connection with C2, and encrypt strings.

In addition to this, Mars Stealer pilfers files from infected systems and has its own loader to reduce the infection footprint. The operators, however, have excluded Outlook from their target app list but experts believe that it may be included in future versions.

The malware size is a meager 95KB and evades detection by using Base64 and RC4 for string encryption. All connections to the C2 are encrypted. Furthermore, Mars Stealer includes Sleep function intervals to conduct timing checks. This ensures a mismatch occurs if a debugger is used. The malware can also remove itself after stealing all user data or if and when the operator decides to delete it. 

Interestingly, Mars Stealer checks if a user is located in countries part of the Commonwealth of Independent States, a common feature among Russian-based malware. If the victim’s system language ID matches Russia, Kazakhstan, Belarus, Uzbekistan or Azerbaijan, it will wipe itself without causing any harm. Moreover, if the malware’s compilation date is older than a month than the system time, it makes an exit. At this time, Mars Stealer is being sold for $140 to $160 on hacking forums and hence, it is suspected that a lot of threat actors will get their hands on it to perform malicious activities. It can cause massive headaches to its victims in the form of identity theft, cryptocurrency losses, privacy issues, and system infections. 

Ransomware hits industrial control systems and operational technology environments

Claroty’s Global State of Industrial Cybersecurity report is based on a Pollfish survey of 1,100 IT and Operational Technology (OT) security professionals in the United States, Europe and the APAC region, conducted in September 2021. More than half of respondents work for enterprises that have an annual revenue exceeding $1 billion. Roughly 80% of respondents admitted that their organisation had experienced a ransomware attack within the past year, and nearly half said the incident had impacted their industrial control systems (ICS) and/or OT environment.

Only 15% of respondents said there was no impact or minimal impact on operations, and nearly 50% said there was significant impact. 7% said the incident resulted in a full operations shutdown that lasted for more than a week. The cyberattack was disclosed to both authorities and shareholders in most cases, but some companies apparently did not inform anyone.

The survey shows that ransomware payments are prevalent, with more than 60% confirming that they had paid a ransom. 20% of respondents said the amount of money paid to the hackers exceeded $1 million – this includes nearly 7% that paid out more than $5 million. Of the individuals who took part in the Claroty survey, 28% believe ransomware payments should be legal and there should be no requirement to inform authorities. More than 41%, on the other hand, believe these types of payments should be legal only as long as regulators or authorities are informed. Approximately 20% believe ransomware payments should be illegal. As for the workforce, a vast majority of respondents believe IT security professionals in their organisation are capable of managing the cybersecurity of OT/ICS environments. However, 40% said they are urgently looking to hire more industrial cybersecurity experts.

Cyber espionage operations uncovered

The Gamaredon group, believed to be linked with Russia, is using eight new malware payloads for its recent cyber-espionage operations. The observed attacks were aimed toward Ukrainian entities. Researchers at Symantec analysed a recent campaign in which eight new malware samples were used by Gamaredon (aka Shuckworm or Armageddon). The attacks started in July 2021 with the spread of spear-phishing emails laden with macro-laced Word documents. These files launch a VBS file that eventually drops a well-documented backdoor, known as Pteranodon, that was developed and improved by Gamaredon for around seven years.

For a long time, researchers believe that Gamaredon is linked to Russia. A recent report from the SSU also claimed the involvement of the Russian FSB in the attacks on Ukraine. In November 2021, Ukrainian government agencies disclosed the identity of five members of the Gamaredon hacking group allegedly working for the Russian federal agency, FSB.

Moreover, Gamaredon is thought to be behind more than 5,000 attacks, targeting more than 1,500 government systems based in Ukraine since 2014. Most of their attacks are aimed at security, defence and law enforcement agencies to harvest intelligence and sensitive information from the infected systems for geopolitical interests. The frequent attacks on Ukrainian entities by the Gamaredon group show its keen interest in the region. Furthermore, the involvement of Russian interests indicates that this group has the potential to further improve its tools or techniques. Therefore, organisations are suggested to implement a proactive strategy and well-defined countermeasures.

Critical flaws discovered in Cisco Small Business RV Series routers

 Cisco has patched multiple critical security vulnerabilities impacting its RV Series routers that could be weaponised to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs. Three of the 15 flaws, tracked as CVE-2022-20699, CVE-2022-20700, and CVE-2022-20707, carry the highest CVSS rating of 10.0, and affect its Small Business RV160, RV260, RV340, and RV345 Series routers.

Additionally, the flaws could be exploited to bypass authentication and authorisation protections, retrieve and run unsigned software, and even cause denial-of-service (DoS) conditions. The networking equipment maker acknowledged that it's "aware that proof-of-concept exploit code is available for several of the vulnerabilities" but didn't share any further specifics on the nature of the exploit or the identity of the threat actors that may be exploiting them.

CVE-2022-20699 concerns a case of remote code execution that could be exploited by an attacker by sending specially crafted HTTP requests to a device that functions as an SSL VPN Gateway, effectively leading to the execution of malicious code with root privileges.

CVE-2022-20700, CVE-2022-20701 (CVSS score: 9.0), and CVE-2022-20702 (CVSS score: 6.0), which the company said stems from an insufficient authorisation enforcement mechanism, could be abused to elevate privileges to root and execute arbitrary commands on the affected system.

CVE-2022-20708, the third flaw to receive a 10.0 score on the CVSS scale, is due to insufficient validation of user-supplied input, enabling the adversary to inject malicious commands and get them on the underlying Linux operating system. Cisco also stressed that there are no workarounds that address these aforementioned weaknesses, urging customers to update to the latest version of the software as soon as possible to counter any potential attacks.

Kenyon Produce (KP) manufacturing and distributions impacted by breach

The German-owned company says it became aware of the attack on 28 January, and that it immediately took the necessary steps to contain the incident. The company also said it has informed employees, customers, and suppliers of the incident, adding that it is keeping them informed of new developments. While KP Snacks said that its operations suffered “some disruptions”, reports suggest that shortages could last for a couple of months, due to the severity of the attack.

The company didn’t say which ransomware family was involved in the attack, but the cybergang behind the Conti ransomware might be responsible. Conti’s operators reportedly stole a great deal of data from the company, including employees’ personal information, credit card statements, confidential documents, and other data, and are threatening to leak the information online unless the company pays a ransom.

100 million Android users targeted with fraudulent subscription

A fraudulent subscription campaign, called Dark Herring, has targeted over 100 million Android users around the world. The campaign has been operating for almost two years. The earliest malicious app laden with Dark Herring was submitted in March 2020.

The Dark Herring campaign caused losses worth hundreds of millions of dollars by abusing millions of devices via their 470 Google Play Store apps. The apps subscribe users to premium services that charge $15 per month via Direct Carrier Billing (DCB). The operators of the Dark Herring campaign cashed out the subscriptions while users remained unaware of the infection and the fraudulent charges for a long time, sometimes several months. The names of some malicious apps are Smashex, Upgradem, Stream HD, Vidly Vibe, and Cast It. They pretended to be casual games, photography tools, utilities, and productivity apps.

So far, the fraudulent apps have been installed by 105 million users in 70 countries. The installed app does not come with any malicious code. It uses a hard-coded encrypted string that leads the users to a first-stage URL hosted on Amazon's CloudFront. The response from the server includes links to other JavaScript files hosted on AWS instances. These files are downloaded onto the compromised device. These scripts are used to prepare apps’ configuration in relation to the victim, print unique identifiers, fetch languages, country information, and find out applicable DCB platforms in each case. Finally, the app displays a customised WebView page to urge the victim to input the phone number, and supposedly receive a temporary OTP code to activate the account on the application.

The Dark Herring campaign has been ongoing for almost two years and has targeted millions of users already. This indicates that sometimes downloading apps from genuine stores does not guarantee the safety of users.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.