Cyber Pulse: Edition 178 | 10 March 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Ukraine cyber update

A cyber-attack campaign targeting Ukrainian government agencies with MicroBackdoor malware has been confirmed by the country’s Computer Emergency Response Team (CERT-UA) in a statement released on 7 March.

The agency reported that phishing emails were sent containing a file named "dovidka.zip", which contained a contextual help file (Microsoft Compiled HTML Help) called "dovidka.chm". This file contained the bait image "image.jpg", which CERT-UA said was information on the procedure for frequent artillery shelling, and HTA-file "file.htm", which contained malicious code in VBScript. Execution of the malicious code would result in the running of the dropper "ignit.vbs", which would decode the .NET loader "core.dll", later executing the MicroBackdoor malware.

The infection sequence entailed embedding a malicious URL in a phishing message using a compromised email address of a diplomat from a European NATO country, which, when clicked, delivered an archive file incorporating a dropper that, in turn, downloaded a decoy document to retrieve the final-stage PlugX malware.

The disclosures come as a deluge of distributed denial-of-service (DDoS) attacks have bombarded numerous Ukraine sites, such as those associated with the Ministry of Defense, Foreign Affairs, Internal Affairs, and services like Liveuamap.

"Russian hackers keep on attacking Ukrainian information resources nonstop," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a tweet over the weekend.

Estonia bug bounty programme in support of Ukraine

Meanwhile, ethical hackers are being invited to unearth critical vulnerabilities in the digital infrastructure of both the Ukrainian and Russian governments. HackenProof, the Estonia-based bug bounty platform, said bugs reported in a vulnerability disclosure program (VDP) focused on Ukrainian assets will be sent to the Ukrainian authorities for remediation in order to bolster the nation against cyber-aggression from Russia or elsewhere.

Information about security flaws submitted to a second VDP dedicated to Russia’s “propaganda machine”, meanwhile, is being relayed to Ukrainian cyber forces so they can “remove false information” and “disseminate real facts” about Russia’s ongoing invasion of Ukraine.

Speaking on Twitter, one hacker declined to participate due to the potential risks of escalating the conflict, while another tweeted concern about the suggested Russian targets, which include SCADA systems and the telecommunications, banks, and energy sectors.

Complex multilateral threat actors target Ukraine

Another cluster of threat activity concerns webmail users of Ukr.net, Yandex.ru, wp.pl, rambler.ru, meta.ua, and i.ua, who have been at the receiving end of phishing attacks by a Belarusian threat actor tracked as Ghostwriter (aka UNC1151).

The hacking group also "conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organisations," Shane Huntley, director of Google's Threat Analysis Group (TAG), said in a report.

But it's not just Russia and Belarus who have set their sights on Ukraine and Europe. Included in the mix is a China-based threat actor known as Mustang Panda (aka TA416 or RedDelta) attempting to plant malware in "targeted European entities with lures related to the Ukrainian invasion."

The developments also follow Russia's decision to ban Facebook and throttle other widely-used social media platforms in the country just as technology companies from the US have moved to sever ties with Russia, effectively creating an iron curtain and curtailing online access.

For more background on the emerging cyber-attacks targeting Ukrainian systems, please see our previous Cyber Pulse edition 177.

Nvidia's code-signing certificates stolen and abused in attacks

Cybercriminals were found using stolen Nvidia code-signing certificates to sign malicious programmes. They do so to appear legitimate to security systems, which eventually allow the loading of malicious drivers in Windows.

Recently, Nvidia confirmed suffering a cyberattack wherein attackers stole the company’s credentials and proprietary data. The extortion group Lapsus$ claims to have stolen 1TB of data during the attack. After a failed attempt to negotiate with Nvidia, the gang leaked the data online. The leak included two stolen code-signing certificates used to sign drivers and executables by Nvidia developers.

After the extortion group leaked Nvidia's code-signing certificates, they were used by various threat actors to sign malware and other tools. In some cases, the stolen certificates were used to sign Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans. In one specific case, the attacker used the certificate to sign Quasar RAT. Others were found using the stolen certificate to sign a Windows driver.

Both stolen Nvidia certificates stand expired. However, Windows still allows a driver signed with the certificates to be loaded. This makes the malicious programs look like legitimate Nvidia programmes. The recent use of a stolen Nvidia certificate is a perfect example of how eager cybercriminals are abusing any loose ends in security infrastructure. To avoid this threat, admins are suggested to configure Windows Defender Application Control policies to control Nvidia drivers loaded into Windows OS.

Millions of APC smart UPS devices can be remotely hacked, damaged

Uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices, according to enterprise device security company Armis.

Armis researchers have identified three vulnerabilities in APC Smart-UPS devices, which they collectively named TLStorm. APC says it has sold more than 20 million UPS devices worldwide and data from Armis shows that nearly 80% of companies are exposed to TLStorm attacks. UPS devices are used in data centers, hospitals and industrial facilities, and attacks targeting these systems can have serious consequences.

Armis researchers have analysed the communications between the APC Smart-UPS devices and their remote management services and discovered vulnerabilities in the TLS implementation and a design flaw related to firmware upgrades.

One security hole, tracked as CVE-2022-22806, has been described as a TLS authentication bypass issue that can lead to remote code execution. The second TLS-related flaw, CVE-2022-22805, has been described as a buffer overflow related to packet reassembly and it can also lead to remote code execution. The third vulnerability, CVE-2022-0715, is related to unsigned firmware updates. These vulnerabilities can be exploited remotely – including from the internet – by an unauthenticated attacker to “alter the operations of the UPS to physically damage the device itself or other assets connected to it,” Armis said.

In a security advisory released on Tuesday, Schneider Electric said the vulnerabilities, which have been classified as “critical” and “high severity”, impact SMT, SMC, SCL, SMX, SRT, and SMTL series products. The company has started releasing firmware updates that contain patches for these vulnerabilities. In the case of products for which firmware patches are not available, Schneider has provided a series of mitigations for reducing the risk of exploitation.

Samsung confirms Galaxy source code breach, but no customer info stolen

Samsung on Monday confirmed that the company recently suffered a cyber attack but said that it doesn't anticipate any impact on its business or customers. Last week, South American hacking group Lapsus$ claimed it had stolen 190GB of confidential data, including source code, from the South Korean tech giant's servers. The group also posted snapshots of the alleged data online. Samsung has now confirmed in a statement, without naming the hacking group, that there was a security breach, but it asserted that no personal information of customers was compromised.

"We were recently made aware that there was a security breach relating to certain internal company data. Immediately after discovering the incident, we strengthened our security system," the company said. "According to our initial analysis, the breach involves some source codes relating to the operation of Galaxy devices but does not include the personal information of our consumers or employees. Currently, we do not anticipate any impact to our business or customers. We have implemented measures to prevent further such incidents and will continue to serve our customers without disruption."

Hacking group targets Gmail users

Google’s TAG warned several Gmail users of being targeted in phishing campaigns performed by a Chinese hacking group. The warnings came after Gmail’s defences automatically blocked the emails. The attacks were launched by the notorious APT31 and targeted high-profile Gmail users affiliated with the US government. Google sends alerts on government-backed attacks when they are launched via infrastructure associated with government-sponsored threat actors. The TAG team didn’t find any connection between the attacks and the ongoing war. 

The Chinese-sponsored APT41 breached at least six US state government networks between May 2021 and February 2022 by exploiting vulnerable internet-facing web apps. Earlier this month, the CISA and Symantec found a network attack tool targeting sufficiently secured networks. Dubbed Daxin, the malware is allegedly associated with Chinese threat actors and has been active since at least 2013.

In order to tackle these attempted attacks, businesses are suggested to stay vigilant in their IT protocols and train their employees to recognise phishing emails. Furthermore, a robust security awareness training program is a necessity. One of the necessary steps to upgrade an organisation's cybersecurity posture is implementing state-of-art layered security solutions. 

DDoS attacks with ransomware note

Attackers are bombarding targets with multiple ransom notes to extort and also manipulate the stock price of targeted companies. These notes were added as a string_of_text directed to CEOs. Recently, a DDoS ransomware threat actor targeting one of the customers of Imperva crippled a single website with up to 2.5 million requests per second. Within these requests, a researcher observed multiple ransom notes that kept updating with time. The first note is sent just before the launch of a DDoS attack. By the time the target receives the note, the attack is already making its way into targeted systems. This is to create a sense of urgency for the victims to pay.

A message is also addressed to the bosses stating that they will have to pay one Bitcoin a day if they wish attackers to stop the attacks. Some of the embedded messages were signed as revil_this_is_our_dominion, suggesting that the attacks may be related to the REvil RaaS group – or maybe these messages are coming from an imposter. A day after the attacks, the attackers sent 15 million requests to the same site with a new message that warned the CEO to tank the company’s stock price by hundreds of millions in market cap.

Based on the evidence, the DDoS attacks came from the Meris botnet that uses thousands of IoT devices hijacked due to a years-old vulnerability tracked as CVE-2018-14847 in MicroTik routers. It's been a while since the flaw was disclosed, but attackers are still exploiting it. Cybercriminals are becoming innovative with their techniques to target bigger firms with impersonation attacks. Thus, organisations are suggested to invest sufficiently in their network security systems to stay protected.

Researchers report on vulnerable healthcare devices

Healthcare devices, including imaging tools and diagnostic lab equipment, are most often left inadequately secure on hospital networks. A set of vulnerabilities have been found in PTC’s Axeda agent that can affect such devices. The seven flaws have been dubbed Access:7 by researchers Forescout and are present in PTC’s Axeda agent, which is used for remote access and management of more than 150 connected devices across over 100 vendors.

Three of the security flaws have been rated critical, with a score of at least 9.4. They could be abused for RCE on devices running an outdated Axeda agent version. While Axeda has been phased out to be replaced with ThingWorx, the former is still in use in several sectors on 2,000 unique devices. In the case of medical devices, even less critical vulnerabilities can have a substantial impact.

An attacker gaining read access by abusing CVE-2022-25249 could exfiltrate PHI or diagnostics and sell it on for a profit. Exploiting CVE-2022-25250 could shut down the platform, rendering remote service impossible. Exploiting CVE-2022-25246 could enable the attacker to leverage the VNC connection to modify medical information. Furthermore, they can leverage this to insert malicious code to gain persistence on the network.

Provided the nature of the healthcare sector, the attackers have several attack vectors to gain initial access. The facilities are accessible to the public, with various network sockets and connected devices with physical access. With inadequate segmentation, adversaries can access the internal operational network via a guest WiFi network. The medical staff can be lured to give up initial access by phishing through easily obtainable email addresses. IT systems can have bugs that lead adversaries to operational networks. They can access the internal network in places with insufficient segmentation with a sharing system or internet portal.

Complete protection against Access:7 necessitates patching devices running vulnerable versions of Axeda agents. PTC has already released official patches and device manufacturers should provide their own updates to customers. In addition to this, implementing segmentation controls and appropriate network hygiene to reduce the risk from vulnerable devices is key.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.