Cyber Pulse: Edition 185 | 23 May 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Pro-Russian hackers target Italian institutions

Pro-Russian hackers have targeted the websites of various Italian institutions and government ministries, law enforcement said on Friday. The attack, which began on Thursday evening and was still in progress as of Friday early afternoon, was reportedly confirmed by Italy’s Postal Police. The attack was launched at around 8pm GMT on Thursday by the hacker group "Killnet," Italian cyber-security group Yarix said in a statement.

Among the approximately 50 institutions reportedly hit are Italy’s superior council of the judiciary, its customs agency and its foreign affairs, education and cultural heritage ministries. On Friday, shortly before 12pm GMT, Italy’s embassy in London tweeted that the websites of the country’s foreign ministry and all its embassies had been hit and were currently inoperable.

“The Ministry of Foreign Affairs website and consular applications at this location have been affected by a cyber attack,” the tweet read. “We apologise to users for inconveniences and delays in the processing of paperwork.”

Killnet also launched attacks in early May targeting Italy’s upper house of parliament, the National Health Institute (ISS) and the Automobile Club d’Italia.

Edited. Original source: Reuters

Canada bans Huawei and ZTE and tell telcos to rip out 5G and 4G equipment

Following the steps of its Five Eyes partners, Canada has moved to ban Huawei and ZTE from its telco networks.

"The government of Canada is ensuring the long-term safety of our telecommunications infrastructure. As part of that, the government intends to prohibit the inclusion of Huawei and ZTE products and services in Canada's telecommunications systems," Minister of Innovation, Science and Industry François-Philippe Champagne said.

"As a result, telecommunications companies that operate in Canada would no longer be permitted to make use of designated equipment or services provided by Huawei and ZTE. As well, companies that already use this equipment installed in their networks would be required to cease its use and remove it."

Citing many of the same reasons that Australia used to ban Huawei in 2018, the Canadian government said the interconnectedness and interdependence of 5G networks make exploitation much more significant. The government of Canada has conducted an extensive examination of 5G wireless technology and the various technical, economic, and national security aspects of 5G implementation. The examination made clear that while this technology will bring significant benefits and economic opportunities, the technology will also introduce new security concerns that malicious actors could exploit.

In 5G systems, sensitive functions will become increasingly decentralised and virtualised in order to reduce latency, and the number of devices they will connect will also grow exponentially. Canadian telcos will be banned from purchasing any new 5G or 4G equipment or managed service from Huawei and ZTE from the start of September, and have until 28 June 2024 to rip out any existing 5G equipment, and until the end of 2027 to remove any LTE equipment.

Edited. Original source: CBC

Greenland says health services ‘severely limited’ after cyberattack

The government of Greenland confirmed reports this week that the island’s hospital system was “severely” impacted by a cyberattack. Government officials did not respond to requests for comment about whether it was a ransomware attack, but in a statement, explained that the healthcare system’s digital network crashed because of the incident. They were forced to restart all IT systems and servers, meaning hospital workers cannot access any patient medical records. 

“The health service’s services are therefore severely limited and increased waiting time must be expected and some will experience going in vain at agreed times. Acute inquiries will of course continue to be met and you can contact the health service by phone,” the government said in a statement translated from Danish.

“The technical analysis currently show that there has been no damage to citizens’ data and that they have not been copied, but investigations into the extent of the cyber-attack are still ongoing. The health service will report when operations are normalised,” the government said.

A government spokesperson told Greenland news outlet Sermitsiaq that the attack started on 9 May and may have connections to a previous attack in April based on an examination of the technical footprints left on the network. Government officials said there was another cyberattack on 25 March that forced Greenland’s parliament to cancel all of its meetings that week. Digital systems were crippled and the government struggled to distribute social benefit payments to citizens. 

Greenland has a population of about 56,000. "There is a significant ransomware attack on the HSE IT systems. We have taken the precaution of shutting down all our our IT systems in order to protect them from this attack and to allow us fully assess the situation with our own security partners."

Edited. Original source: Record

Microsoft researchers have observed a spike in the activity of the Linux bot XorDdos over the last six months

XORDDoS, also known as XOR.DDoS, first appeared in the threat landscape in 2014. It is a Linux Botnet that was employed in attacks against gaming and education websites with massive DDoS attacks that reached 150 gigabytes per second of malicious traffic. XorDdos leverages persistence mechanisms, efficient evasion, and anti-forensic techniques, including obfuscating the malware’s activities, evading rule-based detection mechanisms, and hash-based malicious file lookup.

Microsoft experts observed in the last six months a 254% increase in the activity associated with XorDdos. XorDdos spreads primarily via SSH brute force, it uses a shell script to try credential combinations across thousands of servers.

Microsoft experts determined two of XorDdos’ methods for initial access to the target systems: the first method copies a malicious ELF file to temporary file storage /dev/shm and then executing it, while the second one involves the execution of a bash script that performs a sequence of activities via the command line.

XorDdos uses various persistence mechanisms to support different Linux distributions, including init and cron scripts, setting a system’s default runlevel, and using symlinks they point to the scripts that should run at the specified runlevel.

“XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets,” concludes the report. “Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.”

Edited. Original source: Microsoft

Google reports 9 zero-day vulnerabilities

To protect its users, Google’s Threat Analysis Group (TAG) routinely hunts for 0-day vulnerabilities exploited in-the-wild, it says. In 2021, they reported nine 0-days affecting Chrome, Android, Apple and Microsoft, leading to patches to protect users from these attacks. Their blog is a follow-up to their July 2021 post on four 0-day vulnerabilities they discovered in 2021, and details campaigns targeting Android users with five distinct 0-day vulnerabilities:

CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in Chrome and CVE-2021-1048 in Android.

Consistent with findings from CitizenLab, TAG assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia. The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem.

Google's findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalise exploits. Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.

Edited. Original source: Google

Researchers discover GitLab continuous integration (CI) attacks

Security researchers at SentinelLabs are calling attention to a software chain supply attack targeting Rust developers with malware aimed directly at infecting GitLab continuous integration (CI) pipelines. The campaign, dubbed CrateDepression, combines typosquatting and the impersonation of a known Rust developer to push a malicious ‘crate’ (a compilation unit in Rust) hosted on the Rust dependency community repository. The malicious crate was swiftly flagged and removed but SentinelLabs researchers found a second-stage payload exclusively built to  Gitlab CI pipelines, signaling a risk of further larger-scale supply-chain attacks.

“Given the nature of the victims targeted, this attack would serve as an enabler for subsequent supply-chain attacks at a larger-scale relative to the development pipelines infected,” SentinelLabs said in a technical report documenting its findings.

“An infected machine is inspected for the GITLAB_CI environment variable in an attempt to identify Continuous Integration (CI) pipelines for software development. On those systems, the attacker(s) pull a next-stage payload built on the ‘red-teaming’ post-exploitation framework Mythic,” SentinelLabs explained.

This second-stage payload contains a switch with a large array of tasking options, including the ability to capture screenshots, keyboard strokes, and the uploading and downloading of files. On macOS, the operator can choose to persist by either or both of a LaunchAgent/Daemon and a LoginItem. SentinelLabs said an investigation by the crates.io security team and Rust Security Response working group turned up 15 iterative versions of the malicious ‘rustdecimal’ as the attacker(s) tested different approaches and refinements.

While the ultimate intent of the attacker(s) is unknown, the intended targeting could lead to subsequent larger scale supply-chain attacks depending on the GitLab CI pipelines infected. Software supply-chain attacks have gone from a rare occurrence to a highly desirable approach for attackers to ‘fish with dynamite’ in an attempt to infect entire user populations at once.

Edited: Original source - SentinelLabs

CISA orders action on VMWare vulnerabilities

The US Cybersecurity & Infrastructure Security Agency (CISA) is ordering federal agencies and contractors to fix a series of vulnerabilities affecting multiple VMWare products, some of which the agency says are being actively exploited on unpatched systems in the wild.

The directive, issued Wednesday, centers around at least four distinct vulnerabilities. In April, VMware issued a patch for two flaws, a server-side template injection flaw (rated 9.8 out of 10 for severity) that can lead to remote code execution and a privilege escalation bug (7.8 severity). CISA said there is evidence indicating that malicious hackers were able to reverse engineer the update to create an exploit for unpatched systems less than 48 hours from the release, and added the bugs to their known exploited vulnerabilities database that agencies are required to follow for patching protocols. On Wednesday, VMWare released patches for another two vulnerabilities (CVE-2022-22972 and CVE-2022-22973) and CISA believes that all four can be used in tandem to compromise unpatched versions of affected software and pose “an unacceptable risk” to federal systems.

“This determination is based on the confirmed exploitation of CVE-2022-22954 and CVE-2022-22960 by threat actors in the wild, the likelihood of future exploitation of CVE-2022-22972 and CVE-2022-22973, the prevalence of the affected software in the federal enterprise, and the high potential for a compromise of agency information systems,” the order states.

Federal agencies had until Monday 23 May to develop an inventory of all affected software instances in their IT environment and either patch it or remove it from their networks. Versions of VMWare applications that are publicly accessible via the internet must be assumed to be compromised, disconnected immediately and subjected to threat hunting protocols. Agencies may reconnect these products to their networks only after threat hunt activities are complete with no anomalies detected and updates are applied.

Edited: Original source - CISA

Microsoft emergency updates fix Windows AD authentication issues

Microsoft has released emergency out-of-band (OOB) updates to address Active Directory (AD) authentication issues after installing Windows Updates issued during the May 2022 Patch Tuesday on domain controllers. The company has been working on a fix for this known issue causing authentication failures for some Windows services since 12 May.

“After installing updates released 10 May 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP)," Microsoft explained.

An issue has been found related to how the mapping of certificates to machine accounts is being handled by the domain controller. The OOB Windows updates released today are available only via the Microsoft Update Catalog and will not be offered through Windows Update. The company released the following cumulative updates for installation on Domain Controllers (no action needed on the client-side):

• Windows Server 2022: KB5015013 
• Windows Server, version 20H2: KB5015020 
• Windows Server 2019: KB5015018 
• Windows Server 2016: KB5015019 
• Microsoft also released standalone updates: 
• Windows Server 2012 R2: KB5014986 
• Windows Server 2012: KB5014991 
• Windows Server 2008 R2 SP1: KB5014987 
• Windows Server 2008 SP2: KB5014990 

Since this known issue was discovered, the US Cybersecurity & Infrastructure Security Agency (CISA) had to remove a Windows security flaw from its catalog of known exploited bugs (an actively abused Windows LSA spoofing zero-day tracked as CVE-2022-26925) due to the auth issues caused by May 2022 updates when deployed on domain controllers.

Edited: Original source - Microsoft

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.