Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there.
The issue has persisted for at least eight years, according to some users, and affects Windows 10 21H1 and Windows 10 21H2.
Lax permissions
Like any antivirus solution, Microsoft Defender lets users add locations (local or on the network) on their systems that should be excluded from malware scans.
People commonly make exclusions to prevent antivirus from affecting the functionality of legitimate applications that are erroneously detected as malware.
Because the list of scanning exceptions differs from one system to another, it is valuable information for an attacker who has a foothold: it tells them exactly where they can store malicious files without fear of being detected.
Security researchers discovered that the list of locations excluded from Microsoft Defender scanning is unprotected and any local user can access it.
Regardless of their permissions, local users can query the registry and learn the paths that Microsoft Defender is not allowed to check for malware or dangerous files.
Antonio Cocomazzi, a SentinelOne threat researcher who is credited for reporting the RemotePotato0 vulnerability, points out that there is no protection for this information, which should be considered sensitive, and that running the “reg query” command reveals everything that Microsoft Defender is instructed not to scan, be it files, folders, extensions, or processes.
Another security expert, Nathan McNulty, confirmed that the issue is present on Windows 10 versions 21H1 and 21H2 but it does not affect Windows 11.
McNulty also confirmed that one can grab the list of exclusions from the registry tree with entries that store Group Policy settings. This information is more sensitive as it provides exclusions for multiple computers.
A security architect versed in protecting the Microsoft stack, McNulty warns that Microsoft Defender on a server has “automatic exclusions that get enabled when specific roles or features are installed” and these do not cover custom locations.
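The enumeration the researchers describe, as an added example that is not part of the original article: a Python script that issues the same unprivileged `reg query` calls against the local exclusion key and the Group Policy mirror of it, parses the output into paths, extensions and processes, and (a heuristic of mine, not a claim the article makes) highlights excluded paths that a standard user can typically write to, since those are the ones a dropped payload would land in. The sample `reg query` output is constructed so the parser can be exercised on a machine without Windows.

```python
"""Enumerate Microsoft Defender exclusions via `reg query` as a low-privileged user.

Added example, not code from the original article. On Windows it runs reg.exe
(no admin rights needed); elsewhere it only parses the constructed sample below.
"""
import platform
import re
import subprocess

# Local exclusions written by the Defender UI / Set-MpPreference, and the
# Group Policy tree that mirrors exclusions pushed by domain policy.
EXCLUSION_KEYS = [
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions",
]
SUBKEYS = ("Paths", "Extensions", "Processes")

# Constructed sample of `reg query <key> /s` output (not captured from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
    C:\Users\Public\Downloads    REG_DWORD    0x0
    C:\Tools    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
    .log    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
    java.exe    REG_DWORD    0x0
"""

# reg.exe separates the value name, type and data columns with four spaces.
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(output: str) -> dict:
    """Turn `reg query /s` text into {"Paths": [...], "Extensions": [...], "Processes": [...]}."""
    result = {k: [] for k in SUBKEYS}
    current = None
    for line in output.splitlines():
        if line.startswith("HKEY_"):
            # Last path component names the exclusion category (Paths/Extensions/Processes).
            current = line.rstrip("\\").rsplit("\\", 1)[-1]
            continue
        m = VALUE_RE.match(line)
        if m and current in result:
            result[current].append(m.group(1))
    return result


def query_exclusions(keys=EXCLUSION_KEYS) -> dict:
    """Run reg.exe for each key on Windows and merge the results; empty lists elsewhere."""
    merged = {k: [] for k in SUBKEYS}
    if platform.system() != "Windows":
        return merged
    for key in keys:
        proc = subprocess.run(["reg", "query", key, "/s"], capture_output=True, text=True)
        if proc.returncode == 0:  # non-zero when the key does not exist (e.g. no GPO exclusions)
            for category, items in parse_reg_query(proc.stdout).items():
                merged[category].extend(items)
    return merged


# Heuristic (my assumption, not from the article): excluded locations a standard user
# can write to, whole drives, or wildcard paths are where an attacker will drop a payload.
USER_WRITABLE_HINTS = (r"c:\users", r"\temp", r"\tmp", r"c:\programdata", r"\downloads")


def risky_exclusions(exclusions: dict) -> list:
    """Return the excluded paths that match the user-writable heuristic above."""
    risky = []
    for path in exclusions["Paths"]:
        p = path.lower()
        if re.fullmatch(r"[a-z]:\\?", p) or "*" in p or any(h in p for h in USER_WRITABLE_HINTS):
            risky.append(path)
    return risky


if __name__ == "__main__":
    found = query_exclusions() if platform.system() == "Windows" else parse_reg_query(SAMPLE_REG_OUTPUT)
    for category, items in found.items():
        print(f"{category}: {items}")
    print("user-writable exclusions:", risky_exclusions(found))
```

The script needs only read access to HKLM, which every interactive user has, which is precisely the point the researchers make; run it as a standard user on a domain-joined host to see both the local and the policy-pushed lists.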
Although a threat actor needs local access to get the Microsoft Defender exclusions list, this is far from being a hurdle. Many attackers are already on compromised corporate networks looking for a way to move laterally as stealthily as possible.
By knowing the list of Microsoft Defender exclusions, a threat actor that already compromised a Windows machine can then store and execute malware from the excluded folders without fear of being spotted.
In tests conducted by researchers, a malware strain executed from an excluded folder ran unhindered on the Windows system and triggered no alert from Microsoft Defender.
We used a sample of Conti ransomware and when it was executed from a normal location Microsoft Defender kicked in and blocked the malware.
After placing Conti malware in an excluded folder and running it from there, Microsoft Defender did not show any warning and did not take any action, allowing the ransomware to encrypt the machine.
This Microsoft Defender weakness is not new and has been highlighted publicly in the past by Paul Bolton:
“Always told myself that if I was some kind of malware dev I would just lookup the WD exclusions and make sure to drop my payload in an excluded folder and/or name it the same as an excluded filename or extension” – Aura
Given that it’s been this long and Microsoft has yet to address the problem, network administrators should consult the documentation for properly configuring Microsoft Defender exclusions on servers and local machines via group policies.
The cloud environment relies on a few core principles. One of them is the idea that each customer is isolated from other customers, and no data can be inadvertently accessed across accounts. As the Internet moves more and more to the cloud, the importance of cloud security becomes increasingly paramount.
We, the Orca Security Research Team, discovered a critical security issue in the AWS Glue service that could allow an actor to create resources and access data of other AWS Glue customers. The exploit was a complex multi-step process and was ultimately possible due to an internal misconfiguration within AWS Glue. The Glue service has access to large quantities of data, making it a highly attractive target.
We’re sharing this with you today after having worked with AWS to remediate the issue and confirm with AWS that no customer accounts were inappropriately accessed. Within hours of reporting the issue, the AWS Glue service team had reproduced and confirmed our findings. By the following morning, partial mitigation was deployed globally, followed by a full mitigation a few days later.
AWS Principal Engineer Anthony Virtuoso had this to say about our joint collaborative efforts in discovering and quickly fixing this vulnerability:
“At AWS, security is everyone’s job and our highest priority. We take vulnerability reports extremely seriously. We spend a lot of time thinking about and implementing security invariants to keep our customers safe, and we appreciate when that work can be informed or improved by independent security research.”
Anthony continued, “Today, Orca Security, a valued AWS partner, helped us detect and mitigate a misconfiguration before it could impact any customers. We greatly appreciate their talent and vigilance, and we would like to thank them for the shared passion of protecting AWS customers through their findings.”
Technical Overview of the Superglue Zero-Day Vulnerability
AWS Glue is a serverless data integration service that makes it easy to discover, prepare, and combine data for analytics, machine learning, and application development. During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API. In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.
By carefully looking at what data could be accessible in the service account, we confirmed that we would be able to access data owned by other AWS Glue customers. We used accounts under our control to test and verify that this issue gave us the ability to access data from our other accounts without affecting any other AWS customers’ data.
These are some of the things that we were able to do:
Assume roles in AWS customer accounts that are trusted by the Glue service. In every account that uses Glue, there’s at least one role of this kind.
Query and modify AWS Glue service-related resources in a region. This includes but is not limited to metadata for: Glue jobs, dev endpoints, workflows, crawlers and triggers.
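A check a defender might want after reading the first item above, as an added example that is not Orca's or AWS's code: list the IAM roles in an account whose trust policy lets the Glue service principal assume them, which are the roles the finding describes. The role documents below are constructed; in practice they come from the AssumeRolePolicyDocument field returned by `aws iam list-roles`.

```python
"""Find IAM roles whose trust policy allows the AWS Glue service principal to assume them.

Added example, not code from Orca Security or AWS. Role documents are constructed;
feed it the AssumeRolePolicyDocument of each role from `aws iam list-roles`.
"""
import json

GLUE_PRINCIPAL = "glue.amazonaws.com"

# Constructed sample, trimmed to the fields this check uses.
SAMPLE_ROLES = [
    {"RoleName": "AWSGlueServiceRole-etl",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "glue.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "glue-with-account-condition",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": {
         "Effect": "Allow",
         "Principal": {"Service": ["glue.amazonaws.com", "lambda.amazonaws.com"]},
         "Action": ["sts:AssumeRole"],
         "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}}},
    {"RoleName": "ec2-admin",
     "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
]


def _as_list(value):
    """IAM lets Statement, Action and Service be a single value or a list."""
    return value if isinstance(value, list) else [value]


def statement_trusts_service(stmt: dict, service: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to `service` (or to everyone)."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"sts:assumerole", "sts:*", "*"}:
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return service in services or "*" in services


def roles_trusting_service(roles: list, service: str = GLUE_PRINCIPAL) -> list:
    """Return [(role_name, has_condition)] for every role assumable by `service`."""
    found = []
    for role in roles:
        doc = role["AssumeRolePolicyDocument"]
        if isinstance(doc, str):  # some tooling hands the document over as a JSON string
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement", [])):
            if statement_trusts_service(stmt, service):
                found.append((role["RoleName"], "Condition" in stmt))
                break
    return found


if __name__ == "__main__":
    for name, conditioned in roles_trusting_service(SAMPLE_ROLES):
        print(f"{name}: trusted by {GLUE_PRINCIPAL}, condition={'yes' if conditioned else 'no'}")
```

The second element of each result records whether the trust statement carries a Condition block. Scoping a service-principal trust with aws:SourceAccount or aws:SourceArn is AWS's general confused-deputy guidance for services that supply those keys; the post does not say whether such a condition would have affected this particular finding, so treat the flag as an inventory aid rather than a verdict.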
As mentioned above, all research related to this finding was conducted within AWS accounts owned by Orca Security. No other AWS customer accounts and no other customers’ data was accessed during our research.
We would like to thank the AWS security team, specifically Dan Urson and Zack Glick, for collaborating with us and working to quickly confirm and resolve this issue. The process of reporting and having the issue resolved was smooth and we got to meet some of the great people at AWS that help make sure the cloud is secure.
The Orca Security Research Team continues to dig around different cloud products and services to find such zero-day vulnerabilities. Our goal is to discover these vulnerabilities before any malicious actors do.
Police in Ukraine on Thursday said they broke up a ransomware gang allegedly responsible for extorting more than 50 companies across Europe and the U.S. for more than $1 million.
The Ukrainian Cyberpolice, a division of the country’s national police, announced the arrest of an unnamed 36-year-old man who they say partnered with his wife and three others to carry out ransomware attacks.
The group is also accused of providing virtual private network (VPN) services to other criminals for a fee. VPNs are widely and legally used around the world to shield portions of internet traffic and obscure the end-user’s IP address. But police in Ukraine say this VPN service also allowed customers to download computer viruses, spyware and other malware.
“It was a purely ‘gangster’ service created by criminals for criminals and not under the control of any government or law enforcement agencies,” the Security Service of Ukraine said in a statement.
Allan Liska, an intelligence analyst at cybersecurity firm Recorded Future, told CyberScoop that it’s too soon to fully understand the significance of the arrest, but that 50 victims “sounds like a small to mid-sized [ransomware] affiliate.”
Law enforcement officials from the U.S. and the U.K. participated in nine raids on the man and his associates, the Ukrainian officials said, seizing computer equipment, mobile phones, bank cards, flash drives and three cars.
The FBI did not immediately respond to a request for more information.
The joint law enforcement effort announced Wednesday is just the latest example of cross-government cyber law enforcement activity in Ukraine occurring against the backdrop of major geopolitical tensions involving Ukraine, Russia, the United States and Europe.
Cybercriminals adopt all sorts of tactics to disguise credential stuffing activity and avoid basic prevention schemes like CAPTCHAs.
What are credential stuffing attacks?
Credential stuffing is a cyberattack in which exposed usernames and passwords are used to gain fraudulent access to user accounts through large-scale, automated login requests. High account usage, password reuse, and vast volumes of breached credentials on the dark web create the perfect storm for cybercriminals to carry out credential stuffing campaigns, while tactics used by malicious actors make identifying and preventing credential stuffing attempts a significant challenge for organizations.
Adding to pressures is the fact that attackers purposely disguise credential stuffing to make fraudulent access attempts appear legitimate and escape detection. “Credential stuffing attacks are emulating the sorts of requests that a legitimate user would make,” Troy Hunt, security researcher and founder of data breach notification service Have I Been Pwned, tells CSO. “Attackers are asking: What does it look like to make a legitimate request? How can we emulate that? Where it starts to get really interesting is when we look at the combativeness between defenders and attackers.”
Here are four ways cybercriminals hide credential stuffing activity with insight into how to defend against attacks.
Throttling requests to thwart rate limit controls
A common trick of the trade when it comes to disguising credential stuffing attacks is request throttling, says Salt Security technical evangelist and former Gartner analyst Michael Isbitski. “Rate limits and resource limits are often recommended as a security best practice for API mediation mechanisms,” he tells CSO.
As an example, organizations might set a rate limit of 10 requests per minute on a given API that is mediated by an API gateway. If an API caller attempts 11 requests in a minute, the first 10 will work provided the requester has access, and the last will be explicitly blocked. “This threshold will typically reset in the next minute, while some rate limiting mechanisms allow for dynamic limits where an API caller deemed to be excessive might be restricted for some longer interval, much like an account lockout threshold.
When attackers throttle requests, they configure their tools or scripts to run close to this limit without hitting it and then back off,” Isbitski adds, a technique that often works because rate limits are based on normal consumption patterns without considering abuse cases. “Dynamic rate limiting based on continuous behaviour analysis of API callers within sessions is the best defence against this technique,” he says.
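To make the throttling tactic and Isbitski's recommended counter concrete, here is an added example (mine, not from the article or Salt Security) run over a constructed stream of login attempts: an attacker sending nine requests per minute against a ten-per-minute limit, each with a different leaked username, beside a legitimate user who mistypes a password twice. The static per-IP window blocks nothing, while a session-level check on username fan-out and failure ratio flags the attacker and not the user. The thresholds are assumptions to tune against real traffic.

```python
"""Static per-minute rate limit versus behavioural detection of a throttled credential-stuffing run.

Added example, not from the article or Salt Security. All events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Attempt:
    ts: float        # seconds since start of the capture
    ip: str
    username: str
    success: bool


LIMIT_PER_MINUTE = 10


def fixed_window_blocked(attempts):
    """Return the attempts a classic per-IP, per-minute limit would block."""
    windows = defaultdict(int)
    blocked = []
    for a in attempts:
        key = (a.ip, int(a.ts // 60))
        windows[key] += 1
        if windows[key] > LIMIT_PER_MINUTE:
            blocked.append(a)
    return blocked


def behavioural_flags(attempts, span=600, min_attempts=20, min_distinct_users=10, max_success_ratio=0.2):
    """Flag source IPs that, within any `span`-second window, make many attempts against
    many distinct usernames with mostly failures, regardless of their per-minute rate."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > span:  # slide the window forward
                start += 1
            window = events[start:end + 1]
            users = {a.username for a in window}
            successes = sum(a.success for a in window)
            if (len(window) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(window) <= max_success_ratio):
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users), "successes": successes}
                break
    return flagged


def constructed_events():
    """Constructed traffic: a throttled attacker plus one legitimate user."""
    events = []
    # Attacker: 9 requests per minute for 5 minutes, one request under the limit, a
    # new leaked username each time, with a single lucky hit on the 18th credential.
    for minute in range(5):
        for i in range(9):
            n = minute * 9 + i
            events.append(Attempt(ts=minute * 60 + i * 6, ip="203.0.113.5",
                                  username=f"user{n:03d}@example.com", success=(n == 17)))
    # Legitimate user: two typos, then success, one username, one address.
    events += [Attempt(10, "198.51.100.7", "alice@example.com", False),
               Attempt(25, "198.51.100.7", "alice@example.com", False),
               Attempt(40, "198.51.100.7", "alice@example.com", True)]
    return sorted(events, key=lambda a: a.ts)


if __name__ == "__main__":
    evs = constructed_events()
    print("blocked by fixed window:", len(fixed_window_blocked(evs)))
    print("flagged by behaviour:", behavioural_flags(evs))
```

Keying the detector on the source IP is the simplest choice and the one the later sections show attackers evading with proxies; the same window logic can be keyed on a session cookie, device fingerprint or target account instead, which is what "continuous behaviour analysis of API callers within sessions" amounts to in practice.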
Solving CAPTCHAs to disguise non-human logins
Credential stuffing attacks are automated. This creates the need for malicious actors to circumvent controls designed to prevent non-human login, specifically CAPTCHAs. Automatically generated upon a login request, CAPTCHAs ask users to perform an image-related task to prove they’re not a bot. While they are typically simple tests to pass for humans, a computer program is highly unlikely to be able to interpret the information required to return a correct response, and so access will be denied.
Credential stuffing actors invest time and effort into finding solutions to bypass this barrier. Hunt cites a real, past case of a human-led CAPTCHA-solving service for hire, which would receive a constant feed of CAPTCHA challenges to solve and send back on the corresponding APIs for a minimal fee. “The success rate was high – something like more than 90%. It was interesting to see how even anti-automation can be circumvented for a small cost,” he says.
This shines a light on the ROI around credential stuffing and the value malicious actors place on compromising accounts. “If we can raise the cost of these account takeover attacks, we start to reduce the ROI,” Hunt adds.
Altering HTTP header data to evade detection
Some security detection mechanisms attempt to profile or fingerprint an API caller by analyzing HTTP header information like user-agent strings, says Isbitski. However, security analysis on this metadata alone is unreliable and it’s something that attackers look to exploit.
“It’s entirely user controllable with even basic browser plugins. Intercepting proxies allows an attacker to alter headers as they see fit, and they can automate the alterations over sets of requests to evade detection,” says Isbitski. “They can appear as a web user, a mobile user, an IoT device, or something else if detection is limited to such header examination.”
Organizations must analyze more than just HTTP header information and examine behaviors of users within sessions to identify abusive API callers, Isbitski says. “This requires collection of API telemetry at numerous points of architecture and continuous analysis to identify anomalies that may be signs of an attack.”
Geo-distributing API requests to negate allow and deny lists
IP address allow and deny lists mediate calls to a back-end API and can be configured to block a network connection if the API call originates from an IP address or space that is known to be malicious. To negate this, attackers use proxies to make login attempts appear to originate from different locations.
“This method can geolocate a threat actor to a different country to where they may be residing and results in network defenders observing packets originating from a source IP address that did not generate the traffic,” senior cyberthreat intelligence analyst at Digital Shadows, Chris Morgan, tells CSO. Threat actors use network tunnels to mask their source IP address and geolocation, thus making attribution difficult for network defenders, he adds.
“Attackers also spin up cloud-hosted compute to launch and distribute their attacks,” Isbitski says. “IP address spaces of cloud service providers (CSPs) are often trusted by organizations so sanctioned cloud resources and integrations can function without problems.”
Cloud-based IP addresses, particularly with containerized forms of computing, are too ephemeral for organizations to keep up with via IP address allow/deny lists, Isbitski says. “If and when a CSP does catch on, the attacker will have moved on to new forms of computing or new CSPs altogether. Much like rate limiting, security protection must be more dynamic so that it can identify when an attacker shifts where their API requests originate from or exhibit abusive behaviours.”
Preventing credential stuffing attacks
Hunt says multi-layered defense is key to preventing credential stuffing attacks for CISOs, starting with instilling a culture of good password hygiene across an organization. “Until we can actually steer people toward password managers and get a broader adoption rate, we’re only ever chipping around the edges. I think this is an easy win, low hanging fruit. Let’s try and stop people from using passwords that increase the risk of account takeover.”
Two-factor authentication is the next best step to take, Hunt says, pointing out that something as basic as SMS authentication is helpful and straightforward to implement. “Providing the tools to people is a good idea, and it’s a question of what happens in the background without impeding the login flow too much. We don’t want to do something that stops people from being able to use a service with little friction.”
From there, more complex confidence thresholds can be introduced that kick in when a combination of login red flags appear that require additional authentication checks. “If our confidence drops beneath a certain threshold, we can say: You’ve provided the right username and password, but this doesn’t sound quite right, so we sent you an email with a verification token, and if it’s just one click, it’s not too bad from a user friction perspective,” Hunt says.
Finally, and perhaps most importantly, Hunt advises organizations to firmly understand risk values across their spectrum of services and measure the impact of potentially suspicious logins on each of them individually. “It’s one thing if someone logged into my Chrome account to comment on pictures of cats, and it’s another thing altogether if they’re logging into a cryptocurrency wallet. So, there needs to be commensurate controls to risk and impact.”
Though the feds don’t cite any specific threat, a joint advisory from CISA, the FBI and the NSA offers advice on how to detect and mitigate cyberattacks sponsored by Russia.
Cyberattacks sponsored by hostile nation-states are always a major concern for governments and organizations. Using advanced and sophisticated tactics, these attacks can inflict serious and widespread damage, as the SolarWinds incident showed. Organizations therefore need to stay vigilant and make sure they have the means to prevent or combat such attacks.
Authored by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, the joint advisory doesn’t point to a specific threat but does advise organizations to adopt a “heightened state of awareness” about Russia-sponsored cyberattacks. The warning comes at a time when tension between the Kremlin and NATO is high over fears that Russia is planning a new invasion of Ukraine.
“The advisory doesn’t mention the current Russian-Ukraine tensions, but if the conflict escalates, you can expect Russian cyber threats to increase their operations,” said Rick Holland, the chief information security officer at Digital Shadows. “Cyberspace has become a key component of geopolitics. Russian APT groups aren’t at the top of the threat model for all companies, unlike the critical infrastructure providers mentioned in the alert, but could end up being collateral damage.”
On a general level, the advisory provides three pieces of advice to ensure that your organization is ready to defend itself against these state-sponsored attacks.
Be prepared. Confirm your processes for reporting a cyber incident and make sure there are no gaps among your IT staff for handling security threats. Create and test a cyber incident response plan, a resiliency plan and a continuity of operations plan so that critical business operations aren’t disrupted in the event of a cyberattack.
Beef up your cyber posture. Adopt best practices for identity and access management, protective controls and architecture, and vulnerability and configuration management.
Increase your vigilance. Stay current on potential cyber threats. Subscribe to CISA’s mailing list and feeds to get notifications when details are released about a security topic or threat.
The advisory also describes some of the specific vulnerabilities that Russian-sponsored hackers have targeted or exploited in the past to gain initial access into an organization:
Further, organizations should be aware of some of the tactics and targets used in Russian state-sponsored attacks. In many cases, these hackers will target third-party infrastructure and software as a way of impacting an entire supply chain, as seen in the SolarWinds attack. In other cases, they’ll go after operational technology (OT) and industrial control systems (ICS) networks by installing malware. Further, these attackers often use legitimate and stolen account credentials to infiltrate a network or cloud environment where they remain undetected as they plot their malicious campaigns.
The advisory also offers more specific tips for organizations on protection, detection and response to a cyberattack or other security incident.
Protection
Require multi-factor authentication for all users without exception.
Require that accounts have strong passwords. Don’t allow passwords to be used across multiple accounts to which an attacker might have access.
Establish a strong password policy for service accounts.
Secure your account and login credentials. Russian state-sponsored hackers often take advantage of compromised credentials.
Disable the storage of clear text passwords in LSASS memory.
Enable strong spam filters to stop phishing emails from reaching your users.
Update and patch all operating systems, applications and firmware. Prioritize patching the most critical and exploited vulnerabilities. Consider adopting a centralized patch management system to help with this process.
Detection
Watch out for evidence of known Russian state-sponsored tactics, techniques and procedures (TTPs). For this, review your authentication logs for login failures of valid accounts, especially multiple failed attempts. Look for “impossible logins” such as ones with changing usernames and ones that don’t match the actual user’s geographic location.
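The two log reviews just described, as an added example that is not from the advisory: a script that parses constructed authentication log lines and reports (1) valid accounts that see a burst of failures followed by a success and (2) “impossible” logins, where a user's consecutive successful sessions imply a travel speed no person could manage. The log format, the IP-to-location table and the thresholds are all assumptions; a real deployment would read the SIEM's schema and a GeoIP database.

```python
"""Failed-then-successful logins and impossible-travel detection over constructed auth logs.

Added example, not code from CISA, the FBI or the NSA. Log lines, locations and thresholds
are constructed/assumed.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format; adjust the regex to your own authentication source.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>success|failure)$")

# Constructed IP -> (lat, lon) table standing in for a GeoIP lookup.
GEO = {
    "198.51.100.7": (51.5074, -0.1278),   # London office
    "192.0.2.44": (51.5155, -0.0922),     # London, second office
    "203.0.113.5": (35.6762, 139.6503),   # Tokyo
}

SAMPLE_LOG = """\
2022-01-12T08:00:00Z user=alice src=198.51.100.7 result=success
2022-01-12T08:30:00Z user=bob src=203.0.113.5 result=failure
2022-01-12T08:30:05Z user=bob src=203.0.113.5 result=failure
2022-01-12T08:30:10Z user=bob src=203.0.113.5 result=failure
2022-01-12T08:30:15Z user=bob src=203.0.113.5 result=failure
2022-01-12T08:30:20Z user=bob src=203.0.113.5 result=failure
2022-01-12T08:30:25Z user=bob src=203.0.113.5 result=success
2022-01-12T09:10:00Z user=alice src=203.0.113.5 result=success
2022-01-12T09:15:00Z user=carol src=198.51.100.7 result=success
2022-01-12T10:00:00Z user=carol src=192.0.2.44 result=success
"""


def parse(log: str):
    """Return (timestamp, user, ip, success) tuples in time order, skipping unparseable lines."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["ip"], m["result"] == "success"))
    return sorted(events)


def failures_then_success(events, threshold=5, window_s=600):
    """(user, ip, failure_count) for accounts with >= threshold failures in window_s seconds,
    immediately followed by a successful login: the pattern of a guessed or reused password."""
    hits = []
    by_user = defaultdict(list)
    for ts, user, ip, ok in events:
        by_user[user].append((ts, ip, ok))
    for user, evs in by_user.items():
        recent = []
        for ts, ip, ok in evs:
            recent = [r for r in recent if (ts - r[0]).total_seconds() <= window_s]
            if ok:
                if len(recent) >= threshold:
                    hits.append((user, ip, len(recent)))
                recent = []
            else:
                recent.append((ts, ip))
    return hits


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))


def impossible_travel(events, max_kmh=900):
    """(user, previous_ip, ip, implied_kmh) for consecutive successful logins whose
    distance/time exceeds what an airliner manages (assumed ceiling of 900 km/h)."""
    hits = []
    last = {}
    for ts, user, ip, ok in events:
        if not ok or ip not in GEO:
            continue
        if user in last:
            prev_ts, prev_ip = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            km = haversine_km(GEO[prev_ip], GEO[ip])
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, prev_ip, ip, round(km / hours)))
        last[user] = (ts, ip)
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("failures then success:", failures_then_success(evs))
    print("impossible travel:", impossible_travel(evs))
```

Both checks key on the username rather than the source address, so an attacker rotating proxies still shows up; the cost is that VPN egress points and mobile carriers will produce false impossible-travel hits until their addresses are mapped to a plausible location.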
Response
Upon detecting a cyber incident on your network, quickly isolate any affected systems.
Secure your backups. Make sure your backed-up data is offline and secure. Scan your backups to make sure they are free of malware.
Review any relevant logs and other artifacts.
Consider contacting a third-party IT company to advise you and help you ensure that the attacker is removed from your network.
“Russia has very advanced cyber warfare skills which keep them hidden once a network is compromised, although ironically, the initial attack vectors are typically those of low-tech email phishing campaigns, taking advantage of people reusing already compromised passwords or using easily guessed passwords,” said Erich Kron, security awareness advocate at KnowBe4.
“To strengthen organizations against these attacks, it is critical that they have a comprehensive security awareness program in place to help users spot and report suspected phishing attacks and to educate them on good password hygiene,” Kron added. “In addition, technical controls such as multi-factor authentication and monitoring against potential brute force attacks can play a critical role in avoiding the initial network intrusion.”
In this Tech Tip, SANS Institute’s Johannes Ullrich suggests using PowerShell to identify Windows systems affected by the newly disclosed vulnerability in http.sys.
Of the nine critical vulnerabilities Microsoft fixed in January’s Patch Tuesday release, the remote code execution flaw in the HTTP Protocol Stack (CVE-2022-21907) is a doozy. It affects Windows servers and clients (anything that can run http.sys) and has a CVSS rating of 9.8 on a 10.0 scale.
This Tech Tip shares insights from Dr. Johannes B. Ullrich, the Dean of Research at SANS Technology Institute, on how IT administrators can check which systems are impacted.
The vulnerability lies in the HTTP trailer support feature, which lets a sender append additional header fields after the message body to supply metadata. An attacker could exploit the flaw by sending a specially crafted packet to a target server that uses http.sys to process packets.
Most worrying, Microsoft says the flaw is wormable, meaning no human interaction is required for an attack to spread from one vulnerable Windows box to another. Once an attacker compromises one system, they would be able to spread easily throughout the organization’s entire intranet.
Organizations are encouraged to find affected systems and deploy updates as soon as possible.
How Do I Check My System?
The flaw affects Windows 10 and Windows 11, as well as Server 2019 and Server 2022. It appears the vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809 – but disabled by default. Ullrich suggests the following PowerShell query to check the registry values to determine if the vulnerability exists on the system:
It’s also possible that other software using http.sys could be exposing the vulnerability, including Microsoft Internet Information Services (IIS), WinRM (Windows Remote Management), and WSDAPI (Web Services for Devices). Ullrich notes that http.sys can be described “as the core HTTP engine inside IIS.” Administrators can use the netsh command to list all processes that use http.sys.
netsh http show servicestate
Do I Have to Patch Immediately?
Microsoft rates the exploitability as “Exploitation More Likely,” and recommends patching this vulnerability as soon as possible. To put things in context, when Microsoft patched a similar wormable remote code execution flaw in the HTTP Protocol Stack (CVE-2021-31166) last May, it took less than a week for proof-of-concept code to be posted online.
Despite its critical rating, the actual exploit may wind up not as damaging as it could be, cautions Ullrich. “Past vulnerabilities were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service,” he says. There was a “similar fire drill” for an integer overflow vulnerability affecting http.sys in IIS back in 2015, but it “never amounted to much.”
Ullrich notes that a web application firewall would be able to block requests with trailers (where the malicious code would be hidden). That could buy organizations some time as they figure out the deployment schedule. At the moment, IT teams have a window of opportunity before any PoCs or exploits are published to assess their exposure and mitigate found issues.
An Iranian state-sponsored actor has been observed scanning and attempting to abuse the Log4Shell flaw in publicly-exposed Java applications to deploy a hitherto undocumented PowerShell-based modular backdoor dubbed “CharmPower” for follow-on post-exploitation.
“The actor’s attack setup was obviously rushed, as they used the basic open-source tool for the exploitation and based their operations on the previous infrastructure, which made the attack easier to detect and attribute,” researchers from Check Point said in a report published this week.
The Israeli cybersecurity company linked the attack to a group known as APT35, which is also tracked using the codenames Charming Kitten, Phosphorus, and TA453, citing overlaps with toolsets previously identified as the infrastructure used by the threat actor.
Log4Shell aka CVE-2021-44228 (CVSS score: 10.0) concerns a critical security vulnerability in the popular Log4j logging library that, if successfully exploited, could lead to remote execution of arbitrary code on compromised systems.
The ease of the exploitation coupled with the widespread use of Log4j library has created a vast pool of targets, even as the shortcoming has attracted swarms of bad actors, who have seized on the opportunity to stage a dizzying array of attacks since its public disclosure last month.
While Microsoft previously pointed out APT35’s efforts to acquire and modify the Log4j exploit, the latest findings show that the hacking group has operationalized the flaw to distribute the PowerShell implant capable of retrieving next-stage modules and exfiltrating data to a command-and-control (C2) server.
CharmPower’s modules also support a variety of intelligence gathering functionality, including features to gather system information, list installed applications, take screenshots, enumerate running processes, execute commands sent from the C2 server, and clean up any signs of evidence created by these components.
The disclosure comes as Microsoft and the NHS cautioned that internet-facing systems running VMware Horizon are being targeted to deploy web shells and a strain of ransomware called NightSky, with the tech giant connecting the latter to a China-based operator dubbed DEV-0401, which has also deployed LockFile, AtomSilo, and Rook ransomware in the past.
What’s more, Hafnium, another threat actor group operating out of China, has also been observed utilizing the vulnerability to attack virtualization infrastructure to extend their typical targeting, Microsoft noted.
“Judging by their ability to take advantage of the Log4j vulnerability and by the code pieces of the CharmPower backdoor, the actors are able to change gears rapidly and actively develop different implementations for each stage of their attacks,” the researchers said.
Crypto-Locking Malware Hits Traced by Microsoft to Attack Group Based in China
Attackers wielding Night Sky ransomware are among the latest groups that have been attempting to exploit serious vulnerabilities in widely used Apache Log4j software.
“In January, we started seeing attackers taking advantage of the vulnerabilities in internet-facing systems, eventually deploying ransomware,” Microsoft says. “We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organizations may not realize their environments may already be compromised.”
The emergence of ransomware-wielding attackers targeting Log4j vulnerabilities came just weeks after Apache’s first public alert, on Dec. 10, 2021, that a critical flaw in the JNDI lookup feature of the Log4j logging utility, in versions prior to 2.15.0, could be exploited to take control of a vulnerable system.
There are now a total of three such “Log4Shell” vulnerabilities: CVE-2021-44228 (the JNDI flaw in Log4j 2.x), CVE-2021-4104 (for how that vulnerability presents in certain uses of Log4j 1.x) and CVE-2021-45046 (a vulnerability introduced via an incomplete fix for the JNDI flaw). All have been patched via updates to Log4j, which have also included fixes for other newly discovered but less severe flaws.
The Night Sky crypto-locking malware being distributed by attackers gets installed when they exploit Log4j flaws in unpatched versions of VMware Horizon, Microsoft says.
The Night Sky ransomware attacks followed a Dec. 23, 2021, security alert from VMware warning that CVE-2021-44228 and CVE-2021-45046 were present in VMware Horizon and the VMware Horizon Agent that runs on-premises. That alert included mitigation recommendations.
Night Sky ransomware appears to be new. It was first spotted by security research group MalwareHunterTeam, which on Jan. 1 reported finding a dedicated data leak site for attacks tied to that strain of ransomware. The leak site means the attackers are practicing double extortion: they demand payment not just for a decryptor, but also to not release stolen data.
MalwareHunterTeam reports that on Dec. 27, 2021, “the support chat system was set up – both the domain and the system itself” for Night Sky victims, while posts announcing two victims – one in Bangladesh and another in Japan – were added to the site on each of the two next days. Each of those victim listings includes samples of supposedly stolen data. It’s not clear how Night Sky ransomware was dropped on those two victims’ systems.
One of the Night Sky victims received a ransom demand of $800,000, in return for which the attackers agreed to furnish a decryptor as well as not dump stolen data, Bleeping Computer reported.
China-Based Attackers
The attackers began targeting VMware Horizon less than two weeks after VMware issued its security alert. “As early as Jan. 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon,” Microsoft says.
“These attacks are performed by a China-based ransomware operator that we’re tracking as DEV-0401,” it adds. This attack group “has previously deployed multiple ransomware families including LockFile, AtomSilo and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473).”
As part of its attacks, the DEV-0401 group uses spoofed domain names that are meant to look legitimate but that typically feature slight misspellings, Microsoft says. Examples include “service[.]trendmrcio[.]com,” “api[.]rogerscorp[.]org,” “api[.]sophosantivirus[.]ga” and “apicon[.]nvidialab[.]us,” among others.
Escalating Attack Attempts
Last week, the U.K.’s National Health Service issued a security alert warning that attackers had been compromising VMware Horizon to gain persistence on NHS systems. The alert did not attribute those attacks to any particular group.
The Log4j flaw has allegedly also been used to drop ransomware into the IT environment at ONUS, which is one of Vietnam’s largest cryptocurrency platforms.
Getting hit with ransomware is just one of the risks facing organizations that use tools in which the vulnerable Log4j code is present. And the U.S. Cybersecurity and Infrastructure Security Agency says hundreds of millions of devices worldwide likely still run one of hundreds of pieces of software that contain vulnerable Log4j software.
As Britain’s National Cyber Security Center has said: “If left unfixed, attackers can break into systems, steal passwords and logins, extract data and infect networks with malicious software.”
So far, however, CISA reports seeing largely low-level attacks targeting Log4j, primarily aimed at building botnets or mining for cryptocurrency. But on Monday, CISA Director Jen Easterly warned that more advanced attackers may have already been exploiting the flaw to gain persistence and lie low on systems until defenders are at a “lower alert” level.
Indeed, security researchers say nation-state attackers have also been searching for the flaw. Last month, Belgium’s Ministry of Defense announced that it had been hit by an attacker that utilized, in part, the Apache Log4j vulnerability.
Another example comes via software and hardware vendor Check Point, which reports that an advanced persistent threat group with the codenames APT35, Charming Kitten, Phosphorus and TA453, which is believed to be tied to Iran, “started widespread scanning and attempts to leverage Log4j flaw in publicly facing systems only four days after the vulnerability was disclosed.”
If the group’s Log4j exploit is successful, Check Point says the attackers switch to a PowerShell-based framework they’ve developed “to establish persistence, gather information and execute commands.” The vendor didn’t disclose how many organizations may yet have been successfully exploited in this manner.
Separately, cybersecurity firm CrowdStrike in late December warned that a China-linked espionage group, with the codename Aquatic Panda, had targeted a “large academic institution,” attempting to exploit the Apache Log4j flaw in the VMware Horizon Tomcat web server service. But CrowdStrike said that attack had been repelled.
Serious Patching Challenge
Meanwhile, Log4j challenges continue, including for vendors that are still identifying and patching vulnerable software and systems. Their customers and users must then test those updates and roll them out into their own environments.
The challenge is compounded because many vulnerable products and services are in turn used by other products and services. “This open-source component is widely used across many suppliers’ software and services,” Microsoft says. “By nature of Log4j being a component, the vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.”
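The practical consequence of Log4j being a component is that a vulnerable copy is rarely a top-level file called `log4j-core-2.14.1.jar`: it sits inside a `.war` inside an `.ear`, or has been shaded into an application jar whose name says nothing about Log4j. Package managers and version strings therefore miss it. The following is an added example (not from the article, Microsoft or Apache) of the inventory check most responders ended up running: recurse through nested archives, report every one that still ships `JndiLookup.class`, read the version from the embedded Maven `pom.properties` when present, and classify it against the fixed versions from Apache's advisory (2.16.0 for Java 8, 2.12.2 for Java 7, 2.3.1 for Java 6). The test fixture is a constructed `.ear` built in memory, with placeholder class bytes; `scan_file` runs the same logic over a real file.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _parse_version(props_text):
    for line in props_text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def is_log4shell_affected(version):
    """Affected by CVE-2021-44228 / CVE-2021-45046 per Apache's advisory.
    Unknown versions are treated as affected until proven otherwise."""
    if version is None:
        return True
    parts = [int(x) for x in re.findall(r"\d+", version)[:3]]
    v = tuple(parts + [0] * (3 - len(parts)))
    if v >= (2, 16, 0):
        return False
    if (2, 12, 2) <= v < (2, 13, 0):      # Java 7 backport line
        return False
    if (2, 3, 1) <= v < (2, 4, 0):        # Java 6 backport line
        return False
    return True


def scan_archive(data, path="<bytes>", findings=None):
    """Walk an archive (bytes) recursively; record (path, version) for every
    embedded archive that still contains JndiLookup.class."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                   # not a zip: skip silently
    with zf:
        names = zf.namelist()
        present = set(names)
        if JNDI_CLASS in present:
            version = None
            if POM_PROPS in present:
                version = _parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            findings.append((path, version))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings


def assess(data, path="<bytes>"):
    """(path, version, affected) for each finding."""
    return [(p, v, is_log4shell_affected(v)) for p, v in scan_archive(data, path)]


def scan_file(filename):
    with open(filename, "rb") as fh:
        return assess(fh.read(), filename)


def build_sample_app():
    """Constructed fixture: app.ear -> web.war -> WEB-INF/lib/*.jar, plus a shaded
    jar with no pom.properties. Class bytes are placeholders, not real bytecode."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, content in entries:
                z.writestr(name, content)
        return buf.getvalue()

    def log4j_core(version, with_jndi=True):
        entries = [(POM_PROPS, f"version={version}\nartifactId=log4j-core\n"),
                   ("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")]
        if with_jndi:
            entries.append((JNDI_CLASS, b"\xca\xfe\xba\xbe"))
        return jar(entries)

    war = jar([
        ("WEB-INF/lib/log4j-core-2.14.1.jar", log4j_core("2.14.1")),
        ("WEB-INF/lib/log4j-core-2.17.1.jar", log4j_core("2.17.1")),
        ("WEB-INF/lib/log4j-api-2.14.1.jar", jar([("org/apache/logging/log4j/Logger.class", b"")])),
    ])
    return jar([
        ("lib/shaded-app.jar", jar([(JNDI_CLASS, b"\xca\xfe\xba\xbe")])),
        ("web.war", war),
    ])


if __name__ == "__main__":
    for path, version, affected in assess(build_sample_app(), "app.ear"):
        print(f"{path}: version={version or 'unknown'} affected={affected}")
```

The shaded jar is reported with an unknown version and treated as affected, which is the conservative answer when the only evidence is the class file; the 2.17.1 copy is reported but not flagged, because the class is still shipped there with JNDI disabled by default. Removing `JndiLookup.class` from an old jar, Apache's stop-gap for 2.10 through 2.14.1, makes the finding disappear from this scan, so keep a record of what was mitigated that way.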
On Monday, Easterly said that CISA has cataloged more than 2,800 products that are known to be vulnerable to Log4Shell. The agency is tracking vulnerable products in a dedicated GitHub database.
A separate effort by the CERT Coordination Center, run by Carnegie Mellon University’s Software Engineering Institute, is tracking the presence or absence of the critical Log4j flaws across products issued by more than 1,600 vendors.
In response to CERT CC’s queries, 122 vendors have confirmed that they have one or more products or services affected by one of the three Log4j flaws. In addition, 91 vendors have responded saying none of their products or services are affected. But more than 1,400 vendors have yet to confirm or deny if their products or services run a vulnerable version of Log4j. At the same time, would-be attackers have access to numerous tools to help them identify systems with such flaws.
“Customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” Microsoft says. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”
Electronic Arts (EA) has published an official response to numerous reports about hacked player accounts, confirming the problem and attributing it to phishing actors.
As the notice explains, hackers used social engineering against EA’s customer experience team to bypass two-factor authentication and hijack 50 player accounts.
FIFA 22 is a very popular football (soccer) simulation game featuring a multi-player mode where people can compete in real-time, trade in-game items, etc.
The gaming company has promised to restore rightful owners’ access to the compromised accounts and has also announced the following measures to prevent this from happening again in the future:
All EA Advisors and individuals who assist with service of EA Accounts are receiving individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used in this particular instance.
Implementation of additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests.
The customer experience software will be updated to better identify suspicious activity, flag at-risk accounts, and further limit the potential for human error in the account update process.
The above changes will inevitably make customer service more cumbersome and slow, but they will improve account security, something that the FIFA community has been complaining about for years.
“We’d like to apologize for the inconvenience and frustration that this has caused, and that we were unable to share additional details in our original communication last week as we conducted a thorough investigation,” EA’s statement concludes.
High-profile accounts hacked
The accounts that were targeted by the phishing actors include those of real footballers like Valentin Rosier, professional streamers, and in-game currency traders.
These high-profile accounts have invested significant amounts of money in the game and use it as a source of income by monetizing their presence in that virtual space.
Some of the hacked account holders point out the possibility of EA’s staff having handed their personal data to the hackers, which would violate the GDPR and could incur fines of up to 4% of EA’s global annual turnover.
However, at this time, no data protection probes have been announced, and EA’s investigation on the incident is still ongoing, so the scope of the impact hasn’t been determined with certainty yet.
A new cross-platform backdoor called “SysJoker” has been observed targeting machines running Windows, Linux, and macOS operating systems as part of an ongoing espionage campaign that’s believed to have been initiated during the second half of 2021.
“SysJoker masquerades as a system update and generates its [command-and-control server] by decoding a string retrieved from a text file hosted on Google Drive,” Intezer researchers Avigayil Mechtinger, Ryan Robinson, and Nicole Fishbein noted in a technical write-up publicizing their findings. “Based on victimology and malware’s behaviour, we assess that SysJoker is after specific targets.”
The Israeli cybersecurity company, attributing the work to an advanced threat actor, said it first discovered evidence of the implant in December 2021 during an active attack against a Linux-based web server belonging to an unnamed educational institution.
Written in C++, SysJoker is delivered via a dropper file from a remote server that, upon execution, gathers information about the compromised host, such as MAC address, user name, physical media serial number, and IP address, all of which is encoded and transmitted back to the server.
What’s more, connections to the attacker-controlled server are established by extracting the domain’s URL from a hard-coded Google Drive link that hosts a text file (“domain.txt”), enabling the server to relay instructions to the machine that allow the malware to run arbitrary commands and executables, following which the results are beamed back.
“The fact that the code was written from scratch and hasn’t been seen before in other attacks [and] we haven’t witnessed a second stage or command sent from the attacker […] suggests that the attack is specific which usually fits for an advanced actor,” the researchers said.