Digium Phones Under Attack: Insight Into the Web Shell Implant
(published: July 15, 2022)
Palo Alto Unit42 researchers have uncovered a large-scale campaign targeting Elastix VoIP telephony servers used in Digium phones.
The attackers exploited CVE-2021-45461, a remote code execution (RCE) vulnerability in the Rest Phone Apps (restapps) module, and used a two-stage malware: an initial dropper shell script installs the PHP web shell backdoor.
The malware achieves polymorphism through binary padding, implanting a random junk string into each malware download. This polymorphism led Unit42 to observe more than 500,000 unique malware samples from late December 2021 through the end of March 2022. The attackers use multilayer obfuscation, scheduled tasks, and new user creation for persistence.
Potentially affected FreePBX users should update restapps (the fixed versions are 15.0.20 and 16.0.19, or newer). New polymorphic threats require a defense-in-depth strategy, including malware sandbox detection and orchestrating multiple security appliances and applications.
North Korean Threat Actor Targets Small and Midsize Businesses with H0lyGh0st Ransomware
(published: July 14, 2022)
Microsoft researchers have linked an emerging ransomware group, H0lyGh0st Ransomware (DEV-0530), to financially motivated North Korean state-sponsored actors. From June to October 2021, H0lyGh0st used SiennaPurple ransomware family payloads written in C++, then switched to variants of the SiennaBlue ransomware family written in Go. Microsoft detected several successfully compromised small-to-mid-sized businesses, including banks, event and meeting planning companies, manufacturing organizations, and schools.
Small-to-mid-sized businesses should consider enforcing multi-factor authentication (MFA) on all accounts, cloud hardening, and regular deployment of updates with Active Directory being the top priority.
The Trojan Horse Malware & Password “Cracking” Ecosystem Targeting Industrial Operators
(published: July 14, 2022)
Dragos researchers discovered a campaign infecting industrial control systems (ICS) through password “cracking” software for programmable logic controllers (PLCs) and human-machine interface (HMI) terminals. Infection spreads through infrastructure advertising password recovery tools that unlock PLCs and HMIs from a number of vendors: ABB, Allen Bradley, Automation Direct, Fuji Electric, LG, Mitsubishi, Omron, Panasonic, Pro-Face, Siemens, Vigor, and Weintek.
The AutomationDirect tool does attempt to extract the password, by exploiting the now-fixed CVE-2022-2003 vulnerability. At the same time, these tools drop a variant of the Sality malware that replaces cryptocurrency addresses in the clipboard and drives central processing unit (CPU) utilization to 100%.
Network defenders should monitor for unexpected CPU usage spikes. Avoid installing password “cracking” software from unknown actors on any systems with access to sensitive operations.
Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability
(published: July 13, 2022)
Wordfence researchers discovered a spike in activity targeting the Kaswara Modern WPBakery Page Builder Addons plugin. All versions of the plugin are vulnerable to CVE-2021-24284, and the plugin is no longer supported. Since July 4, 2022, Wordfence has detected on average 443,868 attack attempts per day. Several thousand websites worldwide still have the vulnerable plugin installed. The attackers try to upload a zip file containing a PHP uploader and then use it to upload more files to the compromised website. One of the campaign objectives is to deploy the NDSW trojan, which redirects site visitors to malicious websites.
Website maintainers should remove unsupported and vulnerable plugins such as Kaswara Modern WPBakery Page Builder Addons. Incident response for compromised websites should include removing malicious files uploaded by the attackers, removing unauthorized admin accounts, and reverting other changes made by the attackers.
ChromeLoader: New Stubborn Malware Campaign
(published: July 12, 2022)
Unit42 researchers describe the evolution and versions of the ChromeLoader (Choziosi Loader, ChromeBack) malware. ChromeLoader's multi-stage infection ends with a browser extension that acts as adware and an infostealer, leaking all of the user’s search engine queries.
The earliest ChromeLoader variant, targeting Windows with AutoHotKey (AHK) executables, was active in the wild in December 2021. By March 2022, two more major Windows-targeting variants and one macOS-targeting variant were in use, starting the infection with disk image files (ISO for Windows and DMG for macOS).
The ChromeLoader payload uses various obfuscation techniques and switch-case-oriented programming. It also reaches a vital function through permutations produced by a randomized sort algorithm rather than referencing it directly in the script, which tricks deobfuscation tools into dropping it as an unreferenced function.
Check application reviews and developer information, and scan a downloaded file before using it. Defenders can monitor for PowerShell spawning chrome.exe with load-extension and AppData\Local as parameters.
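The detection hint above, as an added example in Python that is not Unit42's code: the rule applied to a few constructed process-creation events (Sysmon-style parent/image/command-line fields are assumed). It generalizes the hint slightly by also treating pwsh.exe as PowerShell.

```python
# Constructed sample process-creation events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --load-extension="C:\Users\bob\AppData\Local\Temp\ext" --no-first-run'},
    {"parent": r"C:\Windows\explorer.exe",          # normal user launch, no extension side-load
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --profile-directory=Default'},
    {"parent": r"C:\Program Files\PowerShell\7\pwsh.exe",   # developer loading an extension from a source tree
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"chrome.exe" --load-extension="C:\dev\myext"'},
]

POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}   # assumption: both hosts count as "PowerShell"


def _leaf(path):
    """Return the lower-cased file name at the end of a Windows path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def is_chromeloader_like(event):
    """Apply the Unit42 hint: PowerShell parent, chrome.exe child, and a command line
    that both side-loads an extension and points into the user's AppData\\Local tree."""
    cmd = event["cmdline"].lower()
    return (_leaf(event["parent"]) in POWERSHELL_NAMES
            and _leaf(event["image"]) == "chrome.exe"
            and "load-extension" in cmd
            and "appdata\\local" in cmd)


def flag_events(events):
    """Return the indexes of events matching the rule, for triage."""
    return [i for i, e in enumerate(events) if is_chromeloader_like(e)]


if __name__ == "__main__":
    print(flag_events(SAMPLE_EVENTS))   # only the first event matches all four conditions
```

The third event shows why the AppData\Local condition matters: a PowerShell-launched extension side-load from a source directory is a developer workflow and is not flagged.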
Lithuanian Energy Firm Disrupted by DDOS Attack
(published: July 12, 2022)
Russia-based hacktivist group KillNet claimed responsibility for the distributed denial of service (DDoS) attack on Lithuanian energy company Ignitis Group. The company confirmed dealing with its “biggest cyber-attack in a decade”. KillNet targeted Lithuania when it began enforcing EU sanctions on goods traveling to Kaliningrad, a Russian exclave.
Make sure that your mitigation techniques address the KillNet DDoS arsenal, including CLAP, DNS amplification, ICMP flood, IP fragmentation, NTP flood, TCP RST flood, TCP SYN flood, and TCP SYN/ACK. Hacktivist groups tend to use DDoS attacks as their main vector against businesses and government entities they disapprove of. Denial-of-service attacks can cost your company revenue, because severe attacks can shut down online services for extended periods of time.
BlackCat (Aka ALPHV) Ransomware Is Increasing Stakes Up To $2.5M In Demands
(published: July 10, 2022)
BlackCat (ALPHV) is a well-known ransomware syndicate operating since 2021, with multiple disruptions to major organizations and companies including OilTanking GmbH, Swissport, and two US universities: Florida International University and the University of North Carolina.
Built in Rust, a general-purpose programming language, BlackCat was the subject of an FBI flash alert as one of the emerging ransomware threats. Experts at Resecurity unveiled TTPs in which the actors use the Active Directory “SYSVOL” component to store the BlackCat cryptor and use Windows Task Scheduler to deploy and configure the ransomware for a defined group of users.
While infecting the target, the actors take steps to prevent roll-back to normal operations. Average ransom demands grew from $570,000 in early 2021 to over 2.5 million US dollars (£1,681,220+) in 2022. BlackCat publishes new victims every four days on its dark web platform and uses a practice called “quadruple extortion”: encryption, data theft, DDoS, and harassment.
Based on the observed attacks, BlackCat is known to append a randomized six-character extension to encrypted files, and it includes a notably new feature of searching the files and data of the potential victim’s employees and customers.
Proper user account policies and a recovery plan reduce exposure to such attacks and the resulting damage to the organization. Password management, user account security, and administrative account management are basic but important measures to further reduce exposure to such malicious actors. Use of a VPN, network segmentation, disabling remote access, and regular backups are other risk mitigation techniques.
KillNet is a Russia-affiliated hacktivist group specializing in distributed denial of service (DDoS) attacks, originally created on the basis of a Russian-speaking DDoS-for-hire group of the same name. On February 26, 2022, KillNet formed an Anonymous-like collective to wage war on Anonymous (a loosely affiliated group of volunteer hacktivists), Ukraine, and countries that support Ukraine in a way hostile to Russia. The group united with other threat groups (XakNet Team) and with DDoS actors and services such as Stresser[.]tech, and its most popular channel on the Telegram messenger had over 80,000 subscribers.
An issue was discovered in the ContentResource API in dotCMS 3.0 through 22.02. Attackers can craft a multipart form request to post a file whose filename is not initially sanitized. This allows directory traversal, in which the file is saved outside of the intended storage location. If anonymous content creation is enabled, this allows an unauthenticated attacker to upload an executable file, such as a .jsp file, that can lead to remote code execution.
FreePBX, when a vulnerable restapps (aka Rest Phone Apps) release is installed, allows remote attackers to execute arbitrary code, as exploited in the wild in December 2021. The fixed versions are 15.0.20 and 16.0.19.
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the ‘uploadFontIcon’ AJAX action: the supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
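The dotCMS and Kaswara entries above describe the same two upload defects: an unsanitized client filename that allows directory traversal, and an archive extracted without inspecting its entries. As an added, defender-side example in Python (not code from dotCMS, Kaswara, or the advisories), the checks below reduce the client name to a bare basename and refuse archive entries that traverse or carry a server-executable extension; the extension list and the in-memory sample archives are assumptions constructed for the demo.

```python
import io
import posixpath
import zipfile

# Extensions the web server may execute (assumed list; align it with the server's handler config).
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar", ".jsp", ".jspx", ".war"}


def safe_basename(client_filename):
    """Reduce a client-supplied filename to a bare basename so it cannot leave the
    storage directory; return None when nothing safe remains or the type is executable."""
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or posixpath.splitext(name)[1].lower() in EXECUTABLE_EXTS:
        return None
    return name


def zip_problems(zip_bytes):
    """Inspect every entry of an uploaded archive before extraction and list why it
    must be refused: path traversal, absolute paths, or executable file types."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            norm = posixpath.normpath(info.filename.replace("\\", "/"))
            if posixpath.isabs(norm) or norm == ".." or norm.startswith("../"):
                problems.append(f"traversal: {info.filename}")
            elif posixpath.splitext(norm)[1].lower() in EXECUTABLE_EXTS:
                problems.append(f"executable: {info.filename}")
    return problems


def build_zip(entries):
    """Build an in-memory archive from {name: text}; used only to construct demo inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign icon-font bundle, one smuggling a PHP file, one with traversal names.
GOOD_ZIP = build_zip({"fonts/icons.svg": "<svg/>", "fonts/icons.css": ".i{}"})
PHP_ZIP = build_zip({"fonts/icons.svg": "<svg/>", "fonts/u.php": "<?php echo 'placeholder'; ?>"})
TRAVERSAL_ZIP = build_zip({"../../evil.txt": "x", "/abs.txt": "y"})

if __name__ == "__main__":
    print(safe_basename("../../../webroot/x.jsp"))   # None: executable type rejected
    print(safe_basename("../../../tmp/photo.png"))   # photo.png
    for z in (GOOD_ZIP, PHP_ZIP, TRAVERSAL_ZIP):
        print(zip_problems(z))
```

Extracting only after `zip_problems` returns an empty list, and only into a directory the server does not execute scripts from, closes both paths the campaigns above rely on.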