DDoS attacks by Bangladesh hacktivists target Indian infrastructure

SISA Weekly Threat Watch - 14 August 2023

In the past week, cybersecurity researchers have uncovered significant developments in digital threats. From RCE attacks to targeted DDoS attacks and from persistent data thefts to advanced malware techniques, a multitude of incidents have unfolded, highlighting the persistence and ingenuity of threat actors. These incidents underscore the need for enhanced security measures as threat actors evolve in their tactics.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Hundreds of Citrix servers backdoored in an RCE attack

According to security researchers, hundreds of Citrix NetScaler ADC and Gateway servers have been compromised by malicious actors who have been deploying web shells. The attacks make use of critical code injection vulnerability CVE-2023-3519, which results in unauthenticated remote code execution (RCE). The vulnerability mainly impacts unpatched Netscaler appliances configured as gateways (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authentication virtual servers (AAA server).

The flaw, patched by Citrix last month, carries a CVSS score of 9.8. Citrix also patched two more critical vulnerabilities, CVE-2023-3466 and CVE-2023-3467, which may be used to escalate privileges to the root account and conduct reflected cross-site scripting (XSS) attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously announced the use of CVE-2023-3519 to launch web shells. The actors were able to execute discovery on the victim’s active directory (AD), acquire AD data, and exfiltrate AD data thanks to the web shell. Security teams are advised to prioritize the patching of Citrix servers as a top security measure. Additionally, segment the network to minimize lateral movement within the infrastructure and isolate critical systems, applying proper access controls between different network segments.

2. Bangladesh hacktivists target critical infrastructure in India with DDoS Attacks

Threat intelligence experts have shed light on the hacktivist collective known as Mysterious Team Bangladesh. Since June 2022, the new threat has defaced 78 websites and launched 750 DDoS assaults. With a heavy concentration on India, the firm primarily focuses on the government, banking, and transportation sectors. The gang prefers to conduct a brief test attack to determine a target’s susceptibility to DDoS attacks before launching a full-scale attack. It most often exploits vulnerable versions of PHPMyAdmin and WordPress in its malicious activity.

Although DDoS attacks have made up the majority of the group’s attacks to date, they have also defaced targets’ websites and, in some cases, may have used common or default admin passwords or exploits for well-known vulnerabilities to gain access to Web servers and administrative panels. To thwart a DDoS attack, it is advised to enroll in a DDoS (Cloud) Mitigation protection service, identify critical assets, and develop DDoS response and business continuity plans. It is also recommended to deploy load balancers to distribute traffic and minimize the impact of DDoS.

3. Microsoft fixed a flaw in Power Platform after being criticized

Microsoft fixed a critical vulnerability in its Power Platform after facing criticism for the delayed response. According to Microsoft, the flaw can provide unauthorised access to Custom Code functions used by Power Platform custom connectors. A risk of information disclosure would exist if the function contained secret information or sensitive information.

This issue seems to be created by insufficient access control to Azure Function hosts, which are launched as part of creating and operating custom connectors in Microsoft’s Power Platform. Despite the fact that most client interactions with custom connections take place through authorized APIs, calls to the Azure Function might still be made using the API endpoints without the need for authentication. This enabled attackers to intercept OAuth client IDs and secrets by exploiting unsecured Azure Function hosts. The company noted that no customer action is required and that it found no evidence of active exploitation of the vulnerability in the wild.

4. Threat actors abuse Cloudflare Tunnel for persistent access, data theft

Hackers are increasingly abusing the legitimate Cloudflare Tunnels feature to create stealthy HTTPS connections from compromised devices, bypass firewalls, and maintain long-term persistence. Cloudflare Tunnel’s cloudflared command-line tool enables users to set up safe connections between an origin web server and Cloudflare’s closest data center, hiding the web server IP addresses and thwarting brute-force login and volumetric distributed denial-of-service (DDoS) attacks. This capability gives a lucrative way for a threat actor with elevated access to an infected host to establish a foothold by creating the token necessary to create the tunnel from the victim computer.

As soon as a configuration modification is performed in the Cloudflare Dashboard, the tunnel updates. This enables TAs to only activate functionality when they need to conduct operations on the victim computer and to stop functionality when they do not want their infrastructure to be exposed. What is more alarming is that the adversary may use the Private Networks capabilities of the tunnel to covertly access a variety of IP addresses (i.e., endpoints inside a local network) as if they were “physically collocated” with the victim system hosting the tunnel. To enable detection of unauthorized tunnels, organizations using Cloudflare services could potentially limit their services to specific data centers and generate detections for traffic like Cloudflared tunnels that route to anywhere except their specified data centers.

5. APT31’s sophisticated malware techniques and their impact on industrial cybersecurity

APT31, a recognized Chinese threat actor has been linked to advanced backdoors capable of exfiltrating sensitive information to Dropbox. APT31’s cyber-espionage toolkit reveals a meticulously crafted three-stage attack. The first phase establishes a robust persistence mechanism, ensuring that the malware remains entrenched in the infiltrated system, even surviving potential reboots. The second phase focuses on data harvesting. This sophisticated malware variant has the capability to delve into Microsoft Outlook folders to unearth critical file names, alongside the power to execute remote commands. 

In the third phase, APT31’s malware packages the harvested data, typically compressing it into RAR archive files for efficiency, and then transmits it to a remote server under the attackers’ control. Significantly, APT31’s modus operandi diverges from conventional tactics by setting up its command-and-control infrastructure within the victim’s internal network. To stay protected, it is recommended to install and update centralized security software, ensure Active Directory policies restrict unnecessary user access, and implement two-factor authentication, such as smart cards or one-time codes, for VPNs.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider