DDoS attacks on IoT devices skyrocket in 2023

SISA Weekly Threat Watch - 25 September 2023

In the past week, a spectrum of cyber threats and attacks has emerged, highlighting the evolving landscape of digital risks. These threats encompass advanced ransomware attacks, a surge in IoT-related DDoS attacks, cloud-native cryptojacking campaigns, and sophisticated web-skimming campaigns targeting payment companies. These developments underscore the imperative for organizations and individuals alike to remain vigilant, implement robust cybersecurity practices, and stay informed about emerging threats to effectively safeguard their digital assets and privacy.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. BlackCat’s Sphynx Ransomware incorporates Impacket and RemCom for advanced attacks

Microsoft has identified a new variant of the BlackCat ransomware, known as Sphynx, which incorporates the Impacket networking framework and the RemCom hacking tool. Impacket is used for credential dumping, allowing threat actors to extract usernames and passwords from processes on compromised devices. RemCom is a small remote shell that provides threat actors with the capability to execute commands on remote devices within the compromised network. This development enables the ransomware to propagate laterally within compromised networks.

Unlike traditional ransomware that primarily focuses on encrypting files for ransom, Sphynx represents a toolkit. This means it combines various tools and functionalities, including Impacket and RemCom, to carry out a broader range of attacks. This advanced ransomware variant highlights the importance of proactive cybersecurity measures, including patch management, network segmentation, and robust security tools. Organizations must also prioritize employee training and incident response planning to effectively defend against such threats.

2. IoT sparks new DDoS alert: The emergence of DDoS 2.0

The Internet of Things (IoT) is revolutionizing operational efficiency across diverse sectors like healthcare and logistics. However, it has also ushered in novel security vulnerabilities, most notably in the form of DDoS attacks originating from IoT devices. In H1 2023, IoT DDoS attacks surged by 300%, causing a $2.5 billion global financial loss. 90% of complex DDoS attacks in 2023 were botnet-based.

IoT devices’ distributed nature makes them ideal platforms for such attacks, posing difficulties in identifying and thwarting malicious traffic, thereby compounding the challenges associated with DDoS defense. To expand botnets, attackers target new IoT devices, involving the botnet and loader server. The botnet infiltrates the device, and the loader server deploys malware, granting persistent access incorporating it into the botnet’s network. Users are advised to implement safe IoT practices, regularly update IoT devices, implement multi-layer security protocols from firewalls to intrusion detection systems, and invest in specialized DDoS protection solutions to prevent devices from being compromised.

3. New AMBERSQUID cryptojacking operation targets uncommon AWS services

A recently emerged cloud-native cryptojacking campaign is targeting less commonly used Amazon Web Services (AWS), including AWS Amplify, AWS Fargate, and Amazon SageMaker, with the aim of secretly mining cryptocurrency. The AMBERSQUID operation effectively exploited cloud services without triggering AWS resource approval requirements, which would have been the case with spamming EC2 instances.  Security researchers identified this campaign by analyzing 1.7 million images on Docker Hub, moderately attributing it to Indonesian attackers due to the use of the Indonesian language in scripts and usernames. Some images run cryptocurrency miners from actor-controlled GitHub repositories, while others execute shell scripts targeting AWS.

A notable tactic involves the misuse of AWS CodeCommit which is used to host private Git repositories, to create a private repository, utilized in various services as a source. This repository contains the source code of an AWS Amplify app, which a shell script leverages to build an Amplify web app and initiate the cryptocurrency mining process. To prevent such attacks, it is recommended to set up comprehensive monitoring and alerting for AWS services, enable AWS Trusted Advisor for real-time recommendations, and implement least privilege IAM (Identity and Access Management) policies.

4. Critical security vulnerabilities uncovered in Nagios XI network monitoring software

Several security vulnerabilities have been revealed in the Nagios XI network monitoring software, potentially leading to unauthorized privilege elevation and the exposure of sensitive information. According to a researcher, if three specific vulnerabilities (CVE-2023-40931, CVE-2023-40933, and CVE-2023-40934) are successfully exploited, an authenticated attacker could potentially execute arbitrary SQL commands. This would enable users, with varying levels of access privileges, to access and retrieve data from the database.

The information acquired through these vulnerabilities could be used to further elevate their privileges within the system and obtain sensitive user data like password hashes and API tokens. In contrast, CVE-2023-40932 pertains to a different issue, specifically a cross-site scripting (XSS) vulnerability found in the Custom Logo component. Exploiting this flaw could allow an attacker to inject arbitrary JavaScript into the system, giving them the ability to read and modify page data. It is highly recommended that users upgrade to Nagios XI version 5.11.2 or a later version to avoid exploitation of the vulnerabilities.

5. Silent Skimmer campaign targets payment companies in APAC and NALA regions

Silent Skimmer, a financially motivated threat actor, has been conducting a sophisticated web-skimming campaign for over a year, initially focused on the APAC region but expanding to North America. They exploit internet-facing applications, utilizing a .NET deserialization vulnerability like CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX, allowing remote code execution. Upon successful exploitation, they deploy a malicious DLL payload to the compromised server, initiating a series of actions to introduce various malicious tools stored on an HTTP File Server controlled by the attackers.

In the final stage, they exfiltrate sensitive financial data to obfuscate their activities. While the threat actor’s identity remains undisclosed, clues point to Chinese involvement, such as Chinese code in PowerShell Remote Access Trojans and the geographic location of the command-and-control server in Asia. Their strategic targets include online businesses and Point-of-Sale providers running ASP.NET and IIS web servers. Organizations must remain vigilant, apply patches, monitor their infrastructure, and collaborate with the cybersecurity community to defend against this ongoing threat.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider