Evolved Raspberry Robin targets systems with one-day exploits

Last week’s cybersecurity landscape was marked by critical security developments across various fronts, including vulnerabilities affecting Linux distributions, banking institutions targeted by sophisticated trojans, evolution of Raspberry Robin malware, Microsoft addressing 73 security vulnerabilities, and the emergence zero-day exploits targeting Microsoft Exchange Server. These events emphasize the need for strengthened cybersecurity measures, involving timely software updates and regular security awareness training, to effectively counteract the escalating threats. 

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats. 

1. CVE-2023-40547: Critical Boot Loader flaw in Shim impacts Linux distributions 

The CVE-2023-40547 vulnerability poses significant concerns as it allows attackers to install persistent bootkits on various Linux distributions, including Debian, SUSE, and Ubuntu, by exploiting the shim boot loader. Shim, essential in the boot process of most Linux distributions, ensures secure boot through certificate embedding and bootloader authentication but mishandles the HTTP protocol, leading to potential remote code execution through an out-of-bounds write scenario.  

Major Linux distributions like Debian, SUSE, and Ubuntu have issued advisories addressing this critical flaw, highlighting the susceptibility of Shim boot support to attacker-controlled values during HTTP response parsing. Exploiting this vulnerability, attackers can intercept HTTP traffic to inject malicious content, manipulate EFI variables, or exploit PXE to gain early system control, necessitating updating Shim and refreshing the secure boot chain of trust as key recommendations. 

2. Coyote: Exploiting Squirrel installer, multi-stage trojan targets 61 Brazilian banks

Sixty-one Brazilian banking institutions have been targeted by Coyote, a sophisticated banking trojan utilizing the Squirrel installer for distribution and employing Node.js and the lesser-known Nim programming language as a loader. Coyote stands out for its unique approach, utilizing the open-source Squirrel framework and shifting away from Delphi to Nim. In a documented attack chain, Coyote uses a Squirrel installer to trigger a Node.js application, executing a Nim-based loader to deploy the malicious payload through DLL side-loading.  

Once activated, Coyote monitors systems, communicates with a controlled server, and conducts malicious activities like taking screenshots and logging keystrokes. Mitigation recommendations include installing applications from reliable sources, cautious permission granting, avoiding suspicious links, employing robust security solutions, and providing cybersecurity awareness training. 

3. Raspberry Robin malware evolves with early access to Windows exploits

The recent iterations of the Raspberry Robin malware exhibit enhanced stealth capabilities and target vulnerable systems exclusively with one-day exploits, exploiting recently patched vulnerabilities before patches are widely implemented. Initially discovered in 2021, Raspberry Robin is a dynamic worm known for using USB drives to infiltrate systems and deploy additional payloads, with affiliations to threat actors like EvilCorp, FIN11, TA505, and the Clop ransomware gang.  

Recent activities show an escalation in global attacks, utilizing Discord to distribute malicious archive files containing digitally signed executables and malicious DLL files. Upon execution, Raspberry Robin leverages various one-day exploits, including those for CVE-2023-36802 and CVE-2023-29360, targeting Microsoft Streaming Service Proxy and Windows TPM Device Driver vulnerabilities, respectively, before public disclosure of exploit codes. Mitigation strategies include employee training on phishing awareness, robust endpoint protection, network monitoring, and strict access control policies. 

4. Microsoft February 2024 Patch Tuesday fixes 2 exploited zero-days, 73 flaws

Microsoft has released patches addressing 73 security vulnerabilities, including two actively exploited zero-days: CVE-2024-21351 affecting Windows SmartScreen and CVE-2024-21412 affecting Internet Shortcut Files, both enabling attackers to bypass security features and potentially execute arbitrary code. The vulnerabilities cover various Microsoft products, including Windows, Microsoft Exchange Server, and Microsoft Outlook, with 16 elevation of privilege, 3 security feature bypass, 30 remote code execution, 5 information disclosure, 9 denial of service, and 10 spoofing vulnerabilities.  

Notably, the APT group DarkCasino (Water Hydra) exploited CVE-2024-21412 targeting financial traders. Critical vulnerabilities fixed include those affecting Windows Hyper-V, Pragmatic General Multicast (PGM), Microsoft Dynamics Business Central/NAV, Microsoft Exchange Server, and Microsoft Outlook. Organizations are recommended to promptly apply security patches to affected systems and educate users on phishing awareness to avoid opening suspicious files or clicking on links from unknown sources. 

5. CVE-2024-21410: Zero-day exploitation of new Critical Exchange Server vulnerability

Microsoft has confirmed the active exploitation of CVE-2024-21410, a critical security vulnerability in Exchange Server, enabling remote, unauthenticated threat actors to escalate privileges through NTLM relay attacks specifically targeting vulnerable versions of Microsoft Exchange Server. In these attacks, attackers manipulate network devices to authenticate against an NTLM relay server under their control, impersonating targeted devices and escalating privileges.  

Exploiting vulnerabilities in NTLM clients like Outlook, attackers leak credentials, then relay them against the Exchange server, assuming victim client privileges and potentially gaining unauthorized access. Exchange Server 2019 CU14 addresses the vulnerability by enabling NTLM credentials Relay Protections. Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016, to protect against attacks targeting unpatched devices.