New supply chain attack exploits abandoned AWS S3 buckets

SISA Weekly Threat Watch - 26 June 2023

The speed with which state actors or financially motivated groups exploit newly disclosed vulnerabilities continues to be a major threat for enterprises across the world. Researchers detected threat actors targeting RDP connections, S3 buckets, and APIs in various attack campaigns last week. These attacks demonstrate the increasing sophistication of modern cyber-attacks, but also highlight how threat actors might use them to exploit older, widely adopted technologies.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Researchers uncover novel RDStealer malware targeting remote desktop protocol

First noticed in its use as part of a highly targeted cyber espionage operation called RedClouds against an East Asian IT company, the custom malware written in Golang called RDStealer, monitors RDP connections with client drive mapping enabled, infecting connecting RDP clients with a Logutil backdoor and exfiltrating sensitive data. A primary evasion tactic involves the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads.

The intrusion set is characterized by the use of a server-side backdoor called RDStealer, which specializes in continuously gathering clipboard content and keystroke data from the host. When a new RDP client connection is detected, commands are issued by RDStealer to exfiltrate sensitive data, such as browsing history, credentials, and private keys from apps like mRemoteNG, KeePass, and Google Chrome. All virtual channels are capable of transferring data and can be weaponized, so administrators are advised to consider exposed entry points and deploy automated protection controls.

2. New supply chain attack exploits abandoned S3 buckets to distribute malicious binaries

In a novel software supply chain attack aimed at open-source projects, it has emerged that threat actors could seize control of expired Amazon S3 buckets to serve rogue binaries without altering the modules themselves. The attackers poisoned the NPM package “bignum” by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones. Malicious binaries steal the user IDs, passwords, local machine environment variables, and local host name, and then exfiltrates the stolen data to the hijacked bucket.

The binary file was initially hosted on a now-expired Amazon AWS S3 bucket, which, if inaccessible, would prompt the package to look for the binary locally. However, an unidentified attacker noticed the sudden abandonment of a once-active AWS bucket and seized the abandoned bucket. Consequently, whenever bignum was downloaded or re-installed, the users unknowingly downloaded the malicious binary file, placed by the attacker. v0.13.1 of bignum does not use node-pre-gyp and does not have support for downloading pre-built binaries in any form, avoiding the risk of malicious downloads. Organizations must check that all software dependencies are properly vetted and then documented in a software bill of material so that the assets can be monitored.

3. VMware Aria Operations for Networks vulnerability exploited in the wild (CVE-2023-20887)

pre-authentication command injection vulnerability in VMware Aria Operations for Networks, has been spotted being exploited in the wild. The flaw could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. The fixes were released on June 7, 2023.

Now as per an update shared by VMware on June 20, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown yet. Affected products include VMware Aria Operations Networks versions 6.x. Users of Aria Operations for Networks are recommended to update to the latest version as soon as possible to mitigate potential risks.

4. ScarCruft hackers exploit Ably service for stealthy wiretapping attacks

Researchers have uncovered new custom malware known as ‘AblyGo backdoor’ and ‘FadeStealer,’ which are employed by threat actors in cyber espionage attacks. These malware variants are believed to be distributed through phishing emails that carry attachments in the form of password-protected Word and Hangul Word Processor documents (.docx and .hwp files), as well as a Windows CHM file named ‘password.chm.’ Once the CHM file is accessed, it not only displays the supposed password to unlock the documents but also silently downloads and executes a remote PowerShell script.

‘AblyGo backdoor,’ leverages the Ably Platform, an API service utilized by developers to incorporate real-time features and information delivery into their applications. The backdoors deployed in the compromised systems eventually introduce a final malicious payload known as ‘FadeStealer’ which utilizes DLL sideloading to inject itself into the legitimate ‘ieinstall.exe’ process of Internet Explorer. It is recommended to implement strong email security measures, including advanced spam filters, email authentication protocols (such as SPF, DKIM, and DMARC), and robust anti-malware solutions to detect and prevent phishing emails from reaching users’ inboxes. Additionally, develop a comprehensive incident response plan that outlines the steps to be taken in the event of a security breach.

5. ChamelDoH: New Linux backdoor leveraging DNS-over-HTTPS (DoH) tunneling

ChamelDoH, the malware crafted in C++, serves as a tool enabling communication through DNS-over-HTTPS (DoH) tunneling. To gain initial access and carry out data theft, ChamelGang has employed attack chains that exploit vulnerabilities found in Microsoft Exchange servers and Red Hat JBoss Enterprise Application. The group utilizes a passive backdoor named DoorMe, which functions as a native IIS module registered as a filter. This module exclusively processes HTTP requests and responses that contain the correct cookie parameter, demonstrating its unconventional operational principle.

ChamelDoH stands out due to its innovative communication approach, leveraging DNS-over-HTTPS (DoH) for its operations. This technique employs the HTTPS protocol to perform Domain Name System (DNS) resolution, enabling the malware to send DNS TXT requests to a malicious nameserver. It is recommended to deploy and maintain advanced endpoint protection solutions that include behavior-based detection mechanisms and real-time threat intelligence updates. This helps in detecting and blocking malicious activities associated with ChamelDoH and other malware variants. Secure DNS protocols and proper DNS resolution are also essential to prevent such attacks.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.

SISA’s Latest
close slider