Outlook flaw exploited by APT28 to breach Exchange accounts

SISA Weekly Threat Watch, Dec 11, 2023

A range of threats surfaced this past week: a new nation-state backdoor, a Linux ransomware variant built for VMware ESXi, active exploitation of an Outlook vulnerability, a MIPS build of the P2Pinfect botnet aimed at routers and IoT devices, and critical Remote Code Execution (RCE) flaws in Atlassian products. Together they underline the need for prompt patching and layered defences against these evolving threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Agent Racoon backdoor targets organizations in Middle East, Africa, and U.S.  

An as-yet unattributed threat group, assessed as a likely nation-state actor, has been targeting organizations across several sectors in the Middle East, Africa, and the United States with a .NET backdoor known as Agent Racoon. The malware masquerades as a Google Update or Microsoft OneDrive Update binary and talks to its command-and-control (C2) infrastructure over DNS, encoding data in Punycode subdomains of the C2 domain.

The backdoor supports remote command execution, file upload and download, and remote access, and multiple code variants have been observed, which suggests continued development for specific operations. Alongside it the attackers use custom tooling: Mimilite, a customized Mimikatz build, for credential dumping, and Ntospy, a malicious network provider DLL that intercepts credentials during logon; they also used PowerShell snap-ins to harvest and exfiltrate email. Defenders should integrate threat intelligence on this cluster, monitor DNS for high volumes of queries to ever-changing Punycode subdomains of a single domain, and watch for newly registered network providers (a registered network provider DLL is loaded during authentication), in addition to the usual credential-hygiene measures.
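The DNS pattern described above is the most practical thing to hunt for on the network side: many queries from one client to a single registered domain whose subdomains are Punycode and keep changing. The following is an added illustration for this item, not Unit 42's or SISA's tooling; the resolver log format, hostnames, client addresses and thresholds are constructed for the example, and the "registered domain = last two labels" rule is a simplification that a production version would replace with the Public Suffix List.

```python
"""Hunt for DNS-based C2 that hides data in Punycode-encoded subdomains.

Added example for the Agent Racoon item above; illustrative code, not Unit 42's
or SISA's tooling. The resolver log format, hostnames and client addresses are
constructed, and "registered domain = last two labels" is a simplification.
"""
from collections import defaultdict

# Constructed resolver log: timestamp, client IP, query type, query name.
SAMPLE_DNS_LOG = """\
2023-12-04T09:01:02Z 10.0.0.12 A www.microsoft.com
2023-12-04T09:01:03Z 10.0.0.12 A xn--mnchen-3ya.de
2023-12-04T09:01:05Z 10.0.0.12 A xn--80ak6aa92e.update-checker.example
2023-12-04T09:01:06Z 10.0.0.12 A xn--90a3ac4qd.update-checker.example
2023-12-04T09:01:07Z 10.0.0.12 A xn--e1afmkfd7g.update-checker.example
2023-12-04T09:01:08Z 10.0.0.12 A xn--j1ail0x.xn--80ak6aa92e.update-checker.example
2023-12-04T09:01:09Z 10.0.0.13 A xn--80ak6aa92e.files.example
2023-12-04T09:01:10Z 10.0.0.13 A cdn.files.example
"""

# Hypothetical starting thresholds; tune them against your own DNS baseline.
MIN_ENCODED_QUERIES = 3
MIN_DISTINCT_SUBDOMAINS = 3


def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples; qname lower-cased, no trailing dot."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qtype, qname = parts
        records.append((ts, client, qtype, qname.rstrip(".").lower()))
    return records


def split_name(qname):
    """Split a query name into (subdomain, registered_domain) using the last-two-labels rule."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def has_punycode_subdomain(subdomain):
    """True if any label left of the registered domain is Punycode (xn-- prefix).

    A Punycode registered domain (an ordinary IDN) is normal; Punycode *subdomains*
    that change from query to query are the beaconing pattern we care about.
    """
    return any(label.startswith("xn--") for label in subdomain.split(".") if label)


def find_tunnel_candidates(records):
    """Group queries by (client, registered domain) and flag Punycode-subdomain bursts."""
    stats = defaultdict(lambda: {"encoded": 0, "subdomains": set()})
    for _ts, client, _qtype, qname in records:
        subdomain, base = split_name(qname)
        if has_punycode_subdomain(subdomain):
            entry = stats[(client, base)]
            entry["encoded"] += 1
            entry["subdomains"].add(subdomain)
    flagged = {}
    for key, entry in stats.items():
        if entry["encoded"] >= MIN_ENCODED_QUERIES and len(entry["subdomains"]) >= MIN_DISTINCT_SUBDOMAINS:
            flagged[key] = {"encoded": entry["encoded"], "distinct_subdomains": len(entry["subdomains"])}
    return flagged


if __name__ == "__main__":
    for (client, domain), info in find_tunnel_candidates(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {domain}: {info['encoded']} Punycode-subdomain queries, "
              f"{info['distinct_subdomains']} distinct subdomains")
```

Run against the constructed log, only the 10.0.0.12 to update-checker.example pairing is reported; the genuine IDN query and the single Punycode subdomain from 10.0.0.13 fall below the thresholds, which is the point of counting per client and per registered domain rather than alerting on every xn-- label.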

2. Qilin ransomware’s Linux variant targets VMware ESXi

The Qilin ransomware gang has built a dedicated VMware ESXi encryptor that stands out among Linux encryptors for its level of customization. Originally known as "Agenda" and later rebranded as Qilin, the group breaches enterprise networks, steals data, and then deploys ransomware to encrypt devices across the network. Unlike many operations whose Linux encryptors are derived from the leaked Babuk source code, Qilin builds its own, with extensive configuration exposed through command-line arguments.

On execution the encryptor checks what kind of server it is running on and, when it finds VMware ESXi, uses esxcli and esxcfg-advcfg to enumerate and stop virtual machines and adjust host settings before encrypting. Encrypted files receive the extension set in the build configuration, and a ransom note directs victims to the gang's Tor negotiation site. Organizations should keep encrypted offline backups, segment the network, and restrict management access to ESXi hosts: keep SSH and the ESXi Shell disabled unless they are needed, and place management interfaces on an isolated network.
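Because the encryptor drives the hypervisor through the ESXi shell, the host's own shell.log is a good place to look for it: a burst of `esxcli vm process kill` commands followed by `esxcfg-advcfg` changes in one session is not normal administrator behaviour. The following is an added example for this item, not Qilin's code and not a vendor signature; the shell.log lines, world IDs and the esxcfg-advcfg setting are constructed, and the three-kills-in-sixty-seconds threshold is a hypothetical starting point.

```python
"""Flag ESXi shell sessions that mass-kill VMs or change advanced settings.

Added example for the Qilin ESXi item above; not Qilin's code nor a vendor
signature. The shell.log excerpt, world IDs and the esxcfg-advcfg setting are
constructed; the burst threshold is a hypothetical starting point.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/shell.log excerpt (ESXi records each interactive shell command).
SAMPLE_SHELL_LOG = """\
2023-12-04T10:15:31Z shell[20481]: [root]: esxcli vm process list
2023-12-04T10:15:40Z shell[20481]: [root]: esxcli vm process kill --type=force --world-id=2103105
2023-12-04T10:15:41Z shell[20481]: [root]: esxcli vm process kill --type=force --world-id=2103188
2023-12-04T10:15:42Z shell[20481]: [root]: esxcli vm process kill --type=force --world-id=2103201
2023-12-04T10:15:50Z shell[20481]: [root]: esxcfg-advcfg -s 1 /UserVars/SuppressShellWarning
2023-12-04T11:02:10Z shell[20990]: [admin]: esxcli vm process kill --type=soft --world-id=2103333
"""

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
ADVCFG_RE = re.compile(r"\besxcfg-advcfg\b")

KILL_BURST_COUNT = 3                     # hypothetical threshold
KILL_BURST_WINDOW = timedelta(seconds=60)


def parse_shell_log(text):
    """Yield (timestamp, session_pid, user, command) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def has_kill_burst(times):
    """True if KILL_BURST_COUNT kills fall within KILL_BURST_WINDOW of each other."""
    times = sorted(times)
    for i in range(len(times) - KILL_BURST_COUNT + 1):
        if times[i + KILL_BURST_COUNT - 1] - times[i] <= KILL_BURST_WINDOW:
            return True
    return False


def find_suspicious_sessions(text):
    """Return {session_pid: {"user": ..., "findings": [...]}} for sessions worth a look."""
    kills = defaultdict(list)
    advcfg = defaultdict(list)
    users = {}
    for ts, pid, user, cmd in parse_shell_log(text):
        users[pid] = user
        if KILL_RE.search(cmd):
            kills[pid].append(ts)
        if ADVCFG_RE.search(cmd):
            advcfg[pid].append(cmd)
    report = {}
    for pid in set(kills) | set(advcfg):
        findings = []
        if has_kill_burst(kills.get(pid, [])):
            findings.append("mass-vm-kill")
        if advcfg.get(pid):
            findings.append("advanced-config-change")
        if findings:
            report[pid] = {"user": users[pid], "findings": findings}
    return report


if __name__ == "__main__":
    for pid, info in find_suspicious_sessions(SAMPLE_SHELL_LOG).items():
        print(f"shell[{pid}] ({info['user']}): {', '.join(info['findings'])}")
```

The single soft kill from the second session is deliberately left alone: an administrator stopping one VM is routine, while three forced kills inside a minute followed by an advanced-setting change is the shape of a pre-encryption sequence. Ship shell.log to a remote collector; an encryptor running as root on the host can truncate the local copy.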

3. APT28 hackers exploit Outlook vulnerability to compromise Exchange accounts 

Microsoft Threat Intelligence warned that the Russian state-sponsored actor APT28 (tracked by Microsoft as Forest Blizzard) is exploiting CVE-2023-23397, an Outlook vulnerability, to compromise Microsoft Exchange accounts and steal sensitive mail. The flaw is a critical elevation-of-privilege (EoP) bug in Outlook for Windows; Microsoft patched it as a zero-day in March 2023, but APT28 had been exploiting it since April 2022.

The lure is a specially crafted message (a task or appointment carrying a reminder) whose reminder-sound property points to an attacker-controlled SMB share. When the reminder fires, Outlook connects to that share and performs NTLM authentication with no user interaction, leaking the user's Net-NTLMv2 hash. APT28 relayed these hashes to authenticate to Exchange as the victim, moved laterally, and altered Outlook mailbox folder permissions so that it could keep reading targeted mailboxes. Detection is hard because the exploit leaves little on the endpoint beyond the malicious message itself and the outbound SMB connection. Apply Microsoft's updates for CVE-2023-23397 and for CVE-2023-29324, the bypass patched in May 2023; as compensating controls, block outbound TCP 445 from workstations to the internet and add high-value accounts to the Protected Users security group, which disables NTLM authentication for its members.

4. MIPS chips targeted by new P2Pinfect malware in routers and IoT-based attacks 

A new variant of the P2Pinfect malware, compiled for the MIPS architecture, targets routers, IoT and other embedded devices, gaining initial access by brute-forcing SSH credentials. Written in Rust, the malware is a botnet agent that links infected hosts over a peer-to-peer protocol. P2Pinfect itself was first documented in July 2023; this build adds MIPS support and keeps the original propagation methods, scanning for weak SSH credentials and compromising Redis servers through CVE-2022-0543 (a Lua sandbox escape present in some Linux-distribution builds of Redis) and through abuse of Redis replication, which lets an attacker-controlled master push a payload to the victim.

The malware tries to upload its MIPS binary over SFTP and SCP, also targets the 'redis-server' package on OpenWrt, and embeds a 64-bit Windows DLL in the 32-bit MIPS ELF that serves as a loadable Redis module for executing shell commands. To reduce exposure, bind Redis to local interfaces, keep protected-mode on, require authentication, and rename or disable the SLAVEOF/REPLICAOF and MODULE commands; replace default credentials and, where possible, disable password authentication for SSH on routers and IoT devices; turn off services that are not needed; deploy IDS/IPS coverage for the relevant signatures; and baseline network traffic so that peer-to-peer beaconing stands out.
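The Redis hardening points above can be checked mechanically. The following is an added example for this item, not Cado's or SISA's tooling: a small redis.conf auditor run against a constructed default-looking configuration and a constructed hardened one. It covers exposure and the replication/module-loading path the worm abuses; CVE-2022-0543 is a packaging bug in some distribution builds of Redis and is fixed by updating the package, not by configuration, so it is out of scope here. The `enable-module-command` directive exists only in Redis 7.0 and later, which is why the hardened sample also carries the `rename-command` lines for older versions.

```python
"""Audit a redis.conf for the settings P2Pinfect-style worms rely on.

Added example for the P2Pinfect item above; not Cado's or SISA's tooling.
Both configurations are constructed. CVE-2022-0543 is fixed by updating the
Redis package and cannot be detected from the configuration file.
"""
import shlex
from collections import defaultdict

# Constructed: a default-looking, internet-exposed deployment.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: the same server hardened. enable-module-command is Redis 7.0+;
# the rename-command lines cover older versions. Replace the password placeholder.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command SLAVEOF ""
rename-command REPLICAOF ""
rename-command MODULE ""
rename-command CONFIG ""
enable-module-command no
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "::*", "*"}


def parse_redis_conf(text):
    """Map each directive (lower-cased) to the list of argument lists it was given."""
    directives = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # turns the "" in rename-command lines into an empty string
        directives[parts[0].lower()].append(parts[1:])
    return directives


def audit_redis_conf(text):
    """Return a list of finding codes; an empty list means no weakness detected."""
    conf = parse_redis_conf(text)
    findings = []

    # Listening on every interface (or not restricting bind at all) exposes the port.
    binds = [addr.lstrip("-") for args in conf.get("bind", []) for addr in args]
    if not binds or any(addr in WILDCARD_BINDS for addr in binds):
        findings.append("exposed-bind")

    if any(args[:1] == ["no"] for args in conf.get("protected-mode", [])):
        findings.append("protected-mode-off")

    # No requirepass and no ACL users: anyone who can reach the port can issue commands.
    if not conf.get("requirepass") and not conf.get("user"):
        findings.append("no-auth")

    disabled = {args[0].upper() for args in conf.get("rename-command", [])
                if len(args) == 2 and args[1] == ""}
    # SLAVEOF/REPLICAOF let an attacker point the server at a rogue master that ships a payload.
    if not {"SLAVEOF", "REPLICAOF"} <= disabled:
        findings.append("replication-commands-enabled")

    # MODULE LOAD is how the pushed payload becomes code running inside redis-server.
    module_cmd_off = any(args[:1] == ["no"] for args in conf.get("enable-module-command", []))
    if "MODULE" not in disabled and not module_cmd_off:
        findings.append("module-loading-enabled")

    return findings


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

The weak configuration trips all five checks; the hardened one trips none. Renaming SLAVEOF/REPLICAOF to an empty string breaks legitimate replication too, so on real replicas rename them to an unguessable string and keep the password requirement instead of removing the commands outright.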

5. Patch released for critical RCE vulnerabilities in Atlassian products 

Atlassian released security updates for several critical and high-severity vulnerabilities, including RCE flaws, across its Data Center and Server products. Among them is CVE-2022-1471, an unsafe deserialization flaw in the SnakeYAML library (fixed upstream in SnakeYAML 2.0) that can lead to RCE in the multiple Atlassian products that bundle it. Also rated critical are CVE-2023-22522, a template injection in Confluence Data Center and Server that an authenticated user (or an anonymous user, where anonymous access is enabled) can turn into RCE, and CVE-2023-22523, a privileged RCE affecting the Assets Discovery agent in Jira Service Management.

A further flaw in Atlassian Companion for macOS (CVE-2023-22524) can lead to code execution by bypassing the app's blocklist and macOS Gatekeeper. Of particular concern is that proof-of-concept exploit code is publicly available for CVE-2022-1471, which raises the likelihood of exploitation across the affected Atlassian platforms. Given the growing targeting of Atlassian.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
