SISA Weekly Threat Watch – December 19th, 2022

The use of open-source tools by threat actors in cyberattacks is on the rise. Attackers constantly refine and improve their post-exploitation methods to avoid detection during the planning and implementation stages in their victims’ environments. Following a series of exploited vulnerabilities last week, it is evident that the faster organizations implement swift and bold security measures, the sooner adversary activity can cease.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. FBI: Cuba ransomware raked in $60 Million from over 100 victims

The recently released joint advisory warns that critical infrastructure, financial services, healthcare, information technology, and government services are among the businesses being attacked by Cuba ransomware. The ransomware attackers updated their TTPs this year with new RATs and exploit kits. CVE-2022-24521 in the Windows Common Log File System (CLFS) driver and CVE-2020-1472 (Zerologon) in the Microsoft Netlogon process are two examples of targeted vulnerabilities in recent attack efforts.

After getting initial access, the actors use the Hancitor loader to spread the ransomware on infected devices. Enterprises are recommended to utilize email-based security to identify phishing emails as the initial infection may occur through spam email. Avoiding clicking on suspicious links, enabling multi-factor authentication (MFA), and implementing a recovery plan are some best practices to stay protected from such attacks.

2. Microsoft fixes 2 zero-day vulnerabilities and 49 flaws

As a part of its December 2022 Patch Tuesday, Microsoft fixed two zero-day vulnerabilities, including an actively exploited bug and 49 flaws. The various types of vulnerabilities include Elevation of Privilege Vulnerabilities, Remote Code Execution Vulnerabilities, Denial of Service Vulnerabilities, and Security Feature Bypass Vulnerabilities, among others.

The first zero-day vulnerability was a Windows SmartScreen Security Feature Bypass Vulnerability where an attacker can create a malicious file that would escape Mark of the Web (MOTW) defenses. This can result in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office. The second zero-day vulnerability was a DirectX Graphics Kernel Elevation of Privilege Vulnerability, exploiting which an attacker could gain SYSTEM privileges. Among 49 vulnerabilities fixed, six of them are classified as ‘Critical’ as they allow remote code execution. Users are recommended to install security updates to mitigate potential threats.

3. Iranian-state hackers targeting key figures in activism, journalism, and politics

A new discovery of social engineering and credential phishing activity was made by Iranian hacker organization APT42, which is known to overlap with Charming Kitten (also known as APT35 or Phosphorus). The report claims that the group has started a larger campaign using a fake URL shortener that uses the name of the real URL shortener cutt[.]ly. WhatsApp is used to distribute phishing links. After being clicked, it sends the target to a phony login page that is designed to seem like the Microsoft, Google, or Yahoo login pages.

As soon as the targets’ data was compromised, attackers had access to their emails, cloud storage folders, calendars, and contacts. Additionally, they synced the infected email and used the Google Takeout tool to export information on web searches, payments, travel and locations, and YouTube activity. To stay protected from such attacks, it is recommended to avoid clicking on suspicious links and downloading unknown email attachments without first checking their legitimacy. Enterprises must also implement MFA on all accounts, especially those that access critical systems.

4. Fortinet urges customers to fix actively exploited FortiOS SSL-VPN vulnerability

Multiple versions of Fortinet’s popular FortiGate firewall have a heap buffer overflow vulnerability that is said to have been exploited by the attackers in the wild. The company stated that the vulnerability affects multiple versions of the operating system for its FortiGuard appliances, which is FortiOS and informed that the flaw is in the SSL VPN functionality of the appliances. On successful exploitation, the flaw can allow unauthenticated users to crash devices remotely and potentially perform code execution.

When the vulnerability is exploited, it will generate the following entries in the logs: Logdesc=”Application crashed” and msg=”[…] application:sslvpnd,[…], Signal 11 received, Backtrace: […].“ Fortinet has shared a list of IP addresses seen exploiting the bug and also warned about the file system artifacts that would be present on exploited devices. In addition to applying the patches and disabling the VPN-SSL functionality, it is recommended to create access rules to limit connections from specific IP addresses.

5. Weaponizing EDR and Antivirus against users to wipe data

Multiple zero-day vulnerabilities have been discovered that could be exploited to turn security products such as endpoint detection and response (EDR) and antivirus (AV) tools into next-generation wipers with the potential to impact hundreds of millions of endpoints all around the world. The wiper runs with the permission of an unprivileged user and yet can wipe almost any file on a system, including system files, and make a computer unbootable.

There are two main events when an EDR deletes a malicious file. First, the EDR identifies a file as malicious and then it deletes it. Between these two events an attacker can use a junction and point the EDR towards a different path. These are called time-of-check to time-of-use (TOCTOU) vulnerabilities. The files could be deleted in a directory without having modification privileges. To address the vulnerability, users are advised to upgrade these software to new versions – Microsoft Malware Protection Engine: 1.1.19700.2; TrendMicro Apex One: Hotfix 23573 & Patch_b11136; Avast & AVG Antivirus: 22.10.