SISA Weekly Threat Watch – October 10th, 2022
SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.
Organizations can also opt-in for our free daily threat advisories by subscribing here.
Improved attack approaches adopted by cyber criminals have made defending against increasingly complex cyberthreats a challenging task for organizations. According to recent studies by security analysts, adversaries often lurk inside a target network, waiting for an opportunity to access valuable assets or expand their presence and eventually take complete control of the systems. This past week researchers uncovered multiple such instances involving payment card fraud, ransomware attacks, new malware backdoors and fake browser updates.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. A multimillion-dollar global online credit card scam uncovered
ReasonLabs, a cybersecurity firm, has revealed a massive operation that allegedly stole millions of dollars from credit cards between 2019 and earlier this year. The fraudsters' scheme involves running a large network of fake dating websites with working customer service departments. Once the websites are operational, the con artists persuade payment processors to grant them credit card acceptance. The scammers then scan the darknet for thousands of stolen credit cards, purchase them, and charge them for the services on their bogus websites.
The scammers behind this scheme most likely employed proxies to build the multiple fake dating websites. All the websites point to the bogus domain https://dateprofits[.]com as an affiliate management program. As a best practice, all cardholders should review their monthly billing statements and immediately report any erroneous charges. No matter how small the charge may be, failing to report it gives threat actors plenty of time to carry out their plans.
2. Microsoft confirms new Exchange Zero-Days being used in attacks
Microsoft has confirmed the existence of two recently discovered zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. Authentication to the Exchange server is necessary to successfully exploit the Server-Side Request Forgery (SSRF) vulnerability CVE-2022-41040. Once exploited, it can be chained with CVE-2022-41082 to achieve remote code execution (RCE) through the PowerShell Remoting Service.
With full user access and the privileges attached to the account, the attacker can view, change, or delete data as well as create new accounts. The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. Microsoft also suggests that admins block the 5985/TCP and 5986/TCP Remote PowerShell ports to prevent attacks. It is also recommended to apply automated patch management to enterprise assets on a more frequent basis so that applications are kept up to date.
3. FARGO Ransomware (Mallox) being distributed to vulnerable MS-SQL Servers
FARGO, like GlobeImposter, is a well-known ransomware family that targets weakly secured MS-SQL servers. According to the researchers, the MS-SQL process on the compromised machine starts the ransomware infection by downloading a .NET file using cmd.exe and powershell.exe. The payload then retrieves additional malware, including the locker, and generates and executes a BAT file that shuts down services and processes.
The ransomware payload then attempts to delete the registry key of the open-source ransomware “vaccine” known as Raccine by injecting itself into AppLaunch.exe, a legitimate Windows process. The malware then creates the ransom note (named “RECOVERY FILES.txt”) and renames the locked files with the extension “.Fargo3”. Using strong and unique passwords and keeping all machines up to date with the latest security patches is essential to stay protected from such attacks.
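The behaviours described above (an MS-SQL process spawning cmd.exe or powershell.exe, AppLaunch.exe removing Raccine's registry entries, the “RECOVERY FILES.txt” note and the “.Fargo3” extension) are all visible in ordinary endpoint telemetry. The following detection sketch is an added example, not SISA's or the researchers' code: the event records are constructed, the Sysmon-like field names are an assumption, and so is the placement of Raccine's entries under Image File Execution Options.

```python
"""Detection sketch for the FARGO (Mallox) infection chain on an MS-SQL host.
Added example; the events and field names below are constructed/assumed."""
from dataclasses import dataclass
from typing import List

RANSOM_NOTE = "recovery files.txt"          # ransom note named on the page
RANSOM_EXT = ".fargo3"                      # extension appended to locked files
MASS_RENAME_THRESHOLD = 5                   # how many renames before we alert
SQL_IMAGE = "sqlservr.exe"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
RACCINE_TARGET = "applaunch.exe"            # process FARGO injects into
# Raccine registers itself via IFEO debugger entries (assumption for this example).
IFEO_PREFIX = (r"hklm\software\microsoft\windows nt\currentversion"
               r"\image file execution options")


@dataclass
class Event:
    kind: str               # "process", "file" or "registry"
    image: str              # process that performed the action
    parent: str = ""        # parent image (process events only)
    command_line: str = ""  # command line (process events only)
    target: str = ""        # file path or registry key touched


def _name(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Event]) -> List[str]:
    """Return one finding per suspicious pattern seen in the event stream."""
    findings: List[str] = []
    renamed = 0
    for ev in events:
        if ev.kind == "process":
            # The SQL Server process should never spawn a shell; this is step one of the chain.
            if _name(ev.parent) == SQL_IMAGE and _name(ev.image) in SHELL_CHILDREN:
                findings.append(f"sqlservr.exe spawned {_name(ev.image)}: {ev.command_line}")
        elif ev.kind == "registry":
            # AppLaunch.exe deleting IFEO entries matches the Raccine removal step.
            if _name(ev.image) == RACCINE_TARGET and ev.target.lower().startswith(IFEO_PREFIX):
                findings.append(f"AppLaunch.exe deleted IFEO key: {ev.target}")
        elif ev.kind == "file":
            name = _name(ev.target)
            if name == RANSOM_NOTE:
                findings.append(f"ransom note written by {_name(ev.image)}: {ev.target}")
            elif name.endswith(RANSOM_EXT):
                renamed += 1
    if renamed >= MASS_RENAME_THRESHOLD:
        findings.append(f"{renamed} files renamed with {RANSOM_EXT}")
    return findings


# Constructed sample telemetry: one benign shell from Explorer plus the FARGO chain.
SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15\MSSQL\Binn\sqlservr.exe"
PAYLOAD = r"C:\Users\Public\payload.exe"
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cmd.exe", parent=SQL,
          command_line=r"cmd.exe /c powershell.exe -File C:\Users\Public\stage.ps1"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\System32\cmd.exe",
          command_line=r"powershell.exe -File C:\Users\Public\stage.ps1"),
    Event("process", r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe",
          command_line="cmd.exe"),  # benign interactive shell, must not alert
    Event("registry", r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
          target=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                 r"\Image File Execution Options\vssadmin.exe"),
    Event("file", PAYLOAD, target=r"C:\Users\Public\RECOVERY FILES.txt"),
] + [Event("file", PAYLOAD, target=rf"C:\Data\report{i}.docx.Fargo3") for i in range(6)]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The mass-rename threshold is what keeps the extension check from firing on a single stray file; the parent-process check is the earliest and most reliable signal, since a production SQL Server process has no legitimate reason to launch cmd.exe or powershell.exe.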
4. New malware Backdoors VMware ESXi Servers to hijack virtual machines
Hackers have developed a new technique for establishing persistence on VMware ESXi hypervisors, allowing them to covertly control Windows and Linux virtual machines as well as vCenter servers. The threat actor, identified as UNC3886, modified the acceptance level from “community” to “partner” in the XML descriptor of the VIB used in the attack to mislead anyone looking into it.
The attacker also used the ‘--force’ flag to install the malicious VIBs. Using these methods, the threat actor infected the compromised ESXi server with the malware known as VirtualPita and VirtualPie. These two malware families allow the execution of arbitrary commands, file uploads and downloads, and the starting and stopping of the logging system. To prevent systems from being compromised, it is recommended to use vCenter Single Sign-On and to consider decoupling ESXi and vCenter Servers from Active Directory. Additionally, centralized logging of ESXi environments is essential both for proactive detection of potentially malicious behavior and for event investigation.
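Two of the artifacts described above can be checked directly from collected data: a VIB descriptor whose acceptance level has been raised to “partner” (or higher) although the vendor is not VMware, and ESXi shell history showing a VIB installed with ‘--force’. The following audit helpers are an added example, not SISA's or the researchers' code; the descriptor element names (<vendor>, <acceptance-level>), the shell.log line shape and the sample inputs are all constructed assumptions.

```python
"""Audit helpers for ESXi VIB tampering: suspicious descriptor.xml acceptance
levels and forced VIB installs in shell history.  Added example; element
names, log format and samples are assumptions/constructed."""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List, Set

VMWARE_VENDORS = {"vmw", "vmware"}
ELEVATED_LEVELS = {"partner", "vmwareaccepted", "vmwarecertified"}
# Matches the install command with the --force flag anywhere after the subcommand.
FORCE_INSTALL = re.compile(r"esxcli\s+software\s+vib\s+install\b.*\s--force\b", re.I)


def audit_descriptor(xml_text: str, trusted_vendors: Set[str] = VMWARE_VENDORS) -> List[str]:
    """Return review reasons for one VIB descriptor.xml (empty list = nothing odd).

    A VIB from an untrusted vendor that claims an elevated acceptance level is
    exactly the mislabelling described on the page.  Add known partner vendors
    to trusted_vendors to cut noise from legitimately signed third-party VIBs."""
    root = ET.fromstring(xml_text)
    name = (root.findtext("name") or "?").strip()
    vendor = (root.findtext("vendor") or "").strip()
    level = (root.findtext("acceptance-level") or "").strip()
    reasons: List[str] = []
    if not level:
        reasons.append(f"{name}: descriptor has no acceptance level")
    elif vendor.lower() not in trusted_vendors and level.lower() in ELEVATED_LEVELS:
        reasons.append(f"{name}: vendor '{vendor}' claims acceptance level '{level}'")
    return reasons


def forced_installs(shell_log_lines: Iterable[str]) -> List[str]:
    """Return the shell.log lines in which a VIB was installed with --force."""
    return [line.strip() for line in shell_log_lines if FORCE_INSTALL.search(line)]


# Constructed descriptors: one VMware-signed base package, one relabelled third-party VIB.
LEGIT_DESCRIPTOR = """<vib version="5.0">
  <type>bootbank</type>
  <name>esx-base</name>
  <version>7.0.3-0.0.EXAMPLE</version>
  <vendor>VMW</vendor>
  <acceptance-level>VMwareCertified</acceptance-level>
</vib>"""

SUSPECT_DESCRIPTOR = """<vib version="5.0">
  <type>bootbank</type>
  <name>example-driver</name>
  <version>1.0.0-1</version>
  <vendor>CUSTOM</vendor>
  <acceptance-level>partner</acceptance-level>
</vib>"""

# Constructed shell.log excerpt (timestamp, process, user, command).
SAMPLE_SHELL_LOG = [
    "2022-09-28T10:15:02Z shell[2063]: [root]: esxcli software vib list",
    "2022-09-28T10:16:40Z shell[2063]: [root]: esxcli software vib install -v /tmp/example-driver.vib --force",
    "2022-09-28T10:17:05Z shell[2063]: [root]: esxcli software vib install -d /vmfs/volumes/datastore1/patch.zip",
]

if __name__ == "__main__":
    for desc in (LEGIT_DESCRIPTOR, SUSPECT_DESCRIPTOR):
        for reason in audit_descriptor(desc):
            print("REVIEW:", reason)
    for line in forced_installs(SAMPLE_SHELL_LOG):
        print("FORCED INSTALL:", line)
```

Both checks only work if the data leaves the host: a descriptor can be pulled from the VIB archive during an investigation, but the shell history is exactly the log that the page recommends forwarding to a central store, since an attacker with root on the hypervisor can stop local logging.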
5. SolarMarker APT returns in a new Watering Hole Attack
The infamous SolarMarker threat actor group has announced its return and changed its attack strategy. In watering hole attacks, it is now using fake Chrome browser updates to distribute information-stealing malware of the same name. The compromised websites, built with open-source content management systems (CMS), usually have security flaws and are therefore easy to compromise.
The SolarMarker hackers initially relied on SEO poisoning to lure professionals searching for documents. The switch to faking Chrome updates to mislead employees indicates that the attackers are trying a new way to spread their data-stealing malware. Implementing appropriate endpoint monitoring and user awareness policies can help detect and prevent such threats. It is also recommended to avoid downloading files from unknown websites, as even a seemingly harmless action like looking for a template or agreement form can lead to infection.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.