Vietnamese hackers use DarkGate malware to target US entities

SISA Weekly Threat Watch 30 October, 2023

This week’s cybersecurity landscape featured a range of threats, including security breaches compromising customer data, critical remote code execution vulnerabilities in software, zero-day attacks on networking devices, targeted malware attacks by Vietnamese hackers, and a critical vulnerability in virtualization software. These attacks underline the importance of maintaining strong security measures and promptly addressing software vulnerabilities to safeguard against diverse cyber threats.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Okta’s support system breach exposes customer data to unrecognized threat actors

Okta, an identity services provider, has disclosed a security breach in which unidentified threat actors used stolen login credentials to gain access to its support case management system. The Auth0/CIC case management system was not affected. The compromised support system does, however, hold HTTP Archive (HAR) files that customers share with support, and these files can contain cookies and session tokens that an attacker could exploit.

In one of the incidents, the attackers used an authentication token stolen from Okta’s support system to access an Okta instance, taking advantage of an open session that had administrative privileges. The threat actors compromised two separate employee accounts within the Okta platform. A prompt response contained the incident and protected the systems and customer data from harm. Okta strongly recommends that all customers sanitize their HAR files before sharing them, removing credentials, cookies and session tokens. Customers are also advised to monitor for, and respond to, unexpected changes to passwords and multi-factor authentication (MFA) settings within their Okta instances.
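As an added illustration (not Okta’s own tooling), the following Python sanitizer redacts the fields of a HAR file that the advice above targets: Authorization and Cookie/Set-Cookie headers, cookie values, and request and response bodies. The sample HAR embedded in it is constructed for the example and is not a real capture.

```python
import copy
# Header names whose values carry credentials or session material (matched case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"

# Constructed sample capture, not a real Okta HAR: one API call and its response.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST", "url": "https://example.okta.com/api/v1/sessions",
        "headers": [{"name": "Authorization", "value": "SSWS constructed-api-token"},
                    {"name": "Cookie", "value": "sid=constructed-session-id"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}],
        "postData": {"mimeType": "application/json", "text": '{"sessionToken": "constructed"}'}},
    "response": {"status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-new-session; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "constructed-new-session"}],
        "content": {"mimeType": "application/json", "text": '{"id": "constructed"}'}}}]}}


def _sensitive(header: dict) -> bool:
    return header.get("name", "").lower() in SENSITIVE_HEADERS


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of a HAR document with credentials, cookies and bodies redacted."""
    clean = copy.deepcopy(har)
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if _sensitive(header):
                    header["value"] = REDACTED
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED  # keep the cookie name for debugging, drop the value
        # Request bodies may carry passwords or tokens; response bodies may carry session tokens.
        if "text" in entry.get("request", {}).get("postData", {}):
            entry["request"]["postData"]["text"] = REDACTED
        if "text" in entry.get("response", {}).get("content", {}):
            entry["response"]["content"]["text"] = REDACTED
    return clean


def leaked_values(har: dict) -> list:
    """List (side, name) of sensitive headers and cookies that still hold a real value."""
    found = []
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            found += [(side, h["name"]) for h in msg.get("headers", []) if _sensitive(h) and h.get("value") != REDACTED]
            found += [(side, c["name"]) for c in msg.get("cookies", []) if c.get("value") != REDACTED]
    return found
```

Run `leaked_values` on a file after sanitizing it; an empty list is the check that nothing sensitive is left before the HAR is attached to a support case.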

2. Critical SolarWinds RCE bugs enable unauthorized network takeover

Security experts have identified three critical remote code execution vulnerabilities within SolarWinds Access Rights Manager (ARM) software. These vulnerabilities could potentially permit remote attackers to execute code with SYSTEM privileges, which is the highest level of access on a Windows system. These flaws, identified as CVE-2023-35182, CVE-2023-35185, and CVE-2023-35187, involve deserialization issues and improper validation of user-supplied paths.

The remaining vulnerabilities addressed in SolarWinds Access Rights Manager, while not critical, were rated high severity. An authenticated attacker could exploit them to escalate privileges or execute arbitrary code on the host. The vendor fixed all of the vulnerabilities in Access Rights Manager version 2023.2.1.

3. Cisco releases first in series of patches for IOS XE vulnerabilities

Cisco has released free software updates to address two vulnerabilities (CVE-2023-20198 and CVE-2023-20273) that attackers exploited as zero-days to compromise over 50,000 Cisco IOS XE devices. Both vulnerabilities, which Cisco tracks together as CSCwh87343, are in the web UI of devices running IOS XE software. Cisco says the threat actor exploited the critical flaw to gain initial access to the device and then “issued a privilege 15 command” to create a normal local account.

Using CVE-2023-20273, the attacker escalated the new local user’s privileges to root and placed a malicious script in the file system. Cisco warns that the two vulnerabilities can be exploited if the device’s web UI (HTTP Server) feature is turned on, which is done with the ip http server or ip http secure-server commands. The primary mitigation is to disable the HTTP server in IOS XE, which removes the attack vector entirely; affected devices should also be updated promptly to the latest fixed software versions.
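As an added example, not Cisco’s own code, the Python audit below runs over a constructed running-config excerpt and checks the two things this advisory points defenders at: whether the web UI listeners are enabled, and which privilege 15 local accounts are not on an approved list. The hostname, account names, hashes and the approved list are all assumptions for the example.

```python
import re

# Constructed running-config excerpt for illustration; not from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$constructed-hash
username helpdesk_tmp privilege 15 secret 9 $9$constructed-hash
username monitor privilege 1 secret 9 $9$constructed-hash
!
ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Local accounts the organization knows about; any other privilege 15 account is flagged for review.
APPROVED_PRIV15 = {"netops"}

# Matches 'username <name> privilege <level> ...' lines in the config.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)

# Commands that turn each web UI listener off (the mitigation named in the advisory).
DISABLE_CMD = {"http": "no ip http server", "https": "no ip http secure-server"}


def web_ui_exposure(config: str) -> dict:
    """Report which web UI listeners are on. A bare 'ip http [secure-]server' line enables
    the listener; the 'no ...' form shown in running-config means it is off."""
    lines = {line.strip() for line in config.splitlines()}
    return {"http": "ip http server" in lines, "https": "ip http secure-server" in lines}


def unexpected_priv15_users(config: str, approved=APPROVED_PRIV15) -> list:
    """Local accounts at privilege 15 that are not on the approved list."""
    return sorted(user for user, level in USER_RE.findall(config)
                  if int(level) == 15 and user not in approved)


def audit(config: str) -> list:
    """Human-readable findings for one device; an empty list means nothing to act on."""
    findings = []
    for proto, enabled in web_ui_exposure(config).items():
        if enabled:
            findings.append(f"web UI enabled over {proto}; if unused, apply '{DISABLE_CMD[proto]}'")
    for user in unexpected_priv15_users(config):
        findings.append(f"unexpected privilege 15 local account: {user}")
    return findings
```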

4. DarkGate malware used by Vietnamese hackers to target entities in the U.S.

Security researchers have identified multiple DarkGate malware infection attempts targeting organizations in the United Kingdom (UK), the United States (US), and India. These attacks have been attributed to Vietnamese threat actors with connections to the notorious Ducktail info stealer. DarkGate infections typically use AutoIt scripts fetched by a Visual Basic Script, which is in turn delivered via phishing emails or messaging platforms such as Skype or Microsoft Teams.

In a recent incident, victims were targeted through a LinkedIn message containing a “job description*.zip” file that redirected them to content hosted on Google Drive. The DarkGate and Ducktail threat actors use similar tactics and lures: Ducktail acts as an information stealer, while DarkGate functions as a remote access trojan (RAT) with information-stealing capabilities and covert persistence on compromised hosts. To prevent such attacks, keep all operating systems, software, and firmware up to date and deploy EDR (Endpoint Detection and Response) tools to detect and block execution of such malware.

5. CVE-2023-34048: VMware patches critical vulnerability in vCenter Server

VMware has released security updates to address a critical vulnerability in vCenter Server that can be exploited for remote code execution on vulnerable servers. The flaw, CVE-2023-34048, is described as an out-of-bounds write vulnerability in the DCE/RPC protocol implementation. This type of vulnerability occurs when a product writes data beyond the intended buffer, typically resulting in data corruption, system crashes, or the potential for code execution.

An attacker with network access to vCenter Server could potentially exploit this vulnerability to trigger an out-of-bounds write, which may lead to remote code execution. The specific network ports associated with potential exploitation in attacks targeting this vulnerability are 2012/tcp, 2014/tcp, and 2020/tcp. The company strongly advises its customers to promptly apply the patches to reduce any potential security risks.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
