At a glance.
- BlackCat (ALPHV) follows Cl0p in exploiting the GoAnywhere MFT vulnerability.
- Mirai botnet exploits vulnerability disclosed at Pwn2Own.
- PaperCut critical vulnerability under active exploitation, as are Google and MinIO vulnerabilities.
- CISA produced two Industrial Control System advisories.
- CVE-2023-29552: a critical Service Location Protocol vulnerability.
- KillNet sub group announces new DDoS tool kit for pre-sale.
- Play ransomware's new tools.
- The 3CX compromise: a complex supply-chain attack.
BlackCat (ALPHV) follows Cl0p in exploiting the GoAnywhere MFT vulnerability.
At-Bay reported this morning that Cl0p has now been joined by BlackCat (a.k.a. ALPHV) in using the GoAnywhere MFT exploit for CVE-2023-0669. The researchers write “The vulnerability is a good example of how cyber criminals don’t just go after the most prevalent or publicly-known CVE disclosures. The most important indicator of risk isn’t just the score that’s given to the vulnerability, but how easily it can be exploited by cyber criminals in-the-wild, at scale, to achieve a desired outcome.” Fortra released a patch for this vulnerability in February of this year, and all users are advised to install it. At-Bay also urges organizations running the affected GoAnywhere MFT versions to “immediately follow the mitigation methods recommended by Fortra.”
BlackCat seems increasingly active. As At-Bay reports “According to At-Bay’s claims data — which includes any confirmed attacks against its 30,000+ policyholders — the BlackCat group was responsible for 9.8% of ransomware claims in 2022 making it the third most successful ransomware group last year. This year is trending similarly with 13.5% of ransomware claims in the first three months of 2023 coming from BlackCat. Despite being a relative newcomer, BlackCat is also the third most active ransomware group so far this year following Royal (17.24%) and LockBit (37.9%).” For more information on ransomware trends this year, see CyberWire Pro.
Mirai botnet exploits vulnerability disclosed at Pwn2Own.
The Zero Day Initiative announced the discovery of new activity using a zero-day exploit that surfaced during last month’s Pwn2Own event. “This bug in the TP-Link Archer AX21 Wi-Fi router was originally disclosed to ZDI during the Pwn2Own Toronto event, where it was used by Team Viettel in their LAN-side entry against the TP-Link device and by Qrious Security in their WAN-side entry.” The report continues, “TP-Link released a firmware update in March that “Fixed some security issues” – including this and other CVEs. It was after this fix was made public that exploit attempts using this CVE were detected in the wild.”
The zero-day (CVE-2023-1389) is now being used by the Mirai botnet. The Zero Day Initiative began seeing the exploit in the wild on April 11th. The Mirai botnet used the exploit “to make an HTTP request to the Mirai command and control (C2) servers to download and execute a series of binary payloads… Seeing this CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing ‘time-to-exploit’ speed that we continue to see across the industry.” The researchers recommend that users apply TP-Link’s patch, which is the only effective defense against the exploit.
PaperCut critical vulnerability under active exploitation, as are Google and MinIO vulnerabilities.
On Friday CISA added three vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2023-27350 PaperCut MF/NG Improper Access Control Vulnerability, CVE-2023-28432 MinIO Information Disclosure Vulnerability, and CVE-2023-2136 Google Chrome Skia Integer Overflow Vulnerability.
PaperCut blogged details of a critical vulnerability (CVSS score 9.8 out of a possible 10), CVE-2023-27350, which affects servers running the software. The company explained, “The PaperCut application is popular with the State, Local, and Education (SLED) type organizations, where just education makes up 450 of those results.” PaperCut released a security patch on 8 March 2023 to address this vulnerability, and today updated its patch bulletin to urge users to update their servers with the most recent patch, since the company believes some servers are being actively exploited. PaperCut also said “If you suspect that your server has been compromised, we recommend taking server backups, then wiping the Application Server, and rebuilding the Application Server and restoring the database from a ‘safe’ backup point prior to when you discovered any suspicious behavior.” Experts continue to recommend that users update their software in line with developer guidance, since doing so reduces an organization's exposure to vulnerabilities that have already been fixed.
Google released a statement listing CVE-2023-2136 as one of the 8 vulnerabilities it patched on 18 April. It added “Google is aware that an exploit for CVE-2023-2136 exists in the wild.” CVE-2023-28432 affects MinIO version RELEASE.2021-08-31T05-46-54Z and was patched on March 20th. MinIO posted that “All users of distributed deployment are impacted. All users are advised to upgrade ASAP.”
CISA produced two Industrial Control System advisories.
CISA released two Industrial Control System (ICS) advisories today: ICSA-23-115-02, which affects Scada-LTS versions 2.7.4 and prior, and ICSA-23-115-01, which affects the N8844A Data Analytics Web Service. For ICSA-23-115-02 CISA assigned CVE-2015-1179 and writes “Scada-LTS versions 2.7.4 and prior are vulnerable to cross-site scripting. This could allow a remote attacker to craft malicious URLs that may execute arbitrary code in an authenticated user’s browser and print sensitive information.” ICSA-23-115-01 was assigned CVE-2023-1967, and CISA wrote “Keysight N8844A Data Analytics Web Service deserializes untrusted data without sufficiently verifying the resulting data will be valid.”
CVE-2023-29552: a critical Service Location Protocol vulnerability.
BITSIGHT reported today that it has discovered a new high-severity vulnerability in the Service Location Protocol. “SLP is a protocol that was created in 1997 through RFC 2165 to provide a dynamic configuration mechanism for applications in local area networks.” The vulnerability, tracked as CVE-2023-29552, allows attackers to launch DoS attacks using exposed SLP instances. BITSIGHT writes “Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.” BITSIGHT urges businesses to disable SLP on devices connected to the open internet, and if that is not possible, “then firewalls should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service.”
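The Bitsight item above gives defenders two things to act on: an exposed SLP service on port 427 can be turned into a reflector with a very large response-to-request byte ratio, and the fallback mitigation is to filter TCP and UDP 427 at the edge. The following script is an added example written for this page, not code from Bitsight or from the article. It takes flow records from a network edge and flags hosts that answer on UDP/427 with far more bytes than a given peer sent them, which is what a reflector being abused against a spoofed victim looks like, and it emits the port-427 filter rules. The flow-line format, the addresses, the byte counts and the alert threshold are all constructed for the example.

```python
"""Spot an SLP reflector in edge flow records and print the port-427 filter.

Added example for this page (not Bitsight's or the article's code).  The flow
format below is an assumption:  '<ts> <proto> <src>:<sport> -> <dst>:<dport> <bytes>'.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

SLP_PORT = 427
# Assumed alert threshold.  A normal SLP reply is a few times the request size;
# the report cites a worst case of roughly 2200x.
DEFAULT_MIN_FACTOR = 50.0

# Constructed sample: 203.0.113.5 is a spoofed victim address, 198.51.100.10 an
# SLP host on the monitored network, 192.0.2.44 a peer making ordinary queries.
SAMPLE_FLOWS = """\
2023-04-25T10:00:01Z udp 203.0.113.5:40001 -> 198.51.100.10:427 29
2023-04-25T10:00:01Z udp 198.51.100.10:427 -> 203.0.113.5:40001 65000
2023-04-25T10:00:02Z udp 203.0.113.5:40002 -> 198.51.100.10:427 29
2023-04-25T10:00:02Z udp 198.51.100.10:427 -> 203.0.113.5:40002 65000
2023-04-25T10:00:03Z udp 192.0.2.44:52000 -> 198.51.100.10:427 29
2023-04-25T10:00:03Z udp 198.51.100.10:427 -> 192.0.2.44:52000 110
2023-04-25T10:00:04Z tcp 192.0.2.44:52010 -> 198.51.100.10:443 500
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one flow line in the assumed format into a Flow record."""
    ts, proto, src, arrow, dst, nbytes = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, proto.lower(), src_ip, int(src_port), dst_ip, int(dst_port), int(nbytes))


def slp_byte_counts(lines: Iterable[str]) -> Dict[Tuple[str, str], List[int]]:
    """Sum UDP bytes per (reflector, peer) pair touching port 427.

    Index 0 holds bytes the peer sent to the reflector (requests); index 1 holds
    bytes the reflector sent back (responses).  TCP is skipped because the
    amplification vector relies on spoofed UDP sources.
    """
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        f = parse_flow(raw)
        if f.proto != "udp":
            continue
        if f.dport == SLP_PORT:
            counts[(f.dst, f.src)][0] += f.nbytes
        elif f.sport == SLP_PORT:
            counts[(f.src, f.dst)][1] += f.nbytes
    return counts


def find_reflection_victims(lines: Iterable[str], min_factor: float = DEFAULT_MIN_FACTOR) -> List[dict]:
    """Return (reflector, victim) pairs whose response/request byte ratio is at
    least min_factor, highest factor first.  Responses with no logged request
    are reported with an infinite factor so they are not silently dropped."""
    hits = []
    for (reflector, peer), (bytes_in, bytes_out) in slp_byte_counts(lines).items():
        if bytes_in == 0:
            factor = float("inf") if bytes_out else 0.0
        else:
            factor = bytes_out / bytes_in
        if factor >= min_factor:
            hits.append({"reflector": reflector, "victim": peer,
                         "bytes_in": bytes_in, "bytes_out": bytes_out, "factor": factor})
    hits.sort(key=lambda h: h["factor"], reverse=True)
    return hits


def mitigation_rules(wan_iface: str = "eth0") -> List[str]:
    """The report's fallback when SLP cannot be disabled: drop TCP and UDP 427
    arriving on the internet-facing interface.  iptables form; interface name assumed."""
    return [
        f"iptables -A INPUT -i {wan_iface} -p udp --dport {SLP_PORT} -j DROP",
        f"iptables -A INPUT -i {wan_iface} -p tcp --dport {SLP_PORT} -j DROP",
    ]


if __name__ == "__main__":
    for hit in find_reflection_victims(SAMPLE_FLOWS.splitlines()):
        print(f"{hit['reflector']} answered {hit['victim']} with {hit['bytes_out']} bytes "
              f"for {hit['bytes_in']} bytes of requests (factor {hit['factor']:.0f}x)")
    print("\n".join(mitigation_rules()))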
KillNet sub group announces new DDoS tool kit for pre-sale.
KillNet announced on Anonymous Russia’s Telegram page that it is creating a new DDoS service called “Tesla-Bot.” Tesla-Bot is a DDoS tool kit that comes in three different flavors and prices: for $25 you get Basic, which has ten bots; Pro, for $75, comes with thirty bots; and Rare comes with a premium fifty bots. The tool is in presale and will be available for general purchase on April 28th. The Anonymous Russia page stated today that it will not be running C2 for the purchased tool kits, as “all of the bots in the bot net are autonomous.”
Play ransomware's new tools.
Symantec, part of Broadcom Software, has shared its observation of two new tools in use by the Play ransomware gang: an infostealer coined “Grixba,” and a Volume Shadow Copy Service (VSS) copying tool. The researchers describe Grixba as “a network scanning tool used to enumerate all users and computers in the domain.” In addition to enumerating software and services, the Grixba infostealer checks for security and backup software, as well as remote administration tools. Grixba was developed using Costura, described as “a popular .NET development tool for embedding and applications dependencies into a single executable file.”
Also developed using Costura was a second executable, a VSS copying tool that the researchers say “embeds the library AlphaVSS into executables. The AlphaVSS library is a .NET framework that provides a high-level interface for interacting with VSS. The library makes it easier for .NET programs to interface with VSS by offering a set of controlled APIs.” This tool allows the threat actors to copy files that are normally blocked by the OS. For more on the evolution of Play, see CyberWire Pro.
The 3CX compromise: a complex supply-chain attack.
Mandiant reports that the 3CX supply-chain attack was itself enabled by an earlier supply-chain attack. "In March 2023, Mandiant Consulting responded to a supply chain compromise that affected 3CX Desktop App software," the company's report said. "During this response, Mandiant identified that the initial compromise vector of 3CX’s network was via malicious software downloaded from Trading Technologies website. This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack." The attack is being attributed to UNC4736, generally regarded as a North Korean threat actor. Its activities have been related to the "financially motivated North Korean 'AppleJeus' activity as reported by CISA." For more developments in the 3CX compromise story, see CyberWire Pro.