At a glance.
- Lancefly, a new APT with a custom backdoor.
- Man in the middle phishing attacks are on the rise.
- Ransomware report: targeting and classification.
- CISA and FBI release a joint report on PaperCut NG/MF vulnerability exploitation.
- The Five Eyes disrupt Russia's FSB Snake cyberespionage malware with an interesting tool.
- A work-around for a March patch.
- Seven entries added to CISA's Known Exploited Vulnerabilities Catalog.
- Remote code execution exploits Ruckus in the wild.
Lancefly, a new APT with a custom backdoor.
Symantec released a blog post yesterday describing a new advanced persistent threat (APT) it calls Lancefly, which uses a custom backdoor to target government, aviation, and other sectors. “The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted. The attackers in this campaign also have access to an updated version of the ZXShell rootkit,” Symantec reports. Lancefly’s custom backdoor, dubbed Merdoor, appears to have been in use since 2018 and includes keylogging, multiple command-and-control (C2) communication methods, and the ability to listen for commands on a local port. Symantec explains that Merdoor is “injected into the legitimate processes perfhost.exe or svchost.exe.” Symantec assesses that Lancefly may have used phishing emails as an attack vector in a 2020 campaign, but in the more recent activity the initial infection vector is not entirely clear. “We saw some indications of what the initial infection vector may have been in two victims, though this was not conclusive,” Symantec writes. Lancefly’s targets so far are government, aviation, education, and telecommunications organizations, all located in South and Southeast Asia.
Man in the middle phishing attacks are on the rise.
In a report released on May 9th, researchers at Cofense Intelligence explained that man-in-the-middle (MitM) phishing attacks increased by 35% between Q1 2022 and Q1 2023. Threat actors combine MitM attacks with credential phishing to steal usernames, passwords, and session cookies, the stolen cookies letting them bypass multi-factor authentication. 95% of the MitM phishing attacks Cofense observed targeted Microsoft Office 365 authentication. They also tend to use URL redirection: “89% of campaigns used at least one URL redirect, and 55% used two or more.” These MitM phishing attacks sidestep the protection users expect from a secure (HTTPS) connection by setting up two secure connections, one between the victim and the attacker and another between the attacker and the legitimate website; the attacker's proxy login page then harvests the credentials the victim enters. Cofense recommends the following defensive measures:
- Users should be reminded of which online portals are approved for company use.
- Emails containing URLs or attachments that bring users to a website which looks legitimate but does not match the company-approved ones should be considered suspicious and reported for further analysis.
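The second recommendation is easier to act on with a check that resolves where an emailed link actually lands and compares that host with the approved portals. The script below is an added illustration, not Cofense's tooling: the redirect chain is simulated with a constructed table so it runs offline (a deployment would resolve it with a sandboxed HTTP client), the allowlist and every hostname are made up, and the lookalike test is a simple heuristic for digit-for-letter substitutions rather than a general homoglyph detector.

```python
"""Follow an emailed link's redirect chain and compare the landing host with
the company's approved sign-in portals (added example; all names constructed)."""
from urllib.parse import urlparse

# Constructed allowlist of portals approved for company use.
APPROVED_HOSTS = {"login.microsoftonline.com", "intranet.example.com"}

# Constructed stand-in for live HTTP 3xx responses: url -> Location header,
# None meaning the URL is a final page.
REDIRECTS = {
    "https://link.newsletter.example/c/1": "https://short.example/abc",
    "https://short.example/abc": "https://login-microsoft0nline.example/auth",
    "https://login.microsoftonline.com/": None,
}
MAX_HOPS = 10

# Digit-for-letter substitutions commonly seen in lookalike hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def follow_chain(url, table=REDIRECTS):
    """URLs visited in order; stops at a final page, on a loop, or after MAX_HOPS."""
    chain, seen = [url], {url}
    while len(chain) <= MAX_HOPS:
        nxt = table.get(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def _norm(host):
    """Lower-case, undo common digit substitutions, drop hyphens and dots."""
    return host.lower().translate(CONFUSABLES).replace("-", "").replace(".", "")


def lookalike_of(host, approved=APPROVED_HOSTS):
    """Return the approved host this one imitates, or None. A host imitates an
    approved one when the approved name minus its TLD survives inside the
    candidate after normalisation, and the candidate is not itself approved."""
    if host in approved:
        return None
    h = _norm(host)
    for good in approved:
        stem = good.rsplit(".", 1)[0]  # e.g. "login.microsoftonline"
        if _norm(stem) in h:
            return good
    return None


def assess_link(url, approved=APPROVED_HOSTS, table=REDIRECTS):
    """Classify a link as approved, lookalike or suspicious by its landing host."""
    chain = follow_chain(url, table)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    imitates = lookalike_of(final_host, approved)
    if final_host in approved:
        verdict = "approved"
    elif imitates:
        verdict = "lookalike"
    else:
        verdict = "suspicious"
    return {"hops": len(chain) - 1, "final_host": final_host,
            "imitates": imitates, "verdict": verdict, "chain": chain}


if __name__ == "__main__":
    for link in ("https://link.newsletter.example/c/1", "https://login.microsoftonline.com/"):
        r = assess_link(link)
        print(f"{r['verdict']:10} hops={r['hops']} lands on {r['final_host']}")
```

The hop count is worth keeping alongside the verdict: the report's figure that most campaigns use at least one redirect means a link that bounces two or three times before reaching a login page deserves a closer look even when the landing host is not an obvious lookalike.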
Ransomware report: targeting and classification.
GuidePoint Security on May 11th released their GRIT Ransomware Report for April 2023. The total number of organizations affected dropped 22% from March to April. The United States maintains its place atop the leaderboard when it comes to being victimized by ransomware: the US had one-hundred-seventy-nine victims, whereas the runner-up, the United Kingdom, came in with a distant eighteen. The most widespread ransomware threats to the US have been LockBit, Bianlian, and ALPHV. Manufacturing was, by far, the most targeted industry, followed by healthcare and technology. Looking at the gangs themselves, LockBit’s numbers continued to grow this month, ALPHV nearly doubled the number of its victims in the past month, and the researchers say April marked the “most impactful” month for Bianlian, which increased its victim count from twenty-seven in March to forty-five in April.
CISA and FBI release a joint report on PaperCut NG/MF vulnerability exploitation.
CISA and the FBI have released a joint report detailing exploitation of CVE-2023-27350, a vulnerability in PaperCut NG and PaperCut MF. The FBI has observed the Bl00dy ransomware gang attempting to exploit the vulnerability on PaperCut servers belonging to education sector targets. “Education Facilities Subsector entities maintained approximately 68% of exposed, but not necessarily vulnerable, U.S.-based PaperCut servers. In early May 2023, according to the FBI, the Bl00dy Ransomware Gang gained access to victim networks across that subsector where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Some of these operations led to data exfiltration and encryption of victim systems. The Bl00dy Ransomware Gang left ransom notes on victim systems demanding payment in exchange for decryption of encrypted files.” CISA recommends that organizations implement “Emerging Threat Suricata Signatures to detect when GET requests are sent to the SetupCompleted page.” (And the agency warns that they should “be careful of improperly formatted double-quotation marks if copying and pasting signatures from this advisory.”) If an organization finds it has been compromised, CISA and the FBI urge it to create a backup of its PaperCut servers, wipe the application server, and restore the database from a safe backup point before April 2023. Organizations can also reduce their exposure by updating PaperCut to the latest version, in which the vulnerability is fixed.
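The two practical points in the advisory, watching for GET requests to the SetupCompleted page and not pasting signatures with curly quotes, can both be exercised in a few lines. The script below is an added example and is not part of the CISA/FBI advisory or the Emerging Threats signature set: the access-log lines are constructed, the Suricata rule is a constructed illustration rather than the published signature, and the exact URL under which PaperCut serves the SetupCompleted page is an assumption here, so the check matches the page name wherever it appears in the request path, case-insensitively and after URL-decoding.

```python
"""Flag GET requests for PaperCut's SetupCompleted page in web-server access
logs, and straighten curly quotes in a copied Suricata rule (added example;
sample log lines and the rule text are constructed)."""
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log; the /app?page=... layout is assumed, not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [02/May/2023:10:12:01 +0000] "GET /app?page=Dashboard HTTP/1.1" 200 5120
198.51.100.7 - - [02/May/2023:10:12:09 +0000] "GET /app?page=SetupCompleted HTTP/1.1" 200 2210
198.51.100.7 - - [02/May/2023:10:12:10 +0000] "POST /app HTTP/1.1" 302 0
10.0.0.9 - - [02/May/2023:10:13:44 +0000] "GET /app?page=setupcompleted&x=1 HTTP/1.1" 200 2210
203.0.113.4 - - [02/May/2023:10:15:02 +0000] "GET /app?page=Setup%43ompleted HTTP/1.1" 200 2210
"""


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_setup_completed_requests(log_text):
    """Records for GET requests whose decoded path names the SetupCompleted page.
    Decoding first catches percent-encoded spellings; lower-casing catches case games."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if "setupcompleted" in unquote(rec["path"]).lower():
            hits.append(rec)
    return hits


# Typographic quotes that word processors and web pages substitute for ASCII ones.
CURLY = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Constructed rule with the curly quotes a copy-and-paste can introduce;
# not the Emerging Threats signature referenced by the advisory.
CONSTRUCTED_RULE = (
    'alert http any any -> any any (msg:\u201cCONSTRUCTED: request for PaperCut '
    'SetupCompleted page\u201d; content:\u201cSetupCompleted\u201d; sid:1000001;)'
)


def straighten_quotes(rule):
    """Return (rule with ASCII quotes, number of typographic quotes replaced)."""
    n = sum(rule.count(c) for c in CURLY)
    for curly, ascii_q in CURLY.items():
        rule = rule.replace(curly, ascii_q)
    return rule, n


if __name__ == "__main__":
    for h in find_setup_completed_requests(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} GET {h['path']} -> {h['status']}")
    fixed, n = straighten_quotes(CONSTRUCTED_RULE)
    print(f"replaced {n} typographic quotes:\n{fixed}")
```

Run `straighten_quotes` over any rule text before loading it; Suricata rejects a rule whose `msg` or `content` is delimited by U+201C/U+201D, and a silently dropped rule leaves the very request the advisory tells you to watch for undetected.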
The Five Eyes disrupt Russia's FSB Snake cyberespionage malware with an interesting tool.
The Five Eyes took down the Snake infrastructure Russia's FSB has used for espionage and disruptive activity for almost twenty years. Operation MEDUSA involved not only technical disruption of Snake malware deployments but lawfare as well. Operation MEDUSA was the work of an international partnership whose principal members were, in the US, the NSA, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Cyber National Mission Force (CNMF), and in the other Four Eyes the Canadian Cyber Security Centre (CCCS), the United Kingdom National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), and the New Zealand National Cyber Security Centre (NCSC-NZ).
"Operation MEDUSA disabled Turla’s Snake malware on compromised computers through the use of an FBI-created tool named PERSEUS, which issued commands that caused the Snake malware to overwrite its own vital components. Within the United States, the operation was executed by the FBI pursuant to a search warrant issued by United States Magistrate Judge Cheryl L. Pollak of the Eastern District of New York, which authorized remote access to the compromised computers. This morning, the Court unsealed redacted versions of the affidavit submitted in support of the application for the search warrant, and of the search warrant issued by the Court. For victims outside the United States, the FBI is engaging with local authorities to provide both notice of Snake infections within those authorities’ countries and remediation guidance." (If the FSB is given to esoteric Lutheran allusions, the FBI apparently has a classicist streak--Perseus, after whom their remediation tool was named, was the slayer of the Gorgon Medusa, the sight of whom could turn victims to stone.)
A work-around for a March patch.
Researchers at Akamai have discovered a critical vulnerability in an Internet Explorer component, assigned CVE-2023-29324. The vulnerability tricks an Outlook client into connecting to the attacker’s server, which lets the attacker crack the victim’s password offline or use it in a relay attack. Russian threat actors are assessed to have been using this exploit for over a year, targeting European government, transportation, energy, and military sectors. Importantly, the attack is classified as a no-click attack: the victim doesn’t have to interact with the malware by clicking a link or downloading a zip file. It works by sending the victim a reminder email with a custom sound notification. The sound notification contains a path to the attacker’s server, so the Outlook client initiates a handshake with the malicious server and gives the attacker access to the Net-NTLMv2 hash. Akamai informed Microsoft of the vulnerability, and Microsoft released an update in the March Patch Tuesday to fix the problem, but Akamai has since determined that there are workarounds that could get past the patch. Microsoft addressed those remaining issues in this month's Patch Tuesday. For more on the work-around, see CyberWire Pro.
Seven entries added to CISA's Known Exploited Vulnerabilities Catalog.
CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV). Vulnerabilities are added to the catalog based on evidence of active exploitation in the wild. US Federal civilian executive branch agencies have until June 2nd, 2023, to address them:
- CVE-2023-25717 Multiple Ruckus Wireless Products CSRF and RCE Vulnerability
- CVE-2021-3560 Red Hat Polkit Incorrect Authorization Vulnerability
- CVE-2014-0196 Linux Kernel Race Condition Vulnerability
- CVE-2010-3904 Linux Kernel Improper Input Validation Vulnerability
- CVE-2015-5317 Jenkins User Interface (UI) Information Disclosure Vulnerability
- CVE-2016-3427 Oracle Java SE and JRockit Unspecified Vulnerability
- CVE-2016-8735 Apache Tomcat Remote Code Execution Vulnerability
Remote code execution exploits Ruckus in the wild.
One of the more noteworthy vulnerabilities CISA added to its Known Exploited Vulnerabilities Catalog Friday was the critical remote code execution (RCE) issue affecting multiple Ruckus products. Bleeping Computer reports that the flaw concerns devices using the Ruckus Wireless Admin panel. The CVE-2023-25717 vulnerability, while first acknowledged in February, has likely gone unpatched on many vulnerable Wi-Fi access points, which in these attacks have been targeted by AndoryuBot malware. Once on a device, the malware adds it to a botnet for use in distributed denial-of-service (DDoS) attacks. Ruckus released a security bulletin in February, updated last week, detailing the almost 60 devices affected and the patches available. Many end-of-life devices, however, have no patch available.