Widespread exploitation of severe vulnerability in ownCloud.
Dave Bittner: Reports of a critical vulnerability in ownCloud. Sites serving bogus McAfee virus alerts. Japan’s space agency reports a breach. Okta revises the impact of their recent breach. Cryptomixer gets taken down in an international law enforcement operation. "SugarGh0st" RAT prospects targets in Uzbekistan and South Korea. NATO cyber exercise runs against the background of Russia's hybrid war. On today’s Threat Vector segment, David Moulton of Palo Alto Networks’ Unit 42 talks with guest Jon Huebner about the intricacies of managing threat intelligence feeds. And Russian DDoS’ers are looking for volunteers.
Dave Bittner: Today is November 30, 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Critical Vulnerability in ownCloud Leads to Mass Exploitation of Servers
Dave Bittner: In today’s top story, security researchers are closely monitoring a widespread exploitation of a severe vulnerability in ownCloud, an open source file-sharing server application. The flaw, rated at the maximum severity of 10, allows attackers to gain full control of servers running ownCloud by simply sending a web request to a static URL. This vulnerability has led to attackers obtaining passwords and cryptographic keys for administrative control.
Dave Bittner: The vulnerability affects versions 0.2.0 and 0.3.0 of the Graph API app, which is part of some ownCloud deployments. This flaw was disclosed on November 21, and within four days, security firm GreyNoise observed mass exploitation attempts on their honeypot servers, which mimic vulnerable ownCloud servers. Additionally, the Shadowserver Foundation reports over eleven thousand exposed instances, primarily in Germany, the US, France and Russia. The exploitation involves accessing a URL that reveals configuration details from the PHP environment, potentially exposing sensitive data like the ownCloud admin password, mail server credentials, and license key.
Dave Bittner: Disabling the Graph API app alone is insufficient to secure servers against this threat. ownCloud has advised users to delete a specific file within the app and disable the phpinfo function in Docker containers. They also recommend changing critical credentials as a precaution.
Dave Bittner: Moreover, ownCloud has recently fixed two other high-severity vulnerabilities, an authentication bypass in the WebDAV API, and a subdomain validation bypass flaw. While there are no reports of these vulnerabilities being actively exploited, users are urged to follow the mitigation steps provided by ownCloud.
Dave Bittner: The exposure of this vulnerability in ownCloud, and the recent security breaches in various file-sharing apps, highlight the increasing risk and potential impact of such exploits on enterprise networks. Users and administrators of ownCloud are advised to take immediate steps to secure their systems in line with the guidance provided.
Sites serving bogus McAfee virus alerts.
Dave Bittner: Malwarebytes warns that the ScamClub threat actor resurfaced several weeks ago following a disruption of its operations by Confiant in September. The threat actor abused ad exchanges used by legitimate sites, including the Associated Press, ESPN, and CBS, in order to redirect users to a phony McAfee security alert. The researchers conclude, “ScamClub is resourceful and continues to have a deep impact on the ad ecosystem.”
Scam steals travel company customer credentials.
Dave Bittner: Secureworks reports a Vidar infostealer campaign that compromised a hotel's Booking.com credentials. An employee fell victim to a phishing attack, leading to Vidar's installation and unauthorized messages sent to guests from the hotel's Booking.com account. Soon after, guests reported unauthorized withdrawals from their accounts. The attackers exploited the lack of multi-factor authentication (MFA) on the hotel's Booking.com account. Secureworks suggests this incident is part of a larger fraud campaign targeting Booking.com customers and properties. In this scheme, customers received fake messages, seemingly from hotel owners via Booking.com, asking for payment details confirmation. These messages contained malicious URLs where victims entered information, which the attackers then used for financial theft.
JAXA Faces Cyber Threat, Protects Critical Aerospace Data Amidst Investigation into Network Vulnerability Exploitation
Dave Bittner: Reports surfaced yesterday of a cyber attack targeting JAXA, Japan’s Space Agency. For the details on this story I'm joined by Maria Varmazis, host of the "T-Minus" podcast right here on the N2K network. Maria, what do we know about this incident?
Maria Varmazis: Yeah, so thanks Dave. So, what we found out is that JAXA, as you mentioned, Japan's Space Agency, they disclosed that they had an Active Directory breach over the summer, and it was just disclosed rather recently. And it ends up that an external source, we don't know who, tipped off the agency that some of that information had been breached, and it sounds like it was employees' personal details, and now it's being followed by an internal probe. We don't know a whole lot about the nature of the attack, again, aside from that Active Directory was involved; we don't know the motive, we don't know exactly what was breached, although again, personal information from employees seems very likely given that it was Active Directory, and there's no attribution yet either. So, things have been a little hush-hush, because an attack of this nature is not great [brief laughter] understandably, but it is certainly alarming. So, there is attention being paid.
Dave Bittner: So, reading between the lines here we are assuming that this is more on the IT side of the house than the OT side?
Maria Varmazis: That's correct, yeah. So, as much as when we talk about cybersecurity and aerospace people might think, "Oh my gosh, satellites or rockets getting hacked," it's almost never stuff like that. It's usually the stuff that's on the ground, and it's often IT systems, and it's a tale as old as time in cybersecurity, right? So, yes, this was Active Directory. It was not a rocket or anything that was actually going to space.
Dave Bittner: For perspective here, when we think about Japan and their place on the global stage for space, where do they sit? Where are they in the pecking order?
Maria Varmazis: They're pretty high up to be honest with you. They are a major collaborator with countries like the United States with NASA, with Europe, with India, they do a lot and they have a lot of major rockets of their own. They are involved in a lot of major missions and fantastic scientific and space firsts. So, yeah they're actually pretty big. So, them being hacked, whether it was a drive-by so to speak or if it was on purpose, is not great news and it is kind of scary. Yeah, not -- not small potatoes by any means.
Dave Bittner: Yeah. Maria Varmazis is host of the "T-Minus" Space News Daily podcast here on the N2K network. We will have a link to her team's coverage of this story in our Show Notes. Maria, thanks for joining us.
Maria Varmazis: Thanks so much Dave. [ Music ]
Okta revises the impact of their recent breach.
Dave Bittner: Identity and access management company Okta has significantly revised its assessment of a recent breach. Initially, Okta reported that the breach impacted only 134 customers, less than one percent of its total customer base. However, further investigation revealed that the breach potentially exposed data from essentially all of its customers. Okta has not confirmed active exploitation of this information but warns of the possibility of phishing or social engineering attacks targeting its customers, especially those who have used customer support. Although the compromised information is not considered highly sensitive, the risk of its use in phishing campaigns is a serious concern. The Wall Street Journal highlights this incident as an example of the challenges and risks associated with early disclosure of data breaches and cyberattacks, underscoring the complexities faced by organizations in managing and communicating about cybersecurity incidents.
Cryptomixer gets taken down in an international law enforcement operation.
Dave Bittner: The FBI, in collaboration with UK's Financial Intelligence Investigation Service and Finland's National Bureau of Investigation, has seized the Sinbad cryptomixer service, extensively used by North Korea's Lazarus Group for laundering stolen cryptocurrency. This action aligns with sanctions imposed by the US Treasury Department's Office of Foreign Assets Control targeting Sinbad for processing millions from Lazarus Group heists and other cybercrimes, including drug trafficking and darknet marketplace activities. The sanctions block all of Sinbad's assets within the US or under US control and prohibit any dealings with Sinbad by US entities or individuals. Violations could lead to further sanctions. This crackdown reflects North Korea's increasing reliance on cryptocurrency theft, with Recorded Future's Insikt Group reporting over $3 billion stolen since 2017, as international sanctions cripple its economy. The Lazarus Group's state-supported operations allow it to operate on a larger scale than typical criminal gangs, potentially inspiring other sanctioned entities like Russia to adopt similar tactics in the cryptocurrency arena.
"SugarGh0st" RAT prospects targets in Uzbekistan and South Korea.
Dave Bittner: Cisco Talos researchers have released a report detailing cyberespionage activities targeting Uzbekistan and South Korea, using a remote access Trojan named "SugarGh0st." This RAT is considered a derivative of the well-known Gh0st RAT. The primary method of attack is phishing, involving bait documents specifically designed to pique the interests of the intended targets. Two distinct infection methods were identified: one involving the decryption and execution of the SugarGh0st RAT, the other using the DynamicWrapperX loader to inject and run shellcode that eventually leads to the execution of SugarGh0st. While attribution for these attacks remains uncertain, the researchers tentatively suggest, with low confidence, that a Chinese-speaking threat actor could be responsible.
CERT-EU warns of APT28 phishing campaigns against EU governments.
Dave Bittner: CERT-EU has issued a warning to the European Union about ongoing cyber attacks by Russia's GRU, specifically by the threat actor APT28, also known as Fancy Bear. According to POLITICO, at least seven EU governments are currently targeted by these campaigns, primarily through phishing tactics. The attackers are using a variety of decoy documents as bait, including falsified meeting minutes from a European Parliament subcommittee and a report from a United Nations Special Committee. The suspected long-term objective behind these efforts is to gather intelligence related to the upcoming EU elections next year, and potentially to exert influence over these elections.
NATO cyber exercise runs against the background of Russia's hybrid war.
Dave Bittner: NATO is conducting a cyber exercise amidst the backdrop of Russia's ongoing hybrid war. This exercise aims to bolster NATO's readiness and response capabilities in the cyber domain, a critical area of modern warfare where digital attacks can complement conventional military strategies. It reflects an acknowledgment of the heightened cyber threats in the current geopolitical landscape, particularly with Russia's active engagement in hybrid warfare tactics that blend traditional military force with cyber operations. This exercise is a strategic step to enhance NATO's collective cyber defense and resilience against such multifaceted threats. [ Music ]
Dave Bittner: On today's Threat Vector segment, David Moulton of Palo Alto Networks' Unit 42 speaks with guest Jon Huebner, also from Palo Alto Networks. They delve into the intricacies of managing threat intelligence feeds in cybersecurity. [ Music ]
David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to speak with Jon Huebner, an XSIAM Consultant for our Cortex Team about finding the needle in the haystack when it comes to threat intelligence feeds. Jon has worked in the healthcare and government sectors and is a Navy veteran, who transitioned his experience with physical security, anti-terrorism, and leadership into the cybersecurity industry. Let's get right into it. Jon, thanks for joining me today on Threat Vector. I wanted to talk to you about threat intelligence. First, how can organizations effectively differentiate between valuable threat intelligence feeds and the noise that often accompanies those feeds and makes it hard to find that -- that proverbial needle in a haystack?
Jon Huebner: So, companies that sign up for all these free feeds really damage their threat intelligence, and it puts more work on the analysts and also creates automations that are not that great, which is a huge part of the cyber industry right now. So, finding that valuable intelligence feed is so important. Companies need to start looking at where they are, like what are they, and what do they do. They need to take their risk assessments, which not that many people do, and then they need to take that risk assessment team and have them communicate with the threat analyst and tell them, "Hey, we have companies that are located in this country and these might be our current threats, and this is going to be something that's constantly changing." It's not just companies and national threats and hackers; you're also looking at what types of servers are going to be attacked, where are you most vulnerable, and you need to assess the risk, because there's always going to be risk. You can only mitigate risk, and you need to leverage the intelligence so you have that, and there's going to be some feeds that focus more on some things than others, and some of these free feeds will also not be as good and you get more false positives, but some free feeds may do better for some companies. So, going back to the question, you really got to work with your risk assessment and figure out how you can leverage that and find the right intelligence.
David Moulton: So, talk about what strategies can be employed to clean up that signal-to-noise ratio in the intelligence feeds.
Jon Huebner: So, a lot of companies have all these free feeds coming in and it's just masses and masses of information, and usually when you're ingesting these feeds you can put a reputation on how trustworthy that verdict will be. Companies need to start working with this, and there's a lot of threat-sharing platforms out there now, like MISP. You have a lot of states doing it in their state MISP, where one state shares all of their information and IOCs with another state, but some of those aren't going to be valuable. So, companies need to go back to those risk assessments that I was just mentioning and really prioritize where it is, and sometimes you may just need to find one feed, like one good paid feed, and go with that, and then start basically tuning it from there. Threat intelligence is not just ingesting all this data and saying, oh, here's this data, have fun, good luck. It's more of pulling the data in and tuning it, kind of just like a SIEM or some of your other security products. So, you need a very active threat intelligence team on there, and you really need to start from the beginning with "this is our plan, we want to do x, y, z" and do it from there. So, that would really help clean up a lot of the mess that we're seeing right now.
David Moulton: Jon, talk to me about the risks you've seen from neglecting expired feeds or not tuning intelligence feeds.
Jon Huebner: So, some of these companies are having these indicators ingested with no expiration; IPs change, domains change, all of these IOCs are changing, and some of these domains can change in less than 24 hours. Some of these IPs are also changing in a couple of days probably, sometimes even hours as well. And if you don't ever expire these indicators, they could be in your whitelist, they could be in your blacklist. By the way, it could just not end well for you, because sometimes Microsoft will end up on that blacklist, and if you're [inaudible 00:17:54] a cloud instance of O365, you're going to start running into trouble and blocking some things that you don't want to block, and even more, if it's on that whitelist, that might be a very bad day and you're leaving a wide open hole in your organization's security.
David Moulton: So, think about the context of threat intelligence. What are some of the best practices you see for identifying and prioritizing actionable feeds and indicators?
Jon Huebner: You got to really hash out how you want to move forward, where you want to focus your intelligence, what you want your intelligence to be, and what your main use cases are going to be, along with having a very good threat intelligence team that can tune and treat it as their baby, so they can give you a good product and also communicate with the other parts of the organization. [ Music ]
David Moulton: Jon, thanks for taking the time to talk to me about your approaches to optimizing and tuning your threat intel. Like most things, the one and done approach doesn't work. It really sounds more like gardening where you have to tend to the feeds with constant evaluation, and make the effort to weed out any problems. Sometimes it sounds like it's best to just start fresh. If you're looking for well-curated threat intel and threat actor insights, you should check out the "Unit 42" Threat Research Center, and remember, if you think that you're under attack, contact the experts at "Unit 42" to help assess your risk and exposure. We'll be back in the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]
Dave Bittner: That's David Moulton and Jon Huebner, both from Palo Alto Networks. [ Music ]
Russian DDoS’ers are looking for volunteers.
Dave Bittner: And finally, the Russian hacktivist group NoName057(16) is on a recruiting spree for its "volunteer DDoSia Project," as proclaimed on their Telegram channel. They're casting a net to enlist cyber warriors in what they describe as a cyber war initiated by the West against Russia. "Australian Cyber Security Magazine" reports that these digital soldiers will be compensated in cryptocurrency and can earn ranks and merit awards, mimicking a real military structure. The source of their funding remains murky, though criminal proceeds are a likely suspect. DDoSia, as the name hints, focuses on distributed denial-of-service attacks. The allure of ranks and accolades suggests NoName057(16) is targeting military enthusiasts and perhaps those whose ambitions outpaced their life achievements. It seems in the world of hacktivism, even keyboard warriors can dream of being decorated heroes. [ Music ]
Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. A quick programming note: as we near the end of the year, it's the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry. We'd love to help you achieve those goals. We've got some unique end-of-year opportunities, complete with special incentives to launch 2024. So, tell your marketing team to reach out! Send us a message at sales@thecyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com; your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment -- people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]