Weekly Intel Report - December 14, 2022
Threatscape analysis that keeps you two steps ahead of the bad guys.
Ransomware, Malware & Phishing
The U.S. Department of Health and Human Services (HHS) issued a new warning today for the country's healthcare organizations regarding ongoing attacks from a relatively new operation, the Royal Ransomware gang.
Recommendation: On Wednesday, HHS's Health Sector Cybersecurity Coordination Center (HC3) reported that it has seen this group behind multiple attacks on organizations in the Healthcare and Public Health (HPH) sector. Royal continues to target US healthcare organizations on the strength of its earlier successes, and after each healthcare compromise it has claimed to leak all data allegedly stolen from the victim's network.
Royal was first spotted in January 2022 and has sharply ramped up activity since September 2022. The group now uses its own encryptor, which drops ransom notes bearing the same "Royal" name, and relies on social engineering: callback phishing emails impersonating software providers and food delivery services lure corporate victims into phoning the attackers, who then talk them into installing remote access software. After gaining a foothold and encrypting systems across the enterprise network, Royal demands ransoms ranging from $250,000 to $2 million. The federal government has also warned about other ransomware operations that actively target healthcare organizations across the US.
APT recommends that companies organize security awareness training for all employees, with particular attention to phishing: regularly test users with simulated phishing emails and SMS messages, train employees to identify and report phishing, and reinforce the material month to month with security lunch-and-learns.
Employees should also be taught the other forms of phishing, including smishing (SMS) and vishing (voice), so that they recognize every channel through which they can be targeted and the kinds of attachments each method carries. Knowing the adversary's procedures helps inform an organization's security program and builds a more resilient, proactive posture that protects patient information.
Python, JavaScript Developers Targeted With Fake Packages Delivering Ransomware.
Recommendation: Phylum security researchers warn of a new software supply chain attack that relies on typosquatting to target Python and JavaScript developers. A threat actor registered typosquats of popular PyPI packages so that developers who mistype a dependency name pull in malicious code that downloads payloads written in Go. The payload is a ransomware variant that replaces the desktop background with a message impersonating the CIA and instructs the victim to open a "readme" file; it also attempts to encrypt some of the victim's files. The "readme" is in fact a ransom note telling the victim to pay the attackers in cryptocurrency for a decryption key. According to Phylum's CTO, the number of malicious packages is expected to keep rising.
APT recommends educating users about the different ways they can be targeted, including the various phishing techniques and the attachments attackers use to deliver malware. For developers specifically, that means checking a package's exact name and publisher before installing it, since a typosquat depends on a single mistyped or look-alike character going unnoticed.
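The name check described above, as an added example that is not part of this report or Phylum's tooling: it normalizes look-alike characters, measures how close a requested dependency name is to a package you actually expect, and flags near misses in a requirements.txt. The allow-list KNOWN_PACKAGES, the 0.8 threshold and the sample requirements are constructed assumptions; in practice you would load the ecosystem's top-N names plus your own approved list.

```python
"""Flag dependency names that look like typosquats of packages you expect.

Added example; not Phylum's tooling and not tied to any specific malicious
package from the report. KNOWN_PACKAGES is a small constructed allow-list
(assumption: in practice you would load the ecosystem's top-N names plus
your own approved list). Run it over a requirements.txt before `pip install`.
"""
import re
from difflib import SequenceMatcher

# Constructed allow-list of well-known PyPI names (not the real top list).
KNOWN_PACKAGES = {
    "requests", "urllib3", "numpy", "pandas", "django", "flask",
    "cryptography", "pyyaml", "setuptools", "colorama",
}

# Characters typosquatters swap for look-alikes; fold them to one form.
CANON = str.maketrans({"0": "o", "1": "l", "-": "_", ".": "_"})


def normalize(name: str) -> str:
    """Lower-case and fold confusables, so 'c0lorama' normalizes to 'colorama'."""
    return name.strip().lower().translate(CANON)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; about 0.88 for a single transposition in an 8-letter name."""
    return SequenceMatcher(None, a, b).ratio()


def check_name(requested: str, known=KNOWN_PACKAGES, threshold: float = 0.8):
    """Return None if `requested` is exactly a known package, otherwise
    (requested, closest_known, score) when it is suspiciously close."""
    known_norm = {normalize(k): k for k in known}
    if requested.strip().lower() in {k.lower() for k in known}:
        return None                          # the package we actually expect
    req = normalize(requested)
    if req in known_norm:                    # differs only by confusable characters
        return (requested, known_norm[req], 1.0)
    best = max(known, key=lambda k: similarity(req, normalize(k)))
    score = similarity(req, normalize(best))
    return (requested, best, round(score, 2)) if score >= threshold else None


def scan_requirements(text: str, known=KNOWN_PACKAGES):
    """Scan requirements.txt-style lines; return the suspicious entries in order."""
    findings = []
    for line in text.splitlines():
        spec = line.split("#", 1)[0].strip()     # drop comments
        if not spec or spec.startswith("-"):      # skip blanks and pip options
            continue
        name = re.split(r"[<>=!~\[;@ ]", spec, maxsplit=1)[0]
        hit = check_name(name, known)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample input: three legitimate entries and two typosquats.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
numpy>=1.23
reqeusts          # transposed letters
c0lorama          # digit zero in place of the letter o
pyyaml[safe]>=6.0
"""

if __name__ == "__main__":
    for requested, closest, score in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"SUSPICIOUS: {requested!r} resembles {closest!r} (score {score})")
```

A hit is a prompt to look at the package page, not proof of malice; new legitimate packages with similar names exist, which is why the check reports the closest known name and a score instead of blocking outright.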
Cybersecurity Experts Uncover Inner Workings of Destructive Azov Ransomware
Recommendation: Cybersecurity researchers have published the inner workings of a new wiper known as Azov Ransomware that is deliberately designed to corrupt data and "inflict impeccable damage" on compromised systems. Distributed through the SmokeLoader malware loader, its wiping routine overwrites a file's contents in alternating 666-byte chunks with random noise, a pattern referred to as intermittent encryption, a technique ransomware operators increasingly use to evade detection and encrypt victims' files faster. Azov differs from typical ransomware in that it also modifies certain 64-bit executables to run its own code. It incorporates a logic bomb, a set of conditions that must be met before the malicious action fires, so that the wiping and backdooring functions detonate at a predetermined time.
APT recommends staying current on the indicators of compromise (IOCs) published for these actors and actively hunting for them in your organization's environment and network. APT also recommends blocking those indicators on the endpoint (via the EDR agent) as well as in your network security tools.
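The alternating-chunk pattern described above is something you can look for in triage, as an added example that is not Check Point's code and does not reproduce the wiper: it computes Shannon entropy per 666-byte chunk of a file image and reports whether high- and low-entropy chunks strictly alternate. The 7.0 bits/byte threshold and the sample files are constructed assumptions, not values from the Azov analysis.

```python
"""Spot the alternating 666-byte overwrite pattern described for Azov.

Added example; not Check Point's code and not a reproduction of the wiper.
It computes Shannon entropy per 666-byte chunk of a file image and reports
whether high- and low-entropy chunks strictly alternate, which is what an
intermittent overwrite leaves behind. Thresholds and sample data are
constructed here, not taken from the Azov analysis.
"""
import math
import random

CHUNK = 666            # chunk size reported for Azov's overwrite routine
HIGH_ENTROPY = 7.0     # bits/byte; random bytes score ~7.7, English text ~4.5 (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK):
    """Entropy of each consecutive `chunk`-byte slice (last slice may be short)."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_intermittently_overwritten(data: bytes, chunk: int = CHUNK,
                                     threshold: float = HIGH_ENTROPY,
                                     min_chunks: int = 4) -> bool:
    """True when consecutive full chunks strictly alternate high/low entropy.

    A fully encrypted file (all chunks high) or an untouched text file (all
    low) does not match; only the alternating signature does. A trailing
    partial chunk is ignored because short slices cannot reach the threshold.
    """
    full = (len(data) // chunk) * chunk
    flags = [e >= threshold for e in chunk_entropies(data[:full], chunk)]
    if len(flags) < min_chunks:
        return False
    return all(flags[i] != flags[i + 1] for i in range(len(flags) - 1))


def build_samples(chunks: int = 6):
    """Constructed sample: a clean text file and a copy with every other
    666-byte chunk replaced by pseudo-random noise (seeded for repeatability)."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:CHUNK * chunks]
    rng = random.Random(2022)
    wiped = bytearray(text)
    for i in range(0, chunks, 2):
        wiped[i * CHUNK:(i + 1) * CHUNK] = bytes(rng.getrandbits(8) for _ in range(CHUNK))
    return text, bytes(wiped)


def build_noise(chunks: int = 4) -> bytes:
    """Constructed sample: a file that was fully overwritten or encrypted."""
    rng = random.Random(7)
    return bytes(rng.getrandbits(8) for _ in range(CHUNK * chunks))


if __name__ == "__main__":
    clean, wiped = build_samples()
    print("clean:", [round(e, 2) for e in chunk_entropies(clean)],
          looks_intermittently_overwritten(clean))
    print("wiped:", [round(e, 2) for e in chunk_entropies(wiped)],
          looks_intermittently_overwritten(wiped))
```

Run it against files from a suspected victim (document shares are a good start); files that were already compressed or encrypted score high in every chunk and are correctly not flagged, so a positive result really does point at a partial overwrite rather than at ordinary high-entropy content.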
Top 4 SaaS Security Threats for 2023
Recommendation: With 2022 ending, there is no better time to prepare for the security challenges of the year to come. As SaaS sprawl grows and becomes more complex, organizations can look to four areas of their SaaS environment to harden and secure:
Misconfigurations
SaaS-to-SaaS Access
Device-to-SaaS User Risk
Identity and Access Governance
APT recommends using a SaaS security posture management (SSPM) platform, such as Adaptive Shield, to harden SaaS security. An SSPM is an automated tool that continuously monitors SaaS applications for misconfigurations, unnecessary user accounts, excessive user permissions, compliance risks, and other cloud security issues, so that they can be identified and remediated faster, before they are exploited.
MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics
Recommendation: The Iran-linked MuddyWater threat actor has been observed targeting several countries in the Middle East, as well as Central and West Asia, in a new spear-phishing campaign. The intrusions follow MuddyWater's long-running modus operandi: phishing lures that contain a direct Dropbox link, or a document attachment with an embedded URL, pointing to a ZIP archive. The messages are sent from compromised corporate accounts that are offered for sale on the darknet.
In July 2022 the group switched from ScreenConnect and RemoteUtilities to the Atera Agent to stay under the radar, and it has since moved its remote administration tooling to Syncro. This legitimate remote management software gives the adversary complete control of the machine, allowing it to conduct reconnaissance, deploy additional backdoors, and even sell access to other actors. Threat groups continuously evolve their tactics and techniques to find new ways to stay undetected.
APT recommends continuing to follow best practices within your organization, including ongoing security awareness training and the use of modern intrusion detection and prevention systems (IDS/IPS). As threat groups keep changing their techniques to evade detection, it is essential to threat hunt continually and stay aware of trending groups' latest tactics, techniques, and procedures, along with their indicators of compromise. Best practice is to hunt within your environment for those IOCs to confirm that you have not already been compromised.
Vulnerabilities
Amazon Elastic Container Registry (ECR) Public Gallery is susceptible to a critical security flaw that could have been exploited to stage a potentially devastating attack.
Recommendation: A critical vulnerability in Amazon's Elastic Container Registry (ECR) Public Gallery was recently discovered that could have let attackers write malicious code into other users' public Docker images, which would then execute on every server pulling and running those images. Amazon ECR is a managed container registry service from Amazon Web Services. By default, your account has read and write access to the repositories in your own public registry, and IAM users need explicit permissions to call ECR APIs and push images to repositories owned by that user or by one of their groups; the flaw allowed writes that bypassed this ownership boundary.
Amazon deployed a fix on the service side shortly after Lightspin's report, so no customer action is required; pinning the images you pull by digest rather than by tag remains good practice, since a tampered image would then fail to match.
Security researchers are calling out a serious vulnerability in Fortinet's FortiGate SSL-VPN firmware that could lead to remote attacks against the firewall. The issue, disclosed on Monday, affects multiple FortiOS release branches (fixed builds are listed below) and has already been exploited in the wild by unknown threat actors.
Recommendation: This is a critical bug and should be patched immediately. It is tracked as CVE-2022-42475 (CVSS score: 9.3) and is a heap-based buffer overflow in the SSL-VPN component that could allow an unauthenticated attacker to execute arbitrary code via specially crafted requests.
Make sure you are running a fixed FortiOS build: the releases that address this and other known vulnerabilities are FortiOS 7.2.3, 7.0.9, 6.4.11, and 6.2.12, and FortiOS-6K7K 7.0.8, 6.4.10, 6.2.12, and 6.0.15.
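Checking a fleet against those fixed builds is a per-branch comparison, and doing it as a string comparison gets it wrong ("6.4.9" sorts after "6.4.11"). The following is an added example, not Fortinet's tooling: it parses the version numerically, finds the matching major.minor branch, and reports "fixed", "vulnerable" or "unknown". FIXED_VERSIONS contains only the builds named in this report, so a branch not listed here returns "unknown" rather than a guess; the sample "get system status" line is constructed.

```python
"""Check a running FortiOS build against the fixed releases named above.

Added example; not Fortinet's tooling. FIXED_VERSIONS holds only the fixed
builds listed in this report, so any other release branch returns "unknown"
rather than a guess. The sample `get system status` line is constructed.
"""
import re

FIXED_VERSIONS = {
    "FortiOS":      ["7.2.3", "7.0.9", "6.4.11", "6.2.12"],
    "FortiOS-6K7K": ["7.0.8", "6.4.10", "6.2.12", "6.0.15"],
}


def parse_version(version: str) -> tuple:
    """'6.4.11' -> (6, 4, 11). Tuples compare numerically, unlike the raw
    strings, where '6.4.9' > '6.4.11' because '9' > '1'."""
    return tuple(int(part) for part in version.strip().split("."))


def patch_status(product: str, running: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' for CVE-2022-42475 on `product`."""
    run = parse_version(running)
    for fixed in FIXED_VERSIONS.get(product, []):
        fix = parse_version(fixed)
        if fix[:2] == run[:2]:             # same major.minor branch
            return "fixed" if run >= fix else "vulnerable"
    return "unknown"                       # branch not covered by this report's list


def status_from_cli(line: str, product: str = "FortiOS") -> str:
    """Extract the version from a `get system status` 'Version:' line, e.g.
    'Version: FortiGate-100F v6.4.9,build1966,220728 (GA)' (constructed sample)."""
    match = re.search(r"\bv(\d+\.\d+\.\d+)", line)
    if not match:
        raise ValueError("no FortiOS version found in line")
    return patch_status(product, match.group(1))


if __name__ == "__main__":
    for product, version in [("FortiOS", "6.4.9"), ("FortiOS", "7.2.3"),
                             ("FortiOS-6K7K", "6.0.14"), ("FortiOS", "5.6.14")]:
        print(product, version, "->", patch_status(product, version))
```

Treat "unknown" as a prompt to consult Fortinet's advisory for that branch, not as "safe".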
Cisco has released a security advisory warning of a high-severity flaw that could be exploited by an unauthenticated, adjacent attacker to achieve remote code execution or a denial-of-service (DoS) condition on IP Phone 7800 and 8800 Series devices running firmware release 14.2 and earlier.
Recommendation: Cisco's advisory, published on December 8, 2022, describes a vulnerability in the Cisco Discovery Protocol (CDP) processing of these phones that could allow an attacker to execute arbitrary code. It is tracked as CVE-2022-20968 (CVSS score: 8.1) and stems from insufficient input validation of received CDP packets. Devices are affected whenever CDP is enabled, which it is by default; Cisco's interim mitigation is to disable CDP and let the phones fall back to LLDP for neighbor discovery until fixed firmware is available.
An attacker on the same Layer 2 segment could exploit this vulnerability by sending crafted CDP traffic to an affected device. A successful exploit could cause a stack overflow, resulting in remote code execution or a denial-of-service (DoS) condition on the device.
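"Insufficient input validation of CDP packets" comes down to trusting the length field of each type-length-value element while walking the packet. The following is an added example, not Cisco's code and not an exploit for CVE-2022-20968: a CDP TLV parser that shows where the bounds checks belong and rejects frames whose length fields would read past the buffer, never advance, or exceed a fixed-size destination. The frames are constructed inline, the 255-byte per-value cap is an assumption standing in for a fixed buffer, and the CDP checksum is not computed or verified.

```python
"""Parse Cisco Discovery Protocol TLVs with the bounds checks a receiver needs.

Added example; not Cisco's code and not an exploit for CVE-2022-20968. It
shows where length validation belongs when walking CDP TLVs and rejects
frames whose length fields would read past the buffer, loop forever, or
exceed a fixed-size destination. Frames are constructed inline; the CDP
checksum is not computed or verified here.
"""
import struct

CDP_HEADER = struct.Struct("!BBH")    # version, TTL, checksum
TLV_HEADER = struct.Struct("!HH")     # type, length (length counts this 4-byte header too)
TLV_NAMES = {0x0001: "Device-ID", 0x0003: "Port-ID",
             0x0005: "Software-Version", 0x0006: "Platform"}
MAX_VALUE = 255                        # cap on one TLV value; stands in for a fixed buffer (assumption)


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    return TLV_HEADER.pack(tlv_type, TLV_HEADER.size + len(value)) + value


def build_frame(tlvs, version: int = 2, ttl: int = 180) -> bytes:
    return CDP_HEADER.pack(version, ttl, 0) + b"".join(tlvs)   # checksum left as 0


def parse_cdp(frame: bytes, max_value: int = MAX_VALUE) -> dict:
    """Return {tlv_name: value}; raise ValueError on any malformed length."""
    if len(frame) < CDP_HEADER.size:
        raise ValueError("frame shorter than the CDP header")
    version, _ttl, _checksum = CDP_HEADER.unpack_from(frame, 0)
    if version not in (1, 2):
        raise ValueError(f"unsupported CDP version {version}")
    tlvs, off = {}, CDP_HEADER.size
    while off < len(frame):
        if len(frame) - off < TLV_HEADER.size:
            raise ValueError(f"truncated TLV header at offset {off}")
        tlv_type, tlv_len = TLV_HEADER.unpack_from(frame, off)
        # These are the checks a receiver that trusts the wire length skips.
        if tlv_len < TLV_HEADER.size:                 # length 0..3 would never advance
            raise ValueError(f"TLV length {tlv_len} smaller than its header at offset {off}")
        if off + tlv_len > len(frame):                # claimed length runs past the frame
            raise ValueError(f"TLV length {tlv_len} exceeds frame at offset {off}")
        value = frame[off + TLV_HEADER.size:off + tlv_len]
        if len(value) > max_value:                    # would overflow a fixed-size copy target
            raise ValueError(f"TLV value of {len(value)} bytes exceeds cap of {max_value}")
        tlvs[TLV_NAMES.get(tlv_type, f"type-0x{tlv_type:04x}")] = value
        off += tlv_len
    return tlvs


def is_well_formed(frame: bytes) -> bool:
    try:
        parse_cdp(frame)
        return True
    except ValueError:
        return False


# Constructed frames: one valid, three malformed in the ways the parser rejects.
GOOD_FRAME = build_frame([build_tlv(0x0001, b"switch01"),
                          build_tlv(0x0003, b"GigabitEthernet1/0/1")])
OVERLONG = build_frame([TLV_HEADER.pack(0x0001, 0x0400) + b"switch01"])  # claims 1024 bytes
ZERO_LEN = build_frame([TLV_HEADER.pack(0x0001, 0)])                      # would never advance
OVERSIZED = build_frame([build_tlv(0x0005, b"A" * 300)])                  # bigger than the cap

if __name__ == "__main__":
    print(parse_cdp(GOOD_FRAME))
    for name, frame in (("OVERLONG", OVERLONG), ("ZERO_LEN", ZERO_LEN), ("OVERSIZED", OVERSIZED)):
        print(name, "well-formed:", is_well_formed(frame))
```

The same three checks (length at least the header size, length within the remaining frame, value within the destination buffer) apply to any TLV-style protocol parsed in C on an embedded device; dropping the third is how a crafted Layer 2 frame turns into a stack overflow.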
Google has released the December 2022 security update for Android, fixing four critical-severity vulnerabilities. The most serious of the flaws impacts Bluetooth, allowing attackers to remotely execute code by exploiting a flaw in the Bluetooth stack of the Android operating system.
Recommendation: The four critical vulnerabilities are three remote code execution flaws (CVE-2022-20472, CVE-2022-20473, and CVE-2022-20411) and an information disclosure flaw (CVE-2022-20498). The remaining fixes cover elevation-of-privilege, further RCE and information-disclosure, and denial-of-service issues.
APT recommends applying the released updates as soon as possible. If your device no longer receives the monthly security updates, it cannot be patched; in that case the recommendation is to replace it with a currently supported device.
A new zero-day in the Citrix ADC and Gateway (CVE-2022-27518) breaks down the network perimeter, allowing hackers to gain access to sensitive data with little friction.
Recommendation: State-sponsored hackers are actively exploiting a zero-day Citrix ADC and Gateway vulnerability (CVE-2022-27518) to gain access to corporate networks.
Administrators should apply the appropriate patches for this critical update immediately. Only appliances configured as a SAML service provider (SP) or SAML identity provider (IdP) are affected, and customers running an affected build with such a configuration are urged to install the recommended builds right away. The flaw is attributed to insufficient validation of SAML federated identity information, allowing an attacker to impersonate another user and access the application.