Weekly Intel Report - December 28, 2022
Weekly threatscape analysis that keeps you two steps ahead of the bad guys.
Ransomware, Malware & Phishing
LastPass: Hackers accessed and copied customers’ password vaults
Recommendation: Password manager LastPass announced Thursday that hackers had accessed and copied a backup of data that included customers’ passwords, stored in an encrypted format. In an update to an existing post, Toubba said that data obtained during a previous attack in August was “used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.” The threat actor also accessed “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.” Despite the risk associated with password managers, it is still recommended that you push users within your organization to use a password manager, as long as the service complies with technical standards that include preventing the service itself (and thus any attacker) from being able to access the decryption key.
Specific to this breach, APT recommends that, if LastPass is used within your environment, you force a password reset for all users of the password safe using the admin key. It is also essential to have a strong password policy that forces password resets every 60-90 days and requires letters, numbers, and special characters, with a password length of at least 12 characters.
RedDelta Targets European Government Organizations and Continues to Iterate Custom PlugX Variant
Recommendation: The Chinese state-sponsored threat activity group RedDelta is still targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. During the three-month period from September through November 2022, RedDelta regularly used an infection chain employing malicious shortcut files, which trigger a dynamic-link library search-order-hijacking execution chain to load consistently updated PlugX versions. RedDelta used decoy documents specific to government and migration policy within Europe. RedDelta C2 (command-and-control) infrastructure was observed communicating with a European government department. Other aliases for RedDelta are BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte. Due to the nature of these rapid-fire attacks, they are extremely difficult to stop.
APT recommends continued security awareness within your organization, including education on how to spot phishing emails, verifying senders, hovering over email addresses and any included links, and the importance of not downloading any unknown files (especially from disreputable emails or websites).
Raspberry Robin Worm Strikes Again, Targeting Telecom and Government Systems
Recommendation: The Raspberry Robin worm has been used in attacks against telecommunications and government office systems across Latin America, Australia, and Europe since September 2022. The main payload itself is packed with more than 10 layers of obfuscation and can deliver a fake payload once it detects sandboxing and security analytic tools. Most infections have occurred in Argentina, with others occurring in Australia, Mexico, Croatia, Italy, Brazil, France, India, and Colombia. The worm is attributed to an activity cluster tracked by Microsoft as DEV-0856 and is being used as an initial access mechanism to deliver LockBit and CLOP ransomware. The malware is known for relying on infected USB drives as a distribution vector to download a rogue MSI installer file that deploys the main payload responsible for facilitating post-exploitation. If no sandboxing or analysis tools are detected, the real payload is installed and connects to a hard-coded .onion address. Trend Micro researchers believe that the threat actors are “testing the waters” to see how far this deployment can go.
If this is simply the testing of a new worm, APT recommends continued awareness and staying on high alert, as it can be widely deployed across many organizations. APT also recommends ensuring that your hardware is not infected and that there are no rogue MSI installer files. It is recommended to check USB drives and files to ensure no viruses are already downloaded or waiting to be downloaded. Also, check Task Manager to ensure that the running processes line up with what is actually being done on the device.
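The checks recommended above can be turned into a triage pass over process-creation telemetry. The following is an added example, not code from the report or from any vendor: it scores constructed Windows process events (Sysmon Event ID 1 style field names are an assumption about your logging; the paths, URL and drive letters are placeholders) against the behaviour described for Raspberry Robin, namely msiexec pulling an installer from a URL and processes launched from removable media.

```python
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
DRIVE_RE = re.compile(r"\b([A-Za-z]:)\\")

# Constructed sample process-creation events (Sysmon Event ID 1 style fields,
# an assumption about your telemetry; paths and the URL are placeholders).
EVENTS = [
    {"image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec /q /i http://installer.invalid/setup.msi",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "current_directory": "C:\\Users\\alice"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd /c start E:\\docs.lnk",
     "parent_image": "C:\\Windows\\explorer.exe",
     "current_directory": "E:\\"},
    {"image": "C:\\Windows\\System32\\msiexec.exe",
     "command_line": "msiexec /i C:\\Temp\\vendor-tool.msi",
     "parent_image": "C:\\Windows\\explorer.exe",
     "current_directory": "C:\\Temp"},
]

def on_removable(path, removable):
    """True when a Windows path begins with one of the caller's removable drive letters."""
    return path[:2].upper() in removable

def triage_event(ev, removable):
    """Return the reasons one event matches the worm's described behaviour (empty = clean)."""
    reasons = []
    image = ev.get("image", "").lower()
    cmd = ev.get("command_line", "")
    # The worm downloads its MSI: an installer taken straight from a URL rather
    # than from a package already on disk is the first signal.
    if image.endswith("msiexec.exe") and URL_RE.search(cmd):
        reasons.append("msiexec installing from a URL")
    # Process image or working directory on removable media (the USB distribution vector).
    if on_removable(image, removable) or on_removable(ev.get("current_directory", ""), removable):
        reasons.append("process started from removable media")
    # Command line that reaches back onto a removable drive (a shortcut or MSI sitting on it).
    if any(d.upper() in removable for d in DRIVE_RE.findall(cmd)):
        reasons.append("command line references a removable-drive path")
    return reasons

def triage(events, removable):
    """Return (index, reasons) for every event that matched at least one heuristic."""
    removable = {d.upper() for d in removable}
    return [(i, r) for i, ev in enumerate(events) if (r := triage_event(ev, removable))]

if __name__ == "__main__":
    for idx, why in triage(EVENTS, {"E:"}):
        print(f"event {idx}: {'; '.join(why)}")
```

Feed the removable drive letters from your device inventory rather than assuming anything other than C: is USB, and treat a hit as a prompt to pull the MSI and the USB contents for analysis, not as a verdict.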
Vulnerabilities
Critical vulnerability discovered in Linux Kernel ‘ksmbd’ module rates a 10/10 on the CVSS scale
Recommendation: The ‘ksmbd’ module was only introduced in Linux 5.15, so it should not be widely used as of yet. This is good news, as exploitable systems are not very common for this vulnerability. This remote code execution was first spotted last week but was only recently assigned a CVE identifier (CVE-2022-47939). The SMB2_TREE_DISCONNECT command allows a client to disconnect from a share. An attacker could exploit this by sending a specially crafted request and making the system think that it is actually trying to connect at the same time. This type of denial-of-service attack can be used to take down or stall your server by overwhelming it with requests. If you are impacted by this, APT recommends applying the latest patch released to remediate the vulnerability ASAP.
Apache vulnerabilities allow for new Zerobot malware to spread through exploitation.
Recommendation: Zerobot is the name given to a botnet that targets Internet of Things (IoT) devices. The latest version of the botnet has been upgraded with new capabilities that allow it to infect new devices by exploiting security vulnerabilities in Apache servers. The Microsoft Defender for IoT research team has also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities. For the full list of CVEs added to Zerobot 1.1, see the full report. To spread itself across the internet, Zerobot uses a variety of methods including brute force attacks against unsecured devices and exploiting vulnerabilities in Internet of Things devices and web applications.
Zoom remediates a cross-site scripting bug that affected both the desktop and web versions of its Whiteboard application.
Recommendation: The vulnerability was found in the Zoom Whiteboard application and was rated as high severity by the researcher. The bug allowed an attacker to inject malicious code into the application and perform actions such as executing commands on the server or stealing user data. The exact details of the vulnerability and how it was exploited are not available, but Zoom has confirmed that no user data was compromised as a result of this bug. Zoom also stated that it fixed the issue in an update released on December 12th, 2022.
If you are impacted by this vulnerability, it is advised to update your application to the latest known version.