Category Archives: News

Chinese Hackers Exploit Fortinet Vulnerability To Commit Espionage

A medium-severity security vulnerability in Fortinet FortiOS has been exploited in a zero-day attack, with a suspected Chinese hacking group behind the operation. Threat intelligence company Mandiant linked the activity to a broader campaign aiming to deploy backdoors in Fortinet and VMware solutions for persistent access to targeted environments. The firm is tracking this malicious operation as UNC3886, an advanced cyber-espionage group with Chinese connections.

Mandiant researchers observed UNC3886 targeting firewall and virtualization technologies lacking EDR support, demonstrating a deeper understanding of these technologies. The group has previously been connected to intrusions targeting VMware ESXi and Linux vCenter servers in a hyperjacking campaign that deployed backdoors like VIRTUALPITA and VIRTUALPIE.

This report comes as Fortinet discloses that government entities and large organizations fell victim to an unidentified threat actor exploiting a zero-day bug in Fortinet FortiOS software, resulting in data loss and OS and file corruption. The vulnerability, labeled CVE-2022-41328 with a CVSS score of 6.5, involves a path traversal bug in FortiOS that could enable arbitrary code execution. Fortinet patched the issue on March 7, 2023.

Mandiant found that UNC3886’s attacks targeted Fortinet’s FortiGate, FortiManager, and FortiAnalyzer appliances to deploy two different implants, THINCRUST and CASTLETAP. This was possible because the FortiManager device was exposed to the internet.

THINCRUST is a Python backdoor that can execute arbitrary commands and read and write files on disk. The threat actor uses its persistence to deliver FortiManager scripts that weaponize the FortiOS path traversal flaw, overwriting legitimate files and modifying firmware images. This includes a new payload called “/bin/fgfm” (CASTLETAP), which communicates with an actor-controlled server to receive instructions, run commands, fetch payloads, and exfiltrate data.

After deploying CASTLETAP to FortiGate firewalls, the threat actor connected to ESXi and vCenter machines to establish persistence using VIRTUALPITA and VIRTUALPIE. In cases where FortiManager devices had internet access restrictions, the attacker pivoted from a compromised FortiGate firewall with CASTLETAP to drop a reverse shell backdoor called REPTILE (“/bin/klogd”) on the network management system.

UNC3886 also used a utility called TABLEFLIP to connect directly to the FortiManager device, bypassing access-control list (ACL) rules. This is not the first instance of Chinese hacking groups targeting networking equipment to distribute custom malware, with recent attacks exploiting vulnerabilities in Fortinet and SonicWall devices.

The speed at which threat actors develop and deploy exploits has increased, with 28 vulnerabilities exploited within seven days of public disclosure, marking a 12% rise over 2021 and an 87% rise over 2020. China-aligned hacking groups have become highly skilled at exploiting zero-day vulnerabilities and deploying custom malware to steal credentials and maintain long-term access to targeted networks. Mandiant warns that this activity is evidence of advanced cyber-espionage threat actors utilizing any available technology to persist and navigate target environments, especially those without EDR solutions.

Microsoft March 2023 Patch Tuesday

On Tuesday, Microsoft issued updates to address at least 74 security vulnerabilities in its Windows operating systems and software. Among these, two flaws are already being actively exploited, with one particularly severe vulnerability found in Microsoft Outlook that can be exploited without any user involvement.

The Outlook vulnerability (CVE-2023-23397) affects all Microsoft Outlook versions from 2013 to the latest release. Microsoft confirmed that attackers are exploiting this weakness, which can be accomplished without user interaction by sending a malicious email that activates automatically upon retrieval by the email server—even before being viewed in the Preview Pane.

Although CVE-2023-23397 is classified as an “Elevation of Privilege” vulnerability, its severity is not accurately conveyed by this label, according to Kevin Breen, director of cyber threat research at Immersive Labs. Known as an NTLM relay attack, it enables an attacker to obtain an individual’s NTLM hash (a hash of the Windows account password) and use it in a “Pass The Hash” attack.

Breen explained that the vulnerability effectively allows the attacker to authenticate as a trusted person without needing to know their password, which is equivalent to the attacker having valid credentials with access to an organization’s systems.

Rapid7, a security firm, highlights that this bug affects self-hosted Outlook versions like Microsoft 365 Apps for Enterprise, but not Microsoft-hosted online services such as Microsoft 365.

The other actively exploited zero-day flaw, CVE-2023-24880, is a “Security Feature Bypass” in Windows SmartScreen, which is part of Microsoft’s endpoint protection tools suite. Patch management provider Action1 notes that the exploit for this bug is low in complexity and does not require special privileges. However, it does necessitate some user interaction and cannot be used to access private information or privileges. The flaw can enable other malicious code to execute without being detected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses. He explained that protective measures like SmartScreen and Protected View in Microsoft Office depend on MOTW, so bypassing these defenses makes it easier for threat actors to disseminate malware through malicious documents and other infected files that would otherwise be stopped by SmartScreen.

This week, Microsoft also patched seven other vulnerabilities that were given its highest “critical” severity rating. These updates address security gaps that could be exploited to provide an attacker with full, remote control over a Windows host with minimal or no user interaction.

Additionally, Adobe released eight patches this week to fix 105 security vulnerabilities across various products, including Adobe Photoshop, ColdFusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.

Chinese and Russian Hackers Using SILKLOADER Malware to Evade Detection

According to a report by Finnish cybersecurity firm WithSecure, Chinese and Russian cybercriminals have been using a new piece of malware called SILKLOADER to load Cobalt Strike onto infected machines. The malware employs DLL side-loading techniques to deliver commercial adversary simulation software. With the increased detection capabilities against Cobalt Strike, threat actors are seeking alternative options or developing new methods to propagate the framework to evade detection (source: The Hacker News).

SILKLOADER is similar to other loaders like KoboldLoader, MagnetLoader, and LithiumLoader, which incorporate Cobalt Strike components. It uses specially crafted libvlc.dll files to hijack a legitimate VLC media player binary, aiming to evade defense mechanisms. WithSecure’s researchers discovered the shellcode loader during their analysis of “several human-operated intrusions” targeting organizations in Brazil, France, and Taiwan in Q4 2022.

Another loader called BAILLOADER has also been linked to attacks involving Quantum ransomware, GootLoader, and the IcedID trojan in recent months. It is suspected that various threat actors are sharing Cobalt Strike beacons, crypters, and infrastructure provided by third-party affiliates to service multiple intrusions using different tactics.

WithSecure’s analysis of SILKLOADER samples indicates that the malware was initially created by Chinese cybercriminals and later acquired by a Russian threat actor. The increasing modularity of the cybercriminal ecosystem through service offerings makes it difficult to attribute attacks to specific threat groups based solely on the components used in their attacks.

Google Finds 18 Critical Security Vulnerabilities in Samsung Exynos Chips

According to a recent report, Google has discovered 18 severe security vulnerabilities in Samsung’s Exynos chips, some of which can be remotely exploited without user interaction to completely compromise a phone. These zero-day vulnerabilities affect a broad range of Android smartphones from Samsung, Vivo, and Google, as well as wearables using the Exynos W920 chipset and vehicles equipped with the Exynos Auto T5123 chipset.

Of the 18 vulnerabilities, four can allow an attacker to achieve internet-to-baseband remote code execution; the vulnerabilities were reported in late 2022 and early 2023. This means that a hacker can remotely compromise a phone at the baseband level without user interaction, requiring only knowledge of the victim’s phone number. If exploited, a threat actor could gain entrenched access to cellular information passing in and out of the targeted device. Google Project Zero’s head, Tim Willis, disclosed the four flaws but withheld additional details.

The remaining 14 vulnerabilities are considered less severe as they require a rogue mobile network insider or an attacker with local access to the device. Pixel 6 and 7 handsets have already received a patch as part of March 2023 security updates, but patches for other devices are expected to vary depending on the manufacturer’s timeline.

While waiting for the patches, users are recommended to turn off Wi-Fi calling and Voice over LTE (VoLTE) in their device settings to “remove the exploitation risk of these vulnerabilities.” Even though the attacks may appear difficult to execute, skilled attackers can devise an operational exploit to breach affected devices remotely and silently.

Websites that look like Telegram and WhatsApp Sites Stealing Crypto

According to a new analysis by ESET researchers Lukáš Štefanko and Peter Strýček, copycat websites for popular instant messaging apps like Telegram and WhatsApp are being used to distribute trojanized versions, infecting Android and Windows users with cryptocurrency clipper malware. The malware is designed to target victims’ cryptocurrency funds, with several targeting cryptocurrency wallets.

While the first instance of clipper malware on the Google Play Store dates back to 2019, this marks the first time Android-based clipper malware has been built into instant messaging apps. Some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on compromised devices, which is a new feature for Android malware.

The attack begins with unsuspecting users clicking on fraudulent ads on Google search results that lead to hundreds of sketchy YouTube channels, which then direct them to lookalike Telegram and WhatsApp websites. What’s unique about this latest batch of clipper malware is that it can intercept a victim’s chats and replace any sent and received cryptocurrency wallet addresses with addresses controlled by the threat actors.

One cluster of clipper malware makes use of OCR to find and steal seed phrases by leveraging a legitimate machine learning plugin called ML Kit on Android, making it possible to empty the wallets. Another cluster is designed to keep tabs on Telegram conversations for certain Chinese keywords related to cryptocurrencies and exfiltrate the complete message, along with the username, group or channel name, to a remote server.

Lastly, a fourth set of Android clippers comes with capabilities to switch the wallet address as well as harvest device information and Telegram data such as messages and contacts. The rogue Android APK package names include org.telegram.messenger, org.telegram.messenger.web2, org.tgplus.messenger, io.busniess.va.whatsapp, and com.whatsapp.

ESET also found two Windows clusters, one which is engineered to swap wallet addresses and a second group that distributes remote access trojans (RATs) in place of clippers to gain control of infected hosts and perpetrate crypto theft.

It is important to note that these clusters, despite following a similar modus operandi, represent different sets of activity likely developed by different threat actors. The campaign, like a similar malicious cyber operation that came to light last year, targets Chinese-speaking users, primarily motivated by the fact that both Telegram and WhatsApp are blocked in the country.

GoLang-Based HinataBot Exploiting Router and Server Flaws

A new botnet named HinataBot, which is based on the Golang programming language, has been found exploiting known vulnerabilities to compromise routers and servers for launching distributed denial-of-service (DDoS) attacks. According to a technical report by Akamai, the botnet’s name is inspired by a character from the anime series Naruto, with filenames like “Hinata-<OS>-<Architecture>.” The malware is distributed through the exploitation of exposed Hadoop YARN servers, Realtek SDK devices (CVE-2014-8361), and Huawei HG532 routers (CVE-2017-17215, CVSS score: 8.8).

HinataBot’s threat actors have been active since December 2022, initially using a generic Go-based Mirai variant before developing their custom malware. The malware is still evolving, with newer artifacts found in Akamai’s HTTP and SSH honeypots. HinataBot can contact a command-and-control (C2) server for instructions and initiate attacks on target IP addresses.

The latest version of HinataBot uses HTTP and UDP protocols for DDoS attacks. Tests by Akamai showed that an HTTP flood generated 20,430 HTTP requests, while a UDP flood created 6,733 packets. In a hypothetical real-world attack with 10,000 bots, a UDP flood would peak at over 3.3 terabits per second (Tbps), and an HTTP flood would generate about 27 gigabits per second (Gbps).

The use of Golang in malware, like HinataBot, GoBruteforcer, and KmsdBot, complicates reverse engineering due to its high performance, multi-threading, cross-compilation support, and complexity when compiled. Microsoft’s Azure Network Security Team has highlighted the importance of being proactive and developing a DDoS response strategy as DDoS attacks become more frequent and sophisticated.

Original source: The Hacker News

CISOs are Stressed and Burned Out

Employee well-being has become a primary focus for many businesses. Even before the pandemic, the C-suite was acutely aware of how employee mental health impacts business outcomes. But for cybersecurity professionals, stress has always been a part of the job.

A new survey revealed that one of the most concerning aspects of employee mental health is how it impacts cybersecurity programs and, more broadly, a business’ ability to protect itself from cyberattacks.

CISOs and their teams appear to be taking the brunt of unmitigated work-related stress levels and it’s affecting the entire organization. CISOs at small to midsize businesses with teams of five employees or fewer were surveyed to better understand how work-related stress is impacting CISOs – from their ability to do their job and lead their team to how it’s affecting their own professional outlook and personal life. Here’s what the survey results revealed.

Among the CISOs surveyed, there was a distressing number of respondents suffering from work-related stress. According to the report, 94% of CISOs reported being stressed at work, with 65% confiding that work-stress levels compromised their ability to protect their organizations.

More than 70% of the CISOs surveyed believed their stress levels were higher than their colleagues in other areas of the business. Unfortunately, CISO stress levels were not confined to the leadership role. Employee burnout is spreading like wildfire across security teams. Increased workloads are affecting all levels of the department, creating high churn rates while simultaneously hampering recruitment efforts. Nearly three-quarters of the CISOs surveyed said they had employees quit during the past year because of stress – with 47% reporting more than one employee exiting their role.

The rise in churn rates is leaving CISOs with a limited pool of candidates, underscoring the current talent shortage that is happening across the cybersecurity space. When asked about their hiring process, 83% of CISOs said they have had to compromise on candidate selection – hiring employees who lacked necessary skills and capabilities.

Today’s economic climate is having a major impact on cybersecurity departments. Reduced budgets, hiring freezes, and lack of resources are all leading to untenable workloads for CISOs and their staff. In fact, 38% of CISOs reported they are considering or actively searching for a new job. The reality is that security teams are inundated with alerts – required to manage an overwhelming number of cybersecurity threats coming from all directions.

The surge in work responsibilities is putting a spotlight on cybersecurity program gaps with many outside of the IT department questioning the safety of the organization. Nearly 80% of CISOs surveyed said they had received complaints from their bosses, colleagues, or subordinates about how security tasks were being handled. Consequently, 93% of CISOs say they are spending more time than they should on tactical tasks (versus strategic high-quality work). It’s a vicious cycle: the lack of appropriate headcounts and resources leads to CISOs managing too many tedious, redundant work tasks, which results in less than satisfactory security outcomes – opening the door to high-stress work environments.

Anyone who has ever held a job knows it’s difficult to leave work-related stress at work. But for CISOs, it’s especially difficult to manage a healthy work-life balance because of the critical and immediate nature of their work responsibilities. According to the survey, a whopping 84% of CISOs said they had postponed or canceled a vacation because of an urgent security task – 11% report this has happened four or more times during the past year. Work fatigue has caused 64% of CISOs to cancel a private event and 77% of the CISOs surveyed claim that work-related stress is impacting their physical health.

The survey makes clear how CISO stress levels are impacting every part of their life; meanwhile, cybersecurity threats continue to grow at an alarming rate.

How Businesses Can Help Reduce CISO Stress Levels

The mental health of your employees impacts every facet of the business.

According to a report from the MIT Sloan Management Review, “Organizations outperforming their peers are those that have cultivated a strong sense of empathy and flexibility, developed new skills to address workforce needs, and extended holistic mental health support to employees.” A stressed out security team is not operating at full capacity, missing key threats and leaving the organization vulnerable to attacks. It stands to reason that improving work-related stress levels for CISOs – and their staff – has a direct impact on the business’ cybersecurity efforts. But what deliberate steps can businesses take to reduce work-related stress levels? For starters, 100% of CISOs said they need additional resources to cope with security challenges, including automation capabilities, better training opportunities, and the ability to outsource tasks.

More than half of the CISOs surveyed want the ability to consolidate security technologies on a single platform – a move they said would directly impact their work life, helping to lower stress levels. Ultimately, businesses that fail to address CISO stress levels are putting their company at risk. It is impossible to prioritize cybersecurity initiatives without taking into account the mental health of the teams that manage it. Protecting your CISO’s well-being is the first step to protecting your business.

Original Article Source: The Hacker News

BlackLotus – First UEFI Bootkit Malware To Bypass Windows 11 Secure Boot

The Slovak cybersecurity company ESET has discovered a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus, the first publicly known malware capable of bypassing Secure Boot defenses. The bootkit is capable of running on fully updated Windows 11 systems, disabling OS-level security mechanisms, and deploying arbitrary payloads during startup with high privileges.

According to ESET, BlackLotus is programmed in Assembly and C, is 80 kilobytes in size, and is available for purchase at $5,000 (with a subsequent version costing $200). The malware also includes geofencing capabilities, avoiding infection in several countries.

BlackLotus exploits CVE-2022-21894, a security flaw that allows arbitrary code execution during early boot phases, enabling malicious actors to carry out harmful actions on systems with UEFI Secure Boot enabled without requiring physical access. The vulnerability was addressed in Microsoft’s January 2022 Patch Tuesday update, but the affected, validly signed binaries have yet to be added to the UEFI revocation list, making its exploitation still possible.

The bootkit turns off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender, while dropping a kernel driver and an HTTP downloader to communicate with a command-and-control (C2) server to retrieve additional user-mode or kernel-mode malware.

The exact modus operandi used to deploy the bootkit is still unknown, but it starts with an installer component that writes files to the EFI system partition, disables HVCI and BitLocker, and reboots the host. Following the restart, CVE-2022-21894 is weaponized to achieve persistence and install the bootkit, which is then automatically executed on every system start to deploy the kernel driver.

ESET researcher Martin Smolár said that “many critical vulnerabilities affecting security of UEFI systems have been discovered in the last few years. Unfortunately, due to the complexity of the whole UEFI ecosystem and related supply-chain problems, many of these vulnerabilities have left many systems vulnerable even a long time after the vulnerabilities have been fixed.” Smolár further noted that it was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.

The security community is encouraged to remain vigilant and take appropriate measures to secure their systems against such attacks.

Cybercriminals Targeting Law Firms With GootLoader and FakeUpdates

The following article was originally published on The Hacker News on March 1st, 2023, and discusses the recent targeting of law firms by cybercriminals using GootLoader and FakeUpdates malware.

Six law firms have fallen victim to two separate cyber threats, which utilized GootLoader and FakeUpdates (also known as SocGholish) malware, between January and February of 2023.

GootLoader, which has been active since late 2020, serves as a first-stage downloader that can deliver secondary payloads such as ransomware and Cobalt Strike.

The malware utilizes search engine optimization (SEO) poisoning to redirect individuals searching for business-related documents towards malicious websites that then drop the JavaScript malware.

Cybersecurity company eSentire reported on one of the campaigns, stating that the attackers compromised legitimate but vulnerable WordPress websites and added new blog posts without the owners’ knowledge.

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” explained eSentire researcher Keegan Keplinger in January 2022.

GootLoader is not the only JavaScript malware targeting law firms and business professionals, as SocGholish has also been used in a separate wave of attacks capable of delivering additional executables.

One of the campaigns stood out for using a website frequented by legal firms as a watering hole to distribute the malware, making it a noteworthy infection chain.

The cybercriminals behind these attacks have also demonstrated a preference for hands-on activity instead of deploying ransomware, indicating that they may have expanded their focus to include espionage operations.

According to Keplinger, “Prior to 2021, email was the primary infection vector used by opportunistic threat actors. From 2021 to 2023, browser-based attacks […] have steadily been growing to compete with email as the primary infection vector,” thanks in part to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results.

(Original article source: https://thehackernews.com/2023/03/cybercriminals-targeting-law-firms-with.html)

Microsoft Exchange Admins Told to Expand Antivirus Scanning

According to a recent article published on Help Net Security, Microsoft has advised Exchange administrators to expand the scope of antivirus scanning on Exchange servers. Attackers frequently target Microsoft Exchange servers due to their sensitive corporate information, including employee information that could be used for spear-phishing attacks.

Microsoft recommends using antivirus software, specifically Microsoft Defender, on Exchange servers, but some directories, processes, and file name extensions should be excluded from scanning. This exclusion list is extensive, but it no longer includes the Temporary ASP.NET Files and Inetsrv folders, the PowerShell and w3wp processes, and other items.

However, Microsoft has warned that keeping these exclusions may prevent the detection of IIS webshells and backdoor modules, which are the most common security issues. Webshells and backdoors give attackers remote access and code execution capabilities on the server.

The article notes that the removal of these exclusions should not cause any stability issues on Exchange Server 2019, 2016, and 2013, but they can be put back into place if any issues arise.
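
An audit of the Defender exclusion lists for the entries named above, as an added example that is not from Microsoft, Help Net Security, or the original article. The wildcard patterns are assumptions built from the folder and process names in the text rather than full paths, and the script assumes the Defender PowerShell cmdlets (Get-MpPreference) are available and that it runs in an elevated session.

```powershell
# Added example: flag Microsoft Defender exclusions that match the folders and
# processes the article says are no longer on Microsoft's recommended list.
# The patterns below are assumptions derived from the names in the text.
$folderPatterns  = @('*\Temporary ASP.NET Files*', '*\inetsrv*')
$processPatterns = @('*powershell.exe', '*w3wp.exe')

function Find-RiskyExclusion {
    param(
        [string[]]$Configured,   # exclusions currently set in Defender
        [string[]]$Patterns,     # wildcard patterns to flag
        [string]$Kind            # 'Path' or 'Process', used in the report
    )
    foreach ($entry in $Configured) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        # Expand %SystemRoot%-style variables so both spellings match.
        $expanded = [Environment]::ExpandEnvironmentVariables($entry)
        foreach ($pattern in $Patterns) {
            # -like is case-insensitive, which suits Windows paths.
            if ($expanded -like $pattern) {
                [pscustomobject]@{
                    Kind      = $Kind
                    Exclusion = $entry
                    Matched   = $pattern
                }
                break   # one finding per configured entry
            }
        }
    }
}

# Without elevation Defender hides the exclusion lists, so run this as admin.
$pref = Get-MpPreference

# A process can also be excluded by listing its executable as a path
# exclusion, so path entries are checked against both pattern sets.
$findings = @(
    Find-RiskyExclusion -Configured $pref.ExclusionPath `
                        -Patterns ($folderPatterns + $processPatterns) -Kind 'Path'
    Find-RiskyExclusion -Configured $pref.ExclusionProcess `
                        -Patterns $processPatterns -Kind 'Process'
)

if ($findings.Count -eq 0) {
    Write-Output 'No Defender exclusions match the folders or processes named above.'
} else {
    $findings | Format-Table -AutoSize

    # Removal is left commented out so the script is read-only by default.
    # foreach ($f in $findings) {
    #     if ($f.Kind -eq 'Path')    { Remove-MpPreference -ExclusionPath    $f.Exclusion }
    #     if ($f.Kind -eq 'Process') { Remove-MpPreference -ExclusionProcess $f.Exclusion }
    # }
}
```

Exclusions pushed by Group Policy or another management tool will reappear after local removal, so a finding there needs to be fixed at the policy source.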

Source: Help Net Security