Banyan Labs | Banyan Security (https://www.banyansecurity.io)

Storm-0558 and More: July’s Biggest Security Headlines
https://www.banyansecurity.io/blog/storm-0558-microsoft-july-2023-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=storm-0558-microsoft-july-2023-vulnerabilities
Tue, 08 Aug 2023 01:30:23 +0000

July 2023 saw a host of new vulns, especially in the wake of the Storm-0558 attack on Microsoft, the Fortinet RCE flaw, and the Cisco AnyConnect vulnerability.

The post Storm-0558 and More: July’s Biggest Security Headlines first appeared on Banyan Security.

While vulnerabilities and zero-days are nothing new, the pace at which new ones surface and trend can be astonishing. The recent Microsoft vulnerability involving Storm-0558 is the one gaining the most coverage, and it has the most fallout (especially since it involves state-sponsored adversaries). It also doesn’t help that Microsoft recently announced its new SSE solutions: Entra Private Access and Entra Internet Access. But let’s get to unpacking that below…

Microsoft Hack: Storm-0558

On July 11, 2023, Microsoft disclosed that a Chinese state-sponsored hacking group called Storm-0558 had exploited a flaw in Microsoft’s cloud email service to gain access to the email accounts of U.S. government employees. The group compromised an undisclosed number of email accounts linked to around 25 organizations, including government agencies in Western Europe and the US, as well as related individual consumer accounts.

The flaw exploited by Storm-0558 allowed the group to forge the authentication tokens used to access user accounts. These tokens authenticate users to Microsoft’s cloud email service and are typically generated by the user’s device. However, Storm-0558 was able to steal these tokens from users’ devices by exploiting a vulnerability in the Windows operating system.

Once Storm-0558 had access to the user accounts, the group was able to read and send emails, as well as access other information stored in the accounts. Microsoft said that the group did not appear to have deleted any emails or taken any other malicious actions.

Microsoft has since patched the vulnerability exploited by Storm-0558, and the company is working with affected organizations to help them secure their accounts. The company has also warned other organizations to be on the lookout for similar attacks.

The hacking of U.S. government email accounts by Storm-0558 is a reminder that even large organizations with strong security measures in place can be vulnerable to cyberattacks. It is important for all organizations to have a layered security approach that includes both technical and procedural controls.

Here are some additional details about the Storm-0558 hack:

  • The group is believed to be based in China.
  • The group has been active since at least 2019.
  • The group is known for targeting government agencies and other organizations in the United States and Europe.
  • The group’s methods include spear phishing, password spraying, and exploiting vulnerabilities in software.
  • The group has been linked to a number of other high-profile cyberattacks, including the hack of the SolarWinds Orion software.

Microsoft has said that it is “committed to working with law enforcement to bring those responsible to justice.” The company has also said that it is “taking steps to further strengthen our security posture and protect our customers.”

Cisco AnyConnect Vulnerability CVE-2023-20178

CVE-2023-20178 is a vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows. This vulnerability could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM.

The vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. A successful exploit could allow the attacker to execute code with SYSTEM privileges.

The vulnerability was first reported to Cisco on June 16, 2023 by Filip Dragovic, who later released a PoC on June 18. Cisco published a security advisory on June 23, 2023, and released patches for affected versions of the software on July 14, 2023.

The following versions of Cisco AnyConnect and Cisco Secure Client are affected by this vulnerability:

  • Cisco AnyConnect Secure Mobility Client Software for Windows 4.10.06079 and earlier
  • Cisco Secure Client Software for Windows 5.0.01242 and earlier

To mitigate this vulnerability, Cisco recommends that users update to the latest version of the software. Users can also download the security advisory from the Cisco website.

The following are the steps that an attacker could take to exploit this vulnerability:

  • Connect to a VPN using Cisco AnyConnect or Cisco Secure Client.
  • Once the VPN connection is established, the client update process will be executed.
  • A temporary directory will be created in C:\Windows\Temp with default permissions.
  • The attacker can abuse a specific function of the Windows installer process to delete the temporary directory.
  • If the temporary directory is deleted, the installer process will fail.
  • The installer process will then try to restart itself with elevated privileges.
  • If the attacker is able to control the restart process, they can execute code with SYSTEM privileges.

This vulnerability is rated as High severity by Cisco. Users should update to the latest version of the software as soon as possible to mitigate this vulnerability.

Fortinet RCE Flaw

The Fortinet Remote Code Execution (RCE) flaw in FortiNAC is a critical vulnerability that could allow an unauthenticated attacker to execute arbitrary code on vulnerable devices. The vulnerability is tracked as CVE-2023-33299 and has a CVSS score of 9.6.

The vulnerability exists due to a deserialization flaw in the FortiNAC web application. An attacker could exploit this vulnerability by sending specially crafted HTTP requests to the FortiNAC web server. A successful exploit could allow the attacker to execute arbitrary code on the FortiNAC device, which could then be used to gain control of the network.

The vulnerability affects FortiNAC versions 7.2.0 through 9.4.2. Fortinet has released patches for all affected versions of FortiNAC. Users are advised to apply the patches as soon as possible to mitigate this vulnerability.

The following are the steps that an attacker could take to exploit this vulnerability:

  • Gather the IP address of the FortiNAC device.
  • Craft a specially crafted HTTP request that contains malicious serialized data.
  • Send the HTTP request to the FortiNAC web server.
  • If the exploit is successful, the attacker will be able to execute arbitrary code on the FortiNAC device.

The following are some of the risks associated with this vulnerability:

  • An attacker could gain control of the FortiNAC device and use it to launch further attacks on the network.
  • An attacker could steal sensitive data from the FortiNAC device, such as user credentials or network configuration information.
  • An attacker could disrupt the operation of the FortiNAC device, causing network outages or service disruptions.

Users are advised to apply the patches for FortiNAC as soon as possible to mitigate this vulnerability. Fortinet has also provided a mitigation workaround that can be used to protect vulnerable devices until the patches can be applied.

The following are the steps to implement the mitigation workaround:

  • Disable the FortiNAC web application.
  • Configure the FortiNAC device to only allow connections from trusted hosts.
  • Monitor the FortiNAC device for signs of compromise.

The mitigation workaround will not prevent an attacker from exploiting the vulnerability, but it will make it more difficult for them to do so. Users are advised to apply the patches for FortiNAC as soon as possible to fully mitigate this vulnerability.

Curious how Banyan protects against vulnerabilities? Attend our weekly demo each Tuesday or set up a custom demo today.

Threat Update: Hot Summer of the Charming Kitten APT Spearphisher
https://www.banyansecurity.io/blog/threat-update-apt-spearphisher-hot-summer/?utm_source=rss&utm_medium=rss&utm_campaign=threat-update-apt-spearphisher-hot-summer
Fri, 30 Jun 2023 13:00:29 +0000


Have you felt like you’re hearing more about spearphishing in the news? There’s a reason why: in the ever-expanding landscape of cyber threats, spearphishing has increased this year as a particularly insidious (but effective) tactic employed by threat actors to breach organizational defenses. From APTs to decentralized digital mercenaries, there are simply more attacks this year against more organizations, and the spearphisher is getting better at their job. According to Barracuda’s just-released 2023 Spearphishing Report, 50% of organizations have suffered spearphishing attempts during the past year.

Spearphishers from several APTs have been making headlines over the past few weeks due to their increasing sophistication and the devastating consequences of their attacks, in several cases prompting multi-agency alerts to the U.S. cybersecurity community. Unlike traditional phishing attacks that cast a wide net, the latest spearphisher tactics (like those used by Iran’s Charming Kitten, North Korea’s APT43, and Kimsuky, which we’ll discuss below) are brutally targeted and increasing in their effectiveness. Worthy of note is how similar the tactics are between the APTs, despite being sponsored by different nation-states. Here are a few notable attacks from the past two months highlighting the severity of the spearphishing problem metastasizing through the cybersecurity corpus.

Charming Kitten Attacks, June 2023

Volexity published new research during the last week of June 2023 on the Charming Kitten APT group, an Iran-based threat actor that specializes in gathering intelligence through compromised credentials and spear-phishing emails. Once inside, Charming Kitten expands its access and attempts to pivot to corporate VPNs or remote access services. In this particular spear-phishing campaign, first observed in May 2023, Charming Kitten was found to be distributing an updated version of the POWERSTAR backdoor (aka CharmPower).

POWERSTAR Backdoor

Volexity analyzed the latest version of the POWERSTAR backdoor and discovered a complex POWERSTAR variant, likely assisted by a custom server-side component for automation.

Here’s how the attack played out: the Charming Kitten spearphisher contacted the target by email while pretending to be an Israeli media reporter. Before deploying the malware, the spearphisher asked the target to review a document on US foreign policy (a common request from journalists to subject matter experts they have interviewed or might interview). Next, they sent a malicious LNK file embedded in a password-protected RAR file disguised as a “draft report” (along with the password).

The Charming Kitten Spearphisher Playbook

Here is how the spearphishing attack unfolds:

  1. The spearphisher poses as a genuine person with a verifiable public profile, initiating contact and establishing a basic rapport with the target.
  2. The sender’s email is a lookalike of the impersonated person’s personal account, disguised by a reputable webmail service. The first contact contains no malicious content, avoiding security software detection and recipient concerns (“There’s no link or attachment…this email must be safe…”)
  3. After getting a reply from the target, the spearphisher follows up with emails strengthening the attacker-victim rapport and trust.
  4. Spearphisher emails a malicious, password-protected attachment, separating the password to restrict automated scanning and extraction.


Charming Kitten – Not so Powerless

Earlier in April, Charming Kitten was also observed spearphishing Israeli targets with malware designed to deploy an updated version of a Windows backdoor called PowerLess.

The attack chain starts with an ISO disk image file carrying Iraq-themed lures, which drops a custom in-memory downloader that in turn launches the PowerLess implant. The ISO file displays a decoy document written in Arabic, English, and Hebrew that appears to discuss academic content about Iraq from a legitimate non-profit entity called the Arab Science and Technology Foundation (ASTF), hinting that the research community itself may have been the original campaign target.

The PowerLess backdoor steals data from web browsers and apps like Telegram, logs keystrokes, takes screenshots, and records audio. According to Check Point: “while the new PowerLess payload remains similar, its loading mechanisms have significantly improved, adopting techniques rarely seen in the wild, such as using .NET binary files created in mixed mode with assembly code. PowerLess [c2] communication to the server is Base64-encoded and encrypted after obtaining a key from the server. To mislead researchers, the threat actor actively adds three random letters at the beginning of the encoded blob.”

Spearphisher Team: APT43 + Kimsuky

Charming Kitten isn’t the only APT using this nefarious tactic of impersonating others to launch spearphishing campaigns. At the end of May 2023, Mandiant reported the existence of a new self-funding advanced persistent threat, APT43, whose activities overlap with those of Kimsuky (and have sometimes been attributed to that group). In early June 2023, the NSA advised that Kimsuky (also known as Thallium, or Velvet Chollima) has been conducting large-scale espionage campaigns against members of think tanks, academia, and media. Kimsuky spearphishers meticulously plan and then execute their attacks, using email addresses that closely resemble those of real individuals and crafting convincing, realistic content for the intended target.

Like Charming Kitten, the spearphisher impersonates legitimate, unknowing journalists or writers to inquire about topics like current political events on the Korean peninsula, pending U.S. talks, or foreign or economic policies with China. Emails contain inquiries, invitations for interview, an ongoing survey, or requests to review documents and reports. Similar to Charming Kitten, the initial emails are usually free of malware or any attachments, as their role is to gain the target’s trust rather than achieve a quick compromise. The detailed playbook steps below are excerpted from the joint June 2023 US Government advisory.

The Kimsuky Spearphisher Playbook

  1. Kimsuky actors are known to impersonate well-known news outlets and journalists using a domain such as “@XYZcnn.news,” spoofing a real news outlet, while actual emails from the news service appear as “@XYZnews.com.”
  2. DPRK cyber actors commonly take on the identities of real people to gain trust and establish rapport in their digital communications. Kimsuky actors may have previously compromised the email accounts of the person whom they are impersonating. This allows the actors to search for targets while scanning through compromised emails, with a particular focus on work-related files and personal information pertaining to retirees, social clubs, and contact lists. They craft convincing spearphishing emails by repurposing the person’s email signature, contact list, and past email exchanges. DPRK cyber actors are also known to compromise email accounts belonging to foreign policy experts and subsequently create a secondary email account, using the email account and identity of the expert to communicate with other significant targets.
  3. In other cases, a Kimsuky actor will use multiple personas to engage a target; one persona to conduct initial outreach and a second persona to follow up on the first engagement to distract a potential victim from discerning the identity of the original persona. Another tactic is to “resend” or “forward” an email from a source trusted by a target.
  4. The initial phishing email occasionally contains a malicious link or document, often purporting to be a report or news article. These attached malicious documents are frequently password-protected, which helps them evade detection by antivirus software and other security measures. However, more often, the initial spearphishing email does not contain any malicious links or attachments and is instead intended to gain the trust of the victim.
  5. Once DPRK cyber actors establish engagement with a target, the actors attempt to compromise the account, device, or network belonging to the target by pushing malicious content in the form of a malicious macro embedded within a text document. This document is either attached directly to the email, or stored in a file hosting service, such as Google Drive or Microsoft OneDrive. These malicious macros, when enabled, quietly establish connections with Kimsuky command and control infrastructure, and result in the provision of access to the target’s device.
  6. In some cases, Kimsuky actors have developed “spoofed” or fake but realistic versions of actual websites, portals, or mobile applications, and directed targets to input credentials and other information that are harvested by the DPRK. Compromise of a target account can lead to persistent access to a victim’s communications, often through a malware used by Kimsuky actors called BabyShark. Kimsuky actors have also been known to configure a victim’s email account to quietly auto-forward all emails to another actor-controlled email.

It’s worth keeping an eye on these spearphishing tactics coming out of the APTs (especially those listed above), mostly because attacks get tested in one environment before the tactics spread; often an APT tries a strategy in one place against one target, and then they (or their counterparts and competitors) perfect the techniques and weaponize them further. The same tactics executed against academics one day often take down industrial control systems or enterprises in subsequent months once other cybercriminals find them effective.

A recent talk I attended at Seattle BSides 2023 comes to mind discussing an intrusion from one of the APTs listed above into a volatile manufacturing environment, where the consequences of two chemicals mixing at the wrong time would have been lethal not just to occupants of the factory, but the town in which the plant was housed. We all know cybersecurity has implications in the physical world, but the data shows the spearphisher has gotten smarter…and so should your defensive tools.

Learn more about how Banyan protects against the evolving threat landscape and schedule a custom demo today.

*Researched and authored by Mademoiselle

Banyan Ransomware Threat Update – May 2023
https://www.banyansecurity.io/blog/banyan-ransomware-threat-update-may-2023/?utm_source=rss&utm_medium=rss&utm_campaign=banyan-ransomware-threat-update-may-2023
Fri, 19 May 2023 19:23:13 +0000


It’s popular because it’s profitable, and it’s been a big moment for ransomware around the planet over the past few weeks. At Banyan, we decided to assemble the latest ransomware news for a mid-May Ransomware Threat Update (because there’s been enough of it to warrant its own blog). Ransomware has become ever more targeted, with its strategists becoming more and more creative, especially as the average ransomware payout declined almost 40% last year. A new trend we’re seeing is around double- and triple-extortion, where employees are threatened with the release of personal sensitive data (selfies…medical records…) along with corporate data. As a result, ransomware negotiations have gotten much more nuanced for all involved.

Ransomware Threats Take a Hit – DOJ Charges Wazawaka

Matveev on the run: In other big ransomware news, the U.S. DOJ unsealed indictments on Tuesday, May 16 accusing Mikhail Pavlovich Matveev, aka “Wazawaka,” a Russian national, of conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. Since 2020, Matveev allegedly collaborated from Russia with other hackers using ransomware variants including LockBit, Hive and Babuk. His activities are linked to $200 million in ransoms from around 2,800 victims globally, including hospitals, businesses, nonprofits (including churches and charities) and government agencies. He’s still on the loose, though, and a $10 million USD reward might not be enough to find him (which is a really big bug bounty). He’s known for trolling Brian Krebs earlier this year and is also missing a finger, so keep your eyes open.

Educators, beware: CISA and other agencies have warned of attacks carried out against Education targets by a threat actor known as the Bl00dy Ransomware Gang, who began striking in early May. Bl00dy gained access to victim networks across the Education Facilities Subsector, where PaperCut servers vulnerable to CVE-2023-27350 were exposed to the internet. Note: in an attempt to mask malicious traffic and avoid detection, the Bl00dy actors use TOR and other proxies from within victim networks for external comms.

Ransomware Threats Everywhere – New Kids on the Block

Getting the Royal treatment – “Most likely what happened is you decided to save money on your security…” is how Royal started its ransomware note to the city of Dallas. Some websites–like those for municipal courts and libraries–are still down three weeks after the initial attack on the city of Dallas, Texas. Made up of former members of the Conti cybercrime syndicate, the Royal ransomware group is thought to be behind the attack. If you’re in healthcare, pay attention: Royal has been involved in high-profile attacks against critical infrastructure (especially healthcare) since first emerging in September 2022.

New Actor – RA Group: Cybersecurity researchers from Talos have uncovered a threat actor called RA Group, which first kicked off its operations in late April using previously leaked Babuk source code. It launches double-extortion attacks, stealing sensitive victim personal data as it encrypts systems (to motivate the victims to pay the ransom demand out of fear of personal compromise). When RA Group leaks the data, it discloses the name of the victim, a list of the stolen data, the total size, and the victim’s website, just to be extra-thorough…

MalasLocker and Zimbra: Also heating up this May: more reports of MalasLocker ransomware, which targets Zimbra servers to steal email and encrypt files, finishing with a demand for a ‘charity’ donation. Instead of demanding a ransom payment, the threat actors request a donation to charity before they provide a decryptor and stop leaking data. The operation began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

Curious how Banyan can help prevent ransomware? Schedule a custom demo today.

*Researched and authored by Mademoiselle

VMware ESXi OpenSLP Heap-Overflow Vulnerability (CVE-2021-21974)
https://www.banyansecurity.io/blog/vmware-esxi-openslp-heap-overflow-vulnerability-cve-2021-21974/?utm_source=rss&utm_medium=rss&utm_campaign=vmware-esxi-openslp-heap-overflow-vulnerability-cve-2021-21974
Fri, 10 Feb 2023 22:20:51 +0000


What is the VMware ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974)?

A new heap-overflow vulnerability (CVE-2021-21974) has been discovered in the VMware ESXi OpenSLP service. This vulnerability allows attackers to execute arbitrary code and take control of the affected system, posing a serious threat to organizations that use VMware’s ESXi to manage their virtual infrastructure.

On February 3rd, 2023 the cloud hosting provider OVH notified the security community of an active ransomware campaign affecting many of their ESXi customers (sometimes referred to as “ESXiArgs” because the ransomware creates files with an extension of .args). As of the publishing of this article, no CVE is being concretely attributed as the initial access vector for the ESXiArgs campaign by first-party sources.

VMware ESXi enables organizations to consolidate their server resources and reduce costs. The OpenSLP service provides location information for services within the virtual infrastructure, making it a critical component of the overall system. The heap-overflow vulnerability in this service makes it possible for attackers to execute arbitrary code, leading to the complete compromise and takeover of the affected system.

What the Banyan Research Lab has Observed

Banyan Security’s Research Lab has consistently found IT-approved systems with misconfigurations which allow for unauthorized and unwanted access, as well as non-IT-approved servers and network access points. Banyan’s Discover and Publish functionality discovers shadow IT devices and systems with open ports, enabling policies to be created that lock down access.

In light of this vulnerability, organizations should take immediate action to protect their virtual infrastructure. While patching is an important step, it may not be enough to ensure complete security.

What To Do Next About the VMware ESXi OpenSLP Vulnerability

Next steps for remediation depend on how the system is being accessed. If it is reached through a full-tunnel Layer 3 VPN, that access can be disabled, although this is disruptive for end users. Leaving the system running rather than shutting it down right away allows a more thorough investigation if a breach is suspected, since forensic information can be collected from a live system to take further steps or track down the bad actors. For organizations with ZTNA, access should be limited to very specific ports. This CVE is reached through port 427 (the OpenSLP port), which is not a port that is commonly exposed. Logical segmentation of the system would further protect it from attacks based on that and other unnecessarily open ports. This type of segmentation can be done with the ZTNA solution and does not require any change to the system itself while it is under investigation; any change to the system may reveal to the attacker that the attack has been discovered.

A modern solution will also be able to give visibility into which user from which device is attempting to access the compromised system using the port related to the exploit. This visibility can be used to report on policies that are too permissive and users/devices that may be affected by malware.

As Ransomware-as-a-Service (RaaS) grows, the number of attacks will continue to grow. The FBI’s Internet Crime Complaint Center received 3,729 complaints about ransomware attacks in 2021, an increase of over 70% from 2020. Unprotected and unpatched systems are the low-hanging fruit that attackers often focus on, but can also be the easiest for organizations to remediate.

Visit us to learn more about how Banyan can protect your organization.
