Cisco Smart Licensing Utility Vulnerability


SUMMARY

Cisco recently addressed two critical vulnerabilities (CVE-2024-20439 and CVE-2024-20440) in the Cisco Smart Licensing Utility (CSLU), removing a backdoor administrative account and fixing an information disclosure flaw. These vulnerabilities could allow remote attackers to gain unauthorized administrative access or retrieve sensitive data. Users are advised to update to the latest version to prevent exploitation.

 

RISK SCORE

CVE-ID              CVSSv3 Score
CVE-2024-20439      9.8
CVE-2024-20440      9.8

 

VULNERABILITY DETAILS

CSLU is a Windows-based tool designed to manage licenses and associated products locally, without the need to connect to Cisco’s cloud-based Smart Software Manager.

The first flaw, CVE-2024-20439, involved a backdoor account that allowed unauthorized attackers to log in with administrative privileges using static, hardcoded credentials, through the API of the Cisco Smart Licensing Utility application. This vulnerability was particularly dangerous and allowed attackers to gain full access to systems remotely without authentication.

The second flaw, CVE-2024-20440, involved the exposure of sensitive log files containing API credentials, accessible through crafted HTTP requests. This vulnerability impacted only certain versions of the CSLU and posed a significant risk by leaking sensitive data that could be used in further attacks.

 

AFFECTED PRODUCTS

  • Cisco Smart License Utility 2.0.0, 2.1.0, and 2.2.0

 

REMEDIATION

  • Update to Cisco Smart License Utility 2.3.0 or later.

 

SonicWall Firewall Vulnerability

SUMMARY

The critical security vulnerability in SonicOS that SonicWall disclosed itself is now under active exploitation. Available updates should be applied as soon as possible. The vulnerability (CVE-2024-40766) has a CVSS score of 9.3 out of 10 and stems from improper access control in the SonicOS management interface and SSLVPN, which could allow unauthorized access to resources and, under certain conditions, trigger a firewall crash.

 

TECHNICAL DETAILS

CVE-2024-40766 is a critical access control vulnerability with a CVSS v3 score of 9.3, affecting multiple generations of SonicWall Firewall devices, including Gen 5, Gen 6, and Gen 7 models. The flaw, initially disclosed on August 22, 2024, affects the management interface of SonicOS, but recent updates indicate it also impacts the SSLVPN feature. The vulnerability could allow unauthorized resource access and may also lead to firewall crashes.

 

AFFECTED DEVICES AND VERSIONS

  • SonicWall Gen 5 running SonicOS version 5.9.2.14-12o and older: Fixed in SonicOS version 5.9.2.14-13o.
  • SonicWall Gen 6 running SonicOS version 6.5.4.14-109n and older: Fixed in 6.5.2.8-2n (for SM9800, NSsp 12400, NSsp 12800) and 6.5.4.15-116n (for other Gen 6 firewalls).
  • SonicWall Gen 7 running SonicOS version 7.0.1-5035 and older: The issue is not reproducible in version 7.0.1-5035 and later.

 

SonicWall has not provided detailed technical information on how the vulnerability is exploited but highlights its potential to allow unauthorized access and cause firewall failures, which could leave corporate networks exposed. Given that SonicWall firewalls are often accessible via the internet for VPN services, they are prime targets for exploitation.

 

RECOMMENDATIONS

SonicWall recommends the following steps to secure devices against CVE-2024-40766:

  • Restrict SonicOS management portal access to trusted sources only. Disabling internet access to the WAN management portal entirely can significantly reduce exposure.
  • Only allow SSLVPN access from trusted sources. If SSLVPN functionality is not required, disable it to further reduce attack surface.
  • For Gen 5 and Gen 6 devices, administrators should enforce immediate password changes for SSLVPN users with local accounts. The “User must change password” option should also be enabled for all local users.
  • Activate MFA for all SSLVPN users to add an additional layer of security. SonicWall supports MFA using Time-based One-Time Passwords (TOTP) or email-based OTPs, providing stronger protection against unauthorized access. Detailed configuration instructions for MFA are available on SonicWall’s support portal.
  • Ensure that all affected devices are running the latest patched firmware versions as outlined above. Regularly check for firmware updates and apply them promptly to mitigate known vulnerabilities.

 

Cicada3301 Ransomware Targeting Linux-Based ESXi Servers

SUMMARY

A ransomware-as-a-service (RaaS) operation is posing as the legitimate Cicada 3301 organization and has already listed 19 victims on its extortion site. The new ransomware employs techniques similar to those of BlackCat ransomware: it uses robust encryption and abuses system utilities to disable security measures. The ransomware is distributed via a RaaS platform and targets a wide range of file extensions.

 

TECHNICAL DETAILS

Cicada3301 is a new ransomware variant, first seen in June 2024, that has been actively exploiting vulnerabilities in small to medium-sized businesses (SMBs). The ransomware is written in Rust, allowing it to operate on both Windows and Linux/ESXi platforms, which broadens the range of systems it can attack. Cicada3301 operates under a ransomware-as-a-service (RaaS) model, with its developers actively recruiting affiliates on underground forums.

Cicada3301 incorporates several advanced features from BlackCat, such as using ChaCha20 for encryption and manipulating system utilities like fsutil, IISReset.exe, and wevtutil to disrupt system recovery and erase traces of its activity. Additionally, it can execute remote commands using embedded credentials via PsExec, enhance network traffic capacity for malicious operations, and terminate processes related to backup and recovery to prevent data restoration.

The ransomware specifically targets a range of 35 file extensions important to enterprise operations, ensuring the encryption of valuable data, including: sql, doc, rtf, xls, jpg, jpeg, psd, docm, xlsm, ods, ppsx, png, raw, dotx, xltx, pptx, ppsm, gif, bmp, dotm, xltm, pptm, odp, webp, pdf, odt, xlsb, ptox, mdf, tiff, docx, xlsx, xlam, potm, and txt.

Cicada3301 also uses the EDRSandBlast tool to exploit vulnerabilities in signed drivers, a technique previously used by the BlackByte group, in order to evade endpoint detection and response (EDR) systems.
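As an added example (not code from this advisory or any vendor), the following Python correlates process-creation telemetry per host to surface the clustered abuse of the utilities named above (fsutil, IISReset, wevtutil) together with PsExec, which is the pre-encryption pattern a defender would want to catch early. The pipe-delimited log format, the watched-image list, the 300-second window and the three-behaviour threshold are assumptions, and the sample events are constructed.

```python
"""Correlate use of recovery-tampering utilities per host (constructed sample log)."""
from collections import defaultdict

# Assumption: the utilities to watch, tagged by what their abuse achieves. fsutil,
# IISReset and wevtutil are named in the advisory; PsExec is its remote-execution tool.
WATCHED = {"fsutil.exe": "recovery-tamper", "iisreset.exe": "service-disrupt",
           "wevtutil.exe": "log-clear", "psexec.exe": "remote-exec",
           "psexesvc.exe": "remote-exec"}

# Constructed process-creation events, "ts|host|user|image" (ts in seconds).
# FS01 shows routine admin use; FS02 shows the clustered pattern the advisory describes.
SAMPLE_LOG = r"""
100|FS01|CORP\svc_backup|C:\Windows\System32\wevtutil.exe
200|FS01|CORP\admin|C:\Windows\System32\fsutil.exe
3000|FS02|CORP\admin|C:\Tools\PsExec.exe
3010|FS02|NT AUTHORITY\SYSTEM|C:\Windows\System32\wevtutil.exe
3020|FS02|NT AUTHORITY\SYSTEM|C:\Windows\System32\fsutil.exe
3030|FS02|NT AUTHORITY\SYSTEM|C:\Windows\System32\iisreset.exe
"""


def parse_events(text):
    """Parse the sample format into dicts; image becomes the bare lowercase file name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split("|", 3)
        events.append({"ts": int(ts), "host": host, "user": user,
                       "image": image.rsplit("\\", 1)[-1].lower()})
    return events


def correlate(events, window=300, min_distinct=3):
    """Flag a host when >= min_distinct different watched behaviours occur within window s."""
    # Requiring several distinct behaviours, not just one utility, keeps routine admin use
    # (one log query, one fsutil call) below the alert threshold.
    by_host = defaultdict(list)
    for ev in events:
        tag = WATCHED.get(ev["image"])
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag, ev["user"]))
    findings = []
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            tags = {h[1] for h in in_window}
            if len(tags) >= min_distinct:
                findings.append({"host": host, "start": t0, "end": in_window[-1][0],
                                 "tags": sorted(tags), "users": sorted({h[2] for h in in_window})})
                break  # one finding per host is enough for triage
    return findings
```

Lowering min_distinct to 2 flags FS01 as well, which shows why the threshold needs tuning against a fleet's normal administrative activity.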

 

INDICATORS OF COMPROMISE (IOCs)

SHA-1:

  • c08a863c2e5288d4ce2a9d46a725518f12711a7
  • 54a8fe5c70ed0007fdd346a9a75977fd9f8ad24a

 

RECOMMENDATIONS

  • Utilize advanced endpoint protection solutions to detect and block ransomware behaviors, including the misuse of legitimate tools for malicious activities.
  • Ensure all systems and software are regularly updated to patch vulnerabilities that could serve as entry points for ransomware.
  • Maintain frequent backups of critical data, and regularly test recovery processes to confirm they are effective in ransomware scenarios.
  • Implement network segmentation to contain the spread of ransomware within isolated network segments.
  • Enforce policies that restrict the execution of scripts, such as PowerShell, that attackers commonly exploit.
  • Conduct user training to raise awareness of phishing risks and strengthen defenses against social engineering attacks.
  • Deploy continuous monitoring tools to identify early indicators of compromise and enable rapid response to mitigate threats.
  • Secure and monitor the use of administrative tools like PsExec, ensuring that management interfaces are not publicly accessible.

 

Voldemort Malware Exploiting Google Sheets

SUMMARY

A new malware campaign was recently identified that leverages Google Sheets as a command-and-control (C2) platform. The campaign impersonates national tax authorities of governments across Europe, Asia, and the United States. The threat actors are targeting more than 70 organizations worldwide using a custom-made tool named Voldemort, which is specifically engineered to exfiltrate data and deploy additional malicious payloads. The campaign’s scope spans a wide array of sectors, including insurance, aerospace, transportation, academia, finance, technology, industrial manufacturing, healthcare, automotive, hospitality, energy, government, media, telecommunications, and social welfare organizations.

TECHNICAL DETAILS

A recent report by Proofpoint highlights a sophisticated phishing campaign in which attackers craft emails tailored to the geographic location of the targeted organization, using publicly available information. These emails impersonate communications from the organization’s national tax authority, purportedly providing updated tax information and including links to relevant documents. When recipients click the provided link, they are redirected to a landing page hosted on InfinityFree, with the page URL masked by Google AMP Cache. The page features a “Click to view document” button which, when clicked, checks the browser’s User-Agent. If the browser is running on Windows, the victim is redirected to a search-ms URI (Windows Search Protocol) that points at a URI tunneled through TryCloudflare. Users on non-Windows platforms are instead directed to an empty Google Drive URL, which does not deliver any malicious content.

 

When the victim interacts with the search-ms file, Windows Explorer opens and presents a LNK or ZIP file deceptively labeled as a PDF document. Use of the search-ms URI in phishing campaigns has become increasingly common because it misleads victims into believing the file resides locally in their Downloads folder, when in fact it is hosted on an external WebDAV/SMB share. Opening this file executes a Python script from another WebDAV share without downloading it to the host machine. The script profiles the victim by collecting system information while displaying a decoy PDF to obscure its activity. Concurrently, it downloads a legitimate Cisco WebEx executable (CiscoCollabHost.exe) alongside a malicious DLL (CiscoSparkLauncher.dll), which loads the Voldemort malware through DLL side-loading.

 

Voldemort, a backdoor written in C, offers a comprehensive set of commands and file-management capabilities, including data exfiltration, deployment of additional payloads, and file deletion. A notable aspect of Voldemort is its use of Google Sheets as its command-and-control (C2) server. The malware periodically contacts Google Sheets to receive new commands and uploads exfiltrated data into specific cells of the spreadsheet. These cells are identified by unique identifiers such as UUIDs, allowing the operators to manage and isolate compromised systems efficiently. Voldemort communicates with Google Sheets via Google’s API, using an embedded client ID, secret, and refresh token stored in its encrypted configuration. This gives the operators a highly reliable and resilient C2 channel and lowers the likelihood that the network communication is detected by security systems. Because Google Sheets is pervasive in enterprise settings, blocking the service outright is impractical, which further enhances the malware’s stealth.
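Added example (not from the Proofpoint report or this advisory): a small Python triage over constructed network telemetry that models the host-side symptom described above, Sheets API requests coming from a process that has no business making them (here the side-loading host CiscoCollabHost.exe) at a near-fixed polling interval. The event format, the list of expected Sheets clients, the spreadsheet ids and the jitter threshold are assumptions.

```python
"""Triage Sheets API requests for C2-like use (constructed telemetry, not from the report)."""
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: processes that legitimately talk to the Sheets API in this fleet.
EXPECTED_SHEETS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "excel.exe"}

# Constructed sample events (ts in seconds), one HTTPS request each, as a proxy or EDR with
# process attribution would record them. Spreadsheet ids are placeholders.
API = "https://sheets.googleapis.com:443/v4/spreadsheets/"
SAMPLE_EVENTS = [
    {"ts": 0, "host": "WS01", "process": "msedge.exe", "url": API + "SHEET-A/values/A1"},
    {"ts": 60, "host": "WS02", "process": "CiscoCollabHost.exe", "url": API + "SHEET-B/values/cmd"},
    {"ts": 120, "host": "WS02", "process": "CiscoCollabHost.exe", "url": API + "SHEET-B/values/cmd"},
    {"ts": 181, "host": "WS02", "process": "CiscoCollabHost.exe", "url": API + "SHEET-B/values/cmd"},
    {"ts": 240, "host": "WS02", "process": "CiscoCollabHost.exe", "url": API + "SHEET-B/values/out"},
    {"ts": 300, "host": "WS03", "process": "excel.exe", "url": API + "SHEET-C/values/A1"},
]

def spreadsheet_id(url):
    """Return the spreadsheet id from a Sheets API v4 URL, or None for any other URL."""
    u = urlparse(url)
    if u.hostname != "sheets.googleapis.com":
        return None
    parts = u.path.strip("/").split("/")  # expected shape: v4/spreadsheets/<id>/...
    if len(parts) >= 3 and parts[0] == "v4" and parts[1] == "spreadsheets":
        return parts[2]
    return None

def triage_sheets_events(events, expected=EXPECTED_SHEETS_CLIENTS, min_beacons=3, max_cv=0.2):
    """Group per (host, process, spreadsheet); flag unexpected clients and regular polling."""
    groups = defaultdict(list)
    for ev in events:
        sid = spreadsheet_id(ev["url"])
        if sid:
            groups[(ev["host"], ev["process"], sid)].append(ev["ts"])
    findings = []
    for (host, proc, sid), stamps in groups.items():
        reasons = []
        if proc.lower() not in expected:
            reasons.append("unexpected process")
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Beacon-like: enough requests and a coefficient of variation of the gaps below max_cv.
        if len(stamps) >= min_beacons and statistics.mean(gaps) > 0 \
                and statistics.pstdev(gaps) / statistics.mean(gaps) < max_cv:
            reasons.append(f"regular beacon every ~{statistics.mean(gaps):.0f}s")
        if reasons:
            findings.append({"host": host, "process": proc, "spreadsheet": sid, "reasons": reasons})
    return findings
```

The two signals are independent, so a browser polling one sheet on a timer or an unknown process making a single request each produce a partial finding that can be tuned separately.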

 

INDICATORS OF COMPROMISE (IOCs)


 

RECOMMENDATIONS

  • Implement advanced email filtering to detect and block phishing emails, especially those impersonating trusted entities like tax authorities.
  • Regularly train employees on how to recognize phishing attempts and suspicious links, particularly those that redirect to unexpected domains.
  • Use network monitoring tools to detect unusual traffic patterns, such as unexpected communication with Google Sheets or other cloud-based services.
  • Deploy and update endpoint detection and response (EDR) solutions to identify and block malicious scripts, unusual process executions, and unauthorized file activities.
  • Limit the execution of macros, scripts, and URI protocols like search-ms, which can be exploited by malware to deliver payloads.
  • Ensure that access to cloud services like Google Sheets is monitored and controlled through security policies and access restrictions.
  • Keep all software, especially operating systems and productivity tools, updated to protect against known vulnerabilities.
