Mar 06 2023

PlugX Trojan Disguised as Legitimate Windows Debugger Tool in Latest Attacks

Description

The PlugX trojan is using a disguise as an open-source Windows debugger tool called x64dbg to avoid detection and take control of a target system. According to Trend Micro researchers, x64dbg is a legitimate debugger tool for Windows that is commonly used to inspect kernel-mode and user-mode code, crash dumps, or CPU registers. PlugX is a modular implant that has been around for over a decade and is known for its data exfiltration capabilities and its ability to use the compromised machine for malicious purposes. One of the techniques it uses is called DLL side-loading, which exploits the DLL search order mechanism in Windows to load a malicious DLL from a digitally signed software application. By using a legitimate application with a valid digital signature, PlugX can avoid detection and maintain persistence. The attack chain also includes the deployment of a backdoor and a UDP shell client that collects system information and awaits instructions from a remote server. Despite advancements in security technology, DLL side-loading remains a viable technique for attackers to deliver malware and gain access to sensitive information, as long as systems and applications continue to trust and load dynamic libraries.

Infected Technology

Windows Operating System

Source

https://thehackernews.com/2023/02/plugx-trojan-disguised-as-legitimate.html

Recommendation

Isolate the infected system by disconnecting it from the network and Internet. Identify the extent of the infection using antivirus and malware detection tools. Remove all files and processes related to the malware.

Cisco addressed a critical vulnerability, tracked as CVE-2023-20078, impacting its IP Phone 6800, 7800, 7900, and 8800 Series products

Description

Cisco has released security updates to address a critical flaw in its IP Phone 6800, 7800, 7900, and 8800 Series products. The vulnerability, tracked as CVE-2023-20078, is a command injection issue caused by insufficient validation of user-supplied input in the web-based management interface. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary commands with the highest privileges on the underlying operating system. Cisco also addressed a high-severity denial-of-service vulnerability, tracked as CVE-2023-20079, impacting the same IP Phone series products, as well as the Cisco Unified IP Conference Phone 8831 and Unified IP Phone 7900 Series. This vulnerability is also caused by insufficient validation of user-supplied input in the web-based management interface, allowing an unauthenticated, remote attacker to cause an affected device to reload, resulting in a denial-of-service condition. Cisco recommends migrating to a fixed release to fix CVE-2023-20078. However, the company will not release updates to fix CVE-2023-20079 in Unified IP Conference Phone models, as they have entered the end-of-life process. Customers are advised to refer to the end-of-life notices for these products. The advisory rates CVE-2023-20078 with a severity score of 9.8 out of 10 and CVE-2023-20079 with a CVSS score of 7.5.

Infected Technology

CISCO

Source

https://securityaffairs.com/142901/security/cisco-critical-command-injection-bug-ip-phone.html

Recommendation

To address CVE-2023-20078, users should migrate Cisco Multiplatform Firmware version earlier than 11.3.7SR1 to a fixed release. For CVE-2023-20079, the company will not release software updates to address the vulnerabilities as the affected products have entered their end-of-life (EoL) process. Customers are advised to refer to the end-of-life notices for these products.

CVE ID

CVE-2023-20078

BlackLotus Becomes First UEFI Bootkit Malware to Bypass Secure Boot on Windows 11

Description

BlackLotus is a new type of malware that can bypass Secure Boot defenses, making it a significant threat. It is the first publicly known malware capable of bypassing Secure Boot. UEFI bootkits, like BlackLotus, allow full control over the operating system boot process, making it possible to disable security mechanisms and deploy arbitrary payloads during startup. BlackLotus is sold for $5,000 and $200 per new version. It features geofencing capabilities to avoid infecting computers in certain countries. BlackLotus exploits CVE-2022-21894 to get around UEFI Secure Boot protections and set up persistence. It can turn off security mechanisms like BitLocker, Hypervisor-protected Code Integrity (HVCI), and Windows Defender. It drops a kernel driver and an HTTP downloader that communicates with a command-and-control (C2) server. It is unknown how BlackLotus deploys the bootkit. It starts with an installer component that is responsible for writing the files to the EFI system partition, disabling HVCI and BitLocker, and then rebooting the host. After rebooting, it weaponizes CVE-2022-21894 to achieve persistence and install the bootkit. The bootkit is automatically executed on every system start to deploy the kernel driver. The driver launches the user-mode HTTP downloader and runs next-stage kernel-mode payloads. The latter is capable of executing commands received from the C2 server over HTTPS, including downloading and executing a kernel driver, DLL, or a regular executable, fetching bootkit updates, and even uninstalling the bootkit from the infected system. UEFI systems have had many critical vulnerabilities, leaving many systems vulnerable even after the vulnerabilities have been fixed, and it was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled.

Infected Technology

Windows

Source

https://thehackernews.com/2023/03/blacklotus-becomes-first-uefi-bootkit.html

Recommendation

Use Secure Boot Enable Two-factor authentication. Use reputable antivirus or anti-malware software. Using Sandboxing technologies to isolate potential malicious programs

CVE ID

CVE-2022-21894

Organizations Warned of Royal Ransomware Attacks

Description

The FBI and CISA have issued a warning to organizations about the increasing threat posed by the Royal ransomware, which has been targeting US and international organizations since September 2022 in various sectors, including critical infrastructure, healthcare, education, and manufacturing. The Royal ransomware uses its own file encryption program and exfiltrates large amounts of data for double extortion. The ransom demands range from $1 million to $11 million and are made via a Tor website. The operators gain initial access through phishing, RDP, exploitation of vulnerabilities, and initial access brokers. Once inside a network, they use various tools for persistence, lateral movement, and data harvesting, including Cobalt Strike, Ursnif/Gozi, and RMM software. They also use Windows Restart Manager to identify files in use and delete shadow copies to prevent data restoration. Organizations are advised to maintain a recovery plan, secure all accounts with strong and unique passwords, implement multi-factor authentication, segment their networks, monitor for abnormal activity, and keep software and systems updated. The FBI and CISA alert come after a warning from the HHS about the risks of the Royal ransomware in the healthcare sector.

Infected Technology

Windows

Source

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a

Recommendation

Keep all operating systems, software, and firmware up to date. Review domain controllers, servers, workstations, and active directories Require multifactor authentication. Segment networks

Unauthenticated Insecure Deserialization - BuddyForms

Description

The two vulnerabilities discovered by Quarkslab affect the reference implementation of TPM2.0, which is used by many vendors and device manufacturers. The first vulnerability (CVE-2023-1017) is an out-of-bounds write, which could allow an attacker to write two bytes past the end of a buffer. The second vulnerability (CVE-2023-1018) is an out-of-bounds read, which could allow an attacker to read two bytes past the end of a buffer.The impact of these vulnerabilities depends on the specific implementation of TPM2.0 and the data stored in the affected buffer. In some cases, an attacker could overwrite protected data in the TPM firmware, leading to a crash or arbitrary code execution within the TPM. This could enable the attacker to gain access to sensitive data or compromise the security of the entire system.

Infected Technology

TPM 2.0 library

Source

https://securityaffairs.com/142951/hacking/trusted-platform-module-2-flaws.html

Recommendation

Use TPM Remote Attestation to detect any changes to devices. Ensure TPM is tamper-proof

CVE ID

CVE-2023-1018 CVE-2023-1017

CISA warns of hackers exploiting ZK Java Framework RCE flaw

Description

CISA has added CVE-2022-36537, a high-severity remote code execution (RCE) flaw impacting the ZK Framework, to its “Known Exploited Vulnerabilities Catalog” after threat actors began exploiting it to access sensitive information. Multiple proof-of-concept exploits were published on GitHub in December 2022. The flaw was actively exploited in attacks against ConnectWise R1Soft Server Backup Manager software and other ZK Framework-based products. The vulnerability was discovered in 2022 and addressed by ZK in May 2022, but the impact of the flaw is widespread, given the framework’s widespread use. Federal agencies have until March 20, 2023, to apply available security updates to secure their networks.

Infected Technology

ZK Java Framework

Source

https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-zk-java-framework-rce-flaw/

Recommendation

Update to ZK Framework version 9.6.2. Monitor systems for compromise. Review security controls for robustness. Stay informed on latest threats and best practices.

CVE ID

CVE-2022-36537