InfoSec Weekly

June 05, 2023

Table Of Contents

New Linux Ransomware Strain BlackSuit Shows Striking Similarities to Royal

Description

Named “Blacksuit,” this ransomware poses a significant threat to Linux-based servers, cloud infrastructure, and embedded devices. The primary objective of this malware is to encrypt files on infected systems and demand a ransom for their decryption. Blacksuit is believed to be distributed through various means, including malicious email attachments, compromised software downloads, and exploiting vulnerabilities present in Linux systems. Once a system is infected, the ransomware proceeds to encrypt files, rendering them inaccessible to the user. The article warns that Blacksuit has the potential to cause severe disruptions to critical services and organizations relying on Linux infrastructure. Considering this emerging threat, it is crucial for Linux system administrators and users to remain vigilant and take proactive measures to protect their systems. This includes maintaining up-to-date security patches, implementing robust email filtering and antivirus solutions, regularly backing up important data, and ensuring the use of strong, unique passwords. Additionally, organizations should consider educating their employees about the risks associated with malicious attachments and social engineering techniques to prevent the initial infection vector of Blacksuit and other similar malware strains.

Infected Technology

Linux Operating System

Source

https://thehackernews.com/2023/06/new-linux-ransomware-strain-blacksuit.html

Recommendations

• Keep Systems Updated • Implement Robust Security Measures • Use Strong Access Controls


MOVEit Transfer Under Attack: Zero-Day Vulnerability Actively Being Exploited

Description

A critical vulnerability in Progress Software’s MOVEit Transfer managed file transfer application is being actively exploited by attackers. The vulnerability, identified as CVE-2023-34362, is an SQL injection flaw that allows unauthorized access to the application’s database. The company has released patches for the affected versions. It has been reported that around 2,500 instances of MOVEit Transfer were exposed to the internet, primarily in the United States. Successful exploitation results in the deployment of a web shell to exfiltrate data stored by MOVEit Transfer. The web shell also creates new admin user accounts to avoid detection. Threat actors have been scanning for MOVEit installations, although the specific group behind the attacks is unknown. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert and recommends taking mitigation steps. The attacks target file transfer solutions and may involve ransomware groups. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Over 3,000 exposed hosts using MOVEit Transfer have been identified, including those belonging to U.S. government agencies. The attacks have affected various industries in multiple countries. The motivations behind the attacks are unclear, but stolen data may be monetized through extortion or underground forums. Targeting enterprise file transfer systems has been a lucrative strategy for cybercriminals.

Infected Technology

Progress Software’s in MOVEit Transfer

Source

https://thehackernews.com/2023/06/moveit-transfer-under-attack-zero-day.html

Recommendations

• Apply patches: Update MOVEit Transfer to the provided patched versions. • Secure server access: Block inbound and outbound traffic, allowing only authorized access.


Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included a recently fixed critical security vulnerability in Zyxel devices in its Known Exploited Vulnerabilities (KEV) catalog. CISA stated that there is evidence of active exploitation of the flaw. Tracked as CVE-2023-28771 with a CVSS score of 9.8, this vulnerability is a command injection flaw that affects various firewall models. It allows unauthorized attackers to execute arbitrary code by sending a specially crafted packet to the device. Zyxel has addressed this security flaw by releasing updates on April 25, 2023. The impacted devices include ATP, USG FLEX, VPN, and ZyWALL/USG, with specific firmware versions that were patched in subsequent updates.The Shadowserver Foundation tweeted that this vulnerability has been actively exploited since May 26, 2023, to create a botnet similar to Mirai. Cybersecurity company Rapid7 has also warned about widespread abuse of CVE-2023-28771 in real-world attacks.In response to these developments, it is crucial for users to promptly apply the provided patches to mitigate potential risks. U.S. federal agencies are required to update their devices by June 21, 2023.

Infected Technology

• ATP (versions ZLD V4.60 to V5.35, patched in ZLD V5.36) • USG FLEX (versions ZLD V4.60 to V5.35, patched in ZLD V5.36) • VPN (versions ZLD V4.60 to V5.35, patched in ZLD V5.36), and • ZyWALL/USG (versions ZLD V4.60 to V4.73, patched in ZLD V4.73 Patch 1)

Source

https://thehackernews.com/2023/06/active-mirai-botnet-variant-exploiting.html

CVE ID

CVE-2023-28771

Recommendation

• Apply patches and updates immediately.


Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering

Description

Chinese nation-state group Camaro Dragon, also known as Mustang Panda, has been linked to a new backdoor called TinyNote, which serves as a first-stage payload for intelligence gathering. The malware demonstrates multiple methods to establish persistence and communicate with servers. Camaro Dragon recently gained attention for the Horse Shell firmware implant, which utilizes TP-Link routers to create a mesh network for covert communications. The group’s evasion tactics and targeting techniques have evolved, using a variety of custom tools. TinyNote targets Southeast and East Asian embassies and is the first known Mustang Panda artifact written in Golang. The malware specifically bypasses the Indonesian antivirus solution Smadav. APT41 (Wicked Panda) has been found using living-off-the-land techniques, while Sharp Panda targets high-level government officials in G20 nations through phishing campaigns. The Chinese People’s Liberation Army (PLA) uses open-source intelligence for military advantage, leveraging the West’s open information environment. Recorded Future warns commercial data providers to exercise caution when selling data to entities in China.

Infected Technology

Home Routers, Antivirus solutions, Windows operating system, and email systems

Source

https://thehackernews.com/2023/06/camaro-dragon-strikes-with-new-tinynote.html

Recommendation

• Implement robust cybersecurity measures. • Enhance network security. • Deploy advanced threat detection solutions. • Educate employees on phishing awareness. • Enable multi-factor authentication (MFA). • Monitor and analyze network traffic. • Regularly back up data. • Stay informed about emerging threats. • Engage third-party cybersecurity services. • Foster international collaborations.


Description

A bug is discovered in the Chromium project that could allow adversaries to bypass SameSite cookie protection feature on Android browsers. The SameSite setting in Chromium is designed to restrict cookie access, preventing them from appearing in HTTP responses when users navigate to a website via a link or redirect request. However, security researcher Axel Chong discovered a bug in Chromium that allowed the bypassing of SameSite cookie protection on Android devices. By using the intent scheme to navigate to a target website, Chong found that SameSite=strict cookies carried over when the web server initiated a redirection with an intent URL. This bypassed the intended security measures of SameSite and the Sec-Fetch-Site header, which are usually used to protect against cross-site request forgery (CSRF). Even normal redirect requests without the intent protocol were affected.

Infected Technology

Chromium-based browser on Android devices

Source

https://portswigger.net/daily-swig/chromium-bug-allowed-samesite-cookie-bypass-on-android-devices

Recommendation

• Update browser to the latest version on Android devices. • Enable experiment cookie feature by entering “chrome://flags/#enable-experimental-cookie-features” in the address bar and enabling the flag. • Avoid visiting untrusted websites or following unknown intent URLs that could potentially exploit the SameSite cookie bypass vulnerability.


call to action image

Ready to get started?

Don’t let the attacker get the upper hand – protect your services with our expertise. Contact us now and stay ahead of the game.

Contact Us