Cybersecurity

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

U.S. agencies warn of Phobos ransomware attacks on government entities and critical infrastructure since May 2019. The attacks exploit vulnerabilities and use advanced techniques for persistence and elevated privileges. Despite the high ransom costs, paying does not prevent new attacks, with 78% of victims being attacked again.

Golden SAML, an attack technique that exploits the SAML single sign-on protocol, was used as a post-breach exploit, compounding the devastating SolarWinds attack of 2020—one of the largest breaches of the 21st century. The supply chain SolarWinds attack affected thousands of organizations around the world, including the U.S. Government, by deploying malicious code into the company’s Orion IT management and monitoring software. In the wake of this attack, CISA and cybersecurity experts encouraged organizations with hybrid identity environments to move SAML authentication to a cloud identity system such as Entra ID. Semperis researchers Tomer Nahum and Eric Woodruff have discovered a new application of Golden SAML—one that can be exploited even in organizations that have followed previous security recommendations meant to defend against Golden SAML. The new attack technique, dubbed Silver SAML, enables the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce. To Semperis’ knowledge, no attacks using Silver SAML have been reported. Semperis researchers rate this vulnerability as a MODERATE risk to organizations. Depending on the compromised system, should Silver SAML be used to gain unauthorized access to business-critical applications and systems, the risk is SEVERE.

The FBI and CISA have detailed Phobos ransomware deployment tactics in an advisory, part of a stop-ransomware initiative with MS-ISAC. Phobos, a ransomware-as-a-service since 2019, gains access via phishing, exploits RDP ports, and escalates privileges using Windows functions. It establishes persistence, exfiltrates data for leverage, and targets backups to prevent recovery without paying a ransom. The advisory includes compromise indicators for defense.

New Linux malware, GTPDOOR, targets telecom networks adjacent to GPRS roaming exchanges (GRX) using GTP for C2 communications. Discovered by security researcher haxrob, it's likely linked to LightBasin (UNC1945), known for telecom attacks. GTPDOOR masquerades as a syslog process and uses raw sockets to receive UDP messages. It covertly executes commands via GTP-C Echo Request messages, responding to external probes with crafted TCP packets.

IoT devices utilizing Microsoft's uAMQP C library for Azure Cloud Services communication may be susceptible to RCE due to a critical vulnerability, CVE-2024-27099, with a CVSS score of 9.8. The flaw arises from a "double free" memory error, potentially exploitable by remote attackers without user interaction. The issue, resolved by a commit on Feb. 9, doesn't affect the Python uAMQP library.

Researchers from Unit 42 at Palo Alto Networks have identified a new Linux variant of the Bifrost RAT, with advanced evasion techniques and a fake domain similar to VMware's. The malware, known for 20 years, now features an ARM version, indicating expansion to new architectures. Although not extremely sophisticated, Bifrost is evolving into a more covert and widespread threat.

The Health Sector Coordinating Council (HSCC) released a five-year strategic plan (HIC-SP) urging healthcare organizations to enhance cybersecurity to protect against growing threats. The plan outlines 12 objectives, including increased use of cybersecurity practices, third-party risk management, and leveraging AI for efficiency. By 2029, cybersecurity aims to be integral to public health and patient safety standards.

The Lazarus Group exploited CVE-2024-21338, a zero-day vulnerability in Windows AppLocker's 'appid.sys' driver, to gain kernel privileges and disable security tools, avoiding BYOVD tactics. Avast reported this to Microsoft, leading to a patch. The FudModule rootkit, used by Lazarus, now features enhanced stealth and can disable products like Microsoft Defender and CrowdStrike Falcon.

Passkeys are a safer and easier alternative to passwords. With passkeys, users can sign in to apps and websites with a biometric sensor (such as a fingerprint or facial recognition), PIN, or pattern, freeing them from having to remember and manage passwords.

Developers and users both hate passwords: they give a poor user experience, they add conversion friction, and they create security liability for both users and developers. Google Password Manager in Android and Chrome reduces the friction through autofill; for developers looking for even further improvements in conversion and security, passkeys and identity federation are the industry's modern approaches.

A passkey can meet multifactor authentication requirements in a single step, replacing both a password and an OTP (e.g. a 6-digit SMS code), delivering robust protection against phishing attacks and avoiding the UX pain of SMS or app-based one-time passwords. Since passkeys are standardized, a single implementation enables a passwordless experience across all of a user's devices, across different browsers and operating systems.

See also https://www.youtube.com/watch?v=SWocv4BhCNg

submitted 10 months ago by kid to c/cybersecurity

Group-IB's report reveals a 70% increase in the sale of zero-day exploits in 2023 and monthly rentals of vulnerabilities, such as CVE-2023-38831 (WinRAR < 6.23). There is growing interest in ChatGPT credentials to access corporate data, with over 225,000 infostealer records for sale on the dark web. Apple devices are becoming more common targets.

NIST has released version 2.0 of the Cybersecurity Framework (CSF), focused on risk management and security for software supply chains. The update includes the new Govern function and tools such as the CSF 2.0 Reference Tool and the CPRT, to assist in the implementation and organizational coordination of the framework.

Two new vulnerabilities have been identified in WiFi software affecting devices connecting to both enterprise and home networks. The wpa_supplicant vulnerability (CVE-2023-52160) impacts all Android devices, Linux distributions using the default WiFi client, and ChromeOS devices. It allows attackers to create malicious clones of trusted Enterprise WiFi networks to intercept traffic. The IWD vulnerability (CVE-2023-52161) affects Linux devices used as wireless access points, enabling unauthorized access to protected home WiFi networks. Users are advised to update their systems with the provided patches to protect against these security flaws.

The group's new leak site lists the FBI among its alleged victims and threatens to release confidential Fulton County data, including details of a murder trial jury and documents related to Donald Trump's court cases. The latter, if released, could potentially impact the upcoming U.S. election. LockBit taunts law enforcement, claiming the seized decryptors are of limited use, with many protected from FBI use. The FBI asserts their actions have hindered LockBit's operations, protected potential victims, and damaged the group's reputation, vowing to continue their disruption efforts.

"SubdoMailing" is a fraud campaign that uses over 8,000 domains and 13,000 subdomains to send 5 million daily emails with scams. Attackers bypass spam filters using domains from well-known companies, such as MSN, VMware, and eBay. Discovered by Guardio Labs in 2022, the campaign exploits SPF and DKIM email policies.

The Five Eyes intelligence alliance (FVEY) has warned that hackers from the Russian Foreign Intelligence Service (SVR), known as APT29, are now targeting cloud services. After breaching U.S. federal agencies and Microsoft 365 accounts in NATO nations, they are now compromising cloud infrastructures using stolen service credentials and access tokens, as well as exploiting residential routers and MFA fatigue. Defenses against these initial access methods, such as enabling MFA and monitoring for indicators of compromise, are recommended.