May Threat Intelligence Review

Threat News 


Windows 10 22H2 is the final version of Windows 10

Security Analyst Recommendations: Just a friendly reminder of the inevitable churn of the Microsoft OS lifecycle. While the end-of-service date is not until October 2025, I would not expect any new features in Windows 10. The recommendation now is to plan and begin executing a migration to Windows 11 well before the October 2025 end date.


3CX softphone application used to spread malware in supply chain compromise

Security Analyst Recommendations: The big hack this month was that of 3CX. What is believed to be a North Korean threat group targeted the company and was able to use its 3CXDesktopApp to spread malware as a legitimately signed binary. CrowdStrike was the first to break the news of the compromise, with CISA providing a bulletin afterwards. While it is believed this was used to target large enterprises that work in the government sector, it should still be noted that a supply chain attack like this can be very difficult to detect, precisely because the malicious code arrives through a trusted, signed update. This is why it is important to vet vendors before installing their products throughout your network.


VMware ESXi Linux servers targeted for ransomware

Security Analyst Recommendations: ESXi is quickly becoming one of the most targeted assets for attackers. The ability not only to encrypt the hosted VMs but also to encrypt the hypervisor itself is extremely useful to ransomware gangs, especially as dwell time (the time it takes to detect a compromise) goes down. It's also a good reminder that using Linux or another OS outside of Windows does not make you immune to attack. Be sure to look at your ESXi infrastructure and determine whether additional hardening or monitoring is needed to keep it secure.


FBI and CISA warn that Illumina medical devices are vulnerable to remote hacking 

Security Analyst Recommendations: Illumina provides genetic sequencing instruments. While this may be a niche example of a vulnerability, it still illustrates how critical it is to look at the security of every device on a network, including those embedded in larger systems. Having a plan for managing them, in particular patching and disaster recovery, is key to averting possible attacks or other incidents.

 

Vulnerabilities and Exploits


Mandiant released its M-Trends 2023 report. It includes a wealth of interesting information about the investigations Mandiant, now part of Google, carried out in 2022.

Security Analyst Recommendations: While a lot of the information is interesting to dedicated security personnel, there are two things worth noting for the general IT crowd. One, dwell time is down to 16 days. Dwell time is how long it takes to discover an attacker in a system or network. That is great news, but we have to remember that ransomware is still able to operate in that time frame and be successful. The second interesting fact is that external organizations often provide the first notification of compromise, as opposed to internal detection. This means that groups like CISA and other private security organizations are better able to see or disrupt attacker operations and warn of potential compromise. That is why it's important to maintain partnerships with outside agencies.


The Veeam Backup vulnerability from last month, tracked as CVE-2023-27532, is now being actively exploited across the Internet against vulnerable Veeam systems that are reachable externally. In particular, the threat group known as FIN7 was able to use the vulnerability to gain access and achieve remote code execution against Veeam infrastructure. A patch for this vulnerability is available. More information can be found here.

Security Analyst Recommendations: Last month I rated this Moderate Yellow due to the lack of access needed to exploit it, but since there is now a proof of concept for exploitation from an external source, and recorded activity of threat groups doing so, I am escalating this to Critical Red. Veeam products that are affected need to be patched immediately, especially if there is any external access to them.


Cisco disclosed a zero-day in its Prime Collaboration Deployment (PCD) software. The exploit allows for cross-site scripting attacks, which abuse the way user input is processed in the web-based management interface in order to achieve arbitrary code execution on a system. The attack is delivered through that interface, but it does require a user of the platform to click on a malicious link to succeed. So far, no patch is available. You can find more information here.

Security Analyst Recommendations: This is rated Moderate Yellow because it both requires user interaction from a specific type of user and relies on cross-site scripting, which can be complicated to execute. While it is very possible this could be exploited, the risk is moderate for a zero-day, and there are no known cases of exploitation currently. To mitigate, make sure that users with access to the management platform are properly trained on phishing, and add monitoring to determine whether malicious activity is taking place until Cisco can issue a patch for the vulnerability.

 

Notable Cyber Activities


CVE Breakdown


Top Malware Usage

  • Labyrinth Chollima - used in the 3CX supply chain attack.

  • Mimikatz - attack framework used for credential attacks
      • Possible Detection: commands that include lsadump::sam or sekurlsa::logonpasswords

  • SocGholish - initial access tool using drive-by downloads from compromised WordPress sites
      • Possible Detection: JavaScript executing from a ZIP file and making external network connections

  • Gootloader - loader that is used to install additional malicious packages
      • Possible Detection: wscript.exe spawning cscript.exe and PowerShell
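As an added illustration that is not part of the original review, the three "Possible Detection" hints above written as simple rules over constructed Sysmon-style process and network events. The event field names, file paths, IP addresses and the renamed Mimikatz binary are all assumptions made for this example.

```python
# Toy detection rules for the three hints above, run over constructed events.
# Assumed event shape: id 1 = process create, id 3 = network connection.
import re

# Constructed sample telemetry: one benign logon script, then suspicious activity.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Scripts\logon.vbs"'},
    # Mimikatz renamed to mk.exe; the module names in the command line still give it away.
    {"id": 1, "image": r"C:\Tools\mk.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    # JavaScript run straight out of an Explorer ZIP extraction folder, then a network connection.
    {"id": 1, "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_report.zip\report.js"'},
    {"id": 3, "image": r"C:\Windows\System32\wscript.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    # wscript.exe spawning cscript.exe and PowerShell.
    {"id": 1, "image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "cscript.exe //nologo stage2.js"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmd": "powershell.exe -enc AAAA"},
]

MIMIKATZ_MODULES = re.compile(r"lsadump::sam|sekurlsa::logonpasswords", re.IGNORECASE)
# Explorer extracts "x.zip" into %TEMP%\TempN_x.zip\ when a file is opened from inside the archive.
ZIP_EXTRACT_JS = re.compile(r'\\Temp\\Temp\d+_[^\\]+\.zip\\[^"\s]+\.js', re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def is_external(ip):
    # Crude RFC 1918 check; sufficient for the illustration.
    return not (ip.startswith(("10.", "192.168.")) or re.match(r"172\.(1[6-9]|2\d|3[01])\.", ip))

def detect(events):
    """Return (rule, command_line) pairs for events matching the three hints."""
    alerts = []
    wscript_external = any(e["id"] == 3 and basename(e["image"]) == "wscript.exe"
                           and is_external(e["dest_ip"]) for e in events)
    for e in events:
        if e["id"] != 1:
            continue
        if MIMIKATZ_MODULES.search(e["cmd"]):
            alerts.append(("mimikatz", e["cmd"]))
        if basename(e["image"]) == "wscript.exe" and ZIP_EXTRACT_JS.search(e["cmd"]) and wscript_external:
            alerts.append(("socgholish", e["cmd"]))
        if basename(e["parent"]) == "wscript.exe" and basename(e["image"]) in ("cscript.exe", "powershell.exe"):
            alerts.append(("gootloader", e["cmd"]))
    return alerts
```

Running detect(SAMPLE_EVENTS) flags one Mimikatz, one SocGholish and two Gootloader-style events while the benign logon script passes clean.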

 

Sources  

