Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Credential Harvester. Show all posts

CISA Published MARs on Samples Targeting Pulse Secure Devices

 

Five new research reports outlining malware detected on compromised Pulse Secure devices were issued this week by the US Cybersecurity and Infrastructure Security Agency (CISA). Adversaries have been targeting Pulse Connect Secure VPN appliances to exploit a variety of vulnerabilities, including CVE-2021-22893 and CVE-2021-22937, which were found earlier this year.

CISA issued an alert in April this year on assaults on Pulse Secure devices, along with indicators of compromise (IOCs) and details on the malware used by the attackers. Threat actors' tactics, techniques, and procedures (TTPs) are detailed in the malware analysis reports (MARs). 

CVE-2021-22893 is a buffer overflow vulnerability in Pulse Connect Secure Collaboration Suite prior to version b9.1R11.4 that allows remote authenticated attackers to execute arbitrary code as the root user through a maliciously crafted meeting room. Two hacking groups have used the zero-day vulnerability in Pulse Secure VPN equipment to break into the networks of US defence contractors and government institutions around the world, according to reports issued by FireEye and Pulse Secure in May. 

CVE-2021-22937 is a high-severity remote code execution vulnerability in Pulse Connect Secure's admin web interface. A remote attacker might use the weakness to overwrite arbitrary files and gain root-level code execution. The bug has a CVSS score of 9.1 and is the consequence of a bypass of the patch provided in October 2021 to address the CVE-2020-8260 issue, according to experts. Early this month, Ivanti corrected a major code execution issue in Pulse Connect Secure VPN. 

According to CISA, two of the samples are maliciously modified Pulse Secure files received from compromised machines, both of which are credential harvesters. One of the files also serves as a backdoor, allowing attackers to access the hacked device remotely. A malicious shell script in another file might log usernames and passwords. A third sample consisted of many files, one of which had a shell script for converting a Pulse Secure file to a web shell. One file was created to intercept certificate-based multi-factor authentication, while others were created to read web request data.

Two Perl scripts designed to execute attacker instructions, a Perl library, a Perl script, and a shell script designed to manipulate and execute the 'bin/umount' file were included in the fifth sample.

TeamTNT: New Credential Harvester Targets Cloud Services and other Software

 

Secrets must be kept confidential in order for networks to be protected and supply-chain attacks to be avoided. Malicious actors frequently target secrets in storage mechanisms and harvest credentials from systems that have been compromised. DevOps software often stores credentials in plain text that is accessible even without user intervention, posing a significant security risk. 

When inside a victim's device, malicious actors have been known to steal cloud service provider (CSP) credentials. For example, the cybercriminal group TeamTNT is no stranger to attacking cloud containers, expanding their arsenal to steal cloud credentials, and experimenting with new environments and intrusive activities. 

Trend Micro discovered new evidence that TeamTNT has expanded its credential harvesting capabilities to threaten numerous cloud and non-cloud services in victims' internal networks and systems post-compromise in the group's most recent attack routine. 

The malware created by TeamTNT is designed to steal credentials from specific applications and services. It infects Linux machines with vulnerabilities such as exposed private keys and recycled passwords, and it focuses on looking for cloud-related data on infected devices. 

Cloud misconfigurations and repeated passwords, as in the group's other attacks, make it easy to gain access to a victim's device. To gain access to other systems, the community harvests credentials for Secure Shell (SSH) and Server Message Block (SMB), as before. Both intrusion strategies have the ability to disperse their payloads in a worm-like manner. 

The malware searches for app configurations and data based on a search list when running through the linked devices, and sends them to the command-and-control (C&C) server, using a.netrc file to automatically log in using the harvested credentials. Comparing the harvester with the group’s previous versions, Trend Micro saw a significant increase in targets. 

Since TeamTNT's payloads are focused on illegal Monero mining, it's no surprise that the malware searches the infected system for Monero configuration data. The malware looks for Monero wallets on all devices that the group has access to. The malware attempts to remove all traces of itself from the infected device at the end of its routine. According to research, it strongly suggests that this is not being achieved effectively. Although the command "history -c" clears the Bash history, some commands continue to run and leave traces on other sections of the device. 

Malicious actors deliberately search internal networks and systems for legitimate users' credentials in order to facilitate their post-intrusion activities. They could use the cloud services paid for by legitimate organizations for other malicious purposes if they have CSP credentials. 

Furthermore, plaintext credentials are a gold mine for cybercriminals, particularly when used in subsequent attacks. Vulnerabilities, especially those in unpatched and otherwise unsecured internet-facing systems, are the same. 

Customers are advised to use the hidden vaults provided by their CSPs and adopt these best practices to minimize the risks of this TeamTNT routine and other related threats: 
1.Adopt the collective responsibility model and enforce the concept of least privilege. 
2.Replace default credentials with strong and stable passwords and make sure that the security settings of various systems environments are personalized to the needs of the company. 
3.Avoid storing passwords in plain text and use multifactor authentication.