Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label SolarWinds Attack. Show all posts

Russian SolarWinds Attackers Launch New Wave of Cyber Espionage Attacks

 

Russian intelligence has once more employed hacker outfit Nobelium/APT29 as part of its ongoing invasion of Ukraine, this time to spy on foreign ministries and diplomats from NATO-member states as well as additional targets in the European Union and Africa. 

The time also coincides with a wave of attacks against Canadian infrastructure that are thought to have a Russian connection. 

The possible targets of the espionage campaign were alerted to the threat on April 13 by the Polish Military Counterintelligence Service and the CERT team in Poland, along with indicators of compromise. The organisation known by Microsoft as Nobelium, also known by Mandiant as APT29, is not new to the game of nation-state espionage; it was responsible for the infamous SolarWinds supply chain attack over three years ago. 

The Polish military and CERT alert said that APT29 is now back with a completely new set of malware tools and reported marching orders to infiltrate the diplomatic corps of nations that support Ukraine. 

APT29 returns with fresh orders

According to the Polish notice, the advanced persistent threat (APT) always starts its attack with a clever spear-phishing email. 

"Emails impersonating embassies of European countries were sent to selected personnel at diplomatic posts," authorities explained. "The correspondence contained an invitation to a meeting or to work together on documents." 

The recipient would next be instructed to follow a link or download a PDF in order to view the ambassador's calendar or obtain meeting information. Both actions would direct the targets to a malicious website that was loaded with the threat group's "signature script," which the report refers to as "Envyscout".

"It utilizes the HTML-smuggling technique — whereby a malicious file placed on the page is decoded using JavaScript when the page is opened and then downloaded on the victim's device," Polish officials added. "This makes the malicious file more difficult to detect on the server side where it is stored." 

The malicious site also informs its victims through a message that they downloaded the right file. 

"Spear-phishing attacks are successful when the communications are well written, use personal information to demonstrate familiarity with the target, and appear to come from a legitimate source," Patrick Harr, CEO of SlashNext, stated. "This espionage campaign meets all of the criteria for success." 

For instance, one phishing email claimed to be from the Polish embassy. The Polish authorities also noticed that the Envyscout programme had been modified three times using better obfuscation techniques during the period of the observed campaign. 

The organisation, once infiltrated, employs modified versions of the Snowyamber downloader, Halfrig, which has Cobalt Strike as embedded code, and Quarterrig, which shares code with Halfrig, according to the Polish alert. 

In light of this and other Russian espionage activities, governments, diplomats, international organisations, and non-governmental organisations (NGOs) should be on high alert. 

Along with warnings from Polish cybersecurity authorities, Canadian Prime Minister Justin Trudeau has recently spoken out publicly about a recent wave of cyberattacks linked to Russia that targeted Canadian infrastructure. These attacks included denial-of-service assaults on the websites of Hydro-Québec, an electric utility, his office, the Port of Québec, and Laurentian Bank. According to Trudeau, Canada's backing for Ukraine is a factor in the cyberattacks. 

Although there was no harm to Canada's infrastructure, Sami Khoury, the director of the Canadian Centre for Cyber Security, emphasised during a news conference last week that "the threat is real.""You must protect your systems," said Khoury, "if you run the critical systems that power our communities, provide Internet access to Canadians, provide health care, or generally operate any of the services Canadians can't live without." "Watch your network traffic. Implement mitigations."

Microsoft Links SolarWinds Serv-U SSH 0-Day Attack to a Chinese Hacking Group

 

Microsoft Threat Intelligence Center has published technical facts regarding a now-patched, 0-day remote code execution exploit affecting SolarWinds Serv-U managed file transfer service software that it has attributed with "high confidence" to a hacking group functioning out of China.

In early July, Microsoft Offensive Research & Security Engineering team addressed a remote code execution flaw (CVE-2021-35211) that was present in Serv-U's implementation of the Secure Shell (SSH) protocol, which could be exploited by cyber criminals to execute arbitrary code on the compromised system, including the ability to install destructive programs and check out, modify, or delete delicate data. 

"The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team explained in a detailed write-up describing the exploit.

"An attacker can exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. When successfully exploited, the vulnerability could then allow the attacker to install or run programs, such as in the case of the targeted attack we previously reported," the researchers added.

Though Microsoft attributed the attacks to DEV-0322, a China-based hacking group citing "observed victimology, tactics, and procedures," the firm has now disclosed the remote, pre-auth vulnerability originated from the manner the Serv-U process managed access violations without terminating the process, thereby making it straightforward to pull off stealthy, dependable exploitation tries. 

"The exploited vulnerability was caused by the way Serv-U initially created an OpenSSL AES128-CTR context. This, in turn, could allow the use of uninitialized data as a function pointer during the decryption of successive SSH messages,” the researchers said. 

"Therefore, an attacker could exploit this vulnerability by connecting to the open SSH port and sending a malformed pre-auth connection request. We also discovered that the attackers were likely using DLLs compiled without address space layout randomization (ASLR) loaded by the Serv-U process to facilitate exploitation," the researchers further explained.

ASLR is a protection mechanism primarily used to protect against buffer overflow attack by randomly arranging the handle room positions where system executables are loaded into memory. 

After a thorough examination of the SolarWinds hack, Microsoft researchers advised the affected organizations to enable ASLR compatibility for all binaries loaded in the Serv-U procedure."ASLR is a critical security mitigation for services which are exposed to untrusted remote inputs, and requires that all binaries in the process are compatible in order to be effective at preventing attackers from using hardcoded addresses in their exploits, as was possible in Serv-U," the researchers concluded.

Last year in December, Microsoft revealed that a different espionage group may have been exploiting the IT infrastructure provider's Orion software to install a persistent backdoor called Supernova on contaminated devices. Cybersecurity firm SecureWorks attributed the intrusions to a China-linked hacking group called Spiral.

Chinese Hackers Exploit New SolarWinds Zero-Day in Targeted Attacks

 

Microsoft Threat Intelligence Centre (MSTIC) on Tuesday revealed a zero-day remote code execution exploit, being used to attack SolarWinds Serv-U FTP software in limited and targeted attacks. Microsoft revealed that the attacks are linked to a China-based threat group tracked as 'DEV-0322.' 

“MSTIC attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed victimology, tactics, and procedures," Microsoft said in an update on Wednesday.

To carry out the attack, threat actors deployed malware in the Orion software sold by the IT management company SolarWinds. According to the local media outlets, the hackers exploited at least 250 federal agencies and top organizations in the US. 

Tracked as CVE-2021-35211, the RCE vulnerability resides in Serv-U's implementation of the Secure Shell (SSH) protocol. While it was previously revealed that the attacks were limited in scope, SolarWinds said it's unaware of the identity of the potentially affected customers. 

“The vulnerability being exploited is CVE-2021-35211, which was recently patched by SolarWinds. We strongly urge all customers to update their instances of Serv-U to the latest available version," Microsoft advised. 

On Tuesday, SolarWinds published a security update for a zero-day vulnerability in Serv-U FTP servers that allow remote code execution when SSH is enabled. According to SolarWinds, this flaw was disclosed by Microsoft, who saw a hacker actively exploiting it to execute commands on vulnerable customer's devices.

"This activity group is based in China and has been observed using commercial VPN solutions and compromised consumer routers in their attacker infrastructure," says a new blog post by the Microsoft Threat Intelligence Center. 

According to Microsoft, the ‘DEV-0322’ hacking group has previously targeted entities in the US Defense Industrial Base Sector and software companies. "The Defense Industrial Base (DIB) Sector is the worldwide industrial complex that enables research and development (R&D), as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements," explains a CISA document describing the DIB sector.

In December 2020, Microsoft revealed that a separate espionage group may have been exploiting the IT infrastructure provider's Orion software to drop a persistent backdoor called Supernova on compromised systems. The intrusions have since been attributed to a China-linked threat actor called Spiral.

PRODAFT Accessed Servers of a SolarWinds Hacker

 

A Swiss cybersecurity firm says it has accessed servers utilized by a hacking group attached to the SolarWinds breach, uncovering details concerning who the attackers targeted and how they did their operation. The firm, PRODAFT, likewise said the hackers have proceeded with their campaign as the month progressed. 
PRODAFT, Proactive Defense Against Future Threats, is a cybersecurity and cyber intelligence organization providing solutions for business clients and government establishments.

PRODAFT researchers said they were able to break into the hackers' computer infrastructure and audit-proof of an enormous campaign between August and March, which targeted a great many organizations and government associations across Europe and the U.S. The point of the hacking group, named SilverFish by the researchers, was to keep an eye on victims and steal information, as per PRODAFT's report. SilverFish did an “extremely sophisticated” cyber-attack on at least 4,720 targets, including government organizations, worldwide IT providers, many banking establishments in the U.S. and EU, major auditing firms, one of the world's leading Covid-19 test kit makers, and aviation and defense companies, as per the report. 

SilverFish is centered around network reconnaissance and information exfiltration and utilizes an assortment of software and scripts for both initial and post-exploitation activities. These incorporate promptly accessible tools like Empire, Cobalt Strike, and Mimikatz, as well as customized rootkits, PowerShell, BAT, and HTA files. Prodaft says that SilverFish attackers tend to follow specific standards of conduct while specifying domains, including running orders to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts. 

Scripts are then dispatched for post-exploit reconnaissance and information theft exercises. Hacked, legitimate domains are here and there used to reroute traffic to the C2. "The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says.

"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."

Sunshuttle, the Latest Strain Allegedly Linked to SolarWinds Hackers

 

FireEye researchers have discovered a new strain of backdoor malware on the servers of an organization exploited by the SolarWinds hackers. The new strain is identified as ‘Sunshuttle’ and it was uploaded by a U.S.-based entity to a public malware repository in August 2020.

FireEye researchers Lindsay Smith, Jonathan Leathery, and Ben Read believe this new strain is connected to the hackers behind the SolarWinds supply-chain attack. Sunshuttle is a second-stage backdoor written in Go that uses HTTP to link with a command-and-control server for data exfiltration and adding a new code. 


Hacking of cybercrime forums ‘Mazafaka and Exploit’


Mysterious threat actors are targeting popular Russian language cybercrime forums ‘Mazafaka and Exploit’ and are leaking the stolen data on the dark web. On Tuesday, unknown threat actors dumped thousands of usernames, email addresses, and passwords on the dark web apparently stolen from Mazafaka. Threat actors have also leaked a 35-page PDF online which is a private encryption key allegedly used by Maza administrators. 

According to cyber intelligence firm Intel 471, “the file comprised more than 3,000 rows, containing the username, partially obfuscated passwords hashes, email addresses, and other contact details. Initial analysis of the leaked data pointed to its probable authenticity, as at least portion of the leaked user records correlated with our own data holdings.”

Antivirus Creator John McAfee charged with $13M cryptocurrency fraud 


John McAfee has been charged with securities fraud over a ‘pump-and-dump’ cryptocurrency scheme. Federal prosecutors unsealed a case against McAfee and his executive advisor and bodyguard Jimmy Gale Watson Jr. claiming the pair has raked in more than $13 million from the investors they victimized with their fraudulent schemes.

In late 2017 and early 2018, McAfee urged his hundreds of thousands of Twitter followers to invest in a number of obscure cryptocurrencies. Prosecutors say he failed to disclose his own financial stake in those tokens and in some cases outright lied about it. 

“The defendants allegedly used McAfee’s Twitter account to publish messages to his hundreds of thousands of Twitter followers touting various cryptocurrencies through false and misleading statements to conceal their true, self-interested motives,” Manhattan US Attorney Audrey Strauss stated.

US Senate's Selection Committe Raises Some Serious Concerns Regarding SolarWinds Attack

 

The US Senate’s select committee has blamed Russia for the massive intelligence operation that infiltrated SolarWinds, a Texas-based software company, to steal data from various governments and nearly 100 companies. Threat actors exploited the vulnerabilities in SolarWinds and Microsoft programs to penetrate the companies and government agencies. 

Some key issues were raised during a hearing of US Senate’s select committee:

• Threat actors conducting a “dry run”; 
• The true motive behind an attack; 
• Threat actors exploiting Amazon Web services vulnerabilities; 
• Improvement in cyberthreat and intelligence information sharing.

Kevin Mandia, CEO of FireEye revealed the methodology used by threat actors for conducting a “dry run” in October 2019. He stated during his testimony that “they put an innocuous build in to make sure that it made it to the [production] environment,”. He also added that his company’s engineers have worked day in, day out, spending more than 10,000 hours to analyze the source of the data breach and how it led the threat actors to the SolarWinds server.

Many witnesses blamed the Russian-based hacking group for data breach, Microsoft’s President Brad Smith testified: “We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else.” 

Senator Marco Rubio, the vice chairperson of the intelligence committee said there is conclusive evidence to suggest that the attack was more than a cyberespionage campaign. Hence, to draw any conclusions at this point is not justified. “While I share the concern that an operation of this scale with a disruptive intent could have caused mass chaos, those are not the facts that are in front of us. Everything we have seen thus far indicates this was an intelligence operation – a rather successful one – that was ultimately disrupted.”

Senators slammed Amazon Web Services for declining to testify given the company’s infrastructure was used in the attack. Sen. Rubio stated that “we had extended an invitation to Amazon to participate. The operation we’ll be discussing today uses their infrastructure, [and], at least in part, required it to be successful. Apparently, they were too busy to discuss that here with us today, and I hope they’ll reconsider that in future.”

Sen. Richard Burr said, Amazon Web Services hosted most of the secondary command and control nodes in the SolarWinds attack, which raised questions about how much Amazon and its executives have revealed about what they know. 

During the hearing, witnesses agreed with many of the committee members regarding the strengthening of cyberthreat and intelligence information sharing. Kevin Mandia, CEO of FireEye said that 2015 Cybersecurity Information Sharing Act should be updated which will make it easier to share intelligence and provide protection to data breach and gather the initial intelligence. Anne Neuberger, Deputy National Security Adviser said earlier this month that nine federal agencies and 100 private organizations, were compromised as part of the attack.