
Luna Moth: Hackers After the Subscription Scam 

Luna Moth is a newly identified data extortion group that has been breaking into businesses to steal corporate data. If the victims don't pay a ransom, the hackers threaten to publish the stolen records. 

The hacker group adopted the alias Luna Moth and has been engaged in phishing efforts since at least March in which remote access tools (RAT) were distributed, enabling corporate data theft.

How does the scam work?

The incident response team at cybersecurity firm Sygnia has analysed the Luna Moth group and notes that the actor is attempting to establish a reputation under the name Silent Ransom Group (SRG).

In its published report, Sygnia explains that although the goal of Luna Moth, also tracked as TG2729, is to acquire key data, its method of operation resembles that of a scammer rather than a ransomware crew.

Over the last three months the group has run a widespread phishing campaign posing as Zoho MasterClass Inc. and Duolingo. The malicious emails are sent from Gmail accounts whose display names have been altered to look like official company accounts, claiming to come from Zoho Corporation or Duolingo.
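The lure shape described above, a consumer mailbox dressed up with a brand's name, is easy to check for at the mail gateway. The following is an added example, not code from the original post or from Sygnia's report: it parses a message's From and Subject headers and flags a claimed brand whose real domain does not match the sending domain. The two messages are constructed for illustration (they are not real Luna Moth lures), and the brand and free-mail lists are assumptions you would extend for your own environment.

```python
"""Flag lookalike senders of the kind described above: a free-mail address
whose display name or subject impersonates a brand. Added example; the two
messages are constructed for illustration, not real Luna Moth lures, and
the brand and free-mail lists are assumptions."""
from email import message_from_string
from email.utils import parseaddr

# Brands named in the campaign above, mapped to the domain they really use.
IMPERSONATED_BRANDS = {"zoho": "zoho.com", "duolingo": "duolingo.com"}
# Consumer mail providers a vendor never invoices from (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def classify_sender(raw_message: str) -> dict:
    """Return the brands the message claims, the sending domain, and
    whether the combination looks like brand impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    visible = f"{display} {addr} {msg.get('Subject', '')}".lower()
    claimed = [b for b in IMPERSONATED_BRANDS if b in visible]
    # A claimed brand whose real domain is neither the sender domain nor a
    # parent of it (mail.zoho.com is fine, gmail.com is not).
    mismatch = [b for b in claimed
                if domain and domain != IMPERSONATED_BRANDS[b]
                and not domain.endswith("." + IMPERSONATED_BRANDS[b])]
    return {
        "from": addr,
        "domain": domain,
        "claimed_brands": claimed,
        "freemail": domain in FREEMAIL_DOMAINS,
        "brand_domain_mismatch": mismatch,
        "suspicious": bool(mismatch) or (bool(claimed) and domain in FREEMAIL_DOMAINS),
    }


# Constructed sample: the lure shape described above.
PHISH = """\
From: Zoho MasterClass Inc. <zoho.masterclass.billing@gmail.com>
To: accounts@example.com
Subject: Your Zoho MasterClass subscription has renewed

Your subscription was renewed for $499. To cancel, call our support line.
"""

# Constructed sample: a message from the brand's own domain.
LEGIT = """\
From: Zoho Billing <billing@zoho.com>
To: accounts@example.com
Subject: Your Zoho invoice is ready

Your monthly invoice is attached.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, classify_sender(sample))
```

The check deliberately ignores the body: the "call us to cancel" text varies between lures, while the header mismatch is structural. Authenticated mail from the real brand domain (with SPF/DKIM verified upstream) passes untouched.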

Domains used

The first verified campaign-related domain was registered in April 2022. Both the exfiltration and the phishing domains are registered through Namecheap and hosted by Hostwinds.

The two primary sets of domains and IPs that make up Luna Moth infrastructure  can be tied to subscription fraud:

  • Domains on the .xyz TLD, such as maaays[.]xyz, are exfiltration domains: the group uses them as the destination when it exfiltrates data with Rclone.
  • Phishing sites such as masterzohoclass[.]com that pretend to be associated with Duolingo or Zoho. Most of these domains are live for four hours or less.

Standard tools

The hackers mainly rely on commercial remote administration tools (RATs) such as Atera, Splashtop, Syncro, and AnyDesk to control compromised devices. Running several of them gives the hackers flexibility and persistence: if one RAT is removed from the system, the others can reinstall it. The group also uses off-the-shelf tools such as SharpShares and SoftPerfect Network Scanner.

The tools are stored on compromised machines under fake names that make them appear legitimate. Alongside the RATs, they let the threat actors perform basic reconnaissance, gain access to additional resources, and steal data from compromised networks.
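Because the binaries are renamed on disk, a hunt for this tradecraft should key on PE version metadata (original file name, product, company) rather than the file name, and on the pattern of several RMM agents coexisting on one host. The following is an added example, not code from the original post or from Sygnia: it runs over constructed Sysmon-style process and network records (field names are assumptions) and reports renamed Rclone binaries, connections to the .xyz exfiltration TLD named above, and hosts carrying two or more of the RMM tools listed above.

```python
"""Hunt for the tradecraft described above in endpoint telemetry:
(1) Rclone running under a renamed binary, identified from PE version
    metadata rather than the on-disk file name;
(2) outbound connections to .xyz domains, the exfiltration TLD named above;
(3) hosts running two or more remote-administration agents at once.
Added example: the records are constructed to resemble Sysmon-style
ProcessCreate / NetworkConnect fields (field names are assumptions), and
the vendor names come from the text."""
from collections import defaultdict
from typing import Dict, List

RMM_VENDORS = ("atera", "splashtop", "syncro", "anydesk")  # from the text
EXFIL_TLDS = (".xyz",)                                      # from the text

# Constructed sample telemetry. Paths, products and the decoy name are
# illustrative; the .xyz domain is the one reported above, undefanged.
EVENTS: List[Dict] = [
    {"host": "FIN-LT01", "type": "process", "image": r"C:\Users\amy\AppData\Local\Temp\invoice.exe",
     "original_filename": "rclone.exe", "product": "Rclone", "company": "Rclone"},
    {"host": "FIN-LT01", "type": "network", "image": r"C:\Users\amy\AppData\Local\Temp\invoice.exe",
     "dest": "maaays.xyz", "dest_port": 443},
    {"host": "FIN-LT01", "type": "process", "image": r"C:\Program Files\Atera\AteraAgent.exe",
     "original_filename": "AteraAgent.exe", "product": "Atera Agent", "company": "Atera Networks"},
    {"host": "FIN-LT01", "type": "process", "image": r"C:\Program Files (x86)\Splashtop\SRServer.exe",
     "original_filename": "SRServer.exe", "product": "Splashtop Streamer", "company": "Splashtop Inc."},
    {"host": "FIN-LT01", "type": "process", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "original_filename": "AnyDesk.exe", "product": "AnyDesk", "company": "AnyDesk Software GmbH"},
    {"host": "HR-LT07", "type": "process", "image": r"C:\Program Files\Rclone\rclone.exe",
     "original_filename": "rclone.exe", "product": "Rclone", "company": "Rclone"},
    {"host": "HR-LT07", "type": "network", "image": r"C:\Program Files\Rclone\rclone.exe",
     "dest": "backup.example.com", "dest_port": 443},
    {"host": "HR-LT07", "type": "process", "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "original_filename": "AnyDesk.exe", "product": "AnyDesk", "company": "AnyDesk Software GmbH"},
]


def hunt(events: List[Dict]) -> Dict[str, List[str]]:
    """Return {host: [finding, ...]} for hosts showing any of the three signs."""
    findings: Dict[str, List[str]] = defaultdict(list)
    rclone_images: Dict[str, set] = defaultdict(set)  # host -> images that are really rclone
    rmm_by_host: Dict[str, set] = defaultdict(set)

    # Pass 1: process events. Match on metadata, not on the file name the
    # attacker chose.
    for ev in events:
        if ev["type"] != "process":
            continue
        meta = " ".join(str(ev.get(k, "")) for k in ("original_filename", "product", "company")).lower()
        on_disk = ev["image"].rsplit("\\", 1)[-1].lower()
        if "rclone" in meta:
            rclone_images[ev["host"]].add(ev["image"])
            findings[ev["host"]].append(f"rclone present: {ev['image']}")
            if on_disk != "rclone.exe":
                findings[ev["host"]].append(f"renamed rclone binary: {ev['image']}")
        for vendor in RMM_VENDORS:
            if vendor in meta:
                rmm_by_host[ev["host"]].add(vendor)

    # Pass 2: network events, now that we know which images are rclone.
    for ev in events:
        if ev["type"] != "network":
            continue
        if ev["dest"].lower().endswith(EXFIL_TLDS):
            what = "rclone" if ev["image"] in rclone_images[ev["host"]] else "process"
            findings[ev["host"]].append(
                f"{what} {ev['image']} -> {ev['dest']}:{ev['dest_port']} (exfil TLD)")

    # Pass 3: the layered-RMM persistence pattern.
    for host, vendors in rmm_by_host.items():
        if len(vendors) >= 2:
            findings[host].append("multiple RMM agents: " + ", ".join(sorted(vendors)))
    return dict(findings)


if __name__ == "__main__":
    for host, items in hunt(EVENTS).items():
        print(host)
        for item in items:
            print("  -", item)
```

The second host shows why the "rclone present" line is kept as a low-severity lead: a correctly named Rclone talking to an internal backup host with a single RMM agent is ordinary IT, and only the combination of renamed binary, .xyz destination and stacked agents on the first host is worth paging on.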

US Defense Contractors Struck by SockDetour Windows backdoor


SockDetour, a new custom malware discovered on US defence contractor computers, has been utilised as a backup backdoor to sustain access to hijacked networks. 

The malicious payload was discovered by Unit 42 security researchers, who believe its operators have kept it under the radar for a long time, since it has been in use in the wild since at least July 2019. SockDetour "operates filelessly and socketlessly" on compromised Windows servers by hijacking existing network connections, which explains its stealth: it is much harder to identify at both the host and the network level. 

The connection hijacking is carried out with the help of the official Microsoft Detours library package, which is used for monitoring and instrumenting Windows API calls.

Unit 42 explained, “With such implementation, SockDetour [..] serves as a backup backdoor in case the primary backdoor is detected and removed by defenders." 

In one attack, the threat actors used an unusual delivery server: a QNAP network-attached storage (NAS) device, of a kind commonly used by small businesses, that had earlier been infected with QLocker ransomware. They most likely exploited the same vulnerability (CVE-2021-28799, a remote code execution bug) to gain access to it. 

On July 27, 2021, the researchers discovered the malware on the Windows server of at least one US defence contractor, which led to the identification of three additional defence organisations being attacked by the same group with the same backdoor. 

"Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting U.S.-based defence contractors using the tools. Unit 42 has evidence of at least four defence contractors being targeted by this campaign, with a compromise of at least one contractor," researchers explained. 

What is SockDetour?

The SockDetour backdoor was earlier linked to attacks exploiting various vulnerabilities in Zoho products, including ManageEngine ADSelfService Plus (CVE-2021-40539) and ServiceDesk Plus (CVE-2021-44077), by an APT activity cluster tracked by Unit 42 as TiltedTemple. While Unit 42 analysts suspected in November that the TiltedTemple campaign was the work of a Chinese-sponsored threat group known as APT27, the firm did not link the SockDetour malware to a specific hacking group. 

The partial attribution is based on techniques and malicious tools that match APT27's earlier activity, as well as similar cyber-espionage targeting of the same industries (defence, technology, energy, aerospace, government, and manufacturing). 

In three separate campaigns in 2021, TiltedTemple attacks targeting Zoho vulnerabilities compromised the networks of critical infrastructure organisations around the world, using: 
• an ADSelfService Plus zero-day exploit between early August and mid-September, 
• an n-day exploit for the same ADSelfService Plus vulnerability until late October, 
• and a ServiceDesk Plus exploit starting on October 25.

Zoho: Patch New ManageEngine Flaw Abused in Attacks ASAP


Business software vendor Zoho is urging customers to upgrade their Desktop Central and Desktop Central MSP installations to the latest available build. 

ManageEngine Desktop Central from Zoho is an endpoint management tool that lets administrators deploy patches and software across the network automatically and troubleshoot devices remotely. Zoho announced that a newly patched critical vulnerability in Desktop Central and Desktop Central MSP is being actively exploited, the third vulnerability in its products to be exploited in the wild in the last four months. 

The vulnerability, tracked as CVE-2021-44515, is an authentication bypass flaw that could let an attacker execute arbitrary code on the Desktop Central or Desktop Central MSP server. 

If indicators of compromise are found, Zoho recommends a "password reset for all services, accounts, Active Directory, etc. that has been accessed from the service installed machine", including Active Directory administrator passwords. 

"As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible." 

For affected installations, the company advises disconnecting the affected systems from the network, backing up all essential business data, formatting the compromised servers, restoring Desktop Central, and updating it to the latest build once the installation is complete. Zoho has also released an Exploit Detection Tool that helps customers find indicators of compromise in their installations. 

A quick search with Shodan revealed over 3,200 ManageEngine Desktop Central machines open to attacks and running on various ports. 

CVE-2021-44515 now joins two previous vulnerabilities, CVE-2021-44077 and CVE-2021-40539, that have been abused to attack critical infrastructure organisations' networks around the world. 

CVE-2021-44077, an unauthenticated, remote code execution vulnerability impacting ServiceDesk Plus, is being abused to drop web shells and carry out a variety of post-exploitation operations as part of a campaign termed "TiltedTemple," according to the US Cybersecurity and Infrastructure Security Agency (CISA).

Determined APT is Abusing ManageEngine ServiceDesk Plus Flaw


An APT group is abusing a critical vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077) to infiltrate enterprises across a range of industries, including defence and technology. 

The Cybersecurity and Infrastructure Security Agency (CISA) alerted, “Successful exploitation of the vulnerability allows an attacker to upload executable files and place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.” 

CVE-2021-44077 is an authentication bypass flaw affecting on-premises ManageEngine ServiceDesk Plus installations running build 11305 and earlier. Its root cause is a security misconfiguration in ServiceDesk Plus that lets an attacker reach application data without authentication through some of the application's URLs. 

The company explained, “To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.” 
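The vendor's description above points at a familiar bug class: an authorization decision made on the request path as the client wrote it, which a different spelling of the same path can slip past. The exact path and character substitution used against CVE-2021-44077 are not given here, so the following is an added illustration of the class, not ServiceDesk Plus code and not the real exploit. The protected prefix, the public paths, the endpoint name "Export" and the bypass inputs are all assumptions; the hardened version canonicalises the path (decoding, path-parameter stripping, normalisation, case folding) before checking it, and defaults to deny.

```python
"""Authorization check applied to a raw URL path (bypassable) versus one
applied after canonicalisation (hardened). Added example, not ServiceDesk
Plus code: the protected prefix, public prefixes, endpoint name and bypass
inputs are assumptions chosen to illustrate the class of bug described
above, not the specific request used against CVE-2021-44077."""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/RestAPI/"           # assumed: tree that needs a session
PUBLIC_PREFIXES = ("/login", "/static")  # assumed: reachable without a session


def vulnerable_is_authorized(raw_path: str, authenticated: bool) -> bool:
    # Compares the path exactly as the client sent it. Any spelling of the
    # protected tree that differs from the literal prefix is let through.
    if raw_path.startswith(PROTECTED_PREFIX):
        return authenticated
    return True


def canonical_path(raw_path: str) -> str:
    # Drop the query string, then percent-decode until stable (bounded) so
    # double encoding cannot smuggle characters past the check.
    path = raw_path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    # Strip ';param' path parameters from each segment (servlet containers
    # ignore them when routing, so '..;' is a traversal in disguise).
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # Collapse '.', '..' and repeated slashes, force one leading slash,
    # and fold case (assumed case-insensitive backend, e.g. on Windows).
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def hardened_is_authorized(raw_path: str, authenticated: bool) -> bool:
    # Default deny: only explicitly public trees are reachable without a
    # session, and the decision is made on the canonical form only.
    path = canonical_path(raw_path)
    for public in PUBLIC_PREFIXES:
        p = public.lower()
        if path == p or path.startswith(p + "/"):
            return True
    return authenticated


# Constructed bypass inputs for the assumed endpoint name "Export".
BYPASS_ATTEMPTS = [
    "/%52estAPI/Export",            # percent-encoded first letter
    "/%2552estAPI/Export",          # double-encoded
    "//RestAPI/Export",             # duplicated leading slash
    "/static/../RestAPI/Export",    # traversal out of a public tree
    "/static/..;/RestAPI/Export",   # traversal via a path parameter
    "/restapi/Export",              # case variant
]


def compare(attempts=BYPASS_ATTEMPTS, authenticated=False):
    """Return {attempt: (vulnerable_result, hardened_result)}; True means
    the request is let through for a client with the given session state."""
    return {a: (vulnerable_is_authorized(a, authenticated),
                hardened_is_authorized(a, authenticated)) for a in attempts}


if __name__ == "__main__":
    for attempt, (vuln, hard) in compare().items():
        print(f"{attempt:32} vulnerable={vuln!s:5} hardened={hard}")
```

Two design points matter more than the particular transformations: the canonical form must be the one the application container actually routes on (match the decoder to Tomcat's, Jetty's, or IIS's behaviour, not to a guess), and the check must be allowlist-based so that any spelling you failed to anticipate falls into the deny branch rather than the public one.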

ManageEngine (a Zoho subsidiary) released build 11306 on September 16, 2021, to fix the issue. CVE-2021-44077 has been under attack for some time. Palo Alto Networks' Unit 42 has linked the activity to a "persistent and determined APT actor" that first exploited a zero-day vulnerability in ADSelfService Plus (CVE-2021-40539) in August and September, continued to exploit that same vulnerability as an n-day in September and October, and since late October has been exploiting CVE-2021-44077 in ServiceDesk Plus. 

Because no proof-of-concept exploit code for CVE-2021-44077 is publicly available, the researchers believe the APT actor developed its own exploit. 

“Upon exploitation, the actor has been observed uploading a new dropper to victim systems. Similar to the previous tactics used against the ADSelfService software, this dropper deploys a Godzilla web shell which provides the actor with further access to and persistence in compromised systems,” they shared.

“Over the past three months, at least 13 organizations across the technology, energy, healthcare, education, finance and defence industries have been compromised [by this APT]. Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states.” 

Unit 42's search for internet-facing ManageEngine ServiceDesk Plus installations found over 4,700, about 2,900 of which were vulnerable to exploitation; roughly 600 of those are in the United States. 

The researchers have published technical details and proofs of concept for the most recent attacks targeting CVE-2021-44077, along with advice on how organisations can protect themselves. The CISA advisory provides similar information plus network indicators, TTPs, YARA rules and mitigation guidance, and Zoho has published additional details and a downloadable exploit detection tool that customers can use to scan their installation for signs of compromise. 

Finally, the Palo Alto researchers have issued an additional cautionary statement: “In continuing to track this actor’s activities, we believe it is also important to note that on Nov. 9, we observed the actor connecting to passwordmanagerpromsp[.]com. This domain is associated with another ManageEngine product that provides Managed Service Providers (MSPs) with the ability to manage passwords across multiple customers in a single instance. Earlier this year, Zoho released a patch for CVE-2021-33617 affecting this product. While we have not seen any exploitation attempts to date, given the actor’s emerging pattern of targeting ManageEngine products and the actor’s interest in this third product, we highly recommend organizations apply the relevant patches.”

Zoho ManageEngine ServiceDesk Plus Vulnerability, Exploited By Threat Actors


The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning concerning the continued exploitation of a newly patched vulnerability in Zoho's ManageEngine ServiceDesk Plus product. 

CVE-2021-44077, rated critical by Zoho, is an unauthenticated remote code execution (RCE) flaw affecting all ServiceDesk Plus builds up to and including 11305. Zoho fixed it on September 16, 2021, in ServiceDesk Plus build 11306 and later. 

According to the FBI and CISA, advanced persistent threat (APT) actors are among those abusing the vulnerability. After successful exploitation, an attacker can upload executable files and deploy web shells, enabling post-exploitation activity such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. 

"A security misconfiguration in ServiceDesk Plus led to the vulnerability," Zoho explained in an official alert issued on November 22. "This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks." 

According to a recent report from Palo Alto Networks' Unit 42 threat intelligence team, CVE-2021-44077 is the second flaw abused by the same threat actor, which had previously been observed exploiting a vulnerability (CVE-2021-40539) in Zoho's self-service password management and single sign-on product, ManageEngine ADSelfService Plus, to compromise at least 11 organisations. 

"The threat actor expand[ed] its focus beyond ADSelfService Plus to other vulnerable software," Unit 42 researchers Robert Falcone and Peter Renals said. "Most notably, between October 25 and November 8, the actor shifted attention to several organizations running a different Zoho product known as ManageEngine ServiceDesk Plus." 

The attacks are believed to be the work of a "persistent and determined APT actor" tracked as "DEV-0322", an emerging threat cluster that Microsoft assesses is based in China and that was earlier observed exploiting a then-zero-day flaw in the SolarWinds Serv-U managed file transfer product this year. Unit 42 tracks the combined activity as the "TiltedTemple" campaign. 

Following a successful compromise, the threat actor uploads a new dropper (named "msiexec.exe") to victim systems, which in turn deploys the Chinese-language JSP web shell "Godzilla" to maintain persistence on those machines, the same technique used against the ADSelfService Plus software. 

At least two organisations have been compromised through the ServiceDesk Plus flaw in the last three months, and that number is likely to grow as the APT group ramps up reconnaissance against the technology, energy, transportation, healthcare, education, finance, and defence industries. 

Zoho, for its part, has made an exploit detection tool available to help customers determine whether their on-premises installations have already been compromised, and recommends that customers "upgrade to the latest version of ServiceDesk Plus (12001) immediately" to mitigate the risk.

Port of Houston Attacked Employing Zoho Zero-Day Vulnerability


On 23 September, CISA officials reported that a suspected state-backed hacking group had tried to break into the networks of the Port of Houston, one of the largest port authorities in the United States, using a zero-day vulnerability in a Zoho user-authentication product. 

Port authorities said they successfully defended against the attack, adding that no operational data or systems were affected. 

The investigation into the attack led to a joint advisory on 16 September from CISA, the FBI, and the Coast Guard warning American organisations about cyberattacks by a nation-state hacking group using the Zoho zero-day. 

According to Matt Dahl, Principal Intelligence Analyst at security firm CrowdStrike, the zero-day was used mostly in late-August attacks. Zoho patched the vulnerability (CVE-2021-40539) on 8 September, after which CISA issued its first warning about the ongoing attacks. 

CISA officials said they have not yet attributed the attack on the Port of Houston to a specific hacking group or foreign government. 

Port Houston is the nation's largest port by waterborne tonnage and a vital economic engine for the Houston region, the State of Texas, and the United States; it has owned and managed public wharves and terminals along the Houston Ship Channel for over 100 years. More than 200 private terminals and eight public terminals along the federal waterway support nearly 1.35 million jobs in Texas and 3.2 million nationally, generating $339 billion in economic activity in Texas (20.6% of the state's GDP) and $801.9 billion across the country. 

“[A]ttribution can always be complicated in terms of being able to dispositively say who that threat actor is,” CISA Director Jen Easterly told senators in a meeting of the Senate Homeland Security and Governmental Affairs Committee. 

“But we are working very closely with our interagency partners and the intelligence community to better understand this threat actor so that we can ensure that we are not only able to protect systems, but ultimately to be able to hold these actors accountable,” the CISA Director added; in response to a follow-up question she characterised the attackers as a “nation-state actor”. 

Port of Houston officials did not respond to a request for comment seeking further details about the attack.