Security researchers from Cryptolaemus have identified what seems to be the reappearance of the popular Emotet malware, whose infrastructure had remained inactive since January after a joint intervention by law enforcement agencies worldwide to thwart its operations. The new samples use the same propagation mechanism traditionally linked with this botnet: malspam with Excel or Word attachments or password-protected ZIP files, spoofed senders and information stolen from old victims’ email threads. The only important difference lies in the use of encrypted communications with the C2 servers over HTTPS. Even though only one day has passed since the spam campaign was detected, other researchers have started warning about this new Emotet activity and its delivery as a second-stage payload by the Trickbot malware. The operators of Trickbot, known by the alias ITG23, have recently been spotted participating in several campaigns alongside the Shathak (TA551) threat actor, in attempts to deliver their malware as a precursor to a compromise with the Conti ransomware.
More information: https://isc.sans.edu/diary/28044
0-day in FatPipe VPN actively exploited
The FBI has issued a statement warning about an advanced persistent threat (APT) abusing a 0-day vulnerability in FatPipe VPN devices since at least last May. Specifically, FBI forensic analysis indicates that the attackers could have accessed the file upload function in the device’s firmware and installed a web shell with root access, leading to elevated privileges in the internal networks of the targeted organizations. The 0-day vulnerability described affects FatPipe MPVPN, IPVPN and WARP virtual private network (VPN) devices and has not yet been assigned a CVE number or severity rating. FatPipe has already released a patch and a security advisory (FPSA006). The FBI advisory also contains YARA rules and indicators of compromise to help identify related activity on affected systems.
More details: https://www.ic3.gov/Media/News/2021/211117-2.pdf
ChainJacking: new software supply chain attack
Security company Intezer, together with Checkmarx, has published a paper on a new supply chain attack against software providers that could put several commonly used management tools at risk. Known as “ChainJacking”, the attack consists of modifying or corrupting open source packages from GitHub, the Go package manager or NPM that are included by default in management tools. In the case of GitHub, an attacker could claim ownership of an abandoned username and start delivering malicious code to anyone downloading the package, taking advantage of the trust earned by the username’s former owner. Exploiting this in a repository of Go packages could trigger a chain reaction that amplifies the spread of the malicious code and infects a wide range of products, causing damage comparable to that of last year’s SolarWinds incident or this year’s Kaseya attack. So far, no active exploitation of this attack has been reported, but it cannot be overlooked given the recent trend of software supply chain attacks that are difficult to detect, have a huge impact, and give threat agents further chances of infection.
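To make the ChainJacking exposure concrete from the defender’s side, the following is an added Go example (not code from Intezer, Checkmarx or any project mentioned above) that audits a constructed go.mod and go.sum: it extracts the GitHub account that controls each import path, so that those accounts can be reviewed for renames or abandonment, and reports whether go.sum pins the module’s content, since a module without a recorded hash is the one a namespace takeover could silently replace on the next build. All module names and hashes are constructed for the example.

```go
package main

import "strings"

// Dependency is one entry from a go.mod require block, enriched for supply-chain review.
type Dependency struct {
	Path, Version, Owner string // Owner: GitHub account controlling the path ("" if not github.com)
	Pinned               bool   // true when go.sum carries a content hash for Path@Version
}

// Constructed sample inputs (not real projects); "toolkit" is deliberately absent from go.sum.
const SampleGoMod = `module example.com/inventory
go 1.17
require (
	github.com/orphaned-owner/toolkit v1.4.0
	github.com/maintained-org/logger v0.9.2 // indirect
	golang.org/x/text v0.3.7
)
`
const SampleGoSum = `github.com/maintained-org/logger v0.9.2 h1:constructed-hash-1
github.com/maintained-org/logger v0.9.2/go.mod h1:constructed-hash-2
golang.org/x/text v0.3.7 h1:constructed-hash-3
golang.org/x/text v0.3.7/go.mod h1:constructed-hash-4
`

// AuditGoMod lists each required module, the GitHub owner of its namespace, and whether go.sum pins it.
func AuditGoMod(goMod, goSum string) []Dependency {
	pinned := map[string]bool{}
	for _, l := range strings.Split(goSum, "\n") {
		// Keep "path version h1:..." lines; the "path version/go.mod h1:..." line only hashes go.mod.
		if f := strings.Fields(l); len(f) == 3 && !strings.HasSuffix(f[1], "/go.mod") {
			pinned[f[0]+"@"+f[1]] = true
		}
	}
	var deps []Dependency
	inBlock := false
	for _, l := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.SplitN(l, "//", 2)[0]) // drop "// indirect" and other comments
		if len(f) == 2 && f[0] == "require" && f[1] == "(" {
			inBlock = true
		} else if len(f) == 1 && f[0] == ")" {
			inBlock = false
		} else if inBlock && len(f) == 2 {
			d := Dependency{Path: f[0], Version: f[1], Pinned: pinned[f[0]+"@"+f[1]]}
			if p := strings.Split(f[0], "/"); len(p) >= 3 && p[0] == "github.com" {
				d.Owner = p[1] // the account a ChainJacking takeover would need to claim
			}
			deps = append(deps, d)
		}
	}
	return deps
}
```

Running the audit on the sample flags github.com/orphaned-owner/toolkit as unpinned, which is the entry to verify first against the current state of that GitHub account.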
0-day vulnerability in ManageEngine ServiceDesk
Researchers from IBM have discovered a 0-day flaw in ManageEngine ServiceDesk, a widely used help desk management platform that includes applications for project and IT service management. The vulnerability, CVE-2021-37415, could be exploited to grant an unauthorized attacker access to a REST API subset of the application, which is responsible for retrieving information from the tickets existing within it. Moreover, upon successful exploitation, a threat agent could access confidential data over the Internet, including information on the patches to be applied or the internal network structure of an organization, among others. This could also lead to a supply chain attack, given the widespread use of this product and the nature of the vulnerability. ManageEngine has issued version 11302 to correct the flaw, which should be applied as soon as possible.