Cyber Security Weekly Briefing 4 – 10 December

Telefónica Tech    10 December, 2021

Catalan government suffers DDoS attack

According to the statement issued by the Catalan government, the Centre de Telecomunicacions i Tecnologies de la Informació (CTTI) detected last Friday a cyber-attack that compromised more than 2,000 of the organization’s computer applications for approximately 3 hours. The attack suffered was a denial-of-service (DDoS) attack, which consists of the collapse of services by increasing the volume of traffic so that the servers increase their processing time. Regarding the origin of the attack, the Generalitat has indicated that initial investigations indicate that it could be an attack contracted through the dark web, although at the moment there is no confirmation of this. Several websites and services dependent on the Generalitat, such as La Meva Salut, were affected, and other services such as Catalan television, TV3 and Catalunya Ràdio also experienced technical problems. Eventually, within a period of no more than three hours, the situation was under control and normality was restored, as the organization itself has already assured.

More: https://govern.cat/salapremsa/notes-premsa/416324/nota

Emotet: new campaigns using Trickbot and Cobalt Strike in their infections

Researchers at CheckPoint have published an analysis of the resurgence of Emotet. According to the researchers, these new campaigns have seen the use of Trickbot as an entry vector, one of the most widely used botnets, which in recent months has infected up to 140,000 victims worldwide, with more than 200 campaigns and thousands of IP addresses on compromised devices. Trickbot, like Emotet, is commonly used to distribute ransomware, such as Ryuk or Conti. CheckPoint analyses these new campaigns where it has been observed that Trickbot is distributing Emotet. They point out that it has improved its capabilities with new tools such as: the use of elliptic curve cryptography instead of RSA, improvements in its control flow flattening methods or adding to the initial infection the use of malicious Windows application installation packages that mimic legitimate software. On the other hand, it is worth noting that Cryptolaemus researchers have reported that in some cases Emotet would be directly installing Cobalt Strike on compromised devices, which would speed up the infection process giving immediate access to lateral movement, data theft or ransomware distribution.

Learn more: https://research.checkpoint.com/2021/when-old-friends-meet-again-why-emotet-chose-trickbot-for-rebirth/

RCE vulnerability in Windows 10 and 11

Security researchers at Positive Security have discovered a remote code execution drive-by vulnerability in Windows 10 and 11. This flaw occurs through Internet Explorer 11/Edge Legacy, the default browser on most Windows devices, and is triggered through an argument injection into the Windows default handler URI ms-officececmd. An attacker could exploit this vulnerability via a malicious website that allows a redirect to a URI created by ms-officecmd. It should be noted that Microsoft Teams must be installed on the system for the exploit to work. Following Positive Security’s report of the flaw in March, Microsoft initially dismissed it and upon appeal by the researchers, classified it as critical. In August, Microsoft partially fixed the bug, still allowing argument injection.

All the info: https://positive.security/blog/ms-officecmd-rce

0-day vulnerability in Apache Log4j

A PoC has been published for a 0-day vulnerability, recently assigned as CVE-2021-44228, for code execution in Apache Log4j, an open-source library developed in Java that allows software developers to save and write log messages that is used in multiple applications by companies around the world. This flaw would allow malicious code to be executed on application servers or clients, one of the most prominent being those running Java versions of the Minecraft video game, manipulating log messages and even messages entered the game’s own chat. According to LunaSec researchers, Java versions higher than 6u211, 7u201, 8u191 and 11.0.1 are not affected by this attack vector. Furthermore, LunaSec indicates that Steam and Apple iCloud cloud services have also been affected. Lastly, it should be noted that the versions of apache log4j affected are 2.0 to 2.14.1, with this security flaw being corrected in version 2.15.0.

All the details: https://www.lunasec.io/docs/blog/log4j-zero-day/

Analysis of Russian state actor Nobelium

Researchers at Mandiant have published an article detailing operations carried out by Nobelium, an actor associated with the Russian Foreign Intelligence Service (SVR). Mandiant reports that the tactics employed by the group to gain initial access to the victim’s infrastructure include: the use of credentials compromised in previous malware campaigns where the CRYPTBOT stealer was used, compromise of cloud service providers (CSPs) and abuse of push notifications (MFA). Once the first access is gained, the actor attempts to gain persistence and escalate privileges by using the RDP protocol, employing WMI and PowerShell to distribute the BEACON backdoor on the victim’s network. This backdoor was later used to install a new tool they have named CEELOADER, a downloader that communicates via HTTP with Nobelium’s C2, and which distributes Cobalt Strike. In addition, Mandiant highlights the use of residential IP proxy services to authenticate themselves in the victim’s systems and the use of compromised WordPress where they host the payloads that will lead to the second stage of the infection chain. Likewise, the French National Cybersecurity Agency (ANSSI) has issued a statement specifying that since last February multiple campaigns against French organizations originating from the Russian actor have been detected.

Más info: https://www.mandiant.com/resources/russian-targeting-gov-business

Leave a Reply

Your email address will not be published.