Supply chain compromise: SolarWinds Orion
FireEye researchers have disclosed a large-scale global intrusion and espionage campaign that abuses the software supply chain to gain access to public- and private-sector organisations. The entry point was malicious code inserted into legitimate updates of SolarWinds Orion, a widely used IT infrastructure monitoring and management platform. Between March and June 2020 the vendor's official download site served several digitally signed Orion versions containing a backdoor that the researchers have named SUNBURST. The operators have treated stealth as a priority throughout, using as few malware artefacts as possible together with hard-to-attribute tooling and careful operational security. Victims include telecommunications, consulting, technology and extractive-industry companies in North America, Europe, Asia and the Middle East, as well as government organisations.

As for the threat actor, Volexity researchers have published details of three separate intrusions at a US think tank between December 2019 and July 2020 which they attribute to the same actor, which they track as Dark Halo (FireEye's designation is UNC2452). The aim of those intrusions was to obtain the email of specific people in the organisation (executives, politicians and IT staff). SolarWinds has released a new update today (2020.2.1 HF 2) that replaces the trojanised component and removes the SUNBURST code from systems on which a malicious version was installed. Meanwhile, to contain the threat, Microsoft reported that Microsoft Defender has begun quarantining the Orion binaries that belong to the malicious versions, which can cause failures on systems that have not yet been updated.
Likewise, Microsoft, together with several cyber security partners, has taken control of the command-and-control (C&C) domain used by SUNBURST, both to prevent additional payloads from being delivered to infected systems and to identify victims. FireEye added yesterday that this action by Microsoft and its partners has activated a "kill switch" in the malware: when the C&C domain and its subdomains resolve to an IP address owned by Microsoft, SUNBURST terminates itself and does not execute further. It is still not known how the threat actor inserted the malicious code into the SolarWinds updates; poorly secured FTP services and an initial compromise of the company's Office 365 email are being considered as possible entry vectors. Researchers at ReversingLabs, after an extensive analysis of Orion binaries, have found that earlier versions of the software had already been modified to lay the groundwork for the later introduction of the malicious code. The attackers went as far as modifying the source code while imitating the developers' coding style and naming conventions, and also compromised the build pipeline and the legitimate code-signing process.
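Because the backdoor reaches its C&C infrastructure through DNS, the cheapest hunt is a search of DNS query logs for that domain. The following Go program is an example added here, not code from FireEye, Microsoft or SolarWinds. The domain name avsvmcloud.com and the <encoded-id>.appsync-api.<region>.avsvmcloud.com beacon shape come from FireEye's published SUNBURST indicators and are not named on this page; the "timestamp client qname" log format and the log lines themselves are constructed for the example. The queries are recorded by the resolver regardless of what the name resolves to, so historical logs identify hosts that ran the backdoor even where the kill switch has since stopped it.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sunburstC2Domain is the SUNBURST command-and-control domain from FireEye's
// published indicators; beacons used subdomains of the form
// <encoded-victim-id>.appsync-api.<region>.avsvmcloud.com.
const sunburstC2Domain = "avsvmcloud.com"

// sunburstRegions are the region-like labels the beacon subdomains used.
var sunburstRegions = map[string]bool{
	"eu-west-1": true, "us-east-1": true, "us-east-2": true, "us-west-2": true,
}

// sampleDNSLog is a constructed log in a hypothetical "timestamp client qname"
// format; the client addresses and encoded labels are made up for the example.
const sampleDNSLog = `2020-12-14T09:15:02Z 10.0.5.17 k3jf0a1bc9d8e7f6g5h4.appsync-api.us-west-2.avsvmcloud.com.
2020-12-14T09:15:03Z 10.0.5.17 www.microsoft.com.
2020-12-14T09:16:11Z 10.0.7.42 z9y8x7w6v5u4t3s2r1q0.appsync-api.eu-west-1.avsvmcloud.com.
2020-12-14T09:17:45Z 10.0.9.8 downloads.solarwinds.com.
2020-12-14T09:18:00Z 10.0.7.42 appsync-api.eu-west-1.avsvmcloud.com.
2020-12-14T09:19:30Z 10.0.9.8 notavsvmcloud.com.`

// Hit is one DNS query that touched the C2 domain.
type Hit struct {
	Time, Client, QName string
	Beacon              bool   // the name has the full beacon shape
	Region, Encoded     string // filled in only when Beacon is true
}

// beaconShape checks for <encoded>.appsync-api.<region>.avsvmcloud.com
// (five labels exactly) and returns the region and encoded label.
func beaconShape(q string) (region, encoded string, ok bool) {
	labels := strings.Split(q, ".")
	if len(labels) != 5 || labels[1] != "appsync-api" || !sunburstRegions[labels[2]] {
		return "", "", false
	}
	return labels[2], labels[0], true
}

// ScanDNSLog flags every query for the C2 domain itself or a subdomain of it.
// The label-boundary check avoids matching unrelated names that merely end in
// the same characters (e.g. notavsvmcloud.com).
func ScanDNSLog(log string) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue
		}
		// Resolver logs usually record the FQDN with a trailing dot.
		q := strings.ToLower(strings.TrimSuffix(f[2], "."))
		if q != sunburstC2Domain && !strings.HasSuffix(q, "."+sunburstC2Domain) {
			continue
		}
		h := Hit{Time: f[0], Client: f[1], QName: f[2]}
		h.Region, h.Encoded, h.Beacon = beaconShape(q)
		hits = append(hits, h)
	}
	return hits
}

// AffectedClients lists the distinct source addresses in first-seen order;
// these are the hosts to isolate and image.
func AffectedClients(hits []Hit) []string {
	seen := map[string]bool{}
	var out []string
	for _, h := range hits {
		if !seen[h.Client] {
			seen[h.Client] = true
			out = append(out, h.Client)
		}
	}
	return out
}

func main() {
	hits := ScanDNSLog(sampleDNSLog)
	for _, h := range hits {
		kind := "contact with C2 domain"
		if h.Beacon {
			kind = "SUNBURST beacon, region " + h.Region + ", id " + h.Encoded
		}
		fmt.Printf("%s %s %s -> %s\n", h.Time, h.Client, h.QName, kind)
	}
	fmt.Println("hosts to isolate:", AffectedClients(hits))
}
```

A bare query for appsync-api.<region>.avsvmcloud.com is reported as contact with the C2 domain but not as a beacon, since it lacks the encoded label; both kinds should be treated as evidence that the trojanised Orion build ran on that host.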
Vulnerabilities in Verifone and Ingenico devices
Security researchers Aleksei Stennikov and Timur Yunusov presented vulnerabilities in Point of Sale (PoS) terminals from two of the industry's leading manufacturers, Verifone and Ingenico, at Black Hat Europe 2020. These are the terminals used in shops to handle the sales process, payment collection and receipt printing, among other things. The flaws affect the Verifone VX520, the Verifone MX series and the Ingenico Telium 2 series. They are stack and buffer overflows that could allow arbitrary code execution, and the researchers also note that both vendors use default passwords for access to the devices. The flaws can be chained in several ways, with both physical access to the terminal and remote input vectors being viable for an attacker whose goal is to exfiltrate card data, clone terminals or plant malware that can then spread across the network the terminal is connected to. Both companies have confirmed that they have issued updates for their terminals; the researchers note that some of the vulnerabilities had existed for at least 10 years.
SAML authentication bypass due to flaws in the Go XML parser
Mattermost security researchers, in collaboration with the Go security team, have disclosed three critical vulnerabilities in the XML parser of the Go programming language's standard library (encoding/xml). The flaws, tracked as CVE-2020-29509, CVE-2020-29510 and CVE-2020-29511, all with a CVSS score of 9.8, stem from the parser returning inconsistent results when XML is decoded and then re-encoded: a document does not "round-trip" to the same content. A threat actor could exploit these issues in Go-based SAML implementations by injecting crafted XML markup into SAML messages in order to impersonate another user, which can lead to privilege escalation and, in some cases, to a complete authentication bypass. So far the Go security team has not addressed these vulnerabilities in the standard library.
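The round-trip problem behind the disclosure can be observed directly with the standard library. The following Go program is an example added here, not code from Mattermost or the Go project: it decodes a document with Decoder.Token, re-serialises the tokens with Encoder, decodes the result again and compares the two token streams. The two input documents are constructed for the example. A document with no namespace prefixes survives the trip; one that declares and uses a prefix does not, because the decoder resolves prefixes to namespace URIs while the encoder re-emits them as new xmlns declarations, so the second parse sees attributes the first never had.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
	"strings"
)

// Constructed inputs (not taken from the advisory). plainDoc uses no namespace
// prefixes; prefixedDoc declares a prefix and uses it on a child element.
const (
	plainDoc    = `<Response ID="_r1"><Assertion><Subject>alice</Subject></Assertion></Response>`
	prefixedDoc = `<root xmlns:x="http://a"><x:y/></root>`
)

// tokenize runs the namespace-aware Decoder.Token loop and keeps owned copies
// of every token, because the decoder reuses its CharData/Comment buffers.
func tokenize(doc string) ([]xml.Token, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var toks []xml.Token
	for {
		t, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(t))
	}
}

// reencode writes the tokens back out with encoding/xml's own Encoder.
func reencode(toks []xml.Token) (string, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, t := range toks {
		if err := enc.EncodeToken(t); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RoundTripStable reports whether parse -> serialise -> parse yields the same
// token stream, and returns the serialised form so a difference can be
// inspected. Every token passed through CopyToken, so attribute slices and
// byte slices are owned and reflect.DeepEqual is a fair comparison.
func RoundTripStable(doc string) (bool, string, error) {
	first, err := tokenize(doc)
	if err != nil {
		return false, "", err
	}
	out, err := reencode(first)
	if err != nil {
		return false, "", err
	}
	second, err := tokenize(out)
	if err != nil {
		return false, out, fmt.Errorf("re-encoded document does not parse: %w", err)
	}
	return reflect.DeepEqual(first, second), out, nil
}

func main() {
	for _, doc := range []string{plainDoc, prefixedDoc} {
		stable, out, err := RoundTripStable(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("stable=%v\n  in:  %s\n  out: %s\n", stable, doc, out)
	}
}
```

The printed re-encoding of the prefixed document shows the rewritten namespace declarations that make the second parse differ from the first. This is why a SAML consumer must never verify a signature over one representation of the message and then read the assertion from another: the gap between two parses is exactly what injected markup exploits. The practical defences are to reject input that does not survive a round trip before the SAML library touches it (Mattermost published a validator library of that kind alongside the disclosure) and to verify the signature and extract the assertion from a single parse of the untouched bytes.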
New cyber espionage campaign by Lazarus Group
Researchers at HvS Consulting have published a detailed investigation into a recent cyber espionage operation attributed to Lazarus Group and aimed at several European organisations in the electricity and manufacturing sectors. The intrusions were first noticed in March and April 2020 and continued without interruption until November. Social engineering has been the preferred entry point: targets receive fake job offers carrying malicious macros, delivered by email, through contacts on social networks such as LinkedIn, or via messaging apps like WhatsApp. The end goal is to spread across the whole network and remain undetected in order to exfiltrate confidential information. It is worth highlighting that Lazarus has advanced traffic-tunnelling capabilities, a flexible infrastructure that lets it change its C&C servers frequently, and tooling that runs entirely in memory, which helps it evade detection.
Telephone extortion as DoppelPaymer operators’ new tactic
The US Federal Bureau of Investigation (FBI) has issued an alert about a new extortion tactic used by the operators of the DoppelPaymer ransomware. This group already practised the now well-known double extortion, publishing data exfiltrated from victims who refuse to pay. According to the FBI's investigations, the operators now also telephone victim companies in order to intimidate and coerce them and their employees into paying the ransom for the encrypted and stolen data; the FBI has seen DoppelPaymer's operators use this tactic since February 2020. Likewise, ZDNet reported at the beginning of this month that other ransomware operators, such as Sekhmet, Maze, Conti and Ryuk, have adopted the same extortion tactic against their victims. The FBI also recommends not paying the ransom and reporting these incidents to the authorities.
0-day vulnerability in HPE server management software
Hewlett Packard Enterprise has disclosed a zero-day vulnerability in its Systems Insight Manager (SIM) software that affects both the Windows and Linux versions. The flaw, tracked as CVE-2020-7200, could allow an unprivileged remote attacker to execute code on vulnerable servers because of inadequate validation of user-supplied data. HPE has not yet released a security update that fixes the flaw, but it has provided an interim mitigation for the Windows version, which consists of disabling the "Federated Search" and "Federated CMS Configuration" features. The company has not said whether the vulnerability is being actively exploited, but states that the full fix will be released in a future version of the software.