Critical vulnerability in Hewlett Packard Enterprise SSMC
Hewlett Packard Enterprise has fixed a critical authentication bypass vulnerability (CVE-2020-7197, CVSS 10) affecting its StoreServ Management Console (SSMC) storage management software. HPE SSMC is present in the HPE Primera and HPE 3PAR StoreServ storage platforms. The company has rated the flaw as critical because it is easily exploitable, requires no user interaction and can be exploited by an unprivileged attacker. In addition, HPE has corrected 64 vulnerabilities affecting HPE Intelligent Management Center (iMC). HPE strongly recommends updating SSMC to version 22.214.171.124 or higher.
KashmirBlack Botnet attacks content management systems
Imperva security researchers, after analysing the KashmirBlack botnet, have discovered that it is infecting thousands of websites by attacking their content management systems (CMS). KashmirBlack controls hundreds of bots, each of which communicates with the C&C server to receive new targets, perform brute-force attacks, install backdoors and expand the size of the network. According to the researchers, the main objective of this botnet is to infect websites and then use their servers to mine cryptocurrencies or redirect legitimate traffic to spam sites, among other purposes. To spread, KashmirBlack looks for websites running vulnerable versions of CMSs such as WordPress, Magento or Joomla and uses known exploits against those bugs.
TrickBot extends its activity to Linux devices
On October 12th, Microsoft reported that a group of technology companies had taken part in a joint action to take down the TrickBot botnet. Days later, the Redmond company reported that 94% of the infrastructure had been eliminated, but warned that the threat actors behind the botnet would reactivate its operations. Since then, the Netscout research team has shared new findings explaining how TrickBot's authors have ported parts of their code to Linux in order to widen the range of potential victims. To do so, they are using a TrickBot backdoor called Anchor, discovered in late 2019 by Cybereason researchers, which is now being used on Linux devices to communicate with the Command & Control (C2) infrastructure. Anchor stands out for using the DNS protocol to communicate stealthily with C2 servers: each exchange with the C2 follows a sequence of three different DNS queries, the last of which delivers the command instructing the bot to execute a payload. According to the researchers, these characteristics show considerable sophistication in Anchor's C2 communication, and the payloads the bot can execute reflect a constant capacity for innovation, as evidenced by the move to Linux.
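A defender-side illustration of the DNS-based C2 pattern described above: the script below (added here, not from Netscout's or any other report) scans DNS query logs for a client that sends three or more encoded-looking hostnames to the same apex domain within a short window. The log format, the placeholder domain and the encoding heuristic are assumptions for the example, not Anchor's real indicators.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS query log, one record per line: "epoch client qname qtype".
# Lines 2-4 mimic the three-query exchange to one C2 apex domain; the rest are benign noise.
SAMPLE_LOG = """\
1603700000 10.0.0.5 www.example.com A
1603700001 10.0.0.5 0a1f3c9e7b2d4f6a8c0e1b3d5f7a9c2e.c2-placeholder.test A
1603700002 10.0.0.5 9c2e1b3d5f7a0a1f3c9e7b2d4f6a8c0e.c2-placeholder.test A
1603700003 10.0.0.5 4f6a8c0e1b3d5f7a9c2e0a1f3c9e7b2d.c2-placeholder.test TXT
1603700004 10.0.0.7 mail.example.com MX
1603700005 10.0.0.7 cdn.static.example.net A
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{24,}$")


def shannon_entropy(s):
    """Bits per character of a non-empty string (high values suggest encoded data)."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def apex(qname):
    """Rough registrable-domain cut: the last two labels (assumption; no public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def looks_encoded(label):
    """Heuristic: long label that is pure hex or has high entropy."""
    return len(label) >= 24 and (bool(HEX_LABEL.match(label)) or shannon_entropy(label) > 3.5)


def find_dns_tunnel_bursts(log_text, min_queries=3, window_s=30):
    """Return alerts for (client, apex) pairs with >= min_queries encoded lookups
    inside window_s seconds, the shape of the multi-query C2 exchange."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, qname, _qtype = line.split()
        if looks_encoded(qname.split(".")[0]):
            buckets[(client, apex(qname))].append(int(ts))
    alerts = []
    for (client, domain), times in buckets.items():
        times.sort()
        for i in range(len(times) - min_queries + 1):
            if times[i + min_queries - 1] - times[i] <= window_s:
                alerts.append({"client": client, "domain": domain, "count": len(times)})
                break
    return alerts
```

Run against real resolver or passive-DNS logs, the same grouping by client and apex domain is the usual starting point before tuning the length and entropy thresholds to local traffic.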
Attempts to exploit a recent critical bug in Oracle WebLogic
On October 20th, Oracle published its security bulletin correcting a critical bug in Oracle WebLogic Server, CVE-2020-14882 (CVSS 9.8), that allows remote code execution without authentication. Shortly after exploit code for this vulnerability was made public, the SANS Institute detected attacks against its honeypots attempting to exploit this bug. In these attempts, the threat actors only checked whether the system was vulnerable. Applying the corresponding patches is therefore strongly recommended; the vulnerability affects the following versions of Oracle WebLogic Server: 10.3.6.0.0, 126.96.36.199.0, 188.8.131.52.0, 184.108.40.206.0 and 220.127.116.11. The attacks came from four IP addresses, 114.243.211[.]18 (China Unicom), 139.162.33[.]228 (Linode, USA), 185.225.19[.]240 (MivoCloud, Moldova) and 84.17.37[.]239 (DataCamp Ltd, Hong Kong), and according to SANS the exploit used was based on the technical details of a Vietnamese blog post published on Wednesday by security researcher @testanull.
Malware campaigns lead to ransomware infection
FireEye security researchers have published a report compiling new campaigns by malware families that always act as droppers, ending in a ransomware infection. One notable characteristic is their speed: the threat actors carry out the attack within the first 24 hours of the initial compromise. It should also be noted that the different malware families used, such as Kegtap/Beerbot, Singlemalt/Stillbot and Winekey/Corkbot, share the same Command & Control infrastructure. The operators of these campaigns have so far targeted individuals at organisations across different sectors and geographical locations. The entry vector is malicious emails that imitate generic corporate communications and link to documents hosted on Google Docs, which in turn contain a URL from which the malware is downloaded. Once the malware is executed on the initial victim's host, the attackers use payloads such as Powertrick and/or Cobalt Strike to carry out network and host reconnaissance. In this way they learn the affected organisation's internal layout, which facilitates lateral movement, privilege escalation and, in some cases, the download and execution of ransomware such as Ryuk.