Microsoft fixes two 0-day and 63 other vulnerabilities in Patch Tuesday

Microsoft has fixed 63 vulnerabilities in its September Patch Tuesday, including two 0-days, one of them actively exploited, and another five critical flaws that would allow remote code execution.

The actively exploited 0-day, identified as CVE-2022-37969 and CVSS 7.8, was discovered by researchers from DBAPPSecurity, Mandiant, CrowdStrike and Zscaler and affects the Common Log File System (CLFS), allowing an attacker to gain system privileges.

On the other hand, the second 0-day that has not been exploited is listed as CVE-2022-23960 and with CVSS 5.6, and it refers to a cache speculation restriction vulnerability.

Microsoft Dynamics CRM (CVE-2022-35805 and CVE-2022-34700), 2 others in IKE (CVE-2022-34722 and CVE-2022-34721) and, finally, a flaw in Windows TCP/IP (CVE-2022-34718), all of which would allow remote code execution.

More info →

* * *

Analysis of the OriginLogger keylogger

Researcher Jeff White from Unit 42 in Palo Alto has published the results of his recent analysis on the OriginLogger keylogger, which is considered to be the heir to Agent Tesla.

It is used to steal credentials, screenshots and all kinds of device information and is for sale on sites that specialise in spreading malware.

Its infection chain is initiated through different types of droppers, but usually a Microsoft Office document with malicious macros, which redirect to a page from which a file with an obfuscated script is downloaded, used at the same time for downloading a payload that will be used to create persistence and schedule different tasks.

The payload will also contain PowerShell code and two encrypted binaries, one of which is a loader and the other the actual OriginLogger payload.

Another feature that makes OriginLogger a separate version of Agent Tesla is the variety of data exfiltration methods, using SMTP and FTP protocols and servers, web pages with their own panels or Telegram channels and bots.

More info →

* * *

Lampion malware distributed in new phishing campaign

Cofense researchers have analysed a phishing campaign distributed by email, in which the attachment contains a script that downloads and executes the Lampion malware.

This malware, discovered in 2019, corresponds to a banking trojan that seeks to steal information from the infected device. It connects to its command-and-control (C2) server and is able to superimpose a page on top of banking login forms to get the user’s information.

As for the campaign, it is distributed by sending via stolen corporate accounts various fraudulent emails, which attach malicious payment proofs hosted on WeTransfer and urge them to be downloaded.

Once the recipient of the fraudulent email downloads the malicious document and opens it, several VBS scripts are executed and the attack chain begins. It is worth noting that Lampion focuses mainly on Spanish-speaking targets, abusing cloud services to host the malware, including Google Drive and pCloud.

More info →

* * *

SAP Security Bulletins

SAP has issued 16 security advisories on its September Security Patch Day, fixing 55 Chromium and other high-priority vulnerabilities.

First, SAP is issuing security updates for the Google Chromium browser that affect several versions of SAP Business Client. On the other hand, among the high priority vulnerabilities fixed is an XSS vulnerability affecting SAP Knowledge Warehouse, identified as CVE-2021-42063 and with CVSS 8.8.

Also among the most critical is CVE-2022-35292, with CVSS of 7.8, which affects the service path in SAP Business One and would allow privilege escalation to SYSTEM.

The second priority note corresponds to the SAP BusinessObjects service, affected with two vulnerabilities, one of them, with CVE-2022-39014 and CVSS 7.7, would make it possible for an attacker to gain access to unencrypted confidential information; while the other vulnerability, designated with CVE-2022-28214 and CVSS 7.8, corrects for the possibility of information disclosure in the service.

A related vulnerability update, CVE-2022-35291 and CVSS 8.1, affecting SuccessFactors is published, which resumes the functionality of file attachments.

More info →

* * *

Webworm activity analysis

Symantec’s threat research team published a post yesterday detailing the activities of a group called Webworm, which reportedly has the same TTPs and devices in use as the threat actor known as Space Pirates, leading researchers to believe they could be the same group.

According to the investigation, the group has been active since 2017 and has been engaged in attacks and espionage campaigns against government agencies and companies in the IT, aerospace and energy sectors, especially in Asian countries.

Among its usual resources are modified versions of the Trochilus, Gh0st RAT and 9002 RAT remote access trojans, used as a backdoor and spread via loaders hidden in fake documents. It is worth noting that the RATs used by Webworm remain difficult to detect by security tools, as their evasion, obfuscation and anti-analysis tricks are still remarkable.

More info →

Fear, panic and uncertainty are some of the feelings constantly experienced in corporate leadership. In management committees, the big question is frequently asked: is our cyber security working?

As well as, What are the new behavioural patterns of adversaries? How do we understand cyberspace in order to define the design, construction and implementation of a cyber security strategy? How do we perceive the cyber threat landscape? Or are we considering retrospective, prospective and panoramic aspects to define a cross-cutting and comprehensive cyber security strategy?

The National Institute of Standards and Technology (NIST) defines resilience as “the ability of an organisation to transcend (anticipate, resist, recover from, and adapt to) any stress, failure, hazard, and threat to its cyber resources” within the organisation and its ecosystem, so that the organisation can confidently pursue its mission, enable its culture, and maintain its desired way of operating.

Comprehensively understanding the impact of cyber risks on an organisation is a complex but critical factor in strengthening cyber resilience. Therefore, frameworks and tools are needed to equip human talent to understand and communicate the prevailing cyber risks and their impact.

Cyber resilience must be seen as a strategic imperative.

Cyber resilience and its benefits must be clear to corporate leadership. Therefore, it is important to translate the impact of the state of cyber resilience into operations, strategy and business continuity. It is a commitment to position cyber resilience as a strategic imperative.

However, current figures and developments indicate that much work is needed to close the cyber resilience capability and performance gap between industry ecosystems and within organisations.

Where is your company on the cybersecurity journey?

The World Economic Forum’s (WEF) Global Cybersecurity Outlook 2022 ound that only 19% of respondents feel confident that their organisations are cyber resilient, indicating that a large majority know that their organisations lack the cyber resilience they need to be commensurate with the risks they are exposed to.

In addition, the report found that 58% of respondents believe their partners and suppliers are less resilient than their own organisation, and 88% are concerned about the cyber resilience of the small and medium-sized businesses that are part of their ecosystem.

In another Accenture report, 81% of respondents said that “staying ahead of attackers is a constant battle and the cost is unsustainable”, compared to 69% in 2020.

No matter the size, sector or risk profile of your organisation, all of them are exposed to increasingly sophisticated cyber-attacks.

This indicates that as organisations, ecosystems, supply chains and supplier relationships become more interconnected and interdependent – and the pace of change and transformation processes accelerates – not only is resilience lagging, but a cohesive approach to how resilience is designed. It is increasingly clear that, despite this interconnectedness, there is no alignment to jointly overcome disruptive cyber events.

Is your organisation prepared for what is to come, and can you measure your organisation’s capability in the face of various attacks, threats or incidents? It should be emphasised that no matter the size, economic sector, risk profile of your organisation, all organisations are exposed to increasingly sophisticated, evolving and innovative cyber attacks.

There is a reality that many organisations are ill-equipped to demonstrate their capabilities to withstand sophisticated cyber-attack behaviour. What do we need? Where are we joining forces to move forward? Do we have the operational, technical and strategic capabilities? How can we draw a roadmap? What are we doing and how can we improve?

Many organisations are poorly prepared to withstand sophisticated cyber-attacks.

Cyber resilience is not about creating a contingency plan and continuity of operations, it is something that goes beyond ensuring availability and focuses on resilience in the aftermath of a technology infrastructure.

How prepared is our organisation and strengthening its capabilities to identify, detect, prevent, cancel, recover, cooperate and continuously improve against cyber threats?

According to The Cyber Resilience Index: Advancing Organizational Cyber Resilience 2022 report (WEF) found that the top four reasons why cyber resilience is limited in today’s ecosystems are that many organisations:

1. They have a narrow perspective on cyber resilience, focusing primarily on security response and recovery.
2. They lack a common understanding of what a comprehensive cyber resilience capability should include
3. They find it difficult to accurately measure the organisation’s cyber resilience performance or communicate its true value to senior management
4. They struggle to be transparent within their organisation and with ecosystem partners about the shortcomings of their cyber resilience posture and their experiences with disruptive events.

The impact of cybersecurity attacks on SMEs and corporates

Characteristics of a cyber-resilient organisation

The approach to cyber resilience must also be free of the fear-driven constraints caused by mere preservation of the status quo that are so often followed by attempts to return to a demonstrably fragile state when disruption predictably occurs.

The reward of making cyber resilience part of the ethos is a greater opportunity to take healthy risks, innovate and responsibly capture the value of tomorrow’s digital economy.

Some resilience techniques that you can implement to mature your security programmes and improve your ability to provide services to customers during a cyber incident:

• Adaptive response: Optimise the ability to respond in a timely and appropriate manner to adverse conditions.
• Analytical monitoring: Maximise the ability to detect potential adverse conditions and reveal the extent of adverse conditions.
• Coordinated protection: Requires an adversary to overcome multiple safeguards.
• Deception: Deceive or confuse the adversary or conceal critical adversary assets.
• Diversity: Limit the loss of critical functions due to the failure of common replicated components.
• Dynamic positioning: Impeding an adversary’s ability to locate, eliminate, or corrupt mission or business assets.
• Dynamic representation: Support situational awareness, reveal patterns or trends in adversary behaviour.
• Non-persistence: Provide a means to reduce an adversary’s intrusion.
• Privilege restriction: Restrict privileges based on user attributes and system elements.
• Reordering: Reducing the attack surface of the defending organisation.
• Redundancy: Reducing the consequences of loss of information or services.
• Segmentation: Limit the set of potential targets to which malware can easily be spread.
• Integrity checked: Detect attempts by an adversary to deliver compromised data, software or hardware, as well as successful modifications or fabrication.
• Zero trust: Implies questioning the organisation’s security practices and policies right to ask for and expect clear answers.
• Unpredictability: Increasing an adversary’s uncertainty regarding the system protections they may encounter.

Cyber resilience must be part not only of the technical systems, but also of the teams, the organisational culture and the way we work on a daily basis.

It is imperative for the success of a cyber resilient organisation to design, build and manage cyber resilience and then get the fundamentals right. Cyber resilience must be part not only of the technical systems, but also of the teams, the organisational culture and the day-to-day way of working.

Cyber resilience must be a pervasive mindset underpinned by a holistic approach within organisations and across their ecosystems. For decades, cyber resilience management has been underrepresented and confused with other principles in cyber security programmes.

Today, more than ever, there are many positives. We have come a long way in a short time. But the key is not to become complacent and complacent, to reaffirm our commitment to improvement and to recognise that the attacker will come back with new capabilities and skills.

What is a botnet and how does it work?

To begin with, let’s dissociate the word botnet. On the one hand, “bot” means robot and, on the other hand, “net” means network. This gives the phrase a meaning, something like “a network of robots”.

A bot, or robot, would be a system infected by malicious software whose target is defined in the malware code. Therefore, a botnet would be a net of systems infected by the same malicious software.

A botnet is a group of systems infected by malicious software (malware) and managed by the same BotMaster.

This network is called a Botnet, what is not implicit in the name is the fact that they are controlled remotely through a common Command and Control (hereafter C&C) server from which the operator of the network, also known as BotMaster, will send instructions to perform malicious actions.

In botnets, the famous parental phrase “if a friend of yours goes off a cliff, will you do it too? Well, yes sir, everyone will do the same as they are controlled by a specific threat actor.

Botnets also on mobile devices

It is not only computers that are affected, mobile devices are also targeted by BotMasters. For example, on a well-known Dark Web forum, a botnet is offered for the Android operating system, which is one of the most widely used operating systems worldwide.:

The full functionality and capabilities are included in the post itself:

In this case it is the Anubis botnet, whose main objective is to collect bank account information. But it can also be used to send SMS messages to the device’s contacts.

How many times have we seen online scams in which we have received a message from a known person asking for data, money or simply sending a link? Obviously, coming from a known person does not usually seem suspicious. However, nothing could be further from the truth.

Additionally, and as a curious fact, botnet names are often associated with the malware that links them. Due to the large amount of malware currently in existence, it is practically impossible to list them all. Among the best known, although not always the most widely used, are Emotet, Mirai, Pink, Arkei, Redline and Racoon.

How Lokibot, the malware used by Machete to steal information and login credentials, works

Uses and purposes of botnets

There are an infinite number of uses for a botnet, it all depends on the imagination of each threat actor, which, it has been demonstrated, is also quite broad.

One of the most common uses of botnets, for example, are the famous distributed denial of service or DDoS attacks, which are orchestrated, in most cases, by networks of infected systems.

Distributed Denial of Service (DDoS) attacks are often launched using botnets.

However, not only can an infected computer be used to attack exposed services, but also to collect the affected user’s credentials, mine cryptocurrencies, carry out phishing attacks, and even download other malware.

What’s more, from the DFIR team’s perspective, many ransomware attacks start with the insertion of botnet malware. These malwares are tasked with downloading more malware to move laterally in the network, downloading updates to the malware itself, or even directly downloading the payload of the ransomware itself.

How do I know if my computer is part of a botnet?

That said, the question often arises “how do I know if my computer is part of a botnet?” It is best to have an EDR, a firewall with defined rules or a powerful signature-based detection software, otherwise it can go completely unnoticed by a user.

In general, infected people will not be handpicked, i.e., they are not targeted attacks, but, on the contrary, mass campaigns that make anyone susceptible to be infected.

Everyone is susceptible to being targeted by a botnet just because they have a computer or a mobile phone.

Many people think that they are “nobody” or not “interesting” enough for a botnet operator to be particularly interested in attacking them. Nothing could be further from the truth.

Who doesn’t access their bank account from their computer, who doesn’t access online shopping platforms, who doesn’t access their company’s internal network via a VPN, any information of this kind is still very valuable, or even if you are a low-ranking worker in a company, you still have access to that private network that is so attractive to cybercriminals!

Differences between encryption, hashing, encoding and obfuscation

How to identify botnet operators

Likewise, the question arises “is it easy to identify the threat actors operating botnets”? It is not easy. In fact, investigation is complicated by the fact that threat actors, apart from being groups of several people, often operate through the Tor network.

In addition, the operators use domain generation algorithms (DGA) to generate a large number of domain names. In this way, they manage to evade possible detection by the C&C server, as only some of these domains will resolve to a real C&C server.

For example, if a specific IP address or domain is denied access by a firewall rule, the BotMaster will have so many domains that it can dynamically change the domain name of its C&C.

In this way, it maintains contact with the bot as it will continuously generate the same list of domains per DGA. Another evasion method used is to make use of a Fast Flux network in which, basically, many different IP addresses would be assigned to the same domain name.

These IP addresses will be changeable and, assuming that many different domain names will be used, the possible IP addresses connecting to the C&C would increase exponentially. For these reasons, dismantling a botnet organisation takes years of investigation, dedication and, in some cases, cooperation between law enforcement agencies in several countries.

Attacking login credentials

Dark Web sales of malware and botnets

Of course, as with anything, there is also malware available for sale on the Dark Web, as discussed in the post on these types of markets.

Threat actors also have the possibility to add systems to their botnets by selling or renting specific malware on Dark and Deep Web forums and markets. For example, below, we can see a sale of Redline for life (and at a discount of 300 euros!).

In this other recent post from a well-known Dark Web marketplace, the Arkei malware is offered for sale for $210:

Not only paid malware is found, but, ironically, there are also free “pirated” versions of malware, as we can see below with the Arkei malware.

Although the post was opened in 2018, it can be seen that the thread has been quite active throughout the years up to 2022, apparently accumulating a lot of downloads.

As another curious fact, and following the saying “if you want something well done, do it yourself”, tutorials are offered for sale, and sometimes for free, to learn how to set up your own botnet.

Dark Web sales of credentials and session cookies

One of the capabilities of malware infecting systems is the theft of login credentials or the theft of session cookies from web services.

It is a common occurrence to see credentials being sold on major Deep and Dark Web markets. It is as common as it is worrying as it not only affects access credentials to personal services (Amazon, online banking, supermarkets, streaming platforms, etc.), but also affects access to professional services such as access to work tools, access to VPN networks, access to professional mail, etc.

The sale of credentials on Deep and Dark Web markets is as common as it is disturbing

What started out as the compromise of a single computer, ends up being the compromise of an entire corporate network and can lead to a serious security incident, as discussed above.

In order to provide real data and obtaining data for all countries in the world and from the sales of the main Dark Web markets, it was found that, in the last month alone, at least 311 credentials for access to Citrix services, 2000 accesses to the intranet of different companies, 105 VPN accesses, among many others, have been offered for sale. At the enterprise level, it is, to say the least, worrying. 

Conclusion

As we have seen, anyone can be a target of a botnet and the consequences can be dire.

The human factor is one of the main players in botnet infection so, at this point, there is nothing more we can do than recommend being very careful about where we click or where we download software from – beware of freeware or off-platform downloads!

This way, we will already be much less likely to end up “turned” into a bot.

0-day vulnerability in Google Chrome

Google released on Friday an emergency patch for the Chrome browser on Windows, Mac and Linux, fixing a 0-day vulnerability, which is being actively exploited.

The security flaw, identified as CVE-2022-3075, relates to insufficient data validation by the Mojo library collection, which is responsible for providing independent mechanisms for communication between processes with different programming languages.

A malicious actor could bypass the security restrictions when the victim accessed a specially crafted web page. Google reported that an anonymous researcher reported the vulnerability on August 30 and that exploits are available to exploit it.

Users of Chromium-based browsers, such as Microsoft Edge, Brave and Opera, would be affected by this vulnerability, so it is recommended to upgrade to Google Chrome version 105.0.5195.102, which addresses the 0-day.

More info →

*  *  *

New breach affects the giant Samsung

The multinational company Samsung acknowledged on September the 2nd that it had been the target of a security breach.

According to the statement issued, at the end of July, an unauthorised third party gained access to information on some Samsung systems in the United States, exposing the personal information of several customers.

The information accessed included name, demographic and contact information, date of birth, and product registration information, but did not include social security numbers or credit card information.

This incident is the second in less than six months to be reported, as in March there were reports that internal data from the source code of its smartphones was leaked.

The company has indicated that it has taken security measures to ensure that such incidents do not happen again.

More info →

*  *  *

QNAP patches 0-day used in new Deadbolt ransomware attacks

QNAP has issued a security advisory urging NAS users to upgrade to the latest version of Photo Station. The advisory follows the detection of an ongoing DeadBolt ransomware attacks that began on Saturday that exploits a 0-day vulnerability in Photo Station.

QNAP, which has already released security updates for Photo Station, urges its customers to update the software to the latest available version and suggests that users replace Photo Station with QuMagie, a safer photo storage management tool for QNAP NAS devices.

The details of this flaw are still unclear at this time, but the company strongly recommends, in order to reduce the possibility of being attacked, not to connect QNAP NAS directly to the Internet and to make use of the myQNAPcloud Link feature provided by QNAP, or enable the VPN service.

They also recommend using strong passwords for user accounts and take regular backups to prevent data loss. This would be the fourth round of DeadBolt attacks targeting QNAP devices since January 2022, which was followed by similar incursions in May and June.

More info →

*  *  *

HP fixes a serious vulnerability in HP Support Assistant

HP has issued a security advisory warning users about a recently discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP computers, which is used for troubleshooting or performing hardware diagnostic tests, among others.

The flaw, identified as CVE-2022-38395 and with CVSS of 8.2, allows attackers to elevate their privileges on vulnerable systems. Although the manufacturer has not provided many details about the vulnerability, the advisory mentions that it is a DLL hijacking flaw when users try to launch HP Performance Tune-up from HP Support Assistant.

In this type of flaw, the code that is executed when loading the library obtains the privileges of the executable, in this case SYSTEM permissions. Due to the large number of devices with HP Support Assistant installed and the low complexity of the exploit, it is recommended that all HP users update Support Assistant as soon as possible.

More info →

*  *  *

The North Face and Vans announce credential stuffing attack

VF Corporation has released a statement to its customers in which they report that they have suffered a data breach on The North Face and Vans retail brands.

The threat actors used credential stuffing techniques to breach 162,823 customer accounts on thenorthface.com and 32,082 customer accounts on vans.com. A credential stuffing attack involves attempting to access accounts with compromised credentials from other leaks, a strategy that is based on the assumption that the users are probably reusing passwords across multiple platforms.

The attack on The North Face began on July 26th, was detected on August 11th and disrupted on August 19th. On the other hand, the intrusion at Vans was detected on the 20th of August and was active for only one day.

Among the data that could have been exfiltrated were names, addresses, e-mail addresses, purchase history and customer telephone numbers, among others.

In their statement, the company said that credit card data is stored in third-party payment systems, so it could not have been affected by the attack. Finally, the company has confirmed that all the credentials of the affected accounts have been reset.

More info →