
Threat Update: Microsoft Exchange Servers, Citrix, FIN8, Sophos and WooCommerce

Microsoft Exchange Servers Compromised by Turla APT

Background:

Active for over ten years, Turla (Secret Blizzard) is a cyberespionage threat group attributed to Russia’s Federal Security Service (FSB). In June 2023, Microsoft and CERT-Ukraine detected a new Turla campaign targeting defense sector organizations in Ukraine and Eastern Europe with malicious phishing attachments. Once inside, the attackers used the open-source Rclone tool for exfiltration, the previously described DeliveryCheck (CapiBar, GameDay) backdoor, and a new fully functional backdoor/infostealer dubbed Kazuar. Turla also used a new technique that abuses a PowerShell administration-automation feature called Desired State Configuration (DSC): it generates a managed object format (MOF) file containing a PowerShell script that loads an embedded .NET payload into memory. This payload acts as the server-side component of the DeliveryCheck C2.

Takeaway:

Many advanced attacks start with basic techniques such as an unsolicited email with a malicious attachment that requires the user to open it and enable macros. It is important to teach your users basic online hygiene and phishing awareness.

Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

Background:

CVE-2023-3519 is a remote code execution vulnerability affecting NetScaler (formerly Citrix) Application Delivery Controller (ADC) and NetScaler Gateway. A patch for this vulnerability was issued on July 18, 2023, but it had been exploited as a zero-day since at least June 2023. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding one case of exploitation of CVE-2023-3519 targeting a critical infrastructure organization’s non-production environment. During the initial exploitation, a TGZ archive was uploaded to the NetScaler ADC appliance. It delivered a generic webshell, a discovery script, and a setuid binary that were used to conduct SMB scanning, collect NetScaler decryption keys, and enumerate and exfiltrate Active Directory data by uploading it as an image file. The actor proceeded with post-exploitation lateral movement attempts and implanted an additional PHP webshell with proxying capability.

Takeaway:

Network-segmentation controls can effectively block lateral movement attempts by threat actors, as happened during this incident. Regular review of network, firewall, and DNS logs can help detect unusual activities that may indicate a cyber attack. NetScaler ADC and NetScaler Gateway users should apply the patch released by Citrix: relevant updated versions are NetScaler ADC and NetScaler Gateway 13.1-49.13, NetScaler ADC and NetScaler Gateway 13.0-91.13, NetScaler ADC 13.1-FIPS 13.1-37.159, NetScaler ADC 12.1-FIPS 12.1-55.297, NetScaler ADC 12.1-NDcPP 12.1-55.297, and later releases.
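The log-review advice above can be turned into a concrete check. The following is an added example (not code from the original post or from CISA/Citrix): it scans firewall log lines for a single source, such as a DMZ appliance, fanning out to many distinct internal hosts on TCP/445, which is what SMB scanning from a compromised ADC looks like from the network's point of view. The key=value log format and the sample lines are constructed; adapt `parse_line` to your firewall's export.

```python
"""Flag SMB scanning from one source in firewall logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.10.0.5 (a DMZ appliance) probes six internal hosts on
# 445 within a few seconds, while 10.20.0.50/.51 are normal file-share clients.
SAMPLE_LOG = """\
2023-07-20T10:00:01Z src=10.10.0.5 dst=10.20.0.11 dport=445 action=allow
2023-07-20T10:00:02Z src=10.10.0.5 dst=10.20.0.12 dport=445 action=allow
2023-07-20T10:00:02Z src=10.10.0.5 dst=10.20.0.13 dport=445 action=deny
2023-07-20T10:00:03Z src=10.10.0.5 dst=10.20.0.14 dport=445 action=deny
2023-07-20T10:00:03Z src=10.10.0.5 dst=10.20.0.15 dport=445 action=deny
2023-07-20T10:00:04Z src=10.10.0.5 dst=10.20.0.16 dport=445 action=deny
2023-07-20T10:00:09Z src=10.20.0.50 dst=10.20.0.11 dport=445 action=allow
2023-07-20T10:00:10Z src=10.20.0.51 dst=10.20.0.11 dport=445 action=allow
2023-07-20T10:05:00Z src=10.10.0.5 dst=10.20.0.17 dport=443 action=allow
"""


def parse_line(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def find_smb_scanners(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: set_of_dsts} for sources that contacted at least
    `threshold` distinct hosts on TCP/445 within `window`.

    Denied connections are counted too: a scan that hits closed or
    firewalled ports is still a scan, and the denies are the evidence.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] == 445:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # time order, so each window scan is a forward slice
        for i, (start, _) in enumerate(evs):
            dsts = {dst for ts, dst in evs[i:] if ts - start <= window}
            if len(dsts) >= threshold:
                flagged[src] = dsts
                break
    return flagged


if __name__ == "__main__":
    for src, dsts in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src} contacted {len(dsts)} hosts on 445: {sorted(dsts)}")
```

Tune `threshold` and `window` to the environment: an appliance that should never speak SMB to the internal network warrants a threshold of one, and a segmentation rule that denies it outright.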

FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware

Background:

FIN8 (Syssphinx), a financially motivated threat group, has been observed in point-of-sale attacks since at least January 2016, and in ransomware attacks since at least June 2021. From 2019 to January 2021 the group was using and updating its Badhatch backdoor. In August 2021, Bitdefender researchers detected FIN8 switching to a new C++ backdoor dubbed Sardonic. Symantec researchers observed a rewritten version of Sardonic in a December 2022 ransomware attack: the backdoor was ported to the C programming language and received some random changes to lower its detection rate. From June 2021 to December 2022, FIN8 has been observed using various ransomware strains, moving from Ragnar Locker provided by Viking Spider, to custom White Rabbit ransomware, and back to third-party BlackCat (ALPHV, Noberus) ransomware provided by FIN7 (Carbon Spider).

Takeaway:

Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allow recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data.

Sophos Discovers Ransomware Abusing “Sophos” Name

Background:

Despite the modern trend for ransomware crypters to be single-purpose malware, the newly discovered Sophos Ransomware (SophosEncrypt) does more than just encrypt files. It also has general-purpose remote access trojan (RAT) capabilities, including connecting over the internet to a command-and-control (C2) server, hooking the keyboard driver for keystroke logging, and profiling the system using WMI commands. The ransomware checks the language settings on the system and refuses to run if it is set to use the Russian language. For the target to communicate with the attacker, Sophos Ransomware also uses somewhat old-fashioned methods: email, and the Jabber instant-messenger platform.

Takeaway:

Despite its outdated features, Sophos Ransomware is fully functional and can encrypt a machine even if disconnected from its C2. Its initial delivery method is not known, but users are advised to take phishing and social-engineering awareness training. Have proper backup and restore processes in place that allow recovery without any need to decrypt the affected data.

Massive Targeted Exploit Campaign Against WooCommerce Payments Underway

Background:

Publicly disclosed on March 23, 2023, CVE-2023-28121 is a critical (CVSS 3.1 score 9.8) authentication-bypass and privilege-escalation vulnerability in the popular WooCommerce Payments plugin. Wordfence researchers detected a large-scale exploit campaign targeting CVE-2023-28121 that began on July 14, 2023, and peaked at 1.3 million attacks against 157,000 sites on July 16, 2023. One to two days prior to being attacked, these sites were targeted for reconnaissance with requests looking for readme.txt files that indicate WooCommerce Payments is installed. After exploiting versions 4.8.0 – 5.6.1 of the WooCommerce Payments plugin, the attackers installed the WP Console plugin to execute code on the site, deployed a malicious file uploader, and were able to create malicious administrator users with randomized alphanumeric usernames.

Takeaway:

If your site had a vulnerable version of the WooCommerce Payments plugin in July 2023, it is recommended to check for any unauthorized plugins or administrator users. Regularly update your website components with the latest security patches.
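Two of the checks recommended above, the readme.txt reconnaissance in the access log and the audit of administrator accounts, as an added example that is not code from the original post or from Wordfence. The plugin path (`/wp-content/plugins/woocommerce-payments/readme.txt`), the Apache combined log format, the review window defaults, and the user records are assumptions or constructed samples; feed it exports from your own web server and `wp_users` table.

```python
"""Post-incident checks for a site that ran WooCommerce Payments (added example)."""
import re
from datetime import datetime

# Assumed plugin slug: the readme.txt under it reveals that the plugin is installed.
RECON_PATH = re.compile(r"/wp-content/plugins/woocommerce-payments/readme\.txt$")
# Apache combined log: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log: one client probing readme.txt, normal traffic otherwise.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [14/Jul/2023:08:12:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [14/Jul/2023:08:12:05 +0000] "GET /shop/ HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2023:08:12:09 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.3 - - [14/Jul/2023:08:13:40 +0000] "POST /checkout/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed sample of wp_users rows joined with their role.
SAMPLE_USERS = [
    {"user_login": "alice", "user_registered": "2021-03-02 10:00:00", "role": "administrator"},
    {"user_login": "shopmanager", "user_registered": "2022-11-20 09:30:00", "role": "shop_manager"},
    {"user_login": "q8v2kz7p3m", "user_registered": "2023-07-16 03:14:22", "role": "administrator"},
    {"user_login": "bob", "user_registered": "2023-07-15 12:00:00", "role": "administrator"},
]


def find_recon_sources(log_text):
    """Return {ip: count} for clients that requested the plugin's readme.txt."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore query strings
        if RECON_PATH.search(path):
            hits[m.group("ip")] = hits.get(m.group("ip"), 0) + 1
    return hits


def looks_machine_generated(login):
    """Heuristic: alphanumeric logins that keep alternating between letters and
    digits ("q8v2kz7p3m") are unlike human-chosen ones ("admin2023")."""
    if not re.fullmatch(r"[a-z0-9]{8,}", login.lower()):
        return False
    classes = ["d" if c.isdigit() else "a" for c in login]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches >= 3


def audit_admins(users, window_start="2023-07-13", window_end="2023-07-31"):
    """Return [(login, reason), ...] for administrator accounts worth review.
    The window defaults are an assumed review period around the July 2023 campaign."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    findings = []
    for u in users:
        if u["role"] != "administrator":
            continue
        reasons = []
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if start <= registered <= end:
            reasons.append("created during campaign window")
        if looks_machine_generated(u["user_login"]):
            reasons.append("machine-generated-looking username")
        if reasons:
            findings.append((u["user_login"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print("readme.txt probes:", find_recon_sources(SAMPLE_ACCESS_LOG))
    for login, reason in audit_admins(SAMPLE_USERS):
        print(f"review admin {login!r}: {reason}")
```

An account created in the window with an ordinary name (like `bob` above) is still listed, because a human-looking name is no proof of a legitimate account; the finding is a prompt to confirm who created it. Pair these checks with a listing of installed plugins so that an unexpected WP Console or file-uploader plugin is caught as well.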



This post first appeared on Rootshell Security; please read the original post: here
