Neu Cyber Threats – 2nd September 2021
Microsoft continues to experience cyber security issues
Microsoft has warned about the recent wave of attacks exploiting the ProxyShell vulnerabilities. The tech giant released an advisory letting customers know that cyber criminals may take advantage of unpatched Exchange servers “to deploy ransomware or conduct other post-exploitation activities”, and has urged them to update as soon as possible.
A statement said: “Our recommendation, as always, is to install the latest CU and SU on all your Exchange servers to ensure that you are protected against the latest threats.”
Customers that have installed the May and June 2021 security updates for their Exchange servers are protected from these vulnerabilities, as are Exchange Online customers so long as they ensure that all hybrid Exchange servers are updated.
The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) chained together enable an adversary to achieve remote code execution on Microsoft Exchange servers. Microsoft said the bugs can be exploited in the following cases: the server is running an older, unsupported CU; the server is running security updates for older, unsupported versions of Exchange that were released in March 2021; or the server is running an older, unsupported CU with the March 2021 EOMT mitigations applied.
“In any of the above scenarios, you must install one of the latest supported CUs and all applicable SUs to be protected. Any Exchange servers that are not on a supported CU and the latest available SU are vulnerable to ProxyShell and other attacks that leverage older vulnerabilities,” said Microsoft.
Neuways advises Microsoft customers to follow the advisory and apply any available updates as soon as possible to avoid any potential issues.
Notorious cyber criminal gang shuts down…for now
In good news for businesses, another cyber criminal gang notorious for ransomware attacks has shut down. Before shutting down, the Ragnarok gang published its decryptor online, allowing victims to unlock and recover their files.
The decryptor, which is usually supplied after victims are forced to pay a ransom of thousands, came hardcoded with a master decryption key for free. Previously, Ragnarok’s public site was the place where the group would publish data from victims who refused to pay the set ransom.
Several researchers have confirmed that the Ragnarok decryptor works as advertised too. It’s currently being analysed, before researchers eventually release a clean version that is safe to use on Europol’s NoMoreRansom portal.
Having been active since late 2019, Ragnarok has been a constant threat to businesses across a range of industries. The group’s signature style of attack was to use exploits to breach a target company’s network and perimeter devices. From there, it would move through the internal network to encrypt an organisation’s servers and workstations.
Ragnarok was one of a number of ransomware groups that would not just encrypt files but also steal them, so that it could threaten to leak them on its portal to pressure victims into paying the demanded ransom, and then make good on the threat if the money did not arrive by a given deadline.
It is thought that the group has shuttered operations in part due to mounting pressure and crackdowns from international authorities that have already led some key players to cease their activity. As well as Ragnarok, Avaddon and SynAck, two heavy hitters in the game, REvil and DarkSide, also closed up shop earlier this year.
However, even as some ransomware groups are hanging it up, new threat groups are filling the gaps left in their wake, and cyber attacks continue to impact companies around the world. Two newcomer groups, Haron and BlackMatter, are among those that have emerged recently with the intent of using ransomware to target large organisations that can pay hundreds of thousands of pounds in ransoms.
Indeed, researchers think Ragnarok’s exit from the field isn’t permanent, and that the group will resurface in a new incarnation at some point. Neuways advises businesses to take the positive news with a pinch of salt. While this is genuinely good news, the vacancy will give plenty of pretenders the sense that they can take advantage of businesses that let their guard down because of it. Ensure your business is carefully carrying out its existing cyber security measures and you will help to deter cyber crime gangs from seeing businesses as easy targets and, ultimately, sources of revenue.
Malware found within certain versions of WhatsApp
Triada malware has resurfaced. Its most recent sighting is inside an advertising component of a modified version of the popular WhatsApp messaging app, called FM WhatsApp.
The malware, first spotted by researchers in 2016, is a type of mobile supply-chain malware that delivers trojans to victims. The latest version of Triada slips onto phones via an advertising software development kit (SDK), which is used to monetise applications.
Version 16.80.0 of FM WhatsApp is affected. The app, only available via unofficial third-party app stores, is used to give users added functionality to Facebook’s WhatsApp messenger service.
In a recent report, researchers warned that this latest version of Triada acts as a payload downloader, allowing for up to six additional trojan applications to be injected onto Android phones. These trojans can carry out a number of malicious actions – from commandeering a handset silently to displaying full-screen popup ads.
Researchers explained: “We don’t recommend using unofficial modifications of apps, especially WhatsApp mods. You may well end up with an unwanted paid subscription, or could lose complete control of your account altogether, which attackers can hijack to use for their own purposes, such as spreading spam in your name.” This could be a reputational disaster for businesses whose employees may use their personal devices for work purposes, as attackers could hypothetically take over their phones and distribute malware and further spam.
While it is unclear how popular the FM WhatsApp app is among users, the news is still a concern for the safety of users. When it was first discovered in 2016, Triada was described as “almost invisible” to users and proved a nightmare for those who were trying to find and remove it. Researchers also described it as “one of the most advanced mobile trojans we have ever encountered.”
Since then, the malware has upgraded. Instead of rooting the device to obtain elevated privileges, Triada evolved to become a pre-installed Android framework backdoor. The 2021 incarnation of Triada plants itself on Android handsets via malicious code embedded in FM WhatsApp (version 16.80.0). When the app starts, the Triada malware is decrypted and launched, triggered via a long command string embedded in the app’s code.
Malware similar to Triada has garnered more publicity as it has been increasingly discovered pre-installed on budget phones as a backdoor for threat actors to abuse. In each case, a malicious dropper component delivers a host of trojans, giving criminals access to a device via a command-and-control backend. The most recent version of Triada has also evolved the way it infects and hides on a phone.
Triada now comes pre-installed on a handset or bundled inside a malicious app. Once active, the malware abuses a call in the Android framework’s log function. This means that every time any app attempts to log something, the hooked function is called and Triada code is launched, allowing the trojan to execute code in the context of any app.
Neuways advises users never to use unofficial versions of applications found on third-party stores. There is no guarantee that such applications have been subjected to the approval processes used by official stores such as Google Play and Apple’s App Store. By using these official, vetted stores, users are doing everything they can to stay cyber safe.
Cyber criminals found using brand-new backdoor in attacks
The financially motivated FIN8 cyber criminal gang has used a brand-new backdoor in several attempted, but ultimately unsuccessful, breaches of business networks.
The backdoor has been dubbed ‘Sardonic’, with researchers saying: “The ‘Sardonic backdoor’ is extremely potent and has a wide range of capabilities that help the criminals leverage new malware without updating components.”
In the past, FIN8 has typically gone after financial services and payment-card data from point-of-sale (PoS) systems, particularly those of retailers, restaurants and the hotel industry. It isn’t a brand-new cyber crime gang either, having been active since at least January 2016. What is noticeable is that the gang periodically disappears in order to fine-tune its tactics, techniques and procedures (TTPs), allowing it to evade detection and ramp up its success rate.
This was observed in March, when researchers spotted FIN8 re-emerging after a period of relative quiet with a new version of the BadHatch backdoor to compromise companies in a variety of industries. Sardonic is a further updated version of BadHatch that’s still under development. It is an improvement on BadHatch in that it can be automatically boosted with new functionality without the malware needing to be redeployed.
BadHatch provides file transfer and reverse-shell functionality. It is just one component of FIN8’s arsenal, which also includes malware variants such as ShellTea, another backdoor, PunchBuggy, and the memory-scraper tool PunchTrack. FIN8 also uses TTPs such as exploiting Windows zero-days and spear-phishing.
Researchers are confident that these most recent attacks were most likely initiated via social engineering tactics and spear-phishing campaigns. During one of the attacks, FIN8 used a three-stage process to deploy and execute the Sardonic backdoor: a PowerShell script, a .NET loader and downloader shellcode. After it was loaded, researchers said, the embedded dynamic link library obtained the value of the Y1US environment variable and extracted the string containing options for behaviour customisation, so that its behaviour could be adjusted.
The new backdoor uses TLS encryption to conceal its PowerShell commands from security monitoring. After gaining network access, FIN8 uses that access to scan victim networks, giving the attackers remote access, the ability to install a backdoor, and a way to deliver other malware payloads.
Neuways recommends that companies check for potential compromises by implementing endpoint security as one aspect of a thorough, well-constructed cyber security plan. If you need any cyber security help, or want to improve your existing defences, get in touch with the experts at Neuways. Call us on 01283 753333 or email firstname.lastname@example.org.