Cyber Pulse: Edition 179 | 18 March 2022

QA's practice director of Cyber Security, Richard Beck, rounds up this week's cyber security news.

Anonymous cripples Russian Fed Security Service (FSB) and other top sites

The Anonymous hacktivists collective are claiming to have targeted top Russian government websites in a series of DDoS attacks. As a result, the official website of the Federal Security Service (aka FSB, the principal security agency of Russia), the Stock Exchange, Analytical Center for the Government of the Russian Federation, and the Ministry of Sport of the Russian Federation have been forced to go offline.

The cyberattack, which was part of Anonymous’ ongoing operation called OpRussia, took place around 12:12 PM (GMT) on 15 March. The severity of the attack can be quantified by the fact that almost seven hours had passed since the attack took place, yet all targeted websites were still unreachable and offline for visitors. On Twitter, @YourAnonNews, one of the largest social media representatives of the Anonymous movement, shared several screenshots showing targeted domains and their current service status.

The group’s most significant attack took place last week when one of its affiliates hacked over 400 surveillance cameras in Russia. The hacktivists then defaced the compromised cameras with messages against President Putin and in support of Ukraine. The second attack, which is ongoing, is being set up by Squad303, a newly formed digital army comprising Anonymous-associated programmers. In the first stage of the attack, the group sent out 7 million text messages to random Russian citizens across the country urging them to protest against the Russian attack on Ukraine.

Russian hackers exploiting multi-factor authentication flaw

The FBI says Russian state-backed hackers gained access to a non-governmental organisation (NGO) cloud after enrolling their own device in the organisation's Duo MFA following the exploitation of misconfigured default multifactor authentication (MFA) protocols. To breach the network, they used credentials compromised in a brute-force password guessing attack to access an un-enrolled and inactive account, not yet disabled in the organisation's Active Directory.

"As Duo's default configuration settings allow for the re-enrolment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory," the federal agencies explained.

The next step was to disable the MFA service by redirecting all Duo MFA calls to localhost instead of the Duo server after modifying a domain controller file. This allowed them to authenticate to the NGO’s virtual private network (VPN) as non-administrator users, connect to Windows domain controllers via Remote Desktop Protocol (RDP), and obtain credentials for other domain accounts. With the help of these compromised accounts and without MFA enforced, the Russian-backed threat actors could move laterally and gain access to the cloud storage and email accounts and exfiltrate data.

The FBI and CISA urged all organisations today in a join cybersecurity advisory to apply the following mitigation measures:

• Enforce MFA and review configuration policies to protect against “fail open” and re-enrolment scenarios.
• Ensure inactive accounts are disabled uniformly across the Active Directory and MFA systems. 

Additional Wiper malware targeting Ukrainian organisations

Experts discovered a new wiper, tracked as CaddyWiper, that was employed in attacks targeting Ukrainian organisations. Experts at ESET Research Labs discovered a new data wiper, dubbed CaddyWiper, that was employed in attacks targeting Ukrainian organisations. The security firm has announced the discovery of the malware with a series of tweets.

“This new malware erases user data and partition information from attached drives,” ESET Research Labs reported. “ESET telemetry shows that it was seen on a few dozen systems in a limited number of organisations.”

CaddyWiper is the third wiper observed by ESET in attacks against Ukraine after HermeticWiper and IsaacWiper, experts pointed out that it does not share any significant code similarity with them. Similar to HermeticWiper deployments, CaddyWiper being deployed via GPO, a circumstance that suggests the attackers had initially compromised the target’s Active Directory server.

In order to maintain access to the target organisation while still disturbing operations, the CaddyWiper avoids destroying data on domain controllers. CaddyWiper uses the DsRoleGetPrimaryDomainInformation() function to determine if a device is a domain controller. The CaddyWiper sample analysed by ESET was not digitally signed, the malware was compiled.

Malware leveraging Telegram's infrastructure

Cybercriminals behind Raccoon Stealer have been found using a chat app to store and update C2 addresses to spread within infected machines. Recently, the stealer has added the ability to update its own actual C2 addresses on Telegram’s infrastructure. The Avast research report disclosed that the recent version of Raccoon Stealer communicates with its C2 within Telegram. The new variant has the capability to store and update its C2 addresses that are stored on Telegram’s infrastructure. So far, the stealer has spread clipboard crypto stealers, downloaders and WhiteBlackCrypt ransomware.

There are four crucial values for C2 communication, which are hardcoded in every sample. The values are MAIN_KEY, URLs of Telegram gates with a channel name, BotID, and TELEGRAM_KEY.  To hijack Telegram for C2, the malware decrypts MAIN_KEY that decrypts Telegram gates URLs and BotID. The stealer uses the Telegram gate to get to the actual C2 by using a string of queries that ultimately allow it to use the Telegram infrastructure for updating and storing real C2 addresses.

The exploitation of Telegram by cybercriminals is not new. Raccoon Stealer abuses it to operate in stealth mode. Experts think that the developers of this malware will continue to add new features to it to make it efficient. As a precaution, organisations should always use reliable anti-malware solutions.

Hundreds of GoDaddy-hosted websites compromised

Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy's Managed WordPress service, all featuring an identical backdoor payload. The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress. The discovery comes from Wordfence, whose team first observed the malicious activity on 11 March, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy.

The backdoor infecting all sites is a 2015 Google search SEO-poisoning tool implanted on the wp-config.php to fetch spam link templates from the C2 that are used to inject malicious pages into search results. The campaign uses predominately pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual content. The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors.

Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.

Scam Royal Mail AI chatbot offers a new iPhone

Royal Mail scams, in which people receive a scam notification that a parcel could not be delivered for some reason, are always popular techniques for people up to no good. We’ve covered them several times over the last year or so. Here’s the latest scam, promising a new IPhone to victims, and what happens when people visit the site in question. Visitors are greeted by a “chatbot”, talking to them directly about a missing parcel. The chatbot cycles through some text, claiming the parcel is damaged in some way.

Essentially, the scammers came up with an idea for an evolving Royal Mail phish – AI chatbots – and then inexplicably undermined themselves with a completely unrelated landing page promoting mobile phone competitions. You’d hope this would lower the chances of people signing up, but you never know.

As for the chatbot itself, there’s no way to know for sure how it is operated. It may be like one of those pornography chatbots on spam sites that run through the same handful of replies no matter what you type. Perhaps it was coded to detect a handful of different responses. It might even have been the scammer themselves, for that added splash of interactivity.

The site sporting the competition itself informed Which? magazine that an affiliate is responsible for this one and they’ve refunded three people who fell for it. Hopefully this low number does indeed indicate that starting off with a Royal Mail delivery and ending with mobile phones is a bridge too far. This is a better result than if the landing page was a carefully crafted Royal Mail fake out, so it’s possible we’ve all scored a lucky break here.

As with all these scams: Should you find a mysterious text or mail telling you a parcel is waiting, contact your local Royal Mail depot. Sites asking for delivery fees should be viewed with skepticism, and that goes double for offers of a distinctly non-postal variety.

Actors bypassing Apple App Store security

Scammers are bypassing Apple’s App Store security, stealing thousands of dollars’ worth of cryptocurrency from the unwitting, using the TestFlight and WebClips programmes. For about a year now, crypto-traders and lovelorn singles alike have been losing their money to CryptoRom, a malware campaign that combines catfishing with crypto-scamming. According to research from Sophos, CryptoRom’s perpetrators have now improved their techniques. They’re leveraging new iOS features – TestFlight and WebClips – to get fake apps onto victims’ phones without being subject to the rigorous app store approval process.

Successful CryptoRom scams have resulted in five-, six- and even seven-figure losses for victims. The trading apps tend to be cryptocurrency-related, since, more so than with fiat currency, cryptocurrency payments are irreversible. A crucial component to the CryptoRom attack flow is those fake apps. Victims might receive a link to download what purports to be BTCBOX, for example, or Binance – perfectly legitimate cryptocurrency trading platforms. These apps appear to have professional user interfaces, and even come with customer-service chat options.

Apple and Google apply strict vetting to weed out malicious mobile apps like these from their official stores. But, as Threatpost has covered before, hackers have clever tricks to get around conventional security testing. In the past, for example, CryptoRom’s preferred method was to use the Apple Developer Program and Enterprise Signatures. Since it’s almost impossible for law enforcement to crack down on any one individual scam, app store providers have a responsibility to monitor for misuse of these developer tools, Mark Lambert, vice president of products at ArmorCode, told Threatpost.

Kubernetes container vulnerability patched

A severe vulnerability affecting the CRI-O container engine for Kubernetes could be exploited to escape the container and gain root access to the host, CrowdStrike reports. CRI-O is a lightweight container runtime for Kubernetes with support for OCI (Open Container Initiative) compatible runtimes. Tracked as CVE-2022-0811 (CVSS score of 8.8), the vulnerability exists due to the lack of proper validation for kernel parameters passed to the pinns utility. The issue was introduced in CRI-O version 1.19, when sysctl support was added to the container engine. Referred to as cr8escape, the security hole could be exploited by an attacker to “escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster,” CrowdStrike said.

Exploitation requires rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime. In addition to malware execution, the security defect could allow an attacker to perform other actions on the host, including data exfiltration and lateral movement across pods. According to CrowdStrike, which has published proof-of-concept (PoC) code targeting the flaw, the potential impact of this vulnerability is widespread, given the broad, default use of CRI-O by many platforms.

Thus, users are advised to update CRI-O immediately, to prevent potential attacks. The flaw was resolved with the release of CRI-O versions 1.22.3, 1.21.6, 1.20.7, and 1.19.6. Mitigation steps include blocking pods that contain sysctl settings with values containing “+” or “=”, blocking all sysctls, or employing a ins wrapper to strip the “-s” option – thus preventing pods from modifying kernel parameters. Although not recommended, a downgrade to CRI-O version 1.18 or earlier could also prevent exploitation.

Website contact forms backdoored by malware

BazarBackdoor is observed spreading via website contact forms to avoid detection by security software. The backdoor malware is developed by the TrickBot group and has been under active development for some time. According to Abnormal Security, the recent distribution campaign was active between December 2021 and January 2022, targeting corporate victims with BazarBackdoor. The aim was to deploy ransomware or Cobalt Strike.

In one of the cases, the attackers used a corporate contact form on the website, where they posed as employees of a Canadian construction firm requesting a product supply quote. After a company representative responds with the quotation, the attackers send back a malicious ISO file attachment in an email, meant to be relevant to the negotiation. To avoid any possible security alerts, the attackers used file-sharing services TransferNow and WeTransfer to send these malicious files.

The attackers behind BazarBackdoor are using contact forms to improve the credibility and legitimacy of their attacks. Website admins are suggested to stay alert whenever receiving suspicious emails from unknown sources.

Irish Government fine Facebook $18.6m over data breach from 2018

The Irish Data Protection Commission (DPC) on Tuesday slapped Facebook and WhatsApp owner Meta Platforms a fine of €17 million (~£14.3 million) for a series of security lapses that occurred in violation of the European Union's GDPR laws in the region.

"The DPC found that Meta Platforms failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users' data, in the context of the twelve personal data breaches," the watchdog said in a press release. The decision follows the regulator's investigation into 12 data breach notifications it received over the course of a six-month period between 7 June and 4 December 2018.

The development follows a similar penalty the DPC imposed on WhatsApp, fining the messaging service €225 million in September 2021 for failing to meet its GDPR transparency obligations. Following the ruling, WhatsApp tweaked its privacy policy with regards to how it handles European users' data and shares that information with its parent, Meta. Around the same time, the Luxembourg National Commission for Data Protection (CNPD) also hit Amazon with an $886.6 million fine in July 2021 for non-compliance with data-processing laws. Then earlier this year, France fined both Meta and Google for violating EU privacy rules by failing to provide users with an easy option to reject cookie tracking technology.

Train with QA Cyber Security

Interested in learning more about cyber security? QA's Cyber Security practice offers training, labs, certifications and qualifications in a wide range of subjects, including attack and defence, data privacy, security operations, digital forensics and incident response, secure engineering, cyber governance, risk and compliance, cyber intelligence, and cloud security.

Contact us today.