451
The War Room
1 readers
1 users here now
Community for various OSINT news and subject matter for open discussion or dissemination elsewhere
founded 1 year ago
MODERATORS
452
453
454
455
Microsoft Exchange updates pulled after breaking non-English installs
Microsoft has pulled Microsoft Exchange Server's August security updates from Windows Update after finding they break Exchange on non-English installs.
On August 8th, Microsoft released new Exchange Server security updates during the August 2023 Patch Tuesday.
These security updates fix six vulnerabilities, including four remote code execution flaws, one elevation of privileges flaw, and a spoofing vulnerability that can be used to conduct an NTLM Relay Attack.
However, after Microsoft Exchange admins began installing the new updates on non-English servers, they found that the Exchange Windows services were no longer starting.
"Apparently the update cannot be successfully installed on operating systems and Exchange servers in German," warned IT architect Frank Zoechling.
"The setup fails with the error code 1603 and leaves a faulty Exchange installation. Users of Exchange servers and operating systems in German should therefore not install the update for the time being."
Microsoft has since updated the August 2023 Exchange Server Security Updates bulletin, warning admins that they temporarily removed the update from Windows and Microsoft Update while they investigate the issue.
"We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update," explains Microsoft.
"If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information."
A dedicated support article sheds more light on the issue, stating that the problems are caused by a "localization issue in the Exchange Server August 2023 SU installer".
Microsoft says that when you install the Microsoft Exchange Server 2019 or 2016 security updates on non-English operating systems, the installer will stop and roll back changes, leaving the Exchange Server Windows services in a disabled state.
For those impacted by the problematic install, Microsoft has shared the following steps that can be used to enable the Windows servers and start Exchange Server:
- If you’ve already tried to install the SU, reset the service state before you run Setup again. You can do this by running the following PowerShell script in an elevated PowerShell window:
- Change to the following directory: \Exchange Server\V15\Bin.
- Enter .\ServiceControl.ps1 AfterPatch, and then press Enter.
- Restart the computer.
- In Active Directory (AD), create an account that has the specific name that’s provided in this step. To do this, run the following command:
New-ADUser -Name "Network Service" -SurName "Network" -GivenName "Service" -DisplayName "Network Service" -Description "Dummy user to work around the Exchange August SU issue" -UserPrincipalName "Network Service@$((Get-ADForest).RootDomain)" 3. Wait for AD replication (up to 15 minutes), and then restart the Exchange Server SU installation. Setup should now run successfully. 4. After the installation finishes, run the following commands:
$acl = Get-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
$rule = New-Object System.Security.AccessControl.RegistryAccessRule((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-20")), 983103, 3, 0, 0)
$acl.SetAccessRule($rule)
Set-Acl -Path "HKLM:\SOFTWARE\Microsoft\MSIPC\Server" -AclObject $acl
5. Restart the Exchange server to complete the installation.
6. After all Exchange servers are updated, you can safely delete the AD account that was created in step 2.
Once you complete these steps and restart the Exchange server, the Windows services should properly start again and Exchange will be back up and running.
For users running English localizations of Windows, it is still advised to download and install the updates to be protected from the disclosed vulnerabilities.
456
1
SecurityGen Study Highlights Hidden Threat to 5G Mobile Networks From GTP-Based Cyberattacks
(www.darkreading.com)
457
1
Rootly Raises $12M to Help Enterprise IT Teams Resolve Incidents 80 Percent Faster
(www.darkreading.com)
458
459
460
1
CISA discovered a new backdoor, named Whirlpool, used in Barracuda ESG attacks
(securityaffairs.com)
461
MoustachedBouncer hackers use AiTM attacks to spy on diplomats
Image: Midjourney
A cyberespionage group named 'MoustachedBouncer' has been observed using adversary-in-the-middle (AitM) attacks at ISPs to hack foreign embassies in Belarus.
According to an ESET report released today, the researchers observed five distinct campaigns, with the threat actors believed to be active since at least 2014, using AitM at Belarusian ISPs since 2020.
The two signature malware frameworks MoustachedBouncer used during this time are 'NightClub,' since 2014, and 'Disco,' introduced in 2020 to support data theft, capturing screenshots, recording audio, and more.
.jpg)
MoustachedBouncer campaigns
Source: ESET
AiTM attacks
The recent method used to breach networks is to use adversary-in-the-middle (AitM) attacks at the ISP level to trick targeted Windows 10 installation into assuming it stands behind a captive portal.
The ISPs confirmed to be used by MoustachedBouncer are Beltelecom (wholly state-owned) and Unitary Enterprise AI (largest private).
ESET believes the threat actors achieve this by manipulating the traffic either by breaching the ISP infrastructure or collaborating with entities that have access to the network service providers in Belarus.
"For IP ranges targeted by MoustachedBouncer, the network traffic is tampered at the ISP level, and the latter URL redirects to a seemingly legitimate, but fake, Windows Update URL, "updates.microsoft[.]com," explains ESET's report.
"Hence, the fake Windows Update page will be displayed to a potential victim upon network connection."
When a targeted Windows 10 device connects to the network, it will redirect captive portal checks (used to check if a device is connected to the internet) to a Fake Windows update HTML page.
This page uses JavaScript to display a "Get Updates" button that, when clicked, causes a fake operating system update ZIP file to be downloaded.
This ZIP file contains a Go-based malware that creates a scheduled task that executes every minute, fetching another executable, the malware loader, from what appears like a Google Cloud IP address but is likely just there for cover.
The malware payloads the MoustachedBouncer has used since 2014 are various versions of the 'NightClub' and 'Disco' malware toolkits, showcasing notable evolution with each new release.
Observed infection chain
Source: ESET
NightClub malware
NightClub was the first malware framework used by the espionage group, with distinct samples retrieved by ESET's analysts in 2014, 2017, 2020, and 2022.
Early versions featured file monitoring and SMTP (email) exfiltration and command and control server communications, while its authors later added a persistence mechanism and a keylogger,
The latest version of NightClub, used by the hackers between 2020 and 2022, features new modules for taking screenshots, recording audio, keylogging, and setting up a DNS-tunneling backdoor for C2 communications.
The DNS backdoor implements additional commands that give the malware file, directory creation, reading, and searching functions, and process manipulation capabilities.
Also, the newest NightClub uses a hardcoded private RSA-2048 key for encrypting its strings, while its configuration is stored in an external file, giving it more stealth and versatility.
ESET couldn't determine the infection channel that MoustachedBouncer used for NightClub, so that aspect remains unknown.
Disco malware
Disco is a newer malware framework reaching victims through the previously described AitM-based attack chain, which MoustachedBouncer started using in 2020.
Disco uses multiple Go-based plugins that expand its functionality, allowing the malware to:
- Take screenshots every 15 seconds (three modules)
- Execute PowerShell scripts (two modules)
- Exploit CVE-2021-1732 using a publicly-available PoC to elevate privileges
- Set up a reverse proxy using code inspired by the open-source tool 'revsocks' (two modules)
Disco also uses SMB (Server Message Block) shares for data exfiltration, a protocol primarily used for shared access to files, printers, and serial ports, so there's no direct transfer to the C2 server.
MoustachedBouncer's C2 infrastructure is not accessible directly from the public internet, effectively hiding it from security researchers and protecting it from takedowns.
ESET recommends that diplomats and embassy employees based in Belarus use end-to-end encrypted VPN tunnels when accessing the internet to block the AiTM attacks.
462
463
CISA: New Whirlpool backdoor used in Barracuda ESG hacks
Image: Midjourney
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has discovered a new backdoor malware named 'Whirlpool' used in attacks on compromised Barracuda Email Security Gateway (ESG) devices.
In May, Barracuda revealed a suspected pro-China hacker group (UNC4841) had breached ESG (Email Security Gateway) appliances in data-theft attacks using the CVE-2023-2868 zero-day vulnerability.
CVE-2023-2868 is a critical severity (CVSS v3: 9.8) remote command injection vulnerability impacting Barracuda ESG versions 5.1.3.001 through 9.2.0.006.
It was later discovered that the attacks started in October 2022 and were used to install previously unknown malware named Saltwater and SeaSpy and a malicious tool called SeaSide to establish reverse shells for easy remote access.
Instead of fixing devices with software updates, Barracuda offered replacement devices to all affected customers at no charge, indicating that the attacks were more damaging than originally thought.
CISA has since shared further details about an additional malware named Submariner that was deployed in the attacks.
New Whirlpool malware
Yesterday, CISA disclosed the discovery of another backdoor malware named 'Whirlpool' [VirusTotal] that was found to be used in the attacks on Barracuda ESG devices.
The discovery of Whirlpool makes this the third distinct backdoor used in the attacks targeting Barracuda ESG, once again illustrating why the company chose to replace devices rather than fix them with software.
"This artifact is a 32-bit ELF file that has been identified as a malware variant named "WHIRLPOOL," reads CISA's updated Barracuda ESG malware report.
"The malware takes two arguments (C2 IP and port number) from a module to establish a Transport Layer Security (TLS) reverse shell."
"The module that passes the arguments was not available for analysis."
From submissions to VirusTotal, the Whirlpool malware appears to have run under the 'pd' process.
Previously, on May 30, 2023, Barracuda found SeaSpy on hacked ESG appliances, a persistent passive backdoor that masquerades as a legitimate service, namely "BarracudaMailService," and runs commands on behalf of the threat actors.
SeaSpy initialization script (CISA)
On July 28, 2023, CISA warned of a previously unknown backdoor in breached Barracuda devices named 'Submarine.'
Submarine resides in the SQL database of ESG, allowing root access, persistence, and command and control communications.
Indicators of compromise and YARA rules that help detect infections by the four newly discovered variants of SeaSpy and Whirlpool are provided in a separate document.
If you identify suspicious activity on your Barracuda ESG appliance or discover signs of compromise by any of the three mentioned backdoors, you are urged to contact CISA's 24/7 Operations Center at "[email protected]" to help with their investigations.
464
465
Dell Compellent hardcoded key exposes VMware vCenter admin creds
An unfixed hardcoded encryption key flaw in Dell's Compellent Integration Tools for VMware (CITV) allows attackers to decrypt stored vCenter admin credentials and retrieve the cleartext password.
The flaw is caused by a static AES encryption key, shared across all installs, that is used to encrypt the vCenter credentials stored in the program's configuration file.
Dell Compellent is a line of enterprise storage systems offering features such as data progression, live volume, thin provisioning, data snapshots and cloning, and integrated management.
The software supports storage integration with VMware vCenter, a widely used platform for managing ESXi virtual machines.
However, to integrate the client, it must be configured with VMware vCenter credentials, which are stored in the Dell program's encrypted configuration file.
A hardcoded AES encryption key
LGM Security's researcher Tom Pohl, discovered in a penetration exercise that Dell CITV contains a static AES encryption key that is identical for all Dell customers across all installs.
This AES encryption key is used to encrypt the CITV configuration file containing the program's settings, including the entered vCenter admin credentials.
As AES is a symmetric cipher, it uses the same key for encrypting and decrypting data. This allows an attacker who extracts the key to easily decrypt the configuration file and retrieve the encrypted password.
"The Dell software needs administrative vCenter credentials to function correctly, and it protects those credentials in their config files with a static AES key," Pohl told BleepingComputer.
"Dell is interacting with vCenter servers, and is keeping its credentials in an encrypted confih file that should be completely inaccessible for viewing by anything or anyone other than the Dell software."
"Attackers should not be able to get access to the contents of that file, but it is accessible. However, due to this newly discovered vulnerability, attackers can extract the encryption key that the Dell software is using to protect the contents of that file."
LGM Security's team found that the Dell Compellent software directory contains a JAR file that, when decompiled, revealed a hardcoded static AES key.
JAR file in a Dell Compellent directory (LGM Security)
Using this AES key, Pohl could decrypt the Dell Compellent configuration file and retrieve the user name and password for the VMware vCenter administrator, as shown below.
Decrypting admin credentials using the recovered AES key (LGM Security)
The server containing that key was accessible using weak credentials (admin/admin). However, as seen repeatedly, threat actors can gain access to servers in various ways due to vulnerabilities or bad practices.
Also, the issue could be exploitable by rogue insiders or low-privileged external attackers who have access to Dell CITV.
In this instance, the LGM team could have gone further by leveraging access to domain controls but instead opted to create a domain admin account, exploiting the opportunity when a network admin mistakenly left their console unlocked.
Accessing the exposed vCenter server (LGM Security)
The analysts emailed Dell to inform them about their discovery on April 11th, 2023, but the computer and software vendor initially dismissed the report, misunderstanding the scope.
After further communication, Dell promised to roll out a fix by November 2023.
As the standard 90-day vulnerability disclosure policy has expired, Pohl has publicly shared his research in a DEFCON session titled "Private Keys in Public Places."
Pohl discovered similar hardcoded keys in Netgear and Fortinet in 2020, which were subsequently fixed.
466
1
Safeguarding Against Silent Cyber Threats: Exploring the Stealer Log Lifecycle
(www.bleepingcomputer.com)
Safeguarding Against Silent Cyber Threats: Exploring the Stealer Log Lifecycle
The first seven months of 2023 have seen a continued rapid evolution of the cybercrime ecosystem. Ransomware data exfiltration attacks, stealer log distribution, and new exploits targeting organizations continue to substantially increase.
This article explores a key component of the cybercrime ecosystem, stealer logs, and their role in the broader cybercrime ecosystem.
What are Stealer Logs?
Infostealer malware has risen to prominence as one of the most significant vectors of cybercrime over the past three years.
Infostealers are a form of remote access trojan (RAT) that infects a victim computer, exfiltrates all of the credentials saved in the browser, as well as session cookies, while also stealing other sensitive data such as credit card information, cryptocurrency wallet data, and other information from the host.
Logs are then either used or distributed to other cybercriminals as a key initial vector that enables financial fraud, account takeover attacks, ransomware distribution, and data breaches against organizations.
RedLine Stealer log file
Malware as a Service Vendors, Telegram, and the Cybercrime Supply Chain
Malware as a service (MaaS) vendors continually develop new variants of infostealer malware which are then sold in specialized Telegram channels. The most common variants we see today are RedLine, Vidar, and Raccoon.
Description of stealer web panel features
MaaS vendors often package their malware in convenient monthly subscription packages that can be easily purchased for a set amount of cryptocurrency, and come complete with command and control (C2) infrastructure and a backend that enables seamless management of hundreds of thousands of stealer logs.
Threat actors then simply need to identify methods to distribute the malware to consumers.
Distribution typically takes a few forms, some of the most common of which are adding infostealer payloads to cracked software, phishing emails, malvertising, and advertising free video-game currency; infostealer malware is mostly distributed in a “spray and pray” fashion, very rarely being employed in targeted attacks.
Backend for RedLine stealer malware
Once an infection takes place, data is exfiltrated to the malware’s backend infrastructure, in the form of “stealer logs”.
The screenshot on the left shows infrastructure related to a common infostealer variant. The columns display the infection date, country code, checkboxes to mark duplicates, counts of credentials, and finally an automatic parsing system to identify high-value credentials within the log.
Stealer Logs Distribution: Tor and Telegram Take Center Stage
Stealer logs used to be distributed almost exclusively on dark web online stores, through popular autoshops such as Genesis Market and Russian Market.
However, in recent years, there has been an increasing adoption of the messaging platform Telegram for everything related to cyber-crime, including stealer logs distribution; out of more than one million unique logs collected per month, we currently see more than 70% being distributed on Telegram channels.
Stealer logs shared in Telegram channel
Threat actor groups create channels, usually referred to as “clouds”, where they will sell access to freshly gathered stealer logs, for a subscription fee.
On top of selling access to their “private” channels, these groups will usually have a “public” channel, where they distribute what can be considered samples of what a potential buyer would get access to by purchasing a subscription to their “private” channels.
Every day, thousands of stealer logs are distributed across Telegram, spread across hundreds of channels.
Whilst most members of these channels are looking for an easy way to make a quick buck, such as by leveraging stolen cryptocurrency wallets, or access to bank accounts, other more advanced users will look at leveraging the illegitimate access stealer logs provide in order to disrupt corporate operations.
Stealer Logs, Access Brokers and Ransomware Affiliates
We have seen substantial evidence that initial access brokers (IAB), threat actors that operate on dark web forums and sell access to company networks and IT Infrastructure, use logs as a primary vector of initial access.
An initial access broker on the Exploit dark web forum looking to purchase logs
Once IABs have established a foothold in a company’s network, the access itself is then auctioned off on dark web forums.
Depending on the level of access provided, these auctions can be valuable to ransomware affiliates as an “easy” entry point for a ransomware attack.
How Stealer Logs Can Impact Consumers and Organizations
Stealer logs constitute a danger to consumer and organizations alike, with consumers (the victim of the infection) at risk of being victim of financial fraud or cryptocurrency theft, as well as unauthorized access to their accounts, but a surprising amount of stealer logs also provide some corporate access to various services.
A recent Flare analysis found more than 350,000 logs that contained credentials to commonly used corporate applications including single-sign on (SSO) portals, access to cloud environments, and other high-value applications.
Stealer Log Detection & Remediation with Flare
Flare automates detection for corporate credentials across tens of millions of stealer logs, providing contextualized high-value alerting to security teams.
Flare’s SaaS platform automatically detects the leading threats that lead to ransomware attacks, data breaches, and other forms of cybercrime affecting organizations.
Sign up for a free trial to find out how Flare can seamlessly integrate high-value cybercrime intelligence into your security program in 30 minutes.
Sponsored and written by Flare
467
468
469
470
471
472
473
474
475