Threat Simulator: March 2023 Update

You may think you are safe and have the latest tools, but are these tools appropriately configured? Are you protected, and could you respond quickly to the latest attacks?

This is where Keysight Threat Simulator can help. Threat Simulator allows you to proactively assess your People, Processes, and Security controls before the threat actor does.

Unlike most vendors in the Breach and Attack Simulation (or BAS) space, Keysight isn’t a newcomer to security testing. We’ve led the world in testing security and networking equipment since 2005. Our global Application and Threat Intelligence (ATI) Team keeps current on the latest threats, helping ensure that Threat Simulator can be updated with the latest attack techniques and mitigation recommendations.

We have summarized the latest cyber-attacks covered by Threat Simulator during March.

New Audits:

Text4shell Remote Code Execution: CVE-2022-42889

This assessment is a collection of Endpoint audits based on CVE-2022-42889, targeting the Apache Commons Text library.

CVE-2022-42889 is a vulnerability in the Apache Commons Text library that allows an attacker to execute arbitrary code on the vulnerable system. The library performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Due to a logic flaw, the Script, DNS and URL lookup keys are interpolated by default and can be used to execute code or to contact remote servers.

Microsoft Outlook Elevation of Privilege Vulnerability (Windows): CVE-2023-23397

This assessment is a collection of Endpoint audits based on CVE-2023-23397, targeting Windows systems. Microsoft's advisory for the vulnerability is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

Exploitation of Remote Services - Text4shell Remote Code Execution: CVE-2022-42889 (Bash)

CVE-2022-42889 is a vulnerability in the Apache Commons Text library that allows an attacker to execute arbitrary code on the vulnerable system. The library performs variable interpolation, allowing properties to be dynamically evaluated and expanded. Due to a logic flaw, the Script, DNS and URL lookup keys are interpolated by default and can be used to execute code or to contact remote servers.

This audit targets the vulnerability using a Python script (bundled into a package with PyInstaller) to execute code on the endpoint. To reproduce the attack, a vulnerable application runs on one endpoint and a malicious request is sent from another endpoint, resulting in a DNS query. An attacker performing the same steps as this audit would be able to obtain information about internal resources.
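The lookup keys named above (script, dns, url) are what a defender can key on when reviewing request logs for the vulnerable interpolation syntax. The following is an added detection example, not code from Threat Simulator or from the Commons Text project; the log lines and the `${prefix:` pattern it matches are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Lookup prefixes that CVE-2022-42889 exposed to untrusted input through
# default interpolation; the audit text names script, dns and url.
DANGEROUS_PREFIXES = frozenset({"script", "dns", "url"})

# "${" + optional spaces + prefix + optional spaces + ":" ; case-insensitive so
# "${Script:" or "${DNS:" are not missed. What follows the colon is irrelevant
# for detection and is not inspected.
LOOKUP_RE = re.compile(r"\$\{\s*([a-z]+)\s*:", re.IGNORECASE)


def find_dangerous_lookups(text: str) -> list[str]:
    """Return the sorted set of dangerous lookup prefixes present in text.

    The text is checked both as-is and after one round of percent-decoding,
    so "%24%7Bdns%3A" (the URL-encoded form of "${dns:") is also caught.
    """
    hits = set()
    for variant in (text, unquote(text)):
        for match in LOOKUP_RE.finditer(variant):
            prefix = match.group(1).lower()
            if prefix in DANGEROUS_PREFIXES:
                hits.add(prefix)
    return sorted(hits)


def scan_log(lines) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, prefixes) for each line carrying a dangerous lookup."""
    return [(n, p) for n, line in enumerate(lines, 1) if (p := find_dangerous_lookups(line))]


# Constructed web-server access-log lines (not captured traffic) for demonstration.
SAMPLE_LOG = [
    '198.51.100.4 - - "GET /search?q=apache+commons HTTP/1.1" 200',
    '198.51.100.9 - - "GET /search?q=${dns:address|probe.example.invalid} HTTP/1.1" 200',
    '198.51.100.9 - - "GET /search?q=%24%7BScript%3A...%7D HTTP/1.1" 500',
    '198.51.100.4 - - "GET /profile?name=${env:USER} HTTP/1.1" 200',
]

if __name__ == "__main__":
    for lineno, prefixes in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: dangerous lookup(s) {prefixes} -> {SAMPLE_LOG[lineno - 1]}")
```

Only one round of percent-decoding is applied, so doubly encoded input would need a decode loop; the `${env:` line is deliberately left unflagged because that prefix is not one of the three the audit targets.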

Exploitation for Credential Access - 'Save-TaskNTLMLeak': Craft Malicious Outlook Task for CVE-2023-23397 (PowerShell)

CVE-2023-23397 is a critical elevation-of-privilege vulnerability affecting Microsoft Outlook. Successful exploitation allows an adversary to obtain the NTLM credentials of a Microsoft Outlook user. Exploitation consists of sending a specially crafted email to a target user; no user interaction with the received email is required.

Microsoft's advisory for the vulnerability is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

This audit executes a PowerShell script that crafts a malicious Outlook task. An adversary would add this task as an attachment to an email sent to the target user.

If the adversary already has access to the network, the patch for this vulnerability can be bypassed by using a random hostname for the 'ReminderSoundFile' attribute of the crafted Outlook task. The attacker would typically run a listener for the resolution of that hostname, then capture the NTLM credentials, which can be used to pivot through the network.

Exploitation for Credential Access - 'Save-CalendarNTLMLeak': Craft Malicious Calendar Appointment for CVE-2023-23397 (PowerShell)

CVE-2023-23397 is a critical elevation-of-privilege vulnerability affecting Microsoft Outlook. Successful exploitation allows an adversary to obtain the NTLM credentials of a Microsoft Outlook user. Exploitation consists of sending a specially crafted email to a target user; no user interaction with the received email is required.

Microsoft's advisory for the vulnerability is available at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397

This audit executes a PowerShell script that crafts a malicious calendar appointment. An adversary would add this appointment as an attachment to an email sent to the target user.

If the adversary already has access to the network, the patch for this vulnerability can be bypassed by using a random hostname for the 'ReminderSoundFile' attribute of the crafted calendar appointment. The attacker would typically run a listener for the resolution of that hostname, then capture the NTLM credentials, which can be used to pivot through the network.

Malicious Email Attachment Audit: Microsoft Outlook Privilege Escalation (CVE-2023-23397)

This audit sends an email with a specially crafted Outlook Task as an attachment.

The attachment uses the .msg extension, indicating that it is a Microsoft Outlook item.

The vulnerability is due to insufficient sanitization of the 'ReminderSoundFile' attribute of an Outlook task. This allows an attacker to configure a remote sound file for a new Outlook task, which is fetched via the SMB protocol as soon as the user receives the malicious email.

If this audit is not blocked, the attacker would harvest the NTLM hashes of the target who received the email. No special interaction of the target with the received email is required, making the vulnerability extremely easy to exploit.
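Because the risk described above comes entirely from where the 'ReminderSoundFile' value points, a defender triaging extracted .msg attachments can classify that value before anything is opened. The following is an added example, not Threat Simulator's or Microsoft's code; the trusted-host allowlist (`.corp.example`) and the sample values are constructed.

```python
import re

# Hosts that are trusted to serve reminder sounds (constructed allowlist for this
# example; an organisation would substitute its own). Exact names and suffixes.
TRUSTED_HOSTS = {"fileserver.corp.example"}
TRUSTED_SUFFIXES = (".corp.example",)

# \\host\share\... after normalising slashes; group 1 is the host component.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")

# "\\?\" and "\\.\" are local device / extended-length path prefixes, not hosts.
LOCAL_UNC_PREFIXES = ("?", ".")


def reminder_sound_host(value: str):
    """Return the host a ReminderSoundFile value would make Outlook contact over
    the network, or None when the path is local (drive letter, relative, \\?\ path).

    Accepts the \\host\share, //host/share and file://host/share spellings.
    """
    path = value.strip()
    if path.lower().startswith("file:"):
        path = path[len("file:"):]
    path = path.replace("/", "\\")
    match = UNC_RE.match(path)
    if not match:
        return None
    host = match.group(1).lower()
    if host in LOCAL_UNC_PREFIXES:
        return None
    return host


def classify_reminder_sound(value: str) -> str:
    """'local' (no network fetch), 'trusted' (allowlisted host) or 'untrusted'.

    Anything that is neither local nor explicitly allowlisted is 'untrusted':
    an item arriving by e-mail has no legitimate reason to reference such a host.
    """
    host = reminder_sound_host(value)
    if host is None:
        return "local"
    if host in TRUSTED_HOSTS or host.endswith(TRUSTED_SUFFIXES):
        return "trusted"
    return "untrusted"


# Constructed ReminderSoundFile values, as they might be extracted from .msg attachments.
SAMPLE_VALUES = [
    r"C:\Windows\Media\notify.wav",
    r"\\fileserver.corp.example\media\ping.wav",
    r"\\203.0.113.10\share\ping.wav",
    "file://203.0.113.10/share/ping.wav",
]

if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{classify_reminder_sound(v):9s} {v}")
```

Private IP addresses and unknown single-label names are deliberately reported as untrusted rather than internal, since the text above notes that an adversary with network access can point the attribute at a host that looks internal.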

Exploitation for Client Execution - 'Microsoft Word': RTF Font Table Heap Corruption (CVE-2023-21716)

Microsoft Office is the de facto Windows application suite for document processing, and a favorite vector and target for adversaries seeking an initial foothold in an infrastructure.

CVE-2023-21716 is an integer overflow vulnerability in Microsoft Word. The vulnerability is due to insufficient validation of RTF files with a large number of fonts defined in the font table. A remote attacker could exploit the vulnerability by enticing a user to open a specially crafted RTF document. Successful exploitation could result in a crash of the Word application or in remote code execution.

The purpose of this audit is to identify whether the application is vulnerable; opening the file will result in a crash of the Word application.

Password Guessing - "CrackMapExec": SSH brute force from DarkCloud (Bash)

Adversaries may try to guess passwords for a known account by using a repetitive or iterative mechanism with the help of a list of common passwords.

CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. CrackMapExec is hosted at https://github.com/Porchetta-Industries/CrackMapExec under the BSD 2-Clause "Simplified" License.

This audit uses the 'CrackMapExec' tool to guess the password of a known user over the SSH protocol by performing a dictionary attack.

Threat Campaigns:

Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware

A set of unique samples on VirusTotal (VT) was found to implement a significant number of evasion techniques, including one that uses the Beep API.

The sheer number of sandbox, VM and debugger evasion techniques the Beep malware implements is not often seen. After infection, the malware downloads and spreads additional malicious tools, including ransomware, making it extremely dangerous.

Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool

This report describes a new variant of the PlugX trojan that uses the legitimate open source debugger 'x32dbg.exe' to sideload a malicious DLL and deploy a backdoor.

To evade detection, the trojan replaces several DLLs used by this tool while keeping the same file names and function names, so that different code runs.

The trojan attempts to maintain remote access by combining multiple techniques, such as copying itself to different locations, creating a scheduled task for automatic execution, or setting an autostart registry Run key.

Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia

Hydrochasma is a new threat actor active in Asia, targeting shipping companies and medical laboratories, most likely via phishing emails. Most of the targeted companies have COVID-19 related work in common. This threat has been observed since at least October 2022.

Even though tools allowing remote access and data exfiltration have been deployed, the main motivation of this threat actor appears to be intelligence gathering.

BlackLotus UEFI bootkit: Myth confirmed

BlackLotus is the first identified UEFI bootkit that has the ability to bypass UEFI Secure Boot even on Windows 11 systems with the latest updates. This threat has been around since at least October 2022.

UEFI bootkits are very significant and stealthy threats because they can fully manipulate the OS boot process. This allows them to disable several OS security features, deploy their own malicious payloads, gain high privileges and establish persistent remote access on the compromised system.

Just Because It's Old Doesn't Mean You Throw It Away (Including Malware!)

A recent malware campaign was found using the MyDoom worm, malware first discovered in 2004 and long considered outdated. Despite this, the campaign shows that old malware can still be effective, with the potential to deploy additional malware for various purposes. The affected platform is Windows, and the impact is potentially severe, with a medium severity level.

Can You See It Now? An Emerging LockBit Campaign

A new LockBit ransomware campaign, observed in December and January, uses a combination of techniques to evade AV and EDR solutions, making it highly dangerous.

The attack starts with a .img container and a social engineering technique that displays a single file while hiding the rest of the files from the user. The post details the evasive tradecraft used in the campaign, including signed, legitimate executables and multi-stage scripts that extract a password-protected ransomware executable. The ransom note threatens to publish the stolen and encrypted data on Tor websites if the ransom is not paid.

Ransomware Roundup - CatB Ransomware | FortiGuard Labs

On 2023-02-16, Fortinet Threat Intelligence, FortiGuard, released a bi-weekly roundup of its ransomware dataset.

This report covers variants of the CatB ransomware.

Ransomware Roundup - Trigona Ransomware

On 2023-02-02, Fortinet Threat Intelligence, FortiGuard, released a bi-weekly roundup of its ransomware dataset.

This report covers variants of the Trigona ransomware.

Ransomware Roundup - Sirattacker and ALC Ransomware | FortiGuard Labs

On 2023-03-06, Fortinet Threat Intelligence, FortiGuard, released a bi-weekly roundup of its ransomware dataset.

This report covers variants of the Sirattacker and ALC ransomware families.

Pandas With a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities

Check Point Research identified and tracked Sharp Panda campaigns targeting government entities across Southeast Asia since early 2021.

The campaigns typically followed the same attack pattern, with only minor changes observed: gain initial access with spear-phishing emails, run a first in-memory loader called "5.t Downloader", then run a second-stage loader that delivers the final backdoor.

Since early 2023, Check Point Research has observed a new version of the Soul malware family being used as the second-stage payload received from the C2 server. This malware can download and load various modules in memory, which provide remote access and data collection on the victim system.

#StopRansomware: Royal Ransomware (Alert AA23-061A)

CISA warns of Royal threat actors spreading a new ransomware targeting U.S. and international organizations.

The threat actors gain access to target networks, disable antivirus software, exfiltrate substantial quantities of data, encrypt systems by deploying the Royal ransomware, and demand ransoms.

In reported incidents, instead of including the ransom amount and payment instructions in the initial ransom note, the attackers required direct interaction with the victims via a .onion URL (accessible via the Tor browser). Demanded ransoms ranged from approximately 1 to 11 million USD equivalent in Bitcoin.

This threat has been active since approximately September 2022 and has targeted various sectors, such as Communications, Healthcare, Manufacturing and Education.

How SYS01 Stealer Will Get Your Sensitive Facebook Info

A campaign using the SYS01 stealer is actively targeting Facebook business accounts via Google ads and fake Facebook profiles. It was first seen in May 2022.

Threat actors entice victims with ads and fake profiles promoting video games, adult content and more, in order to get them to download the SYS01 info stealer. The purpose of this threat actor is to steal sensitive information such as login credentials, cookies, and Facebook ad and business account information.

The infection is divided into two parts: the loader, usually a legitimate C# application susceptible to DLL side-loading, and an Inno Setup installer, which decompresses into a full PHP application containing malicious scripts.

CatB Ransomware | File Locker Sharpens Its Claws to Steal Data with MSDTC Service DLL Hijacking

The CatB ransomware family (also referred to as CatB99 or Baxtoy) has been observed since November 2022 and is believed to be related to the Pandora ransomware.

Its use of DLL hijacking via the Microsoft Distributed Transaction Coordinator (MSDTC) service to extract and launch ransomware payloads has drawn attention to this ransomware.

Old Cyber Gang Uses New Crypter - ScrubCrypt

Between January and February 2023, FortiGuard Labs observed ScrubCrypt, a type of malware that obfuscates and encrypts applications to evade detection by security programs. The updated version is advertised as being able to bypass Windows Defender and provide anti-debug and bypass functions.

The threat actor behind it was identified as the 8220 Gang, a mining group active since 2017 that appears to target any organization susceptible to attack.

IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks

SentinelOne has identified a new Linux version of IceFire ransomware family targeting international enterprise networks in the media and entertainment sector.

Previous versions of the IceFire ransomware targeted only Windows systems, but SentinelOne observed the expansion to Linux since at least mid-February 2023.

This version of IceFire is deployed through exploitation of the CVE-2022-47986 vulnerability. On execution, it encrypts system files and demands a ransom via a Tor-hosted payment portal.

GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers

Unit 42 discovered a new type of malware called GoBruteforcer, written in Golang, which targets web servers running phpMyAdmin, MySQL, FTP, and Postgres services.

The malware was hosted on a legitimate website and deployed an IRC bot on the victim server to communicate with the attacker's server. The threat actor used Classless Inter-Domain Routing (CIDR) block scanning to target a wide range of hosts within a network, and brute force to gain access to the victim systems.

That’s all for March; look out for our April update, coming soon.

And remember: you may not be as safe as you think you are. Start using Threat Simulator today so you can stay safe and respond quickly to the latest attacks.

For more information on how we can help you stay safe from the latest threats, check out our ebook https://www.keysight.com/zz/en/library/articles-and-casestudies/ebook/keysight-threat-simulator.html
