CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.

This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands on the underlying system. The flaws were fixed in a patch released by Veritas in March 2021.

CVE-2021-27876 (CVSS score: 8.1) - Veritas Backup Exec Agent File Access Vulnerability

CVE-2021-27877 (CVSS score: 8.2) - Veritas Backup Exec Agent Improper Authentication Vulnerability

CVE-2021-27878 (CVSS score: 8.8) - Veritas Backup Exec Agent Command Execution Vulnerability

Google-owned Mandiant, in a report published last week, revealed that an affiliate associated with the BlackCat (aka ALPHV and Noberus) ransomware operation is targeting publicly exposed Veritas Backup Exec installations to gain initial access by leveraging the aforementioned three bugs.

The threat intelligence firm, which is tracking the affiliate actor under its uncategorized moniker UNC4466, said it first observed exploitation of the flaws in the wild on October 22, 2022.

In one incident detailed by Mandiant, UNC4466 gained access to an internet-exposed Windows server, followed by carrying out a series of actions that allowed the attacker to deploy the Rust-based ransomware payload, but not before conducting reconnaissance, escalating privileges, and disabling Microsoft Defender's real-time monitoring capability.

Also added by CISA to the KEV catalog is CVE-2019-1388 (CVSS score: 7.8), a privilege escalation flaw impacting Microsoft Windows Certificate Dialog that could be exploited to run processes with elevated permissions on an already compromised host.

The fifth vulnerability included in the list is an information disclosure flaw in Arm Mali GPU Kernel Driver (CVE-2023-26083) that was revealed by Google's Threat Analysis Group (TAG) last month as abused by an unnamed spyware vendor as part of an exploit chain to break into Samsung's Android smartphones.

Federal Civilian Executive Branch Agencies (FCEB) have time till April 28, 2023, to apply the patches to secure their networks against potential threats.

The advisory also comes as Apple released updates for iOS, iPadOS, macOS, and Safari web browsers to address a pair of zero-day flaws (CVE-2023-28205 and CVE-2023-28206) that it said has been exploited in real-world attacks.

Researchers Discover Critical Remote Code Execution Flaw in vm2 Sandbox Library

 The maintainers of the vm2 JavaScript sandbox module have shipped a patch to address a critical flaw that could be abused to break out of security boundaries and execute arbitrary shellcodes.

The flaw, which affects all versions, including and prior to 3.9.14, was reported by researchers from South Korea-based KAIST WSP Lab on April 6, 2023, prompting vm2 to release a fix with version 3.9.15 on Friday.

"A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox," vm2 disclosed in an advisory.

The vulnerability has been assigned the identified CVE-2023-29017 and is rated 9.8 on the CVSS scoring system. The issue stems from the fact that it does not properly handle errors that occur in asynchronous functions.

vm2 is a popular library that's used to run untrusted code in an isolated environment on Node.js. It has nearly four million weekly downloads and is used in 721 packages.

KAIST security researcher Seongil Wi has also made available two different variants of a proof-of-concept (PoC) exploit for CVE-2023-29017 that get around the sandbox protections and allow the creation of an empty file named "flag" on the host.

The disclosure comes almost six months after vm2 resolved another critical bug (CVE-2022-36067, CVSS score: 10) that could have been weaponized to perform arbitrary operations on the underlying machine.

Taiwanese PC Company MSI Falls Victim to Ransomware Attack

 Taiwanese PC company MSI (short for Micro-Star International) officially confirmed it was the victim of a cyber attack on its systems.

The company said it "promptly" initiated incident response and recovery measures after detecting "network anomalies." It also said it alerted law enforcement agencies of the matter.

That said, MSI did not disclose any specifics about when the attack took place and if it entailed the exfiltration of any proprietary information, including source code.

"Currently, the affected systems have gradually resumed normal operations, with no significant impact on financial business," the company said in a brief notice shared on Friday.

In a regulatory filing with the Taiwan Stock Exchange, it said that it's setting up enhanced controls of its network and infrastructure to ensure the security of data.

MSI is further urging users to obtain firmware/BIOS updates only from its official website and refrain from downloading files from other sources.

The disclosure comes as a new ransomware gang known as Money Message added the company to its list of victims. The threat actor was spotlighted by Zscaler late last month.

"The group utilizes a double extortion technique to target its victims, which involves exfiltrating the victim's data before encrypting it," Cyble noted in an analysis published this week. "The group uploads the data on their leak site if the ransom is unpaid."

The development comes a month after Acer confirmed a breach of its own that resulted in the theft of 160 GB of confidential data. It was advertised on March 6, 2023, for sale on the now-defunct BreachForums.

Iran Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.

That's according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084.

"While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," the tech giant revealed Friday.

MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017.

It's also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, and TEMP.Zagros, and Yellow Nix.

Cybersecurity firm Secureworks, in its profile of Cobalt Ulster, notes that it's not entirely uncommon in the realm of the threat actor to "inject false flags into code associated with their operations" as a distraction in an attempt to muddy attribution efforts.

Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.

The latest findings from Microsoft reveal the threat actor probably worked together with DEV-1084 to pull off the espionage attacks, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold in the target environment.

"Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," Microsoft said.

In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform "thousands of search activities" and impersonate an unnamed high-ranking employee to send messages to both internal and external recipients.

The aforementioned actions are estimated to have transpired over a roughly three-hour time frame starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).

It's worth noting here that DEV-1084 refers to the same threat actor that assumed the "DarkBit" persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater.

"DEV-1084 [...] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran's link to and strategic motivation for the attack," Microsoft added.

The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact.

That said, there is not ample evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or if it's a sub-team that's only summoned when there is a need to conduct a destructive attack.

Cisco Talos, early last year, described MuddyWater as a "conglomerate" comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction.

"While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target," Talos noted in March 2022.

Researchers Uncover Thriving Phishing Kit Market on Telegram Channels

 In yet another sign that Telegram is increasingly becoming a thriving hub for cybercrime, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns.

"To promote their 'goods,' phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, 'What type of personal data do you prefer?'," Kaspersky web content analyst Olga Svistunova said in a report published this week.

The links to these Telegram channels are distributed via YouTube, GitHub, and the phishing kits that are developed by the crooks themselves. The Russian cybersecurity firm said it detected over 2.5 million malicious URLs generated using phishing kits in the past six months.

One of the prominent services offered is to provide threat actors with Telegram bots that automate the process of generating phishing pages and collecting user data.

Although it's the scammer's responsibility to distribute the fake login pages to targets of interest, the credentials captured in those pages are sent back by means of another Telegram bot.

Other bot services go a step further by advertising options to generate phishing pages that mimic a legitimate service, which is then used to lure potential victims under the pretext of giving away free likes on social media services.

"Scammer-operated Telegram channels sometimes post what appears to be exceptionally generous offers, for example, zipped up sets of ready-to-use phishing kits that target a large number of global and local brands," Svistunova said.

In some cases, phishers have also been observed sharing users' personal data with other subscribers for free in hopes of attracting aspiring criminals, only to sell paid kits to those who wish to pull off more such attacks. The scammers further offer to teach "how to phish for serious cash."

Using free propositions is also a way for scammers to trick cash-strapped and newbie criminals into using their phishing kits, resulting in double theft, where the stolen data is also sent to the creator without their knowledge.

Paid services, on the other hand, include advanced kits that boast of an appealing design and features like anti-bot detection, URL encryption, and geoblocking that threat actors could use to commit more advanced social engineering schemes. Such pages cost anywhere between $10 to $280.

Another paid category entails the sale of personal data, with credentials of bank accounts advertised at different rates based on the balance. For example, an account with a balance of $49,000 was put up for $700.

What's more, phishing services are marketed via Telegram on a subscription basis (i.e., phishing-as-a-service or PhaaS), wherein the developers rent the kits for a monthly fee in return for providing regular updates.

Also promoted as a subscription is a one-time password (OTP) bot that calls users and convinces them to enter the two-factor authentication code on their phones to help bypass account protections.

Setting up these services is relatively straightforward. What's more difficult is earning the trust and loyalty of the customers. And some vendors go out of their way to assure that all the information is encrypted so that no third parties, including themselves, can read it.

The findings also follow an advisory from Cofense earlier this January, which revealed an 800% increase year-over-year in the use of Telegram bots as exfiltration destinations for phished information.

"Wannabe phishers used to need to find a way onto the dark web, study the forums there, and do other things to get started," Svistunova said. "The threshold to joining the phisher community lowered once malicious actors migrated to Telegram and now share insights and knowledge, often for free, right there in the popular messaging service."

FBI Cracks Down on Genesis Market: 119 Arrested in Cybercrime Crackdown

 A coordinated international law enforcement operation has dismantled Genesis Market, an illegal online marketplace that specialized in the sale of stolen credentials associated with email, bank accounts, and social media platforms.

Coinciding with the infrastructure seizure, the major crackdown, involved authorities from 17 countries, culminating in 119 arrests and 208 property searches in 13 nations. However, the .onion mirror of the market appears to be still up and running.

The "unprecedented" law enforcement exercise has been codenamed Operation Cookie Monster.

Genesis Market, since its inception in March 2018, evolved into a major hub for criminal activities, offering access to data stolen from over 1.5 million compromised computers across the world totaling more than 80 million credentials.

A majority of infections associated with Genesis Market-related malware have been detected in the U.S., Mexico, Germany, Turkey, Sweden, Italy, France, Spain, Poland, Ukraine, Saudi Arabia, India, Pakistan, and Indonesia, among others, per data gathered by Trellix.

Some of the prominent malware families that were leveraged to compromise victims encompass AZORult, Raccoon, RedLine, and DanaBot, which are all capable of stealing sensitive information from users' systems. Also delivered through DanaBot is a rogue Chrome extension designed to siphon browser data.

"Account access credentials advertised for sale on Genesis Market included those connected to the financial sector, critical infrastructure, and federal, state, and local government agencies," the U.S. Department of Justice (DoJ) said in a statement.

The DoJ called Genesis Market one of the "most prolific initial access brokers (IABs) in the cybercrime world." The U.S. Treasury Department, in a coordinated announcement, sanctioned the criminal shop, describing it as a "key resource" used by threat actors to target U.S. government organizations.

Besides credentials, Genesis also peddled device fingerprints – which include unique identifiers and browser cookies – so as to help threat actors circumvent anti-fraud detection systems used by many websites.

"The combination of stolen access credentials, fingerprints, and cookies allowed purchasers to assume the identity of the victim by tricking third-party websites into thinking the Genesis Market user was the actual owner of the account," the DoJ added.

Court documents reveal that the U.S. Federal Bureau of Investigation (FBI) gained access to Genesis Market's backend servers twice in December 2020 and May 2022, enabling the agency to access information pertaining to about 59,000 users of the cybercrime bazaar.

The packages of stolen information harvested from infected computers (aka "bots") were sold for anywhere between $0.70 to several hundreds of dollars depending on the nature of the data, according to Europol and Eurojust.

"The most expensive would contain financial information which would allow access to online banking accounts," Europol noted, stating the criminals purchasing the data were also provided with additional tools to use it without attracting attention.

"Buyers were provided with a custom browser that would mimic one of their victims. This allowed the criminals to access their victim's account without triggering any of the security measures from the platform the account was on."

The proprietary Chromium-based browser, referred to as Genesium, is cross-platform, with the maintainers claiming features such as "anonymous surfing" and other advanced functionalities that permit its users to bypass anti-fraud systems.

Genesis Market, unlike Hydra and other illicit marketplaces, was also accessible over the clarinet, thereby lowering the barrier of entry for lesser-skilled threat actors looking to obtain digital identities in order to breach individual accounts and enterprise systems.

The takedown is expected to have a "ripple effect throughout the underground economy" as threat actors search for alternatives to fill the void left by Genesis Market.

Genesis Market is the latest in a long line of illegitimate services that have been taken down by law enforcement. It also arrives exactly a year after the dismantling of Hydra, which was felled by German authorities in April 2022 and created a "seismic shift in the Russian-language darknet marketplace landscape."

"Almost a year after Hydra's takedown, five markets — Mega, Blacksprut, Solaris, Kraken, and OMG!OMG! Market — have emerged as the biggest players based on the volume of offers and the number of sellers," Flashpoint said in a new report.

The development also follows the launch of a new dark web marketplace known as STYX that's primarily geared toward financial fraud, money laundering, and identity theft. It's said to have opened its doors around January 19, 2023.

"Some examples of the specific service offerings marketed on STYX include cash-out services, data dumps, SIM cards, DDOS, 2FA/SMS bypass, fake and stolen ID documents, banking malware, and much more," Resecurity said in a detailed writeup.

Like Genesis Market, STYX also offers utilities that are designed to get around anti-fraud solutions and access compromised accounts by using granular digital identifiers like stolen cookie files, physical device data, and network settings to spoof legitimate customer logins.

The emergence of STYX as a new platform in the commercial cybercriminal ecosystem is yet another sign that the market for illegal services continues to be a fruitful business, allowing bad actors to profit from credential theft and payment data.

"The majority of STYX Marketplace vendors specialize in fraud and money laundering services targeting popular digital banking platforms, online marketplaces, e-commerce, and other payment applications," Resecurity noted. "The geographies targeted by these threat actors are global, spanning the U.S., E.U., U.K., Canada, Australia, and multiple countries in APAC and the Middle East."

Protect Your Company: Ransomware Prevention Made Easy

 Every year hundreds of millions of malware attacks occur worldwide, and every year businesses deal with the impact of viruses, worms, keyloggers, and ransomware. Malware is a pernicious threat and the biggest driver for businesses to look for cybersecurity solutions.

Naturally, businesses want to find products that will stop malware in its tracks, and so they search for solutions to do that. But malware protection alone is not enough, instead what's needed is a more holistic approach. Businesses need to defend against malware entering the network, and then on top of that have systems and processes in place to restrict the damage that malware can do if it infects a user device.

This approach will not only help stop and mitigate the damage from malware, but defend against other types of threats too, such as credential theft as a result of phishing, insider threats, and supply-chain attacks.

Malware Protection and Web Filtering#

The first and most sensible place to begin is with anti-malware solutions. It's important to look for malware solutions that can confront today's key threats, such as known malware, polymorphic variants, ransomware, zero-day exploits, and Advanced Persistent Threats (APTs). This requires a strong toolkit of virus signature databases, virtual code execution, as well as heuristics and other machine learning techniques.

Ideally, you would also use malware protection for both the network and the endpoint. This requires two different solutions, but a multi-layered approach means less chance of something getting through.

In addition to Malware Protection, Web Filtering keeps your employees away from potential threats by disallowing known malicious sites, questionable sites, and other places online you'd rather not have managed devices visit.

Zero Trust Network Access#

Every security strategy in a modern network environment should embrace the principles of Zero Trust. The most practical implementation of which is Zero Trust Network Access (ZTNA).

Zero Trust itself is a set of ideas about security based on the idea "never trust, always verify." That is, no one should be allowed to just log in to the network and stay as long as they like. Because if you do that, you can never really know whether or not the user logging in is who they claim to be, or if they're a threat actor who obtained a legitimate user's login credentials.

Instead, each user should only be allowed to access resources they need to do their job, and not to every cloud resource or on-prem server in the company. An HR employee, for example, has no practical reason to access a company Git server containing a codebase, or an SQL database containing sensitive customer information. So the network should, by default, group HR employees together into one group and disallow them from accessing that information.

This approach goes for every department. Only the resources they need to do their jobs should be available, while access to everything else is disallowed.

Segmenting access at the application level isn't quite enough to qualify as Zero Trust, however. In fact, this level of restricting access, known as micro-segmentation, is just one part of the Zero Trust approach.

A full ZTNA implementation also embraces context checks that can involve the security status of a managed device, time-based access rules, and geographic requirements.

You might, for example, require that managed devices must be running a specific minimum version of Windows or macOS. You could require that all devices have a specific antivirus solution running, or that a specific security certificate is installed somewhere on the device.

Micro-segmentation, allowing specific people to access specific applications, in conjunction with context-based authentication rules provides a complete Zero Trust approach.

In addition, there should be access rules not only for users on managed devices but also on unmanaged devices. The latter are best handled by Agentless ZTNA solutions where people access individual applications through a web portal that is not discoverable over the open Internet. Here, too, you can apply context rules such as allowing access only during certain times of the day or disallowing access based on location.

With a ZTNA strategy in place, it will be much harder for threat actors to traverse a business network in search of sensitive data. Ransomware will have a much harder time encrypting all of a business' files, and disgruntled employees won't be able to exfiltrate as much data or cause other mayhem within the company.