CyberSecurity News Byte

Hosted by Jim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 61: June 20, 2023

Links

https://www.hackread.com/diicot-hackers-ssh-servers-brute-force-malware/
https://www.securityweek.com/barracuda-zero-day-attacks-attributed-to-chinese-cyberespionage-group/
https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/
https://cyware.com/news/third-bug-in-moveit-transfer-found-d35a9335
https://www.helpnetsecurity.com/2023/06/19/cve-2023-35708/
https://www.bleepingcomputer.com/news/security/moveit-transfer-customers-warned-of-new-flaw-as-poc-info-surfaces/
https://cyberscoop.com/energy-department-cl0p-moveit-cisa/

New Threat Group Targets SSH Servers

  • Cado Labs Researchers
    • Diicot
      • emerging Romanian threat actor
      • AKA Mexals
      • extensive technical knowledge
      • active since 2020
  • new campaign
    • Cayosin botnet
      • Mirai-based botnet agent
    • targets routers running OpenWrt, a Linux-based OS
    • targets are the internet exposed SSH servers with password authentication enabled.
    • username and password list is pretty restrictive
      • including only default or easy-to-guess credentials.
  • Tactics
    • Shell Script Compiler
      • makes loader scripts difficult to analyze.
    • UPX (executable packer)
      • Ultimate Packer for Executables
      • modified header with the byte sequence 0x59545399.
      • the modified UPX header prevents unpacking through the standard command.
        • making it harder to detect
        • the upx dex utility created by Akamai’s Larry Cashdollar addresses this, and the sequence can be identified by detection tools.
    • Discord
      • used for C2
        • supports HTTP POST requests to a webhook URL.
        • allows data exfiltration and viewing campaign statistics.
      • Snowflake timestamps in the links
        • reveal creation dates within a given channel.
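As an added example (not code from the podcast, Cado Labs or Akamai), the Python helpers below triage the three indicators in the notes above from a defender's side: they flag whether a sample carries the stock `UPX!` marker or the modified 0x59545399 sequence, decode the creation time hidden in a Discord webhook link's snowflake id, and check an sshd_config for the password-authentication exposure the campaign relies on. Assumptions: the 0x59545399 marker appears in the file as the bytes 59 54 53 99 in that order; the Discord snowflake layout (upper 42 bits are milliseconds since 2015-01-01T00:00:00Z) follows Discord's public documentation; every sample input (the fake ELF blobs, the webhook URL, the sshd_config excerpt) is constructed for the demo.

```python
"""Triage helpers for the Diicot indicators: UPX marker, Discord snowflake,
sshd password authentication. Added example; not the page's or Cado's code."""
import re
from datetime import datetime, timezone
from typing import Optional

STANDARD_UPX_MAGIC = b"UPX!"
MODIFIED_UPX_MAGIC = bytes.fromhex("59545399")  # 0x59545399, assumed in this byte order
DISCORD_EPOCH_MS = 1_420_070_400_000             # 2015-01-01T00:00:00Z
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/")


def classify_upx(data: bytes) -> str:
    """Report which UPX marker, if any, a binary carries.

    'upx-modified-header' means the Diicot-style sequence is present and a stock
    `upx -d` will refuse the file; 'upx-standard' means the normal magic is there.
    The modified marker is checked first so a file carrying both is still flagged.
    """
    if MODIFIED_UPX_MAGIC in data:
        return "upx-modified-header"
    if STANDARD_UPX_MAGIC in data:
        return "upx-standard"
    return "no-upx-marker"


def decode_snowflake(snowflake: int) -> datetime:
    """UTC creation time encoded in a Discord snowflake id (top 42 bits = ms offset)."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def webhook_created_at(url: str) -> Optional[datetime]:
    """Creation time of the webhook named in a Discord webhook URL, or None."""
    m = WEBHOOK_RE.search(url)
    if not m:
        return None
    return decode_snowflake(int(m.group(1)))


def password_auth_enabled(sshd_config: str) -> bool:
    """True if the global sshd PasswordAuthentication setting is 'yes'.

    OpenSSH honours the first occurrence of a keyword and defaults to 'yes' when
    it is absent. Directives inside Match blocks only apply to matching users or
    hosts, so parsing stops at the first Match line.
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "passwordauthentication" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return True  # keyword absent: compiled-in default applies


# Constructed samples (not real malware or infrastructure).
SAMPLE_STOCK = b"\x7fELF" + b"\x00" * 60 + STANDARD_UPX_MAGIC + b"\x00" * 16
SAMPLE_MODIFIED = b"\x7fELF" + b"\x00" * 60 + MODIFIED_UPX_MAGIC + b"\x00" * 16
# Webhook id chosen so that it decodes to 2023-06-01T00:00:00Z; token is a placeholder.
SAMPLE_WEBHOOK = "https://discord.com/api/webhooks/1113617910988800000/CONSTRUCTED_TOKEN_PLACEHOLDER"
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, blob in (("stock", SAMPLE_STOCK), ("modified", SAMPLE_MODIFIED)):
        print(f"{name}: {classify_upx(blob)}")
    print("webhook created:", webhook_created_at(SAMPLE_WEBHOOK).isoformat())
    print("password auth enabled:", password_auth_enabled(SAMPLE_SSHD_CONFIG))
```

The marker check is deliberately a byte search rather than a full ELF/UPX header parse, since the point is to flag the modified sequence on a triage host before handing the file to a proper unpacker; the sshd check returns the global setting only, so a `Match` block that re-enables passwords for a specific user still needs a manual look.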

Barracuda Zero-Day Attacks

  • Barracuda Networks
    • Founded 2003
    • security, networking, and storage products based on network appliances and cloud services.
  • Attacks
    • CVE-2023-2868
      • Barracuda Email Security Gateway (ESG)
        • module designed for the initial screening of email attachments.
    • attackers sent the targeted entity an email containing a specially crafted TAR file as an attachment.
      • likely crafted the body and subject of the message to appear as generic spam.
        • so it would be flagged by spam filters.
        • to dissuade security analysts from performing a full investigation.
    • Discovered by Barracuda on May 18
    • Engaged Mandiant (owned by Google Cloud)
    • Exploited since at least October 2022
    • attackers executed a reverse shell, after which they downloaded custom backdoor malware.
      • SeaSpy, SaltWater and SeaSide
      • used for C&C communications, downloading and executing files, executing commands, and providing proxying capabilities.
  • Attribution
    • UNC4841
    • high confidence
      • acting on behalf of the Chinese government
  • Protection
    • Barracuda urged customers to immediately replace compromised appliances.
      • hinting that the patch may not fully protect devices.
      • attackers started modifying their malware and deploying additional persistence mechanisms.

GravityRAT goes after WhatsApp backups.

  • ESET researchers
    • updated version of Android GravityRAT spyware
    • distributed as the messaging apps BingeChat (ongoing) and Chatico (no longer active)
  • GravityRAT
    • Used since 2015
    • RAT = Remote Access Tool
    • used in targeted attacks against India.
    • Windows, Android, and macOS versions
    • exfiltrate WhatsApp backups and receive commands to delete files.
    • the apps also provide legitimate chat functionality.
  • Attack
    • bingechat[.]net
      • login required.
      • registration closed.
        • possibly only open as needed (or another factor)
    • made available in the Google Play store.

Third MOVEit Bug Discovered

  • First Bug
    • CVE-2023-34362
    • Exploited by the Cl0p cyber extortion gang.
  • Second Bug
    • CVE-2023-35036
    • found by Huntress researchers partnering with Progress.
      • during a code review
  • Third Bug
    • CVE-2023-35708
    • No evidence of exploitation yet.
    • could lead to escalated privileges and unauthorized access
    • a crafted payload sent to a MOVEit Transfer application endpoint could result in modification and disclosure of MOVEit database content
  • Cl0p ransomware group
    • The Cl0p ransomware gang has claimed responsibility for launching multiple attacks involving the first MOVEit Transfer vulnerability.
    • According to a representative from the group, it began exploiting the vulnerability on May 27.
    • Following the deadline of June 14, the Cl0p ransomware group publicly disclosed the names of over two dozen organizations affected by the attacks.
      • Victims
        • The list includes
          • multinational oil and gas company Shell
          • several banks
          • media companies
          • universities
          • two entities of the US Department of Energy
            • Oak Ridge Associated Universities
            • contractor at Oak Ridge National Laboratory
          • the Oregon Department of Transportation
      • Cl0p did state that government data will be deleted and not retained or shared.
        • to avoid being a target of any government
      • Rewards for Justice program
        • US State Department
          • offered a considerable monetary reward for individuals who “have info linking CL0P Ransomware Gang or any other malicious cyber actors targeting U.S. critical infrastructure to a foreign government.”
  • Protect Yourself
    • A patch for the latest vulnerability is currently being tested and will be released soon.
    • MOVEit Transfer customers are advised to disable HTTP and HTTPS traffic until patched.
    • temporary measure, modifying firewall rules to block traffic on ports 80 and 443.
      • web UI login will be unavailable.
      • file transfers can still be conducted using the SFTP and FTP/S protocols.