Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Apr 26, 2024 | Newsroom | Network Security / Zero Day

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.

The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.

There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.

The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that’s capable of executing commands transmitted via specially crafted requests.

The intrusions have not been linked to a known threat actor or group, but it’s suspected to be a state-backed hacking crew given the tradecraft and the victimology observed.

The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise –

  • Level 0 (Probe): Unsuccessful exploitation attempt – Update to the latest provided hotfix
  • Level 1 (Test): Evidence of the vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands – Update to the latest provided hotfix
  • Level 2 (Potential Exfiltration): Signs that files like “running_config.xml” were copied to a location accessible via web requests – Update to the latest provided hotfix and perform a Private Data Reset
  • Level 3 (Interactive Access): Evidence of interactive command execution, such as the introduction of backdoors and other malicious code – Update to the latest provided hotfix and perform a Factory Reset

“Performing a private data reset eliminates risks of potential misuse of device data,” Palo Alto Networks said. “A factory reset is recommended due to evidence of more invasive threat actor activity.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Bogus npm Packages Used to Trick Software Developers into Installing Malware

Apr 27, 2024 | Newsroom | Malware / Software Security

An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor.

Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors.

“During these fraudulent interviews, the developers are often asked to perform tasks that involve downloading and running software from sources that appear legitimate, such as GitHub,” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. “The software contained a malicious Node JS payload that, once executed, compromised the developer’s system.”

Details of the campaign first emerged in late November 2023, when Palo Alto Networks Unit 42 detailed an activity cluster dubbed Contagious Interview in which the threat actors pose as employers to lure software developers into installing malware such as BeaverTail and InvisibleFerret through the interview process.

Then earlier this February, software supply chain security firm Phylum uncovered a set of malicious packages on the npm registry that delivered the same malware families to siphon sensitive information from compromised developer systems.

It’s worth noting that Contagious Interview is said to be disparate from Operation Dream Job (aka DeathNote or NukeSped), with Unit 42 telling The Hacker News that the former is “focused on targeting developers, mainly through fake identities in freelance job portals, and the next stages involve the use of developer tools and npm packages leading to […] BeaverTail and InvisibleFerret.”

Operation Dream Job, linked to the prolific Lazarus Group from North Korea, is a long-running offensive campaign that sends malicious files disguised as job offers to unsuspecting professionals in sectors such as aerospace, cryptocurrency, and defense in order to distribute malware.

First uncovered by Israeli cybersecurity firm ClearSky at the start of 2020, it also exhibits overlaps with two other Lazarus clusters known as Operation In(ter)ception and Operation North Star.

The attack chain detailed by Securonix starts with a ZIP archive hosted on GitHub that’s likely sent to the target as part of the interview. Present within the file is a seemingly innocuous npm module that harbors a malicious JavaScript file codenamed BeaverTail that acts as an information stealer and a loader for a Python backdoor called InvisibleFerret that’s retrieved from a remote server.

The implant, besides gathering system information, is capable of command execution, file enumeration and exfiltration, and clipboard and keystroke logging.

The development is a sign that North Korean threat actors continue to hone a raft of weapons for their cyber attack arsenal, consistently updating their tradecraft with improved abilities to hide their actions and blend in on host systems and networks, not to mention siphon off data and turn compromises into financial gain.

“When it comes to attacks which originate through social engineering, it’s critical to maintain a security-focused mindset, especially during intense and stressful situations like job interviews,” Securonix researchers said.

“The attackers behind the DEV#POPPER campaigns abuse this, knowing that the person on the other end is in a highly distracted and much more vulnerable state.”


Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

Apr 27, 2024 | Newsroom | Cyber Attack / Malware

Cybersecurity researchers have discovered a targeted operation against Ukraine that has been found leveraging a nearly seven-year-old flaw in Microsoft Office to deliver Cobalt Strike on compromised systems.

The attack chain, which took place at the end of 2023 according to Deep Instinct, employs a PowerPoint slideshow file (“signal-2023-12-20-160512.ppsx”) as the starting point, with the filename implying that it may have been shared via the Signal instant messaging app.

That said, there is no actual evidence to indicate that the PPSX file was distributed in this manner, even though the Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered two different campaigns that have used the messaging app as a malware delivery vector in the past.

Just last week, the agency disclosed that Ukrainian armed forces are being increasingly targeted by the UAC-0184 group via messaging and dating platforms to serve malware like HijackLoader (aka GHOSTPULSE and SHADOWLADDER), XWorm, and Remcos RAT, as well as open-source programs such as sigtop and tusc to exfiltrate data from computers.

“The PPSX (PowerPoint slideshow) file appears to be an old instruction manual of the U.S. Army for mine clearing blades (MCB) for tanks,” security researcher Ivan Kosarev said. “The PPSX file includes a remote relationship to an external OLE object.”

This involves the exploitation of CVE-2017-8570 (CVSS score: 7.8), a now-patched remote code execution bug in Office that could allow an attacker to perform arbitrary actions upon convincing a victim to open a specially crafted file, to load a remote script hosted on weavesilk[.]space.
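A defender-side check for the “remote relationship to an external OLE object” described above, added here as an example that is not part of Deep Instinct’s analysis: a PPSX is an OOXML zip, so the script opens every `.rels` part and flags any `oleObject` relationship whose `TargetMode` is `External`, which is what makes the file reach out to a remote host. The package, the slide layout reference and the `example.invalid` URL are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type PowerPoint uses for OLE objects.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def find_external_ole_links(ppsx_bytes: bytes) -> list[dict]:
    """Scan every .rels part in the package and return OLE-object relationships
    whose TargetMode is External, i.e. objects fetched from outside the file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ppsx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
                    hits.append({"rels_part": name, "id": rel.get("Id"), "target": rel.get("Target")})
    return hits


def build_sample_ppsx(external: bool) -> bytes:
    """Constructed minimal PPSX-like package (not a real deck) with one slide.
    external=True links the slide's OLE object to a placeholder URL; False embeds it."""
    if external:
        ole_rel = (f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" '
                   'Target="http://example.invalid/remote-object" TargetMode="External"/>')
    else:
        ole_rel = f'<Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>'
    rels = (f'<Relationships xmlns="{REL_NS}">'
            '<Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" '
            'Target="../slideLayouts/slideLayout1.xml"/>'
            f'{ole_rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("ppt/slides/slide1.xml", "<sld/>")
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print("external OLE links:", find_external_ole_links(build_sample_ppsx(flag)))
```

The same scan applies to DOCX and XLSX, since all three share the OOXML relationship model; an embedded object (no `TargetMode`) is left alone, so only externally linked objects are reported.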

The heavily obfuscated script subsequently launches an HTML file containing JavaScript code, which, in turn, sets up persistence on the host via Windows Registry and drops a next-stage payload that impersonates the Cisco AnyConnect VPN client.

The payload includes a dynamic-link library (DLL) that ultimately injects a cracked Cobalt Strike Beacon, a legitimate pen-testing tool, directly into system memory and awaits further instructions from a command-and-control (C2) server (“petapixel[.]fun”).

The DLL also packs in features to check if it’s being executed in a virtual machine and evade detection by security software.

Deep Instinct said it could neither link the attacks to a specific threat actor or group nor exclude the possibility of a red teaming exercise. Also unclear is the exact end goal of the intrusion.

“The lure contained military-related content, suggesting it was targeting military personnel,” Kosarev said.

“But the domain names weavesilk[.]space and petapixel[.]fun are disguised as an obscure generative art site (weavesilk[.]com) and a popular photography site (petapixel[.]com). These are unrelated, and it’s a bit puzzling why an attacker would use these specifically to fool military personnel.”

The disclosure comes as CERT-UA revealed that about 20 energy, water, and heating suppliers in Ukraine have been targeted by a Russian state-sponsored group called UAC-0133, a sub-cluster within Sandworm (aka APT44, FROZENBARENTS, Seashell Blizzard, UAC-0002, and Voodoo Bear), which is responsible for the bulk of the disruptive and destructive operations against the country.

The attacks, which aimed to sabotage critical operations, involve the use of malware like Kapeka (aka ICYWELL, KnuckleTouch, QUEUESEED, and wrongsens) and its Linux variant BIASBOAT, as well as GOSSIPFLOW and LOADGRIP.

While GOSSIPFLOW is a Golang-based SOCKS5 proxy, LOADGRIP is an ELF binary written in C that’s used to load BIASBOAT on compromised Linux hosts.

Sandworm is a prolific and highly adaptive threat group linked to Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). It’s known to have been active since at least 2009, and the adversary is also tied to three hack-and-leak hacktivist personas: XakNet Team, CyberArmyofRussia_Reborn, and Solntsepek.

“Sponsored by Russian military intelligence, APT44 is a dynamic and operationally mature threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations,” Mandiant said, describing the advanced persistent threat (APT) as engaged in a multi-pronged effort to help Russia gain a wartime advantage since January 2022.

“APT44 operations are global in scope and mirror Russia’s wide-ranging national interests and ambitions. Patterns of activity over time indicate that APT44 is tasked with a range of different strategic priorities and is highly likely seen by the Kremlin as a flexible instrument of power capable of serving both enduring and emerging intelligence requirements.”


New ‘Brokewell’ Android Malware Spread Through Fake Browser Updates

Apr 26, 2024 | Newsroom | Mobile Security / Cybercrime

Fake browser updates are being used to push a previously undocumented Android malware called Brokewell.

“Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware,” Dutch security firm ThreatFabric said in an analysis published Thursday.

The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches.

The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows –

  • jcwAz.EpLIq.vcAZiUGZpK (Google Chrome)
  • zRFxj.ieubP.lWZzwlluca (ID Austria)
  • com.brkwl.upstracking (Klarna)

Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting accessibility service permissions.

The banking trojan, once installed and launched for the first time, prompts the victim to grant permissions to the accessibility service, which it subsequently uses to automatically grant other permissions and carry out various malicious activities.

This includes displaying overlay screens on top of targeted apps to pilfer user credentials. It can also steal cookies by launching a WebView and loading the legitimate website, after which the session cookies are intercepted and transmitted to an actor-controlled server.

Some of the other features of Brokewell include the ability to record audio, take screenshots, retrieve call logs, access device location, list installed apps, record every event happening on the device, send SMS messages, make phone calls, install and uninstall apps, and even disable the accessibility service.

The threat actors can also leverage the malware’s remote control functionality to see what’s displayed on screen in real-time, as well as interact with the device through clicks, swipes, and touches.

Brokewell is said to be the work of a developer who goes by the name “Baron Samedit Marais” and manages the “Brokewell Cyber Labs” project, which also includes an Android Loader publicly hosted on Gitea.

The loader is designed to act as a dropper that bypasses the accessibility permission restrictions in Android versions 13, 14, and 15 using a technique previously adopted by dropper-as-a-service (DaaS) offerings like SecuriDropper, and then deploys the trojan implant.

By default, the loader apps generated through this process have the package name “com.brkwl.apkstore,” although this can be configured by the user by either providing a specific name or enabling the random package name generator.

The free availability of the loader means it could be embraced by other threat actors looking to sidestep Android’s security protections.

“Second, existing ‘Dropper-as-a-Service’ offerings that currently provide this capability as a distinctive feature will likely either close their services or attempt to reorganize,” ThreatFabric said.

“This further lowers the entry barrier for cybercriminals looking to distribute mobile malware on modern devices, making it easier for more actors to enter the field.”

Update

A Google spokesperson shared the below statement with The Hacker News –

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”


Severe Flaws Disclosed in Brocade SANnav SAN Management Software

Apr 26, 2024 | Newsroom | Supply Chain Attack / Software Security

Several security vulnerabilities disclosed in Brocade SANnav storage area network (SAN) management application could be exploited to compromise susceptible appliances.

The 18 flaws impact all versions up to and including 2.3.0, according to independent security researcher Pierre Barre, who discovered and reported them.

The issues range from incorrect firewall rules, insecure root access, and Docker misconfigurations to a lack of authentication and encryption, allowing an attacker to intercept credentials, overwrite arbitrary files, and completely breach the device.

Some of the most severe flaws are listed below –

  • CVE-2024-2859 (CVSS score: 8.8) – A vulnerability that could allow an unauthenticated, remote attacker to log in to an affected device using the root account and execute arbitrary commands
  • CVE-2024-29960 (CVSS score: 7.5) – The use of hard-coded SSH keys in the OVA image, which could be exploited by an attacker to decrypt the SSH traffic to the SANnav appliance and compromise it
  • CVE-2024-29961 (CVSS score: 8.2) – A vulnerability that could allow an unauthenticated, remote attacker to stage a supply chain attack by taking advantage of the fact that the SANnav service sends ping commands in the background at periodic intervals to the domains gridgain[.]com and ignite.apache[.]org to check for updates
  • CVE-2024-29963 (CVSS score: 8.6) – The use of hard-coded Docker keys in the SANnav OVA to reach remote registries over TLS, thereby allowing an attacker to carry out an adversary-in-the-middle (AitM) attack on the traffic
  • CVE-2024-29966 (CVSS score: 7.5) – The presence of hard-coded credentials for root users in publicly available documentation that could permit an unauthenticated attacker full access to the Brocade SANnav appliance
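Hard-coded keys in an appliance image (CVE-2024-29960 above) have a fleet-wide symptom a defender can check for without knowing the key itself: every appliance deployed from that image presents the same SSH host key. The script below, added here as an example and not part of Pierre Barre’s or Broadcom’s material, groups `ssh-keyscan`-style output by OpenSSH SHA256 fingerprint and reports any key presented by more than one host. The hostnames and key blobs are constructed stand-ins, not real keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed ssh-keyscan style output for three appliances. The key blobs are
# stand-ins (base64 of short strings), not real SSH public keys; two appliances
# deliberately present the same blob, as they would if the key were baked into
# a shared OVA image instead of being generated on first boot.
SAMPLE_KEYSCAN = "\n".join([
    "# sannav-a.example:22 SSH-2.0-OpenSSH",
    "sannav-a.example ssh-ed25519 " + base64.b64encode(b"constructed-image-key").decode(),
    "sannav-b.example ssh-ed25519 " + base64.b64encode(b"constructed-image-key").decode(),
    "sannav-c.example ssh-ed25519 " + base64.b64encode(b"constructed-unique-key").decode(),
])


def parse_keyscan(output: str) -> list[tuple[str, str, str]]:
    """Parse '<host> <key-type> <base64-blob>' lines, skipping comments and blanks."""
    entries = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest with padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_host_keys(output: str) -> dict[str, list[str]]:
    """Return {fingerprint: [hosts]} for every host key presented by more than
    one host. A shared host key was not generated per appliance."""
    by_fp = defaultdict(list)
    for host, _key_type, blob in parse_keyscan(output):
        fp = fingerprint(blob)
        if host not in by_fp[fp]:
            by_fp[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} is shared by {', '.join(hosts)}")
```

On a real fleet, feed it the output of `ssh-keyscan` run against every appliance; the same grouping idea applies to the TLS client certificates used for the Docker registry connections (CVE-2024-29963), since those too should differ per appliance.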

Following two rounds of responsible disclosure, in August 2022 and May 2023, the flaws have been addressed in SANnav version 2.3.1, released in December 2023. Brocade’s parent company Broadcom, which also owns Symantec and VMware, released advisories for the flaws earlier this month.

Hewlett Packard Enterprise has also shipped patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.

