CISA Warns of Actively Exploited D-Link Router Vulnerabilities



May 17, 2024 Newsroom Vulnerability / Network Security


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting D-Link routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The list of vulnerabilities is as follows –

  • CVE-2014-100005 – A cross-site request forgery (CSRF) vulnerability impacting D-Link DIR-600 routers that allows an attacker to change router configurations by hijacking an existing administrator session
  • CVE-2021-40655 – An information disclosure vulnerability impacting D-Link DIR-605 routers that allows attackers to obtain a username and password by forging an HTTP POST request to the /getcfg.php page

There are currently no details on how these shortcomings are exploited in the wild, but federal agencies have been urged to apply vendor-provided mitigations by June 6, 2024.


It’s worth noting that CVE-2014-100005 affects legacy D-Link products that have reached end-of-life (EoL) status, necessitating that organizations still using them retire and replace the devices.

The development comes as the SSD Secure Disclosure team revealed unpatched security issues in DIR-X4860 routers that could enable remote unauthenticated attackers to access the HNAP port in order to obtain elevated permissions and run commands as root.

“By combining an authentication bypass with command execution the device can be completely compromised,” it said, adding the issues impact routers running firmware version DIRX4860A1_FWV1.04B03.

SSD Secure Disclosure has also made available a proof-of-concept (PoC) exploit, which employs a specially crafted HNAP login request to the router’s management interface to get around authentication protections and achieve code execution by taking advantage of a command injection vulnerability.

D-Link has since acknowledged the issue in a bulletin of its own, stating a fix is “Pending Release / Under Development.” It described the vulnerability as a LAN-side unauthenticated command execution flaw.

Ivanti Patches Multiple Flaws in Endpoint Manager Mobile (EPMM)

Cybersecurity researchers have also released a PoC exploit for a new vulnerability in Ivanti EPMM (CVE-2024-22026, CVSS score: 6.7) that could permit an authenticated local user to bypass shell restriction and execute arbitrary commands on the appliance.


“This vulnerability allows a local attacker to gain root access to the system by exploiting the software update process with a malicious RPM package from a remote URL,” Redline Cyber Security’s Bryan Smith said.

The problem stems from a case of inadequate validation in the EPMM command-line interface’s installation command, which can fetch an arbitrary RPM package from a user-provided URL without verifying its authenticity.

CVE-2024-22026 impacts all versions of EPMM before 12.1.0.0. Also patched by Ivanti are two other SQL injection flaws in the same product (CVE-2023-46806 and CVE-2023-46807, CVSS scores: 6.7) that could allow an authenticated user with appropriate privilege to access or modify data in the underlying database.

While there is no evidence that these flaws have been exploited, users are advised to update to the latest version to mitigate potential threats.


China-Linked Hackers Adopt Two-Stage Infection Tactic to Deploy Deuterbear RAT




Cybersecurity researchers have shed more light on a remote access trojan (RAT) known as Deuterbear used by the China-linked BlackTech hacking group as part of a cyber espionage campaign targeting the Asia-Pacific region this year.

“Deuterbear, while similar to Waterbear in many ways, shows advancements in capabilities such as including support for shellcode plugins, avoiding handshakes for RAT operation, and using HTTPS for C&C communication,” Trend Micro researchers Pierre Lee and Cyris Tseng said in a new analysis.

“Comparing the two malware variants, Deuterbear uses a shellcode format, possesses anti-memory scanning, and shares a traffic key with its downloader unlike Waterbear.”

BlackTech, active since at least 2007, is also tracked by the broader cybersecurity community under the monikers Circuit Panda, Earth Hundun, HUAPI, Manga Taurus, Palmerworm, Red Djinn, and Temp.Overboard.

Cyber attacks orchestrated by the group have involved the deployment of a malware called Waterbear (aka DBGPRINT) for nearly 15 years, although campaigns observed since October 2022 have also utilized an updated version called Deuterbear.


Waterbear is delivered by means of a patched legitimate executable, which leverages DLL side-loading to launch a loader that then decrypts and executes a downloader, which subsequently contacts a command-and-control (C&C) server to retrieve the RAT module.

Interestingly, the RAT module is fetched twice from the attacker-controlled infrastructure, the first of which is just used to load a Waterbear plugin that furthers the compromise by launching a different version of the Waterbear downloader to retrieve the RAT module from another C&C server.

Put differently, the first Waterbear RAT serves as a plugin downloader while the second Waterbear RAT functions as a backdoor, harvesting sensitive information from the compromised host through a set of 60 commands.

The infection pathway for Deuterbear is largely similar to that of Waterbear in that it also implements two stages to install the RAT backdoor component, but it tweaks the process to some extent.

The first stage, in this case, employs the loader to launch a downloader, which connects to the C&C server to fetch Deuterbear RAT, an intermediary that serves to establish persistence through a second-stage loader via DLL side-loading.

This loader is ultimately responsible for executing a downloader, which again downloads the Deuterbear RAT from a C&C server for information theft.

“In most of the infected systems, only the second stage Deuterbear is available,” the researchers said. “All components of the first stage Deuterbear are totally removed after the ‘persistence installation’ is completed.”


“This strategy effectively protects their tracks and prevents the malware from easily being analyzed by threat researchers, particularly in simulated environments rather than real victim systems.”

Deuterbear RAT is also a more streamlined version of its predecessor, retaining only a subset of the commands in favor of a plugin-based approach to incorporate more functionality.

“Waterbear has gone through continuous evolution, eventually giving rise to the emergence of a new malware, Deuterbear,” Trend Micro said. “Interestingly, both Waterbear and Deuterbear continue to evolve independently, rather than one simply replacing the other.”

Targeted Campaign Delivers SugarGh0st RAT

The disclosure comes as Proofpoint detailed an “extremely targeted” cyber campaign targeting organizations in the U.S. that are involved in artificial intelligence efforts, including academia, private industry, and the government, to deliver a malware called SugarGh0st RAT.

The enterprise security company is tracking the emerging activity cluster under the name UNK_SweetSpecter.

“SugarGh0st RAT is a remote access trojan, and is a customized variant of Gh0st RAT, an older commodity trojan typically used by Chinese-speaking threat actors,” the company said. “SugarGh0st RAT has been historically used to target users in Central and East Asia.”

SugarGh0st RAT was first documented late last year by Cisco Talos in connection with a campaign targeting the Uzbekistan Ministry of Foreign Affairs and South Korean users since August 2023. The intrusions were attributed to a suspected Chinese-speaking threat actor.

The attack chains entail sending AI-themed phishing messages containing a ZIP archive that, in turn, packs a Windows shortcut file to deploy a JavaScript dropper responsible for launching the SugarGh0st payload.


“The May 2024 campaign appeared to target less than 10 individuals, all of whom appear to have a direct connection to a single leading U.S.-based artificial intelligence organization according to open source research,” the company said.

The end goal of the attacks is not clear, although it’s theorized that it may be an attempt to steal non-public information about generative artificial intelligence (GenAI).

What’s more, the targeting of U.S. entities coincides with news reports that the U.S. government is looking to curtail China’s access to GenAI tools from companies like OpenAI, Google DeepMind, and Anthropic, offering potential motives.

Earlier this year, the U.S. Department of Justice (DoJ) also indicted a former Google software engineer for stealing proprietary information from the company and attempting to use it at two AI-affiliated technology companies in China, including one that he founded around May 2023.

“It is possible that if Chinese entities are restricted from accessing technologies underpinning AI development, then Chinese-aligned cyber actors may target those with access to that information to further Chinese development goals,” the company said.


80% of Exposures from Misconfigurations, Less Than 1% from CVEs



A new report from XM Cyber has found – among other insights – a dramatic gap between where most organizations focus their security efforts, and where the most serious threats actually reside.

The new report, Navigating the Paths of Risk: The State of Exposure Management in 2024, is based on hundreds of thousands of attack path assessments conducted by the XM Cyber platform during 2023. These assessments uncovered over 40 million exposures that affected millions of business-critical assets. Anonymized data regarding these exposures was then provided to the Cyentia Institute for independent analysis. To read the full report, check it out here.


Download the report to discover:

  • Key findings on the types of exposures putting organizations at greatest risk of breach.
  • The state of attack paths between on-prem and cloud networks.
  • Top attack techniques seen in 2023.
  • How to focus on what matters most, and remediate high-impact exposure risks to your critical assets.

The findings shine a critical light on the continuing over-emphasis on remediating CVEs in cybersecurity programs. In fact, XM Cyber found that CVE-based vulnerabilities account for less than 1% of the average organization’s on-prem exposure landscape. Even when factoring in high-impact exposures that present a risk of compromise to business-critical assets, these CVEs still represent only a small percentage (11%) of the exposure risk profile.

Where does the lion’s share of risk actually lie? Let’s dig deeper into the results:

CVEs: Not Necessarily Exposures

When analyzing the on-premises infrastructure of the vast majority of organizations (86%), the XM Cyber report found, not surprisingly, that remote code execution vulnerabilities accounted (as mentioned above) for less than 1% of all exposures and only 11% of critical exposures.

The research found that identity and credential misconfigurations represent a staggering 80% of security exposures across organizations, with a third of these exposures putting critical assets at direct risk of breach – a gaping attack vector actively being exploited by adversaries.

Thus, the report makes it clear that while patching vulnerabilities is important, it’s not enough. More prevalent threats like attackers poisoning shared folders with malicious code (taint shared content) and using common local credentials on multiple devices expose a much larger share of critical assets (24%) compared to CVEs.

Thus, security programs need to extend far beyond patching CVEs. Good cyber hygiene practices and a focus on mitigating choke points and exposures like weak credential management are crucial.

Don’t Sweat Dead Ends, Hunt High-Impact Choke Points

Traditional security tries to fix every vulnerability, but XM Cyber’s report shows that 74% of exposures are actually dead ends for attackers – offering them minimal onward or lateral movement. This makes these vulnerabilities, exposures, and misconfigurations less critical to your remediation efforts, allowing more time to focus on the real issues that present a validated threat to critical assets.

The remaining 26% of exposures discovered in the report would allow adversaries to propagate their attacks onward toward critical assets. The XM Cyber Attack Graph Analysis™ identifies the key intersections where multiple attack paths toward critical assets converge as “choke points”. The report highlights that only 2% of exposures reside on choke points, giving security teams a far smaller subset of high-impact exposures to focus their remediation efforts on. These choke points are highlighted in yellow and red on the graph below. They are especially dangerous because compromising just one can expose a significant portion of critical assets; in fact, the report found that 20% of choke points expose 10% or more of critical assets. Identifying attack paths and homing in on high-risk choke points therefore gives defenders a bigger bang for their buck, reducing risk much more efficiently. To learn more about choke points, check out this article.
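As an added illustration of the dead-end versus choke-point distinction described above (example code written for this page, not XM Cyber’s platform or data; the graph, node names and the “two converging paths” threshold are constructed assumptions):

```python
from collections import deque

# Constructed toy attack graph: each key is a host or identity, each edge is an
# exposure an attacker could traverse from it. Not real XM Cyber data.
EDGES = {
    "ws-01": ["ws-02", "svc-acct"],       # workstation caching a service account
    "ws-02": ["fileshare"],
    "ws-03": ["printer"],                 # leads nowhere valuable
    "kiosk": ["fileshare"],
    "fileshare": ["svc-acct", "db-01"],   # tainted shared content, stored DB creds
    "svc-acct": ["dc-01"],                # over-privileged service account
    "vpn-gw": ["jump-01"],
    "jump-01": ["db-01"],
    "dc-01": ["erp-01"],
    "db-01": [],
    "erp-01": [],
    "printer": [],
}
CRITICAL = {"dc-01", "db-01", "erp-01"}          # business-critical assets
ENTRY = {"ws-01", "ws-03", "kiosk", "vpn-gw"}    # plausible initial footholds


def reachable(start, edges=EDGES):
    """Breadth-first search: every node an attacker at `start` can move on to."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify_exposures(edges=EDGES, critical=CRITICAL):
    """Dead ends: exposures with no onward path to any critical asset.
    Propagating: exposures from which at least one critical asset is reachable."""
    dead, propagating = [], []
    for node in edges:
        if node in critical:
            continue
        (propagating if reachable(node, edges) & critical else dead).append(node)
    return sorted(dead), sorted(propagating)


def choke_points(edges=EDGES, critical=CRITICAL, entry=ENTRY, min_paths=2):
    """A choke point is a non-critical node where paths from at least `min_paths`
    distinct entry points converge and that still leads on to a critical asset.
    Its score is the fraction of critical assets exposed by compromising it."""
    result = {}
    for node in edges:
        if node in critical:
            continue
        exposed = reachable(node, edges) & critical
        if not exposed:
            continue  # dead end, never a choke point
        converging = sum(1 for e in entry if e != node and node in reachable(e, edges))
        if converging >= min_paths:
            result[node] = {"paths": converging,
                            "exposes": round(len(exposed) / len(critical), 3)}
    return result


def remediation_order(edges=EDGES, critical=CRITICAL, entry=ENTRY):
    """Choke points ranked by exposed share, then by how many paths converge."""
    cps = choke_points(edges, critical, entry)
    return sorted(cps, key=lambda n: (-cps[n]["exposes"], -cps[n]["paths"], n))


if __name__ == "__main__":
    dead, prop = classify_exposures()
    print(f"dead ends ({len(dead)}): {dead}")
    print(f"propagating ({len(prop)}): {prop}")
    cps = choke_points()
    for name in remediation_order():
        print(f"choke point {name}: {cps[name]['paths']} converging paths, "
              f"exposes {cps[name]['exposes']:.0%} of critical assets")
```

Only two of the nine non-critical nodes qualify as choke points, and fixing the shared folder first removes the path to every critical asset, which is the prioritisation the report argues for.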

Finding and Categorizing Exposures: Focus on Critical Assets

Where are exposures and how do attackers exploit them? Traditionally, the attack surface is seen as everything in the IT environment. However, the report shows that effective security requires understanding where valuable assets reside and how they are exposed.

For example, the report analyzes the distribution of potential attack points across environments – finding that not all entities are vulnerable (see the graph below). A more critical metric is exposure to critical assets. Cloud environments hold the most critical asset exposures, followed by Active Directory (AD) and IT/Network devices.

It’s worth drilling down into the extreme vulnerability of organizational AD. Active Directory remains the cornerstone of organizational identity management – yet the report found that 80% of all security exposures identified stem from Active Directory misconfigurations or weaknesses. Even more concerning, one-third of all critical asset vulnerabilities can be traced back to identity and credential problems within Active Directory.

What’s the takeaway here? Security teams are often organized by critical asset categories. While this might be sufficient for managing the overall number of entities, it can miss the bigger picture. Critical exposures, though fewer, pose a much higher risk and require dedicated focus. (To help keep you on track with addressing AD security issues, we recommend this handy AD best practices security checklist.)

Different Needs for Different Industries

The report also analyzes differing cybersecurity risks across industries. Industries with a greater number of entities (potential attack points) tend to have more vulnerabilities. Healthcare, for example, has 5 times the exposure of Energy and Utilities.

However, the key risk metric is the proportion of exposures that threaten critical assets. Here, the picture flips. Transportation and Energy have a much higher percentage of critical exposures, despite having fewer overall vulnerabilities. This means they hold a higher concentration of critical assets that attackers might target.

The takeaway is that different industries require different security approaches. Financial firms have more digital assets but a lower critical exposure rate compared to Energy. Understanding the industry-specific attack surface and the threats it faces is crucial for an effective cybersecurity strategy.

The Bottom Line

A final key finding demonstrates that exposure management can’t be a one-time or annual project. It’s an ever-changing, continuous process to drive improvements. Yet today’s over-focus on patching vulnerabilities (CVEs) leads to neglect of more prevalent threats.

Today’s security ecosystem and threat landscape are not yesterday’s. It’s time for a cybersecurity paradigm shift. Instead of patching every vulnerability, organizations need to prioritize the high-impact exposures that offer attackers significant onward and lateral movement within a breached network, with a special focus on the 2% of exposures that reside on “choke points”, where remediating key weaknesses in your environment will most reduce your overall risk.

The time has come to move beyond a check-the-box mentality and focus on real-world attack vectors.


The State of Exposure Management report’s findings are based on data from the XM Cyber Continuous Exposure Management Platform that was analyzed independently by the Cyentia Institute. Grab your free report here.

Note: This article was expertly written by Dale Fairbrother, Senior Product Marketing Manager at XM Cyber.


Kinsing Hacker Group Exploits More Flaws to Expand Botnet for Cryptojacking



May 17, 2024 Newsroom Cryptojacking / Malware


The cryptojacking group known as Kinsing has demonstrated its ability to continuously evolve and adapt, proving to be a persistent threat by swiftly integrating newly disclosed vulnerabilities into its exploit arsenal and expanding its botnet.

The findings come from cloud security firm Aqua, which described the threat actor as actively orchestrating illicit cryptocurrency mining campaigns since 2019.

Kinsing (aka H2Miner), a name given to both the malware and the adversary behind it, has consistently expanded its toolkit with new exploits to enroll infected systems in a crypto-mining botnet. It was first documented by TrustedSec in January 2020.

In recent years, campaigns involving the Golang-based malware have weaponized various flaws in Apache ActiveMQ, Apache Log4j, Apache NiFi, Atlassian Confluence, Citrix, Liferay Portal, Linux, Openfire, Oracle WebLogic Server, and SaltStack to breach vulnerable systems.


Other methods have also involved exploiting misconfigured Docker, PostgreSQL, and Redis instances to obtain initial access, after which the endpoints are marshaled into a botnet for crypto-mining, but not before disabling security services and removing rival miners already installed on the hosts.

Subsequent analysis by CyberArk in 2021 unearthed commonalities between Kinsing and another malware called NSPPS, concluding that both the strains “represent the same family.”

Kinsing’s attack infrastructure falls into three primary categories: Initial servers used for scanning and exploiting vulnerabilities, download servers responsible for staging payloads and scripts, and command-and-control (C2) servers that maintain contact with compromised servers.

The IP addresses used for C2 servers resolve to Russia, while those that are used to download the scripts and binaries span countries like Luxembourg, Russia, the Netherlands, and Ukraine.

“Kinsing targets various operating systems with different tools,” Aqua said. “For instance, Kinsing often uses shell and Bash scripts to exploit Linux servers.”

“We’ve also seen that Kinsing is targeting Openfire on Windows servers using a PowerShell script. When running on Unix, it’s usually looking to download a binary that runs on x86 or ARM.”

Another notable aspect of the threat actor’s campaigns is that 91% of the targeted applications are open-source, with the group mainly singling out runtime applications (67%), databases (9%), and cloud infrastructure (8%).


An extensive analysis of the artifacts has further revealed three distinct categories of programs –

  • Type I and Type II scripts, which are deployed post initial access and are used to download next-stage attack components, eliminate competition, and evade defenses by disabling the firewall, terminating security tools like SELinux, AppArmor, and Aliyun Aegis, and deploying a rootkit to hide the malicious processes
  • Auxiliary scripts, which are designed to accomplish initial access by exploiting a vulnerability, disable specific security components associated with Alibaba Cloud and Tencent Cloud services on a Linux system, open a reverse shell to a server under the attacker’s control, and facilitate the retrieval of miner payloads
  • Binaries, which act as a second-stage payload, including the core Kinsing malware and the crypto-miner used to mine Monero
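As an added, defender-side illustration of the script behaviours listed above (example code written for this page, not Kinsing’s scripts or Aqua’s tooling; the rule names, regexes, log format and sample lines are all constructed):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Detection rules for the defense-evasion steps the report attributes to Kinsing's
# Type I/II and auxiliary scripts: disabling the firewall, SELinux and AppArmor,
# and removing the Aliyun Aegis cloud agent. Rule names and regexes are this
# example's own assumptions, not signatures published by Aqua.
RULES = {
    "selinux_disabled": re.compile(r"\bsetenforce\s+0\b"),
    "apparmor_stopped": re.compile(
        r"\b(systemctl|service)\s+(stop|disable)\s+apparmor\b|\bservice\s+apparmor\s+stop\b"),
    "firewall_disabled": re.compile(
        r"\bufw\s+disable\b|\biptables\s+-F\b|\bsystemctl\s+(stop|disable)\s+firewalld\b"),
    "cloud_agent_removed": re.compile(r"\baegis\b.*\b(uninstall|stop)\b", re.I),
}

# Constructed command-line telemetry (host, UTC timestamp, command), tab-separated,
# as an EDR or auditd EXECVE feed might yield after normalisation.
SAMPLE_LOG = """\
web-03\t2024-05-17T02:11:04Z\tsetenforce 0
web-03\t2024-05-17T02:11:05Z\tsystemctl stop apparmor
web-03\t2024-05-17T02:11:06Z\tufw disable
web-03\t2024-05-17T02:11:12Z\tbash /tmp/x.sh
db-07\t2024-05-17T03:20:00Z\tsystemctl restart postgresql
build-01\t2024-05-17T04:00:00Z\tsudo setenforce 0
build-01\t2024-05-17T04:00:20Z\tsudo setenforce 1
"""


def parse_log(text):
    """Turn the tab-separated feed into (host, datetime, command) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, ts, cmd = line.split("\t", 2)
        events.append((host, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), cmd))
    return events


def match_rules(cmd):
    """Names of every rule whose pattern appears in one command line."""
    return {name for name, rx in RULES.items() if rx.search(cmd)}


def correlate(events, window=timedelta(minutes=5), min_rules=2):
    """Flag a host only when at least `min_rules` distinct evasion rules fire
    inside `window`. A lone `setenforce 0` from an admin (see build-01) stays
    below the bar; the rapid SELinux + AppArmor + firewall sequence does not."""
    hits = defaultdict(list)
    for host, ts, cmd in events:
        for rule in match_rules(cmd):
            hits[host].append((ts, rule))
    flagged = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            rules = {r for t, r in seen[i:] if t - t0 <= window}
            if len(rules) >= min_rules:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    for host, rules in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: possible Kinsing-style defense evasion, rules={rules}")
```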

The malware, for its part, is engineered to keep tabs on the mining process and share its process identifier (PID) with the C2 server, perform connectivity checks, and send execution results, among other tasks.


“Kinsing targets Linux and Windows systems, often by exploiting vulnerabilities in web applications or misconfigurations such as Docker API and Kubernetes to run cryptominers,” Aqua said. “To prevent potential threats like Kinsing, proactive measures such as hardening workloads pre-deployment are crucial.”

The disclosure comes as botnet malware families are increasingly finding ways to broaden their reach and recruit machines into a network for carrying out malicious activities.

This is best exemplified by P2PInfect, a Rust malware that has been found to exploit poorly-secured Redis servers to deliver variants compiled for MIPS and ARM architectures.

“The main payload is capable of performing various operations, including propagating and delivering other modules with filenames that speak for themselves like miner and winminer,” Nozomi Networks, which discovered samples targeting ARM earlier this year, said.

“As its name suggests, the malware is capable of performing Peer-to-Peer (P2P) communications without relying on a single Command and Control server (C&C) to propagate attackers’ commands.”


Kimsuky APT Deploying Linux Backdoor Gomir in South Korean Cyber Attacks



May 17, 2024 Newsroom Linux / Malware


The Kimsuky (aka Springtail) advanced persistent threat (APT) group, which is linked to North Korea’s Reconnaissance General Bureau (RGB), has been observed deploying a Linux version of its GoBear backdoor as part of a campaign targeting South Korean organizations.

The backdoor, codenamed Gomir, is “structurally almost identical to GoBear, with extensive sharing of code between malware variants,” the Symantec Threat Hunter Team, part of Broadcom, said in a new report. “Any functionality from GoBear that is operating system-dependent is either missing or reimplemented in Gomir.”


GoBear was first documented by South Korean security firm S2W in early February 2024 in connection with a campaign that delivered malware called Troll Stealer (aka TrollAgent), which overlaps with known Kimsuky malware families like AppleSeed and AlphaSeed.

A subsequent analysis by the AhnLab Security Intelligence Center (ASEC) revealed that the malware is distributed via trojanized security programs downloaded from an unspecified South Korean construction-related association’s website.

This includes nProtect Online Security, NX_PRNMAN, TrustPKI, UbiReport, and WIZVERA VeraPort, the last of which was previously subjected to a software supply chain attack by the Lazarus Group in 2020.

Symantec said that it also observed the Troll Stealer malware being delivered via rogue installers for Wizvera VeraPort, although the exact distribution mechanism by which the installation packages get delivered is presently unknown.

“GoBear also contains similar function names to an older Springtail backdoor known as BetaSeed, which was written in C++, suggesting that both threats have a common origin,” the company noted.

The malware, which supports capabilities to execute commands received from a remote server, is also said to be propagated through droppers that masquerade as a fake installer for an app for a Korean transport organization.


Its Linux counterpart, Gomir, supports as many as 17 commands, allowing its operators to perform file operations, start a reverse proxy, pause command-and-control (C2) communications for a specified time duration, run shell commands, and terminate its own process.

“This latest Springtail campaign provides further evidence that software installation packages and updates are now among the most favored infection vectors for North Korean espionage actors,” Symantec said.

“The software targeted appears to have been carefully chosen to maximize the chances of infecting its intended South Korean-based targets.”
