Cyber Security Briefing, 14 - 20 October

October 20, 2023

Vulnerability actively exploited in Citrix NetScaler

Researchers at Mandiant have published a report warning of the active exploitation of a vulnerability in Citrix NetScaler ADC and NetScaler Gateway. The flaw is tracked as CVE-2023-4966 (CVSSv3 9.4) and was patched by the vendor last week.

However, new details from Mandiant's investigation indicate that the vulnerability has been exploited by malicious actors since late August 2023. Exploitation requires no privileges, no user interaction and no special conditions: the only prerequisite is that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A successful request discloses sensitive memory contents, including valid session tokens, which Mandiant observed being used to hijack authenticated sessions. Because those tokens remain valid after the appliance is upgraded, patching alone does not evict an attacker who already holds one.

Citrix recommends applying the fixed builds and, since hijacked sessions survive the upgrade, terminating all active and persistent sessions afterwards (for example with kill icaconnection -all and kill aaa session -all), in addition to the other measures described in its advisory.

More info.

Iranian group Crambus compromises Middle Eastern government systems for 8 months

The Crambus cyberespionage group, also known as APT34 or OilRig, carried out an eight-month intrusion affecting at least 12 computers on a Middle Eastern government network.

According to the Symantec Threat Hunter Team, the Iranian group is known for long-term intrusions aimed at intelligence gathering and has previously attacked multiple governments, including those of Saudi Arabia, Albania and the U.S. In this latest campaign, Crambus combined several malware families with legitimate tools to gain, expand and maintain access to the systems from February to September 2023.

Among the malware used was Backdoor.PowerExchange (PowerExchange), a known backdoor that had not previously been conclusively tied to this group. It logs into an Exchange server with stolen credentials and polls a mailbox for emails sent by the attackers; the PowerShell commands carried in those messages are executed on the host and the output is returned by email, so the command channel blends into ordinary mail traffic.

More info.

New malware discovered targeting Southeast Asia

Researchers at Elastic Security Labs have identified a new backdoor, called BLOODALCHEMY, used in attacks against governments and organisations in the Association of Southeast Asian Nations (ASEAN). The malware belongs to the China-linked REF5961 intrusion set, which has recently been observed in espionage attacks against the Mongolian government.

BLOODALCHEMY is a 32-bit (x86) backdoor written in C. It exists only as shellcode injected into a signed, benign process and depends on a dedicated loader, because it cannot load and run on its own.

It is also not position-independent: when it is loaded at a base address other than its preferred one, the loader must patch the image to account for the new position. The backdoor communicates with its C2 over HTTP and applies a simple, well-known obfuscation scheme.

The analysis also notes that the backdoor implements only a handful of commands with real effect, so its functionality is limited. Elastic concludes from this that BLOODALCHEMY is one component of a larger toolset and is still under active development.

More info.

Thousands of Cisco IOS XE devices compromised by a 0-day vulnerability

This week Cisco issued a security advisory warning of a critical zero-day vulnerability, CVE-2023-20198 (CVSSv3 10.0), under active exploitation in the web UI feature of its IOS XE software, which runs on enterprise switches, routers, wireless controllers and other devices.

Following the advisory, researchers at VulnCheck reported that attackers have compromised thousands of vulnerable devices. Exploitation requires the web UI feature to be reachable through the HTTP or HTTPS server; on compromised devices the attackers create a privileged local account and deploy an implant that executes arbitrary commands. VulnCheck has also published a tool on its GitHub repository that lets IOS XE operators check whether their systems carry the implant.

It should be noted that no patch is available yet. As a mitigation, Cisco recommends disabling the HTTP and HTTPS servers (no ip http server and no ip http secure-server) and removing internet exposure of all management interfaces. Rebooting removes the implant, but the local accounts the attackers added persist and must be removed by hand.
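As an added example (not code from Cisco, Talos or VulnCheck), the following POSIX shell script bundles the checks a defender wants on each IOS XE device: whether the web UI is reachable through the HTTP or HTTPS server, whether local accounts with the names Talos reported the attackers creating (cisco_tac_admin, cisco_support) exist in the running config, and the implant probe Talos published (a POST to /webui/logoutconfirm.html?logon_hash=1, which returns a bare hexadecimal string only when the implant is present). The running-config excerpt is constructed, the host name is a placeholder, and the mitigation commands are Cisco's interim advice from the advisory.

```shell
#!/bin/sh
# Added example, not Cisco/Talos/VulnCheck code: triage helpers for
# CVE-2023-20198 on IOS XE. The running-config text is constructed and
# "edge-rtr-01" is a placeholder host name.
set -eu

# Constructed excerpt of "show running-config" from an exposed device.
SAMPLE_RUNNING_CONFIG='hostname edge-rtr-01
ip http server
ip http secure-server
username netadmin privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted'

# Exit 0 when the HTTP or HTTPS server is enabled (the precondition for
# exploitation), 1 otherwise.
http_server_enabled() {
    printf '%s\n' "$1" | grep -Eq '^ip http (secure-)?server$'
}

# Print local usernames matching the account names Talos reported the
# attackers creating. A reboot clears the implant but not these accounts,
# so this check matters even on a device that has already been rebooted.
suspicious_accounts() {
    printf '%s\n' "$1" | awk '$1 == "username" && ($2 == "cisco_tac_admin" || $2 == "cisco_support") { print $2 }'
}

# Classify the body returned by the Talos probe: the implant answers with
# a bare hexadecimal string, a clean device returns the normal HTML page.
classify_logoutconfirm_body() {
    body=$(printf '%s' "$1" | tr -d '[:space:]')
    if printf '%s' "$body" | grep -Eq '^[0-9a-fA-F]+$'; then
        echo implant
    else
        echo clean
    fi
}

# Live probe; needs network access to the device and is not run by default.
check_implant() {
    body=$(curl -sk -X POST "https://$1/webui/logoutconfirm.html?logon_hash=1")
    classify_logoutconfirm_body "$body"
}

# Interim mitigation Cisco published while no fix existed: disable the
# HTTP and HTTPS servers, which takes the web UI off the network.
mitigation_config() {
    cat <<'EOF'
configure terminal
 no ip http server
 no ip http secure-server
end
write memory
EOF
}

# Usage: sh triage.sh <device>   (omit the argument to run only the offline checks)
if [ $# -gt 0 ]; then
    check_implant "$1"
fi
if http_server_enabled "$SAMPLE_RUNNING_CONFIG"; then
    echo "web UI reachable via HTTP/HTTPS server; apply:"
    mitigation_config
fi
suspicious_accounts "$SAMPLE_RUNNING_CONFIG"
```

Run the offline checks against a saved running-config first; the live probe is deliberately separated so it can be scheduled from a host that is allowed to reach the management plane.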

More info.

BlackCat ransomware uses Munchkin virtual machine in its operations

Palo Alto Networks Unit 42 has published research identifying, in BlackCat ransomware incidents, the use of a custom virtual machine called Munchkin.

Munchkin is a customised Alpine Linux distribution. After compromising a device, the ransomware operators install VirtualBox on it and create a new virtual machine from the Munchkin ISO. From inside the guest, Munchkin lets BlackCat run on remote systems and/or encrypt remote Server Message Block (SMB) or Common Internet File System (CIFS) shares.

Munchkin also bundles a set of scripts and utilities that let its operators deploy malware payloads while evading the security solutions installed on the victim's host, since the encryptor runs inside the guest rather than on the protected operating system. Finally, the researchers note that the use of virtual machines by ransomware operators is a growing trend.

More info.

Image from Kjpargeter on Freepik.