Cyber Security Briefing, 26 – 30 June

June 30, 2023

BIND DNS server vulnerabilities fixed

The Internet Systems Consortium (ISC) has issued security advisories to address multiple vulnerabilities affecting several versions of Berkeley Internet Name Domain (BIND), the most widely deployed DNS server software.

The vulnerabilities addressed are CVE-2023-2828, CVE-2023-2829 and CVE-2023-2911, all rated CVSS 7.5. Each can be triggered remotely and results in denial of service: exploitation can exhaust all available memory on a target server or crash the named process, taking the resolver offline.

Although ISC said it had no evidence of the flaws being exploited in the wild, it strongly recommends that BIND users upgrade to a patched version of the software.

More info

New Volt Typhoon campaign exploiting vulnerability in Zoho ManageEngine

The APT known as Volt Typhoon or Bronze Silhouette has been observed exploiting a critical vulnerability in Zoho ManageEngine ADSelfService Plus.

According to research by CrowdStrike, which tracks the adversary as Vanguard Panda, the cyberespionage group was observed in a recent campaign targeting critical infrastructure in the Pacific region.

In that campaign the group tailored its tradecraft to the target, combining exploits and lateral-movement techniques with CVE-2021-40539, a critical flaw in Zoho's ManageEngine ADSelfService Plus (a password-management and single sign-on product) that allowed it to execute code remotely. It then disguised its web shell as a legitimate process and deleted logs as it went.

Despite those attempts to cover its tracks, the researchers found further web shells, backdoors, Java source code and compiled files left on the Apache Tomcat web server, which led to the intrusion's discovery. Volt Typhoon nonetheless had broad access to the victim's environment over an extended period, showing familiarity with the targeted infrastructure and discipline in cleaning up after itself.

More info

Mockingjay: new technique to bypass EDR detection

Cybersecurity researchers at Security Joes discovered a new process injection technique called Mockingjay, which could allow threat actors to bypass EDR and other security products to stealthily execute malicious code on compromised systems.

Mockingjay differs from other approaches in that it does not use commonly abused Windows API calls, does not change memory protections, allocate memory or start a thread, removing many of the points at which EDRs hook and detect injection.

Security Joes analysts found that msys-2.0.dll, shipped with Visual Studio 2022 Community, contains a 16 KB section that is mapped read-write-execute (RWX) by default. Because that section is already writable and executable as soon as the DLL is loaded, an injector can copy code into it and run it without calling the allocation and protection-changing APIs (for example VirtualAlloc or VirtualProtect) that EDRs hook, so the detections built around those calls never fire.
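The property Mockingjay relies on is static: the EXECUTE, READ and WRITE flags sit in the PE section table of the file on disk, so a defender can inventory which DLLs ship such a section before anyone abuses them. The script below is an added example, not Security Joes' tooling: it parses the PE section headers with nothing but the standard library and reports sections carrying all three flags. The sample image it builds is a constructed header skeleton (not a loadable DLL) so the script runs offline; point scan_file() at a real DLL for a live check.

```python
"""Find PE images that ship a section already mapped read-write-execute (RWX).

Added example for the Mockingjay write-up, not Security Joes' code. The sample
image is constructed in memory so the script runs offline.
"""
import struct
import sys
from pathlib import Path

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def parse_sections(data: bytes) -> list[dict]:
    """Walk the DOS header -> PE signature -> COFF header -> section table chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER (40 bytes); Characteristics is the last DWORD
        name, vsize, vaddr, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": chars,
        })
    return sections


def find_rwx_sections(data: bytes) -> list[dict]:
    """Sections whose flags include all of EXECUTE, READ and WRITE."""
    return [s for s in parse_sections(data) if s["characteristics"] & RWX == RWX]


def scan_file(path: Path) -> list[dict]:
    return find_rwx_sections(path.read_bytes())


def build_sample_image() -> bytes:
    """Constructed PE32+ header skeleton: .text (RX), .data (RW) and a 16 KB RWX section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    opt_size = 240  # size of a PE32+ optional header; body left zeroed here
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, opt_size, 0x2022)

    def section(name: bytes, vsize: int, vaddr: int, chars: int) -> bytes:
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0x400, 0, 0, 0, 0, chars)

    table = (section(b".text", 0x8000, 0x1000, 0x60000020)    # CODE | EXECUTE | READ
             + section(b".data", 0x2000, 0x9000, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
             + section(b".rwx", 0x4000, 0xB000, 0xE0000040))  # INITIALIZED_DATA | EXECUTE | READ | WRITE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


if __name__ == "__main__":
    targets = [Path(p) for p in sys.argv[1:]]
    if not targets:
        print("no files given, scanning the constructed sample image")
        for s in find_rwx_sections(build_sample_image()):
            print(f"  RWX section {s['name']!r}: {s['virtual_size']} bytes at RVA {s['virtual_address']:#x}")
    for p in targets:
        for s in scan_file(p):
            print(f"{p}: RWX section {s['name']!r}: {s['virtual_size']} bytes at RVA {s['virtual_address']:#x}")
```

Run it over a directory of DLLs (for example the Visual Studio installation tree) to see which images carry a writable-and-executable section out of the box; each hit is a candidate host for this class of injection and a reason for EDR rules to watch writes into that image's memory rather than only API calls.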

More info

Campaign against web hosting companies uncovered

Researchers at Palo Alto Networks' Unit 42 uncovered an active campaign that has targeted web hosting and IT companies for more than two years.

The campaign, tracked as CL-CRI-0021 or Manic Menagerie 2.0, aimed to monetise the resources of compromised servers by installing cryptocurrency miners on them.

It also deployed web shells to maintain persistent access to the internal resources of compromised websites. The threat actors turned hijacked legitimate websites into large-scale command and control (C2) infrastructure, affecting thousands of web pages.

Because the malicious activity was served from legitimate, reputable websites, it was difficult for security solutions to flag, and the actors used multiple techniques to evade monitoring tools and security products.

They also mixed custom payloads and tools with legitimate, publicly available tools so that signatures for known malware would not match. The actor is believed to have been active since at least 2018, targeting web hosting companies in Australia.
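Both the Volt Typhoon intrusion above and Manic Menagerie 2.0 were ultimately visible on disk: extra web shells, backdoors and stray Java source and compiled class files left on a Tomcat server in one case, web shells planted on hijacked hosting customers' sites in the other. The sweep below is an added example (not CrowdStrike's or Unit 42's tooling) covering both passages: it walks a web application tree, flags server-side pages that hand request-controlled input to a command interpreter, and flags .java or .class files sitting where a deployed webapp has no business having them. The sample tree is constructed in a temporary directory so the script runs offline; the patterns are a starting point for a hunt, not a signature set.

```python
"""Sweep a web application tree for web-shell artifacts.

Added example, not CrowdStrike's or Unit 42's code. The sample tree is
constructed in a temp directory so the script runs offline.
"""
import os
import re
import sys
import tempfile
from pathlib import Path

# Patterns that, in a server-side page, usually mean "run what the client sent".
SHELL_PATTERNS = {
    "jsp_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(|new\s+ProcessBuilder\s*\("),
    "jsp_request_to_exec": re.compile(r"exec\s*\(\s*request\.getParameter"),
    "php_eval_input": re.compile(
        r"\b(eval|system|shell_exec|passthru|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    "aspx_exec": re.compile(r"Process\.Start\s*\(|ProcessStartInfo", re.I),
}
SCRIPT_EXT = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}
# Compiled classes belong under WEB-INF/classes or WEB-INF/lib; Java source
# never belongs in a deployed webapp at all.
STRAY_EXT = {".java", ".class"}
CLASS_HOMES = ("WEB-INF/classes", "WEB-INF/lib")


def classify_file(path: Path, root: Path) -> list[str]:
    """Return the list of finding labels for one file (empty if it looks clean)."""
    rel = path.relative_to(root).as_posix()
    ext = path.suffix.lower()
    findings = []
    if ext in SCRIPT_EXT:
        try:
            text = path.read_text(errors="replace")
        except OSError:
            return findings
        for label, pattern in SHELL_PATTERNS.items():
            if pattern.search(text):
                findings.append(label)
    elif ext in STRAY_EXT:
        if ext == ".java" or not any(home in rel for home in CLASS_HOMES):
            findings.append("stray_" + ext.lstrip("."))
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> findings for every flagged file under root."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            hits = classify_file(p, root)
            if hits:
                results[p.relative_to(root).as_posix()] = hits
    return results


def build_sample_tree() -> Path:
    """Constructed webapps tree: one clean page, two shells, one stray source, one stray class."""
    root = Path(tempfile.mkdtemp(prefix="webapps_"))
    files = {
        "ROOT/index.jsp": b'<%@ page %><html><%= new java.util.Date() %></html>',
        "ROOT/images/cache.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
        "ROOT/WEB-INF/classes/com/app/Main.class": b"\xca\xfe\xba\xbe",   # legitimate location
        "ROOT/images/Shell.java": b"public class Shell {}",                # source left behind
        "ROOT/images/a.class": b"\xca\xfe\xba\xbe",                         # class outside WEB-INF
        "blog/wp-content/uploads/x.php": b'<?php eval($_POST["c"]); ?>',
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for rel, hits in sorted(scan_tree(root).items()):
        print(f"{rel}: {', '.join(hits)}")
```

On a real host, run it against the Tomcat webapps directory or a hosting customer's document root and review every hit by hand; a web shell hidden under an images or uploads folder, or a .java file next to the pages that serve it, is exactly the kind of leftover that exposed both campaigns.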

More info

Analysis of Dark Power Ransomware

Researchers at Heimdal Security have published an analysis of the Dark Power ransomware, which was first detected in early 2020. It is an effective ransomware written in Nim that randomly generates a unique ASCII string on each run and derives the encryption key from it, so the key needed for decryption is different for every victim.

Heimdal reports that it is distributed via phishing emails and may also be delivered through the exploitation of vulnerabilities. Once on a system it follows a fixed workflow: it initialises the encryption key, encrypts the binary string, terminates processes and services, and excludes certain files and folders from encryption.

As for the ransom, the actors demand approximately $10,000, and the note includes a Monero address and a Tor link to their website. Dark Power has reportedly targeted organisations in sectors such as education, healthcare, manufacturing and food production, with samples identified in the US, Peru, Turkey, France, Israel, Egypt, Algeria and the Czech Republic. Since its re-emergence last February, at least ten companies have been compromised.

More info

Image: Freepik.