Anonymous Sudan hacktivists target websites with DDoS attack

SISA Weekly Threat Watch - 17 April 2023

This week saw threat actors target some of the major platforms and organizations to compromise systems and steal sensitive information with attacks ranging from cross-site infections and cryptojacking to DDoS attacks and zero-day exploits. These targeted attacks demonstrate that threat actors are constantly developing new ways to infiltrate organizations’ infrastructure and cause damage, emphasizing the significance of deploying strong security measures and staying vigilant against emerging threats.

SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and most critical threats.

1. Massive Balada Injector campaign attacking WordPress sites since 2017

An estimated one million WordPress websites have been compromised in a long-lasting campaign to inject a Linux backdoor that researchers named Balada Injector. The campaign has been running since 2017 and aims mostly to redirect visitors to fake tech support pages, fraudulent lottery wins, and push notification scams. Balada Injector attacks in waves that occur once a month or so, each using a freshly registered domain name to evade blocking lists.

Injection methods observed include siteurl hacks, HTML injections, database injections, arbitrary file injections and cross-site infections. Cross-site infections enable the attackers to re-infect cleaned-up sites repeatedly, as long as access to the VPS is maintained. The Balada Injector plants multiple backdoors on compromised WordPress sites which act as hidden access points for the attackers. It is recommended to keep all website software up to date, remove unused plugins and themes, utilize a web application firewall and monitor admin users to stay protected from such attacks.
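As an added illustration of the "siteurl hacks" and "monitor admin users" points above (not code from SISA or the researchers), the following Python check flags WordPress siteurl/home values that point away from the expected host and administrator accounts missing from an allowlist. The rows are constructed samples shaped like the wp_options and wp_usermeta tables; the host names, logins and the function name audit_site are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample rows (not real data), shaped like WordPress tables.
OPTIONS = [  # wp_options: (option_name, option_value)
    ("siteurl", "https://cdn.example-redirect.test/wp"),  # tampered value
    ("home", "https://www.example.org"),
    ("blogname", "Example Site"),
]
USERMETA = [  # (user_login, wp_capabilities meta_value, PHP-serialized)
    ("editor_anna", 'a:1:{s:6:"editor";b:1;}'),
    ("site_admin", 'a:1:{s:13:"administrator";b:1;}'),
    ("wpsupport01", 'a:1:{s:13:"administrator";b:1;}'),  # unexpected admin
]

# Matches each role that is switched on inside the serialized capability map.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def audit_site(options, usermeta, expected_host, allowed_admins):
    """Return findings for redirected site URLs and unknown administrators."""
    findings = []
    for name, value in options:
        if name in ("siteurl", "home"):
            host = (urlsplit(value).hostname or "").lower()
            if host != expected_host.lower():
                findings.append(("url", name, value))
    for login, caps in usermeta:
        roles = set(ROLE_RE.findall(caps))
        if "administrator" in roles and login not in allowed_admins:
            findings.append(("admin", login, caps))
    return findings


if __name__ == "__main__":
    for finding in audit_site(OPTIONS, USERMETA, "www.example.org", {"site_admin"}):
        print(finding)
```

Run on a schedule against a known-good baseline, a check like this also surfaces re-infection of a site that was already cleaned.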

2. Hacktivist group Anonymous Sudan targets website with DDoS attack

The Russian group “Anonymous Sudan” launched a new series of DDoS attacks on websites belonging to both the public and private sectors. Anonymous Sudan’s attacks can disrupt government operations, health facilities, and airport services, which could lead to serious consequences. The group selected France as its target country in a multi-day campaign in March 2023, focusing on hospitals, colleges, and airports. The group also released data from many airlines and payment processors during that time, claiming to have hacked the organizations and put sensitive data up for sale.

Killnet announced the inclusion of Anonymous Sudan as a formal member of their group of hacktivists. After a DDoS attack on the Cochin International Airport’s (CIAL) website over one weekend, the threat group has listed six new targets. The latest list includes India’s prestigious medical institution, AIIMS, and the largest public sector bank, the State Bank of India (SBI), among other organizations. To avoid becoming a victim of these attacks, organizations are advised to check the settings of their anti-DDoS systems, scan websites for vulnerabilities, keep a close eye out for any suspicious activity and block all the group’s identified IOCs.

3. Veritas vulnerabilities added to CISA ‘Must Patch’ list

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software that could lead to the execution of privileged commands on the underlying system. The vulnerabilities are – Veritas Backup Exec Agent Improper Authentication Vulnerability, Veritas Backup Exec Agent File Access Vulnerability, and Veritas Backup Exec Agent Command Execution Vulnerability.

By exploiting these vulnerabilities, a remote attacker can abuse the SHA authentication scheme, gain unauthorized access, execute privileged commands, and use one of the data management protocol commands to execute an arbitrary command on the system with system privileges. Veritas fixed the flaws in a patch released in March 2021. The SHA authentication issue is remediated in the Backup Exec 21.2 release.

4. Windows zero-day vulnerability (CVE-2023-28252) exploited in ransomware attacks

Microsoft has patched a zero-day vulnerability in the Windows Common Log File System (CLFS) that is actively exploited by cybercriminals to escalate privileges and deploy Nokoyawa ransomware payloads. The CLFS is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. Successful exploitation of this vulnerability enables threat actors to gain SYSTEM privileges and fully compromise targeted Windows systems.

The Nokoyawa ransomware gang has used other exploits targeting the CLFS driver since June 2022, with similar yet distinct characteristics, linking them all to a single exploit developer. Targeting multiple industry verticals, including retail and wholesale, energy, manufacturing, healthcare, and software development, the group has used at least five more CLFS exploits. Organizations are advised to apply the recommended security updates on their Windows systems. They should also employ tools with behavior-based detection capabilities that automatically detect such malware early in the attack chain and prevent its execution.

5. Color1337 cryptojacking attack targets Linux servers

Linux machines have been targeted by a cryptojacking campaign that is believed to have started in Romania. The Color1337 campaign uses a botnet to mine Monero, and it can spread to more machines on the network. The attackers, going by the name ElPatrono1337, allegedly used an SSH brute-force attack to initially enter the targeted network. The compromised computer executes a shell script called uhQCCSpB that was obtained from the attacker-controlled infrastructure.

The uhQCCSpB script, when run, enables attackers to carry out additional commands on the infected machine. If the computer has more than four cores, the script uses the FastAndSteady function, which installs the Monero miner diicot, optimized to use the resources of the infected machine for cryptomining. Furthermore, it also leverages Discord features to disguise its malicious communication, making it challenging to monitor and trace. This emphasizes the significance of constantly monitoring network traffic and exposed resources for any malicious activity.

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
