SISA Weekly Threat Watch – November 28th, 2022

Genuine services such as Google Ads, Amazon RDS, GitHub, OneDrive, and VMware are being abused by multiple threat groups in order to remain hidden and steal information. Depending on the nature of the information exposed, adversaries could either steal the data for financial gain or leverage it to gain a better understanding of a company’s IT environment, which could then serve as a steppingstone for covert intelligence gathering efforts.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. KmsdBot malware hijacking systems for mining Crypto and launch DDoS attacks

A new evasive and complex malware named KmsdBot is targeting the SSH connection that uses weak login credentials. The Golang-based malware has been discovered to attack a variety of businesses, including gaming, luxury car brands, and security firms. KmsdBot has the ability to download a list of login credentials in order to spread itself and scan for open SSH ports. It can start DDoS attacks and cryptominers.

A client binary is included that communicates with the C2 server, controls the mining operation, and updates the malware. Another binary seems to carry out additional attack operations in addition to cryptomining operations. To evade detection, it does not persist on the infected system and deletes itself upon restart. Two-step verification (also known as two factor authentication or 2FA) is a highly recommended security feature to add an extra layer of protection. Using public key authentication to secure your SSH connections is also one of the most effective defenses against system compromise of this kind.

2. Hundreds of Amazon RDS instances expose PII

In a recent discovery, it was found that scores of Amazon Relational Database Service (RDS) databases are being exposed monthly, with substantial Personally Identifiable Information (PII) leakage, including names, email addresses, phone numbers, dates of birth, marital status, car rental information, and even company logins. This provides a potential treasure trove for threat actors — either during the reconnaissance phase of the cyber kill chain or extortion ware/ransomware campaigns.

According to research carried out by the Israeli company, Mitiga, it is found that 810 snapshots were publicly shared for varying duration. AWS Config can be used to get visibility of your environment. This tool allows you to manage rules and get your environment state based on these rules. It is recommended to add rds-snapshots-public-prohibited rule which checks if there are RDS snapshots that are public. Additionally, avoid giving unnecessary permissions, a best-practice known as “least-privilege permissions”.

3. $100M from over 1,300 victims extorted by Hive Ransomware Crook

From June 2021 through at least November 2022, threat actors have used Hive ransomware-as-a-service (RaaS) to target a wide range of businesses to extort $100M from around 1,300 companies. Hive’s RaaS model involves developers, who create, maintain, and update the malware, and affiliates, who are responsible for conducting the attacks on target networks by often purchasing initial access from initial access brokers (IABs). By using the stolen single factor logins, they gain initial access to victim networks via Remote Desktop Protocol (RDP), virtual private networks (VPNs), other remote network connection protocols. 

In most cases, gaining a foothold involves the exploitation of ProxyShell flaws in Microsoft Exchange Server, followed by taking steps to terminate processes associated with antivirus engines and data backups to facilitate file encryption. To avoid being victim to such attacks, it is recommended to implement time-based access for accounts set at the admin level and higher and implement Restrict Server Message Block (SMB) Protocol within the network to only access necessary servers and remove or disable outdated versions of SMB.

4. APT actors compromise Federal Agency using Log4Shell exploit

In a joint cybersecurity advisory, it has been revealed that an attacker, suspected to be sponsored by the Iranian government, broke into the network of Federal Civilian Executive Branch (FCEB) and used their access to mine cryptocurrency and steal credentials. A bi-directional traffic between the network and a known malicious IP address was observed which is linked to the exploitation of the Log4Shell vulnerability (CVE-2021-44228) in VMware Horizon servers.

A https activity was noticed from a malicious Server IP, and it was found to be a Lightweight Directory Access Protocol (LDAP) server used to exploit Log4Shell. The exclusion rule allowlisted the entire c:drive, enabling threat actors to download tools to the c:drive without virus scans. It is recommended to install updated builds to ensure the affected VMware Horizon and UAG systems are updated to the latest version. For identity and access management (IAM), use best practices such as phishing resistant Multi-Factor Authentication (MFA), strong passwords, and regular auditing of administrator accounts and permissions

5. Microsoft warns of hackers using Google Ads to distribute Royal ransomware

Google Ads are being used by a growing threat activity cluster in one of its campaigns to spread various post-compromise payloads, including the newly discovered Royal ransomware. Microsoft is tracking the group as DEV-0569 after discovering the updated malware delivery technique in late October 2022. The gang is constantly advancing its evasion strategies, post-compromise payload delivery, and ransomware facilitation, the paper says, which explains how DEV-0569 attacks are evolving.

The group provided downloader links to its victims in the form of simple programmes like Microsoft Teams, Zoom, Adobe Flash Player, AnyDesk, or LogMeIn between August and October. The next stage payloads, such as the Royal ransomware and Cobalt Strike Beacon implant, are dropped using the malware downloader BatLoader (through PowerShell commands). To prevent connections to dangerous domains and IP addresses, it is recommended to enable network protection. Reducing local administrative rights can also prevent the installation of RATs and other unwanted applications.