    Date: 02/15/2023

    GoAnywhere Vulnerability Exploitation by Ransomware Actors

    Overview

    Recently the Clop ransomware group has claimed to have stolen data from multiple organizations by exploiting CVE-2023-0669, a pre-authentication command injection (via deserialization of attacker-controlled data) in the License Response Servlet of Fortra's GoAnywhere MFT managed file transfer product. Exploitation yields remote code execution on the MFT server whenever the administrative console is reachable. The risk is greatest when that console is exposed to the Internet, but the vulnerability can also be exploited from any internal system with network visibility to the administrative console (by default ports 8000 and 8001). Fortra's advisory notes that the attack vector requires access to the administrative console, not the file-transfer interface used by trading partners.

    Potential Impact

    The impact is significant: exploitation gives attackers code execution on the server that stores and relays the organization's transferred files, from which they can steal that data from unpatched systems and launch attacks against internal systems aiming to encrypt files. Note that the Clop claims to date concern data theft, so the absence of encrypted files is not evidence that an exposed, unpatched instance was untouched.

    Recommended Actions

    Fortra has released a fix: upgrade to GoAnywhere MFT 7.1.2 (the fixed version is 7.1.2, not 7.12). Fortra's interim workaround before the patch was to remove the License Response Servlet entry from the administrative console's web.xml and restart the service; instances that applied only the workaround should still be upgraded. Because this is a pre-authentication flaw, treat any instance whose console was reachable from an untrusted network as potentially compromised: review the console's audit logs for unexpected administrative or web user accounts, and rotate the credentials, keys and certificates the instance holds for trading partners. It is also recommended that vulnerability assessments are performed regularly to remove public access to risky or unnecessary services and to ensure patches are being applied promptly. Furthermore, systems should be protected and monitored with an Endpoint Detection & Response platform.
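    The two checks a practitioner would run while scoping this issue, as an added example (this is illustrative code written for this briefing, not Fortra's tooling): a numeric version comparison against 7.1.2, which is where the "7.12" confusion bites a naive string compare, and a parse of the admin console's web.xml to confirm the License Response Servlet and its /lic/accept mapping are gone. The sample web.xml documents below are constructed to show the shape of the check; the servlet-class names in them are placeholders, not GoAnywhere's real class names.

```python
"""Scope CVE-2023-0669 on a GoAnywhere MFT install (illustrative, not vendor code).

  1. Is the installed version below the fixed release, 7.1.2?
  2. Does the admin console's web.xml still declare the License Response
     Servlet or map anything to /lic/accept (the pre-patch workaround removed
     both entries)?
"""
import xml.etree.ElementTree as ET

FIXED_VERSION = (7, 1, 2)
SERVLET_NAME = "License Response Servlet"
SERVLET_PATH = "/lic/accept"


def parse_version(text: str) -> tuple:
    """'7.1.1' -> (7, 1, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def needs_patch(version: str) -> bool:
    """True when the version sorts below 7.1.2 numerically (tuple compare,
    so '7.1.10' is correctly newer than '7.1.2')."""
    return parse_version(version) < FIXED_VERSION


def license_servlet_mapped(web_xml: str) -> bool:
    """True if web.xml still contains a <servlet> or <servlet-mapping> whose
    servlet-name is the License Response Servlet, or any url-pattern of
    /lic/accept. Works with or without the Java EE XML namespace."""
    root = ET.fromstring(web_xml)

    def local(tag: str) -> str:          # strip '{namespace}' prefix
        return tag.rsplit("}", 1)[-1]

    for el in root.iter():
        if local(el.tag) not in ("servlet", "servlet-mapping"):
            continue
        for child in el:
            text = (child.text or "").strip()
            if local(child.tag) == "servlet-name" and text == SERVLET_NAME:
                return True
            if local(child.tag) == "url-pattern" and text == SERVLET_PATH:
                return True
    return False


# Constructed samples shaped like a Java EE web.xml; class names are placeholders.
UNMITIGATED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>License Response Servlet</servlet-name>
    <servlet-class>com.example.PlaceholderLicenseServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>License Response Servlet</servlet-name>
    <url-pattern>/lic/accept</url-pattern>
  </servlet-mapping>
</web-app>
"""

MITIGATED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>Other Servlet</servlet-name>
    <servlet-class>com.example.PlaceholderOtherServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>Other Servlet</servlet-name>
    <url-pattern>/other</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    for v in ("7.0.3", "7.1.1", "7.1.2", "7.1.10"):
        print(v, "needs patch" if needs_patch(v) else "patched")
    print("unmitigated web.xml still maps servlet:",
          license_servlet_mapped(UNMITIGATED_WEB_XML))
    print("mitigated web.xml still maps servlet:",
          license_servlet_mapped(MITIGATED_WEB_XML))
```

    To run the second check against a real install, read the file from the admin console's WEB-INF directory and pass its contents to license_servlet_mapped(); a True result on a host that has not yet been upgraded means the vulnerable endpoint is still reachable.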


      Malicious Google Ads

      Overview

      A recent phishing campaign targeted Amazon Web Services (AWS) logins by abusing Google Ads to place a phishing page near the top of Google Search results, directly below Amazon's own promoted result. More generally, and not specific to Amazon, GreyCastle Security has observed compromises that began with a user clicking a malicious ad becoming more common in recent years.

      Potential Impact

      Interacting with a malicious ad will typically redirect the end user to a legitimate-looking login page that prompts for credentials and sometimes for the second authentication factor, such as a one-time passcode. A code typed into such a page can be relayed to the real service in real time, so a phishing site of this kind defeats passcode-based MFA. Malicious ads can also lead to malware downloads, resulting in end-user device compromise and a foothold from which to execute network-wide attacks.

      Recommended Actions

      User awareness is the most effective defense against users interacting with malicious ad content; training users to reach login portals through bookmarks rather than search results removes the ad from the path entirely. Content filtering may block access to a malicious site, though it will not be 100% effective, and ad blocking in managed browsers reduces exposure further. Organizations should encourage and, where possible, enforce multi-factor authentication, preferring phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), which bind the login to the legitimate site's origin and so cannot be relayed by a lookalike page. Additionally, systems should be protected and monitored with an Endpoint Detection & Response platform to enable quick response to a potentially compromised endpoint.

      Sources

      https://www.bleepingcomputer.com/news/security/malicious-google-ads-sneak-aws-phishing-sites-into-search-results/

      OpenSSL Patches Several Vulnerabilities

      Overview

      On February 7, 2023, OpenSSL released an advisory covering "one high and seven moderate severity fixes." The fixed releases are OpenSSL 3.0.8, 1.1.1t and 1.0.2zg (the 1.0.2 branch is available only to premium support customers).

      Potential Impact

      The ubiquity of OpenSSL in operating systems and applications makes any significant OpenSSL vulnerability worth noting. The single High-severity issue is CVE-2023-0286, a type confusion in the handling of X.400 addresses inside an X.509 GeneralName that can be triggered during CRL checking and may allow memory disclosure or denial of service; it affects all supported branches but is most likely to matter for applications that implement their own CRL retrieval over a network. The moderate-severity CVE-2022-4203, a read buffer overrun in X.509 name constraint checking (OpenSSL 3.0 only), is also notable because OpenSSL states it could in theory lead to "disclosure of private memory contents (such as private keys, or sensitive plaintext)." Because the overrun occurs during certificate chain verification, a TLS client is exposed when it connects to a malicious server; a TLS server that requests client certificates is exposed as well when a malicious client connects, so the issue is limited to clients only for servers that do not request client authentication. OpenSSL also reports that it is not aware of a working exploit for this vulnerability.

      Recommended Actions

      Ensure that operating systems are patched in a timely manner. If you develop or ship applications that bundle OpenSSL (statically linked binaries, container images, vendored copies), update those copies as well, since OS patching does not reach them; use the OpenSSL advisory linked below to determine the fixed version for each branch in use.
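      An inventory check for this advisory, as an added example that is not part of the original briefing or of OpenSSL's own tooling: it classifies an OpenSSL version string against the fixed releases named in the advisory (3.0.8, 1.1.1t, 1.0.2zg), handling the lettered patch suffixes of the 1.x branches (a..z, then za..zz) that a plain string compare gets wrong, and reports the status of the OpenSSL the running Python interpreter is linked against. Branches not covered by the advisory's table are reported as unknown rather than guessed at.

```python
"""Classify OpenSSL versions against the 7 Feb 2023 advisory (illustrative code).

Fixed releases per that advisory: 3.0.8, 1.1.1t, 1.0.2zg.  Any other branch
is reported as 'unknown-branch' and must be checked against the advisory
directly rather than assumed safe.
"""
import re
import ssl

FIXED = {"3.0": "3.0.8", "1.1.1": "1.1.1t", "1.0.2": "1.0.2zg"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def parse(version: str) -> tuple:
    """'1.0.2zg' -> (1, 0, 2, 33).

    The 1.x branches append patch letters a..z and then za..zz.  Summing the
    letter positions (a=1 .. z=26) gives 'z'=26, 'za'=27, ..., 'zz'=52, which
    matches OpenSSL's release order; no suffix is 0.  (Assumes the suffix
    follows that scheme, which is true of every released 1.x version.)
    """
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letters = m.groups()
    suffix = sum(ord(ch) - ord("a") + 1 for ch in letters)
    return (int(major), int(minor), int(patch), suffix)


def branch(v: tuple) -> str:
    """Release series the advisory keys on: 3.x by major.minor,
    1.x by major.minor.patch (1.1.1 and 1.0.2 are separate branches)."""
    return f"{v[0]}.{v[1]}" if v[0] >= 3 else f"{v[0]}.{v[1]}.{v[2]}"


def status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown-branch' for this advisory."""
    v = parse(version)
    b = branch(v)
    if b not in FIXED:
        return "unknown-branch"
    return "fixed" if v >= parse(FIXED[b]) else "vulnerable"


def linked_openssl_status() -> tuple:
    """(version, status) for the OpenSSL this interpreter is linked against.
    LibreSSL or other libraries produce 'unknown-branch' or 'unparsed'."""
    m = re.search(r"\d+\.\d+\.\d+[a-z]*", ssl.OPENSSL_VERSION)
    ver = m.group(0) if m else ssl.OPENSSL_VERSION
    try:
        return ver, status(ver)
    except ValueError:
        return ver, "unparsed"


if __name__ == "__main__":
    # Constructed inventory of version strings, not data from any real host.
    for v in ("3.0.7", "3.0.8", "1.1.1s", "1.1.1t", "1.0.2z", "1.0.2zf", "1.0.2zg"):
        print(f"{v:10} {status(v)}")
    print("this interpreter:", *linked_openssl_status())
```

      Feed it the output of `openssl version` from each host, or the version reported by your package manager or SBOM; a result of fixed for the system library says nothing about statically linked copies inside application binaries, which need their own entry in the inventory.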

      Sources

      https://www.openssl.org/news/secadv/20230207.txt

      Qakbot Spreads Through Malicious OneNote Documents

      Overview

      Researchers at Sophos published a report on February 6, 2023, describing the spread of Qakbot malware through malicious OneNote (.one) files. The report describes spam campaigns in which the malware injects malicious attachments into existing email conversations harvested from compromised hosts (thread hijacking, so the message arrives as a reply from a known contact) or sends malicious links in impersonal spam messages. The spam campaigns began on January 31, 2023.

      Indicators:

      The malicious attachments analyzed by Sophos were all named ApplicationReject_#####(Jan31).one or ComplaintCopy_#####(Feb01).one, where ##### is a random five-digit number. Emails from the spam campaigns all used the recipient's last name in the subject line.

      Potential Impact

      A Qakbot infection gives attackers control of the infected host and is commonly a precursor to hands-on-keyboard intrusion; Qakbot access has been used by several major ransomware groups.

      Recommended Actions

      Search email systems for the indicators referenced above (the attachment name patterns, and OneNote attachments generally, which are rare in most organizations), and consider including this information in end-user security training efforts. Where OneNote attachments have no business use, block .one attachments at the mail gateway.
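      The mailbox search described above as triage logic, added here as an example that is not from the Sophos report or from the original briefing: it matches attachment names against the two reported patterns, flags any other .one attachment as a weaker signal, and checks whether the subject line contains the recipient's last name. The messages below are constructed for the example, and the last-name extraction assumes first.last@domain addresses, which is a simplification you would replace with a directory lookup in practice.

```python
"""Triage mail for the Qakbot OneNote indicators in the Sophos report (illustrative code).

Strong indicator: attachment named ApplicationReject_#####(Jan31).one or
ComplaintCopy_#####(Feb01).one (##### = five digits).
Weak indicators: any other .one attachment; subject containing the
recipient's last name.
"""
import re

KNOWN_ATTACHMENT_RE = re.compile(
    r"^(ApplicationReject_\d{5}\(Jan31\)|ComplaintCopy_\d{5}\(Feb01\))\.one$",
    re.IGNORECASE,
)
ANY_ONENOTE_RE = re.compile(r"\.one$", re.IGNORECASE)

# Constructed sample messages; not taken from any real mailbox or from Sophos.
MESSAGES = [
    {"id": 1, "to": "alice.nguyen@example.com", "subject": "Nguyen",
     "attachments": ["ApplicationReject_48213(Jan31).one"]},
    {"id": 2, "to": "bob.okafor@example.com", "subject": "Okafor - copy of complaint",
     "attachments": ["ComplaintCopy_00917(Feb01).one"]},
    {"id": 3, "to": "carol.smith@example.com", "subject": "Q1 budget",
     "attachments": ["budget.xlsx"]},
    {"id": 4, "to": "dan.lee@example.com", "subject": "Meeting notes",
     "attachments": ["notes.one"]},
    {"id": 5, "to": "eve.park@example.com", "subject": "Park",
     "attachments": ["agenda.one"]},
]


def last_name(address: str) -> str:
    """Assumes first.last@domain (sample data); returns '' if no dot."""
    local = address.split("@", 1)[0]
    return local.rsplit(".", 1)[-1] if "." in local else ""


def triage(msg: dict) -> list:
    """Return the list of indicator hits for one message."""
    hits = []
    for name in msg.get("attachments", []):
        if KNOWN_ATTACHMENT_RE.match(name):
            hits.append(f"known Qakbot attachment name: {name}")
        elif ANY_ONENOTE_RE.search(name):
            hits.append(f"OneNote attachment: {name}")
    ln = last_name(msg["to"])
    if ln and re.search(rf"\b{re.escape(ln)}\b", msg["subject"], re.IGNORECASE):
        hits.append("subject contains recipient last name")
    return hits


def score(msg: dict) -> str:
    """high: reported attachment name; medium: two weak hits; low: one; none."""
    hits = triage(msg)
    if any(h.startswith("known Qakbot") for h in hits):
        return "high"
    if len(hits) >= 2:
        return "medium"
    return "low" if hits else "none"


if __name__ == "__main__":
    for m in MESSAGES:
        print(m["id"], score(m), "; ".join(triage(m)))
```

      Run over an export of inbound mail metadata (recipient, subject, attachment names) for the period from January 31, 2023 onward; anything scored high should be pulled from mailboxes and the recipient's endpoint checked for execution, while medium hits are worth a manual look because the lure template can change faster than the file-name pattern.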

      Sources

      https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/

      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.

