Get Help Now
CONTACT US

RESOURCES  >   THREAT INTEL BRIEFINGS

Date: 3/28/2022

North Korean Hackers Target Software Vendors via Chrome Zero-Day Vulnerability

Overview

Google has released a report identifying two North Korean government hacking campaigns that exploited a Google Chrome 0-day.

Potential Impact

To date, this campaign targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.

Anyone who clicked on the links sent in the email would be served a hidden iframe that would trigger the exploit kit.

The fake domains included disneycareers[.]net, find-dreamjob[.]com, indeedus[.]org, varietyjob[.]com, ziprecruiters[.]org. The exploitation URLs were https[:]//colasprint[.]com/about/about.asp and https[:]//varietyjob[.]com/sitemap/sitemap.asp.

Depending on whether an unknown set of requirements were met, the victim served a Chrome remote code execution exploit and some additional javascript.

Recommended Actions

Apply Google Stable Channel Update, February 14, 2022, found here: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html

Sources
https://therecord.media/north-korean-hackers-target-employees-of-news-outlets-software-vendors-and-more-through-chrome-vulnerability/?utm_campaign=cyber-daily&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-8LJhWE-WknLiPRhZkS0qrWF9S-9fviB3bReINOoXlrB1W4Sfe4Tv2P4N3NLnvp4eVPRQAP

Okta Updates on Lapsus$ Group (aka DEV-0537) Security Incident It Incurred

Overview

Okta says 366 corporate customers, or about 2.5% of its customer base, were impacted by a security breach that allowed hackers to access the company’s internal network.

The authentication giant admitted the compromise after the Lapsus$ hacking and extortion group posted screenshots of Okta’s apps and systems on Monday, some two months after the hackers first gained access to its network.

The breach was initially blamed on an unnamed subprocessor that provides customer support services to Okta. In an updated statement on Wednesday, Okta’s chief security officer David Bradbury confirmed the subprocessor is a company called Sykes, which last year was acquired by Miami-based contact center giant Sitel.

Initially, the company believed screenshots connected with the breach claim are related to a January security incident where Okta “detected an attempt to compromise the account of a third-party customer support engineer working for one of our sub-processors,” the company said in a statement. A sub-processor investigated and contained the January incident.

Lapsus$ has also claimed responsibility for alleged breaches at Nvidia in February and Microsoft on Monday. The group claimed to have accessed source code for Bing, Bing Maps and Cortana, according to screenshots from the group’s official Telegram channel posted on Twitter by research group vx-underground, which shares malware source code and samples

The company was one of many caught by the Log4j vulnerability, which impacted customer agent products, the company said in a December statement. Okta deployed mitigations and patches for components of its identity service that used Log4j shortly after initial disclosure and continued to track subsequently disclosed vulnerabilities associated with the Java-based logging utility. 

Potential Impact

Companies exposed could have incurred a data leak, potential credential theft and ransomware. 

Details include:

  • DEV-0537 uses a variety of methods that are typically focused on compromising user identities to gain initial access to an organization including:
  • Deploying the malicious Redline password stealer to obtain passwords and session tokens
  • Purchasing credentials and session tokens from criminal underground forums
  • Paying employees at targeted organizations (or suppliers/business partners) for access to credentials and MFA approval
  • Searching public code repositories for exposed credentials
  • Using the compromised credentials and/or session tokens, DEV-0537 accesses internet-facing systems and applications. These systems most commonly include virtual private network (VPN), remote desktop protocol (RDP), virtual desktop infrastructure (VDI) including Citrix, or identity providers (including Azure Active Directory, Okta). For organizations using MFA security, DEV-0537 used two main techniques to satisfy MFA requirements–session token replay and using stolen passwords to trigger simple-approval MFA prompts hoping that the legitimate user of the compromised account eventually consents to the prompts and grants the necessary approval. In some cases, DEV-0537 first targeted and compromised an individual’s personal or private (non-work-related) accounts giving them access to then look for additional credentials that could be used to gain access to corporate systems. Given that employees typically use these personal accounts or mobile phone numbers as their second-factor authentication or password recovery, the group would often use this access to reset passwords and complete account recovery actions.
  • Microsoft also found instances where the group successfully gained access to target organizations through recruited employees (or employees of their suppliers or business partners).
General Recommended Actions
  • Strengthen MFA implementation
  • Multifactor authentication (MFA) is one of the primary lines of defense against DEV-0537. While this group attempts to identify gaps in MFA, it remains a critical pillar in identity security for employees, vendors, and other personnel alike. 
  • Do:
  • Require MFA for all users coming from all locations including perceived trusted environments.
  • Leverage more secure implementations such as FIDO Tokens, or Microsoft Authenticator with number matching. 
  • Use Azure AD Password Protection to ensure that users aren’t using easily guessed passwords. 
  • Leverage passwordless authentication methods such as Windows Hello for Business, Microsoft Authenticator, or FIDO tokens.
  • Implement user and sign-in risk-based policies that block high impact user actions like device enrollment and MFA registration.
  • Break glass accounts should be stored offline and not be present in any sort of online password vaulting solution.
  • Use automated reports and workbooks such as Azure Monitor workbooks for reports for detailed analysis on risk distribution, risk detection trends, and opportunities for risk remediation.
  • Remind employees that enterprise or workplace credentials should not be stored in browsers or password vaults Turn on cloud-delivered protection 
  • Leverage modern authentication options for VPNs
  • VPN authentication should leverage modern authentication options such as OAuth or SAML connected to Azure AD to enable risk-based sign-in detection. 
  • Strengthen and monitor your cloud security posture
  • DEV-0537 leverages legitimate credentials to perform malicious actions against customers. Since these credentials are legitimate, some activity performed might seem consistent with standard user behavior. 
  • Improve awareness of social engineering attacks
  • Raise and improve awareness of social engineering tactics to protect your organization. Educate members of your technical team to watch out for and report any unusual contacts with colleagues. 
  • Embed a culture of security awareness in your organization 
  • Establish operational security processes in response to DEV-0537 intrusions secured with personal credentials
But Do Not:
  • Use weak MFA factors such as text messages (susceptible to SIM swapping), simple voice approvals, simple push (instead, use number matching), or secondary email addresses.
  • Include location-based exclusions. MFA exclusions allow an actor with only one factor for a set of identities to bypass the MFA requirements if they can fully compromise a single identity.
  • Allow credential or MFA factor sharing between users.
  • Finally, we advise organizations to follow very tight operational security practices when responding to an intrusion believed to be DEV-0537. Organizations should develop an out-of-band communication plan for incident responders that is usable for multiple days while an investigation occurs. Documentation of this response plan should be closely held and not easily accessible.

Sources

https://techcrunch.com/2022/03/23/okta-breach-sykes-sitel/
https://www.bleepingcomputer.com/news/security/okta-we-made-a-mistake-delaying-the-lapsus-hack-disclosure/ https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/

Hive ransomware operation converts VMware encryptor to Rust

Overview

Ransomware specifically targeting VMware ESXi platforms has been converted to the Rust programming language. This change has added both new features and new difficulties for security researches to investigate the technical aspects of the ransomware.

Potential Impact

The Hive Ransomware group specifically targets VMware ESXi platforms with Linux-based encryptors. Normally these have been written in the Golang programming language, however this has allowed for extensive reverse engineering and analysis. It seems that the conversion of these encryptors to the Rust programming language has increased the difficulty of analysis and increased the efficiency of the tool(s). Additionally, The Hive has dramatically increased its ability to conceal their payment negotiations by utilizing new scripts that victims must run in order to communicate with the ransomware group. 

Recommended Actions

The Hive is not the first ransomware group to begin converting to Rust and certainly will not be the last. Due to this organizations need to pay close attention to their Linux servers to detect signs of attacks. Although ransomware attacks follow well-known patterns, detecting (and preventing) attacks early in the attack chain is critical.

Sources
https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-linux-vmware-esxi-encryptor-to-rust/?&web_view=true

Russian Government exploring options for potential cyberattacks

Overview

What is the current or potential problem?
Last week’s announcement by President Biden on “our Nation’s Cybersecurity” that “the Russian Government is exploring options for potential cyberattacks” has gotten a great deal of media attention and has led to speculation about what attacks might be looming.

How do you know if you are vulnerable?
Determining if your organization is vulnerable is best done through a systematic, organized, and regular vulnerability assessments that evaluate all information assets.

Potential Impact

What is likelihood/impact?

Regardless of the origin of cyber-attacks, all organizations should consider the likelihood of cyber-attack to be high. Impact can range from small monetary losses to complete inability to continue business operations.

Recommended Actions

Perform vulnerability assessments, and develop a security plan with “SMART” goals: Specific, Measurable, Attainable, Relevant, and Time-Bound.  Commit to an incident response retainer with a reputable cybersecurity company, such as GreyCastle Security.  If attacks occur in a large wave, cybersecurity companies may need to adopt a “retainer-only” plan until the wave of attacks recedes.

Sources
https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/

Google Chrome Zero-day being actively exploited in the wild

Overview

A zero-day vulnerability was discovered in Google Chrome that is actively being exploited in the wild. This vulnerability is tracked as CVE-2022-1096.

Potential Impact

A previous zero-day vulnerability in Chrome (CVE-2022-0609) was observed to be exploited by nation state actors and a similar situation is likely with CVE-2022-1096. Technical details of exploits are not yet released by Google but successful exploitation will likely result in remote code execution. 

Recommended Actions

Ensure Chrome is updated to version 99.0.4844.84 or higher.

Sources
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html

FCC labels Kaspersky as risk to national security

Overview

The Federal Communications Commission (FCC) stated that Kaspersky, the Russian antivirus provider, is now blacklisted as it is an “unacceptable risk to national security.” The US Department of Homeland Security had previously banned the use of Kaspersky in 2017 and the German government recently warned its nation about using their products.

Potential Impact

As suggested by the BSI, Germany’s Federal office for Information Security, Russian authorities can force Kaspersky to carry out cyberattacks against their clients and utilize them for cyberespionage.  As a result, US companies are prohibited from purchasing Kaspersky’s products.

Recommended Actions

The Secure and Trusted Networks Act can exclude the use of equipment or from the Nation’s networks if it poses a threat to national security. To comply with this and the statement from the FCC, it is recommended that other antivirus providers are utilized to better ensure the safety of your network.  

Sources
Kaspersky blacklisted by FCC alongside China Telecom and China Mobile | ZDNet
US says Kaspersky poses unacceptable risk to national security (bleepingcomputer.com)

For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

For non-strategic clients, please reach out to your Advisor for further discussion.

Let’s Discuss Your Cybersecurity Needs

Contact Us

 

Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from Youtube
Vimeo
Consent to display content from Vimeo
Google Maps
Consent to display content from Google
Spotify
Consent to display content from Spotify
Sound Cloud
Consent to display content from Sound
Contact Us