SISA Weekly Threat Watch – October 17th, 2022
SISA’s weekly series on threat advisories offers a quick snapshot of top security vulnerabilities and exploits, to help organizations stay up-to-date with the evolving threat landscape. The advisories also provide relevant information and recommendations to help them take preventive actions against the latest and critical threats.
Organizations can also opt-in for our free daily threat advisories by subscribing here.
The advisories this week share a familiar pattern: attackers keep refining their malware and reworking their attack infrastructure, and they lean on newly disclosed or still-unpatched vulnerabilities across several platforms to get in. Multi-purpose malware and novel infiltration techniques of this kind frequently slip past the security teams of many organizations. The week also brought signs of new threat groups running more polished cybercrime operations and platforms to breach organizations' defenses.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest and most critical threats.
1. Lazarus threat group exploiting Dell drivers for rootkit installation
ESET has attributed a recent spear-phishing campaign that installs a Windows rootkit through a signed Dell hardware driver to the North Korean state-sponsored Lazarus group. The campaign delivers a range of malicious tools, including HTTP(S) uploaders, HTTP(S) downloaders, fully functional HTTP(S) backdoors, loaders, and droppers. To get into the kernel, Lazarus uses the Bring Your Own Vulnerable Driver (BYOVD) technique: the malware carries a legitimately signed but vulnerable version of the Dell dbutil driver, loads it, and then exploits the driver's flaw to read and write kernel memory, which is what the rootkit needs.
ESET's researchers also found that Lazarus deployed its custom HTTP(S) backdoor BLINDINGCAN (also tracked as ZetaNile), which supports 25 commands covering file manipulation, command execution, C2 configuration, screenshot capture, starting and stopping processes, and collection of system information. Dell has since released a fixed version of the driver, but that does not remove the risk: the old, vulnerable build still carries a valid signature and will load on a fully patched machine unless something blocks it, which is exactly what BYOVD relies on. Organizations are advised to watch for unusual driver installations and to monitor loads of any driver known to be abusable in BYOVD attacks rather than trusting a driver simply because it is legitimately signed; on Windows, enforcing Microsoft's vulnerable driver blocklist (through HVCI or a WDAC policy) stops known-bad drivers before they load.
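The monitoring advice above is easier to act on with a concrete rule. The following is an added example (not ESET's, Dell's or SISA's code) that scores Sysmon Event ID 6 driver-load records: a BYOVD driver passes the signature check by design, so the detector also keys on a known-vulnerable hash list and on the load path. The sample events are constructed, and the SHA256 values are placeholders rather than real driver hashes.

```python
"""Flag suspicious kernel-driver loads in Sysmon Event ID 6 (DriverLoad) records.

Added example, not ESET's or SISA's code. The events below are constructed
sample data and the SHA256 values are placeholders, not real driver hashes.
"""
import re
from dataclasses import dataclass

# SHA256 -> description of drivers known to be exploitable for BYOVD. In
# production, feed this from a vetted source such as Microsoft's vulnerable
# driver blocklist; the entry here is a placeholder hash for illustration.
KNOWN_VULNERABLE_SHA256 = {
    "a" * 64: "Dell dbutil_2_3.sys (placeholder hash)",
}

# Locations from which a properly installed driver is normally loaded.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

SHA256_RE = re.compile(r"SHA256=([0-9a-f]{64})", re.IGNORECASE)


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signer: str
    signature_status: str


def parse_event(fields: dict) -> DriverLoad:
    """Normalize the fields of interest from a Sysmon DriverLoad event."""
    m = SHA256_RE.search(fields.get("Hashes", ""))
    return DriverLoad(
        image=fields["ImageLoaded"],
        sha256=m.group(1).lower() if m else "",
        signed=fields.get("Signed", "false").lower() == "true",
        signer=fields.get("Signature", ""),
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(ev: DriverLoad) -> list[str]:
    """Return the reasons a driver load looks suspicious; empty means clean.

    A BYOVD driver is validly signed, so the signature check never fires for
    it; the hash and load-path checks are the ones that catch it.
    """
    reasons = []
    if ev.sha256 in KNOWN_VULNERABLE_SHA256:
        reasons.append("known vulnerable driver: " + KNOWN_VULNERABLE_SHA256[ev.sha256])
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("unsigned or invalid signature")
    if not ev.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append("loaded from unusual path: " + ev.image)
    return reasons


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious driver image to its list of findings."""
    findings = {}
    for fields in events:
        ev = parse_event(fields)
        reasons = assess(ev)
        if reasons:
            findings[ev.image] = reasons
    return findings


# Constructed sample events in the shape of Sysmon Event ID 6 data.
SAMPLE_EVENTS = [
    {   # ordinary Microsoft driver from the normal location
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=" + "b" * 64,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # BYOVD: validly signed Dell driver dropped into a user-writable path
        "ImageLoaded": "C:\\Users\\Public\\dbutil_2_3.sys",
        "Hashes": "SHA256=" + "a" * 64,
        "Signed": "true", "Signature": "Dell Inc", "SignatureStatus": "Valid",
    },
    {   # unsigned driver sitting in the right directory
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\helper.sys",
        "Hashes": "SHA256=" + "c" * 64,
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS).items():
        print(image)
        for r in reasons:
            print("   -", r)
```

The path check is the cheap, high-value signal: a vendor driver that belongs in the driver store has no business loading from a user profile or a temp directory, whoever signed it.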
2. LilithBot malware and Eternity Project’s cybercrime operation
Zscaler's ThreatLabz research team has analyzed LilithBot, a multi-purpose malware bot sold on a subscription basis by the Eternity group. In this campaign the malware acts as a stealer, miner, clipper, and botnet client, and it uses fake certificates in an attempt to evade detection. The Eternity Project toolkit is offered as malware-as-a-service (MaaS) and is distributed through Tor.
LilithBot makes three requests to the host 77.73.133[.]12 on port 4545 (the address is defanged here; restore the dot before searching logs). The User-Agent string in these requests identifies the traffic as LilithBot. The second request is an API call that downloads a file according to the plugin settings held in 'admin_settings_plugin.json'. LilithBot can steal cookies, screenshots, images, and browser history from compromised systems. Organizations should search their network and endpoint telemetry for these IOCs and respond to any matching traffic or artifacts.
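A sweep for these indicators has two small traps: the published address is defanged, and the settings-file request may or may not go to the same host. The following is an added example (not Zscaler's or SISA's code) that refangs the C2 indicator and checks outbound proxy records against both the C2 address/port and the settings filename. The tab-separated record layout and the log lines are constructed for this example; only the C2 address, the port and the admin_settings_plugin.json filename come from the advisory.

```python
"""Sweep outbound proxy records for the LilithBot C2 indicators given above.

Added example, not Zscaler's or SISA's code. The tab-separated record format
and the log lines are constructed for this example; only the C2 address and
port and the admin_settings_plugin.json filename come from the advisory.
"""
from collections import defaultdict

C2_DEFANGED = "77.73.133[.]12:4545"          # as published (defanged)
PLUGIN_SETTINGS_FILE = "admin_settings_plugin.json"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its searchable form."""
    for old, new in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("hxxp", "http")):
        ioc = ioc.replace(old, new)
    return ioc


def parse_record(line: str) -> dict:
    """Parse one record: ts, src, dst, dport, method, url, user-agent (tab-separated)."""
    ts, src, dst, dport, method, url, ua = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
            "method": method, "url": url, "ua": ua}


def find_lilithbot_traffic(lines) -> dict:
    """Return {source host: [descriptions of matching requests]}.

    A request matches if it goes to the published C2 address and port, or if
    it fetches the plugin settings file, wherever that is fetched from.
    """
    c2_ip, c2_port = refang(C2_DEFANGED).rsplit(":", 1)
    c2_port = int(c2_port)
    hits = defaultdict(list)
    for rec in map(parse_record, lines):
        indicators = []
        if rec["dst"] == c2_ip and rec["dport"] == c2_port:
            indicators.append("C2 address")
        if rec["url"].rsplit("/", 1)[-1] == PLUGIN_SETTINGS_FILE:
            indicators.append("plugin settings fetch")
        if indicators:
            hits[rec["src"]].append(
                f"{rec['ts']} {rec['method']} {rec['url']} [{', '.join(indicators)}]")
    return dict(hits)


# Constructed sample records: one infected host making its three requests,
# one clean host, and one host that only touches the settings file name.
# The URL paths on the C2 are invented for the sample, not observed paths.
SAMPLE_LOG = [
    "2022-10-12T08:00:01\t10.0.0.15\t77.73.133.12\t4545\tGET\thttp://77.73.133.12:4545/\tMozilla/5.0",
    "2022-10-12T08:00:02\t10.0.0.15\t77.73.133.12\t4545\tGET\thttp://77.73.133.12:4545/api/admin_settings_plugin.json\tMozilla/5.0",
    "2022-10-12T08:00:03\t10.0.0.15\t77.73.133.12\t4545\tPOST\thttp://77.73.133.12:4545/upload\tMozilla/5.0",
    "2022-10-12T08:00:04\t10.0.0.22\t203.0.113.10\t443\tGET\thttps://203.0.113.10/index.html\tMozilla/5.0",
    "2022-10-12T08:00:05\t10.0.0.30\t203.0.113.44\t80\tGET\thttp://203.0.113.44/files/admin_settings_plugin.json\tcurl/7.85",
]

if __name__ == "__main__":
    for host, requests in find_lilithbot_traffic(SAMPLE_LOG).items():
        print(f"{host}: {len(requests)} matching request(s)")
        for r in requests:
            print("   ", r)
```

A host matching on the C2 address is a confirmed hit; a host matching only on the filename (the third host in the sample) is worth a look but is a much weaker signal, since the name alone is not unique.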
3. Hundreds of Microsoft SQL servers backdoored with new malware
Security researchers have disclosed a new backdoor, named Maggie, that targets Microsoft SQL servers; hundreds of servers worldwide are already infected. Maggie is controlled entirely through SQL queries, which the operator uses to execute commands and interact with files. It can serve as a bridgehead inside the network and brute-force administrator logins on other Microsoft SQL servers.
Maggie also provides basic TCP redirection, which exposes any host the compromised MS-SQL server can reach to the remote attacker's requests. Given a thread count and a password-list file, its WinSockScan and SqlScan commands brute-force administrator passwords on other servers, and a hard-coded backdoor user is then added to each server it breaks into. The researchers who disclosed Maggie have published a list of IOCs for detecting it. Beyond checking those IOCs, organizations should review the logins and any non-standard extended stored procedures present on their SQL Server instances, keep instances off the public internet, and enforce strong passwords for the sa and other administrative logins.
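The brute-forcing described above is noisy on the receiving end: every guess lands in the target's SQL Server ERRORLOG as a "Login failed for user" line with the client address. The following is an added example (not the Maggie researchers' or SISA's code) that parses those lines and alerts on a client whose failures cluster inside a sliding window, distinguishing many guesses at one login from one password tried across many logins. The log lines are constructed but follow SQL Server's real message format; the window and threshold are assumptions to tune per environment.

```python
"""Detect MS-SQL login brute forcing from SQL Server ERRORLOG lines.

Added example, not the Maggie researchers' or SISA's code. The log lines are
constructed but follow SQL Server's real "Login failed for user" message
format; the window and threshold are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"
WINDOW = timedelta(seconds=60)   # assumption
THRESHOLD = 10                   # assumption: failures per client within WINDOW


def parse_failures(lines):
    """Yield (timestamp, login name, client IP) for each failed-login line."""
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["user"], m["client"]


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Return {client IP: summary} for clients whose failed logins reach
    `threshold` inside any sliding window of length `window`."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        by_client[client].append((ts, user))

    alerts = {}
    for client, events in by_client.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            users = sorted({u for _, u in events})
            alerts[client] = {
                "peak_failures_in_window": peak,
                "users": users,
                # many passwords for one login vs. one password across many logins
                "pattern": "password guessing" if len(users) <= 2 else "password spraying",
            }
    return alerts


def _sample_log():
    """Constructed ERRORLOG excerpt: a 12-attempt burst against 'sa' from one
    client, plus two mistyped passwords minutes apart from a legitimate user."""
    def stamp(t):
        return t.strftime(TS_FORMAT)[:-4]      # ERRORLOG prints two fractional digits
    lines = []
    t0 = datetime(2022, 10, 10, 9, 15, 0)
    for i in range(12):
        ts = stamp(t0 + timedelta(seconds=2 * i))
        lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password did not "
                     f"match that for the login provided. [CLIENT: 10.20.30.40]")
    for minutes in (0, 7):
        ts = stamp(datetime(2022, 10, 10, 11, 0, 0) + timedelta(minutes=minutes))
        lines.append(f"{ts} Logon       Login failed for user 'reporting_user'. Reason: Password "
                     f"did not match that for the login provided. [CLIENT: 10.0.0.5]")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG).items():
        print(client, info)
```

Run against logs from every instance, not just the one you suspect: a client address that shows up as the source of bursts on several servers is behaving exactly like the bridgehead the advisory describes.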
4. Microsoft fixes Windows vulnerability exploited in the wild
CVE-2022-41033, an elevation-of-privilege vulnerability in the Windows COM+ Event System Service, is being exploited in the wild and was fixed in Microsoft's October Patch Tuesday release. The same release addresses another elevation-of-privilege flaw that could give an attacker control over Kubernetes clusters connected to Azure Arc. The COM+ Event System Service runs by default and is responsible for distributing system event notifications, including logons and logoffs.
An attacker who already has a foothold on a machine as a guest or standard user can use the flaw to obtain SYSTEM privileges and do anything on that host. It affects both Windows client and Windows Server releases, so it matters particularly to businesses whose infrastructure depends on Windows Server. Because exploitation has already been observed, the October updates should be applied as soon as possible. Azure Arc and Azure Stack Edge users should also make sure auto-upgrade is enabled so they do not miss the corresponding fixes.
5. The Caffeine Phishing-as-a-Service platform
Researchers have discovered a new phishing-as-a-service (PhaaS) platform called "Caffeine". It has an easy-to-use interface, is reasonably priced, and gives its criminal customers a broad set of capabilities and tools for planning and automating the main components of their phishing campaigns. The Caffeine website is open to anyone: an account can be created without providing much personal information and without any external vetting, such as a referral from an existing Caffeine user.
A Caffeine customer still has to host the phishing kit somewhere; the observed operators did so by compromising web-administrator accounts, exploiting flaws in the platforms and technologies behind web infrastructure, and abusing misconfigured web applications. To avoid becoming the unwitting host of such a campaign, it is recommended to conduct routine web log analysis to find anomalous traffic behaviour and to periodically re-evaluate password and credential-reset policies.
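"Routine web log analysis" is only useful if you know what a hosted kit looks like in the log. The following is an added example (not Mandiant's or SISA's code) that reads access-log lines in Apache/nginx combined format and reports three signals a site owner would want: server-side scripts appearing under directories that should be static, one such page receiving POSTs from many distinct clients (victims submitting credentials), and a single client hammering the admin login page (how the kit usually gets there). The log lines are constructed, and the directory list and thresholds are assumptions to adjust for the site being monitored.

```python
"""Look for signs of a hosted phishing kit in a web server's access log.

Added example, not Mandiant's or SISA's code. The log lines are constructed
in Apache/nginx combined format; the directory list and thresholds are
assumptions to adjust for the site being monitored.
"""
import re
from collections import defaultdict

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UPLOAD_DIRS = ("/wp-content/uploads/", "/media/", "/files/")   # static-only (assumption)
ADMIN_LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php", "/admin/login")
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".phar")
MIN_DISTINCT_POSTERS = 5     # assumption: distinct victims posting to one kit page
MAX_ADMIN_POSTS = 20         # assumption: login POSTs per client before alerting


def parse(lines):
    for line in lines:
        m = COMBINED_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(lines) -> dict:
    """Three signals of a compromised site being used for phishing:
    1. server-side scripts living under directories that should be static;
    2. one page under those directories receiving POSTs from many clients;
    3. one client hammering an admin login page."""
    scripts = set()
    posters = defaultdict(set)      # path -> client IPs that POSTed to it
    admin_posts = defaultdict(int)  # client IP -> POSTs to admin login pages
    for r in parse(lines):
        path = r["path"].split("?", 1)[0]
        in_uploads = path.startswith(UPLOAD_DIRS)
        if in_uploads and path.lower().endswith(SCRIPT_SUFFIXES):
            scripts.add(path)
        if r["method"] == "POST":
            if in_uploads:
                posters[path].add(r["ip"])
            elif path in ADMIN_LOGIN_PATHS:
                admin_posts[r["ip"]] += 1
    return {
        "script_in_upload_dir": sorted(scripts),
        "credential_sink": {p: len(ips) for p, ips in posters.items()
                            if len(ips) >= MIN_DISTINCT_POSTERS},
        "admin_login_bruteforce": {ip: n for ip, n in admin_posts.items()
                                   if n >= MAX_ADMIN_POSTS},
    }


def _sample_log():
    """Constructed combined-format lines: normal browsing, a login brute force,
    and six victims posting to a kit page under the uploads directory."""
    def line(ip, method, path, status, referer="-"):
        return (f'{ip} - - [12/Oct/2022:09:15:00 +0000] "{method} {path} HTTP/1.1" '
                f'{status} 512 "{referer}" "Mozilla/5.0"')
    kit = "/wp-content/uploads/2022/10/secure/verify.php"
    lines = [line("203.0.113.5", "GET", "/", 200),
             line("203.0.113.6", "GET", "/wp-content/uploads/2022/10/photo.jpg", 200)]
    lines += [line("198.51.100.7", "POST", "/wp-login.php", 200) for _ in range(25)]
    for i in range(1, 7):
        lines.append(line(f"192.0.2.{i}", "GET", kit + "?id=" + str(i), 200))
        lines.append(line(f"192.0.2.{i}", "POST", kit, 302, referer="https://example.com" + kit))
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for signal, value in analyze(SAMPLE_LOG).items():
        print(f"{signal}: {value}")
```

The first signal is the cheapest to act on: a web server configured to never execute scripts from its upload directories removes the hosting option the kits depend on, whether or not the admin credentials were stolen.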
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.