The cybercriminal group behind the InterPlanetary Storm malware has released a new variant into the wild. The malware is building a botnet – which now consists of roughly 13,500 infected machines worldwide. You can find more about the IPS malware and its ongoing campaign below.
Microsoft 365: APT steals Office 365 data using OAuth2 / Hours-long outage
An APT known as TA2552 has been spotted using OAuth2 or other token-based authorization methods to access Office 365 accounts, in order to steal users’ contacts and mail.
OAuth is an open standard for access delegation, commonly used as a way for people to sign into services without entering a password – using signed-in status on another, trusted service or website. The most visible example might be the “Sign in with Google” or “Sign in with Facebook” that many websites use in lieu of asking visitors to create a new account.
According to researchers from Proofpoint, targets receive well-crafted lures asking them to click a link which carries them to the legitimate Microsoft third-party apps consent page.
“Once signed into their O365 (Office 365) account, the user is redirected to the official O365 consent process that prompts them to grant permissions to the actor’s application,” they explained. “The domains that catch the OAuth tokens are often registered via Namecheap and hosted on Cloudflare.”
In the case of this campaign, the malicious apps are asking for read-only access to the user’s contacts, profile and mail – all of which could be used to snoop around accounts, silently steal data or even intercept password reset messages from other accounts, like online banking. The ability to perform reconnaissance on an O365 account supplies an actor with valuable information that can later be weaponized in business email compromise (BEC) attacks or account takeovers…
Proofpoint researchers said that organizations worldwide have received messages, but TA2552 seems to favor Spanish speakers. The attack campaign regularly uses messages with Mexican tax and government themes. However, it has branched out to impersonate popular consumer brands, including Netflix and Amazon Prime Mexico.
Microsoft resolved an hours-long outage affecting its cloud services – in both the Azure Public and Azure Government clouds. The downtime started at approximately 21:25 UTC on Monday and affected users who were trying to log in to its various services, including Microsoft 365, Azure and Dynamics 365, as well as other custom applications that use Azure Active Directory (AAD) authentication.
“Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. Impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect,” said Microsoft.
The company has identified the likely culprits behind the whole situation. The root cause seems to be a combination of three separate and unrelated issues, including a code defect in a service update, a tooling error in the Azure AD safe deployment system, and a code defect in Azure AD’s rollback mechanism.
The situation shows that even giants such as Microsoft sometimes experience downtime. Under the shared responsibility model, however, that downtime is Microsoft’s concern. When it comes to Office 365 information, it is not Microsoft but the user who is responsible for data protection and should have an additional backup solution. Want some? Sign up for our beta test and get it for free!
InterPlanetary Storm botnet – almost 14k infected machines across 84 countries worldwide
A new variant of the InterPlanetary Storm malware – in addition to Windows and Linux machines – targets Mac and Android devices. It also comes with interesting detection-evasion tactics.
The malware spreads via brute force attacks on devices with Secure Shell (SSH), a cryptographic network protocol for operating network services securely over an unsecured network. It can also access open Apple Desktop Bus (ADB) ports, which connect low-speed devices to computers.
The botnet uses an implementation of libp2p, a network framework that allows users to write decentralized peer-to-peer (P2P) applications. This framework was originally the networking protocol of the InterPlanetary File System (IPFS), on which researchers based the malware’s name.
How to avoid detection. This new variant of IPS malware is able to auto-update to the latest available malware version and kill other processes on the machine that present a threat, like debuggers or competing malware (by looking at strings such as “rig,” “xig” and “debug”). It can also detect honeypots by looking for the string “svr04” in the default shell prompt.
Currently there are an estimated 13,500 infected machines – and that number continues to grow. Half of the infected machines are in Hong Kong, South Korea and Taiwan. Other infected systems are in Russia, Brazil, the U.S., Sweden and China. The botnet does not have a clear function yet, but it gives its operators a backdoor into the infected devices so they can later be used for cryptomining, DDoS, or other large-scale attacks.
How to avoid becoming a victim. To avoid infection, researchers suggest end users properly configure SSH access on all devices and use a cloud security posture management tool to monitor SSH access control, eliminating any potential configuration mistakes.
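Since the botnet spreads by guessing SSH passwords, “properly configured SSH access” mostly means no password-based login. The following audit script is an added example (not code from the researchers or the page): it reads an sshd_config, applies first-value-wins semantics and ignores conditional Match blocks, and reports the global settings that leave a host open to password brute forcing. The sample config and the assumed OpenSSH 7.x+ defaults are constructed for illustration.

```python
import re

# Constructed sshd_config (not from the page): global settings that matter for
# password guessing, plus a Match block that must not be mistaken for a global.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
MaxAuthTries 10
Match User backup
    PasswordAuthentication no
"""

# Assumption: OpenSSH 7.x+ defaults, used when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}


def parse_global_settings(text):
    """Return effective global settings: sshd keeps the first value it sees for
    each keyword, and anything after the first Match is session-conditional."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key = key.lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value.strip()
    return settings


def audit_sshd_config(text):
    """Return findings that leave the host open to SSH password brute forcing."""
    s = parse_global_settings(text)
    findings = []
    if s["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: switch to public-key auth")
    if s["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root reachable by password")
    if s["permitemptypasswords"].lower() == "yes":
        findings.append("PermitEmptyPasswords yes: blank passwords accepted")
    if int(s["maxauthtries"]) > 6:
        findings.append(f"MaxAuthTries {s['maxauthtries']}: above the default of 6")
    return findings
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a host to get its findings; an empty list means none of the checked settings is weak.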
61% of Microsoft Exchange Servers still open to actively exploited flaw. Patch now!
Despite Microsoft issuing patches almost eight months ago, 61 percent of Exchange servers are still vulnerable. CVE-2020-0688 is a severe bug that allows authenticated attackers to execute code remotely with system privileges. It exists in the control panel of Exchange – Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s February Patch Tuesday updates – and admins in March were warned that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors.
However, new telemetry found that out of 433,464 internet-facing Exchange servers observed, at least 61 percent of Exchange 2010, 2013, 2016 and 2019 servers are still vulnerable to the flaw.
Experts recommend determining whether Exchange has been updated and installing the update on any server with the Exchange Control Panel (ECP) enabled.
With the ongoing activity, admins should also determine whether anyone has attempted to exploit the vulnerability in their environment. The exploit code tested by Tom Sellers of Rapid7 left log artifacts in the Windows Event Log and the IIS logs (which contain HTTP server API kernel-mode cache hits) on both patched and unpatched servers: “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate,” Sellers said.
Admins can also review their IIS logs for requests to a path under /ecp (usually /ecp/default.aspx). These should contain the string __VIEWSTATE and __VIEWSTATEGENERATOR – and will have a long string in the middle of the request that is a portion of the exploit payload.
“You will see the username of the compromised account name at the end of the log entry,” Sellers said. “A quick review of the log entries just prior to the exploit attempt should show successful requests (HTTP code 200) to web pages under /owa and then under /ecp.”
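The IIS log review Sellers describes can be scripted. This is an added example (not Rapid7’s or the page’s own code): it parses IIS W3C entries using the #Fields header, flags requests under /ecp whose query carries both __VIEWSTATE and __VIEWSTATEGENERATOR with an oversized ViewState value, and lists the same client’s earlier HTTP 200 responses under /owa and /ecp. The log excerpt, the generator value, the length threshold and the username are constructed for illustration.

```python
# Constructed IIS W3C log excerpt (not from the page); the last entry models a
# request carrying both ViewState fields with an oversized __VIEWSTATE value.
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-10-01 10:00:01 POST /owa/auth.owa - - 198.51.100.7 200
2020-10-01 10:00:02 GET /owa/ - alice@example.test 198.51.100.7 200
2020-10-01 10:00:05 GET /ecp/default.aspx - alice@example.test 198.51.100.7 200
2020-10-01 10:00:09 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE={vs} alice@example.test 198.51.100.7 500
""".format(vs="AAAA" * 120)

# Assumption: a genuine ECP ViewState is far shorter than a serialized payload.
VIEWSTATE_MIN_LEN = 200


def parse_iis_log(text):
    """Yield one dict per entry, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def query_params(query):
    """Split cs-uri-query without URL-decoding, so lengths stay as logged."""
    if query == "-":
        return {}
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&"))


def find_viewstate_hits(text):
    """Return suspect /ecp requests plus the same client's earlier HTTP 200s."""
    entries = list(parse_iis_log(text))
    hits = []
    for i, e in enumerate(entries):
        if not e["cs-uri-stem"].lower().startswith("/ecp"):
            continue
        q = query_params(e["cs-uri-query"])
        viewstate = q.get("__VIEWSTATE", "")
        if "__VIEWSTATEGENERATOR" in q and len(viewstate) >= VIEWSTATE_MIN_LEN:
            prior = [p["cs-uri-stem"] for p in entries[:i]
                     if p["c-ip"] == e["c-ip"] and p["sc-status"] == "200"]
            hits.append({"time": e["time"], "user": e["cs-username"],
                         "client": e["c-ip"], "viewstate_len": len(viewstate),
                         "prior_200s": prior})
    return hits
```

Point `find_viewstate_hits` at the contents of a real u_ex*.log file; each hit names the account and client so it can be matched against the Windows Event Log entry Sellers describes.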
Ransomware attack on Tyler Technologies – after-effects, breached networks and the upcoming United States election
Tyler Technologies, Inc. is the largest software provider to the United States’ public sector. An important player on the market, but also one which disclosed a ransomware attack last week. As if it wasn’t serious enough, only a few days later its customers started reporting suspicious logins and previously unseen remote access tools on their networks.
The ransomware attack took place on September 23: the threat actors breached the company’s network and deployed the malware. Some researchers speculate the company was infected with RansomEXX, a human-operated ransomware, which means that attackers manually infected the systems after gaining access to the target network. If that is correct, there is one piece of good news: RansomEXX does not appear to exfiltrate data before encrypting target systems.
At first, company representatives declared that the incident was limited to the internal corporate network and phone systems; the cloud infrastructure was not impacted and customer data was not affected. Further investigation revealed that the attackers had much darker intentions. Several customers were forced – after suspicious logins to client systems were detected – to reset passwords as a precautionary measure.
What is happening there? Some customers reported observing new remote access software, the Bomgar client, installed on their servers. This suggests that attackers might have gained access to passwords for Tyler’s web-hosted infrastructure and moved to the company’s client networks.
Is there a bigger problem? Tyler Technologies’ solutions are used to display election results. U.S. intelligence agencies have already warned that foreign governments might try to sow mistrust by altering sites that report votes. Why? Simply because it’s easier than changing the results themselves. Disinformation is also a manipulation…
Do you have a thirst for knowledge? There are ten more cybersecurity stories below
1. Fake software crack sites used to push Exorcist 2.0 Ransomware (Bleeping Computer)
2. Who’s Behind Monday’s 14-State 911 Outage? (Krebs on Security)
3. Vulnerability in Wireless Router Chipsets Prompts Advisory (Dark Reading)
4. Cisco fixes actively exploited bugs in carrier-grade routers (Bleeping Computer)
5. Microsoft Office 365 Phishing Attack Uses Multiple CAPTCHAs (Threat Post)
6. These hackers have spent months hiding out in company networks undetected (ZDNet)
7. APT‑C‑23 group evolves its Android spyware (WeLiveSecurity)
8. Windows XP and Server 2003 compiled from leaked source code (Bleeping Computer)
9. Linkury adware caught distributing full-blown malware (ZDNet)
10. QR Codes: A Sneaky Security Threat (Threat Post)