In the last few months, multiple groups of attackers successfully compromised corporate email accounts of at least 156 high-ranking officers at various firms based in Germany, the UK, Netherlands, Hong Kong, and Singapore.

Dubbed ‘PerSwaysion,’ the newly spotted cyberattack campaign leveraged Microsoft file-sharing services—including Sway, SharePoint, and OneNote—to launch highly targeted phishing attacks.

According to a report Group-IB Threat Intelligence team published today and shared with The Hacker News, PerSwaysion operations attacked executives of more than 150 companies around the world, primarily with businesses in finance, law, and real estate sectors.

“Among these high-ranking officer victims, more than 20 Office365 accounts of executives, presidents, and managing directors appeared.”

So far successful and still ongoing, most PerSwaysion operations were orchestrated by scammers from Nigeria and South Africa who used a Vue.js JavaScript framework-based phishing kit, evidently, developed by and rented from Vietnamese speaking hackers.

“By late September 2019, PerSwaysion campaign has adopted much mature technology stacks, using Google appspot for phishing web application servers and Cloudflare for data backend servers.”

Like most phishing attacks aiming to steal Microsoft Office 365 credentials, fraudulent emails sent as part of PerSwaysion operation also lured victims with a non-malicious PDF attachment containing ‘read now’ link to a file hosted with Microsoft Sway.

“The attackers pick legitimate cloud-based content sharing services, such as Microsoft Sway, Microsoft SharePoint, and OneNote to avoid traffic detection,” the researchers said.

Next, the specially crafted presentation page on Microsoft Sway service further contains another ‘read now’ link that redirects users to the actual phishing site—waiting for the victims to enter their email account credentials or other confidential information.

Once stolen, attackers immediately move on to the next step and download victims’ email data from the server using IMAP APIs and then impersonate their identities to further target people who have recent email communications with the current victim and hold important roles in the same or other companies.

email phishing attack

“Finally, they generate new phishing PDF files with the current victim’s full name, email address, legal company name. These PDF files are sent to a selection of new people who tend to be outside of the victim’s organization and hold significant positions. The PerSwaysion operators typically delete impersonating emails from the outbox to avoid suspicion.”

“Evidence indicates that scammers are likely to use LinkedIn profiles to assess potential victim positions. Such a tactic reduces the possibility of early warning from the current victim’s co-workers and increases the success rate of new phishing cycle.”

Though there’s no clear evidence on how attackers are using compromised corporate data, researchers believe it can be ‘sold in bulk to other financial scammers to conduct traditional monetary scams.’

Group-IB has also set-up an online web-page where anyone can check if their email address was compromised as part of PerSwaysion attacks—however, you should only use it and enter your email if you’re highly expecting to be attacked.

Coronavirus cyber attacks

The Coronavirus is hitting hard on the world’s economy, creating a high volume of uncertainty within organizations.

Cybersecurity firm Cynet today revealed new data, showing that the Coronavirus now has a significant impact on information security and that the crisis is actively exploited by threat actors.

In light of these insights, Cynet has also shared a few ways to best prepare for the Coronavirus derived threat landscape and provides a solution (learn more here) to protect employees that are working from home with their personal computers because of the Coronavirus.

The researchers identify two main trends – attacks that aim to steal remote user credentials and weaponized email attacks:

Remote User Credential Theft

The direct impact of the Coronavirus is a comprehensive quarantine policy that compels multiple organizations to allow their workforce to work from home to maintain business continuity.

This inevitably entails shifting a significant portion of the workload to be carried out remotely, introducing an exploitable opportunity for attackers.

The opportunity attackers see the mass use of remote login credentials to organizational resources that far exceed the norm. As a result, remote connections are established by employees and devices that have never done so before, meaning that an attacker could easily conceal a malicious login without being detected by the target organization’s security team.

Cynet’s global threat telemetry from the recent three weeks reveals that Italy features a sharp spike in phishing attacks in comparison to other territories, indicating that attackers are hunting in full force for user credentials.

coronavirus in Italy

In addition, the researchers also detect a respective spike both in detected anomalous logins to its customers’ environments, as well as in customers actively reaching out to CyOps (Cynet MDR) to investigate suspicious logins to critical resources.

coronavirus in Italy

Correlating the two spikes validates that attackers are actively exploiting the Coronavirus derived havoc.

Weaponized Email Attacks

Employees that work from home often would do so from their personal computers, which are significantly less secure than the organizational ones, making them more vulnerable to malware attacks.

Besides, Cynet released today’s figures that support the above claim. Here is the double spike Cynet sees within its customers from Italy of email-based attacks:

email cyberattack

A closer look at the attacks reveals that they possess a considerable threat to organizations that do not have advanced protection in place:

email malware attack

While 21% of these emails featured simplistic attacks with a link to download a malicious executable embedded in the email body, the vast majority included more advanced capabilities such as malicious Macros and exploits or redirection to malicious websites – a challenge that surpasses the capabilities of most AV and email protection solutions.

Taking a closer look at how these attacks were blocked verifies that they should be regarded as a severe risk potential:

cyber attack protection

‘The fact that only about 10% of the malware in these attacks was identified by its signature, indicates that the attackers behind these campaigns are using advanced attacking tools to take advantage of the situation’, says Eyal Gruner, CEO, and Co-Founder of Cynet.

Moreover, there is another aspect to the Coronavirus impact. In many cases, the functioning of the security team itself is impaired due to missing team members in quarantine, making the detection of malicious activity even harder.

From conversations with these companies, it turns out that the operations of many security teams are significantly disturbed due to quarantined team members, causing them to use Cynet’s MDR service more often to compensate for the lack of staff.

cyberattacks

‘We have reached out to our customers in Italy ‘, says Gruner, ‘and they have confirmed that a significant part of their workforce works from home these days.’

To sum up the situation in Italy, employees working from home, security teams that are not fully operational and general atmosphere of uncertainty, create ideal conditions for attackers that seek to monetize the new situation through phishing, social engineering, and weaponized emails.

The data from Cynet’s Italian install base should serve as an illustrative example of the cyber effect in a territory where Coronavirus has a high prevalence. While this is not yet the case for other countries, the rapid Coronavirus spread implies that the cyber threat landscape in Italy would soon be duplicated in other geolocations as well.

In order to efficiently confront these threats, CISOs should evaluate the defenses they have in place and see whether they provide protection against phishing and malicious logins.

As a breach protection platform, Cynet introduces a dedicated offering tailored to the new Coronavirus related cyber risks.

For both existing and new customers, Cynet will allow, free of charge (for 6 months), the deployment of its product, Cynet 360, on personal computers used by employees working from home.

Cynet massively adds staff to CyOps, its MDR services team, to be able to cover for companies with reduced security staff because of the Coronavirus.

Learn more about Cynet’s offering here.

IBM Data Risk Manager (IDRM)

A cybersecurity researcher today publicly disclosed technical details and PoC for 4 unpatched zero-day vulnerabilities affecting an enterprise security software offered by IBM after the company refused to acknowledge the responsibly submitted disclosure.

The affected premium product in question is IBM Data Risk Manager (IDRM) that has been designed to analyze sensitive business information assets of an organization and determine associated risks.

According to Pedro Ribeiro from Agile Information Security firm, IBM Data Risk Manager contains three critical severity vulnerabilities and a high impact bug, all listed below, which can be exploited by an unauthenticated attacker reachable over the network, and when chained together could also lead to remote code execution as root.

  • Authentication Bypass
  • Command Injection
  • Insecure Default Password
  • Arbitrary File Download

Ribeiro successfully tested the flaws against IBM Data Risk Manager version 2.0.1 to 2.0.3, which is not the latest version of the software but believes they also work through 2.0.4 to the newest version 2.0.6 because “there is no mention of fixed vulnerabilities in any change log.”

“IDRM is an enterprise security product that handles very sensitive information. A compromise of such a product might lead to a full-scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company,” Ribeiro said.

Critical Zero-Day Vulnerabilities in IBM Data Risk Manager

In brief, the authentication bypass flaw exploits a logical error in the session ID feature to reset the password for any existing account, including the administrator.

The command injection flaw resides in the way IBM’s enterprise security software lets users perform network scans using Nmap scripts, which apparently can be equipped with malicious commands when supplied by attackers.

According to the vulnerability disclosure, to SSH and run sudo commands, IDRM virtual appliance also has a built-in administrative user with username “a3user” and default password of “idrm,” which if left unchanged, could let remote attackers take complete control over the targeted systems.

The last vulnerability resides in an API endpoint that allows authenticated users to download log files from the system. However, according to the researcher, one of the parameters to this endpoint suffers from a directory traversal flaw that could let malicious users download any file from the system.

Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.

Ribeiro claims to have reported this issue to IBM via CERT/CC and in response, the company refused to accept the vulnerability report, saying: ” We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers.”

In response Ribeiro said, “In any case, I did not ask or expect a bounty since I do not have a HackerOne account and I don’t agree with HackerOne’s or IBM’s disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it.”

The Hacker News has reached out to IBM, and we will update the article as more information becomes available.

Update:

An IBM spokesperson told The Hacker News that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

wordpress hacking theme

A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs.

The vulnerable plugin in question is ‘ThemeGrill Demo Importer‘ that comes with free as well as premium themes sold by the software development company ThemeGrill.

ThemeGrill Demo Importer plugin has been designed to allow WordPress site admins to import demo content, widgets, and settings from ThemeGrill, making it easier for them to quickly customize the theme.

According to a report WebARX security company shared with The Hacker News, when a ThemeGrill theme is installed and activated, the affected plugin executes some functions with administrative privileges without checking whether the user running the code is authenticated and is an admin.

The flaw could eventually allow unauthenticated remote attackers to wipe the entire database of targeted websites to its default state, after which they will also be automatically logged in as an administrator, allowing them to take complete control over the sites.

themegrill wordpress plugin

“Here we see (in the screenshot) that there is no authentication check, and only the do_reset_wordpress parameter needs to be present in the URL on any ‘admin’ based page of WordPress, including /wp-admin/admin-ajax.php.”

According to the WebARX researchers, the vulnerability affects ThemeGrill Demo Importer plugin version 1.3.4 up to 1.6.1, all released in the last 3 years.

“This is a serious vulnerability and can cause a significant amount of damage. Since it requires no suspicious-looking payload, it is not expected for any firewall to block this by default, and a special rule needs to be created to block this vulnerability,” the WebARX researchers said.

WebARX, which provides vulnerability detection and virtual patching software to protect websites from the third-party component vulnerabilities. responsibly reported this vulnerability to ThemeGrill developers two weeks ago, who then released a patched version 1.6.2 on February 16.

WordPress Dashboard automatically notifies admins when a plugin needs to be updated, but you can also choose to have plugin updates automatically installed instead of waiting for manual action.

Cerberus android banking trojan

After a few popular Android Trojans like AnubisRed Alert 2.0GM bot, and Exobot, quit their malware-as-a-service businesses, a new player has emerged on the Internet with similar capabilities to fill the gap, offering Android bot rental service to the masses.

Dubbed “Cerberus,” the new remote access Trojan allows remote attackers to take total control over the infected Android devices and also comes with banking Trojan capabilities like the use of overlay attacks, SMS control, and contact list harvesting.

According to the author of this malware, who is surprisingly social on Twitter and mocks security researchers and antivirus industry openly, Cerberus has been coded from scratch and doesn’t re-use any code from other existing banking Trojans.

The author also claimed to be using the Trojan for private operations for at least two years before renting it out for anyone interested from the past two months at $2000 for 1 month usage, $7000 for 6 months and up to $12,000 for 12 months.

Cerberus Banking Trojan: Features

 

According to security researchers at ThreatFabric who analyzed a sample of Cerberus Trojan, the malware has a pretty common list of features, like:

  • taking screenshots
  • recording audio
  • recording keylogs
  • sending, receiving, and deleting SMSes,
  • stealing contact lists
  • forwarding calls
  • collecting device information
  • Tracking device location
  • stealing account credentials,
  • disabling Play Protect
  • downloading additional apps and payloads
  • removing apps from the infected device
  • pushing notifications
  • locking device’s screen

Once infected, Cerberus first hides its icon from the application drawer and then asks for the accessibility permission by masquerading itself as Flash Player Service. If granted, the malware automatically registers the compromised device to its command-and-control server, allowing the buyer/attacker to control the device remotely.

To steal users’ credit card numbers, banking credentials and passwords for other online accounts, Cerberus lets attackers launch screen overlay attacks from its remote dashboard.

In screen overlay attack, the Trojan displays an overlay on top of legitimate mobile banking apps and tricks Android users into entering their banking credentials into the fake login screen, just like a phishing attack.

“The bot abuses the accessibility service privilege to obtain the package name of the foreground application and determine whether or not to show a phishing overlay window,” the researchers said.

 

android banking malware

According to researchers, Cerberus already contains overlay attack templates for a total of 30 unique targets, including:

  • 7 French banking apps
  • 7 U.S. banking apps
  • 1 Japanese banking app
  • 15 non-banking apps

 

Cerberus Uses Motion-based Evasion Tactic

Cerberus also uses some interesting techniques to evade detection from antivirus solutions and prevent its analysis, like using the device accelerometer sensor to measure movements of the victim.

The idea is straightforward—as a user moves, their Android device usually generates some amount of motion sensor data. The malware monitors the user’s steps through the device motion sensor to check if it is running on a real Android device.

“The Trojan uses this counter to activate the bot—if aforementioned step counter hits the pre-configured threshold it considers running on the device to be safe,” the researchers explain.

“This simple measure prevents the Trojan from running and being analyzed in dynamic analysis environments (sandboxes) and on the test devices of malware analysts.”

If the user’s device lacks sensor data, the malware assumes that the sandbox for scanning malware is an emulator with no motion sensors and will not run the malicious code.

However, this technique is also not unique and has previously been implemented by the popular Android banking Trojan ‘Anubis’.

It should be noted that Cerberus malware does not exploit any vulnerability to get automatically installed on a targeted device in the first place. Instead, the malware installation relies on social engineering tactics.

Therefore, to protect yourself from becoming victims to such malware threats, you are recommended to be careful what you download on your phone and definitely think thrice before side-loading stuff as well.

fileless malware attack

Watch out Windows users!

There’s a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? That’s because, first, it’s an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code.

The technique of bringing its own legitimate tools is effective and has rarely been spotted in the wild, helping attackers to blend in their malicious activities with regular network activity or system administration tasks while leaving fewer footprints.

Independently discovered by cybersecurity researchers at Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is primarily being distributed via malicious online advertisements and infecting users using a drive-by download attack.

First spotted in mid-July this year, the malware has been designed to turn infected Windows computers into proxies, which according to Microsoft, can then be used by attackers as a relay to hide malicious traffic; while Cisco Talos believes the proxies are used for click-fraud to generate revenue for attackers.

Multi-Stage Infection Process Involves Legitimate Tools

 

fileless malware attack flow

The infection begins when malicious ads drop HTML application (HTA) file on users’ computers, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.

“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” Microsoft explains.

As illustrated in the diagram, the JavaScript code connects to legitimate Cloud services and project domains to download and run second-stage scripts and additional encrypted components, including:

  • PowerShell Scripts — attempt to disable Windows Defender antivirus and Windows update.
  • Binary Shellcode — attempts to escalate privileges using auto-elevated COM interface.
  • Node.exe — Windows implementation of the popular Node.js framework, which is trusted and has a valid digital signature, executes malicious JavaScript to operate within the context of a trusted process.
  • WinDivert (Windows Packet Divert) — a legitimate, powerful network packet capture and manipulation utility that malware uses to filter and modify certain outgoing packets.

At last, the malware drops the final JavaScript payload written for the Node.js framework that converts the compromised system into a proxy.

 

“This concludes the infection, at the end of which the network packet filter is active, and the machine is working as a potential proxy zombie,” Microsoft explains.

 

“When a machine turns into a proxy, it can be used by attackers as a relay to access other network entities (websites, C&C servers, compromised machines, etc.), which can allow them to perform stealthy malicious activities.”

 

malware proxy server

According to the experts at Microsoft, the Node.js-based proxy engine currently has two primary purposes—first, it connects the infected system back to a remote, attacker-controlled command-and-control server, and second, it receives HTTP requests to proxy back to it.

malware click fraud

On the other hand, experts at Cisco Talos concludes that the attackers are using this proxy component to command infected systems to navigate to arbitrary web pages for monetization and click fraud purposes.

Nodersok Infected Thousands of Windows Users

According to Microsoft, the Nodersok malware has already infected thousands of machines in the past several weeks, with most targets located in the United States and Europe.

While the malware primarily focuses on targeting Windows home users, researchers have seen roughly 3% of attacks targeting organization from industry sectors, including education, healthcare, finance, retail, and business and professional services.

Since the malware campaign employs advanced fileless techniques and relies on elusive network infrastructure by making use of legit tools, the attack campaign flew under the radar, making it harder for traditional signature-based antivirus programs to detect it.

“If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this,” Microsoft says.

However, the company says that the malware’s “behavior produced a visible footprint that stands out clearly for anyone who knows where to look.”

In July this year, Microsoft also discovered and reported another fileless malware campaign, dubbed Astaroth, that was designed to steal users’ sensitive information, without dropping any executable file on the disk or installing any software on the victim’s machine.

Microsoft said its Windows Defender ATP next-generation protection detects this fileless malware attacks at each infection stage by spotting anomalous and malicious behaviors, such as the execution of scripts and tools.

hacking air gapped computers

It may sound creepy and unreal, but hackers can also exfiltrate sensitive data from your computer by simply changing the brightness of the screen, new cybersecurity research shared with The Hacker News revealed.

In recent years, several cybersecurity researchers demonstrated innovative ways to covertly exfiltrate data from a physically isolated air-gapped computer that can’t connect wirelessly or physically with other computers or network devices.

These clever ideas rely on exploiting little-noticed emissions of a computer’s components, such as light, soundheatradio frequencies, or ultrasonic waves, and even using the current fluctuations in the power lines.

For instance, potential attackers could sabotage supply chains to infect an air-gapped computer, but they can’t always count on an insider to unknowingly carry a USB with the data back out of a targeted facility.

When it comes to high-value targets, these unusual techniques, which may sound theoretical and useless to many, could play an important role in exfiltrating sensitive data from an infected but air-gapped computer.

How Does the Brightness Air-Gapped Attack Work?

In his latest research with fellow academics, Mordechai Guri, the head of the cybersecurity research center at Israel’s Ben Gurion University, devised a new covert optical channel using which attackers can steal data from air-gapped computers without requiring network connectivity or physically contacting the devices.

“This covert channel is invisible, and it works even while the user is working on the computer. Malware on a compromised computer can obtain sensitive data (e.g., files, images, encryption keys, and passwords), and modulate it within the screen brightness, invisible to users,” the researchers said.

The fundamental idea behind encoding and decoding of data is similar to the previous cases, i.e., malware encodes the collected information as a stream of bytes and then modulate it as ‘1’ and ‘0’ signal.

In this case, the attacker uses small changes in the LCD screen brightness, which remains invisible to the naked eye, to covertly modulate binary information in morse-code like patterns

“In LCD screens each pixel presents a combination of RGB colors which produce the required compound color. In the proposed modulation, the RGB color component of each pixel is slightly changed.”

“These changes are invisible, since they are relatively small and occur fast, up to the screen refresh rate. Moreover, the overall color change of the image on the screen is invisible to the user.”

The attacker, on the other hand, can collect this data stream using video recording of the compromised computer’s display, taken by a local surveillance camera, smartphone camera, or a webcam and can then reconstruct exfiltrated information using image processing techniques.

As shown in the video demonstration shared with The Hacker News, researchers infected an air-gapped computer with specialized malware that intercepts the screen buffer to modulate the data in ASK by modifying the brightness of the bitmap according to the current bit (‘1’ or ‘0’).

hacking air gapped computers

You can find detailed technical information on this research in the paper [PDF] titled, ‘BRIGHTNESS: Leaking Sensitive Data from Air-Gapped Workstations via Screen Brightness,’ published yesterday by Mordechai Guri, Dima Bykhovsky and Yuval Elovici.

Air-Gapped Popular Data Exfiltration Techniques

It’s not the first time Ben-Gurion researchers came up with a covert technique to target air-gapped computers. Their previous research of hacking air-gap machines include:

  • PowerHammer attack to exfiltrate data from air-gapped computers through power lines.
  • MOSQUITO technique using which two (or more) air-gapped PCs placed in the same room can covertly exchange data via ultrasonic waves.
  • BeatCoin technique that could let attackers steal private encryption keys from air-gapped cryptocurrency wallets.
  • aIR-Jumper attack that takes sensitive information from air-gapped computers with the help of infrared-equipped CCTV cameras that are used for night vision.
  • MAGNETO and ODINI techniques use CPU-generated magnetic fields as a covert channel between air-gapped systems and nearby smartphones.
  • USBee attack that can be used to steal data from air-gapped computers using radio frequency transmissions from USB connectors.
  • DiskFiltration attack that can steal data using sound signals emitted from the hard disk drive (HDD) of the targeted air-gapped computer;
  • BitWhisper that relies on heat exchange between two computer systems to stealthily siphon passwords or security keys;
  • AirHopper that turns a computer’s video card into an FM transmitter to capture keystrokes;
  • Fansmitter technique that uses noise emitted by a computer fan to transmit data; and
  • GSMem attack that relies on cellular frequencies.
citrix adc and gateway vulnerability

It’s now or never to prevent your enterprise servers running vulnerable versions of Citrix application delivery, load balancing, and Gateway solutions from getting hacked by remote attackers.

Why the urgency? Earlier today, multiple groups publicly released weaponized proof-of-concept exploit code [12] for a recently disclosed remote code execution vulnerability in Citrix’s NetScaler ADC and Gateway products that could allow anyone to leverage them to take full control over potential enterprise targets.

Just before the last Christmas and year-end holidays, Citrix announced that its Citrix Application Delivery Controller (ADC) and Citrix Gateway are vulnerable to a critical path traversal flaw (CVE-2019-19781) that could allow an unauthenticated attacker to perform arbitrary code execution on vulnerable servers.

Citrix confirmed that the flaw affects all supported version of the software, including:

  • Citrix ADC and Citrix Gateway version 13.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.1 all supported builds
  • Citrix ADC and NetScaler Gateway version 12.0 all supported builds
  • Citrix ADC and NetScaler Gateway version 11.1 all supported builds
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 all supported builds

The company made the disclose without releasing any security patches for vulnerable software; instead, Citrix offered mitigation to help administrators guard their servers against potential remote attacks⁠—and even at the time of writing, there’s no patch available almost 23 days after disclosure.

Through the cyberattacks against vulnerable servers were first seen in the wild last week when hackers developed private exploit after reverse engineering mitigation information, the public release of weaponized PoC would now make it easier for low-skilled script kiddies to launch cyberattacks against vulnerable organizations.

According to Shodan, at the time of writing, there are over 125,400 Citrix ADC or Gateway servers publicly accessible and can be exploited overnight if not taken offline or protected using available mitigation.

While discussing technical details of the flaw in a blog post published yesterday, MDSsec also released a video demonstration of the exploit they developed but chose not to release it at this moment.

Besides applying the recommended mitigation, Citrix ADC administrators are also advised to monitor their device logs for attacks.

ransomware attacks on critical infrastructure

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) earlier today issued a warning to all industries operating critical infrastructures about a new ransomware threat that if left unaddressed could have severe consequences.

The advisory comes in response to a cyberattack targeting an unnamed natural gas compression facility that employed spear-phishing to deliver ransomware to the company’s internal network, encrypting critical data and knocking servers out of operation for almost two days.

“A cyber threat actor used a spear-phishing link to obtain initial access to the organization’s information technology network before pivoting to its operational technology network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks,” CISA noted in its alert.

As ransomware attacks continue to escalate in frequency and scale, the new development is yet another indication that phishing attacks continue to be an effective means to bypass security barriers and that hackers don’t always need to exploit security vulnerabilities to breach organizations.

CISA highlighted that the attack did not impact any programmable logic controllers (PLCs) and that the victim did not lose control of its operations. But in the aftermath of the incident, the company is reported to have initiated a deliberate operational shutdown, resulting in a loss of productivity and revenue.

Noting that the impact was limited to Windows-based systems and assets located in a single geographic locality, it said the company was able to recover from the attack by getting hold of replacement equipment and loading last-known-good configurations.

Although the notification is lean on the specifics of the attack, this is not the first time phishing links have been employed to deliver ransomware. Lake City’s I.T. network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot Trojan and Ryuk ransomware.

The evolving threat landscape means companies need to consider the full scope of threats posed to their operations, including maintaining periodic data backups and devising fail-over mechanisms in the event of a shutdown.

Aside from securing the email channel and identifying and protecting the most attacked individuals, this also underscores the need for adopting appropriate anti-phishing measures to stop social engineering attempts from reaching their targets’ inboxes and training people to spot mails that get through.

Additionally, it’s imperative that vulnerable organizations safeguard the digital supply chain by segmenting critical network infrastructure using firewalls and conducting periodic security audits to identify gaps and weaknesses.

For a full list of mitigative measures that can be undertaken, head to the CISA advisory here.

Update:

Cybersecurity firm Dragos issued an assessment on Wednesday linking the attack on the facility to an alert put out by the US Coast Guard in December. The Ryuk ransomware infection had forced the facility to shut down for 30 hours, disrupting camera and physical access control systems, along with shutting down the entire corporate IT network at the facility.

The analysis cited overlaps in the outage period between the two reports, the impact on Windows-based systems, and the primary attack vector being an email message containing a malicious link.

Windows mssql malware hacking

Cybersecurity researchers today uncovered a sustained malicious campaign dating back to May 2018 that targets Windows machines running MS-SQL servers to deploy backdoors and other kinds of malware, including multi-functional remote access tools (RATs) and cryptominers.

Named “Vollgar” after the Vollar cryptocurrency it mines and its offensive “vulgar” modus operandi, researchers at Guardicore Labs said the attack employs password brute-force to breach Microsoft SQL servers with weak credentials exposed to the Internet.

Researchers claim the attackers managed to successfully infect nearly 2,000-3,000 database servers daily over the past few weeks, with potential victims belonging to healthcare, aviation, IT & telecommunications, and higher education sectors across China, India, the US, South Korea, and Turkey.

Windows mssql malware hacking

Thankfully for those concerned, researchers have also released a script to let sysadmins detect if any of their Windows MS-SQL servers have been compromised with this particular threat.

Vollgar Attack Chain: MS-SQL to System Malware

The Vollgar attack starts off with brute-force login attempts on MS-SQL servers, which, when successful, allows the interloper to execute a number of configuration changes to run malicious MS-SQL commands and download malware binaries.

“Attackers [also] validate that certain COM classes are available – WbemScripting.SWbemLocator, Microsoft.Jet.OLEDB.4.0 and Windows Script Host Object Model (wshom). These classes support both WMI scripting and command execution through MS-SQL, which will be later used to download the initial malware binary,” the researchers said.

Windows mssql malware hacking

Aside from ensuring that cmd.exe and ftp.exe executables have the necessary execute permissions, the operator behind Vollgar also creates new backdoor users to the MS-SQL database as well as on the operating system with elevated privileges.

Upon completion of the initial setup, the attack proceeds to create downloader scripts (two VBScripts and one FTP script), which are executed “a couple of times,” each time with a different target location on the local file system to avert possible failures.

One of the initial payloads, named SQLAGENTIDC.exe or SQLAGENTVDC.exe, first proceeds to kill a long list of processes with the goal of securing the maximum amount of system resources as well as eliminate other threat actors’ activity and remove their presence from the infected machine.

Furthermore, it acts as a dropper for different RATs and an XMRig-based crypto-miner that mines Monero and an alt-coin called VDS or Vollar.

Attack Infrastructure Hosted On Compromised Systems

Guardicore said attackers held their entire infrastructure on compromised machines, including its primary command-and-control server located in China, which, ironically, was found compromised by more than one attack group.

“Among the files [on the C&C server] was the MS-SQL attack tool, responsible for scanning IP ranges, brute-forcing the targeted database, and executing commands remotely,” the cybersecurity firm observed.

 

“In addition, we found two CNC programs with GUI in Chinese, a tool for modifying files’ hash values, a portable HTTP file server (HFS), Serv-U FTP server and a copy of the executable mstsc.exe (Microsoft Terminal Services Client) used to connect to victims over RDP.”

 

Windows mssql malware hacking

Once an infected Windows client pings the C2 server, the latter also receives a variety of details about the machine, such as its public IP, location, operating system version, computer name, and CPU model.

Stating that the two C2 programs installed on the China-based server were developed by two different vendors, Guardicore said there are similarities in their remote control capabilities — namely downloading files, installing new Windows services, keylogging, screen capturing, activating the camera and microphone, and even initiating a Distributed Denial-of-Service (DDoS) attack.

Use Strong Passwords to Avoid Brute-Force Attacks

With about half-a-million machines running MS-SQL database service, the campaign is yet another indication that attackers are going after poorly protected database servers in an attempt to siphon sensitive information. It’s essential that MS-SQL servers that are exposed to the internet are secured with strong credentials.

“What makes these database servers appealing for attackers apart from their valuable CPU power is the huge amount of data they hold,” Guardicore researchers concluded. “These machines possibly store personal information such as usernames, passwords, credit card numbers, etc., which can fall into the attacker’s hands with only a simple brute-force.”