CISA ADVISORY || Hacker News Gone - HackerHub Here! NoPac, MSHTML, and Red Cross vs. Cyberattack.
Friday, January 28th, 2021
Welcome to HackerHub
As per usual, welcome to another edition of Hacker News and enjoy this week’s curated list of articles. Below you’ll find some really awesome content that we put together specifically for you.
Finally, Hacker News is in the process of officially being rebranded as HackerHub. Pretty dope, right? Anywho, just be on the lookout for HackerHub instead of Hacker News in your inbox from henceforth! Today the email is being sent from the Hacker News name, but next week it will be different.
Cheers!
William
Due to travel, no podcast has been uploaded this week - I know, I know, I’ll get back onto it, but the past couple of months have been a bit hectic. Keep an eye open for any new episodes coming out, folks!
CISA Dispatched Advisory
Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
From Jan. 11th:
This joint Cybersecurity Advisory (CSA)—authored by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and National Security Agency (NSA)—is part of our continuing cybersecurity mission to warn organizations of cyber threats and help the cybersecurity community reduce the risk presented by these threats. This CSA provides an overview of Russian state-sponsored cyber operations; commonly observed tactics, techniques, and procedures (TTPs); detection actions; incident response guidance; and mitigations. This overview is intended to help the cybersecurity community reduce the risk presented by these threats.
CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.
Be Prepared.
Enhance your organization’s cyber posture.
Increase organizational vigilance.
Historically, Russian state-sponsored advanced persistent threat (APT) actors have used common but effective tactics—including spearphishing, brute force, and exploiting known vulnerabilities against accounts and networks with weak security—to gain initial access to target networks. Vulnerabilities known to be exploited by Russian state-sponsored APT actors for initial access include:
CVE-2018-13379 FortiGate VPNs
CVE-2019-1653 Cisco router
CVE-2019-2725 Oracle WebLogic Server
CVE-2019-7609 Kibana
CVE-2019-9670 Zimbra software
CVE-2019-10149 Exim Simple Mail Transfer Protocol
CVE-2019-11510 Pulse Secure
CVE-2019-19781 Citrix
CVE-2020-0688 Microsoft Exchange
CVE-2020-4006 VMware (note: this was a zero-day at the time)
CVE-2020-5902 F5 Big-IP
CVE-2020-14882 Oracle WebLogic
CVE-2021-26855 Microsoft Exchange (Note: this vulnerability is frequently observed used in conjunction with CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
Russian state-sponsored APT actors have also demonstrated sophisticated tradecraft and cyber capabilities by compromising third-party infrastructure, compromising third-party software, or developing and deploying custom malware. The actors have also demonstrated the ability to maintain persistent, undetected, long-term access in compromised environments—including cloud environments—by using legitimate credentials.
In some cases, Russian state-sponsored cyber operations against critical infrastructure organizations have specifically targeted operational technology (OT)/industrial control systems (ICS) networks with destructive malware. See the following advisories and alerts for information on historical Russian state-sponsored cyber-intrusion campaigns and customized malware that have targeted ICS:
ICS Advisory ICS Focused Malware – Havex
ICS Alert Ongoing Sophisticated Malware Campaign Compromising ICS (Update E)
ICS Alert Cyber-Attack Against Ukrainian Critical Infrastructure
Technical Alert CrashOverride Malware
CISA ICS Advisory Schneider Electric Triconex Tricon (Update B)
Russian state-sponsored APT actors have used sophisticated cyber capabilities to target a variety of U.S. and international critical infrastructure organizations, including those in the Defense Industrial Base as well as the Healthcare and Public Health, Energy, Telecommunications, and Government Facilities Sectors. High-profile cyber activity publicly attributed to Russian state-sponsored APT actors by U.S. government reporting and legal actions includes:
Russian state-sponsored APT actors targeting state, local, tribal, and territorial (SLTT) governments and aviation networks, September 2020, through at least December 2020. Russian state-sponsored APT actors targeted dozens of SLTT government and aviation networks. The actors successfully compromised networks and exfiltrated data from multiple victims.
Russian state-sponsored APT actors’ global Energy Sector intrusion campaign, 2011 to 2018. These Russian state-sponsored APT actors conducted a multi-stage intrusion campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data.
Russian state-sponsored APT actors’ campaign against Ukrainian critical infrastructure, 2015 and 2016. Russian state-sponsored APT actors conducted a cyberattack against Ukrainian energy distribution companies, leading to multiple companies experiencing unplanned power outages in December 2015. The actors deployed BlackEnergy malware to steal user credentials and used its destructive malware component, KillDisk, to make infected computers inoperable. In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids.
General News of the Week
Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets
Cybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.
Because Microsoft OneDrive is used as the command-and-control (C2) server (we have previously seen the same trick with Discord), the implant only ever connects to legitimate Microsoft domains and produces no obviously suspicious traffic on the network.
First signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.
The infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.
The DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes Empire, an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.
High-Severity Rust Programming Bug Could Lead to File, Directory Deletion
"An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete," the Rust Security Response working group (WG) said in an advisory published on January 20, 2021.
Rust 1.0.0 through Rust 1.58.0 are affected by this vulnerability. The flaw, which is tracked as CVE-2022-21658 (CVSS score: 7.3), has been credited to security researcher Hans Kratz, with the team pushing out a fix in Rust version 1.58.1 last week.
Specifically, the issue stems from an improperly implemented check meant to prevent recursive deletion through symbolic links (aka symlinks) in the standard library function "std::fs::remove_dir_all." The check and the deletion are not atomic, so the result is a race condition that an adversary could exploit by abusing their access to a privileged program to delete sensitive directories.
NoPac Windows Exploit
In mid-December 2021, while everyone was focused on the Log4j vulnerabilities, two Windows privilege escalation vulnerabilities (CVE-2021-42278 and CVE-2021-42287) began to pose a serious risk to organizations. These vulnerabilities, collectively known as noPac, enable attackers to gain control over a domain controller in a matter of minutes.
CVE-2021-42287 is a privilege escalation vulnerability associated with the Kerberos Privilege Attribute Certificate (PAC) in Active Directory Domain Services (AD DS).
CVE-2021-42278 is a Security Account Manager (SAM) spoofing security bypass vulnerability. Threat actors could leverage these flaws to escalate to domain administrator privileges from a standard user account.
NoPac relies on changing the SamAccountName of a computer account to the name of a domain controller. By default, every authenticated user can add up to ten computers to the domain. The exploitation process includes the following steps: Read Article to See The Steps
Potential precursor to ransomware infections
After gaining domain access, a threat actor’s ability to deploy additional malware, including ransomware, is virtually unlimited. AD abuse is involved in most ransomware incidents Secureworks researchers investigate. Threat actors typically leverage misconfigurations to escalate privileges within AD. In this case, AD design flaws create the escalation path.
Final Thoughts
Organizations should immediately apply the applicable Microsoft patches to all domain controllers in their environments. These patches include the November 9, 2021 releases for CVE-2021-42278 and CVE-2021-42287, as well as the November 14 out-of-band update. If one domain controller is overlooked, the domain remains vulnerable. Organizations should also follow Microsoft guidance to phase updates for CVE-2021-42287 and restrict users’ ability to join workstations to a domain. As of December 17, Secureworks researchers have not observed noPac exploitation in the wild but recommend that organizations remain vigilant.
Creds to 0reoByte for the article.
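The SamAccountName rename that noPac depends on is visible to defenders in the Security log. As an added example (not code from the Secureworks article), this Python script parses a constructed, simplified key=value export of Event ID 4741/4742 records and flags renames that drop the trailing "$" or collide with a domain controller name; the export format, field names and DC list are assumptions.

```python
from collections import Counter

# Assumption: the defender maintains the list of domain controller hostnames.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample export (Event ID 4741 = computer account created,
# 4742 = computer account changed). SamAccountName is "-" when unchanged;
# computer accounts normally keep a trailing "$".
SAMPLE_LOG = """\
EventID=4741;Subject=jdoe;Target=WKSTN-TEST$;SamAccountName=WKSTN-TEST$
EventID=4742;Subject=jdoe;Target=WKSTN-TEST$;SamAccountName=DC01
EventID=4742;Subject=svc-sccm;Target=LAB-PC07$;SamAccountName=-
EventID=4742;Subject=admin1;Target=LAB-PC08$;SamAccountName=LAB-PC09$
EventID=4742;Subject=jdoe;Target=LAB-PC10$;SamAccountName=LAB-PC10
"""

def parse(log):
    """Turn each key=value;... line into a dict with an integer EventID."""
    events = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split(";"))
        fields["EventID"] = int(fields["EventID"])
        events.append(fields)
    return events

def rename_findings(events):
    """Return (subject, target, new_name, reason) for suspicious 4742 events."""
    findings = []
    for ev in events:
        new_name = ev.get("SamAccountName", "-")
        if ev["EventID"] != 4742 or new_name == "-":
            continue
        stem = new_name.rstrip("$").upper()
        if stem in DOMAIN_CONTROLLERS:
            reason = "matches a domain controller name"
        elif not new_name.endswith("$"):
            reason = "trailing '$' dropped"
        else:
            continue  # ordinary rename of one workstation to another
        findings.append((ev["Subject"], ev["Target"], new_name, reason))
    return findings

def machine_account_creators(events):
    """Count 4741 events per subject: ordinary users creating computer
    accounts (the default MachineAccountQuota) is the precondition noPac needs."""
    return dict(Counter(ev["Subject"] for ev in events if ev["EventID"] == 4741))

if __name__ == "__main__":
    for finding in rename_findings(parse(SAMPLE_LOG)):
        print("ALERT", *finding)
```

Pair the alert with the 4741 counts: a non-admin subject that both creates a computer account and renames it is the sequence to escalate to the AD team.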
Breaches and Leaks of the Week
Red Cross vs. Third Party Cyberattack
The attack compromised personal data and confidential information on more than 515,000 highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. The data originated from at least 60 Red Cross and Red Crescent National Societies around the world.
The ICRC's most pressing concern following this attack is the potential risks that come with this breach -- including confidential information being shared publicly -- for people that the Red Cross and Red Crescent network seeks to protect and assist, as well as their families. When people go missing, the anguish and uncertainty for their families and friends is intense.
The ICRC has no immediate indications as to who carried out this cyber-attack, which targeted an external company in Switzerland the ICRC contracts to store data. There is not yet any indication that the compromised information has been leaked or shared publicly.