Cyber Security Weekly Recap (08-14 May)

New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows

Cybersecurity firm Deep Instinct has identified a new variant of the BPFDoor Linux backdoor malware that has remained mostly undetected in the wild. BPFDoor, also known as JustForFun, is associated with a Chinese threat actor called Red Menshen and was first documented by PwC and Elastic Security Labs in May 2022.

The malware is geared towards establishing persistent remote access to compromised environments for extended periods of time. BPFDoor takes its name from its use of Berkeley Packet Filters, a Linux mechanism for analyzing and filtering network traffic, which the malware relies on for network communications and for processing incoming commands. The new version of BPFDoor is even more evasive, as it removes many of the hard-coded indicators that earlier samples carried, making it harder to detect. This sophistication is why BPFDoor has remained hidden for so long.

XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

Cybersecurity researchers have discovered a phishing campaign that uses a unique attack chain to deliver the XWorm malware to targeted systems. Securonix has named this activity cluster MEME#4CHAN, and the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. The attacks begin with phishing emails that distribute decoy Microsoft Word documents weaponizing the Follina vulnerability to drop an obfuscated PowerShell script. From there, the threat actors use the PowerShell script to bypass the Antimalware Scan Interface (AMSI), disable Microsoft Defender, establish persistence, and ultimately launch the .NET binary containing XWorm. XWorm is a commodity malware that is advertised for sale on underground forums and comes with a wide range of features that allow it to siphon sensitive information from infected hosts.

While it’s unclear who is behind the current attacks, cybersecurity experts have warned that ransomware gangs are increasingly adopting these types of tactics to extort victims. This highlights the need for companies to implement strong security measures to prevent malware attacks from compromising their systems and data.

Education Sector Targeted by Bl00dy Ransomware Gang through Critical PaperCut Vulnerability

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint cybersecurity advisory warning of attacks against the education facilities sector in the country. The advisory highlighted that the Bl00dy Ransomware Gang has targeted vulnerable PaperCut servers affected by the CVE-2023-27350 security flaw. The threat actors gained access to victim networks across the Education Facilities Subsector where these servers were exposed to the internet. They used Tor and other proxies from within victim networks for external communications, masking malicious traffic and avoiding detection.

The Bl00dy Ransomware Gang exploited a vulnerability in some versions of PaperCut MF and NG that enables a remote actor to bypass authentication and achieve remote code execution on affected installations. The vulnerability affects versions 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10, and 22.0.0 to 22.0.8, all of which have now been patched. Exploitation of this vulnerability has been observed since mid-April 2023, with attackers primarily weaponizing it to deploy legitimate remote management and maintenance (RMM) software. They then use that tool to drop additional payloads such as Cobalt Strike Beacons, DiceLoader, and TrueBot on compromised systems.

The Bl00dy Ransomware Gang left ransom notes on victim systems, demanding payment in exchange for decryption of encrypted files. Unfortunately, some of these operations led to data exfiltration and encryption of victim systems. The disclosure came to light as cybersecurity firm eSentire uncovered new activity targeting an unnamed education sector customer that involved the exploitation of CVE-2023-27350 to drop an XMRig cryptocurrency miner.

The education sector, in particular, is vulnerable to cyber attacks as it holds a wealth of confidential data. Educational institutions should take this threat seriously and implement robust cybersecurity measures to protect their networks. The FBI and CISA have urged organizations to patch their systems, strengthen passwords, and enable two-factor authentication (2FA). It is essential to stay vigilant and keep up to date with the latest cybersecurity trends to prevent such attacks.

New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation

A vulnerability has been discovered in the widely used WordPress plugin Essential Addons for Elementor. The flaw, identified as CVE-2023-32243, has the potential to give an attacker elevated privileges on an affected website. Essential Addons for Elementor has over a million active installations and could be exploited by an unauthenticated user to escalate their privileges to that of any user on the site.

This weakness could allow the attacker to reset the password associated with an administrator account, thereby gaining full control of the site. The vulnerability has existed since version 5.4.0 and has now been addressed by the plugin maintainers in version 5.7.2, released on May 11, 2023. This disclosure follows the detection of a new wave of attacks, ongoing since late March 2023, targeting WordPress sites with the SocGholish malware. SocGholish is a persistent JavaScript framework that facilitates the delivery of additional malware to infected hosts. It has been distributed via drive-by downloads that imitate a web browser update and uses compression techniques to evade detection.
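Both the PaperCut item and the Essential Addons item above reduce, for a defender, to the same question: does the version I have deployed fall inside a published affected range? The following Python is an added example, not code from the recap or from either vendor; it encodes the affected ranges exactly as the recap quotes them (PaperCut 8.0.0 to 19.2.7, 20.0.0 to 20.1.6, 21.0.0 to 21.2.10 and 22.0.0 to 22.0.8, inclusive at both ends; Essential Addons from 5.4.0 up to but excluding the 5.7.2 fix) and runs an inventory through them. The hostnames and versions in the inventory are constructed sample data, and the product names are labels chosen for this example. Versions that fall in the gaps between the quoted PaperCut ranges are reported as not affected because that is what the recap states; confirm against the vendor bulletin before relying on that.

```python
"""Triage an inventory against affected-version ranges quoted in the recap.

Added example (not the recap's or the vendors' code). Ranges come from the
recap text; hostnames and versions below are constructed sample data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

VersionTuple = tuple[int, ...]


def parse_version(text: str) -> VersionTuple:
    """Turn '19.2.7' (or 'v22.0.8-rc1') into an integer tuple for comparison."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _cmp(a: VersionTuple, b: VersionTuple) -> int:
    """Compare two version tuples, treating '20.1' and '20.1.0' as equal."""
    width = max(len(a), len(b))
    a_padded = a + (0,) * (width - len(a))
    b_padded = b + (0,) * (width - len(b))
    return (a_padded > b_padded) - (a_padded < b_padded)


@dataclass(frozen=True)
class AffectedRange:
    low: str                 # first affected version (inclusive)
    high: str                # last affected version, or the fixing version
    high_inclusive: bool     # True: 'high' is still affected; False: 'high' is the fix

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if _cmp(v, parse_version(self.low)) < 0:
            return False
        c = _cmp(v, parse_version(self.high))
        return c <= 0 if self.high_inclusive else c < 0


# Product labels are this example's own; CVE ids and ranges are from the recap.
PRODUCTS: dict[str, tuple[str, list[AffectedRange]]] = {
    "PaperCut MF/NG": ("CVE-2023-27350", [
        AffectedRange("8.0.0", "19.2.7", True),
        AffectedRange("20.0.0", "20.1.6", True),
        AffectedRange("21.0.0", "21.2.10", True),
        AffectedRange("22.0.0", "22.0.8", True),
    ]),
    "Essential Addons for Elementor": ("CVE-2023-32243", [
        # vulnerable since 5.4.0, fixed in 5.7.2 (so 5.7.2 itself is clean)
        AffectedRange("5.4.0", "5.7.2", False),
    ]),
}


def is_affected(product: str, version: str) -> bool:
    """True if 'version' of 'product' falls in any quoted affected range."""
    if product not in PRODUCTS:
        raise ValueError(f"no affected ranges recorded for {product!r}")
    _, ranges = PRODUCTS[product]
    return any(r.contains(version) for r in ranges)


def triage(inventory: list[tuple[str, str, str]]) -> list[dict[str, str]]:
    """Return one finding per (host, product, version) that is affected."""
    findings = []
    for host, product, version in inventory:
        if is_affected(product, version):
            cve, _ = PRODUCTS[product]
            findings.append({"host": host, "product": product,
                             "version": version, "cve": cve})
    return findings


# Constructed sample inventory: two print servers, two WordPress sites.
INVENTORY = [
    ("print-01.example.internal", "PaperCut MF/NG", "21.2.10"),
    ("print-02.example.internal", "PaperCut MF/NG", "22.0.9"),
    ("www.example.internal", "Essential Addons for Elementor", "5.6.0"),
    ("blog.example.internal", "Essential Addons for Elementor", "5.7.2"),
]

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(f"{finding['host']}: {finding['product']} {finding['version']} "
              f"is affected by {finding['cve']}")
```

The boundary cases are the ones worth checking by hand: the last version of each PaperCut range (19.2.7, 22.0.8) is still affected, whereas the Essential Addons fix version 5.7.2 is clean, which is why each range carries its own `high_inclusive` flag rather than the code assuming one convention for both products.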

New Phishing-as-a-Service Platform Lets Cybercriminals Generate Convincing Phishing Pages

A new phishing-as-a-service (PhaaS or PaaS) platform named Greatness has been discovered, enabling cybercriminals to lower the bar for phishing attacks and target business users of the Microsoft 365 cloud service. The platform creates highly convincing decoy and login pages, complete with the victim’s email address, company logo, and background image. The platform has already been used to launch attacks on manufacturing, healthcare, and technology organizations in the U.S., U.K., Australia, South Africa, and Canada.

Greatness is used to bypass two-factor authentication (2FA) protections and harvest credentials and time-based one-time passwords (TOTPs) entered by the victims. The attacks begin with malicious emails containing an HTML attachment that executes obfuscated JavaScript code upon opening. This code redirects the user to a landing page with their email address pre-filled, where they are prompted to enter their password and MFA code. The information is forwarded to the affiliate’s Telegram channel, allowing the attacker to obtain unauthorized access to the targeted accounts. The phishing kit also comes with an administration panel that enables the affiliate to configure the Telegram bot, keep track of stolen information, and even build booby-trapped attachments or links.

New Zero-Click Windows Vulnerability for NTLM Credential Theft

Microsoft’s Patch Tuesday updates for May 2023 came with a warning for Windows users. Cybersecurity researchers have identified a new zero-click Windows vulnerability enabling NTLM credential theft that could be used to bypass integrity protections on targeted machines.

The vulnerability, tracked as CVE-2023-29324, was discovered by Akamai security researcher Ben Barnea. It is described as a security feature bypass and affects all Windows versions. However, Microsoft Exchange servers with the March update are exempt from the vulnerable feature.

Barnea explains that an unauthenticated attacker on the internet can exploit the vulnerability to force an Outlook client to connect to an attacker-controlled server, resulting in the theft of NTLM credentials. The most concerning aspect of the vulnerability is that it is a zero-click vulnerability, meaning that it can be triggered without any user interaction.

This new vulnerability is also a bypass for a fix Microsoft had put in place in March 2023 to resolve CVE-2023-23397, a critical privilege escalation flaw in Outlook that Russian threat actors exploited in attacks aimed at European entities since April 2022. Akamai researchers indicate that the issue arises from complex handling of paths in Windows, allowing a threat actor to create a malicious URL that can bypass internet security zone checks. Barnea warns that this vulnerability is yet another example of how patch scrutinizing can lead to new vulnerabilities and bypasses. He adds that it is a zero-click media parsing attack surface that could potentially contain critical memory corruption vulnerabilities.

To stay fully protected, Microsoft recommends that users install Internet Explorer Cumulative updates to address vulnerabilities in the MSHTML platform and scripting engine. Windows users are advised to update their systems promptly to stay secure and protect their systems from any potential cyber threats.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.