June has been a busy month, with a zero-day POC released for Microsoft Teams and several large international breaches that have tested different organisations’ ability to respond to and manage complex cyber incidents.
New/Improved Techniques
Microsoft Teams – File Restriction Bypass
A member of the U.S. Navy red team has produced a POC tool to exploit an unresolved security issue in Microsoft Teams, allowing a bypass of the restrictions for incoming files from users outside of the organisation.
The vulnerability affects Microsoft Teams tenants running the default configuration (where tenant users are permitted to communicate with external accounts) and allows external parties to bypass the file-sharing restriction. The external party changes the internal and external recipient IDs in the POST request for the message, tricking the system into treating the external user as internal and allowing them to share files. If a malicious party registered a domain similar to the enterprise’s, this would allow them to produce convincing messages that appear to come from a member of the enterprise.
Microsoft have confirmed the existence of the flaw but stated that it did not meet their bar for immediate remediation, and have not said when it will be patched.
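The bypass above depends on the tenant permitting chat with external accounts. The following read-only check, added here and not part of the original post or of the POC tool, reports the tenant’s Teams federation settings so an administrator can see whether that precondition is present; it assumes the MicrosoftTeams PowerShell module and a Teams admin role, and assumes an unrestricted allow-list renders as `AllowAllKnownDomains`.

```powershell
# Added example (not from the original post): read-only check of the Teams
# external-access (federation) settings that the file-restriction bypass relies on.
# Assumptions: the MicrosoftTeams module is installed and the signed-in account
# holds a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$fed = Get-CsTenantFederationConfiguration

[pscustomobject]@{
    AllowFederatedUsers = $fed.AllowFederatedUsers
    AllowTeamsConsumer  = $fed.AllowTeamsConsumer
    AllowedDomains      = "$($fed.AllowedDomains)"
    BlockedDomains      = "$($fed.BlockedDomains)"
} | Format-List

# Assumption: when no partner allow-list is configured, AllowedDomains renders
# as 'AllowAllKnownDomains'. A populated allow-list narrows external chat to
# known partner tenants, which removes the "any external account" precondition.
$openToAllDomains = ("$($fed.AllowedDomains)" -match 'AllowAllKnownDomains')

if ($fed.AllowFederatedUsers -and $openToAllDomains) {
    Write-Warning 'External access is enabled for all domains; the precondition for the Teams file-restriction bypass is present.'
    Write-Warning 'Review options: Set-CsTenantFederationConfiguration -AllowFederatedUsers $false, or restrict -AllowedDomains to trusted partner domains.'
}
else {
    Write-Output 'External access is disabled or limited to an explicit allow-list.'
}
```

The script only reads configuration; any change to external access is a business decision and is left to the tenant owner.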
Fake Zero-Day Proof of Concept Exploits
In early May this year, the Exploit Intelligence team at VulnCheck discovered a campaign of malicious GitHub repositories. They initially found a repository claiming to host a Signal zero-day; although it was quickly removed when reported, the individuals responsible were found to operate a network of repositories and social media accounts promoting their repositories as legitimate security research. The individuals purport to work for the fictitious High Sierra Cyber Security organisation and expended significant effort to create realistic-looking profiles and professional repositories, going so far as to use headshots of legitimate, well-known cybersecurity researchers.
Strangely, given the scope and professionalism of the campaign, analysis of the malware contained in these repositories indicates that the party behind it may not be technically skilled: the binaries have very high detection rates in VirusTotal and endpoint detection products, owing to a lack of obfuscation of malicious strings.
Android Trojan – Now Stealing Banking Information
A campaign targeting Android mobile devices to steal banking information has been identified with over 30,000 downloads from the Google Play Store. The malware, known as Anatsa, is delivered by applications posing as office/productivity tools, mainly PDF viewers. Once the malicious application is installed, it requests and downloads the payload hosted on GitHub, disguised as a text-recognition add-on for Adobe.
This malware has been seen in the wild since earlier this year, with the latest version adding support for nearly 600 financial applications from global banking institutions. The malware is capable of performing on-device fraud, launching applications and automating the theft from the victim’s device, allowing it to bypass many of the anti-fraud systems used by these financial applications.
Attacks / Threats
[Worldwide] NATO Summit Spear-Phishing
A Russian-linked threat actor known as RomCom has been targeting guests of the NATO Summit being held in Lithuania. Based on the details of the attack chain, the attacks appear to target supporters of Ukraine by using a replica of the Ukrainian World Congress website promoted via spear-phishing. The site was found to host a number of infected documents that initiate an outbound connection to download additional components from the attacker’s command and control (C2) server, with the goal of harvesting system information and credentials and delivering the RomCom remote access trojan (RAT). Connections to infected devices and the C2 domains could be linked back to known IP addresses of the RomCom group, which has been actively targeting Ukrainian infrastructure since late 2022.
[Taiwan] TSMC confirm LockBit breach
TSMC (Taiwan Semiconductor Manufacturing Company) have confirmed that they were impacted by a supply chain attack through one of their equipment suppliers, Taiwan-based Kinmax Technology. Kinmax confirmed that the data taken in the breach included details of initial server setup and configuration, but that no data had been taken directly from TSMC and there has been no impact on TSMC’s operations. LockBit have demanded a $70 million ransom not to publish the data online, which they claim includes login details.
[Japan] Port of Nagoya Ransomware
LockBit have also claimed an attack on Japan’s busiest port, which took operations offline for over 60 hours. The Port of Nagoya handles 10% of Japan’s import and export trade and is the primary port used by Toyota for international distribution. Information about the initial ingress and other details of the attack has yet to be released. The port also suffered a DDoS attack in late 2022, which took core operations offline for nearly an hour.
[US] MOVEit Update
At the end of May, APT group Cl0p exploited a vulnerability in the MOVEit enterprise file transfer tool in a supply chain attack. So far over 140 organisations have been impacted, and while only 10 of these victims have revealed the number of individuals affected by their breach, the number of people with exposed personal information already stands at over 15 million.
CISA has revealed that several government agencies experienced intrusions into their systems relating to the attack, including the Department of Energy, while Cl0p has released a statement indicating that they have deleted all Government / Healthcare Provider data – only time will tell if they are being truthful. Two of the larger victims revealed so far in this breach are industrial control system giants Siemens Energy and Schneider Electric, both of whom have yet to confirm what data may have been impacted.
There are currently no reports of any of the impacted organisations being affected by ransomware, with Cl0p opting to focus on exfiltration and extortion based on the stolen data. Progress Software, the creators of MOVEit, are facing a class action lawsuit in connection with the cyber attacks, and the US Government has offered a cool $10 million bounty for information linking the attacks to a foreign government.
[US] Water Treatment Facility Insider Attacker Indicted
A former employee of the company contracted to manage the Discovery Bay Water Treatment Facility in California has been charged with intentionally causing damage to a protected computer.
The man, who was employed as a full-time Instrumentation and Control Tech from 2016 to 2020, had installed remote access software, allowing him to reach the treatment facility’s internal private network. In January 2021, after resigning from his position, the man was found to have accessed the facility’s systems remotely and initiated an uninstall of critical software responsible for monitoring water pressure, chemical balance and filtration. The man faces up to 10 years in prison and a $250,000 fine – his motives are not yet clear to authorities.
[US] Barracuda ESG Appliance Recall, Hack Linked to China
Researchers at Mandiant have linked the data-theft attacks on Barracuda ESG (Email Security Gateway) appliances to the APT tracked as UNC4841, a hacking group known to conduct cyber espionage on behalf of the CCP. The attacks have caused Barracuda to perform a complete recall and replacement of affected appliances, as the devices were compromised at such a low level that Barracuda cannot ensure they are clean. The vulnerability is believed to have been exploited in the wild since October 2022, although the total number of affected appliances is expected to be around 11,000 worldwide.
[Kazakhstan] Russian Cybersecurity Expert Detained
Kazakhstan authorities arrested a Russian national, Nikita Kislitsin, in relation to decade-old hacking charges from the US Department of Justice. Kislitsin is accused of hacking into the social networking site Formspring in 2012 and conspiring with another Russian man to sell the usernames and passwords obtained, predominantly belonging to users in the US. Only days after the arrest, authorities in Moscow also issued an arrest warrant for Kislitsin, seeking his extradition to Russia – placing Kazakhstan in a potentially awkward geopolitical situation.