Welcome to Security Sunday – Week 3, our weekly summary from the world of cybersecurity (15. 01. – 21. 01. 2024).

We’re collecting notable incident and vulnerability reports from the past week.

FBI and CISA Issue Warning on Androxgh0st Malware Botnet Targeting AWS and Microsoft Credentials

In a joint announcement, the FBI and CISA have issued a warning regarding the Androxgh0st malware, revealing that threat actors are orchestrating a botnet with a specific focus on stealing cloud credentials from AWS and Microsoft. The stolen information is then exploited to facilitate the delivery of additional malicious payloads.

Initially detected by Lacework Labs in 2022, this botnet, as per Fortiguard Labs data, had control over more than 40,000 devices almost a year ago. Androxgh0st malware actively seeks out vulnerabilities related to remote code execution (RCE), specifically targeting CVE-2017-9841 (PHPUnit unit testing framework), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel PHP web framework).

Primarily a Python-scripted malware, Androxgh0st zeroes in on .env files containing sensitive data, including credentials for prominent applications like Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio from the Laravel web application framework. It has various features capable of abusing the Simple Mail Transfer Protocol (SMTP), such as scanning for and exploiting exposed credentials and application programming interfaces (APIs), along with deploying web shells. The pilfered Twilio and SendGrid credentials empower threat actors to execute spam campaigns posing as the compromised companies. Lacework notes that Androxgh0st, depending on its use, can perform one of two primary functions against acquired credentials, with the most commonly observed being to check the email sending limit for the account to assess its suitability for spamming.

In addition to this, attackers have been observed creating fake pages on compromised websites, providing them with a backdoor to access databases housing sensitive information and to deploy more malicious tools crucial to their operations. Upon successfully compromising AWS credentials on vulnerable websites, Androxgh0st operators attempt to create new users and user policies. Moreover, they utilize stolen credentials to spin up new AWS instances for scanning additional vulnerable targets across the Internet.
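The advisory describes the botnet probing web servers for exposed .env files and the PHPUnit vendor directory. The following is an added example, not code from the page or from the advisory, that scans Apache combined-format access log lines for those probes and flags any source that was actually served a .env file; the log lines are constructed, and the two URL indicators are assumptions based on the behaviour the page describes, not the advisory's own indicator list.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not real telemetry).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2024:03:12:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jan/2024:03:12:02 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [16/Jan/2024:03:12:03 +0000] "GET /app/.env HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.4 - - [16/Jan/2024:03:15:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jan/2024:03:15:11 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed indicators derived from the behaviour the advisory describes:
# requests for Laravel .env files and probes of the PHPUnit vendor directory.
INDICATORS = {
    "env_file_request": re.compile(r"(^|/)\.env(\.|$)"),
    "phpunit_probe": re.compile(r"/vendor/phpunit/", re.IGNORECASE),
}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(path):
    """Return the names of every indicator the request path trips."""
    return [name for name, rx in INDICATORS.items() if rx.search(path)]

def scan(log_text):
    """Return {source_ip: {"hits": [(path, status, tags)], "leaked": bool}}."""
    report = defaultdict(lambda: {"hits": [], "leaked": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        tags = classify(rec["path"])
        if not tags:
            continue
        entry = report[rec["ip"]]
        entry["hits"].append((rec["path"], int(rec["status"]), tags))
        # A 2xx answer to a .env request means the secrets file was really served.
        if "env_file_request" in tags and 200 <= int(rec["status"]) < 300:
            entry["leaked"] = True
    return dict(report)
```

A source with `leaked` set is the one to treat as a credential exposure (rotate the keys in that .env) rather than just a scan.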

Based on evidence of active exploitation, CISA has added the CVE-2018-15133 Laravel deserialization of untrusted data vulnerability to its Known Exploited Vulnerabilities Catalog, directing federal agencies to secure their systems against these attacks by February 6. Additionally, the CVE-2021-41773 Apache HTTP Server path traversal and CVE-2017-9841 PHPUnit command injection vulnerabilities were added to the catalog in November 2021 and February 2022, respectively.

Russian Hackers Breach Microsoft Corporate Emails in a Month-Long Cybersecurity Incident

Microsoft issued a warning on Friday night, revealing that some of its corporate email accounts fell victim to a breach resulting in data theft by a Russian state-sponsored hacking group known as Midnight Blizzard. The intrusion was detected on January 12th, and Microsoft’s subsequent investigation traced the attack to Russian threat actors commonly identified as Nobelium or APT29.

The breach occurred in November 2023, initiated by a password spray attack targeting a legacy non-production test tenant account. In a password spray attack, threat actors compile a list of potential login names and systematically attempt to access each one using a specific password. The success of this brute force attack suggests that the compromised account lacked essential security measures such as two-factor authentication (2FA) or multi-factor authentication (MFA), practices highly recommended by Microsoft for all online accounts.

Once access to the “test” account was secured, the Nobelium hackers exploited it to infiltrate a “small percentage” of Microsoft’s corporate email accounts for a duration exceeding a month. It remains unclear why a non-production test account possessed permissions to access other accounts within Microsoft’s corporate email system unless it was exploited to pivot to accounts with elevated permissions. The breached email accounts included members of Microsoft’s leadership team and employees in the cybersecurity and legal departments, from whom the hackers pilfered emails and attachments. Microsoft clarified that the initial target was information related to Midnight Blizzard itself.
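The password spray described above has a recognisable shape in sign-in logs: one source fails against many distinct accounts while staying below the per-account lockout threshold, which is what separates it from a brute force against a single account. This is an added example, not code from the page or from Microsoft; the sign-in events are constructed, and the window and thresholds are assumptions to tune for your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (timestamp, source_ip, username, outcome). Not real telemetry.
EVENTS = [
    ("2024-01-17T02:00:01", "203.0.113.9", "alice", "failure"),
    ("2024-01-17T02:00:04", "203.0.113.9", "bob", "failure"),
    ("2024-01-17T02:00:07", "203.0.113.9", "carol", "failure"),
    ("2024-01-17T02:00:10", "203.0.113.9", "dave", "failure"),
    ("2024-01-17T02:00:13", "203.0.113.9", "erin", "failure"),
    ("2024-01-17T02:00:16", "203.0.113.9", "frank", "failure"),
    ("2024-01-17T02:00:30", "203.0.113.9", "legacy-test", "success"),
    ("2024-01-17T08:10:00", "198.51.100.2", "carol", "failure"),
    ("2024-01-17T08:10:20", "198.51.100.2", "carol", "failure"),
    ("2024-01-17T08:10:45", "198.51.100.2", "carol", "success"),
]

WINDOW = timedelta(minutes=10)   # assumed sliding window
MIN_ACCOUNTS = 5                 # assumed: distinct accounts one source must fail against
MAX_PER_ACCOUNT = 2              # assumed: spray stays below lockout, so few failures per account

def detect_password_spray(events, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                          max_per_account=MAX_PER_ACCOUNT):
    """Return {source_ip: {...}} for sources whose failure pattern looks like a spray."""
    by_source = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_source[ip].append((datetime.fromisoformat(ts), user, outcome))
    alerts = {}
    for ip, evs in by_source.items():
        evs.sort()
        failures = [(t, u) for t, u, o in evs if o == "failure"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in failures[start:end + 1]:
                per_user[u] += 1
            # Many accounts, few failures each: spray. One account, many failures: not this rule.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                t_lo, t_hi = failures[start][0], failures[end][0] + window
                compromised = sorted({u for t, u, o in evs if o == "success" and t_lo <= t <= t_hi})
                alerts[ip] = {"accounts_targeted": len(per_user), "successes_after_spray": compromised}
                break
    return alerts
```

A success from the same source shortly after the spray (here the constructed `legacy-test` account) is the event to escalate, since it is exactly the unprotected account the page describes.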

Microsoft emphasized that the breach did not result from vulnerabilities in their products or services but rather from a brute force password attack on the affected accounts. Despite ongoing investigations, Microsoft assured that the breach has not materially impacted the company’s operations.

Nobelium, also known as Midnight Blizzard, APT29, and Cozy Bear, is a Russian hacking group believed to be associated with Russia’s Foreign Intelligence Service (SVR). The group gained notoriety in connection with the 2020 SolarWinds supply chain attack, impacting both the U.S. government and Microsoft. In June 2021, Nobelium breached another Microsoft corporate account, enabling access to customer support tools. Beyond cyberespionage and data theft, Nobelium is known for developing custom malware for its operations. Microsoft, being a pivotal target due to its control over extensive global data and services, faced another cyber incident recently when Chinese hackers stole a Microsoft signing key, providing access to email accounts of several organizations, including U.S. and Western European government agencies.

TeamViewer abused to breach networks in recent ransomware attacks

In a new wave of ransomware attacks, threat actors are once again leveraging TeamViewer to gain initial access to organizational endpoints, attempting to deploy encryptors based on the leaked LockBit ransomware builder.

TeamViewer, a legitimate remote access tool widely used in the enterprise world for its simplicity and capabilities, has unfortunately become a preferred tool for scammers and ransomware actors. These malicious actors use TeamViewer to access remote desktops, dropping and executing malicious files without hindrance. A recent report from Huntress reveals that cybercriminals have revisited these techniques, still using TeamViewer to compromise devices and attempt ransomware deployment.

Huntress analyzed two compromised endpoints, and the log files indicated connections from the same source in both cases, suggesting a common attacker. On the first endpoint, Huntress observed multiple accesses by employees in the logs, indicating legitimate use for administrative tasks. On the second endpoint, which had been running TeamViewer since 2018, there was no activity in the logs for the past three months, making it a potentially more attractive target for attackers. In both cases, attackers attempted to deploy ransomware using a DOS batch file (PP.bat) placed on the desktop, which executed a DLL file (the payload) via a rundll32.exe command. The attack on the first endpoint succeeded but was contained, while the antivirus product on the second endpoint stopped the effort, leading to repeated payload execution attempts with no success.

While it remains unclear how threat actors are gaining control of TeamViewer instances, the company emphasized the importance of maintaining strong security practices. TeamViewer suggested using complex passwords, implementing two-factor authentication, utilizing allow-lists, and regularly updating to the latest software versions to safeguard against unauthorized access. The company also provided a set of best practices for secure unattended access to further support users in maintaining secure operations.

BreachForums Admin Sentenced to 20 Years of Supervised Release

Conor Brian Fitzpatrick, the administrator of the BreachForums hacking forum, has been sentenced to 20 years of supervised release. Fitzpatrick had previously agreed to plead guilty to all charges. BreachForums operated as a cybercrime marketplace, facilitating members in soliciting, selling, purchasing, and exchanging illicitly obtained or compromised data, along with various contraband items. This included stolen access devices, cybercrime tools, compromised databases, and services for gaining unauthorized access to targeted systems.

In March 2023, law enforcement arrested Fitzpatrick, also known as Pompompurin. The arrest followed extensive surveillance, including the search and seizure of evidence from his residence. Fitzpatrick was charged with soliciting individuals for the sale of unauthorized access devices and was released on a $300,000 bond signed by his parents. The BreachForums hacking forum was established in 2022 after the seizure of RaidForums during Operation TOURNIQUET. Fitzpatrick consistently maintained that he had no affiliation with RaidForums. U.S. prosecutors recommended a 15-year prison sentence in a memorandum filed on January 16th. However, it has been revealed that Fitzpatrick was ultimately sentenced to time served and 20 years of supervised release. The initial two years of the supervised release will be served under home confinement, with GPS location monitoring.

The sentencing document outlined specific outings and permissions during home confinement, such as therapy sessions, meetings with the probation officer, medical appointments, and religious observances. Additionally, Fitzpatrick is required to comply with the computer monitoring program administered by the probation office, allowing the installation of monitoring software on any computer he uses.

Furthermore, Fitzpatrick has been ordered to pay restitution to compensate for the losses incurred by the victims, with the specific amount yet to be determined.

Atlassian has issued a warning about a critical remote code execution vulnerability

Tracked as CVE-2023-22527, the flaw is categorized as critical (CVSS v3: 10.0) and allows unauthenticated attackers to achieve remote code execution on vulnerable Confluence endpoints. The impacted versions include those released before December 5, 2023, with out-of-support releases also at risk.

The vulnerability is a template injection issue, and while most recent supported versions have been patched, Atlassian recommends that users install the latest version to protect against non-critical vulnerabilities outlined in its January Security Bulletin. The affected Confluence Data Center and Server versions range from 8.0.x to 8.5.3. Atlassian addressed the flaw in versions 8.5.4 (LTS), 8.6.0 (Data Center only), and 8.7.1 (Data Center only), all released in December.

Admins are urged to move to actively supported releases, as older release branches, including 8.4.5 and prior, will not receive security updates. Atlassian provides no mitigation or workarounds, advising users to apply available updates promptly. Instances not connected to the internet and those without anonymous access are still exploitable but with reduced risk. If immediate updates are not possible, users are advised to take impacted systems offline, back up data outside the Confluence instance, and monitor for malicious activity. Atlassian’s Confluence software has been targeted by threat actors in the past, making prompt updates crucial for security.

Interested in cyber security? Check out the next episodes of our weekly magazine Security Sunday.