The Good | White House Launches AI-Centric Cybersecurity Contest to Protect US Entities

The Biden-Harris administration this week announced a new hacking challenge with the purpose of using artificial intelligence (AI) to protect critical US infrastructure from growing cybersecurity threats. In collaboration with tech companies such as OpenAI and Anthropic who are making their technology available for the competition, the “AI Cyber Challenge” (aka AIxCC) offers up to $20 million in prizes for participating hackers. AIxCC will be led by the Defense Advanced Research Projects Agency (DARPA) who have made an additional $7 million available for SMBs looking to compete. The challenge was announced at Black Hat USA 2023 cybersecurity conference in Las Vegas in line with this years’ theme of generative AI.

I’m excited to announce the AI Cyber Challenge, a major, two-year @DARPA competition challenging the best and the brightest in cybersecurity and AI to secure the systems on which all American rely.https://t.co/mZR4ZNSiaM pic.twitter.com/VF1LiSGijh

— Perri Adams @ Black Hat and DEF CON (@perribus) August 9, 2023

The challenge is a practical exercise in demonstrating the potential benefits of AI in securing various software used across all industry verticals. Described by White House officials as being a “clarion call” for organizations to strengthen the security of their critical software, AIxCC plans to leverage the winning code to protect federal and critical infrastructure immediately. As part of the administration’s 2021 executive order on improving the nation’s cybersecurity posture, AIxCC is the latest effort in exploring AI-based security and innovation to mitigate the severe damage and costs associated with modern cyber risks.

The challenge also calls to attention the notion that AI holds potential in helping security professionals remain steps ahead of increasingly sophisticated cyber threat actors only if used safely and responsibly. Earlier this year, NIST launched an AI risk management framework and last month, the administration secured voluntary commitments from leading AI companies to manage the risk posed by the budding popularity of the technology.

Semi-finalists of the challenge can expect to compete at DEF CON 2024 with the final leg of the competition to be hosted the following year at DEF CON 2025.

The Bad | High-Severity RCE Vulnerability Threatens Windows Print Management Software

Earlier this week cybersecurity researchers uncovered a critical vulnerability in a print management software for Windows called PaperCut. Tracked as CVE-2023-39143, the path traversal and file upload flaw allows potential attackers to upload, read, or delete arbitrary files leading to remote code execution (RCE) of the application server.

Exploitation of this vulnerability requires the external device integration to be enabled, which is a default configuration for specific installations of the software. According to the researcher, they estimate that the vast majority of PaperCut installations currently run on Windows with this particular setting turned on. They also note that this vulnerability, though severe, involves multiple issues that must be chained together before server compromise is successful.

The company has strongly recommended their users to patch their installations to version 22.1.3 or later. To check if a server is vulnerable to CVE-2023-39143, use the following command:

CVE-2023-39143 is the latest in a string of vulnerabilities afflicting the PaperCut software this year. In April, two similar vulnerabilities, CVE-2023-27350 (an RCE flaw) and CVE-2023-27351 (an information disclosure flaw), came under widespread use by ransomware affiliates, most notably Cl0p and LockBit, to deliver Cobalt Strike and ransomware. Nearly two weeks later, the same vulnerabilities were exploited by Iranian-backed threat actors to gain access into targeted networks and exfiltrate corporate data.

SentinelOne customers are automatically protected against both Cl0p and LockBit 2.0 and 3.0 through the Singularity XDR platform which identifies and stops any malicious activities related to either ransomware affiliate.

The Ugly | DPRK-Backed Hack Group Breaches Russian Missile Makers

North Korean state-sponsored hacking group, ScarCruft (aka APT37), has been identified as the culprit behind a cyberattack on NPO Mashinostroyeniya, a Russian organization known for designing space rockets and intercontinental ballistic missiles. Despite being sanctioned by the U.S. Department of Treasury due to its involvement in the Russo-Ukrainian war, NPO Mashinostroyeniya fell victim to the attack, which involved planting an ‘OpenCarrot’ Windows backdoor for remote network access.

According an analysis by SentinelLabs, ScarCruft specializes in cyber espionage, targeting and exfiltrating data from various entities as part of its operations though the motives for this campaign are still unclear. The breach was initially discovered when leaked emails from NPO Mashinostroyeniya revealed suspicious network communications and a malicious DLL file installed on internal systems. This prompted further investigation by SentinelLabs, uncovering a more extensive intrusion than the missile makers initially realized.

The backdoor, ‘OpenCarrot,’ is associated with the Lazarus Group, another North Korean hacking entity. While collaboration between ScarCruft and Lazarus hasn’t been confirmed, it’s not uncommon for different North Korean threat actors to share tools and tactics. The ‘OpenCarrot’ backdoor boasts an array of functionalities, including reconnaissance, file and process manipulation, and reconfiguration of command-and-control communications.

Based on SentinelLabs’ assessment, this campaign underscores North Korea’s proactive mission to advance their mission development programs. The collaboration amongst various DPRK-based hacking groups suggests a unified strategy to continue a diverse range of threat campaigns aiming for profound and global consequences.

Awareness of the newest shifts and patterns is vital in the fast-changing world of cyber threats. This rings particularly true with ransomware, known for its quick changes and intricate tactics. This past August, our MDR team at SentinelOne stumbled upon something unusual in the wild: new instances of LOLKEK, or GlobeImposter as it’s also known, signaling fresh changes within this longstanding ransomware family.

This article takes you on an exploratory journey through the recent LOLKEK payloads, spotlighting key features, alterations in strategies, and shrewd observations in Indicators of Compromise (IoCs). We’ll also highlight a persistent OPSEC mistake that keeps giving away the ransomware operators’ game.

The knowledge and real-world examples provided here paint a complete picture of LOLKEK’s evolution and present-day situation. From its modest approach to ransom demands to its occasional connection with more elaborate financial assaults, comprehending LOLKEK provides insight into the wider landscape of ransomware.

LOLKEK | A Brief History

LOLKEK, also referred to as GlobeImposter, made its first appearance in 2016. In the fast-paced world of ransomware, where things change in the blink of an eye, this is like looking back to ancient history. This timeline even predates the ‘name-and-shame’ blogs that surfaced years later. To give you a perspective, Maze ransomware didn’t see the light of day until 2019. The GlobeImposter tag was a clever way to describe how this new ransomware imitated the methods of the then-known Globe ransomware.

LOLKEK can be considered a sort of ‘off-the-shelf’ ransomware. It’s something that’s frequently changed, tinkered with, and used, even by those with limited skills or resources. It’s often associated with what we might call a ‘small-time’ approach, especially regarding its targets and the ransom demands. In recent escapades, for example, the ransoms asked were often less than $2000 USD. Compare this to the eye-watering sums requested by heavyweights like Cl0p, LockBit, and Royal, and you see a sharp contrast.

LOLKEK’s primary targets tend to be small to medium-sized businesses (SMBs) and individual users. Despite this focus, there have been times when this ransomware played a part in more complex and calculated financial attacks. 2017 for example, the infamous TA505 (also known as G0092, GOLD TAHOE) group began employing GlobeImposter, moving away from Jaff, GandCrab, and Snatch. This allowed them to widen their net and boost the power of their operations, showcasing LOLKEK’s adaptability and role in the broader ransomware landscape.

Technical Details

We recently observed the following new LOLKEK samples in the wild:

08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

These samples identify themselves as “W3CRYPTO LOCKER” while also directing victims to a new TOR-based victim portal mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion

Both newly observed samples were compiled in May of 2023. It is worth noting that only the 58AC26D62653A648D69D1BCAED1B43D209E037E6D79F62A65EB5D059E8D0FC3F sample is fully functional. The 08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed sample does not fully execute and appears to have some structural corruption.

08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
(possibly corrupt)
Compile time: Thu May 11 06:15:13 2023

58AC26D62653A648D69D1BCAED1B43D209E037E6D79F62A65EB5D059E8D0FC3F
Compile time: Thu May 11 06:15:13 2023

When launched, the new LOLKEK payloads will discover and subsequently encrypt any locally available drive including mounted network shares in sequence.

The payloads also contain exclusions carried over from previous variants of the ransomware. These include the Windows, System Volume Information, and ProgramData folders.

These payloads appear to contain the functionality to discover and remove Volume Shadow Copies (VSS). However, this behavior was not observed when dynamically analyzing the sample 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f. WMIC-formatted calls to remove VSS are found in the samples’ code.

Encrypted files, once fully processed, will have the “.MMM” extension appended to them.

When looking deeper into the encrypted files themselves, we see another identifying marker linking them to previous generations of LOLKEK/GlobeImposter. Encrypted files contain the same “CRYPTO LOCKER” string seen in said prior generations.

LOLKEK Victim Portal and Notes

The LOLKEK ransom notes are written as ReadMe.txt to all locations containing encrypted files and data. The format and construction of the ransom notes is identical to what we have seen previously with this ransomware family.

The supplied .ONION URIs all contain a string at the end, unique to each execution of the ransomware.

Examples (defanged):
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]M01YOOOOOOO http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]m01TGRFBRRRR http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]M01VXOQRTKM

Current LOLKEK victims are instructed to navigate to the TOR-based victim portal where they must register an account to engage in a ‘private’ chat session with the attackers. Again, we note that the newly staged portal is functionally identical to previous victim portals staged by this operation. The look, feel, and process has not changed.

At this point, victims are able to chat with their attacker. Small files can be decrypted for free as ‘proof’ of functional decryption. Should the victim choose to comply, they will receive details on how and where to pay via a ticketing-like interface.

Upon ticket creation, the ransom details are automatically provided in the victim chat. As we see in this example, the ransom demanded is $1350 USD. Payments must be made via Bitcoin (BTC).

A LOLKEK OPSEC Misstep

The operators behind this campaign appear to have followed the same steps, process, and template as their pre-existing counterparts with regards to misconfiguration of Apache. The status page of the server is visible on the TOR-based victim page.

From here, we can see that the server went live on May 23, 2023; just a short time after the related samples’ compilation date on May 11, 2023. When analyzing these threats, it is always worthwhile to examine these surface-level misconfigurations. A great deal can be learned about a campaign and threat actor just through this step alone. In this case, this detail pointed to the same configuration misstep that helps us solidify the link of relation between previous TZW and GlobeImposter campaigns.

Conclusion

The journey of LOLKEK, or GlobeImposter, through the ever-shifting landscape of commodity ransomware is fascinating. While giants like LockBit and Cl0p dominate the headlines with their sophisticated schemes, it’s essential not to overlook the small-scale but persistent operations like LOLKEK. These lesser-known threats continue to evolve, find new ways to attack, and pose very real risks.

What we’re observing with LOLKEK is not a stagnant picture. Its operators are relentlessly exploring new strategies, pivoting to fresh infrastructure, and experimenting with innovative payloads. The examples we’ve highlighted may very well be the first stirrings of a new chapter for this adaptable threat. Although smaller in scale, it has shown the potential to align with more targeted, sophisticated campaigns. It’s not unthinkable that we could see LOLKEK targeting larger organizations and demanding higher ransoms in the future.

Protection against ever-adaptive threats like LOLKEK demands a robust defense. The SentinelOne Singularity XDR Platform is designed to recognize, counter, and eliminate all malicious behaviors and elements associated with LOLKEK/GlobeImposter-based attacks. If you wish to arm yourself with the technology that stays one step ahead of threats like these, contact us today or book a demo. We’re here to help ensure that the next chapter in the ransomware story doesn’t include you.

Indicators of Compromise

SHA1

ed247b58c0680b7c92632209181733e92f1b0721
768b8d81a6b0f779394e4af48755ca3ad77ed951

SHA256

08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

Ransom Notes SHA256

2c66e5f96470526219f40c6adfd6990cc28d520975da1fdb6bb5497d55a54117
0b179973dc267d9c300e9b7d3c27c67a18d7c79b2cc34927cbe5a465f83c6190

Ransom Notes SHA1 

88baff4e1751bd364cdb1a4bb5fda4a37ee127c4
456b0bda3f6d9ec9a874daac050b75fc28174510

IPs/URLs/Domains

Mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion
https[:]//yip[.]su/2QstD5
filessupport@onionmail[.]org

MITRE ATT&CK

T1005 – Data from Local System
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1070.004 – Indicator Removal: File Deletion
T1112 – Modify Registry
T1012 – Query Registry
T1083 – File and Directory Discovery
T1027.002 – Obfuscated Files or Information: Software Packing
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Leveraging known bugs and unpatched exploits continue to be an unyielding strategy for threat actors. Ranging from security bypasses and credential exposure to remote code execution, software vulnerabilities remain tools of the trade for cyber attackers looking for a way into lucrative systems.

While new flaws found in Active Directory and the MOVEit file transfer application along with those used in the AlienFox toolkit or recent IceFire ransomware campaigns have wreaked havoc this year, a number of existing vulnerabilities stand out from the rest in terms of how often they are abused to this day.

In this post, we delve into CISA’s latest round-up, which lists the top 12 most routinely exploited vulnerabilities of 2022 that continue to pose significant threats to enterprise businesses.

1. Fortinet FortiOS & FortiProxy (CVE-2018-13379)

Fortinet FortiOS SSL VPNs are primarily used in border firewalls and work by fencing off sensitive internal networks from the public internet. In the case of CVE-2018-13379, a particularly severe path traversal flaw, APT actors could use specially crafted HTTP resource requests to steal legitimate credentials and connect to unpatched VPNs and download system files. Though a patch was released back in 2019, CVE-2018-13379 has come back around several times in the past three years targeting government, commercial, and technology service networks.

In 2020, a hacker posted a list of one-line exploits to steal VPN credentials from nearly 50,000 Fortinet VPN devices using this flaw. Security researchers at the time pointed out that of the 50,000 domains, over four dozen belonged to well-known financial and government organizations. Later that year, the flaw appeared again; this time exploited by government-backed actors working to compromise US election support systems. For this campaign, CVE-2018-13379 was chained together with others to gain access to exploit Internet-exposed servers and gain access. This vulnerability was seen once more in 2021 when 87,000 sets of credentials for Fortigate SSL VPN devices were leaked online, obtained through the exploitation of CVE-2018-13379.

These critical flaws remain lucrative to threat actors who bank on Fortinet’s widespread popularity and adoption as a provider of VPN solutions. The larger the user base, the more potential targets there are, which increases the appeal for attackers. As a result of their frequent abuse, the FBI and CISA have since issued a joint advisory warning users and administrators of Fortinet against advanced persistent threat (APT) actors actively exploiting existing and future critical VPN vulnerabilities. It is highly likely that these flaws will continue to be used to gain an initial foothold in vulnerable environments as a precursor for future attacks.

For more details on this vulnerability, refer to the advisory. Fortinet has also provided steps for mitigation and prevention here.

2 – 4. Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)

Microsoft Exchange Server is a popular email and support system for organizations worldwide, deployed both on-premises and in the cloud. First seen in 2021, a chain of vulnerabilities identified in unpatched on-premises editions of Microsoft Exchange Server is still actively being exploited on internet-facing servers.

This chain of vulnerabilities is known collectively as “ProxyShell” and comprises CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523 to affect several versions of on-premises Microsoft Exchange Servers. ProxyShell targets unpatched Exchange servers to achieve pre-authenticated remote code execution (RCE). Out of the three, CVE-2021-34473 has the highest rated CVSS score of 9.1. While the remaining were initially classified as “exploitation less likely”, they bring significant value to attackers when used in combination with CVE-2021-34473. Together, ProxyShell allows attackers to execute arbitrary commands on vulnerable Exchange servers on port 443.

All three flaws were patched in 2021, but security researchers currently track several uncategorized threat (UNC) groups that are known to exploit ProxyShell vulnerabilities while predicting more clusters to appear as future generations of threat actors adopt working exploits. In a particular cluster of threat activity tracked as UNC2980, Mandiant researchers observed the ProxyShell vulnerabilities leveraged in a cyber espionage operation reportedly linked to Chinese-speaking actors. In this operation, UNC2980 dropped multiple tools into a US-based university’s environment after gaining access and deploying a web shell by exploiting ProxyShell. After exploitation via ProxyShell, the threat actors used publicly available tools such as Mimikatz, HTRAN, and EarthWorm to conduct post-exploitation activities.

Since its discovery, multiple intrusions leveraging ProxyShell have targeted the education, government, business services, and telecommunications industries. Microsoft’s security updates from May 2021 and June 2021 list the necessary updates that protect against ProxyShell. For more details on the vulnerability, see Microsoft’s blog post.

5. Microsoft Various Products (CVE-2022-30190)

Dubbed “Follina”, CVE-2022-30190 is a high-severity RCE vulnerability that affects multiple Microsoft Office products. Thought to be leveraged by a variety of Chinese-speaking threat actors, Follina allows the execution of arbitrary code after convincing users to open malicious Word documents or any other vector that processes URLs. Follina continues to be seen in various cyberattacks due to the large number of unpatched versions of Microsoft Office products available. It was first publicly disclosed in May of 2022:

Interesting maldoc was submitted from Belarus. It uses Word’s external link to load the HTML and then uses the “ms-msdt” scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt

— nao_sec (@nao_sec) May 27, 2022

Threat actors are known to exploit the Follina vulnerability through phishing scams, which use social engineering techniques to trick users into opening malicious Office documents. When users encounter embedded links within Office applications, these links are automatically fetched, triggering the execution of the Microsoft Support Diagnostic Tool (MSDT) protocol. MSDT (msdt.exe) is a Microsoft service primarily designed to collect system crash information for reporting to Microsoft support. However, threat actors can exploit this protocol by crafting links to force the execution of malicious PowerShell commands without requiring any further user interaction. This poses a serious security risk, as it allows attackers to remotely execute unauthorized commands on the targeted system through seemingly innocuous links.

The Follina flaw has more recently been exploited as a zero-day to support threat campaigns against organizations in critical industries. From March to May of 2022, an activity cluster tracked as UNC3658 exploited Follina to target the Philippine government. In April the same year, additional samples of Follina appeared in a campaign against South Asian telecommunication entities and business services by UNC3347. A third cluster dubbed UNC3819, CVE-2022-30190 was used to attack organizations in Russia and Belarus, suggesting a possible lure to content related to the illegal invasion of Ukraine.

CISA has urged Microsoft users and administrators to review Microsoft’s Guidance for CVE-2022-30190 to apply the necessary workarounds.

6. Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)

In late 2021, at least nine entities across the defense, healthcare, energy, technology, and education sectors were compromised through a patched critical flaw in Zoho’s ManageEngine ADSelfService Plus. The product offers a comprehensive self-service password management and single sign-on (SSO) solution tailored for Active Directory and cloud applications. This tool is designed to allow administrators to enforce two-factor authentication (2FA) for secure application logins while granting users the ability to reset their passwords autonomously.

Tracked as CVE-2021-40539, the vulnerability enabled threat actors to gain initial access to victim organizations’ systems. CVE-2021-40539 (CVSS 9.8) is an authentication bypass vulnerability affecting REST API URLs that could be used for RCE. In response to this, CISA issued a warning against the zero-day flaw and how it could be used to deploy webshells, allowing an actor to conduct post-exploitation activities, such as stealing administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory (AD) files.

Vulnerabilities in SSO solutions for AD and cloud applications are particularly nefarious. Should they be successfully exploited, attackers can essentially gain access to critical applications, sensitive data, and other areas deep within the corporate network through AD.

Most recently, exploitation of CVE-2021-40539 was observed in an attack against the International Committee of the Red Cross (ICRC). In their statement, Red Cross admitted to missing the critical patch that would have protected them from the exploit, highlighting the importance of maintaining a robust patch management process. As a result of the attack, the names, locations, and contact information of over 515,000 individuals part of the ICRC’s Restoring Family Links program were compromised.

Read Zoho’s advisory for more details about this vulnerability and how to update to ADSelfService Plus build 6114.

7 – 8. Atlassian Confluence Server & Data Center (CVE-2021-26084, CVE-2022-26134)

Atlassian Confluence, being a collaboration and documentation platform in use by many governments and private enterprises, continues to draw significant attention from threat actors. In CISA’s latest list of routinely exploited flaws, the Australian-based company holds two spots in the form of CVE-2021-26084 and CVE-2022-26134, which are both related to a case of Object-Graph Navigation Language (OGNL) injection.

Mass exploitation of CVE-2021-26084 first occurred in September 2021 and targeted the widely popular web-based documentation service. Confluence is designed to allow collaboration between multiple teams on shared projects. CVE-2021-26084 is a command injection vulnerability that could be exploited to execute arbitrary code on a Confluence Server or Data Center instance. Essentially having the same permissions as the user running the service, the attacker is able to execute any command, gain elevated admin privileges, and establish a foothold in the environment. CISA released an advisory guiding users and administrators to review Atlassian’s updates to prevent compromise.

Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already— this cannot wait until after the weekend.

— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) September 3, 2021

Just nine months later, Atlassian rolled out a warning for another OGNL injection vulnerability targeting their Confluence Server & Data Center. Tracked as CVE-2021-26134, it enables an unauthenticated attacker to execute arbitrary code in all supported versions of Confluence Data Center and Server. This critical-level flaw quickly became one of the top exploited bugs after a proof-of-concept (PoC) was released within a week of its initial disclosure. In this instance, CVE-2021-26134 was used to achieve unauthenticated RCE on the server and then drop a Behinder web shell. The Behinder web shell gave the actors very powerful capabilities such as interaction with Meterpreter and Cobalt Strike as well as memory-only web shells.

Since we posted about the Atlassian Confluence vulnerability yesterday (CVE-2022-26134), at @Volexity we have several new observations. The first is that that the targeted industries/verticals are quite widespread. This is a free-for-all where the exploitation seems coordinated.

— Steven Adair (@stevenadair) June 3, 2022

According to Atlassian’s website, the company supports 83% of Fortune 500 companies, 10 million monthly active users, and over 235,000 users in over 190 countries. The two Atlassian-based CVEs showcase how financially-motivated threat actors will continuously leverage exploits to reach many attractive targets at once.

9. Log4Shell (CVE-2021-44228)

Log4shell, assigned as CVE-2021-44228 and also known as “the Log4j vulnerability”, is a maximum severity RCE flaw found in Apache Log4j, a popular Java-based logging library used widely in various applications. This vulnerability allows remote attackers to execute arbitrary code on affected systems, potentially leading to unauthorized access, data breaches, and even full system compromise.

The vulnerability came to light in December 2021 when it was first publicly disclosed. The issue originated from the use of untrusted data in the “log4j2” component’s look-up mechanism, enabling attackers to inject malicious code through crafted log messages. This flaw exposed a wide variety of applications, including web servers, enterprise software, and cloud-based services, that all relied on Log4j for logging.

Though Apache quickly released a patch for the level 10.0-rated RCE vulnerability, security experts confirm that exploitation will be ongoing and could lead to widespread malware deployment given its broad use across major vendors. CISA has since issued a binding operational directive (BOD), ordering federal civilian executive branch (FCEB) agencies to patch their systems against this critical vulnerability.

The rapid exploitation of Log4shell is attributed to its widespread adoption across diverse industries and platforms. The Apache Log4j library has been a staple in the Java community for many years, making it present in countless applications and systems. What’s more is that patching the vulnerability has proved challenging, as many organizations struggle to identify and update all instances of Log4j within their infrastructures promptly.

See CISA’s GitHub repository for known affected products and patch information and their dedicated page containing technical details and patching guidelines for impacted organizations.

10 – 11. VMware Workspace ONE Access & Identity Manager (CVE-2022-22954, CVE-2022-22960)

VMware is a popular virtualization software, making it a frequent target for all levels of cyber attackers including advanced persistent threat (APT) groups. Exploiting vulnerabilities in VMware could grant unauthorized access to virtual machines and critical data hosted on the platform. Since VMware virtualizes multiple systems on a single physical server, a successful attack could potentially compromise multiple VMs simultaneously. Oftentimes, attackers choose to target VMware environments in order to gain a foothold in larger networks, exploiting the trust and accessibility of the virtualized infrastructure. VMware vulnerabilities take up two spots in CISA’s list of top exploited flaws this year.

First, CVE-2022-22954 (CVSS 9.8) is a server-side template injection vulnerability that could be triggered by a malicious actor with network access to achieve RCE in VMware’s Workspace ONE Access & Identity Manager. After PoCs for the vulnerability were published in spring of last year, security researchers saw it used in active attacks infecting servers with coin miners – a common first mode of attack when new flaws are exploited. VMware has published a security advisory with more details of this vulnerability here.

This is being exploited in the wild and crypto miners are being deployed#HUMINT
CVE-2022-22954#Vmware #Workspace Vulnerabilities

Expect #ransomware now/soon https://t.co/WlVy4EF9ZG

— mRr3b00t (@UK_Daniel_Card) April 13, 2022

Second, CVE-2022-22960 (CVSS ) is a privilege escalation vulnerability. According to CISA’s advisory on this vulnerability, it enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. If chained together with CVE-2022-22954, an actor could execute an arbitrary shell command as a VMware user and then wipe logs, escalate permissions, and move laterally to other systems with root access.

Since VMware products are used commonly across Federal Civilian Executive Branch (FCEB) agencies among other critical industries, CISA ordered an emergency directive for government agencies to complete a series of mitigation measures. These measures can be found here.

12. F5 Networks BIG-IP (CVE-2022-1388)

A few days after F5 published a patch for a critical RCE vulnerability tied to their BIG-IP suite of products last September, security researchers were able to create an exploit for the flaw. Classified as a missing authentication vulnerability, CVE-2022-1388 (CVSS 9.8) relates to an iControl REST authentication bypass that could lead to attackers gaining access and taking control of a compromised BIG-IP system. The attacker could perform a number of malicious actions such as dropping webshells for future attacks, deploying cryptocurrency miners, and exfiltrating sensitive data.

Remote code execution flaws are trivial to exploit, making them popular for targeting by opportunistic threat actors. Whenever vulnerabilities are found in internet-facing services, threat actors are sure to make quick work in leveraging them. Exploits like CVE-2022-1388 provide immediate, initial access to a targeted network and often enable attackers to follow through with lateral movement and privilege escalation; critical tactics in the cyberattack kill chain.

F5’s security advisory detailing CVE-2022-1388 indicators of compromise (IoCs) and steps for mitigation can be found here. CISA also released an advisory in response to the flaw in response to several PoCs that were published shortly after initial disclosure.

Conclusion

Enterprise security teams must acknowledge that old vulnerabilities persist and continue to pose a significant threat. While the latest CVEs often receive the spotlight, CISA’s annual list of routinely exploited vulnerabilities serves as a stark reminder that existing flaws are still capable of inflicting serious damage on vulnerable systems.

In addition to the comprehensive list, CISA offers guidance to vendors and tech organizations for identifying and mitigating potential risks. The recommendations include adopting secure-by-design practices and prioritizing patching known exploited vulnerabilities, thus minimizing the risk of compromise. Vendors are also encouraged to establish coordinated vulnerability disclosure programs, enabling root cause analysis for discovered flaws.

SentinelOne is ready to help security leaders defend their organizations against every level of cyberattack. To see how we can help you build a robust security posture, contact us today or book a demo.

The Good | High-Severity Flaws Patched in Firefox and Chrome Updates

Browsers are our windows to the internet and due to both their ubiquity and the amount of information they collect, they are often prime targets for threat actors, so there’s good news for Firefox and Chrome users this week as new security patches have been rolled out for both.

On Tuesday, Mozilla released new versions of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which all include patches for several high-severity vulnerabilities, most prominently CVE-2023-4045, CVE-2023-4046, and CVE-2023-4047. The new iterations prohibit HTML and JavaScript code displayed on one site from accessing content on another site, correct a potentially exploitable crash caused by wrong values during WASM compilation, and resolve a clickjacking issue where users are tricked into giving up risky permissions for microphone, location, and notification services.

On the Google side, the tech firm handed out over $60,000 in bug bounties for three high-severity type confusion vulnerabilities in Chrome’s V8 engine. The latest update, Chrome 115, addresses six other severe flaws relating to issues such as a heap buffer overflow problem which often results in unpredictable behavior or generates incorrect results, crashes, or memory access errors, an insufficient data validation bug, and an inappropriate implementation issue. Users are encouraged to update to versions 115.0.5790.170 for Mac and Linux and to versions 115.0.5790.170/.171 for Windows.

The Bad | More Vulnerabilities Found in Ivanti’s Mobile Device Management Product

Following a maximum severity bypass vulnerability reported last week by Ivanti, the Utah-based IT firm has since issued warnings for two more vulnerabilities also found in its Endpoint Manager Mobile (EPMM) software.

The first of the two is a new path traversal vulnerability, tracked as CVE-2023-35081 (CVSS 7.2), allowing arbitrary file write capabilities. Threat actors exploiting this vulnerability could potentially bypass admin authentication and ACL restrictions to execute OS commands. All supported versions of EPMM, including releases 11.10, 11.9, 11.8, and older are impacted.

The company says that this new vulnerability differs from July’s CVE-2023-35078; however, it acknowledged that attackers could chain the two together for malicious purposes. A joint cybersecurity advisory from both CISA and the Norwegian National Cyber Security Centre (NCSC-NO) explains that chaining the two flaws could translate to privileged access across EPMM systems and the ability to execute uploaded files such as webshells.

Another one for the same product: CVE-2023-35082, CVSS 10.0
Search: https://t.co/T9uvu0P8Wr
Advisory: https://t.co/1o2GQSgkgm#vulnerability_map #cybersecurity https://t.co/w6TnuJpSFe

— Netlas.io (@Netlas_io) August 3, 2023

The second vulnerability announced this week is tracked as CVE-2023-35082 (CVSS 10.0) and could allow unauthenticated attackers to access the API in older, unsupported versions of the product (11.2 and below).

If exploited, attackers could access users’ personally identifiable information (PII) and make unauthorized changes to the server. Security researchers noted the bug’s close relation to last week’s remote unauthorized API access flaw in that both target the permissive qualities of certain entries in the mifs web application’s security filter chain.

Ivanti has released patches for all three vulnerabilities within the span of two weeks and urged its customers to upgrade to the latest version of EPMM and monitor their systems for signs of breaches.

The Ugly | Microsoft Domains Leveraged in Russian-Backed Teams Phishing Campaigns

Cyber threat group APT29, attributed to Russia’s Foreign Intelligence Service (SVR), was linked this week to a series of attacks on dozens of organizations. Likely indicative of an espionage campaign, the group targeted government agencies, non-government organizations (NGOs), IT and tech services, private manufacturing, and media sectors through phishing messages sent via Microsoft Teams.

According to a report released Wednesday, the attackers used compromised Microsoft 365 tenants to create tech support-themed domains and sent various social engineering lures to trick victims into granting approval for multi-factor authentication (MFA) prompts. The new domains were part of a legitimate Microsoft domain ‘onmicrosoft.com’ that is used when a custom domain is not successfully created.

Using this domain, the spoofed tech support messages would have appeared more trustworthy to the targeted users.

APT29 has been operating since at least 2008, crafting attacks against government networks in NATO member countries and in Europe, think tanks, and research institutes. Notoriously, the group is attributed to the SolarWinds supply chain attack that led to the compromise of as many as 18,000 government entities and Fortune 500 companies, at least nine federal agencies, and more than 100 businesses globally.

This latest activity is a timely reminder of just how pernicious and persistent these groups are, and organizations in all verticals are urged to be equally relentless in reinforcing strong cyber hygiene and continued awareness and education efforts.