Weekly Cyber Reports

This Week in Cyber 01st September 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 31st August, 2023

Alert for Developers: Suspicious Rust Libraries Found Sending OS Information to Telegram Channel

Malicious packages were detected on the Rust programming language's crate registry, highlighting an ongoing threat to developers through software supply chain attacks. These suspicious libraries, uploaded between August 14 and 16, 2023, by a user named "amaperf," have since been removed. The packages, including postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger, were found to possess functions to collect the operating system information and transmit it to a hardcoded Telegram channel.
The motive behind this campaign remains unclear, but it's suggested that the threat actor may have been in the early stages of compromising developer machines to later deliver rogue updates with enhanced data exfiltration capabilities. Developers have become high-value targets due to their access to SSH keys, production infrastructure, and company intellectual property.
This isn't the first time crates.io has been targeted; a supply chain attack called CrateDepression was uncovered in May 2022. In a related development, Phylum also uncovered an npm package called emails-helper, which, once installed, facilitated the exfiltration of machine data and executed encrypted binaries. Although npm removed the package, it had already garnered 707 downloads.
These incidents underscore the need for developers to exercise caution and due diligence in their software development activities. Such attacks can be triggered by seemingly innocuous actions like running npm install. Malicious packages have also been found on the Python Package Index (PyPI), attempting to steal sensitive data and download undisclosed second-stage payloads from remote servers.
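The due-diligence step this item calls for can be partly automated. The following is an added example, not code from the report or from any registry or vendor: it walks a Cargo.lock file and flags any dependency that is one of the crate names named above, or that is a close lookalike of a popular crate it appears to imitate. The malicious names come from the report; the list of legitimate crates they resemble, the similarity cutoff and the Cargo.lock content are assumptions constructed for the example.

```python
"""Audit a Cargo.lock for known-malicious and lookalike crate names.

Added example, not code from the report. Crate names in MALICIOUS_CRATES are
the ones the report lists; LEGITIMATE_CRATES is an assumed set of popular
crates they appear to imitate; SAMPLE_CARGO_LOCK is constructed.
"""
import difflib
import re
from typing import List, Optional, Tuple

# Crate names reported as malicious (uploaded 14-16 August 2023, since removed).
MALICIOUS_CRATES = {
    "postgress", "if-cfg", "xrvrv", "serd", "oncecell", "lazystatic", "envlogger",
}

# Assumption: popular, legitimate crates whose names the packages above resemble.
LEGITIMATE_CRATES = {
    "postgres", "cfg-if", "serde", "once_cell", "lazy_static", "env_logger",
    "tokio", "rand",
}

# Matches the name/version pair that opens each [[package]] entry in Cargo.lock.
PACKAGE_RE = re.compile(
    r'^\[\[package\]\]\s*\nname = "([^"]+)"\s*\nversion = "([^"]+)"', re.MULTILINE
)

# Constructed sample lock file: one legitimate crate, one legitimate crate with a
# long but unrelated name, one known-malicious crate and one lookalike.
SAMPLE_CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.188"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_derive"
version = "1.0.188"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "postgress"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "rnd"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def normalise(name: str) -> str:
    """Drop '-' and '_' (Cargo treats them as equivalent) and lower-case for comparison."""
    return name.replace("-", "").replace("_", "").lower()


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every [[package]] entry, in file order."""
    return PACKAGE_RE.findall(text)


def lookalike(name: str, cutoff: float = 0.8) -> Optional[str]:
    """Return the legitimate crate this name most resembles, if it is close but not identical."""
    if name in LEGITIMATE_CRATES:
        return None
    candidates = {normalise(c): c for c in LEGITIMATE_CRATES}
    matches = difflib.get_close_matches(normalise(name), candidates.keys(), n=1, cutoff=cutoff)
    return candidates[matches[0]] if matches else None


def audit_cargo_lock(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for each dependency worth a second look."""
    findings = []
    for name, version in parse_cargo_lock(text):
        if name in MALICIOUS_CRATES:
            findings.append((name, version, "known-malicious"))
        else:
            target = lookalike(name)
            if target:
                findings.append((name, version, f"possible typosquat of {target}"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_cargo_lock(SAMPLE_CARGO_LOCK):
        print(f"{name} {version}: {reason}")
```

Run against a real Cargo.lock by reading the file into `audit_cargo_lock`. The lookalike check is a heuristic: `serde_derive` is correctly left alone because its normalised form is too far from `serde`, while `rnd` is flagged against `rand`; tune the cutoff and the legitimate-crate list to your own dependency set.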

Ivanti Alerts About Actively Exploited Critical Zero-Day Vulnerability in Sentry Software

Software services provider Ivanti has issued a warning regarding a critical zero-day vulnerability impacting Ivanti Sentry (formerly MobileIron Sentry), which is actively being exploited in the wild. Tracked as CVE-2023-38035, the flaw is an authentication bypass affecting versions 9.18 and earlier, caused by an inadequately restrictive Apache HTTPD configuration.


If exploited, the vulnerability permits unauthorized access to sensitive APIs utilized for configuring Ivanti Sentry on the administrator portal (typically port 8443 or MICS). Despite the high CVSS score, there's low risk for customers who do not expose port 8443 to the internet. Successful exploitation allows attackers to alter configurations, execute system commands, and write files onto the system.
Mnemonic, a Norwegian cybersecurity company, discovered and reported the flaw, highlighting the potential for an unauthenticated threat actor to gain root-level access. Additionally, the vulnerability could be exploited in conjunction with other Ivanti Endpoint Manager Mobile (EPMM) flaws. Ivanti has recently faced other critical vulnerabilities in its software, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to list CVE-2023-38035 in its Known Exploited Vulnerabilities catalogue, requiring affected agencies to patch by September 12, 2023. Horizon3.ai's proof-of-concept further emphasizes the urgency of patching, as it identified over 500 exposed MobileIron Sentry instances, primarily in Germany, the US, the UK, China, and France.

Leak of LockBit 3.0 Ransomware Builder Sparks Emergence of Numerous New Iterations

The leakage of the LockBit 3.0 ransomware builder last year has resulted in threat actors exploiting the tool to create new variants. Russian cybersecurity firm Kaspersky has identified a ransomware attack that employed a modified version of LockBit, with a distinct ransom note procedure. This variant, attributed to a new group called NATIONAL HAZARD AGENCY, directly states the payment amount and communication channels, differing from LockBit's typical approach.
Other actors, such as Bl00dy and Buhti, have also capitalized on the leaked builder. Kaspersky has found 396 LockBit samples, with 312 originating from leaked builders, and 77 containing no "LockBit" reference in ransom notes. Despite minor adjustments, similarities suggest rushed development. Meanwhile, the ransomware landscape evolves; ADHUBLLKA, rebranded multiple times, targets individuals and small businesses, tied together through code and infrastructure. The report coincides with a surge in ransomware attacks, including Cl0p's extensive breach using the MOVEit Transfer app flaw, affecting over 1,000 entities. Sophos' 2023 report indicates shorter dwell times for ransomware incidents, highlighting the increasing speed of ransomware operations.

Evolution of Phishing-as-a-Service: Advancements in Smart Techniques

Microsoft has issued a warning about a rise in adversary-in-the-middle (AiTM) phishing methods as part of the phishing-as-a-service (PhaaS) cybercrime model. This trend includes both new AiTM-capable PhaaS platforms and existing services like PerSwaysion integrating AiTM capabilities. These developments facilitate large-scale phishing campaigns that aim to bypass multi-factor authentication (MFA) protections.
Phishing kits with AiTM features function in two primary ways: utilizing reverse proxy servers to intercept and capture user credentials, authentication codes, and cookies, and deploying synchronous relay servers to present convincing imitation sign-in pages. The Greatness PhaaS platform, discovered by Cisco Talos, is a notable example, catering to cybercriminals targeting Microsoft 365 cloud users with deceptive login pages. The key objective is to extract session cookies, granting hackers access to privileged systems without needing reauthentication. Microsoft emphasizes that AiTM attacks demand distinct incident response protocols, necessitating the invalidation of stolen session cookies to counteract breaches.
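Because an AiTM kit hands the attacker a valid session cookie rather than a password, the response Microsoft describes (invalidating stolen sessions) depends on spotting the stolen cookie in use. The following is an added example, not code from Microsoft, Cisco Talos or the report: it applies one simple heuristic to constructed sign-in and session-use log lines, flagging a session identifier that is presented from a different source IP than the one that authenticated it, shortly after sign-in, so the session can be revoked. The log format, field names and replay window are assumptions.

```python
"""Flag session cookies used from a second network location shortly after sign-in.

Added example, not code from Microsoft or the report. SAMPLE_LOG is constructed
and its pipe-delimited layout (timestamp|user|event|source_ip|session_id) is an
assumption; REPLAY_WINDOW is a tunable assumption too.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log: alice's session is reused from a different IP within
# minutes of sign-in; bob's session stays on the IP that authenticated it.
SAMPLE_LOG = """\
2023-08-28T09:12:03Z|alice|signin_success|203.0.113.10|s-9f1c
2023-08-28T09:12:09Z|alice|session_use|203.0.113.10|s-9f1c
2023-08-28T09:14:51Z|alice|session_use|198.51.100.77|s-9f1c
2023-08-28T10:02:17Z|bob|signin_success|192.0.2.44|s-77ab
2023-08-28T10:05:00Z|bob|session_use|192.0.2.44|s-77ab
"""

# Assumption: a second IP this soon after sign-in is treated as suspicious.
REPLAY_WINDOW = timedelta(hours=1)


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields and parse the timestamp."""
    ts, user, event, ip, session = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "event": event,
        "ip": ip,
        "session": session,
    }


def find_replayed_sessions(log_text: str, window: timedelta = REPLAY_WINDOW) -> List[Dict[str, str]]:
    """Return one finding per session seen from a second IP within `window` of sign-in."""
    origin = {}    # session id -> (user, sign-in ip, sign-in time)
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        session = rec["session"]
        if rec["event"] == "signin_success":
            origin[session] = (rec["user"], rec["ip"], rec["ts"])
            continue
        if session not in origin or session in flagged:
            continue
        user, signin_ip, signed_in = origin[session]
        if rec["ip"] != signin_ip and rec["ts"] - signed_in <= window:
            flagged.add(session)
            findings.append({
                "session": session,
                "user": user,
                "signin_ip": signin_ip,
                "replay_ip": rec["ip"],
                "action": "revoke session and reset credentials",
            })
    return findings


if __name__ == "__main__":
    for f in find_replayed_sessions(SAMPLE_LOG):
        print(f"{f['user']}: session {f['session']} authenticated from {f['signin_ip']} "
              f"but used from {f['replay_ip']} -> {f['action']}")
```

The heuristic is deliberately narrow: legitimate users do change networks, so in production you would combine it with ASN or geolocation distance and the tenant's known egress ranges before auto-revoking, but a hit within minutes of sign-in is exactly the pattern a proxied AiTM login produces and is worth an immediate session invalidation.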