Weekly Cyber Reports

This Week in Cyber 05th July 2024

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

4th July, 2024


Analyst Insight


This week's cybersecurity events underscore significant threats and vulnerabilities. The Boolka threat actor's SQL injection attacks delivering the BMANAGER trojan and the active exploitation of the critical MOVEit Transfer vulnerability (CVE-2024-5806) highlight ongoing risks from web-based vulnerabilities and enterprise software flaws. The 8220 Gang's exploitation of Oracle WebLogic Server for cryptocurrency mining and the use of the MSHTML flaw to deliver MerkSpy spyware emphasise the persistent financial motivations and evolving tactics of cybercriminals. Additionally, critical flaws in the CocoaPods dependency manager exposing iOS and macOS apps to supply chain attacks highlight the vulnerabilities in widely used development tools, underscoring the need for robust security measures across the software supply chain.


UK’s NCA Leads Major Cobalt Strike Takedown


The UK’s National Crime Agency (NCA) conducted Operation Morpheus alongside international partners to disrupt the cybercrime supply chain by targeting IP addresses hosting the Cobalt Strike tool, which is often abused by threat actors.

The operation resulted in 593 domains being taken down out of 690 instances of unlicensed Cobalt Strike software hosted by 129 internet service providers in 27 countries. The NCA believes this will lower the barrier to entry into cybercrime and prevent damaging ransomware and malware attacks.


OpenSSH Vulnerability regreSSHion


Security updates have been released for the OpenSSH server component (sshd) to fix a critical security flaw (CVE-2024-6387) that could result in unauthenticated remote code execution with root privileges.

The vulnerability impacts versions between 8.5p1 and 9.7p1. Versions prior to 4.4p1 are also vulnerable to the race condition bug unless they are patched for CVE-2006-5051 and CVE-2008-4109.

Cybersecurity firms Palo Alto and Wiz have said the vulnerability is unlikely to be subjected to widespread exploitation, given that a threat actor must know in advance what Linux distribution they are targeting.
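A triage helper for the version ranges quoted above, added here as an example and not part of the original report: it parses sshd banner strings from a (constructed) host inventory and labels each host against the affected ranges for CVE-2024-6387. The inventory lines and hostnames are made up for the example.

```python
import re

# Affected ranges as stated above: 8.5p1 <= version <= 9.7p1 (CVE-2024-6387),
# plus anything older than 4.4p1 unless the CVE-2006-5051 / CVE-2008-4109
# fixes were applied. Banners look like "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(banner):
    """Return (major, minor, portable_patch) from an sshd banner, or None.

    Non-portable (OpenBSD-native) builds carry no pN suffix; they are treated
    as p1 so that "OpenSSH_9.7" compares equal to "OpenSSH_9.7p1".
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 1)

def classify(banner):
    """Label a banner: 'vulnerable', 'legacy-check', 'patched' or 'unknown'."""
    v = parse_version(banner)
    if v is None:
        return "unknown"          # not OpenSSH (e.g. Dropbear); assess separately
    if (8, 5, 1) <= v <= (9, 7, 1):
        return "vulnerable"       # inside the affected range quoted in the report
    if v < (4, 4, 1):
        return "legacy-check"     # vulnerable unless the 2006/2008 patches are present
    return "patched"              # 4.4p1..8.4p1 or 9.8p1 and later

def triage(inventory):
    """Map each 'hostname banner' line of a constructed inventory to a label."""
    results = {}
    for line in inventory:
        host, _, banner = line.partition(" ")
        results[host] = classify(banner)
    return results

# Constructed sample inventory (hostnames and banners are illustrative only).
INVENTORY = [
    "host-a SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "host-b SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "host-c SSH-2.0-OpenSSH_9.8p1",
    "host-d SSH-2.0-OpenSSH_4.3p2",
    "host-e SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Banner version numbers do not change when a distribution backports the fix into an older package, so a "vulnerable" label from this check is a prompt to confirm the installed package's changelog, not a final verdict.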


Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks


Researchers have uncovered three critical vulnerabilities in the CocoaPods dependency manager for Swift and Objective-C projects, which could be exploited for supply chain attacks, jeopardising numerous iOS and macOS applications. These flaws allowed attackers to claim unclaimed pods and insert malicious code into popular apps.


E.V.A Information Security researchers Reef Spektor and Eran Vaknin detailed the issues, which were patched by CocoaPods in October 2023. The most severe vulnerability (CVE-2024-38368, CVSS score: 9.3) allowed attackers to take over unclaimed packages and tamper with their code. Another flaw (CVE-2024-38366, CVSS score: 10.0) enabled arbitrary code execution on the Trunk server by exploiting an insecure email verification process. The third issue (CVE-2024-38367, CVSS score: 8.2) involved a verification link manipulation that could lead to a zero-click account takeover.


8220 Gang Actively Exploiting WebLogic Server Flaws for Crypto-Mining


Security researchers have uncovered new details about the 8220 Gang's cryptocurrency mining operations, which exploit vulnerabilities in Oracle WebLogic Server. The group, also tracked as Water Sigbin by Trend Micro, leverages flaws such as CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 to gain initial access. Their sophisticated tactics include fileless execution techniques such as reflective DLL loading and process injection to evade disk-based detection. After establishing a foothold, the attackers deploy a PowerShell script to drop a first-stage loader that masquerades as the legitimate WireGuard VPN application but launches malicious binaries in memory.


The 8220 Gang's operations involve the PureCrypter loader, which exfiltrates hardware information and creates scheduled tasks to run the miner while excluding malicious files from Microsoft Defender Antivirus. The command-and-control server provides XMRig configuration details, leading to the execution of the miner, disguised as a legitimate Microsoft binary. Additionally, the group has been using a new installer tool, k4spreader, since February 2024 to distribute the Tsunami DDoS botnet and PwnRig mining program. This tool facilitates system persistence, updates itself, and deploys other malware while disabling firewalls and terminating rival botnets, highlighting the group's evolving and sophisticated attack strategies.


Google to Block Entrust Certificates in Chrome


Google has announced that starting around November 1, 2024, it will block websites using certificates from Entrust in its Chrome browser due to compliance failures and the certificate authority's inability to promptly address security issues. According to Google's Chrome security team, Entrust has demonstrated a pattern of concerning behaviours and a lack of progress in improving its security measures, which has eroded confidence in its competence and reliability.


Beginning with Chrome version 127, TLS server authentication certificates from Entrust will no longer be trusted by default. This change will impact Chrome on Windows, macOS, ChromeOS, Android, and Linux, with an exception for Chrome on iOS and iPadOS due to Apple's policies. Users visiting sites with Entrust or AffirmTrust certificates will see a warning that their connection is not secure. Website operators are urged to switch to another trusted certificate authority by October 31, 2024, to avoid disruptions. Entrust certificates are widely used by major organisations including Microsoft, Mastercard, VISA, and VMware.


Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool


Threat actors have been exploiting a now-patched security flaw in Microsoft MSHTML to deliver the MerkSpy surveillance tool, primarily targeting users in Canada, India, Poland, and the U.S. Fortinet FortiGuard Labs researcher Cara Lin reports that MerkSpy is designed to monitor user activities, capture sensitive information, and establish persistence on compromised systems.


The attack begins with a Microsoft Word document containing a fake job description, exploiting CVE-2021-40444, a high-severity MSHTML flaw allowing remote code execution. This flaw was patched by Microsoft in September 2021. Opening the document downloads an HTML file ("olerender.html") that initiates the execution of embedded shellcode. The shellcode downloads a file disguised as "GoogleUpdate," which is actually an injector payload that evades detection and loads MerkSpy into memory. The spyware captures screenshots, keystrokes, login credentials, and MetaMask data, and sends the collected data to an external server.


New Intel CPU Vulnerability 'Indirector' Exposes Sensitive Data


Security researchers have discovered a new side-channel attack, codenamed Indirector, affecting modern Intel CPUs, including Raptor Lake and Alder Lake. This vulnerability leverages weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB), allowing attackers to leak sensitive information from the processors. Researchers Luyi Li, Hosein Yavarzadeh, and Dean Tullsen identified that Indirector can bypass existing defenses, posing a significant threat to the security of affected CPUs.


The attack involves using a custom tool called iBranch Locator to find any indirect branch and then performing precision-targeted IBP and BTB injections to execute speculative execution attacks. These attacks can hijack the control flow of a victim program, causing it to jump to arbitrary locations and leak secrets. While Intel has acknowledged the findings and stated that previous mitigations such as IBRS, eIBRS, and BHI are effective against this new research, it is recommended to use the Indirect Branch Predictor Barrier (IBPB) more aggressively and harden the Branch Prediction Unit (BPU) design.

