This Week in Cyber 12th January 2024

Apache OFBiz Vulnerabilities

Apache OFBiz is an open-source enterprise resource planning (ERP) and business process automation framework. It provides a suite of business applications that cover various aspects, including accounting, order processing, customer relationship management (CRM), and supply chain management. Recently, multiple vulnerabilities have been discovered in Apache OFBiz, which disclose authentication bypass flaws leading to remote code execution (RCE). As of now, PRIOn Knowledge Base decision engine has established that Apache OFBiz, for both vulnerabilities, holds an “Urgent” priority, scoring 80, and, according to the PRIOn SLA is subject to a remediation resolution within one week.

CVE-2023-49070 is a pre-authentication Remote Code Execution (RCE) vulnerability which has been identified in Apache OFBiz 18.12.09. The issue stems from the presence of XML-RPC, which is no longer maintained but remains in the system. CVE-2023-51467, on the other hand, allows attackers to bypass authentication processes, granting them the ability to remotely execute arbitrary code. Both vulnerabilities have been assigned critical severity ratings with a CVSS score of 9.8 .

FTC Bans Outlogic (X-Mode Social) from Selling Sensitive Location Data

The U.S. Federal Trade Commission (FTC) has issued a ban on data broker Outlogic, formerly known as X-Mode Social, prohibiting the sharing or selling of sensitive location data with third parties. The settlement follows allegations that the company sold precise location data, including visits to sensitive places like medical clinics and domestic abuse shelters. Outlogic is required to destroy previously collected location data unless it obtains consumer consent, ensures de-identification, or renders the data non-sensitive. This marks the first-ever ban on the use and sale of sensitive location data. The FTC accused Outlogic of lacking safeguards against misuse and not being transparent about data recipients, leading to potential privacy risks and harm. Outlogic expressed disagreement with the FTC's implications, emphasising no finding of location data misuse. U.S. Senator Ron Wyden commended the FTC's action and called for robust privacy legislation to protect personal information.

RE#TURGENCE: Hackers Targeting Global MS SQL

Poorly secured Microsoft SQL (MS SQL) servers are under siege by hackers, unleashing a financially motivated campaign across the U.S., European Union, and Latin American regions. Dubbed RE#TURGENCE by cybersecurity firm Securonix, the threat campaign involves a two-fold conclusion—either selling 'access' to compromised hosts or delivering ransomware payloads. The attack methodology mirrors a previous campaign, DB#JAMMER, discovered in September 2023, involving brute-force attacks and the exploitation of the xp_cmdshell configuration option for shell command execution.

The attackers proceed with a PowerShell script retrieval, fetching an obfuscated Cobalt Strike beacon payload, and post-exploitation activities that include downloading tools like Mimikatz for credential harvesting. Notably, lateral movement is facilitated by PsExec, a legitimate system administration utility, ultimately culminating in the deployment of the Mimic ransomware. Despite similarities with DB#JAMMER, RE#TURGENCE distinguishes itself by leveraging legitimate tools like AnyDesk for remote desktop access, indicating a targeted approach with an intent to blend in with normal activity. Securonix uncovered the threat actors' operational security blunder, monitoring clipboard activity through AnyDesk, leading to the identification of their origins and the alias "atseverse," linked to profiles on Steam and the hacking forum SpyHack. The incident serves as a stark reminder to secure critical servers and avoid direct exposure to the internet.

NoaBot: The New Mirai-based Botnet in Crypto Mining Campaign

A new botnet called NoaBot, based on the Mirai botnet, is being used for a crypto mining campaign. It has a self-spreading capability and an SSH key backdoor to download and execute additional binaries or spread itself. It uses an SSH scanner to search for servers susceptible to dictionary attacks, brute-forces them, and adds an SSH public key for remote access. NoaBot is linked to another botnet campaign involving a Rust-based malware family known as P2PInfect. The threat actors have experimented with dropping P2PInfect in place of NoaBot in recent attacks, indicating attempts to pivot to custom malware.

Unlike other Mirai variants, NoaBot is compiled with uClibc, which changes how antivirus engines detect the malware. The attack chain results in the deployment of a modified version of the XMRig coin miner. The new variant does not contain any information about the mining pool or the wallet address, making it impossible to assess the profitability of the illicit cryptocurrency mining scheme. Akamai has identified 849 victim IP addresses to date, spread geographically across the world, with high concentrations in China. The malware’s method of lateral movement is via SSH credentials dictionary attacks. Restricting arbitrary internet SSH access and using strong passwords can greatly diminish the risks of infection.

Mandiant X Account Breach

In a recent incident, Mandiant's X account, formerly known as Twitter, faced a security breach due to a brute-force password attack. This attack, carried out on January 3, 2023, allowed a threat actor to gain control of the account and distribute phishing links hosting a cryptocurrency drainer named CLINKSINK. Despite the usual protection of two-factor authentication, vulnerabilities arising from team transitions and policy changes left the account exposed. The attackers exploited victims by encouraging them to connect their wallets, claiming a bogus token airdrop. This led to illicit profits exceeding $900,000, involving at least 35 affiliate IDs and 42 unique Solana wallet addresses.

Analyst Insight

This week in cybersecurity, we've spotted some fresh vulnerabilities in Apache, the FTC cracking down on legislation, and Mandiant’s X account falling victim to a hack. Thankfully, it's been a relatively calm week, but the crypto trend is showing no signs of slowing down into 2024.

The Mandiant X account breach was all about cashing in through phishing with cryptocurrency. On top of that, there's a new Mirai-based botnet specialising in crypto-mining. Detecting these crypto-related attacks is no walk in the park without the right tools and human analysts. They're crafted to slip by automated detection, underscoring the need for human-led threat hunting in the cybersecurity game.