Weekly Cyber Reports

This Week in Cyber 19th April 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 18th April, 2024


Analyst Insight

This week's cyber security landscape has been dynamic, marked by several notable developments. Operation MidnightEclipse exposed a zero-day vulnerability in Palo Alto Networks PAN-OS software, demanding swift action to mitigate potential threats. Additionally, the cybercriminal group Muddled Libra's targeting of SaaS applications and cloud environments for data exfiltration underscores the evolving tactics necessitating robust authentication measures. Cisco's alert on the global surge in brute-force attacks corroborates analysts' growing concerns about the prevalence of such attempts in 2024. On a positive note, Operation Stargrew's success has resulted in 37 arrests across the UK and abroad. Detectives successfully dismantled an extensive fraud operation that victimised over 70,000 individuals in the UK alone.


Operation Stargrew: Dismantling a Global Cyber Fraud Network

An extensive cyber fraud operation, facilitated by the online platform LabHost, has been dismantled following a coordinated investigation led by the Metropolitan Police, codenamed Operation Stargrew. LabHost provided cyber criminals worldwide with tools to orchestrate phishing scams, resulting in substantial financial losses and data breaches affecting thousands of individuals. The platform allowed perpetrators to create fraudulent websites mimicking trusted brands, enabling them to deceive victims into disclosing sensitive personal and financial information. The investigation has led to 37 arrests across the UK and abroad, exposing the sophisticated nature of cyber crime networks. Detectives have contacted thousands of victims to notify them of the security breaches, underscoring the pervasive impact of online fraud on individuals and society. Met deputy commissioner Dame Lynne Owens emphasised the collective effort required to combat cyber crime and restore public trust in online platforms. Adrian Searle, director of the National Economic Crime Centre, highlighted the significant role of fraud in undermining societal trust and security. The successful operation underscores the collaborative approach of law enforcement agencies and private sector partners in combating international cyber fraud networks and safeguarding digital environments.


Palo Alto Networks PAN-OS Vulnerability: Operation MidnightEclipse

Since March 26, 2024, threat actors have been exploiting a zero-day vulnerability in Palo Alto Networks PAN-OS software, allowing unauthenticated attackers to execute arbitrary code with root privileges. Dubbed Operation MidnightEclipse, the campaign, attributed to a single threat actor, involves the creation of a cron job to fetch commands from an external server, enabling remote code execution on the firewall. The attackers carefully manage access to the command-and-control server to evade detection. This sophisticated attack chain, tracked by Volexity as UPSTYLE, includes a Python-based backdoor hosted on a separate server, writing command outputs to legitimate firewall files to avoid detection. Palo Alto Networks is expected to release fixes for the flaw by the end of the week, with organisations urged to monitor for signs of lateral movement internally and apply patches promptly to mitigate potential threats.


Muddled Libra: Targeting SaaS and Cloud Environments for Data Exfiltration

The cybercriminal group known as Muddled Libra, also referred to as Scatter Swine, Scattered Spider, Starfraud, and UNC3944, has been targeting software-as-a-service (SaaS) applications and cloud service provider (CSP) environments to steal sensitive data. Using sophisticated social engineering, the group gains initial access to networks and evades detection by employing living-off-the-land techniques and frequently modifying its tactics. Its methods include reconnaissance to identify administrative users, phone calls in which operators pose as helpdesk staff, and extensive research on target organisations' applications and cloud providers. The group exploits weaknesses such as the Okta cross-tenant impersonation attack to access SaaS applications and CSP environments. Once inside, it gathers intelligence and uses it for lateral movement, targeting AWS and Azure services for data extraction. To defend against Muddled Libra's evolving tactics, organisations are advised to implement robust secondary authentication measures and address security vulnerabilities in their cloud environments.


Global Surge in Brute-Force Attacks, Cisco Warns

Cisco's recent alert highlights a significant rise in brute-force attacks targeting Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services worldwide since March 18, 2024. These attacks, originating from Tor exit nodes and other anonymising tunnels, pose serious risks of unauthorised network access, account lockouts, and denial-of-service conditions. Devices including Cisco Secure Firewall VPN, Check Point VPN, and SonicWall VPN, among others, have been targeted indiscriminately across sectors and geographies. The attackers use both generic and valid usernames, with source IP addresses commonly associated with proxy services such as Tor and VPN Gate.
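Triage logic of the kind this alert calls for, as an added example that is not Cisco's or the report's own code: it aggregates failed SSH logins per source and separates generic username guessing from repeated attempts against one real account (the lockout risk the alert mentions). The sshd log lines, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sshd log lines (not real data): one source cycling generic
# usernames, one hammering a single valid account, one isolated failure.
SAMPLE_LOG = """\
Apr 17 02:11:01 vpn-gw sshd[4101]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Apr 17 02:11:03 vpn-gw sshd[4102]: Failed password for invalid user test from 198.51.100.23 port 51030 ssh2
Apr 17 02:11:04 vpn-gw sshd[4103]: Failed password for root from 198.51.100.23 port 51041 ssh2
Apr 17 02:11:06 vpn-gw sshd[4104]: Failed password for invalid user guest from 198.51.100.23 port 51055 ssh2
Apr 17 02:11:07 vpn-gw sshd[4110]: Failed password for jsmith from 203.0.113.77 port 40012 ssh2
Apr 17 02:11:08 vpn-gw sshd[4111]: Failed password for jsmith from 203.0.113.77 port 40013 ssh2
Apr 17 02:11:09 vpn-gw sshd[4112]: Failed password for jsmith from 203.0.113.77 port 40015 ssh2
Apr 17 02:11:10 vpn-gw sshd[4113]: Failed password for jsmith from 203.0.113.77 port 40017 ssh2
Apr 17 02:12:40 vpn-gw sshd[4120]: Failed password for jsmith from 192.0.2.9 port 50101 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def summarise_failures(log_text):
    """Per source IP: attempt count, usernames tried, names flagged 'invalid user'."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # successes and unrelated lines are ignored
        entry = per_src[m["src"]]
        entry["attempts"] += 1
        entry["users"].add(m["user"])
        if m["invalid"]:  # sshd marks usernames that do not exist locally
            entry["invalid"] += 1
    return per_src

def classify_sources(log_text, threshold=4):
    """Label sources with >= threshold failures: 'spray' (many, mostly non-existent
    names), 'target' (one real account repeatedly; lockout risk), else 'mixed'."""
    findings = {}
    for src, e in summarise_failures(log_text).items():
        if e["attempts"] < threshold:
            continue
        if len(e["users"]) > 1 and e["invalid"] >= e["attempts"] // 2:
            findings[src] = "spray"
        elif len(e["users"]) == 1 and e["invalid"] == 0:
            findings[src] = "target"
        else:
            findings[src] = "mixed"
    return findings
```

On the constructed sample, 198.51.100.23 is labelled "spray" and 203.0.113.77 "target", while the single failure from 192.0.2.9 stays below the threshold.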


Exploitation of OpenMetadata Vulnerabilities for Cryptocurrency Mining

Threat actors are actively exploiting critical vulnerabilities in OpenMetadata, an open-source metadata management tool, to gain unauthorised access to Kubernetes workloads for cryptocurrency mining. Microsoft's Threat Intelligence team identified several flaws, including SpEL injection vulnerabilities and an authentication bypass, allowing remote code execution. Attackers target unpatched OpenMetadata workloads, conducting reconnaissance to assess network access. They deploy crypto-mining malware and establish command-and-control communications, often leaving personal notes. Users are advised to implement strong authentication and update to the latest OpenMetadata version. This trend follows attacks targeting publicly accessible Redis servers and Docker directories to install malware and achieve privilege escalation. Vigilance and timely patching are crucial in containerised environments to prevent exploitation and maintain security.

