Weekly Cyber Reports

This Week in Cyber 19th May 2023

Latest news & views from our Cyber Analysts

Written by Team Nucleus

Written on 18th May, 2023


3 Vulnerabilities Found in Microsoft Azure API Management Service

Microsoft Azure API Management service recently addressed three security flaws disclosed by Israeli cloud security firm Ermetic. The vulnerabilities included two server-side request forgery (SSRF) issues and an unrestricted file upload flaw in the API Management developer portal. Exploiting these flaws could have allowed attackers to access sensitive information, bypass security measures, and execute unauthorized code. However, Microsoft swiftly patched the vulnerabilities after responsible disclosure. Ensuring the security of cloud-based services remains an ongoing challenge, and prompt action is vital to maintain the integrity of such platforms.

Advanced Phishing-as-a-Service Platform Targeting Microsoft 365 Users

A new phishing-as-a-service (PhaaS) platform named 'Greatness' has been spotted targeting Microsoft 365 users since at least mid-2022. This powerful tool empowers cybercriminals to conduct highly convincing phishing attacks by creating realistic decoy and login pages. By leveraging sophisticated techniques, Greatness has made it easier for attackers to engage in phishing campaigns, thereby increasing the risks faced by businesses.

The platform specifically targets Microsoft 365 phishing pages, equipping its users with an attachment and link builder. This feature enables the generation of deceptive login pages that closely resemble the genuine Microsoft 365 interface. These pages are skilfully designed to appear authentic, complete with pre-filled victim email addresses and the logo and background image of the targeted organization. Notably, Greatness has primarily focused its attacks on organizations operating in the manufacturing, healthcare, and technology sectors.

The phishing process orchestrated by Greatness involves several steps. Victims receive malicious emails containing HTML attachments. Once these attachments are opened, they trigger obfuscated JavaScript code that redirects users to deceptive landing pages. These landing pages are cleverly designed to pre-fill the victim's email address and prompt them to enter their password and multi-factor authentication (MFA) code. By gathering these credentials and time-based one-time passwords (TOTPs), cybercriminals gain unauthorized access to the targeted accounts. The stolen information is then transmitted to the affiliate's Telegram channel, allowing further exploitation of the compromised accounts.

To mitigate the risks associated with PhaaS platforms like Greatness, organizations must prioritize vigilance and adopt robust security measures. Implementing security awareness programs, reinforcing the use of multi-factor authentication, and fostering a culture of cyber vigilance are essential steps in protecting against the escalating threat of advanced phishing attacks. Combining these with a robust monitoring solution such as Telesoft MDR ensures that even if a phishing attack slips through the net, your network and systems are still protected.
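The delivery step above (an HTML attachment whose inline JavaScript decodes a blob and redirects to the landing page) is something a mail gateway can screen for. The following scanner is an added example written for this post, not code from the original article or from any vendor; the sample attachment, indicator names and the `scan_attachment` function are constructed here, and the verdict logic deliberately requires a decoding step combined with `eval` or a redirect, since any one indicator alone is common in legitimate HTML.

```python
import re
import base64
from html.parser import HTMLParser

# Constructed sample attachment (not a real lure): the inline script decodes a base64
# blob and redirects to a placeholder URL, the pattern described in the post.
_REDIRECT_JS = "window.location.replace('https://login.example.invalid/?u=victim%40example.com');"
SAMPLE_ATTACHMENT = ("<html><body><p>Your document is ready.</p><script>var p=atob('"
                     + base64.b64encode(_REDIRECT_JS.encode()).decode()
                     + "');eval(p);</script></body></html>")

class _ScriptExtractor(HTMLParser):
    def __init__(self):
        super().__init__(); self._in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data   # collect the text of every inline <script>

# Heuristic indicators (assumed names). Each is benign on its own, so the verdict
# below requires a decoding indicator plus an execution/redirect indicator.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "dynamic_eval": re.compile(r"\b(eval|Function)\s*\("),
    "char_decode": re.compile(r"\b(unescape|fromCharCode)\s*\("),
    "redirect": re.compile(r"location\s*(\.\s*(replace|href|assign)|=)"),
    "long_b64_literal": re.compile(r"['\"][A-Za-z0-9+/]{40,}={0,2}['\"]"),
}

def scan_attachment(html):
    """Return (set of indicator names found, 'block' or 'allow') for one HTML attachment."""
    parser = _ScriptExtractor(); parser.feed(html)
    js = "\n".join(parser.scripts)
    hits = {name for name, rx in INDICATORS.items() if rx.search(js)}
    # Peek inside any base64 literal handed to atob() for a hidden redirect.
    for m in re.finditer(r"atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", js):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "ignore")
        except ValueError:
            continue
        if INDICATORS["redirect"].search(decoded):
            hits.add("redirect_in_decoded_blob")
    decoding = hits & {"base64_decode", "char_decode"}
    execution = hits & {"dynamic_eval", "redirect", "redirect_in_decoded_blob"}
    return hits, ("block" if decoding and execution else "allow")
```

A hit list is returned alongside the verdict so that analysts can see which indicators fired rather than only a binary decision.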

8220 Gang Exploiting Oracle WebLogic Flaw for Crypto-Mining

The cryptojacking group known as 8220 Gang has been using a six-year-old security flaw in Oracle WebLogic servers to carry out attacks. The flaw, known as CVE-2017-3506, allows attackers to remotely execute arbitrary commands. By exploiting this vulnerability, the group can gain unauthorized access to sensitive data or compromise entire systems. 8220 Gang, previously documented by Cisco Talos, targets vulnerable Oracle WebLogic and Apache web servers to deploy cryptocurrency mining malware. They use off-the-shelf malware downloaders and crypters to conceal their activities and evade detection. In their latest attack chain, they exploit the Oracle WebLogic Server vulnerability to deliver a PowerShell payload, which then creates another obfuscated PowerShell script in memory. Once a few more requirements have been met, the malware communicates with a command-and-control (C2) server over port 9090, 9091 or 9092.
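The chain described above gives defenders two observable events to correlate on a WebLogic host: a PowerShell process spawned by the application server, followed shortly afterwards by an outbound connection on one of the three C2 ports named in the report. The rule below is an added example for this post (not Cisco Talos or Telesoft code); it assumes Sysmon-style process-creation and network-connection telemetry in a constructed key=value format, and treats the WebLogic Java process (`java.exe`) as the expected parent of the suspicious PowerShell.

```python
from datetime import datetime, timedelta

C2_PORTS = {9090, 9091, 9092}   # ports named in the report
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry): one WebLogic host showing the
# spawn-then-connect pattern, and one build server whose PowerShell is benign.
SAMPLE_LOG = [
    f"2023-05-16T10:02:11Z host=weblogic01 event=ProcessCreate pid=4312 image={PS} parent_image=C:\\Oracle\\jdk\\bin\\java.exe",
    f"2023-05-16T10:02:14Z host=weblogic01 event=NetworkConnect pid=4312 image={PS} dst=198.51.100.23 dport=9090",
    f"2023-05-16T10:05:00Z host=build02 event=ProcessCreate pid=777 image={PS} parent_image=C:\\Windows\\explorer.exe",
    f"2023-05-16T10:05:02Z host=build02 event=NetworkConnect pid=777 image={PS} dst=10.0.0.5 dport=443",
]

def parse_event(line):
    """Split 'timestamp k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    ev = dict(kv.split("=", 1) for kv in rest.split(" "))
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def correlate(lines, window=timedelta(minutes=10)):
    """Alert when PowerShell spawned by java.exe connects to a C2 port within `window`."""
    spawns = {}      # (host, pid) -> time the suspicious PowerShell was created
    alerts = []
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["pid"])
        image = ev["image"].lower()
        if (ev["event"] == "ProcessCreate" and image.endswith("powershell.exe")
                and ev["parent_image"].lower().endswith("java.exe")):
            spawns[key] = ev["ts"]
        elif ev["event"] == "NetworkConnect" and int(ev["dport"]) in C2_PORTS:
            started = spawns.get(key)
            if started is not None and ev["ts"] - started <= window:
                alerts.append({"host": ev["host"], "pid": ev["pid"],
                               "dst": ev["dst"], "dport": int(ev["dport"])})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("8220-style chain on", alert["host"], "->", alert["dst"], alert["dport"])
```

Keying on host and PID keeps the rule from firing on unrelated PowerShell traffic elsewhere, and the time window bounds how long a spawn remains eligible for correlation.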

Targeting Linux and VMware ESXi Systems: Introducing the Latest 'MichaelKors' Ransomware-as-a-Service

A new ransomware-as-a-service (RaaS) operation named MichaelKors has emerged, specifically targeting Linux and VMware ESXi systems. This development indicates a growing focus of cybercriminals on ESXi, according to a report by cybersecurity firm CrowdStrike. ESXi, a widely used virtualization and management system, lacks support for third-party agents or antivirus software, making it an attractive target for attackers.

The technique of targeting VMware ESXi hypervisors with ransomware, known as hypervisor jackpotting, has been employed by various ransomware groups in the past. SentinelOne's analysis revealed that leaked Babuk source code was utilized by 10 ransomware families to develop lockers for VMware ESXi hypervisors. Several e-crime outfits, such as ALPHV, Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach, have updated their tactics to target ESXi. Attackers exploit compromised credentials and gain elevated privileges to access the hypervisor, enabling them to run malicious ELF binaries and exploit vulnerabilities.

The appeal of targeting VMware ESXi hypervisors lies in their direct access to physical servers, granting attackers control over the underlying resources. The lack of security tools, network segmentation, and existing vulnerabilities in ESXi environments make them a prime target.

To combat hypervisor jackpotting, organizations are advised to limit direct access to ESXi hosts, implement two-factor authentication, regularly back up ESXi datastore volumes, apply security updates, and conduct security posture reviews.

As more organizations adopt cloud environments and transfer workloads to VMware-based virtualization infrastructure, the targeting of ESXi poses a significant concern. VMware plans to update their knowledge base article with current information, acknowledging the need for revised security measures.

