This Week in Cyber 30th June 2023

Year-Long Cyber Attack Unveiled: RDStealer Malware Targets IT Firm

In a recent discovery, cybersecurity experts have uncovered a sophisticated year-long cyber attack targeting an East Asian IT company. The attack, known as RedClouds, utilized a custom malware called RDStealer, written in Golang. Bitdefender, the Romanian cybersecurity firm, revealed that the operation aimed to compromise credentials and exfiltrate sensitive data. The campaign, which began in early 2022, exhibited the hallmarks of China-based threat actors. Initially, the attackers relied on commonly available remote access and post-exploitation tools before transitioning to their bespoke malware to evade detection. Notably, the RDStealer malware employed evasion techniques by utilizing Windows folders, including "C:\Program Files\Dell\CommandUpdate," a legitimate Dell application directory, to camouflage malicious activity. The malware's standout feature was its ability to monitor and compromise remote machines via the Remote Desktop Protocol (RDP) if client drive mapping was enabled. RDStealer exfiltrated sensitive data, such as credentials and private keys, from popular applications like mRemoteNG, KeePass, and Google Chrome. The attackers also infected connecting RDP clients with Logutil, another Golang-based custom malware, to maintain persistence and facilitate command execution. This attack highlights the increasing sophistication of modern cyber threats and the need to remain vigilant against state-sponsored threat actors leveraging both new and established technologies.

NSA Guide: Protecting Windows Systems from the Advanced BlackLotus Bootkit

The U.S. National Security Agency (NSA) has released guidance to help organizations protect against a UEFI bootkit called BlackLotus. BlackLotus is an advanced crimeware solution capable of bypassing Windows Secure Boot protections. It takes advantage of a known Windows flaw called Baton Drop, which allows threat actors to replace patched boot loaders with vulnerable versions and execute BlackLotus on compromised endpoints. UEFI bootkits like BlackLotus give threat actors complete control over the boot process, enabling them to interfere with security mechanisms and deploy additional payloads with elevated privileges. It's important to note that BlackLotus does not target Linux systems and is not a firmware threat. The NSA recommends hardening user executable policies, monitoring the integrity of the boot partition, updating recovery media, configuring defensive software, monitoring device integrity measurements, customizing UEFI Secure Boot, and removing the Microsoft Windows Production CA 2011 certificate. Microsoft is working on fixes to address the vulnerabilities exploited by BlackLotus, expected to be available in early 2024.

30,000 Websites Affected by Critical Flaw in WordPress Plugin for WooCommerce

A critical security flaw has been disclosed in the "Abandoned Cart Lite for WooCommerce" plugin used by more than 30,000 websites on WordPress. This vulnerability poses a significant risk as it allows attackers to bypass authentication and gain unauthorized access to user accounts with abandoned shopping carts. The flaw stems from inadequate encryption protections within the plugin, where a hard-coded encryption key makes it possible for malicious actors to log in as a user with an abandoned cart. The severity of this issue is rated 9.8 out of 10 on the CVSS scoring system. The plugin developer, Tyche Softwares, addressed the vulnerability in version 5.15.0, which is now available for users to update. It is highly recommended that website owners using this plugin promptly install the latest version to mitigate the risk of exploitation. In a related discovery, a separate authentication bypass flaw was found in the "Booking Calendar | Appointment Booking | BookIt" plugin, affecting over 10,000 WordPress installations. This flaw, which allowed unauthenticated attackers to log in as any existing user on the site, has also been resolved in the latest release, version 2.3.8. The significance of these vulnerabilities highlights the importance of regularly updating plugins and maintaining robust security practices to protect websites from potential threats.

Malware Could Bypass Detection with New Mockingjay Process Injection Technique

A new process injection technique called Mockingjay has been discovered by researchers, which allows threat actors to execute malicious code on compromised systems while bypassing security solutions. Unlike traditional methods that require specific system calls and Windows APIs, Mockingjay leverages pre-existing Windows portable executable files, specifically msys-2.0.dll, to load malicious code undetected. This DLL offers a sizable RWX (Read-Write-Execute) space of 16 KB, making it an ideal candidate for the injection. The technique involves two approaches: self injection and remote process injection, both of which bypass memory allocation, permission settings, and thread creation. This uniqueness poses challenges for Endpoint Detection and Response (EDR) systems in detecting the method. Mockingjay's discovery follows recent reports of other attack methods, including one that exploits the ClickOnce deployment technology in Visual Studio for arbitrary code execution and initial access.

Massive Europol Operation: EncroChat Takedown Leads to Thousands of Arrests and Seizure of €900 Million

In a groundbreaking operation, Europol has announced the successful takedown of EncroChat, an encrypted messaging platform favored by organized crime groups. The joint investigation by French and Dutch authorities uncovered over 115 million conversations among 60,000 users, leading to a remarkable outcome almost three years later. The operation resulted in the arrest of 6,558 suspects, including high-value targets, and the seizure of an astounding €900 million in illicit criminal proceeds. The confiscated assets include €739.7 million in cash, €154.1 million frozen in bank accounts, drugs, vehicles, weapons, and more. EncroChat, known for its promise of "perfect anonymity," was extensively used by organized crime rings and drug trafficking groups for various nefarious activities, including drug deals, money laundering, extortion, and even murders. This operation underscores the determination and effectiveness of law enforcement agencies in dismantling criminal networks facilitated by encrypted communication platforms, sending a strong message to organized crime worldwide