Weekly Cyber Reports

This Week in Cyber 22nd December 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

22nd December, 2023


Analyst Insight

This week's cybersecurity highlights feature a new threat in the form of PikaBot malvertising, the discovery of zero-day vulnerabilities affecting SMTP, and the concerning exploitation of GitHub for sending malicious commands. Amid these challenges, there's uplifting news about US authorities successfully dismantling the BlackCat ransomware operation, offering decryption tools to more than 500 victims. Microsoft has also made strides in security by patching two vulnerabilities, preventing a potential zero-click code execution flaw in Outlook, a crucial safeguard given the widespread use of this platform. As the holiday season unfolds, heightened awareness is crucial, considering attackers often exploit the reduced cybersecurity staffing during this period. This underscores the importance of a 24/7 Managed Detection and Response (MDR) service, ensuring continuous network monitoring, even as most staff take a well-deserved break.


Microsoft Outlook Vulnerabilities: Chained Exploits for Remote Code Execution Patched in Final 2023 Updates

In August and October 2023, Microsoft addressed two security flaws in Windows that, when chained together, could lead to remote code execution in Outlook without any user interaction. Akamai security researcher Ben Barnea discovered the vulnerabilities, which together allow a full, zero-click remote code execution exploit against Outlook clients. CVE-2023-35384, classified as a security feature bypass, allows attackers to coerce the client into connecting to an attacker-controlled server and downloading a malicious sound file.

When combined with the sound parsing flaw (CVE-2023-36710), a custom sound file can be downloaded that, when autoplayed using Outlook's reminder sound feature, triggers zero-click code execution on the victim's machine. To mitigate these risks, organizations are advised to implement microsegmentation to block outgoing Server Message Block (SMB) connections to remote public IP addresses. Additionally, disabling NTLM or adding users to the Protected Users security group is recommended to prevent the use of NTLM as an authentication mechanism.
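The two mitigations above (blocking outbound SMB to public addresses and moving privileged accounts into Protected Users) applied from an administrative PowerShell session, as an added example that is not code from the original post, Akamai or Microsoft. The firewall rule name, the sample account names and the definition of "public" as all IPv4 space outside RFC 1918, loopback and link-local are assumptions.

```powershell
# Added example: apply the SMB egress and Protected Users recommendations on a Windows host / domain.
# Assumptions (not from the original post): the rule name, the account list, and "public" meaning
# every IPv4 range outside RFC 1918, loopback and link-local.
#Requires -RunAsAdministrator

# 1. Inventory: which processes currently hold outbound SMB (TCP/445) sessions to non-private IPv4 addresses?
function Get-PublicSmbConnections {
    $private = '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch $private -and $_.RemoteAddress -notlike '*:*' } |
        Select-Object LocalAddress, RemoteAddress, State,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } }
}

# 2. Egress control: block outbound TCP/445 to public IPv4 ranges.
#    Windows Firewall has no "not in" operator, so the public space is enumerated as the gaps
#    between the private, loopback and link-local blocks (0/8 and multicast are left out).
$PublicV4Ranges = @(
    '1.0.0.0-9.255.255.255',
    '11.0.0.0-126.255.255.255',
    '128.0.0.0-169.253.255.255',
    '169.255.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-223.255.255.255'
)
function Set-SmbEgressBlock {
    param([string]$Name = 'Block outbound SMB to public IPv4')  # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress $PublicV4Ranges -Profile Any -Enabled True | Out-Null
    }
    # Show the address filter that was actually stored, so the ranges can be reviewed.
    Get-NetFirewallRule -DisplayName $Name | Get-NetFirewallAddressFilter
}

# 3. Credential hardening: members of Protected Users cannot authenticate with NTLM
#    (requires the ActiveDirectory module and domain admin rights).
function Add-ToProtectedUsers {
    param([string[]]$SamAccountNames)  # assumed list of privileged accounts
    Import-Module ActiveDirectory
    $current = Get-ADGroupMember 'Protected Users' | Select-Object -ExpandProperty SamAccountName
    $new = $SamAccountNames | Where-Object { $_ -notin $current }
    if ($new) { Add-ADGroupMember -Identity 'Protected Users' -Members $new }
    Get-ADGroupMember 'Protected Users' | Select-Object SamAccountName
}

Get-PublicSmbConnections | Format-Table -AutoSize
Set-SmbEgressBlock
# Add-ToProtectedUsers -SamAccountNames @('adm.alice', 'adm.bob')   # constructed names; review before running
```

Protected Users also disables weaker Kerberos options and delegation for its members, so test service and break-glass accounts before adding them.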


Ransomware Rises: Rhadamanthys

Having undergone a recent overhaul, Rhadamanthys has been adapted into a far more accessible and user-friendly ransomware. It now features a variety of customizable plugins that further extend its information-stealing functions and make it far more dynamic than previous versions. Dubbed a 'Swiss Army Knife', Rhadamanthys' modularity allows users to tailor it to better infiltrate their targets. Improvements to its existing code have increased the effectiveness of its Lua script runner, enabling it to load 100 Lua scripts to pilfer as much information as possible from cryptocurrency wallets, email agents, FTP services, instant messengers and note-taking apps. Even two-factor authentication apps and password managers are no longer safe from Rhadamanthys' reach.


U.S. Authorities Dismantle BlackCat Ransomware Operation, Release Decryption Tool for Victims

The U.S. Justice Department, in collaboration with international law enforcement agencies, has successfully disrupted the BlackCat ransomware operation, deploying a decryption tool to help over 500 victims recover their files. Using a confidential human source as an affiliate, the FBI gained access to the gang's web panel, dismantling the ransomware group. BlackCat, also known as ALPHV, GOLD BLAZER, and Noberus, is a prolific ransomware-as-a-service variant and the first Rust-language-based strain. The takedown saved victims from approximately $68 million in ransom demands, showcasing the success of law enforcement against cybercrime.


PikaBot Malvertising

The PikaBot malware loader is now part of a malvertising campaign targeting users searching for legitimate software, such as AnyDesk. Previously distributed via malspam campaigns, PikaBot enables unauthorized remote access to compromised systems, acting as a backdoor and distributor for other payloads. Prolific cybercrime threat actor TA577 is among those leveraging PikaBot in attacks, leading to the deployment of Cobalt Strike.

The latest infection vector involves a malicious Google ad for AnyDesk, redirecting victims to a fake website that points to a malicious MSI installer hosted on Dropbox. This malvertising campaign follows a pattern seen with other loaders, suggesting a common process used by various threat actors, possibly resembling a 'malvertising-as-a-service' model. The rise in malvertising underscores the increasing use of browser-based attacks to infiltrate target networks, with additional instances of malicious ads detected through Google searches for popular software like Zoom, Advanced IP Scanner, and WinSCP. The spike in malicious ads has introduced a new loader called HiroshimaNukes, utilizing various techniques to bypass detection and dropping additional malware, typically a stealer followed by data exfiltration.


SMTP Smuggling: A New Looming Threat

Last week, security researcher Timo Longin unveiled a novel technique called SMTP Smuggling, a sophisticated form of email spoofing that exploits vulnerabilities in the Simple Mail Transfer Protocol (SMTP). Collaborating with the SEC Consult Vulnerability Lab, Longin identified and responsibly disclosed multiple zero-day vulnerabilities in SMTP servers globally. This technique enables threat actors to send malicious emails from seemingly legitimate addresses, posing a significant risk for targeted phishing attacks. Longin's research uncovered vulnerabilities in major email services, including GMX, Ionos, and even Microsoft Exchange Online, potentially allowing spoofed emails from millions of domains, including high-profile targets. The responsible disclosure process with GMX proved successful, but challenges were encountered with Microsoft and Cisco, the latter viewing the vulnerability as a feature rather than a bug.

The impact of SMTP Smuggling extends beyond individual services to widely used SMTP software such as Postfix and Sendmail, which together make up a significant portion of the global SMTP landscape. Despite prompt patches from Microsoft and GMX, the threat may still persist.


