Weekly Cyber Reports

This Week in Cyber 22nd September 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

21st September, 2023


Retool's Security Breach: A Lesson in Cybersecurity

On August 29, 2023, software provider Retool faced a security breach, affecting 27 cloud customers. Fortunately, on-premises and managed accounts remained untouched. This incident underscores the ever-changing tactics used in cyberattacks and vulnerabilities in standard security methods.The breach began with a spear phishing attack on August 27, 2023. Attackers used text messages to trick an employee into clicking a fake link and sharing information on a fake Multi-Factor Authentication (MFA) form.

What's concerning is that Google Authenticator unknowingly saved MFA codes in the cloud, turning what was thought to be strong security into something weaker. This highlights the need for more reliable alternatives like hardware security keys.Lessons from this incident include the constant threat of social engineering, the importance of multiple layers of security, and the need to involve humans in security processes. Organizations should adopt a "trust as little as possible" approach and understand their unique security risks. Retool's experience serves as a reminder to enhance cybersecurity practices across the industry.

Trend Micro Resolves Actively Exploited Zero-Day Vulnerability in Apex One

Through swift action Trend Micro has been able to effectively mitigate a CVE found being exploited in the wild. This actively exploited zero-day vulnerability, CVE-2023-41179, was found within several of their endpoint security products; including Apex One, Apex One SaaS, and Worry-Free Business Security. The flaw allowed for threat actors to execute arbitrary code, but it required the attacker to fist gain access to the product's administrative console. Pilfered or stolen credentials would've been required beforehand, making the exploitation of the vulnerability that much more difficult.

Nonetheless, Trend Micro strongly advises that users update to the latest version of their products. Trend Micro also suggest restricting access to the vulnerable device to only include trusted networks. Whilst the exact nature of the attacks exploiting this vulnerability remains undisclosed, the Japan CERT has already issued a warning. Continued vigilance and swift action is required in order to stay ahead of threat-actors in this perpetual game of cat-and-mouse.

Middle East Telecoms Under Attack by New Threat Group 'ShroudedSnooper'

Recent findings by Cisco Talos have unveiled a fresh cyber threat, "ShroudedSnooper," menacing telecommunication service providers in the Middle East. This group employs a cunning backdoor named HTTPSnoop. HTTPSnoop is a stealthy implant that utilizes inventive techniques to interface with Windows HTTP kernel drivers and devices. It lurks to intercept incoming requests for specific HTTP(S) URLs and even permits operators to run arbitrary code on the compromised device. Alongside HTTPSnoop, researchers identified another tool called "PipeSnoop," capable of accepting and executing arbitrary shellcode through a named pipe.

The concerning part is that ShroudedSnooper's tactics and procedures do not align with any known threat actors, making them a mysterious and potent adversary.

Of Cats and Spiders; The Recent MGM Attack

The recent cyber attack against MGM Resorts International, which shows no signs of letting up, is a stark reminder that social engineering can devastate even some of the largest corporations. The threat-actors exploited a known Okta vulnerability that allowed them to deploy their own IDP and user database into the associated system for MGM resorts. From there they engaged in social engineering, using vishing, to pressure the IT help desk into resetting the MFA for highly privileged users. With that achieved they were able to leverage the identity federation features, then moving on to impersonate users within the organization.

Whilst MGM swiftly shut down the Okta servers after the finding; it was already too late and the damage had been done. The hackers spread their ransomware through more than a thousand ESXi hypervisors on September 11th. Okta, shortly after, confirmed that their platform was involved in the ransomware attack on MGM resorts. With this wide-spread influence and control the attackers were able to negatively impact the customer experience of MGM Resorts. By bringing down slot machines, making digital room keys non-functional, and by reducing the capacity for online booking; it appears that they're attempting to pressure MGM into paying the ransom.

Moreover it appears that this attack may have been orchestrated by multiple groups. Whilst Scattered Spider are rumoured to be involved, it appears that ALPHV/Blackcat have also claimed responsibility. Scattered Spider primarily consists of UK and US citizens and have a reputation for their ability to conduct social engineering attacks, they have been deploying ALPHV's encryption in the months leading up to the attack. BlackCat/ALPHV ransomware group have claimed responsibility, further muddying Scattered Spider's apparent involvement in the attack. It remains unclear if the two are truly connected in this attack.

AWS Faces a Hidden Threat: The AMBERSQUID Cloud-Native Cryptojacking Operation

The Sysdig Threat Research Team has recently exposed a menacing cloud-native cryptojacking operation called AMBERSQUID, which has sent shockwaves through Amazon Web Services (AWS). What makes AMBERSQUID particularly insidious is its unique approach. Unlike most cryptojackers that target commonplace AWS services, AMBERSQUID exploits less-conventional AWS tools like AWS Amplify, AWS Fargate, and Amazon SageMaker. This innovative tactic allows the attackers to fly under the radar of traditional security measures, causing victims potential losses of over $10,000 per day.

The attack's origins point towards Indonesian cybercriminals who have a history of leveraging cryptojacking as a lucrative source of income. They initially used Docker Hub to distribute their malicious payloads, ensuring that static scanning wouldn't raise any alarms. However, the true threat emerges when these containers are executed, revealing their cross-service cryptojacking capabilities. With an elaborate network of AWS services, from Amplify to SageMaker, AMBERSQUID presents a formidable challenge for incident response, as it demands identifying and eliminating miners across multiple exploited services. The cryptojacking landscape has just become more perilous, emphasizing the need for robust security measures across all AWS services.


Recommended Posts

Subscribe to Nucleus blog updates.

Subscribe to our newsletter and stay updated.

Subscribe to Nucleus