
This Week in Cyber 23rd February 2024

Latest news and views from our Cyber Analysts

Written by Team Nucleus on 23rd February, 2024


Analyst Insight

The top headline in cybersecurity this week revolves around the takedown of the Lockbit ransomware group orchestrated by the U.K. National Crime Agency (NCA). The unfolding events have captivated observers as details gradually emerged throughout the week. Initially, the Lockbit website was defaced, hinting at forthcoming revelations with a tantalising countdown. As the timer expired, it became evident that the NCA, in collaboration with the Cronos Task Force, dealt a severe blow to the gang, releasing decryption keys, freezing cryptocurrency accounts, and apprehending members. For years, the Lockbit ransomware syndicate has terrorised organisations, amassing over $120 million in ill-gotten gains. With the group now severely crippled, the United States is offering a $15 million bounty for information leading to the apprehension of its leaders.

As details unfolded, another significant development emerged with the disclosure of a high-risk vulnerability in ConnectWise ScreenConnect, a widely used remote access tool. Security experts sounded the alarm, highlighting the potential for exploitation to bypass authentication, leading to data theft or malware deployment. ConnectWise swiftly responded with patches, urging immediate application for on-premise users.

In other cybersecurity developments, vulnerabilities have surfaced in VMware, WordPress, and Android devices, underscoring ongoing challenges in safeguarding digital ecosystems. Additionally, the SSH-Snake tool, initially launched in early 2024 as an open-source resource, has been co-opted by threat actors, highlighting the inherent risks associated with powerful tools. This serves as a stark reminder that while such tools may offer valuable utility for legitimate purposes, they also present potential avenues for exploitation by malicious actors.


Operation Cronos: NCA Strikes Major Blow Against LockBit Cybercrime Syndicate

LockBit, a notorious cybercrime syndicate, faced a significant setback as the U.K. National Crime Agency (NCA) led Operation Cronos to disrupt its operations. The agency seized LockBit's source code and intelligence, highlighting that paying ransom does not ensure data deletion. Two LockBit actors were arrested, and over 200 cryptocurrency accounts linked to the group were frozen. Indictments were unsealed against two Russian nationals accused of LockBit attacks in the U.S. The operation dismantled LockBit's services and affiliate servers, retrieving decryption keys and disrupting its ransomware-as-a-service model. LockBit's double extortion tactics, involving data theft and ransom, were thwarted, with authorities seizing the infrastructure used for data exfiltration. LockBit attacks affected thousands worldwide, netting over $120 million. The NCA hailed the operation's success in damaging LockBit's capability and credibility, signaling a significant blow to the cybercriminal group.


Exploited WordPress Theme Vulnerability: Bricks Theme at Risk

A critical security vulnerability in the Bricks WordPress theme, identified as CVE-2024-25600, is being exploited by attackers to execute arbitrary PHP code on vulnerable WordPress sites. This flaw, affecting all Bricks versions up to 1.9.6, allows unauthenticated attackers to achieve remote code execution. The theme developers released version on February 13, 2024, to address the issue promptly after its discovery. Although no proof-of-concept exploit has been released, technical details indicate that the vulnerability lies in the prepare_query_vars_from_settings() function, where inadequate nonce validation allows malicious commands to be executed. WordPress security experts have cautioned against relying solely on nonces for security and advise users to update their Bricks theme to the latest version to protect against potential exploitation. Wordfence has reported over three dozen attack attempts targeting this vulnerability since its disclosure on February 10, 2024, emphasising the urgency of applying the security patches. With an estimated 25,000 active installations, the Bricks theme poses a significant risk to WordPress sites, highlighting the importance of proactive security measures.


Mass Resurgence of Anatsa Banking Trojan Targeting Androids


Since November, research groups have been tracking the rapid resurgence of the Anatsa banking trojan. Five malicious droppers have been identified on the Google Play Store, some of which reached high positions in the “Top New Free” category. These droppers initially seem harmless and work as the app they pose as, in one case a phone cleaner. However, once enough victims have downloaded the app, malicious code is introduced to communicate with a C2 server. These droppers have been identified as using a variety of methods, including abusing the AccessibilityService to discreetly complete the installation of the trojan.

Research groups have suggested that over 100,000 installations of these disguised droppers have taken place, sharing similar numbers with an earlier campaign that saw 130,000 installations. Despite ongoing attempts from Google to protect users from malicious apps, campaigns such as these are proof that the arms race can go either way at any time. There will always be threat actors who are more cunning and innovative than the rest. Relying on basic protections will never be enough; active monitoring is still the ideal way to identify malicious traffic and activity as it happens and to prevent such actors from compromising your users.


VMware Advisory: Uninstall EAP

VMware has issued a critical security advisory, urging users to uninstall the Enhanced Authentication Plugin (EAP) after the discovery of a severe vulnerability. Tracked as CVE-2024-22245 with a CVSS score of 9.6, the flaw is identified as an arbitrary authentication relay bug that could enable a malicious actor to trick a domain user into relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). Ceri Coburn from Pen Test Partners is credited with discovering the twin vulnerabilities, including a session hijack flaw (CVE-2024-22250, CVSS score: 7.8), which allows a malicious actor with unprivileged local access to a Windows operating system to seize a privileged EAP session. The vulnerabilities exclusively impact users who have added EAP to Microsoft Windows systems for connecting to VMware vSphere via the vSphere Client. Broadcom-owned VMware has stated that the flaws will not be addressed, so users are strongly recommended to remove the plugin entirely to mitigate potential threats.


Open Source SSH-Snake Tool Being Used By Malicious Actors

SSH-Snake, initially designed as a network mapping tool, has been hijacked by threat actors for malicious purposes. It's a self-modifying worm that utilizes SSH credentials to spread across networks autonomously, identifying targets through credential locations and shell history files. Originally released in January 2024, it's heralded as a potent tool for automatic network traversal, exploiting SSH private keys to create a comprehensive network map. This fileless worm not only enables lateral movement but also offers stealth and flexibility, making it more dangerous than typical SSH worms. Threat actors have been observed deploying SSH-Snake to harvest credentials and IP addresses, leveraging its capabilities in real-world attacks. Despite its developer's intentions for legitimate use, SSH-Snake underscores the importance of proactive security measures and the dangers of negligent infrastructure design. This revelation coincides with the emergence of Lucifer, a botnet campaign exploiting vulnerabilities in Apache Hadoop and Apache Druid for cryptocurrency mining and DDoS attacks, highlighting the ongoing threats posed by insecure systems and open-source solutions.


High-Risk Vulnerability in ConnectWise ScreenConnect Sparks Security Concerns

Security experts are sounding the alarm about a high-risk vulnerability in ConnectWise ScreenConnect, a widely used remote access tool. The flaw, deemed "trivial and embarrassingly easy" to exploit, enables attackers to bypass authentication, potentially leading to data theft or deployment of malicious code. ConnectWise disclosed the vulnerability on February 19 after being informed about it on February 13. Although there were initially no signs of public exploitation, ConnectWise later confirmed incidents of compromised accounts. The company has released patches for the vulnerability and urges immediate application for on-premise users. The severity of the situation is underscored by Huntress, which reports active exploitation and warns of a potential ransomware surge due to the widespread use of the software. In response, government agencies like CISA are investigating the issue and offering guidance to mitigate risks.

