Weekly Cyber Reports

This Week in Cyber 7th October 2022

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

7th October, 2022


Microsoft Zero-Day Vulnerabilities Exploited

Late last week, Microsoft announced that a threat actor had breached Microsoft Exchange servers in August 2022 by chaining two newly disclosed zero-day flaws to attack around 10 organisations. The activity was first discovered by GTSC, a Vietnamese cybersecurity company, while performing incident response for one of its customers. According to the Microsoft Threat Intelligence Center, the attackers installed a web shell called Chopper, which gave them hands-on-keyboard remote command execution that they then used for Active Directory reconnaissance and data exfiltration. Microsoft further warned that the situation could worsen in the coming days as the technique becomes more accessible and better known to other threat actors, who may find ways to use it to drop malicious programs such as rootkits and ransomware.


The two critical vulnerabilities are CVE-2022-41040 and CVE-2022-41082; both are rated at a severity of 8.8/10 and both are needed in tandem to achieve remote code execution. Microsoft has documented a workaround to mitigate the issue, but it was essentially nullified by how easily it could be bypassed, and an official patch has yet to be released. We have been in contact with all Telesoft MDR customers running on-premise Microsoft Exchange, detailing the ongoing threat hunts we are carrying out to identify any malicious behaviour associated with the two vulnerabilities.


Lazarus Deploying Rootkits via Dell Driver Vulnerability

The North Korean-funded threat actor Lazarus has appeared again, deploying rootkits to Windows users through an exploit for a vulnerable Dell firmware driver. The attack has been labelled a BYOVD (Bring Your Own Vulnerable Driver) attack and forms another variant of the group's Operation In(ter)ception campaign, which has largely targeted defence industries throughout Europe and Asia. This attack began as a spear-phishing email campaign aimed at an aerospace company in the Netherlands, using malicious Amazon-themed documents. When a document is opened, trojan droppers are deployed that install weaponised versions of FingerText, a Notepad++ plugin that can allow commands to be executed remotely, and sslSniffer, which analyses network traffic and can be used to create fake domain certificates. The attack also installed a backdoor on the victim's PC, which can be used to maintain access and expand into the wider network.


The underlying flaw is a high-severity kernel memory vulnerability in a Dell driver, tracked as CVE-2021-21551 and first published on the 5th of April 2021. It allows privilege escalation through dbutil_2_3.sys, essentially letting a threat actor gain root/admin access on a compromised system. The flaw was patched back in November 2021, and this attack shows the importance of keeping all software and firmware patches up to date so that vulnerabilities like this cannot be exploited. Telesoft offers Continuous Vulnerability Assessment as part of its comprehensive Network and Cloud MDR offerings.


Indian retailer found using MD5 encryption to store customers' ‘encrypted’ passwords

A CyberNews research team found a database hosted on AWS containing 18.2GB of unprotected customer details. The database belonged to Highrich, an India-based online retailer that receives around 50,000 monthly visits. It contained personal information, email addresses and phone numbers, all completely unencrypted and unprotected. Highrich did attempt to protect the users' passwords, but chose MD5 (a hash function rather than an encryption algorithm) to do so. MD5 has long been deprecated and is susceptible to collisions, and an attacker can easily recover the stored passwords in plain text. The CyberNews research team stated: ‘We discovered vast amounts of information stored on each customer. It could be used for identity theft and credential stuffing’. The dataset has now been closed and hopefully no harm has been done, but the incident shows that companies are still neglecting proper data protection principles and failing to secure their cloud infrastructure.
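To make the contrast concrete, the following is an added Python example (not code from CyberNews, Highrich or Telesoft) that puts the bare-MD5 pattern criticised above beside a salted, memory-hard alternative from the standard library, plus a simple audit that flags MD5-sized unsalted digests in a password column. The sample rows, the `scrypt$salt$digest` storage format and the rehash-on-login workflow are assumptions constructed for the example.

```python
import hashlib
import hmac
import re
import secrets


def weak_store(password):
    """The pattern the article describes: a bare MD5 digest with no salt.
    Identical passwords give identical digests, and MD5 is cheap to compute,
    so one precomputed table exposes every user who reused a password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Memory-hard KDF parameters (about 16 MiB per hash); tune cost to your hardware.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hardened_store(password):
    """Per-user random salt plus scrypt; stored as 'scrypt$<salt hex>$<digest hex>'
    so the record is self-describing and the scheme can be upgraded later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def hardened_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:  # malformed or untagged (e.g. bare MD5) record
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


BARE_MD5 = re.compile(r"^[0-9a-f]{32}$")


def audit_password_column(rows):
    """Defensive check: list users whose stored value is a bare 32-hex digest
    (MD5-sized, no salt, no scheme tag)."""
    return sorted(user for user, stored in rows.items() if BARE_MD5.match(stored))


def migrate_on_login(rows, user, password):
    """Assumed workflow: rehash a weakly stored password at the next successful login."""
    if not hmac.compare_digest(weak_store(password), rows.get(user, "")):
        return False
    rows[user] = hardened_store(password)
    return True


# Constructed sample rows: two users who reused one password, stored as bare MD5.
WEAK_ROWS = {"alice": weak_store("summer2022"), "bob": weak_store("summer2022")}
```

Running `audit_password_column(WEAK_ROWS)` flags both users, and after `migrate_on_login(WEAK_ROWS, "alice", "summer2022")` only `bob` remains flagged.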


Malicious Tor Browser link found in a popular YouTube channel's description

Kaspersky has found victims who installed a trojanised version of the Tor Browser Windows installer. A popular Chinese-language YouTube video has been viewed over 64,500 times, and its description contains a link to the malicious Tor installer. The YouTube channel is based in Hong Kong and relies on unsuspecting users searching for the Tor download, since Tor is prohibited in China. Once the malicious installer has been run, the executable records the user's browsing history and data entered into website forms. Kaspersky has also stated that ‘one of the libraries bundled with the malicious Tor Browser is infected with spyware that collects various personal data and sends it to a command-and-control server’. Google, which owns YouTube, has measures in place to prevent malicious links on the site, but it has not yet commented on how this link managed to bypass them.


2.1 Million Australian Telecoms Customers Affected by Optus Hack

Optus, a major telecommunications company based in Australia, disclosed on Monday that nearly 2.1 million of its current and former customers had sensitive information leaked in a data breach carried out by a threat actor using the alias ‘optusdata’. The breach exposed personal information (email addresses, phone numbers, dates of birth), at least one form of ID number, and the expired credentials of a further 900,000 customers. Close to 9.8 million records were exposed in total; however, the leaked credentials of the other 7.7 million customers were either invalid or no longer current.


Some customers have also been notified that their driver's licence numbers and Medicare IDs were stolen in the attack. The incident was first reported on the 22nd of September 2022, and the Australian authorities launched ‘Operation Hurricane’ in an attempt to identify the criminals involved and protect the victims from fraud. ‘Optusdata’ leaked a small sample of the stolen data belonging to 10,200 customers and demanded a ransom of $1m to avoid further leaks; however, they have since dropped the demand, apologised for the crime and claimed to have destroyed the ‘only copy’ of the data, citing the increased public attention. It is unclear whether ‘optusdata’ is one person or a group, but the authorities are attempting to find the attackers and safeguard the 10,200 victims whose data has been made public.

