Cryptojacking Campaign Uses Vulnerable Drivers

May 23 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that hooks you up with the latest threats before they reel you in! 🎣🎣🎣

Today’s hottest cybersecurity news stories:

  • 👻 GHOSTENGINE exploits vulnerable drivers in crypto-jack attack

  • 💾 Veeam Backup Enterprise Manager flaw = authentication bypass 🔓

  • 🖥️ MS Exchange Server targeted once again, this time w/ keylogger 🔑

There’s a GHOST in the ENGINE 👻👻👻

🚨 Cryptojacking Campaign Uses Vulnerable Drivers ⚠️

Cybersecurity researchers have discovered a cryptojacking campaign named REF4578 that uses vulnerable drivers to disable security solutions in a Bring Your Own Vulnerable Driver (BYOVD) attack. The primary payload, known as GHOSTENGINE, was detailed by Elastic Security Labs and previously tracked as HIDDEN SHOVEL by Antiy Labs.

πŸ› οΈ Complex Installation

GHOSTENGINE uses complex methods to ensure the installation and persistence of the XMRig miner. The attack starts with an executable ("Tiworker.exe") that runs a PowerShell script. This script downloads additional payloads disguised as a PNG image from a command-and-control (C2) server.

📂 Payload and Persistence

Modules such as aswArPot.sys, IObitUnlockers.sys, and others are downloaded to the infected host. The malware disables Microsoft Defender Antivirus, clears Windows event logs, and ensures there is enough space on the C: volume to stash files in the C:\Windows\Fonts folder.

⏱️ Scheduled Tasks

The PowerShell script creates scheduled tasks to maintain persistence. These tasks run a malicious DLL every 20 minutes, launch the script hourly, and execute the core payload, smartsscreen.exe, every 40 minutes.

👻 Main Payload: GHOSTENGINE

Smartsscreen.exe uses a vulnerable Avast driver to deactivate security processes, complete initial infection, and execute the XMRig miner. Another vulnerable driver from IObit is used to delete security agents, allowing the XMRig client to mine cryptocurrency undetected.

🚀 Sophisticated Techniques

BYOVD attacks involve loading a vulnerable driver to perform privileged actions and evade detection. Despite Microsoft's Vulnerable Driver Blocklist, attackers can exploit outdated drivers, making manual updates essential for protection.
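A read-only hunt for the artifacts named in this story, written here as an added example (not code from the newsletter or from Elastic Security Labs). The driver and payload file names, the Fonts staging folder and the 20/40-minute task cadence come from the text above; the output shape and the Add-Finding helper are my own.

```powershell
# Added hunt script, not code from the newsletter or from Elastic Security Labs. It checks a
# host for the artifacts named above (driver file names, payload names, the Fonts staging
# folder, 20/40-minute task repetition). Everything it returns is a lead for an analyst,
# not a verdict; run it in an elevated session, it makes no changes to the host.
$driverNames = @('aswArPot.sys', 'IObitUnlockers.sys')   # BYOVD drivers named in the article
$binaryNames = @('smartsscreen.exe', 'Tiworker.exe')     # core payload and dropper names
$fontsDir    = Join-Path $env:SystemRoot 'Fonts'         # staging folder named in the article
$findings    = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Kernel drivers registered as services, matched on the image file name (not the service name)
Get-CimInstance -ClassName Win32_SystemDriver | Where-Object PathName | ForEach-Object {
    $file = [System.IO.Path]::GetFileName($_.PathName.Trim('"'))
    if ($driverNames -contains $file) { Add-Finding 'Driver' $_.Name "$($_.PathName) [$($_.State)]" }
}

# 2. Scheduled tasks that launch a named binary or repeat on the 20/40-minute cadence described above
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [System.IO.Path]::GetFileName("$($action.Execute)".Trim('"'))
        # A legitimate TiWorker.exe lives under %SystemRoot%\WinSxS; a task launching a copy elsewhere deserves a look
        if ($binaryNames -contains $exe) { Add-Finding 'Task' $task.TaskName "$($action.Execute) $($action.Arguments)" }
    }
    foreach ($trigger in $task.Triggers) {
        $interval = $trigger.Repetition.Interval        # ISO 8601 duration, e.g. PT20M
        if ($interval -in 'PT20M', 'PT40M') { Add-Finding 'Task' $task.TaskName "repeats every $interval" }
    }
}

# 3. Executable content staged in the Fonts folder, which normally holds only font files
Get-ChildItem -LiteralPath $fontsDir -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.ps1' } |
    ForEach-Object { Add-Finding 'File' $_.Name "$($_.FullName) ($($_.Length) bytes, written $($_.LastWriteTime))" }

if ($findings.Count -eq 0) { 'No GHOSTENGINE artifacts from the article were found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A hit on the driver check is the strongest signal, since neither driver has a reason to be registered on a host that does not run the corresponding Avast or IObit product.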

Persistent Threat 🌐

The campaign's sophistication highlights the persistent threat posed by cryptojacking and BYOVD techniques, necessitating robust and updated security measures to safeguard systems.

Learn how to scale your GRC program with automation and AI

Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.

  • Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring

  • Centralize risk and report on program impact to internal teams

  • Create your own Trust Center to proactively manage buyer needs

  • Leverage AI to answer security questionnaires faster

Join Vanta’s webinar on June 11 to learn more about scaling your GRC program with automation and AI.

Register to save your spot.

It’s not what is Veaams 😬😬😬

🚨 Critical Flaw in Veeam Backup Enterprise Manager 🖥️

Users of Veeam Backup Enterprise Manager must update to the latest version due to a critical security flaw, CVE-2024-29849, which allows attackers to bypass authentication (CVSS score: 9.8).

🔓 Vulnerability Details

This flaw lets unauthenticated attackers log in as any user on the Veeam Backup Enterprise Manager web interface. Other vulnerabilities include:

  • CVE-2024-29850: Account takeover via NTLM relay (CVSS score: 8.8)

  • CVE-2024-29851: NTLM hash theft by privileged users (CVSS score: 7.2)

  • CVE-2024-29852: Backup session log reading by privileged users (CVSS score: 2.7)

🛠️ Patch and Impact

All these issues are resolved in version 12.1.2.172. However, environments without Veeam Backup Enterprise Manager installed are not affected.

🔧 Other Recent Fixes

Veeam has also fixed:

  • CVE-2024-29853: Local privilege escalation in Veeam Agent for Windows (CVSS score: 7.2)

  • CVE-2024-29212: Critical remote code execution in Veeam Service Provider Console (CVSS score: 9.9)

🚨 Exploitation by Threat Actors

Previous flaws in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5) have been exploited by groups like FIN7 and Cuba to deploy ransomware, underscoring the urgency of applying these patches promptly.

Users should update their systems immediately to protect against these vulnerabilities and secure their environments from potential attacks.

Geez, stop keylogging a dead horse 💀💀💀

🚨 Keylogger Malware Targets Microsoft Exchange Servers 🕵️‍♂️

An unknown threat actor is exploiting vulnerabilities in Microsoft Exchange Server to deploy keylogger malware, targeting entities in Africa and the Middle East.

πŸ” Targeted Entities

  • Victims: Over 30, including government agencies, banks, IT companies, and educational institutions.

  • Countries: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.

  • First compromise: 2021.

🚨 Vulnerabilities and Exploitation

The attack leverages ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) patched by Microsoft in May 2021. These flaws allow attackers to bypass authentication, elevate privileges, and execute remote code.

🔗 Attack Chain Details

  • Exploitation: Attackers exploit ProxyShell vulnerabilities.

  • Keylogger Deployment: Keylogger added to the server main page ("logon.aspx").

  • Credential Capture: The injected code captures credentials entered at sign-in and stores them where they can be retrieved via a specific internet path.

πŸ›‘οΈ Immediate Actions Required

Organizations using Microsoft Exchange Server should:

  • Update: Ensure Exchange Server instances are up-to-date.

  • Check for Compromise: Inspect the "logon.aspx" page, specifically the clkLgn() function, for inserted keylogger code.

  • Mitigate: Identify and delete the file storing stolen account data.
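A helper for the "Check for Compromise" step above, added here as an example (not code from the newsletter or from Positive Technologies). It extracts the clkLgn() function from logon.aspx for review and applies a heuristic of my own; the logon.aspx path assumes a default Exchange installation and the known-good hash parameter is optional.

```powershell
# Added review helper, not code from the newsletter or from Positive Technologies. It pulls
# the clkLgn() function out of OWA's logon.aspx so an analyst can read exactly what the
# sign-in page runs, and applies a heuristic of my own: the stock function makes no network
# request and evaluates no dynamic code, so any such construct inside it warrants a closer look.
# The path assumes a default Exchange install; $KnownGoodSha256 is optional.
param(
    [string]$LogonPage = (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\owa\auth\logon.aspx'),
    [string]$KnownGoodSha256 = ''   # SHA-256 of logon.aspx from a clean server on the same CU, if available
)
if (-not (Test-Path -LiteralPath $LogonPage)) { throw "logon.aspx not found at $LogonPage" }
$content = Get-Content -LiteralPath $LogonPage -Raw

# Whole-file check first: drift from a known-good copy means manual review whatever the heuristics say
if ($KnownGoodSha256) {
    $actual = (Get-FileHash -LiteralPath $LogonPage -Algorithm SHA256).Hash
    if ($actual -ne $KnownGoodSha256) { Write-Warning "logon.aspx SHA-256 $actual differs from the known-good copy" }
}

# Locate clkLgn() and walk the braces to its matching close, so nested blocks are included
$start = $content.IndexOf('function clkLgn(')
if ($start -lt 0) { throw 'clkLgn() not found; diff the whole page against a clean copy instead' }
$open = $content.IndexOf('{', $start)
if ($open -lt 0) { throw 'clkLgn() has no body; treat the page as tampered and review it by hand' }
$depth = 0; $end = -1
for ($i = $open; $i -lt $content.Length; $i++) {
    $ch = $content.Substring($i, 1)
    if ($ch -eq '{') { $depth++ }
    elseif ($ch -eq '}') { $depth--; if ($depth -eq 0) { $end = $i; break } }
}
if ($end -lt 0) { throw 'clkLgn() has unbalanced braces; treat the page as tampered and review it by hand' }
$clkLgn = $content.Substring($start, $end - $start + 1)

"---- clkLgn() as served from $LogonPage ----"
$clkLgn

# Heuristic indicators of injected capture or exfiltration code (my list, not one from the report);
# document.cookie is deliberately absent because the stock function sets a cookie itself
$suspect = 'XMLHttpRequest', 'fetch(', 'sendBeacon', 'ActiveXObject', 'new Image', 'WebSocket',
           'eval(', 'atob(', 'String.fromCharCode'
foreach ($s in $suspect) {
    if ($clkLgn.IndexOf($s, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        Write-Warning "clkLgn() references '$s'; inspect it for injected credential capture"
    }
}
```

Run it on each Exchange front-end server and compare the printed function across servers; a difference between hosts on the same cumulative update is itself a finding.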

❓ Attribution Unknown

Positive Technologies cannot currently attribute the attacks to any known group or threat actor. Further investigation is needed for conclusive attribution.

Stay vigilant and ensure your systems are fortified against these exploits to protect sensitive information.

πŸ—žοΈ Extra, Extra! Read all about it! πŸ—žοΈ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
