May 23 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that hooks you up with the latest threats before they reel you in!
Today's hottest cybersecurity news stories:
GHOSTENGINE exploits vulnerable drivers in crypto-jacking attack
Veeam Backup Enterprise Manager flaw = authentication bypass
MS Exchange Server targeted once again, this time with a keylogger
Cybersecurity researchers have discovered a cryptojacking campaign named REF4578 that uses vulnerable drivers to disable security solutions in a Bring Your Own Vulnerable Driver (BYOVD) attack. The primary payload, known as GHOSTENGINE, was detailed by Elastic Security Labs and previously tracked as HIDDEN SHOVEL by Antiy Labs.
Complex Installation
GHOSTENGINE uses complex methods to ensure the installation and persistence of the XMRig miner. The attack starts with an executable ("Tiworker.exe") that runs a PowerShell script. This script downloads additional payloads disguised as a PNG image from a command-and-control (C2) server.
Payload and Persistence
Modules such as aswArPot.sys, IObitUnlockers.sys, and others are downloaded to the infected host. The malware disables Microsoft Defender Antivirus, clears Windows event logs, and ensures there is enough space on the C: volume to stash files in the C:\Windows\Fonts folder.
Scheduled Tasks
The PowerShell script creates scheduled tasks to maintain persistence. These tasks run a malicious DLL every 20 minutes, launch the script hourly, and execute the core payload, smartsscreen.exe, every 40 minutes.
Main Payload: GHOSTENGINE
Smartsscreen.exe uses a vulnerable Avast driver to deactivate security processes, complete initial infection, and execute the XMRig miner. Another vulnerable driver from IObit is used to delete security agents, allowing the XMRig client to mine cryptocurrency undetected.
Sophisticated Techniques
BYOVD attacks involve loading a legitimately signed but vulnerable driver to perform privileged kernel actions and evade detection. Despite Microsoft's Vulnerable Driver Blocklist, attackers can still abuse outdated drivers on hosts where the blocklist is not enforced or not current, making manual updates essential for protection.
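The scheduled-task cadence, driver names and blocklist caveat above translate into a quick host-side hunt. The script below is an added example, not code from the Elastic report; it assumes only the indicators named in this section (aswArPot.sys, IObitUnlockers.sys, smartsscreen.exe, C:\Windows\Fonts, 20- and 40-minute task repetition) and the documented Device Guard WMI class and CI registry value.

```powershell
# Added example, not from the Elastic Security Labs report: hunt one host for the GHOSTENGINE
# indicators named above and check whether the vulnerable driver blocklist is enforced.
$byovdDrivers = @('aswArPot.sys', 'IObitUnlockers.sys')   # driver names from the report
$stashPath    = 'C:\Windows\Fonts'
$corePayload  = 'smartsscreen.exe'
$intervals    = @('PT20M', 'PT40M')                        # 20- and 40-minute task repetition

# 1. Scheduled tasks that run from the Fonts folder, launch the core payload,
#    or repeat on the reported 20/40-minute cadence
Get-ScheduledTask | ForEach-Object {
    $t    = $_
    $cmds = @($t.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
    $reps = @($t.Triggers | ForEach-Object { $_.Repetition.Interval })
    $hit  = ($cmds -match [regex]::Escape($stashPath)) -or
            ($cmds -match [regex]::Escape($corePayload)) -or
            ($reps | Where-Object { $intervals -contains $_ })
    if ($hit) {
        [pscustomobject]@{
            Task     = "$($t.TaskPath)$($t.TaskName)"
            Commands = ($cmds -join '; ')
            Repeat   = ($reps -join ',')
        }
    }
}

# 2. Registered kernel drivers whose file name matches the two BYOVD drivers
Get-CimInstance Win32_SystemDriver |
    Where-Object { $byovdDrivers -contains [IO.Path]::GetFileName($_.PathName) } |
    Select-Object Name, State, Started, PathName

# 3. Is Microsoft's vulnerable driver blocklist enforced? It is applied by default when HVCI
#    is running (SecurityServicesRunning contains 2); otherwise the CI policy value
#    VulnerableDriverBlocklistEnable = 1 turns it on.
$dg    = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$flag  = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
[pscustomobject]@{
    HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    BlocklistRegistryValue = $flag
}
```

Run it in an elevated session; a task hit or a matching driver is a reason to pull the host for forensics, and a blocklist that is neither HVCI-enforced nor registry-enabled is the gap the last paragraph warns about.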
Persistent Threat
The campaign's sophistication highlights the persistent threat posed by cryptojacking and BYOVD techniques, necessitating robust and updated security measures to safeguard systems.
Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.
Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring
Centralize risk and report on program impact to internal teams
Create your own Trust Center to proactively manage buyer needs
Leverage AI to answer security questionnaires faster
Join Vanta's webinar on June 11 to learn more about scaling your GRC program with automation and AI.
Users of Veeam Backup Enterprise Manager must update to the latest version due to a critical security flaw, CVE-2024-29849, which allows attackers to bypass authentication (CVSS score: 9.8).
Vulnerability Details
This flaw lets unauthenticated attackers log in as any user on the Veeam Backup Enterprise Manager web interface. Other vulnerabilities include:
CVE-2024-29850: Account takeover via NTLM relay (CVSS score: 8.8)
CVE-2024-29851: NTLM hash theft by privileged users (CVSS score: 7.2)
CVE-2024-29852: Backup session log reading by privileged users (CVSS score: 2.7)
Patch and Impact
All these issues are resolved in version 12.1.2.172. Environments without Veeam Backup Enterprise Manager installed are not affected.
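Because exposure hinges on whether Enterprise Manager is installed and on which build, the check is worth scripting. This is an added example, not Veeam's own tooling; it assumes the product registers under the standard Uninstall registry keys with a DisplayName containing "Veeam Backup Enterprise Manager" (that name pattern is an assumption) and compares against the 12.1.2.172 fix named above.

```powershell
# Added example, not Veeam's code: is Veeam Backup Enterprise Manager installed on this host,
# and if so is it below the fixed build 12.1.2.172 from the advisory?
function Test-VeeamEnterpriseManager {
    $fixed = [version]'12.1.2.172'
    $keys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    # DisplayName pattern is an assumption about how the MSI registers itself
    $apps  = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*Veeam Backup Enterprise Manager*' }

    if (-not $apps) {
        # Per the advisory, hosts without Enterprise Manager are not exposed to CVE-2024-29849
        return [pscustomobject]@{ Installed = $false; Version = $null; Vulnerable = $false }
    }

    foreach ($app in $apps) {
        $v = $null
        # DisplayVersion may carry fewer than four parts; System.Version accepts 2 to 4
        [void][version]::TryParse($app.DisplayVersion, [ref]$v)
        $vulnerable = if ($v) { $v -lt $fixed } else { 'unknown (unparseable version)' }
        [pscustomobject]@{
            Installed  = $true
            Version    = $app.DisplayVersion
            Vulnerable = $vulnerable
        }
    }
}

Test-VeeamEnterpriseManager
```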
Other Recent Fixes
Veeam has also fixed:
CVE-2024-29853: Local privilege escalation in Veeam Agent for Windows (CVSS score: 7.2)
CVE-2024-29212: Critical remote code execution in Veeam Service Provider Console (CVSS score: 9.9)
Exploitation by Threat Actors
Previous flaws in Veeam Backup & Replication software (CVE-2023-27532, CVSS score: 7.5) have been exploited by groups like FIN7 and Cuba to deploy ransomware, underscoring the urgency of applying these patches promptly.
Users should update their systems immediately to protect against these vulnerabilities and secure their environments from potential attacks.
An unknown threat actor is exploiting vulnerabilities in Microsoft Exchange Server to deploy keylogger malware, targeting entities in Africa and the Middle East.
Targeted Entities
Victims: Over 30, including government agencies, banks, IT companies, and educational institutions.
Countries: Russia, UAE, Kuwait, Oman, Niger, Nigeria, Ethiopia, Mauritius, Jordan, and Lebanon.
First compromise: 2021.
Vulnerabilities and Exploitation
The attack leverages ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) patched by Microsoft in May 2021. These flaws allow attackers to bypass authentication, elevate privileges, and execute remote code.
Attack Chain Details
Exploitation: Attackers exploit ProxyShell vulnerabilities.
Keylogger Deployment: Keylogger added to the server main page ("logon.aspx").
Credential Capture: The injected code captures credentials entered at sign-in and stores them where they are accessible via a special internet path.
Immediate Actions Required
Organizations using Microsoft Exchange Server should:
Update: Ensure Exchange Server instances are up-to-date.
Check for Compromise: Inspect the "logon.aspx" page, specifically the clkLgn() function, for inserted keylogger code.
Mitigate: Identify and delete the file storing stolen account data.
Attribution Unknown
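The "Check for Compromise" step above can be made repeatable across a fleet. The script below is an added example, not from the Positive Technologies write-up: it locates logon.aspx under the Exchange install path (assumed to be exposed as the ExchangeInstallPath environment variable, with the usual FrontEnd\HttpProxy\owa\auth location), extracts the clkLgn() function body for review, hashes the file, and optionally compares that hash against a baseline from a clean server at the same build. The keyword heuristic is an assumption, not a signature.

```powershell
# Added example, not from the Positive Technologies report: extract clkLgn() from logon.aspx
# and report hash, timestamp and a crude red-flag check for inserted keylogger code.
function Get-ClkLgnBody {
    param([string]$Path)
    $text = Get-Content -Raw -Path $Path
    $m = [regex]::Match($text, 'function\s+clkLgn\s*\([^)]*\)\s*\{')
    if (-not $m.Success) { return $null }
    # Walk forward counting braces so any depth of inserted code is captured intact
    $depth = 1; $i = $m.Index + $m.Length; $start = $i
    while ($i -lt $text.Length -and $depth -gt 0) {
        $c = [string]$text[$i]
        if ($c -eq '{') { $depth++ } elseif ($c -eq '}') { $depth-- }
        $i++
    }
    return $text.Substring($start, $i - $start - 1)
}

function Get-LogonPageReport {
    param(
        # Default location is an assumption about a standard Exchange 2016/2019 install
        [string]$Path = [IO.Path]::Combine("$env:ExchangeInstallPath",
                                           'FrontEnd\HttpProxy\owa\auth\logon.aspx'),
        [string]$KnownGoodSha256   # optional: hash of logon.aspx from a clean server, same build
    )
    if (-not (Test-Path $Path)) { throw "logon.aspx not found at $Path" }
    $body = Get-ClkLgnBody -Path $Path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    # The stock function makes no network calls, so an XMLHttpRequest/fetch/Image beacon or an
    # encoded blob inside it deserves a closer look (heuristic, not a signature)
    $flag = $body -match 'XMLHttpRequest|fetch\s*\(|new\s+Image\s*\(|eval\s*\(|fromCharCode|unescape\s*\('
    $baseline = if ($KnownGoodSha256) { $hash -eq $KnownGoodSha256 } else { 'no baseline given' }
    [pscustomobject]@{
        File            = $Path
        LastWriteUtc    = (Get-Item $Path).LastWriteTimeUtc
        Sha256          = $hash
        MatchesBaseline = $baseline
        ClkLgnFound     = [bool]$body
        SuspiciousCode  = $flag
        ClkLgnBody      = $body
    }
}

Get-LogonPageReport
```

Review ClkLgnBody by eye whatever the heuristic says; the baseline hash comparison is the reliable test, and a LastWriteUtc later than your last cumulative update is itself a reason to investigate.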
Positive Technologies cannot currently attribute the attacks to any known group or threat actor. Further investigation is needed for conclusive attribution.
Stay vigilant and ensure your systems are fortified against these exploits to protect sensitive information.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!