SISA Weekly Threat Watch

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. A multimillion-dollar global online credit card scam uncovered

ReasonLabs, a cybersecurity firm, has uncovered a large-scale fraud operation that allegedly charged millions of dollars to stolen credit cards between 2019 and earlier this year. The scheme relies on a large network of fake dating websites, complete with working customer-service departments so that they pass as legitimate merchants. Once the sites are live, the operators persuade payment processors to grant them card-acceptance accounts. They then buy thousands of stolen card numbers on the dark web and bill those cards for "subscriptions" to their bogus services.

The scammers most likely used proxies to register and build the many fake dating sites. All of the sites reference the domain https://dateprofits[.]com as their affiliate-management program. As a best practice, cardholders should review every monthly billing statement and report any charge they do not recognise immediately. Small charges are chosen precisely because they are easy to overlook; failing to report one, however little it is, gives the threat actors time to keep billing the card.

2. Microsoft confirms new Exchange Zero-Days being used in attacks

Microsoft has confirmed two newly reported zero-day vulnerabilities in Exchange Server 2013, 2016, and 2019. CVE-2022-41040 is a Server-Side Request Forgery (SSRF) flaw, and exploiting it requires authenticated access to the Exchange server. Once exploited, it can be chained with CVE-2022-41082 to achieve remote code execution (RCE) through the PowerShell remoting service.

An attacker who gains full user access, together with the privileges attached to that account, can view, change, or delete data and create new accounts. The current interim mitigation is to add a request-blocking rule under "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" that matches the known attack pattern (requests to the Autodiscover JSON endpoint that carry a path to the PowerShell backend). Microsoft also recommends that administrators block the Remote PowerShell ports, 5985/TCP and 5986/TCP, for non-admin users. A rewrite rule only blocks the request shapes it knows about, so treat it as a stopgap: keep automated patch management in place for enterprise assets so that the security update is applied promptly once Microsoft releases it.
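The mitigation above blocks the attack pattern going forward; a practitioner also wants to know whether the pattern has already hit the server. The following Python is an added example (not code from the advisory or from Microsoft) that parses IIS W3C logs and flags requests to autodiscover.json whose query string names the PowerShell backend, the same idea as the IIS-log hunt in Microsoft's customer guidance. The log excerpt is constructed for illustration: the hostnames, IP addresses, usernames and query strings are invented, and the exact query shape is only representative of the publicly described pattern.

```python
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt for illustration; it is not a log from the
# advisory or from any real incident. Field order follows the default IIS layout.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 31
2022-09-30 10:02:44 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell/ 443 svc-backup 198.51.100.23 Mozilla/5.0 - 200 0 0 218
2022-09-30 10:02:45 10.0.0.5 POST /Autodiscover/Autodiscover.json @example.test/PowerShell/ 443 svc-backup 198.51.100.23 Mozilla/5.0 - 401 1 2148074254 15
2022-09-30 10:03:01 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 jdoe 203.0.113.9 Microsoft+Office/16.0 - 200 0 0 40
"""


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    user: str
    stem: str
    query: str
    status: int


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # header missing or malformed line: skip rather than guess
        yield dict(zip(fields, values))


# Stem must be the Autodiscover JSON endpoint; the query must reference the
# PowerShell backend. Both checks are case-insensitive because IIS matches
# paths case-insensitively and attackers vary the casing.
AUTODISCOVER_JSON = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
POWERSHELL_BACKEND = re.compile(r"powershell", re.IGNORECASE)


def find_proxynotshell_attempts(log_text):
    """Return every request matching the autodiscover.json + PowerShell pattern."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        if AUTODISCOVER_JSON.search(stem) and POWERSHELL_BACKEND.search(query):
            hits.append(Hit(
                timestamp=f'{rec["date"]} {rec["time"]}',
                client_ip=rec["c-ip"],
                user=rec["cs-username"],
                stem=stem,
                query=query,
                status=int(rec["sc-status"]),
            ))
    return hits


def successful(hits):
    """Only the attempts the server answered with 200, i.e. the hop was accepted."""
    return [h for h in hits if h.status == 200]


if __name__ == "__main__":
    for h in find_proxynotshell_attempts(SAMPLE_IIS_LOG):
        print(f"{h.timestamp} {h.client_ip} user={h.user} status={h.status} {h.stem}?{h.query}")
```

Point it at the real log directory (by default C:\inetpub\logs\LogFiles on the Exchange server) and review every hit, not only the 200s: a 401 on this path still shows that someone holds or is guessing credentials for the account in cs-username, which is the authentication the SSRF needs.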

3. FARGO Ransomware (Mallox) being distributed to vulnerable MS-SQL Servers

FARGO, also tracked as Mallox, is, like GlobeImposter, a well-known ransomware family that targets poorly secured MS-SQL servers. According to the researchers, the infection begins with the MS-SQL process (sqlservr.exe) on the compromised machine launching cmd.exe and powershell.exe to download a .NET payload. That payload retrieves further malware, including the locker, and then generates and executes a BAT file that shuts down services and processes before encryption begins.

The ransomware payload then injects itself into AppLaunch.exe, a legitimate Windows process, and from there attempts to delete the registry key belonging to Raccine, an open-source ransomware "vaccine". The malware then drops the ransom note (named "RECOVERY FILES.txt") and appends the extension ".Fargo3" to the encrypted files. Using strong, unique passwords for SQL Server accounts, not exposing MS-SQL directly to the internet, and keeping all machines current with security patches are essential to stay protected from such attacks.
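The chain described above leaves two kinds of evidence that endpoint telemetry can catch early: a shell (cmd.exe or powershell.exe) whose process ancestry leads back to sqlservr.exe, and files carrying the ".Fargo3" extension or the "RECOVERY FILES.txt" note. The Python below is an added example, not code from the advisory or from the researchers, that walks a process table to find shells descended from the MS-SQL service and scans file events for the two file indicators. The event records are constructed for illustration; the pids, paths and command lines are invented, and the event schema (type, host, pid, ppid, image, cmdline, path) is an assumption standing in for whatever your EDR or Sysmon pipeline emits.

```python
import ntpath
from collections import Counter

SQL_SERVER_IMAGE = "sqlservr.exe"             # the MS-SQL service binary
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}  # the interpreters the advisory names
FARGO_EXTENSION = ".fargo3"                   # extension appended to encrypted files
RANSOM_NOTE_NAME = "recovery files.txt"       # ransom note filename, compared lower-case

# Constructed endpoint telemetry (process-creation and file-creation events)
# for illustration; pids, paths and command lines are invented.
SAMPLE_EVENTS = [
    {"type": "process", "host": "db01", "pid": 1200, "ppid": 800,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    {"type": "process", "host": "db01", "pid": 4312, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c powershell.exe -nop -w hidden -ep bypass -f C:\Windows\Temp\update.ps1"},
    {"type": "process", "host": "db01", "pid": 4400, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -ep bypass -f C:\Windows\Temp\update.ps1"},
    {"type": "process", "host": "db01", "pid": 2000, "ppid": 4,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "db01", "pid": 5100, "ppid": 2000,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"type": "file", "host": "db01", "path": r"C:\Users\Public\Documents\budget.xlsx.Fargo3"},
    {"type": "file", "host": "db01", "path": r"C:\Users\Public\Documents\RECOVERY FILES.txt"},
    {"type": "file", "host": "db01", "path": r"C:\Users\Public\Documents\notes.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def build_process_table(events):
    """Map pid -> (image name, ppid) from the process-creation events."""
    return {ev["pid"]: (basename(ev["image"]), ev["ppid"])
            for ev in events if ev["type"] == "process"}


def has_ancestor(pid, ancestor_image, table, max_depth=16):
    """True if pid, or any parent reachable through the table, runs ancestor_image."""
    seen = set()
    current = pid
    for _ in range(max_depth):           # bounded walk: pid reuse can create loops
        if current not in table or current in seen:
            return False
        seen.add(current)
        image, ppid = table[current]
        if image == ancestor_image:
            return True
        current = ppid
    return False


def detect_fargo_indicators(events):
    """Return (rule, host, detail) alerts for the FARGO behaviours described above."""
    table = build_process_table(events)
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = basename(ev["image"])
            # Start the walk at the parent so the shell itself is not the match.
            if image in SHELL_IMAGES and has_ancestor(ev["ppid"], SQL_SERVER_IMAGE, table):
                alerts.append(("sql_server_spawned_shell", ev["host"],
                               f'{image} pid={ev["pid"]}: {ev["cmdline"]}'))
        elif ev["type"] == "file":
            name = basename(ev["path"])
            if name.endswith(FARGO_EXTENSION):
                alerts.append(("fargo_encrypted_file", ev["host"], ev["path"]))
            elif name == RANSOM_NOTE_NAME:
                alerts.append(("fargo_ransom_note", ev["host"], ev["path"]))
    return alerts


def alert_counts(alerts):
    """Number of alerts per rule, handy for a quick triage summary."""
    return dict(Counter(rule for rule, _, _ in alerts))


if __name__ == "__main__":
    for rule, host, detail in detect_fargo_indicators(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

The ancestry walk matters because the PowerShell stage is usually a grandchild of sqlservr.exe (via cmd.exe), so a rule that only inspects the direct parent would see it as an ordinary cmd.exe child. Expect some legitimate noise: xp_cmdshell jobs and maintenance plans also spawn cmd.exe under sqlservr.exe, so allowlist known scheduled command lines rather than the rule as a whole.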

4. New malware Backdoors VMware ESXi Servers to hijack virtual machines

A threat actor tracked as UNC3886 has been observed using a new technique for establishing persistence on VMware ESXi hypervisors, giving it covert control over Windows and Linux virtual machines and over vCenter servers. The malware was delivered as vSphere Installation Bundles (VIBs), and the actor edited the XML descriptor of the VIB used in the attack to change its acceptance level from "community" to "partner", so that anyone inspecting the installed bundle would take it for a partner-supported component.

Because the bundle was not actually signed, the attacker had to install it with the "--force" flag, which overrides the host's acceptance-level check. By these means the threat actor planted two backdoors, known as VirtualPita and VirtualPie, on the compromised ESXi hosts. Together they allow arbitrary command execution, file upload and download, and starting and stopping of the hypervisor's logging service. Administrators can check for this on their own hosts with "esxcli software vib list" (review the vendor and acceptance level of every installed VIB) and "esxcli software vib signature verify" (a VIB whose signature does not verify deserves investigation). To prevent compromise, use vCenter Single Sign-On and consider decoupling ESXi and vCenter Servers from Active Directory. Centralised logging of ESXi environments is also essential, both for proactive detection of malicious behaviour and for investigating events after the fact.

5. SolarMarker APT returns in a new Watering Hole Attack

The SolarMarker threat actor group has resurfaced with a changed delivery strategy. In watering-hole attacks it now serves fake Chrome browser updates that deliver its information-stealing malware, also named SolarMarker. The compromised sites run open-source content management systems (CMS) that frequently carry unpatched security flaws, which makes them easy to take over.

SolarMarker initially relied on SEO poisoning to lure professionals searching for business documents, such as templates and forms, into downloading malicious files. The switch to fake Chrome updates aimed at employees shows the attackers trying a new route for spreading the same data-stealing malware. Appropriate endpoint monitoring and user-awareness policies help detect and prevent such threats. Users should also avoid downloading files from unfamiliar websites, as even a seemingly harmless action like looking for a template or agreement form can lead to infection.

See you next week with more interesting cybersecurity bites!