Vercara’s Open-Source Intelligence (OSINT) Report – August 1 – August 8, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Hackers exploit misconfigured Jupyter Notebooks with repurposed Minecraft DDoS Tool. 

(TLP: CLEAR) The article discusses a new distributed denial-of-service (DDoS) attack campaign that targets misconfigured Jupyter Notebooks. This campaign, named “Panamorfi” by the cloud security firm Aqua, uses a Java-based tool called “mineping” to launch TCP flood DDoS attacks. Mineping, originally designed for Minecraft game servers, is repurposed in this attack to overwhelm target servers with numerous TCP connection requests. The attack chain involves exploiting publicly accessible Jupyter Notebook instances, where attackers use the wget command to download a ZIP file from a file-sharing site called Filebin. This ZIP file contains two Java archive (JAR) files: conn.jar and mineping.jar. The conn.jar file connects to a Discord channel, triggering the execution of the mineping.jar file to carry out the DDoS attack, with the results sent back to the Discord channel. The campaign has been linked to a threat actor named “yawixooo,” who has a GitHub account containing a Minecraft server properties file. The article notes that this is not the first time Jupyter Notebooks have been targeted. In October 2023, a Tunisian threat actor known as “Qubitstrike” also exploited Jupyter Notebooks for illicit cryptocurrency mining and cloud environment compromises. 
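A detection sketch for the Panamorfi chain described above, added here as an example (it is not code from the article or from Aqua). It scans execve-style process events for the two steps the article names: a downloader run from a Jupyter kernel, and Java launching conn.jar or mineping.jar. The JSON event shape, the sample events, and the hostname filebin.net are assumptions.

```python
"""Flag process events matching the Panamorfi chain: a downloader spawned from a
Jupyter kernel, a fetch from Filebin, or Java running conn.jar / mineping.jar.
Added example; event format and sample data are constructed."""
import json
import os
import re
import shlex

DOWNLOADERS = {"wget", "curl"}            # the article names wget; curl is the obvious sibling
JAR_NAMES = {"conn.jar", "mineping.jar"}   # JAR file names given in the article
FILEBIN_HOST = "filebin.net"               # assumed hostname for the "Filebin" sharing site
JUPYTER_PARENT = re.compile(r"ipykernel|jupyter", re.IGNORECASE)


def classify(event):
    """Return the reasons an event looks like Panamorfi activity (empty list if none)."""
    reasons = []
    argv = shlex.split(event.get("cmdline", ""))
    if not argv:
        return reasons
    exe = os.path.basename(argv[0])
    if exe in DOWNLOADERS and JUPYTER_PARENT.search(event.get("parent_cmdline", "")):
        reasons.append("downloader spawned by a Jupyter kernel")
    if any(FILEBIN_HOST in arg for arg in argv[1:]):
        reasons.append("fetches from Filebin")
    if exe == "java" and "-jar" in argv[:-1]:          # argv[:-1] guarantees an argument follows -jar
        jar = os.path.basename(argv[argv.index("-jar") + 1])
        if jar in JAR_NAMES:
            reasons.append("runs Panamorfi JAR " + jar)
    return reasons


def scan(lines):
    """Scan JSON-lines process events; return [(pid, reasons)] for suspicious ones."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


SAMPLE_EVENTS = [  # constructed: three events from the described chain, then two benign ones
    '{"pid": 4101, "parent_cmdline": "python3 -m ipykernel_launcher", "cmdline": "wget https://filebin.net/EXAMPLE/a.zip"}',
    '{"pid": 4102, "parent_cmdline": "/bin/bash", "cmdline": "java -jar /tmp/conn.jar"}',
    '{"pid": 4103, "parent_cmdline": "/bin/bash", "cmdline": "java -jar /tmp/mineping.jar"}',
    '{"pid": 4104, "parent_cmdline": "python3 -m ipykernel_launcher", "cmdline": "pip install pandas"}',
    '{"pid": 4105, "parent_cmdline": "/bin/bash", "cmdline": "java -jar /opt/app/service.jar"}',
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE_EVENTS):
        print(pid, "; ".join(why))
```

The kernel-spawned download alone is a useful signal on its own, since an interactive notebook that fetches and unpacks archives from a file-sharing site is rarely normal on a production host.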

(TLP: CLEAR) Comments: Malicious actors continue to look for ways to inject their malicious code into legitimate code repositories in the hope that it will be unknowingly incorporated into legitimate code or software. Organizations should have a well-defined secure code development policy and ensure that both static and dynamic code reviews are conducted before new code is put into production systems.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”  

Organizations should have a well-defined incident response plan in place that outlines the procedures to follow during a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should use DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect delivers DDoS mitigation and protection with competitive pricing tailored to your budget. Secure and reliable, it defends your online assets against DDoS threats, offering a flexible range of solutions for any organizational need. 

Source: https://thehackernews.com/2024/08/hackers-exploit-misconfigured-jupyter.html  

New CryptoKat ransomware released, allegedly claiming fast encryption.

(TLP: CLEAR) The article introduces a new ransomware named “CryptoKat,” which has recently appeared on the dark web, raising significant concerns in the cybersecurity community. Reported by the cybersecurity analyst MonThreat, CryptoKat is noted for its advanced features and high threat level. 

CryptoKat stands out due to its use of AES (Advanced Encryption Standard) for encrypting files, offering strong security. Its rapid encryption process, which uses maximum disk speed, allows it to quickly lock down a victim’s data, making it difficult for users to detect and stop the attack before significant damage occurs. The ransomware also employs unique executable files, enabling it to evade traditional antivirus detection. It operates stealthily, without triggering any Windows pop-ups, and exploits vulnerabilities in Windows 11 to increase its impact. A particularly troubling aspect is that the decryption key is not stored on the victim’s machine, meaning even if the ransomware is removed, the encrypted files remain inaccessible without paying the ransom. CryptoKat’s release is seen as a significant development in the realm of cybercrime, with its advanced capabilities making it a serious threat. Cybersecurity experts are advising both individuals and organizations to bolster their security measures and stay vigilant against this new ransomware. 

(TLP: CLEAR) Comments: The ability of malicious actors to encrypt data this quickly reinforces the need for a well-developed defense-in-depth IT infrastructure that not only mitigates malware entering the network but also blocks malicious traffic to command and control servers used to download secondary payloads. Malicious actors look to encrypt as much data as possible before being detected, to hold the organization hostage until a ransom is paid. It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://cybersecuritynews.com/cryptokat-ransomware-was-released/  

Threat actors announce Doubleface ransomware, claiming it is fully undetectable.

(TLP: CLEAR) The article discusses the emergence of a new ransomware variant called “Doubleface,” which claims to be fully undetectable by major antivirus software. Announced by its creators on the dark web, Doubleface is designed with sophisticated features, including a unique dual-layer encryption method that combines AES-128 and RSA-4096 algorithms. Each file’s AES encryption key is randomly generated and then encrypted with an RSA key, making decryption nearly impossible without the correct RSA decryption key. Developed using C/C++, Doubleface is touted as highly efficient and includes advanced capabilities such as Anti-Virtual Machine, Anti-Debugging, and Anti-Sandbox features. These functions make it particularly difficult for cybersecurity experts to detect and counteract the ransomware. The creators have claimed that Doubleface has successfully evaded detection by major antivirus programs like Windows Defender, Avast, Kaspersky, and AVG. They are selling the ransomware at $500 per stub, with the source code priced at $10,000. They also warn that incorrect decryption attempts will result in the destruction of all files. This announcement has raised significant concern in the cybersecurity community, emphasizing the need for robust and adaptive security measures as cybercriminals continue to develop increasingly sophisticated threats. 

(TLP: CLEAR) Comments: It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”  

By enforcing a content filtering policy that blocks typical software download sites, as well as hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that users unknowingly introduce into the organization. This can be done via a protective DNS or forward web proxy solution with website category feeds.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.   

Source: https://cybersecuritynews.com/doubleface-ransomware-claims/  

Microsoft 365 anti-phishing feature can be bypassed with CSS. 

(TLP: CLEAR) Researchers have identified a method to bypass the “First Contact Safety Tip” in Microsoft 365, a feature designed to warn users when they receive an email from an unfamiliar address. This anti-phishing measure can be hidden through the manipulation of CSS (Cascading Style Sheets) within the HTML of an email, rendering the safety tip invisible to the recipient. The technique involves altering specific HTML and CSS elements to hide the warning message and even spoof security icons, making phishing emails appear more legitimate. Despite the potential risks, Microsoft has opted not to address the issue immediately, stating that it does not meet their threshold for immediate action as it relies on social engineering. They acknowledged the finding but emphasized the importance of users practicing good online habits and caution when handling emails from unknown sources. 

(TLP: CLEAR) Comments: Social engineering attacks are one of the primary methods by which malicious actors introduce malware into a targeted network. The ability of malicious actors to bypass security measures designed to help individuals identify potential social engineering attacks increases the risk of malware being installed within networks. Organizations should have a detailed, well-developed defense-in-depth security posture that aims to mitigate each stage of the cyber kill chain associated with malware. Cybersecurity training can help mitigate the initial attack vector, where a first-stage payload is introduced. Once the first-stage payload is within a network, it normally reaches back out to another remote server to download the second stage, which usually contains the most malicious code of the attack. A protective DNS solution that monitors and evaluates DNS queries can help identify potential communication with malicious remote servers and block it, preventing the download of the second-stage payload. Organizations should also have robust network monitoring that can detect abnormal network activity and alert network defenders for further examination.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF): Developed by the National Institute of Standards and Technology (NIST), this framework provides guidelines for managing cybersecurity risks. It emphasizes layered security measures across different functions such as Identify, Protect, Detect, Respond, and Recover. 

ISO/IEC 27001: An international standard for information security management systems (ISMS), ISO/IEC 27001 encourages a defence-in-depth approach by requiring a comprehensive set of security controls across various domains, such as access control, cryptography, and physical security. 

Center for Internet Security (CIS) Controls: CIS Controls are a set of best practices for securing IT systems and data. They recommend implementing multiple layers of security measures, such as secure configurations, continuous vulnerability management, and controlled use of administrative privileges. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 

Source: https://www.bleepingcomputer.com/news/security/microsoft-365-anti-phishing-feature-can-be-bypassed-with-css/  

Apache CloudStack vulnerability exposes API and secret keys to admin accounts.

(TLP: CLEAR) The Apache CloudStack project has released long-term support (LTS) security updates, versions 4.18.2.3 and 4.19.1.1, to address two critical vulnerabilities: CVE-2024-42062 and CVE-2024-42222. These vulnerabilities pose significant risks to the integrity, confidentiality, and availability of CloudStack-managed infrastructure. 

CVE-2024-42062 affects versions 4.10.0 up to 4.19.1.0 and allows domain admins to access all users’ API and secret keys, including those of root admins, due to an access permission flaw. This could enable unauthorized operations and lead to data loss or denial of service. 

CVE-2024-42222 impacts version 4.19.1.0, resulting from a regression in the network listing API. This flaw allows unauthorized access to network details, compromising tenant isolation and potentially leading to unauthorized data access. 

Users are strongly advised to upgrade to versions 4.18.2.3 or 4.19.1.1 to mitigate these vulnerabilities, skipping version 4.19.1.0 if applicable, and to regenerate all user keys for enhanced security. The swift release of these updates by the Apache CloudStack project underscores the importance of maintaining up-to-date software and promptly addressing security issues. 
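A remediation helper for the advisory above, added here as an example (it is not code from the Apache CloudStack project or the article). assess() maps a deployment's version string to the CVEs and fixed LTS release named in the advisory, and rotate_all_keys() performs the advised key regeneration through the listUsers and registerUserKeys APIs using CloudStack's HMAC-SHA1 request signing. The endpoint URL (for example https://cloudstack.example/client/api), the credentials, and the dry-run default are assumptions.

```python
"""Decide whether a CloudStack version is affected by CVE-2024-42062 / CVE-2024-42222
and, after upgrading, regenerate every user's API key pair. Added example; the
endpoint, credentials and dry-run flag are assumptions."""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote_plus
from urllib.request import urlopen


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def assess(version):
    """Return (affected CVEs, release to upgrade to) for a CloudStack version string."""
    v = parse_version(version)
    branch_fix = (4, 19, 1, 1) if v >= (4, 19) else (4, 18, 2, 3)
    cves = []
    if (4, 10) <= v < branch_fix:            # 4.10.0 through 4.19.1.0, minus the fixed builds
        cves.append("CVE-2024-42062")        # domain admins can read every user's API/secret key
    if v == (4, 19, 1, 0):                   # the single build with the network-listing regression
        cves.append("CVE-2024-42222")
    return cves, ".".join(map(str, branch_fix))


def sign(params, api_key, secret_key):
    """CloudStack request signing: sorted query string, lower-cased, HMAC-SHA1, base64."""
    p = dict(params, apikey=api_key, response="json")
    query = "&".join(f"{k}={quote_plus(str(p[k])).replace('+', '%20')}" for k in sorted(p))
    digest = hmac.new(secret_key.encode(), query.lower().encode(), hashlib.sha1).digest()
    return query + "&signature=" + quote_plus(base64.b64encode(digest).decode())


def rotate_all_keys(endpoint, api_key, secret_key, dry_run=True):
    """After upgrading, regenerate every user's key pair; returns the user ids processed."""
    def call(command, **kw):
        with urlopen(endpoint + "?" + sign(dict(command=command, **kw), api_key, secret_key)) as r:
            return json.load(r)
    users = call("listUsers", listall="true")["listusersresponse"].get("user", [])
    users.sort(key=lambda u: u.get("apikey") == api_key)   # rotate the calling account last
    done = []
    for user in users:
        if not dry_run:
            call("registerUserKeys", id=user["id"])      # the old key pair stops working at once
        done.append(user["id"])
    return done
```

Run assess() against each management server before touching anything; a 4.19.0.x deployment must go straight to 4.19.1.1 rather than through 4.19.1.0.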

(TLP: CLEAR) Recommended best practices/regulations: OWASP API Top 10, API9:2023 “Improper Inventory Management”:   

  • “Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g., production, staging, test, development), who should have network access to the host (e.g., public, internal, partners), and the API version.  
  • “Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.  
  • “Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.  
  • “Generate documentation automatically by adopting open standards. Include the documentation built into your CI/CD pipeline.  
  • “Make API documentation available only to those authorized to use the API.  
  • “Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.  
  • “Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.  
  • “When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.” 

(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively. 

Source: https://cybersecuritynews.com/apache-cloudstack-vulnerability/ 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
