Vercara’s Open-Source Intelligence (OSINT) Report – January 26 – February 2, 2024

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. 

NOTE: Except where indicated, this report is released as TLP: CLEAR, and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Cloudflare hacked using auth tokens stolen in Okta attack.

(TLP: CLEAR) Recent reporting highlights Cloudflare’s disclosure of malicious activity that compromised several systems on its network on November 23, 2023. According to the company, an unnamed ‘nation state attacker’ accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system. Cloudflare confirmed that no customer data or systems were affected by the intrusion, which it says was effectively blocked within 24 hours.

Cloudflare went on to state that, using credentials compromised in the Okta breach of October 2023, the threat actors gained unauthorized access to an AWS environment as well as to Atlassian Jira and Confluence. However, Cloudflare found no evidence that the threat actor accessed its global network, customer database, configuration information, data centers, SSL keys, workers deployed by customers, or any other information beyond the “data in the Atlassian suite and the server on which our Atlassian runs”. In response to the incident, over 5,000 production credentials were rotated, approximately 5,000 systems were examined and remediated, and test and staging environments were isolated through physical segmentation. Cloudflare assessed that the attacker’s objective was to gather detailed intelligence about the company’s infrastructure, presumably in order to establish a more persistent foothold within the network.

(TLP: CLEAR) Analyst Comments: Okta is an identity and access management provider that reported a data breach on 23 October 2023 in which attackers gained unauthorized access to files, including session tokens that could be used for session hijacking. The company later revealed that at least 134 customers were affected and that some of the accessed files were HAR files containing session tokens. Many businesses, Cloudflare among them, have reportedly been targeted with the stolen Okta credentials.
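One concrete precaution against the HAR-file exposure described above is to strip session-bearing values before a capture is shared with any support desk. The following Python sanitizer is an added example written for this report, not Cloudflare’s or Okta’s code; the SAMPLE_HAR capture, its hostname example.invalid and its token values are constructed.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Header names whose values routinely carry bearer or session tokens.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie",
                     "x-auth-token", "x-api-key"}
# Query-string and form parameter names that usually carry credentials.
SENSITIVE_PARAM_RE = re.compile(r"token|session|sid|password|secret|api[_-]?key", re.I)
REDACTED = "[REDACTED]"

def _scrub_pairs(pairs, matcher) -> int:
    """Redact 'value' on each {name, value} record whose name matches; returns the count."""
    changed = 0
    for item in pairs or []:
        if matcher(str(item.get("name", ""))) and item.get("value") not in (None, REDACTED):
            item["value"] = REDACTED
            changed += 1
    return changed

def _scrub_url(url):
    """Redact credential-like query parameters inside a URL; returns (url, count)."""
    parts, changed, pairs = urlsplit(url), 0, []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE_PARAM_RE.search(key) and val != REDACTED:
            val, changed = REDACTED, changed + 1
        pairs.append((key, val))
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]"))), changed

def sanitize_har(har) -> int:
    """Redact session-bearing headers, cookies and parameters of a HAR 1.2 document in place."""
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _scrub_pairs(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            count += _scrub_pairs(msg.get("cookies"), lambda n: True)  # every cookie value
        req = entry.get("request", {})
        if "url" in req:
            req["url"], n = _scrub_url(req["url"])
            count += n
        count += _scrub_pairs(req.get("queryString"), SENSITIVE_PARAM_RE.search)
    return count

# Constructed sample HAR (not a real capture): bearer token, session cookie and a
# token query parameter on the request, and a Set-Cookie header on the response.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.invalid/api/me?sessionToken=abc123&v=2",
        "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi.constructed"},
                    {"name": "Cookie", "value": "sid=deadbeef"}, {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "deadbeef"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}, {"name": "v", "value": "2"}],
    },
    "response": {"status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=deadbeef; HttpOnly"}, {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "deadbeef"}],
    },
}]}}

def sanitized_sample():
    """Sanitize a deep copy of SAMPLE_HAR; returns (sanitized_har, redaction_count)."""
    har = json.loads(json.dumps(SAMPLE_HAR))
    return har, sanitize_har(har)
```

Running sanitize_har a second time on the same document changes nothing, so it is safe to apply before every upload.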

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting, and can also prevent some layer 7 DDoS attacks. Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.

Source: https://www.bleepingcomputer.com/news/security/cloudflare-hacked-using-auth-tokens-stolen-in-okta-attack/

Source: https://www.securityweek.com/okta-hack-blamed-on-employee-using-personal-google-account-on-company-laptop/

LockBit reigns supreme in soaring ransomware landscape.

(TLP: CLEAR) Recent intelligence reporting has revealed a significant escalation in ransomware attacks, with an 80% increase recorded from October to December 2023 compared with the preceding year. During this wave, 1,262 entities were targeted and subsequently posted on data leak sites, spanning sectors including manufacturing, construction, and professional, scientific, and technical services. Reporting suggests LockBit ransomware was at the forefront of these incidents, responsible for compromising 275 entities whose data was subsequently published on its leak site.

Trailing behind, Play ransomware was identified as the second most prolific, impacting 110 victims. This was followed closely by ALPHV/BlackCat with 102 victims, NoEscape with 76, and 8Base rounding out the list with 75 breaches.

(TLP: CLEAR) Analyst Comments: LockBit is a ransomware-as-a-service (RaaS) group that has been active since September 2019. The syndicate has become one of the most prolific operators in the cybercriminal landscape, notorious for a relentless stream of ransomware attacks against organizations across every sector, exploiting vulnerabilities for monetary gain without discrimination. During November 2023, the group claimed responsibility for compromising 484 distinct targets. This wave of attacks was largely facilitated by affiliates exploiting the Citrix Bleed vulnerability, which they used as a primary vector for initial access. Accordingly, organizations should update and patch their systems and applications as soon as updates are available.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or ransomware detonation. Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

Source: https://www.infosecurity-magazine.com/news/lockbit-reigns-supreme-soaring/

PurpleFox malware infects 2,000+ Ukrainian computers for DDoS and cryptojacking.

(TLP: CLEAR) The Computer Emergency Response Team of Ukraine (CERT-UA) recently issued a critical alert warning that an invasive malware strain known as ‘DirtyMoe’ (or ‘PurpleFox’) had compromised upwards of 2,000 computer systems across the country. Using Indicators of Compromise (IoCs) provided by the cybersecurity firms Avast and TrendMicro, CERT-UA has tracked PurpleFox infections of Ukrainian systems, cataloging the campaign under the code ‘UAC-0027’. The full scope of the intrusion remains uncertain, but investigations are reportedly in progress to determine further details, including whether it has impacted government agencies or citizens’ personal devices. CERT-UA later provided additional IoCs and remediation steps, such as isolating systems that run outdated OS versions and software using VLAN or physical network segmentation with incoming/outgoing filtering to prevent further proliferation.

(TLP: CLEAR) Analyst Comments: DirtyMoe (or PurpleFox) is a highly modular botnet with rootkit and backdoor capabilities, used for malicious cryptomining and Distributed Denial-of-Service (DDoS) operations. The malware spreads by infiltrating widely used software shipped with MSI installers and employs various methods of self-propagation. By obfuscating its IP addresses, it masks its footprint on compromised networks. Investigators later reported that, while surveilling PurpleFox throughout January 2024, they detected a network of 486 intermediary control servers, predominantly hosted on compromised devices in China, and that this network was expanding at a rate of approximately 20 new IP addresses each day. The network’s continuing operations are being monitored under the designation UAC-0027.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or ransomware detonation. Vercara UltraDDoS Protect provides flexible, automated, always-on protection across 15 Points of Presence (PoPs) and more than 15 Tbps of DDoS mitigation capacity, keeping customers available and performant under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices protects against emerging attack vectors and common attack sources.

Source: https://www.bleepingcomputer.com/news/security/purplefox-malware-infects-thousands-of-computers-in-ukraine/

Source: https://cert.gov.ua/article/6277422

U.S. warns of Chinese cyber threats in wake of FBI botnet takedown.

(TLP: CLEAR) On Wednesday, January 31, 2024, the U.S. Department of Justice (DOJ) and the FBI announced the dismantling of a sophisticated botnet (‘KV Botnet’) that had compromised hundreds of small office and home office (SOHO) routers across the United States. According to government officials, the network was operated by a state-backed Chinese threat actor known as ‘Volt Typhoon’. The DOJ reported that the bulk of the routers in the KV Botnet were vulnerable Cisco and NetGear devices that had reached ‘end of life’ status and therefore no longer received the security patches and software updates previously provided by their manufacturers, leaving them exposed to exploitation. To dismantle the botnet, officials used the malware’s own communication channels to send remote commands to the compromised routers within the U.S.; these commands were crafted to delete the KV Botnet payload and to harden the routers against reinfection. The FBI notified every owner affected by the operation, either directly or, where contact details were unavailable, through the respective internet service providers.

(TLP: CLEAR) Analyst Comments: Since its emergence in 2021, Volt Typhoon has conducted its operations using a blend of legitimate tools and living-off-the-land (LotL) tactics. This approach lets the actor move stealthily and maintain a prolonged presence within compromised networks while collecting sensitive data and remaining virtually undetected. Organizations should make it standard practice to update their network appliances as soon as patches become available in order to prevent compromise by threat groups like Volt Typhoon. If a device has reached end-of-life support, it is recommended to replace it with an appliance that is still receiving manufacturer updates.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation. KV Botnet was also used to provide DDoS services. Vercara UltraDDoS Protect provides flexible, automated, always-on protection across 15 Points of Presence (PoPs) and more than 15 Tbps of DDoS mitigation capacity, keeping customers available and performant under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that constantly updates mitigation devices protects against emerging attack vectors and common attack sources.

Source: https://cyberscoop.com/chinese-cyber-threats-fbi-operation-botnet/

Microsoft Teams phishing pushes DarkGate malware via group chats.

(TLP: CLEAR) Recently surfaced reporting highlights phishing campaigns that exploit Microsoft Teams group chat invitations to distribute malicious attachments, which install DarkGate malware payloads on the targeted systems. According to researchers, the attackers used what appears to be a hijacked Teams user account (or domain) to send over 1,000 malicious group chat invitations on Teams. With a user base of 280 million monthly participants, Microsoft Teams has become a prime target for adversaries, and DarkGate’s operators are delivering their malware through it by specifically targeting organizations whose administrators have left the External Access setting enabled. Once the malware is installed on a victim’s system, it reaches out to its command-and-control (C2) server, one that security researchers had already identified. Investigators report having mitigated the attack before any substantial harm was done and have since published remediation guidelines and Indicators of Compromise (IoCs) that organizations can use to check and harden their own environments.

(TLP: CLEAR) Analyst Comments: Initially documented in November 2018, DarkGate is a commodity malware incorporating a wide range of features to harvest sensitive data from web browsers, conduct cryptocurrency mining, and allow its operators to remotely control the infected hosts. In the aforementioned campaign, if a targeted user accepts the malicious group chat request, the threat actor uses social engineering techniques to trick them into downloading a file to their device. For the majority of enterprises, deactivating External Access in Microsoft Teams is highly recommended unless it’s indispensable for routine business operations.

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.

Source: https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-pushes-darkgate-malware-via-group-chats/

Source: https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/#darkgate

FritzFrog returns with Log4Shell and PwnKit, spreading malware.

(TLP: CLEAR) The FritzFrog botnet has recently been observed leveraging the Log4Shell vulnerability, focusing on internal network components that commonly slip through the patching process. This is a departure from the conventional pattern of Log4Shell attacks, which predominantly target internet-exposed systems. Instead, FritzFrog propagates within internal networks, exploiting organizations’ inadequate attention to patching and securing internal assets. To penetrate networks, FritzFrog combines brute-forcing of weak SSH passwords with scanning of system logs on breached hosts to pinpoint further targets within the network. Investigators later released additional Indicators of Compromise (IoCs) and recommended two mitigation strategies: network segmentation and detection of the malware’s common tactics, techniques, and procedures.

(TLP: CLEAR) Analyst Comments: The FritzFrog botnet propagates predominantly by leveraging weak SSH passwords and exploiting Log4Shell vulnerabilities. To mitigate the botnet’s impact, it is crucial to enforce strong password policies and to prioritize prompt patching. Continually evolving and adopting new methods, FritzFrog has executed over 20,000 attacks affecting more than 1,500 entities since it first surfaced in 2020.
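To detect the SSH password guessing described above, the failed-login stream in sshd’s auth log can be watched per source address, with a password login accepted from an address that just failed repeatedly as the strongest signal. The following Python detector is an added example, not the investigators’ tooling; the SAMPLE_AUTH_LOG lines, host name and addresses are constructed, and the threshold and window are assumed values rather than figures from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines in syslog format; the addresses are
# documentation ranges, not real hosts.
SAMPLE_AUTH_LOG = """\
Feb  1 10:00:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 50101 ssh2
Feb  1 10:00:02 host1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50102 ssh2
Feb  1 10:00:03 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 50103 ssh2
Feb  1 10:00:04 host1 sshd[2104]: Failed password for ubuntu from 203.0.113.7 port 50104 ssh2
Feb  1 10:00:05 host1 sshd[2105]: Failed password for root from 203.0.113.7 port 50105 ssh2
Feb  1 10:00:06 host1 sshd[2106]: Accepted password for root from 203.0.113.7 port 50106 ssh2
Feb  1 10:05:00 host1 sshd[2200]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Feb  1 10:05:04 host1 sshd[2201]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield one dict per sshd authentication line; unrelated lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            # syslog timestamps carry no year; that is fine for ordering within one file
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            yield ev


def find_bruteforce(text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed password logins inside a sliding
    window of window_s seconds. Returns {ip: {"failures", "users", "accepted_after"}};
    accepted_after is True when a password login later succeeded from a flagged IP."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    users = defaultdict(set)     # ip -> usernames tried
    hits = {}
    for ev in parse_auth_log(text):
        ip = ev["ip"]
        if ev["result"] == "Failed" and ev["method"] == "password":
            times = recent[ip]
            times.append(ev["ts"])
            users[ip].add(ev["user"])
            while (times[-1] - times[0]).total_seconds() > window_s:
                times.pop(0)          # drop failures that fell out of the window
            if len(times) >= threshold:
                rec = hits.setdefault(ip, {"failures": 0, "users": users[ip], "accepted_after": False})
                rec["failures"] = max(rec["failures"], len(times))
        elif ev["result"] == "Accepted" and ev["method"] == "password" and ip in hits:
            hits[ip]["accepted_after"] = True
    return hits
```

A flagged address whose accepted_after is True should be handled as a confirmed compromise of that account, not merely as noise to block.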

(TLP: CLEAR) Vercara: Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or ransomware detonation.

Source: https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html

New malware emerges in attacks exploiting Ivanti VPN vulnerabilities.

(TLP: CLEAR) Recent intelligence reporting has revealed a new malware strain attributed to the China-based threat group currently tracked as UNC5221. The malware specifically targets devices running Ivanti Connect Secure VPN and Policy Secure, a significant development in the threat landscape. Alongside web shells such as BUSHWALK and CHAINLINE, it exploits vulnerabilities CVE-2023-46805 and CVE-2024-21887 to execute commands at will. Germany’s Federal Office for Information Security (BSI) has also observed a series of system compromises within the country.

In response, Ivanti has not only acknowledged the issue but also disclosed two more vulnerabilities, CVE-2024-21888 and CVE-2024-21893. Notably, the latter is already being exploited, albeit by a limited set of attackers, underscoring the urgency of these issues. Further guidance for network defenders has been provided, including indicators of compromise (IOCs), YARA rules for threat detection, and a comprehensive system hardening guide.

(TLP: CLEAR) Analyst Comments: Reporting suggests UNC5221, the threat actor orchestrating the aforementioned intrusions, has targeted a diverse spectrum of sectors deemed crucial to China’s strategic interests. Researchers have determined that UNC5221 uses tactics, techniques, and procedures (TTPs) consistent with zero-day exploitation, and that its infrastructure and tooling match the established operational patterns of Chinese espionage actors.

(TLP: CLEAR) Vercara: Vercara UltraWAF helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility.

Vercara UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting, and can also prevent some layer 7 DDoS attacks. Vercara UltraDDR (DNS Detection and Response) filters DNS responses for users and machines, using both defined categories (including botnet C&C) and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or ransomware detonation.

Source: https://thehackernews.com/2024/02/warning-new-malware-emerges-in-attacks.html

Source: https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.