Vercara’s Open-Source Intelligence (OSINT) Report – October 4 – October 10, 2024


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

50+ vulnerabilities uncovered in RPKI security framework for internet routing. 

(TLP: CLEAR) The article discusses the Resource Public Key Infrastructure (RPKI), a security framework designed to improve the integrity of Internet routing by linking specific IP address blocks and Autonomous System Numbers (ASNs) with their legitimate holders. By using cryptographic certificates called Route Origin Authorizations (ROAs), RPKI ensures that only authorized entities can announce IP prefixes through the Border Gateway Protocol (BGP). This enhances routing security, addressing BGP’s inherent vulnerability to attacks. Despite its growing adoption—covering over 50% of announced prefixes and being enforced by 25% of networks—RPKI still faces challenges. Researchers from ATHENE & Goethe-Universität Frankfurt and ATHENE & TU Darmstadt uncovered 53 vulnerabilities in RPKI, highlighting gaps in implementation across specifications, software, operations, and deployment. The system’s weaknesses, including inconsistent validation results, bugs, and operational complexity, hinder its ability to fully secure BGP routing. Many networks still run RPKI in a “fail open” mode, accepting “NotFound” or “Invalid” routes to prevent isolation. RPKI has gained momentum, particularly after endorsement by the White House as part of a cybersecurity strategy, but further refinement is needed. Recommendations include improving RPKI standards, developing automated management tools, and addressing the increased attack surface resulting from RPKI’s deployment. 

(TLP: CLEAR) Comments: Malicious actors could take advantage of misconfigured or missing Resource Public Key Infrastructure (RPKI) Route Origin Authorizations (ROAs) to conduct BGP route hijacking, which could lead to traffic interception or denial of service. Implementing ROAs strengthens the integrity of Border Gateway Protocol (BGP) routing, which reduces the risk of malicious actors diverting or disrupting network traffic.

(TLP: CLEAR) Recommended best practices/regulations: American Registry for Internet Numbers (ARIN) recommends the following best practices: 

  • Accurate Resource Certification: Ensure that your organization holds valid resource certificates for the IP prefixes you intend to advertise. These certificates, issued by a Regional Internet Registry (RIR), confirm your authority over specific Internet number resources. 
  • Precise ROA Configuration: When creating a ROA, accurately specify the origin AS and the IP prefix. Utilize the ‘maxLength’ field to define the most specific prefix length your AS is authorized to advertise. This precision helps prevent route hijacking by ensuring that only your AS can announce the specified prefixes. 
  • Avoidance of Duplicate and Overlapping ROAs: Configure each prefix-AS pair uniquely to prevent conflicts. Duplicate or overlapping ROAs can lead to validation errors, potentially disrupting legitimate routing announcements. 
  • Regular Monitoring and Renewal: ROAs have a limited lifespan; for instance, ARIN’s ROAs are created with a 90-day validity period and auto-renew after 80 days. Consistently monitor the status of your ROAs and ensure they are renewed appropriately to maintain routing security. 
  • Utilization of Trusted Tools and Validators: Employ reputable RPKI validators to verify the authenticity of ROAs and resource certificates. Regularly update these tools to align with current standards and practices. 
  • Comprehensive Documentation and Training: Maintain detailed records of your RPKI configurations and ensure that relevant personnel are trained in managing ROAs and interpreting validation results. Proper documentation facilitates continuity and aids in troubleshooting. 
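The validation states the article refers to (Valid, Invalid, NotFound) and the role of the ‘maxLength’ field from the ARIN guidance above are easiest to see in code. The following is an added example, not code from the article or from ARIN; it implements Route Origin Validation as RFC 6811 defines it, with a constructed ROA set built from documentation prefixes and private-use ASNs, and a small import policy showing what “fail open” means in practice.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: a prefix, the most specific length the
    holder may announce (maxLength), and the authorized origin AS."""
    prefix: str
    max_length: int
    origin_as: int

# Constructed ROA set (not from the article) using documentation prefixes
# and private-use ASNs.
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("203.0.113.0/24", 25, 64497),
]

def validate_route(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Route Origin Validation as specified in RFC 6811.
    NotFound: no ROA covers the announced prefix.
    Valid:    a covering ROA names this origin AS and maxLength permits the length.
    Invalid:  covered, but wrong origin AS or more specific than maxLength allows."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"

def accept_route(prefix: str, origin_as: int, drop_invalid: bool, roas=ROAS) -> bool:
    """Router import policy. drop_invalid=False is the 'fail open' mode the article
    describes: Invalid routes are still accepted. NotFound is accepted in both modes,
    since roughly half of announced prefixes have no ROA at all."""
    if validate_route(prefix, origin_as, roas) == "Invalid":
        return not drop_invalid
    return True

if __name__ == "__main__":
    cases = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64511),
             ("192.0.2.128/25", 64496), ("203.0.113.128/25", 64497),
             ("198.51.100.0/24", 64496)]
    for p, asn in cases:
        print(f"{p:18} AS{asn}: {validate_route(p, asn)}")
```

Note that a more-specific announcement from the legitimate AS (192.0.2.128/25 above) is Invalid because the ROA’s maxLength is 24; setting maxLength too loosely is what lets an attacker announce a more-specific prefix under cover of a valid-looking ROA.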

(TLP: CLEAR) Vercara: Vercara’s UltraDDoS Protect uses BGP to on-ramp traffic by routing it through the Vercara AS. Customers can use RPKI and ROAs to validate their routes to UltraDDoS Protect for both on-demand and always-on deployment modes.

Vercara’s UltraDNS and other platforms use RPKI and ROA to protect their IP spaces and routing to prevent route hijacks and ensure our security as a platform provider. 

Source: https://cybersecuritynews.com/rpki-security-vulnerabilities-exposed/  

North Korean hackers attacking U.S. organizations with unique hacking tools. 

(TLP: CLEAR) The article discusses recent cyber extortion attacks carried out by the North Korean state-sponsored hacking group Stonefly (also known as Andariel, APT45, and Silent Chollima). This group has been targeting U.S. organizations with sophisticated malware and custom tools, with a focus on financially motivated attacks, though their ransomware deployment attempts have mostly failed. In August 2023, Stonefly executed intrusions using a unique custom malware called Backdoor.Preft (also known as Dtrack or Valefor), along with misleading techniques such as fake certificates, including a fake Tableau certificate. The group’s toolkit includes tools like Preft, Nukebot, Mimikatz, Sliver, and more. These attacks highlight their growing technical capabilities and evolving tactics to bypass cybersecurity defenses. Symantec’s Threat Hunter Team warns of the persistent danger posed by such state-sponsored actors and stresses the need for strong security measures and global cooperation. Stonefly has a history of cyber operations, progressing from basic DDoS attacks in 2009 to more advanced techniques, including ransomware and cyber espionage. The group’s activities have caught the attention of the U.S. Justice Department, which indicted North Korean hacker Rim Jong Hyok for cyberattacks between 2021 and 2023. Despite a $10 million reward for information leading to his capture, Stonefly continues its operations against high-profile U.S. targets, including healthcare, military, and governmental organizations.

(TLP: CLEAR) Comments: The Stonefly group has been around since 2015 and is part of a broader constellation of threat actors associated with North Korea’s efforts to gather intelligence by targeting the government, defence and infrastructure sectors; it is known for both espionage and financially motivated operations. Threat actors will continue to develop more advanced Tactics, Techniques and Procedures (TTPs) to evade detection so that they can access targeted networks and establish persistence.

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.3: “Anti-malware mechanisms and processes are active, maintained, and monitored. 

“The anti-malware solution(s) is kept current via automatic updates.  

“The anti-malware solution(s):
  • Performs periodic scans and active or real-time scans.
  OR
  • Performs continuous behavioural analysis of systems or processes.

“If periodic malware scans are performed to meet Requirement 5.3.2, the frequency of scans is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.” Regular updating of anti-malware definitions and performing periodic scans requires processing and disk input/output. As a result, most updates and scans happen overnight, resulting in a detection gap of up to several days depending on the type of device. Protective DNS solutions can update their detection rules in real-time and provide support for network-based behavioural analytics. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defence in Depth against malware, phishing, and other abuses:  

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars.  
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one click of a button.  
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature.  
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://cybersecuritynews.com/north-korean-hackers-u-s-attacks/  

New Gorilla botnet launches over 300,000 DDoS attacks across 100 countries. 

(TLP: CLEAR) The article highlights the discovery of a new botnet malware family called Gorilla (also known as GorillaBot), which is inspired by the leaked Mirai botnet source code. The cybersecurity firm NSFOCUS identified that Gorilla issued over 300,000 attack commands between September 4 and September 27, 2024, with an average of 20,000 commands per day aimed at launching distributed denial-of-service (DDoS) attacks. The botnet has targeted over 100 countries, with China, the U.S., Canada, and Germany being the most attacked. It primarily uses various DDoS attack techniques, including UDP flood, SYN flood, and ACK flood, and takes advantage of the connectionless nature of the UDP protocol to spoof IP addresses and generate significant traffic. Gorilla is versatile, supporting multiple CPU architectures (ARM, MIPS, x86_64, and x86) and connecting to one of five command-and-control (C2) servers to await instructions. It also exploits a known vulnerability in Apache Hadoop YARN RPC, which allows remote code execution, a flaw that has been abused since 2021. The malware achieves persistence by creating a service file in the “/etc/systemd/system/” directory and configuring it to run at system startup, as well as adding commands to other system files to ensure execution during startup or user login. It uses encryption algorithms and various counter-detection techniques commonly associated with the Keksec group to maintain long-term control over IoT devices and cloud hosts. 

(TLP: CLEAR) Comments: Botnets like GorillaBot are dangerous because of the scale and the anonymity they offer malicious actors, making it difficult to trace attacks back to the command-and-control (C2) servers. These botnets are composed of diverse types of devices, such as Internet of Things (IoT) devices, personal computers, and even servers, that have been compromised through vulnerabilities or weak credentials. Since the Mirai botnet code was leaked in September 2016, researchers have identified hundreds of variants. Malicious actors will continue to modify the original Mirai source code to target different devices or networks, or to take advantage of newly identified vulnerabilities.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”. Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time such as Vercara’s UltraDDoS Protect. 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect can detect DDoS attacks and scrub your internet traffic through countermeasures, processes, and practices that are built upon more than 20 years of expertise in thwarting threats, delivered through a carrier-grade global infrastructure that has been engineered to provide the highest standards of availability, reliability, and scale. 

Source: https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.html  

Hackers exploiting DNS tunneling service to bypass network firewalls. 

(TLP: CLEAR) The article focuses on DNS tunneling, a hacking technique that exploits the DNS protocol to exfiltrate data and maintain control over compromised systems. By embedding encoded data in DNS queries and responses, threat actors bypass firewalls and evade detection. Recently, Unit 42 of Palo Alto Networks uncovered ongoing DNS tunneling attacks that bypass network firewalls by abusing DNS communications over port 53, a channel that is often left unmonitored. In this method, attackers first infect a system with malware, then encode stolen data into DNS subdomain queries, transmitting it to attacker-controlled DNS servers. These DNS tunneling attacks can also create a hidden command-and-control (C2) channel, allowing attackers to send instructions back to the compromised systems. The technique has been used by groups like Evasive Serpens and Obscure Serpens against critical infrastructure.

Palo Alto Networks identified four major malicious campaigns: FinHealthXDS, which targets the finance and healthcare sectors; RussianSite, involving over 100 domains with ties to Russian infrastructure; 8NS, which uses a consistent DNS configuration across multiple domains; and NSfinder, targeting victims via adult websites to steal credit card information using Trojans like IcedID and RedLine. These campaigns share common attributes, including infrastructure setup, DNS configurations, encoding methods, and target selection, making DNS tunneling a significant threat in the cybersecurity landscape. The report also lists various domains, IP addresses, and malware samples associated with these campaigns. 

(TLP: CLEAR) Comments: DNS tunnelling is a sophisticated cyber-attack method in which malicious actors abuse the Domain Name System (DNS) protocol to establish covert communication channels between compromised systems and a command-and-control (C2) server. This technique is particularly dangerous because DNS traffic is often overlooked or under-monitored by traditional network defences, which makes it an ideal avenue for data exfiltration and persistent C2 communication.
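The tunnelling pattern described above (stolen data encoded into ever-changing subdomain labels, sent to an attacker-controlled authoritative server) leaves a measurable footprint in resolver query logs. The following is an added example, not code from the article or from Unit 42: a per-domain heuristic scorer run over a constructed, simplified query log. The “last two labels” rule for the base domain is a simplification; real deployments should use the Public Suffix List.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (not from the article): "client qname qtype" per line.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com A
10.0.0.7 a9f3k2l0x8q1z7m4n6b2v5c8.tun.example-c2.test TXT
10.0.0.7 b7h2j9k1l3m5n8p0q2r4s6t8.tun.example-c2.test TXT
10.0.0.7 c1d3f5g7h9j2k4l6m8n0p2q4.tun.example-c2.test TXT
10.0.0.7 d8e6f4g2h0j9k7l5m3n1p8q6.tun.example-c2.test TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: base32/base64-style payloads score high, words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname: str):
    """Return (base domain, subdomain part). Assumes the registrable domain is the
    last two labels; production code should consult the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_domains(log_text: str, entropy_threshold=3.5, length_threshold=20):
    """Aggregate per base domain and flag tunnelling-like traffic: long, high-entropy
    subdomains that never repeat (each carries a fresh chunk of data), or a majority
    of TXT/NULL queries, whose large answers make a convenient downstream channel."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "len": 0, "bulk": 0})
    for line in log_text.splitlines():
        _client, qname, qtype = line.split()
        base, sub = split_name(qname)
        payload = sub.replace(".", "")
        s = stats[base]
        s["n"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(payload)
        s["len"] += len(payload)
        s["bulk"] += qtype in ("TXT", "NULL")
    results = {}
    for base, s in stats.items():
        n = s["n"]
        mean_entropy, mean_length = s["ent"] / n, s["len"] / n
        unique_ratio = len(s["subs"]) / n
        suspicious = (mean_entropy > entropy_threshold and mean_length > length_threshold
                      and unique_ratio >= 0.9) or s["bulk"] / n > 0.5
        results[base] = {"mean_entropy": round(mean_entropy, 2),
                         "mean_length": round(mean_length, 1),
                         "unique_ratio": round(unique_ratio, 2), "suspicious": suspicious}
    return results

if __name__ == "__main__":
    for base, r in score_domains(SAMPLE_LOG).items():
        print(base, r)
```

Thresholds like these need tuning against a baseline of your own traffic, since CDNs and some cloud services also generate long, high-entropy labels; the per-domain aggregation is what keeps a single odd lookup from triggering an alert.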

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for users and machines alike, using both defined categories (including botnet command-and-control (C2)) and machine learning to detect previously uncategorized malicious associations, helping to prevent data exfiltration or malware detonation.

Source: https://cybersecuritynews.com/hackers-exploiting-dns-tunneling/  

Single HTTP request can exploit 6M WordPress sites. 

(TLP: CLEAR) A critical vulnerability (CVE-2024-47374) was discovered in the WordPress LiteSpeed Cache plug-in, installed over 6 million times. The flaw, an unauthenticated stored cross-site scripting (XSS) issue, allows attackers to escalate privileges and inject malicious code, potentially leading to redirects, ads, and other harmful HTML payloads on affected websites. The flaw affects LiteSpeed Cache through version 6.5.0.2, and users are urged to update to version 6.5.1 immediately to mitigate risks. The vulnerability was found by a security researcher named “TaiYou” and reported to Patchstack on September 24, 2024. In addition to the primary XSS flaw, two other vulnerabilities, including another XSS and a path traversal issue, were identified. However, CVE-2024-47374 is considered the most dangerous and likely to be exploited by attackers. This XSS vulnerability occurs due to improper sanitization in the “Vary Group” functionality, which outputs user-supplied input without sanitizing or escaping it on the admin page. This could allow attackers to inject malicious scripts that run in the context of the website. A patch was issued by LiteSpeed Cache developers and validated the same day, with version 6.5.1 addressing all three vulnerabilities. Administrators of WordPress sites using the plug-in are advised to update to the patched version immediately. Patchstack also recommends applying proper escaping, sanitization, and authorization checks to further protect against such vulnerabilities in WordPress plug-ins. 

(TLP: CLEAR) Comments:  

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:
  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks.
  • Actively running and up to date as applicable.
  • Generating audit logs.
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, can defend critical applications with even the most complex workflows and prevent the most common threats that target the application layer, such as SQLi, XSS, and CSRF. 

Source: https://www.darkreading.com/endpoint-security/single-http-request-exploit-6m-wordpress 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
