WME Security Briefing 18 September 2024

WME Cybersecurity Briefings No. 027

Fortinet Data Breach via Third-Party Cloud: A Security Alert

Overview

Fortinet confirms a huge data breach impacting a number of its customers. The incident involves unauthorized access to files stored on their cloud drive. The breach came to light when a hacker, using the pseudonym “Fortibitch,” leaked 440GB of customer data on BreachForums. This breach raises concerns about the security of data stored in third-party cloud services.

Impact

Fortinet says the breach affected approximately 0.3% of its 775,000 customers. So, that means about 2300+ organizations. The compromised data includes financial and marketing docs, product info, HR data from India, and some employee information. However, they reported no evidence of malicious activity involving this data. But the breach did not compromise Fortinet’s internal corporate network.

Threat intelligence reports add that the hacker leaked the data after failed ransom negotiations with Fortinet. Although the breach is considered limited, it shows the heightened risk of data exposure from third-parties.

Recommendation

  1. MFA should be made mandatory for accessing cloud environments like SharePoint.
  2. Employees should only have access to essential files and data.
  3. Avoid over-permissioning users in cloud environments.
  4. Monitor Cloud Assets and repositories for sensitive data.
  5. Encrypt Data, both in transit and at rest.
  6. Implement Zero-Trust principles.

Cyber Campaign Targets Middle East Human Rights Studies

Overview

In June 2024, cybersecurity company, Kaspersky, detected a targeted cyber campaign against government entities in the Middle East and MalaysiaTropic Trooper, a Chinese-speaking hacker group, was identified as the perpetrator of the attack, presenting a shift in the group’s tactics. It targeted human rights studies in general and the Israel-Hammas conflict in particular. The campaign was executed against a public web server suspected of using Umbraco, an open-source content management system, to host human rights-related data.

Impact

Concerning the Thailand-based UmbrellaBird APT’s method of deploying new attack tools against Asian entities to deliver malware, the strategy implies the likely deployment of Crowdoor, a variant of the SparrowDoor backdoor, against the detected systems to perform lateral movement and data collection within the compromised servers.

Tropic Trooper executed the attack by launching a DLL side-loading attack against web solutions and applications like Adobe ColdFusion and Microsoft Exchange. It employed the more recently tested versions for maximal damage and subsequent delivery of the more commonly used Cobalt Strike tool to enable persistent, deep network infiltration. The ongoing increase in the quantity of recently uploaded malware samples further attests to this fact.

Recommendation

All organizations deploying vulnerable applications, like Adobe ColdFusion and Microsoft Exchange, should install the most recent security updates to maximize safety. In addition, if a compromised server is suspected of hosting valuable human rights study data or other information of critical importance, all reports of internal movement and external communication should be carefully monitored.

Finally, in this specific case, advanced threat detection solutions should be employed to detect and eliminate any subsequent attacks against the same compromised server, potentially deploying Crowdoor, Covenant, or Cobalt Strike. You may also need a CMS security configurations review run to eliminate all lags and vulnerabilities and restrict access to sensitive data.

Veeam Addresses Critical Vulnerabilities with Security Update

Overview

Veeam is a prominent backup and disaster recovery solution vendor. It has recently uploaded security patches for 18 security issues in several software products. Five of the recognized issues are critical and can cause remote code execution. The update aims to eliminate these critical perils and improve the target servers’ overall security to protect them from exploit dangers.

Impact

The identified vulnerabilities can lead to remote code execution, theft of sensitive credentials, and authentication bypass.

The highest-risk vulnerabilities include:

  • CVE-2024-40711 (CVSS score: 9.8): Backup & Replication; allows unauthorized remote code execution.
  • CVE-2024-42024 (CVSS score: 9.1): Veeam ONE; lets an attacker with Agent service account credentials perform remote code execution.
  • CVE-2024-42019 (CVSS score: 9.0): Veeam ONE; attackers can access the NTLM hash of the Veeam Reporter Service.
  • CVE-2024-38650 (CVSS score: 9.9): Veeam Service Provider Console (VPSC) enabling attackers to access NTLM hash data.
  • CVE-2024-39714 (CVSS score: 9.9): This flaw allows low-privileged users to upload arbitrary files to the VPSC server.

Also, 13 other high-severity issues were addressed.

Recommendation

For this reason, the new patch installation is recommended for all the companies using Veeam. The security update will eliminate the risks of the perils mentioned above. The corrupted products are as follows:

  • Veeam Backup & Replication (version 12.2)
  • Veeam Agent for Linux (version 6.2)
  • Veeam ONE (version 12.2)
  • Veeam Service Provider Console (version 8.1)
  • Veeam Backup for Nutanix AHV and Oracle Linux Virtualization Manager

The weaknesses are critical for initiating a ransomware infection. For this reason, organizations’ admins need to implement these changes ASAP.

U.S. Government Seizes Pro-Russian Disinformation Domains in Major Crackdown

Overview

The U.S. Department of Justice made a decisive move on September 5, 2024, to stop the pro-Russian propaganda operation Doppelganger by seizing 32 internet domains coordinating the distribution of disinformation. It appears that this crisis response is related to the broader strategy to stop the effort of Russian influence through spreading fake news, disinformation, and propaganda that would risk the upcoming presidential elections in 2024 and ongoing international support for Ukraine. It should be noted that Doppelganger was a Russian-directed operation supported by entities like Social Design Agency and Structura National Technology.

Impact

The seized domains mirrored reputable media outlets like Fox News and Der Spiegel, among others, and disseminated Russian-generated propaganda under the guise of credible journalism. Paid influencers, social media advertisements, and fake profiles were leveraged to amplify these messages, helping direct unsuspecting viewers to these misleading domains.

Recommendation

Admins and cybersecurity teams need to enhance the monitoring of domain registrations. They also need to scrutinize any media outlet that may seem suspicious or newly registered. Organizations should also stay vigilant for any further attempts at disinformation. To help your cause, you can reinforce social media scrutiny protocols to mitigate exposure to future influence operations.

MacroPack Utilized to Deliver Advanced Malware: Havoc, Brute Ratel, and PhantomCore

Overview

Recent reports demonstrate that cyber threat actors are increasingly utilizing a red teaming tool, MacroPack, to deliver sophisticated malware variants such as Havoc, Brute Ratel, and PhantomCore.

MacroPack is designed to generate Office documents, Visual Basic scripts, and Windows shortcuts. It is primarily used in penetration testing and social engineering assessments. The software’s creator is a French developer named Emeric Nasi, who initially invented it to help IT professionals educate their employees on phishing threats.

Impact

Currently, cyber attackers are using the same mechanism to distribute their malicious payloads through seemingly innocuous and fake documents. The activity has been noticed in multiple countries, including China, Pakistan, Russia, and the U.S., with related files discovered on VirusTotal as part of the ongoing campaign.

The fake documents contain non-obfuscated VBA subroutines, which were never tied to any previous malicious activities. In addition, MacroPack generates a Markov chain to produce meaningful and realistic variable and function names that further complicate the discovery process. The typical attack chain in the MacrosPack campaign usually contains three steps:

  • Sending of an Office document that contains VBA code generated by MacroPack.
  • Decoding the next-level payload.
  • Delivery and execution of the final malware.

The key payloads identified are Havoc, Brute Ratel, and a brand-new PhantomCore variant, which was previously noticed by the Head Mare hacktivist group. The themes of the lures vary exponentially: they can span from asking to enable macros in the most basic documents to the impersonation of high-ranking military officials and the sending of seemingly original military files. It seems that multiple cyber threat actors are involved in this campaign.

Recommendation

Organizations need to keep a strict security posture when dealing with Office documents, especially ones from unknown or untrusted sources. Disabling the macros in any Office application becomes a simple yet crucial step to avoid risks from an attack that exploits MacroPack. Your security teams should also ensure your security systems are updated with the latest malware detection tools that possess defense mechanisms that can recognize and destroy evasion tools used by MacroPack.

Apache OFBiz Update Addresses Remote Code Execution Vulnerability

Overview

Recently, a security update was published for the open-source enterprise resource planning system Apache OFBiz. The flaw is classified as high severity and identified as CVE-2024-45195 with a CVSS score of 7.5. The affected systems include Linux and Windows. The vulnerability exists in all previous OFBiz versions and utilizes missing authorization checks that allow authenticated attackers to execute code in the server. In other words, this vulnerability is a security bypass for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856. If exploited, CVE-2024-45195 allows attackers to execute arbitrary code in the server without needing authentication.

Impact

This vulnerability stems from a desynchronization issue between the controller and view map state, which wasn’t fully resolved in earlier patches. Therefore, it becomes particularly vulnerable if previous flaws are exploited to bypass authentication and authorization checks affecting Apache OFBiz login screens as a front door. More specifically, any code could inject SQL queries and gain remote access to companies’ systems.

Similar vulnerabilities, CVE-2024-32113 and CVE-2024-38856, have already been publicly exploited, with the former being responsible for deploying Mirai botnet malware.

Recommendation

System managers and users are strongly advised to update their Apache OFBiz to version 18.12.16. This latest patch addresses CVE-2024-45195 and a critical server-side request forgery (SSRF) vulnerability (CVE-2024-45507, CVSS score: 9.8) that could compromise system systems. Ensure that all previous patches have been applied. Also, verify that the updated version includes proper authorization checks to prevent further exploits.

Share:

Facebook
Twitter
LinkedIn
Picture of Matt Tinney

Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.

Contact Us

=
On Key

More Posts

WME Cybersecurity Briefings No. 028
Cyber Security

WME Security Briefing 27 September 2024

DragonRank SEO Manipulation Campaign Targeting IIS Servers Across Asia and Europe Overview A cyber espionage campaign is targeting IIS servers in several countries across Asia and Europe. The DragonRank campaign emanates from a simplified Chinese-speaking actor and specializes

Click Here to Read Full Article »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.

=