Ooreofeoluwa Koyejo says
CISA Urges Patching of Cisco ASA Flaw Exploited in Ransomware Attacks
CISA added CVE-2020-3259, an old Cisco ASA vulnerability exploited by ransomware, to its KEV catalogue, urging organizations using the tools to address it as soon as possible. The vulnerability affects Cisco’s security appliances, the Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products, and can be exploited by a remote, unauthenticated attacker to obtain potentially sensitive information from an affected device’s memory, including access credentials.
The vulnerability can be exploited against devices that have the Anyconnect SSL VPN feature enabled.
The flaw was patched by Cisco in 2020, but it recently started making headlines after cybersecurity firm Truesec found evidence suggesting that it has been exploited by the Akira ransomware group.
“An analysis of the eight latest incident response missions conducted by Truesec, where Akira ransomware had been deployed, and the Cisco Anyconnect SSL VPN was confirmed as the entry point, showed that at least six of the compromised devices were running different versions of the vulnerable software,” Truesec said in late January.
The agency has instructed government agencies to address the vulnerability by March 7, but all organizations are strongly urged to ensure their systems cannot be penetrated via this vulnerability.
https://www.securityweek.com/cisa-urges-patching-of-cisco-asa-flaw-exploited-in-ransomware-attacks
Celinemary Turner says
Ex-Employee’s Admin Credentials Used in US Gov Agency Hack
https://www.securityweek.com/ex-employees-admin-credentials-used-in-us-gov-agency-hack/
A threat actor gained access to a US government organization’s network using the compromised credentials for a former employee’s administrative account, the US cybersecurity agency CISA says.
Using the compromised credentials, the attackers accessed an internal VPN, performed reconnaissance of the on-premises environment, and executed LDAP queries on a domain controller.
The organization, which CISA has not named, failed to remove the account of the former employee, which allowed the threat actor to conduct reconnaissance and discovery activities.
The credentials, which offered access to two virtualized servers, namely SharePoint and the employee’s workstation, were obtained from another data breach, and could be found “in publicly available channels containing leaked account information”, CISA says.
From the SharePoint server, the attackers extracted the credentials of a second employee and used them to authenticate to the on-premises Active Directory and Azure AD, gaining administrative privileges.
The attackers posted information stolen from the government organization, including documents containing host and user information and metadata, on a dark web forum, which triggered an investigation.
The user account was immediately disabled and the two virtualized servers taken offline. The victim organization also changed the credentials for the second compromised account and removed its administrative privileges.
“Neither of the administrative accounts had multifactor authentication (MFA) enabled,” CISA notes.
According to the agency, the threat actor executed LDAP queries on the domain controller using an open source tool to collect user, host, and trust relationship information, and posted the resulting text files for sale on the dark web.
For file, folder, and directory discovery, the threat actor authenticated to various endpoints using the CIFS protocol, typically employed for shared access to files. In total, the attackers authenticated to 16 services.
Organizations are advised to review current administrative accounts and remove those that are not necessary, restrict the use of multiple administrator accounts for one user, create separate admin accounts for on-premises and cloud environments, implement the principles of least privilege, and implement phishing-resistant MFA.
Furthermore, they should promptly remove unnecessary accounts, maintain a robust asset management policy, keep all systems and applications updated, prevent personal devices from connecting to the network, evaluate user permissions, enable logging, use tools to identify attack paths, employ strong password management policies, store credentials securely, and validate their security controls.
Jon Stillwagon says
https://www.securityweek.com/law-enforcement-hacks-lockbit-ransomware-delivers-major-blow-to-operation/
A LockBit ransomware operation has been disrupted by law enforcement by hacking the hackers. The operation has made 2 arrests, with more than 200 cryptocurrency accounts being frozen. They took down 34 servers and closed 14,000 rogue accounts. Law enforcement has also targeted LockBit’s leak websites, with 22 of them being offline or displaying seizure messages. The LockBit group did respond and said that only the servers using PHP were compromised by the FBI, while their backup servers not using PHP were not impacted. The FBI, agencies in Canada, Australia, France, Germany, Switzerland, Sweden, Finland, the Netherlands, and Japan, and Europol were all a part of the operation.
Bo Wang says
https://www.infosecurity-magazine.com/news/linux-malware-migo-targets-redis/
A sophisticated malware campaign called “Migo” has been discovered, targeting Redis, a popular data store system. Migo uses novel tactics, including new Redis system weakening commands, to compromise servers and mine cryptocurrency on Linux hosts. Distributed as a Golang ELF binary, Migo features compile-time obfuscation and a modified rootkit to conceal its activities. The attack involves disabling Redis configuration options, executing malicious payloads to mine cryptocurrency, and using compile-time obfuscation and a rootkit to evade detection. Migo persists using systemd service and timer units and modifies the system’s host file to block outbound traffic to cloud provider domains. This demonstrates the evolving techniques of cloud-focused attackers and poses challenges for incident forensics.
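The hosts-file tampering described above is something a responder can hunt for directly. The following is an added example (not code from the article or from the Migo research) that parses hosts-file text and flags hostnames pointed at a sinkhole address; the sinkhole heuristic, the loopback allowlist and the sample hosts content are all assumptions constructed for illustration.

```python
import ipaddress

# Assumed heuristic: an entry that maps a real hostname to one of these
# addresses silently blackholes traffic to it, which is the behaviour the
# Migo write-up attributes to its hosts-file modification.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately resolve to loopback on most Linux installs.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
    "ip6-localnet", "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters",
    "ip6-allhosts",
}

# Constructed sample hosts file (not a real capture); the .test names stand
# in for cloud-provider domains an intruder might want to block.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         ip6-localhost ip6-loopback
127.0.1.1   build-node-01
0.0.0.0     metadata.example-cloud.test
0.0.0.0     monitoring.example-cloud.test   # trailing comment is ignored
10.0.0.5    fileserver.corp.test
"""


def parse_hosts(text):
    """Return (address, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)          # reject non-address first fields
        except ValueError:
            continue
        entries.extend((addr, name.lower()) for name in names)
    return entries


def suspicious_sinkholes(text, allow=()):
    """Hostnames mapped to a sinkhole address that are not known loopback names.

    `allow` lets a responder whitelist the machine's own hostname or other
    intentional blackhole entries (ad-blocking lists, for example).
    """
    ignore = LOCAL_NAMES | {n.lower() for n in allow}
    return [(addr, name) for addr, name in parse_hosts(text)
            if addr in SINKHOLE_ADDRS and name not in ignore]


if __name__ == "__main__":
    for addr, name in suspicious_sinkholes(SAMPLE_HOSTS):
        print(f"sinkholed: {name} -> {addr}")
```

On a live host, feed it the contents of /etc/hosts and compare the hits against the domains your workloads are expected to reach.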
Yannick Rugamba says
Researchers have discovered a new variant of the NAT Slipstreaming technique that can completely bypass enterprise firewalls and NAT gateways by abusing flaws in supporting protocols like H.323 and FTP. The attack tricks the network perimeter into opening access to any internal IP address, allowing unmanaged devices like IP cameras and industrial controls to be reached remotely from the internet. Major browser vendors have patched the attack vector, but many NAT devices will likely remain affected due to legacy protocol dependencies. This poses severe risks of external compromise for the multitude of embedded devices found on internal networks that are rarely patched and authenticated. The findings underscore weaknesses in the evolution of NAT firewalls over the last 30 years, as convenience and address conservation took priority over security in their design. https://www.armis.com/research/nat-slipstreaming-v2-0/
Eyup Aslanbay says
Google has launched the AI Cyber Defense Initiative to enhance cybersecurity using artificial intelligence. This initiative focuses on scaling threat detection, malware analysis, and incident response through AI. The company has also introduced Magika, an open-source AI tool for malware detection, and is offering $2 million in research grants to support AI security advancements.
https://www.forbes.com/sites/daveywinder/2024/02/15/new-google-security-includes-gmail-magic-protection–ai-cyber-defense-initiative/?sh=293707307575
Edge Kroll says
https://www.securityweek.com/websites-hacked-via-vulnerability-in-bricks-builder-wordpress-plugin/
Attackers are taking advantage of a recently patched vulnerability in the Bricks Builder plugin for WordPress, as reported by WordPress security company Patchstack. The vulnerability, tracked as CVE-2024-25600, is a remote code execution (RCE) flaw that allows attackers to execute arbitrary PHP code on affected WordPress websites without authentication. Bricks released patches on February 13 with version 1.9.6.1, urging users to update promptly to mitigate the risk. The first exploitation attempts were observed on February 14, with attacks originating from multiple IP addresses. Bricks Builder, a visual site builder for WordPress, has approximately 25,000 active installations in its premium version.