Cyber Intel Brief: July 19 – 26, 2023

The Rising Tide of Active Directory Exploitation: Protect Your Network Now

We’ve all heard the adage: “An ounce of prevention is worth a pound of cure.” In cybersecurity, this rings true more than ever. Today, let’s delve into a threat that could affect many organizations, forcing us to reevaluate and strengthen our security frameworks – the exploitation of Active Directory Certificate Services (AD CS).

The threat actors demonstrated high-level capability and sophistication by exploiting an AD CS vulnerability, specifically CVE-2022-26923, to gain domain administrator privileges, putting sensitive data and operational stability at significant risk. What is scarier is that these actors could be part of a sophisticated threat group, and we assess the chance of your organization being a target of such an intrusion as moderate to high.

What happened exactly? The threat actors initially accessed the victim’s network via a VPN, using a third-party IT management account that, unfortunately, had multi-factor authentication (MFA) disabled. Once inside, they identified a server running AD CS, exploiting the vulnerability despite Microsoft’s update KB5014754 designed to counter this threat. Due to the Key Distribution Center’s configuration, the exploit was not blocked but merely logged as a warning. 

A subsequent DCSync attack was attempted but fortunately detected and thwarted by the victim’s security tools. With the threat actors likely to refine their methods based on lessons learned from this and similar attacks, it is incumbent on organizations to protect their servers running AD CS proactively. These actors may also develop new ways to exploit AD CS vulnerabilities or use more advanced tools to perform DCSync attacks, pushing the potential risk factor to new heights.

Now is the time to take action. As a trusted leader in managed detection and response, we have gleaned vital insights from analyzing the tactics, techniques, and procedures (TTPs) employed by these threat actors. We have assessed the risk and impact and are making well-informed predictions about their future behavior.

Our expert recommendation for mitigating such threats includes:

• Regular patching.
• Granular access control.
• Disabling HTTP access for AD CS.
• Strict security management of AD CS.
• Enabling MFA.
• Continuous monitoring for suspicious activity.

Active Directory Under Siege: Defending Your Domain from Sophisticated Threats

Recently IBM X-Force detailed an intrusion exploiting a vulnerability in Active Directory Certificate Services (AD CS), specifically CVE-2022–26923. Here’s what you need to know.

The threat actors initially accessed the client network through a VPN, using a third-party IT management account with disabled multi-factor authentication (MFA). Once inside, they identified a server running AD CS and exploited the vulnerability, gaining domain admin privileges.

This intrusion is particularly concerning because the threat actors bypassed a patch designed to protect against such exploitation attempts; through a flaw in the Key Distribution Center’s configuration, the intrusion was only logged as a warning, enabling the actors to carry on undetected. This shows that even the most robust security frameworks are vulnerable when critical security controls, such as patching and configuration management, are neglected.

In the face of such threats, it’s not enough to be on the defensive. Organizations must also take proactive measures to protect their networks and data. Regular patching, granular access control, disabling HTTP access for AD CS, strict security management of AD CS, enabling MFA, and monitoring for suspicious activity are some of the crucial steps you should take.

These active threat actors are more than just random cybercriminals. They have demonstrated high capability and sophistication, indicating they could be part of a well-coordinated and well-resourced threat group. The likelihood of your organization being affected by this threat is moderate to high, especially if you haven’t properly implemented necessary patches or security configurations.

Navigating the KillNet Storm: The Rise of Pro-Russian Cyber Activism

It’s no secret that the ever-evolving landscape of cybersecurity is filled with complex challenges. From threat actors capitalizing on geopolitical tensions to hacktivist collectives disrupting on a global scale, the need for robust cybersecurity has never been greater. One name making headlines is KillNet, the pro-Russian hacktivist collective that has been disrupting industries across the globe.

KillNet, a group that has been active since late 2021 and has notably ramped up its operations in recent times, has claimed responsibility for a slew of cyberattacks, including DDoS attacks, data theft, and leaks against organizations across multiple sectors. The group made headlines recently with the successful disruption of Microsoft services in June 2023 and a concerning compromise and leak of NATO documents.

What do these escalating attacks indicate? KillNet’s rapid increase in capabilities signals a substantial escalation in the threat they pose. Furthermore, its operations strongly align with Russia’s geopolitical interests, suggesting that the collective’s primary targets will likely remain in the United States and Europe.

If your organization operates in these regions or if you are a supporter of Ukraine, the likelihood of being affected by the threat posed by KillNet is worryingly high. Your servers, network infrastructure, and databases containing sensitive information could be at risk. It is crucial to safeguard against DDoS attacks, protect your data, and bolster your defenses against potential ransomware attacks.

And the threat landscape may yet evolve. KillNet’s recent collaboration with actors claiming to be from the notorious Russian ransomware group, REvil, points to a potential broadening in its tactics, techniques, and procedures (TTPs). If this collaboration proves to be true, we may witness a further expansion of KillNet’s capabilities and a possible shift in its TTPs. This could heighten the risk for organizations, particularly those operating in the financial sector. Now more than ever, we urge organizations to prioritize network hardening, data protection, and ransomware prevention measures.

The Wake of the JumpCloud Breach: Lessons Learned and Future Defense Strategies

In the cyber landscape, a company’s most valuable asset can quickly become its most significant liability – customers. We’ve seen this recently with the sophisticated supply chain attack against JumpCloud, a cloud-based directory service, and its subsequent implications for their customers. UNC4899, a suspected North Korean element within the Reconnaissance General Bureau, has been attributed to this attack, marking yet another chapter in the evolving book of supply-chain attacks.

The modus operandi of UNC4899 in the JumpCloud intrusion is multifaceted and exhibits high-level capabilities and resources. They employed advanced tactics, techniques, and procedures (TTPs), deployed multiple backdoors (FULLHOUSE.DOORED, STRATOFEAR, and TIEDYE), and used Operational Relay Boxes (ORBs) and commercial VPN providers to conceal their source address.

Such advanced exploits underscore a crucial question: how do we guard against such attacks? The answer lies in understanding the enemy and implementing robust countermeasures. UNC4899 will likely continue targeting organizations providing critical network services, particularly cryptocurrency-related ones. Their intentions seem rooted in financial gain, likely to fund their cyber espionage operations and sidestep economic sanctions.

Regarding cyber defense strategies, we recommend implementing multi-factor authentication (MFA), promoting regular security awareness training, deploying advanced endpoint protection solutions, and adopting a zero-trust architecture, among other measures. These countermeasures are designed to thwart the advanced tactics and techniques used by UNC4899 and similar threat actors.

As the North Korean cyber landscape continues to evolve towards a more streamlined approach, with increased sharing of tools and targeting efforts among different teams and operators within the Reconnaissance General Bureau (RGB), it’s more crucial than ever for organizations to prioritize proactive defense.

Lurking in Your Inbox: Understanding and Protecting Against the CVE-2023-23397 Exploit

In today’s fast-paced digital world, your inbox has become a battleground. Samples exploiting CVE-2023-23397, a critical Elevation of Privilege (EoP) that affects all supported versions of Microsoft Outlook for Windows, is a sobering testament to that reality. Here’s why:

Outlook objects (.MSG, .EML, and task attachments in TNEF formats) that exploit CVE-2023-23397 could leak the Net-NTLMv2 hash of the user currently signed into the Windows device, where the Outlook client application is running, all without the user’s interaction. Such an exploit can be used to relay authentication against other systems or perform offline cracking to extract the password.

Analysis revealed that the threat actors responsible for its exploitation leveraged a network of compromised routers to orchestrate their activities. This method showcases a highly sophisticated and stealthy approach, signifying a formidable adversary.

We recommend implementing several measures to mitigate the threat posed by this exploit. These include patching CVE-2023-23397 and CVE-2023-29324 promptly, conducting regular security awareness training for employees, implementing network segmentation, and conducting regular security assessments.

NetScaler Zero-Day Threat: Arm Your Infrastructure Against New Wave Attacks

Cybersecurity isn’t a battlefield; it’s a high-stakes game of chess. And just like chess, the dynamics change significantly when a new piece enters the game. That new piece is CVE-2023-3519, a zero-day vulnerability affecting NetScaler ADC and NetScaler Gateway.

A recent CISA Cybersecurity Advisory revealed that threat actors had exploited this zero-day vulnerability to implant a webshell on a critical infrastructure organization’s NetScaler ADC appliance. With this access, the actors could perform discovery on the victim’s active directory (AD), ultimately collecting and exfiltrating crucial AD data.

It is not the mere exploitation of this vulnerability that is concerning, but the level of sophistication and capability demonstrated by the threat actors. This incident highlights a grim reality: today’s cybercriminals are increasingly adept, utilizing advanced tools and techniques to penetrate even the most robust defenses.

We cannot understate the risk posed by CVE-2023-3519, particularly to organizations in the critical infrastructure sector. Given the widespread use of NetScaler ADC and NetScaler Gateway, the likelihood of other organizations falling prey to this threat is high. Successful exploitation of this vulnerability could lead to unauthenticated remote code execution, enabling threat actors to gain unauthorized access to sensitive data and systems, potentially leading to further lateral movement within the network.

Immediate action is required to mitigate this threat. Install the relevant updated version of NetScaler ADC and NetScaler Gateway, apply robust network segmentation controls, and review and test your security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework.

The LummaC2 Onslaught: Time to Fortify Your Cyber Defenses

In the realm of cybersecurity, threats continue to emerge at a blistering pace. The LummaC2 Stealer, a notably powerful and agile malware, has arisen due to its capabilities and alarming proliferation rate. Appearing in late 2022, LummaC2 has made a mark with its 90% reliability rate and the ability to steal around 70 different types of browser-based cryptocurrencies and 2FA extensions.

This malware has been observed being offered on dark web marketplaces. Over 127,000 LummaC2 logs were listed for sale in 2023 alone, suggesting a widespread and escalating usage of this potent threat. In fact, one prolific user, Mo####yf, has offered over 3 million logs for sale this year, including logs for Redline, Racoon, and Vidar. The evidence is clear: the LummaC2 threat is real and growing.

Organizations need to grasp the implications of falling victim to LummaC2 fully. These include substantial financial loss due to stolen cryptocurrency, the potential for follow-on malicious activity and regulatory fines for data breaches, and the cost of post-breach response and bolstering cybersecurity measures.

Maintaining up-to-date systems and software and educating employees about social engineering techniques are essential. Don’t wait for LummaC2 to land on your doorstep. Take a proactive approach today.

Latest Additions to Data Leak Sites

The surge of data leaks and ransomware attacks remains a constant threat to businesses worldwide. Over the past week, monitored data extortion and ransomware threat groups added an alarming 67 victims to their public leak sites. Of these victims, the majority (43) are U.S.-based organizations. The industry breakdown of these attacks reveals an equally troubling trend, with the Manufacturing sector taking the heaviest hit, followed by the Professional, Scientific, and Technical Services, and Information sectors.

The gravity of this situation is far from the abstract. These numbers represent organizations that may have been successfully compromised by cybercriminals who opted not to negotiate or pay a ransom. The caveat is that we can’t confirm the legitimacy of the cybercriminals’ claims. However, their audacious actions remain a stern warning. These sobering statistics underline a pressing need for proactive, robust cybersecurity measures.

CISA Adds 4 CVEs to its Known Exploited Vulnerabilities Catalog

The threat landscape perpetually evolves, throwing up new challenges and vulnerabilities at every turn. Last week alone, the Cybersecurity and Infrastructure Security Agency (CISA) added four new Common Vulnerabilities and Exposures (CVEs) to its Known Exploited Vulnerabilities Catalog, affecting vendors from Ivanti, Apple, and Adobe. The vulnerabilities allow for authentication bypass and improper access control, posing a substantial threat to organizations that rely on these systems.

With assigned CVE identifiers as CVE-2023-38606, CVE-2023-35078, CVE-2023-29228, and CVE-2023-38205, it’s clear that the digital ecosystem’s complex nature requires robust and adaptive measures for threat mitigation. The CISA has set a mitigation due date between August 10 and August 16, 2023. Organizations expose themselves to potential breaches and cyberattacks if these updates are not promptly applied.