Advisory ID: NCC-CSIRT-081123-040
Summary: Google has issued a warning about several hackers utilizing a tool known as Google Calendar RAT (GCR), which leverages Google Calendar Events for command-and-control Operations (C2) through a Gmail account. These threat actors have shared a public proof-of-concept (PoC) exploit that uses Google's Calendar service to host C2 infrastructure. This poses a notable challenge for cybersecurity experts, as it effectively conceals malicious communications within genuine calendar events.
Threat Type(s): Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Google Calendar
Platform(s): Gmail Accounts
Version(s): All Versions
Description: Valerio Alessandroni, an IT researcher, explained that to use the Google Calendar RAT for command-and-control (C2) activities, an attacker would set up a Google service account, obtain its credentials.json file, and place it in the script directory. Then, they'd create a new Google calendar and share it with the service account, modify the script to link to the calendar address, and use the event description field to execute commands.
When active on an infected device, the RAT regularly checks for such commands, executes them, and relays the output in the description field. Apart from its innovative approach, the significant advantage of the Google Cloud RAT is its operation via legitimate cloud infrastructure, making it challenging to detect and prevent.
Consequences: The threat enables malicious instructions to seamlessly integrate with authentic calendar entries, rendering it challenging for security tools to detect and prevent them.
Solution: Organizations can defend against this threat through the following ways:
- Anomaly-Based Monitoring: When an organization is developing a detection strategy, it should focus on identifying anomalies and detecting malicious activities entering its system.
- Intrusion Detection System (IDS) and Network Monitoring: Utilize tools for detecting application-level or network-level command-and-control (C2) traffic, as well as data exfiltration. The tools recommended by Google are Cloud IDS (https://cloud.google.com/intrusion-detection-system) or open-source alternatives such as Suricata (https://suricata.io/) in conjunction with Zeek (https://zeek.org/).
- Network Segmentation: Segment your networks to minimize the consequences of potential threats gaining access to more resources within your environment.
References:
https://www.darkreading.com/cloud/google-cloud-rat-calendar-events-command-and-control
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_oct2023.pdf
https://pc-tablet.com/google-calendar-rat-new-threat-hides-in-plain-sight/
https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html
https://www.blackhatethicalhacking.com/news/google-calendar-under-threat-gcr-tool-uses-it-for-command-and-control-operations/
https://www.redpacketsecurity.com/google-warns-how-hackers-could-abuse-calendar-service-as-a-covert-c-channel/
Advisory ID: NCC-CSIRT-201023-039
Summary: Security experts at VulnCheck have identified a severe zero-day vulnerability in CISCO devices utilizing the IOS XE software. This vulnerability has been actively exploited by an unidentified threat actor to establish unauthorized access to susceptible networks. A successful exploitation of this vulnerability grants the threat actor the ability to remotely execute commands at the core levels of compromised devices, including the system and iOS layers.
Threat Type(s): Vulnerability, and Man-in-the-middle attack
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Cisco Switch, Router, or Wireless LAN Controller.
Platform(s): Web User Interface of Cisco IOS XE Software
Version(s): All Versions
Description: As per the findings of the researchers, Cisco devices, both physical and virtual, running Cisco IOS XE software and having the HTTP or HTTPS Server feature enabled are susceptible to the identified exploit. Furthermore, as stated by Cisco's Talos security team, successfully exploiting this critical zero-day vulnerability permits an attacker to establish an account on the impacted device with Privileged EXEC mode (equivalent to Privilege level 15 access). Privileged EXEC mode in Cisco IOS grants full control over the compromised device, potentially enabling unauthorized actions. Subsequently, the attacker can employ this account to take command of the affected system.
Consequences: Having privileged access on the IOS XE potentially enables attackers to observe network traffic, infiltrate secured networks, and execute various man-in-the-middle attacks.
Solution:
- Cisco users should disable the HTTP/HTTPS server feature on all internet-facing devices.
- Cisco users should safeguard their devices by applying an interim solution to prevent vulnerable devices from exploitation. Look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. Cisco advised running the following command against the device to identify if the implant is present: curl ‘-k -X POST "https[:]//DEVICEIP/webui/logoutconfirm.html?logon_hash=1"’
- Users should conduct comprehensive scans to identify any instances of devices being compromised. An open-source tool made available by VulnCheck to scan for the malicious implant accessible via the following link: https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
References:
https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.securityweek.com/tens-of-thousands-of-cisco-devices-hacked-via-zero-day-vulnerability/
https://www.securityweek.com/cisco-devices-hacked-via-ios-xe-zero-day-vulnerability/
https://www.infosecurity-magazine.com/news/cisco-critical-vulnerability-ios/
https://news.hitb.org/content/actively-exploited-cisco-0-day-maximum-10-severity-gives-full-network-control
Advisory ID: ngCERT-2023-0038
Summary: Cloud storage misconfigurations have emerged as one of the most serious threats to data security in cloud storage systems. In a recent instance, 25,000 participants in PricewaterhouseCoopers' (PwC) Nigeria Tech Talent Bootcamp were at risk of identity theft after confidential data was stolen through a misconfigured Amazon Web Services account. In another development, the World Baseball Softball Confederation (WBSC) left a data repository open, exposing approximately 50,000 files, some of which were highly sensitive. Furthermore, a misconfiguration in the San Francisco Metropolitan Transportation Commission (MTC) systems resulted in the release of over 26,000 files, exposing clients' home addresses and vehicle plate numbers. It is important to know that threat actors are always looking for vulnerabilities such as misconfigured AWS, Azure, or Google Cloud resources in order to exploit them. Given the foregoing, cloud-based digital end-users must ensure correct configuration of their data buckets to avoid data breaches.
Threat Type(s): Vulnerability
Damage/Probability: HIGH/HIGH
Description: Cloud misconfiguration is an improper configuration of a cloud system and may occur when a user or administrator fails to implement the correct security settings in a cloud application. Although there may be shared responsibilities between the cloud providers and end users, it often the obligation of the end users to ensure the proper configuration of cloud services acquired. Some common cloud misconfigurations include inadequate monitoring and logging of activities to track changes, using default credentials provided by the cloud service provider, using third-party resources, storage access misconfigurations, non-validation of cloud security controls, excessive permissions and unrestricted ports. Such vulnerabilities could be exploited by threat actors to gain access to an organisation’s storage, resulting in the theft of sensitive information such as sensitive credentials and API keys.
Consequences: Misconfigured cloud assets can be a doorway to the theft of location data, passwords, financial information, phone numbers, health records and other exploitable personal data. Threat actors may then leverage this data for phishing and other social engineering attacks.
Solution: Cloud storage end-users should:
- Ensure strict monitoring and logging of activities to keep track of changes or suspicious behaviour.
- Avoid using default credentials in the production environment.
- Conduct extensive research on the security vulnerabilities of third-party resources before opting for their services.
- Ensure that storage access is restricted to individuals within the organisation and enable robust encryption for critical data stored in the buckets.
- Apply the principle of least privilege for both machines and humans for access to all systems.
References:
Advisory ID: NCC-CSIRT-161023-038
Summary: Trend Micro security researchers discovered DarkGate, a piece of malware that is being spread via instant messaging platforms such as Microsoft Teams and Skype. On successful compromise, the malware has a wide range of features that allow its operators to remotely control the infected devices while also collecting sensitive data from web browsers and mining cryptocurrencies. Additionally, access to the victim's Skype and Microsoft Teams accounts allowed the actor to hijack an existing messaging thread and craft the naming convention of the files to relate to the context of the chat history.
Threat Type(s): Malware, and Phishing
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Android and iOS device types, including mobile phones, tablets, and CTV products.
Platform(s): Android and iOS Operating Systems
Version(s): All Versions
Description: According to the researchers, the attackers leveraged compromised Skype accounts to infect targets via a Visual Basic for Applications (VBA) loader script disguised as a PDF attachment. When read, the VBA causes the download and execution of an AutoIt script meant to start the DarkGate malware.
Moreover, malicious actors targeted Microsoft Teams users via compromised Office 365 accounts outside their organizations and a publicly available tool named TeamsPhisher. This tool enables attackers to bypass restrictions for incoming files from external tenants and send phishing attachments to Teams users.
Although, the researchers declared that it is yet unclear how the originating accounts of the messaging apps were compromised, it is hypothesized to be either through leaked credentials or a previous compromise of the parent organization.
Consequences: The malware offers a wide range feature, including concealing a Virtual Network Computing (VNC) graphical desktop-sharing system, capabilities to bypass Windows Defender, a browser history theft tool, an integrated reverse proxy, a file manager, and a Discord token stealer..
Solution:
- Organizations should enforce rules regarding instant messaging applications.
- Install and scan your system with strong and reliable anti-malware solution.
- Be wary of emails and SMS containing malicious attachments
- Utilize multifactor authentication on your system to prevent the misuse of credentials.
- Apply safe configurations and disabling external access to your Microsoft Team if not necessary.
References:
https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-through-compromised-skype-accounts/
https://heimdalsecurity.com/blog/darkgate-malware-spreaded-via-pdf-files-through-microsoft-teams-and-skype/
https://www.redpacketsecurity.com/darkgate-malware-spreads-through-compromised-skype-accounts/
https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html
https://nquiringminds.com/cybernews/darkgate-malware-distributed-through-compromised-skype-and-microsoft-teams-accounts/
https://cybersecuritynews.com/hackers-abusing-skype/
https://www.techrepublic.com/article/darkgate-loader-malware-microsoft-teams/
https://www.trendmicro.com/en_us/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html
Advisory ID: NCC-CSIRT-101023-037
Summary: The PEACHPIT Ad Fraud Botnet is part of a larger operation called BADBOX, which involves the sale of off-brand mobile and connected TV (CTV) devices on popular online marketplaces and resale sites. These devices are tainted with Android malware called Triada.
The threat also allows hackers to create messaging accounts on platforms like WhatsApp by pilfering one-time passwords from the compromised devices. Additionally, it enables them to create Gmail accounts that appear legitimate and evade bot detection.
Threat Type(s): Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Android and iOS device types, including mobile phones, tablets, and CTV products.
Platform(s): Android and iOS Operating Systems
Version(s): All Versions
Description: The PEACHPIT botnet’s network of associated apps was discovered in 227 countries and territories, reaching a peak of 121,000 Android devices and 159,000 iOS devices daily. Infections occurred through 39 apps that were downloaded more than 15 million times.
The attribute of this Ad fraud is the use of counterfeit apps available on significant app marketplaces like the Apple App Store and Google Play Store, as well as apps automatically downloaded onto compromised BADBOX devices. These apps contain a module responsible for creating hidden WebViews that are then used to request, render, and click on ads, and masquerading the ad requests as originating from legitimate apps.
Consequences: The malware-infected devices enabled the operators to steal sensitive data, establish residential proxy exit peers, and carry out ad fraud through fraudulent apps.
Solution:
- Do not click on ads, especially those that include typos, unfamiliar brand names, or offer services that sound too good to be true.
- If you cannot find any information on the company of a device you are buying, avoid it.
- When buying devices online, you will find a never-ending stream of good deals. When you come across one of those deals that appeals to you, the first thing you should do is research the brand device name.
- If you find information from a reliable source that indicates the brand is both legit and trustworthy, you can continue considering the purchase. Otherwise, do not even bother putting that item in your shopping cart.
References:
https://thehackernews.com/2023/10/peachpit-massive-ad-fraud-botnet.html
https://www.purevpn.com/blog/news/beware-of-devices-with-an-ad-fraud-botnet-named-peachpit/
https://www.zdnet.com/article/newly-discovered-android-malware-has-infected-thousands-of-devices/