Advisory ID: ngCERT-2023-0040
Summary: The end-of-year holiday season has so far seen an increase in the number of Black Friday adverts offering attractive discounts on goods and services. However, unsuspecting online shoppers can also be targets of cyber-attacks disguised as genuine retail brands offering mouth-watering Black Friday deals. Cybercriminals take advantage of the Black Friday frenzy by setting up fake websites to trick customers into sharing sensitive information. Trend Micro reports that in the month of October alone, nearly 35,000 Black Friday scam-related sites were observed seeking to lure victims for further exploitation. Accordingly, online shoppers and retailers alike are advised to put in place the security measures necessary to mitigate Black Friday cyber-scams.
Threat Type(s): Malware
Damage/Probability: HIGH/HIGH
Description: Black Friday cyber-attacks are usually phishing attempts that target online shoppers through fake or counterfeit websites, emails, and text messages. Scammers take advantage of increased e-commerce activity by impersonating popular marketplaces, premium brands, and gadget stores using fake URLs. By advertising big discounts on products, they entice buyers to click on these fake URLs and share sensitive information, such as account passwords, payment details, or personal information that can be exploited for identity theft. Some of these fraudulent websites can also be used to infect the victim's device with malware or ransomware, while duping customers into paying for non-existent goods. Threat actors may also use an account verification scam, in which the victim receives a text or email informing them that their account has been compromised and that they must act quickly to secure it. The message contains a clickable link or a phone number that will ostensibly help speed up the process of verifying and securing the account; if the target clicks the link, malware may be deployed.
Consequences: A successful Black Friday scam could result in the following:
- Account and device compromise.
- Installation of malicious software.
- Non delivery of purchased items.
- Banking and personal information theft.
- Financial loss.
- Identity theft.
Solution:
The following measures should be adopted:
- Always verify links, websites, and email addresses, and be wary of a false sense of urgency.
- Be wary of deals that are too good to be true and advertised or linked through social media.
- Always double-check on the official brands' sites for information instead of following the sketchy links through.
- Avoid clicking on sponsored advertisements. Some scammers use "malvertising" to target customers, luring them to click on ads that then install malware that compromises their devices.
- Never send payment information via email, and avoid off-platform transactions to ensure refund options.
- To reduce the risk of credit card skimming, use virtual credit cards or third-party payment processors, which help protect your card details.
- Don't be swayed by positive reviews; they can be faked or purchased.
- Resolve issues on the brand's website rather than via email.
- If you provided login information to any website, change your username and password right away. Also, if necessary, change your phone or bank card PIN.
- Use Two-Factor Authentication (2FA) for bank and credit card access.
- When visiting retailers via links in emails or social media posts, be cautious—only click if you trust the source and can verify that the message is genuine.
- If you receive an email or text message about a delivery issue, do not click any links or call any numbers provided.
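The first advice item above, verifying links before following them, can be partly automated. The checker below is an added example and is not part of the ngCERT advisory: it flags a URL whose host imitates a known retail brand (brand name embedded in an unrelated domain, a one-character typosquat, a non-ASCII or punycode host, or plain HTTP). The brand allow-list, the registrable-domain heuristic and the sample URLs are constructed for illustration.

```python
# Added example (not from the ngCERT advisory): flag URLs whose host imitates a known
# retail brand. The brand allow-list and the sample URLs are constructed for illustration.
from urllib.parse import urlparse

# Hypothetical allow-list of legitimate retail domains (constructed sample values).
KNOWN_BRANDS = {"jumia.com.ng", "konga.com", "amazon.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats such as 'amazom' for 'amazon'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Crude last-two/three-label heuristic; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "co", "org", "net"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Return a verdict ('known brand', 'suspicious' or 'unknown') with the reasons found."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return {"url": url, "domain": domain, "verdict": "known brand", "reasons": []}

    reasons = []
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        reasons.append("non-ASCII or punycode host (possible homograph)")
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        if brand_label in host:
            reasons.append(f"host contains '{brand_label}' but the domain is {domain}")
        elif levenshtein(domain.split(".")[0], brand_label) == 1:
            reasons.append(f"domain is one edit away from '{brand_label}'")
    if parsed.scheme == "http":
        reasons.append("not served over HTTPS")
    verdict = "suspicious" if reasons else "unknown"
    return {"url": url, "domain": domain, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for u in ["https://www.jumia.com.ng/black-friday", "https://amazom.com/deals",
              "http://konga-com-blackfriday.example/login"]:
        print(assess_url(u))
```

An "unknown" verdict is not a clean bill of health; it only means the host does not resemble a listed brand, which is why the advice to go to the brand's official site directly still applies.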
References:
https://cybernews.com/editorial/cyberattacks-black-friday-cyber-monday/
Advisory ID: ngCERT-2023-0039
Summary: Users of the Google Chrome browser and of Apple systems have recently been reported as exposed to malicious hackers who may exploit flaws discovered on those platforms. Vulnerabilities recently discovered in Google Chrome and in Apple systems, particularly the operating systems (OS) of the iPhone, iPad, Mac computers, Apple Watch and Apple TV and the Safari internet browser, may allow hackers to take control of the devices. Individuals and organizations must therefore take proactive action to defend themselves from these threats.
Threat Type(s): Malware
Damage/Probability: HIGH/HIGH
Description: Vulnerabilities in an IT system are flaws, features, or user errors that an attacker can exploit to compromise IT infrastructure. Cybercriminals use a variety of techniques to exploit flaws in web browsers and devices. Hackers find a flaw or weakness that allows them to download and execute malicious code (typically after a user visits or clicks on a compromised URL or file). That code can then automatically download and run further malicious code or steal vital corporate information. Phishing is another prevalent tactic. In this case, attackers send phishing emails carrying exploit kits that target web browsers. The victim clicks on a link or attachment in the email, which opens a malicious page in their web browser; that page can then exploit an unpatched vulnerability to deploy malware packages or steal browser data.
Consequences: The exploitation of vulnerabilities in the aforementioned systems could result in:
i. Denial of service.
ii. Data exfiltration.
iii. Identity theft.
iv. Financial losses.
Solution: Service providers have issued security patches to reduce the dangers. Regardless, all users are encouraged to immediately:
- Update their devices, software, and systems to the latest versions.
- Clear browser history to erase stored credentials or passwords.
- Clear cookies, as they can allow hackers to access email services without a user’s
- Avoid clicking on malicious links that could compromise their browsers.
References:
https://fastcompanyme.com/news/uae-issues-security-warning-for-google-chrome-and-apple-users
Advisory ID: NCC-CSIRT-081123-040
Summary: Google has issued a warning about hackers using a tool known as Google Calendar RAT (GCR), which leverages Google Calendar events for command-and-control (C2) operations through a Gmail account. These threat actors have shared a public proof-of-concept (PoC) exploit that uses Google's Calendar service to host C2 infrastructure. This poses a notable challenge for cybersecurity experts, as it effectively conceals malicious communications within genuine calendar events.
Threat Type(s): Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Google Calendar
Platform(s): Gmail Accounts
Version(s): All Versions
Description: Valerio Alessandroni, an IT researcher, explained that to use the Google Calendar RAT for command-and-control (C2) activities, an attacker would set up a Google service account, obtain its credentials.json file, and place it in the script directory. Then, they'd create a new Google calendar and share it with the service account, modify the script to link to the calendar address, and use the event description field to execute commands.
When active on an infected device, the RAT regularly checks for such commands, executes them, and relays the output in the description field. Apart from its innovative approach, the significant advantage of the Google Cloud RAT is its operation via legitimate cloud infrastructure, making it challenging to detect and prevent.
Consequences: The threat enables malicious instructions to seamlessly integrate with authentic calendar entries, rendering it challenging for security tools to detect and prevent them.
Solution: Organizations can defend against this threat through the following ways:
- Anomaly-Based Monitoring: When developing a detection strategy, an organization should focus on identifying anomalies and detecting malicious activity entering its systems.
- Intrusion Detection System (IDS) and Network Monitoring: Utilize tools for detecting application-level or network-level command-and-control (C2) traffic, as well as data exfiltration. The tools recommended by Google are Cloud IDS (https://cloud.google.com/intrusion-detection-system) or open-source alternatives such as Suricata (https://suricata.io/) in conjunction with Zeek (https://zeek.org/).
- Network Segmentation: Segment your networks to minimize the consequences of potential threats gaining access to more resources within your environment.
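The description above gives the detection engineer one concrete behaviour to look for: an infected host polls the calendar at regular intervals for commands and writes output back into the event description. The script below is an added example, not code from the advisory or from Google, showing how the anomaly-based monitoring recommended above could be applied to web-proxy logs: it groups Google Calendar API requests by source address, measures how regular the gaps between read requests are, and flags sources whose polling is frequent and clockwork-like. The log format, addresses, timestamps and thresholds are all constructed for illustration.

```python
# Added example (not from the NCC-CSIRT advisory): spot clockwork polling of the Google
# Calendar API from an endpoint, the pattern a Calendar-based RAT produces while waiting
# for commands. Log format, hosts and timestamps are constructed for illustration.
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Constructed proxy log: "<ISO timestamp> <src_ip> <method> <host> <path>"
SAMPLE_LOG = """\
2023-11-08T09:00:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:01:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:02:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:03:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:03:02 10.0.5.23 PUT www.googleapis.com /calendar/v3/calendars/primary/events/abc123
2023-11-08T09:04:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:05:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:06:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:07:00 10.0.5.23 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:00:12 10.0.5.40 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:00:13 10.0.5.40 GET mail.google.com /mail/u/0/
2023-11-08T09:03:47 10.0.5.40 GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-08T09:15:02 10.0.5.40 GET www.googleapis.com /calendar/v3/calendars/primary/events
"""

CALENDAR_HOST = "www.googleapis.com"
CALENDAR_PATH_PREFIX = "/calendar/v3/"
MIN_POLLS = 6      # fewer reads than this are not enough to judge regularity
MAX_GAP_CV = 0.2   # coefficient of variation of inter-poll gaps; ~0 means clockwork polling


def parse_line(line: str) -> dict:
    ts, src, method, host, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method, "host": host, "path": path}


def calendar_activity(log_text: str) -> dict:
    """Group Calendar API requests per source: read (GET) timestamps and write counts."""
    per_src = defaultdict(lambda: {"polls": [], "writes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] != CALENDAR_HOST or not rec["path"].startswith(CALENDAR_PATH_PREFIX):
            continue
        if rec["method"] == "GET":
            per_src[rec["src"]]["polls"].append(rec["ts"])
        else:  # POST/PUT/PATCH: an event (and its description field) is being modified
            per_src[rec["src"]]["writes"] += 1
    return per_src


def gap_regularity(timestamps) -> Optional[float]:
    """Coefficient of variation of the gaps between polls; None if too few to measure."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def find_beacons(log_text: str, min_polls: int = MIN_POLLS, max_gap_cv: float = MAX_GAP_CV) -> dict:
    """Return sources whose Calendar polling is frequent and regular enough to look automated."""
    flagged = {}
    for src, act in calendar_activity(log_text).items():
        cv = gap_regularity(act["polls"])
        if len(act["polls"]) >= min_polls and cv is not None and cv <= max_gap_cv:
            flagged[src] = {"polls": len(act["polls"]), "gap_cv": round(cv, 3), "writes": act["writes"]}
    return flagged


if __name__ == "__main__":
    for src, info in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: regular Calendar polling {info}; confirm whether a calendar integration is expected")
```

Legitimate calendar clients also poll, so a hit is a lead to triage rather than a verdict: compare the flagged source against the hosts where a calendar integration or service account is actually expected, and look at the user agent and the account used. The same grouping can be fed from Zeek's HTTP or SSL logs instead of a proxy log.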
References:
https://www.darkreading.com/cloud/google-cloud-rat-calendar-events-command-and-control
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_oct2023.pdf
https://pc-tablet.com/google-calendar-rat-new-threat-hides-in-plain-sight/
https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html
https://www.blackhatethicalhacking.com/news/google-calendar-under-threat-gcr-tool-uses-it-for-command-and-control-operations/
https://www.redpacketsecurity.com/google-warns-how-hackers-could-abuse-calendar-service-as-a-covert-c-channel/
Advisory ID: NCC-CSIRT-201023-039
Summary: Security experts at VulnCheck have identified a severe zero-day vulnerability in Cisco devices running IOS XE software. The vulnerability has been actively exploited by an unidentified threat actor to gain unauthorized access to susceptible networks. Successful exploitation grants the threat actor the ability to remotely execute commands at the core levels of compromised devices, including the system and IOS layers.
Threat Type(s): Vulnerability, Man-in-the-middle attack
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Cisco Switch, Router, or Wireless LAN Controller.
Platform(s): Web User Interface of Cisco IOS XE Software
Version(s): All Versions
Description: As per the findings of the researchers, Cisco devices, both physical and virtual, running Cisco IOS XE software and having the HTTP or HTTPS Server feature enabled are susceptible to the identified exploit. Furthermore, as stated by Cisco's Talos security team, successfully exploiting this critical zero-day vulnerability permits an attacker to establish an account on the impacted device with Privileged EXEC mode (equivalent to Privilege level 15 access). Privileged EXEC mode in Cisco IOS grants full control over the compromised device, potentially enabling unauthorized actions. Subsequently, the attacker can employ this account to take command of the affected system.
Consequences: Having privileged access on the IOS XE potentially enables attackers to observe network traffic, infiltrate secured networks, and execute various man-in-the-middle attacks.
Solution:
- Cisco users should disable the HTTP/HTTPS server feature on all internet-facing devices.
- Cisco users should safeguard their devices by applying an interim mitigation to prevent vulnerable devices from being exploited. Look for unexplained or newly created users on devices as evidence of potentially malicious activity relating to this threat. Cisco advises running the following command against the device to identify whether the implant is present: curl -k -X POST "https://DEVICEIP/webui/logoutconfirm.html?logon_hash=1"
- Users should conduct comprehensive scans to identify any compromised devices. An open-source tool made available by VulnCheck to scan for the malicious implant is accessible via the following link: https://github.com/vulncheck-oss/cisco-ios-xe-implant-scanner
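The curl probe quoted above is meant to be run per device; the script below, an added example that is neither Cisco's nor VulnCheck's code, runs the same POST against a list of IOS XE management addresses and classifies each reply. Cisco Talos states that a response consisting of a hexadecimal string indicates the implant is present, and that is the rule the classifier applies. The device list file is supplied by the operator; the response bodies used to exercise the classifier are constructed.

```python
# Added example (not Cisco's or VulnCheck's code): run Cisco Talos's implant probe against a
# list of IOS XE management addresses and classify each response.
import re
import ssl
import sys
import urllib.error
import urllib.request

PROBE_PATH = "/webui/logoutconfirm.html?logon_hash=1"
# Per Cisco Talos, a response consisting of a hexadecimal string means the implant is present.
HEX_BODY = re.compile(r"^[0-9a-fA-F]+$")


def looks_like_implant_response(body: str) -> bool:
    """True when the body is a bare hexadecimal string (the implant's tell-tale reply)."""
    return bool(HEX_BODY.match(body.strip()))


def probe_device(address: str, timeout: float = 10.0) -> dict:
    """POST the probe to one device's web UI (the equivalent of curl -k -X POST ...)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # like curl -k: device web UIs commonly use self-signed certs
    req = urllib.request.Request(f"https://{address}{PROBE_PATH}", data=b"", method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return {"device": address, "status": "unreachable", "detail": str(err)}
    status = "possible-implant" if looks_like_implant_response(body) else "no-indicator"
    return {"device": address, "status": status, "detail": body.strip()[:80]}


def probe_all(addresses) -> list:
    """Probe every non-empty address in the list and collect the results."""
    return [probe_device(a.strip()) for a in addresses if a.strip()]


if __name__ == "__main__":
    # usage: python check_iosxe_implant.py devices.txt   (one management address per line)
    with open(sys.argv[1]) as fh:
        for result in probe_all(fh.read().splitlines()):
            print(f"{result['device']}: {result['status']} ({result['detail']})")
```

A device that reports "unreachable" because its web UI has already been disabled (the first solution item above, which on IOS XE is done with the configuration commands no ip http server and no ip http secure-server) is in the intended state; a "possible-implant" result should be followed by the VulnCheck scanner linked above and by a review of the device's configured users.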
References:
https://arstechnica.com/security/2023/10/actively-exploited-cisco-0-day-with-maximum-10-severity-gives-full-network-control/
https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
https://www.securityweek.com/tens-of-thousands-of-cisco-devices-hacked-via-zero-day-vulnerability/
https://www.securityweek.com/cisco-devices-hacked-via-ios-xe-zero-day-vulnerability/
https://www.infosecurity-magazine.com/news/cisco-critical-vulnerability-ios/
https://news.hitb.org/content/actively-exploited-cisco-0-day-maximum-10-severity-gives-full-network-control
Advisory ID: ngCERT-2023-0038
Summary: Cloud storage misconfigurations have emerged as one of the most serious threats to data security in cloud storage systems. In a recent instance, 25,000 participants in PricewaterhouseCoopers' (PwC) Nigeria Tech Talent Bootcamp were at risk of identity theft after confidential data was stolen through a misconfigured Amazon Web Services account. In another development, the World Baseball Softball Confederation (WBSC) left a data repository open, exposing approximately 50,000 files, some of which were highly sensitive. Furthermore, a misconfiguration in the San Francisco Metropolitan Transportation Commission (MTC) systems resulted in the release of over 26,000 files, exposing clients' home addresses and vehicle plate numbers. It is important to note that threat actors are constantly looking for vulnerabilities such as misconfigured AWS, Azure, or Google Cloud resources to exploit. Given the foregoing, cloud-based digital end-users must ensure the correct configuration of their data buckets to avoid data breaches.
Threat Type(s): Vulnerability
Damage/Probability: HIGH/HIGH
Description: Cloud misconfiguration is an improper configuration of a cloud system and may occur when a user or administrator fails to implement the correct security settings in a cloud application. Although responsibilities are shared between the cloud provider and the end user, it is often the obligation of the end user to ensure the proper configuration of the cloud services acquired. Some common cloud misconfigurations include inadequate monitoring and logging of activities to track changes, using default credentials provided by the cloud service provider, using third-party resources, storage access misconfigurations, non-validation of cloud security controls, excessive permissions and unrestricted ports. Such vulnerabilities could be exploited by threat actors to gain access to an organisation's storage, resulting in the theft of sensitive information such as credentials and API keys.
Consequences: Misconfigured cloud assets can be a doorway to the theft of location data, passwords, financial information, phone numbers, health records and other exploitable personal data. Threat actors may then leverage this data for phishing and other social engineering attacks.
Solution: Cloud storage end-users should:
- Ensure strict monitoring and logging of activities to keep track of changes or suspicious behaviour.
- Avoid using default credentials in the production environment.
- Conduct extensive research on the security vulnerabilities of third-party resources before opting for their services.
- Ensure that storage access is restricted to individuals within the organisation and enable robust encryption for critical data stored in the buckets.
- Apply the principle of least privilege for both machines and humans for access to all systems.
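Two of the misconfigurations named above, storage that is open to anyone and permissions that are broader than a workload needs, can be caught before deployment by reading the policy document itself. The checker below is an added example, not code from the advisory or from any cloud provider: it walks the Allow statements of an AWS-style policy and reports a public principal with no condition and a wildcard action over all resources. The three policies are constructed samples (the account ID and bucket name are placeholders), with the weak bucket policy shown beside its corrected form.

```python
# Added example (not from the ngCERT advisory): a static check for two common storage
# misconfigurations, public access to a bucket and wildcard permissions.
# The three policies are constructed samples, not real customer policies.
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """'*' or {'AWS': '*'} means any identity on the internet, not just your own account."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_policy_issues(policy: dict) -> list:
    """Return human-readable findings for Allow statements that are public or over-broad."""
    issues = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid") or f"Statement[{idx}]"
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
            issues.append(f"{label}: {actions} granted to Principal '*' with no Condition (public access)")
        if any(a == "*" or a.endswith(":*") for a in actions) and "*" in resources:
            issues.append(f"{label}: wildcard action on all resources (violates least privilege)")
    return issues


# Constructed: bucket policy that lets anonymous users list and read every object.
WEAK_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bootcamp-data", "arn:aws:s3:::example-bootcamp-data/*"]
  }]
}""")

# Constructed: the corrected policy, same read access limited to one application role.
FIXED_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/BootcampApp"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bootcamp-data/*"
  }]
}""")

# Constructed: IAM policy handing a service full administrator rights.
OVERLY_BROAD_IAM_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")


if __name__ == "__main__":
    for name, pol in [("weak bucket", WEAK_BUCKET_POLICY), ("fixed bucket", FIXED_BUCKET_POLICY),
                      ("broad IAM", OVERLY_BROAD_IAM_POLICY)]:
        print(name, "->", find_policy_issues(pol) or "no issues")
```

The check is deliberately narrow: it reads only the policy document, so it says nothing about bucket ACLs, the account-level public access block, or encryption settings, which the provider's own configuration audit should cover alongside it.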
References: