Advisory ID: NCC-CSIRT-240823-032

Summary: Sophos researchers have uncovered Akira ransomware exploiting an undisclosed vulnerability in Cisco's virtual private network (VPN) software. This vulnerability potentially allows for authentication bypass in cases where multi-factor authentication (MFA) is not in place. The perpetrators behind Akira ransomware are capable of infiltrating corporate networks, exfiltrating data, and subsequently encrypting it.

Threat Type(s): Ransomware

Impact/Vulnerability: HIGH/HIGH

Product(s): Windows and Linux Systems

Platform(s):  Cisco Virtual Private Networks

Version(s): All Versions 

Description: The researchers noted a prevalent trend in Akira infiltrations, often initiated by threat actors utilizing compromised credentials, which can potentially be acquired from the dark web. Akira frequently gains access to targeted Windows and Linux systems through Cisco VPN services, particularly in cases where users have not implemented multi-factor authentication. Upon infecting a system with Akira, the malware takes steps to eliminate backup folders that might be employed for data recovery. Subsequently, it encrypts files with specific extensions and appends the ".akira" extension to each of them.

Cisco VPN solutions are extensively adopted in various sectors to establish secure, encrypted data transfer between users and corporate networks, especially for remote employees. According to the researchers, Akira follows the ransomware-as-a-service (RaaS) model and represents a rapidly escalating threat that capitalizes on compromised credentials to breach systems. A significant number of Akira victims lacked multi-factor authentication (MFA) on their VPNs. Additionally, the actors orchestrating Akira employ malicious email attachments, malicious ads, and pirated software as distribution vectors for the ransomware. Exploiting unpatched vulnerabilities in VPN endpoints is another avenue through which the threat spreads

Consequences: Akira’s attackers engages in double extortion tactics, exfiltrating victim’s data prior to encryption and threatening to release the data publicly unless a ransom is paid.

Solution: 

• Activate multi-factor authentication for your VPNs.
• Regularly back up your data.
• Exercise caution when encountering unexpected email attachments to prevent potential Akira ransomware infection.
• Consistently update and patch vulnerabilities in Cisco VPNs.
• Before interacting with ads, verify the authenticity of the site through its URL.

Avoid using pirated software and refrain from downloading unverified apps from Google Play.

References:

https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cisco-vpns-to-breach-organizations/

https://www.safebreach.com/resources/akira-ransomware-8base-threat-coverage/

https://www.redpacketsecurity.com/akira-ransomware-targets-cisco-vpns-to-breach-organizations/

https://cyware.com/news/akira-ransomware-targets-cisco-vpns-to-breach-organizations-120e5b1c/

https://malwaretips.com/threads/akira-ransomware-targets-cisco-vpns-to-breach-organizations.125290/

Advisory ID: NCC-CSIRT-180823-031

Summary: Coral Tayar, a researcher at Cyberint, has identified a series of account breaches on LinkedIn. This has led to numerous accounts being either locked due to security concerns or completely taken over by attackers. In some cases, victims are forced into paying a ransom to regain access, while others face the possibility of their accounts being permanently deleted. These exploits can result in account takeovers, lockouts, and difficulties in resolving issues through LinkedIn's support system.

Threat Type(s): Ransomware

Impact/Vulnerability: HIGH/HIGH

Product(s): LinkedIn

Platform(s):  LinkedIn Social Media Platform

Version(s): All Versions 

Description: According to the researchers, attackers utilized two methods in exploiting LinkedIn accounts. The first method involves a temporary account lock, where victims receive an official LinkedIn email notifying them of the security measure. In such cases, the accounts themselves are not compromised; rather, suspicious activity or hacking attempts triggered the temporary lock. It's likely that threat actors attempted to breach accounts with two-factor authentication or conducted brute force attacks on passwords, prompting LinkedIn to block these efforts.

The second method, termed as a full account compromise, is more devastating. Here, victims' LinkedIn accounts are completely hacked, preventing them from independently recovering their accounts. Threat actors follow a specific process to make account restoration impossible. They gain access to the account and change the associated email address to another address, often using addresses generated through the 'rambler.ru' mail system. Subsequently, the threat actors alter the account password. By changing the email address, they effectively prevent victims from restoring their accounts via email, rendering recovery impossible. Some victims have received ransom messages (typically demanding a small sum) to regain access, while others have observed their accounts being deleted altogether.

Consequences: Malicious individuals might capitalize on compromised profiles for social engineering, deceiving others into participating in harmful actions while posing as a trusted co-worker or manager.

Solution: 

• Check your account by promptly logging in and confirming if you still have access. Verify that all your contact information is accurate and truly yours. In case you are locked out and unable to recover through your email, reach out to LinkedIn support immediately.
• Review your email inbox for any messages sent by LinkedIn about the addition of an extra email to your account. If you did not initiate this action and discover such an email, consider it a serious red flag. Ensure that you can still log into your account, change your password, and eliminate the added email address from your contact details.
• Utilize a strong and unique password exclusively for your LinkedIn account. Avoid reusing passwords across different platforms.
• Activate the two-step verification feature for enhanced security on your LinkedIn account.

References:
https://www.bleepingcomputer.com/news/security/linkedin-accounts-hacked-in-widespread-hijacking-campaign/

https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/

https://twitter.com/search?q=linkedin%20account%20hacked

https://www.reddit.com/r/linkedin/comments/15cx1zg/mega_thread_so_your_linkedin_account_got/

Advisory ID : ngCERT-2023-0034

CVE(s): CVE-2019-9013; CVE-2022-47379; CVE-2022- 47380; CVE-2022-47381; CVE-2022-47382; CVE-2022- 47383; CVE-2022-47384; CVE-2022-47385; CVE-2022- 47386; CVE-2022-47387; CVE-2022-47388; CVE-2022- 47389; CVE-2022-47390; CVE-2022-47391; CVE-2022- 47392; CVE-2022-47393

Summary: Multiple high-severity vulnerabilities in the CODESYS V3 software development kit (SDK) were recently discovered by Microsoft's cyber physical system experts. The researchers were able to trigger a buffer overflow in a variety of industrial control system devices, revealing a number of vulnerabilities in the process. These flaws could result in a denial of service (DoS) or remote code execution (RCE) attacks.

Damage/Probability: CRITICAL/HIGH

Description: The CODESYS V3 software development kit (SDK) is a software development environment used industry-wide to program programmable logic controllers (PLCs) that aids manufacturers to implement IEC 61131-3, which is a vendor independent international standard for programmable controller programming language for industrial automation. To be able to conduct this attack, researchers had to bypass user authentication, which was done by exploiting CVE-2019-9013. This allows for the use of a “replay attack against the PLC using the unsecured username and password’s hash that were sent during the sign-in process, allowing bypass of user authentication process.” They then had to create a new channel for the attack before signing in to the device with the stolen credentials. A malicious packet that triggers buffer overflow is then inserted to exploit the vulnerabilities and gain full control of the device.

Consequences: Exploitation of any of the vulnerabilities could lead to either a Denial of Service (DoS) attack or remote code execution (RCE) attack. As these vulnerabilities affect the security of Industrial control systems that are used in critical infrastructure such as power, this could lead to major disruptions and outages. Also, it can allow attackers to create backdoors that can be used to cause mayhem or exfiltrate critical information.

The complete exploit steps are summarized as follows:

  (a) Steal credentials with CVE-2019-9013.

  (b) Create a new channel for the attack.

  (c) Sign-in to the device with the stolen credentials.

  (d) Exploit the vulnerabilities with a malicious packet that triggers buffer overflow.

  (e) Gain full control of the device.

Solution: Countermeasures to put into place include:

1. Patch any network devices that are affected. Update the device firmware to version 3.5.19.0 or higher after checking with the device manufacturers for any available fixes.

2. Regardless of whether they run CODESYS, make sure that all crucial hardware—PLCs, routers, PCs, etc.—is segmented and separated from the internet.

3. Only authorized components should be allowed access to CODESYS devices.

4. If prioritizing patching is challenging due to the nature of CVEs, which still call for a login and password, reduce risk by ensuring effective segmentation, requiring unique usernames and passwords, and minimizing the number of users who have writing authentication.  

References:

https://www.microsoft.com/en-us/security/blog/2023/08/10/multiple-high-severity-vulnerabilities-in-codesys-v3-sdk-could-lead-to-rce-or-dos/

https://securityaffairs.com/149474/security/codesys-v3-sdk-rce-dos.html

https://github.com/microsoft/CoDe16

Advisory ID: NCC-CSIRT-150823-030

Summary: Researchers at Proof point have identified an EvilProxy phishing campaign that is focused on compromising Microsoft 365 user accounts on a global scale. This campaign involves the distribution of nearly 120,000 phishing emails to over 100 organizations worldwide. The primary objective is to gain control of the cloud accounts belonging to high-level executives, with the aim of executing more advanced attacks within the organization's internal systems.

Threat Type(s): Phishing

Impact/Vulnerability: CRITICAL/MEDIUM

Product(s): Microsoft 365

Platform(s): EvilProxy phishing-as-a-Service Platform

Version(s): All Versions 

Description: Based on the researchers' discoveries, the attackers behind this campaign are leveraging an EvilProxy phishing strategy. EvilProxy operates as a phishing-as-a-service platform, utilizing reverse proxies to facilitate the exchange of authentication requests and user credentials between the targeted user and the authentic service website. Despite the commonly recommended use of multi-factor authentication (MFA) as a defense against phishing, tools like EvilProxy and similar reverse-proxy techniques are simplifying the efforts of malicious actors to bypass this security measure.

The malicious actors employ the EvilProxy service to dispatch deceptive emails that mimic reputable brands like Adobe, DocuSign, and Concur. Clicking on the embedded link guides the recipient through a sequence of open redirections via platforms like YouTube or SlickDeals, followed by subsequent redirections aimed at reducing the likelihood of detection and analysis. Ultimately, the victim arrives at an EvilProxy phishing page, which functions as a reverse proxy for the Microsoft 365 login page. This page is designed to mimic the organization's theme, lending an air of authenticity to the victim's experience.

To evade automated scanning tools, the attackers utilize specialized encoding for user email addresses. Compromised legitimate websites are exploited to upload PHP code, facilitating the decoding of the targeted user's email address. Once decoded, the user is directed to the final website, which hosts the tailored phishing page meticulously crafted for the specific target organization. 

Consequences: The phishing emails often imitate reputable and trusted services or applications while employing scan-blocking techniques to evade detection by a wide range of security tools.

Solution: Organizations can defend against this threat through the following ways:

1. User Awareness: Educate users about the associated risks when utilizing Microsoft 365.
2. Email Protection: Block and monitor malicious email threats directed at users.
3. Cloud Protection: Utilize cloud security mechanisms with the following functionalities:
   1. Detecting occurrences of account takeover (ATO) and unauthorized access to sensitive resources within the cloud environment.
   2. Ensuring accurate and timely detection of both the initial account breach and subsequent unauthorized activities, including the monitoring of service and application misuse.
   3. Incorporating automated remediation capabilities to reduce the duration of attacker presence in the system and mitigate potential harm.
4. Web Security: Isolate potentially harmful sessions initiated via links embedded in email messages.
5. FIDO: Consider adopting “Fast Identity Online” (FIDO) based physical security keys. FIDO is a technical standard designed for authenticating online user identities. It is applicable in various scenarios like fingerprint and two-factor login. This enables users to utilize biometric features or a FIDO security key for logging into their online accounts.

References:
https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-targets-120-000-microsoft-365-users/ 

https://www.infosecurity-magazine.com/news/evilproxy-campaign-120000-phishing/ 

https://www.darkreading.com/cloud/evilproxy-cyberattack-flood-execs-microsoft-365 

https://www.proofpoint.com/uk/blog/email-and-cloud-threats/cloud-account-takeover-campaign-leveraging-evilproxy-targets-top-level 

https://www.darkreading.com/threat-intelligence/downfall-bug-billions-intel-cpus-design-flaw