Advisory ID: ngCERT-2024-0033

Summary: 

ngCERT is issuing an urgent security advisory regarding a high-severity vulnerability in Veeam Backup and Replication (VBR) software, recently exploited by ransomware groups. The flaw is designated CVE-2023-27532, affecting VBR versions 12 and below. Threat actors exploit this weakness by obtaining encrypted and plaintext credentials stored in the configuration database, which is further used to elevate privileges and execute arbitrary code on affected systems. The successful exploitation of the vulnerability may result in malware installation, system takeover, data exfiltration and ultimately ransomware attacks. It is pertinent to note that, the Phobos ransomware group recently exploited this flaw in a ransomware attack on a cloud infrastructure, within the Nigerian Cyberspace. Accordingly, users are strongly advised to implement the latest security patches from VBR, and other mitigation steps recommended herein.

Threat Type(s): Ransomware

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Microsoft Exchange server, SQL Server, Windows Server, Linux Server, Oracle, Azure, AWS, VMware, Hyper-V

Platform(s): WIndows and Linux Operating Systems

Version(s): All Versions

Description: 

The CVE-2023-27532 is a critical vulnerability in Veeam Backup & Replication (VBR) software, which allows unauthorized users to access sensitive information, including encrypted credentials. Cybercriminals exploit this flaw by connecting to the exposed Veeam services (C:\ProgramFiles\Veeam\Backup and Replication\Backup\Veeam.Backup.Service.exe) on port TCP 9401, where they can issue requests to extract confidential data from backup infrastructure without proper authentication. To exploit CVE-2023-27532, attackers typically scan for unpatched Veeam instances exposed to the internet. Once they locate a vulnerable system, they bypass authentication mechanisms by sending crafted requests directly to the service, allowing them to obtain critical information, such as administrative credentials. With this information, attackers can escalate privileges, gain unauthorized access to the backup environment, and even compromise the entire network. Such an exploit can lead to severe consequences, including data breaches, ransomware deployment, or malicious data manipulation, as the backup servers often store highly sensitive and valuable information.

Solution: 

•  Avoid downloading or opening attachments in emails received from untrusted sources or unexpectedly received from trusted users.
• Block the malicious external IP addresses and other malicious IP addresses on your network.
• Ensure that the assets/systems operating system, applications, antivirus, and plugins are up to date.
• Activate built-in security features on endpoint devices which scan applications for malware.
• Consider implementing stronger security measures, including firewalls, intrusion detection/prevention systems, anti-phishing solution, endpoint detection    and response solution including anti-malware software.
• Enforce a strong password policy, implement regular password changes.
• Disable unnecessary services and open ports on endpoint devices and servers within your agency. Only enable services and open ports that are essential for day-to-day operations.

References:

• https://thehackernews.com/2024/07/new-ransomware-group-exploiting-veeam.html

• https://cisometric.com/articles/ransomware-alert-estateransomware-exploits-veeam-backup-software

• https://cirt.gy/article/al2024_15-veeam-backup-replication-software-security-flaw-exploited-by-new-ransomware-group-estateransomware-15th-july-2024/

Advisory ID: NCC-CSIRT-170924-009

Summary: 

Researchers from Trend Micro's Zero Day Initiative have discovered a newly identified Windows vulnerability, exploited as a zero-day to execute code via the disabled Internet Explorer browser. This vulnerability, tracked as CVE-2024-43461, is classified as a high-severity issue. It was addressed in a patch released on Tuesday, September 10, 2024, over two months after it had already been exploited in the wild.

Threat Type(s): Vulnerability, Zero-Day Attack

Impact/Vulnerability: CRITICAL/HIGH

Product(s): MS Windows

Platform(s): Internet Explorer bowser

Version(s): All Versions

Description: 

The research revealed that the security flaw is a spoofing vulnerability in a component of Internet Explorer’s Web Archive file format. This format combines HTML code and its related resources (such as images) into a single file, even when these resources are linked externally in the webpage's HTML. Despite Internet Explorer being disabled, the platform remains in Windows and is still utilized by certain applications in specific scenarios.

The vulnerability arises from how Internet Explorer handles user prompts after a file download. A maliciously crafted file name can conceal the true file extension, tricking users into thinking the file is safe. Exploiting this flaw, an attacker could execute code under the current user’s privileges.

Solution: 

The vulnerability identified as CVE-2024-43461 was exploited as part of an attack chain involving the CVE-2024-38112 flaw prior to July 2024. To ensure complete protection against this threat, users are advised to install both the Windows July 2024 security updates, which addressed CVE-2024-38112, as well as the Windows September 2024 updates. Links to the relevant security updates are provided below:

https://support.microsoft.com/en-us/topic/july-9-2024-kb5040437-os-build-20348-2582-5b28d9b8-fcba-43bb-91e6-062f43c7ec7c

https://support.microsoft.com/en-us/topic/september-10-2024-kb5043076-os-builds-22621-4169-and-22631-4169-215aad1e-3f3f-44bd-9868-91a2bd450a07

References:

• https://www.securityweek.com/microsoft-says-recent-windows-vulnerability-exploited-as-zero-day/

• https://www.securityweek.com/apt-exploits-windows-zero-day-to-execute-code-via-disabled-internet-explorer/

• https://www.securityweek.com/microsoft-says-windows-update-zero-day-being-exploited-to-undo-security-fixes/

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43461

• https://www.zerodayinitiative.com/advisories/ZDI-24-1207/

Advisory ID: NCC-CSIRT-110924-008

Summary: 

Researchers from anti-malware vendor ESET have identified a sophisticated phishing technique targeting iOS and Android users. The tactic involves using web applications that imitate legitimate banking software, enabling cybercriminals to bypass security measures and steal users' login credentials.

These fraudulent web apps closely replicate the interfaces of well-known financial institutions, making it difficult for users to detect the deception. Once victims enter their credentials, the information is transmitted to attackers, granting them unauthorized access to sensitive banking accounts.

Threat Type(s): Phishing, and Malvertising

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Apple and Android based Mobile Devices

Platform(s): iOS and Android OS

Version(s): All Versions

Description: 

According to the researchers, attackers leveraged Progressive Web Applications (PWAs) on Apple devices—websites packaged to resemble standalone apps. These PWAs, built using web technologies, are platform-agnostic and do not require users to enable third-party app installations. On Android devices, the attackers utilized WebAPKs, a technology that allows web apps to be installed as native applications, appearing as if they were downloaded from Google Play.

In the observed attacks, iOS users were instructed to add the PWA to their home screens, while Android users were prompted to approve custom pop-ups before installing the WebAPK. WebAPKs, considered enhanced versions of PWAs, mimic native apps and do not trigger warnings on Android devices, even when installation from third-party sources is disabled. Moreover, the apps’ information pages falsely indicated that they were downloaded from Google Play.

When users opened the phishing link, they were redirected to a webpage mimicking the official Google Play or Apple Store, or the targeted bank’s website. They were then prompted to install an updated version of the banking app, which led to the installation of the malicious software without triggering any security alerts. Once installed, the PWA or WebAPK placed an icon on the home screen, and opening it led directly to a phishing login page designed to steal users' credentials.

Solution: 

•  Users should avoid installing apps that are not available on official platforms like the Play Store or Apple App Store.
• Always verify any messages received via SMS, email, or social media before taking action.
• If prompted to update an app via text message, visit the official website or app store to confirm the update before proceeding.
• Be cautious when dealing with Progressive Web Applications (PWAs) and avoid installing them from untrusted or suspicious websites.
• Utilize a reliable security solution that can detect and block websites using PWAs and WebAPKs for phishing attacks.
• Multi-factor authentication and user education on phishing threats are essential to enhance security.

References:

• https://www.bleepingcomputer.com/news/security/hackers-steal-banking-creds-from-ios-android-users-via-pwa-apps/ 

• https://www.securityweek.com/new-phishing-technique-bypasses-security-on-ios-and-android-to-steal-bank-credentials/ 

• https://www.show.it/en/new-phishing-technique-bypasses-security-on-ios-and-android-to-steal-bank-credentials/ 

• https://news.ycombinator.com/item?id=41312984 

• https://www.welivesecurity.com/en/eset-research/be-careful-what-you-pwish-for-phishing-in-pwa-applications/

Advisory ID: NCC-CSIRT-260824-007

Summary: 

ESET malware researcher Lukas Stefanko has identified a new Android malware called NGate. This malware is capable of stealing funds from payment cards by transmitting data collected by the near-field communication (NFC) chip to an attacker’s device. With NGate, attackers can emulate the victims' cards, allowing them to make unauthorized payments or withdraw cash from ATMs.

Threat Type(s): Malware, and Phishing

Impact/Vulnerability: CRITICAL/HIGH

Product(s): Android Devices

Platform(s): Android OS

Version(s): All Versions

Description: 

The attack begins with malicious texts, automated calls with pre-recorded messages, or malvertising, which trick victims into installing a malicious progressive web app (PWA) on their devices. These PWAs, disguised as urgent security updates, mimic the official icon and login interface of the targeted bank to steal client credentials. The apps require no special permissions upon installation, instead exploiting the web browser's API to gain access to the device's hardware components.

After the phishing stage, the victim is further deceived into installing NGate during the second phase of the attack. Once installed, NGate activates an open-source tool called 'NFCGate,' which enables on-device capturing, relaying, replaying, and cloning of NFC data. This tool can function without the device being rooted. NGate captures NFC data from payment cards near the infected device and transmits it to the attacker, either directly or via a server. The attacker can then save this data as a virtual card and use it to withdraw cash from ATMs or make payments at point-of-sale (PoS) systems.

Solution: 

• If you are not actively using NFC, you can mitigate the risk by disabling your device's NFC chip. On Android, click Settings > Connected devices > Connection preferences > NFCand turn the toggle to the off position.
• Only install bank apps from the bank's official webpage or Google Play.
• Ensure the bank app you are using is not a WebAPK

References:

• https://thehackernews.com/2024/08/new-android-malware-ngate-steals-nfc.html 

• https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-ngate-android-malware-which-relays-nfc-traffic-to-steal-victims-cash-from-atms-1/