Buffer overflow in some Intel(R) SSD Tools software before version mdadm-4.2-rc2 may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2023-28736

Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2022-27635

Improper access control in the Intel(R) Ethernet Controller RDMA driver for linux before version 1.9.30 may allow an unauthenticated user to potentially enable escalation of privilege via network access.

CVE-2023-25775

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2022-40982

Categories: Threat Intelligence
July saw one of the highest number of ransomware attacks in 2023 at 441. At the forefront of these attacks is, once again, Cl0p.



(Read more...)




The post Ransomware review: August 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

July saw one of the highest number of ransomware attacks in 2023 at 441, second only to a record-breaking 556 attacks in May. At the forefront of these attacks is, once again, Cl0p.

In June, Cl0p shot to the top of the charts due to their use of a zero-day exploit in MOVEit Transfer, and the story in July is no different. Using the same vulnerability, the gang attacked an additional 170 victims in July—the second highest number of attacks by a single gang all year, just two shy of MalasLockers' record in May.

Amidst all the Cl0p chaos, however, a familiar foe seems to be quietly waning: LockBit.

Known ransomware attacks by gang, July 2023

The LockBit gang is experiencing a steady four-month decline in the number of attacks it has carried out. Since April 2023, we’ve observed an average decrease of 20 attacks a month from the group. LockBit’s 107 attacks in April to 41 in July represents a 62 percent dip in activity.

We’ve seen a similar pattern from LockBit before, and it’s not unusual for ransomware gang activity to ebb and flow. Still, it’s worth mentioning that a suspected LockBit affiliate was arrested last month. At least LockBit’s July numbers, then, could be explained by them simply wanting to lay low for a bit.

When another LockBit suspected affiliate was arrested in November 2022, we also saw a similar historic low in activity from the group.

**"Big game hunting" numbers**

Research published in July by Chainanalysis showed that ransomware gangs raked in around $449 million from victims in the last six months. The driving force behind this huge number? Chainanalysis says it is “big game hunting.” the practice of targeting large, financially well-off corporations in order to secure the biggest possible payouts.

Chainanalysis also mentions an increase in payouts less than $1000, meaning smaller companies are still being targeted by ransomware gangs as well.

At around this same time last year, total payouts were slightly under $300 million—a difference of over $150 million.

One possible reason for this increase, says Chainanalysis, could be that because fewer and fewer firms are willing to pay the ransom, ransomware gangs are increasing the size of their ransom demands, the idea being to squeeze the most money possible out of the firms still willing to pay.

Malwarebytes' own data suggests that the increase in payouts could also be a simple consequence of there being more ransomware attacks in general. From March 2022 to July 2022, Malwarebytes recorded a total of 1,140 ransomware attacks. From March 2023 to July 2023, we recorded a total of 2,130.

Likely, there’s a combination of factors at play here. Our logic goes as follows:

> Bigger targets + greedier gangs + more ransomware attacks in general = Historically high payouts.

Known ransomware attacks by country, July 2023

Attacks on the US and UK are at a four-month high. Four-mouth trends on attacks in Italy, on the other hand, suggest that the country is a new regular in the monthly "Top Five" of most-attacked countries.

Known ransomware attacks by industry sector, July 2023

In an article published in October of last year, we speculated on the future evolution of ransomware and how, with the rise of double-extortion schemes, more and more gangs might pivot away from using encryptors entirely. Interestingly, new research last month by Huntress seems to support this idea—exemplified by the most active ransomware gang today no less.

In their massive zero-day exploitation sprees, **Cl0p has apparently not deployed ransomware at all**. Instead, the group has focused on simply stealing company data to then later use as leverage against victims.

This move represents a significant departure from the majority of top ransomware gangs, and it forces organizations to rethink the nature of the problem: i’s not about ransomware per se, it’s about an intruder in your network. The really dangerous thing is turning out to be the access, not the ransomware software itself. 

Cl0p's focus on exploiting zero-days for initial access is revolutionary on its own. Pairing this with a pure data-exfiltration approach could signal an even bigger paradigm shift in how ransomware gangs operate into the future.

Speaking of innovations from top gangs, last month ALPHV was observed offering an API for their data leak site. 

The new API is a conduit for swift data dissemination, helping other cybercriminals instantly access and distribute the stolen information on the dark web. The overarching goal here —especially considering that ALPHV failed to seek a ransom from recently-breached cosmetics company Estee Lauder—seems to be to pressure victims to pay as stolen data reaches wider audiences.

Time will tell if the move pays off, but if nothing else, it signals cybercriminal desperation amid declining ransomware payments.

**New players****CATCUS **

CACTUS emerged in March 2023 as a fresh strain of ransomware, zeroing in on large-scale commercial operations. Last month, they published 18 victims on their leak site.

To infiltrate systems, this gang exploits well-known vulnerabilities present in VPNs. Once CACTUS operatives gain access to a network, they enumerate local and network user accounts and reachable endpoints. Following this, they craft new user accounts and deploy their ransomware encryptor. The uniqueness of CACTUS lies in their use of specialized scripts that automate the release and activation of the ransomware through scheduled tasks.

The CACTUS leak site

**Cyclops/Knight **

Though the underworld caught wind of Cyclops in May 2023, it's only recently that evidence of their activities surfaced as new victims' details appeared on their dark web portal. In addition, they've announced a shift in branding to "Knight." Last month, they published 6 victims on their leak site.

This ransomware is versatile, capable of compromising Windows, Linux, and macOS systems alike. Cyclops stands out with its intricate encryption methodology, which mandates a unique key to decrypt the execution binary. Cyclops also comes equipped with a distinct stealer component designed to extract and transfer sensitive information.

The Cyclops/Knight leak site

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: August 2023

With BlackHat and “Hacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year.

Thursday, August 10, 2023 14:08

Welcome to this week’s edition of the Threat Source newsletter.

Between the Talos Takes episode last week and helping my colleague Hazel with the Half-Year in Review, I realized how much I had already forgotten about 2023 already.

It’s been a whirlwind, personally and professionally, and I think it’s important for the security community to take a step back occasionally, to look back on what’s already happened in a year and what that tells us about the coming months.

For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way.

The dangers of the MOVEit breach continue to grow, with Clop now using torrents to leak targets’ information, potentially making the leaks more dangerous and faster for bad actors to download.

The list of affected organizations grows every day, with the Clop ransomware group adding more names to its leak site, and public companies having to make disclosures about potential data leaks or theft. Yet the news around this seems to have been relegated to regular news posts about, “Company X just got added to the Clop leak site” rather than reflecting on the dangers of supply chain attacks.

I’ve written before about how we aren’t talking about supply chain attacks enough already, and this year alone we’ve seen MOVEit (which, in my opinion, kind of straddles the line as a “traditional” supply chain attack because it’s more of a data breach with more follow-on data breaches), 3CX, and another attack against CircleCI, a continuous integration platform vendor.

3CX was a big deal in the moment, but looking at the Half-Year in Review, I feel like we moved past it so quickly. Instead, headlines are still dominated by ransomware attacks and big-game hunting, which are certainly no less important on the security landscape — but it is so easy to get swept up in the day’s goings-on by looking for the latest, fastest updates on security social media.

With BlackHat and “Hacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year. This could include just taking time to look back on personal successes, team wins, or just one or two things that happened in February that you may have already forgotten about.

**The one big thing**

Our researchers recently discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that’s been going on since at least June 4. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.

**Why do I care?**

This new actor appears to target users and companies all over the world, including a variety of English-speaking nations, Bulgaria, China and Vietnam. Victims hit with this malware are asked to pay a requested ransom in the form of Bitcoin, an amount that doubles if it’s not made within three days post-infection. This Yashma variant also appears to be harder to recover from than the average ransomware — after encrypting files, the ransomware wipes the contents of the original, unencrypted file and then replaces the file name with a “?”.

**So now what?**

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here. There are also numerous protections in place to detect and defend against this malware, as outlined in our blog post.

**Top security headlines of the week**

**Dozens of hospitals and healthcare facilities across the U.S. are still recovering after a large healthcare system was forced to take its computer systems offline** as the result of a ransomware attack. Prospect Medical Holdings, a chain that operates hospitals and outpatient facilities, in California, Connecticut, Pennsylvania and Rhode Island, first disclosed the incident last week, announcing it was having to shut down some emergency rooms and reroute ambulances to other facilities. The FBI announced it was launching an investigation into the cause, and actors behind, the attack. Some outpatient facilities, like radiology and heart health clinics, had to close altogether temporarily because they could not function without the use of the company’s computer systems. (CBS News, NBC News)

**Cult of the Dead Cow, an infamous hacking group once known for shaming companies into improving their security, is planning to launch a new app framework that puts privacy first.** The system will allow individuals and companies to create social media and messaging apps that do not hold onto users’ personal data. Traditional social media companies make a large chunk of their profits off selling that information to advertisers and other companies looking to reach certain demographics. Representatives from the hacking collective are expected to discuss the framework more at the upcoming DEF CON conference. Creators say the framework uses the in-house “Veilid” protocol for end-to-end encryption that could make it difficult for even governments to view information on the apps without proper authorization. However, they still face the challenge of convincing developers and companies to design apps that are compatible with Veilid. (Washington Post, DarkReading)

**The U.K.’s Electoral Commission revealed this week it was the target of a “complex cyber attack”** that potentially exposed the personal details of millions of British voters. The Commission said adversaries stole copies of the electoral registers from August 2021, but the breach was not discovered until October 2022. However, they’ve yet to “conclusively” determine what files, exactly, were accessed. An early report on the attack from the Electoral Commission found that the personal data found on the registers did not present a “high risk” to the individuals listed on it. However, that information could be paired with other public information or stolen data from other attacks to “identify and profile individuals.” The adversaries were removed from the network as soon as the breach was discovered in October. (Infosecurity Magazine, BBC)

**Can’t get enough Talos?**

*   What Cisco Talos knows about the Rhysida ransomware
*   Code leaks are causing an influx of new ransomware actors
*   The Need to Know: What is commercial spyware?
*   Six critical vulnerabilities included in August’s Microsoft security update
*   Cisco Talos Discusses Flaws in SOHO Routers Post-VPNFilter
*   Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware
*   Sloppy security from cybercriminals is creating a new generation of ransomware gangs

**Upcoming events where you can find Talos****Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**ATT&CKcon 4.0 (Oct. 24 - 25)**

McLean, Virginia

> Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.

**Most prevalent malware files from Talos telemetry over the past week**

  
**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** 1c25a55f121d4fe4344914e4d5c89747b838506090717f3fb749852b2d8109b6  
**MD5:** 4c9a8e82a41a41323d941391767f63f7  
**Typical Filename:** !!Mreader.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Generic::sheath

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 7bf7550ae929d6fea87140ab70e6444250581c87a990e74c1cd7f0df5661575b  
**MD5:** f5e908f1fac5f98ec63e3ec355ef6279  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::tpd

Reflecting on supply chain attacks halfway through 2023

WordPress WP Project Manager plugin versions 2.6.4 and below suffer from a privilege escalation vulnerability.

    Description: WP Project Manager <= 2.6.4 – Arbitrary Usermeta Update to Authenticated (Subscriber+) Privilege Escalation Affected Plugin: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt chartsPlugin Slug: wedevs-project-managerAffected Versions: <= 2.6.4CVE ID: CVE-2023-3636CVSS Score: 8.8 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HResearcher/s: Lana Codes and Chloe Chamberland Fully Patched Version: 2.6.5The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the ‘save_users_map_name’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘usernames’ parameter.Technical AnalysisWP Project Manager plugin is a task, project, and team management tool for WordPress. Upon closer examination of the code, we see that there is an API endpoint, the ‘save_users_map_name’ function, which updates a user’s github and bitbucket username.[View this code snippet on the blog.]  The most significant problem and vulnerability is caused by the way the explode() and in_array() functions are used to ensure that only the ‘github’ and ‘bitbucket’ meta values can be updated. Unfortunately, these functions are not sufficient to prevent exploitation, because they can be bypassed with a special character, known as a homoglyph, that acts like an underscore, however, won’t be properly “exploded” but will be saved in the database as a proper underscore.This made it possible for authenticated users, such as subscribers, to supply the ‘wp_capabilities’ array parameter with any desired role, such as administrator, when updating what should be username metadata, which would grant the user access to capabilities based on that role.As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.Disclosure TimelineJuly 9, 2023 – Discovery of the Privilege Escalation vulnerability in WP Project Manager.July 11, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.July 13, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.July 16, 2023 – The vendor confirms the inbox for handling the discussion.July 16, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.July 24, 2023 – A fully patched version of the plugin, 2.6.5, is released.August 12, 2023 – Wordfence Free users receive the same protection.ConclusionIn this blog post, we detailed a Privilege Escalation vulnerability within the WP Project Manager plugin affecting versions 2.6.4 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to elevate their privileges to those of a site administrator which could ultimately lead to complete site compromise. The vulnerability has been fully addressed in version 2.6.5 of the plugin.We encourage WordPress users to verify that their sites are updated to the latest patched version of WP Project Manager.Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on July 13, 2023. Sites still using the free version of Wordfence will receive the same protection on August 12, 2023.If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

WordPress WP Project Manager 2.6.4 Privilege Escalation

By Habiba Rashid
Operating from Europe, Lolek Hosted offered services that shielded clients' identities and turned a blind eye to the content they posted.
This is a post from HackRead.com Read the original post: Feds Seize Bulletproof Hosting Service ”Lolek Hosted”

1.  **Lolek Hosted, a prominent bulletproof hosting provider, has been dismantled in a coordinated operation by US and Polish authorities.**
2.  **The joint effort aimed to curb cybercriminals’ access to crucial tools for malicious activities by targeting the hosting platform.**
3.  **The takedown was marked by a banner on the seized website displaying logos of the FBI and IRS-CI, confirming the seizure.**
4.  **Both US and Polish authorities, along with law enforcement agencies, played vital roles in the operation, though details remain undisclosed.**
5.  **This action aligns with a broader trend of international law enforcement agencies intensifying efforts to dismantle cybercriminal networks and their supportive platforms.**

In a significant blow to cybercriminals’ anonymous infrastructure, authorities from the United States and Poland successfully dismantled the notorious bulletproof hosting provider, Lolek Hosted, this week. The joint effort aims to curtail cybercriminals’ unfettered access to critical tools for carrying out malicious activities.

As of the early hours of Tuesday, visitors to the Lolek Hosted website were met with a banner prominently displaying the logos of the Federal Bureau of Investigation (FBI) and the Internal Revenue Service – Criminal Investigation (IRS-CI). The banner stated:

> “This domain has been seized by the Federal Bureau of Investigation and Internal Revenue Service – Criminal Investigation as part of a coordinated law enforcement action taken against Lolek Hosted.”

The operation also saw the active involvement of the U.S. Attorney’s Office for the Middle District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice.

Domain seizure notice uploaded by authorities (Screenshot: Hackread.com)

Additionally, Polish authorities played a crucial role, with significant support provided by the Regional Prosecutor’s Office in Katowice and the Central Bureau for Combating Cybercrime in Krakow.

An official spokesperson from the IRS confirmed the legitimacy of the seizure notice, affirming its role in the takedown. However, both the FBI and Polish authorities refused to provide any details regarding the seizure.

Lolek Hosted, a widely used bulletproof hosting provider, has been operating since 2009 and has established itself as a key player in the realm of anonymous hosting platforms.

Operating from a European data center, the company offered services that shielded clients’ identities and turned a blind eye to the content they posted. This approach made bulletproof hosting services a haven for criminals seeking to disseminate malware, orchestrate botnet attacks, and execute various forms of cybercrime and fraud.

Archive view of the now seized Lolek Hosted domain (Screenshot: Hackread.com)

In recent years, authorities have escalated their efforts to dismantle bulletproof hosting services and other platforms aiding cybercrime by bringing the individuals responsible to justice. Notable cases include the seizure of DoubeVPN, the takedown of the infamous Safe-Inet VPN service, and the INTERPOL’s collaborative effort to dismantle the ’16shop’ phishing platform, resulting in arrests.

The joint operation involving INTERPOL, Indonesian, Japanese, and US authorities, as well as private sector partners, dismantled the ’16shop’ phishing-as-a-service platform. The platform offered phishing kits to hackers, enabling email scams to steal sensitive information from victims. 

Nevertheless, these joint efforts serve as a clear indicator that law enforcement agencies worldwide are intensifying their efforts to dismantle the foundations of cybercriminal networks, leaving no safe haven for those seeking to exploit the digital realm for illicit gains.

1.  13 Domains Linked to DDoS-For-Hire Services Seized
2.  NetWire Malware Site and Server Seized, Admin Arrested
3.  Researcher Exposes Crypto Scam Network of 300 Domains
4.  7 Domains Used in Pig Butchering Cryptocurrency Scam Seized
5.  Seized: 9 Crypto Laundering Sites Used by Ransomware Gangs

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Feds Seize Bulletproof Hosting Service ”Lolek Hosted”

Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been

Threat Detection / Attack Signal

Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts \[1\] to enable persistent access to a Microsoft tenant.

This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the tenant. Vectra AI has not observed the use of this technique in the wild but given the historical abuse of similar functionality — Vectra AI presents details for defenders to understand how the attack would present and how to monitor for its execution. In addition, the article will review how Vectra AI customers currently have coverage — and have had coverage from day one of the functionality being released for this technique through their AI-driven detections and **Vectra Attack Signal Intelligence**TM.

**Cross-Tenant Synchronization**

CTS is a new feature from Microsoft that enables organizations to synchronize users and groups from other source tenants and grant them access to resources (both Microsoft and non-Microsoft applications) in the target tenant. CTS features build on previous B2B trust configurations enabling automated and seamless collaboration between different tenants and is a feature that many organizations will look to adopt. \[2\] \[3\]

CTS is a powerful and useful feature for organizations like business conglomerates with multiple tenants across affiliated companies, but also opens potential reconnaissance, lateral movement and persistence attacks by bad actors if not configured and managed correctly. Read on for the potential risks and attack paths that adversaries can leverage to exploit CTS to abuse trust relationships from a potentially compromised tenant to any other tenant configured with a CTS trust relationship.

*   CTS allows users from another tenant to be synced (added) into a target tenant.
*   A loosely configured CTS configuration can be exploited to move laterally from a compromised tenant to another tenant of the same or different organization.
*   A rogue CTS configuration can be deployed and used as a backdoor technique to maintain access from an external adversary-controlled Microsoft tenant.

**Assumed compromise!**

The exploitation techniques follow Assumed Compromise philosophy. The techniques used in these exploits assume that an identity has been compromised in a Microsoft cloud environment. In a real-world setting, this could originate from a browser compromise on an Intune-managed endpoint with a Microsoft-managed identity.

**Terminologies**

**Source tenant**

Tenant from where users & groups are getting synced

**Target tenant**

Tenant with resources where users & groups are getting synced

**Resources**

Microsoft applications (Teams, SharePoint, etc.) and non-Microsoft applications (ServiceNow, Adobe, etc.)

**CTS**

Abbreviation to reference 'Cross Tenant Synchronization' in this document

**CTA**

Abbreviation to reference 'Cross Tenant Access' in this document

**Compromised Account**

Adversaries initial point of access

**The Facilitator**

Important things to know about CTS configuration:

1.  New users get synced into a tenant via push (not pull). \[2\]

*   Source tenant pushes new users to sync into the target tenant.

3.  Automatic Consent Redemption setup. \[3\]

*   Enabling this eliminates the need to consent anytime new users are synced into a target tenant.

5.  Users in scope for synchronization are configured in the source tenant. \[2\]

**The Attack**

The attack techniques described in this article require certain licenses and a privileged account compromise or privilege escalation to certain roles in the compromised tenant. A Global Admin role can perform all these actions in a tenant. \[3\]

**Action**

**Source Tenant**

**Target Tenant**

**Tenant License**

Azure AD Premium P1 or P2

Azure AD Premium P1 or P2

**Configure CTA**

Security Administrator

Security Administrator

**Configure CTS**

Hybrid Identity Administrator

N/A

**Assign users to CTS configuration**

Cloud Admin or Application Admin

N/A

**Technique 1: Lateral Movement**

An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant.

Figure 1 : Lateral Movement Attack Overview

1.  The attacker accesses the compromised tenant.
2.  Attacker recons the environment to identify target tenants connected via deployed Cross Tenant Access policies.

4.  Attacker reviews Cross Tenant Access policy configuration for each connected tenant to identify one with 'Outbound Sync' enabled. CTA policy with Outbound Sync enabled allows users and groups from the current tenant to be synchronized into the target tenant.

6.  From the CTA policy configuration analysis, the attacker finds a connected tenant with Outbound Sync enabled and sets the tenant as the target for lateral movement.
7.  The attacker then recons the compromised tenant to find CTS sync application that runs the job of synchronizing users and groups to the target tenant.

*   There is no straight forward way to find the CTS sync application linked to the target tenant. The attacker can enumerate through service principals in the tenant attempting to validate credentials with the target tenant to ultimately find the application that hosts the sync job to the target tenant. It can be done through a simple module like this.

10.  After identifying the CTS sync application, the attacker can modify its configuration to add the currently compromised user account to the application sync scope. This will sync the compromised user account into the target tenant and grant attacker access to the target tenant using the same initially compromised credentials.

12.  Alternatively, the attacker can also inspect the CTS sync application configuration to identify configured sync scope and act accordingly.

*   For example, if the object in sync scope is a group, then the attacker can attempt to add the compromised user account directly or indirectly to the group which will automatically allow the compromised account to be synced into the target tenant.

16.  If there are no explicit CTA inbound conditions blocking the sync in the target tenant, the compromised account will sync into the target tenant.
17.  The attacker moves laterally into the target tenant using the same initially compromised account.

**Scenario 2: Backdoor**

An attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.

Figure 2: CTS Backdoor Attack Overview

1.  The attacker accesses the compromised tenant.
2.  The attacker attempts to deploy a new Cross Tenant Access Policy in the victim tenant with the following properties.

*   Add a new CTA policy with the source tenant defined as the attacker-controlled external tenant.

*   Configure the new CTA policy to enable '_Inbound Sync_'.

*   Enable '_Automatic User Consent'_ for inbound user sync.

4.  Simultaneously, the attacker also configures CTS on its external tenant.

*   The external tenant CTS setup is out of scope for this article and hence not covered here. The process of setting CTS in a source tenant is well defined by Microsoft here.

6.  The attacker can now sync new users from its tenant via push to the target victim tenant anytime in future. This grants the attacker future access to resources on the target tenant using the externally controlled account.

**Defense**

1.  The attack techniques in this document follow assumed compromise. Businesses must continue to implement and enforce security best practices to reduce the risk of account compromise.
2.  CTS Target tenants must:

1.  Avoid implementing a default inbound CTA configuration which permits all users/groups/applications from the source tenant to sync inbound. \[2\]
2.  Deploy less inclusive inbound CTA configuration such as explicitly defining accounts (if possible) or groups that can get access through CTS.
3.  Combine CTA policy with additional Conditional Access Policies to prevent unauthorized access.

4.  CTS Source tenants must:

1.  Ensure groups allowed to access other tenants via CTS (and all privileged groups in general) are properly regulated and monitored.

6.  Detect and respond at scale and speed.

**Vectra Customers:**

Vectra's existing portfolio of alerts are capable of detecting this activity even prior to understanding this operation's implication as well as the expected actions that would occur prior to this event.

The fact that there is no actual vulnerability exploited in this technique makes it harder to prevent once an adversary is in the environment with sufficient privileges. However, Vectra's AI-driven detections have been designed to detect these types of privilege abuse scenarios without having to rely on signatures or lists of known operations.

Vectra's Azure AD Privilege Operation Anomaly monitors for the underlying value of every operation in the environment and every user. The AI continuously creates a baseline of the types of actions that should be occurring in the environment and identifies cases of cloud-based privilege abuse. By focusing on the behavior of privilege abuse, Vectra is able to identify emerging techniques like the one documented here.

Figure 3: Compromised Account deploying Cross Tenant Access Policy in compromised tenant

Figure 4: Compromised account enabling Inbound Sync into the tenant

Figure 5: Compromised account enabling Automatic User Consent Redemption

Attacker actions that would occur prior to the attack such as the account access following a token theft or other forms of account compromise, would be alerted on by Vectra detections like Azure AD Unusual Scripting Engine Usage, Azure AD Suspicious Sign-on or Azure AD Suspicious OAuth Application.

**Microsoft Cloud Security Testing**

Testing environments regularly and effectively is the best way to be confident in the ability to defend against cyberattacks. MAAD-Attack Framework is an open-source attack emulation tool that combines the most commonly used attacker techniques and allows security teams to quickly and effectively emulate them in their environments via a simple interactive terminal. Check out MAAD-AF on GitHub or learn more about it here.

Security teams can use MAAD-AF module _"Exploit Cross Tenant Synchronization"_ to emulate and test against the CTS exploitation techniques in their environment.

Want to learn more?

Vectra AI is the leader in AI-driven threat detection and response for hybrid and multi-cloud enterprises. The Vectra AI Platform delivers the integrated signal powering XDR, SIEM, SOAR — whatever your pane of glass. This powerful platform equips SOC teams with hybrid attack surface coverage and real-time Attack Signal Intelligence, along with integrated, automated and co-managed response. Companies can choose the modules they need to achieve full coverage across identity, public cloud, SaaS and data center networks.

**Contact Vectra AI** today.

**References:**

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization

Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan.
16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services

Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan.

16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App, among others.

"Victims typically receive an email with a pdf file or link that redirects to a site requesting the victims' credit card or other personally identifiable information," Interpol said. "This information is then stolen and used to extract money from the victims."

No less than 70,000 users across 43 countries are estimated to have been compromised via services offered on 16Shop.

The law enforcement operation has also led to the arrest of the site's administrator, a 21-year-old Indonesian national, along with seizing electronic items and several luxury vehicles in the process. Two other suspected facilitators, one each in Indonesia and Japan, have been apprehended based on additional intelligence.

Singapore-based cybersecurity firm Group-IB, which partook in the efforts, said over 150,000 phishing domains were created using the phishing kits to target users in Germany, Japan, France, the U.S., the U.K., and Thailand, among others.

The phishing kits were peddled on underground forums for anywhere between $60 and $150 based on the brand impersonated since at least November 2017, with the bogus pages supporting more than eight languages to serve content based on the victim's geolocation.

"Phishing kits represent archive files with a set of scripts that ensure the work of a phishing website," the company said. "This toolset enables cybercriminals with modest programming skills to deploy phishing pages quickly and in large numbers, often using them as substitutes for each other."

The disclosure comes as the international police organization said it has seized more than €2 million in connection with a crackdown on West African organized crime dubbed Operation Jackal.

To that end, the cross-border exercise has resulted in the blockade of 208 bank accounts linked to the illicit proceeds of online financial crime, 103 arrests, and the identification of 1,110 suspects.

"Black Axe, and an increasing number of other West African organized crime syndicates, is a violent mafia-style gang renowned for cyber-enabled financial fraud, in particular business email compromise schemes, romance scams, inheritance scams, credit card fraud, tax fraud, advance payment scams and money laundering," the agency noted.

The development also follows the shutdown of a bulletproof hosting service called Lolek Hosted undertaken by the U.S. government as part of a coordinated law enforcement action in partnership with Poland.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#intel