Dark Reading's digest of the other don't-miss stories of the week, including YouTube account takeovers and a sad commentary on cyber-pro hopelessness.

There's no such thing as a slow week for cybercrime, which means that covering the waterfront on all of the threat intelligence and interesting stories out there is a difficult, if not impossible, task. This week was no exception and, in fact, seemed to offer a veritable trove of important happenings that we would be remiss not to mention.

To wit: Dangerous malware campaigns! Info-theft! YouTube Account Takeovers! Crypto under siege! Microsoft warnings!

In light of this, Dark Reading is debuting a weekly "in case you missed it" (ICYMI) digest, rounding up important news from the week that our editors just didn't have time to cover before.

This week, read on for more on the following, ICYMI:

*   Smart Factories Face Snowballing Cyberactivity
*   Lazarus Group Likely Behind $100M Crypto-Heist
*   8220 Gang Adds Atlassian Bug to Active Attack Chain
*   Critical Infrastructure Cyber Pros Feel Hopeless
*   Hacker Impersonates TrustWallet in Crypto Phishing Scam
*   Cookie-Stealing YTStealer Takes Over YouTube Accounts
*   Follina Bug Used to Spread XFiles Spyware

**Smart Factories Face Snowballing Cyberactivity**

A whopping 40% of smart factories globally have experienced a cyberattack, according to a survey out this week.

Smart factories – in which industrial Internet of things IIoT) sensors and equipment are used to reduce costs, obtain telemetry, and bolster automation – are officially a thing, with the digitization of manufacturing well underway. But cyberattackers are taking notice too, according to Capgemini Research Institute.

Among sectors, heavy industry faced the highest volume of cyberattacks (51%). Those attacks take many forms, too: 27% of firms have seen an increase of 20% or more in bot-herders taking over IIoT endpoints for distributed denial-of-service (DDoS) attacks; and 28% of firms said they have seen an increase of 20% or more in employees or vendors bringing in infected devices, for instance.

"With the smart factory being one of the emblematic technologies of the transition to digitization, it is also a prime target for cyberattackers, who are scenting new blood," according to the report.

At the same time, the firm also uncovered that in nearly half (47%) of organizations, smart factory cybersecurity is not a C-level concern.

**Lazarus Group Likely Behind $100M Crypto-Heist**

Security researchers are laying the $100 million hack of the Horizon Bridge crypto exchange at the feet of North Korea's notorious Lazarus Group advanced persistent threat.

Horizon Bridge enables users of the Harmony blockchain to interact with other blockchains. The heist occurred June 24, with the culprits making off with various cryptoassets, including Ethereum (ETH), Tether (USDT), Wrapped Bitcoin (WBTC), and BNB.

According to Elliptic, there are strong indications that Lazarus is behind the incident. The group not only carries out classic APT activity like cyber-espionage, but also acts as a money-earner for the North Korean regime, researchers noted.

The thieves in this case have so far sent 41% of the $100 million in stolen crypto assets into the Tornado Cash mixer, Elliptic noted, which essentially acts as a money launderer.

**8220 Gang Adds Atlassian Bug to Active Attack Chain**

The 8220 Gang has added the latest critical security vulnerability affecting Atlassian Confluence Server and Data Center to its bag of tricks in order to distribute cryptominers and an IRC bot, Microsoft warned this week.

The Chinese-speaking threat group has been actively exploiting the bug since it was disclosed in early June.

"The group has actively updated its techniques and payloads over the last year. The most recent campaign targets i686 and x86\_64 Linux systems and uses RCE exploits for CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access," Microsoft's Security Intelligence Centre tweeted.

**Critical Infrastructure Cyber Pros Feel Hopeless**

A staggering 95% of cybersecurity leaders at critical national infrastructure organizations in the UK say they could see themselves leaving their jobs in the next year.

According to a survey from Bridewell, 42% feel a breach is inevitable and don't want to tarnish their career, while 40% say they are experiencing stress and burnout which is impacting their personal life.

Meanwhile more than two -thirds of the respondents say that the volume of threats and successful attacks has increased over the past year – and 69% say it is harder to detect and respond to threats.

**Hacker Impersonates TrustWallet in Crypto Phishing Scam**

More than 50,000 phishing emails sent from a malicious Zendesk account made their way to email boxes in recent weeks, looking to take over TrustWallet accounts and drain funds.

TrustWallet is an Ethereum wallet and a popular platform for storing non-fungible tokens (NFTs). Researchers at Vade said that the phish impersonates the service, using a slick and convincing TrustWallet-branded site to ask for users' password recovery phrases on a sleek TrustWallet phishing page.

The emails, meanwhile, are unlikely to trigger email gateway filters, since they're being sent from Zendesk.com, which is a trusted, high-reputation domain.

"As NFTs and cryptocurrencies overall have seen a significant downturn in recent weeks, on-edge investors are likely to react quickly to emails about their crypto accounts," according to Vade's analysis this week.

**Cookie-Stealing YTStealer Takes Over YouTube Accounts**

A never-before-seen malware-as-a-service threat has emerged on Dark Web forums, aimed at taking over YouTube accounts.

Researchers at Intezer noted that the malware, which it straightforwardly calls YTStealer, works to steal YouTube authentication cookies from content creators in order to feed the underground demand for access to YouTube accounts. The cookies are extracted from the browser’s database files in the user’s profile folder.

"To validate the cookies and to grab more information about the YouTube user account, the malware starts one of the installed web browsers on the infected machine in headless mode and adds the cookie to its cookie store," according to the analysis. "\[That way\] the malware can operate the browser as if the threat actor sat down on the computer without the current user noticing anything."

From there, YTStealer navigates to YouTube’s Studio content-management page and nabs data, including the channel name, how many subscribers it has, how old it is, if it is monetized, if it's an official artist channel, and if the name has been verified.

**Follina Bug Used to Spread X-Files Spyware**

A rash of cyberattacks is underway, looking to exploit the Microsoft Follina vulnerability to lift scores of sensitive information from victims.

Follina is a recently patched remote code-execution (RCE) bug that's exploitable through malicious Word documents. It started life as an unpatched zero-day that quickly caught on among cybercrime groups.

According to a Cyberint Research Team report shared with Dark Reading via email, analysts found several XFiles stealer campaigns where Follina vulnerability was exploited as part of the delivery phase.

"The group that is selling the stealer is a Russia-region based and is currently looking to expand," researchers said. "Recent evidence suggests worldwide threat actor campaigns \[underway\]."

The stealer sniffs out data from all Chromium-based browsers, Opera, and Firefox, including history, cookies, passwords, and credit card information. It also lifts FTP, Telegram and Discord credentials, and looks for predefined file types that are located on the victim's Desktop along with a screenshot. It also targets other clients, such as Steam, and crypto-wallets.

ICYMI: A Microsoft Warning, Follina, Atlassian, and More

It didn't have to be this way: So far 2022's tranche of zero-days shows too many variants of previously patched security bugs, according Google Project Zero.

So far this year, a total of 18 security vulnerabilities have been exploited as unpatched zero-days in the wild, according to an analysis – and half of those were preventable flaws.

According to Google's Project Zero, nine of the issues were simply variants of previously patched bugs, with four being variants of previous 2021 in-the-wild zero-day bugs. Since these are closely related to security weaknesses that have been seen before, it blows a hole in the theory that zero-day exploits are so advanced that defenders can't hope to catch them, Project Zero's Maddie Stone notes.

"\[After\] the original in-the-wild zero-day \[was\] patched, attackers came back with a variant of the original bug," she explains in a Thursday blog post. "Many of the 2022 in-the-wild 0-days are due to the previous vulnerability not being fully patched."

The slate of 2022 zero-days affects a wide range of platforms, including Apple iOS, Atlassian Confluence, Chromium, Google Pixel, Linux, WebKit, and, of course, Windows (including the Follina and PetitPotam vulns).

In some these cases (Windows win32k and Chromium), the proof-of-concept attack path was patched but not the root cause, so attackers could trigger the original vulnerability through a different path. In other cases, such as PetitPotam, the original vulnerability was patched but "at some point regressed so that attackers could exploit the same vulnerability again," Stone says.

"The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method," she says. "To do that effectively, we need correct and comprehensive fixes."

18 Zero-Days Exploited So Far in 2022

An unauthenticated remote code execution vulnerability found in Zoho’s compliance tool could leave organizations exposed to an information disclosure catastrophe, new analysis shows.

A critical vulnerability in Zoho’s widely used compliance tool, ManageEngine ADAudit Plus, which monitors changes to Microsoft Active Directory, leaves endpoints vulnerable to unauthenticated users. A successful exploit could allow an attacker to take over an entire enterprise network, Horizon3.ai researchers warn.  

ADAudit Plus offers a path into an organization’s workstations, servers, and file servers, giving IT admins access to a range of users, groups, permissions, and login credentials, as well as security policies. ADAudit Plus also enables users to collect security events from agents running on other machines in the domain through endpoints that agents use to upload events.

The platform’s ability to offer deep access into a company’s internal IT ecosystem heightens the potential for a nightmare-scenario level of data exposure in the event of a breach.

The CVE-2022-28219 vulnerability enables malicious actors to easily take over a network for which they already have initial access. Malicious actors could exploit this vulnerability to deploy ransomware, exfiltrate sensitive business data, or disrupt business operations.

They could also then go on to exploit XML External Entities (XXE), Java deserialization, and path traversal vulnerabilities to wreak additional havoc, according to an in-depth analysis this week by Horizon3.ai.

**Inside the Vulnerability**

Horizon3.ai discovered some of the ADAudit Plus endpoints used for reporting were unauthenticated.

“One of the first things that stood out was the presence of a /cewolf endpoint handled by the CewolfRenderer servlet in the third-party Cewolf charting library,” the analysis states. “This is the same vulnerable endpoint from CVE-2020-10189, reported against ManageEngine Desktop Central.”

It added, “This gave us a large attack surface to work with because there’s a lot of business logic that was written to process these events. While looking for a file-upload vector, we found a path to trigger a blind XXE \[XML External Entity injection\] vulnerability in the ProcessTrackingListener class, which handles events containing Windows scheduled task XML content.”

The vulnerability was disclosed to Zoho in March, which released a new build, ADAudit Plus 7060, to fix the issue. The patch fixes the vulnerability by removing the /cewolf endpoint altogether, instead using a secure version of DocumentBuilderFactoryin the ProcessingTrackingListener class and requiring authentication in the form of an agent GUID between agents and ADAudit Plus.

**High Stakes, Plus Exploitation Difficult to Detect**

Horizon3.ai chief architect Naveen Sunkavally explains that ManageEngine products are very common in the enterprise and have been favorite targets of attackers over the years.

“ADAudit Plus is a tool that's used for compliance and auditing, which is a common need for many companies spanning different verticals,” he says. “This vulnerability has been found to be present in many types of environments, from healthcare and technology to construction and local governments.”

Just last fall, ManageEngine ADSelfService Plus, Desktop Central, and ServiceDesk Plus were all actively targeted by attackers using previously undisclosed zero days (CVE-2021-44515, CVE-2021-44077, and CVE-2021-40539) that are now part of the CISA Known Exploited Vulnerabilities (KEV) list.

The latest vulnerability is easy to exploit without any prior knowledge and can yield the "keys to the kingdom,  Sunkavally explains. To boot, exploitation is not that easy to detect because it makes use of the natural behavior of the ADAudit Plus application.

“ADAudit Plus is an attractive target for attackers because it integrates with Active Directory and stores high-privileged domain user credentials,” Sunkavally says.

He notes an attacker with initial access to a compromised network could exploit this vulnerability to extract these high-privileged credentials, move laterally, and take over the entire network.

“We've seen real-world environments where just exploiting this vulnerability alone is enough to take over the enterprise,” Sunkavally adds.

He advises businesses using ADAudit Plus to upgrade to build 7060 or later and ensure ADAudit Plus is configured with a dedicated service account with restricted privileges.

“This vulnerability is not one to hold off on patching,” he says.

**Buggy ManageEngine Has History of Vulnerabilities**

This is not the first time the ManageEngine suite was found to have vulnerabilities. Last September a joint advisory from the FBI and CISA warned of APT attackers exploiting a critical authentication bypass vulnerability in ManageEngine ADSelfService Plus.

While Zoho moved to fix the vulnerabilities, less than a month later Palo Alto Networks issued a warning that many companies are still vulnerable.

Most recently, an elusive attack targeting SolarWinds' Orion network management software, dubbed the Supernova cyberattack, exploited a ManageEngine flaw in the software running on a victim's server.

Critical ManageEngine ADAudit Plus Vulnerability Allows Network Takeover, Mass Data Exfiltration

There were a record number of zero-day attacks last year, but some basic cyber-hygiene strategies can help keep your organization more safe.

Few security exploits are the source of more sleepless nights for security professionals than zero-day attacks. Just over Memorial Day weekend, researchers discovered a new vulnerability enabling hackers to achieve remote code execution within Microsoft Office. Dubbing the evolving threat the Follina exploit, researchers say all versions of Office are at risk. And because blue teams have no time to prepare or patch their systems to defend against these software vulnerabilities, crafty threat actors can take advantage, taking their time after they've accessed an organization's environment to observe and exfiltrate data while remaining completely unseen.

And though sophisticated threat actors and nations have exploited zero-days for nearly two decades, last year saw a historic rise in the number of vulnerabilities detected. Both Google and Mandiant tracked a record number of zero-days last year, with the caveat that more zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal, though. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there's some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

**How Do Zero-Days Work?**

Typically, what a zero-day will do is gain access to an environment through a vulnerability previously unseen, then it stealthily maps the environment and, when ready, launches the attack. This is far too late for an incident response team to prevent further damage. Staying alert for these slow-burn attacks requires an approach to security that prioritizes looking for certain techniques and behaviors that a hacker or known threat group may use, rather than scanning for specific pieces of malware. In other words, ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.

While it might sound like a broken record, patching is integral to protection against exploits. As soon as a proof of concept (PoC) is made public on the Dark Web or more legitimate forums like GitHub, most vendors will develop a patch. Staying on top of guidance from industry organizations like (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploits that are most relevant and most risky to your organization.

However, zero-day exploits are those that the vendor doesn't know exist, and therefore no patch is available. It's very difficult to defend against these without protections and detections that are broad enough to identify tactics, techniques, and procedures. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense.

Above all, investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur. By placing hands on keyboards and unlocking visibility into all aspects of an ecosystem, a security team can more readily detect hints that a zero-day might be targeted against them and deploy necessary patches. For example, if a robot you operate in the US randomly connects to a server in Ukraine without any other unusual behavior, it might signal that a zero-day has been leveraged. And while there may have been an initial access into your robot or environment through a zero-day, having a broad view of your IT security ecosystem, along with technologies like artificial intelligence, can alert an incident response team to create a patch for a vulnerability as soon as possible.

Thankfully, even though more zero-days are being discovered than ever before, they're still relatively rare in the world of cybersecurity. Up until the last several years, zero-day exploits were mostly identified and held closely by national governments, who wanted to save them to deploy whenever necessary. But the commercialization of hacking groups, including ransomware-as-a-service platforms, has created an ecosystem incentivizing the purchasing and selling of zero-days, often with the financial or technological resources of a nation-state in support.

With such capable attackers, virtually every business should be worried — from large companies that serve as final targets for hackers, to smaller companies that can serve as stepping stones in a sequence of attacks. The constant of security operations can detect and mitigate threat actors from lurking behind the scenes of an IT ecosystem through a zero-day exploit, no matter the origin. So, while patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

Zero-Days Aren't Going Away Anytime Soon & What Leaders Need to Know

Plus: Google issues fixes for Android bugs, and Cisco, Citrix, SAP, WordPress, and more issue major patches for enterprise systems.

June has seen the release of multiple security updates, with important patches issued for the likes of Google's Chrome and Android as well as dozens of patches for Microsoft products, including fixes for a Windows zero-day vulnerability that attackers had already exploited. Apple updates were absent at the time of writing, but the month also included some major enterprise-focused patches for Citrix, SAP, and Cisco products.

Here’s what you need to know about the major patches released in the past month.

Microsoft

Microsoft’s Patch Tuesday release was pretty hefty in June, including fixes for 55 flaws in the tech giant’s products. This Patch Tuesday was particularly important because it addressed an already exploited remote code execution (RCE) issue in Windows dubbed Follina, which Microsoft has been aware of since at least May.

Tracked as CVE-2022-30190, Follina—which takes advantage of vulnerabilities in the Windows Support Diagnostic tool and can execute without the need to open a document—has already been used by multiple criminal groups and state-sponsored attackers.

Three of the vulnerabilities addressed in Patch Tuesday affecting Windows Server are RCE flaws and rated as critical. However, the patches seem to be breaking some VPN and RDP connections, so be careful.

Google Chrome

Google Chrome updates continue to come thick and fast. That’s no bad thing, as the world’s most popular browser is by default one of the biggest targets for hackers. In June, Google released Chrome 103 with patches for 14 vulnerabilities, some of which are serious.

Tracked as CVE-2022-2156, the biggest flaw is a use-after-free issue in Base reported by Google’s Project Zero bug-hunting team that could lead to arbitrary code execution, denial of service, or corruption of data. Worse, when chained with other vulnerabilities the flaw could lead to full system compromise.

Other issues patched in Chrome include vulnerabilities in Interest Groups, WebApp Provider, and a flaw in the V8 Javascript and WebAssembly engine.

Google Android

Of the multiple Android security issues Google patched in June, the most severe is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed, Google said in its Android Security Bulletin.

Google also released updates for its Pixel devices to patch issues in the Android Framework, Media Framework, and System Components.

Samsung users seem to have gotten lucky with Android updates of late, with the device maker rolling out its patches very quickly. The June security update is no different, reaching the Samsung Galaxy Tab S7 series, Galaxy S21 series, Galaxy S22 series, and the Galaxy Z Fold 2 straightaway.

Cisco

Software maker Cisco released a patch in June to fix a critical vulnerability in Cisco Secure Email and Web Manager and Cisco Email Security Appliance that could allow a remote attacker to bypass authentication and log in to the web management interface of an affected device.

The issue, tracked as CVE-2022-20798, could be exploited if an attacker enters something specific on the login page of the affected device, which would provide access to the web-based management interface, Cisco said.

Citrix

Citrix has issued a warning urging users to patch some major vulnerabilities that could let attackers reset admin passwords. The vulnerabilities in Citrix Application Delivery Management could result in corruption of the system by a remote, unauthenticated user, Citrix said in a security bulletin. “The impact of this can include the reset of the administrator password at the next device reboot, allowing an attacker with ssh access to connect with the default administrator credentials after the device has rebooted,” the company wrote.

Citrix recommends that traffic to the Citrix ADM’s IP address be segmented from standard network traffic. This diminishes the risk of exploitation, it said. However, the vendor also urged customers to install the updated versions of Citrix ADM server and Citrix ADM agent “as soon as possible.”

SAP

Software firm SAP has released 12 security patches as part of its June Patch Day, three of which are serious. The first listed by SAP relates to an update released on April 2018 Patch Day and applies to the browser control Google Chromium used by the firm’s business clients. Details of this vulnerability aren’t available, but it has a severity score of 10, so the patch should be applied straightaway.

Another major fix concerns an issue in the SAProuter proxy in NetWeaver and ABAP Platform, which could allow an attacker to execute SAProuter administration commands from a remote client. The third major patch fixes a privilege escalation bug in SAP PowerDesigner Proxy 16.7.

Splunk Enterprise

Splunk has released some out-of-band patches for its Enterprise product, fixing issues including a critical-rated vulnerability that could lead to arbitrary code execution.

Labeled CVE-2022-32158, the flaw could allow an adversary to compromise a Universal Forwarder endpoint and execute code on other endpoints connected to the deployment server. Thankfully, there’s no indication that the vulnerability has been used in any real-world attacks.

Ninja Forms WordPress Plug-In

Ninja Forms, a WordPress plug-in with over a million active installations, has patched a serious issue that’s probably being used by attackers in the wild. “We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection,” security analysts at the WordPress Wordfence Threat Intelligence team said in an update.

This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present, researchers said.

The flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for the plug-in, so your site may already be using one of the patched versions.

Atlassian

Australian software company Atlassian has released a patch to fix a zero-day flaw that’s already being exploited by attackers. Tracked as CVE-2022-26134, the RCE vulnerability in the Confluence Server and Data Center can be used to backdoor internet-exposed servers.

GitLab

GitLab has issued patches for versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition and Enterprise Edition. The updates contain important security fixes for eight vulnerabilities, one of which could allow for account takeover.

With this in mind, the firm “strongly recommends” that all GitLab installations be upgraded to the latest version “as soon as possible.” GitLab.com is already running the patched version.

You Need to Update Windows and Chrome Right Now

Microsoft is urging organizations that don't have automatic updates enabled to update to the latest version of Linux Server Fabric to thwart the "FabricScape" cloud bug.

Microsoft this week disclosed a serious container-escape vulnerability in its widely used Azure Service Fabric technology, which gives attackers a way to gain root privileges on the host node and take over all other nodes in the cluster.

The privilege-escalation bug is only exploitable on Linux containers, though it is present in Windows container environments as well, Microsoft said in an advisory Tuesday. Security researchers from Palo Alto Networks reported the bug — which they have dubbed FabricScape — along with a fully operational exploit, on Jan. 30, 2022. Microsoft released a fix for the issue (CVE-2022-30137) on June 14, but details on the bug were just released this week.

The fix has been applied to all customers that are subscribed to Microsoft's automatic update service, but others will need to manually patch to the latest version of Service Fabric. "Customers whose Linux clusters are automatically updated do not need to take further action," the company said in its bug disclosure announcement.

**A Privilege-Escalation Issue**

Service Fabric is a Microsoft container-orchestration technology — like Kubernetes. Numerous organizations use it as a platform-as-a-service to deploy and manage containers and microservices-based cloud applications across a cluster of machines. Palo Alto Networks used Microsoft data to estimate that Service Fabric hosts more than 1 million applications daily across millions of cores.

The bug that Palo Alto Network discovered exists in a logging function with high privileges in a Service Fabric component called Data Collection Agent (DCA). Researchers from the security vendor's Unit 42 threat intelligence team found that an attacker with access to a compromised container could exploit the vulnerability to escalate privileges and gain control of the host node and, from there, escape it and attack the entire cluster.

"The vulnerability allows attackers to take over the entire Service Fabric environment if they get a hold of a single application," says Ariel Zelivansky, director of security research at Palo Alto Networks. This allows attackers to perform lateral movement and to steal, destroy, or manipulate data. Other actions that an attacker could take by exploiting FabricScape include deploying ransomware or hijacking systems for cryptomining.

"If an organization hosts all of its applications, and possibly credentials, on Service Fabric, an attacker can gain control of all of those," Zelivansky says.

For an attack to be successful, a threat actor would first need to find a way to compromise a containerized workload on a Linux Service Fabric cluster, Microsoft said. The attacker would then need to trigger the DCA to run the vulnerable function in a manner that results in a so-called "race condition" where malicious code can be introduced into the environment.

**PoC: Exploiting the Flaw**

Researchers at Palo Alto Networks were able to exploit the vulnerability on Azure Service Fabric using a container under their control and a simulated compromised workload. They found the attack only worked if the compromised container had access to Service Fabric runtime data — something that is granted by default in single-tenant environments but less common in multitenant setups.

"Any application that is powered by a Service Fabric Linux cluster with runtime access, which is granted by default, is affected," Zelivansky said. Last year, Palo Alto Networks discovered another set of vulnerabilities in the Azure Container Instances (ACI) platform that allowed for a similar container escape.

Microsoft urged organizations using Service Fabric to review containerized workloads in both Linux and Windows environments that had access to host clusters. "By default, a \[Service Fabric\] cluster is a single-tenant environment and thus there is no isolation between applications," Microsoft said. All applications running in these single tenant environments are considered trusted and therefore have access to Service Fabric runtime, Microsoft said.

Thus, organizations that want to run untrusted application in a Service Fabric cluster should take additional measures to create isolation between applications and should remove access to Service Fabric runtime for those untrusted apps, Microsoft said.

Zelivansky says the first layer of defense against vulnerabilities such as FabricScape is focusing on the application itself, limiting the possibility of an attack by remediating known vulnerabilities in their code. They can also limit exposure to the Internet.

However, he offers a caveat: "But the reality is that even if an application is safe from any known vulnerability, zero-day vulnerabilities could be discovered and exploited in any code. And \[software\] supply-chain attacks such as typosquatted or malicious packages are becoming more common than before," he says.

Zelivansky says organizations running Linux Service Fabric clusters should check their cluster version and verify the version is at least 9.0.1035.1. "An organization should check if they have Linux-based applications on Service Fabric. If the answer is yes, we recommend giving top priority to addressing this vulnerability now that its full details are out."

**Cloud Vulnerabilities in Cyberattackers' Sights**

Vulnerabilities in cloud products and services have become a growing concern for organizations — and not just because of the security risks associated with them. In many cases, organizations also have a hard time keeping track of cloud vulnerabilities because of the absence of a common vulnerability enumeration (CVE) program for cataloging them. Because many cloud-security issues are considered the service provider's sole responsibility, there often has been little disclosure of these issues, leaving organizations in the dark about whether they might have been exposed to a specific threat.

This week researchers at Wiz launched a new community-based cloud vulnerability database aimed at addressing this lack of information. The database currently contains information on some 70 previous security issues in cloud products and services. Anyone can add to the database going forward. The goal is to make it a central repository for information on cloud threats in the absence of a formal program like MITRE's CVE program for information security flaws.

Patch Now: Linux Container-Escape Flaw in Azure Service Fabric

See how these novel, sophisticated, or creative threats used techniques such as living off the land to evade detection from traditional defensive measures — but were busted by AI.

We're now halfway through 2022, and already we have seen a range of cyberattacks, familiar and unfamiliar, disrupting organizations. However, we have also seen uplifting stories of successful threat detection efforts, as well.

In this article, we will look at five novel, sophisticated, or creative threats that used techniques such as "living off the land" to evade detection by traditional defensive measures. These threats were all discovered by artificial intelligence (AI) technology, which can spot subtle deviations in device and user behavior and autonomously enforce "normal," stopping a threat in its tracks.

**1\. Leading Laboratory Interrupts Dark Web Insider Threat With AI**

Cyberattacks against the healthcare sector hit record highs last year, and for these organizations cyber threats can have severe real-world consequences. One of Darktrace's healthcare clients is a company specializing in the research, development, and manufacturing of innovative in vitro diagnostic tests for disease, conditions, and infections.

In March, this company was targeted by a malicious insider threat. An employee was looking to exploit their access within the organization to sell proprietary intellectual property, perhaps even medical supplies, on the Dark Web. The employee was detected using Tor on a company device to connect to a Dark Web pharmaceutical market forum.

Malicious or compromised insiders can be difficult to identify because their privileged access and knowledge of company workings allow them to evade detection by traditional security tools. In order to protect intellectual property from insider threat, organizations need to augment security teams with AI-powered technology to stop malicious activity in real time.

In this case, given that no other company device had visited the Tor network in the past, Darktrace's AI flagged the activity to the security team, who were then able to investigate the employee and discover their malicious intentions.

**2\. Babuk Double-Extortion Ransomware Neutralized at a Technology Manufacturer**

Babuk is a double-extortion ransomware strain that has successfully attacked high-value organizations around the world since 2021. In February 2022, however, it targeted a multinational technology manufacturer that had deployed AI cybersecurity. The targeted company facilitates the adoption of smart medical devices as well as electric and autonomous vehicles. This means uptime is important, and ransomware poses a significant risk.

The first sign of a threat came in the early hours of the morning, when the AI detected a company device performing network scanning and making unusual connections to other internal devices. Based on its understanding of the device's usual "pattern of life," the AI identified this out-of-the-ordinary behavior as malicious and calculated a response.

The AI was able to stop this attack without interfering with normal business operations in the company's office or on the manufacturing floor. It blocked only the malicious connections, while allowing the rest of the compromised device's operations to continue.

Once the attack had been stopped, a post-compromise analysis conducted by the AI revealed that the compromised device had indeed been attempting to distribute files with "babyk" extensions. These attacks often strike out of hours, so defenders of critical infrastructure should consider using artificial intelligence to allow their organizations to self-defend against advanced threats.

**3\. HR-Spoofing Attack Targets Employees at Private Equity Firm**

Phishing and spoofing emails continue to be the favorite initial entry point for cyberattackers. Earlier this year, a private equity firm looking to bolster its email security efforts trialed an AI email security solution and detected a targeted spoofing attack almost immediately.

The attackers had tailored their email to imitate the company's internal HR communications, titling it "Q3 Commission 2021 and Agenda" and designing it to look like a SharePoint Microsoft document. To a company employee, this email would not have looked at all out of place in their inbox.

Further investigation showed the email to be part of a wider trend of targeted phishing campaigns that use fake Microsoft branding to trick employees. The exact motivations of this attack are unknown because it was stopped in its earliest stages, but attacks like it are often launched with the aim of causing operational disruption or conducting IP and financial theft.

**4\. Ransomware Attack Against a Financial Services Provider Halted**

In March 2022, a South African financial services firm decided to try out Darktrace's technology and immediately uncovered an in-progress ransomware attack attempting to encrypt its most valuable data.

The first sign of compromise was a company mail server making unusual HTTP connections to an external endpoint and communicating with a malicious server via the Internet. Its understanding of the business and this particular mail server's normal behavior allowed the AI to identify the threatening activity.

The compromised server was then seen attempting to perform network reconnaissance and lateral movement to increase its presence within the organization. Further investigation revealed that attackers had obtained the credentials of 11 employees, including several C-level executives. With the attack spreading fast, more and more company devices began attempting to communicate with the malicious external server.

The AI quickly interrupted further attempts at communication with the malicious server but allowed normal business operations to continue. With the attack safely contained, Darktrace helped the company's security team to conduct a full investigation and ensure that the attack had been completely neutralized.

**5\. AI Stops Log4j Exploit at a Global Financial Services Provider**

The Log4Shell vulnerability that went public at the end of 2021 is one of the most serious and widespread exploits on record. It is thought by some to have affected hundreds of millions of devices and, as a zero-day, it has evaded lots of traditional security tools.

Fortunately, AI security has been able to mitigate the effects of Log4Shell for many of the organizations it protects. One of these, a global financial services provider with assets of over $5 billion, was targeted in March 2022.

The attackers used a Log4j vulnerability to gain access to one of the company's virtual desktop infrastructure (VDI) servers, from which they attempted to scan the surrounding network and spread throughout the enterprise. The server began downloading a shell script from a suspicious external endpoint, prompting an immediate alert from the company's AI-driven security measures.

Convinced of the severity of the threat by the alert, the company's security team promptly deployed AI technology to take precise action against the threat and maintain the regular business activities on the VDI server.

Fast action from this AI-driven response technology blocked the malicious connections and prevented the threat from progressing further, very likely saving the company from a ransomware attack.

5 Surprising Cyberattacks AI Stopped This Year

A new commercial spyware for governments, called Hermit, has spotted in the wild. It affects iOS and all Android versions.
The post Hermit spyware is deployed with the help of a victim’s ISP appeared first on Malwarebytes Labs.

Google’s Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users’ mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus.

Italian vendor RCS Labs developed Hermit. The spyware was spotted in Kazakhstan (to suppress protests against government policies), Italy (to investigate those involved in an anti-corruption case), and Syria (to monitor its northeastern Kurdish region), all deployed by their respective governments.

Hermit affects Android and iOS devices and is described as a modular spyware. This means it can download pieces of itself (modules) for additional functionalities, making it customizable to suit client needs, from a C2 (command and control) server.

Unlike NSO’s Pegasus, Hermit is not as stealthy. But at its core, it functions like any government-grade spyware. It can read SMS and chat messages, view passwords, intercept calls, record calls and ambient audio, redirect calls, and pinpoint precise locations of victims.

Hermit also roots all infected Android devices, giving itself deeper access to phone features and user data. On iOS, Hermit is packed with six exploits, two of which were targeting zero-day vulnerabilities. According to Google’s report, these are the following exploits:

*   CVE-2018-4344 internally referred to and publicly known as LightSpeed.
*   CVE-2019-8605 internally referred to as SockPort2 and publicly known as SockPuppet
*   CVE-2020-3837 internally referred to and publicly known as TimeWaste.
*   CVE-2020-9907 internally referred to as AveCesare.
*   CVE-2021-30883 internally referred to as Clicked2, marked as being exploited in-the-wild by Apple in October 2021.
*   CVE-2021-30983 internally referred to as Clicked3, fixed by Apple in December 2021.

A Hermit spyware campaign starts off as a seemingly authentic messaging app users are deceived into downloading. A government actor also poses as a mobile carrier over SMS—sometimes with the help of the target’s ISP—to socially engineer targets into downloading the spyware masquerading as a tool to “fix” their internet connection.

Both Apple and Google have already notified their users regarding this spyware, and then some. Apple revoked the legitimate certificates Hermit abused to reside on iPhone devices, while Google beefed up its Google Play Protect security app to block Hermit from running. Google also pulled the plug on Hermit’s Firebase account, which it uses to communicate with its C2.

When questioned by TechCrunch, RCS Labs provided a statement, which we have replicated in part below:

> RCS Lab exports its products in compliance with both national and European rules and regulations. Any sales or implementation of products is performed only after receiving an official authorization from the competent authorities. Our products are delivered and installed within the premises of approved customers. RCS Lab personnel are not exposed, nor participate in any activities conducted by the relevant customers.

Providers of government-grade spyware like Pegasus and Hermit always claim to have legitimate reasons for creating malware. But as we’ve seen and heard from countless reports, they are mainly used to spy on journalists, activists, and human rights defenders.

Hermit spyware is deployed with the help of a victim’s ISP

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed PwnKit to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.
The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week moved to add a Linux vulnerability dubbed **PwnKit** to its Known Exploited Vulnerabilities Catalog, citing evidence of active exploitation.

The issue, tracked as CVE-2021-4034 (CVSS score: 7.8), came to light in January 2022 and concerns a case of local privilege escalation in polkit's pkexec utility, which allows an authorized user to execute commands as another user.

Polkit (formerly called PolicyKit) is a toolkit for controlling system-wide privileges in Unix-like operating systems, and provides a mechanism for non-privileged processes to communicate with privileged processes.

Successful exploitation of the flaw could induce pkexec to execute arbitrary code, granting an unprivileged attacker administrative rights on the target machine and compromising the host.

It's not immediately clear how the vulnerability is being weaponized in the wild, nor is there any information on the identity of the threat actor that may be exploiting it.

Also included in the catalog is CVE-2021-30533, a security shortcoming in Chromium-based web browsers that was leveraged by a malvertising threat actor dubbed Yosec to deliver dangerous payloads last year.

Furthermore, the agency added the newly disclosed Mitel VoIP zero-day (CVE-2022-29499) as well as five Apple iOS vulnerabilities (CVE-2018-4344, CVE-2019-8605, CVE-2020-9907, CVE-2020-3837, and CVE-2021-30983) that were recently uncovered as having been abused by Italian spyware vendor RCS Lab.

To mitigate any potential risk of exposure to cyberattacks, it's recommended that organizations prioritize timely remediation of the issues. Federal Civilian Executive Branch Agencies, however, are required to mandatorily patch the flaw by July 18, 2022.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Active Exploitation of 'PwnKit' Linux Vulnerability in the Wild

The previously unknown state-sponsored group is compromising industrial targets with the ShadowPad malware before burrowing deeper into networks.

A previously unknown Chinese-speaking advanced persistent threat (APT) is exploiting the ProxyLogon Microsoft Exchange vulnerability to deploy the ShadowPad malware, researchers said — with the end goal of taking over building-automation systems (BAS) and moving deeper into networks.

That's according to researchers at Kaspersky ICS CERT, who said that the infections affected industrial control systems (ICS) and telecom firms in Afghanistan and Pakistan, as well as a logistics and transport organization in Malaysia. The attacks came to light in October but appear to date back to March 2021.

"We believe that it is highly likely that this threat actor will strike again and we will find new victims in different countries," according to Kaspersky's Monday analysis.

In this specific spate of attacks, Kaspersky observed a unique set of tactics, techniques, and procedures (TTPs) linking the incidents together, including attackers compromising BAS engineering computers as their initial access point. Researchers noted this is an unusual move for an APT group, despite proof-of-concept malware being available for such platforms.

"Building-automation systems are rare targets for advanced threat actors," said Kirill Kruglov, security expert at Kaspersky ICS CERT, in the alert. "However, those systems can be a valuable source of highly confidential information and may provide the attackers with a backdoor to other, more secured, areas of infrastructures."

The attacks also threaten the physical integrity of buildings, researchers warned. BAS infrastructure unites operational features, such as electricity, lighting, HVAC systems, fire alarms, and security cameras, so they can be managed from a single management console.

"Once a BAS is compromised, all processes within that are at risk, including those relating to information security," according to Kaspersky's alert about the attacks.

In a real-world example of this rare kind of attack, last December a building automation engineering firm suddenly lost contact with hundreds of its BAS devices, including light switches, motion detectors, shutter controllers, and others — after being locked down with the system's own digital security key, which the attackers hijacked. The firm had to revert to manually flipping on and off the central circuit breakers in order to power on the lights in the building.  

**ProxyLogon Leads to ShadowPad Malware in Stealthy Infections**

In many cases, the cyberattackers exploited the ProxyLogon remote code-execution (RCE) vulnerability in MS Exchange (CVE-2021-26855), the firm added. When used in an attack chain, the exploits for these ProxyLogon could allow an attacker to authenticate as the Exchange server and deploy a Web shell so they can remotely control the target server.

ProxyLogon was disclosed in March 2021 after being exploited as a zero-day bug by a Chinese state-sponsored group that Microsoft calls Hafnium — but soon a dizzying array of threat groups piled on to exploit the issue to enable different kinds of attacks.

In this case, once in, the APT deploys the ShadowPad remote access Trojan (RAT) — a popular backdoor and loader used by various Chinese APTs. According to previous analysis from Secureworks, ShadowPad is advanced and modular, first deployed by the "Bronze Atlas" threat group in 2017. "A growing list of other Chinese threat groups have deployed it globally since 2019 in attacks against organizations in various industry verticals," the report noted.

Kaspersky researchers said that in the BAS attacks, "The ShadowPad backdoor was downloaded onto the attacked computers under the guise of legitimate software."

Specifically, the malware originally masqueraded as the mscoree.dll file, which is a Microsoft library file essential for the execution of "managed code" applications written for use with the .NET Framework. As such, the malware was launched by the legitimate AppLaunch.exe application, which itself was executed by creating a task in the Windows Task Scheduler. Last fall, the attackers switched to using the DLL-hijacking technique in legitimate software for viewing OLE-COM objects (OleView). The Windows Task Scheduler is also used in the newer approach. In both cases, using such living-off-the-land tools (i.e., legitimate native software) means that the activity is unlikely to raise any system-intrusion flags.

After the initial infection, the attackers first sent commands manually, then automatically, to deploy additional tools. Researchers said those included the following:

*   The CobaltStrike framework (for lateral movement)
*   Mimikatz (for stealing credentials)
*   The well-known PlugX RAT
*   BAT files (for stealing credentials)
*   Web shells (for remote access to the Web server)
*   The Nextnet utility (for scanning network hosts)

"The artifacts found indicate that the attackers stole domain-authentication credentials from at least one account in each attacked organization (probably from the same computer that was used to penetrate the network)," according to Kaspersky. "These credentials were used to further spread the attack over the network … we do not know the ultimate goal of the attacker. We think it was probably data harvesting."

**How to Protect Against APT Attacks Targeting BAS, Critical Infrastructure**

The attacks develop "extremely rapidly," Kaspersky said, so early-state detection and mitigation is key to minimizing damage. The researchers recommended the following best practices to protect industrial infrastructure, including BAS footprints:

*   Regularly update operating systems and any application software that are part of the enterprise's network. Apply security fixes and patches to operational-technology (OT) network equipment such as BAS, as soon as they are available.
*   Conduct regular security audits of OT systems to identify and eliminate possible vulnerabilities.
*   Use OT network traffic monitoring, analysis, and detection solutions for better protection from attacks that potentially threaten OT systems and main enterprise assets.
*   Provide dedicated OT security training for IT security teams and OT engineers.
*   Provide the security team responsible for protecting ICS with up-to-date threat intelligence.
*   Use layered security solutions for OT endpoints and networks.

Tag

#zero_day