August 2023
Legitimate Remote Access Tooling Abused by Threat Actors
The Aspire SOC have recently been engaged in an incident response engagement for a global manufacturing organisation. During the engagement, the team discovered and prevented the threat actor from installing and abusing ConnectWise ScreenConnect. ScreenConnect is a remote management tool legitimately used by thousands of IT teams and Managed Service Providers (MSPs) around the world. Whilst ConnectWise ScreenConnect is a legitimate tool, the functionality it provides and its ability to blend in with normal administrative activity make it a perfect tool for conducting malicious activity. Threat actors are able to sign up for a ‘free trial’ on the website without any prior authentication or checks.
Countermeasures
Aspire SOC regularly monitor for remote management and access tooling across RealProtect tenants and alert customers to any nefarious activity.
Aspire Recommendations
In addition to the monitoring that RealProtect provides, it’s important to audit and control which applications can be executed or installed in your estate. Moreover, we see organisations using multiple remote access tools, which makes them increasingly difficult to govern. Organisations should review or create their policy on permitted remote management tooling to establish a baseline of normal activity across the estate.
New Technique Using PDF as Container
A new technique has been actively used by attackers in which seemingly harmless PDF files are crafted so that they open in Microsoft Word, at which point malicious actions are triggered using macros. This technique evades the macro detection of many malware scanners. If your organisation has auto-execution of macros disabled (a good idea), this is not a threat, but many organisations use legacy documents or tools that require macros to be enabled.
Countermeasures
Aspire’s SOC tooling detects the malicious behaviours should such a file be opened on a machine (endpoint), allowing containment steps to be taken.
Aspire Recommendations
We recommend disabling macros within Office documents or, if that is not possible, at least disabling auto-execution. User awareness training should remind employees of the danger of suspicious documents and downloads.
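The following triage check, added here as an illustration and not part of Aspire’s tooling, shows how a defender can flag a file that presents as a PDF but also carries Word or VBA macro content. It checks that the extension agrees with the file header, then looks for indicators that normally have no business inside a PDF (an OLE container, an OOXML `vbaProject.bin` entry, Word MHTML markers, VBA attribute lines). The sample byte strings are constructed for the example, and the indicator list is an assumption about what such files commonly contain rather than a complete signature.

```python
"""Triage check for PDF files that carry embedded Word/macro content.

Added example, not Aspire's own code. Indicator patterns are assumptions
about what Word/VBA content typically looks like, not a complete signature.
"""
import re

PDF_MAGIC = b"%PDF"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docm) container

# Byte patterns that indicate Word content or VBA macros inside the file body.
OFFICE_INDICATORS = {
    "ole_container": re.compile(re.escape(OLE_MAGIC)),
    "ooxml_vba_project": re.compile(rb"word/vbaProject\.bin"),
    "mhtml_word_marker": re.compile(rb"mso-application|ProgId content=Word\.Document", re.I),
    "vba_attribute": re.compile(rb"Attribute VB_"),
}


def triage_pdf(data: bytes, filename: str):
    """Return a list of findings (empty list = nothing suspicious)."""
    findings = []
    # The PDF header may legitimately be preceded by up to 1024 bytes of junk,
    # so search the first 1 KiB rather than insisting on offset 0.
    has_pdf_header = data.find(PDF_MAGIC, 0, 1024) != -1
    if filename.lower().endswith(".pdf") and not has_pdf_header:
        findings.append("extension_magic_mismatch")
    hits = [name for name, rx in OFFICE_INDICATORS.items() if rx.search(data)]
    if has_pdf_header and hits:
        # A real PDF with Office/macro content appended or embedded: the case
        # described in the bulletin, where the file opens in Word instead.
        findings.append("pdf_with_office_content")
    findings.extend(hits)
    return findings


def scan_path(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage_pdf(fh.read(), path)


# Constructed samples (not real malware): a clean PDF, a PDF with Word MHTML
# and VBA content appended, and a macro-enabled OOXML document renamed to .pdf.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
POLYGLOT = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    b"MIME-Version: 1.0\nContent-Type: multipart/related\n"
    b"<meta name=ProgId content=Word.Document>\n"
    b'Attribute VB_Name = "ThisDocument"\n'
)
RENAMED_DOCM = ZIP_MAGIC + b"[Content_Types].xml ... word/vbaProject.bin ..."

if __name__ == "__main__":
    for name, blob in [("report.pdf", CLEAN_PDF), ("invoice.pdf", POLYGLOT),
                       ("invoice.pdf", RENAMED_DOCM)]:
        print(name, triage_pdf(blob, name))
```

Any non-empty result is a reason to quarantine the file for analysis rather than deliver it; the check is cheap enough to run on every inbound attachment before it reaches a user’s mailbox.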
Aspire prevents Akira Ransomware Group targeting an SMB
Aspire have recently detected an attacker brute forcing a Cisco AnyConnect VPN and attempting to conduct discovery on an organisation’s network. Upon gaining access to the network via the VPN, the actor conducts reconnaissance to discover critical servers in the network range. The group known as Akira were seen specifically targeting SQL and backup servers. The group’s discovery campaign, once initial access to the network has been gained, is careful and calculated to avoid generating noise and risking detection. Akira are known to target small to medium businesses in the West.
Countermeasures
Aspire SOC already detect this actor and have recently prevented the group from fully compromising an organisation, stopping them at the discovery stage. Aspire worked with the organisation to harden their VPN with MFA.
Aspire Recommendations
- Enable MFA on the VPN
- Audit your authentication logs for brute force attempts
- Audit access to SQL databases
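To make the “audit your authentication logs for brute force” recommendation concrete, here is an added example (not Aspire’s SIEM content) of the sliding-window logic a detection rule uses. It reads VPN authentication events, counts failures per source address inside a time window, distinguishes a single account being hammered (brute force) from many accounts being tried once each (password spraying), and separately flags a successful login that immediately follows a run of failures from the same source. The log format and all sample lines are constructed for the example; real AnyConnect or ASA syslog messages would need their own parser, but the detection logic is unchanged.

```python
"""Brute-force and password-spray detection over VPN authentication logs.

Added example, not Aspire's tooling. The log format is a constructed,
simplified one: "<ISO timestamp> <gateway> auth=OK|FAIL user=<name> src=<ip>".
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    result: str
    user: str
    src: str


def parse_line(line):
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return AuthEvent(ts, m["result"], m["user"], m["src"])


def detect_bruteforce(lines, fail_threshold=5, window=timedelta(minutes=10),
                      min_fails_before_success=3):
    """Return alert dicts: volume alerts per source, plus success-after-failures."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures inside the window
    threshold_alerted = set()     # one volume alert per source
    alerts = []
    for e in events:
        q = recent[e.src]
        while q and e.ts - q[0][0] > window:   # expire failures outside the window
            q.popleft()
        if e.result == "FAIL":
            q.append((e.ts, e.user))
            if len(q) >= fail_threshold and e.src not in threshold_alerted:
                users = sorted({u for _, u in q})
                # many users from one source = spraying; one user = classic brute force
                alerts.append({"type": "password_spray" if len(users) > 1 else "brute_force",
                               "src": e.src, "failures": len(q), "users": users,
                               "ts": e.ts.isoformat()})
                threshold_alerted.add(e.src)
        elif len(q) >= min_fails_before_success:
            # a success right after repeated failures: credentials were likely guessed
            alerts.append({"type": "success_after_failures", "src": e.src,
                           "user": e.user, "failures": len(q), "ts": e.ts.isoformat()})
    return alerts


# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "2023-08-14T09:00:00Z vpn-gw auth=FAIL user=jsmith src=203.0.113.10",
    "2023-08-14T09:00:30Z vpn-gw auth=FAIL user=jsmith src=203.0.113.10",
    "2023-08-14T09:01:00Z vpn-gw auth=FAIL user=jsmith src=203.0.113.10",
    "2023-08-14T09:01:30Z vpn-gw auth=FAIL user=jsmith src=203.0.113.10",
    "2023-08-14T09:02:00Z vpn-gw auth=FAIL user=jsmith src=203.0.113.10",
    "2023-08-14T09:02:30Z vpn-gw auth=OK user=jsmith src=203.0.113.10",
    "2023-08-14T09:05:00Z vpn-gw auth=FAIL user=admin src=198.51.100.7",
    "2023-08-14T09:05:10Z vpn-gw auth=FAIL user=backup src=198.51.100.7",
    "2023-08-14T09:05:20Z vpn-gw auth=FAIL user=sql src=198.51.100.7",
    "2023-08-14T09:05:30Z vpn-gw auth=FAIL user=svc_vpn src=198.51.100.7",
    "2023-08-14T09:05:40Z vpn-gw auth=FAIL user=itadmin src=198.51.100.7",
    "2023-08-14T10:30:00Z vpn-gw auth=FAIL user=alice src=192.0.2.55",   # one typo, then OK
    "2023-08-14T10:31:00Z vpn-gw auth=OK user=alice src=192.0.2.55",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

The `success_after_failures` alert is the one worth paging on: with MFA enforced on the VPN it should never fire, and if it does it means a password was guessed and the second factor is missing or was bypassed.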
July 2023
Citrix Servers Targeted for Exploitation Following Discovery of New Vulnerability
The Aspire SOC performed vulnerability research of a recent Citrix ‘zero-day’ vulnerability. The team identified over 3,000 vulnerable Citrix hosts in the UK alone and notified the identified businesses of the risk. This vulnerability would allow a malicious actor to gain access to the target network, execute code and operate stealthily. Citrix is commonly found in organisations worldwide in remote access and load balancing solutions; whilst it is a popular technology that enables business, it is a technology that should not be neglected in your patching strategy.
Aspire Recommendations
It’s recommended that you prioritise patching of critical technologies in your organisation, especially public-facing infrastructure and services. Where possible, you should reduce the exposure of public-facing infrastructure and services by only allowing traffic from the IP addresses you expect traffic from.
Countermeasures
When vulnerabilities of this nature come to light, the Aspire SOC perform rapid and proactive analysis and identification of potentially impacted businesses. Guidance is sent out detailing how to remediate the vulnerability, how to check whether you have been compromised, and ongoing guidance steps. The Aspire SOC also operate a managed vulnerability scanning service that can identify similar vulnerabilities in the future.
Aspire SOC Performs Threat Research of Threat Actor Dubbed ‘Volt Typhoon’
The Aspire SOC team have been providing specialist detection rules against an attacker group’s campaign, known as ‘Volt Typhoon’. This group has recently been uncovered targeting manufacturing businesses in the US and UK, and has become well known for techniques that rely solely on native tooling found in Windows systems. The SOC team have provided multiple rules for the SIEM platform that will detect this campaign, protecting any businesses that could be targets.
Aspire Recommendations
The Aspire SOC recognise that this activity is difficult to defend against due to its stealthy nature of utilising existing Windows administrative tools. You should review and lock down which tools and commands can be utilised on your estate.
Countermeasures
The Aspire SOC can provide specialist support to ensure you have coverage of the latest threats across all of your technology. The SOC team at Aspire are trained and versed in countering threat actors like this.
June 2023
Adwind RAT attack attempts
June saw some of Aspire’s customers unsuccessfully targeted with Adwind, a “Malware as a Service” platform that deploys malicious cross-platform RATs (Remote Access Trojans), providing attackers with a range of tools on an infected device, including keylogging, password grabbing, file transfer and surveillance.
Aspire SOC Countermeasures
The RealProtect SIEM monitors for interactions from customer estates with known malicious C&C (command and control) servers, alerting the team to the potential presence of malware on a device.
RealProtect customers with EDR are also protected by CrowdStrike’s robust defences against malicious software, which suppress processes and alert the SOC team for further action and investigation.
Recommendations
To protect against malicious software (malware), organisations should follow security best practices including least privilege, software patching, user awareness training and secure configuration. For further advice on implementing a programme of best practices, contact Aspire.
Microsoft Teams used to deploy malware
In June, security researchers confirmed that Microsoft Teams’ protections around files from external sources can be trivially bypassed, allowing attackers to use Microsoft Teams as a delivery mechanism to deploy malware to companies, if the default configuration allowing communications from external users is enabled.
Aspire SOC Countermeasures
The general endpoint protection and monitoring services provided to RealProtect customers mean that attacks leveraging this technique have a high likelihood of detection and containment.
Recommendations
It is recommended that the default configuration for Microsoft 365 tenancies is changed to allow communications and collaboration with external entities by exception only (via an allowlist). Guides are available on Microsoft’s website, including ‘Create a more secure guest sharing environment’ on Microsoft Learn.
SocGholish attacks
June also saw the SocGholish malware attempting to establish a foothold on customer systems. It is typically deployed via legitimate websites that have been compromised by attackers: a user visits a legitimate website and is prompted by their browser to install a new security update; accepting the update downloads malicious JavaScript that begins further processes using Windows scripting tools to deploy malware and establish a persistent presence on the device.
Aspire SOC Countermeasures
The RealProtect SIEM monitors for interactions from customer estates with known malicious C&C (command and control) servers, alerting the team to the potential presence of malware on a device. RealProtect customers with EDR are also protected by CrowdStrike’s robust defences against malicious software, which suppress processes and alert the SOC team for further action and investigation.
Recommendations
To protect against malicious software (malware), organisations should follow security best practices including least privilege, software patching, user awareness training and secure configuration. For further advice on implementing a programme of best practices, contact Aspire.
May 2023
Encrypted message files in phishing attacks
Attackers are using attachment files called Restricted Permission Message Files (.rpmsg). These attachments can bypass most email security gateways, as the content of the file is encrypted. Users are lured into opening the attachment, which requires the user to obtain a one-time password (OTP) or authenticate using their M365 credentials.
Once authenticated, the message is displayed to the user. This is typically another lure to an external phishing page with the objective of stealing credentials or the M365 session token to fully compromise the user’s account.
The initial vectors abuse trusted services such as Microsoft’s restricted permission messages.
Aspire countermeasures
- For our ‘O365 Monitoring’ and ‘RealProtect Complete’ customers, we’re monitoring for ‘.rpmsg’ files being interacted with.
- We’re also reviewing how often users receive OTPs from Microsoft 365.
Further recommendations
- Consider user awareness training
- Flagging/marking external e-mails
- Blocking/filtering e-mails with the ‘.rpmsg’ attachment
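The two countermeasures above (watching for .rpmsg attachments and reviewing how often users receive OTPs) come down to two simple queries over mail-flow records. Here is an added example of both, written for this bulletin rather than taken from Aspire’s SIEM: one function isolates messages from outside the organisation that carry an .rpmsg attachment, the other counts OTP notification mails per recipient per day and reports anyone above a baseline. The record layout, the internal domain, the OTP subject wording and the daily threshold are all assumptions chosen for the example; adjust them to your own message-trace export.

```python
"""Mail-log review for .rpmsg lures and unusual one-time-passcode volume.

Added example, not Aspire's own detection content. Record fields, the
internal domain and the OTP subject pattern are assumptions for the demo.
"""
from collections import Counter
import re

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domain(s)
# Assumption: OTP notification subjects mention a one-time passcode/password.
OTP_SUBJECT = re.compile(r"one[- ]time (passcode|password)", re.I)
RPMSG_EXT = re.compile(r"\.rpmsg$", re.I)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def external_rpmsg(messages):
    """Messages from outside the organisation that carry an .rpmsg attachment."""
    return [m for m in messages
            if sender_domain(m["from"]) not in INTERNAL_DOMAINS
            and any(RPMSG_EXT.search(name) for name in m["attachments"])]


def otp_volume(messages, per_day_threshold=3):
    """Map (recipient, date) -> count for recipients whose OTP mail count
    reaches the threshold in a single day; a spike suggests repeated lures."""
    counts = Counter()
    for m in messages:
        if OTP_SUBJECT.search(m["subject"]):
            counts[(m["to"].lower(), m["date"])] += 1
    return {key: n for key, n in counts.items() if n >= per_day_threshold}


# Constructed message-trace records (not real traffic).
SAMPLE_MESSAGES = [
    {"date": "2023-05-10", "from": "invoices@partner-mail.example.net", "to": "bob@example.com",
     "subject": "Protected invoice", "attachments": ["message.rpmsg"]},
    {"date": "2023-05-10", "from": "hr@example.com", "to": "bob@example.com",
     "subject": "Contract (encrypted)", "attachments": ["message.rpmsg"]},   # internal: expected
    {"date": "2023-05-10", "from": "no-reply@otp.example.net", "to": "bob@example.com",
     "subject": "Your one-time passcode to view the message", "attachments": []},
    {"date": "2023-05-10", "from": "no-reply@otp.example.net", "to": "bob@example.com",
     "subject": "Your one-time passcode to view the message", "attachments": []},
    {"date": "2023-05-10", "from": "no-reply@otp.example.net", "to": "bob@example.com",
     "subject": "Your one-time passcode to view the message", "attachments": []},
    {"date": "2023-05-10", "from": "no-reply@otp.example.net", "to": "carol@example.com",
     "subject": "Your one-time passcode to view the message", "attachments": []},
    {"date": "2023-05-11", "from": "dave@example.com", "to": "carol@example.com",
     "subject": "Lunch?", "attachments": ["menu.pdf"]},
]

if __name__ == "__main__":
    for m in external_rpmsg(SAMPLE_MESSAGES):
        print("external .rpmsg:", m["from"], "->", m["to"])
    for (user, day), n in otp_volume(SAMPLE_MESSAGES).items():
        print(f"{user} received {n} OTP mails on {day}")
```

Internal senders are deliberately excluded from the first check because restricted permission messages are a legitimate feature; it is the external sender plus the encrypted attachment that makes the pattern worth a look.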
APT groups continuing to exploit ‘stale’ Log4Shell vulnerabilities in IIS web servers
It has been reported this month that several APT groups have been observed exploiting old vulnerabilities in IIS web servers, such as Log4Shell. These vulnerabilities are exploited by attackers to gain initial access to organisations’ networks and continue orchestrating their attack, typically leading to data exfiltration and encryption.
Aspire countermeasures
- Crowdstrike EDR has strong defences against malicious webshells.
- The Aspire SIEM is capable of ingesting IIS web server logs to monitor for suspicious process execution (the w3wp process) and suspicious ‘.aspx’ files.
- The Aspire Incident Response (IR) team have experience of responding to IIS attacks and exploitation incidents concerning other MS infrastructure such as Log4J/Shell, Hafnium and ProxyShell.
- Our ‘Managed Vulnerability Scanning’ (also included in RealProtect Complete) identifies and surfaces the vulnerabilities mentioned in this advisory, reducing your time to remediate and minimising your patch management spend.
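The w3wp process monitoring mentioned above, and the Windows-scripting-host behaviour described in the SocGholish item for June, are both process-lineage detections. The added example below (written for this bulletin, not Aspire’s SIEM rules) evaluates constructed endpoint telemetry, in the shape of process-creation and file-write events, against four rules: an IIS worker process spawning a shell or script host, an IIS worker writing a new .aspx/.ashx/.asmx file, a script host launching a script from a user-writable directory such as Downloads, and a script host spawning PowerShell or cmd. The event layout, host names, file names and paths are all constructed; the rules generalise the two observations in the bulletin rather than reproducing any specific campaign’s artefacts.

```python
"""Process-lineage detections for web-shell (w3wp.exe) and fake-update
(wscript.exe/cscript.exe) activity.

Added example, not Aspire's detection content. Event fields mirror a
simplified process-creation / file-write telemetry export (constructed).
"""
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|appdata\\local\\temp)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
WEB_CONTENT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.I)


def base(image):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(image).lower()


def evaluate(event):
    """Return the list of rule names matched by a single telemetry event."""
    hits = []
    if event["type"] == "process":
        parent = base(event["parent_image"])
        child = base(event["image"])
        cmd = event.get("cmdline", "")
        if parent == "w3wp.exe" and child in SHELLS | SCRIPT_HOSTS:
            hits.append("iis_worker_spawned_shell")          # classic web-shell tell
        if child in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("script_host_from_user_dir")         # downloaded .js executed
        if parent in SCRIPT_HOSTS and child in SHELLS:
            hits.append("script_host_spawned_shell")         # script staging next stage
    elif event["type"] == "file":
        if base(event["image"]) == "w3wp.exe" and WEB_CONTENT_EXT.search(event["path"]):
            hits.append("iis_worker_wrote_web_content")      # app code should not self-modify
    return hits


def run_detections(events):
    """Evaluate every event; return (host, ts, rule) triples in event order."""
    return [(e["host"], e["ts"], rule) for e in events for rule in evaluate(e)]


# Constructed telemetry: two IIS events, two workstation events, two benign events.
SAMPLE_EVENTS = [
    {"ts": "2023-05-02T08:15:00Z", "host": "web01", "type": "process",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2023-05-02T08:15:05Z", "host": "web01", "type": "file",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\inetpub\wwwroot\aspnet_client\upd.aspx"},
    {"ts": "2023-05-02T10:40:00Z", "host": "ws07", "type": "process",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Browser.Update.js"'},
    {"ts": "2023-05-02T10:40:02Z", "host": "ws07", "type": "process",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\alice\AppData\Local\Temp\stage2.ps1"},
    {"ts": "2023-05-02T11:00:00Z", "host": "ws07", "type": "process",          # benign
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n"},
    {"ts": "2023-05-02T11:05:00Z", "host": "web01", "type": "process",         # benign: ASP.NET JIT
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @tmp.cmdline"},
]

if __name__ == "__main__":
    for host, ts, rule in run_detections(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

The benign `csc.exe` child of `w3wp.exe` is included on purpose: ASP.NET compiles pages on the fly, so a rule that fires on any child of the worker process would drown the SOC in noise, which is why the shell rule is scoped to a short list of interpreters.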
Further recommendations
- Implement a robust patch management programme that is integrated with your change management process.
- Review critical vulnerabilities that are known/likely to be exploited by actors relevant to your organisation’s risks.
Payment card skimming attacks targeting WordPress powered e-commerce websites
Akamai have identified a widespread campaign of malware installed on vulnerable WordPress websites, designed to ‘skim’ end users’ bank card details at checkout.
This is achieved by malicious actors gaining administrative privileges on WordPress websites and installing malicious JavaScript (JS) and PHP code on the website.
Moreover, whilst the main objective is to steal and exfiltrate bank card details, some of these malware variants have been observed delivering malware to the user’s workstation to steal further information.
Aspire countermeasures
- Aspire conduct regular updates of cyber threat intelligence feeds and monitor for known compromised e-commerce websites.
- Aspire’s SIEM is capable of ingesting web proxy/web gateway logs which provide visibility of suspicious web files that users have interacted with.
Further recommendations
- Consider implementation of a web security gateway; this may be achieved through adoption of a SASE architecture, which provides further benefits.
- Consider filtering e-commerce/shopping/retail websites as part of an acceptable use policy for corporate web browsing.
- Consider filtering low reputation e-commerce websites.
Stop Press – Exploitation of MOVEit File Transfer vulnerability leading to ransomware
This week, the NCSC published an advisory regarding the known widespread exploitation of a vulnerability in MOVEit, a file transfer service. This led to data loss at companies such as British Airways, the BBC and Boots, due to their supply chains using this product.
It has further been observed that known ransomware actors are already utilising this vulnerability to gain access to organisations’ data and conduct extortion campaigns to elicit payments.
Aspire Countermeasures
Our ‘Managed Vulnerability Scanning’ (also included in RealProtect Complete) identifies and surfaces the vulnerabilities mentioned in this advisory, reducing your time to remediate and minimising your patch management spend.
Aspire’s Managed SIEM is capable of monitoring for the known Indicators of Compromise (IoCs), such as IP addresses, domains and files known to be associated with this campaign.
Further recommendations
- Implement a robust patch management programme that is integrated with your change management process.
- Review critical vulnerabilities that are known/likely to be exploited by actors relevant to your organisation’s risks.