NCSC issue advisory highlighting the Iranian-APT ransomware threat
The National Cyber Security Centre and its allies have issued a joint advisory underlining the malicious behaviour displayed by Iranian advanced persistent threat (APT) groups who are associated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
The advisory explains the Iranian-APT actors are targeting critical national infrastructure (CNI) with unpatched Microsoft Exchange, Forti OS, and VMware Horizon Log4j to facilitate their ransomware operations.
The below vulnerabilities are highlighted as being pertinent to the Iranian-APT group’s current operations and it is strongly advised all organisations apply the necessary patches.
Log4j:
CVE-2021-44228, CVE-2021-45046, and CVE-2021- 45105.
Microsoft Exchange:
CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.
FortiOS:
CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
For further guidance on additional mitigating controls, please refer to the CISA article here.
Uber: Social engineering & MFA fatigue
On the 15/09/2022 Uber, the technology giant, experienced a breach conducted using social engineering and MFA fatigue that led to some of their internal systems being unavailable for several days.
The attack was conducted by an individual going by the name of ‘teapotuberhacker’ who is presumed to be linked to the Lapsus$ group.
The adversary gained initial access using an external contractor’s leaked credentials; the contractor’s personal device became infected with malware that stole their Uber credentials. The adversary then purchased the contractor’s credentials and began their campaign of relentlessly trying to log in. Since the contractor had set up MFA, each time the attacker tried to log in they would receive an MFA push notification.
Initially, the contractor declined each MFA prompt denying the attacker access to Uber’s network; however, the adversary persistently triggered the MFA push notification which led to the contractor eventually accepting it, allowing the attacker to log in to Uber’s network.
Once on the network, the attacker escalated their privileges by compromising other Uber accounts, which allowed them to access several of Uber’s internal tools, one being Slack where they posted a message to the company-wide channel announcing that Uber had been breached.
explaining that the adversary was not able to access any sensitive customer PII data, they were only able to access the company HackerOne dashboard, G-Suite, OpenDNS, Slack messages, and financial information such as invoices.
Zero-Day – ProxyNotShell
GTSC is a Vietnamese cyber security vendor who published an article on 28/09/2022 explaining that they had detected adversaries actively exploiting a Microsoft Exchange zero day. After the GTSC blue team identified the traffic, they handed it over to their red team who reverse engineered and replicated the exploit, confirming that it was indeed a Microsoft Exchange zero-day. Once confirmed GTSC reported the findings to the Zero-day Initiative which can be seen under ZDI-CAN-18333 and ZDI-CAN-18802.
The vulnerability can be exploited using the same exploit path used in the ProxyShell zero-day leading to this zero-day being dubbed ‘ProxyNotShell’ as it requires the attacker to have valid non-admin credentials unlike the original ProxyShell. Microsoft have confirmed Exchange 2013, 2016, 2019, and Outlook Web App (OWA) are all susceptible to this vulnerability. Exchange Online is NOT vulnerable, unless you use a hybrid exchange, explained here by Kevin Beaumont.
Following the submission of the zero-days Microsoft triaged and confirmed the zero-day in CVE-2022–41040 and CVE-2022–41082. Additionally, Microsoft published a customer advisory highlighting how to mitigate the vulnerability and a threat hunting guide.
The mitigating controls include implementing a URL rewrite rule and disabling remote PowerShell access for non-admins, when disabling remote PowerShell be cautious as implementing it too strictly could break your exchange cluster.
Microsoft have changed the URL rewrite rule several times since the article was initially released as security researchers have found ways to bypass each iteration, therefore, you should continue to monitor the article until an official patch is released.
Aspire is here to help
With the threat landscape always changing, utilising the best and latest threat prevention technologies is vital to protect your organisation and clients
At Aspire we help organisations stay ahead of emerging security threats. Our RealProtect Managed Cyber Security Services provide 24/7/365 managed detection and response, via our UK-based Cyber Security Operations Centre.
Have a question about any of our products? Get in touch with our Cyber Security Specialists today.
Dean Wright
