Canary Trap’s Bi-Weekly Cyber Roundup – Oct. 27, 2023
- October 27, 2023
- Canary Trap
Welcome to the second edition of Canary Trap’s “Bi-Weekly Cyber Roundup” for October 27, 2023! In this ever-evolving landscape of cybersecurity, staying informed about the latest developments is vital. Our bi-weekly publication is your trusted source for the most current news, trends, and threats that impact the digital security realm.
We’ll jump into the latest developments to arm ourselves with knowledge and tackle the challenges of our increasingly interconnected world. From persistent issues like default admin passwords to crucial guidance from US government agencies on phishing prevention, our aim is to keep you informed, alert, and prepared.
- Default Admin Passwords Still a Common Issue
After analyzing more than 1.8 million pages recognized as administrative interfaces, researchers uncovered a concerning trend: 40,000 of these portals utilized “admin” as the access password, marking it as the most commonly used credential among IT professionals.
The study was undertaken from January to September 2023 by Outpost24’s research team, which also reported a growing dependency on factory-set passwords. The top ten passwords identified through the research featured a mix of easily predictable and default options, including:
Outpost24’s team elaborated on their findings, stating, “While our list of top 20 passwords primarily includes known and easily guessable combinations, the fact that these were linked to administrative portals suggests that malicious actors have ample opportunities to target users with elevated privileges.”
The researchers also emphasized the ongoing activities of cybercriminal syndicates known as “traffers,” who specialize in deploying malware to compromise administrators and exfiltrate their credentials.
To safeguard passwords and, consequently, organizational data, two primary strategies are advocated. The first focuses on the adoption of standard best practices for password security, and the second stresses the importance of averting malware infections.
Password Security Best Practices
Begin with the basics. Never employ default passwords. Always generate unique, robust, and complex passwords for each account. Utilize tools such as Specops Password Auditor, an Outpost24 product, to monitor your Active Directory environment for vulnerabilities related to password security, like identical or expired passwords and stale admin accounts.
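The checks named above (default passwords, identical passwords across accounts, expired passwords and stale admin accounts) can be scripted against an offline export of a directory. The script below is an added example and is not Outpost24 or Specops code; the account records, the denylist and the hash function are constructed for the demonstration, and the audit only ever compares hashes so it never needs a live account's plaintext.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Denylist of default and guessable passwords. Constructed for this example;
# a real audit would use a breached-password list or the auditing tool's feed.
DEFAULT_PASSWORDS = ["admin", "password", "123456", "Password1", "admin123"]


def pw_hash(password: str) -> str:
    # Stand-in for the directory's stored hash. Only equality of hashes is
    # used below, so the audit works on an export that carries no plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


DEFAULT_HASHES = {pw_hash(p) for p in DEFAULT_PASSWORDS}


def audit(accounts, now, stale_days=90, max_age_days=180):
    """Return findings keyed by category.

    Each account is a dict with: name, pw_hash, is_admin,
    last_logon (datetime) and pwd_last_set (datetime).
    """
    findings = {
        "default_password": [],   # hash matches a known default/guessable value
        "shared_password": [],    # same hash reused by more than one account
        "stale_admin": [],        # privileged account not used in stale_days
        "expired_password": [],   # password older than max_age_days
    }
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["pw_hash"]].append(acct["name"])
        if acct["pw_hash"] in DEFAULT_HASHES:
            findings["default_password"].append(acct["name"])
        if acct["is_admin"] and now - acct["last_logon"] > timedelta(days=stale_days):
            findings["stale_admin"].append(acct["name"])
        if now - acct["pwd_last_set"] > timedelta(days=max_age_days):
            findings["expired_password"].append(acct["name"])
    for names in by_hash.values():
        if len(names) > 1:
            findings["shared_password"].append(sorted(names))
    return findings


# Constructed sample export; the hashes are derived here from constructed
# plaintexts purely so the example is self-contained.
NOW = datetime(2023, 10, 27)
SAMPLE_ACCOUNTS = [
    {"name": "webadmin", "pw_hash": pw_hash("admin"), "is_admin": True,
     "last_logon": NOW - timedelta(days=3), "pwd_last_set": NOW - timedelta(days=400)},
    {"name": "svc_backup", "pw_hash": pw_hash("Corr3ct-Horse-Battery"), "is_admin": True,
     "last_logon": NOW - timedelta(days=200), "pwd_last_set": NOW - timedelta(days=30)},
    {"name": "jdoe", "pw_hash": pw_hash("Corr3ct-Horse-Battery"), "is_admin": False,
     "last_logon": NOW - timedelta(days=1), "pwd_last_set": NOW - timedelta(days=30)},
    {"name": "asmith", "pw_hash": pw_hash("uniq-9f!Qx-lemon"), "is_admin": False,
     "last_logon": NOW - timedelta(days=1), "pwd_last_set": NOW - timedelta(days=10)},
]

if __name__ == "__main__":
    for category, hits in audit(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{category}: {hits}")
```

On the constructed export, `webadmin` is flagged for a default and an expired password, `svc_backup` as a stale admin account, and `svc_backup` and `jdoe` for sharing a password. The thresholds are parameters because what counts as "stale" or "expired" is a policy decision, not a property of the data.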
Anti-Malware Best Practices
To effectively counter evolving threats like Traffers malware, employ contemporary anti-malware solutions, including endpoint detection and response platforms. Disable browser settings that save passwords, as these stored credentials can be easily retrieved by malware. Always scrutinize URLs after ad clicks for any anomalies, such as typos in the domain or divergent content, and abstain from using unauthorized software on both corporate and personal devices.
- US Government Agencies Release New Phishing Guidance
The United States Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC), has unveiled a comprehensive guide that outlines prevalent phishing strategies and offers mitigation recommendations.
Phishing attacks are predicated on social engineering tactics wherein threat actors deceive individuals into divulging their login credentials or visiting harmful websites designed to introduce malware or pilfer login data. This compromised information is subsequently used to infiltrate enterprise networks and other digital assets.
In scenarios involving credential theft via phishing, malicious actors often masquerade as trustworthy entities such as managers or IT staff to disseminate phishing emails. These emails are engineered to coax the recipients into disclosing their usernames and passwords. Furthermore, the agencies’ guidance highlights that attackers are increasingly leveraging mobile devices to distribute phishing messages across various chat platforms and are utilizing Voice over Internet Protocol (VoIP) to forge caller IDs.
To mitigate the risks associated with credential theft through phishing, organizations are urged to adopt robust multi-factor authentication (MFA) measures. However, organizations are cautioned against deploying weak MFA variants: MFA that is not FIDO (Fast Identity Online) or Public Key Infrastructure (PKI)-based, push-notification MFA lacking number matching, and SMS or voice-based MFA methods.
Malware-driven phishing attacks also exploit the impersonation of reliable sources. The aim is to trick the email recipient into activating a malevolent attachment or clicking a harmful link, which then triggers the installation of malware. This can lead to a myriad of consequences, including unauthorized initial access, data exfiltration, system incapacitation, and privilege elevation.
Perpetrators have been spotted employing freely accessible tools to execute spear-phishing campaigns. They also transmit malicious attachments incorporating macro scripts or distribute harmful links and files via popular messaging platforms.
To counter the likelihood of successful phishing exploits, organizations should:
- educate their workforce about social engineering schemes;
- apply stringent firewall configurations;
- enable robust email security features to filter out dubious or malevolent emails;
- employ email and messaging surveillance;
- implement phishing-resistant MFA;
- halt redirection to untrustworthy domains;
- block recognized malevolent domains and IP addresses;
- limit user administrative privileges and adhere to the principle of least privilege;
- block the execution of macros and malware.
For software developers, the agencies stipulate the integration of ‘secure-by-design’ and ‘secure-by-default’ principles during the software development lifecycle to reduce the efficacy of phishing attacks on end-users.
This updated advisory is designed to serve as a cybersecurity roadmap for organizations of all sizes, including a specialized section focused on the unique needs and resource constraints of small-to-medium enterprises (SMEs).
- Critical Cisco IOS XE Zero-Day Discovered
A severe security vulnerability in Cisco’s IOS XE operating system, identified as CVE-2023-20198, has been exploited to compromise thousands of devices exposed online, according to the latest disclosure from Cisco. The vulnerability, with a maximum severity score of 10 on the Common Vulnerability Scoring System (CVSS), resides in the Web User Interface (Web UI) component of the IOS XE software.
Cisco has acknowledged that this zero-day vulnerability has been actively exploited, allowing the attacker to acquire administrative-level access on the affected IOS XE devices. Subsequently, the attacker appears to exploit an older remote code execution (RCE) vulnerability, CVE-2021-1435, as a means to deploy a Lua-based implant on the compromised systems. This pattern of attacks has demonstrated a global reach.
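Because the flaw sits in the Web UI component, the first question for a defender is whether that component is enabled and reachable on a given device. Cisco's advisory for this flaw recommended disabling the HTTP server feature on internet-facing devices until fixed software was installed; that recommendation is not quoted on this page. The linter below is an added example, not Cisco code: it reads a saved running-config and reports whether the web UI is enabled, whether an access class restricts it, and which standard IOS XE commands would turn it off. The two configurations are constructed samples.

```python
import re


def lint_ios_xe_config(config_text: str) -> dict:
    """Report the state of the IOS XE HTTP server feature (the web UI) in a
    running-config. Status is one of: "disabled", "restricted", "exposed"."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    # fullmatch deliberately excludes the negated form "no ip http server".
    http_enabled = any(re.fullmatch(r"ip http server", ln) for ln in lines)
    https_enabled = any(re.fullmatch(r"ip http secure-server", ln) for ln in lines)
    # "ip http access-class <acl>" limits which sources may reach the web UI.
    access_class = next((ln for ln in lines if re.match(r"ip http access-class\b", ln)), None)

    remediation = []
    if http_enabled:
        remediation.append("no ip http server")
    if https_enabled:
        remediation.append("no ip http secure-server")

    if not (http_enabled or https_enabled):
        status = "disabled"
    elif access_class:
        status = "restricted"   # enabled, but only for the sources the ACL allows
    else:
        status = "exposed"      # enabled on every interface with no source restriction

    return {
        "status": status,
        "http": http_enabled,
        "https": https_enabled,
        "access_class": access_class,
        "remediation": remediation,
    }


# Constructed sample: web UI on, no access restriction.
EXPOSED_CONFIG = """\
hostname edge-router
ip http server
ip http secure-server
ip http authentication local
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

# Constructed sample: web UI disabled, as the interim mitigation recommends.
HARDENED_CONFIG = """\
hostname edge-router
no ip http server
no ip http secure-server
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_ios_xe_config(cfg))
```

The linter is a triage aid, not a substitute for patching: a device whose web UI was exposed before the fix still needs the implant check and the fixed release, since disabling the feature afterwards does not remove a compromise that already happened.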
Wider Scope Than Initially Reported
While Cisco’s security alert referred to reports from several customers regarding unusual activity linked to this vulnerability, Jacob Baines, the CTO of VulnCheck, indicates that the extent of the infections may be much larger than initially understood. VulnCheck’s preliminary analysis has identified a minimum of 10,000 infected Cisco IOS XE systems. This figure is based on scans of just half of the vulnerable devices that are publicly searchable on platforms like Shodan and Censys.
Baines notes that the infections appear to be geographically widespread, with compromised IPs originating from multiple countries globally. The nature of the attack—whether opportunistic or targeted—is somewhat ambiguous. While most opportunistic attacks often utilize publicly known or research-developed proof-of-concept (PoC) exploits, this campaign differs. “The attackers didn’t just leverage a zero-day vulnerability but also deployed a unique implant, which doesn’t align with an opportunistic approach,” Baines states.
Nonetheless, the large number of exploited systems suggests a less discriminative strategy, adds Baines.
Single Perpetrator Likely Responsible
The homogeneity of the implants across compromised systems suggests that a single entity is likely orchestrating these attacks. Baines notes that locating vulnerable targets remains straightforward due to the persistent unpatched status of the initial authentication-bypass vulnerability.
Other cybersecurity researchers, like those at Detectify, also observed expansive online activity exploiting this zero-day. Their assessment aligns with Baines’, noting that the attackers are broadly targeting all visible vulnerable systems. “They appear to be exploiting every system they can find first, and then determining its value later,” a researcher from Detectify explained.
Patches Have Rolled Out
Cisco has provided the following update as of October 23: “Identified an updated version of the implant. Provided a new curl command to check for infected devices. Fixes for CVE-2023-20198 and CVE-2023-20273 started to roll out on October 22.”
- Citrix Issues Alert on Active Exploitation of Vulnerability in NetScaler ADC and Gateway Devices
Citrix has released a high-priority security advisory, cautioning administrators about active attacks leveraging a critical flaw—designated as CVE-2023-4966—in its NetScaler ADC and Gateway hardware. The company disclosed this vulnerability in a security bulletin on October 10.
Citrix stated, “We have observed active exploitation of CVE-2023-4966 on unprotected appliances.” The firm’s Cloud Software Group emphatically recommends immediate updates to the following versions of NetScaler ADC and Gateway:
- NetScaler ADC and Gateway 14.1-8.50 and subsequent releases
- NetScaler ADC and Gateway 13.1-49.15 and subsequent 13.1 versions
- NetScaler ADC and Gateway 13.0-92.19 and subsequent 13.0 versions
- NetScaler ADC 13.1-FIPS 13.1-37.164 and subsequent 13.1-FIPS versions
- NetScaler ADC 12.1-FIPS 12.1-55.300 and subsequent 12.1-FIPS versions
- NetScaler ADC 12.1-NDcPP 12.1-55.300 and subsequent 12.1-NDcPP versions (Now End-of-Life)
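Deciding whether a given appliance already runs one of the builds listed above is a version comparison with two traps: the fixed build differs per branch (13.1 versus 13.1-FIPS, for example), and a branch that is not in the list at all cannot be declared safe. The checker below is an added example, not Citrix or Cloud Software Group code; it encodes the fixed builds exactly as listed in this advisory, takes versions in the `major.minor-build.sub` form used there, and treats any branch not in the list as needing manual verification. The version strings in the usage block are constructed.

```python
import re

# Minimum fixed (build, sub-build) per branch, copied from the advisory above.
# The key is (release, variant); variant is "" for the standard builds.
FIXED_BUILDS = {
    ("14.1", ""):      (8, 50),
    ("13.1", ""):      (49, 15),
    ("13.0", ""):      (92, 19),
    ("13.1", "FIPS"):  (37, 164),
    ("12.1", "FIPS"):  (55, 300),
    ("12.1", "NDcPP"): (55, 300),   # branch noted as End-of-Life in the advisory
}
EOL_BRANCHES = {("12.1", "NDcPP")}

VERSION_RE = re.compile(r"(\d+)\.(\d+)-(\d+)\.(\d+)")


def parse_version(version: str):
    """Split "13.1-49.15" into ("13.1", (49, 15)); raise on anything else."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = m.groups()
    return f"{major}.{minor}", (int(build), int(sub))


def assess(version: str, variant: str = "") -> dict:
    """Classify a running build against the advisory's fixed builds.

    status: "fixed"          build is at or above the fixed build for its branch
            "vulnerable"     build is below the fixed build for its branch
            "unknown_branch" branch/variant not listed; verify manually
    """
    release, build = parse_version(version)
    key = (release, variant)
    if key not in FIXED_BUILDS:
        return {"status": "unknown_branch", "branch": key, "eol": False}
    fixed = FIXED_BUILDS[key]
    # Tuple comparison gives numeric ordering per component, so 49.15 > 49.9.
    status = "fixed" if build >= fixed else "vulnerable"
    return {"status": status, "branch": key, "eol": key in EOL_BRANCHES,
            "fixed_build": fixed}


if __name__ == "__main__":
    # Constructed version strings, one per interesting case.
    for v, variant in [("13.1-49.15", ""), ("13.1-48.47", ""), ("13.1-37.164", "FIPS"),
                       ("12.1-55.300", "NDcPP"), ("12.1-65.25", "")]:
        print(v, variant or "standard", assess(v, variant))
```

A result of `unknown_branch` is not a clean bill of health; it means the advisory gives no fixed build for that branch (12.1 without a FIPS or NDcPP variant, for instance), which is exactly the case where an appliance is most likely to be out of support and still exposed.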
Target Demographics and Industry Segments
The sectors primarily targeted by these attacks, according to Mandiant, include professional services, technology, and government entities.
Citrix has now corroborated that it has verified real-world attacks exploiting this vulnerability. The company’s recent update states, “We have credible evidence of targeted attacks exploiting this vulnerability, particularly affecting session hijacking.”
For organizations using affected builds, particularly as a gateway (e.g., VPN virtual server, ICA proxy, CVPN, RDP proxy) or as an AAA virtual server, Citrix strongly suggests installing the advised builds immediately. They emphasize that no alternative workarounds exist for this critical issue.
In addition to updating, Citrix also advises administrators to terminate all active and lingering sessions by executing the following command sets:
kill icaconnection -all
kill rdp connection -all
kill pcoipConnection -all
kill aaa session -all
clear lb persistentSessions
The United States Cybersecurity and Infrastructure Security Agency (CISA) has incorporated CVE-2023-4966 into its Known Exploited Vulnerabilities Catalog, mandating federal agencies to rectify the issue by November 8.
- Record Breaking Month for Ransomware Attacks – September 2023
Ransomware Incidents Surge in September After Brief August Respite, According to NCC Group Data.
In contrast to a comparatively quieter August, September witnessed an unparalleled escalation in ransomware activities. NCC Group’s recent analytics reveal that 514 distinct ransomware attacks took place in September, outstripping the 459 attacks that were recorded in March 2023. Notably, March’s figures were substantially influenced by the Fortra GoAnywhere data exfiltration campaigns carried out by Clop.
Interestingly, Clop demonstrated minimal activity during September, raising speculation that the advanced cybercriminal group may be in the planning stages for an imminent, large-scale offensive.
The record-breaking statistics for September were primarily driven by a diverse range of threat actors. Leading the pack were LockBit 3.0 with 79 instances, followed by the newly emerged LostTrust with 53 attacks, and BlackCat accounting for 47 attacks.
Emerging Threat Landscape
LostTrust, a newcomer, rocketed straight to the second position in terms of the number of attacks. The group is suspected to be a reiteration of MetaEncryptor, as evidenced by substantial overlaps in their codebases. LostTrust has already demonstrated its potency by successfully encrypting numerous organizational networks, with some victims even suffering data leaks.
Another fresh entrant, RansomedVC, which has been leveraging threats of GDPR reporting in its extortion tactics, registered 44 attacks, as per NCC’s records. It is important to clarify that some of the attacks attributed to RansomedVC were later discovered to be overstated.
Remarkably, approximately 20% of all attacks in September originated from newly established ransomware operations, emphasizing their propensity for aggressive expansion and scalable capabilities.
Geographic and Sectorial Targets
Regionally speaking, North America bore the brunt of the attacks, constituting 50% of the total incidents. Europe came in second with 30%, while Asia accounted for 9%.
In relation to the sectors most targeted, ‘industrials’—which encompasses construction, engineering, and commercial services—were hit with 169 attacks. This was followed by ‘consumer cyclicals,’ including retail, media, and hotels, experiencing 94 attacks. Technology sectors, such as software, IT services, networking, and telecommunications, witnessed 52 incidents, whereas healthcare sectors were subjected to 38 attacks.
Trends and Projections for 2023
The NCC Group’s comprehensive analysis underscores that from January to September 2023, close to 3,500 ransomware attacks have been recorded. Projections now suggest that the year-end total is likely to approach a staggering 4,000 attacks. This aligns with an earlier Chainalysis report, which had anticipated 2023 to set new records in terms of ransomware payments based on projected trends.
Despite considerable efforts from law enforcement agencies to mitigate these cyber threats, ransomware persists as an ever-evolving menace. Criminal organizations continue to refine their tactics, deploying increasingly sophisticated initial access strategies as well as more clandestine payloads, thereby maintaining their position as a mutable and persistent cybersecurity threat.