Advisory

TWiC | ChatGPT, New CISA and NSA Advisory, Microsoft Blocking Add-ins, New Malware Using Google Ads

The nGuard Security Advisory for this week covers several important topics related to cyber security threats. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued warnings that remote desktop tools are being used to breach US federal agencies; ChaptGPT being used to create malicious output; Microsoft is set to block Excel add-ins that have been used for office exploits; and a new malware called “Rhadamanthys” has been discovered that uses Google Ads to redirect users to fake software downloads.

CISA & NSA Warn Remote Desktop Tools Are Being Used to Breach US Federal Agencies

The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that financially motivated hackers have compromised federal agencies using legitimate remote desktop software. The hackers used phishing emails to lure victims to a malicious site that impersonated high-profile companies, including Microsoft and Amazon, and prompted the victims to call the hackers who then tricked employees into visiting the malicious domain. This led to the download of legitimate remote access software which the hackers then used in a refund scam to steal money from victims’ bank accounts. CISA also warned that the attackers could use legitimate remote access software as a backdoor for maintaining persistent access to government networks.

nGuard often can obtain remote access to victim’s computers using legitimate remote access tools like TeamViewer. nGuard’s Social Engineering assessment could help prevent these types of attacks by testing an organization’s resistance to phishing and other types of social engineering tactics.

ChaptGPT Malicious Prompt Engineering

OpenAI’s ChatGPT, a large-scale AI-based natural language generator, was released in late 2022 and has demonstrated the potential of AI for both good and bad. ChatGPT is a chatbot that is built on top of OpenAI’s GPT-3 family of large language models. It is designed to respond to prompts with accurate and unbiased answers. However, the concept of ‘prompt engineering’ has been used to manipulate the system and force it to respond in a specific manner desired by the user. This has led to the malicious potential of social engineering. A Finnish security firm recently published an extensive and serious evaluation of prompt engineering against ChatGPT, focusing on the generation of phishing, various types of fraud, and misinformation. They found they were able to quickly create convincing phishing emails that were well written and free of typos and grammatical errors. They also were able to create writing styles to match a given input which could lead to ‘deep fakes’ impersonating someone’s writing style. Last, they were able to make requests that forced ChatGPT to transfer their opinion within the response. The idea of prompt engineering is something still not fully understood but certainly has shown the power of a tool like ChatGPT can have.

nGuard’s MECC (Managed Event Collection and Correlation) can help protect against malicious ChatGPT attacks by collecting and analyzing log data from various sources, including chatbot interactions. MECC can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, nGuard is adding UEBA (User and Entity Behavior Analytics) to its MECC solution. UEBA leverages AI and Machine Learning to help protect against malicious ChatGPT attacks by analyzing user behavior and identifying anomalies that may indicate a security incident. This can include detecting when a user or bot is attempting to access sensitive information or perform unauthorized actions. UEBA can then alert security teams to potential threats and provide them with the information they need to investigate and respond to the attack. Additionally, UEBA can also help to detect compromised user account and bot impersonation.

Microsoft Set to Block Excel Add-in Used for Office Exploits

Microsoft is set to block XLL files from the internet in a bid to prevent cyber attackers from exploiting the “add-ins” function of Excel to run malicious code on a victim’s computer. An XLL file is an Excel Dynamic Link Library, a type of Microsoft Excel add-in used to extend the functionality of the spreadsheet software. XLL files contain custom functions and macros written in C or C++, and can be used to perform tasks that are not possible with the built-in Excel functions. The feature, set to be released in March, is a response to an increasing use of XLL files by attackers which offer a way to read and write data within spreadsheets, add custom functions and interact with Excel objects across platforms. However, experts have said that the feature may not be effective if users ignore the warning that XLL files could contain malicious code, and attackers are likely to continue to find new ways to compromise systems.

nGuard’s Security Awareness Training services can help with this threat by educating employees on how to identify and avoid phishing attempts, both in the form of emails and websites. The training can cover topics such as how to spot suspicious emails, what to look for in a legitimate and illegitimate website, and how to recognize the signs of a phishing attempt.

Rhadamanthys Malware Using Google Ads to Redirect to Fake Software Downloads

A new malware strain called “Rhadamanthys Stealer” is being spread by redirects from Google Ads that pretend to be download sites for popular remote-workforce software, such as Zoom and AnyDesk. The malware is sold on the dark web as malware-as-a-service and is spread through two methods: carefully crafted phishing sites, and phishing emails with malicious attachments. The malware can steal sensitive data such as browser history and account login credentials, including crypto-wallet information. It is also able to detect if it is running in a controlled environment and will terminate its execution if so. As mentioned earlier in this Advisory, nGuard’s Social Engineering assessment and Security Awareness training can prepare your organization and employees for these types of attacks. Help your organization stay vigilant against the latest attack vectors and keeping up to date by assessing your employees and organization on an annual basis at a minimum.

NIST’s Retirement of SHA-1: The Clock is Ticking

Introduction
The National Institute of Standards and Technology (NIST) has announced that the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life. This algorithm, which has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1, is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST has announced that SHA-1 should be phased out by December 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

Importance of SHA-1
SHA-1, whose initials stand for “secure hash algorithm,” has served as a building block for many security applications such as validating websites, SSL certificates and digital signatures. It secures information by performing a complex mathematical operation on the characters of a message, producing a short string of characters known as a hash. It is impossible to reconstruct the original message from the hash alone, but knowing the hash provides an easy way for a recipient to check whether the original message has been compromised, as even a slight change to the message alters the resulting hash dramatically. However, today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine the security of SHA-1 in recent years.

Recommendations
At nGuard, we recommend that organizations still using SHA-1 for security conduct a thorough network and database assessment to identify and address vulnerabilities. Our team of experts can assist with this transition by identifying any instances of SHA-1 usage and recommend a migration plan. Additionally, our web application testing can also lead to the discovery of data hashed with SHA-1, further highlighting the need for an upgrade.

Conclusion
In conclusion, SHA-1 has reached the end of its life, and organizations should consider migrating to the more secure SHA-2 or SHA-3 algorithms as soon as possible. It is important to note that NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. And by that date, NIST plans to:

Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
Create and publish a transition strategy for validating cryptographic modules and algorithms.

As a result, modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that The Cryptographic Module Validation Program (CMVP) has time to respond.

Don’t Let Zero-Day Vulnerabilities Spoil Your Holidays

In this article, we will be discussing several recent developments in cybersecurity. First, we will cover the FortiOS SSLVPN Buffer Overflow, a vulnerability that allows attackers to execute arbitrary code on affected devices. Next, we will discuss new Atlassian security flaws, which have been discovered in several of the company’s popular software tools. We will also examine the issue of JSON requests bypassing Web Application Firewalls and how this can leave systems vulnerable to attacks. Finally, we will discuss Apple’s efforts to patch iPhone and iPad Zero-Days, which are vulnerabilities that have not yet been publicly disclosed. These topics highlight the ongoing importance of staying vigilant and taking steps to protect against emerging threats in the digital landscape.

FortiOS SSL-VPN Heap-Based Buffer Overflow Discovered

FortiGuard Labs has published a critical advisory warning of a heap-based buffer overflow vulnerability in FortiOS SSL-VPN. This may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. The vulnerability is assigned the number FG-IR-22-398, has a CVSSv3 9.3 rating and has been confirmed to be exploited in the wild. FortiGuard Labs has included the indicators of compromise (IOCs) for FortiOS administrators to review the integrity of their systems. It is recommended that organizations upgrade to an unaffected version of FortiOS and follow FortiGuard’s advice to review existing systems for signs of compromise. To stay on top of new vulnerabilities like this, nGuard recommends having, at a minimum, quarterly vulnerability scans conducted on your internal and external environments. In addition, to get a full view of what an attacker could do if they gain access to your network, annual internal and external penetration testing is recommended.

Security Flaws Discovered in Atlassian Products

CloudSEK researchers have identified a flaw in Atlassian products Jira, Confluence, and BitBucket that could be exploited by threat actors to take over corporate Jira accounts. The researchers found that even if a password is changed with 2FA enabled, cookies are not invalidated and only expire when a user logs out or after 30 days. As a result, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions using stolen cookies, even if they do not have access to the multi-factor authentication or one-time PIN required for 2FA. With over 10 million users across 180,000 companies, including 83% of Fortune 500 firms, Atlassian products are widely used, and threat actors are actively exploiting the flaw to compromise enterprise Jira accounts. CloudSEK is releasing a free tool that allows companies to check if their compromised computers and Jira accounts are being advertised on dark web marketplaces. Additionally, conducting a web application penetration test can help discover vulnerabilities with session cookies and other areas, using the OWASP Top 10 as the foundation of the assessment.

Web Application Firewalls Bypassed by JSON Requests

Researchers at Claroty have discovered that web application firewalls (WAFs) from Amazon Web Services, Cloudflare, F5, Imperva and Palo Alto are vulnerable to malicious requests that use the JavaScript Object Notation (JSON) format to obfuscate database commands and escape detection. This technique allows attackers to access and potentially change data as well as compromise the application. The researchers found that WAFs do not understand commands written in JSON, while major SQL databases do. This allows attackers to forward malicious requests to the back-end database without detection. WAFs are widely used to protect against application attacks, but they are not foolproof. A 2020 survey found that 40% of security professionals claimed at least half of application attacks had bypassed the WAF. This research shows that even if you have security devices in place, they can be bypassed. nGuard can find the vulnerabilities within your web applications before an attacker can by performing a web application penetration test.

Apple Send Updates to Patch New Zero-Day

Apple has released security updates for iOS, iPadOS, macOS, tvOS, and Safari to address a zero-day vulnerability that could result in the execution of malicious code. The issue, which has been given the code name of CVE-2022-42856, has been described as a type of confusion issue in the WebKit browser engine that could be triggered when processing specially crafted content. This could lead to arbitrary code execution, with Apple saying it is aware of a report that the issue may have been actively exploited against versions of iOS released before iOS 15.1. It is thought that the issue involved social engineering or a watering hole attack, with the devices being infected when visiting a rogue or legitimate-but-compromised domain via the browser. The company has addressed the issue with improved state handling.

TWiC | Hackers Keep up the Pressure Over the Holidays

Over the past few weeks, we have seen some interesting stories develop in the world of cyber security. It seems that attackers are not slowing down for the holiday season, with LastPass revealing yet another security breach, Killnet boasting of a DDoS attack targeting Musk’s Starlink services and the U.S. banning Chinese telecom companies. nGuard examines these new developments in this week’s security advisory.

Killnet Gloats About DDoS Attacks Downing Starlink, White House
Starlink services were disrupted last week, and it may have been caused by a hacking organization called Killnet. The group is notorious for making all of its communications public on Telegram. After digging into the reports of a massive DDoS attack, Trustwave discovered that many Starlink customers complained about service disruptions on Reddit. Other groups like Anonymous and Halva have also claimed responsibility for participating in the DDoS attack, although Killnet appears to be the main culprit here.

LastPass Reveals Another Security Breach
According to the CEO of LastPass, the popular password manager has been breached again. This company investigated unusual activity involving a third-party cloud storage service that it uses with its parent company, GoTo. A hacker was able to access some of the password managers’ source code using information obtained from a previous security breach. It is highly likely that the attacker was limited to the development environment but they had access to “certain elements” of customer information. The company maintains that no password information was divulged because it remains encrypted.

U.S. Banned Chinese Telecom & Surveillance Cameras That Pose National Security Threat
The U.S. has placed multiple Chinese-based firms on a ban list after they were identified as national security threats. The U.S. has decided to ban the import and sale of equipment from Huawei, ZTE, Hytera Communications, Hikvision, Dahua, Pacific Network Corp, along with its subsidiary ComNet (USA) LLC, and China Unicom (Americas) Operations Limited. FCC Chairwoman Jessica Rosenworcel said, “The FCC is committed to protecting our national security by ensuring that untrustworthy communications equipment is not authorized for use within our borders, and we are continuing that work here.”

In order to access sensitive data and disrupt important services, attackers constantly work behind the scenes to discover and exploit flaws in software. A high priority should be given to protecting your organization from malicious actors at all times. Continual penetration testing and vulnerability management can help you close security holes in your environment. Your employees can stay on top of their game by receiving security awareness training and participating in social engineering simulations. With nGuard, you can enhance your organization’s security posture and prevent data breaches.

Foreign Cyber Threats Risk National Security

Over the last week there have been several major stories in the international community involving Russia, Iran and China. Russian code was discovered in in the U.S. Army and CDC applications; Iranian hackers used Log4Shell to compromise a U.S. Federal agency; the China-based APT group, Billbug, was able to compromise a Certificate Authority (CA) as part of an espionage campaign. Check out each story below for more detail.

Russian Company Pushwoosh Code Found in U.S. Army & CDC Applications
The company Pushwoosh, an organization that offers data processing for applications, has been disguising itself as a U.S. organization based out of Washington, D.C. and Maryland. However, Reuters has discovered Pushwoosh is, in fact, a Russian backed company whose HQ is based out of Novosibirsk, Siberia. Since it is a company registered to the Russian government and pays taxes to the Russian government, they must comply with the laws of Russia. This would require sharing data when and if requested by the Russian government. Pushwoosh code has been implemented in a U.S. Army application that is used as an information portal for the National Training Center. The code was removed earlier in the year with the reason stated as “security issues.” The CDC was using Pushwoosh code within many public-facing applications but has since removed the code. In addition to the U.S. Army and the CDC, Pushwoosh code is used in over 8,000 applications in the iOS App store and the Google Play store including the likes of UEFA, Deloitte, Coca-Cola, McDonald’s and Unilever. Max Konev, the founder of Pushwoosh, is claiming his company “has no connection with the Russian government of any kind” and that all data is stored in either the US or Germany. At this time, evidence has not been brought forward showing Pushwoosh has shared any data with the Russian Government, but that does not mean they have not or could not in the future.

Iranian Hackers Used Log4Shell to Compromise a U.S. Federal Agency
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has credited an Iranian-sponsored group for compromising an unpatched VMWare Horizon server owned by a U.S. Federal agency using the Log4Shell vulnerability. CISA responded to the incident over the summer and discovered crypto mining software was installed on the server. The attackers pivoted through the network to compromised credentials and the domain controllers (DC), then installed reverse proxies in order to maintain their persistent access. CISA believes the original compromise happened in February of 2022. Once the group had access, they added a rule within Windows Defender to the allow list on the C:\ drive. This led to the ability to download PowerShell scripts, execute malicious code like PSExec and Mimikatz, which aided in furthering the attack. Additionally, the attackers changed the password for a local administrator account.

nGuard detailed the Log4Shell vulnerability back in January. If you feel Log4Shell is still an issue within your organization nGuard offers Log4j scanning, consulting services, log management and event collection and penetration testing services.

Billbug, a China-Based APT Compromised a Certificate Authority
Billbug, a state-sponsored APT group, was able to compromise an unknown Certificate Authority as a part of an espionage campaign. If the attackers could successfully gain access to the certificates, they could use them to sign their own malware in order to bypass security checks and intercept and successfully decrypt HTTPS traffic. The Symantec Threat Hunting team was able to make this discovery and report it to the affected Certificate Authority. At this time there is no evidence or indication that Billbug was able to compromise or gain access to any digital certificates.

OpenSSL Downgrades Panic Bug After Days of Anxiety

Initial Report
On October 27th it was reported by Dark Reading that organizations have five days to get ready for what the OpenSSL Project defined as a “serious” vulnerability impacting versions 3.0 and up of the widely used cryptographic library for encrypting digital communications. They caution that enterprises would rush to remedy the problem as soon as possible if this vulnerability turns out to be another Heartbleed flaw, which was the most recent serious vulnerability to affect OpenSSL.

Favorable News
We now have some good news after five days since the initial revelations of an internet-reshaping major flaw in OpenSSL. Instead of the critical rating that initially alarmed the online community, CVE-2022-37786 and CVE-2022-3602 have been published as high-rated vulnerabilities. According to OpenSSL:

“A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.”

As a result, the vulnerability is considerably harder to exploit than what was initially suggested.

Remediation
The two CVE reports published on November 1st indicate this issue as being present in OpenSSL versions 3.0.0 to 3.0.6. Despite the fact that these flaws are not as severe as anticipated, it is still advised that all businesses identify their OpenSSL implementations and update to version 3.0.7 right away. At this point, according to OpenSSL, there is no evidence that this vulnerability has been exploited in the wild and no operational exploit that could result in code execution. A list of notable operating systems and application runtimes which are packaged with a vulnerable version of OpenSSL has been established by the Computer Emergency Response Team (CERT) for the Netherlands.

What Now?
nGuard is ready to assist clients in detecting and mitigating OpenSSL vulnerabilities. nGuard can identify whether or not a vulnerable version of OpenSSL is present in your environment by performing vulnerability scans and penetration testing against both external and internal facing services. Organizations may feel at ease knowing that OpenSSL versions that are insecure are being fixed in their environments by carrying out these scans on a frequent basis.