MA-939.052023: MyCERT Alert - Microsoft Azure VMs Hijacked in Cloud Cyberattack

  • 25 May 2023
  • Alert
  • microsoft, azure, vm, cloud, security

1.0 Introduction

Recently, a threat actor group tracked as “UNC3944” by cybersecurity firm Mandiant, also known as Roasted 0ktapus and Scattered Spider, has been reported to hijack Microsoft Azure Virtual Machines (VMs) in customer environments by using the Azure Serial Console to install third-party remote management software. In addition to evading the standard detection techniques used in Azure, this attack method gave the attacker full administrative access to the VM. Unfortunately, cloud resources are frequently misunderstood, resulting in configuration errors that can expose these assets to attack.

UNC3944, also known as Roasted 0ktapus and Scattered Spider, is a financially motivated threat actor that has been active since at least May 2022. Its tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts. The campaign aims to steal data from victimised organizations using Microsoft’s cloud computing infrastructure. The STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit for terminating security applications was previously attributed to UNC3944; the threat actors used stolen Microsoft hardware developer accounts to sign their kernel drivers.

2.0 Impact

  • Attackers gain full access to the Azure VM.
  • Information about the users in the tenant is exported.
  • Information about the Azure environment configuration and the various VMs is gathered.
  • Accounts are created or modified.

3.0 Affected System and Devices

  • Microsoft Azure Cloud VM environments

4.0 Technical Details

4.1 SIM Swapping Azure Admins

Initial access to the Azure administrator’s account is obtained with stolen credentials gathered through SMS phishing, a tactic used frequently by UNC3944. The attackers then impersonate the administrator when speaking with help desk representatives in order to induce them to send a multi-factor authentication reset code by SMS to the target’s phone number.

However, the attacker had previously SIM-swapped the administrator’s number and ported it to their own device, so they received the 2FA token without the victim being aware of the compromise. Mandiant has not yet discovered how the attackers carry out the SIM-swapping portion of their operation. Prior incidents have shown, however, that facilitating an illegitimate number port only requires knowing the target’s phone number and collaborating with dishonest telecom staff.

As soon as the attackers gain access to the targeted company’s Azure environment, they use their administrator rights to gather data, modify existing Azure accounts, or even create new ones.

Figure: Initial access diagram (Mandiant)

4.2 Living-off-the-Land (LotL) Tactic

In the subsequent phase of the attack, UNC3944 uses Azure Extensions to perform surveillance, collect data, disguise its malicious activity as apparently innocent everyday tasks, and blend in with regular activity.

Azure Extensions are “add-on” features and services that can be added to an Azure Virtual Machine (VM) to enhance functionality, automate processes, and so on. Because they execute inside the VM and are frequently used for legitimate purposes, these extensions are stealthy and attract little suspicion.

In this instance the threat actor used “CollectGuestLogs”, one of the built-in Azure diagnostic extensions, to acquire log files from the compromised endpoint. Moreover, Mandiant has found evidence of the threat actor attempting to misuse the following additional extensions:

Figure: Extensions the threat actor attempted to abuse (Mandiant)

4.3 Breaching VMs to Steal Data

After that, UNC3944 accesses the administrative console of the VMs through the Azure Serial Console and issues commands via a command prompt over the serial port. According to Mandiant’s assessment, this method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and gave the attacker full administrative access to the VM.

Mandiant found that the first command the intruders run is “whoami”, in order to identify the user who is currently signed in and obtain information needed for further exploitation.

Figure: Using Azure Serial Console to gain access to a virtual machine (Mandiant)

According to Mandiant’s analysis, the threat actors then use PowerShell to install several commercially available remote administration tools, not named in the report, in order to maintain their presence on the VM.

UNC3944’s next move is to build a reverse SSH tunnel to its C2 server in order to maintain covert and ongoing access via a secure channel and bypass network restrictions and security controls.

To enable direct access to the Azure VM over Remote Desktop, the attacker configures the reverse tunnel with port forwarding. For instance, any incoming connection to port 12345 on the remote machine would be forwarded to the local host’s Remote Desktop Protocol (RDP) service on port 3389.

Only after gaining access to the affected Azure VM via the reverse shell, with the help of a compromised user account, do the attackers move on to take over more of the compromised environment while stealing data.
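The following Python script is an added example, not part of the MyCERT alert or of Mandiant’s report, that shows the defender’s side of sections 4.2 and 4.3: it scans Azure Activity Log records for the three event types the alert describes (a Serial Console connection, a write of a watched extension such as CollectGuestLogs, and a role assignment change) and escalates a caller who produces two or more of them within one hour, since a single event may be routine administration while the chain matches the intrusion pattern. The log records, callers, subscription and VM names are constructed; the extension-write, role-assignment and restart operation names are standard Azure resource-provider operations, while the Serial Console operation name is an assumption to verify against your own tenant’s Activity Log.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Azure Activity Log records in a simplified, flattened layout
# (real exports nest these fields); tenant, callers and VM names are
# hypothetical. The serial console operation name is an assumption.
SAMPLE_LOG = """\
{"time": "2023-05-20T01:02:03Z", "caller": "admin@contoso.example", "operationName": "Microsoft.SerialConsole/serialPorts/connect/action", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01", "status": "Succeeded"}
{"time": "2023-05-20T01:05:40Z", "caller": "admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01/extensions/CollectGuestLogs", "status": "Succeeded"}
{"time": "2023-05-20T01:09:12Z", "caller": "admin@contoso.example", "operationName": "Microsoft.Authorization/roleAssignments/write", "resourceId": "/subscriptions/sub-1/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000001", "status": "Succeeded"}
{"time": "2023-05-20T09:30:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-db-02/extensions/AzureMonitorWindowsAgent", "status": "Succeeded"}
{"time": "2023-05-20T09:31:00Z", "caller": "ops@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/restart/action", "resourceId": "/subscriptions/sub-1/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-db-02", "status": "Succeeded"}
"""

SERIAL_CONSOLE_CONNECT = "Microsoft.SerialConsole/serialPorts/connect/action"  # assumed name
EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"

# Extensions worth alerting on: CollectGuestLogs is the one named in the alert;
# extend the set with extensions your environment does not normally deploy.
WATCHED_EXTENSIONS = {"collectguestlogs"}
CORRELATION_WINDOW = timedelta(hours=1)


def parse_activity_log(text):
    """Parse newline-delimited JSON records and return them ordered by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def _segment_after(resource_id, key):
    """Return the path segment following `key` in an ARM resource id, or None."""
    parts = resource_id.split("/")
    if key in parts and parts.index(key) + 1 < len(parts):
        return parts[parts.index(key) + 1]
    return None


def find_findings(records):
    """Flag the individual events the alert describes: serial console
    connections, writes of watched extensions and RBAC changes."""
    findings = []
    for rec in records:
        if rec.get("status") != "Succeeded":
            continue
        op = rec["operationName"]
        kind = None
        if op == SERIAL_CONSOLE_CONNECT:
            kind = "serial_console"
        elif op == EXTENSION_WRITE:
            ext = _segment_after(rec["resourceId"], "extensions") or ""
            if ext.lower() in WATCHED_EXTENSIONS:
                kind = "watched_extension"
        elif op == ROLE_ASSIGNMENT_WRITE:
            kind = "role_assignment"
        if kind:
            findings.append({
                "time": rec["time"],
                "caller": rec["caller"],
                "kind": kind,
                "vm": _segment_after(rec["resourceId"], "virtualMachines"),
            })
    return findings


def correlate(findings, window=CORRELATION_WINDOW):
    """Escalate a caller who produces two or more different finding kinds
    within `window`; one event alone may be routine administration."""
    by_caller = defaultdict(list)
    for f in findings:
        by_caller[f["caller"]].append(f)
    escalations = []
    for caller, items in by_caller.items():
        items.sort(key=lambda f: f["time"])
        for i, first in enumerate(items):
            kinds = {first["kind"]}
            for later in items[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                kinds.add(later["kind"])
            if len(kinds) >= 2:
                escalations.append({"caller": caller, "kinds": sorted(kinds),
                                    "start": first["time"].isoformat()})
                break
    return escalations


if __name__ == "__main__":
    for e in correlate(find_findings(parse_activity_log(SAMPLE_LOG))):
        print(f"{e['start']} {e['caller']}: {', '.join(e['kinds'])}")
```

Run against an export of your own Activity Log, the benign `ops@contoso.example` activity (a monitoring agent install followed by a restart) produces no finding, while the `admin@contoso.example` sequence is escalated because three different event kinds occur within seven minutes. Tune `WATCHED_EXTENSIONS` and the window to your environment before relying on it.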

 

5.0 Recommendations
MyCERT recommends that users and administrators follow the security best practices recommended by Microsoft for Azure virtual machine environments, as follows:

  • Enable Microsoft Defender for Cloud.
  • Improve your Secure Score.
  • Require multi-factor authentication.
  • Enable Conditional Access.
  • Collect audit logs.
  • Use RemoteApps.
  • Monitor usage with Azure Monitor.
  • Encrypt your VM.

You may refer to the full guide here: https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

MA-938.052023: MyCERT Advisory - Mozilla Releases Security Advisories for Multiple Products

  • 16 May 2023
  • Advisory
  • mozilla, security, update, thunderbird, firefox

1.0 Introduction

Recently, Mozilla has released security advisories to address vulnerabilities in Thunderbird, Firefox and Firefox ESR.

2.0 Impact
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

3.0 Affected Products
Mozilla Thunderbird, Firefox and Firefox ESR

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

For updates addressing lower severity vulnerabilities, see the Mozilla Foundation Security Advisories page.

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References

MA-937.052023: MyCERT Advisory - Microsoft Releases May 2023 Security Updates

  • 16 May 2023
  • Advisory
  • microsoft, security, update, may

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software. 

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Windows 10, Windows 11 and Windows Server operating systems. Users of Windows 7, Windows Server 2008 R2 or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates.

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s May 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the URLs below:

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References

MA-934.042023: MyCERT Advisory - Cisco Releases Security Advisories for Multiple Products

  • 25 Apr 2023
  • Advisory
  • cisco, security, update

1.0 Introduction

Recently, Cisco has released security updates for vulnerabilities affecting Industrial Network Director (IND), Modeling Labs, StarOS Software, and BroadbandWorks Network Server.

2.0 Impact
A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Industrial Network Director (IND) 
  • Modeling Labs
  • StarOS Software
  • BroadbandWorks Network Server.

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates.

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References
https://www.cisa.gov/news-events/alerts/2023/04/21/cisco-releases-security-advisories-multiple-products

MA-933.042023: MyCERT Advisory - VMware Releases Security Update for Aria Operations for Logs

  • 25 Apr 2023
  • Advisory
  • vmware, vrealize, aria, log

1.0 Introduction

Recently, VMware has released a security update to address multiple vulnerabilities in Aria Operations for Logs (formerly vRealize Log Insight).

2.0 Impact
A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

3.0 Affected Products
VMware Aria Operations for Logs (formerly vRealize Log Insight)

4.0 Recommendations
MyCERT encourages users and administrators to review VMware Security Advisory VMSA-2023-0007 and apply the necessary updates.

Kindly refer to: https://www.vmware.com/security/advisories/VMSA-2023-0007.html

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References

MA-932.042023: MyCERT Alert - Festive Season and Holiday Alert

  • 20 Apr 2023
  • Alert
  • hari raya, security, holiday

1.0 Introduction

As the Malaysian holiday for “Hari Raya Aidilfitri” approaches over the weekend and many of us will be leaving for the holiday break, we would like to alert System Administrators and Internet users to ensure that sufficient measures have been implemented to secure their systems and networks before leaving for the holidays.

A total of 1,307 incidents were received through the Cyber999 service between January and March 2023, with the majority of reported incidents related to fraud, malicious code, intrusion and spam. Figure 1 below shows the breakdown of incidents by category.

Figure 1: Statistics of incidents by category

There have been several security incidents since early this year, such as LockBit 3.0, BlackCat and Royal ransomware, fake fraud apps and a banking trojan distributed through a fake cleaning-service website campaign, data breaches, a Shopee fake winning contest and a large-scale phishing campaign that bypasses MFA, for which we released Alerts and Advisories to address these issues. Other than that, we also produced advisories on software vulnerabilities as well as product updates for Microsoft. Below are the URLs for some of the mentioned advisories:

Thus, we highly recommend that System Administrators and Malaysian Internet users refer to our Alerts and Advisories and take the necessary steps to prevent security incidents and, with preventive measures in place, minimize their impact or risk.

2.0 Affected System and Devices
System Administrators should take additional precautions against possible intrusions, DDoS attacks, phishing attacks and malware activity such as ransomware during the festive season by implementing proper preventive measures against these threats. Data Centers and Web Hosting Companies should also take extra precautions with any software or third-party add-ons they are running by applying the latest patches or upgrades, to prevent intrusions that exploit unpatched applications.

Financial Institutions must also be vigilant against possible phishing and fraudulent activities that target Internet banking. Customers must be adequately advised on how to avoid becoming victims of phishing and fraud by practising safe browsing, safe email use and safe Internet banking. Organizations must ensure that the contact information of their System Administrators is available in the event of a security incident that occurs at or originates from their site.

System Administrators and Internet users must stay aware of these threats and vulnerabilities and apply the necessary patches and updates, referring to the Alerts and Advisories released by MyCERT on current threats and vulnerabilities.

3.0 Recommendations
Listed below are some recommendations for System Administrators:

  • Make sure systems, applications and third-party add-ons are updated with the latest upgrades and security patches.
  • If you are running older versions of operating systems or software, make sure they are upgraded to the latest versions, as older versions may have vulnerabilities that can be exploited by intruders. Aside from that, please make sure that your web-based applications and network-based appliances are patched accordingly.
  • Refer to your respective vendors’ websites for the latest patches, service packs and upgrades. Otherwise, you may also refer to MyCERT’s website for the latest advisories on patches, service packs and upgrades.
  • Make sure the anti-virus software running on hosts and email gateways is updated with the latest signature files and is enabled to scan all files.
  • Make sure that your systems are configured properly in order to avoid incidents such as information disclosure or directory listing caused by system misconfiguration.
  • Make sure logging on systems and servers is always enabled.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, the backup should be done daily, on separate media, and stored offline at an alternate site.
  • Organizations are recommended to apply a defense-in-depth strategy in protecting their networks. Firewalls, intrusion prevention systems (IPS), and network- and host-based intrusion detection systems (IDS) can prevent and log most generic attacks.

The following are some recommendations for home users:

  • Make sure your PCs and browsers are up to date with the latest upgrades and security patches.
  • Install anti-virus software on your PCs to scan for and block any malware on the PC. The anti-virus software should be regularly updated with the latest signature files in order to detect new worms and viruses.
  • Do not simply click on links and attachments that you receive via social networking sites or emails. Extra precautions must be taken when opening links and attachments.
  • Do not fall victim to online scams. Take precautions against online scams that target Internet users.
  • Users are recommended to follow the tips and guidelines on safe Internet use at our CyberSAFE website.
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, the backup should be done on a daily basis, with the data kept on a separate device and stored offline at an alternate site.

Please take note that our physical office will be closed on 24th April 2023 as it has been declared a public holiday. However, incidents can still be reported to Cyber999 through our other reporting channels below, and our staff are on duty to respond to incidents. If you need to report a critical incident, you can call Cyber999 via the 24x7 On Call Incident Reporting channel.

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


MA-930.042023: MyCERT Alert - Google Issues New Warning For 3 Billion Chrome Users

  • 16 Apr 2023
  • Alert
  • chrome, vulnerability, security, update

1.0 Introduction

Chrome is now used by over three billion users worldwide, and every single one of them needs to update their browser urgently. The vulnerability discovered by Google’s Threat Analysis Group, CVE-2023-2033, stems from a “Type Confusion in V8”: type confusion in V8 in Google Chrome prior to 112.0.5615.121 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. This occurs when a program uses one method to allocate or initialize a resource but an incompatible method then accesses that resource, potentially providing unsecured access to the browser’s memory.

2.0 Impact
Successful exploitation allows attackers to trigger browser crashes by reading or writing memory outside buffer bounds; threat actors can also exploit the flaw for arbitrary code execution on compromised devices.

3.0 Affected System and Devices
Chrome versions below 112.0.5615.121 on Windows, Mac and Linux.

4.0 Recommendations
MyCERT encourages users and administrators to review Google’s security updates and apply necessary updates.

To update immediately, click the overflow menu (three vertical dots) in the browser’s top right corner, then Help > About Google Chrome. This forces Chrome to check for browser updates. Once the update is complete, you must restart the browser to be fully protected.

Kindly refer to the following URLs:

https://www.google.com/chrome/update/

https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_14.html
(The new version of Google Chrome is available in the Stable Desktop Channel).
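For administrators who need to confirm that a fleet is above the fixed build rather than checking one browser at a time, the following Python snippet is an added example (not from the MyCERT advisory or from Google) that compares reported Chrome versions numerically against 112.0.5615.121. It exists mainly to avoid the classic mistake of comparing version strings lexicographically, where "112.0.5615.99" sorts above "112.0.5615.121". The host inventory is constructed and hypothetical.

```python
# Constructed inventory of hosts and the Chrome build each reports
# (hypothetical data; replace with output from your own asset inventory).
INVENTORY = {
    "ws-finance-01": "112.0.5615.121",
    "ws-finance-02": "112.0.5615.49",
    "ws-hr-01": "111.0.5563.147",
    "ws-dev-07": "113.0.5672.63",
    "ws-legal-03": "112.0.5615.99",
}

# Build at which CVE-2023-2033 is fixed, as stated in the advisory.
FIXED_VERSION = "112.0.5615.121"


def parse_version(version):
    """Turn 'major.minor.build.patch' into a tuple of ints so that
    comparison is numeric; a plain string comparison would rank
    '112.0.5615.99' above '112.0.5615.121'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


def find_outdated(inventory, fixed=FIXED_VERSION):
    """Return the hosts that still need the Chrome update, sorted by name."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver, fixed))


if __name__ == "__main__":
    for host in find_outdated(INVENTORY):
        print(f"{host}: Chrome {INVENTORY[host]} is below {FIXED_VERSION}, update required")
```

Feed it the version strings your endpoint management tool reports; any entry that does not match the four-part Chrome format raises a `ValueError` instead of being silently treated as patched.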

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References

MA-929.042023: MyCERT Advisory - Mozilla Releases Security Advisories for Multiple Products CISA

  • 14 Apr 2023
  • Advisory
  • mozilla, firefox, thunderbird, update, security

1.0 Introduction

Recently, Mozilla has released security advisories for vulnerabilities affecting multiple Mozilla products.

2.0 Impact
A cyber threat actor could exploit these vulnerabilities to take control of an affected system.

3.0 Affected Products

  • Firefox 112, Firefox for Android 112, Focus for Android 112
  • Firefox ESR 102.10
  • Thunderbird 102.10

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References
https://www.cisa.gov/news-events/alerts/2023/04/11/mozilla-releases-security-advisories-multiple-products

MA-926.042023: MyCERT Advisory - Microsoft Releases April 2023 Security Updates

  • 14 Apr 2023
  • Advisory
  • microsoft, update, april

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software.

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
This release consists of security updates for the following products, features and roles.

  • .NET Core
  • Azure Machine Learning
  • Azure Service Connector
  • Microsoft Bluetooth Driver
  • Microsoft Defender for Endpoint
  • Microsoft Dynamics
  • Microsoft Dynamics 365 Customer Voice
  • Microsoft Edge (Chromium-based)
  • Microsoft Graphics Component
  • Microsoft Message Queuing
  • Microsoft Office
  • Microsoft Office Publisher
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft PostScript Printer Driver
  • Microsoft Printer Drivers
  • Microsoft WDAC OLE DB provider for SQL
  • Microsoft Windows DNS
  • Visual Studio
  • Visual Studio Code
  • Windows Active Directory
  • Windows ALPC
  • Windows Ancillary Function Driver for WinSock
  • Windows Boot Manager
  • Windows Clip Service
  • Windows CNG Key Isolation Service
  • Windows Common Log File System Driver
  • Windows DHCP Server
  • Windows Enroll Engine
  • Windows Error Reporting
  • Windows Group Policy
  • Windows Internet Key Exchange (IKE) Protocol
  • Windows Kerberos
  • Windows Kernel
  • Windows Layer 2 Tunneling Protocol
  • Windows Lock Screen
  • Windows Netlogon
  • Windows Network Address Translation (NAT)
  • Windows Network File System
  • Windows Network Load Balancing
  • Windows NTLM
  • Windows PGM
  • Windows Point-to-Point Protocol over Ethernet (PPPoE)
  • Windows Point-to-Point Tunneling Protocol
  • Windows Raw Image Extension
  • Windows RDP Client
  • Windows Registry
  • Windows RPC API
  • Windows Secure Boot
  • Windows Secure Channel
  • Windows Secure Socket Tunneling Protocol (SSTP)
  • Windows Transport Security Layer (TLS)
  • Windows Win32K

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s April 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the following URL: https://msrc.microsoft.com/update-guide/releaseNote/2023-Apr

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References
https://www.cisa.gov/news-events/alerts/2023/04/11/microsoft-releases-april-2023-security-updates

MA-923.042023: MyCERT Advisory - Adobe Releases Security Updates for Multiple Products

  • 14 Apr 2023
  • Advisory
  • adobe, security, update

1.0 Introduction

Recently, Adobe has released security updates to address multiple vulnerabilities in Adobe software.

2.0 Impact
An attacker can exploit these vulnerabilities to take control of an affected system.

3.0 Affected Products

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

Generally, MyCERT advises users of these products to keep up to date with the latest security announcements from the vendor and to follow best-practice security policies to determine which updates should be applied.


5.0    References

https://www.cisa.gov/news-events/alerts/2023/04/11/adobe-releases-security-updates-multiple-products
