Advisories

1.0 Introduction

Recently, The US Cybersecurity & Infrastructure Security Agency (CISA) and partners released a joint advisory for a sophisticated cyber espionage tool used by Russian cyber actors. The advisory titled Hunting Russian Intelligence “Snake” Malware provides technical descriptions of the malware’s host architecture and network communications, and mitigations to help detect and defend against this threat.

2.0 Impact
Snake can be considered to be the most sophisticated cyber espionage tool designed and used for long-term intelligence collection on sensitive targets. The sophistication of Snake stems from three principal areas. 

First, Snake employs means to achieve a rare level of stealth in its host components and network communications. 

Second, Snake’s internal technical architecture allows for easy incorporation of new or replacement components. This design also facilitates the development and interoperability of Snake instances running on different host operating systems. We have observed interoperable Snake implants for Windows, MacOS, and Linux operating systems. 

Lastly, Snake demonstrates careful software engineering design and implementation, with the implant containing surprisingly few bugs given its complexity.

3.0 Affected Products
Windows, MacOS, and Linux operating systems.

4.0 Recommendations
MyCERT urges organizations to review the advisory for more information and apply the recommended mitigations and detection guidance.

Kindly refer to https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a for more information on Snake malware.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/05/09/cisa-and-partners-disclose-snake-malware-threat-russian-cyber-actors

1.0 Introduction

Recently, a threat actor group tagged as “UNC3944” by cybersecurity firm Mandiant, which also known as Roasted 0ktapus and Scattered Spider has been reported to hijack by installing third-party remote management software in Microsoft Azure Virtual Machines (VMs) Serial Console targeting customer environments. In addition to avoiding all of the standard detection techniques used by Azure, this attack method also gave the attacker full administrative access to the VM. Unfortunately, cloud resources are frequently misunderstood, resulting in configuration errors that might expose these assets to attack. 

UNC3944 which also known as Roasted 0ktapus and Scattered Spider is a financially motivated threat actor which has been active since at least May 2022. Their tactics often include SIM swapping attacks followed by the establishment of persistence using compromised accounts. Using Microsoft’s cloud computing infrastructure, their campaign aims to steal data from victimized organizations. The STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit for terminating security applications were formerly credited to UNC3944. The threat actors utilized stolen Microsoft hardware developer accounts to sign their kernel drivers.

2.0 Impact

• Attacker gain full access to the Azure VM.
• Export information about the users in the tenant.
• Gather information about the Azure environment configuration and the various VMs.
• Creating or modifying accounts.

3.0 Affected System and Devices

• Microsoft Azure Cloud VM environments

4.0 Technical Details

4.1 SIM Swapping Azure Admins

Initial access to the Azure administrator’s account is made possible by leveraging stolen credentials obtained through SMS phishing, a strategy used frequently by UNC3944. In order to induce help desk representatives to send a multi-factor reset code by SMS to the target’s phone number, the attackers next pretend to be the administrator when speaking with them.

However, the attacker had previously SIM-swapped the administrator’s number and ported it to their device, so they obtained the 2FA token without the victim being aware of the compromised. Mandiant has not yet discovered how the hackers carry out the SIM-swapping portion of their operation. However, prior instances have demonstrated that facilitating illegitimate number ports only requires knowing the target’s phone number and collaborating with dishonest telecom staff.

As soon as the attackers get access to the Azure environment of the targeted company, they use their administrator rights to gather data, make necessary changes to already-existing Azure accounts, or even create new ones.

Initial access diagram (Mandiant)
 

4.2 Living-off-the-Land (LotL) Tactic

In the subsequent phase of the attack, UNC3944 employs Azure Extensions to perform surveillance, collect data, disguise their malicious activities apparently innocent everyday task, and blend in with regular activity.

Azure Extensions are “add-on” features and services that may be included into an Azure Virtual Machine (VM) to enhance functionality, automate processes, etc. These extensions are stealthy and less suspicious because they are executed inside the VM and are frequently utilized for legal purpose.

The threat actor utilized “CollectGuestLogs”, one of the built-in Azure diagnostic extensions, to acquire log files from the compromised endpoint in this instance. Moreover, Mandiant has discovered evidence of the threat actor trying to misuse the following extra extensions:

Extensions the threat actor attempted to abuse (Mandiant)

4.3 Breaching VMs to Steal Data

After that, UNC3944 accesses the administrative console of VMs using Azure Serial Console and issues commands via a command prompt over the serial port. According to Mandiant’s assessment, the method of attack was unique in that it avoided many of the traditional detection methods employed with Azure and gave the attacker full administrative access to the VM.

Mandiant found that the first command the intruders run is “whoami” in order to identify the user who is presently signed in and obtain information necessary for more advanced exploitation. 

Using Azure Serial Console to gain access to a virtual machine (Mandiant)

The threat actors then install many commercially accessible remote administrator tools not mentioned in the study while enhancing their persistence on the VM via PowerShell.

Several commercially available remote administration tools are frequently deployed by the attacker using PowerShell in order to maintain presence on the VM, according to a Mandiant analysis.

UNC3944’s next move is to build a reverse SSH tunnel to their C2 server in order to maintain covert and ongoing access via a secure channel and get beyond network limitations and security measures.

To enable a direct access to an Azure VM using Remote Desktop, the attacker configures the reverse tunnel with port forwarding. For instance, any incoming connection to the distant machine’s port 12345 would be routed to the local host’s distant Desktop Protocol Service Port or port 3389.

After gaining access to the affected Azure VM via the reverse shell with the help of a compromised user account, the attackers only then move to take over more of the compromised environment while stealing data.

5.0 Recommendations
MyCERT recommends users and administrators to follow the security best practices as recommended by Microsoft for Azure Virtual Environments as follows:

• Enable Microsoft Defender for Cloud.
• Improve your Secure Score.
• Require multi-factor authentication.
• Enable Conditional Access.
• Collect audit logs.
• Use RemoteApps.
• Monitor usage with Azure Monitor.
• Encrypt your VM.

You may refer to the full guide here; https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours)  
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

6.0    References

• https://www.darkreading.com/endpoint/mechanics-of-a-crypto-heist-how-sim-swappers-can-steal-cryptocurrency
• https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
• https://thehackernews.com/2023/05/threat-group-unc3944-abusing-azure.html
• https://cyware.com/news/unc3944-threat-group-uses-azure-built-in-tools-to-abuse-azure-vms-d7d3d66f
• https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-console-for-stealthy-access-to-vms/
• https://learn.microsoft.com/en-us/azure/virtual-machines/security-recommendations

1.0 Introduction

Recently, Mozilla has released security advisories to address vulnerabilities in Thunderbird, Firefox and Firefox ESR.

2.0 Impact
A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. 

3.0 Affected Products
Mozilla Thunderbird, Firefox and Firefox ESR

4.0 Recommendations
MyCERT encourages users and administrators to review the following advisories and apply the necessary updates:

• Security Vulnerabilities fixed in Firefox 113 Mozilla Foundation Security Advisory 2023-16 - https://www.mozilla.org/en-US/security/advisories/mfsa2023-16/
• Security Vulnerabilities fixed in Firefox ESR 102.11 Mozilla Foundation Security Advisory 2023-17 - https://www.mozilla.org/en-US/security/advisories/mfsa2023-17/
• Security Vulnerabilities fixed in Thunderbird 102.11 Mozilla Foundation Security Advisory 2023-18 - https://www.mozilla.org/en-US/security/advisories/mfsa2023-18/

For updates addressing lower severity vulnerabilities, see the Mozilla Foundation Security Advisories page.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/05/09/mozilla-releases-security-advisories-multiple-products
• https://www.mozilla.org/en-US/security/advisories/

1.0 Introduction

Recently, Microsoft has released updates to address multiple vulnerabilities in Microsoft software. 

2.0 Impact
An attacker can exploit some of these vulnerabilities to take control of an affected system.

3.0 Affected Products
Windows, 10, 11 and Windows Server Operating systems. Users of Windows 7, Windows Server 2008 R2, or Windows Server 2008 need to purchase the Extended Security Update to continue receiving security updates.

4.0 Recommendations
MyCERT encourages users and administrators to review Microsoft’s May 2023 Security Update Guide and Deployment Information and apply the necessary updates.

Kindly refer to the URLs below:

• https://msrc.microsoft.com/update-guide/releaseNote/2023-May
• https://msrc.microsoft.com/update-guide/deployments

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://www.cisa.gov/news-events/alerts/2023/05/09/microsoft-releases-may-2023-security-updates
• https://msrc.microsoft.com/update-guide/releaseNote/2023-May
• https://msrc.microsoft.com/update-guide/deployments

1.0 Introduction

MyCERT observed cybercriminals had exploited a malicious Android application in a campaign targeting internet users in Malaysia. The campaign is targeting online shoppers and consumers. The target victim will be lured to click links leading to fake sites impersonating “Dive Deals”, an e-commerce and voucher platform quite popular in a neighbouring country, Singapore. 

The victim will choose the item to purchase and be instructed to download a malicious Android application to complete the payment process. The threat actor set up the websites to tempt potential victims to domains similar to their impersonating services. The malicious application and websites will capture and steal sensitive credit card information and banking credentials. The malicious APK can also intercept SMSs and steal the secure OTP code during transactions without the victims noticing.

2.0 Impact
Financial loss. Disclosure of credit card information and banking credentials.

3.0 Affected Products
Android mobile devices

4.0 Other related alerts programs and advisories

Below are references to similar campaigns:

• MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
• MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
• MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK
• MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential
• MA-840.062022: MyCERT Alert - Kempen SMSSpy bagi Mencuri Maklumat Peribadi Perbankan Pengguna Internet Malaysia 

5.0 Indicators of Compromise
Table 1: List of indicators of compromise used in the campaign:

Table 2: List indicator of compromise  – IP addresses

6.0 Recommendations
The application can retrieve information from the victim’s phone and be used for other malicious purposes. As CERT, we would highly recommend the followings:
• Verify an application permission and the application author or publisher before installing it.
• Avoid side loading (installing from non-official sources) when you can. If you need to install Android software from a source other than the trusted marketplace, ensure that it comes from a reputable source.
• Do not click on adware or suspicious URL sent through SMS/messaging services.
• Malicious program could be attached to collect users' information.
• Always run a reputable anti-virus on your smartphone/mobile devices, and keep it up to date regularly.
• Update the operating system and applications on smartphone/tablet, including the browser, to avoid any malicious exploits of security holes in out-dates versions.
• Do not root or 'Jailbreak' your phone.
• Contact relevant authorities such as MyCERT of CyberSecurity Malaysia for any inquiries and assistance related to this threat.
 

Generally, MyCERT advises the users of these devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please get in touch with MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

1. MA-790.072020: MyCERT Alert - SMSSpy using Malaysian Law Enforcement as theme
   https://www.mycert.org.my/portal/advisory?id=MA-790.072020
2. MA-690.122017: MyCERT Alert - Fake PDRM Malicious APK
   https://www.mycert.org.my/portal/advisory?id=MA-690.122017
3. MA-695.012018: MyCERT Alert - Fake Bank Negara Malicious APK - New Variant
   https://www.mycert.org.my/portal/advisory?id=MA-695.012018
4. MA-694.012018: MyCERT Alert - Fake Bank Negara Malicious APK
   https://www.mycert.org.my/portal/advisory?id=MA-694.012018
5. https://www.virustotal.com/gui/ip-address/139.162.61.96/relations
6. https://www.virustotal.com/gui/file/fc9d34436b4711d6f586903d07a99b089ca5aa61f931febd57abba9a7135d98d/relations
7. https://twitter.com/esetresearch/status/1526440685460672512?s=24&t=xveoIxTaZLIdhpnzy-YSag
8. https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credentials-android-malware/
9. https://notes.netbytesec.com/2022/05/scam-and-malicious-apk-targeting.html
10. MA-834.052022: MyCERT Alert - SMSSpy campaign to steal Malaysian banking user credential-https://www.mycert.org.my/portal/advisory?id=MA-834.052022

1.0 Introduction

On May 3, 2023, Cisco released an advisory to address a critical vulnerability in the web-based management system of the Cisco SPA112 2-Port Phone Adapters. The vulnerability is tracked as CVE-2023-20126 and has a CVSS score of 9.8.

2.0 Impact
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware. A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.

There are currently no reports yet of an active exploitation of this vulnerability.

3.0 Affected Products
This vulnerability affects all firmware releases for Cisco SPA112 2-Port Phone Adapters.

Moreover, Cisco has not released and will not release firmware updates to address the vulnerability, because Cisco SPA112 2-Port Phone Adapters have entered the end of-life process and are no longer supported.

4.0 Recommendations
MyCERT encourage constituents to discontinue using the product, as well as verify if any other similar – possibly also no longer supported – products are in use.

Generally, MyCERT advises the users of this devices to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 09:00 -18:00 MYT 
Web: https://www.mycert.org.my 
Twitter: https://twitter.com/mycert 
Facebook: https://www.facebook.com/mycert.org.my

5.0    References

• https://cert.europa.eu/static/security-advisories/CERT-EU-SA2023-026.pdf
• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-spa-unauth-upgrade-UqhyTWW
• https://www.bleepingcomputer.com/news/security/cisco-phone-adapters-vulnerable-to-rce-attacks-no-fix-available/