Google Calendar RAT Proof-of-Concept

Summary: Google’s Cybersecurity Action Team, in its Q3 2023 Threat Horizons Report, noted that multiple threat actors are sharing a recently published proof-of-concept exploit that uses Google Calendar events as command and control (C2) infrastructure. The exploit was independently published in June 2023 and has not yet been observed in active use in the wild.

The exploit connects the attacker to the victim’s calendar via a Google Calendar link, which allows them to place commands in the event description field. The implant then periodically polls the calendar’s events, executes the commands it finds, and automatically updates the event description with the command’s output.

Why it matters: Threat actors have increasingly been using cloud services to launch their attacks. Public cloud infrastructure such as that offered by Google, Microsoft, and Amazon is cheap, and it allows malicious actors to blend in with legitimate traffic. Attackers use the legitimacy of this cloud infrastructure to help distribute malware at large scale, which is one reason abuse of cloud services has been a growing trend in cybersecurity. This combination makes it difficult for blue teams and defenders to determine whether detected traffic is legitimate. This proof-of-concept exploit hides by connecting only to Google-owned servers.

Sumo Logic Breach

Summary: Sumo Logic announced the discovery of a potential security incident on November 03, 2023. The company discovered the use of compromised credentials to access a Sumo Logic AWS account. No impact to its networks or systems was discovered, and Sumo Logic assures that customer information remains encrypted. Nevertheless, Sumo Logic locked down its exposed infrastructure and rotated exposed credentials.

Sumo Logic is currently investigating the activity and has implemented improved monitoring and new fixes to prevent similar events from occurring. In the meantime, Sumo Logic recommends:

We recommend that customers rotate credentials that are either used to access Sumo Logic or that you have provided to Sumo Logic to access other systems. Specifically:

  • What we advise you rotate immediately:
  • What you could also rotate as an additional precautionary measure:
      ◦ Sumo Logic installed collector credentials
      ◦ Third-party credentials that have been stored with Sumo for the purpose of data collection by the hosted collector (e.g., credentials for S3 access)
      ◦ Third-party credentials that have been stored with Sumo as part of webhook connection configuration
      ◦ User passwords to Sumo Logic accounts

Why it matters: Sumo Logic is a well-known log monitoring and data analytics company whose platform is commonly used as a SIEM. SIEMs are tools used by organizations to detect security threats and vulnerabilities. Breaching Sumo Logic through compromised credentials allows threat actors access to customer accounts. Although Sumo Logic states that customer information remains encrypted, it is still important for companies to proactively follow Sumo Logic’s recommendations to ensure the security of their accounts.

Citrix Bleed Widely Exploited Via LockBit Ransomware

Summary: Multiple threat actors are actively exploiting a recently disclosed critical security flaw in Citrix NetScaler to obtain initial access to target environments. Citrix Bleed, known to be leveraged by LockBit 3.0 affiliates, allows threat actors to bypass password requirements and multifactor authentication (MFA), leading to successful hijacking of legitimate user sessions on Citrix NetScaler application delivery controller (ADC) and Gateway appliances. Tracked as CVE-2023-4966 (CVSS score: 9.4), the vulnerability was addressed by Citrix last month, but not before it was weaponized as a zero-day since at least August 2023.

On October 10, 2023, Citrix released security updates to address CVE-2023-4966 along with another unrelated vulnerability, giving organizations the chance to patch. NetScaler ADC and NetScaler Gateway version 12.1 are now End-of-Life (EOL) and are also vulnerable. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication products are not impacted.

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerability:

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
  • NetScaler ADC 13.1-FIPS before 13.1-37.164
  • NetScaler ADC 12.1-FIPS before 12.1-55.300
  • NetScaler ADC 12.1-NDcPP before 12.1-55.300
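For defenders triaging an appliance inventory against the list above, here is an added Python example (not Citrix’s or the newsletter’s code) that classifies NetScaler version strings against those fixed builds; the optional `NS` prefix and space-separated form it tolerates, and the hostnames in the constructed sample inventory, are assumptions.

```python
"""Classify NetScaler ADC / Gateway version strings against the fixed builds
for CVE-2023-4966 listed in the advisory above (added example, not Citrix code).

Assumption: inputs use the advisory's "<release>[-VARIANT]-<build>" form
(e.g. "13.1-49.15", "13.1-FIPS-37.164"); an optional "NS" prefix and a space
in place of the dash are also accepted.
"""
import re

# (release, variant) -> first fixed build, taken from the advisory list above
FIXED_BUILDS = {
    ("14.1", ""): (8, 50),
    ("13.1", ""): (49, 15),
    ("13.0", ""): (92, 19),
    ("13.1", "FIPS"): (37, 164),
    ("12.1", "FIPS"): (55, 300),
    ("12.1", "NDcPP"): (55, 300),
}

_VERSION_RE = re.compile(r"^(?:NS)?(\d+\.\d+)(?:[- ](FIPS|NDcPP))?[- ](\d+(?:\.\d+)*)$")


def parse_version(version: str):
    """Split '13.1-FIPS-37.164' into ('13.1', 'FIPS', (37, 164))."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    release, variant, build = m.groups()
    # Build segments compare numerically, so 49.9 sorts below 49.15 as intended.
    return release, variant or "", tuple(int(p) for p in build.split("."))


def check_version(version: str) -> str:
    """Return 'vulnerable', 'fixed', 'eol-vulnerable' or 'unknown'."""
    release, variant, build = parse_version(version)
    fixed = FIXED_BUILDS.get((release, variant))
    if fixed is None:
        # Plain 12.1 is End-of-Life: no fixed build exists, so every build is exposed.
        if release == "12.1" and variant == "":
            return "eol-vulnerable"
        return "unknown"  # branch not covered by the advisory; verify manually
    return "vulnerable" if build < fixed else "fixed"


def triage(inventory: dict) -> dict:
    """Map hostname -> status for a dict of hostname -> version string."""
    return {host: check_version(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real assets.
    sample = {"ns-gw-01": "13.1-49.13", "ns-gw-02": "13.1-49.15",
              "ns-fips-01": "13.1-FIPS-37.164", "ns-legacy": "NS12.1 55.290"}
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:20} {status}")
```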

Why it matters: Shortly after the public disclosure, Google-owned Mandiant revealed it is tracking four different uncategorized (UNC) groups involved in exploiting CVE-2023-4966 to target several industry verticals in the Americas, EMEA, and APJ. The development once again underscores the fact that vulnerabilities in exposed services continue to be a primary entry vector for ransomware attacks. On Oct. 23, Citrix released a blog post providing recommended next steps and a link to Mandiant’s Oct. 17 guidance for remediating and reducing risks related to CVE-2023-4966: Remediation for Citrix NetScaler ADC and Gateway Vulnerability (CVE-2023-4966).

‘ClearFake’ Browser Update Malware Strikes macOS

Summary: The ‘ClearFake’ fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware. The ClearFake campaign started in July 2023 targeting Windows users with fake Chrome update prompts that appear on breached sites via JavaScript injections. On November 17, 2023, a threat analyst reported that ClearFake had started pushing DMG payloads to macOS users visiting compromised websites.

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. Victims are instructed on how to open the file, which immediately runs commands after prompting for the administrator password. Cybercriminals are currently being offered “Amos Atomic MacOS Stealer” via a dedicated Telegram channel. In the channel, which was opened on April 9th, the author offers to rent access to a web panel and provide a disk-image based installer for $1000/month.

Why it matters: Payload distribution is left up to the crimeware actor renting the package, so methods vary, but samples observed so far have masqueraded as installers for legitimate applications like the Tor Browser or pretended to offer cracked versions of popular software including Photoshop CC, Notion, Microsoft Office and others. Several months after the discovery and reporting of Atomic, the payload is still undetected by roughly 50% of AV engines on VirusTotal. All Safari browser updates are distributed through macOS’s Software Update, and other browser updates can be obtained from the official App Store; therefore, any prompts to update via the web should be ignored.

Critical Vulnerability in CrushFTP

Summary: A critical vulnerability has been disclosed in CrushFTP after being discovered by security researchers. Assigned CVE-2023-43177, the vulnerability could allow an unauthenticated attacker to access files stored on the server, execute code remotely, or obtain plaintext passwords. The disclosure comes as a proof-of-concept (PoC) exploit has been released for this critical remote code execution vulnerability, which could be weaponized by an unauthenticated attacker. “This vulnerability is critical because it does NOT require any authentication,” CrushFTP noted in an advisory released at the time. “It can be done anonymously and steal the session of other users and escalate to an administrator user.”

The vulnerability, tracked as CVE-2023-43177, was discovered in August 2023 by Converge security researchers, who responsibly reported it to the vendor. The developers released a fix overnight in CrushFTP version 10.5.2. The exploit is conducted through an unauthenticated mass-assignment vulnerability that abuses AS2 header parsing to control user session properties. This allows attackers to read and delete files, potentially leading to complete system control and root-level remote code execution. Attackers send payloads to the CrushFTP service on specific ports (80, 443, 8080, 9090) using web headers, which leave log traces.

Why it matters: Having established admin access, the attacker can exploit flaws in the admin panel’s handling of SQL driver loading and database configuration testing (testDB) to execute arbitrary Java code. According to Converge’s report, there are roughly 10,000 public-facing CrushFTP instances and likely many more behind corporate firewalls. The attack surface is sizable even though the number of vulnerable instances hasn’t been determined. It’s vital to implement the recommended security measures as soon as possible, as the publicly disclosed exploit details of CVE-2023-43177 are likely to be used by hackers in opportunistic attacks.

Security Tip of the Month – Holiday Booking Scams

Summary: With the holiday season coming, it is important to be aware of holiday scams. These scams are a variant of standard phishing scams and usually involve airline and accommodation bookings.

One of the newer scams involves hackers using the authentic accounts of hotels to message customers. These messages claim that there has been an issue with the user’s payment verification and that they need to re-enter their credit card information within 4 or 12 hours or else their booking will be cancelled.

Why it matters: The holiday season is prime time for people to book trips. A recent study shows that half of all Americans plan on spending money on flights or hotels this holiday season. This number gives scammers a large pool of potential victims. Scammers usually create a sense of urgency to trick users into providing their credentials quickly, so that they do not have time to properly consider whether the received message is authentic. Travel is stressful in general and during holidays in particular; the sense of urgency around booking flights and accommodation adds further pressure on the victims.