May 3: Top Threat Actors, Malware, Vulnerabilities and Exploits

The Blue Report 2024

Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.

DOWNLOAD

Welcome to Picus Security's weekly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our new threat intelligence tool will enable you to identify threats targeting your region and sector, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

May 3: Latest Vulnerabilities, Exploits and Patches

Here are the latest vulnerabilities, exploits and patches that were active in the first week of May.

CVE-2024-27322: Critical R Programming Language Vulnerability Enables RCE 

The CVE-2024-27322 (CVSS score of 8.8), vulnerability poses a severe threat to the security of the R programming language by permitting arbitrary code execution through the deserialization of untrusted data [1]. Exploitable via the loading of RDS (R Data Serialization) files or R packages, commonly exchanged among developers and data scientists, attackers can embed malicious R code within these files, triggering its execution upon interaction with the victim's system [2].

To comprehend the intricacies of this attack, understanding R's Data Serialization process is crucial. RDS serves as a serialization format specific to R, enabling the storage and transmission of data structures or objects. However, vulnerabilities arise in the deserialization phase, particularly in the R_Unserialize function, where the attack vectors are exploited. Despite inherent limitations in the RDS format, such as the absence of explicit termination commands, attackers can ingeniously leverage promise objects and lazy evaluation within the R language to execute arbitrary code once the compromised RDS file is accessed.

This vulnerability extends its reach across various sectors, including government agencies, healthcare, finance, and more, given R's widespread adoption and utilization in critical environments.

Actions to take [3]:

  • Being alert to all projects and organizations utilizing R and the ‘readRDS’ function with unverified packages.
  • Update to R Core version 4.4.0.

Sandbox Escape Vulnerabilities in Judge0 Expose Systems to Host Takeover

Three critical vulnerabilities have been uncovered in Judge0, an open-source service, which could potentially result in sandbox escapes and complete host takeover [4]. These vulnerabilities, namely CVE-2024-28185, CVE-2024-28189, and CVE-2024-29021, pose significant threats by enabling attackers to execute code outside the sandbox environment, escalate privileges, and ultimately gain full control over the Judge0 system.

CVE-2024-28185 (CVSS 10.0) arises from a lack of symlink validation within the sandbox directory, allowing attackers to exploit a specific function in Judge0 to execute arbitrary code outside the sandbox. This flaw permits attackers to overwrite scripts and execute code within the Docker container, thereby compromising the entire Judge0 system.

Similarly, CVE-2024-28189 (CVSS 10.0) acts as a bypass for CVE-2024-28185, enabling attackers to leverage the UNIX chown command on untrusted files within the sandbox. By creating symlinks to files outside the sandbox, attackers can execute commands and escalate privileges, mimicking the actions facilitated by CVE-2024-28185.

Furthermore, CVE-2024-29021 (CVSS 9.1) stems from a configuration option that permits applications to make network requests, including connections to Judge0's PostgreSQL database. Exploiting a SSRF bug, attackers can manipulate database columns to inject commands and execute code within the Docker container.

Actions to take: 

  • Judge0 version 1.13.1 addresses these vulnerabilities.

  • Users of self-hosted instances are strongly advised to update promptly to mitigate the risk of exploitation and potential compromise of their systems.

May 3: Top Threat Actors Observed In Wild

Here are the threat actors that were active in the first week of May.

ANON SEC BD Claims Responsibility for Cyberattack on Saudi Water Infrastructure

The hacktivist threat group known as ANON SEC BD has been implicated in a recent DDoS attack against the Saline Water Conversion Corporation (SWCC) in Saudi Arabia [5]. ANON SEC BD claimed responsibility for the attack, citing Saudi Arabia's diplomatic stance in the ongoing conflict in Gaza as their motive. The group has previously targeted other entities online, showcasing their capability and willingness to carry out cyberattacks. The attack targeted critical infrastructure, specifically water treatment facilities, which are vital for public health and safety.

The targeted sector in this cyberattack is the water infrastructure of Saudi Arabia, particularly the SWCC responsible for desalination projects aimed at providing clean drinking water to the population. Any disruption to SWCC's operations could have severe repercussions, not only affecting domestic water supply but also impacting industries reliant on desalinated water, such as agriculture and manufacturing. The implications of such an attack extend beyond immediate consequences, potentially eroding public trust in the safety and reliability of the water supply, leading to social unrest. The attack occurred amid heightened international tensions, highlighting the complexity of cybersecurity threats in the context of geopolitical conflicts.

May 3: Latest Malware Attacks

Here are the malware attacks and campaigns that were active in the first week of May.

The Wpeeper Android malware [6], discovered recently, employs a sophisticated evasion technique by utilizing compromised WordPress sites as intermediaries for its C2 communication, thus concealing the true location of its servers [6]

Detected in unofficial app stores posing as the Uptodown App Store, Wpeeper's backdoor functionality enables it to execute various commands on infected devices, including data theft, application enumeration, file manipulation, and remote execution. Its use of AES encryption and elliptic curve signatures ensures secure communication between the C2 and infected devices. With thousands of devices potentially compromised, the true extent of its operation remains uncertain. 

As the malware's motives and operators are unknown, potential risks include account compromise, network infiltration, intelligence gathering, identity theft, and financial fraud. Users are advised to install applications only from trusted sources like Google Play Store and activate built-in anti-malware tools to mitigate such threats.

Dev Popper Campaign: Exploiting Fake Job Interviews to Deploy Python RAT on Developers' Systems

A deceptive cyber campaign named "Dev Popper" is targeting software developers using fake job interviews to distribute a Python-based remote access trojan (RAT) [7]. In this elaborate scheme, developers are lured into downloading and running seemingly legitimate interview-related tasks from a GitHub repository. The initial contact is made by posing as employers seeking software developers, where the interview process is misused to persuade the candidates to engage with compromised files. The downloaded files, appearing as standard coding tasks, contain obfuscated JavaScript that triggers further malicious downloads, ultimately installing the Python RAT on the developer's system [8].

This RAT then enables attackers to gain extensive control over the affected systems, allowing them to execute commands remotely, access sensitive files, and capture keystrokes and clipboard data. 

While there is a suspicion of North Korean involvement, definitive attribution remains unclear. This method of exploiting professional trust and the necessity to comply with job interview requirements makes the attack particularly insidious and effective. Such tactics have been noted as characteristic of North Korean operatives in their long-standing strategy to infiltrate various high-value targets, including security researchers and tech professionals, through seemingly benign interactions.

Threat Intelligence Reports, Advisories and Warnings

Here is the summary of highlighted threat intelligence reports, advisories, and warnings issued by security researchers and authorities that garnered attention in the first week of May.

Cybersecurity Advisory: Okta Warns of Unprecedented Credential Stuffing Attacks

Okta has issued a warning about a significant increase in credential stuffing attacks targeting its identity and access management platforms [9]. These attacks utilize stolen usernames and passwords to attempt automated sign-ins on various accounts, leveraging anonymizing services such as TOR and various residential proxies to mask the attacker's location [10]. Over recent weeks, Okta has observed these attacks originating from similar infrastructure known for previous brute-force and password-spraying activities.

In response, Okta has enhanced its security measures to better detect and block these attempts at the network edge before they reach authentication stages. A new feature in Okta’s Workforce Identity Cloud (WIC) and Customer Identity Solution (CIS) allows organizations to specifically block or allow requests from anonymizing services. This capability, crucial for preventing unauthorized access, is part of Okta’s broader effort to provide robust defenses against the increasing sophistication of credential stuffing attacks. Customers are advised to enable ThreatInsight in Log and Enforce Mode, deny access from anonymizing proxies, and consider upgrading to the Okta Identity Engine, which offers additional security features such as CAPTCHA challenges for risky sign-ins and more advanced passwordless authentication options.

US Government Issues Alert on Pro-Russian Hacktivists Targeting Water Facilities with OT System Attacks

The US government, in collaboration with agencies including CISA, FBI, NSA, and international partners from Canada and the UK, has issued a warning about pro-Russian hacktivists targeting operational technology (OT) systems, particularly within the water treatment sector [11]. These attacks aim to disrupt critical infrastructure by exploiting insecure and misconfigured OT devices. Operational technology, which includes both hardware and software, is crucial for monitoring and controlling physical processes in industries such as manufacturing and critical infrastructure.

Hacktivist groups like the Cyber Army of Russia have been implicated in several recent incidents affecting water facilities in the US and Europe, with tactics including the use of the VNC protocol to manipulate human-machine interfaces (HMIs) in OT systems. Although many of these attacks result in minimal disruption, some have caused significant operational challenges. For instance, an attack on a Texas water facility led to an overflow incident. The US government's advisory stresses the importance of enhancing security measures such as updating software, strengthening passwords, and implementing multi-factor authentication to protect against these threats. The advisory also highlights the link between these hacktivist groups and more sophisticated entities like the Sandworm team, associated with Russia’s GRU, underscoring the potential severity and complexity of these threats to national and international security.

How Stolen Citrix Credentials and Lack of MFA Resulted in an $872 Million Loss for Change Healthcare.

Change Healthcare recently confirmed that a ransomware attack by the BlackCat group, originally facilitated through stolen Citrix credentials lacking multi-factor authentication, had deeper implications than previously disclosed [12]. In a new update, UnitedHealth CEO Andrew Witty shared that after the initial compromise on February 12, 2024, the attackers maintained access to the network until February 21, utilizing this period to move laterally, steal sensitive data, and eventually deploy ransomware. This extensive breach led to operational disruptions across critical healthcare services, resulting in financial damages estimated at $872 million.

Further complicating the situation, Change Healthcare admitted to paying a ransom in response to the extortion, with the aftermath of the payment leading to additional demands through RansomHub. These developments were part of the testimony given by Witty in anticipation of a House Energy and Commerce subcommittee hearing. 

The breach's serious nature prompted Change Healthcare to undertake extensive security overhauls, including system replacements and network rebuilds, aimed at preventing future incidents. Despite these efforts, recovery continues, with some services still not fully operational. This incident underscores the critical need for robust security measures, including the implementation of multi-factor authentication, to protect sensitive health data from increasingly sophisticated cyber threats.

References

[1] K. Sestito, “R-bitrary Code Execution: Vulnerability in R’s Deserialization,” HiddenLayer | Security for AI, Apr. 29, 2024. Available: https://hiddenlayer.com/research/r-bitrary-code-execution/. [Accessed: May 02, 2024]

[2] I. Arghire, “Vulnerability in R Programming Language Could Fuel Supply Chain Attacks,” SecurityWeek, Apr. 30, 2024. Available: https://www.securityweek.com/vulnerability-in-r-programming-language-enables-supply-chain-attacks/. [Accessed: May 02, 2024]

[3] N. Hewitt, “CVE-2024-27322 Vulnerability Found in R Programming Language,” TrueFort, May 01, 2024. Available: https://truefort.com/cve-2024-27322/. [Accessed: May 02, 2024]

[4] I. Arghire, “Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover,” SecurityWeek, Apr. 30, 2024. Available: https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/. [Accessed: May 02, 2024]

[5] S. Jain, “Unverified: ANON SEC BD Claims Cyberattack on Saudi Water Facilities,” The Cyber Express, Apr. 30, 2024. Available: https://thecyberexpress.com/cyberattack-on-swcc/. [Accessed: May 02, 2024]

[6] B. Toulas, “New Wpeeper Android malware hides behind hacked WordPress sites,” BleepingComputer, Apr. 30, 2024. Available: https://www.bleepingcomputer.com/news/security/new-wpeeper-android-malware-hides-behind-hacked-wordpress-sites/. [Accessed: May 02, 2024]

[7] B. Toulas, “Fake job interviews target developers with new Python backdoor,” BleepingComputer, Apr. 26, 2024. Available: https://www.bleepingcomputer.com/news/security/fake-job-interviews-target-developers-with-new-python-backdoor/. [Accessed: May 02, 2024]

[8] “New ‘Dev Popper’ Campaign Lures Developers with Job Offers, Spreads Python RAT,” Black Hat Ethical Hacking, Apr. 29, 2024. Available: https://www.blackhatethicalhacking.com/news/new-dev-popper-campaign-lures-developers-with-job-offers-spreads-python-rat/. [Accessed: May 02, 2024]

[9] “How to Block Anonymizing Services using Okta,” Okta Security. Available: https://cms.oktaweb.dev/blockanonymizers. [Accessed: May 02, 2024]

[10] B. Toulas, “Okta warns of ‘unprecedented’ credential stuffing attacks on customers,” BleepingComputer, Apr. 27, 2024. Available: https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-credential-stuffing-attacks-on-customers/. [Accessed: May 02, 2024]

[11] “[No title].” Available: https://media.defense.gov/2024/May/01/2003454817/-1/-1/0/DEFENDING-OT-OPERATIONS-AGAINST-ONGOING-PRO-RUSSIA-HACKTIVIST-ACTIVITY.PDF. [Accessed: May 02, 2024]

[12] B. Toulas, “Change Healthcare hacked using stolen Citrix account with no MFA,” BleepingComputer, Apr. 30, 2024. Available: https://www.bleepingcomputer.com/news/security/change-healthcare-hacked-using-stolen-citrix-account-with-no-mfa/. [Accessed: May 02, 2024]