Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
New TunnelVision Attack Allows Hijacking of VPN Traffic Via DHCP Manipulation
(TLP: CLEAR) The article discusses a new cyber-attack called TunnelVision, which enables threat actors to evade security measures by utilizing DNS tunneling techniques. This attack method allows malicious actors to covertly exfiltrate data from a victim’s network without being detected by traditional security measures.
(TLP: CLEAR) Comments: TunnelVision poses a significant threat to organizations as it can bypass firewalls and other security protocols, potentially leading to data breaches and other security incidents. The article emphasizes the importance of implementing robust security measures to mitigate the risks associated with TunnelVision attacks.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. Organizations are advised to conduct periodic network assessments to identify and close nonessential ports and protocols that expand their potential attack surface. If organizations require certain ports and protocols to be exposed to the internet for business operations, they should establish defense in depth, change all default usernames and passwords, and create complex passwords that are harder to brute-force.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://thehackernews.com/2024/05/new-tunnelvision-attack-allows.html
Source: https://www.wired.com/story/tunnelvision-vpn-attack/
Kremlin-Backed APT28 Targets Polish Institutions in Large-Scale Malware Campaign
(TLP: CLEAR) The article reports on the activities of APT28, a cyber espionage group believed to have ties to the Russian government, targeting Polish government entities and private organizations. APT28, also known as Fancy Bear, is notorious for its sophisticated tactics and has been involved in various cyber-attacks globally.
(TLP: CLEAR) Comments: NATO and the United States are conducting the Defender 24 exercise in Poland and other eastern European countries, and this attack is more than likely in response to this large-scale NATO/US military exercise. The group’s recent activities in Poland highlight ongoing geopolitical tensions and the continued use of multi-domain operations, including cyber-attacks, as a tool for espionage and influence operations. The article underscores the importance of enhanced cybersecurity measures and vigilance to mitigate the threat posed by state-sponsored cyber actors like APT28.
(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed.”
- “An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that concludes the system components are not at risk from malware.
- “The deployed anti-malware solution(s):
- Detects all known types of malware.
- Removes, blocks, or contains all known types of malware.
- “Any system components that are not at risk for malware are evaluated periodically to include the following:
- A documented list of all system components not at risk for malware.
- Identification and evaluation of evolving malware threats for those system components.
- Confirmation whether such system components continue to not require anti-malware protection.
“The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections.
Source: https://thehackernews.com/2024/05/kremlin-backed-apt28-targets-polish.html
Source: https://cybernews.com/cyber-war/russian-cyberattack-apt28-polish-gov-malware-campaign/
Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery
(TLP: CLEAR) The article discusses the Mirai botnet’s exploitation of vulnerabilities in Ivanti’s ConnectWise software, a remote management and monitoring tool. Mirai, a notorious botnet known for launching large-scale DDoS attacks, is now targeting ConnectWise vulnerabilities to compromise devices and recruit them into its network.
(TLP: CLEAR) Comments: This poses a significant threat to organizations that use ConnectWise, as compromised devices can be used for various malicious activities, including DDoS attacks and data theft. The article highlights the importance of promptly patching vulnerabilities and implementing necessary security measures to protect against Mirai and other botnet attacks.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- “Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attributes and tagging those associated with known DGA attributes, such as high entropy.
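As an added illustration of the "high entropy" textual attribute the CISA excerpt above describes (example code written for this summary, not Vercara's or CISA's; the log format, thresholds and domain names are constructed), the following scores resolver query logs for DGA-like registrable labels and for the long hex-encoded subdomain labels typical of DNS tunneling:

```python
import math
import re
from collections import Counter

# Constructed resolver query log (not real traffic): "<ts> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2024-05-10T12:00:01Z 10.0.0.12 www.example.com A
2024-05-10T12:00:02Z 10.0.0.12 mail.example.com MX
2024-05-10T12:00:03Z 10.0.0.40 x7qk3vz9p2w8rjl1.net A
2024-05-10T12:00:04Z 10.0.0.40 kq2ncj8wzx4ylvfh.com A
2024-05-10T12:00:05Z 10.0.0.40 8df1a2b3c4e5f6a7b8c9d0e1f2a3b4c5.t.badexfil.net TXT
2024-05-10T12:00:06Z 10.0.0.55 cdn.static-assets.org A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_qname(qname: str, entropy_threshold: float = 3.5) -> dict:
    """DGA / tunneling indicators for one query name (registrable label assumed
    to be the one left of the final label; production code would use the
    Public Suffix List and combine many more features than entropy alone)."""
    labels = qname.rstrip(".").lower().split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]
    ent = shannon_entropy(core)
    longest = max(labels[:-1], key=len) if len(labels) > 1 else ""
    # Long, purely-hex subdomain labels are typical of data encoded into queries.
    tunnel_like = len(longest) >= 30 and re.fullmatch(r"[0-9a-f]+", longest) is not None
    return {"qname": qname, "entropy": round(ent, 2),
            "dga_like": ent >= entropy_threshold, "tunnel_like": tunnel_like}

def flag_queries(log_text: str) -> list:
    """Parse log lines and return the entries flagged as DGA- or tunnel-like."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, qname, _qtype = parts
        result = score_qname(qname)
        if result["dga_like"] or result["tunnel_like"]:
            result["client"] = client
            flagged.append(result)
    return flagged
```

Running `flag_queries(SAMPLE_LOG)` returns the two random-looking 16-character domains and the hex-labelled TXT query, all from client 10.0.0.40, while the dictionary-word names pass.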
NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”
- Organizations should have a well-defined incident response plan in place that outlines the procedures to follow in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real-time, such as Vercara’s UltraDDoS Protect.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for internal users and machines using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations, helping prevent data exfiltration or malware detonation.
Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html
Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version
(TLP: CLEAR) The article discusses a new malware called Hijack Loader, which employs a process injection technique to evade detection and execute malicious payloads. This technique allows the malware to inject its code into legitimate processes, making it difficult for security software to detect and mitigate.
(TLP: CLEAR) Comments: Hijack Loader poses a significant threat as it can download and execute additional malware payloads, leading to further compromise of the victim’s system. The article emphasizes the importance of implementing security measures, such as endpoint detection and response (EDR) solutions, to detect and mitigate the threat posed by Hijack Loader and similar malware variants.
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
“Control:
- “a. Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
- “b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
- “c. Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection; and
- “d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html
APT42 Hackers Pose as Journalists to Harvest Credentials and Access Cloud Data
(TLP: CLEAR) The article reports on the activities of APT42, a sophisticated cyber espionage group associated with the Chinese government, posing as journalists to target individuals involved in various industries, including defense, government, and finance. APT42’s tactics involve sending phishing emails containing malicious attachments disguised as press releases or interview requests. These emails exploit vulnerabilities in Microsoft Office to deploy malware payloads, enabling the group to gain unauthorized access to victims’ systems and steal sensitive information.
(TLP: CLEAR) Comments: APT42’s use of social engineering techniques, combined with its exploitation of software vulnerabilities, underscores the group’s advanced capabilities and strategic targeting approach. By impersonating journalists, APT42 aims to deceive targets and exploit their trust to infiltrate organizations and gather intelligence. The article highlights the importance of implementing cybersecurity measures, such as email filtering, software patching, and user awareness training, to mitigate the threat posed by APT42 and similar threat actors. Additionally, organizations should remain vigilant and exercise caution when interacting with unsolicited emails, especially those claiming to be from journalists or media outlets, to avoid falling victim to phishing attacks.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”
One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
It is highly advised that organizations have a robust and continuous cybersecurity training program that teaches their employees how to identify malicious emails and other social engineering attacks.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS responses for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations. Vercara’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements.
Source: https://thehackernews.com/2024/05/apt42-hackers-pose-as-journalists-to.html
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please visit our solutions overview page or contact us.