Vercara’s Open-Source Intelligence (OSINT) Report – November 15 – November 21, 2024


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Phishing emails increasingly use SVG attachments to evade detection. 

(TLP: CLEAR) Threat actors are increasingly leveraging Scalable Vector Graphics (SVG) attachments in phishing campaigns and malware distribution due to their unique properties and ability to evade detection. Unlike traditional image formats like JPG or PNG, which rely on pixels, SVG files use text-based mathematical formulas to create images through shapes, lines, and text. This makes SVGs scalable without quality loss and capable of embedding additional functionalities, such as HTML and JavaScript, which threat actors exploit. SVG attachments are being used to mimic legitimate interfaces like login forms, such as fake Excel spreadsheets, to steal user credentials. They can also deliver malware by prompting users to download malicious files from remote servers or automatically redirect browsers to phishing sites using embedded JavaScript. Because SVG files are textual representations of images, they are often overlooked by security software, with many samples uploaded to VirusTotal showing minimal detections. Receiving an SVG attachment is rare in legitimate email communications and should raise immediate suspicion. Unless you are expecting such files, particularly as a developer, it is safer to delete them. This growing trend highlights the need for user vigilance and more robust detection mechanisms to combat evolving cyber threats. 

(TLP: CLEAR) Comments: While SVGs are generally benign, their text-based nature and support for embedded scripts make them a significant concern in cybersecurity, especially when used in email attachments or web content. Malicious actors can craft SVGs for several purposes: embedding malicious scripts, phishing, malware delivery, and browser redirects, often while evading detection. Suggested mitigation strategies include email filtering, endpoint protection, and inspecting attachments before they reach users.
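The "inspect attachments" mitigation above can be automated at the mail gateway. The following is an added example, not Vercara's code or part of the BleepingComputer article: it parses an SVG attachment as XML and flags the features the story describes (embedded script, event-handler attributes such as onload, foreignObject wrappers used to embed HTML login forms, and script or remote URLs in href attributes). The two sample SVGs and the flag lists are constructed assumptions for illustration.

```python
import re
from xml.etree import ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that turn a "picture" into an active document (assumed watch list).
ACTIVE_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Both the plain and the xlink-namespaced href are used in SVG.
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]


def scan_svg(data: bytes) -> list:
    """Return human-readable findings for one SVG attachment.
    An empty list means nothing suspicious was found, not proof of safety."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A gateway should treat unparseable SVG as suspicious, not as "just an image".
        return [f"malformed XML ({exc})"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active element <{tag}>")
        for name, value in elem.attrib.items():
            lname = _local(name)
            if lname.lower().startswith("on"):
                findings.append(f"event handler {lname}= on <{tag}>")
            if name in HREF_ATTRS:
                v = value.strip().lower()
                if v.startswith("javascript:") or v.startswith("data:text/html"):
                    findings.append(f"script URL in {lname} on <{tag}>")
                elif re.match(r"https?://", v):
                    findings.append(f"remote reference {value} on <{tag}>")
    return findings


def should_quarantine(data: bytes) -> bool:
    """Policy hook: quarantine if the scanner reports anything at all."""
    return bool(scan_svg(data))


# Constructed samples: a plain icon, and an SVG that redirects on load and
# wraps HTML in a foreignObject (the fake login-form pattern from the article).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4"/></svg>')
SUSPICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                  b'onload="window.location=\'https://example.invalid/login\'">'
                  b'<foreignObject width="300" height="200">'
                  b'<div xmlns="http://www.w3.org/1999/xhtml">Sign in</div>'
                  b'</foreignObject></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, "->", scan_svg(sample) or "no findings")
```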

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds. 

OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when:

  • User-supplied data is not validated, filtered, or sanitized by the application.
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter.
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records.
  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.”

One way to validate input on the server side is through a Web Application Firewall.

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), can detect and block malware delivery and command and control (C2) techniques such as phishing, domain generation algorithms, and DNS tunneling to reduce both the quantity and impact of infections. 

Vercara’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements. 

Source: https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/  

Security plugin flaw in millions of WordPress sites gives admin access. 

(TLP: CLEAR) A critical authentication bypass vulnerability (CVE-2024-10924) has been identified in the WordPress plugin Really Simple Security (formerly “Really Simple SSL”), affecting both free and Pro versions. The plugin, widely used on over four million websites, offers features like SSL configuration, two-factor authentication (2FA), and real-time vulnerability detection. Disclosed by Wordfence, the flaw allows remote attackers to bypass authentication and gain full administrative control of affected sites. The issue lies in the improper handling of authentication within the plugin’s REST API for 2FA. Specifically, the function check_login_and_get_user() fails to properly reject invalid login_nonce values, enabling attackers to authenticate using only a valid user_id. The flaw is exploitable when 2FA is enabled, potentially leading to large-scale automated attacks. The vulnerability impacts plugin versions 9.0.0 through 9.1.1.1. A patch (version 9.1.2) was released on November 12, 2024, for Pro users and November 14 for free users. Hosting providers have been advised to enforce updates and scan for vulnerable installations, but many sites remain at risk, with approximately 3.5 million still unpatched as of recent data. Website administrators are urged to verify they are using version 9.1.2 or later to secure their sites. Pro users with expired licenses must manually update, as auto-updates are disabled in such cases. 

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:  

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks. 
  • Actively running and up to date as applicable.  
  • Generating audit logs.  
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.”

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://www.bleepingcomputer.com/news/security/security-plugin-flaw-in-millions-of-wordpress-sites-gives-admin-access/  

Botnet exploits GeoVision zero-day to install Mirai malware. 

(TLP: CLEAR) A malware botnet is actively exploiting a zero-day vulnerability (CVE-2024-11120) in outdated GeoVision devices, likely using them for DDoS attacks or cryptomining operations. The vulnerability, rated critical with a CVSS score of 9.8, is an OS command injection flaw that allows unauthenticated attackers to execute arbitrary system commands remotely. It affects several end-of-life GeoVision models, including video servers and digital video recorders, which are no longer supported by the vendor and will not receive security patches. Approximately 17,000 vulnerable devices are exposed online, with the majority located in the United States. The malware appears to be a variant of the Mirai botnet, known for its use in DDoS attacks and cryptomining. Compromised devices may exhibit signs such as overheating, sluggish performance, or arbitrary configuration changes. To mitigate risks, users should reset affected devices, update passwords to strong alternatives, disable remote access, and secure devices behind firewalls. Ideally, unsupported devices should be replaced with models that receive regular updates. If replacement is not feasible, devices should be isolated on a dedicated network segment and monitored closely. 

(TLP: CLEAR) Comments: GeoVision is a company that produces Internet-of-Things (IoT) devices such as IP cameras, digital and network video recorders, video management software, and access control systems. Malicious actors look to infect IoT devices with botnet malware because users often do not keep these devices current with the latest firmware and security updates/patches. Additionally, IoT devices are widely used in both residential and business settings, which gives malicious actors a large pool of potential targets to infect and build a large botnet infrastructure.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected.” Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect.

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect can accept traffic in an always-on or on-demand mode with DNS and API-based integration options that can adapt to your existing technology stack and operational practices. UltraDDoS Protect also includes a variety of options to automate detection to mitigation so that DDoS attacks can be thwarted immediately or within seconds. 

Source: https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/  

Ngioweb botnet fuels NSOCKS residential proxy network exploiting IoT devices. 

(TLP: CLEAR) The Ngioweb malware botnet has been instrumental in fuelling the NSOCKS residential proxy service, as well as others like VN5Socks and Shopsocks5, according to findings from Lumen Technologies. Originating from a botnet of over 20,000 IoT devices, primarily small office/home office (SOHO) routers and other internet-connected devices, Ngioweb enables its operators to sell infected devices as residential proxies for malicious activities such as credential stuffing, DDoS attacks, and global traffic obfuscation. The botnet, operated by the financially motivated group Water Barghest, infects devices running Windows and Linux by exploiting vulnerabilities and zero-day flaws, rapidly turning them into proxies in as little as 10 minutes. The operation is highly automated and efficient, with over 35,000 active bots at any given time, two-thirds of which are based in the U.S. Infected devices include those from major vendors like NETGEAR, Hikvision, and Zyxel. The monetization process involves selling access to these proxies through services like NSOCKS, which allows buyers to route traffic through over 180 countries, targeting specific locations or domains like .gov or .edu. Prices for access range between $0.20 and $1.50 per device for 24 hours, depending on the device type and infection duration. These proxies are often used to obscure malicious activities, making them attractive to cybercriminals and advanced persistent threat (APT) groups. In response, telecom firms like Lumen are blocking traffic associated with the botnet infrastructure. However, the demand for residential proxies is expected to grow, presenting ongoing risks as these services enable attackers to launch large-scale, targeted, and globally distributed attacks. 

(TLP: CLEAR) Comments: The Ngioweb botnet was first identified in 2018 and is a sophisticated botnet that normally targets Internet-of-Things (IoT) devices and small office/home office (SOHO) routers, turning them into proxies for malicious activities. This botnet has been linked to financially motivated threat actors and is widely used for credential stuffing, Distributed Denial-of-Service (DDoS) attacks, and cryptomining. It is assessed that by October 2024, this botnet consisted of over 20,000 infected IoT devices, with two-thirds of infected devices being in the United States. Ngioweb-infected devices are monetized as proxies through platforms like NSOCKS, where individuals can use the infected devices for residential proxy services, DDoS attacks, and/or cryptomining.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.IR-04: “Adequate resource capacity to ensure availability is maintained.” Businesses, particularly those located within NATO and allies, should maintain constant vigilance and regularly test and enhance their cybersecurity defensive capabilities, specifically DDoS mitigation strategies, architecture, monitoring, and procedures. 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect is operated by our dedicated, 24/7 Security Operations Center that works to mitigate attacks against infrastructure, applications, and supporting services. Their work is backed by industry-leading Service Level Agreements (SLAs) for mitigation timeliness and effectiveness. 

Source: https://thehackernews.com/2024/11/ngioweb-botnet-fuels-nsocks-residential.html 

Source: https://blog.lumen.com/one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet/?utm_source=rss&utm_medium=rss&utm_campaign=one-sock-fits-all-the-use-and-abuse-of-the-nsocks-botnet  

Cyberattack at French hospital exposes health data of 750,000 patients. 

(TLP: CLEAR) A data breach at a French hospital exposed the medical records of 750,000 patients, with the attack linked to a compromised MediBoard account by the Softway Medical Group. The hacker, known as ‘nears,’ claimed access to the patient records of over 1.5 million people and attempted to sell access to sensitive healthcare systems in multiple hospitals. The breached data includes personal and medical information such as names, birth dates, addresses, health card histories, and prescriptions, raising significant risks of phishing, scamming, and social engineering. Softway Medical Group clarified that the breach resulted from stolen credentials used by the hospital’s privileged account and not from vulnerabilities or misconfigurations in their software. The attacker also advertised access to MediBoard accounts for various French hospitals, enabling potential buyers to view and manipulate patient records, billing information, and appointments. The breach has been traced to hospitals under the Aléo Santé group, accessed via a single compromised MediBoard account. Though the stolen data has yet to be sold, its potential online leak could expose it to broader misuse by the cybercrime community, further exacerbating privacy and security risks for affected patients. 

(TLP: CLEAR) Comments: The healthcare industry is a prime target for malicious actors due to its sensitive patient data, reliance on outdated systems, and critical, high-stakes operations. Electronic health records, IoT medical devices, and telehealth platforms offer a wealth of exploitable vulnerabilities, while the high value of personal health information (PHI) on the dark web incentivizes data breaches. Ransomware attacks are particularly prevalent, as healthcare providers often pay to restore access to systems that are vital for patient care. Additionally, the lack of robust cybersecurity measures and expertise in many organizations, coupled with insider threats and pandemic-driven pressures, exacerbate risks. These attacks can lead to significant financial losses, regulatory penalties, reputational damage, and even patient harm, highlighting the urgent need for stronger cybersecurity defences. 

(TLP: CLEAR) Recommended best practices/regulations: Department of Health and Human Services Fact Sheet: Ransomware and The Health Information Portability and Accountability Act (HIPAA): “The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include: 

  • Implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks. 
  • Implementing procedures to guard against and detect malicious software. 
  • Training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections. 
  • Implementing access controls to limit access to ePHI to only those persons or software programs requiring access.”

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses: 

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://www.bleepingcomputer.com/news/security/cyberattack-at-french-hospital-exposes-health-data-of-750-000-patients/ 

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
