CERT-W Newsletter January 2021

Ethical Hacking & Incident Response

Posted on

Monthly indicators

TOP ATTACKSolarWinds aftermaths
On the 11th of January, a website presumably owned by the actors behind the SolarWinds breach has surfaced, claiming to be selling data obtained using the SolarWinds backdoor. The site, using the domain solarleaks.net, displays only a pgp signed message, in which the actors share the links to download the stolen information, which has already been encrypted. The domain solarwinds.net has a sister domain located in the dark web, presumably to provide access in case of a takedown.
Simultaneously, a growing number of cybersecurity vendors like CrowdStrike, Fidelis, FireEye, Malwarebytes, Palo Alto Networks and Mimecast are confirming being targeted in the espionage attack. “What started out as the SolarWinds attack is slowly turning out to be perhaps the most sophisticated and wide-reaching cyber-campaign we have ever seen,” Ami Luttwak, CTO and co-founder of Wiz “It encompasses multiple companies used as backdoors to other companies, numerous tools and novel attack methods. This is far more than SolarWinds.”
TOP EXPLOITLaptops given to British schools came preloaded with remote-access worm
A shipment of laptops supplied to British schools by the Department for Education to help kids learn under lockdown came preloaded with Gamarue – an old remote-access worm from the 2010s. This software nasty doesn’t just spread from computer to computer, it also tries to connect to outside servers for instructions to carry out. From what we know a batch of 23,000 computers, the GeoBook 1E running Windows 10, made by Shenzhen-headquartered Tactus Group, contained the units that were loaded with malware.
TOP LEAKHacker leaks data of 2.28 million dating site user
The dating site’s data has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases. The leaked data, a 1.2 GB file, appears to be a dump of the site’s users database. Some of the most sensitive data points included in the file include: Real names; Email addresses; City, state, and ZIP details; Body details; Dating preferences; Marital status; Birth dates; Latitude and longitude; IP addresses; Bcrypt-hashed account passwords; Facebook user IDs; and Facebook authentication tokens. Messages exchanged by users were not included in the leaked file; however, this does not make the entire incident less sensitive.

Cybercrime watch

Arrest, seizure tied to NetWalker ransomware
U.S. and Bulgarian authorities this week seized the dark web site used by the NetWalker ransomware cybercrime group to publish data stolen from its victims. NetWalker is a ransomware-as-a-service crimeware product in which affiliates rent access to the continuously updated malware code in exchange for a percentage of any funds extorted from victims. In connection with the seizure, a Canadian national suspected of extorting more than $27 million through the spreading of NetWalker was charged in a Florida court.
International action targets Emotet crimeware
Authorities across Europe said they’d seized control over Emotet, a prolific malware strain and cybercrime-as-service operation. Investigators say the action could help quarantine more than a million Microsoft Windows systems currently compromised with malware tied to Emotet infections. The law enforcement action included the arrest of several suspects in Europe thought to be connected to the crimeware gang and the take down of various servers that communicate with infected systems.
Duch insider attack on Covid-19 data
Dutch police have arrested two individuals in Amsterdam for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground. The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr. According to Verlaan, the two suspects worked in DDG call centers, where they had access to official Dutch government COVID-19 systems and databases, and as they were working from home, they could easily take photos of their screens.

Vulnerability watch

CVE-2021-1300Cisco SD-WAN Vulnerability
CVSS score: 9.8 CRITICAL

Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users. One of them is this buffer-overflow flaw stems from incorrect handling of IP traffic; an attacker could exploit the flaw by sending crafted IP traffic through an affected device, which may cause a buffer overflow when the traffic is processed. Ultimately, this allows an attacker to execute arbitrary code on the underlying operating system with root privileges.

CVE-2021-1257Cisco Digital Network Architecture CSRF Vulnerability
CVSS score : 8.8 HIGH

The flaw exists in the web-based management interface of the Cisco DNA Center, which is a centralized network-management and orchestration platform for Cisco DNA. An attacker could exploit the vulnerability by socially engineering a web-based management user into following a specially crafted link, say via a phishing email or chat. If the user clicks on the link, the attacker can then perform arbitrary actions on the device with the privileges of the authenticated user.

CVE-2021-1647Microsoft Defender Remote Code Execution Vulnerability
CVSS score : 7.8 HIGH

It could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack.