Blogs Archives - Page 59 of 60 - D1 Defend


Threat Intelligence: Nearly Undetectable Hacker

Posted: May 26, 2023

What’s the issue?

The United States and international cybersecurity authorities discovered a cluster of activity associated with a People’s Republic of China (PRC) state-sponsored cyber actor known as Volt Typhoon. This activity targets networks across critical infrastructure sectors, and there is a potential for similar techniques to be used worldwide.

What’s the risk?

This actor employs “living off the land” tactics, using built-in network administration tools to carry out its objectives. This lets it evade detection by blending in with normal Windows system and network activity: it sidesteps endpoint detection and response (EDR) products and is nearly undetectable under default logging configurations. Built-in tools used by the actor include wmic, ntdsutil, netsh, and PowerShell.

What’s the solution?

The joint advisory provides hunting guidance and best practices to detect this activity. It includes examples of the actor’s commands and detection signatures to aid network defenders. However, some of the behavioral indicators can also be legitimate system administration commands, so any hit requires further investigation.

Please check CISA’s website for the joint advisory at http://cisa.gov.

Important Action

To enhance cybersecurity posture against this threat actor, we recommend implementing the following mitigations:

  • Harden domain controllers and monitor event logs for suspicious process creations.
  • Limit port proxy usage and investigate unusual IP addresses and ports in command lines, registry entries, and firewall logs.
  • Review perimeter firewall configurations for unauthorized changes.
  • Monitor for abnormal account activity and impossible logons.
  • Forward log files to a centralized logging server and monitor for log clearing.
  • Enable logging on edge devices and network management devices.
  • Configure Windows security logs to include “audit process creation” and “include command line in process creation events.”
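The following is an added example, not code from the advisory or from D1 Defend. It turns on the two Windows audit settings named in the last bullet and then checks the host for the port proxy registry entries and the living-off-the-land command lines the list says to look for. It assumes an elevated PowerShell session; the function names and the regular expressions are my own choices.

```powershell
# Added example (not the advisory's code). Run elevated; patterns are assumptions.

function Enable-ProcessCreationAuditing {
    # Advanced audit policy "Process Creation" -> Security Event ID 4688
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
    # Policy value behind "Include command line in process creation events"
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
}

function Get-PortProxyEntries {
    # "netsh interface portproxy add" persists its rules here: the value name is
    # listenaddress/listenport, the data is connectaddress/connectport.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem -Path $base -Recurse | ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{
                Family = ($k.Name -split '\\')[-2..-1] -join '\'   # e.g. v4tov4\tcp
                Listen = $name
                Target = $k.GetValue($name)
            }
        }
    }
}

function Get-LolbinProcessEvents {
    # 4688 events from the last N hours whose command line names the tools the
    # advisory lists. Every hit needs triage: administrators run these too.
    param([int]$Hours = 24)
    $patterns = 'netsh\s.*portproxy', '\bntdsutil\b', '\bwmic\b'
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()                       # read fields by name, not by index
        $d = @{}; foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        if ($patterns | Where-Object { $d['CommandLine'] -match $_ }) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['SubjectUserName']
                               Parent = $d['ParentProcessName']; CommandLine = $d['CommandLine'] }
        }
    }
}

Enable-ProcessCreationAuditing
Get-PortProxyEntries | Format-Table -AutoSize
Get-LolbinProcessEvents | Format-Table -Wrap
```

Command lines only appear in 4688 events created after the setting is applied, so the event search is useful for history only once the audit policy has been in place for a while.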

If you have any questions or need assistance with implementing these mitigations, please reach out to our team at D1 Defend.


Threat Intelligence: Critical Apple Security Updates

Posted: April 12, 2023

CISA is requiring federal agencies to patch known iPhone and macOS exploits immediately!

What’s the issue?

Apple has released emergency security updates to address two zero-day vulnerabilities that have been exploited in recent attacks affecting iPhones, iPads, and Macs. These vulnerabilities could allow attackers to execute arbitrary code with kernel privileges or execute malicious code on hacked devices.

What’s the risk?

Although the exploits were likely used in highly targeted attacks, it’s essential to install these emergency updates as soon as possible to prevent potential attacks.

The list of affected devices is extensive and includes the following:

  • iPhone 8 and later,
  • iPad Pro (all models),
  • iPad Air 3rd generation and later,
  • iPad 5th generation and later,
  • iPad mini 5th generation and later, and
  • Macs running macOS Ventura.

What’s the solution?

Apple has released updates for these vulnerabilities in iOS 16.4.1, iPadOS 16.4.1, macOS Ventura 13.3.1, and Safari 16.4.1, with improved input validation and memory management.

Important Action

To secure your devices against these vulnerabilities, it’s crucial to install the updates released by Apple as soon as possible. We strongly advise updating all iOS, iPadOS, and macOS devices immediately to address the two zero-day vulnerabilities.

This is a serious, wide-reaching issue, and the Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive requiring federal agencies to patch these vulnerabilities by May 1st, 2023.

If you have any questions, concerns or would like to discuss proper patch management please reach out to our team here at D1 Defend.


Threat Intelligence: Active Campaign Targeting 3CX

Posted: March 30, 2023

An active intrusion campaign is targeting users of the 3CX softphone telephony platform. The threat actor group LABYRINTH CHOLLIMA, associated with the Democratic People’s Republic of Korea, is suspected to be behind it.

CrowdStrike’s Intelligence Team has identified unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp, a softphone application from 3CX.

WHY IS THIS A BIG DEAL?

The trojanized malware is signed with 3CX’s certificate, creating complexity for prevention using traditional security controls. The malicious activity includes beaconing to actor-controlled infrastructure, deployment of second-stage payloads, and, in a small number of cases, hands-on-keyboard activity.

The 3CX CEO Nick Galea has been quoted by numerous sources urging users to uninstall the affected software, which includes versions 18.12.407 and 18.12.416 of the Windows application. The Macintosh application also appears to be impacted.

We recommend two steps: first, if you have application control set up in your environments, make sure this product is blacklisted and cannot run; then go through and uninstall it.

We also recommend searching your software lists using your RMM to make sure it is not installed on any devices you may be unaware of.

MORE DETAILS: HOW CAN THIS BE DETECTED, SO FAR…

CrowdStrike has behavioral preventions and atomic detectors targeting the abuse of 3CXDesktopApp. If you are a customer, please ensure that your prevention policies are properly configured with “Suspicious Processes” enabled. (This may not be on by default.) We recommend locating 3CXDesktopApp software in your environment by using the queries CrowdStrike provides and hunting for historical presence of indicators in third-party tooling (if available).

Todyl is also tracking the campaign and has released preventions and detections across multiple Todyl modules, in addition to active threat hunting from the MXDR Team. Todyl’s ATI (Adversary Threat Intelligence) team is continuing to monitor developments and is coordinating with both the MXDR and Detection Engineering teams.

As of March 29th, 10:43 AM MT, VirusTotal showed that most antivirus vendors were not detecting this attack. However, other vendors such as Sophos, SentinelOne, and ESET have reportedly been marking the 3CX desktop application as malicious.

The actions described in the links below significantly reduce the risk of infection for tenants using CrowdStrike as well as Todyl’s Endpoint Security, SIEM, and SASE modules. However, it is still necessary to audit both your own and your clients’ environments thoroughly for the presence of 3CX-associated malware.

PROTECTIVE ACTION

As this campaign is still developing, it’s crucial to take immediate action to protect your customers from this threat. We recommend that you contact your security vendors to stay informed about their response to this attack. It’s also essential to regularly monitor your environment for any suspicious activities and follow the recommendations provided in the links below. By taking these measures, you can help ensure the safety and security of your business and your customers.

· CrowdStrike Tech Alert (requires a CrowdStrike login) – https://supportportal.crowdstrike.com/s/article/Tech-Alert-CrowdStrike-Tracking-Active-Intrusion-Campaign-Targeting-3CX-Customers

· Todyl’s Blog Post – https://www.todyl.com/blog/post/threat-advisory-3cx-softphone-telephony-campaign

· Please take a look at the Atomic Indicators in this Reddit post from CrowdStrike in order to use them within your own security stack to search for indications of compromise – https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/


Threat Intelligence: Microsoft 365 Apps Exploited

Posted: March 16, 2023

A critical vulnerability (CVE-2023-23397) in the Microsoft Outlook/365 application suite is being actively exploited in the wild and requires urgent patching.

Why worry about CVE-2023-23397?

The CVSS 9.8 bug allows remote, unauthenticated attackers to breach systems and steal credentials by sending a specially crafted email. The malicious email triggers automatically when processed by the Outlook client, even before being viewed in the Preview Pane.

What is impacted by CVE-2023-23397?

This vulnerability affects 32- and 64-bit versions of Microsoft 365 Apps for Enterprise and of Office 2013, 2016, and 2019 (including LTSC).

How the attack works

The attack begins with a malicious email that causes the victim’s Outlook client to connect to a location under attacker control, leaking the victim’s Net-NTLMv2 hash to the attacker, who can then authenticate as the victim.

What you can do about CVE-2023-23397

Microsoft suggests mitigations such as adding users to the “Protected Users Security Group” and blocking TCP 445/SMB outbound from your network. The vulnerability was found by CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence.
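The two mitigations named above, as an added example that is neither Microsoft’s nor D1 Defend’s code. It assumes a domain-joined host with the ActiveDirectory module available, an elevated session for the host firewall rule, and placeholder account names; the public-range list is my own way of expressing “everything outside RFC 1918 space”.

```powershell
# Added example (not Microsoft's code). Account names and ranges are placeholders.

function Add-ProtectedUser {
    # Members of Protected Users cannot authenticate with NTLM at all, so a
    # leaked Net-NTLMv2 hash for them cannot be relayed or replayed as a logon.
    # Caveat: the group also disables Kerberos DES/RC4 and cached logons, so keep
    # service, computer and break-glass accounts out of it and pilot it first.
    param([Parameter(Mandatory)][string[]]$SamAccountName)
    $members = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
    foreach ($user in $SamAccountName) {
        if ($members -contains $user) { continue }            # already a member
        Add-ADGroupMember -Identity 'Protected Users' -Members $user
    }
}

function Block-OutboundSmbToInternet {
    # Host-level complement to the perimeter block on TCP 445. Windows Firewall
    # has no "not in" for RemoteAddress, so the rule lists the public IPv4 ranges
    # that surround RFC 1918 space; internal file shares keep working.
    $public = '1.0.0.0-9.255.255.255', '11.0.0.0-172.15.255.255',
              '172.32.0.0-192.167.255.255', '192.169.0.0-223.255.255.255'
    $name = 'Block outbound SMB to Internet (CVE-2023-23397)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 445 -RemoteAddress $public -Profile Any | Out-Null
}

Add-ProtectedUser -SamAccountName 'jdoe', 'asmith'   # placeholder accounts
Block-OutboundSmbToInternet
```

Both steps reduce exposure while the patch is being rolled out; neither replaces installing it.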

At least 15 European organizations in the government, military, energy, and transportation sectors have been targeted in attacks attributed to Russian military intelligence.

We strongly advise immediate patching or implementation of the suggested mitigations. Remember with patching, start with a test group first. For more information on patch best practices, I’d recommend watching SecOps 140: Windows 10 & 11 Patching.

Further attacks are expected as the patch is reverse-engineered and more threat actors identify the exploit.

If you have any questions, concerns or would like further information, please do not hesitate to reach out to our security desk or one of our security advisors.


Threat Intelligence: Unpatched Zoho ManageEngine Products are Being Actively Targeted by Cyberattacks

Posted: January 25, 2023

On Monday, January 23rd, CISA officially recognized and posted an advisory (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) warning both public and private entities about a set of exploits that carry a high risk of abuse.

Attackers are actively exploiting a number of Zoho ManageEngine products, including but not limited to Active Directory 360, ADSelfServicePlus, ADManagerPlus, Endpoint Central, and Endpoint Central MSP.

According to a recently released security advisory (https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) connected to a confirmed CVE (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-47966), at least 24 individual ManageEngine products may be affected by this critical exploit.

The exploit allows remote code execution, which can immediately lead to full SYSTEM-level access. A scan of internet-facing devices estimates that at least 10% of all exposed ManageEngine instances may be vulnerable.

If a ManageEngine product currently has, or has ever had, SAML authentication enabled, it may be vulnerable. Remediation relies on having the latest patches, so please refer to this advisory page (https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html) to download the necessary upgrades/hotfixes for your product.

Since this exploit covers such a wide range of ManageEngine products, now might be a good time to run a Galactic scan on your environment as well as your clients for previously unknown software that may belong to the Zoho ManageEngine family.

ManageEngine products are heavily used both in the MSP space and across enterprises worldwide. Federal agencies have been given three weeks, until February 13th, to patch these vulnerabilities. Please check your environments for this vulnerability.
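The inventory check both this post and the 3CX post above call for, as an added example that is not D1 Defend’s, 3CX’s or ManageEngine’s code. It reads the Windows Uninstall registry keys so it can be pushed to each host through an RMM, flags the two 3CX Windows builds named in that post, and lists anything from the Zoho/ManageEngine family for comparison against the vendor advisory. It assumes Windows hosts; HKCU only reflects the user running the script, and the function names are my own.

```powershell
# Added example (not vendor code). Windows-only; HKCU covers the running user only.

function Get-InstalledSoftware {
    param([Parameter(Mandatory)][string]$NamePattern)
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        Get-ItemProperty -Path "$root\*" -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $NamePattern } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }
}

function Test-3CXAffected {
    # Windows builds the vendor told users to remove. Other builds are still
    # flagged for review because the campaign was still developing; the Mac
    # app is reported affected too but is outside this Windows-only check.
    $bad = [version]'18.12.407', [version]'18.12.416'
    Get-InstalledSoftware -NamePattern '3CX' | ForEach-Object {
        $v = $_.DisplayVersion -as [version]            # $null if unparseable
        if ($v -and $bad -contains $v) { $verdict = 'KNOWN-BAD: block and uninstall' }
        else                           { $verdict = 'review' }
        [pscustomobject]@{ Name = $_.DisplayName; Version = $_.DisplayVersion
                           Location = $_.InstallLocation; Verdict = $verdict }
    }
}

function Find-ManageEngine {
    # Anything in the family is in scope for CVE-2022-47966 until its build is
    # checked against the fixed versions in the vendor advisory.
    Get-InstalledSoftware -NamePattern 'ManageEngine|Zoho'
}

Test-3CXAffected | Format-Table -AutoSize
Find-ManageEngine | Format-Table -AutoSize
```

The 3CX desktop app installs per user, so run the script in each user’s context (or through the RMM as the logged-on user) rather than only as SYSTEM.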

Based on previous data from dark-web and underground sources, we have seen that ManageEngine products are a prime target (https://www.bleepingcomputer.com/news/security/hackers-sell-access-to-your-network-via-remote-management-apps/) for both cyber-attackers and brokers of stolen data.

If you have any questions, concerns or would like further information, please do not hesitate to reach out to our security desk or one of our security advisors.
