
News You Might’ve Missed. November 2022

What's new this month in the news for MSPs? New Azure Cosmos DB vulnerability disclosed by Microsoft; phishing attack compromises 130 Dropbox GitHub repositories; FBI says Hive ransomware attacked over 1,300 businesses, extorting $100m, and more.

Let's see what it's all about.

New Azure Cosmos DB Vulnerability Disclosed by Microsoft

Orca Security researchers recently shared details about a vulnerability in Microsoft’s Azure Cosmos DB that allowed an attacker unauthenticated access under specific conditions. They’ve named the vulnerability “CosMiss.”

This vulnerability requires an attacker to know the “forwardingId” of a Cosmos DB Notebook, the universally unique identifier of the Notebook Workspace. An attacker who has that identifier gets full permissions on the Notebook without ever needing to authenticate. Those permissions include read and write access, which lets the attacker overwrite notebook code, inject code, and achieve remote code execution (RCE).

The Azure Cosmos DB is Microsoft’s fast NoSQL database. Microsoft uses it in its e-commerce platforms and for storing catalog information for the retail industry.

Jupyter Notebooks come built into Azure Cosmos DB. Developers use them for tasks such as data exploration, machine learning, data cleaning, and transformation. The primary issue is the lack of an authentication check on the Cosmos DB Jupyter Notebook.

The researchers say the missing authentication is a significant risk, since developers write code in these notebooks and the notebooks will usually contain private information, such as private keys and secrets.

The researchers made a proof of concept that demonstrated the vulnerability of Cosmos DB through an Azure Table API and Serverless Capacity mode. During the deployment, they also validated the exploit on the provisioned Core SQL API. Researchers showed that deleting, overwriting, and injecting code is possible with access to the notebook.

Before Orca researchers shared their findings publicly, they reached out to MSRC, and Microsoft patched this critical vulnerability the next day. The researchers termed the response fast and impressive compared to the SynLapse vulnerability they discovered in January, which took until April to patch properly.
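The defender's lesson from CosMiss is that an unguessable identifier in a URL is not a credential: every request that touches a workspace still has to be authenticated and then authorized against the workspace owner. The following Python model is an added illustration, not Cosmos DB's code or Orca's proof of concept. The workspace UUID, the secret, the user names and the token format are all constructed for the example; the "vulnerable" handler reproduces the class of defect described above (the forwardingId alone grants write access), and the "fixed" handler shows the two checks that were missing.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical model of the access pattern in the CosMiss write-up: a notebook
# workspace addressed by its forwardingId (a UUID). Illustrative code only; the
# UUID, secret and token scheme below are constructed for the example.
SERVER_SECRET = b"constructed-demo-secret"


def make_store() -> Dict[str, dict]:
    """Fresh sample state: one workspace owned by 'alice'."""
    return {"6f1c2a4e-9c3b-4d2f-8a0e-1b5d7c9e3f21": {"owner": "alice", "code": "print('hi')"}}


@dataclass
class Request:
    forwarding_id: str                 # the workspace UUID taken from the URL
    auth_token: Optional[str] = None   # bearer token; None for an unauthenticated caller
    new_code: str = ""                 # body of a write request


def issue_token(user: str) -> str:
    """Mint a demo bearer token '<user>.<hmac>' (stands in for a real identity token)."""
    tag = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def verify_token(token: Optional[str]) -> Optional[str]:
    """Return the authenticated user, or None if the token is missing or forged."""
    if not token or "." not in token:
        return None
    user, tag = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def write_notebook_vulnerable(store: Dict[str, dict], req: Request) -> str:
    """The defect: possessing the forwardingId is treated as proof of access."""
    ws = store.get(req.forwarding_id)
    if ws is None:
        return "404 not found"
    ws["code"] = req.new_code          # no authentication, no ownership check
    return "200 written"


def write_notebook_fixed(store: Dict[str, dict], req: Request) -> str:
    """Hardened handler: authenticate the caller, then authorize against the owner."""
    ws = store.get(req.forwarding_id)
    if ws is None:
        return "404 not found"
    user = verify_token(req.auth_token)
    if user is None:
        return "401 unauthenticated"
    if ws["owner"] != user:
        return "403 forbidden"
    ws["code"] = req.new_code
    return "200 written"


if __name__ == "__main__":
    wid = next(iter(make_store()))
    anon = Request(wid, None, "print('injected')")
    print("vulnerable, no token:", write_notebook_vulnerable(make_store(), anon))
    print("fixed, no token:     ", write_notebook_fixed(make_store(), anon))
    print("fixed, other user:   ", write_notebook_fixed(make_store(), Request(wid, issue_token("bob"), "x")))
    print("fixed, owner:        ", write_notebook_fixed(make_store(), Request(wid, issue_token("alice"), "x")))
```

Note that the fixed handler answers 404 for an unknown workspace before looking at the token, so it does not leak whether a caller is authenticated for identifiers that do not exist; the ordering of the 401 and 403 checks is what separates "who are you" from "are you allowed".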

Phishing Attack Compromises 130 Dropbox GitHub Repositories

Dropbox Inc. was the victim of a successful phishing attack where hackers accessed 130 GitHub software code repositories. The attacker targeted Dropbox staff with phishing emails leading to fake login pages, where one finally succumbed to the scam.

Fortunately, this security breach did not impact user Dropbox accounts, but it did provide the threat actor with developer tools, including API Keys. Dropbox said no passwords, content, or payment info were compromised during the attack, but it provided the details as part of its commitment to privacy, security, and transparency.

This attack started on October 13, when suspicious activity was flagged. GitHub notified Dropbox, and during its investigation Dropbox discovered that the email phishing scam had successfully duped an employee. Dropbox found that the threat actor was masquerading as Circle Internet Services, Inc. and accessing specific GitHub accounts belonging to Dropbox.

The attacker impersonated CircleCIDevOps (which uses GitHub credentials to log in) in all its phishing emails. The email phishing scam provided employee login details to the hackers and prompted the victim to use their hardware-based authentication key to send an OTP to the attack website. All of this opened the gates to the attackers, letting them into GitHub repositories to steal whatever information they wanted.

The threat actors accessed code in the repositories that holds some credentials, along with files and apps used by Dropbox developers. These files had application programming interface keys, along with a few thousand email addresses and names that belong to Dropbox employees, past and current customers, vendors, and sales leads. Dropbox said it has over 700 million registered users.

While customers are not at risk at this time, any breach involving internal developer information is a significant concern. Stolen API keys can be analyzed for exploitable weaknesses and may yield other tokens or keys that help the cybercriminals widen their access.

Dropbox responded to the breach by hiring external forensic experts to verify changes and conducting internal reviews. They reported the attack to law enforcement and regulators.

Going forward, the company has plans to move to the WebAuthn login standard, because it is less vulnerable to phishing attacks and more secure overall.
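Why does WebAuthn resist the attack described above while a hardware key that emits a one-time code did not? The browser writes the origin it is actually on into the signed client data, so an assertion produced on a lookalike domain fails verification at the real site, whereas a one-time code carries no origin and can be relayed unchanged. The Python below is an added illustration of that check, not Dropbox's or any WebAuthn library's code; the relying-party origin, the lookalike origin, the challenge format and the credential key are constructed, and an HMAC stands in for the per-credential asymmetric signature real WebAuthn uses (the origin-binding logic is the same).

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Tuple

# Constructed relying-party origin and credential key (illustrative only).
RP_ORIGIN = "https://login.example.invalid"
CRED_KEY = b"constructed-authenticator-key"


def make_challenge() -> str:
    """Fresh per-login challenge, base64url without padding as WebAuthn encodes it."""
    return base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")


def authenticator_sign(origin_seen_by_browser: str, challenge: str) -> Tuple[bytes, bytes]:
    """Model of browser + authenticator: the browser records the origin it is really
    on in clientDataJSON, and the authenticator signs over that data's hash. A
    phishing page cannot alter the origin field; the browser fills it in."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        sort_keys=True,
    ).encode()
    # HMAC stands in for the credential's private-key signature (model, not real WebAuthn).
    sig = hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, sig


def rp_verify(client_data: bytes, sig: bytes, expected_challenge: str) -> str:
    """Relying-party checks in order: ceremony type, challenge, origin, then signature."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "reject: malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return "reject: wrong ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), expected_challenge.encode()):
        return "reject: challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return "reject: origin mismatch"
    expected = hmac.new(CRED_KEY, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "reject: bad signature"
    return "accept"


def otp_verify(code_submitted: str, code_expected: str) -> str:
    """Contrast: a one-time code has no origin, so a code captured on a lookalike
    page and relayed to the real site verifies as if the victim had typed it there."""
    return "accept" if hmac.compare_digest(code_submitted.encode(), code_expected.encode()) else "reject"


def simulate() -> Tuple[str, str]:
    """Return (verdict for a genuine login, verdict for a login relayed from a lookalike origin)."""
    challenge = make_challenge()
    genuine = rp_verify(*authenticator_sign(RP_ORIGIN, challenge), challenge)
    # The lookalike page forwards the real site's challenge, but the browser
    # records the lookalike's own origin, which the relying party rejects.
    relayed = rp_verify(*authenticator_sign("https://login-example.invalid", challenge), challenge)
    return genuine, relayed


if __name__ == "__main__":
    print("WebAuthn (genuine, relayed):", simulate())
    print("OTP relayed through a lookalike page:", otp_verify("482913", "482913"))
```

The challenge check is what defeats replay of an old assertion; the origin check is what defeats a live relay. Both are decided by the relying party from data the browser, not the page, produced.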

FBI Says Hive Ransomware Attacked Over 1,300 Businesses, Extorting $100m

According to the Federal Bureau of Investigation, the Hive ransomware group has extorted $100 million from over 1,300 organizations throughout the US. They shared the information in a report in a recent joint advisory published with the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services.

The advisory’s primary objective was to share IOCs from Hive and TTPs that the FBI found during their investigation into Hive’s ransomware campaigns. They hope this information will help security professionals defending organizations in finding malicious activity related to Hive affiliates, and that this will reduce and mitigate its impact.

The FBI stated, “Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks.” They also noted that the cybercriminals have been using Hive ransomware since June 2021 and up through November 2022, so far as is currently known. The threat actors target critical infrastructure and many types of businesses.

Hive ransomware operators target victims across a wide breadth of industries, including communications, information technology, government facilities, critical manufacturing, and specifically public health and healthcare.

Hospitals are a typical target in ransomware attacks because cybercriminals think they are more apt to succumb to their demands due to their patients’ critical needs, putting them more at risk.

To gain access to a network, the ransomware group uses many different intrusion techniques; in most cases it breaches RDP or VPN services or takes advantage of other vulnerabilities in remote networking protocols. Alternatively, the group sends phishing emails to staff with malicious attachments that, once opened, provide access to the internal network.

Once in the network, the ransomware encrypts the storage and locks down the network. Subsequently, it is not possible for anyone to access or use the computers. Since the victim can’t get into the system without obtaining a decryption key, this is where the ransom part of the attack occurs.

Hive is a double-extortion type of ransomware; should the victim not pay the ransom, the group publishes their private information and files on a public site.

The FBI and CISA again stated they don’t encourage paying the ransom, as this may embolden ransomware gangs in widening their targets. Besides, making the payment does not guarantee that a victim will regain access to their files.

US Companies Under Attack in New Black Basta Ransomware Campaign

Cybereason Inc. issued a warning this month that the Black Basta ransomware group is running campaigns that actively target US companies.

We first saw Black Basta emerge in April, and analysts say it may be an offshoot of Conti ransomware and has similar TTPs. All Black Basta payment sites, data leak blogs, recovery portals, negotiation tactics, and victim communications bear striking similarities with Conti operations.

Black Basta is actively targeting businesses in New Zealand, Australia, Canada, the UK, and the US. It is a double-extortion type of ransomware that will steal data and encrypt it, locking victims out of their systems. The data it steals is then used to extort a ransom payment from its victims. If the payment is not made, the group will publish the stolen files and private information.

Analysts note that, as of its latest campaign, Black Basta has started using QakBot or QBot malware to gain access and move within a victim’s network. QBot began operations in 2019 and has been used in many notable ransomware attacks, including one against Fujifilm Holding Corp. in 2020.

After QBot has access to the target’s network, it installs a backdoor that allows the operators to install other malicious payloads. Most recently, that payload has been ransomware in Black Basta campaigns.

Black Basta is described as widespread and has a high severity rating. It primarily uses QakBot to target US organizations and acts fast on those phishing victims it successfully compromises.

Cybereason recommends that all organizations reset AD access, identify and block all malicious network connections, and engage in incident response.

Long-Discontinued Boa Web Servers Targeted By Hackers, Says Microsoft

Hackers are targeting a long-discontinued web server, primarily in India, says Microsoft. The MSTI unit issued a detailed report this month about attacks that Recorded Future says started in April and target web servers running Boa. Although Boa was officially discontinued in 2005, organizations still use it in IoT devices, and hackers know this.

Many vendors still use the Boa web server across many development kits for software and IoT devices. Since there has been no further development and only limited patching, Boa is full of vulnerabilities, leading hackers to target Boa devices to infiltrate networks to harvest data and private information. What’s more, many may not even know that their systems run services using Boa.

Researchers traced the connection between insecure Boa installations and the April attacks on Indian companies through the IP addresses used. This data leads to response headers deemed suspicious in combination with Boa, but that’s where it takes a shocking turn. Over 10% of the discovered IP addresses are actively connected to critical infrastructures such as petroleum and related fleet services.

The revealed Boa web services are not only in India, although it was at the top of the list. Researchers found over 1 million internet-connected Boa server components in one week.

What’s interesting is that IoT vendors are still installing Boa in new equipment. One reason could be that Boa ships with SDKs that provide critical functions for the systems on a chip (SoCs) used in such devices. Vendors such as Realtek Semiconductor Corp. include Boa and, while Realtek provides patches to address vulnerabilities, not all vendors do.

Researchers from Microsoft say network system operators should use classification and discovery methods to identify devices with vulnerabilities in addition to patching.
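One concrete discovery method that follows from the recommendation above is banner classification: Boa identifies itself in the HTTP `Server` response header as `Boa/<version>`, and since development stopped in 2005 (the last release being 0.94.14rc21), any host that answers with it is running end-of-life software regardless of version. The Python below is an added example of that classification run over constructed sample banners, not Microsoft's or Recorded Future's tooling; the addresses, realm names and non-Boa headers are made up, and only the Boa header format is real.

```python
from typing import Dict, Optional

# Constructed sample banners as an internal inventory scan might record them.
# Addresses and realms are made up; the "Server: Boa/<version>" format is real.
SAMPLE_BANNERS = {
    "10.0.0.12": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.13": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.14": 'HTTP/1.0 401 Unauthorized\r\nserver: Boa/0.94.13\r\nWWW-Authenticate: Basic realm="IP Camera"\r\n\r\n',
    "10.0.0.15": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "10.0.0.16": "garbage",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers with lower-cased names; tolerate truncated or non-HTTP input."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(raw: str) -> Optional[dict]:
    """Return a finding if the banner identifies a Boa server, otherwise None."""
    headers = parse_headers(raw)
    server = headers.get("server", "")
    if not server.lower().startswith("boa/"):
        return None
    rest = server[4:].strip()
    version = rest.split()[0] if rest else "unknown"
    # A Basic-auth realm often names the device class (camera, router, ...),
    # which helps the owner work out what the embedded Boa instance is.
    realm = None
    auth = headers.get("www-authenticate", "")
    if 'realm="' in auth:
        realm = auth.split('realm="', 1)[1].split('"', 1)[0]
    # Every Boa build is end-of-life: the finding is the presence of Boa, not a version.
    return {"server": server, "version": version, "realm": realm, "end_of_life": True}


def inventory(banners: Dict[str, str]) -> Dict[str, dict]:
    """Map host -> finding for every host whose banner identifies Boa."""
    found: Dict[str, dict] = {}
    for host, raw in banners.items():
        finding = classify(raw)
        if finding is not None:
            found[host] = finding
    return found


if __name__ == "__main__":
    for host, finding in inventory(SAMPLE_BANNERS).items():
        print(host, finding)
```

Banner matching is deliberately case-insensitive on the header name because embedded servers are not consistent about capitalisation; a device that strips or rewrites its `Server` header will not be caught this way, which is why the report pairs discovery with classification of the device itself rather than relying on the banner alone.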

165 YARA Rules Released by Google to Detect Cobalt Strike Attacks

Cobalt Strike, a leading red team pen-testing tool, is frequently repurposed by cyberattackers. To address the issue, Google has developed 165 YARA rules that will stop Cobalt Strike in its tracks.

Until recently, Cobalt Strike was so frequently abused that its publisher implemented a vetting system for potential buyers. Malicious threat actors responded by using cracked versions of the software.

Google’s Cloud Security team has developed a clever way to counteract the malicious uses of the software that won’t affect legitimate ones: version detection.

Even though threat actors can easily access Cobalt Strike through pirating, updating the illegitimate versions isn’t usually feasible. It’s a straightforward way for Google researchers to identify possible malicious use of the software by looking at the version of the software and flagging any version except the latest one.

Google researchers generated signatures for all the components by analyzing the Cobalt Strike JAR files going back ten years – 165 in all. They released them as open-source rules on GitHub after bundling all the signatures in a VirusTotal collection.

GCTI had released a similar set of signatures to detect Sliver earlier in November, according to BleepingComputer. That C2 framework has been replacing Cobalt Strike as some cybercriminal groups' preferred choice of repurposed security tool.

That's a Wrap for News You Might've Missed

I hope this update has been helpful. MSP360 is your resource for MSP news. Stay home, stay safe and healthy, and remember to check back next month for more highlights.

FREE ASSETS
Ransomware Awareness Poster Pack

The poster pack includes:

  • Explanation of how ransomware works
  • 5 points on how your clients can protect themselves against ransomware
  • Reminders to stop clicking on suspicious emails