Cyber Month in Review July 2022

Jack Smallpage, Information Security Officer at CyberLab, reviews the latest cyber security news and advises how to protect your data. He covers:

• • More Advice from the NCSC on Russia-Ukraine

• • HolyGhost Ransomware

• • Elastix VoIP systems hacked

• • Microsoft’s Macro Blocking Rollercoaster!

• • QNAP Checkmate

• • Atlassian Hardcoded Credentials

Welcome back to another monthly instalment of our Security Month in Review. The security world is constantly moving and evolving, with vulnerabilities, breaches and new guidance being released daily. The volume and complexity of some of these can sometimes be overwhelming and challenging to keep track of, so let’s use this article to help summarise some of this month’s highlights so that together, we can be more cyber aware.

More Advice from the NCSC on Russia-Ukraine

Arguably one of the most important topics and concerns right now is the war in Ukraine and the potential “spill-over” this can have from a cyber perspective across the globe. Since releasing its initial guidance at the start of the year, the NCSC have seen “significant cyber activity in Ukraine”, however, there is currently no evidence of any specific targeted Russian threat due to this here in the UK. Nevertheless, it is certainly a high likelihood that an increase in advanced cyber-attack will occur, and those who fail to prepare may have accidentally prepared to fail!

What Should I Do?

There have been a few reports, alerts and guidance released by cyber security authorities these last few months, so in case you have missed them, you can find two main examples from CISA and NCSC below:

NCSC’s “Actions when cyber threat is heightened” Guidance: Actions to take when the cyber threat is heightened – NCSC.GOV.UK

CISA’s April Russian State-Sponsored threat alert: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure | CISA

Given that the war in Ukraine and heightened cyber threat to us all don’t seem to be going away any time soon, the NCSC have released new guidance this month to help maintain your business’ security posture in a sustainable way: Maintaining a sustainable strengthened cyber security posture – NCSC.GOV.UK.

These types of articles and alerts are vital to any Network or Security admin. They should help you to identify areas of your network that need additional protections or support – both your systems and your people.

HolyGhost Ransomware

Microsoft released a warning this month about a group of actors from North Korea who have been developing and using ransomware in attacks since June 2021, identified as “DEV-0530”. Developing and improving on its older variants, DEV-0530 have managed to compromise several targets, which are mainly small to medium-sized businesses. With newer variants such as “SiennaBlue”, Microsoft looks into this actor’s evolution while recommending customer actions and detailing some useful indicators of compromise to help ensure your business is secured against the threat.

What Should I Do?

Outside of the obvious protections against ransomware such as frequently validated backups and restoration plans and testing, Microsoft have provided some indicators of compromise which should be used to investigate your environment for potential intrusion. For those of you with Microsoft Defender 365, Microsoft also includes a checklist to use to help ensure you are using your product to its fullest potential and securing potential blind spots. Make sure to read the article for further detail here: North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware – Microsoft Security Blog

Elastix VoIP systems hacked

Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP, as detailed in a report released this month. With the campaign bearing heavy similarities and likely resurgence of the previous ENJ3CTOR3 operation which targeted Sangoma PBX in 2020, Unit 42 have now observed this more recent campaign targeting the Elastix system used in Digium Phones.

Elastix is an appliance software for unified communications that integrates tools for Asterix-based PBXs into a single interface that can be used with the Digium phones module for FreePBX. With over 500,000 unique malware samples over 3 months, the attackers are likely to have exploited a critical remote Code Execution (RCE) vulnerability (identified as CVE-2021-45461) as part of this attack, implanting a web shell to exfiltrate data by downloading and executing additional payloads inside the Digium phone software (FreePBX module written in PHP) whilst scheduling recurring tasks to ensure its persistence.

What Should I Do?

If you utilise the Elastix VoIP or similar mentioned above, then it is important, as always, that you ensure any patches are applied and relevant systems are up to date (including the RCE vulnerability mentioned). The report linked below includes further technical details on how the payloads are dropped and the various indicators of compromise you can use to identify the methods and potential occurrences on your network. Report found here: Digium Phones Under Attack: Insight Into the Web Shell Implant (paloaltonetworks.com)

Microsoft’s Macro Blocking Rollercoaster!

In a bid to keep itself and its users at the front of security best practices, Microsoft released a statement in February stating that it would be automatically blocking VBA macros in Office documents downloaded from the internet moving forward.

For those of you who may not already know, the utilisation of Macros in malicious documents such as Word or Excel, is a common method used by attackers (often through Phishing) to distribute malware onto your device. To prevent this distribution, Microsoft announced that they would automatically block VBA macros with the ‘Mark-of-the-Web’. Whilst this feature can still be disabled on a document with a legitimate requirement for Macros, Microsoft has now made this function more advanced and harder to circumvent to help prevent an end-user from bypassing the measure too easily – which the attackers have been relying on up until now.

However, rather suddenly, Microsoft pulled the plug on the plan earlier this month and issued a temporary roll-back while they “make some additional changes to enhance usability”. Since then, Microsoft have come back and set a new rollout date for the 27th of July with updates to both their end user and admin documentation for added clarity.

What Should I Do?

It is likely (depending on your business size), that the disabling of Macros will influence some of your users. Therefore, you must notify your people, explaining the dangers of macros and how to deal with legitimate macros. This Microsoft Article should provide just that: A potentially dangerous macro has been blocked (microsoft.com)

For Admins, you must work with your business and people to identify where macros are currently being used from locations such as intranet shares or sites. From there, you can determine steps to ensure those macros are appropriately saved or mitigated. You can find more guidance on this here: Macros from the internet are blocked by default in Office – Deploy Office | Microsoft Docs

QNAP Checkmate

QNAP – a Network-attached storage (NAS) vendor, warned customers to secure their devices earlier this month against the new ‘Checkmate’ ransomware targeting NAS devices. The advisory mentions that the attacks seem to focus on QNAP devices which are exposed to the internet with the SMB service enabled and employed a dictionary attack to break accounts with weak passwords.

What Should I Do?

Make sure you check all your NAS devices and identify those exposed to the internet. For those that are, QNAP recommends the following actions:

• Do not expose SMB service to the internet
• Disable SMBv1
• Update your QNAP operating system to the latest version
• Review all NAS accounts immediately to ensure all passwords are strong enough
• Back up your data and take snapshots regularly

For more detail, including how to reduce your NAS service exposure, you can view the full advisory here: Checkmate Ransomware via SMB Services Exposed to the Internet – Security Advisory | QNAP

Atlassian Hardcoded Credentials

Atlassian has patched a critical hardcoded credentials vulnerability this month in Confluence Server and Data Centre that could give vulnerable server access to remote, unauthenticated attackers. Upon enabling the ‘Questions for Confluence’ App on Confluence Server or Data Centre, a user account is created with the username “disabledsystemuser” in the “confluence-users” group with a hardcoded password. Whilst the purpose of this account was to help admins migrate data from the app to the confluence cloud, an attacker can instead exploit this to log into Confluence and access any pages the “confluence-users” group has access to.

To make matters worse, Atlassian has now revealed in a post that “An external party has discovered and publicly disclosed the hardcoded password on Twitter. It is important to remediate this vulnerability on affected systems immediately”. With the password now exposed, it is incredibly likely to be exploited in the wild, making this critical vulnerable a high priority for anyone affected.

What Should I Do?

The most important thing to identify first is whether your business is affected or not. If you use Confluence Server or Data Centre, you should look for an active user account with the following information:

• • User: disabledsystemuser

• • Username: disabledsystemuser

• • Email: dontdeletethisuser@email.com

If this account does not show up in the list of active users, your instance is not affected. If however, you do notice this account, the quickest and most efficient mitigation is to update to a non-vulnerable version of ‘Questions for Confluence’ such as:

• • 2.7.x >= 2.7.38 (compatible with Confluence 6.13.18 through 7.16.2)

• • Versions >= 3.0.5 (compatible with Confluence 7.16.3 and later)

For alternative mitigations and further detail, please see the Atlassian FAQ here: Questions For Confluence Security Advisory 2022-07-20 | Confluence Data Center and Server 7.18 | Atlassian Documentation

Conclusion

With more guidance from the NCSC and similar government authorities this month, we have plenty of systems and processes to review to ensure we stay ahead of the game regarding our business’s security. With ransomware variants like HolyGhost and Checkmate, the importance of security systems and resilient ransomware response plans are yet again reiterated, while Microsoft continue to improve their systems and methods to keep pace with the offensive opposition.

As always, it is important to reiterate that this article has not included ALL security news or vulnerabilities disclosed this month, and others such as Microsoft’s Patch Tuesday’s 0-day fix, Cisco Nexus’ remote to root bug, Atlassian Confluence’s hardcoded credential flaw, and Apple’s latest 0-day security updates are just honourable mentions as examples of other updates you should be aware of and research.

If you have been caught off-guard by some of this month’s developments, look at your security processes and see what changes you can make to ensure you don’t get caught out in the future. Just 20 minutes of research each day can help you keep on top of the significant security trends and alerts which help protect your business and keep you cyber aware!

If you have any more questions or worries, please do not hesitate to get in touch and see what CyberLab can do to help you and your security posture.