Security Vulnerability of the Week 12/09/22 – Application Security – Cloud Security – Infrastructure Security
Previous Issues of vulnerability Weekly
- Security Vulnerability Weekly 22/08/22 – Apple Vulnerability, Android Bugdrop Vulnerability, WordPress, CISA, and recent Hacks to Mailchimp and Twilio – Apple Vulnerability, CISA new vulnerability for September, Bugdrop new android vulnerabilities, recent hacks to twilio exposing digital ocaean clients and Mailchimp hack
- Security Vulnerability of the Week 08/08/22 – Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 25/07/22– Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 10/07/22 – OPENSSL Hearbleed2, Apache Common, CuteBoi NPM exploit, Iconburst NPM exploit, Orbit attack, Follina Weaponization, Chrome’s latest vulnerabilities
- Security Vulnerability of the Week 04/07/22 – Jenkins massive plugins issue , zoho, Exchange backdoors, Edge high vuln
This week we deep dive into Linux Malware, Windows patched 64 vuln with zero-day, Uber Hack Timeline, GTA 6/Rockstar Hack
INFRA/Network
Linux Sparkling Goblin APT Group using a variant of SideWalk Linux backdoor to attack systems
Linux variant of a backdoor known as SideWalk was used to target Hong Kong university.
Slovak cybersecurity firm ESET detected the malware in the university’s network and attributed the backdoor to a nation-state actor dubbed SparklingGoblin. The unnamed university was already targeted by the group in May 2020 during the student protests.
“The group continuously targeted this organization over a long time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations,” ESET said in a report shared with The Hacker News.
SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the Winnti umbrella (aka APT41, Barium, Earth Baku, or Wicked Panda).
The Group attacked mostly south-eastern Asian targets (specialising in academia).
The group has used SideWalk, an espionage attack group it tracks under the moniker Grayfly, while pointing out the malware’s similarities to Crosswalk.
The latest research from ESET dives into SideWalk’s Linux counterpart (originally called StageClient in July 2021), with the analysis also uncovering that Specter RAT, a Linux botnet that came to light in September 2020, is in fact an early Linux variant of SideWalk as well.
Aside from multiple code similarities between the SideWalk Linux and various SparklingGoblin tools, one of the Linux samples has been found using a command-and-control address (66.42.103[.]222) that was previously used by SparklingGoblin.
Full news: https://thehackernews.com/2022/09/sparklinggoblin-apt-hackers-using-new.html
Ransomware Lorenz Exploit Mitel VoIP Systems
The group behind the Mitel hack and Lornenz has been exploiting a patched critical flaw in Mitel MiVoice COnnector.
The operators behind the Lornenz ransomware operation have been exploiting a now-patched critical security flaw in Mitel MiVoice Connect to obtain a foothold into target environments for follow-on malicious activities.
“Initial malicious activity originated from a Mitel appliance sitting on the network perimeter,” researchers from cybersecurity firm Arctic Wolf said in a report published this week.
“Lorenz exploited CVE-2022-29499, a remote code execution vulnerability impacting the Mitel Service Appliance component of MiVoice Connect, to obtain a reverse shell and subsequently used Chisel as a tunnelling tool to pivot into the environment.”
Full news: https://thehackernews.com/2022/09/lorenz-ransomware-exploit-mitel-voip.html
New Research Warn self-spreading malware via YouTube.
The malware has been targeting the gaming community for the one that searches a quick win. Gamers looking for cheats on YouTube are being targeted with links to rogue password-protected archive files. Once opened, the malware launch a crypto miner.
“The videos advertise cheats and cracks and provide instructions on hacking popular games and software,” Kaspersky security researcher Oleg Kupreev said in a new report published today.
Microsoft Security Update (13 Sept) Fixes 64 New Flaws, Including a Zero-Day
Security patch day for Microsoft releasing and fixing 64 new security flaws, including a zero-day.
The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.
Attackers have been exploiting CVE-2022-37969 (CVSS score: 7.8) a vulnerability affecting the Windows Common Log File System (CLFS) Driver. The vulnerability, a privilege escalation, could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.
Vulnerability EPSS Score: 0.01178 and low usage (4.5% of activity in monitored Honeynet)
Currently, the vulnerability sits at 10-25K; before, it was around 50-100K while unpatched. 
“In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months,” Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.
CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8) since the start of the year, the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.
It’s not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows –
- CVE-2022-34718 (CVSS score: 9.8) – Windows TCP/IP Remote Code Execution Vulnerability
- CVE-2022-34721 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34722 (CVSS score: 9.8) – Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
- CVE-2022-34700 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
- CVE-2022-35805 (CVSS score: 8.8) – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Hacks
GTA 6 source code leaked on rockstar game hack
An early version of GTA6 and gameplay videos have been leaked by a hacker that claims to have stolen GTA5 and GTA 6 source code
threat actor ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos.
RAR archive containing the 90 leaked GTA 6 videos
However, the threat actor says they accept offers over $10,000 for the GTA V source code and assets but are not selling the GTA 6 source code.
Selling GTA V source code on Telegram
Source: BleepingComputer
Some of the underground forums where hacked data gets disclosed showed the attacker leaking proof of content.
In an unverified claim, the threat actor claimed he was behind the recent cyberattack on Uber and leaked screenshots of source code from Grand Theft Auto V and Grand Theft Auto 6 as further proof.
Bloomberg’s Jason Schreier confirmed the leak was valid after speaking to sources at Rockstar.
Uber Hack Timeline
The hack timeline seems still to be verified
The attacker entered the system through a system administrator attack (SMS phishing).
We are not going to cover extensively the uber hack but a brief mention and what we know so far.
The attacker simply bombarded the employee with credentials verification and authentication request and finally called the target playing on his fatigue.
Hackers claim to have used an MFA Fatigue attack
Source: Kevin Beaumont
attack and pretended to be Uber IT support to convince the employee to accept the MFA request.
After that attempt, there was no knowledge of how he gained access to credentials.
This social engineering tactic has become very popular in recent attacks against well-known companies, including Twitter, MailChimp, Robinhood, and Okta.
The hacker progressed accessing VPN credentials (no known path on how he got them).
The VPN access was protected by MFA, and the threat actor managed to authorize an authentication request from one user pretending to be IT support.
In organizations big like Uber MFA fatigue and authentication fatigue can get those processes often overlooked.
—-
In a conversation between the threat actor and security researcher Corben Leo, the hacker said they were able to gain access to Uber’s Intranet after conducting a social engineering attack on an employee.
As the Uber account was protected with multi-factor authentication, the attacker allegedly used an MFA Fatigue attack and pretended to be Uber IT support to convince the employee to accept the MFA request.
Hackers claim to have used an MFA Fatigue attack.
Source: Kevin Beaumont
—-
After gaining access, the actor started scanning the network for juicy treasures.
As part of these scans, the hacker says they found a PowerShell script containing admin credentials for the company’s Thycotic privileged access management (PAM) platform, which was used to access the login secrets for the company’s other internal services.
“ok so basically uber had a network share \\[redacted]pts. The share contained some PowerShell scripts.
One of the PowerShell scripts contained the username and password for an admin user in Thycotic (PAM) Using this i was able to extract secrets for all services, DA, DUO, Onelogin, AWS, Gsuite”
As full disclaimer all those information is speculation from articles and research, no information has been verified by uber, we still await the full report.
Once access the credentials the attacker got hold
- Internal Systems for vulnerability Like Hacker One
- Slack access
- Vulnerability reporting like Sentinel One
According to Yuga Labs security engineer Sam Curry, the hacker also had access to the company’s HackerOne bug bounty program, where they commented on all of the company’s bug bounty tickets.
Comment left by the hacker on HackerOne submissions
Source: Curry
Sentinel One internal System
The attacker revealed himself to the network with a message on hacker one bug bounty programme of uber, slack
Uber employees confirming that they have been receiving unsolicited NSFW pictures
The attacker also had access to break glass credentials from the leaked information.
On Friday afternoon, Uber posted an additional update stating that the investigation is still ongoing but could share these additional details:
- We have no evidence that the incident involved access to sensitive user data (like trip history).
- All our services are operational, including Uber, Uber Eats, Uber Freight, and the Uber Driver app.
- As we shared yesterday, we have notified law enforcement.
- Internal software tools that we took down as a precaution yesterday are coming back online this morning.
Just as a note, it is a very stressful time for anyone working at uber.
Previous Issues of vulnerability Weekly
- Vulnerability of the Week PiPI, python extractor, telegram, Cisco, Samsung hack, Qnap Dedbolt variant – This week we deep dive into PiPI, python extractor, telegram, Cisco, Samsung hack, Qnap Dedbolt variant
- Security Vulnerability Weekly 22/08/22 – Apple Vulnerability, Android Bugdrop Vulnerability, WordPress, CISA, and recent Hacks to Mailchimp and Twilio – Apple Vulnerability, CISA new vulnerability for September, Bugdrop new android vulnerabilities, recent hacks to twilio exposing digital ocean clients and Mailchimp hack
- Security Vulnerability of the Week 08/08/22 – Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
- Security Vulnerability of the Week 25/07/22– Atlassian Hardcoded Credentials, Sonicwall GSM, Cisco Nexus, Microsoft Macro, Vmware Fix, Mac OS spotlight vulnerability and more
Security Vulnerability of the Week 10/07/22 – OPENSSL Hearbleed2, Apache Common, CuteBoi NPM exploit, Iconburst NPM exploit, Orbit attack, Follina Weaponization, Chrome’s latest vulnerabilities
