Hackers steal Microsoft Exchange credentials using IIS module


Threat actors are installing a malicious IIS web server module named ‘Owowa’ on Microsoft Exchange Outlook Web Access servers to steal credentials and execute commands on the server remotely.

The development of Owowa likely started in late 2020, based on compilation data and on when it was first uploaded to the VirusTotal malware scanning service.

Based on Kaspersky’s telemetry data, the most recent sample in circulation is from April 2021, targeting servers in Malaysia, Mongolia, Indonesia, and the Philippines.

These systems belong to government organizations, public transportation companies, and other crucial entities.

Kaspersky underlines that the ‘Owowa’ targets aren’t limited to Southeast Asia, and they have also seen signs of infections in Europe.

Owowa infection map
Source: Kaspersky

An uncommon backdoor

Microsoft Exchange servers are commonly targeted with web shells that allow threat actors to remotely execute commands on a server and are usually the focus of defenders.

As such, using an IIS module as a backdoor is an excellent way to stay hidden. The actors can send seemingly innocuous authentication requests to OWA, evading standard network monitoring rules as well.

“IIS modules are not a common format for backdoors, especially when compared to typical web application threats like web shells and can therefore easily be missed during standard file monitoring efforts,” explains the report by Kaspersky.

Additionally, the implant persists even after the Exchange software is updated, so the infection needs to take place only once.

Kaspersky comments that the actor may rely on ProxyLogon flaws to compromise the server, which remains a problem even after being patched nine months ago.

However, the actors didn’t do a perfect job with Owowa’s development, failing to hide PDB paths in the malware executable and causing server crashes in some cases.

Powerful capabilities

Owowa specifically targets OWA applications of Exchange servers and is designed to log the credentials of users that successfully authenticate on the OWA login web page.

The login success is automatically validated by monitoring the OWA application to generate an authentication token.

Monitoring for the generation of an authentication token
Source: Kaspersky

If that happens, Owowa stores the username, password, user IP address, and the current timestamp and encrypts the data using RSA.

The actor can then collect the stolen data by manually sending a command to the malicious module.

Remote commands may also be used for executing PowerShell on the compromised endpoint, opening the way to a range of attack possibilities.

“The cyber criminals only need to access the OWA login page of a compromised server to enter specially crafted commands into the username and password fields,” – explains Kaspersky.

“This is an efficient option for attackers to gain a strong foothold in targeted networks by persisting inside an Exchange server.”

Detect and remove the IIS module

Admins can use the command ‘appcmd.exe’ or the IIS configuration tool to get a list of all loaded modules on an IIS server.

In the cases seen by the researchers, the malicious module uses the name “ExtenderControlDesigner,” as shown below.

Highlighted malicious module in the list
Source: Kaspersky
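An added example, not from the article or from Kaspersky, of how an Exchange administrator can turn the module listing into a triage list instead of eyeballing it: enumerate the managed modules loaded into the OWA and ECP applications, flag any whose assembly is not strong-named with a Microsoft public key token (or whose name matches the "ExtenderControlDesigner" indicator above), and separately flag native global modules whose DLL lives outside %windir% or the Exchange install tree. The application paths, the list of Microsoft key tokens and the allowed DLL roots are assumptions; adjust them to the server. The same listing can be obtained with `appcmd.exe list modules`.

```powershell
# Added example, not part of the original article. Requires the WebAdministration
# module (present on any IIS server) and is meant to be run on the Exchange host.
Import-Module WebAdministration

# Public key tokens Microsoft uses to strong-name its .NET assemblies (assumed allowlist).
$MicrosoftTokens = @('31bf3856ad364e35', 'b03f5f7f11d50a3a', 'b77a5c561934e089')

# Module name reported by Kaspersky for the Owowa samples.
$KnownBadNames = @('ExtenderControlDesigner')

# Assumed IIS application paths for OWA and ECP; adjust for non-default site names.
$AppPaths = @('IIS:\Sites\Default Web Site\owa', 'IIS:\Sites\Default Web Site\ecp')

function Get-SuspiciousIisModules {
    param([string[]]$Paths)

    foreach ($path in $Paths) {
        $mods = Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath $path
        foreach ($m in $mods) {
            $type = [string]$m.type
            # Entries without a managed type are native modules; handled separately below.
            if (-not $type) { continue }

            # The type string ends with the assembly's PublicKeyToken (or "null" if unsigned).
            $token = $null
            if ($type -match 'PublicKeyToken=([0-9a-fA-F]{16})') { $token = $Matches[1].ToLower() }

            $reasons = @()
            if ($KnownBadNames -contains $m.name)         { $reasons += 'name matches Owowa indicator' }
            if (-not $token)                              { $reasons += 'assembly is not strong-named' }
            elseif ($MicrosoftTokens -notcontains $token) { $reasons += "non-Microsoft key token $token" }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Application = $path
                    Module      = $m.name
                    Type        = $type
                    Reason      = ($reasons -join '; ')
                }
            }
        }
    }
}

function Get-SuspiciousNativeModules {
    # Assumed allowed roots: Windows itself and the Exchange installation directory.
    $allowedRoots = @($env:windir, $env:ExchangeInstallPath) | Where-Object { $_ }
    Get-WebGlobalModule | ForEach-Object {
        $image = [Environment]::ExpandEnvironmentVariables($_.Image)
        $ok = $false
        foreach ($root in $allowedRoots) { if ($image -like "$root*") { $ok = $true } }
        if (-not $ok) {
            [pscustomobject]@{ Module = $_.Name; Image = $image; Reason = 'DLL outside expected paths' }
        }
    }
}

Get-SuspiciousIisModules -Paths $AppPaths | Format-Table -AutoSize
Get-SuspiciousNativeModules | Format-Table -AutoSize
```

Anything listed is a lead to verify against the vendor's documentation or a known-good server, not proof of compromise; legitimate third-party modules will also appear here. Saving the output from a clean build and diffing it after each patch cycle catches a module that was added later.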

Although the researchers were led to an account on the RaidForums hacking forum while investigating, the attribution remains weak, and there are generally no associations with known actors.

Also, the carelessness in the module’s development is a sign of an unsophisticated actor that doesn’t match the targeting scope, including government entities.

In summary, this is another reminder of the importance of checking your IIS modules regularly, looking for signs of lateral movement in your network, and keeping your endpoint security shields up.

Bugs in billions of WiFi, Bluetooth chips allow password, data theft

Billions of WiFi chips vulnerable to code execution via Bluetooth component

Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it’s possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device’s Bluetooth component.

Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation.

However, these components often share the same resources, such as the antenna or wireless spectrum.

This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and low latency in communications.

As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries.

The implications of these attacks include code execution, memory readout, and denial of service.

Resource sharing diagram of Google Nexus 5
Source: Arxiv.org

Multiple flaws in architecture and protocol

To exploit these vulnerabilities, the researchers first needed to perform code execution on either the Bluetooth or WiFi chip. While this is not very common, remote code execution vulnerabilities affecting Bluetooth and WiFi have been discovered in the past.

Once the researchers achieved code execution on one chip, they could perform lateral attacks on the device’s other chips using shared memory resources.

In their paper, the researchers explain how they could perform OTA (Over-the-Air) denial of service, code execution, extract network passwords, and read sensitive data on chipsets from Broadcom, Cypress, and Silicon Labs.

CVEs reserved for the particular threat model
Source: Arxiv.org

These vulnerabilities were assigned the following CVEs:

  • CVE-2020-10368: WiFi unencrypted data leak (architectural)
  • CVE-2020-10367: Wi-Fi code execution (architectural)
  • CVE-2019-15063: Wi-Fi denial of service (protocol)
  • CVE-2020-10370: Bluetooth denial of service (protocol)
  • CVE-2020-10369: Bluetooth data leak (protocol)
  • CVE-2020-29531: WiFi denial of service (protocol)
  • CVE-2020-29533: WiFi data leak (protocol)
  • CVE-2020-29532: Bluetooth denial of service (protocol)
  • CVE-2020-29530: Bluetooth data leak (protocol)

Some of the above flaws can only be fixed by a new hardware revision, so firmware updates cannot patch all the identified security problems.

For example, flaws that rely on physical memory sharing cannot be addressed by security updates of any kind.

In other cases, mitigating security issues such as packet timing and metadata flaws would result in severe packet coordination performance drops.

Impact and remediation

The researchers looked into chips made by Broadcom, Silicon Labs, and Cypress, which are found inside billions of electronic devices.

All flaws have been responsibly reported to the chip vendors, and some have released security updates where possible.

Many though haven’t addressed the security problems, either due to no longer supporting the affected products or because a firmware patch is practically infeasible.

Devices tested by the researchers against CVE-2020-10368 and CVE-2020-10367
Source: Arxiv.org

As of November 2021, more than two years after reporting the first coexistence bug, coexistence attacks, including code execution, still work on up-to-date Broadcom chips. Again, this highlights how hard these issues are to fix in practice.

Cypress released some fixes in June 2020 and updated the status in October as follows:

  • They claim that the shared RAM feature causing code execution has only been “enabled by development tools for testing mobile phone platforms.” They plan to remove stack support for this in the future.
  • The keystroke information leakage is remarked as solved without a patch because “keyboard packets can be identified through other means.”
  • DoS resistance is not yet resolved but is in development. For this, “Cypress plans to implement a monitor feature in the WiFi and Bluetooth stacks to enable a system response to abnormal traffic patterns.”

According to the researchers, though, fixing the identified issues has been slow and inadequate, and the most dangerous aspect of the attack remains largely unfixed.

“Over-the-air attacks via the Bluetooth chip, is not mitigated by current patches. Only the interface Bluetooth daemon→Bluetooth chip is hardened, not the shared RAM interface that enables Bluetooth chip→WiFi chip code execution. It is important to note that the daemon→chip interface was never designed to be secure against attacks.” – reads the technical paper.

“For example, the initial patch could be bypassed with a UART interface overflow (CVE-2021-22492) in the chip’s firmware until a recent patch, which was at least applied by Samsung in January 2021. Moreover, while writing to the Bluetooth RAM via this interface has been disabled on iOS devices, the iPhone 7 on iOS 14.3 would still allow another command to execute arbitrary addresses in RAM.”

Bleeping Computer has reached out to all vendors and asked for a comment on the above, and we will update this post as soon as we hear back.

In the meantime, and for as long as these hardware-related issues remain unpatched, users are advised to follow these simple protection measures:

  • Delete unnecessary Bluetooth device pairings
  • Remove unused WiFi networks from the settings
  • Use cellular instead of WiFi in public spaces

As a final note, we would say that patching responses favor the more recent device models, so upgrading to a newer gadget that the vendor actively supports is always a good idea from the perspective of security.

Russian hacking group uses new stealthy Ceeloader malware

The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware.

Nobelium is Microsoft’s name for the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear.

While Nobelium is an advanced hacking group using custom malware and tools, they still leave traces of activity that researchers can use to analyze their attacks.

In a new report from Mandiant, researchers used this activity to uncover tactics, techniques, and procedures (TTP) used by the hacking group, as well as a new custom downloader called “Ceeloader.”

Furthermore, the researchers break Nobelium into two distinct clusters of activity attributed to UNC3004 and UNC2652, which could mean that Nobelium is two cooperating hacking groups.

Supply chain attack

Based on the activity seen by Mandiant, the Nobelium actors continue to breach cloud providers and MSPs as a way to gain initial access to their downstream customer’s network environment.

“In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment, which ultimately led to the compromise of internal domain accounts,” explained Mandiant.

In at least one other breach, the hacking group used the CRYPTBOT password-stealing malware to steal valid session tokens used to authenticate to the victim’s Microsoft 365 environment.

It is noteworthy that Nobelium compromises multiple accounts within a single environment, using each of them for separate functions, thus not risking the entire operation in the case of exposure.

“The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within victim environments.” – Mandiant

“The threat actor used the protocols mainly to perform reconnaissance, distribute beacons (Cobalt Strike) around the network, as well as run native Windows commands for credential harvesting.”

A new custom “Ceeloader” malware

Nobelium is known for its development and use of custom malware that allows backdoor access to networks, the downloading of further malware, network tracing, NTLM credential theft, and other malicious behavior.

Mandiant has discovered a new custom downloader called “Ceeloader” that is written in C and supports the execution of shellcode payloads directly in memory.

The malware is heavily obfuscated, and mixes calls to the Windows API with large blocks of junk code to evade detection by security software.

Ceeloader communicates via HTTP, while the C2 response is decrypted using AES-256 in CBC mode.

The custom Ceeloader downloader is installed and executed by a Cobalt Strike beacon as needed and does not include a persistence mechanism that would let it run automatically when Windows starts.

Nobelium has used numerous custom malware strains in the past, specifically during the Solarwinds attacks and in a phishing attack against the United States Agency for International Development (USAID).

Multiple hiding tricks

To hamper attempts at tracing the attacks, Nobelium uses residential IP addresses (proxies), TOR, VPS (Virtual Private Servers), and VPN (Virtual Private Networks) to access the victim’s environment.

In some cases, Mandiant identified compromised WordPress sites used to host second-stage payloads that are fetched and launched into memory by Ceeloader.

Finally, the actors used legitimate Microsoft Azure-hosted systems with IP addresses that had proximity to the victim’s network.

This approach helps blend external activity and internal traffic, making detecting the malicious activity unlikely and the analysis harder.

Nobelium still active

Mandiant warns that the activity of Nobelium is heavily focused on the collection of intelligence, as the researchers saw evidence of the hackers exfiltrating documents that are of political interest to Russia.

Microsoft has previously linked UNC2652 and UNC3004 to UNC2452, the group responsible for the SolarWinds supply chain attack, so it’s plausible that they are all under the same “Nobelium” umbrella.

However, Mandiant underlines that there is insufficient evidence to attribute this with high confidence.

What matters for defenders is that hackers are still leveraging third parties and trusted vendors like CSPs to infiltrate valuable target networks, so organizations must remain vigilant, constantly consider new IOCs, and keep their systems up to date.

Mandiant has updated the UNC2452 whitepaper on that front with all new TTPs observed in the 2021 campaigns.

Hundreds of SPAR stores shut down, switch to cash after cyberattack

Approximately 330 SPAR shops in northern England face severe operational problems following a weekend cyberattack, forcing many stores to close or switch to cash-only payments.

SPAR is an international supermarket franchise that operates 13,320 stores in 48 countries, but the recent security incident only affected stores in the northern part of England.

According to Lawrence Hunt & Co Ltd., which operates 25 branches across Lancashire, UK, the “total IT outage” has affected tills, credit card payment processing systems, and still prevents them from accessing emails.

James Hall and Co, a Preston-based food distributor which serves 600 SPAR stores in Lancashire, is also affected by the attack and stated the following to local media:

“We are currently aware of an online attack on our IT systems. This has affected around 330 SPAR stores across the North of England over the past 24 hours, and we are working to resolve this situation as quickly as possible.

It is currently impacting stores’ ability to process card payments, meaning that a number of SPAR stores are currently closed to shoppers or only taking cash payments.

We apologize for the inconvenience this is causing our customers, and we are working as quickly as possible to resolve the situation.”

SPAR Ribchester informed its customers yesterday that there’s, unfortunately, no estimate for restoring the systems.

SPAR Ribchester notice to customers
Source: Facebook

Today, the shop remains closed along with many other SPAR points in the region, indicating that whatever trouble the cyberattack caused remains unresolved.

While the security incident carries clear signs of a ransomware attack that has locked down crucial IT systems, the nature of the cyberattack has not been officially disclosed as of yet.

BleepingComputer has reached out to all affected entities, and we will update this post as soon as we have additional information.

The UK’s National Cyber Security Centre (NCSC) released a statement today informing consumers that the agency is aware of the situation and is working to evaluate the incident.

Fake support agents call victims to install Android banking malware

The BRATA Android remote access trojan (RAT) has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials.

The variant currently in circulation is new, and according to a report by researchers at Cleafy, it can pass undetected by the vast majority of AV scanners.

BRATA was previously seen in Brazil, delivered via apps on the Google Play Store, but it appears that its authors are now selling it to foreign operators, which is not unusual in this field.

Using fake anti-spam apps

The Italian campaign was first spotted in June 2021, delivering multiple Android apps through SMS phishing, otherwise known as smishing.

Most of the malicious apps were called “Sicurezza Dispositivo” (Device Security) and were promoted as anti-spam tools.

That first wave was poorly hidden from AV engines, with a 50% stealthiness rate on VirusTotal, meaning half of the scanners flagged it. This high detection rate led to a second wave in mid-October using a new variant with extremely low detection rates.

In the second wave, the actors also expanded their targeting scope, raising the targeted financial institutes from one to three.

AntiSPAM app promoted by the threat actors
Source: Cleafy

Manual labor required

The attack begins with an unsolicited SMS text linking a malicious website. This text claims to be a message from the bank urging the recipient to download an anti-spam app.

The link leads either to a page from which the victim downloads the BRATA malware themselves, or to a phishing page where they are asked to enter their banking credentials.

During that step, the threat actors call the victim on the phone and pretend to be an employee of the bank, offering help with installing the app.

BRATA campaign in Italy
Source: Cleafy

The app requests multiple permissions that let the actor take full control of the compromised device, including the Accessibility service, viewing and sending SMS, making phone calls, and screen recording.

The full list of BRATA’s capabilities includes:

  • Intercept SMS messages and forward them to a C2 server. This feature is used to get 2FA codes sent by the bank via SMS during the login phase or to confirm money transactions.
  • Screen recording and casting capabilities that allow the malware to capture any sensitive information displayed on the screen. This includes audio, passwords, payment information, photos, and messages. Through the Accessibility Service, the malware clicks the “start now” button of the popup automatically, so the victim is not able to deny the recording/casting of their own device.
  • Remove itself from the compromised device to reduce detection.
  • Uninstall specific applications (e.g., antivirus).
  • Hide its own app icon so that it is less noticeable to less advanced users.
  • Disable Google Play Protect to avoid being flagged by Google as a suspicious app.
  • Modify the device settings to get more privileges.
  • Unlock the device if it is locked with a secret PIN or pattern.
  • Display the phishing page.
  • Abuse the accessibility service to read everything that is shown on the screen of the infected device or to simulate clicks (taps) on the screen. This information is then sent to the attackers’ C2 server.

Permissions requested by the BRATA app
Source: Cleafy

The actors abuse these permissions to access the victim’s bank account, retrieve the 2FA code, and eventually perform fraudulent transactions.

The mule accounts used as intermediary points in this campaign are based in Italy, Lithuania, and the Netherlands.

Stay safe

As this is a mobile campaign, the malicious site serves nothing to desktop browsers, which narrows the targeting scope to prospective victims on phones.

If you try to open the link contained in the SMS on a PC or laptop, the website won’t be viewable. That is a simple check for judging whether an incoming message is legitimate.

Secondly, no bank ever suggests installing any app other than the official e-banking app, which is found on the Play Store/App Store and linked to from the bank’s official website.

Finally, whenever you install an app, pay attention to the permissions it requests and consider whether they are relevant to the app’s functionality. Do not install an app that requests many permissions unrelated to what it does.