Programmer’s Digest #32
05/11/2023 - 05/17/2023: 11 New Vulnerabilities Expose OT Networks, New Flaw in WordPress Plugin, New Stealthy Variant of Linux Backdoor And More
1. Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks
Several security vulnerabilities in cloud management platforms linked to three industrial cellular router vendors were revealed by Israeli cybersecurity firm OTORIO at the Black Hat Asia 2023 conference. These vulnerabilities could expose operational technology (OT) networks to external attacks, impacting critical infrastructure sectors like substations, water utilities, oil fields, and pipelines. The weaknesses affect the cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks. Exploiting the vulnerabilities could enable remote code execution, full control over devices and OT networks, exfiltration of sensitive information, and unauthorized access with elevated permissions. The flaws involve weak asset registration mechanisms, security configuration flaws, and issues in external APIs and interfaces. Collaboration with Claroty also led to the discovery of additional vulnerabilities in Teltonika Networks’ RMS and RUT router firmware, allowing arbitrary code execution and command injection.
2. New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
MichaelKors, a new ransomware-as-a-service (RaaS) operation, has recently emerged, targeting Linux and VMware ESXi systems as of April 2023. Cybersecurity firm CrowdStrike has observed an increasing trend of cybercriminals focusing on ESXi, precisely because the hypervisor does not support third-party agents or antivirus software. This makes the widely used ESXi hypervisor an appealing target for attackers; attacks that compromise it to reach every guest at once are known as hypervisor jackpotting. Furthermore, leaked Babuk source code from September 2021 has been utilized by 10 different ransomware families, including Conti and REvil, to develop lockers for VMware ESXi hypervisors. Various e-crime groups such as ALPHV (BlackCat), Black Basta, Defray, and others have also updated their tactics to target ESXi. Attackers exploit compromised credentials, gain elevated privileges, and leverage known vulnerabilities to breach ESXi hypervisors and gain unrestricted access to underlying resources. To mitigate the impact of hypervisor jackpotting, organizations are recommended to avoid direct access to ESXi hosts, enable two-factor authentication, take periodic backups of ESXi datastore volumes, apply security updates, and conduct security posture reviews.
3. XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks
Researchers have uncovered an ongoing phishing campaign, named MEME#4CHAN, that utilizes a unique attack chain to distribute the XWorm malware. The attacks have primarily targeted manufacturing firms and healthcare clinics in Germany. The campaign employs meme-filled PowerShell code and heavily obfuscated XWorm payloads to infect victims. The attackers use reservation-themed lures in phishing emails, tricking recipients into opening malicious documents. Rather than relying on macros, the threat actors exploit the Follina vulnerability to drop an obfuscated PowerShell script. This script bypasses Antimalware Scan Interface (AMSI), disables Microsoft Defender, establishes persistence, and executes the .NET binary containing XWorm. The PowerShell script includes a variable named “$CHOTAbheem,” possibly indicating a Middle Eastern or Indian background of the attackers, although attribution remains unconfirmed. XWorm is a readily available malware with various features for stealing sensitive information from infected systems.
4. New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows
A new variant of a Linux backdoor called BPFDoor has been discovered by cybersecurity firm Deep Instinct. BPFDoor, previously documented by PwC and Elastic Security Labs in May 2022, is associated with a Chinese threat actor known as Red Menshen. The malware is designed to establish persistent remote access to compromised environments, particularly targeting telecom providers in the Middle East and Asia. BPFDoor utilizes Berkeley Packet Filters (BPF) technology for network communications and command execution, enabling threat actors to evade firewalls and filter unnecessary data. The latest variant of BPFDoor demonstrates increased evasiveness by removing hard-coded indicators, incorporating encryption with libtomcrypt, and utilizing a reverse shell for command-and-control communication. It avoids termination by ignoring operating system signals and establishes an encrypted reverse shell session with the C2 server. BPFDoor’s ability to remain undetected for an extended period reflects its sophistication, as cybercriminals increasingly target Linux systems prevalent in enterprise and cloud environments.
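The distinguishing trait in this item is that BPFDoor communicates through a BPF filter on a raw packet socket rather than a listening TCP or UDP port, which is why port-based inventories miss it. Public analyses of the original BPFDoor (PwC, Elastic) describe exactly that socket pattern, so one practical hunt on a Linux host is to list processes that hold AF_PACKET raw sockets. The script below is an added example, not code from the article or from Deep Instinct's report; it parses the kernel's `/proc/net/packet` table and `/proc/<pid>/fd` links, and the sample table, fd links, process names and allowlist are constructed for illustration. Legitimate capture tools open the same kind of socket, so the output is a triage list, not a verdict.

```python
"""Hunt for processes holding AF_PACKET raw sockets (BPFDoor-style listener pattern).

Added example, not from the article or from Deep Instinct's report. Assumes the
behaviour public analyses attribute to BPFDoor: a raw packet socket with a BPF
filter attached instead of a bound TCP/UDP port. Sample data below is constructed.
"""
import os
import re
from dataclasses import dataclass

SOCK_RAW = 3       # 'Type' column value for SOCK_RAW in /proc/net/packet (SOCK_DGRAM is 2)
ETH_P_ALL = 0x0003 # 'Proto' column value meaning "every protocol"

# Process names for which a raw packet socket is expected (constructed allowlist).
DEFAULT_ALLOWLIST = frozenset({"tcpdump", "dhclient", "lldpd"})


@dataclass
class PacketSocket:
    inode: int
    sock_type: int
    proto: int
    iface_index: int


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(
            inode=int(fields[8]),
            sock_type=int(fields[2]),
            proto=int(fields[3], 16),   # printed as %04x by the kernel
            iface_index=int(fields[4]),  # 0 means "not bound to one interface"
        ))
    return sockets


def socket_owners(fd_links: dict[int, list[str]]) -> dict[int, int]:
    """Map socket inode -> pid from /proc/<pid>/fd symlink targets of the form socket:[INODE]."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                owners[int(m.group(1))] = pid
    return owners


def suspicious_raw_sockets(packet_table: str, fd_links: dict[int, list[str]],
                           comm: dict[int, str],
                           allowlist: frozenset = DEFAULT_ALLOWLIST) -> list[tuple[int, int]]:
    """Return (pid, inode) pairs for SOCK_RAW packet sockets held by non-allowlisted processes."""
    owners = socket_owners(fd_links)
    hits = []
    for sock in parse_proc_net_packet(packet_table):
        if sock.sock_type != SOCK_RAW:
            continue
        pid = owners.get(sock.inode)
        if pid is None:              # owner not visible (e.g. insufficient privileges)
            continue
        if comm.get(pid, "") in allowlist:
            continue
        hits.append((pid, sock.inode))
    return hits


def collect_live() -> tuple[str, dict[int, list[str]], dict[int, str]]:
    """Gather the same inputs from a running Linux host (needs root to see every process)."""
    with open("/proc/net/packet") as f:
        table = f.read()
    fd_links, comm = {}, {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            fd_dir = f"/proc/{pid}/fd"
            fd_links[int(pid)] = [os.readlink(f"{fd_dir}/{fd}") for fd in os.listdir(fd_dir)]
            with open(f"/proc/{pid}/comm") as f:
                comm[int(pid)] = f.read().strip()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue
    return table, fd_links, comm


# Constructed sample: one unknown daemon with a raw ETH_P_ALL socket, one DGRAM socket
# (dhclient-style), and one raw socket owned by an allowlisted capture tool.
SAMPLE_PACKET_TABLE = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000001 3      3    0003   2     1 0      0      30111
0000000000000002 2      2    0800   2     1 0      0      30222
0000000000000003 3      3    0003   0     1 0      0      30333
"""
SAMPLE_FD_LINKS = {
    1337: ["/dev/null", "socket:[30111]", "pipe:[99]"],
    2001: ["socket:[30222]"],
    2042: ["socket:[30333]"],
}
SAMPLE_COMM = {1337: "svc_helper", 2001: "dhclient", 2042: "tcpdump"}

if __name__ == "__main__":
    for pid, inode in suspicious_raw_sockets(SAMPLE_PACKET_TABLE, SAMPLE_FD_LINKS, SAMPLE_COMM):
        print(f"review pid {pid} ({SAMPLE_COMM.get(pid, '?')}): raw packet socket inode {inode}")
```

On a real host, replace the sample inputs with `collect_live()`; a hit whose process name does not match a known capture or network daemon is worth pairing with the usual checks for the same process (binary path, parent, and whether its on-disk file still exists), since a raw socket by itself only narrows the search.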
5. New Flaw in WordPress Plugin Used by Over a Million Sites Under Active Exploitation
A security vulnerability has been discovered in the Essential Addons for Elementor WordPress plugin, potentially allowing attackers to gain elevated privileges. The flaw, tracked as CVE-2023-32243, was addressed in version 5.7.2 of the plugin. Successful exploitation of the vulnerability could enable an unauthenticated user to reset the password of any user on the affected site. This could result in the compromise of administrator accounts and complete control over the website. The issue has existed since version 5.4.0 of the plugin. The disclosure follows a previous severe flaw found in the same plugin, and it coincides with a wave of attacks targeting WordPress sites with SocGholish malware. The attackers are using compression techniques to conceal the malware and evade detection. Additionally, a malvertising campaign has been identified that tricks visitors to adult websites with fake Windows update ads, leading to the installation of the “Invalid Printer” loader, which can deploy the Aurora information stealer malware.
6. Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems
The leak of the Babuk ransomware code in September 2021 has led to the development of multiple ransomware families targeting VMware ESXi systems. As many as nine different ransomware variants have emerged since late 2022 and early 2023, all based on the leaked Babuk source code. The availability of the source code has allowed cybercriminals with limited expertise to target Linux systems effectively. Among the ransomware strains based on the Babuk code are Cylance, Rorschach (also known as BabLock), and RTM Locker. The analysis by SentinelOne also reveals overlaps between Babuk and other ransomware families like Conti and REvil (also known as REvix), indicating the adoption of Babuk features in their code. Additional ransomware families, such as LOCK4, DATAF, Mario, Play, and Babuk 2023 (also known as XVGV), have also incorporated various elements from the Babuk code. However, no significant similarities were found between Babuk and ALPHV, Black Basta, Hive, LockBit, or ESXiArgs, suggesting that earlier claims of a Babuk lineage for those families were misattributions. SentinelOne also notes that actors may turn to Babuk’s Go-based NAS locker, as the Go programming language continues to gain popularity among threat actors. In a separate development, threat actors associated with the Royal ransomware, believed to be former members of Conti, have introduced an ELF variant capable of targeting Linux and ESXi environments, expanding their attack capabilities.
7. Hackers Use Azure Serial Console For Stealthy Access To VMs
A financially motivated cybercrime group tracked by Mandiant as ‘UNC3944’ is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines. From there, the attackers abuse the Azure Serial Console to install remote management software for persistence and abuse Azure Extensions for stealthy surveillance. Mandiant reports that UNC3944 has been active since at least May 2022, and their campaign aims at stealing data from victim organizations using Microsoft’s cloud computing service. UNC3944 was previously attributed to creating the STONESTOP (loader) and POORTRY (kernel-mode driver) toolkit to terminate security software. The threat actors utilized stolen Microsoft hardware developer accounts to sign their kernel drivers.