A cyber extortion attack was carried out by the Omega ransomware group, which used weakly protected administrator accounts to gain access to company environments, escalate account permissions, and exfiltrate data from SharePoint libraries. Omega completed this attack without compromising a single endpoint in the SharePoint Online environment. Instead, the group leveraged a weakly secured administrator account for access.
This attack drew extra attention from researchers because organizations typically focus on and invest in protecting their endpoints, yet cybercriminals can still find a way around that security measure. Companies continue to adopt SaaS applications to scale operations; however, these applications are not always well secured.
Obsidian first discovered this breach when Omega acquired one of the company's Microsoft Global Administrator service accounts, which was widely exposed over the internet with no multi-factor authentication. The attackers used this compromised account to create an Active Directory user for themselves. As a user, Omega could disable all restrictions, giving them the permissions needed to do widespread damage. Once the threat actor had removed all limitations, the attackers were able to impersonate a Global Administrator, a SharePoint administrator, an Exchange administrator, a Teams administrator, and a site collection administrator. With these various administrator roles, the group had access to the whole online environment as well as the ability to remove 200 administrator accounts, which gave them full control in just a few hours.
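The sequence above (a privileged service account granting admin roles, then mass-deleting other administrators) leaves a clear trail in the Microsoft 365 unified audit log. The following detector is an added example and is not part of the original report or of any vendor's tooling; the records are constructed sample data whose field names follow the Office 365 Management Activity schema (CreationTime, Operation, UserId, ObjectId, ModifiedProperties), and the thresholds, account names and domain are assumptions for illustration.

```python
"""Flag privileged-role grants followed by a burst of user deletions.

Added example with constructed audit records; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles named in the incident; grants of these by one actor are worth review.
PRIVILEGED_ROLES = {
    "Global Administrator", "SharePoint Administrator",
    "Exchange Administrator", "Teams Administrator",
}
# Assumed thresholds: 5 or more "Delete user." records from one actor within
# 30 minutes is treated as mass removal of accounts.
DELETE_THRESHOLD = 5
WINDOW = timedelta(minutes=30)


def _parse_time(ts):
    # Management Activity records carry ISO-8601 UTC timestamps without a zone.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def granted_roles(record):
    """Return the role names an 'Add member to role.' record grants."""
    if record.get("Operation") != "Add member to role.":
        return set()
    return {
        prop["NewValue"]
        for prop in record.get("ModifiedProperties", [])
        if prop.get("Name") == "Role.DisplayName"
    }


def find_privilege_abuse(records):
    """Group records by actor; return one finding per actor that granted a
    privileged role and/or deleted many users inside WINDOW."""
    by_actor = defaultdict(list)
    for rec in records:
        by_actor[rec["UserId"]].append(rec)

    findings = []
    for actor, recs in by_actor.items():
        recs.sort(key=lambda r: _parse_time(r["CreationTime"]))
        roles = set()
        for r in recs:
            roles |= granted_roles(r) & PRIVILEGED_ROLES
        deletions = [_parse_time(r["CreationTime"]) for r in recs
                     if r["Operation"] == "Delete user."]
        # Sliding window over the sorted deletion times: densest cluster wins.
        max_burst = 0
        for i, start in enumerate(deletions):
            n = sum(1 for t in deletions[i:] if t - start <= WINDOW)
            max_burst = max(max_burst, n)
        mass_delete = max_burst >= DELETE_THRESHOLD
        if not roles and not mass_delete:
            continue
        severity = "high" if roles and mass_delete else ("medium" if mass_delete else "low")
        findings.append({
            "actor": actor,
            "privileged_roles_granted": sorted(roles),
            "max_deletions_in_window": max_burst,
            "severity": severity,
        })
    return findings


def _rec(ts, op, actor, obj, role=None):
    """Build one constructed audit record in the Management Activity shape."""
    rec = {"CreationTime": ts, "Operation": op, "UserId": actor, "ObjectId": obj}
    if role:
        rec["ModifiedProperties"] = [{"Name": "Role.DisplayName", "NewValue": role}]
    return rec


# Constructed sample: a no-MFA service account (assumed name) creates a user,
# hands it two privileged roles, then deletes six admins in a few minutes.
# A helpdesk account doing routine work is included as a benign control.
ATTACKER = "svc-globaladmin@contoso.example"
SAMPLE_RECORDS = [
    _rec("2023-06-01T01:00:00", "Add user.", ATTACKER, "omega-user@contoso.example"),
    _rec("2023-06-01T01:01:00", "Add member to role.", ATTACKER,
         "omega-user@contoso.example", "Global Administrator"),
    _rec("2023-06-01T01:02:00", "Add member to role.", ATTACKER,
         "omega-user@contoso.example", "SharePoint Administrator"),
] + [
    _rec(f"2023-06-01T01:{10 + i:02d}:00", "Delete user.", ATTACKER,
         f"admin{i}@contoso.example")
    for i in range(6)
] + [
    _rec("2023-06-01T09:00:00", "Delete user.", "helpdesk@contoso.example",
         "leaver@contoso.example"),
    _rec("2023-06-01T09:05:00", "Add member to role.", "helpdesk@contoso.example",
         "newhire@contoso.example", "Helpdesk Administrator"),
]

if __name__ == "__main__":
    for finding in find_privilege_abuse(SAMPLE_RECORDS):
        print(finding)
```

Only the service account is reported, with severity "high" because both signals occur together; the helpdesk account's single deletion and non-privileged role grant stay below the thresholds. In practice the same logic would run over the exported log rather than the inline sample, and the role list and window should be tuned to the tenant's normal change volume.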
After obtaining full control, Omega sent the SharePoint data libraries to a virtual private server host linked to a web hosting provider in Russia. To carry out this unauthorized transfer, the threat actors used a Node.js server application, "sppull", which let them efficiently pull all client data from the SharePoint servers. Once the data had been transferred, Omega used a different Node.js application to publicly notify the victims in the environment and essentially make the media aware of the breach.
Cyberattacks targeting SaaS environments are on the rise. AppOmni found that since March 1st there has been a 300% increase in SaaS attacks on Salesforce and other SaaS organizations. Now more than ever, these organizations should be aware of the security measures they need to take.
A fully undetectable (FUD) malware engine has been in use since September 2022 to evade antivirus detection. The purpose of this engine is to spread different harmful strains through batch files. The engine, BatCloak, has managed to remain undetected by all security solutions for 79.6% of the 784 files examined.
Jlaive, an ordinary batch file builder, is able to bypass the Antimalware Scan Interface (AMSI) and encode the payload to achieve security evasion. This antivirus evasion tool was made publicly available in September 2022, and despite efforts to take it down, a developer made it accessible as open source via GitHub and GitLab. Over time, other attackers have altered and replicated it in the Rust programming language. The final payload acts as a starting point and passes through three loader layers: a C# loader, a PowerShell loader, and a batch loader. During this process, the final payload has to be decrypted before the malware is released.
As it spreads in the wild, BatCloak has undergone various updates, the most recent being ScrubCrypt. Fortinet FortiGuard Labs found a connection between ScrubCrypt and a separate operation run by the 8220 Gang. The tool, once open source, has now been closed off, a move that can help its developers earn revenue and safeguard the tool so that it cannot be cloned.
UNC3886, a Chinese cyber espionage group well known in the United States and the Asia-Pacific region for exploiting zero-day vulnerabilities, is responsible for exploiting a zero-day vulnerability in VMware ESXi. These cyberspies exploited CVE-2023-20867 and ran many commands through it. The campaign affects VMware ESXi hosts, vCenter servers, and Windows virtual machines (VMs). The group has used malicious vSphere Installation Bundles (VIBs), the packages organizations normally use to maintain their systems and apply updates. Deploying the malicious VIBs allows the attackers to execute commands and manipulate files, and to use reverse shell capabilities over VMCI sockets for lateral movement and persistence. They achieve this by installing two backdoor programs, VirtualPita and VirtualGate. In the latest attacks, they collected credentials for all ESXi hosts registered on the vCenter Server from its vPostgreSQL database, and altered and disabled certain IPs on the compromised server.
The cyber espionage group is also responsible for exploiting the zero-day vulnerability CVE-2023-20867. This software security flaw affects VMware Tools on Windows, Linux, and PhotonOS (vCenter) guest VMs. The vulnerability has been patched in a new version, VMware Tools 12.2.5. The attackers used this vulnerability to bypass authentication and perform privileged actions on the guest VMs. The zero-day was flagged as "low severity" because it could only be exploited once the group already had access to the ESXi software.
On Tuesday, Microsoft's security team issued a number of software updates to patch over 70 vulnerabilities, including six alarming cases that could have exposed users to malicious code. These potential threats affected the Windows operating system and software and had not been made public or exploited.
These bugs have a CVSS severity score of 9.8 out of 10 and are tracked as CVE-2023-29363, CVE-2023-32014, and CVE-2023-32015. The three high-severity vulnerabilities exist in Windows Pragmatic General Multicast (PGM), a protocol designed to deliver packets to numerous members of various networks, and should be noted by Windows network administrators. The goal is to resolve this issue quickly and responsibly so that no exploitation arises.
Another harmful code execution flaw that experts want users to be aware of, in Microsoft Exchange Server, is CVE-2023-32021. It enables threat actors to bypass the protections put in place against issues exploited in the past without creating an account. If exploitation is successful, malicious code could gain privileges on the system.
One of the many patches released this month aimed to resolve malware attacks exploiting a flaw in Chrome, CVE-2023-3079; it was released the same day that Adobe announced patches for flaws that exposed Adobe Commerce users to malicious code attacks. Adobe disclosed at least 12 security vulnerabilities. If exploitation is successful, these could lead to arbitrary code execution and file system reads, as well as a security bypass.
Big-name brands such as Nike, UGG, The North Face, and hundreds more are the targets of a worldwide malicious phishing scam. Attackers are impersonating these well-known brands to harvest users' financial and account information. The threat actors have built convincing, fully functioning pages, which makes it difficult to distinguish a scam site from the brand's real page. The campaign was first detected in June 2022 by Bolster AI. Since then, Bolster has found over 3,000 domains and 6,000 websites, both inactive and active. These malicious domains were hosted by Packet Exchange Limited and Global Colocation Limited, which were identified through the domains' IP address Autonomous System number, AS48950.
The campaign skyrocketed in January and February 2023, producing 300 active scam sites a month. The attackers stayed undetected by creating domains that combine the company's name with a location (city or country) and end in .com, a very common top-level domain. These domains were found to be certified by a Singapore e-commerce company and ranged from 3 months to 2 years old, which played a major role in the scheme.
The longer a domain exists, the less likely it is to be flagged as malicious by security processes. Because the campaign stayed undetected for so long, Google Search ranked these scam sites highly when users searched for their favorite apparel or shoe brands. This poses a major threat, because people tend to click on the top sites Google returns, deeming them trustworthy. Financial and account information that users entered on checkout pages may have been kept and sold on by the attackers. Researchers advise users to skip the promoted ads on Google and to check the brand's social media to confirm the correct URL.
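The naming pattern described above (brand name plus a city or country, on .com) is simple enough to screen for in newly observed domains, for example from certificate transparency or DNS logs. The classifier below is an added example, not code from the original report or from Bolster; the brand allowlist, location tokens and candidate domains are constructed for illustration (none of the flagged names are real indicators from the campaign), and it generalizes the page's .com-only pattern by reporting lookalikes on any TLD while ranking .com first.

```python
"""Screen domains for the brand + location lookalike pattern.

Added example with constructed inputs; the allowlist and token list are
assumptions a real deployment would replace with vetted data.
"""
import re

# Assumed allowlist: registrable domains the brands actually own.
BRAND_ALLOWLIST = {
    "nike": {"nike.com"},
    "ugg": {"ugg.com"},
    "thenorthface": {"thenorthface.com"},
}
# Assumed location tokens; longest first so the most specific token wins.
LOCATION_TOKENS = sorted(
    {"usa", "uk", "canada", "australia", "london", "sydney", "singapore"},
    key=len, reverse=True,
)


def registrable(domain):
    """Reduce a hostname to its last two labels (shop.nike-uk.com -> nike-uk.com)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_domain(domain):
    """Return a verdict: legitimate, lookalike, brand-only or no-match."""
    reg = registrable(domain)
    name, _, tld = reg.rpartition(".")
    result = {"domain": domain, "registrable": reg, "tld": tld,
              "brand": None, "location": None, "verdict": "no-match"}
    for brand, legit in BRAND_ALLOWLIST.items():
        if reg in legit:
            result.update(brand=brand, verdict="legitimate")
            return result
    for brand in BRAND_ALLOWLIST:
        if brand in name:
            result["brand"] = brand
            # Whatever is left after removing the brand, letters only.
            remainder = re.sub(r"[^a-z]", "", name.replace(brand, "", 1))
            loc = next((t for t in LOCATION_TOKENS if t in remainder), None)
            if loc:
                result.update(location=loc, verdict="lookalike")
            else:
                result["verdict"] = "brand-only"
            return result
    return result


def triage(domains):
    """Return only lookalike findings, .com first (the campaign's TLD),
    then alphabetically by registrable domain. Domain age is deliberately
    not a factor: the campaign relied on older domains escaping review."""
    hits = [classify_domain(d) for d in domains]
    hits = [h for h in hits if h["verdict"] == "lookalike"]
    return sorted(hits, key=lambda h: (h["tld"] != "com", h["registrable"]))


# Constructed candidates: none of these are indicators from the real campaign.
CANDIDATES = [
    "nike-canada.com",
    "shop.uggaustralia.com",
    "thenorthfaceuk.com",
    "nike.com",
    "nikesportswatch.net",
    "londonbikes.com",
    "ugg-london.net",
]

if __name__ == "__main__":
    for hit in triage(CANDIDATES):
        print(hit["registrable"], hit["brand"], hit["location"])
```

The brand-only and no-match verdicts are returned rather than dropped so an analyst can widen the net if a campaign changes its naming scheme; only lookalike hits reach the triage list. A substring match on short tokens such as "uk" will produce false positives on some legitimate names, so the allowlist is the control that keeps the brand's own properties out of the queue.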