Cyber Security 1st Documentation

Cyber security

First week documentation


Topic: well-known attacks    Date: 21/03/2022

Student: N v gopi sainath

1. FBI, CISA Warn of Russian Hackers Exploiting MFA and PrintNightmare Bug

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the
Federal Bureau of Investigation (FBI) have released a joint advisory warning
that Russia-backed threat actors hacked the network of an unnamed non-
governmental entity by exploiting a combination of flaws.

"As early as May 2021, Russian state-sponsored cyber actors took advantage
of a misconfigured account set to default [multi-factor authentication]
protocols at a non-governmental organization (NGO), allowing them to enroll
a new device for MFA and access the victim network," the agencies said.

"The actors then exploited a critical Windows Print Spooler vulnerability,
'PrintNightmare' (CVE-2021-34527) to run arbitrary code with system
privileges."
The attack was pulled off by gaining initial access to the victim organization
via compromised credentials – obtained by means of a brute-force password
guessing attack – and enrolling a new device in the organization's Duo MFA.

It is also noteworthy that the breached account had been un-enrolled from Duo
after a long period of inactivity but had not been disabled in the NGO's Active
Directory, so it could still authenticate. Once inside, the attackers used the
PrintNightmare flaw to escalate to SYSTEM privileges and then disabled the MFA
service altogether; because Duo for Windows fails open by default when it cannot
reach the Duo service, cutting that connection turned MFA off for active domain
accounts as well.

"As Duo's default configuration settings allow for the re-enrollment of a new
device for dormant accounts, the actors were able to enroll a new device for
this account, complete the authentication requirements, and obtain access
to the victim network," the agencies explained.
Turning off MFA, in turn, allowed the state-sponsored actors to authenticate
to the NGO's virtual private network (VPN) as non-administrator users,
connect to Windows domain controllers via Remote Desktop Protocol (RDP),
and obtain credentials for other domain accounts.

In the final stage of the attack, the newly compromised accounts were
subsequently utilized to move laterally across the network to siphon data
from the organization's cloud storage and email accounts.

To mitigate such attacks, CISA and the FBI recommend that organizations enforce
and review their multi-factor authentication configuration policies (in
particular the default that lets a dormant account re-enroll a new device),
disable inactive accounts in Active Directory rather than leaving them
enabled, and prioritize patching of known exploited flaws.
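As an added example (not part of the original document or of the CISA/FBI advisory), the following Python script shows the two checks the mitigations above call for, run over a constructed Active Directory user export and a constructed Duo administrator-log extract: it lists accounts that are still enabled in AD despite long inactivity, and it flags an MFA device enrollment made on an account that had been dormant at the time of enrollment. The field names, the 90-day threshold and every sample record are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Dormancy threshold: an enabled account with no logon for this long is a
# candidate for disabling. The value is an assumption, not from the advisory.
DORMANT_DAYS = 90

# Constructed sample data (field names are assumptions for illustration):
# an Active Directory user export and a Duo admin-log extract.
AD_USERS = [
    {"sam": "jdoe",    "enabled": True,  "last_logon": "2021-01-10"},
    {"sam": "asmith",  "enabled": True,  "last_logon": "2022-03-18"},
    {"sam": "old_svc", "enabled": False, "last_logon": "2020-06-01"},
]
DUO_ADMIN_LOG = [
    {"ts": "2021-05-12T03:14:00", "user": "jdoe",   "event": "enroll_device"},
    {"ts": "2022-03-18T09:00:00", "user": "asmith", "event": "enroll_device"},
    {"ts": "2022-03-18T09:01:00", "user": "asmith", "event": "auth_success"},
]


def dormant_enabled_accounts(users, now, dormant_days=DORMANT_DAYS):
    """Accounts still enabled in AD whose last logon is older than the threshold.

    `now` is an ISO date string. These are the accounts the advisory says
    should have been disabled: Duo un-enrolls them for inactivity, but AD
    still lets them authenticate.
    """
    cutoff = datetime.fromisoformat(now) - timedelta(days=dormant_days)
    return sorted(
        u["sam"] for u in users
        if u["enabled"] and datetime.fromisoformat(u["last_logon"]) < cutoff
    )


def suspicious_enrollments(users, duo_log, dormant_days=DORMANT_DAYS):
    """Device enrollments made on accounts that were dormant at enrollment time.

    A legitimate user re-enrolling normally has a recent AD logon; an attacker
    enrolling a new device on a long-unused account does not.
    """
    last_logon = {u["sam"]: datetime.fromisoformat(u["last_logon"]) for u in users}
    hits = []
    for e in duo_log:
        if e["event"] != "enroll_device" or e["user"] not in last_logon:
            continue
        enrolled_at = datetime.fromisoformat(e["ts"])
        idle = enrolled_at - last_logon[e["user"]]
        if idle > timedelta(days=dormant_days):
            hits.append({"user": e["user"], "ts": e["ts"], "idle_days": idle.days})
    return hits


if __name__ == "__main__":
    print("enabled but dormant:", dormant_enabled_accounts(AD_USERS, "2022-03-21"))
    for h in suspicious_enrollments(AD_USERS, DUO_ADMIN_LOG):
        print(f"ALERT: {h['user']} enrolled a new MFA device at {h['ts']} "
              f"after {h['idle_days']} days without an AD logon")
```

In a real deployment the first function's output feeds a scheduled disable job (for example `Search-ADAccount -AccountInactive` followed by `Disable-ADAccount` on Windows), and the second is an alert rule on the Duo admin log; the point is that the two data sources must be checked against each other, because neither system alone saw anything wrong in the incident described above.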

2. German Government Warns Against Using Russia's Kaspersky Antivirus Software

Germany's cyber-security authority has warned against using anti-virus software
from the Russian-headquartered company Kaspersky.

The Federal Office for Information Security (BSI) issued the statement in light of the
conflict in Ukraine.
Russian information-technology businesses could be spied on or forced to launch
cyber-attacks, it said.
Kaspersky told BBC News the warning had been "made on political grounds" and it had
no ties to the Russian government.

'Offensive operations'
The BSI made no allegation of current problems with Kaspersky's products but said the
conflict in Ukraine and Russian threats against the European Union, Nato and Germany
brought with them the risk of cyber-attacks.
"A Russian IT manufacturer can carry out offensive operations itself, be forced against
its will to attack target systems, or be spied on as a victim of a cyber operation without
its knowledge or as a tool for attacks against its own customers," the warning said.

The BSI recommends that Kaspersky anti-virus products be replaced with
alternatives, but carefully, so as not to weaken defences in the process.

In 2017, President Donald Trump signed legislation banning the use of Kaspersky
software within the US government. The same year, the UK's National Cyber
Security Centre announced it would write to all government departments, warning
against using Kaspersky products for systems related to national security.

3. New "B1txor20" Linux Botnet Uses DNS Tunnel and Exploits Log4J Flaw


The malware was first spotted on February 9, 2022, when 360Netlab’s honeypot system
captured an unknown ELF file that was spreading by exploiting the Log4J
vulnerability.

The name B1txor20 combines "b1t", the file name used for propagation, "xor"
for the XOR encryption algorithm, and "20" for the 20-byte RC4 key length.

The B1txor20 Linux backdoor uses DNS tunnelling for its C2 communications,
which lets it blend its traffic into ordinary name lookups. Its main features
are:

- Shell
- Proxy
- Execute arbitrary commands
- Install rootkit
- Upload sensitive information
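As an added example (not code from the 360Netlab analysis and not the malware's own), the following Python script shows the kind of heuristic a defender can run over DNS query logs to spot tunnelled C2 traffic such as B1txor20's: a tunnel has to encode its data into the query names, so a single client sending many unique, long, high-entropy subdomains to one zone stands out from ordinary lookups. The log lines, the thresholds and the zone name c2-tunnel.test are constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (client, query name, record type); not
# captured traffic. The three queries to c2-tunnel.test imitate a tunnel that
# packs encoded data into the leftmost label.
QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.7", "q7w3e9r5t1y8u2i6o4p0asdfghjklzxc.c2-tunnel.test", "TXT"),
    ("10.0.0.7", "mnbvcxzlkjhgfdsapoiuytrewq987654.c2-tunnel.test", "TXT"),
    ("10.0.0.7", "0192837465zaqxswcdevfrbgtnhymjuk.c2-tunnel.test", "TXT"),
]

# Thresholds are assumptions; tune them against a baseline of your own traffic.
MIN_LABEL_LEN = 30     # longest single label seen for the (client, zone) pair
MIN_ENTROPY = 3.5      # mean Shannon entropy (bits/char) of the subdomain part
MIN_UNIQUE_SUBS = 3    # distinct subdomains per (client, zone) pair


def shannon_entropy(s):
    """Bits of entropy per character; encoded or encrypted payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_zone(qname):
    """Approximate (zone, subdomain) as the last two labels vs. the rest.

    Returns (None, None) for names with fewer than three labels.
    """
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None, None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def flag_tunnel_candidates(queries, min_label_len=MIN_LABEL_LEN,
                           min_entropy=MIN_ENTROPY, min_unique=MIN_UNIQUE_SUBS):
    """Return (client, zone, unique_subdomains, longest_label, mean_entropy)
    for every (client, zone) pair that trips all three thresholds."""
    subs_by_pair = defaultdict(set)
    for client, qname, _qtype in queries:
        zone, sub = split_zone(qname)
        if zone is not None:
            subs_by_pair[(client, zone)].add(sub)

    hits = []
    for (client, zone), subs in sorted(subs_by_pair.items()):
        longest = max(len(label) for s in subs for label in s.split("."))
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and longest >= min_label_len and mean_ent >= min_entropy:
            hits.append((client, zone, len(subs), longest, round(mean_ent, 2)))
    return hits


if __name__ == "__main__":
    for client, zone, n, longest, ent in flag_tunnel_candidates(QUERIES):
        print(f"possible DNS tunnel: {client} -> {zone} "
              f"({n} unique subdomains, longest label {longest}, entropy {ent})")
```

The "last two labels" zone split is deliberately simple; a production rule should use the public suffix list so that names under zones like co.uk are grouped correctly, and should also count query volume and TXT/NULL record types per client, since a tunnel needs many queries to move any useful amount of data.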
4. New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers


Cyclops Blink, a botnet identified as Russian state-sponsored and linked to the
Sandworm (also known as Voodoo Bear) advanced persistent threat (APT) group, is
now targeting Asus home Wi-Fi routers.

"Cyclops Blink, an advanced modular botnet that is reportedly linked to the Sandworm
or Voodoo Bear APT group, has recently been used to target WatchGuard Firebox
devices according to an analysis performed by the UK’s National Cyber Security Centre
(NCSC). We acquired a variant of the Cyclops Blink malware family that targets Asus
routers," Trend Micro recently said in a statement.
"This report discusses the technical capabilities of this Cyclops Blink malware variant
and includes a list of more than 150 current and historical command-and-control (C&C)
servers of the Cyclops Blink botnet. Our data also shows that although Cyclops Blink is
a state-sponsored botnet, its C&C servers and bots affect WatchGuard Firebox and
Asus devices that do not belong to critical organisations or those that have an evident
value on economic, political, or military espionage," the antivirus firm added.
Trend Micro's researchers said the botnet's main purpose is likely to build
infrastructure for further attacks on high-value targets rather than to cause
immediate harm. Cyclops Blink was first spotted in February infecting Firebox
small-business network-security appliances made by WatchGuard.

Asus was made aware of the attacks and said in a statement on its Product
Security Advisory page that it is looking into Cyclops Blink and taking
remediation measures.
5. Denial-of-service attack knocked Israeli government sites offline

A distributed denial-of-service attack against an Israeli telecommunication provider took
Israeli government sites offline temporarily on Monday, the Israel National Cyber
Directorate confirmed in a tweet.

The statement said that services were back online, but internet watchdog NetBlocks
reported that some government websites remained unavailable outside of the country.
The Israeli Embassy did not return a request for comment. NetBlocks attributed the
disruption to attacks on network suppliers Bezeq and Cellcom. The attack also
disrupted non-government websites.

In a DDoS incident, attackers flood the target with traffic from many sources at
once until it can no longer serve legitimate requests; here the flood hit the
network providers upstream of the government sites, so the sites went down even
though they were not attacked directly.

A “defense establishment source” told Haaretz, which first reported the attack, that a
nation-state or large organization was believed to be behind it and that it was the largest
cyberattack in the history of the country. The Israeli government has not specifically
attributed the responsible hackers.

Israel is a frequent target of Iran-affiliated hacking groups which have a strong history of
denial-of-service and more destructive attacks. Israel has often been accused of lobbing
its own attacks against Iran, one of its biggest regional rivals. U.S. and U.K. cyber
officials have accused Iranian government-affiliated hackers of using the conflict in
Ukraine as cover for escalating their malicious cyber-activity.
