Weekly Top 10 – 04.2.2024- SharePoint and AMD Vulnerabilities, Password Spraying VPN Attacks, Tycoon 2FA, and More.

WEEKLY TOP TEN: April 2, 2024, 17:09 GMT

1. CISA Warns: Hackers Actively Attacking Microsoft SharePoint Vulnerability
   
   CISA has issued a warning about active hacker exploitation of a critical vulnerability in Microsoft SharePoint Server (CVE-2023-24955), which allows authenticated attackers with site owner privileges to execute remote code. This vulnerability joins CVE-2023-29357, which is listed in CISA’s known exploited vulnerabilities catalog. These two vulnerabilities were recently demonstrated in an exploit chain at Pwn2Own Vancouver 2024. Patches for these vulnerabilities were released in 2023, while failure to patch has allowed for exploitation in the wild.
2. ZenHammer Attack Targets DRAM on Systems With AMD CPUs
   
   Researchers at ETH Zürich have demonstrated Rowhammer attacks against DDR4 and DDR5 memory, which utilize a defense mitigation known as Target Row Refresh (TTR) which should prevent Rowhammer attacks. They have targeted devices powered by AMD Zen 2 and Zen 3 processors, dubbing the attack ZenHammer.
   
   The ETH Zürich researches state “Rowhammer is a DRAM vulnerability caused by the interference between different rows that store data. This vulnerability enables attackers to change values in memory they are not supposed to have access to, ultimately enabling privilege escalation and escaping from sandboxes.”
   
   ZenHammer was able to circumvent TTR by reverse engineering DRAM address functions and optimizing refresh synchronization, enabling successful bit flips on a significant portion of tested Zen 2 and Zen 3 devices. It was able to trigger bit flips on seven Zen 2 processors, six Zen 3 processors, and one Zen 4 processor. This is notable due to it being the first report of a successful bit flip on a DDR5 processor.
3. Exposing a New BOLA Vulnerability in Grafana
   
   Palo Alto Unit 42 researchers have demonstrated and discovered a new Broken Object Level Authorization vulnerability (CVE-2024-1313) that impacts Grafana, which is a popular open-source data observability and visualization platform. This vulnerability allows low-privileged Grafana users to use publicly available snapshot keys to delete dashboards belonging to other organizations. Additionally, Unit 42 researchers have found an API endpoint which allows any user to create snapshots without enforcing complexity checks on secret keys. This would allow for denial-of-service attacks along with brute-force exploitation. As of March 26, 2024, Grafana has released a patch to resolve this vulnerability and suggests updating promptly.
4. Cisco warns of password-spraying attacks targeting VPN services
   
   Cisco has alerted customers about an ongoing password-spray attack which is targeting Remote Access VPN (RAVPN) services on Cisco firewall devices. Cisco has included a mitigation guide which contains IoC and recommendations to harden RAVPN environments. Security researcher Aaron Martin has been investigating this activity and states that it is likely linked to a malware botnet he has named “Brutus”. Martin notes that the botnet currently relies on 20,000 IP addresses worldwide, utilizes IP rotation, as well as specific usernames that are not from a data dump. Attribution is currently unknown, but Martin has identified IPs which signal that this may be the work of APT29.
5. Hackers exploit Ray framework flaw to breach servers, hijack resources
   
   Ray is a popular open-source AI framework developed by Anyscale, used by many popular applications to train LLMs such as ChatGPT. “ShadowRay” is a new campaign targeting Ray environments that are not following security recommendations (CVE-2023-48022). The vulnerability allows for remote code execution, giving access to production database creds, access tokens, private AI models, and more. Anyscale does not classify this as a vulnerability, rather as a bug due to the flaw being exploitable only in environments that are not following security recommendations. Security researchers have discovered hundreds of exposed Ray servers which have been compromised, giving attackers full access. On March 28th, Anyscale has released a blog post explaining the issue and has announced tools to help defend against the vulnerability.
6. Tycoon 2FA: an in-depth analysis of the latest version of the AiTM phishing kit
   
   Tycoon 2FA is an Adversary-in-The-Middle (AiTM) phishing kit which has been active since August 2023. Tycoon is distributed as a Phishing-as-a-Service (PhaaS) platform, allowing for widespread usage of the malicious kit. In February 2024, a new version was released and distributed in the wild. The Tycoon kit allows threat actors to host a reverse proxy server, serving malicious login pages which look authentic. These pages will forward inputs to a legitimate server while capturing and exfiltrating the login information. This allows threat actors to bypass 2FA as the victim will input their 2FA into the reverse proxy server, giving the threat actor all the info they need to steal user accounts. Security researches have identified over 1200 domain names utilizing Tycoon2FA since August 2023.
7. New Darcula phishing service targets iPhone users via iMessage
   
   Continuing with PhaaS news, “Darcula” is in the news for utilizing over 20,000 domains to spoof brands and steal credentials. Darcula is unique in that it does not utilize SMS, instead it uses RCS and iMessage, allowing for more convincing phishing attempts. Security researchers at Netcraft state that Darcula has been used for numerous high-profile phishing attacks over the last year. Their research shows that Darcula employs modern technologies to continuously update its kits, while maintaining a high level of impersonation on crafted sites. While iMessage does have protections built in for phishing links, Darcula attempts to circumvent these with social engineering.
8. SeeSeeYouExec: Windows Session Hijacking via CcmExec
   
   Mandiant’s security researchers have discovered novel attack methods utilizing the System Center Configuration Manager (SCCM). SCCM is a comprehensive management solution by Microsoft designed to facilitate the deployment, management, and security of devices and applications within an organization’s network. CcmExec is a windows service that manages software deployment and updates. Mandiant explains a simple exploitation path utilizing AppDomainManager injection to manipulate the process spawned by CcmExec, which allows for remote code execution. The attack chain requires administrator privileges, afterwards the attacker will upload a malicious DLL and point the CcmExec configuration file to load the DLL. Mandiant has also developed CcnPwn, a tool to easily facilitate the attack.
9. TheMoon malware infects 6,000 ASUS routers in 72 hours for proxy service
   
   “TheMoon” is an emerging malware botnet which has been seen infecting thousands of home office routers and IoT devices. This botnet is associated with the “Faceless” proxy service which utilizes infected devices as proxies, allowing threat actors to anonymize their activities. Security researchers at Black Lotus Labs have been investigating the latest campaign and have discovered over 7000 infected devices, with the primary target being ASUS routers. The ASUS models targeted in this attack are in end-of-life allowing attackers to utilize known vulnerabilities in the outdated firmware.
10. Revealed: Facebook’s “Incredibly Aggressive” Alleged Theft of Snapchat App Data
    
    Shifting gears to more familiar threats, recent court documents have just revealed that Facebook had created a VPN to steal analytics and user data from competitors such as Snapchat, YouTube and Amazon. This operation, dubbed “Ghostbusters” allowed Facebook to intercept and decrypt SSL-protected traffic. They utilized their VPN to be an Advisory-in-the-Middle attack, stealing a vast amount of private data from competitors. The VPN created by Facebook was shut down in 2019, and Zuckerberg has previously denied knowing about the project.