Cyber Threat Intelligence Report

This week we briefed our clients on the dangers of web browser-based password managers, alternatives, and new application vulnerabilities from vendors.

KEY TAKEAWAYS

• Ransomware gangs targeting credentials stored in web browsers.
• Critical and high-severity vulnerabilities in Microsoft, Chrome, and SAP. Patch now!

Do You Know Where Your Passwords Are?

While many organizations have made progress with enforcing complex password requirements and implementing MFA, there is an often overlooked aspect of password management: Where are those passwords stored? The answer in many cases is the user's web browser. This fundamentally unsafe practice is pushed as a secure feature by web browsers in ads like this. Password managers are a great way to store and maintain complex passwords, but web browser password managers are trivially easy for threat actors to scrape and steal data from.

A recent Sophos security blog highlights a ransomware intrusion by the Qilin ransomware gang, in which the group was able to steal Google Chrome passwords from almost every user in the organization.

 

Attack Breakdown

The Qilin ransomware group (or possibly an initial access broker that later sold access to Qilin) gained a foothold in the target environment through compromised valid credentials for the organization's VPN portal, which did not have multi-factor authentication (MFA) enabled. Once inside, Qilin pivoted to a domain controller. The group then created a logon-based Group Policy Object (GPO) containing two scripts: a PowerShell script that scrapes credentials from Google Chrome, and a batch script that runs the PowerShell script. Because of how the GPO was configured, these scripts ran each time a user logged into a domain-joined work machine.
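As an added example (not code from the PacketWatch report or the Sophos write-up), the following PowerShell script inventories every logon and logoff script that Group Policy references in SYSVOL, so that a newly created logon-script GPO like the one described above stands out in a routine review. It assumes a domain-joined admin workstation with read access to SYSVOL and, for resolving GUIDs to GPO names, the GroupPolicy RSAT module; the `scripts.ini`/`psscripts.ini` layout under `Policies\{GUID}\User\Scripts` and `Machine\Scripts` is the standard one Windows writes, and the seven-day "recent" window is an arbitrary choice.

```powershell
# Added example: list every logon/logoff script Group Policy references in SYSVOL,
# with the owning GPO and the last write time, so unexpected additions are visible.
# Assumptions: read access to SYSVOL; GroupPolicy module available for Get-GPO.
param(
    [string]$PoliciesRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies",
    [int]$RecentDays = 7   # arbitrary window used to flag recently changed script lists
)

function Get-GpoLogonScripts {
    param([string]$Root, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)

    # scripts.ini lists batch/exe scripts; psscripts.ini lists PowerShell scripts.
    Get-ChildItem -Path $Root -Recurse -Include 'scripts.ini', 'psscripts.ini' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # The GPO GUID is the {…} directory name under Policies\
        $gpoGuid = $file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' } | Select-Object -First 1
        $gpoName = '(unresolved)'
        try { $gpoName = (Get-GPO -Guid $gpoGuid -ErrorAction Stop).DisplayName } catch { }
        $scope = if ($file.FullName -match '\\User\\') { 'User' } else { 'Computer' }

        $section = ''
        foreach ($line in Get-Content -Path $file.FullName) {
            # Sections are [Logon] / [Logoff] (or [Startup] / [Shutdown] on the Machine side)
            if ($line -match '^\[(\w+)\]') { $section = $Matches[1]; continue }
            # Entries look like 0CmdLine=script.bat followed by 0Parameters=
            if ($line -match '^\d+CmdLine=(.+)$') {
                [pscustomobject]@{
                    GPO      = $gpoName
                    Guid     = $gpoGuid
                    Scope    = $scope
                    Trigger  = $section
                    Command  = $Matches[1].Trim()
                    Modified = $file.LastWriteTime
                    Recent   = ($file.LastWriteTime -gt $cutoff)
                }
            }
        }
    }
}

Get-GpoLogonScripts -Root $PoliciesRoot -Days $RecentDays |
    Sort-Object Recent, Modified -Descending |
    Format-Table GPO, Scope, Trigger, Command, Modified, Recent -AutoSize
```

Run it on a schedule and diff the output against the previous run: a new row whose `Command` points at a PowerShell or batch file nobody on the team recognises, or a `Recent` flag on a GPO that is not supposed to change, is the kind of signal that would have surfaced the Qilin GPO early. Note that it reads only the script lists; the referenced script files themselves (also under SYSVOL) are what you would review next.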

 

Other Ransomware Groups Targeting Browser Data

This tactic is not unique to the Qilin ransomware group. In a recent Incident Response (IR) engagement, PacketWatch observed the Akira ransomware gang leveraging the open-source hacking tool Impacket to scrape stored web browser credentials from over a dozen users.

 

The Fallout

Not only do users store work credentials in their browsers, but they also tend to store credentials for personal third-party websites. This means that a threat actor who harvests web browser credentials not only gains potential further access into the organization but can also wreak havoc on employees' personal accounts. Access to banking, healthcare, and other personal accounts is all possible, depending on what was stored in the web browser.

 

How to Protect Your Organization

It is possible to prevent users from storing passwords in web browsers via GPO. This guide details steps on how to disable the built-in password managers for Edge, Chrome, and Firefox. 

There are several alternatives to web browser password managers. First are third-party password managers such as PassPortal, BitWarden, and 1Password. Services like these offer enterprise solutions and have plugins for all major web browsers, making them easy for users to adopt. While attacks on these managers do exist, they require more effort from the threat actor and can limit widespread credential harvesting methods such as those used by Qilin. The most secure method for managing user access is a hardware-based authentication solution such as YubiKey. These hardware keys use the FIDO2 open authentication standard, which relies on public key cryptography instead of regular passwords. YubiKeys can be used for passwordless authentication or as a more secure form of MFA.
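The GPO approach described above sets policy registry values on each endpoint; as an added example (not code from the report or from the linked guide), the script below audits those values locally and, with `-Enforce`, sets them. The three `HKLM\SOFTWARE\Policies\...` paths and the `PasswordManagerEnabled` value name are the ones the Google, Microsoft and Mozilla policy templates use; in a domain you would set the same values centrally through a GPO (Administrative Templates) rather than on each machine, and this script is mainly useful for verifying that the policy actually landed.

```powershell
# Added example: check and optionally enforce the policy values that disable the
# built-in password managers in Chrome, Edge and Firefox on this machine.
# Assumption: run elevated; the HKLM policy keys below are what the vendors' ADMX
# templates write to, so a correctly applied GPO should already have set them.
param([switch]$Enforce)

# 0 = password manager disabled; a missing value means the browser default (enabled) applies.
$BrowserPolicies = @(
    @{ Browser = 'Chrome';  Key = 'HKLM:\SOFTWARE\Policies\Google\Chrome';   Name = 'PasswordManagerEnabled' },
    @{ Browser = 'Edge';    Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge';  Name = 'PasswordManagerEnabled' },
    @{ Browser = 'Firefox'; Key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'; Name = 'PasswordManagerEnabled' }
)

function Get-BrowserPasswordManagerState {
    foreach ($p in $BrowserPolicies) {
        $value = $null
        if (Test-Path -Path $p.Key) {
            $value = (Get-ItemProperty -Path $p.Key -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        [pscustomobject]@{
            Browser  = $p.Browser
            Key      = $p.Key
            Value    = $value
            Disabled = ($value -eq 0)
        }
    }
}

function Disable-BrowserPasswordManager {
    foreach ($p in $BrowserPolicies) {
        if (-not (Test-Path -Path $p.Key)) { New-Item -Path $p.Key -Force | Out-Null }
        New-ItemProperty -Path $p.Key -Name $p.Name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

if ($Enforce) { Disable-BrowserPasswordManager }
Get-BrowserPasswordManagerState | Format-Table -AutoSize
```

Two caveats worth knowing before rolling this out: the policy stops the browser from offering to save new passwords, but for Chrome the policy documentation notes that previously saved passwords remain usable, so clearing the existing store is a separate step; and a locally set value is overwritten by whatever the domain GPO says, which is the intended order of precedence.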

 

Resources:

 

Vulnerability Roundup

 

Exploit Code Released for CVE-2024-38077

A critical remote code execution (RCE) vulnerability in the Microsoft Windows Remote Desktop Licensing Service (RDL) was disclosed and patched in the July Patch Tuesday updates. Successful exploitation allows for the attacker to take control of the vulnerable server without any interaction from a user. Earlier this month, proof-of-concept exploit code was published on GitHub. Administrators are strongly encouraged to apply the July update patches, and block RDP access from the open internet.

 

Critical Vulnerability in Windows TCP/IP Stack for IPv6

As part of the August Patch Tuesday, Microsoft disclosed a critical vulnerability in its IPv6 implementation, tracked as CVE-2024-38063. Per the Microsoft advisory, an unauthenticated attacker could repeatedly send specially crafted IPv6 packets to a vulnerable Windows machine, which could lead to remote code execution. Proof-of-concept code has been published in the wild. However, both the PoC research and independent vulnerability research indicate that achieving full RCE on a vulnerable machine is very difficult and not practical. The vulnerability could still be used to cause a denial of service (DoS) condition. Administrators are urged to apply the Microsoft patch as soon as possible and to disable IPv6 where it is not needed in production. Windows devices with IPv6 disabled are unaffected by this vulnerability.
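Since the advisory states that hosts with IPv6 disabled are unaffected, the practical first question is which adapters still have IPv6 bound. The following PowerShell, an added example rather than anything from the report or Microsoft, reports that and, only when asked with `-Disable`, unbinds the protocol per adapter. It assumes Windows 8 / Server 2012 or later (the NetAdapter module); `ms_tcpip6` is the component ID of the IPv6 binding, and unbinding is reversible with `Enable-NetAdapterBinding`.

```powershell
# Added example: report adapters with IPv6 bound and optionally unbind it.
# Assumption: NetAdapter module present (Windows 8 / Server 2012 and later); run elevated to change bindings.
param([switch]$Disable)

function Get-IPv6BoundAdapters {
    # ms_tcpip6 is the binding component ID for the IPv6 protocol stack
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { $_.Enabled } |
        Select-Object Name, DisplayName, ComponentID, Enabled
}

$bound = @(Get-IPv6BoundAdapters)
if ($bound.Count -eq 0) {
    Write-Output 'IPv6 is not bound on any adapter; this host is outside the scope of the advisory.'
}
else {
    $bound | Format-Table -AutoSize
    if ($Disable) {
        # Whether IPv6 is genuinely unneeded is an environment decision; patching remains the primary fix.
        $bound | ForEach-Object {
            Disable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 -Confirm:$false
        }
        Write-Output 'IPv6 binding removed from the adapters listed above.'
    }
}
```

Run it without `-Disable` first across a sample of hosts to see how many actually rely on IPv6 (domain controllers and anything using DirectAccess or IPv6-only services will), and treat the binding change as a stopgap until the August update is deployed, not a substitute for it.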

 

Google Patches Another 0-Day Exploited in the Wild

Google recently released a security advisory that includes details of CVE-2024-7971, a type confusion vulnerability in Chrome's V8 JavaScript engine. The advisory states that Google is aware this vulnerability has been exploited in the wild. Fixes for this flaw are included in version 128.0.6613.84/85 for Windows and macOS and version 128.0.6613.84 for Linux. Administrators are urged to apply this update as soon as possible.

 

Critical SAP Authentication Bypass

Business software company SAP released a security bulletin highlighting multiple vulnerabilities, including a critical authentication bypass tracked as CVE-2024-41730. Per the advisory, on SAP BusinessObjects Business Intelligence Platform versions 430 and 440 with Single Sign-On enabled on Enterprise Authentication, an unauthorized user can obtain a logon token through a REST endpoint, which can lead to full compromise of the system. Administrators are urged to apply the security updates as soon as possible.

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.