Cyber Threat Intelligence | PacketWatch

Cyber Threat Intelligence Report | 11/4/2024 | PacketWatch

Written by The PacketWatch Intelligence Team | November 4, 2024

This week we briefed our clients on the Microsoft Quad 7 password spray attacks and EmeraldWhale's theft of credentials from Git configuration files.


KEY TAKEAWAYS

  • Chinese-operated botnet ‘Quad 7’ conducting password spray attacks against Microsoft clients. Learn how to protect against these attacks.
  • ‘EmeraldWhale’ steals credentials and tokens from exposed Git configuration files.
  • Critical and high-severity vulnerabilities in QNAP, Fortinet, and VMware. Patch now!



‘Quad 7’ Botnet Conducting Password Spray Attacks

A new blog from Microsoft Security details a covert botnet they call CovertNetwork-1658, also known as 'Quad 7', that has been conducting password spray attacks and 'intrusion activity' against Microsoft customers since August 2023. Microsoft assesses that the botnet is controlled by a Chinese threat actor tracked as Storm-0940. The botnet consists of thousands of SOHO routers, mostly TP-Link, but also Zyxel, Asus, D-Link, NETGEAR, and more. At any given time, approximately 20% of the botnet infrastructure is conducting password spray attacks against its targets.

Usually, the botnet makes only a single authentication attempt per account per day. Because the volume of attempts per account is so low, the activity will not trigger authentication brute-force rules, and it is much harder to detect than a typical brute-force attack.

Once a password is correctly guessed by the botnet, the threat actor operators will typically use the compromised credentials to gain access to the target infrastructure within the same day. They then use scanning and credential dumping tools to elevate access and move laterally, followed by installation of remote access trojans to maintain persistence. The attack culminates with exfiltration of data.
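The detection gap described above, as an added example that is not part of the original report: a classic per-account brute-force rule stays silent against one failure per account per day, while a rule keyed on the spread across accounts and sources does fire. The log format, the field names and the thresholds are assumptions chosen for the constructed sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sign-in log (not from the report): 30 accounts each fail
# once from a different source on one day, plus a user who mistypes her password twice.
SAMPLE_LOG = [
    f"2024-11-01T02:{i:02d}:00Z FAIL user=user{i:02d} src=203.0.113.{i}"
    for i in range(1, 31)
] + [
    "2024-11-01T09:00:00Z FAIL user=alice src=192.0.2.5",
    "2024-11-01T09:00:20Z FAIL user=alice src=192.0.2.5",
    "2024-11-01T09:00:45Z OK user=alice src=192.0.2.5",
    "2024-11-02T10:00:00Z FAIL user=bob src=192.0.2.9",
]
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(lines):
    """Return (timestamp, result, user, src) tuples; unmatched lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def brute_force_accounts(events, threshold=5):
    """Classic per-account rule; silent when a spray tries each account once a day."""
    fails = Counter((e[0].date(), e[2]) for e in events if e[1] == "FAIL")
    return {user for (_, user), n in fails.items() if n >= threshold}

def spray_days(events, min_accounts=20, max_per_account=2, min_sources=10):
    """Spray rule: on one day many distinct accounts fail, none more than a
    couple of times, from many distinct sources. Thresholds are assumptions
    to tune against the tenant's normal failure rate."""
    per_day = defaultdict(list)
    for e in events:
        if e[1] == "FAIL":
            per_day[e[0].date()].append(e)
    flagged = {}
    for day, fails in per_day.items():
        per_account = Counter(e[2] for e in fails)
        sources = {e[3] for e in fails}
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_per_account
                and len(sources) >= min_sources):
            flagged[day.isoformat()] = (len(per_account), len(sources))
    return flagged
```

On the sample, `brute_force_accounts` returns an empty set while `spray_days` flags 2024-11-01 with 31 accounts hit from 31 sources.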


How to Protect Your Organization

This type of password attack succeeds where password hygiene is poor. Typically, threat actors look for credentials exposed in other data breaches and then try the same or a similar password against the targeted accounts.

  • Ensure strong, random passwords are used on each account.
  • Ensure passwords are unique across each site.
  • Enforce multi-factor authentication (MFA) across every account. MFA alone will nullify password spray attacks.
  • For a full list of protective measures, readers are strongly encouraged to read the full Microsoft blog.


Resources:


EmeraldWhale Steals Thousands of Credentials from Git Config Files

Security researchers at Sysdig reported on a recently discovered operation they call 'EmeraldWhale', which searched for exposed Git configuration files. In many cases, developers leave credentials, API keys, and access tokens in these files for convenience. EmeraldWhale used a series of automated tools to scrape these exposed Git configuration files, extract the credentials, and then use those credentials to steal further data from the Git repository, even when the repository itself is private.


Who was targeted?

There is evidence EmeraldWhale scanned at least 500 million IP addresses across the internet, looking for any self-hosted Git server with the '/.git/config' file exposed. Even for private repositories, a misconfigured server can leave this path reachable from the internet. Any tokens discovered in this initial pass were verified and, if valid, were used to download the full repository. Once downloaded, the repository was scanned for further authentication secrets for AWS, other cloud providers, and email service providers.


How to Protect Your Organization

  • Use dedicated secret management tools to store secrets.
  • Use environment variables to configure settings at runtime instead of hardcoding them into Git config files.
  • Ensure self-hosted Git servers are included in the scope of vulnerability scans, as this will detect issues such as exposed Git configuration files.
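The kind of finding EmeraldWhale harvested, turned into a self-audit check as an added example that is not part of the original report or Sysdig's tooling: a small git-config reader that flags remote URLs carrying userinfo and `http.extraheader` entries that store an Authorization header, and redacts them before reporting. The config contents, hostnames and token value are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed .git/config (not from the report): one remote carries a token in
# its URL, an http.extraheader stores a basic-auth header, the ssh remote is clean.
SAMPLE_CONFIG = """\
[remote "origin"]
\turl = https://deploy:ghp_EXAMPLETOKEN123@git.example.com/acme/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.com:acme/app.git
[http]
\textraheader = AUTHORIZATION: basic ZGVwbG95OnNlY3JldA==
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")

def parse_git_config(text):
    """Minimal git-config reader: yields (section, key, value) triples."""
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            yield section, m.group(1).lower(), m.group(2)

def redact_url(url):
    """Replace any userinfo with *** so a finding can be logged safely."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]          # keeps host:port
    netloc = "***@" + host if "@" in parts.netloc else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def find_embedded_credentials(text):
    """Flag remote URLs with userinfo and Authorization headers stored in config."""
    findings = []
    for section, key, value in parse_git_config(text):
        if key in ("url", "pushurl") and "://" in value and "@" in urlsplit(value).netloc:
            findings.append((section, key, redact_url(value)))
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append((section, key, "AUTHORIZATION: <redacted>"))
    return findings
```

The scp-style ssh remote is not reported, since `git@` there is a login name rather than a secret.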


Resources:


Vulnerability Roundup


Multiple 0-days Patched on QNAP Devices

Security researchers at the Pwn2Own Ireland 2024 competition discovered two 0-day vulnerabilities in QNAP devices. The first is tracked as CVE-2024-50388, a command injection flaw in HBS 3 Hybrid Backup Sync version 25.1.x, which is QNAP's disaster recovery and data backup solution. Administrators are urged to patch to version 25.1.1.673 or later.

The second 0-day is tracked as CVE-2024-50387, and is a SQL injection vulnerability in QNAP's SMB Service versions 4.15.x and h4.15.x. Administrators are urged to patch to SMB Service 4.15.002 and h4.15.002 or later.


'FortiJump' Exploited Since June 2024

Reporting from Mandiant shows that a flaw in Fortinet FortiManager called "FortiJump" has been actively exploited as a 0-day since at least June 2024. The report shows evidence that at least 50 servers were successfully targeted. The vulnerability, tracked as CVE-2024-47575, is due to missing authentication in the FortiGate to FortiManager Protocol. It allows any attacker-controlled FortiManager or FortiGate device with a valid certificate to register itself with any exposed FortiManager server. Even though the connected device is unauthorized, the vulnerability allowed the attacker to then execute API commands on the FortiManager device and steal configuration data about other managed devices.

In addition to applying the patch released from Fortinet, the vendor recommends only allowing authorized IP addresses to connect to the FortiManager device, as well as preventing unknown FortiGate devices from registering using the 'set fgfm-deny-unknown enable' command.


VMware Fixes Already Patched Critical Vulnerability

Broadcom issued an update to its security advisory addressing CVE-2024-38812, a critical remote code execution vulnerability in vCenter Server. A threat actor with network access to the vCenter Server can trigger the vulnerability with a single specially crafted packet. The original patch for this vulnerability, issued in September, did not fully fix the issue. Administrators are strongly encouraged to apply the new updates in versions 8.0 U3d, 8.0 U2e, and 7.0 U3t.


This report is provided FREE to the cybersecurity community.


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.