The PacketWatch Intelligence Team
PacketWatch returns in 2024 with our bi-weekly threat intelligence report. This week, we cover the return of Qbot, a Google Oauth cookie hijacking technique, and a vulnerability roundup.
We've also enriched our original threat intelligence report to include resources from our partner in cyber threat intelligence, SOCRadar. You may need a registered SOCRadar account to view their threat intelligence resources.
The Return of Qbot
In late August 2023, the FBI announced Operation 'Duck Hunt,' which successfully dismantled the existing infrastructure for the infamous Qakbot (Qbot) malware that was known for infecting over 700,000 computers worldwide. Qbot malware was widely used as an initial infection point for ransomware operations. The FBI linked Qbot to over 40 ransomware attacks across a variety of industry verticals.
Although in early October, Cisco Talos documented a ransomware campaign linked to Qbot-affiliated threat actors, it was not until December 15, 2023, that Microsoft disclosed evidence of a new Qbot phishing campaign targeting the hospitality industry.
In this new campaign, a malicious PDF is sent in a phishing email. Within the PDF is a link to download a digitally signed Windows Installer (.msi) file. The Qbot execution is triggered via an embedded DLL file. Also of note with this campaign is the timestamp showing the payload was generated on December 11, and a previously unseen version of the malware was observed, indicating the malware is still under active development. IOCs for this campaign can be found below.
Qbot Phishing Campaign IOCs
C2 IP Addresses
- 45[.]138.74.191
- 65[.]108.218.24
MSI File Hash
50e22aa4b3b145fe1193ebbabed0637fa381fac3
How To Protect Your Organization
As with most malware delivered via phishing emails, there are several steps organizations can take to reduce the risk of infection:
- User awareness and training - Users should scrutinize the sender's email address and be instructed to never click or download attachments from untrusted senders.
- Deploy, configure, and maintain an EDR solution across all endpoints.
- Ensure all endpoints are patched regularly.
SOCRadar Resources
- Threat Actors: Qbot - Read key insights, access Yara/Sigma Rules, and view over 44,000 IOCs
Additional Resources
- https://www.bleepingcomputer.com/news/security/qakbot-botnet-dismantled-after-infecting-over-700-000-computers/
- https://blog.talosintelligence.com/qakbot-affiliated-actors-distribute-ransom/
- https://twitter.com/MsftSecIntel/status/1735856754427047985
Google OAuth Cookie Hijack 0-day
Over the last several weeks, multiple info-stealer malware variants have begun incorporating a session-hijacking technique that abuses an undocumented endpoint in Google Oauth called "MultiLogin". This exploit allows threat actors to maintain access to a victim's account, even after they have reset their password. It centers around a service GIAIA ID and an encrypted token found in the Chrome 'token_service' table, which can be manipulated and leveraged against the MutliLogin endpoint to generate new Google service cookies.
In a detailed report published by CloudSEK, it is implied that Google attempted to quietly prevent abuse of this exploit by performing "IP-based restrictions on cookie regeneration". However, in late November, the Lumma stealer malware incorporated a workaround to bypass those restrictions.
As of this writing, this exploit still works, and over a half dozen info-stealer variants have added this exploit to their code base. Until Google issues a formal patch, the best protection is to prevent infection from the info-stealer malware in the first place. Strong defense-in-depth measures, especially modern EDR solutions, are the best protection against this malware.
Additional Resources
- https://www.cloudsek.com/blog/compromising-google-accounts-malwares-exploiting-undocumented-oauth2-functionality-for-session-hijacking
- https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-endpoint-to-revive-cookies-hijack-accounts/
Vulnerability Roundup
CVE-2023-49070: Zero-Day in Apache OfBiz
In early December, a critical authentication bypass vulnerability (CVE-2023-49070) was disclosed for Apache's OfBiz open-source ERP system. This issue was fixed in version 18.12.10 on December 5.
Last week, researchers at SonicWall discovered that the patch for this vulnerability did not completely fix the issue. The vulnerability for the original 'fixed' version is tracked as CVE-2023-51467, and states that the authentication bypass can lead to Server-Side Request Forgery (SSRF). This CVE is now fixed in version 18.12.11.
Of note, Apache OfBiz is part of Atlassian JIRA, which is widely used across enterprises worldwide. As these vulnerabilities have been observed being actively exploited, administrators are urged to patch them as soon as possible.
SOCRadar Resources
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-49070
- https://nvd.nist.gov/vuln/detail/CVE-2023-51467
- https://www.bleepingcomputer.com/news/security/apache-ofbiz-rce-flaw-exploited-to-find-vulnerable-confluence-servers/
- https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html
CVE-2023-7027: New Chrome Zero-Day
A new heap-based buffer overflow vulnerability in the WebRTC framework was disclosed by Clement Lecigne and Vlad Stolyarov from Google's Threat Analysis Group, CVE-2023-7027. Successful exploitation can lead to arbitrary code execution.
Google has acknowledged that an exploit for this vulnerability exists in the wild. Administrators are urged to patch to Chrome version 120.0.6099.129/130 for Windows and 120.0.6099.129 for MacOS. As the WebRTC framework is open-source and supported by multiple browsers, administrators should apply fixes to other vulnerable browsers as they become available.
Terrapin
Security researchers from Ruhr University Bochum disclosed an intricate set of vulnerabilities in SSH. While the details of this vulnerability are beyond the scope of this report, successful exploitation of these vulnerabilities allows for the attacker to downgrade the public key algorithms used for user authentication and can disable built-in protections against keystroke timing attacks in OpenSSH 9.5.
One key aspect of these vulnerabilities is that in order for the attacker to exploit them, they must be a man-in-the-middle on the network. This greatly reduces the potential attack surface. However, since the vulnerabilities affect default configurations of OpenSSH, it is recommended that administrators upgrade to OpenSSH version 9.6p1.
Additional Resources
- https://jfrog.com/blog/ssh-protocol-flaw-terrapin-attack-cve-2023-48795-all-you-need-to-know/
- https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
Outlook Zero-Click RCE Chain
Recent research published by Ben Barnea from Akamai found here and here details how two previously patched vulnerabilities in Microsoft Outlook could be chained together to achieve zero-click remote code execution.
The two vulnerabilities in question are CVE-2023-35384, a security feature bypass in Windows HTML Platforms, and CVE-2023-36710, an RCE flaw in Windows Media Foundation Core. These bugs received fixes from Microsoft in August and October of 2023.
The first flaw (CVE-2023-35384) allows the attacker to coerce the Outlook client to download a malicious sound file from an attacker-controlled server. The vulnerability could also be used to leak NTLM credentials to the attacker. The specially crafted sound file, which can be autoplayed using the Outlook's reminder sound feature, can then exploit CVE-2023-36710 to get zero-click remote code execution.
In addition to patching, it is also recommended to ensure outbound SMB connections are blocked to public IP addresses and to disable NTLM or add users to the 'Protected Users security group', which prevents the use of NTLM authentication.
Additional Resources
- https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-one
- https://www.akamai.com/blog/security-research/chaining-vulnerabilities-to-achieve-rce-part-two
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35384
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36710
More Ivanti Vulnerabilities
Ivanti released security advisory to address 13 critical vulnerabilities found in its Avalanche enterprise mobile device management solution. Many of these vulnerabilities allow for unauthenticated remote attackers to gain remote code execution with no user interaction.
These vulnerabilities affect all supported versions of Avalanche versions 6.3.1 and above. Administrators are urged to patch to the latest version, 6.4.2, as soon as possible.
Additional Resources
- https://forums.ivanti.com/s/article/Avalanche-6-4-2-Security-Hardening-and-CVEs-addressed?language=en_US
- https://www.bleepingcomputer.com/news/security/ivanti-releases-patches-for-13-critical-avalanche-rce-flaws/
Make sure to stay up to date with all PacketWatch's cybersecurity content by subscribing to our monthly newsletter, delivered each last Tuesday of the month.
PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you are interested in personalized threat intel, contact us today to learn about our enterprise threat intelligence services.
Disclaimer
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.