Cyber Threat Intelligence Briefing - September 25, 2023

Welcome back to another week of Cyber Threat Intelligence (CTI). This week's report highlights lessons learned from the recent MGM breach and a vulnerability roundup.

Viva Las Vegas: Lessons Learned From the MGM Breach

On September 11, 2023, news quickly spread of a major ransomware attack on one of Las Vegas's largest casino chains, MGM.

Initially, there were conflicting reports on who was responsible for the attack, but in the days following, the Russian ransomware gang ALPHV confirmed that one of their affiliates, most commonly known as Scattered Spider, carried out the attack.  ALPHV claims they will soon be publishing data that was stolen from MGM networks.

Regardless of who committed the attack, this specific case highlights a growing method that threat actors leverage to gain initial access into their target environments: vishing.  

What is Vishing?

Vishing, short for voice phishing, is an increasingly popular social engineering technique where the threat actor contacts the target over the phone, pretending to be someone trusted within the organization or even a vendor or contractor, with the intended goal of getting the target to either reveal sensitive information or even reset passwords and multi-factor authentication (MFA).

Due to the nature of this methodology, IT helpdesks are frequent targets.  Vishing attacks are remarkably effective. Phishing attacks are three times more effective if there is a phone call (vishing) component of the attack, according to a recent IBM report.

The Impact of Vishing

If executed correctly, with just a single phone call, a threat actor can get valid credentials to highly privileged accounts

In the case of the MGM attack, with a single phone call to the help desk, the threat actor was able to get valid administrator credentials.

When coupled with using a single sign-on (SSO) solution such as Okta, this was all the threat actor needed to gain access to their entire network.

From this point forward, detecting malicious activity is extremely difficult, as every action from the threat actor appears as though it is being done by a legitimate user with the proper privileges. No malware or exploitation of vulnerable software is required for the threat actor to fully compromise the network.

How to Combat Vishing

A proper defense-in-depth strategy is required to combat this type of attack. Gaining access to a single account should not allow for the complete compromise of the entire network.

Steps organizations can take to combat vishing are:

• User Awareness and Education: Vishing heavily relies on humans being the weakest point in the cybersecurity posture of an organization.  While many organizations do have regular phishing training, it is very rare that users are educated or tested on vishing.  Helpdesk employees should especially be made aware of this increasingly popular attack technique.

• Implement Phishing-Resistant Multi-Factor Authentication (MFA), such as FIDO2 WebAuthn, for highly privileged accounts.

• Consider additional identity verification steps for the help desk, especially for highly privileged accounts, including MFA challenges and even secondary authorization or approval from management.

• Limit the number of Super Administrator roles to only what is necessary.

• Additional steps for security identity management can be found here.

Additional Resources

• https://www.msn.com/en-us/money/companies/the-chaotic-and-cinematic-mgm-casino-hack-explained/ar-AA1gTHDO
  
• https://arstechnica.com/security/2023/09/a-phone-call-to-helpdesk-was-likely-all-it-took-to-hack-mgm/
  
• https://permiso.io/blog/lucr-3-scattered-spider-getting-saas-y-in-the-cloud
  
• https://www.bleepingcomputer.com/news/security/mgm-casinos-esxi-servers-allegedly-encrypted-in-ransomware-attack/

Vulnerability Roundup

Apple Zero-Days

On September 21, Apple released an emergency security update addressing three new zero-days that were observed being exploited in the wild.

CVE-2023-41991 and CVE-2023-41993 are vulnerabilities with certificate validation in the Security framework and WebKit browser engine that can allow for an attacker to bypass validation with malicious apps or gain code execution using specially crafted webpages.

CVE-2023-41992 is a privilege escalation flaw in the Kernel Framework. Affected devices include iPhone 8 and newer, iPad mini Gen 5 and newer, MacOS running Monterey and newer, and Apple Watch Series 4 and newer.

Users are urged to apply the security update as soon as possible. Official security advisories from Apple can be found here and here.

Juniper RCE

Four medium-severity CVEs were disclosed by Juniper Networks this month.

CVE-2023-36844 and CVE-2023-36845 are 'PHP environment variant manipulation', and CVE-2023-36846 and CVE-2023-36847 'Missing authentication for Critical Function') in Juniper SRX firewalls and EX switches were disclosed.

Soon after, CVE-2023-36845 and CVE-2023-36846 were chained together to create a remote code execution (RCE) exploit PoC code.

This week, an additional PoC code was released later that gained RCE using only CVE-2023-36845.

An estimated 12,000 Juniper firewalls are vulnerable across the internet.

A free scanner on GitHub to help identify vulnerable deployments can be found here.

The full advisory from Juniper with additional details on the vulnerabilities and remediation can be found here.

Atlassian Security Bulletin

In the September Security Bulletin from Atlassian, vulnerabilities were disclosed across a range of products, including Jira Service Management, Confluence, Bitbucket, and Bamboo. 

The most severe of these is an RCE vulnerability in Bitbucket (CVE-2023-22513). Users are urged to patch as soon as possible.

Additional information on the vulnerabilities and remediation can be found on the Atlassian support page here.

Microsoft Patch Tuesday

Of note in the September edition of Patch Tuesday are two actively exploited 0-days, CVE-2023-36802 (Microsoft Streaming Service Proxy Elevation of Privilege), which allows attackers to gain SYSTEM privileges, and CVE-2023-36761 (MS Word Information Disclosure), which allows the attacker to steal NTLM hashes when the user is tricked into opening a malicious document.

As with all Microsoft security updates, users are urged to apply these patches immediately.  

Microsoft 'Themebleed' RCE

Rounding out vulnerabilities disclosed in Microsoft Patch Tuesday is a critical RCE vulnerability (CVE-2023-38146) known as 'ThemeBleed'. Proof-of-concept code has been published for this vulnerability.

This vulnerability can be exploited by tricking a user into opening a specially crafted .THEME file. While downloading .THEME files triggers the mark-of-the-web security warning to users; this can be bypassed by the attacker if the file is placed within a .THEMEPACK file, which is also a CAB archive file.

In addition to applying the Microsoft security patches, it is recommended to block unusual file types from being downloaded at the email gateway. Only file types that are meant for legitimate business use cases should be allowed.

PacketWatch publishes this report and other cybersecurity threat intel to the security community for free via our blog. If you want personalized threat intel, contact us today to learn about our enterprise threat intelligence services.

Disclaimer

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.