Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, October 27, 2022, 7:29 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


LV Ransomware Operator Buys Network Access, Uses ProxyShell

The LV ransomware seems to be based on REvil (a.k.a. Sodinokibi), although the relationship between the groups operating them is uncertain. However, LV breaches are surging, according to researchers at Trend Micro, who have provided an analysis of one particular intrusion.

Back in December 2021, a threat actor claiming to operate LV posted on a cybercrime forum seeking to connect to network access brokers in an attempt to buy access to networks in a range of industries. This seems to have been successful, with multiple breaches around the world. In the reported case, an affiliiate of the LV threat actor was able to use the ProxyShell vulnerability to drop a web shell and then execute a chain of PowerShell scripts, culminating in a backdoor.

From there, were able to use Mimikatz, NetScan and Advanced Port Scanner to harvest credentials and discover servers, including the domain controller. A compromised admin account was then used to access the domain controller, after which the ransomware code was uploaded and a scheduled task used to deploy the ransomware across the domain.

Fahmy, Mohamed, Sherif Magdy and Ahmed Samir, LV Ransomware Exploits ProxyShell in Attack on a Jordan-based Company, blog post, 25 October 2022. Available online at https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html.

Education Sector Targeted by Vice Ransomware Operator

One good (!) point in favour of the LV ransomware group is that their post seeking access brokers specifically excluded the healthcare and education sectors. However, other groups are not so choosy, as the LA Unified School District, and many other institutions, can attest. In fact, one group, tracked by Microsoft as DEV-0832 Vice Society, seems to be particularly interested in the education sector, both in the US and globally.

Vice Society seems to favour low-hanging fruit - poorly-secured networks - and uses a wide range of TTP's which are common to ransomware operators. These include Powershell scripts, initial compromise via unpatched systems, use of LOLbins and other tools including commodity ransomware such as BlackCat, QuantumLocker and Zeppelin, as well as generic backdoors like the SystemBC remote access trojan. This suggests that either they adapt to the victim's defences, or that there are multiple operators working under the Vice Society umbrella. They also deploy tools to Linux systems.

Vice Society makes extensive use of customized PowerShell scripts for credential harvesting and post-exploitation discovery, as well as staging of tools via network shares. Interestingly, they seem to favour data exfiltration over encrypting files, in some cases not bothering to proceed to encryption.

The Microsoft report provides suggested mitigations.

Uncredited, DEV-0832  (Vice Society) opportunistic ransomware campaigns impacting US education sector, blog post, 25 October 2022. Available online at https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/.

Medibank Breach Goes from Bad to Worse to Worst

As previously reported, the breach of Australian health insurance company Medibank has continued to become more severe. From an initial report that no data had been exfiltrated, to a report that only one subsidiary and particular accounts were affected, as Medibank's internal and third-party responders have dug deeper, the news has got worse. The latest revelation is that all Medibank, ahm and international student customers' personal data had been accessed.

Now, whether it has actually been exfiltrated remains an open question, for outsiders at least. But one would have to assume that it has, and that the information - including sensitive health-claims data - of 4 million current customers, along with an unknown number of former customers, are now at elevated risk.

We have previously seen, in the case of Finnish mental healthcare provider Vastamo, that when the breached enterprise refuses to pay a ransom, the attacker will turn to extorting the individual patients. We can only hope this does not eventuate, for the sake of the affected patients and also Medibank itself, which at this stage, has only suffered a sharp drop in its share price after the resumption of trading on the ASX and the costs of incident response. Vastamo did not survive for long after the scandal surrounding its breach broke,

Terzon, Emilia and Samuel Yang, Medibank says all customers' personal data compromised by cyber attack, ABC News, 26 October 2022. Available online at https://www.abc.net.au/news/2022-10-26/medibank-hack-criminals-access-hack-data/101578438.

RCE Vulnerability in Melis Platform CMS Now Patched

Many content management systems and e-commerce platforms are based on the Laminas PHP framework, formerly known as Zend. During routine static analysis of these projects, Sonar researchers found three critical vulnerabilities in Melis Platform, a business-oriented CMS used by many large enterprises.

These lead to a potential insecure deserialization vulnerability, which will allow object injection via the PHP $_POST variable, which is set by the user, based on form content. The question faced by the researchers was, is it exploitable? To do this, an attacker has to find a chain of calls to methods in available classes - called a Popchain - that can be triggered from the vulnerable section of code and will execute a malicious action, such as creating a file or executing a command.

They found the required code in the Laminas cache code, in particular a method which saves to disk "deferred items that have not been committed", and were able to use this to create a .PHP file and get it executed. This is an interesting example of the capabilities of static code analysis tools, although some ingenuity is subsequently required to craft a proof-of-concept exploit.

A patch for Melis Platform is now available, and users are urged to update to version 5.0.1 or above.

El Ouerghemmi, Karim  and Thomas Chauchefon, Remote Code Execution in Melis Platform, blog post, 18 October 2022. Available online at https://blog.sonarsource.com/remote-code-execution-in-melis-platform/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons LicenseCopyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Tags: