DragonRank SEO Manipulation Campaign Targeting IIS Servers Across Asia and Europe

Overview

A cyber espionage campaign is targeting IIS servers in several countries across Asia and Europe. The DragonRank campaign emanates from a simplified Chinese-speaking actor and specializes in manipulating search engine rankings through black hat SEO. The victims of this campaign are corporate web servers, which have been hacked to deploy backdoors such as BadIIS and PlugX.

Impact

DragonRank has infected 35 IIS servers operating across a variety of industries, including media, healthcare, and manufacturing, to manipulate SEO rankings. The malware in question effectively turns the infected servers into relays to boost malicious activities by cybercriminals attempting to skew search engine results.

This step effectively increases the malware’s effectiveness since it can impact search rankings negatively in two ways. The first way relies on the malicious software being used to promote malicious websites at the top of search results. Moreover, thanks to the trojan’s capability to alter search engine algorithms, cybercriminals can access the desired impact by skewing the search results against their competitors.

As for additional attack features, the malware is capable of collecting sensitive system info and deploying credential-harvesting utilities. Finally, one of the trojan’s more dangerous features allows it to pose as the Google search engine crawler and evade some security measures.

Recommendation

To protect from DragonRank, it is vital to ensure that all web applications are updated and secured against known vulnerabilities. Server administrators should scan their systems for signs of web shell deployments, such as ASPXspy, regularly and make sure to patch the installed software. In addition, implement effective monitoring and logging to be aware of suspicious traffic patterns, including those involving the imitation of legal search engine crawlers.

Six Hackers Linked to Global Cybercrime Syndicate Arrested in Singapore

Overview

A series of raids conducted in the first half of September 2024 saw the Singapore Police Force apprehend five Chinese nationals and one Singaporean. They are believed to be part of a larger global cybercrime entity using the criminal capacity of its agents to commit a variety of illicit acts over the internet. The operation took place across various homes and small businesses in Singapore, as approximately 160 members of law enforcement took part in multiple simultaneous raids. The authorities seized a variety of phones and computing devices as well as a stockpile of cash.

Impact

Singaporean authorities have detained four Chinese and one Singaporean national. The suspects are all between 32 and 42 years old and are believed to carry on cybercrime activities globally.

A 42-year-old Chinese man is found to have credentials to access servers of known hackers, and Singaporean authorities have confiscated five laptops, six cellphones, 24,000 Singapore dollars, and $850,000 in cryptocurrency from the man.

Three other Chinese nationals have been caught having nationals’ personal data from foreign internet service providers and tools for hacking and an offensive tool, PlugX, which is a remote access trojan.

A Singaporean man was found trying to buy stolen personal information to aid the arrested individuals to carry out the purchased information. The man is held to potentially face up to five years in prison with fines or caning under the Computer Misuse Act.

Recommendation

The Singapore Police Force has not established the full scope of the activities of the cybercrime syndicate in question and has called on the general public to be cautious.

Also, give importance to strengthening cybersecurity defenses among both businesses and individuals and including regular updates of relevant software. That said, keep an eye out for potentially suspicious activities and familiarize all staff with the specifics of phishing attacks.

It is also vital to ensure that if sensitive personal or financial data are being used, the relevant systems are defended by up-to-date firewalls and multi-factor authentication. Nevertheless, the authorities have confirmed that cybercriminals abusing Singapore for illegal activities will be harshly penalized.

Fake Coding Tests Used to Spread Malware by Lazarus Group

Overview

Recently, new malicious Python packages have been identified that target software developers. These packages, disguised as coding assessments, belong to the campaign VMConnect, which is linked to the Lazarus Group – one of the North Korean state-backed actors. Development of the threat campaign was first reported in August 2023 and has since continued to target software developers under the guise of a job offer and coding challenge.

Impact

The purpose of the malicious packages is to access the developers’ systems through repositories like PyPI, GitHub, and npm. They tempt developers with the modified versions of the real Python libraries like pyperclip, and pyrebase. The malicious code resides in the form of Base64-encoded strings that are run to connect to a command-and-control server.

Once there is a connection, the server can issue commands to affect the developers’ system. The malware authors make developers hurry and solve coding tasks by a certain time to ensure the execution of the code before the developer can check it for signs of malware. The developers are also prone to be tricked by the fact that some of the fake job interview schemes pretend to be offered by real financial institutions.

Recommendation

As for protection against such attack types, developers should always be wary and review all external code or libraries before they run it. They should also avoid downloading packages from sites that are not trusted or unknown because such links only typically pop up at job assessments. As for other means of protection, both regular and updated security protocols and the usage of malware detection will be effective, responding these types of campaigns.

Microsoft Releases Critical Security Patches for Exploited Windows Vulnerabilities

Overview

Microsoft has released the Patch Tuesday update for September 2024, which includes 79 security fixes for issues across its Windows platform, with three actively exploited flaws impacting users. The vulnerabilities relate to key components of Windows that are essential for system security. Several issues introduced in the Chromium-based Edge browser release last month have also been addressed by the update.

Impact

Among the 79 flaws, seven are categorized as Critical. 71 are Important and one is Moderate.

The actively exploited vulnerabilities include:

  1. CVE-2024-38014 (CVSS score: 7.8) – Windows Installer Elevation of Privilege Vulnerability.
  2. CVE-2024-38217 (CVSS score: 5.4) – Windows Mark-of-the-Web (MotW) Security Feature Bypass.
  3. CVE-2024-38226 (CVSS score: 7.3) – Microsoft Publisher Security Feature Bypass.

Out of the new flaws discovered, the most critical is CVE-2024-43491 (CVSS: 9.8), the Windows Update Remote Code Execution Vulnerability. Even though this vulnerability has not been exploited yet, it has the highest potential for exploitation.

It is mentioned in the recent list of flaws because the previously done fixes are rolled back, and the introduced vulnerability leaves the system open to the older ones. Out of the other identified vulnerabilities, i.e., CVE-2024-38226 and CVE-2024-38217, the attackers are allowed to bypass critical security mechanisms like Microsoft Office macro restrictions. The user has to interact with a malicious file hosted on the attackers’ server. In some cases, the attacker may have physical access to the system.

Recommendation

We highly recommend users install Microsoft’s September 2024 updates as soon as possible. Microsoft has built-in mitigations and has provided out-of-band updates to address the Windows Update Remote Code Execution vulnerability. Admins should install the September 2024 Servicing Stack Update before installing the September 2024 Windows security update. Aside from Microsoft’s updates, organizations must ensure they are applying patches provided by their respective vendors, including but not limited to Adobe, Cisco, VMware, Google, Intel, and others. This is a necessary effort to ensure there are no exploits that emerge from these vulnerabilities.

Critical Security Update for Ivanti Endpoint Manager Vulnerabilities

Overview

Ivanti released critical software updates on September 11, 2024, to correct multiple vulnerabilities in Endpoint Manager. This software is popular for managing corporate IT systems. The most important of these vulnerabilities are the ten critical vulnerabilities in question, that could enable remote code execution.

Impact

The highest-rated vulnerability, CVE-2024-29847, has a CVSS score of 10, and it comes from a deserialization of untrusted data vulnerability that would allow an unauthenticated, remote attacker to run arbitrary code on affected systems.

In addition to this critical flaw, there are nine other vulnerabilities, such as CVE-2024-32840, CVE-2024-32842, and CVE-2024-32843, with a CVSS score of 9.1, which are all SQL injection vulnerabilities that allow a remote authenticated attacker to execute code with administrative rights. They affect version 2024 and 2022 SU5 and all their earlier versions.

Recommendation

Ivanti has patched five critical vulnerabilities in its Ivanti Workspace Control and Ivanti Cloud Service Appliance products. According to Advisory details published by the company, Ivanti Workspace Control 2022 contains four critical vulnerabilities.

Apply these patches ASAP.

The post WME Security Briefing 27 September 2024 appeared first on Windows Management Experts – Microsoft Solution Partner.