Calenderweek 32 – WafdogBlog
http://192.168.11.11
Fri, 29 Mar 2024 12:25:54 +0000

New Cybersecurity Threat: Exploiting Microsoft’s Cross-Tenant Synchronization Feature
http://192.168.11.11/new-cybersecurity-threat-exploiting-microsofts-cross-tenant-synchronization-feature/
Wed, 22 Nov 2023 14:13:57 +0000

Attackers are increasingly exploiting Microsoft identities to access both Microsoft and federated SaaS applications. Rather than exploiting vulnerabilities, they use native Microsoft features to achieve their goals. Nobelium, the group linked to the SolarWinds attacks, has been observed using such native functionality, like creating Federated Trusts, for persistent access to Microsoft tenants.

This article highlights another native functionality, which, if leveraged by an attacker, allows persistent access to a Microsoft cloud tenant and lateral movement to other tenants. Attackers can exploit misconfigured Cross-Tenant Synchronization (CTS) configurations to access other connected tenants or deploy a rogue CTS configuration for persistence within a tenant. Vectra AI notes that this technique has not been seen in the wild but urges defenders to understand and monitor for its execution. Vectra AI customers are already protected against this technique through their AI-driven detections and Vectra Attack Signal Intelligence™.

Cross-Tenant Synchronization (CTS) is a new Microsoft feature enabling organizations to synchronize users and groups from other source tenants to access resources in the target tenant. While useful for organizations like business conglomerates, CTS can pose risks if not properly managed, creating potential for reconnaissance, lateral movement, and persistence attacks.

The exploitation techniques assume a compromised identity in a Microsoft cloud environment, potentially originating from a browser compromise on an Intune-managed endpoint.

Key points about CTS configuration include:

  • New users are synced into a tenant via push from the source tenant.
  • Automatic Consent Redemption setup eliminates the need for new user consent.
  • Users in scope for synchronization are configured in the source tenant.

The attack techniques require certain licenses and the compromise of a privileged account in the tenant. They include lateral movement, by exploiting existing CTS configurations to move from one tenant to another, and persistence, by deploying a rogue Cross-Tenant Access (CTA) configuration.

Defensive measures include avoiding default inbound CTA configurations that permit all users/groups/applications from the source tenant to sync inbound and deploying more exclusive inbound CTA configurations. Source tenants should ensure regulated and monitored access for groups allowed to access other tenants via CTS.
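To make the inbound-scope advice above concrete, here is an added audit script (not code from the original post or from Vectra AI) that flags partner configurations whose inbound sync accepts all users, groups or applications; the field names follow the Microsoft Graph cross-tenant access partner resource as I understand it and should be verified against an export from your own tenant.

```python
"""Flag over-permissive inbound cross-tenant access partner settings.

Added example, not code from the original post or from Vectra AI. The record
layout follows the Microsoft Graph crossTenantAccessPolicy partner resource as I
understand it (b2bCollaborationInbound, automaticUserConsentSettings, and the
partner's identitySynchronization inlined under the same key); treat those field
names as assumptions and check them against an export from your own tenant.
"""
import json
from typing import Dict, List

CATCH_ALL_TARGETS = {"AllUsers", "AllApplications"}

# Constructed sample export: the first partner keeps the permissive defaults the
# article warns about, the second is scoped to one group and one application.
SAMPLE_PARTNERS = json.loads("""
[
  {
    "tenantId": "11111111-1111-1111-1111-111111111111",
    "automaticUserConsentSettings": {"inboundAllowed": true},
    "b2bCollaborationInbound": {
      "usersAndGroups": {"accessType": "allowed",
                         "targets": [{"target": "AllUsers", "targetType": "user"}]},
      "applications": {"accessType": "allowed",
                       "targets": [{"target": "AllApplications", "targetType": "application"}]}
    },
    "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}}
  },
  {
    "tenantId": "22222222-2222-2222-2222-222222222222",
    "automaticUserConsentSettings": {"inboundAllowed": true},
    "b2bCollaborationInbound": {
      "usersAndGroups": {"accessType": "allowed",
                         "targets": [{"target": "33333333-3333-3333-3333-333333333333", "targetType": "group"}]},
      "applications": {"accessType": "allowed",
                       "targets": [{"target": "44444444-4444-4444-4444-444444444444", "targetType": "application"}]}
    },
    "identitySynchronization": {"userSyncInbound": {"isSyncAllowed": true}}
  }
]
""")

def allows_catch_all(setting: Dict) -> bool:
    """True when an inbound setting is 'allowed' and names a catch-all target."""
    if setting.get("accessType") != "allowed":
        return False
    return any(t.get("target") in CATCH_ALL_TARGETS for t in setting.get("targets", []))

def audit_partner(partner: Dict) -> List[str]:
    """Findings for one partner; an empty list means nothing was flagged."""
    findings: List[str] = []
    sync = (partner.get("identitySynchronization") or {}).get("userSyncInbound") or {}
    if not sync.get("isSyncAllowed"):
        return findings  # inbound sync is off: this tenant pushes nothing in
    inbound = partner.get("b2bCollaborationInbound") or {}
    if allows_catch_all(inbound.get("usersAndGroups") or {}):
        findings.append("inbound sync accepts ALL users and groups from the partner")
        if (partner.get("automaticUserConsentSettings") or {}).get("inboundAllowed"):
            findings.append("automatic consent redemption: unscoped users arrive without a prompt")
    if allows_catch_all(inbound.get("applications") or {}):
        findings.append("synced users may reach ALL applications in this tenant")
    return findings

def audit(partners: List[Dict]) -> Dict[str, List[str]]:
    """Map each partner tenant id to its findings."""
    return {p["tenantId"]: audit_partner(p) for p in partners}
```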

Vectra’s AI-driven detections can identify privilege abuse scenarios, focusing on behavior rather than relying on signatures or lists of known operations.

For security testing, the MAAD-Attack Framework is an open-source tool that emulates common attacker techniques, including a module “Exploit Cross Tenant Synchronization” to test against CTS exploitation.

Vectra AI, a leader in AI-driven threat detection and response, offers a platform providing hybrid attack surface coverage and real-time Attack Signal Intelligence, integrating with XDR, SIEM, and SOAR solutions.

IBM SDK Java Technology Vulnerability Enables Remote Execution of Unauthorized Code
http://192.168.11.11/ibm-sdk-java-technology-vulnerability-enables-remote-execution-of-unauthorized-code/
Wed, 22 Nov 2023 14:07:17 +0000

A critical vulnerability has been identified in IBM SDK, Java Technology Edition, that permits unauthorized code execution due to unsafe deserialization. The flaw, assigned CVE-2022-40609, exists in the Object Request Broker (ORB), a middleware component that facilitates remote procedure calls (RPC) between networked computers while maintaining location transparency.

The vulnerability, tracked as CVE-2022-40609 (unsafe deserialization flaw), enables a remote attacker to execute arbitrary code by transmitting specially crafted data. It has been assigned a high-risk CVSS score of 8.1.

The products impacted and their respective versions are:

  • IBM SDK, Java Technology Edition: Versions 7.1.5.18 and earlier, with a fix available in Version 7.1.5.19.
  • IBM SDK, Java Technology Edition: Versions 8.0.8.0 and earlier, with a fix available in Version 8.0.8.5.

This issue is categorized under CWE-502: Deserialization of Untrusted Data in the Common Weakness Enumeration.

In response, Red Hat has issued patches for Red Hat Enterprise Linux 7 Supplementary and Red Hat Enterprise Linux 8. Notably, Red Hat Enterprise Linux 7 with Java 1.7.1-ibm is outside the support scope, as per Red Hat’s policies and advisory.

Additionally, Tenable has released Nessus plugins for detecting this vulnerability:

  • Plugin ID 179134: “IBM Java 7.1 < 7.1.5.19 / 8.0 < 8.0.8.5” with a CRITICAL severity rating.
  • Plugin ID 179054: “RHEL 7: java-1.8.0-ibm (RHSA-2023:4160)” rated as HIGH severity.

Users are advised to update to the latest versions to mitigate the risk from potential exploitation by threat actors.

Major Cyber Attack Targets Numerous Citrix NetScaler ADC and Gateway Servers
http://192.168.11.11/major-cyber-attack-targets-numerous-citrix-netscaler-adc-and-gateway-servers/
Wed, 22 Nov 2023 13:57:47 +0000

Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation.

The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution.

The flaw, patched by Citrix last month, carries a CVSS score of 9.8.

The largest number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil.

The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023.

The disclosure comes as GreyNoise said it detected three IP addresses attempting to exploit CVE-2023-24489 (CVSS score: 9.1), another critical flaw in Citrix ShareFile software that allows for unauthenticated arbitrary file upload and remote code execution.

The issue has been addressed in ShareFile storage zones controller version 5.11.24 and later.

Attack surface management firm Assetnote, which discovered and reported the bug, traced it to a simpler version of a padding oracle attack.

“[Cipher Block Chaining] mode and PKCS#7 padding are the default values for AES encryption in .NET,” security researcher Dylan Pindur said.

“Look at how it behaves when invalid versus valid padding is provided. Does it result in an error? Are the errors different? Does it take longer or shorter to process? All of these can lead to a potential padding oracle attack.”
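To show the signal Pindur describes, here is an added Python example (not code from the original post, Assetnote or Citrix): a CBC/PKCS#7 decryptor whose distinct padding error reaches the caller, beside an encrypt-then-MAC version that rejects every modified ciphertext with one uniform result before unpadding. A constructed Feistel cipher stands in for AES so the block runs without extra packages.

```python
"""Padding-validity leak in CBC/PKCS#7 decryption, and the encrypt-then-MAC fix.

Added example, not code from the original post, Assetnote or Citrix. A constructed
4-round Feistel cipher on HMAC-SHA256 stands in for AES so the block runs without
third-party packages; the CBC chaining, PKCS#7 padding and error behaviour are the point.
"""
import hashlib
import hmac
BLOCK = 16

class PaddingError(ValueError):
    """Distinct exception type: exactly the signal a padding oracle needs."""

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, i: int) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, right, i))
    return left + right

def _block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, left, i)), left
    return left + right

def pkcs7_unpad(padded: bytes) -> bytes:
    n = padded[-1] if padded else 0
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise PaddingError("invalid PKCS#7 padding")
    return padded[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """IV || CBC ciphertext of the PKCS#7-padded plaintext, with no integrity check."""
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = _block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def _cbc_decrypt_raw(key: bytes, data: bytes) -> bytes:
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(_block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def leaky_open(key: bytes, data: bytes) -> bytes:
    """Decrypt, then unpad: whether PaddingError fires depends on bytes an attacker
    controls, so each distinguishable error (or its timing) is an oracle."""
    return pkcs7_unpad(_cbc_decrypt_raw(key, data))

def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; key + label is toy domain separation, real code uses a KDF."""
    data = cbc_encrypt(key + b"enc", iv, plaintext)
    return data + hmac.new(key + b"mac", data, hashlib.sha256).digest()

def authenticated_open(key: bytes, blob: bytes):
    """One uniform failure for any modified input, decided before decryption, so the
    unpadding step only ever sees data the legitimate sender produced."""
    data, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key + b"mac", data, hashlib.sha256).digest()
    if len(data) < 2 * BLOCK or len(data) % BLOCK or not hmac.compare_digest(expected, tag):
        return None
    return pkcs7_unpad(_cbc_decrypt_raw(key + b"enc", data))
```

Flipping a bit in the IV leaves the padding intact and the leaky decryptor returns silently, while flipping the last byte of the penultimate block raises PaddingError; the authenticated version answers both with the same None.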

Update
The Shadowserver Foundation, in an update shared on August 7, 2023, said it identified close to 7,000 vulnerable, unpatched NetScaler ADC and Gateway instances online and that CVE-2023-3519 is being exploited to drop PHP web shells on vulnerable servers for remote access.

Collide+Power, Downfall, and Inception in Modern CPUs
http://192.168.11.11/collidepower-downfall-and-inception-in-modern-cpus/
Wed, 22 Nov 2023 13:11:33 +0000

Cybersecurity experts have recently unveiled a series of side-channel vulnerabilities in modern CPUs that could potentially lead to data breaches. These vulnerabilities are identified as Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), following the revelation of Zenbleed (CVE-2023-20593), a separate flaw impacting AMD’s Zen 2 architecture-based processors.

Daniel Moghimi, a senior research scientist at Google, noted that Downfall attacks exploit a significant flaw present in a vast number of contemporary processors used in both personal and cloud computing. The vulnerability allows one user to access and steal data belonging to other users on the same system.

The Downfall attack, specifically, can circumvent Intel’s Software Guard Extensions (SGX) by exploiting memory optimization features in processors with AVX2 and AVX-512 instruction sets. It employs transient execution attack techniques like Gather Data Sampling (GDS) and Gather Value Injection (GVI), which could potentially let untrusted applications bypass isolation barriers and access data from other programs.

Intel has acknowledged Downfall as a medium severity issue leading to potential information disclosure and has proposed a microcode update for mitigation. However, this fix might reduce system performance by up to 50%. The company also notes that newer processors like Alder Lake and Sapphire Rapids are not impacted.

Inception, another attack method, targets AMD Zen CPUs, including Zen 4 processors, by leaking kernel memory. This method is based on Phantom speculation and Training in Transient Execution (TTE), similar to Spectre-V2 and Retbleed attacks.

Additionally, a new approach named Collide+Power poses a threat across various processor types. It works by combining attacker-controlled data with data from other applications in the CPU’s internal memory system, so that the combination leaks through the processor’s power consumption. The technique can leak data across programs and security domains, although current leakage rates are relatively low.

These discoveries underscore the ongoing challenge in the tech industry of maintaining a balance between optimizing performance and ensuring robust security. As processors become more advanced, they also become more vulnerable to sophisticated attacks, making it crucial for manufacturers and users to stay vigilant and employ necessary security measures.

Use of EvilProxy Phishing Kit to Attack Executives
http://192.168.11.11/use-of-evilproxy-phishing-kit-to-attack-executives/
Wed, 22 Nov 2023 13:04:27 +0000


Increasingly, cybercriminals are exploiting a phishing toolkit named EvilProxy for account takeover attacks, especially targeting high-level executives in large companies. Proofpoint reports that from March to June 2023, a campaign using EvilProxy targeted thousands of Microsoft 365 accounts, sending around 120,000 phishing emails to various organizations. Remarkably, 39% of compromised accounts belonged to C-level executives, with CEOs and CFOs being significant targets. These attacks often focus on individuals with access to financial or sensitive information.

EvilProxy, first identified by Resecurity in September 2022, is known for its capability to breach accounts across multiple platforms, including Apple iCloud, Google, Microsoft, and social media sites. Available on a subscription basis, it costs about $400 to $600 monthly, with higher prices for targeting specific platforms like Google.

These Phishing-as-a-Service (PhaaS) toolkits represent an evolution in cybercrime, enabling less technically skilled criminals to execute sophisticated phishing schemes easily. These kits offer features like bot and proxy detection, making them more effective and accessible.

The recent attack wave begins with phishing emails disguised as messages from trusted services, leading victims to fake login pages that capture their credentials. Interestingly, the campaign avoids targeting users from Turkish IP addresses, possibly indicating the attackers’ origin.

Successful account takeovers lead to further exploitation, like adding new MFA methods for sustained access, conducting financial fraud, stealing data, or selling the accounts. Even with MFA, these sophisticated attacks pose a significant threat.

Parallel to this, Imperva uncovered a Russian-based phishing campaign targeting credit card and bank information via WhatsApp since May 2022. This scam involves creating fake websites mimicking legitimate ones across various languages and industries.

Another tactic, as eSentire notes, involves targeting marketing professionals on LinkedIn to distribute HawkEyes, a .NET-based malware loader, which then deploys Ducktail, a malware focused on hijacking Facebook Business accounts. The attackers manipulate these accounts for unauthorized access and potential exploitation.

TargetCompany Ransomware Strikes Again: New Variant and Covert Tools Unveiled
http://192.168.11.11/targetcompany-ransomware-strikes-again-new-variant-and-covert-tools-unveiled/
Wed, 22 Nov 2023 12:59:28 +0000


The TargetCompany ransomware, also known as Mallox, Fargo, and Tohnichi, is actively targeting organizations that are running vulnerable SQL servers.

Additionally, the TargetCompany ransomware has recently introduced a new variant of malware, along with several malicious tools for maintaining persistence and conducting covert operations, which are rapidly gaining popularity.

Cybersecurity researchers at Trend Micro have identified an ongoing campaign that links Remcos RAT with the TargetCompany ransomware. Compared with previous instances, these new deployments use fully undetectable packers. Telemetry data and external threat-hunting sources provided early samples during the development phase, and the researchers have also identified a victim of this targeted technique.

The infection chain follows a pattern similar to previous cases: the latest TargetCompany ransomware first exploits weak SQL servers for initial access, then tries to establish persistence through various methods, including altering URLs or paths until Remcos RAT executes successfully.

When initial attempts are thwarted, threat actors turn to fully undetectable (FUD) packed binaries. The FUD packer used by Remcos and TargetCompany ransomware is reminiscent of BatCloak, featuring a batch file outer layer followed by PowerShell for decoding and executing LOLBins.

Notably, this variant incorporates Metasploit (Meterpreter), which is an unexpected move by this group. Their usage of Metasploit serves various purposes, such as querying/adding a local account, deploying GMER, IObit Unlocker, and PowerTool (or PowTool). Subsequently, Remcos RAT proceeds to its final phase, downloading and activating TargetCompany ransomware while maintaining FUD packing.

FUD Packing gained attention in an earlier wave that exploited OneNote, employing the PowLoad and CMDFile technique with an actual payload. The ‘cmd x PowerShell loader’ gained popularity and was eventually adopted by TargetCompany ransomware operators in February 2022.

Although the CMDFiles initially seemed similar, they were used by different malware families like AsyncRAT, Remcos, and TargetCompany ransomware. Differences emerged during execution, as AsyncRAT employed decompression and decryption, while Remcos and TargetCompany loaders solely decompressed the payloads.

An examination of network links related to PowerShell revealed a new TargetCompany ransomware variant linked to the second version with a ‘C&C connection’ using ‘/ap.php.’

The use of FUD by malware threat actors allows them to evade security solutions, particularly off-the-shelf technologies that are susceptible to broader threats. It is speculated that more packers could emerge, so early detection is crucial for countering FUD packers due to their unconventional coding flow.

Recommendations:

  1. Enable firewall protection.
  2. Limit access to your systems.
  3. Change default ports for added security.
  4. Implement secure account management practices.
  5. Use strong passwords.
  6. Enforce account lockout policies.
  7. Regularly review and deactivate unwanted SQL CLR assemblies.
  8. Encrypt data in transit.
  9. Monitor SQL server activity.
  10. Keep your system and installed software up to date with the latest updates and patches.

ETH Zurich Leads Cybersecurity Innovation with New Inception Exploit Discovery
http://192.168.11.11/eth-zurich-leads-cybersecurity-innovation-with-new-inception-exploit-discovery/
Wed, 15 Nov 2023 12:16:08 +0000

Researchers at ETH Zurich have uncovered a new exploit attack named “Inception,” reminiscent of the 2018 Spectre attack. Identified as CVE-2023-20569, this exploit poses a threat to any AMD Zen CPU by potentially leaking sensitive data.

Inception was revealed shortly after the discovery of “Zenbleed,” another critical vulnerability targeting AMD Zen 2 processors. This new exploit is a type of transient execution attack, emerging from a combination of the previously identified Phantom speculation attack (CVE-2022-23825) and Training in Transient Execution (TTE). Inception manipulates the CPU into misinterpreting an XOR instruction as recursive, leading to a stack buffer overflow and enabling the leakage of data from unprivileged processes on AMD Zen CPUs. Notably, it can circumvent all existing mitigations for speculative execution attacks.

The threat posed by Inception is significant, particularly in cloud computing environments where multiple organizations share hardware infrastructure. This vulnerability could compromise data integrity across various virtual platforms, cloud providers, and hardware manufacturers.

In response, AMD has acknowledged the potential for the attack to be triggered by malware, though they have not identified any instances of this occurring in the wild. The company recommends that users maintain up-to-date software and employ malware detection tools. To mitigate the threat, AMD has released microcode updates for “Zen 3” and “Zen 4” CPU architectures. “Zen” and “Zen 2” CPUs are reportedly safe due to their inherent design, which flushes branch-type predictions. Furthermore, AMD plans to issue updated AGESA versions to OEMs, ODMs, and motherboard manufacturers, as detailed in their security bulletin.

Cybercriminals Exploit Cloudflare Tunnels to Create Hidden Digital Strongholds
http://192.168.11.11/cybercriminals-exploit-cloudflare-tunnels-to-create-hidden-digital-strongholds/
Wed, 15 Nov 2023 12:12:51 +0000


Recent findings indicate that cybercriminals are exploiting Cloudflare Tunnels to create hidden communication paths from hacked systems, maintaining ongoing access. Cloudflared, a command-line tool for Cloudflare Tunnel, is notably similar to ngrok, but offers more free features, including hosting TCP connections. It enables secure links between a web server and Cloudflare, concealing server IP addresses and guarding against DDoS and brute-force attacks.

For attackers with elevated access on a compromised host, this presents an opportunity to establish a foothold by generating a token and setting up a tunnel from the infected machine. They can then reconfigure the tunnel through the Cloudflare Dashboard, enabling activity on the target machine and disabling it again to avoid detection.

A concerning aspect is the use of the tunnel’s Private Networks feature by adversaries to access a network’s IP addresses secretly, effectively being on the same network as the compromised host. This technique has been employed in real-world attacks, as seen in two separate incidents targeting the Python Package Index (PyPI) repository, where malicious packages downloaded cloudflared for remote access via a Flask web application.

To counteract this misuse, organizations using Cloudflare can limit their services to specific data centers and set up alerts for unexpected Cloudflared tunnel traffic. Additionally, implementing robust logging to track unusual commands, DNS queries, and outbound connections, and blocking downloads of the cloudflared executable are recommended for detecting unauthorized tunnel usage.
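The logging recommendations above, as an added detection example that is not part of the original post or of Cloudflare's tooling: it runs over constructed endpoint telemetry and flags tunnel command lines on unapproved hosts, lookups of the tunnel service domains (assumed suffixes, verify against Cloudflare's documentation), and downloads of the cloudflared release binary.

```python
"""Flag signs of an unapproved cloudflared tunnel in endpoint telemetry.

Added example, not code from the original post or from Cloudflare. The log
format is constructed (space-separated key=value with quoted values). The
`tunnel run` / `tunnel --url` argument forms are cloudflared's own; the
argotunnel.com and trycloudflare.com suffixes are the tunnel service domains as
I know them and should be checked against Cloudflare's current documentation.
"""
import re
from typing import Dict, List

# Hosts where a tunnel is expected; anything else is "unexpected" per the article.
APPROVED_TUNNEL_HOSTS = {"edge-gw01"}
TUNNEL_DOMAIN_SUFFIXES = (".argotunnel.com", ".trycloudflare.com")  # assumed
TUNNEL_ARGS = re.compile(r"\btunnel\b.*?(\brun\b|--url\b|--token\b)")
CLOUDFLARED_DOWNLOAD = "github.com/cloudflare/cloudflared/releases"
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed telemetry: one approved tunnel, one renamed binary run from a user
# profile, one tunnel DNS lookup, one download of the binary, and benign noise.
SAMPLE_LOG = r'''
2023-08-07T10:00:01Z host=edge-gw01 type=process user=svc-tunnel cmdline="C:\Program Files\cloudflared\cloudflared.exe tunnel run corp-ingress"
2023-08-07T10:03:12Z host=ws042 type=process user=jdoe cmdline="C:\Users\jdoe\AppData\Local\Temp\update.exe tunnel run --token TOKEN_PLACEHOLDER"
2023-08-07T10:03:13Z host=ws042 type=dns user=jdoe query=region1.v2.argotunnel.com
2023-08-07T10:04:40Z host=ws042 type=dns user=jdoe query=www.example.com
2023-08-07T10:05:02Z host=ws077 type=http user=asmith url=https://github.com/cloudflare/cloudflared/releases/latest
2023-08-07T10:06:30Z host=ws077 type=process user=asmith cmdline="C:\Windows\System32\notepad.exe notes.txt"
'''

def parse(line: str) -> Dict[str, str]:
    """Split one log line into a dict; quoted values keep their spaces."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, value in KV.findall(rest):
        fields[key] = value.strip('"')
    return fields

def inspect(event: Dict[str, str]) -> str:
    """Return a reason string if the event looks like tunnel activity, else ''."""
    host = event.get("host", "")
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        # Match on arguments, not just the image name: the binary may be renamed.
        if TUNNEL_ARGS.search(cmd) and host not in APPROVED_TUNNEL_HOSTS:
            return "tunnel command line on unapproved host"
    elif kind == "dns":
        query = event.get("query", "").lower()
        if query.endswith(TUNNEL_DOMAIN_SUFFIXES) and host not in APPROVED_TUNNEL_HOSTS:
            return "DNS lookup of tunnel service domain"
    elif kind == "http":
        if CLOUDFLARED_DOWNLOAD in event.get("url", ""):
            return "download of cloudflared release"
    return ""

def detect(log: str) -> List[Dict[str, str]]:
    """Run every non-empty line through inspect() and collect the hits."""
    hits = []
    for line in log.strip().splitlines():
        event = parse(line)
        reason = inspect(event)
        if reason:
            hits.append({"ts": event["ts"], "host": event.get("host", ""), "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```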

Mozilla VPN Client on Linux Exposed to Unauthorized Configuration Changes
http://192.168.11.11/mozilla-vpn-client-on-linux-exposed-to-unauthorized-configuration-changes/
Wed, 15 Nov 2023 12:05:39 +0000

A vulnerability in the Mozilla VPN client for Linux allows attackers to modify the VPN configuration of other users without root permissions.

The Mozilla VPN client for Linux has a vulnerability that enables any user on a system with the client installed to apply arbitrary VPN configurations due to a flaw in authentication checks. Matthias Gerstner, a security engineer at Suse, discovered this security flaw and reportedly informed Mozilla about it on May 4th, according to The Register.

This vulnerability allows malicious actors to manipulate existing VPN setups or establish new ones, potentially rerouting the target system’s network traffic through a specific server where it can be intercepted and analyzed.

Any User Can Modify VPN Configuration

As Gerstner explains in a post on Openwall, he was able to trace the security loophole to version 2.14.1 of the Mozilla VPN client. The issue appears to be an inadequately implemented Polkit (formerly PolicyKit) authorization logic in the privileged process “mozillavpn linuxdaemon”. The code executed within it asks the Polkit authorization service whether the D-Bus service, rather than the requesting user, is authorized to change the state of the VPN connection. “Since the D-Bus service of Mozilla VPN runs as root, this will always be the case,” Gerstner notes, regardless of which user initiated the change and what privileges they have.

As a result, an attacker could specifically reroute network traffic and make the user believe they have a secure VPN connection. Additionally, the vulnerability could be used to “execute a denial-of-service against an existing VPN connection or other integrity violations.”

The fact that this security flaw has become public without a patch being available is attributed to questionable communication on Mozilla’s part. Since the SUSE team did not receive a reliable statement for a “coordinated disclosure,” they decided to publish the details of the vulnerability on August 3rd – 90 days after Mozilla was first informed of the issue.

When asked by The Register, a Mozilla spokesperson stated that the exact timeline was uncertain, but the organization is expected to release further information about the security flaw, registered as CVE-2023-4104, on the upcoming Monday.
