In both cases, initial access was made through TeamViewer from the same source point, as explained by security researchers at Huntress. This suggests that the same threat actor was responsible for these access attempts. Evidence of this was found by the researchers in a log file named connections_incoming.txt generated by the remote access tool.

Indications of Lockbit 3.0 Deployment The ransomware execution occurred through a batch file named PP.bat placed on the desktops of the compromised systems. While the attack on the first system seems to have been successful but limited to that system, on the second system, security software prevented the encryption of data despite multiple attempts by the attacker to execute the ransomware.

The specific ransomware used is not disclosed by the Huntress researchers. However, according to Bleeping Computer, indications from the researchers suggest that the malware was based on Lockbit 3.0. A ransomware builder for Lockbit 3.0 was released as early as 2022, and since then, various hacker groups have been utilizing this ransomware developed by the Lockbit gang.

Insecure Passwords as a Possible Entry Point It remains unclear how exactly the attacker managed to take control of the respective TeamViewer instances. The manufacturer of the remote support software told Bleeping Computer that most cases of unauthorized access are due to loosened default security settings of TeamViewer, including the use of insecure passwords, which is only possible in outdated versions of the software.

Indeed, there have been cases in the past where attackers utilized access credentials obtained from known data breaches to take over TeamViewer accounts and infiltrate associated devices. Additionally, trojanized versions of the remote support tool have been circulated to take over remote systems. Therefore, the recent attacks do not necessarily imply a vulnerability in TeamViewer.

The developer of the software recommends users to protect their systems by using complex passwords and two-factor authentication, regularly updating the tool, and restricting access to connected machines through the Allowlist feature. An article detailing best practices for secure unattended access via TeamViewer is available on the provider’s website.

The vulnerability arises due to the use of an insecure function, enabling malicious actors to overwrite arbitrary memory. The affected versions include various iterations prior to 20.4R3-S9, 21.2R3-S7, 21.3R3-S5, 21.4R3-S5, 22.1R3-S4, 22.2R3-S3, 22.3R3-S2, 22.4R2-S2, 22.4R3, 23.2R1-S1, 23.2R2, 23.4R1, and later.

As interim measures until the patches are applied, users are advised by Juniper Networks to either disable J-Web or limit access solely to trusted hosts.

Additionally, Juniper Networks has addressed a high-severity bug in Junos OS and Junos OS Evolved, identified as CVE-2024-21611 with a CVSS score of 7.5. This vulnerability, exploitable by an unauthenticated, network-based attacker, could lead to a DoS scenario.

Although there’s no evidence of active exploitation in the wild, Juniper Networks encountered multiple security vulnerabilities in its SRX firewalls and EX switches in the previous year, which were exploited by threat actors. Data from Censys, an attack surface management firm, indicates that as of January 11, 2024, more than 11,500 J-Web interfaces are accessible online, with a significant number located in South Korea, the U.S., Hong Kong, China, and India.

CVE-2023-6548 could potentially enable remote code execution (RCE) within the appliances’ management interface. Despite its low 5.5 CVSS rating for an RCE bug, it necessitates the attacker to be authenticated, albeit with low-level privileges, and to possess access to NetScaler IP (NSIP), Subnet IP (SNIP), or cluster management IP (CLIP) with management interface access.

Furthermore, this vulnerability remains non-exploitable if the management console and related technologies are not configured for exposure to the public internet, as NetScaler’s configuration guidelines recommend it to be set up solely on a private network. TLDR: Adhering to Citrix’s instructions should ensure the safety of your appliances.

The downside? As per Shadowserver, just over 1,400 Netscaler management interfaces are exposed on the internet as of Wednesday afternoon.

The second bug, identified as CVE-2023-6549, could potentially trigger a denial-of-service attack, boasting an 8.2 CVSS rating. A successful exploit necessitates the appliance to be configured as a gateway (e.g., VPN virtual server, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server providing authentication, authorization, and accounting controls.

“Exploits of these CVEs on unmitigated appliances have been observed,” according to a Tuesday security alert from Citrix.

These flaws solely impact customer-managed NetScaler ADC and NetScaler Gateway, hence customers utilizing Netscaler-managed services need not fret about any of this.

Affected products include:

Customers are advised to install updated versions: “We recommend immediate application of fixes,” according to the vendor’s guidance.

In response to The Register’s inquiries, Citrix mentioned being aware of “only a limited number of exploits in the wild.”

“The vulnerabilities only apply to customer-managed instances and do not apply to cloud managed services,” the vendor added. “NetScaler recommends customers apply the fixes quickly before the exploitation becomes widespread.”

The US Cybersecurity and Infrastructure Security Agency has promptly added the two vulnerabilities to its Known Exploited Vulnerabilities Catalog.

And while this may evoke memories of Citrix-Bleed, the vendor assures that these new bugs under attack are unrelated to that zero-day. Citrix Bleed, of course, is the critical information-disclosure bug affecting NetScaler ADC and NetScaler Gateway, disclosed in October and utilized to infect victims with ransomware and pilfer, among other data, millions of Comcast Xfinity subscribers’ personal information.

Unlike Citrix Bleed, the latest security flaws do not facilitate data exfiltration, rendering them less appealing to potential digital thieves and ransomware crews.

A couple of Tenable security research engineers offered insights on the vulnerabilities. Satnam Narang and Scott Caveza noted that although these mark the second and third zero-days for Citrix appliances in the last four months, “the impact from these two new zero-day vulnerabilities is not expected to be as significant as Citrix Bleed.”

“Nonetheless, organizations employing these appliances in their networks should apply the available patches as soon as possible,” the duo added.

According to the Microsoft-owned subsidiary, the issue came to their attention on December 26, 2023. They promptly addressed the problem on the same day and rotated all conceivably compromised credentials as a proactive measure.

The rotated keys encompass various crucial aspects such as the GitHub commit signing key, GitHub Actions, GitHub Codespaces, and Dependabot customer encryption keys. Consequently, users relying on these keys are advised to import the updated versions.

Despite the severity of the vulnerability, identified as CVE-2024-0200 with a CVSS score of 7.2, there is no indication of it being previously exploited in the wild. GitHub’s Jacob DePriest emphasized that while the vulnerability also affects GitHub Enterprise Server (GHES), exploitation necessitates an authenticated user with an organization owner role logged into an account on the GHES instance, thereby mitigating potential risks significantly.

Additionally, GitHub addressed another critical bug, tracked as CVE-2024-0507 with a CVSS score of 6.5, which could allow an attacker with access to a Management Console user account with the editor role to elevate privileges through command injection.

These measures follow a previous incident where GitHub replaced its RSA SSH host key, used for securing Git operations, due to brief exposure in a public repository, demonstrating the company’s commitment to proactive security measures.

Initially observed by Lacework in December 2022, AndroxGh0st, a Python-based malware, has spawned similar tools such as AlienFox, GreenBot (also known as Maintance), Legion, and Predator.

This cloud attack tool can breach servers with known vulnerabilities to access Laravel environment files and pilfer credentials from prominent applications like AWS, Microsoft Office 365, SendGrid, and Twilio.

Among the vulnerabilities exploited are CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).

Lacework highlighted AndroxGh0st’s capabilities in SMTP abuse, including scanning, exploiting exposed credentials and APIs, and deploying web shells. Specifically for AWS, the malware scans and parses AWS keys, and can even generate keys for brute-force attacks.

Compromised AWS credentials are utilized to create new users, user policies, and, in some cases, set up new AWS instances for further malicious scanning activities.

These functionalities render AndroxGh0st a formidable threat capable of downloading additional payloads and maintaining persistent access to compromised systems.

Alex Delamotte, a senior threat researcher at SentinelLabs, noted the prevalence of AndroxGh0st-related user-agent strings in network connections scanning honeypots. Delamotte praised CISA’s issuance of an advisory against such threats, highlighting the rarity of cloud-focused malware advisories.

This advisory coincides with the recent revelation by SentinelOne regarding a distinct tool named FBot, employed by attackers to breach web servers, cloud services, content management systems, and SaaS platforms.

Delamotte emphasized the trend of the cloud threat landscape borrowing code from various tools, integrating them into a comprehensive ecosystem, exemplified by AlienFox and Legion leveraging AndroxGh0st and FBot, respectively.

The alert follows NETSCOUT’s report of a significant surge in botnet scanning activity since mid-November 2023, peaking at nearly 1.3 million distinct devices on January 5, 2024. The majority of source IP addresses are traced back to the U.S., China, Vietnam, Taiwan, and Russia.

NETSCOUT’s analysis revealed a rise in the use of inexpensive or free cloud and hosting servers by attackers to establish botnet launch pads, leveraging trials, free accounts, or low-cost accounts to maintain anonymity and minimize overhead.