Forgotten Boa, Aurora botnet, Kerberos & Twitter - Nov 19th-25th - F5 SIRT - This Week in Security
Hello there, Arvin is your editor for the F5 SIRT This Week in Security edition covering news from 19th to 25th November.
First on the list, an investigation by Microsoft into forgotten Boa web servers deployed in the energy sector and targeted by an APT in previous research. Boa Web Server has been discontinued since 2005 and likely carries unfixed vulnerabilities; as noted, CVEs were found in 2017 and 2021. Nevertheless, per the report, it is still used by IoT devices and is a hot target. Ideally, vendors of IoT devices should not use obsolete software where fixing vulnerabilities and security issues is next to impossible. As a general best practice, secure access to the management and application interfaces of these IoT devices by only allowing expected and trusted users, networks and peer IoT devices to reach them, in a secure mesh. F5 has a reference solution on IoT security that customers may consider. NIST also has multiple guidance documents on securing IoT environments.
Bot herders constantly scan the internet for vulnerable systems, the obsolete Boa web server among them; once compromised, a system can be made part of a bot network. While not necessarily (maybe?) targeting Boa devices directly to add to its bot herd, Aurora, a multi-purpose botnet, has been adopted by multiple cybercriminals over the past few months and has gained popularity among threat actors. The Aurora malware botnet has multiple features: an infostealer targeting data from browsers, cryptocurrency wallets and local systems, and a loader. Based on the referenced research, threat actors and traffers using Aurora target Windows machines and steal valuable data from the compromised system; the initial delivery is by enticing a victim to access a video link. As an end user with potentially valuable data, it is important to be mindful of the links being accessed and, when in doubt, don't click. Follow your IT organization's security policies in the event of similar incidents, such as phishing attempts.
Fixing, breaking and fixing Kerberos authentication in Windows Server. Microsoft released an out-of-band update to fix sign-in failures and other Kerberos authentication issues. The initial breakage was introduced by the Kerberos fixes released in the November Patch Tuesday. This issue affected Domain Controllers. All sorts of problems happen when a Windows Domain Controller is unavailable to authenticate clients and applications, so, like any good Windows system administrator, it would be best to install the update.
Twitter is in the news as it will grant amnesty to previously suspended accounts. The way I read it, it’s a business decision. See tweet link from Mr. Musk below.
Users of the sports betting site DraftKings had an account takeover security event recently, as user passwords from a previous breach may have been used through credential stuffing. As end users of services, while easier said than done, users should never resort to password reuse, as this can lead to account takeover when a correct password is found and used on another site. At a minimum, use strong and unique passwords. Multi-factor authentication should also be used in tandem with password authentication, and most sites support it. As the issue was initiated through credential stuffing, F5 Distributed Cloud has excellent features combatting application attacks, in particular credential stuffing. Have a look at F5 Distributed Cloud Client-Side Defense.
CISA updated a very informative document, the Infrastructure Resilience Planning Framework. The IRPF "is meant for state, local, tribal, and territorial (SLTT) entities looking to include critical infrastructure security and resilience in their planning, in the face of evolving threats." I say it is very informative because, on my initial read, it "can be used by any organization to improve resilience planning". The PDF link is included below. See page 41 to the last page for a summary of the processes and terms used in the document.
I hope the security news I picked is helpful to you and widens our range of security knowledge. Till next time! Stay safe and secure!
We in F5 SIRT invest a lot of time to understand the frequently changing behaviour of bad actors. Bad actors are a threat to your business, your reputation, and your livelihood. That's why we take the security of your business seriously. When you're under attack, we'll work quickly to effectively mitigate attacks and vulnerabilities, and get you back up and running. So next time you are under a security emergency, please contact F5 SIRT.
Forgotten Boa Web Server targeted
Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.
In 2021, threat intelligence company Recorded Future reported seeing a Chinese threat group targeting operational assets within India’s power grid. In April 2022, the cybersecurity firm published a new report describing attacks launched by a different Chinese state-sponsored threat actor against organizations in India’s power sector.
Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.
Microsoft has analyzed the IP addresses included in those IoCs and determined that they hosted Boa, an open source web server designed for embedded applications. The problem is that Boa has been discontinued since 2005, but it’s still present in many IoT devices.
“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa,” Microsoft said in a blog post.
A Shodan search reveals hundreds of thousands of internet-exposed Boa web servers, including many in South Korea, Taiwan and the United States.
While Boa is no longer maintained, vulnerabilities are still being found in the web server, such as CVE-2017-9833, which allows arbitrary file access, and CVE-2021-33558, which can lead to information disclosure.
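The Shodan figure above is the internet's view; the same question asked of your own estate is whether any device answers with a Boa banner. The following is an added example (not code from the article, Microsoft or Recorded Future) that scans captured HTTP response headers for Boa's Server header and reports the host and version; the response samples and addresses are constructed for illustration.

```python
import re

# Constructed HTTP responses, as an asset-inventory tool might record them
# from the management interfaces of devices on an internal network.
# Hosts are documentation addresses, not real systems.
SAMPLE_RESPONSES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nServer: Boa/0.94.14rc21\r\n"
                  "Content-Type: text/html\r\n\r\n<html>...</html>",
    "192.0.2.11": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.0\r\n\r\n",
    "192.0.2.12": "HTTP/1.0 401 Unauthorized\r\n"
                  "WWW-Authenticate: Basic realm=\"camera\"\r\n"
                  "Server: Boa/0.93.15\r\n\r\n",
    "192.0.2.13": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nok",
}

# Server header is case-insensitive; MULTILINE lets ^/$ work per header line.
SERVER_RE = re.compile(r"^Server:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)

def server_banner(raw):
    """Return the value of the Server header, or None if the response has none.
    Only the header block (before the blank line) is inspected, so a body that
    happens to contain the text 'Server:' cannot produce a false hit."""
    head = raw.split("\r\n\r\n", 1)[0]
    m = SERVER_RE.search(head)
    return m.group(1) if m else None

def find_boa_hosts(responses):
    """Return {host: version} for every host whose Server header identifies Boa.
    Boa has had no upstream maintenance since 2005, so any hit is an end-of-life
    component: restrict who can reach it and plan its replacement."""
    hits = {}
    for host, raw in responses.items():
        banner = server_banner(raw)
        if banner is None:
            continue
        m = re.match(r"Boa/(\S+)", banner, re.IGNORECASE)
        if m:
            hits[host] = m.group(1)
    return hits
```

A device whose firmware strips or rewrites the Server header will not appear in the result, so treat an empty list as "no banner seen", not "no Boa present".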
Aurora Botnet gaining popularity among threat actors
Aurora, a multi-purpose botnet being advertised on underground forums since April, has been adopted by multiple cybercriminals over the past few months, cybersecurity firm Sekoia.io reports.
Packing information stealing, remote access, and downloader capabilities, the malware is written in Golang and initially emerged on Russian-speaking underground forums, being offered as a malware-as-a-service (MaaS) by a threat actor calling themselves ‘Cheshire’.
“Aurora is another infostealer targeting data from browsers, cryptocurrency wallets, local systems, and acting as a loader. As multiple threat actors, including traffers teams, added the malware to their arsenal, Aurora Stealer is becoming a prominent threat. [T]hreat actors widely distribute it using multiple infection chains including phishing websites masquerading legitimate ones, YouTube videos and fake “free software catalogue” websites,” Sekoia.io concludes.
Traffers are threat actors playing a key role in the augmentation of the threat surface, and more generally in non-legitimate traffic generation. SEKOIA observed hundreds of advertisements aiming at recruiting traffers to distribute information stealers. Further investigation led us to identify a structure and a common modus operandi to most traffers teams distributing stealers.
https://www.securityweek.com/multi-purpose-botnet-and-infostealer-aurora-rising-fame
https://blog.sekoia.io/traffers-a-deep-dive-into-the-information-stealer-ecosystem/
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar/
Fixing and breaking and fixing Kerberos Authentication in Windows Server
Microsoft is rolling out fixes for problems with the Kerberos network authentication protocol on Windows Server after it was broken by November Patch Tuesday updates.
Updates released November 8 or later that were installed on Windows Server with the Domain Controller duties of managing network and identity security requests disrupted Kerberos authentication capabilities, ranging from failures in domain user sign-ins and Group Managed Service Accounts authentication to remote desktop connections not connecting.
Microsoft issued emergency out-of-band (OOB) updates that can be installed on all Domain Controllers, saying that users don't need to install other updates or make changes to other servers or client devices to resolve the issue. Also, any workarounds used to mitigate the problem are no longer needed and should be removed.
https://www.theregister.com/2022/11/21/microsoft_kerberos_fix_windows/
https://learn.microsoft.com/en-us/windows/release-health/windows-message-center#2961
Twitter Account Amnesty
Twitter CEO Elon Musk has decided to allow suspended accounts back onto the micro-blogging service.
Musk used the same process for this decision as he did when restoring access to a Florida Man who once held high elected office in the US – an utterly unscientific and easy to manipulate poll of Twitter users.
The amnesty comes despite Musk having previously promised to form a content moderation council before making any decision about reinstating accounts.
https://www.theregister.com/2022/11/25/twitter_suspeded_account_amnesty/
Sports Betting site credential stuffing attack results in dollars lost
A credential stuffing attack that affected sports betting biz DraftKings resulted in as much as $300,000 being stolen from customer accounts.
The Boston-based company said that its systems were not breached but that the login information of the impacted customers was stolen elsewhere and applied to their DraftKings accounts, where the same passwords were reused.
"Hacked, account drained, and an automated email response" from DraftKings, one customer wrote on Reddit. "2FA was set up without a user's permission, redirected to an unknown phone number and now we can't log in to our account."
Another wrote: "Fortunately for me they didn't get the chance to withdraw. Tried to deposit $5 and it failed, so they couldn't withdraw through the card. All support has done is 'restrict my account' so they can 'investigate' we'll see what happens."
This is only the latest cautionary tale about the dangers of using the same login data for multiple online accounts, and it helps to fuel the demand by some tech vendors like Microsoft, Google, and Apple for the industry to move away from passwords as an authentication tool and toward alternatives, such as face or fingerprint scanning.
F5 Distributed Cloud has excellent features combatting application attacks – in particular, against credential stuffing. Have a look at F5 Distributed Cloud Client-Side Defense.
https://www.theregister.com/2022/11/22/draftkings_credential_stuffing_attack/
https://www.f5.com/cloud/products/client-side-defense
CISA Infrastructure Resilience Planning Framework update
The US Cybersecurity and Infrastructure Security Agency (CISA) this week announced the addition of new tools and guidance to the Infrastructure Resilience Planning Framework (IRPF).
Initially released in 2021, the IRPF (PDF) is meant for state, local, tribal, and territorial (SLTT) entities looking to include critical infrastructure security and resilience in their planning, in the face of evolving threats. IRPF can be used by any organization to improve resilience planning.
The framework can help understand and communicate on how the community benefits from infrastructure resilience; identify the impact of threats and hazards; prepare relevant entities for evolving threats and hazards; integrate critical infrastructure security and resilience into planning and investment decisions; and recover faster from disruptions.
“This dataset provides users with guidance on how and where to find publicly accessible geospatial information system (GIS) on critical infrastructure assets via the Homeland Infrastructure Foundation-Level Data (HIFLD) site, as well as several other GIS sites,” CISA explains.
https://www.securityweek.com/cisa-updates-infrastructure-resilience-planning-framework
Regarding "Sports Betting site credential stuffing attack results in dollars lost"
Aside from the "F5 Distributed Cloud Client-Side Defense" mitigation for the account takeover attempts, I would also suggest looking at "F5 Distributed Cloud Bot Defense".
Distributed Cloud Bot Defense protects against a broad set of bot-based attacks including credential stuffing, account takeover, fraud, and account abuse.