Log-in attacks, Ransomware gangs, Autohack with LLMs-Feb 18-24, 2024- F5 SIRT- This Week in Security

Hello 2024, Arvin here as your editor for this edition. As this is my first TWIS this year, let me start with "Let's keep our organizations secured, shall we?"


1st on the list of news for This Week In Security covering  Feb 18-24 2024, a report from IBM X-Force and CrowdStrike where they report that a huge surge in cyber attacks are using valid credentials and other techniques spoofing legitimate users. "Threat actors have really focused on identity – taking a legitimate identity, logging in as a legitimate user, and then laying low, staying under the radar by living off the land and using legitimate tools,".  F5 can help in preventing brute force, credential stuffing / reuse attacks. BIG-IP ASM/Adv WAF security policy and rich functionalities in F5 Distributed Cloud surely can fit any deployment and offer mitigations.

Next is ConnectWise's critical bug - an authentication bypass and a path traversal combo. There is no mitigation. Only an upgrade to a fixed version mitigates the vulnerability. This vulnerability is an RCE and can allow an attacker to take over a vulnerable installation. The week prior, MS also released  CVE-2024-21410, a critical cve on MS Exchange. Patching and enabling  Extended Protection for Authentication (EPA) for Exchange Servers mitigates the vulnerability.

A research on LLMs auto-hijacking websites - I'm not surprised that it will come to this at some point. LLMs provisioned with tools for accessing APIs, automated web browsing, and feedback-based planning can be weaponized to exploit websites with vulnerabilities.  Like in the 1st news, if the door is open (in the 1st news was for use of valid, leaked credentials) - meaning vulnerabilities are present in the first place, it will be easier for attackers to abuse them. So as I shared in my previous TWIS, keep systems up to date and secure access to your applications. Stand up BIG-IP ASM/Adv WAF Security Policies , DoS and Bot Defense profiles or F5 Distributed Cloud services will help in providing mitigations for your web applications, regardless if it was manually or automatically delivered exploits.

ALPHV, the notorious ransomware gang we have seen in previous TWIS editions is still wreaking havoc. "The advice from both CISA and the FBI is that victims should not pay ransom demands to cybercriminals" is sound advice and I think is the key takeaway. Prevention starts at keeping systems up to date and secured, implementing security controls such as MFA, network segmentation, WAFs (ASM/Adv WAF/NGINX App protect/F5 XC), BIG-IP SSL Orchestrator (dynamic, policy-based decryption, encryption, and traffic steering through security inspection devices), BIG-IP AFM (FW, IPS/IDS, DoS protection) and similar solutions. Continuous improvement of Security Culture should also be on the top of the list - educating users on the threats of phishing, vhishing, smshing and many other social engineering attacks and developing good security hygiene and habits (locking your computer, prevent tailgating, reading security news like F5 SIRT TWIS!) can help prevent potential breaches. In similar news, "LockBit ransomware gang has over $110 million in unspent bitcoin". Surely it is currently stuck, and I do hope these paid ransom can be recovered, but, this is the result of paying ransom.

That’s it for This Week In Security. I hope you find it educational. Stay Safe and Secure!

Orgs are having a major identity crisis while crims reap the rewards

Identity-related threats pose an increasing risk to those protecting networks because attackers – ranging from financially motivated crime gangs and nation-state backed crews – increasingly prefer to log in using stolen credentials instead of exploiting vulnerabilities or social engineering.

In two separate reports published on Wednesday, IBM X-Force and security biz CrowdStrike found a huge surge in cyber attacks using valid credentials and other techniques spoofing legitimate users.

IBM's threat hunters found a 71 percent year-over-year increase in the volume of attacks using valid credentials in 2023. "And that's huge," Michelle Alvarez, a manager for IBM X-Force's strategic threat analysis team, told The Register.

Specifically, compromised valid accounts represented 30 percent of all incidents that X-Force responded to in 2023 – pushing that attack vector to the top of the list of cyber criminals' most common initial access points for the first time ever. X-Force also found that cloud account credentials make up 90 percent of for-sale cloud assets on the dark web.

Meanwhile phishing, also at 30 percent, tied with valid account abuse as the top initial access vector in 2023. However, the overall volume of phishing attacks was down by 44 percent compared to 2022 – which IBM attributes, in part, to the use of valid credentials to gain initial access.

"It was clear to us that last year, attackers were logging in versus hacking in," Alvarez said.

The X-Force 2024 Threat Intelligence Index is based on monitoring or more than 150 billion security events per day in more than 130 countries, plus data from its threat intel, incident response, red team and Red Hat Insights.

When the front door's open …

"Identity is the number one thing that organizations need to be thinking about," warned Adam Meyers, head of counter adversary operations at CrowdStrike. "Adversaries have figured out that it's the easiest and fastest way in."

CrowdStrike's 2024 Global Threat Report – gleaned from analyzing the 230 criminal groups that it tracks – found a similar uptick in identity-related threats. In addition to using stolen credentials, the security biz spotted attackers targeting API keys and secrets, session cookies and tokens, one-time passwords, and Kerberos tickets throughout last year.

"Threat actors have really focused on identity – taking a legitimate identity, logging in as a legitimate user, and then laying low, staying under the radar by living off the land and using legitimate tools," Meyers explained.

This echoes the security shop's earlier threat hunting report published in August, which found a 312 percent year-over-year increase in the use of remote monitoring and managing tools.

"These are tools that would likely be used by administrators, so less likely to be something that will catch attention – especially if it was deployed by a legitimate user," Meyers said. "Threat actors are really trying to camouflage themselves with legitimate behavior or things that look legitimate and are harder to peel away."

Beware the bears

Nation-state linked attackers also conducted their share of identity-based attacks last year.

One of the Kremlin's goon squads, Cozy Bear, has been conducting credential phishing campaigns using Microsoft Teams messages to steal MFA tokens for Microsoft 365 accounts since at least late May 2023.

Using valid credentials for initial access helps attacks evade detection. According to CrowdStrike, they typically obtain these legitimate identities via accidental credential leakage, brute-force attacks, phishing/social engineering, credential stealers, access brokers, insecure self-service password-reset services and insider threats.

"Then once they have that identity, they're able to enroll or bypass multi-factor authentication, and then move laterally," Meyers observed, noting that in some cases last year – ahem, Microsoft – MFA wasn't even deployed.

"Identity-based and social-engineering attacks are the number one thing that organizations are getting popped by," Meyers added. "And this continues to be the biggest problem."

Exploiting the latest max-severity ConnectWise bug is 'embarrassingly easy'

Infosec researchers say urgent patching of the latest remote code execution (RCE) vulnerability in ConnectWise's ScreenConnect is required given its maximum severity score.

The vulnerability has been given a maximum 10/10 CVSS rating by ConnectWise, one that outside researchers agree with given the potential consequences of a successful exploit.

In disclosing the maximum-severity authentication bypass vulnerability (CWE-288), ConnectWise also revealed a second weakness - a path traversal flaw (CWE-22) with an 8.4 severity rating.

The company's initial February 19 disclosure mentioned there being no evidence to suggest that the vulnerabilities, neither of which yet have CVE identifiers, were being actively exploited but this has since changed.

To achieve RCE, Huntress demonstrated its method to target the ScreenConnect setup wizard on machines that already had the software installed.

If an attacker is able to launch the setup wizard, they only need to partially complete the process – the part that registers the initial admin user to get things in motion. By registering the initial admin user and skipping the rest, the internal user database will be overwritten, deleting all local users except the one specified by the attacker.

"Once you have administrative access to a compromised instance, it is trivial to create and upload a malicious ScreenConnect extension to gain RCE," Huntress said. "This is not a vulnerability, but a feature of ScreenConnect, which allows an administrator to create extensions that execute .Net code as SYSTEM on the ScreenConnect server."

The path traversal vulnerability can also lead to Zip Slip attacks, the researchers said, but would require an attacker to have admin-level access in order to achieve RCE with it.

This vulnerability would be exploitable after taking advantage of the authentication bypass flaw, which itself would offer attackers RCE, so performing a Zip Slip attack wasn't exactly necessary.

"For on-premise users, we offer our strongest recommendation to patch and update to ScreenConnect version 23.9.8 immediately," Huntress said.

ConnectWise said it will be releasing fixed versions of releases 22.4 through 23.9.7 soon, but the recommendation is, like in most cases where possible, to upgrade to the latest available version.

It should be said that there are no temporary mitigation steps provided in lieu of patching so upgrading really is the only way out of this.

Data from internet monitoring biz Shadowserver indicates that there are around 3,800 vulnerable ConnectWise instances currently running, with the vast majority located in the US.


Crims found and exploited these two Microsoft bugs before Redmond fixed 'em

CVE-2024-21410: Elevation of privilege in Microsoft Exchange Server, which can be exploited by a remote unauthenticated miscreant to impersonate users. Patching this requires extra steps.

How to weaponize LLMs to auto-hijack websites

AI models, the subject of ongoing safety concerns about harmful and biased output, pose a risk beyond content emission. When wedded with tools that enable automated interaction with other systems, they can act on their own as malicious agents.

Computer scientists affiliated with the University of Illinois Urbana-Champaign (UIUC) have demonstrated this by weaponizing several large language models (LLMs) to compromise vulnerable websites without human guidance. Prior research suggests LLMs can be used, despite safety controls, to assist [PDF] with the creation of malware.

Researchers Richard Fang, Rohan Bindu, Akul Gupta, Qiusi Zhan, and Daniel Kang went a step further and showed that LLM-powered agents – LLMs provisioned with tools for accessing APIs, automated web browsing, and feedback-based planning – can wander the web on their own and break into buggy web apps without oversight.

They describe their findings in a paper titled, "LLM Agents can Autonomously Hack Websites."

"In this work, we show that LLM agents can autonomously hack websites, performing complex tasks without prior knowledge of the vulnerability," the UIUC academics explain in their paper.

"For example, these agents can perform complex SQL union attacks, which involve a multi-step process (38 actions) of extracting a database schema, extracting information from the database based on this schema, and performing the final hack."

In an interview with The Register, Daniel Kang, assistant professor at UIUC, emphasized that he and his co-authors did not actually let their malicious LLM agents loose on the world. The tests, he said, were done on real websites in a sandboxed environment to ensure no harm would be done and no personal information would be compromised.

"We used three major tools," said Kang. "We used the OpenAI Assistants API, LangChain, and the Playwright browser testing framework.

"The OpenAI Assistants API is basically used to have context, to do the function calling, and many of the other things like document retrieval that are really important for high performance. LangChain was basically used to wrap it all up. And the Playwright web browser testing framework was used to actually interact with websites."

The researchers created agents using 10 different LLMs: GPT-4, GPT-3.5, OpenHermes-2.5-Mistral-7B, LLaMA-2 Chat (70B), LLaMA-2 Chat (13B), LLaMA-2 Chat (7B), Mixtral-8x7B Instruct, Mistral (7B) Instruct v0.2, Nous Hermes-2 Yi (34B), and OpenChat 3.5.

The first two, GPT-4 and GPT-3.5, are proprietary models operated by OpenAI while the remaining eight are open source. Google's Gemini model, said to be at least as capable as GPT-4 in its latest iteration, was not available at the time.

The researchers had their LLM-agents probe test websites for 15 vulnerabilities, including SQL injection, cross-site scripting, and cross-site request forgery, among others. The open source models that were tested all failed.

But OpenAI's GPT-4 had an overall success rate of 73.3 percent with five passes and 42.7 percent with one pass. The second place contender, OpenAI's GPT-3.5, eked out a success rate of only 6.7 percent with five passes and 2.7 percent with one pass.

"That's one of the things we find very surprising," said Kang. "So depending on who you talk to, this might be called scaling law or an emergent capability. What we found is that GPT-4 is highly capable of these tasks. Every open source model failed, and GPT-3.5 is only marginally better than the open source models."


ALPHV gang claims it's the attacker that broke into Prudential Financial, LoanDepot

The ALPHV/BlackCat ransomware group is claiming responsibility for attacks on both Prudential Financial and LoanDepot, making a series of follow-on allegations against them.

Both US companies recently confirmed (here and here) cybersecurity incidents via Form 8-K filings with the Securities and Exchange Commission (SEC), but neither document mentioned the involvement of ransomware.

Neither company has had any of their stolen data leaked at this stage, although if negotiations continue to stall as ALPHV says they have (presuming its claims are true), then a data dump may not be too far away.

The advice from both CISA and the FBI is that victims should not pay ransom demands to cybercriminals, and in many cases this is followed.


  • Prioritize remediating known exploited vulnerabilities.
  • Train users to recognize and report phishing attempts.
  • Enable and enforce multifactor authentication.

When ransom demands aren't paid, however, victims are often "punished" by having their attacks publicized, before continued non-compliance with the criminals' demands leads to data disclosure. That's the double extortion model.

ALPHV has now made a number of inflammatory allegations against both victims, which of course should be taken with a substantial grain of salt given that they are indeed criminals.

In the case of Prudential Financial, the gang has alleged that the company fibbed in its regulatory filing, which claimed the attackers broke in on February 4 and systems were contained a day later.

"The claims… are categorically false. We continue to have uninterrupted access to their network and are actively exfiltrating information," ALPHV alleged on its site. "This can be verified as we sent the CEO, CIO, and legal person an email today showing evidence of this [as of] Feb 15."

The gang said it is currently looking for customers who may wish to buy the stolen data, but will consider releasing it for free. This follows Prudential's claim that it had seen no evidence of customer or client data being stolen. It made no such exclusions for other data types.

If the allegations are true, the company could face a backlash from the SEC and investors. However, it's worth remembering that ALPHV made a name for itself towards the back end of last year for weaponizing regulators against ransomware victims.

Evasive ALPHV

The ALPHV ransomware group continues to frustrate US authorities by terrorizing major organizations under its watch after surviving a takedown attempt in December.

It's not often a cybercrime operation can withstand and overcome attempts to shutter it after international law enforcement sets out to dismantle its infrastructure, but that's what happened in December when ALPHV wrestled the feds for control of its site over the space of a few days.

It seems the BlackCat does indeed have nine lives, as they say.

When the FBI's initial seizure splash page appeared on the outfit's dark web site, followed by press releases lauding the takedown and release of a decryptor, infosec watchers believed one of the world's most notorious ransomware gangs had fallen like so many before it.

Fast-forward two months and it's like nothing happened. The group's website is back up and running and affiliates continue to claim major attacks on Western organizations.

Most recently, it allegedly broke into Canada's Trans-Northern Pipelines – an attack on a critical infrastructure organization that naturally brings back memories of DarkSide's Colonial Pipeline incident.

It may also not be a coincidence, given that ALPHV is linked to BlackMatter, which itself was linked to DarkSide.

Towards the end of last week, the US announced that it would offer a maximum total reward of $15 million for information leading to the identification or location of ALPHV leadership members and/or their arrest.


LockBit ransomware gang has over $110 million in unspent bitcoin

The LockBit ransomware gang received more than $125 million in ransom payments over the past 18 months, according to the analysis of hundreds of cryptocurrency wallets associated with the operation.

Following the LockBit takedown in Operation Cronos, the National Crime Agency (NCA) in the U.K. with support from blockchain analysis company Chainalysis identified more than 500 cryptocurrency addresses being active.

After hacking LockBit’s infrastructure, law enforcement obtained 30,000 Bitcoin addresses used for managing the group’s profits from ransom payments.

Updated Feb 27, 2024
Version 11.0

Was this article helpful?

No CommentsBe the first to comment