TL;DR
- QakBot Botnet Takedown: Law Enforcement Strikes Back
- Smashing Enter Key to Bypass TPM-Protected Full Disk Encryption
- MSSQL Servers Under Siege: DBJammer Campaign Unleashes Freeworld Ransomware
- Cybercriminals Turn to Malicious AI Tools for Next-Gen Attacks
- Exploit Released for Critical VMware SSH Auth Bypass Vulnerability
QakBot Botnet Takedown: Law Enforcement Strikes Back
- U.S. law enforcement dismantles the QakBot botnet, operated by the Gold Lagoon threat group.
- A custom DLL was distributed to infected devices to terminate the QakBot process.
- Over $86 million in cryptocurrency seized, and the botnet had received roughly $58 million in ransoms.
- The operation impacted devices in the U.S., France, Germany, the Netherlands, Romania, Latvia, and the UK.
On August 29, 2023, U.S. law enforcement agencies announced a significant takedown of the QakBot botnet, also known as Qbot. Operated by the financially motivated Gold Lagoon threat group, QakBot has been active since 2007 and is known for facilitating ransomware attacks. The takedown involved a technical operation where a custom Dynamic Link Library (DLL) was distributed to infected devices. This DLL contained code that could cleanly terminate the running QakBot process on the host.
The operation was unique in its approach. The DLL used a method involving a named pipe that QakBot uses for inter-process communication. A specific command, qpcmdbotshutdown, was sent via this pipe to shut down the botnet's activities. This method effectively bypassed QakBot's persistence mechanisms, ensuring the malware would not run if the host system was restarted.
The FBI also redirected traffic flowing through QakBot servers to bureau-controlled servers and downloaded a malware uninstaller file onto each infected device. The operation was global, impacting devices not just in the U.S. but also in several European countries. The Justice Department seized more than $86 million in cryptocurrency profits from QakBot operations, highlighting the financial scale of this cybercrime network.
The takedown represents a significant blow to cybercriminal operations and showcases the effectiveness of technical countermeasures combined with international cooperation.
Smashing Enter Key to Bypass TPM-Protected Full Disk Encryption
- A vulnerability allows attackers to bypass TPM-based disk encryption on Linux computers during the early boot process.
- The issue affects systems using Red Hat's Clevis and Dracut software for unattended unlocking of LUKS full disk encryption.
- The exploit involves sending rapid keypresses, effectively fuzzing the password input, which eventually leads to a root shell in the early boot environment.
- No specialized hardware is required; the attack can be executed using an Arduino board to emulate rapid keypresses.
A recent advisory from Pulse Security has unveiled a critical vulnerability that allows attackers to bypass Trusted Platform Module (TPM)-protected disk encryption on Linux systems. Specifically, the vulnerability affects Ubuntu 20.04 computers that use Red Hat's Clevis and Dracut software for unattended LUKS (Linux Unified Key Setup) full disk encryption. Under normal circumstances, an attacker would only see a login prompt and would not be able to gain direct access to the encrypted system. However, the exploit involves sending rapid keypresses during the early boot process, effectively fuzzing the password input. This can be done using an Arduino board to emulate a keyboard, sending keypresses at a rate much faster than a human could. After a minute or two, the system gives up trying to unlock the disk and provides a root shell in the early boot environment. From here, the attacker can manually unlock the disk using the TPM and gain access to sensitive data. This vulnerability poses a significant risk, especially for systems that need to operate in potentially hostile environments.
MSSQL Servers Under Siege: DBJammer Campaign Unleashes Freeworld Ransomware
- Threat actors are targeting exposed Microsoft SQL (MSSQL) servers using brute-force attacks in a campaign called DBJammer.
- The attackers deploy a new variant of Mimic ransomware called Freeworld.
- Sophisticated tooling includes enumeration software, RAT payloads, and credential-stealing software.
- The campaign exhibits rapid execution and high levels of sophistication, including system and registry modifications to establish persistence.
A new cybersecurity threat is looming over organizations that rely on Microsoft SQL (MSSQL) servers. Dubbed as the DBJammer campaign, this attack begins with threat actors brute-forcing their way into exposed MSSQL databases. Once inside, they use the servers as a beachhead to launch a variety of payloads, including Remote Access Trojans (RATs) and a new variant of Mimic ransomware known as Freeworld.
The Freeworld ransomware is particularly noteworthy for its presence in binary file names and ransomware extensions. The attackers are well-equipped, using a range of tools for system enumeration, exploitation, and credential stealing. They also make extensive system and registry modifications to impair defenses and establish persistence on the host. For instance, they disable User Account Control (UAC) remote restrictions and ensure that Network Level Authentication is not required for Remote Desktop Protocol (RDP).
The campaign is not only sophisticated in its tooling but also in its execution speed, indicating a high level of preparation and possibly signaling an ongoing, targeted operation. Given the complexity and rapid escalation of these attacks, organizations are advised to limit their MSSQL services' exposure to the internet and strengthen account credentials.
Cybercriminals Turn to Malicious AI Tools for Next-Gen Attacks
- Cybercriminals are increasingly using dark AI tools like WormGPT, PoisonGPT, and FraudGPT for malicious activities.
- These tools are available for sale on the dark web and are designed to bypass traditional security measures.
- Experts warn that we are less than a year away from a successful cyberattack being credited to such AI tools.
- The underground economy is exploring business models for these tools, with some being offered on a subscription basis.
The future of cybersecurity is facing a new challenge with the rise of dark AI tools. These are AI-driven software designed for malicious activities such as phishing, malware creation, and exploiting vulnerabilities. Notable examples include WormGPT, which can create phishing emails to bypass spam filters, and FraudGPT, designed for creating malware and identifying vulnerabilities.
The underground economy is actively exploring the profitability of these tools. They are often advertised on a subscription basis, with prices ranging from €100 for one month to $700 for a year. The alarming part is that 51% of IT professionals predict that a successful cyberattack attributed to these dark AI tools is imminent within a year.
While some experts question the legitimacy of these tools, suggesting they may just be "wrapper services" that redirect to legitimate AI models, the threat they pose is real and evolving. Organizations need to be prepared for a future where cybercriminals are increasingly leveraging AI for malicious purposes.
Exploit Released for Critical VMware SSH Auth Bypass Vulnerability
- A severe SSH authentication bypass vulnerability has been discovered in VMware's Aria Operations for Networks, formerly known as vRealize Network Insight.
- The vulnerability is tracked as CVE-2023-34039 and has been patched by VMware.
- Security researchers have released a proof-of-concept exploit that targets all Aria Operations for Networks versions from 6.0 to 6.10.
- VMware highly recommends applying security patches to mitigate the flaw, as the exploit code has been published online.
A critical SSH authentication bypass vulnerability has been identified in VMware's Aria Operations for Networks, previously known as vRealize Network Insight. The flaw, designated as CVE-2023-34039, was discovered by security analysts at ProjectDiscovery Research and has been patched by VMware. The vulnerability allows remote attackers to bypass SSH authentication on unpatched appliances and gain access to the tool's command line interface (CLI).
The root cause of this issue lies in hardcoded SSH keys that VMware forgot to regenerate. This oversight makes it possible for attackers to execute low-complexity attacks without requiring user interaction. A proof-of-concept (PoC) exploit targeting versions 6.0 to 6.10 of the software has been released by Summoning Team vulnerability researcher Sina Kheirkhah.
This vulnerability is particularly alarming because it comes on the heels of another arbitrary file write vulnerability (CVE-2023-20890) that could allow attackers to gain remote code execution after obtaining admin access. Given the severity and the release of the PoC exploit, it is crucial for administrators to apply the necessary security patches immediately to prevent potential attacks.
