Brief #46: HTTP/2 Flaws, Latrodectus Malware, Microsoft Exchange Breach

Greetings from week 14!

In this week's cybersecurity roundup I cover critical incidents and developments, from the discovery of severe HTTP/2 vulnerabilities to the emergence of new malware strains like Latrodectus and JSOutProx, as well as insights from the US Cyber Safety Board's report on a preventable Microsoft Exchange Online intrusion.

🌐 This Week in Cybersecurity

New JSOutProx Malware Targets Financial Institutions in APAC and MENA

• Sophisticated Attack Framework: JSOutProx, first identified in 2019, is a complex malware that utilizes both JavaScript and .NET to interact with a core module on the victim's machine, enabling it to load various plugins for additional malicious activities.
• Abuse of GitHub and GitLab: The recent campaign, detected in February 2024, involved the actors hosting malicious payloads on GitHub and GitLab repositories, disguising them as PDF files to evade detection. The repositories were quickly removed and recreated to manage multiple payloads and targets.
• Expanded Targeting: While previously attributed to SOLAR SPIDER's phishing campaigns targeting financial institutions across Africa, the Middle East, South Asia, and Southeast Asia, the new version of JSOutProx has broadened its scope to the APAC and MENA regions, intensifying the cybercriminal footprint.
• Main Features: The JSOutProx malware features complex obfuscation and a modular plugin architecture, enabling it to execute various malicious actions such as shell command execution, file manipulation, persistence, and remote control. The malware's unique use of the Cookie header field in its C2 communications and the targeting of government and financial organizations in multiple countries suggest that it may have been developed by actors from China or those affiliated with it.

US Cyber Safety Board Releases Report on Preventable Microsoft Exchange Online Intrusion by China-Linked Hackers

• Intrusion Details: In July 2023, Microsoft reported an intrusion into its Exchange Online system by Storm-0558, a hacking group affiliated with the People's Republic of China. The CSRB conducted a 7-month independent review of the incident.
• Key Findings: The CSRB found that the intrusion was preventable and stemmed from Microsoft's deprioritization of enterprise security investments and rigorous risk management. The report recommends Microsoft develop a public plan with timelines for making fundamental, security-focused reforms.
• Recommendations for Cloud Providers: The CSRB recommends cloud service providers implement modern control mechanisms, baseline security practices, default audit logging standards, emerging digital identity standards, and transparent incident/vulnerability disclosure practices. Providers should also develop more effective victim notification and support.
• Recommendations for Government: The report advises updating the FedRAMP authorization program, establishing a process for discretionary special reviews of Cloud Service Offerings after high-impact incidents, and having NIST incorporate feedback on observed cloud security threats and incidents into its standards and frameworks.

HTTP/2 CONTINUATION Flood Vulnerabilities Enable Severe DoS Attacks

• New HTTP/2 vulnerabilities discovered: Researcher Barket Nowotarski identified "CONTINUATION Flood" vulnerabilities in various HTTP/2 implementations that can lead to denial of service (DoS) attacks.
• Improper handling of CONTINUATION frames: Many HTTP/2 implementations do not properly limit or check CONTINUATION frames, which are used for stitching fragmented header blocks. Attackers can send an extremely long string of frames without setting the 'END_HEADERS' flag, causing server crashes due to out-of-memory conditions or CPU resource exhaustion.
• Severe impact across multiple implementations: Several HTTP/2 implementations are affected, including Node.js, Envoy, Tempesta FW, amphp/http, Go's net/http and net/http2 packages, Apache Httpd, Apache Traffic Server, and Envoy. The vulnerabilities can cause memory leaks, excessive memory consumption, and CPU exhaustion, potentially crashing servers with a single TCP connection in some cases.

The CONTINUATION Flood vulnerabilities pose a significant threat to web servers, as HTTP/2 is widely adopted and the attacks can be difficult to detect without advanced frame analytics. System administrators should promptly upgrade impacted servers and libraries to mitigate the risk of exploitation by threat actors seeking to incorporate these new DDoS techniques into their attacks.

New Latrodectus Malware Emerges as Potential Successor to IcedID

• Latrodectus Malware Identified: Proofpoint researchers first observed the new Latrodectus malware being distributed in email campaigns in late November 2023. While usage decreased in December and January, it increased again in February and March 2024.
• IcedID Campaign ID Patterns: While investigating Latrodectus, Proofpoint researchers identified patterns in derived IcedID campaign IDs that could be correlated to specific threat actors over time. Most actors used themed IDs (e.g. cars, geography) that remained consistent across years of activity, providing valuable attribution insights.
• Threat Actor Usage and Capabilities: Latrodectus was first distributed by initial access broker TA577, known for distributing Qbot, and later used almost exclusively by TA578 since January 2024. The malware acts as a downloader with sandbox evasion functionality to download payloads and execute arbitrary commands.
• Infrastructure Analysis: Team Cymru's research into Latrodectus infrastructure revealed Tier 1 C2 servers and a Tier 2 proxy server. Connections were found between Latrodectus and IcedID backend infrastructure, including the use of specific jumpboxes by operators, indicating the same threat actors are likely responsible for both malware families.

Multiple Healthcare Providers and Vendors Report Data Breaches Affecting Over 300,000 Individuals

• M&D Capital Premier Billing Suffers Cyberattack: A Queens, NY billing service provider discovered unauthorized access to its network exposing PHI of 284,326 individuals including names, SSNs, financial data, and medical information. Additional safeguards implemented post-incident.
• Ethos Senior Services Confirms Data Breach: Cybersecurity incident at the Massachusetts-based provider potentially exposed PHI of 14,503 individuals. Data included names, addresses, insurance details, and treatment information, with some SSNs also exposed. Individual notifications to be mailed.
• Tri-City Healthcare District Detects Unusual Network Activity: The California healthcare district's systems were accessed by an unauthorized party, potentially compromising files with patient names and SSNs for 7,847 individuals. Incident response includes security hardening and identity theft protection for those affected.
• Dental Health Services Experiences Data Disclosure Error: An emailing mistake exposed some plan member data to certain employer group customers. While data was encrypted, passwords were separately emailed before the error was caught. No misuse expected due to limited data involved.

🛠️ Security Tools

• Parrot OS - Distribution similar to Kali, with a focus on privacy and forensic analysis.
• The Hive Project - Scalable, open-source and free security incident response platform.
• XlsGen - Generates tiny Excel BIFF8 files embedding 4.0 Macros.

🚀 Startup Watch

• Permiso, a cloud security firm, has raised $18 million in a Series A funding round to expand its cloud identity tracking and threat detection platform. By creating 'meta' identities for authorized users and continuously updating its detection library, Permiso aims to help defenders stay ahead of adversaries by identifying potentially malicious behavior early on, even when legitimate credentials are used.
• Veracode has acquired Longbow Security, a startup that specializes in automated root cause analysis technology for identifying the underlying causes of serious security vulnerabilities. By integrating Longbow's technology into its platform, Veracode aims to provide its customers with a comprehensive solution that automates vulnerability prioritization, remediation, and continuous monitoring across applications, code, and cloud infrastructure, ultimately reducing risk and enhancing overall security posture.
• Microsoft backed Rubrik, a cybersecurity platform founded in 2014, has filed for a U.S. initial public offering (IPO) amid a growing wave of companies turning to capital markets. Rubrik provides cloud-based ransomware protection and data-backup software solutions to over 6,000 customers, including notable names like Nvidia and Home Depot.

📚 Recommended Reads

• Microsoft's new Outlook for Windows has transformed the email app into a surveillance tool for targeted advertising, sharing user data with 801 third parties. While Microsoft claims that collecting user data is to provide rich, interactive experiences, the company's pivot towards advertising revenue reveals its true intentions of capitalizing on the captive user base within its walled garden.
• Bounty Hunter discovered a race condition vulnerability in Medium's clap system, which allows manipulating the clap count of any article or comment. While Medium downplayed the severity and offered a low bounty, I believe this bug could significantly impact writers' reputations and earnings on the platform if exploited maliciously.
• Google's Threat Analysis Group (TAG) and Mandiant released their annual review of zero-day vulnerabilities exploited in the wild in 2023, revealing a significant increase compared to the previous year. The report provides valuable insights into the evolving threat landscape and offers recommendations for individuals and organizations to enhance their security posture, emphasizing the importance of transparency, disclosure, and building strong security foundations to combat the growing prevalence of zero-day exploits.

⭐️ 3 Ways I Can Help You

1. Work with me. I love helping people! Let's discuss your challenges, career, or ask me anything about cybersecurity in 25 minutes.
2. Get access to Cyber Strategy OS. My curated collection of valuable resources for every cybersecurity professional..
3. Looking for something different? Reach out.

If this sparked your interest, I'd love to hear from you in the comments. Stay tuned for more and consider following me on LinkedIn and X.

Nikoloz