14th April: Mirai Malware uses Spring4Shell exploits ++ Qbot is back – and hides in MSI Windows Installer packages ++ Security Outcomes Study by Cisco published – bad news for German security

Mirai Malware uses Spring4Shell exploits

The critical RCE vulnerability Spring4Shell is now being exploited by a Mirai botnet variant. While emergency updates helped solve the Spring4Shell a few days after it was made public, no reports of larger incidents are known so far. Trend Micro researchers have noticed the active exploitation of Spring4Shell – a critical vulnerability in VMWare’s Spring Framework’s Java-based Core module – to hack into unpatched devices before infecting them with the Mirai malware. According to Trend Micro, the first attacks happened in early April and focused on systems in Singapore.

Mirai is a malware focusing on turning Linux devices into drones of a botnet network. It was first detected in 2016 and primarily targeted home routers and OP cameras. It was used for example in an attack on Dyn, a DNS service provider, probably in order to make many websites and services like Twitter and Amazon unavailable.

This threat might well turn into a serious problem, the attacks on Singapore are considered a test run for possible larger and even more impactful future attacks.

The attack happens in three stages:
Stage 1: Send Crafted Packet using “burp suite” or “curl”

Stage 2: Decoding of packet and initiation of JSP webshell

Stage 3: execution of commands on the infected server

The servers can now be used for crypto mining or ransomware can be installed. Supply chain attacks are on the rise and pretty hard to protect from, because it is not your system directly but one your system relies on to work properly. The best fix of course is installing patches asap – and reacting quickly when a vulnerability is made public. Attackers obviously do.

Sources:

Mirai-Botnet missbraucht Spring4Shell-Sicherheitsleck | heise online

CVE-2022-22965 Analyzing the Exploitation of Spring4Shell Vulnerability in Weaponizing and Executing the Mirai Botnet Malware (trendmicro.com)

Mirai malware now delivered using Spring4Shell exploits (bleepingcomputer.com)

Attackers are abusing Spring4Shell vulnerability to spread Mirai botnet malware | The Daily Swig (portswigger.net)

Qbot is back – and hides in MSI Windows Installer packages

The Swiss National Cyber Security Centre (NCSC) detected more Qbot (a.k.a QakBot) activities focusing on Switzerland, as it reported this week.

Qbot is a modular Windows banking trojan with worm features used since at least 2007 to steal banking credentials, personal information, and financial data, as well as to drop backdoors on compromised computers and deploy Cobalt Strike beacons.

According to the NCSC the malware is spread via personalized phishing e-mails including “OneDrive”-links leading to password protected zip-files containing excel-files with macros or malicious MSI Windows Installer packages which then finally infect the system. Similar attacks are already known from for example Emotet – the difference being that with Emotet it was attachments that contained the infected files – not links OneDrive.

This once again shows us that attackers are being very inventive in finding new ways to attack their targets – especially when their old modus operandi is patched. Microsoft has begun rolling out the VBA macro autoblock feature to Office for Windows users in early April 2022, starting with Version 2203 in the Current Channel (Preview) and to other release channels and older versions later. Excel 4.0 makros were only default until 1993, but can still be used – and exploited up until today.

Qbot can lead to severe infections and damaging attacks. Security professionals should definitely keep their eyes open and watch further developments closely.
Deactivating macros, patching vulnerable systems and of course proper employee-education is necessary. Since it covers it’s malicious tracks being presented as a so far pretty secure OneDrive-link, it is necessary to make sure people are aware of these new tactics and distrust all kinds of attachments – whether direct or linking to OneDrive.

Sources:

Schadsoftware «QakBot» wieder aktiv (admin.ch)

Qbot malware found smuggled inside Windows Installer packages | TechRadar

Qbot malware switches to new Windows Installer infection vector (bleepingcomputer.com)

Schadsoftware «QakBot» wieder aktiv (admin.ch)

Security Outcomes Study by Cisco published – bad news for German security

According to Cisco’s newest Security Outcomes Study about half of security technology used in Germany is outdated and preparations for serious incidents are not sufficient.

More than 5000 security and data protection specialists from 27 countries took part in this year’s survey. Only 19% of the experts asked believe that they are able to properly handle the most important risks – internationally the lowest number.

The problem with outdated security technology is not purely German: 39% of the companies asked worldwide, 48% of the German experts – consider their IT infrastructure and the accompanying security to be too old and not sufficient.

This is actually corelating with the technologies used: Cloud-based security technology is on the rise and updated way more often than on-premise solutions.

IT landscape is getting more and more complex: compliance, hybrid working models, skill shortage and daily reports of new malware, attacks and breaches keep the historically understaffed IT department busy anyways. Often there are just not enough experts to handle all these challenges.

One solution to this problem might be automation, according to Cisco’s report. On one hand it helps simply doing more work with less resources. On the other hand it helps detect treads and react early – companies with a highly automated security can detect attacks up to 40% better than others.

Sources:

Security Outcomes-Studie, Teil 2 (cisco.com)

Die Hälfte der deutschen IT-Sicherheit ist veraltet (security-insider.de)

Cisco ‚Security Outcomes Study‘: Deutsche IT-Sicherheit veraltet – Safety & Security – Computer&AUTOMATION (computer-automation.de)


Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.