NC4-ALR-2024-000003 : Update on the Current Cyber Threat Landscape in Malaysia
Introduction

The National Cyber Coordination and Command Centre (NC4) continuously monitors the cyber security threat level in Malaysia. In view of the several critical vulnerabilities that have been disclosed and exploited in the wild, NC4 would like to remind System Administrators and Internet users to implement sufficient cyber security measures to ensure that devices, systems, and networks are secure and practice good cyber hygiene.

Impact

A successful exploit will lead to data encryption, information theft, and extortion demands. This will also lead to attacks that leverage stolen credentials to gain unauthorised access, potentially compromising accounts, financial information, and sensitive data.

These attacks cause severe business disruptions and costly recovery processes.

Brief Description

Over the year, NC4 has observed and examined the behaviour of multiple ransomware groups. The findings indicate that the majority tend to exploit a limited number of distinct vulnerabilities repeatedly, demonstrating specialisation in their selection of targets. For instance, Magniber has specifically targeted vulnerabilities in Microsoft products, whereas CL0P has a preference for exploiting weaknesses in file transfer platforms like Accellion and SolarWinds.

On the other hand, vulnerabilities in widely used enterprise software like Microsoft Exchange are commonly targeted by a range of ransomware families. These vulnerabilities can be exploited by individuals with only basic knowledge, often by manipulating commonly used protocols such as HTTP or SMB, and threat actors frequently rely on publicly available exploit code (for example curl-based proof-of-concept scripts) or Metasploit modules. The widespread presence of these vulnerable applications in networks makes them appealing attack vectors.

It is interesting to note that even though threat actors actively share information about published vulnerabilities on underground forums and messaging platforms, they refrain from openly discussing the specific methods they use to exploit these vulnerabilities in their operations. Actors tend to focus on potentially vulnerable technology stacks and software vendors rather than on individual flaws.

A study conducted in 2023 revealed that a significant 41 percent of security breaches involved the illicit use of stolen credentials. This finding matches the observation that threat actors have started utilising bots and stolen credentials, often obtained through info-stealing malware or purchased directly from Access Brokers who offer combo lists on either the clear or the dark web. By using this method, threat actors are able to skip several phases of the cyber kill chain, perform credential stuffing, automate login attempts, and bypass essential security controls without much resistance.

NC4 strongly advises all Malaysian organisations to implement essential preventive measures in order to safeguard against cyber attacks. Failure to do so could result in operational disruptions and compromise the security of the organisation's infrastructure, data, and systems.

Affected Product

Ransomware: Microsoft Exchange, Windows (Print Spooler, Netlogon), Log4J, Fortigate appliance, Citrix networking appliances

*please take note that this is a non-exhaustive list

System Affected

Credential Stuffing: Any system or device requiring login credentials, especially those with weak authentication protocols and a lack of security measures in place (rate limiting, blacklisting, MFA).

Recommendation

Organisations are advised to be vigilant and to take the following actions:

  1. Patching: Apply security patches promptly, particularly for widely exploited vulnerabilities like ProxyShell.
  2. Network Controls: Block unnecessary inbound HTTP/HTTPS requests and closely monitor for exploit attempts targeting protocols like SMB.
  3. Preparation: Analyse threat actor group targeting patterns to prioritise defensive measures.
  4. Credential Hygiene: Enforce strong passwords, implement multi-factor authentication (MFA) at the transaction level, and educate users on phishing awareness.
  5. Identity Management: Limit access permissions, adhere to the principle of least privilege, and regularly log and analyse account management activity.
  6. Endpoint Protection: Use legitimate antivirus and endpoint detection & response (EDR) products to further enhance security measures on work and personal devices and to prevent credential leaks through malware infection.
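As an added illustration of recommendation 5 (logging and analysing account activity) applied to the credential stuffing threat described above, the following Python detector is example code written for this page, not an NC4 tool. It assumes a simple constructed login-log format (`timestamp src=IP user=NAME result=OK|FAIL`) and flags a source IP that fails logins against many distinct accounts inside a short window, which is the pattern that distinguishes automated credential stuffing from an ordinary brute force on one account or a user mistyping a password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simple login-log format assumed for this example
# (not NC4's or any vendor's real format). Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=erin result=OK
2024-03-01T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:10Z src=198.51.100.7 user=grace result=FAIL
2024-03-01T10:00:20Z src=198.51.100.7 user=grace result=OK
2024-03-01T10:05:00Z src=192.0.2.9 user=heidi result=FAIL
2024-03-01T10:20:00Z src=192.0.2.9 user=ivan result=FAIL
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_line(line):
    """Return (timestamp, src_ip, username, success) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4) == "OK"

def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that fail logins against >= min_users distinct accounts within
    one `window`: many usernames from one source is the stuffing signature (a brute
    force hammers one account). Returns {src: (distinct_failed_users, successes)};
    any success means a stuffed credential worked and that account needs a reset."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, user, ok = parsed
            events[src].append((ts, user, ok))
    findings = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])                      # logs may arrive out of order
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            failed_users = {u for _, u, ok in in_window if not ok}
            if len(failed_users) >= min_users:
                findings[src] = (len(failed_users), sum(ok for *_, ok in in_window))
                break                                      # one finding per source is enough
    return findings
```

Botnet- or proxy-distributed stuffing spreads attempts thinly across many source IPs, so a per-IP rule like this should be paired with site-wide failure-rate alerting and the rate limiting and MFA controls listed above.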

Advisory