Decipher (https://decipher.sc)
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.
Thu, 13 May 2021 10:17:00 -0400. Contact: info@decipher.sc (Amy Vazquez). Copyright 2021.

Transparent Tribe APT Expands Windows Malware Arsenal
By Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/transparent-tribe-apt-evolves-windows-malware-arsenal, Thu, 13 May 2021 10:17:00 -0400

The advanced persistent threat (APT) group known as Transparent Tribe is expanding the types of malware in its arsenal and its victimology in a slew of attacks that hone in on Windows devices.

The group (also known as APT36 and Mythic Leopard), known for its campaigns centered around information theft and espionage, has been around since 2013 and has historically targeted primarily Indian military and defense personnel with the CrimsonRAT malware.

However, new research published Thursday by Cisco Talos sheds light on how the group continues to evolve several parts of its operations, including expanding its victimology and making its lures more targeted. The group is also now deploying the ObliqueRAT malware in addition to CrimsonRAT, indicating an evolution of its toolset.

“Transparent Tribe relies heavily on the use of maldocs to spread their Windows implants,” said Asheer Malhotra, Justin Thattil and Kendall McKay, researchers with Cisco Talos, on Thursday. “While CrimsonRAT remains the group’s staple Windows implant, their development and distribution of ObliqueRAT in early 2020 indicates they are rapidly expanding their Windows malware arsenal.”

Researchers observed various malicious documents distributing the malware as part of Transparent Tribe campaigns. It remains unclear how the maldocs are delivered to victims, said researchers, but they suspect they were likely sent as attachments via phishing emails, based on the threat actor’s previous behaviors and the targeted nature of the lure. For instance, earlier campaigns would deliver phishing maldocs to victims, which contained malicious VBA macros that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc.

In these more recent campaigns, researchers also noted that the attackers took extra steps to make their attack chain appear more legitimate, for instance by hosting their malicious payloads on compromised websites rather than embedding the malware directly in the document. To gain initial access to organizations, researchers said, the group uses fake domains that mimic legitimate Indian military and defense organizations as well as malicious domains that mimic content-hosting and file-sharing websites, such as drivestransfer[.]com and file-attachment[.]com.

In one instance, researchers uncovered a fake domain registered by the attackers, masquerading as a website for the Center For Land Warfare Studies (CLAWS), which is an India-based think tank covering national security and military issues (the fake domain is clawsindia[.]com, while the real domain is claws[.]in). In another attack earlier this year, the attackers utilized a clone website of the Indian Industries Association’s legitimate website in order to host and distribute ObliqueRAT artifacts. This website was cloned using a free website copying program called HTTrack.


These maldocs also reflect how the lures for the attacks have shifted. Since 2019 the attackers had used more generic themes, such as popular news topics, but starting in mid-2020 they began primarily distributing military-themed maldocs that masqueraded as logistical or operational documents. For instance, one maldoc was disguised as a health advisory on COVID-19 procedures for defense training establishments.

“These examples highlight Transparent Tribe’s heavy reliance on social engineering as a core TTP and the group’s efforts to make their operations appear as legitimate as possible,” said researchers.

While the attackers are still primarily targeting military and defense personnel, they have also expanded their victimology to include an array of other organizations, including diplomatic entities, defense contractors, research organizations and conference attendees. One maldoc, for instance, purported to be an agenda for a dialogue series by the Heart of Asia Society 2020, leading researchers to believe that attackers were targeting the attendees of this conference.

Transparent Tribe has also expanded the breadth of the malware that they are delivering. While CrimsonRAT has been a staple implant for the group, “since 2020 the attackers have focused on diversifying their malware arsenal and infection tactics,” said Malhotra.

CrimsonRAT, a prolific malware family written in .NET, can be used by attackers to steal credentials from browsers, capture screenshots, collect antivirus software information and list the running processes, drives and directories on victim machines. ObliqueRAT, meanwhile, is a remote access trojan with known activity dating back to November 2019, which once downloaded exfiltrates various information including system data, a list of drives and a list of running processes. Campaigns previously spreading ObliqueRAT have also used steganography, hiding the payload in seemingly benign image files hosted on compromised websites.

Malhotra said that the introduction of ObliqueRAT into the threat group’s arsenal has given it an opportunity to constantly evolve and “become more and more lethal.”

Moving forward, Malhotra believes that the group will continue to target military and government entities based on political and strategic motivations - as well as continually evolve its implants, stealth mechanisms and social engineering tactics to infect high-value victims.

“Based on our findings, Transparent Tribe’s tactics, techniques, and procedures (TTPs) have remained largely unchanged since 2020, but the group continues to implement new lures into its operational toolkit,” said researchers. “The variety of maldoc lures Transparent Tribe employs indicates that the group continues to rely on social engineering as a core component of its operations.”

Biden Signs Executive Order Aiming to Bolster Federal Security
By Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/biden-signs-executive-order-aiming-to-bolster-federal-security, Thu, 13 May 2021 08:00:00 -0400

President Joe Biden on Wednesday signed an executive order with sweeping requirements aimed at beefing up federal cybersecurity, which tackles overarching issues plaguing the U.S. government, from supply-chain security to outdated security models.

At the top of the executive order’s list are step-by-step measures to modernize federal government security practices, new requirements for federal contractors to report cyber incidents and mandates aimed at enhancing supply-chain security by implementing security essentials for software purchased by the government.

In a statement, the Biden administration pointed to recent cybersecurity incidents - such as the SolarWinds supply-chain hack that roiled enterprises and government agencies, and a recent ransomware attack on the Colonial Pipeline, a key portion of the fuel-delivery network in the eastern United States - as a “sobering reminder” of increasingly sophisticated malicious activity from both nation-state actors and cybercriminals.

In the wake of incidents like these, “incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” according to the executive order. “The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.”

Incident Reporting Requirements for IT Contractors

The executive order aims to improve how information about threats and incidents is shared by removing contractual “barriers.” According to the Biden administration, the federal government contracts with IT and operational technology (OT) service providers (such as cloud service providers) that have “unique insight into cyber threat and incident information on Federal Information Systems” - however, current contractual restrictions may limit the sharing of such threat data with agencies responsible for investigating cyber incidents.

The executive order strives to overcome this hurdle by mandating that officials review current contract requirements and language for these IT and OT service providers, and ultimately recommend updates ensuring that service providers collect and share cyber incident data to any agency with which they have contracted.

“Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government,” according to the executive order.

Public and private sector collaboration has long been encouraged by government officials and security industry stalwarts alike. The executive order plays into this idea by mandating the development of a cyber incident review board, which will be co-chaired by government and private sector leads and will analyze cyber incidents to make concrete recommendations for improving cybersecurity.

Software Supply-Chain Security Measures

The executive order also takes a hard look at software supply-chain security, with a new mandate that the Secretary of Commerce develop guidelines that will be used to evaluate security for software and the developers and suppliers behind the software. These guidelines may include best practices such as auditing trust relationships and providing a purchaser a Software Bill of Materials (SBOM) for each product, for instance. Once these guidelines are in place, the order also calls for the development of a pilot program that will create an “energy star” type of label for the government to quickly determine whether software has been developed securely.

The executive order also calls for the initiation of pilot programs to educate the public on the security issues around Internet-of-Things (IoT) devices and software development practices, which would create cybersecurity criteria - including better testing - for a consumer labeling program for these devices.

“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” according to the Biden administration. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.”

Modernizing Federal Government Security

Another piece of the executive order revolves around modernizing federal government security by adopting security best practices. Within 180 days, the order will require agencies to adopt multi-factor authentication and encryption “to the maximum extent consistent with Federal records laws and other applicable laws,” for instance. Part of this also includes the development of a plan to secure cloud services, with the executive order directing agencies that use cloud technology to do so in a “coordinated, deliberate way,” in order to better prevent and remediate cyber incidents.

The executive order also pushes for agencies to deploy an endpoint detection and response (EDR) initiative to “support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response,” as well as the development of a plan to implement zero trust architecture. Other requirements include the creation of a standard playbook for responding to cyber incidents, steps to improve detection of cybersecurity incidents on federal government networks, and the improvement of investigative and remediation capabilities through the enforcement of robust and consistent logging practices.

The executive order comes on the heels of various efforts by the government to grapple with widespread cybersecurity issues. This has included the creation of a new task force that has developed a broad set of recommendations to help address the ransomware epidemic; as well as slapping a sweeping set of sanctions against Russian companies for supporting what the Biden administration called “malign behavior” by the Russian government, including the SolarWinds intrusion.

Chris Vickery, director of cyber risk research with UpGuard, said that overall the executive order is a “step in the right direction.”

“I think the overall idea that people should get is that the government is starting to open their eyes a little bit when it comes to security,” he said. The order’s focus on issues such as supply-chain security “raises the alarm on something that security professionals have been warning about for a long time,” he stressed.

Colonial Pipeline Attack Puts DarkSide Ransomware Under Scrutiny
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/colonial-pipeline-attack-puts-darkside-ransomware-under-scrutiny, Wed, 12 May 2021 00:00:00 -0400

The DarkSide ransomware that infected the IT network of the Colonial Pipeline Company last week has not been on the scene for even a year yet, but in that time it has grown into one of the premier ransomware-as-a-service threats, with an affiliate network comprising several distinct threat actors and a streamlined, professional backend infrastructure to provide custom malware, support, and payment assistance. Although DarkSide had stayed out of the public eye until recently, the attack on Colonial Pipeline has brought unwanted attention from law enforcement and the U.S. government, attention that will likely be quite bad for business.

The attack on Colonial Pipeline, which controls and distributes the lion’s share of fuel in the southeast and mid-Atlantic, hit the company’s IT infrastructure on Friday, but the staff was able to disconnect affected systems before the ransomware could spread to its operational technology (OT) network. That quick action likely prevented a much more damaging incident, though it also necessitated the shutdown of the fuel pipeline for precautionary reasons. Some of the feeder lines have come back online, and Biden administration officials said Tuesday that the company is planning to make a decision by the end of the day Wednesday on whether to restart the mainlines. The FBI is heading the investigation into the attack, and President Joe Biden said Monday that he plans to put more pressure on ransomware actors, both domestically and internationally.

“The FBI is engaged to assess and address this attack. It’s a criminal act, obviously. My administration takes this very seriously. We have efforts underway with the FBI and Department of Justice to disrupt and prosecute ransomware criminals. My admin will be pursuing a global effort of ransomware attacks by transnational criminals, who often use global money laundering networks to carry them out,” Biden said.

The Department of Justice has indicted a number of alleged ransomware actors in recent years, including some in North Korea and Russia, and the federal government has also taken down some of the payment and technical infrastructure used by ransomware operators. But most of those moves have had little effect, as the people involved are foreign nationals and are unlikely to actually be prosecuted in the U.S. The Department of the Treasury has sanctioned people and groups associated with ransomware operations, as well, putting financial pressure on them.

Ransomware operations are optimized to make money, and to do so as quickly and efficiently as possible. Intense public attention on their actions is generally suboptimal, and the Colonial Pipeline incident has dragged the DarkSide operation out into the light for all to see.

“There has been a refined focus for many parts of the U.S. government to track this down. There is always the question of what does the pointy end of the spear look like when you’re dealing with actors most likely from a country that protects them,” said James Shank, senior security evangelist and architect at Team Cymru, a threat intelligence firm.

“There are a lot of good signs that I see from how the U.S. is responding. It’s very clear the White House is engaged.”


Researchers have been following DarkSide since it first emerged in August 2020 and then began studying it more closely when the affiliate program launched three months later via an advertisement from an actor known as “darksupp” on an underground forum. Partners who join the affiliate network keep 25 percent of their ransom earnings for any payments less than $500,000, with the fees decreasing as the ransom increases, according to a detailed new report on DarkSide by FireEye Mandiant, which has investigated many DarkSide incidents.

“In addition to providing builds of DARKSIDE ransomware, the operators of this service also maintain a blog accessible via TOR. The actors use this site to publicize victims in an attempt to pressure these organizations into paying for the non-release of stolen data. A recent update to their underground forum advertisement also indicates that actors may attempt to DDoS victim organizations,” the report says.

“DARKSIDE RaaS affiliates are required to pass an interview after which they are provided access to an administration panel. Within this panel, affiliates can perform various actions such as creating a ransomware build, specifying content for the DARKSIDE blog, managing victims, and contacting support.”

The RaaS model that the DarkSide creators have honed and refined has been in use for several years and has proven to be very profitable for many ransomware developers. It’s a simple idea at its core: A developer (or team of developers) creates a new strain of ransomware, and then rents it out to partners or affiliates who deploy it against target organizations. The affiliates then pay the developers a certain percentage of whatever ransoms they collect and move on to the next target. Other ransomware variants that have employed this model include REvil and Babuk, and some of the threat actors that have been known to deploy DarkSide have also used one or the other of those variants. Researchers at Flashpoint said there is likely some direct connection between REvil and DarkSide.

“The design of the ransom note, wallpaper, file encryption extension and details, and inner workings bear similarities to REvil ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families,” an analysis by Flashpoint published Tuesday says.

Like other RaaS operations, DarkSide is not just one group but has several separate components. The threat actors deploying it use a variety of techniques and tools in their intrusions, including several different initial access methods. While phishing remains a popular method, groups deploying DarkSide have also used password spraying against VPNs, and at least one group used an exploit for a vulnerability in the SonicWall SSL VPN that was a zero day at the time, according to Mandiant’s research. DarkSide operators are supposed to be prohibited by the developers from targeting organizations such as hospitals, government agencies, and schools, likely as a way to avoid attracting attention. Colonial Pipeline doesn’t fall into any of those specific categories, but critical infrastructure attacks do tend to draw attention, and given the level of preparation and care involved in most DarkSide operations, it may have been a mistake, if not an accident.

“It might be true that this was accidental and they didn’t anticipate this was going to rise to the level of the White House having press briefings on it. This is going to shine an uncomfortable light on them,” Shank said.

“But it’s difficult to think it was completely unwitting. They get a feel for their target and how much they can pay. I don’t necessarily think it was a total surprise.”

FragAttacks Bugs Plague Wi-Fi Devices
By Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/fragattacks-bugs-plague-wi-fi-devices, Wed, 12 May 2021 00:00:00 -0400

A new research paper uncovered an array of design and implementation flaws that affect Wi-Fi devices. The vulnerabilities can allow an attacker within radio range of a victim to steal user information - however, they are difficult to exploit.

The research, by Mathy Vanhoef, postdoctoral researcher in computer security at New York University Abu Dhabi, disclosed the flaws stemming from the 802.11 standard that underpins Wi-Fi. This standard is designed to connect Wi-Fi devices efficiently to the router - and ensure they stay connected - by establishing the pace of data transmission.

The bugs affect all modern security protocols of Wi-Fi - from the original security protocol of Wi-Fi released in 1997, which exists on old networks, called Wired Equivalent Privacy (WEP), up to the latest Wi-Fi Protected Access 3 (WPA3) specification.

“Interestingly, our aggregation attack could have been avoided if devices had implemented optional security improvements earlier,” said Vanhoef in the research paper, called “Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation” and released Tuesday. “This highlights the importance of deploying security improvements before practical attacks are known.”

In analyzing open-source Wi-Fi stacks and systematically inspecting the 802.11 standard, Vanhoef found three design flaws in the processes called frame fragmentation and aggregation, which govern how the units of data called frames are transmitted. For this reason, the collective set of vulnerabilities is named FragAttacks (fragmentation and aggregation attacks).

When looking at the design flaws, one (CVE-2020-24588) exists in the frame aggregation feature of the standard. This feature allows for the communication of frames on a shared channel by sending two or more data frames in a single transmission. The design issue here stems from the fact that when an unauthenticated flag is flipped in the header of a frame, the encrypted payload will be parsed as containing one or more aggregated frames instead of a normal network packet. Attackers can abuse this design error to inject arbitrary frames, and then intercept a victim’s traffic by making it use a malicious DNS server.

The other two flaws (CVE-2020-24587 and CVE-2020-24586) exist in the process of frame fragmentation, which splits large frames into smaller fragments with the aim of improving performance in networks with large distances. These issues stem from the fact that, while all fragments of a frame are encrypted under the same key, receivers are not required to double check that this is the case. Also, a receiver is not required to remove incomplete fragments from memory when connecting to a different network.

“We abuse this to inject malicious fragments into the fragment cache, i.e., memory, of the victim and thereby inject arbitrary packets,” said Vanhoef. “Most devices were affected by at least one of these attacks.”

In a real-world attack, these flaws could allow an adversary to intercept the data of someone when they visit an insecure website - for instance, the username and password, said Vanhoef. That said, Vanhoef stressed that these design flaws are, on their own, tedious to exploit in practice, because abusing them requires user interaction or is only possible when using uncommon network settings.

“The first category of attacks, where sensitive data is stolen, is harder for an attacker to abuse,” said Vanhoef. “The attacker needs to be within range of the victim's Wi-Fi network and the attacker somehow has to trick the user into clicking a link. This means the first category of attacks is less concerning in practice.”


Researchers also uncovered “widespread” implementation flaws that are related to frame aggregation and fragmentation. These nine flaws are caused by programming mistakes in Wi-Fi products and can be exploited on their own or make it easier to abuse the uncovered design issues. And, in contrast to the first category of flaws, in order to exploit these implementation issues, an adversary would only need to be within range of a vulnerable Wi-Fi network, said Vanhoef.

One of the more common implementation issues is that receivers do not check whether all fragments belong to the same frame. This means that an attacker could forge frames by mixing the fragments of two different frames, said Vanhoef. Other implementations also contain an array of errors making it possible to mix encrypted and plaintext fragments, to inject plaintext aggregated frames by disguising them as handshake messages, and to inject plaintext fragmented (broadcast) frames, he said.
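The receiver-side checks that these fragmentation issues call for can be shown in a small model. The following Python is an added example written for this page, not code from the paper, from any Wi-Fi stack or from a vendor; the Fragment fields, the FragmentCache class and the sample traffic are all constructed assumptions. The cache refuses to combine fragments that carry a different sequence number or a non-consecutive fragment number (the "all fragments belong to the same frame" check), that were decrypted under a different key or with a non-consecutive packet number (the design flaw around same-key fragments), or that arrive in plaintext on a protected network, and it flushes any partial frame when the client connects to a different network (the stale fragment cache issue).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    """One received fragment of an 802.11 data frame.

    Simplified model constructed for this example; real receivers work on full
    MPDU headers, but these are the fields the reassembly checks depend on.
    """
    seq_num: int           # sequence number shared by all fragments of one frame
    frag_num: int          # fragment number, 0..N, must arrive consecutively
    more_frags: bool       # "More Fragments" bit; False on the final fragment
    encrypted: bool        # arrived protected (e.g. CCMP/GCMP) rather than in plaintext
    key_id: Optional[int]  # key that decrypted it; None for plaintext
    pn: Optional[int]      # packet number; consecutive fragments get consecutive PNs
    payload: bytes


class FragmentCache:
    """Receiver-side reassembly for a protected network (constructed model).

    A non-initial fragment must continue the pending frame exactly: same
    sequence number, next fragment number, same key, next packet number.
    Any mismatch discards the pending frame instead of mixing two frames.
    """

    def __init__(self) -> None:
        self._pending: List[Fragment] = []
        self.rejections: List[str] = []   # reasons, useful for logging/detection

    def on_network_change(self) -> None:
        # A partially received frame from the previous association must not be
        # completed by fragments received after (re)connecting.
        self._pending = []

    def _reject(self, reason: str) -> None:
        self.rejections.append(reason)
        self._pending = []

    def receive(self, frag: Fragment) -> Optional[bytes]:
        """Return the reassembled payload once the last fragment arrives, else None."""
        if not frag.encrypted or frag.key_id is None or frag.pn is None:
            # Plaintext fragments are simply ignored on a protected network, so they
            # can never be combined with encrypted ones.
            self.rejections.append("plaintext fragment on a protected network")
            return None

        if frag.frag_num == 0:
            # A new frame always starts from a clean slate.
            self._pending = [frag]
        else:
            if not self._pending:
                self._reject("non-initial fragment with no pending frame")
                return None
            prev = self._pending[-1]
            if frag.seq_num != prev.seq_num:
                self._reject("sequence number differs from pending frame")
                return None
            if frag.frag_num != prev.frag_num + 1:
                self._reject("fragment number not consecutive")
                return None
            if frag.key_id != prev.key_id:
                self._reject("fragment decrypted under a different key")
                return None
            if frag.pn != prev.pn + 1:
                self._reject("packet number not consecutive")
                return None
            self._pending.append(frag)

        if frag.more_frags:
            return None
        frame = b"".join(f.payload for f in self._pending)
        self._pending = []
        return frame


def demo() -> Tuple[List[bytes], List[str]]:
    """Constructed sample traffic: one legitimate two-fragment frame, then the
    kinds of mixes a receiver must refuse. Returns (completed frames, rejections)."""
    cache = FragmentCache()
    traffic = [
        Fragment(10, 0, True, True, 1, 500, b"GET /login "),
        Fragment(10, 1, False, True, 1, 501, b"HTTP/1.1"),     # completes frame 10
        Fragment(11, 0, True, True, 1, 502, b"first half"),
        Fragment(12, 1, False, True, 1, 503, b"other frame"),  # wrong sequence number
        Fragment(13, 0, True, True, 1, 504, b"under key 1"),
        Fragment(13, 1, False, True, 2, 505, b"under key 2"),  # different key
        Fragment(14, 0, False, False, None, None, b"plain"),   # unprotected
    ]
    completed = [f for f in (cache.receive(frag) for frag in traffic) if f is not None]
    return completed, list(cache.rejections)


if __name__ == "__main__":
    frames, reasons = demo()
    print("reassembled:", frames)
    print("rejected:", reasons)
```

The rejection reasons are kept as data rather than only dropped on the floor so that a driver or a monitoring tool built on the same idea could count them; a burst of "different key" or "sequence number differs" rejections from one sender is exactly the kind of suspect transmission the Wi-Fi Alliance update refers to.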

These flaws “can be abused to attack insecure smart home devices or outdated computers (for instance an outdated Windows 7 computer),” said Vanhoef. “Concretely, if a Wi-Fi network is vulnerable, an attacker can remotely control such outdated devices.”

The flaws come on the heels of a nine-month coordinated disclosure period. According to the Industry Consortium for Advancement of Security on the Internet (ICASI), various vendors whose products are affected are in the process of deploying - or have already deployed - mitigations addressing the flaws, including Microsoft, Sierra Wireless, Juniper Networks, HPE/Aruba Networks and Cisco Systems.

“There is no evidence of the vulnerabilities being used against Wi-Fi users maliciously, and these issues are mitigated through routine device updates that enable detection of suspect transmissions or improve adherence to recommended security implementation practices,” said the Wi-Fi Alliance in a security update.

Security issues in Wi-Fi have previously opened devices up to data-stealing attacks. The key reinstallation attack (KRACK) disclosed in 2017 enabled attackers to decrypt encrypted traffic, steal data and inject malicious code. Another vulnerability in Wi-Fi chips found in February 2020, dubbed Kr00k by researchers, allowed attackers to eavesdrop on Wi-Fi communications.

Despite these flaws, the security of Wi-Fi has significantly improved over the past years, said Vanhoef. However, the latest set of vulnerabilities shows the importance of continually analyzing even the most well-known security protocols.

“Additionally, it shows that it's essential to regularly test Wi-Fi products for security vulnerabilities, which can for instance be done when certifying them,” said Vanhoef.

Decipher Podcast: Ken Munro
By Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/decipher-podcast-ken-munro, Tue, 11 May 2021 00:00:00 -0400

Microsoft Fixes Publicly Known Flaws in Security Update
By Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/microsoft-fixes-previously-disclosed-flaws-in-security-update, Tue, 11 May 2021 00:00:00 -0400

Microsoft released patches for 55 vulnerabilities - including three publicly known flaws - as part of its regularly scheduled monthly security release on Tuesday.

Overall, Microsoft’s May Patch Tuesday advisory addressed four critical flaws - all of which can allow for remote code execution - as well as 50 important-severity vulnerabilities and one moderate-severity bug. None of the flaws are listed as being actively exploited, according to Microsoft.

The fixed bugs exist in various Microsoft products, including Microsoft Windows, .NET Core and Visual Studio, Internet Explorer, Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Exchange Server.

The three publicly known flaws include an important-severity elevation of privilege flaw in .NET Core and Visual Studio (CVE-2021-31204), which was previously disclosed on GitHub. According to an explanation of the flaw on GitHub, the flaw “exists in .NET 5.0 and .NET Core 3.1 when a user runs a single file application on Operating Systems based on Linux or macOS.”

Other previously disclosed flaws that were fixed on Tuesday include an important-severity common utilities remote code execution bug (CVE-2021-31200) and a moderate-severity security feature bypass flaw in Microsoft Exchange Server (CVE-2021-31207).

Microsoft additionally patched a slew of critical-severity flaws, including an HTTP protocol stack flaw (CVE-2021-31166) that could enable remote code execution. The flaw ranks 9.8 out of 10 on the CVSS scale. According to Dustin Childs of Trend Micro’s Zero Day Initiative, an unauthenticated attacker could exploit the flaw simply by sending a specially crafted packet to an affected server. Childs stressed that businesses should “definitely put this on the top of your test-and-deploy list.”

“That makes this bug wormable, with even Microsoft calling that out in their write-up,” according to Childs in an analysis. “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well.”

Also addressed was a remote code execution bug (CVE-2021-28476) in Hyper-V, which has the highest severity rating of all vulnerabilities for this month with a CVSS score of 9.9. The other two critical-severity flaws disclosed by Microsoft include a vulnerability in OLE Automation (CVE-2021-26419) that could enable remote code execution, and a memory corruption bug in Microsoft’s Scripting Engine (CVE-2021-28461) affecting Internet Explorer. Exploitation of this latter flaw, which could allow for remote code execution, is “more likely” according to Microsoft.

Microsoft also patched a remote code execution flaw in Visual Studio (CVE-2021-27068) and an information disclosure vulnerability (CVE-2020-24587) in Windows wireless networking that allows an attacker to disclose the contents of encrypted wireless packets on an affected system.

The May security updates come on the heels of Microsoft’s April fixes, which included four new zero days in Exchange Server that the National Security Agency discovered and disclosed to the company.

DarkSide Ransomware Attack on Colonial Pipeline a Worrying Precedent
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/darkside-ransomware-attack-on-colonial-pipeline-a-worrying-precedent, Mon, 10 May 2021 00:00:00 -0400

A ransomware attack on the Colonial Pipeline, a key portion of the fuel-delivery network in the eastern United States, has not only caused concerns about the potential disruption of the fuel supply, but also about the continued willingness of foreign adversaries to target critical infrastructure.

The attack took place on Friday and the company responded by taking some of its IT and physical systems offline, and as a result its main distribution lines are still offline. The FBI is investigating the incident and the White House has formed an interagency task force to handle the response, which is being led by the Department of Energy.

“On May 7, Colonial Pipeline Company learned it was the victim of a cybersecurity attack and has since determined that the incident involved ransomware. Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” Colonial Pipeline Company said in a statement.

“While this situation remains fluid and continues to evolve, the Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach. This plan is based on a number of factors with safety and compliance driving our operational decisions, and the goal of substantially restoring operational service by the end of the week.”

Ransomware attacks on enterprises in virtually every sector are an everyday occurrence, and the cybercrime groups behind them have shown a willingness to go after whatever targets they believe will be most profitable. During the pandemic, hospitals and health care providers have been frequent targets, as have organizations involved in vaccine research and distribution. State and local government agencies have fallen victim to ransomware, as have dozens of critical infrastructure organizations over the last few years, but the Colonial Pipeline attack is unique in its targeting and its potential disruptive effects.

“It is the largest cyber attack in terms of the energy infrastructure here in the United States and that is very disruptive,” Robert M. Lee, CEO of Dragos, said in an interview on CNN Monday.

On Monday, the FBI said the DarkSide ransomware was the culprit in the Colonial Pipeline attack.

“The FBI confirms that the Darkside ransomware is responsible for the compromise of the Colonial Pipeline networks. We continue to work with the company and our government partners on the investigation,” the FBI said.


DarkSide is a relatively new ransomware that emerged in 2020 and the actors who deploy it are typically quite organized and use a custom ransomware executable for each victim, according to an analysis by Digital Shadows researchers. Like all ransomware operators, they go where the money and leverage are and they have been quite successful and active in the last year.

“Targeting pipelines and distribution channels like this attack on the Colonial Pipeline Co. makes sense - ransomware is about extortion and extortion is about pressure. Impacting fuel distribution gets peoples’ attention right away and means there is increased pressure on the responding teams to remediate the impact,” said James Shank, chief architect, community services, for threat intelligence firm Team Cymru, and a member of the Ransomware Task Force.

“Doing so during a time when the pandemic response has created other distribution and supply chain problems, many of which will require timely and efficient distribution of goods, adds to the pressure. This emphasizes the need for a coordinated effort that bridges public and private sector capabilities to protect our national interests. We can not think of these attacks as impacting private companies only - this is an attack on our country’s infrastructure.”

Ransomware has become a national security concern as foreign adversaries have deployed it against both public and private targets, disrupting business and government operations, and now, the Colonial Pipeline attack shows operators are willing to take the attacks wherever they see a potential profit.

“Cybercriminals have been allowed to run amok while governments have mainly watched from the sidelines, unclear on whether cybercrime is a national security level threat. If there was any remaining doubt on that front, let’s dispense with it now. Too many lives are at stake,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, said during a congressional hearing on ransomware last week.

The response from the federal government to the Colonial Pipeline attack will be an interesting test case. In the past, the Department of Justice and Department of the Treasury have issued indictments and financial sanctions against individuals and groups involved in ransomware operations, but those have been in response to cumulative campaigns, not discrete incidents.

“If countries aren’t enforcing the rules and making sure they’re taking care of their criminal sector, there is some culpability,” Lee said.

“There is that symbiotic relationship that the U.S. government would be appropriate to take a look at.”

<![CDATA[Lemon Duck Botnet Shifts Tactics in Microsoft Exchange Server Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/lemon-duck-botnet-shifts-tactics-in-microsoft-exchange-server-attacks https://duo.com/decipher/lemon-duck-botnet-shifts-tactics-in-microsoft-exchange-server-attacks Mon, 10 May 2021 00:00:00 -0400

The Lemon Duck cryptocurrency-mining botnet has been ramping up its targeting of unpatched Microsoft Exchange servers with a revamped malware toolkit and new obfuscation tactics.

Researchers previously warned that Lemon Duck, which has been active since at least the end of December 2018, is “one of the more complex” mining botnets. The botnet delivers a final payload that is a variant of the Monero cryptocurrency mining software XMR in order to generate revenue.

Now, a renewed slew of attacks by Lemon Duck, starting in April, reflects an updated infrastructure, new tactics, techniques and procedures (TTPs) that better obfuscate the botnet’s activities, as well as the incorporation of new tools, like Cobalt Strike, in the botnet’s toolkit, warned researchers with Cisco Talos in a Friday report.

“During our analysis of recent Lemon Duck campaigns, we observed that the threat actor is now leveraging new infrastructure, incorporating additional tools and functionality into their attack methodology and workflow, and putting more emphasis on obfuscating various components used throughout the infection process in an attempt to more effectively evade detection and analysis,” said Caitlin Huey, threat intelligence and interdiction, and Andrew Windsor, information security analyst, of Cisco Talos.

Researchers first observed the surge of April attacks in an increase in the volume of DNS queries being made to four Lemon Duck domains. While previous Lemon Duck queries mostly originated from Asia, researchers noted that these newer domain resolution requests were originating from North America, Europe and Southeast Asia, as well as a spike in queries originating from India for one Lemon Duck domain.

The botnet is targeting an infamous set of Microsoft Exchange flaws, known collectively as ProxyLogon, which are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. Microsoft released a patch in March for the flaws, which can be chained together to create a pre-authentication remote code execution (RCE) exploit - however, servers that remain vulnerable are still being exploited by various threat actors, including the Prometei botnet. Microsoft first observed Lemon Duck being dropped by attackers in exploits of the ProxyLogon flaw in March.

However, in the more recent attacks using the ProxyLogon flaws, the botnet attempts to download and execute payloads for Cobalt Strike DNS beacons, said Huey and Windsor. Cobalt Strike, a commercially-available penetration-testing tool, sends out beacons to detect network flaws, and has historically been utilized by attackers to exfiltrate data and deliver malware.

Researchers said that the use of Cobalt Strike payloads represents an evolution in the toolset used by this threat actor, “demonstrating that they continue to refine their approach to the attack lifecycle over time as they identify opportunities to increase their efficiency as well as the effectiveness of their attacks,” they said.

Another previously undocumented TTP seen in these recent attacks is a new tactic Lemon Duck uses to obfuscate its command-and-control (C2) server domains. The actors behind Lemon Duck are now generating decoy domains on East Asian top-level domains (TLDs) to mask connections to their real C2 domain, said researchers. Huey and Windsor said that these fake domains are used in an intermediate PowerShell call during the infection process, in order to download additional data and payloads from the actor’s C2 server.


“By writing the fake domain along with the real C2 IP address to the Windows hosts file, any HTTP calls to the fake domains will instead be rerouted to the actor’s C2 server without having to use the actual C2 domain name except for the initial call to retrieve the associated IP address,” said Huey and Windsor.

Another notable piece here is that all of the TLDs are country-code specific (such as .cn, .kr and .jp) for China, South Korea and Japan. Country code top-level domains (ccTLDs) are commonly used for websites in their respective countries and languages, as opposed to more generic and globally used TLDs such as ".com" or ".net," said researchers.

“This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments,” said Huey and Windsor. “Due to the prevalence of domains using these ccTLDs, web traffic to the domains using the ccTLDs may be more easily attributed as noise to victims within these countries.”
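A defender-side check for the hosts-file technique described above, added here as an example for this article rather than code from Cisco Talos: it parses a constructed Windows hosts file and flags routable IP addresses that several hostnames on the .cn/.kr/.jp ccTLDs share, the pattern the researchers describe. The sample hosts content and the IP addresses in it are constructed.

```python
"""Detect Lemon Duck-style decoy-domain pinning in a Windows hosts file:
several unrelated hostnames (often on East Asian ccTLDs) all mapped to
one routable IP. Example code written for this article; the hosts-file
content below is constructed, not taken from a real infection."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
10.0.0.5        intranet.corp.example
203.0.113.7     update-mirror.example.cn
203.0.113.7     cdn-static.example.kr
203.0.113.7     img.example.jp
192.0.2.10      vendor-portal.example.com
"""

# ccTLDs named in the Talos write-up; treat as a tunable watch list.
WATCH_CCTLDS = {"cn", "kr", "jp"}

_COMMENT = re.compile(r"#.*$")


def parse_hosts(text):
    """Return {ip: [hostnames]} from hosts-file text.

    Comments, blank lines and lines whose first token is not a valid IP
    address are skipped (Windows ignores malformed lines as well)."""
    mapping = defaultdict(list)
    for raw in text.splitlines():
        line = _COMMENT.sub("", raw).strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            mapping[str(ip)].append(name.lower().rstrip("."))
    return dict(mapping)


def tld(hostname):
    """Last DNS label of a hostname, or '' for a bare single-label name."""
    return hostname.rsplit(".", 1)[-1] if "." in hostname else ""


def find_suspicious_pinning(text, min_names=2, watch_tlds=WATCH_CCTLDS):
    """Flag IPs that carry at least min_names hostnames where at least one
    name sits on a watched ccTLD. Returns a list of (ip, names, reasons)."""
    findings = []
    for ip, names in parse_hosts(text).items():
        addr = ipaddress.ip_address(ip)
        # Loopback / link-local / unspecified pins are routine local config;
        # a decoy entry has to point at an address the host can actually reach.
        if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
            continue
        flagged_tlds = sorted({tld(n) for n in names if tld(n) in watch_tlds})
        if len(names) >= min_names and flagged_tlds:
            reasons = [
                f"{len(names)} hostnames share one pinned IP",
                f"watched ccTLDs present: {', '.join(flagged_tlds)}",
            ]
            findings.append((ip, sorted(names), reasons))
    return findings


if __name__ == "__main__":
    for ip, names, reasons in find_suspicious_pinning(SAMPLE_HOSTS):
        print(ip, names, "; ".join(reasons))
```

Running it against a live host means reading the real hosts file into `find_suspicious_pinning`; a hit is a lead to triage (the pinned IP and the process that wrote the entry), not proof of compromise on its own.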

Once devices have been infected, Lemon Duck touts self-propagating capabilities and a modular framework, giving it the flexibility to spread across network connections to infect additional systems that then become part of the Lemon Duck botnet.

“Lemon Duck operators have previously employed several exploits for vulnerabilities, such as SMBGhost and Eternal Blue, and appear to be implementing new exploit code and targeting additional software vulnerabilities over time to ensure that they can continue to spread malware to new hosts and maintain the size of the botnet and revenue stream being generated by compromised hosts,” said researchers.

Looking ahead, researchers said that the attackers’ reliance on new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques, may enable them to operate more effectively for longer periods within victim environments. In particular, they believe Lemon Duck attackers will continue zeroing in on the ProxyLogon flaws, which continue to plague businesses that have not yet applied Microsoft’s patches to their vulnerable Exchange servers.

Crypto-mining malware continues to serve as an effective and consistent method for cybercriminals to make money. Huey and Windsor said that while other types of financially motivated attacks, such as ransomware, are “noisy,” crypto-mining malware stays under the radar and uses system resources to generate guaranteed revenue over a longer period of time.

“This is a big difference as ransom payments aren’t guaranteed and are a one-time payout versus crypto-mining malware, which can generate a steady paycheck for the bad guys,” said Huey and Windsor.

<![CDATA[The Tightrope Walk of Vulnerability Disclosure Windows and Patch Adoption]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/the-tightrope-walk-of-vulnerability-disclosure-windows-and-patch-adoption https://duo.com/decipher/the-tightrope-walk-of-vulnerability-disclosure-windows-and-patch-adoption Fri, 07 May 2021 00:00:00 -0400

Researchers and vendors must strike a delicate balance when developing vulnerability disclosure windows, to factor in an increasingly intricate patch development and adoption process as an ever-growing tangle of vulnerabilities is uncovered.

A 2021 trial version for a vulnerability disclosure timeline, announced last month by Google’s Project Zero team - its team of security analysts tasked with finding zero-day flaws - reflects the varying challenges relating to the patching process that companies must navigate when developing disclosure windows. Previously, Project Zero’s policy mandated that disclosure should occur 90 days after an initial vulnerability report, regardless of when the bug is fixed. However, the new trial gives an additional 30-day leeway period for publishing the technical details, if the issue has been fixed within 90 days, with the intent of providing a cushion period for businesses to then apply those patches.

Researcher disclosure window deadlines are important because they put pressure on vendors to roll out patches in a timely manner. As of April 30, Project Zero said that there are 1,797 vulnerabilities in a "fixed" state in their issue tracker, and 73 vulnerabilities have been disclosed without a patch being available to users - meaning that over the total lifetime of Project Zero, 95.9 percent of issues have been fixed under deadline.

Casey Ellis, founder and CEO of Bugcrowd, said Project Zero's move marks an acknowledgement of the patch adoption "lag" that often exists on top of these deadlines.

“The addition of the 30 days extension from Project Zero reflects a third dynamic, the lag which often exists between patch release and a meaningful percentage of the user population having installed the patch,” said Ellis.

Patch Adoption Challenges

Project Zero’s previous disclosure policy was also a trial that was proposed in 2020, intending to give vendors the flexibility to prioritize shipping the fix earlier in the 90-day cycle rather than later. The overall goal behind this policy was to help quicken patch development - the deployment of patches by vendors - and patch adoption - the ultimate application of these patches by end users to affected systems.

“In practice however, we didn't observe a significant shift in patch development timelines, and we continued to receive feedback from vendors that they were concerned about publicly releasing technical details about vulnerabilities and exploits before most users had installed the patch,” said Tim Willis, senior security engineering manager with Google Project Zero. “In other words, the implied timeline for patch adoption wasn't clearly understood.”

Patch adoption remains a significant challenge for end-user organizations, which are struggling to keep up with a steady stream of critical and high-severity vulnerabilities on top of the regularly scheduled monthly security updates issued by vendors. A November Bitdefender report revealed that almost two-thirds of the unpatched vulnerabilities in organizations are older than 2018 - meaning that organizations are exposed to security holes for which patches have been available for years. The report painted a grim picture of the patch landscape, revealing deep-rooted challenges for organizations in adopting patches for operating systems and applications in an active and timely manner. For instance, 52 percent of organizations reported having a manual patching procedure instead of an automated one, making their patch process more complex, according to the report.

The concept of patch adoption adds another layer to the development of vulnerability disclosure windows. Willis noted that security at the end-user level doesn’t improve when a bug is found or fixed - the end users must be aware of the bug and patch their devices. Project Zero’s new additional 30-day period aims to fix this issue by making the patch adoption piece a more “explicit part” of the vulnerability disclosure policy.

“By giving a 30-day window for patches to roll out … It’s an indicator that updates aren’t being applied,” said Brian Gorenc, director at Trend Micro’s Zero Day Initiative. “This leads to a completely different discussion on why people don’t install patches, but the fact is that many people don’t trust updates.”

Putting Pressure on Patch Development

Patch development is another complex process that researchers are mulling when they develop disclosure windows. Willis said that the goal of Project Zero’s disclosure window is not only for vendors to develop patches more quickly and have the correct processes in place to effectively get those patches to end users, but also to be more thorough in their patches.

“Too many times, we've seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” said Willis. “One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”

One challenge is that vulnerabilities are continually being discovered on various vendor platforms. Microsoft Exchange ProxyLogon flaws, for instance, disclosed in March left businesses scrambling to patch their systems - however, a month later cybercriminals continued to sniff out vulnerable systems used to deploy malware. Other flaws, such as the critical vulnerability in the Windows Netlogon Remote Protocol known as Zerologon (CVE-2020-1472) or a nasty bug in Oracle WebLogic Server (CVE-2020-14882), have caused headaches both for vendors and end users for over a year.

“This rising volume makes it harder for vendors to respond to everything, and it could lead to bugs being missed or dropped unintentionally,” said Gorenc. “Some companies have a mature response process and can handle the load, but others may struggle.”

Another issue arises from the fact that different vendors deal with patching in varying ways, which can make disclosure policies hard to apply across the board. For instance, deploying a patch for a bug in a website, which is centralized, accessible and likely has a recent codebase, may be a much more seamless process than issuing a fix for flaws in a fleet of satellites in the sky, mission-critical devices or medical devices, which may be decentralized, difficult to access or dependent on uptime.

For researchers, factoring in these varying patching challenges when looking at disclosure windows presents an “interesting balancing act,” said Bugcrowd’s Ellis. Should a policy timeline be too short, users of the affected products face the risk of exploitation - but should it be too long, there’s a substantial risk that the vendor won’t act with the appropriate urgency necessary to protect users, said Ellis.

“The 30-day extension provides some grace here and signals a very clear expectation that these types of products will be targeted and they should be stepping up efforts to reduce vulnerability remediation and user base dwell time,” Ellis said.

The Future of Disclosure Windows

Google Project Zero’s 2021 trial will also include an array of other changes beyond the additional 30-day leeway period. For instance, it will include a disclosure deadline of seven days for issues that are being actively exploited in the wild against users. However, unlike the previous 2020 trial policy, if the issue is fixed within seven days, Project Zero said it would publish technical details 30 days after the fix. And, unlike before, vendors can request a three-day grace period for in-the-wild bugs.

On the heels of Project Zero’s proposed trial changes, Ellis said, other researchers might be more open to tweaking their disclosure deadlines for similar reasons that the Project Zero team has laid out, provided there is open communication and agreement.

“Researchers looking to take a practice leadership position communicating vendor empathy might adopt these same types of policies,” he said.

<![CDATA[Decipher Podcast: Peter Baker]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-peter-baker https://duo.com/decipher/decipher-podcast-peter-baker Thu, 06 May 2021 00:00:00 -0400

<![CDATA[Lawmakers Search For Solution to Ransomware Pandemic]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/lawmakers-search-for-solution-to-ransomware-pandemic https://duo.com/decipher/lawmakers-search-for-solution-to-ransomware-pandemic Thu, 06 May 2021 00:00:00 -0400

The waves of ransomware that have swept through the United States during the last year have not only become a serious menace for enterprises but have moved into the realm of a threat to national security, experts told lawmakers Wednesday.

What began as a nuisance to consumers several years ago and then evolved into perhaps the most pressing threat to enterprises at the moment, is also now a major part of the agenda in Washington as the new administration tries to get a handle on cybersecurity in general and ransomware specifically. Following last week’s release of a report from the Ransomware Task Force that recommended tighter cooperation between private sector groups, government agencies, and law enforcement, the House Committee on Homeland Security held a hearing on the ransomware threat, and the assessment the members heard from their witnesses was a dim one.

“To put it simply, we are on the cusp of a global digital pandemic driven by greed. Underlying factors are rooted in the digital dumpster fire with our seemingly pathological need to connect everything to the internet,” Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, said during the hearing.

“Cybercriminals have been allowed to run amok while governments have mainly watched from the sidelines, unclear on whether cybercrime is a national security level threat. If there was any remaining doubt on that front, let’s dispense with it now. Too many lives are at stake.”

Ransomware attacks torment enterprises and government agencies alike, and though the Department of Justice has indicted a number of foreign citizens associated with ransomware groups and the Office of Foreign Asset Control has sanctioned groups and individuals for their roles in attacks, those moves have done little to stem the tide. Adding to the problem is the cooperation between some ransomware groups and the governments of some of the countries from which they operate. In April, the Department of the Treasury formally tied the Evil Corp cybercrime and ransomware group to the Russian FSB intelligence service. The U.S. government has also tied the government of North Korea to ransomware operations and said that the operations help fund the government’s activities.

During Wednesday’s hearing, Krebs and other witnesses assured the committee members that these were not idle claims.


“Ransomware gangs and foreign intelligence services are working hand in glove now. Those are the linkages that we really need to explore. That for me is what tipped ransomware over into a clear national security threat,” Krebs said.

John Davis, a retired Army major general and now vice president at Palo Alto Networks, said some foreign governments view cybercrime groups as handy proxies for malicious cyber activities and disinformation campaigns.

“State actors now see an opportunity to leverage non-state entities, and it’s also useful as a way to circumvent sanctions. We have seen various states that have begun to embrace this idea to undermine democracy,” Davis said.

While the seriousness of the ransomware threat is not in question, the best way to address it is far from certain. One thing that does seem certain is the need for more funding at both the federal and state levels to upgrade technology and provide for better investigative and response capabilities when ransomware hits. Rep. Yvette Coleman (D-N.Y.), chairwoman of the Homeland Security committee, said she plans to introduce the State and Local Cybersecurity Improvement Act in the next few days, a bill that would provide $500 million in grants to state, local, tribal, and territorial governments for cybersecurity. While funding can help agencies shore up their defenses and recover if they fall victim to ransomware, removing the financial incentives for cybercrime groups to engage in ransomware attacks in the first place is another top priority for legislators.

The Ransomware Task Force’s report recommends that states amend their breach disclosure laws to require that organizations disclose ransomware payments before making them. While some legislators have advocated making ransomware payments illegal, that’s unlikely to happen. A payment-disclosure requirement, which could give law enforcement agencies a running start on tracing the payments and their recipients, seems more practical and workable.

“Payments should be made as a very last resort, and maybe they should be logged,” Krebs said.

Requiring the disclosure of payments for government agencies is a simpler task than doing so for private companies, and may be the logical place to start.

<![CDATA[Stealthy Windows Rootkit Slips Attackers Past Detection]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/attackers-rely-on-stealthy-windows-rootkit-in-targeted-campaign https://duo.com/decipher/attackers-rely-on-stealthy-windows-rootkit-in-targeted-campaign Thu, 06 May 2021 00:00:00 -0400

Researchers have uncovered what they call a highly evasive Windows rootkit, which cybercriminals have used in a targeted campaign to infiltrate the networks of high-profile organizations since at least 2018.

The rootkit, which researchers with Kaspersky in a new report call Moriya (due to string artifacts within the malware’s binaries) has been utilized by an unknown actor to deploy backdoors on public-facing servers. Less than 10 victims have been targeted so far in the campaign, which researchers call TunnelSnake, including two large regional diplomatic organizations in Asia and Africa.

The rootkit, which allows attackers to snoop in on victim network traffic, is unique in that it maintains “a considerable amount of stealth,” said researchers, including its leveraging of Windows drivers, covert communications channels and proprietary malware.

“The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations,” said Mark Lechtik, senior security researcher with Kaspersky, on Thursday.

Researchers believe that attackers first infect victims with Moriya through targeting vulnerable web servers in victims’ networks. In one incident, for instance, attackers used the China Chopper webshell to infect an organization’s mail server. They then leveraged that infection to map the victim’s network and deploy other tools in it, including the rootkit. Once downloaded, Moriya acts as a backdoor that enables attackers to inspect all incoming traffic to the victim’s system, filter out packets that are marked as designated for the malware and respond to them - ultimately providing attackers with a covert channel to issue shell commands and receive back their outputs.

Researchers also observed a set of post-exploitation tools with an array of functionalities on a target in South Asia that they assessed could be in use by the same attacker. These include network discovery capabilities - used to scan the internal network in order to detect further vulnerable services - through an HTTP scanner command-line tool and a DCOM scanner command-line utility. Also discovered were two versions of a malware called Bouncer - previously identified by FireEye Mandiant in 2013 - in order to spread to other hosts in targeted networks. The malware acts as a backdoor, providing features that can be used to control a remote host and achieve lateral movement.

Finally, several multi-platform utilities were used to establish connections with remote hosts and exfiltrate data, including two known ones called Earthworm, which creates tunnels between compromised hosts in order to transfer data, and Termite, which provides additional tools in order to download and upload files between compromised hosts. Researchers also detected another tool, called Tran, under the filename "tmp," which is utilized to transfer data between compromised hosts.

Moriya itself has two traits that make it particularly evasive, said researchers. First, the attackers can inspect all packets in the privileged kernel mode with the use of a Windows driver. This allows them to drop the packets of interest before they are actually processed by the network stack - meaning that they are not detected by security solutions. The rootkit also waits for incoming traffic, rather than initiating a connection to the command-and-control (C2) server itself. On the attacker’s end, this means there is no need to incorporate a C2 address in the malware’s binary or maintain a steady C2 infrastructure - making it more difficult to trace the attacker’s footprints, said researchers.

That said, researchers were still able to detect the campaign due to its utilization of the commodity China Chopper webshell and use of open-source legacy code, named DSEFIX v1.0, to map the unsigned driver to kernel memory space and execute it from its entry point.


While researchers did not attribute the attack to a known threat actor, they said based on the tactics, techniques and procedures (TTPs) used in the campaign they “suppose” that the cybercriminals are Chinese-speaking. Several clues point to this conclusion, including the fact that the targeted entities in the campaign were previously attacked by Chinese-speaking actors, and that some of the tools utilized by attackers - including China Chopper - have previously been used in campaigns attributed to well-known Chinese-speaking threat groups, they said.

Lechtik said the campaign ceased the usage of the tools described in the research as soon as they were detected. However, he warned that with the campaign's activity dating back to at least 2018, the threat actor is likely able to evolve and tailor its toolset to target environments.

“This indicates the group conducting these attacks may well still be active and retooling for additional operations in the area of interest outlined in this publication, as well as other regions,” he said.

While rootkits - which typically allow attackers to intercept core I/O operations conducted by the underlying operating system - give cybercriminals high privileges in the system, overall, researchers pointed to the number of Windows rootkits in the wild decreasing dramatically. This is due to Microsoft’s implementation of several protections, such as Driver Signature Enforcement, which makes it more difficult to load and run new code in kernel space, as well as Kernel Patch Protection, which protects code in the Windows kernel from being modified by unknown software or data.

That said, the abilities of these rootkits to camouflage into the fabric of the operating system give attackers a high level of stealth, and the majority of still-active Windows rootkits are being used by high-profile advanced persistent threat (APT) attacks, researchers noted.

“While rootkits are not as common nowadays as they were in the past, they still represent a class of highly powerful malware implants that are in use by a handful of APT actors,” said Lechtik. “In that sense, we don't expect a wide deployment of them in systems worldwide, but for the few advanced groups that are capable of deploying them and staying under the radar, they will likely remain in the wild for years to come.”

<![CDATA[Apple Patches WebKit Zero Days in iOS, macOS and Safari]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/apple-patches-webkit-zero-days-in-ios-macos-and-safari https://duo.com/decipher/apple-patches-webkit-zero-days-in-ios-macos-and-safari Wed, 05 May 2021 00:00:00 -0400

A week after releasing a major new version of iOS with a considerable number of security patches Apple has pushed an emergency update that includes fixes for two WebKit vulnerabilities that are being actively exploited.

One of the vulnerabilities is an integer overflow (CVE-2021-30663) and the other is a memory corruption bug (CVE-2021-30665), and both can lead to remote code execution on vulnerable iPhones and iPads. Apple released iOS 14.5.1 on Monday to address the vulnerabilities.

“Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” the Apple advisory says.

Apple also pushed emergency patches in iOS 12.5.3 for two additional actively exploited WebKit vulnerabilities for older iPhones and iPads. Those two vulnerabilities are similar to the other two WebKit flaws, though one is a use-after-free flaw and the other is a buffer overflow vulnerability. Both can lead to remote code execution, and attackers have already been targeting them, according to Apple.


WebKit has been the security Achilles heel of iOS, especially in the last few years as more and more vulnerabilities in the framework have emerged. Apple has spent an untold amount of time and money creating a walled garden around iOS, through the restrictions in the App Store, requirements for developer code signing, and a host of security features in iOS itself. But WebKit, which is the engine for Safari and other iOS browsers, has been a different story.

Since just the beginning of this year, Apple has patched seven separate WebKit vulnerabilities that were exploited in the wild, and virtually no regular iOS or Safari update goes by without a fix for at least one WebKit vulnerability.

Apple also released a new version of Safari for macOS Catalina and Big Sur that includes patches for the same bugs that were fixed in iOS 14.5.1.

<![CDATA[Echoes on the Wire: Dan Kaminsky's Hacker Legacy]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/echoes-on-the-wire-dan-kaminskys-hacker-legacy https://duo.com/decipher/echoes-on-the-wire-dan-kaminskys-hacker-legacy Wed, 05 May 2021 00:00:00 -0400

CC-By-2.0 image by Pinguino from Flickr.

<![CDATA[ICS Security Requires Private-Public Sector Synergy]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/ics-security-requires-private-public-sector-synergy https://duo.com/decipher/ics-security-requires-private-public-sector-synergy Wed, 05 May 2021 00:00:00 -0400

U.S. government officials are calling for better collaboration with private-sector companies when it comes to stomping out the core security issues that afflict critical infrastructure, which run the gamut from poor visibility into networks to a dearth of resources.

Rep. James Langevin (D-R.I.), chairman for the House Armed Services Subcommittee on Intelligence and Emerging Threats and Capabilities, which handles issues related to cybersecurity, said that tightened partnerships between the public and private sector will help the government understand the inherent security challenges that beset critical infrastructure companies and put real-time threat intelligence into better context.

“At the top of the agenda is creating a joint collaborative environment between the government and the private critical infrastructure sector, so that the left hand knows what the right hand is doing,” he said on Tuesday at Hack the Capitol 4.0, which brings together policymakers and technology experts to discuss underlying critical infrastructure security challenges.

The security of industrial control systems (ICS), utilized to operate or automate critical infrastructure, has long caused concerns - however, these worries have come to a head on the heels of several incidents, including an attacker accessing a Florida town’s water treatment system and attempting to raise the level of sodium hydroxide in the water to a dangerously high level; as well as several ransomware groups targeting industrial companies, including an attack last year on a U.S.-based natural gas facility that shut down operations for two days.

While ICS environments long existed in an isolated state, they are becoming increasingly connected to the network, opening an array of potential security holes - including exposure on the internet, weak network segregation and a lack of basic security controls like authentication. At the same time, the level of sophistication necessary for targeting ICS networks is decreasing. It’s not only nation state-level actors targeting critical infrastructure anymore, as seen when a 22-year-old man allegedly attempted to access a Kansas public water system’s computers in order to tamper with its disinfectant levels in 2019.

“The track record is clear - there will still be rogue actors and nation states in the mix,” said Chris Inglis, the former deputy director of the National Security Agency (NSA), who has been nominated by the Biden administration to serve as the first National Cyber Director. “We don’t operate in a vacuum in this. Cybercriminals will come at us - we don’t have the luxury of asking them to freeze in place.”


The government has recently been homing in on critical infrastructure and ICS security, with the NSA releasing an advisory outlining steps for companies to stop malicious cyber activity against connected operational technology (OT), the hardware and software that monitors industrial equipment in order to detect or cause changes. At a higher level, the Biden administration has announced the development of a 100-day plan with the goal of protecting the electric grid against cyberattacks, which a spokesperson said is “a pilot of the administration’s broader cybersecurity initiative planned for multiple critical infrastructure sectors.”

Langevin stressed that strengthening the Cybersecurity and Infrastructure Security Agency (CISA) is a key recommendation in addressing the serious visibility gaps in OT going forward. While the Biden administration in April proposed a budget of over $2.1 billion for CISA in fiscal year 2022 - around $110 million more than it was allocated in fiscal year 2021 - Langevin advocates for allocating at least $400 million in additional funding to CISA’s budget in fiscal year 2022, arguing that the agency needs to be “resourced properly” in order to help protect OT.

However, beyond budgetary initiatives and security advisories, an increased level of collaboration is also needed, said Langevin. He noted that the government has taken the first steps in ramping up teamwork between the private and public sectors with the implementation of Sector Risk Management Agencies. These agencies are designated for 16 critical infrastructure sectors - including healthcare, water, energy and more - and serve as a way for critical infrastructure owners and operators to collaborate with federal departments and agencies.

This necessary cooperation also applies to CISA, with Langevin encouraging the agency to bring in security researchers in residence, as well as work with third-party partners in addressing OT concerns.

“I hope CISA can strengthen its bonds and create relationships with non-vendor, non-federal hunters to look at federal and state systems,” he said.


This heightened level of collaboration will help the government better understand how to approach defensive and offensive strategies when it comes to ICS security. David Weinstein, an associate partner with McKinsey & Company where he specializes in cybersecurity, said that it’s risky to apply existing IT strategies utilized by the government to OT. Some of these existing strategies “don’t account for the nuances of OT network, and it’s a night and day comparison,” he said. “IT and OT couldn’t be more different in their design, use and security.”

For instance, ICS may throw a wrench into the technicalities behind the concept of defending forward. This concept, initially articulated in the 2018 Department of Defense Cyber Strategy, calls for actively going head-to-head with adversaries by disrupting their capabilities to conduct cyberattacks. This means both blocking cyberattacks as well as building “more lethal” cyber capabilities. But when it comes to defending forward for ICS, “the devil’s in the details,” said Marie O’Neill Sciarrone, CEO of Tribal Tech. For instance, “meaty policy questions” relating to cyber - such as how enemies are defined, or how malicious intent is defined - are often left undiscussed, she said. One big challenge of defending forward as it relates to ICS is the level of risk and reward associated with the concept.

“With the industrial control system environment being physical infrastructure, it creates a unique question around the impact,” said Sciarrone. “If you decide to defend forward, what happens? What are the unknown consequences of those actions? You need to be careful with what you decide to do... because this isn’t traditional warfare where you fire a bullet and it’s gone... it can ricochet back to you.”

Weinstein, instead, pointed to the need for more of a deterrence strategy for blocking nation state actors from accessing ICS environments.

“We’re not doing enough blocking and tackling to reach those actors,” he said. “A deterrence strategy would go hand-in-hand with what the industry is doing to protect their networks, and make it...harder and more costly for criminals to access those systems.”

Overall, experts on the technology side say that the government needs to do a better job understanding the inherent challenges that OT teams face at the day-to-day level - including limited resources and personnel. Sciarrone said that the private sector wants to hear actionable information that specifically relates to the cost center.

“At the end of the day, the government doesn’t control infrastructure - the private sector does,” said Sciarrone. “The government’s problem is that it doesn’t do a good job speaking the language of the business - what do you need to do, and why do you need to do it - and that piece needs to happen as part of the larger discussion.”

<![CDATA[Dell Patches High-Severity Firmware Update Driver Flaws]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/dell-patches-high-severity-firmware-update-driver-flaws https://duo.com/decipher/dell-patches-high-severity-firmware-update-driver-flaws Tue, 04 May 2021 00:00:00 -0400

Dell has issued patches for five high-severity vulnerabilities in its firmware update driver, impacting Dell desktops, laptops, notebooks and tablets. If exploited, these flaws may allow attackers to locally escalate to kernel-mode privileges.

The five flaws stem from a firmware update driver component, which is responsible for Dell firmware updates through the Dell BIOS Utility. This module, the DBUtil firmware update driver, comes pre-installed on most Dell machines running Windows. Researchers with SentinelLabs who discovered the flaws said that they have remained undisclosed for 12 years.

“These high severity vulnerabilities, which have been present in Dell devices since 2009, affect hundreds of millions of devices and millions of users worldwide,” said Kasif Dekel, senior security researcher at SentinelLabs. “While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild… with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action.”

The flaws (collectively tracked as CVE-2021-21551) were reported to Dell on Dec. 1 and rank 8.8 on the CVSS scale. Dell on Tuesday issued patches for the flaw in its DSA-2021-088 advisory.

The flaws include two memory corruption vulnerabilities and two flaws caused by a lack of input validation, all of which enable local elevation of privilege, and a code logic issue that can allow for denial-of-service attacks.

One significant issue stems from the firmware update driver accepting Input/Output Control (IOCTL) requests without any Access Control List (ACL) requirements, which are meant to block unauthorized users from certain resources. Because no ACL requirements exist, IOCTL requests can be invoked by a non-privileged user.

“Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused ‘by design,’” said Dekel.

Another issue with the driver that Dekel highlighted makes it possible to run I/O instructions in kernel mode. Researchers said that this issue is less trivial to exploit and might require “using various creative techniques” to achieve elevation of privileges. Finally, the firmware update driver exposes various functions. This can allow for read/write issues, enabling attackers to escalate their privileges.

“A classic exploitation technique for this vulnerability would be to overwrite the values of Present and Enabled in the Token privilege member inside the EPROCESS of the process whose privileges we want to escalate,” said Dekel.

In order to exploit the privilege escalation flaws, attackers must be local; however, they don’t need administrator privileges. If attackers are able to exploit these flaws, they would be allowed to escalate their privileges and run code in kernel mode. This could enable them to carry out further malicious actions, such as bypassing security products, said researchers.

“An attacker with access to an organization’s network may also gain access to execute code on unpatched Dell systems and use this vulnerability to gain local elevation of privilege,” said Dekel. “Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”

Researchers said that in order to give Dell customers the opportunity to remediate the vulnerability, they are withholding sharing the proof-of-concept (PoC) code until June 1. In the meantime, both researchers and Dell stress that customers should update their systems.

"We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers," said a Dell spokesperson. "We have seen no evidence this vulnerability has been exploited by malicious actors to date... Thanks to the researchers for working directly with us to resolve the issue."

<![CDATA[Pulse Secure Releases Patch for VPN Flaw Used in Active Attacks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/pulsesecure-releases-patch-for-vpn-flaw-used-in-active-attacks https://duo.com/decipher/pulsesecure-releases-patch-for-vpn-flaw-used-in-active-attacks Mon, 03 May 2021 00:00:00 -0400

Two weeks after researchers warned that attackers in China were exploiting a newly discovered vulnerability in the Pulse Connect Secure VPN appliance, the company has released a patch for that flaw, along with several others that can be used for remote code execution.

The vulnerability that surfaced in April (CVE-2021-22893) is in fact a collection of several use-after-free bugs in Pulse Connect Secure. Attackers have been exploiting the flaws for some time, perhaps as long as several years. Specialists from Mandiant discovered the attack activity a few months ago during the course of an incident response investigation and said a newly identified group the company calls UNC2630 was exploiting the flaws. Other groups may also have been targeting the vulnerabilities.

“Early this year, Mandiant investigated multiple intrusions at defense, government, and financial organizations around the world. In each intrusion, the earliest evidence of attacker activity traced back to DHCP IP address ranges belonging to Pulse Secure VPN appliances in the affected environment,” FireEye researchers wrote in an analysis of the intrusions.

“We observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows, which ultimately allowed the actor to use legitimate account credentials to move laterally into the affected environments. In order to maintain persistence to the compromised networks, the actor utilized legitimate, but modified, Pulse Secure binaries and scripts on the VPN appliance.”

The Pulse Connect Secure VPN is used for remote access in a range of organizations, including enterprises and government agencies. Targeting VPN flaws can be a profitable exercise for attackers, as it can provide a reliable access method for further movement inside a network. In addition to the use-after-free vulnerabilities, Pulse Secure also released fixes for three other critical bugs, including a buffer overflow in the Collaboration Suite, and a command-injection bug and unrestricted upload flaw in Pulse Connect Secure.

“Multiple vulnerabilities were discovered and have been resolved in Pulse Connect Secure (PCS). This includes an authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. Many of these vulnerabilities have a critical CVSS score and pose a significant risk to your deployment,” the PulseSecure security advisory says.

The vulnerabilities affect versions of Pulse Connect Secure prior to 9.1R11.4.

“As sophisticated threat actors continue their attacks on U.S. businesses and government agencies, we will continue to work with our customers, the broader security industry, law enforcement and government agencies to mitigate these threats. Companywide we are making significant investments to enhance our overall cyber security posture, including a more broad implementation of secure application development standards,” Phil Rich, CSO of Pulse Secure, said in a post.

<![CDATA[Rust-Based Buer Malware Variant Emerges]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/rust-based-buer-malware-variant-emerges https://duo.com/decipher/rust-based-buer-malware-variant-emerges Mon, 03 May 2021 00:00:00 -0400

Cybercriminals behind the Buer malware loader are using a new variant, rewritten in the Rust programming language, as a way to sidestep detection and make their attack chain more effective, warn researchers.

The new variant of Buer, called RustyBuer, is “unusual” because malware is typically not rewritten in a completely different way, said researchers with Proofpoint on Monday. Overall, Rust is becoming increasingly popular as a programming language, as it is more efficient, easy to use and has a broader range of features than languages like C.

“Despite existing since 2019, the new variant of Buer loader malware suggests threat actors continue to modify their payloads in a likely attempt to evade detection,” said Kelsey Merriman, Bryan Campbell and Selena Larson, with Proofpoint. “When paired with the attempts by threat actors leveraging RustyBuer to further legitimize their lures, it is possible the attack chain may be more effective in obtaining access and persistence.”

Buer, first identified in August 2019, is a trojan downloader utilized to compromise systems and act as a foothold to deliver additional malicious payloads. The loader is sold to cybercriminals through a “malware-as-a-service” payment model.

The new variant poses challenges for signature-based detections that are based on how the malware behaves when executed in a sandbox environment, said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

“Malware written in C and malware written in Rust will behave differently in a sandbox environment,” said DeGrippo. “For example, RustyBuer uses its own TLS library. While the malware executed as expected, we had to make a few adjustments so that we could see all of the C2 communications.”

RustyBuer, along with the previous variant of Buer written in C, was found being distributed in early April, in a spate of spear-phishing emails that so far have targeted over 200 organizations across more than 50 verticals. These emails purport to be shipping notices from DHL Support, an international courier and package delivery company. They inform victims that they contain “international information” regarding a shipping order and ask them to download a file, named “Private File.”

Once clicked, the attached malicious Microsoft Word or Excel documents use macros to drop the malware variant. Of note, the macros leverage an Application Bypass (Windows Shell DLL via LOLBAS) to evade detection from endpoint security mechanisms, said researchers.


Researchers noted that this campaign has used differing lure techniques from previous attacks, with RustyBuer attachments containing more detailed content to better engage the recipient. For instance, the malicious Excel attachments distributing RustyBuer contain multiple security software brand logos, in an attempt to add legitimacy to the document.

Once RustyBuer is dropped, it establishes persistence by using a shortcut (.LNK) file to run at startup. Then, the loader distributes the Cobalt Strike Beacon as a second-stage payload. Cobalt Strike is a legitimate security tool utilized by penetration testers, which has become increasingly popular with cybercriminals. However, researchers noted, not all identified campaigns contained a second-stage payload. They believe that this stems from some cybercriminals operating as access-as-a-service providers; attempting to establish initial access in victim environments and then selling this access to other bad actors in underground marketplaces. Buer loader has previously been used in access-as-a-service campaigns, according to Sophos researchers.

Other than its lure and the programming language used, there are many similarities between RustyBuer and the original Buer loader. For instance, the command-and-control (C2) requests used by RustyBuer are nearly identical to the requests used in the latest version of Buer. Previous Buer campaigns have also deployed Cobalt Strike as a second-stage payload.

DeGrippo said that Rust is not commonly used by threat actors at this time - however, there are examples of Rust-based malware in public repositories, as well as malware reported by security firms such as the Convuster macOS adware. Programming languages go in and out of style based on ease of syntax, memory management and other factors, she said.

“Malware authors, like software programmers, will choose a programming language that supports their requirements,” said DeGrippo. “As Rust becomes more popular for fulfilling those requirements, it will be used by both legitimate programmers and threat actors."

The Buer loader has previously been spotted as recently as February, when researchers with Infoblox uncovered a Buer campaign using invoice-themed lures to persuade victims to download and open Microsoft Excel (XLS) documents, which contained malicious macros and distributed the malware.

Looking ahead, researchers anticipate this activity will continue. “Based on the frequency of RustyBuer campaigns... researchers anticipate we will continue to see the new variant in the future,” they said.

<![CDATA[BadAlloc Memory Flaws Found in Dozens of IoT, Embedded Devices]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/badalloc-memory-flaws-found-in-dozens-of-iot-embedded-devices https://duo.com/decipher/badalloc-memory-flaws-found-in-dozens-of-iot-embedded-devices Fri, 30 Apr 2021 00:00:00 -0400

Microsoft researchers have uncovered more than 25 memory allocation vulnerabilities that affect a long list of real-time operating systems (RTOS) and libraries that are used in IoT and medical devices, operational technology devices, and industrial control systems.

The vulnerabilities are all the result of the use of vulnerable memory functions in the libraries and RTOS, and attackers could use them for remote code execution. Microsoft’s Section 52 research team disclosed the flaws publicly Thursday but reported them privately to all of the affected vendors, as well as the Cybersecurity and Infrastructure Security Agency. Although the vulnerabilities exist in a huge range of devices, Microsoft’s researchers said they had not seen any evidence of exploitation yet. Microsoft named the group of vulnerabilities BadAlloc.

Among the vendors whose products are affected are Amazon, Google, ARM, Samsung, and Texas Instruments, but the number of affected devices would be nearly impossible to estimate. Many of those devices likely will never be patched, and others won’t be patched for months because of where they’re located in OT or ICS networks.

“IoT devices because of their placement can be difficult to patch. OT devices elevate that problem to a much higher level because organizations usually can’t patch unless there’s an approved downtime window, and that could be three or six months down the road,” said Grant Geyer, chief product officer at Claroty, an OT security firm.

These types of vulnerabilities are by no means new and the risks of using these memory functions without input validation are very well known and well documented. A group of security researchers gave a talk about similar issues at Black Hat in 2002. Memory allocation bugs still emerge in applications all the time, despite many years of improvements in mitigations and input validation. The IoT and embedded systems world is a completely different story, though, and not a positive one.

“Our research shows that memory allocation implementations written throughout the years as part of IoT devices and embedded software have not incorporated proper input validations. Without these input validations, an attacker could exploit the memory allocation function to perform a heap overflow, resulting in execution of malicious code on a target device,” Microsoft said.


“The vulnerabilities exist in standard memory allocation functions spanning widely used real-time operating systems (RTOS), embedded software development kits (SDKs), and C standard library (libc) implementations. Given the pervasiveness of IoT and OT devices, these vulnerabilities, if successfully exploited, represent a significant potential risk for organizations of all kinds.”
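The allocator defect Microsoft describes above, as an added example that is not Microsoft's or any affected vendor's code: a constructed toy arena allocator whose size arithmetic (a bookkeeping header plus alignment rounding) is performed once without and once with a range check on the requested size. The header size, alignment and arena size are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed toy arena allocator (not Microsoft's or any vendor's code).
 * It shows the BadAlloc defect class: an allocator that does header and
 * alignment arithmetic on the caller's request without first validating
 * it, so an oversized request silently wraps to a tiny chunk.
 */

#define HEADER_SIZE 16u   /* per-chunk bookkeeping (constructed value) */
#define ALIGN       8u    /* chunk sizes are rounded up to 8 bytes */
#define ARENA_BYTES 4096u /* constructed fixed heap, as on a small device */

typedef struct { size_t usable; } chunk_hdr; /* sits in front of user data */

static _Alignas(ALIGN) unsigned char arena[ARENA_BYTES];
static size_t arena_used;

void arena_reset(void) { arena_used = 0; }

/* Defective form: request + header + rounding with no range check.
 * req == SIZE_MAX wraps to 16, i.e. room for the header and nothing else. */
size_t total_bytes_unchecked(size_t req) {
    return (req + HEADER_SIZE + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}

/* Hardened form: refuse any request whose arithmetic cannot fit in size_t. */
bool total_bytes_checked(size_t req, size_t *total) {
    if (req > SIZE_MAX - HEADER_SIZE - (ALIGN - 1))
        return false;                 /* would wrap: reject, never allocate */
    *total = (req + HEADER_SIZE + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    return true;
}

/* Carve a chunk of `total` bytes (header included) out of the arena. */
static void *carve(size_t total) {
    if (total < HEADER_SIZE || total > ARENA_BYTES - arena_used)
        return NULL;
    chunk_hdr *h = (chunk_hdr *)(arena + arena_used);
    h->usable = total - HEADER_SIZE;
    arena_used += total;
    return (unsigned char *)h + HEADER_SIZE;
}

/* Mirrors the vulnerable allocator: for SIZE_MAX it returns a chunk with
 * 0 usable bytes, so the caller's first write overflows into the heap. */
void *arena_alloc_unchecked(size_t req) {
    return carve(total_bytes_unchecked(req));
}

/* Hardened allocator: same layout, but an impossible request yields NULL. */
void *arena_alloc_checked(size_t req) {
    size_t total;
    if (!total_bytes_checked(req, &total))
        return NULL;
    return carve(total);
}

/* How many bytes the allocator actually reserved behind a returned pointer. */
size_t chunk_usable(const void *p) {
    const chunk_hdr *h = (const chunk_hdr *)((const unsigned char *)p - HEADER_SIZE);
    return h->usable;
}

int main(void) {
    arena_reset();
    void *bad = arena_alloc_unchecked(SIZE_MAX);
    printf("unchecked: request SIZE_MAX -> %s, usable %zu bytes\n",
           bad ? "chunk returned" : "NULL", bad ? chunk_usable(bad) : 0);

    arena_reset();
    void *rejected = arena_alloc_checked(SIZE_MAX);
    printf("checked:   request SIZE_MAX -> %s\n", rejected ? "chunk returned" : "NULL");
    void *ok = arena_alloc_checked(100);
    printf("checked:   request 100 -> usable %zu bytes\n", ok ? chunk_usable(ok) : 0);
    return 0;
}
```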

Most of the vendors with affected products have released updates or patches for the vulnerabilities; however, Texas Instruments has not published updates for its SimpleLink platform.

Claroty’s Geyer said the breadth of the issues Microsoft found was surprising, as are the vulnerabilities themselves.

“What’s surprising to me is how many RTOS didn’t implement safety checks when using memory safety tools like malloc. The variety of devices that are affected is huge. There could be tens or hundreds of millions,” he said.

“The common wisdom is that OT gear is this brown field, obsolete devices. But these issues show that the green field, newer gear is just as much of an issue and needs to be cared for, as well.”

CISA has released mitigations for organizations that are not able to patch affected devices, including removing Internet exposure for control system devices.

<![CDATA[Threat Group Exploits SonicWall Flaw to Deploy FiveHands Ransomware]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/threat-group-exploits-sonicwall-flaw-to-deploy-fivehands-ransomware https://duo.com/decipher/threat-group-exploits-sonicwall-flaw-to-deploy-fivehands-ransomware Fri, 30 Apr 2021 00:00:00 -0400

Researchers observed a new ransomware variant, called FiveHands, being deployed by an “aggressive” financially motivated threat group in January and February.

According to a FireEye Mandiant report, the UNC2447 group exploited a critical SonicWall vulnerability (CVE-2021-20016) prior to a patch being available. The group leveraged this exploit as a foothold in order to deploy the previously discovered SombRAT malware, as well as FiveHands.

“UNC2447 monetizes intrusions by extorting their victims first with FiveHands ransomware followed by aggressively applying pressure through threats of media attention and offering victim data for sale on hacker forums,” said researchers with FireEye Mandiant.

UNC2447 (“UNC” being FireEye’s designation for unclassified threat groups) was first discovered by researchers in November, when they observed the group using a PowerShell dropper in an attempt to install malware at two unnamed companies. In January, the UNC2447 group was then observed exploiting the SonicWall flaw, a critical SQL injection vulnerability in Secure Mobile Access (SMA) 100 Series VPN appliances, which allows unauthenticated attackers to achieve remote code execution. Before SonicWall patched the flaw in February, it revealed that it had "identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products."

Justin Moore, threat analyst with Advanced Practices at FireEye Mandiant, said researchers have not observed any FiveHands intrusions since patches have been deployed - however, organizations that have not yet patched their systems remain at a high risk of compromise from any group.

“While the most recent details of the FiveHands attacks are currently published in the blog, including hashes and comparisons to other ransomware variants, there have been over 100 SonicWall SMA 100 series VPN compromises during this campaign,” said Moore. “UNC2447 related actors have credentials for these organizations and may still have access to deploy ransomware despite patches being applied.”

Researchers said they believe that the FiveHands ransomware is a new rewrite of the existing DeathRansom ransomware, which was first observed in November 2019. FiveHands, which is written in C++, shares several features, functions and coding similarities with DeathRansom. However, researchers noted that the function calls and code structure used to implement the majority of its functions are written differently. One significant departure from DeathRansom is FiveHands' use of a memory-only dropper, which upon execution expects a command line switch of -key followed by the key value necessary to perform decryption of its payload, said researchers. Additional code in the ransomware - not found in DeathRansom - uses the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted, they said.

“The payload is stored and encrypted with AES-128 using an IV of ‘85471kayecaxaubv,’” they said. “The decrypted FiveHands payload is immediately executed after decryption.”
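Because the dropper described above only works when its decryption key is passed on the command line, process-creation telemetry is the natural place to hunt for it. The following is an added example, written for this article and not code from Decipher, Mandiant or the malware itself: it parses constructed Sysmon-style process-creation records (the key=value layout, the field names and the log lines are all assumptions made for the example), flags processes launched with a `-key <value>` switch, and scores the hit by whether the argument looks like a raw key and whether the image runs from a user-writable path. The "key-like" pattern is a heuristic, not a documented FiveHands property; the benign `openssl ... -key privkey.pem` line shows why the switch alone is too noisy to alert on.

```python
"""Hunting heuristic for a memory-only dropper that takes its payload
decryption key as a ``-key <value>`` command-line switch.

Added example (not from the original article or from Mandiant). The telemetry
format and the sample lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records: key=value pairs, quoted
# when the value contains spaces. These are made-up lines, not real events.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe" '
    'CommandLine="svc.exe -key 8f1c2a9b3d4e5f60718293a4b5c6d7e8" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # Legitimate use of a -key switch: the argument is a file name, not a key.
    'EventID=1 Image="C:\\Program Files\\OpenSSL\\bin\\openssl.exe" '
    'CommandLine="openssl req -new -key privkey.pem -out req.csr" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # No -key switch at all; "keys.txt" must not trigger the regex.
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe C:\\notes\\keys.txt" '
    'ParentImage="C:\\Windows\\explorer.exe"',
]

# field=value, where value is either "quoted text" or a run of non-whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "-key" as a standalone switch (start of string or preceded by whitespace)
# followed by its argument.
KEY_SWITCH_RE = re.compile(r'(?:^|\s)-key\s+(\S+)', re.IGNORECASE)
# Assumption: a raw key argument is a hex or base64-looking token of at least
# 16 characters (a 16-byte AES-128 key hex-encoded is 32 characters).
KEYLIKE_RE = re.compile(r'^[A-Za-z0-9+/=]{16,}$')
# Directories a user (and thus a dropper) can write to without privileges.
USER_WRITABLE_RE = re.compile(r'\\(Temp|AppData|Downloads|ProgramData|Public)\\', re.IGNORECASE)


@dataclass
class Finding:
    image: str
    key_token: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (quoted values win over bare ones)."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the process was launched with a -key switch, with one
    reason per matched indicator; None when the switch is absent."""
    cmd = event.get("CommandLine", "")
    match = KEY_SWITCH_RE.search(cmd)
    if not match:
        return None
    token = match.group(1)
    reasons = ["-key switch present on the command line"]
    if KEYLIKE_RE.match(token):
        reasons.append("argument looks like a raw key (%d chars, hex/base64 charset)" % len(token))
    image = event.get("Image", "")
    if USER_WRITABLE_RE.search(image):
        reasons.append("image runs from a user-writable directory")
    return Finding(image=image, key_token=token, reasons=reasons)


def hunt(lines: List[str], min_reasons: int = 2) -> List[Finding]:
    """Score every record and keep those with at least min_reasons indicators,
    so a lone -key switch (common in legitimate tooling) is not enough."""
    hits = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding is not None and len(finding.reasons) >= min_reasons:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit.image)
        for reason in hit.reasons:
            print("  -", reason)
```

Run against the constructed records, only the Temp-resident `svc.exe` launch survives the two-indicator threshold; the OpenSSL invocation is seen but scored with a single reason, and the notepad line never matches. In production the recovered key token is worth preserving with the sample, since without it the dropper's payload cannot be decrypted for analysis.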

Researchers also noted similarities between FiveHands and HelloKitty, a ransomware that has also reportedly been built from DeathRansom. While both FiveHands and HelloKitty share several high-level functionalities with DeathRansom, each has its own marked differences. For instance, like HelloKitty, FiveHands lacks the language check that DeathRansom performed to identify several system languages on infected machines.

In addition to FiveHands, UNC2447 was deploying SombRAT, malware first reported in November by BlackBerry Cylance researchers, who noted that the backdoor's primary purpose is to download and execute plugins provided via the C2 server. The version of SombRAT used in this attack features additional obfuscation to evade detection and discourage analysis, said researchers.

Researchers said that while they observed FiveHands being deployed by UNC2447, not all intrusions may have been conducted by this group. They believe that FiveHands - along with HelloKitty - may be used in attacks by different groups participating in underground affiliate programs.

“Based on technical and temporal observations of HelloKitty and FiveHands deployments, Mandiant suspects that HelloKitty may have been used by an overall affiliate program from May 2020 through December 2020, and FiveHands since approximately January 2021,” they said.

Researchers warn that UNC2447 continues to pose a threat to organizations - particularly as ransomware attacks continue to hit companies worldwide. The issue has turned the heads of both tech companies and government regulators: This week, for instance, a ransomware task force announced it had developed a broad set of recommendations to help address these ransomware attacks.

“UNC2447 has been observed targeting organizations in Europe and North America and has consistently displayed advanced capabilities to evade detection and minimize post-intrusion forensics,” researchers said.
