Decipher (https://decipher.sc) is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2022.

Linux Botnet Targets Weak SSH Server Credentials
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) - https://duo.com/decipher/linux-iot-botnet-targets-weak-ssh-server-credentials

A new botnet has been observed targeting Linux devices by launching brute-forcing attacks on weak or default credentials in order to gain access to SSH servers. Researchers said the botnet’s persistence features and limited distributed denial-of-service (DDoS) capabilities both set it apart from other IoT malware families and also make its primary motivations a mystery.

The malware, named “RapperBot” by researchers due to a URL to YouTube rap music video found embedded in older samples, has rapidly evolved in its capabilities since it was first discovered in mid-June. Since then, researchers said they observed 3,500 unique IPs attempting to scan and brute-force SSH servers with the botnet’s client identification string, mostly made up of IPs from the U.S., Taiwan, and South Korea.

“We discovered that this malware family… is designed to function primarily as an SSH brute forcer with limited DDoS capabilities,” said Joie Salvio and Roy Tay with Fortinet’s Fortiguard Labs in an analysis this week. “As is typical of most IoT malware, it targets ARM, MIPS, SPARC, and x86 architectures.”

While the family borrows from the original Mirai source code - which has been online since 2017 and has led to the emergence of several different botnet variants - its features and implementation details are significantly different from other Mirai-based variants, said researchers. For instance, its built-in brute-force capability against SSH servers separates it from other IoT malware families and from Mirai itself, which instead launch brute-force attacks against Telnet servers that rely on weak passwords.

The botnet has also undergone several changes over the past month. While earlier samples had strings in plaintext, subsequent samples built extra obfuscation onto the strings and implemented an additional layer of XOR encoding to disguise the strings from memory scanners during execution. And in more recent samples the botnet’s developers started adding code to maintain persistence so that the threat actors have continual access to infected devices via SSH, even after the device has been rebooted, which researchers said is not something that’s typically been done in other Mirai variants.

“Apart from maintaining access to every SSH server that it brute forces, RapperBot is also very intent on retaining its foothold on any devices on which it is executed,” said researchers. “Samples from mid-July append the same aforementioned SSH key to the local "~/.ssh/authorized_keys" on the infected device upon execution. This allows RapperBot to maintain its access to these infected devices via SSH even after a device reboot or the removal of RapperBot from the device – something that is atypical to most Mirai variants.”

Additionally, while earlier samples included a brute-forcing credential list that was hardcoded in the binary, later samples retrieved the list from another port on the C2 server, allowing attackers to add SSH credentials without continually needing to update infected devices. Researchers also found some samples in late July attempting to self-propagate after compromise through a remote binary downloader; however, this functionality was removed a few days later and has not been seen in more recent samples.

These “curious changes” made to the botnet have shrouded the botnet’s motivations in mystery. RapperBot’s limited capabilities for DDoS (a typical type of attack that botnets are leveraged for) and lack of additional payloads delivered after the brute forcing takes place have left researchers questioning whether its developers are more interested in expanding their botnet for further nefarious means or simply collecting compromised SSH devices.

“At one point, samples were observed where the DDoS attack capabilities were entirely removed and added back a week later,” said researchers. “Could the DDoS functionality have been retained for masquerading as a typical DDoS botnet to avoid drawing too much attention? It is also possible that this whole campaign is still a work in progress.”

Regardless of the botnet’s motives, researchers recommend that end users set strong passwords for devices, or disable password authentication for SSH where possible, in order to block off RapperBot’s main tactic for propagation (brute-forcing attacks on SSH credentials).
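As an added illustration of the defensive recommendation above and of the authorized_keys persistence described earlier, the following Python script (not part of the article or of the Fortinet research) audits an sshd_config fragment for password-based authentication and checks a ~/.ssh/authorized_keys file against a set of approved key fingerprints, which is how an unexpected key appended by a persistence routine would stand out. The sshd_config text, the key material and the approved fingerprint set are all constructed for the example; a real run would read /etc/ssh/sshd_config and each user's authorized_keys file, and the MaxAuthTries threshold is a local policy choice, not an OpenSSH rule.

```python
import base64
import hashlib
import struct

# Constructed sample sshd_config fragment; not taken from the article. sshd
# keeps the FIRST value it sees for a keyword, so the later "no" never applies.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return {keyword.lower(): first value}, mirroring sshd's first-wins rule.
    Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def weak_settings(settings):
    """Flag settings that leave sshd exposed to credential brute forcing.
    Absent keywords are judged by OpenSSH defaults (password auth on,
    PermitRootLogin prohibit-password, MaxAuthTries 6)."""
    findings = []
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on; use public keys only")
    if settings.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes permits password logins as root")
    if int(settings.get("maxauthtries", "6")) > 3:  # local policy threshold
        findings.append("MaxAuthTries above 3 gives each connection extra guesses")
    return findings


def make_key_line(key_type, raw_key, comment):
    """Build an authorized_keys line from constructed key material (SSH wire format)."""
    kt = key_type.encode()
    blob = struct.pack(">I", len(kt)) + kt + struct.pack(">I", len(raw_key)) + raw_key
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def fingerprint(b64_blob):
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys lines, tolerating a leading options field."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, field in enumerate(fields):
            if field.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(fields):
                entries.append({"type": field, "fingerprint": fingerprint(fields[i + 1]),
                                "comment": " ".join(fields[i + 2:]), "options": " ".join(fields[:i])})
                break
    return entries


def unexpected_keys(entries, allowed_fingerprints):
    """Keys whose fingerprint is not in the approved set (possible persistence)."""
    return [e for e in entries if e["fingerprint"] not in allowed_fingerprints]


# Constructed sample: one approved admin key plus an unlabelled key that was
# appended by something other than the administrator.
KNOWN_ADMIN_KEY = make_key_line("ssh-ed25519", bytes(range(32)), "admin@workstation")
UNKNOWN_KEY = make_key_line("ssh-ed25519", bytes(range(32, 64)), "")
SAMPLE_AUTHORIZED_KEYS = ("# constructed sample ~/.ssh/authorized_keys\n"
                          + KNOWN_ADMIN_KEY + "\n" + UNKNOWN_KEY + "\n")
ALLOWED_FINGERPRINTS = {fingerprint(KNOWN_ADMIN_KEY.split()[1])}


def audit(sshd_config_text, authorized_keys_text, allowed_fingerprints):
    """Combine both checks into one report dict."""
    return {"weak_settings": weak_settings(parse_sshd_config(sshd_config_text)),
            "unexpected_keys": unexpected_keys(parse_authorized_keys(authorized_keys_text),
                                               allowed_fingerprints)}


if __name__ == "__main__":
    report = audit(SAMPLE_SSHD_CONFIG, SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS)
    for finding in report["weak_settings"]:
        print("weak setting:", finding)
    for key in report["unexpected_keys"]:
        print("unexpected key:", key["type"], key["fingerprint"], key["comment"] or "(no comment)")
```

Comparing fingerprints rather than raw lines means a key that has been re-added with different options or a changed comment is still recognised, while any key material that was never approved is reported regardless of how it is labelled.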

Slack Reset Some Users' Passwords Due to Bug in Invite Links
By Dennis Fisher (dennis@decipher.sc) - https://duo.com/decipher/slack-reset-some-users-passwords-due-to-bug-in-invite-links

For more than five years, whenever a user created or revoked a shared invite link for a Slack workspace, Slack transmitted a hashed version of the user’s password to the other members of that workspace. Slack has automatically reset the passwords of the affected users and fixed the bug that led to the issue.

The bug affected about 0.5 percent of all Slack users, the company said, and Slack sent email notifications to all of those affected people on Thursday. In the notice, Slack said the issue occurred because Slack sends various types of information as hidden events through a websocket, which is open as long as a user has Slack open.

“One of the hidden events we send over the websocket is a notice that a shared invite link was created or revoked. The bug we discovered was in this invite link event: along with the information about the shared invite link, the hashed password of the user who created or revoked the link was also included. The information was sent over the websocket to all users of the workspace who were currently connected to Slack,” the notice says.
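As an added example, not code from Slack or from the article, the following Python sketch contrasts the bug pattern the notice describes (serializing a whole user record into an event that is fanned out over a websocket) with an allowlist projection and an egress check on the send path. The user record, field names, event type and recipient list are constructed for the example.

```python
import json

# Constructed user record as a backend might hold it (not Slack's data model);
# the hash must never leave the server inside a broadcast event.
USER_RECORD = {
    "id": "U0001",
    "name": "alice",
    "email": "alice@example.com",
    "password_hash": "$2b$12$constructed-hash-value-not-a-real-secret",
}

# Fields a connected client actually needs to render "alice created an invite link".
INVITE_EVENT_USER_FIELDS = ("id", "name")

# Key names the send path refuses to let through, whatever produced the payload.
SENSITIVE_KEYS = {"password", "password_hash", "secret", "token", "api_key"}


def build_invite_event_unsafe(user, link_id, action):
    """Bug pattern: the whole record is serialized, so every column rides along."""
    return json.dumps({"type": f"shared_invite_link_{action}", "link_id": link_id, "user": user})


def build_invite_event(user, link_id, action):
    """Allowlist projection: only named fields are copied, so a column added to the
    record later stays out of the event until someone deliberately lists it."""
    projected = {k: user[k] for k in INVITE_EVENT_USER_FIELDS if k in user}
    return json.dumps({"type": f"shared_invite_link_{action}", "link_id": link_id, "user": projected})


def leaked_sensitive_keys(payload_json):
    """Egress check: return sensitive key names found anywhere in the payload,
    including nested dicts and lists."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.lower() in SENSITIVE_KEYS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(payload_json))
    return sorted(found)


def broadcast(payload_json, recipients, send):
    """Fan a payload out to every connected recipient, refusing payloads that fail
    the egress check; returns the number of recipients it was delivered to."""
    leaked = leaked_sensitive_keys(payload_json)
    if leaked:
        raise ValueError(f"refusing to broadcast payload containing {leaked}")
    for recipient in recipients:
        send(recipient, payload_json)
    return len(recipients)


if __name__ == "__main__":
    unsafe = build_invite_event_unsafe(USER_RECORD, "L42", "created")
    safe = build_invite_event(USER_RECORD, "L42", "created")
    print("unsafe payload leaks:", leaked_sensitive_keys(unsafe))
    print("allowlisted payload leaks:", leaked_sensitive_keys(safe))
    print("delivered to", broadcast(safe, ["U0001", "U0002", "U0003"], lambda r, p: None), "clients")
```

The projection is the real fix; the egress check is a second, independent layer that catches the same class of mistake in any other event builder that forgets to project.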

The issue affected links created between April 17, 2017, and July 17, 2022, and Slack said an independent security researcher discovered and reported the bug to the company.

“This hashed password was not visible in any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers,” Slack said in a blog post.

“The hash of a password is not the same as the plaintext password itself; it is a cryptographic technique to store data in a way that is secure, but not reversible. In other words, it is practically infeasible for a password to be derived from the hash, and no one can directly use the hash to authenticate.”

The issue only affected a small fraction of Slack’s user base, and the good news is that Slack supports two-factor authentication through a number of different methods, including Duo, Google Authenticator, and others. Slack users can enable 2FA in their Account settings in each individual workspace.

Decipher Podcast: Source Code 8/5
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) - https://duo.com/decipher/decipher-podcast-source-code-8-5

Meta: Bitter APT Espionage Attack Leveraged Apple’s TestFlight Service
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) - https://duo.com/decipher/meta-bitter-apt-cyber-espionage-attack-leveraged-apple-s-testflight-service

Meta has cracked down on a cyber espionage operation where attackers convinced victims to download an iOS chat application via Apple’s legitimate TestFlight service, which is meant to help developers beta-test new applications.

The attackers, which Meta attributed to the known Bitter APT, operate out of South Asia and targeted victims in New Zealand, India, Pakistan and the UK with various social engineering tactics on social media platforms like Facebook with the end goal of deploying malware on their devices. Researchers with Meta said that they don’t have any visibility into whether the unnamed chat app sent by attackers contained malicious code, but they did assess that it may have been used for further social engineering on an attacker-controlled chat medium. The use of real Apple services could aid attackers in bypassing detection and helping them to appear more legitimate, they said.

“This meant that hackers didn't need to rely on exploits to deliver custom malware to targets and could utilize official Apple services to distribute the app in an effort to make it appear more legitimate, as long as they convinced people to download Apple TestFlight and tricked them into installing their chat application,” according to Meta in its Quarterly Adversarial Threat Report, released Thursday.

The Bitter APT group, which has been active since 2013, has previously targeted the energy, engineering and government sectors with RATs that were spread via spear-phishing emails or by the exploitation of known flaws. In 2021, for instance, researchers found the group exploiting a zero-day privilege escalation flaw (CVE-2021-1732) in the Windows 10 operating system. In this most recent campaign, the attackers set up social media accounts pretending to be journalists or activists and persuaded targets to click on malicious links or download malware. Researchers noted that the group “typically invested time and effort in establishing connections with its targets through various channels, including email.”

TestFlight, currently owned by Apple, is only offered to developers within the iOS Developer Program, who can use it to test iOS, iPadOS, watchOS and tvOS apps before they are released to the App Store. The service has previously been abused by attackers, with Sophos researchers in March highlighting an extension of the CryptoRom campaign where attackers targeted iPhone users by deploying fake apps via TestFlight in order to swindle victims out of bitcoin. According to Sophos researchers, attackers abused the service in order to slip by the App Store’s security screening. Up to 10,000 people can be invited to test apps via email or by sharing a public link, and up to 100 testers can support smaller internal applications; and while TestFlight apps shared via public web links must undergo a review of code builds by the App Store, the smaller email-based distribution approach does not require such a security review by the App Store, they said.

Meta took down the accounts linked to these attacks, blocked their domain infrastructure from being shared on its social media services and notified targeted victims. Meta said it also has notified Apple about attackers leveraging TestFlight, but does not have further insight into any subsequent steps that Apple took after it was notified. Apple did not respond to a request for comment.

The company found Bitter APT also using a variety of other tactics to target victims with malware, leveraging a mix of link-shortening services, compromised websites and third-party hosting providers. In one case, researchers found the APT using a new custom Android malware family, which they called Dracarys. In a technique similar to many other Android malware families, Dracarys abused Android operating system accessibility services - a legitimate feature that grants apps certain permissions in order to help users with disabilities - in order to access sensitive data like text messages.

“Bitter injected Dracarys into trojanized (non-official) versions of YouTube, Signal, Telegram, WhatsApp, and custom chat applications capable of accessing call logs, contacts, files, text messages, geolocation, device information, taking photos, enabling microphone, and installing apps,” according to Meta. “While the malware functionality is fairly standard, as of this writing, malware and its supporting infrastructure has not been detected by existing public anti-virus systems.”

Meta also uncovered a campaign by the Pakistan-linked APT36 targeting military personnel, government officials and human rights organization employees in Afghanistan, India, Pakistan, UAE and Saudi Arabia. The attackers posed as recruiters for both legitimate and fake companies as well as military personnel in order to target victims, and shared malicious links to attacker-controlled sites where they hosted malware. In several cases the malware used was XploitSPY, a commodity Android malware available on GitHub. Researchers said APT36’s campaign points to a broader trend of espionage groups using low-cost, off-the-shelf malicious tooling, rather than investing in developing their own tooling.

“This is notable for two reasons,” Nathaniel Gleicher, head of Security Policy with Meta said on a Thursday press call. “First, it democratizes access to these tools. More bad actors can use them, more bad actors will engage in cyber espionage, the barrier to entry is lower. Second, because these tools are commoditized - there are many, many off-the-shelf malware systems that someone can leverage - it means sophisticated threat actors can hide in the noise, making it harder to tell who is doing what and why.”

Both campaigns were uncovered as part of Meta’s efforts to remove malicious and inauthentic behavior from its platforms, with the company regularly cracking down on disinformation and cyber espionage operations, such as malicious activity by two Iranian threat groups that was disclosed in April.

F5 Patches Serious Flaws in BIG-IP
By Dennis Fisher (dennis@decipher.sc) - https://duo.com/decipher/f5-patches-serious-flaws-in-big-ip

F5 has released fixes for a long list of vulnerabilities in its BIG-IP line of security appliances, including one that could allow a remote attacker to take complete control of a target appliance.

The company patched 21 vulnerabilities in all, many of which are high-severity flaws that can give an attacker some level of control over an appliance or allow traffic disruption. The bugs don’t affect F5 Cloud Services or Threat Stack.

Perhaps the most useful vulnerability to an attacker is CVE-2022-35728, which is related to the way that BIG-IP boxes handle iControl REST tokens, which are used for authentication for local and remote users.

“A remote unauthenticated attacker may be able to reuse, for a limited time, an authenticated user's iControl REST token generated from the Configuration utility and access through the management port and/or self IP addresses to execute arbitrary system commands, create or delete files, or disable services. There is no data plane exposure; this is a control plane issue only,” the F5 advisory says.

That vulnerability affects versions 13.x-17.x of BIG-IP, as well as some versions of BIG-IP SPK, and BIG-IQ Centralized Management. For organizations that can’t install the updated versions immediately, there is a workaround that will mitigate this vulnerability.

“You can block all access to the iControl REST interface of your BIG-IP or BIG-IQ system through self IP addresses. To do so, you can change the Port Lockdown setting to Allow None for each self IP address in the system. If you must open any ports, you should use the Allow Custom option, taking care to disallow access to iControl REST,” the advisory says.

“By default, iControl REST listens on TCP port 443 or TCP port 8443 on single NIC BIG-IP VE instances. If you modified the default port, ensure that you disallow access to the alternate port you configured. If you must expose port 443 on your self IP addresses and want to restrict access to specific IP ranges, you may consider using the packet filtering functionality built into the BIG-IP system.”

Among the other bugs F5 patched in its Aug. 3 release is another vulnerability related to the iControl REST functionality, which affects an undisclosed endpoint. This flaw affects BIG-IP versions 13.x-17.x.

“In Appliance mode, an authenticated user with valid user credentials assigned the Administrator role may be able to bypass Appliance mode restrictions. This is a control plane issue; there is no data plane exposure. Appliance mode is enforced by a specific license or may be enabled or disabled for individual Virtual Clustered Multiprocessing (vCMP) guest instances,” the F5 advisory says.

The same mitigation strategy applies to this vulnerability (CVE-2022-35243).

The majority of the other vulnerabilities patched in this release are related to denial-of-service, performance degradation, or increased memory usage.

NVIDIA Fixes High-Severity Flaws in Graphics Drivers For Windows, Linux
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) - https://duo.com/decipher/nvidia-fixes-high-severity-flaws-in-graphics-drivers-for-windows-linux

NVIDIA, which makes graphics processing units (GPUs) for gaming systems, high-end PCs and handheld devices, has issued fixes for several high-severity vulnerabilities in its graphics drivers for Windows and Linux that in some cases could lead to code execution.

The graphics driver (also known as the NVIDIA GPU Display Driver) is the software component that lets a device’s operating system and applications use its gaming-optimized graphics hardware. NVIDIA’s graphics driver has previously been found to contain serious flaws, including ones disclosed in May that could allow attackers to execute arbitrary code and, in some cases, perform guest-to-host escapes on systems running virtual machines.

“This update addresses issues that may lead to denial of service, information disclosure, escalation of privileges, code execution, or data tampering,” said NVIDIA in its Tuesday security release.

NVIDIA’s release includes three flaws that exist in the kernel mode layer (nvlddmkm.sys) of the graphics driver for Windows. One of these (CVE-2022-31606) is a hole in the kernel mode layer handler for the DxgkDdiEscape interface. The interface fails to properly validate data, potentially allowing an attacker “with basic user capabilities” to trigger an out-of-bounds access in kernel mode. This in turn could lead to denial-of-service attacks, information disclosure, privilege escalation or data tampering, said NVIDIA.

Two other high-severity flaws (CVE-2022-31617 and CVE-2022-31610) allow a local user with basic capabilities to “cause an out-of-bounds read, which may lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.” These vulnerabilities are addressed in updates for impacted R515, R510, R470 and R450 Windows driver branch versions.

The security update also includes two flaws stemming from the graphics driver for Linux. One flaw (CVE-2022-31607) in the kernel mode layer (nvidia.ko) stems from improper input validation. This could enable a local attacker to launch an array of attacks, including denial of service, privilege escalation, data tampering and “limited information disclosure.” Another vulnerability (CVE-2022-31608) exists in an optional D-Bus configuration file. Here, “a local user with basic capabilities can impact protected D-Bus endpoints, which may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering,” according to NVIDIA. The updates for impacted versions of Linux driver branches R515, R510, R470, R450 and R390 address these flaws.

NVIDIA also released updates for several flaws in its VGPU software, which include an error in the vGPU plugin that allows a guest VM to allocate resources that the guest is typically not authorized to allocate. According to NVIDIA, exploitation of this flaw could lead to loss of data integrity and confidentiality, denial of service or information disclosure.

VMware Warns of Critical Authentication Bypass Flaw
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) - https://duo.com/decipher/vmware-warns-of-critical-authentication-bypass-flaw

UPDATE - VMware is urging administrators to immediately patch a critical-severity authentication bypass vulnerability, which if exploited could allow a remote attacker with network access to a vulnerable user interface to skip authentication and obtain administrative privileges.

The vulnerability (CVE-2022-31656) exists in VMware’s Workspace ONE Access (formerly Identity Manager) identity management solution - which has been impacted by several serious VMware vulnerabilities over the past year - and vRealize Automation, an infrastructure management platform for configuring IT resources and automating container-based application delivery. Currently, VMware said it has not observed exploitation of the vulnerability in the wild. Further details of the flaw are scant; however, Petrus Viet with VNG Security, who discovered the flaw, said that a technical writeup and proof-of-concept exploit are “soon to follow.”

“Given the history of attacks targeting VMware Workspace ONE instances, organizations should apply these patches immediately,” said Claire Tills, senior research engineer with Tenable's Security Response Team, in a Tuesday alert. “This urgency is compounded by the fact that a proof-of-concept is forthcoming from the researcher who discovered the flaw.”

A VMware spokesperson said that CVE-2022-31656 is a variant of CVE-2022-22972, an authentication bypass vulnerability patched by VMware in May along with a privilege escalation error (CVE-2022-22973). The flaw, also in VMware Workspace ONE Access and vRealize Automation, was highlighted by the Cybersecurity and Infrastructure Security Agency (CISA) in an emergency directive that warned that threat actors would quickly develop methods for exploitation and ordered federal civilian executive branch agencies to apply updates by May 23.

"When a security researcher finds a vulnerability, it often draws the attention of other security researchers who bring different perspectives and experience to the research," said the VMware spokesperson. "CVE-2022-31656, reported by PetrusViet, is a variant of CVE-2022-22972. The update provided in our previous security advisory on May 18 removes CVE-2022-22972 from the environment, but it does not remove this new variant, CVE-2022-31656."

Along with the authentication bypass flaw, VMware on Tuesday also issued patches for nine other vulnerabilities across its products, including an important-severity JDBC injection remote code execution flaw (CVE-2022-31658) in VMware Workspace ONE Access and vRealize Automation and an important-severity SQL injection remote code execution bug (CVE-2022-31659) in VMware Workspace ONE Access. Both of these flaws could be exploited by an attacker with administrator privileges and network access, according to VMware. Tills noted that the authentication bypass achieved with CVE-2022-31656 would allow attackers to exploit these two authenticated remote code execution flaws addressed in the release.

“The biggest concern with this flaw is its potential for use in exploit chains,” said Tills. “On its own, an attacker could achieve administrative access with CVE-2022-31656, but from there, they would be able to exploit several other vulnerabilities patched in this release that allow for remote code execution and full system compromise. The main mitigating factor is that the attacker would need network access to the user interface.”

While workarounds are available for CVE-2022-31656, VMware recommends that organizations apply patches.

“These vulnerabilities are authentication bypass, remote code execution, and privilege escalation vulnerabilities,” said Bob Plankers, staff security and compliance architect at VMware. “It is extremely important that you quickly take steps to patch or mitigate these issues in on-premises deployments. If your organization uses ITIL methodologies for change management, this would be considered an ‘emergency’ change.”

This article was updated on Aug. 3 with a VMware spokesperson's statement.

Firefox 103 Fixes Serious Memory Safety Flaws
By Dennis Fisher (dennis@decipher.sc) - https://duo.com/decipher/firefox-103-fixes-serious-memory-safety-flaws

Mozilla has fixed several vulnerabilities in Firefox, including some high-severity memory safety bugs and an odd bug that could allow an attacker to supply a remote path and cause network problems.

The most serious of the flaws are the memory safety bugs, which Mozilla did not call out specifically or describe in detail. But the company said the vulnerabilities may have led to code execution.

“Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code,” the advisory says.

Firefox 103 also fixes a somewhat unusual flaw that an attacker could use to disrupt network traffic.

“When opening a Windows shortcut from the local filesystem, an attacker could supply a remote path that would lead to unexpected network requests from the operating system. This bug only affects Firefox for Windows,” the advisory says.

Firefox on Android is affected by a separate vulnerability that could allow an attacker to cause a denial-of-service condition on a target device.

“When visiting a website with an overly long URL, the user interface would start to hang. Due to session restore, this could lead to a permanent Denial of Service,” the advisory says.

Firefox users should upgrade to version 103 as soon as possible to protect against these vulnerabilities.

Manjusaka Attack Framework Primed For Cybercriminal Adoption
By Lindsey O’Donnell-Welch (lindsey@decipher.sc) - https://duo.com/decipher/manjusaka-attack-framework-primed-for-cybercrime-adoption

Researchers have unearthed a new attack framework, called Manjusaka, which they warn is primed for adoption across the threat landscape.

The framework has a freely available command-and-control (C2) and extensive credential theft capabilities, and it was developed with the ability to easily create implants with custom configurations. With these factors in mind, researchers believe Manjusaka has potential to gain traction in the world of offensive technologies that are widely available to and used by crimeware and APT operators.

Manjusaka’s developer claims that it has an adversary implant framework similar to the Cobalt Strike or Sliver platforms, both of which are legitimate security tools that have been used by attackers for intrusion and exploitation operations. Cobalt Strike is a commercial adversary simulation platform used for security testing operations, while Sliver is meant to be used by red teams with implants supported on Windows, Linux and macOS. Researchers with Cisco Talos said that while the Manjusaka implants do have capabilities similar to those featured in these popular tools, "there are some deficiencies in their implementation when compared to Cobalt Strike and Sliver."

“As defenders, it is important to keep track of offensive frameworks such as Cobalt Strike and Sliver so that enterprises can effectively defend against attacks employing these tools,” said Asheer Malhotra and Vitor Ventura, researchers with Cisco Talos, in research published Tuesday. “Although we haven't observed widespread usage of this framework in the wild, it has the potential to be adopted by threat actors all over the world.”

Manjusaka has both EXE and ELF implant versions with various features that researchers said are typical for these types of framework implants, including capabilities to control infected endpoints via executing arbitrary commands, to create, manage and delete files on the system and to take screenshots of the victim’s desktop. The implants, once executed, collect comprehensive system information from the endpoint and information about the TCP and UDP network connections on the victim’s system (including local network addresses, remote addresses and owning Process IDs).

Manjusaka also has extensive credential theft abilities, sniffing out Wi-Fi login passwords, as well as credentials for Chromium-based browsers (such as Google Chrome, Chrome Beta, Microsoft Edge and more) and for Navicat Premium, a graphical database management utility that can connect to various database types, like MySQL, Oracle, MongoDB and SQLite (of note, the ELF implant variant, though mostly similar to its Windows counterpart, only has the Navicat Premium credential theft capabilities).

The framework is written in modern programming languages: the C2 is written in Golang with a user interface in Simplified Chinese, the written language used in mainland China, and the implants for Windows and Linux are written in Rust. Since the framework was made public in March, Cisco Talos researchers said they observed a steady development cycle for introducing new features to Manjusaka.

Researchers first came across Manjusaka after spotting a malicious Microsoft Word document with a Cobalt Strike beacon, which was created in June and mentioned a COVID-19 outbreak in the Haixi Mongol and Tibetan Autonomous Prefecture, Qinghai Province. While looking at this malicious document injection chain, researchers found an implant used to instrument Manjusaka infections contacting the same IP address as the Cobalt Strike beacon, meaning the threat actor using the Cobalt Strike beacon in this campaign was also using Manjusaka framework implants.

Upon closer investigation into Manjusaka’s C2 executable on GitHub, researchers found that its developers had created a design diagram for the communications between different components of the framework; however, many of these components are not yet freely available in the C2 binary. For instance, the diagram details communication capabilities over HTTP, TCP and websockets, but the freely available C2 version can only communicate via HTTP. The design diagram is a clue that the framework may be under active development with more of these capabilities coming soon, or that the developer intends to provide the capabilities as a service or tool in the future, with the freely available C2 providing a demo copy of the framework for evaluation.

Manjusaka’s developers have also created the framework so it can easily integrate new targeted platforms, like MacOSX or “more exotic flavors of Linux as the ones running on embedded devices.” At the same time, researchers noted the simplicity of the framework's C2 deployment, which involves a single self-contained file running on Linux that can be deployed by anyone who can download it from GitHub. Researchers said that while observed in-the-wild usage of Manjusaka has been limited so far, its various capabilities and flexible, freely available framework could mean an uptick in adoption by cybercriminals in the future.

The popularity of tools like Cobalt Strike shows the demand for these types of frameworks, which are packed with capabilities and operationalized C2 infrastructure that reduce the legwork needed by adversaries while launching attacks. The use of publicly available or leaked frameworks also makes attribution more difficult for analysts, said Cisco Talos researchers, allowing cybercriminals to sidestep detection. In June 2021, researchers with Proofpoint said that malicious use of Cobalt Strike in campaigns is increasing, with threat actor use of the tool going up 161 percent from 2019 to 2020. Organizations need to stay diligent in protecting against these types of tools and frameworks used by cybercriminals, said Malhotra and Ventura.

“In-depth defense strategies based on a risk analysis approach can deliver the best results in the prevention,” said Malhotra and Ventura. “However, this should always be complemented by a good incident response plan which has not only been tested with tabletop exercises but also reviewed and improved every time it's put to the test on real engagements.”

<![CDATA[Qakbot Attack Uses Email Threads Hijacked From ProxyLogon Compromises]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/qakbot-attack-uses-email-threads-hijacked-from-proxylogon-compromises https://duo.com/decipher/qakbot-attack-uses-email-threads-hijacked-from-proxylogon-compromises

Attackers are using hijacked email threads, harvested in bulk from previous Microsoft ProxyLogon attacks, in order to send messages to victims that deliver the Qakbot malware.

The campaign uses a known tactic that researchers with Cisco Talos call external thread hijacking. Attackers first compromise third-party Exchange servers and exfiltrate their email threads for later use. At a later date, they use a script to process these aggregated emails in bulk into spoofed replies to contacts the victim had previously corresponded with, carrying links to malicious URLs that lead to the deployment of Qakbot.

“After parsing the emails they then seek to weaponize them, but don’t have access to the actual Exchange server that sent the messages initially, just copies of the emails from the ones that received them,” said Nate Pors, senior incident response commander with Cisco Talos. “In this case, they spoofed the addresses to make them appear to come from the original recipient.”

The Qakbot campaign was observed as recently as June and coincides with a resurgence of Qakbot that researchers have observed over the past few months; in March the malware was spotted targeting enterprise organizations to infect them with a tangle of payloads. Researchers said due to ongoing investigations they can’t describe victimology; however, higher-value targets could include companies that have potentially strong or trusted relationships with their email contacts, which would make spoofed emails from the attacker seem more legitimate. Qakbot, which has been around since 2007 when it first emerged as a banking trojan, has since grown into a multi-purpose malware with multiple functionalities, including tools for performing reconnaissance, exfiltrating data and delivering other payloads. Qakbot’s modular nature gives it flexibility for keeping up with the changing threat landscape, allowing attackers to pick and choose the components needed for specifically tailored attacks.

Researchers assess that the hijacked email threads were likely stolen in an earlier campaign that targeted the ProxyLogon flaw in vulnerable Microsoft Exchange servers. The dates of the old emails matched the timeframe of the ProxyLogon exploitation campaign, and Pors said that researchers were able to match a public breach disclosure from one of the identified source organizations.

One red flag for spotting an external thread hijacking attack is if the email is from a spoofed, external sender address, even if the existing email thread looks familiar, said researchers. Another telltale sign is the use of old email threads that may be from 2021 or even 2020 (though Talos observed one email thread as recently as May 2022, indicating that attackers may be using newly harvested threads). Finally, researchers said to keep an eye out for emails with a "malformed" appearance, which may be partly legitimate but also coupled with malicious content or that contain partially scrubbed emails.
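The three red flags above can be turned into a mailbox-side check. The following is an added example written for this article, not code from Cisco Talos or from the researchers quoted here. It assumes the recipient's mail system can look up, by Message-ID, which domains took part in an earlier thread and when that thread last had traffic (the KNOWN_THREADS table); the messages, addresses and message ids are constructed, and the one-year threshold for a "stale" thread is an assumption chosen from the 2020 and 2021 thread dates reported above.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages (invented addresses and message ids, not real data).
# The first imitates an externally hijacked thread: a 2021 thread "replied to"
# in 2022 from an outside domain, with a link placed in the new content.
SPOOFED_REPLY = """\
From: Alice Rivera <alice.rivera@mail-relay.example.net>
Reply-To: alice.rivera@examplecorp.example
To: bob@ourcompany.example
Subject: RE: Q3 vendor contract
Date: Wed, 27 Jul 2022 09:12:00 +0000
In-Reply-To: <20210305.thread.abc@examplecorp.example>
References: <20210305.thread.abc@examplecorp.example>
Content-Type: text/plain; charset="utf-8"

Hi Bob, the updated document is here:
https://files.example-cdn.test/download/contract.zip

> From: Alice Rivera <alice.rivera@examplecorp.example>
> Sent: Friday, March 5, 2021 2:14 PM
> Bob, attached is the draft we discussed.
"""

GENUINE_REPLY = """\
From: Alice Rivera <alice.rivera@examplecorp.example>
To: bob@ourcompany.example
Subject: RE: Q3 vendor contract
Date: Wed, 27 Jul 2022 09:12:00 +0000
In-Reply-To: <20220720.thread.def@examplecorp.example>
References: <20220720.thread.def@examplecorp.example>
Content-Type: text/plain; charset="utf-8"

Bob, yes, let's sign on Friday.

> From: bob@ourcompany.example
> Sent: Wednesday, July 20, 2022 3:02 PM
> Alice, can we close this out this week?
"""

# What the recipient's own mailbox knows about each thread: the domains of the
# people who actually took part, and when it last had traffic. Constructed.
KNOWN_THREADS = {
    "<20210305.thread.abc@examplecorp.example>": {
        "domains": {"examplecorp.example", "ourcompany.example"},
        "last_date": datetime(2021, 3, 5, 14, 14, tzinfo=timezone.utc),
    },
    "<20220720.thread.def@examplecorp.example>": {
        "domains": {"examplecorp.example", "ourcompany.example"},
        "last_date": datetime(2022, 7, 20, 15, 2, tzinfo=timezone.utc),
    },
}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _domain(header_value) -> str:
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def analyze_reply(raw: str, known_threads: dict, stale_days: int = 365) -> list:
    """Return the red flags that apply to one inbound reply, in the order found."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Locate the thread this message claims to continue.
    refs = (str(msg.get("References", "")) + " " + str(msg.get("In-Reply-To", ""))).split()
    thread = next((known_threads[r] for r in refs if r in known_threads), None)
    from_domain = _domain(msg.get("From", ""))

    if thread is not None:
        # Flag 1: familiar thread, but the sender is outside every domain that took part in it.
        if from_domain not in thread["domains"]:
            flags.append("external-sender-on-known-thread")
        # Flag 2: the thread had been dormant for a long time before this "reply".
        sent = parsedate_to_datetime(str(msg["Date"]))
        if sent - thread["last_date"] > timedelta(days=stale_days):
            flags.append("stale-thread-revived")

    # A Reply-To on a different domain than From is a common spoofing tell.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply-to-domain-mismatch")

    # Flag 3: new (unquoted) content carrying a link on top of the copied thread.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    new_text = "\n".join(line for line in text.splitlines() if not line.startswith(">"))
    if URL_RE.search(new_text):
        flags.append("link-in-new-content")
    return flags
```

The check deliberately keys on the thread the message claims to continue rather than on the sender alone: a message from an unknown domain is ordinary, but a message from an unknown domain that carries the References of a thread the organisation actually had with someone else is the pattern described above.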

External thread hijacking shares similarities with email thread hijacking, where attackers use a single compromised organization’s emails to deliver their threat, as opposed to a bulk aggregation of multiple organizations’ harvested emails. External thread hijacking is advantageous to threat actors because it potentially increases the number of threads available to weaponize, said Pors, along with Terryn Valikodath of Cisco Talos, in research published Wednesday.

“This many-to-one approach is unique from what we have generally observed in the past and is likely an indirect effect of the widespread compromises and exfiltration of large volumes of email from 2020 and 2021,” said researchers.

<![CDATA[Decipher Podcast: Source Code 7/29]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-7-29 https://duo.com/decipher/decipher-podcast-source-code-7-29

<![CDATA[Samba Fixes Serious Password-Reset Flaws]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/samba-fixes-serious-password-reset-flaws https://duo.com/decipher/samba-fixes-serious-password-reset-flaws

Many current versions of the Samba SMB file server contain a vulnerability that can allow a user on the server to change the administrator's password and take complete control of the domain.

The vulnerability (CVE-2022-32744) affects Samba versions 4.3 and later and is a result of the way that the Kerberos Key Distribution Center (KDC) handles password-reset requests. The root cause of the bug is that the KDC will accept kpasswd (password reset) requests that are encrypted with any key that it knows. A valid user on the system could abuse this to forge a password-reset request for another user and encrypt it with their own key.

“Tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. By setting the ticket's server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitable one was found, an attacker could have the server accept tickets encrypted with any key, including their own,” an advisory from the Samba maintainers says.

“A user could thus change the password of the Administrator account and gain total control over the domain. Full loss of confidentiality and integrity would be possible, as well as of availability by denying users access to their accounts.”

Samba released a fix for the issue on Wednesday, along with patches for several other vulnerabilities. The most serious of the other bugs is also related to the KDC and password resets. A user could exploit this vulnerability (CVE-2022-2031) to gain access to other services on the domain.

“The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the two services susceptible to confusion. When a user's password has expired, that user is requested to change their password. Until doing so, the user is restricted to only acquiring tickets to kpasswd,” the advisory says.

“However, a vulnerability meant that the kpasswd's principal, when canonicalized, was set to that of the TGS (Ticket-Granting Service), thus yielding TGTs from ordinary kpasswd requests. These TGTs could be used to perform an Elevation of Privilege attack by obtaining service tickets and using services in the forest. This vulnerability existed in versions of Samba built with Heimdal Kerberos. A separate vulnerability in Samba versions below 4.16, and in Samba built with MIT Kerberos, led the KDC to accept kpasswd tickets as if they were TGTs, with the same overall outcome.”

If installing the updated versions isn’t an immediate option, the workaround for both of these vulnerabilities is to disable the kpasswd protocol.
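The key-selection mistake behind CVE-2022-32744 is easier to see in a small model than in the advisory's wording. The following is an added illustration, not Samba or Heimdal code: a service ticket is reduced to a body plus an HMAC tag under the key of the principal it names (real tickets are encrypted, but the point here is which keys the service is willing to try), and the two acceptance functions contrast the pre-fix behaviour described above (try the named principal's key, then fall back to every key the KDC knows) with the fixed behaviour (only the kpasswd service's own key). The principal names and the random keys are constructed; kadmin/changepw is the standard Kerberos name for the kpasswd service.

```python
import hashlib
import hmac
import json
import os

# Toy model of the key-handling bug behind CVE-2022-32744 (added illustration,
# not Samba code). A service ticket is "sealed" under one key with an HMAC tag;
# opening it means the tag verifies under the key being tried.


def make_ticket(key: bytes, sname: str, cname: str, target: str) -> dict:
    """sname: server principal the ticket names; cname: the client;
    target: the account whose password the request would change."""
    body = json.dumps({"sname": sname, "cname": cname, "target": target}, sort_keys=True).encode()
    return {"sname": sname, "body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def _opens_with(key: bytes, ticket: dict) -> bool:
    expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def kpasswd_accepts_vulnerable(ticket: dict, kdc_keys: dict) -> bool:
    """Pre-fix behaviour as the advisory describes it: try the key of whatever
    server principal the ticket names, then fall back to every key the KDC knows."""
    named = kdc_keys.get(ticket["sname"])
    if named is not None and _opens_with(named, ticket):
        return True
    return any(_opens_with(k, ticket) for k in kdc_keys.values())


def kpasswd_accepts_fixed(ticket: dict, kdc_keys: dict, service: str = "kadmin/changepw") -> bool:
    """Fixed behaviour: only the kpasswd service's own key may open the ticket."""
    return _opens_with(kdc_keys[service], ticket)


def demo() -> dict:
    # Constructed KDC key table: the kpasswd service, the TGS, and an ordinary user.
    kdc_keys = {
        "kadmin/changepw": os.urandom(32),
        "krbtgt": os.urandom(32),
        "alice": os.urandom(32),
    }
    # Legitimate ticket issued under the kpasswd service key.
    good = make_ticket(kdc_keys["kadmin/changepw"], "kadmin/changepw", "alice", "alice")
    # Forged ticket: the user names her own principal as the server and seals the
    # ticket with her own key, while the body asks to change Administrator's password.
    forged = make_ticket(kdc_keys["alice"], "alice", "alice", "Administrator")
    return {
        "good_vulnerable": kpasswd_accepts_vulnerable(good, kdc_keys),
        "good_fixed": kpasswd_accepts_fixed(good, kdc_keys),
        "forged_vulnerable": kpasswd_accepts_vulnerable(forged, kdc_keys),
        "forged_fixed": kpasswd_accepts_fixed(forged, kdc_keys),
    }
```

The fixed variant still accepts the legitimate ticket, so the fix costs nothing functionally; what it removes is the implicit trust that any key the KDC happens to hold is an acceptable key for this service.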

<![CDATA[Atlassian Confluence Hardcoded Credentials Bug Actively Exploited]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/atlassian-confluence-hardcoded-credentials-bug-actively-exploited https://duo.com/decipher/atlassian-confluence-hardcoded-credentials-bug-actively-exploited

A critical hardcoded-credentials vulnerability in Atlassian Confluence that was fixed last week is now under active exploitation.

The flaw (CVE-2022-26138) can be exploited by a remote, unauthenticated attacker who knows the hardcoded password for a specific account in the Questions for Confluence app, in order to gain access to all non-restricted pages in Confluence. Atlassian fixed the flaw on July 20, but a day later the company warned that an external party had publicly disclosed the hardcoded password on Twitter and that the flaw was likely to be exploited.

“Unsurprisingly, it didn’t take long for Rapid7 to observe exploitation once the hardcoded credentials were released, given the high value of Confluence for attackers who often jump on Confluence vulnerabilities to execute ransomware attacks,” said Glenn Thorpe with Rapid7 in a Wednesday analysis.

The flaw stems from the disabledsystemuser account, which is intended to assist administrators migrating data from the app to Confluence Cloud. When the disabledsystemuser account is created by the Questions for Confluence app, it uses a hardcoded password. The account is then added to the confluence-users group, which by default allows viewing and editing of all non-restricted pages in Confluence. The flaw only exists when the Questions for Confluence app is enabled; the impacted versions are Questions for Confluence 2.7.34 and 2.7.35, and Questions for Confluence 3.0.2. That said, uninstalling the Questions for Confluence app does not remediate the flaw, Atlassian warned.

"Exploitation efforts at this point do not seem to be very widespread, though we expect that to change. The good news is that the vulnerability is in the Questions for Confluence app and not in Confluence itself, which reduces the attack surface significantly," said Erick Galinkin, principal artificial intelligence researcher at Rapid7. "At this point, the vulnerability has been public for a relatively short amount of time. Coupled with the absence of meaningful post-exploitation activity, we don't yet have any threat actors attributed to the attacks."

Atlassian announced the issue along with two other critical bugs that exist in the Servlet Filters in Java. These flaws (CVE-2022-26136 and CVE-2022-26137) can be exploited by remote unauthenticated attackers.

Both Rapid7 researchers and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged impacted organizations to mitigate the vulnerability immediately, especially because attackers place a high value on Atlassian products. Previously in June, for instance, threat actors targeted a zero-day flaw (CVE-2022-26134) in the Atlassian Confluence Server and Data Center that allowed remote code execution without authentication. Attackers, including nation-state actors, exploited the flaw in order to deploy web shells, botnets, cryptocurrency mining malware and ransomware.

“Organizations using on-prem Confluence should follow Atlassian’s guidance on updating their instance or disabling/deleting the account,” said Thorpe.

<![CDATA[Decipher Podcast: Sean Zadig]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-sean-zadig https://duo.com/decipher/decipher-podcast-sean-zadig

<![CDATA[North Korean Attackers Use Malicious Browser Extension to Steal Email]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/north-korean-attackers-use-malicious-browser-extension-to-steal-email https://duo.com/decipher/north-korean-attackers-use-malicious-browser-extension-to-steal-email

A notorious attack group based in North Korea has been deploying a malicious browser extension for Chrome and Edge that is capable of stealing email content from open Gmail sessions and replacing the victim’s browser preference files.

The extension has been in use for nearly a year and the group that is deploying it, known mainly as Kimsuky, is using it as a post-exploitation tool to maintain persistence on the victim’s machine. Researchers at Volexity identified the extension, which they’re calling SHARPEXT, during some incident response engagements. Unlike many other malicious browser extensions, SHARPEXT does not exist to steal credentials, but is designed specifically to steal data from victims’ email inboxes. The attackers manually install the extension with a VBS script after initial compromise of the machine.

In order to install the extension, the attackers go to the trouble of replacing the Preferences and Secure Preferences files for the target Chromium-based browser, which is not an easy process.

“The Secure Preferences file contains a known-good state of the user’s profile information. Upon startup of Chromium-based browsers, if the Preferences files do not match the loaded configuration, the current configuration will be replaced by the contents of the Secure Preferences file. The Chromium engine has a built-in mechanism that requires that the Secure Preferences file contain a valid "super_mac" value to prevent manual editing of this file,” Volexity researchers Paul Rascagneres and Thomas Lancaster said in an explanation of the attack.

To accomplish the task of replacing the Secure Preferences file, the attackers collect specific information from the browser and then generate a new file, which the browser then loads on start-up. The attackers, whom Volexity refers to as SharpTongue, then use a second script to hide some of the extension’s actions and any windows that might appear to warn victims about anomalous activity. The extension then runs a pair of listeners that look for specific types of activity in browser tabs.
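Because the extension is enrolled by rewriting the profile's preference files rather than through the store, the profile itself records the difference. The following audit is an added example written for this article, not Volexity's tooling or Chromium code: it reads the extensions.settings section of a Chromium Preferences file and flags entries that did not come from the web store, were loaded from a sideloaded location, live at an absolute path outside the profile's Extensions directory, or request access to webmail hosts. The sample preferences, extension ids, names and paths are constructed; the numeric Manifest::Location values (4 for unpacked, 8 for command line) are taken from Chromium's extension code and are marked as an assumption in the comments.

```python
import json
import ntpath
import posixpath

# Constructed sample of the "extensions.settings" section of a Chromium
# Preferences file. Ids, paths and names are invented, not from any real profile.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "state": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Store Extension", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "state": 1,
                "path": "C:\\Users\\Public\\Libraries\\helper",
                "manifest": {
                    "name": "Helper",
                    "permissions": ["tabs", "webRequest", "https://mail.google.com/*"],
                },
            },
        }
    }
})

# Manifest::Location values in Chromium's extension code (assumption on the
# exact numbers: 4 = UNPACKED, 8 = COMMAND_LINE); both mean the extension did
# not arrive through the store.
SIDELOADED_LOCATIONS = {4, 8}
# Webmail hosts named in the article; extend for the mail providers in use.
MAIL_HOSTS = ("mail.google.com", "mail.aol.com")


def audit_extensions(prefs_json: str) -> dict:
    """Map extension id -> list of reasons it deserves a closer look."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = {}
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not-from-webstore")
        if entry.get("location") in SIDELOADED_LOCATIONS:
            reasons.append("sideloaded-location")
        path = entry.get("path", "")
        # Store installs are recorded relative to the profile's Extensions
        # directory; an absolute path points at a directory someone supplied.
        if ntpath.isabs(path) or posixpath.isabs(path):
            reasons.append("absolute-install-path")
        perms = entry.get("manifest", {}).get("permissions", [])
        if any(host in p for p in perms for host in MAIL_HOSTS):
            reasons.append("mail-host-permission")
        if reasons:
            findings[ext_id] = reasons
    return findings
```

Run it against both the Preferences and Secure Preferences files of each profile on a suspect host; a benign unpacked developer extension will also show up, so the value is in the combination of reasons, particularly a non-store extension that asks for webmail access.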

“The first versions of the malicious extension encountered by Volexity only supported Gmail accounts. The latest version supports both Gmail and AOL mail accounts. The purpose of the response parsing is to steal email and attachments from a user's mailbox. The extension can generate web requests to download additional email from the web page,” the researchers said. Kimsuky/SharpTongue is a well-known and highly active threat group aligned with North Korea that is mostly associated with cyberespionage attacks and IP theft operations. The group uses a number of custom tools and malware, including Babyshark. The SHARPEXT extension is under active development and Volexity’s researchers said its installation is customized for each individual victim.

“The use of malicious browser extensions by North Korean threat actors is not new; this tactic has typically been used to infect users as part of the delivery phase of an attack. However, this is the first time Volexity has observed malicious browser extensions used as part of the post-exploitation phase of a compromise,” the researchers said.

“By stealing email data in the context of a user's already-logged-in session, the attack is hidden from the email provider, making detection very challenging. Similarly, the way in which the extension works means suspicious activity would not be logged in a user's email “account activity” status page, were they to review it.”

SHARPEXT has been installed on Chrome, Edge, and the Whale browser, which is a South Korean application.

<![CDATA[Experts Urge Congress to Pressure Commercial Spyware Vendors]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/experts-urge-congress-to-pressure-commercial-spyware-vendors https://duo.com/decipher/experts-urge-congress-to-pressure-commercial-spyware-vendors

For years, civil society groups, security researchers, and human rights organizations have been fighting against and warning about the use of commercial spyware to target activists, journalists, dissidents and other vulnerable groups, with limited success. Now, those organizations are asking the United States intelligence community to step in and wield its considerable power to take away the tools mercenary spyware vendors supply to state actors and other customers.

Companies such as NSO Group and Candiru that sell commercial spyware advertise their wares as means to keep tabs on suspected terrorists or criminals and often claim that they do not sell to repressive regimes and control their systems tightly. But researchers and activists have found many examples of these tools being used by governments and private organizations to target dissidents, journalists, and others. Researchers at the Citizen Lab at the University of Toronto’s Munk School have documented the abuses of tools such as NSO Group’s Pegasus for many years, including the targeting of politicians in Catalonia, Poland, Thailand, and elsewhere in recent years.

In a hearing on Wednesday, researchers from Citizen Lab and Google detailed the extent of the use and abuse of these tools for members of the House Select Committee on Intelligence, and said that the companies’ claims of controlling their tools ring false.

“The facts don’t bear this out. Abuse has been a feature of this technology since day one,” John Scott-Railton, a senior researcher at Citizen Lab, said during the hearing. “It is inevitable that nonstate actors will get their hands on these capabilities and cause immeasurable harm.”

That harm was on clear display during the testimony of Carine Kanimba, a U.S. citizen who was born in Rwanda and was targeted by NSO Group’s Pegasus spyware last year. Kanimba’s adoptive father, a permanent U.S. resident and vocal activist for democracy in Rwanda, was kidnapped in Dubai and rendered back to Rwanda, where he was sentenced to 25 years in prison. Forensic analysis of Kanimba’s phone in the months after her father’s kidnapping revealed the presence of Pegasus.

“The reports show that the spyware triggered into operation as I walked with my mother into a meeting with the Belgian Minister of Foreign Affairs. It was active during calls with the US Presidential Envoy for Hostage Affairs team and the U.S. State Department, as well as when speaking with US human rights groups. This surveillance is illegal under U.S. law and allowed the Rwandan government to always stay a step ahead as we fought to keep our father alive and secure his release,” she said in her testimony.

The use of these tools is no secret, and the federal government has taken action recently to limit their use, specifically in the U.S. In November 2021, the Department of Commerce placed NSO Group and Candiru, two prominent Israeli spyware vendors, on the Entity List, effectively prohibiting American companies from doing business with them. And security researchers regularly expose the tools spyware vendors sell, as well as the exploits and vulnerabilities they use. In order to remain effective against modern devices such as iPhones and Android phones, spyware vendors need access to zero-day vulnerabilities and exploits, bugs and techniques that have not yet been disclosed publicly. Many vendors have their own teams of internal researchers who look for new vulnerabilities and develop exploits for them, but they will also buy new bugs from outside researchers.

This supply of zero days and exploits is what keeps the trains running for spyware vendors, and Scott-Railton and Shane Huntley, director of Google’s Threat Analysis Group, which tracks state actors and other high-level attackers, said that the efforts of private researchers to limit that supply and its effectiveness can only go so far.

“Taking them on has to be a team sport. We all have our own visibility into this but we do not have some of the capabilities that the intelligence community has and the things they’re authorized to do,” Huntley said.

“There is very good cooperation in this community, and there needs to be, because each of us sees some part of the picture. We can’t let the adversaries take advantage of any disconnection. We have a common enemy here. This is not a competition.”

The various U.S. intelligence agencies employ some of the top offensive research and attack teams that do their own vulnerability research and exploit development and have the demonstrated means and capabilities to gain access to just about any target they choose. Scott-Railton said that capability could be put to good use in exposing the stockpiles of zero days and exploits spyware vendors maintain.

“If the U.S. intelligence community identified these zero days–and it could–and submitted them to the big tech companies, you could burn their houses down,” he said.

“I’d encourage the intelligence community to identify and disrupt the activities of these companies. Doing business with governments, getting acquired by a U.S. company or even doing business with police departments in the U.S. is the golden prize for spyware companies. I’d encourage Congress to look at all those areas as ways to engage.”

Huntley also suggested that the U.S. and other governments should use their economic and diplomatic power to pressure spyware vendors and the countries in which they operate.

“Additionally, the U.S. government should consider a full ban on Federal procurement of commercial spyware technologies and contemplate imposing further sanctions to limit spyware vendors’ ability to operate in the U.S. and receive U.S. investment. The harms from this industry are amply evident by this point, and we believe they outweigh any benefit to continued use,” Huntley said in his written testimony.

“Finally, we urge the United States to lead a diplomatic effort to work with the governments of the countries who harbor problematic vendors, as well as those who employ these tools, to build support for measures that limit harms caused by this industry. Any one government’s ability to meaningfully impact this market is limited; only through a concerted international effort can this serious risk to online safety be mitigated.”

Also on Wednesday, Microsoft published details about the operations of a vendor in Austria called DSIRF that Microsoft said was responsible for the development and sale of a toolset called Subzero.

<![CDATA[Cyber Mercenary Leveraged Windows Zero Day in Subzero Malware Attack]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/cyber-mercenary-leveraged-windows-zero-day-in-subzero-malware-attack https://duo.com/decipher/cyber-mercenary-leveraged-windows-zero-day-in-subzero-malware-attack

A cyber mercenary targeted European and Central American victims in “limited attacks” that leveraged multiple Microsoft and Adobe flaws - including a recently patched Windows zero-day bug - in order to deploy malware called Subzero.

Microsoft said that the cyber mercenary, which it tracks as Knotweed, is an Austria-based private-sector offensive actor called DSIRF "that ostensibly sells general security and information analysis services to commercial customers." Cyber-mercenary threat groups typically develop and offer an array of hacking and surveillance services to individuals and governments globally. This specific actor has been observed both developing and selling the Subzero malware to third parties and using its own infrastructure in some attacks, “suggesting more direct involvement.” Researchers have observed victims - including law firms, banks and consultancies - in various countries, such as Austria, the UK and Panama.

“MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks,” said Microsoft researchers in a Wednesday analysis. “These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF.”

The Subzero malware was deployed via exploit chains that leveraged several vulnerabilities, including a zero-day Windows flaw (CVE-2022-22047) used in attacks for privilege escalation. The bug, which Microsoft patched in its regularly scheduled July security updates, exists in the Windows Client Server Runtime Subsystem (CSRSS); if exploited by an attacker, the important-severity flaw could be used to escape sandboxes and achieve system-level code execution.

An Adobe Reader remote code execution flaw was also targeted as part of the exploit chain. While researchers were not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, they assessed with “medium confidence” that this flaw is a zero-day exploit, given Knotweed’s use of other zero days.

“The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process,” said researchers. “The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.”

Researchers observed several other vulnerabilities being leveraged in exploit chains to deploy Subzero including three Windows privilege escalation bugs (CVE-2021-31199, CVE-2021-31201 and CVE-2021-3648) and an Adobe Reader flaw (CVE-2021-28550). Beyond these exploit chains, Subzero was also seen being deployed via an Excel file that masqueraded as a real estate document, but was actually a malicious macro.

After initial access, a downloader shellcode was executed that retrieved a second-stage malware from the actor-operated command-and-control (C2) server; this main payload, which resided exclusively in memory to avoid detection, had a variety of capabilities, including keylogging, capturing screenshots, stealing files, and running remote shells and arbitrary plugins. Knotweed was also observed using custom utility tools that it had developed called Mex and PassLib, which dumped credentials from web browsers, Windows credential manager and email clients.

Microsoft’s hope in sharing information (like malware signatures) linked to cyber mercenary groups like Knotweed with its customers and industry partners is to improve detection of these attacks. Other companies in the tech industry have taken similar steps, with Google in June applying its Safe Browsing protection feature to more than 30 domains linked to several hack-for-hire operations. These hack-for-hire firms had targeted a range of accounts, including Gmail and AWS accounts, in order to carry out corporate espionage attacks against firms, as well as campaigns that target human rights and political activists, journalists and other high-risk users worldwide.

The public sector is also calling attention to spyware and cyber mercenary commercial firms, with the Intelligence Authorization Act, a bill recently passed by the House Intelligence Committee, including several parts that crack down on firms selling surveillance technology. In a Wednesday House Permanent Select Committee on Intelligence Hearing about “Combating the Threats to U.S. National Security from the Proliferation of Foreign Commercial Spyware,” Microsoft and other firms described how they are increasingly seeing cyber mercenaries selling their tools to authoritarian governments in order to target human rights activists, journalists, dissidents and others.

“We welcome Congress’s focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world,” said Cristin Goodwin, general manager with Microsoft’s Digital Security Unit, on Wednesday. “We will continue to advocate around policy solutions to address the dangers caused when [private-sector offensive actors] build and sell weapons.”

<![CDATA[U.S. Government Grapples With Cyber Incident Reporting Pain Points]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/cyber-incident-reporting-pain-points-a-government-push-and-public-perception https://duo.com/decipher/cyber-incident-reporting-pain-points-a-government-push-and-public-perception

After seizing $500,000 from a North Korean state-sponsored group in May, the Justice Department (DoJ) was quick to point out that one of the group’s ransomware victims - a Kansas-based healthcare provider - was the reason it was able to trace the money after the provider notified the FBI when it was attacked.

The promotion of cyber incident reporting has emerged as a priority not only for the DoJ but for several agencies across the U.S. government, including the Cybersecurity and Infrastructure Security Agency (CISA), over time, and especially on the heels of recent high-profile ransomware attacks. An increased number of tips on incidents could help authorities both support victims and better understand the cybercrime landscape, reasons touted recently by Deputy Attorney General Lisa O. Monaco at the International Conference on Cyber Security, who said the cooperation of the Kansas-based healthcare provider allowed authorities to identify the ransomware strain and recover ransom payments of previously unknown victims.

“Thanks to rapid reporting and cooperation from a victim, the FBI and Justice Department prosecutors have disrupted the activities of a North Korean state-sponsored group deploying ransomware known as ‘Maui,’” said Monaco in a statement.

The U.S. government faces an uphill battle. The right incentives are needed for organizations that have historically feared reputational backlash. At the same time, concerns remain about the government’s bandwidth to process, analyze, respond to and effectively share data once it has actually been reported.

However, from a long-term perspective, security professionals agree that more consistent cyber incident data reporting could translate to a fuller picture about the scope, scale and impact of ransomware attacks, which in turn could help interpret whether certain steps are effective or not in hindering cybercriminals, such as sanctions by governments.

“At the plainest level, it's giving the government a sense of whether the policy tools, including regulatory tools, and other measures it’s taking to measure ransomware, are actually having an impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology (IST) and co-chair of the IST’s Ransomware Task Force. “Without the information, we’re kind of flying blind. There’s not an ability to use the full scope of the government's authorities to manage this risk with an imperfect information environment.”

Historically, cyber incident reporting has been hindered by the stigma of being a victim of a breach or cyberattack. Companies like Uber and CafePress have actively attempted to cover up security incidents. Stifel said that businesses have ongoing, longstanding concerns about liability and reputational damage. Opportunities remain for the government to better articulate the “scope of liability protection” for sharing information, she said.

“No one wants to be the first one, or second one, or third one to say ‘we shared this information with the government and we were protected;’ that still doesn’t help them with reputational risk,” said Stifel. “We’re also not yet in the place where the market rewards companies for being more transparent about that. More conversation needs to happen around those competing issues.”

DoJ officials have praised FireEye's role in the discovery of the SolarWinds attack - where malware was installed in SolarWinds software updates that the company said impacted fewer than 100 customers - as “model behavior” in hopes of highlighting the benefits of incident reporting. FireEye, one of the victims of the 2020 supply-chain attack, disclosed the incident publicly, helping to unearth the full scope of the campaign and its impact on other companies. However, the government needs to go a step further beyond commending businesses that report cyber incidents and provide them with actual incentives and even rewards, Stifel argued. She added that the government grants available for state and local government entities to help them address security risks and threats mark potential progress in this area.

“I think we’re still on the incentives piece where… [we’re asking] could we be offering more to victims coming forward to incentivize their disclosure to the government? Is there something like a safe harbor that would be useful? Could we offer them support - not to pay the ransom - but in the form of resources or grants to rebuild systems in the event of an incident?”

Over time, the government has relied on regulatory policies for cyber incident reporting. However, the current regulatory landscape is made up of a patchwork of different guidelines across several agencies, adding layers of complexity to the process of reporting incidents.

Research from the R Street Institute in June tracked at least 24 existing cybersecurity incident and breach reporting policies (not including state, local, tribal and territorial reporting mandates) that showcased variations in the authoritative agencies receiving the reports, the scope of reporting, the definition of disclosure and the timeline to disclosure.

“You have to report the same information to a lot of different entities, and this isn’t even at the state level,” said Sofia Lesmes, senior research associate, Cybersecurity and Emerging Threats with the R Street Institute. “So you could hypothetically see some businesses or banks saying ‘well, I already reported to the government once, why do I have to now to three different banking institutions?’”

The targets of these policies vary widely, from a 2016 Coast Guard policy that requires Maritime Transportation Security Act-regulated vessels to report security breaches, to a 2021 TSA security directive that requires transportation operators to report incidents to CISA. The reporting timelines vary as well: a final rule approved by the Federal Deposit Insurance Corporation (FDIC) in March mandated that banks notify federal regulators of security incidents within 36 hours, while a set of amended rules proposed by the U.S. Securities and Exchange Commission (SEC) would require publicly traded companies to disclose security incidents within four days of determining that an incident is material.

Stifel said that the government needs to work toward a system that makes it “as easy as possible” for entities that want to report a cyber incident.

“If you look at the ways you could report to the U.S. government, it’s all over the map,” she said. “We really do need to be working towards some sort of baseline where even small businesses or SMBs could support the information ecosystem in a more holistic manner that better equips us to manage the risk.”

While these efforts existed long before the hack of Colonial Pipeline, the resulting Cyber Incident Reporting for Critical Infrastructure Act, signed into law in March 2022, brought with it a renewed focus not just on reporting requirements for critical infrastructure sectors with built-in liability protections, but also on an overall effort by the government to improve and standardize federal incident reporting.

“A lot of this was already coming down the pike before Colonial Pipeline,” said Mary Brooks, resident fellow, Cybersecurity and Emerging Threats with the R Street Institute. “We were tightening this for years, there was an awareness that the government did not know as much as it wanted to know about industry, and that that limited it from a national security perspective. Colonial Pipeline just blew it up more.”

Under the law, critical infrastructure operators must report cyber incidents to CISA within 72 hours and report ransomware payments within 24 hours. The act also calls for the Department of Homeland Security (DHS) to establish a Cyber Incident Reporting Council, which is tasked with creating a list of recommendations for Congress on how the government can “coordinate, deconflict and harmonize Federal incident reporting requirements.” CISA, which already oversees several incident reporting regulations including the Federal Incident Notification Requirements (effective in 2017) that require federal civilian executive branch agencies to disclose security incidents to the agency and OMB, has until 2024 to develop proposals for finalized rules for the Cyber Incident Reporting for Critical Infrastructure Act.

Different government agencies are also undertaking their own efforts around incident reporting. In its strategic goals for the coming fiscal years, the FBI recently said it planned to increase the percentage of reported ransomware incidents “from which cases are opened, added to existing cases, or resolved or investigative actions are conducted within 72 hours” to 65 percent. The FBI did not respond to a request for comment about previous reporting percentages; however, in June officials said that less than 25 percent of NetWalker ransomware victims reported incidents to law enforcement.

Moving the needle on cyber incident reporting is important, but arguably more significant are the processes government agencies leverage to receive, analyze and respond to that data. Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, stressed that the end goal is not reporting, but rather the ability to create a speedier transmission of information and analysis of that information.

“Incident reporting is an element, but it’s not an end in itself,” said Montgomery. “It’s a means to an end of a better understanding of the threat environment, and then really long term a better more ubiquitous sharing of information.”

At the same time, security experts like Eleanor Fairford, deputy director for incident response with the National Cyber Security Centre, have previously pointed out a problematic lack of response by government officials once an incident is reported. In order to keep up with the influx of data on reported cyber incidents, government agencies need a quality information sharing and distribution system, as well as professional statisticians with the capabilities to sift through the data and understand the trends that are occurring (a database with such capabilities is also one of the many elements of the Cyber Incident Reporting for Critical Infrastructure Act that CISA is continuing to flesh out).

The Cyberspace Solarium Commission has proposed the establishment of a Bureau of Cyber Statistics for the U.S. government, which would serve as an agency for collecting and analyzing data related to cyber incidents and cybercrime, and sharing that data with federal agencies, the private sector and the public. National Cyber Director Chris Inglis last year expressed support for the idea.

“We absolutely have to build the infrastructure for data sharing, so that this information begins to become easily transferable,” said Montgomery. “This information after it is shared has to be analyzed and then also needs to be shared with others so that we each can have a good understanding of what the threat signals are out there, and what the tactics and procedures used by the attackers are.”

Overall, the government is taking steps in the right direction around cyber incident reporting, and Stifel said she hopes that public perception around data breach reporting will change in the future, particularly with more collaboration between private and public entities around cybersecurity.

“I do think it will change,” she said. “I hope it will change… with the evolution of the market rewarding good cybersecurity, it’s reasonable to expect to see less shame in the next 10 years or so.”

<![CDATA[TSA Updates Security Requirements For Pipeline Operators]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/tsa-reissues-security-directive-requirements-for-pipeline-operators https://duo.com/decipher/tsa-reissues-security-directive-requirements-for-pipeline-operators

A revised Security Directive from the Transportation Security Administration (TSA) focuses on giving oil and natural gas pipeline owners more flexibility in meeting cybersecurity requirements by relying on “performance-based,” rather than “prescriptive,” measures.

The TSA, which is part of the DHS, had previously outlined an updated Security Directive in July 2021 on the heels of the Colonial Pipeline ransomware attack in May 2021. However, a Politico report in March outlined struggles by pipeline operators that were trying to comply with this original directive, which they said pushed security practices developed for information technology systems rather than operational technology (OT) systems. TSA Administrator David Pekoske said that the department has since worked with the pipeline industry to address these issues before reissuing the latest Security Directive, which goes into effect on July 27.

“The directive establishes a new model that accommodates variance in systems and operations to meet our security requirements,” said Pekoske in a statement last week. “We recognize that every company is different, and we have developed an approach that accommodates that fact, supported by continuous monitoring and auditing to assess achievement of the needed cybersecurity outcomes.”

These security outcomes include the development of network segmentation policies and controls to make sure systems can still safely operate if they have been compromised; the creation of access control measures to prevent unauthorized access; the buildout of monitoring and detection policies to sniff out any threats; and the application of security updates for systems “in a timely manner using a risk-based methodology.”

In order to meet these outcomes, operators are required to establish a Cybersecurity Implementation Plan, approved by the TSA, which outlines the specific security measures in place. They must also develop an incident response plan that includes the steps that the operators will take in the event of a security incident that causes operational or business disruption. Finally, they must create a Cybersecurity Assessment Program that helps proactively test and audit the effectiveness of these security measures and identify flaws across devices, networks and systems.

The outcry against the previous directive highlights, in part, the very different environmental factors that OT systems face compared to IT systems. For instance, factors like critical downtime and the complexity of legacy systems often complicate the process of patch management. The previous directive said that pipeline operators could request permission to use their own techniques if these security requirements were unattainable. However, according to the Politico report, this quickly led to a backlog, due in part to an unanticipated volume of requests and limited staffing at the TSA.

The new directive comes with wording that intends to give more flexibility to deal with these factors. For instance, when it comes to applying multi-factor authentication or other security controls to improve password authentication, “if an owner/operator does not apply multi-factor authentication for access to industrial control workstations in control rooms regulated under 49 CFR parts 192 or 195, the owner/operator shall specify what compensating controls are used to manage access,” specified the new directive.

“In general, it appears that the TSA listened to the feedback provided by the industry on the prior security directive, and moved this recent directive towards a more objective set of achievable requirements rather than prescriptive,” said Marty Edwards, vice president of Operational Technology Security at Tenable. “However, it still appears that there are a number of fairly prescriptive requirements that pipeline operators will be required to comply with. This is an incredibly difficult balance to try to get right, and from my perspective, the TSA has done a reasonable job with this new set of security measures.”

In the fourteen months since the Colonial Pipeline attack, the pipeline sector has faced an “evolved and intensified” security threat, reinforcing the need for improved security measures, said the TSA. Edwards said the “bottom line” is that investment needs to continue in OT cybersecurity, both in the pipeline sector and across all critical infrastructure sectors.

“While the threat landscape is still very diverse, I still believe that the most significant risk that pipeline operators face is the threat of criminal ransomware operators impacting their production,” said Edwards. “Ensuring a baseline standard of care and implementing basic cybersecurity protections goes a long way to prevent these types of attacks from succeeding.”

<![CDATA[New CosmicStrand UEFI Rootkit Variant Found]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/new-cosmicstrand-uefi-rootkit-variant-found https://duo.com/decipher/new-cosmicstrand-uefi-rootkit-variant-found

Researchers have discovered a new variant of a UEFI rootkit that has been in existence since at least 2016 and has been used to target individual victims in several countries, including China, Russia, and Iran. The malware has only been found on machines that have motherboards with the Intel H81 chipset, and researchers are not certain how attackers were able to gain access to the targeted machines initially.

The newly discovered rootkit is known as CosmicStrand, and it has a long, complex execution chain whose ultimate goal is to drop a kernel-mode implant on Windows machines and stay hidden and persistent for as long as possible. CosmicStrand was discovered in some firmware images for ASUS and Gigabyte motherboards. The researchers at Kaspersky who discovered the rootkit were unsure how it got into the firmware in the first place, but posited that a common vulnerability may be the culprit.

“In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup, triggers a long execution chain which results in the download and deployment of a malicious component inside Windows,” the Kaspersky analysis says.

“Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware. This could be achieved through a precursor malware implant already deployed on the computer or physical access.”
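The modification Kaspersky describes above, a DXE driver whose entry point is redirected into code added to its .reloc section, can be triaged with a cheap header check: a PE module's entry point should land in an executable code section, not in the relocation section. The following script is an added example written for this article, not Kaspersky's tooling or any project code. It parses the COFF header, the entry-point RVA and the section table of a PE-format module, and flags an entry point that falls inside .reloc, outside every section, or in a section without the IMAGE_SCN_MEM_EXECUTE flag; it also flags a .reloc section that has been marked executable. The `build_image()` helper constructs a minimal synthetic PE32+ image purely as test data and is not a real firmware module.

```python
"""Triage check for PE-format UEFI DXE modules: does the entry point live in code?

Added example (not Kaspersky's code). Parses only the PE fields needed for
the check; the sample images it runs on are constructed inline.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section Characteristics flag: contains executable code
SECTION_HEADER_SIZE = 40             # size of one IMAGE_SECTION_HEADER


def parse_pe(image: bytes) -> dict:
    """Return the entry-point RVA and the section table (name, vaddr, vsize, characteristics)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header for both PE32 and PE32+
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr = struct.unpack_from("<8sII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]   # Characteristics is the last field
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars))
    return {"entry_rva": entry_rva, "sections": sections}


def check_entry_point(image: bytes) -> dict:
    """Return findings about where the module's entry point lands and how .reloc is flagged."""
    pe = parse_pe(image)
    rva = pe["entry_rva"]
    hit = next((s for s in pe["sections"] if s[1] <= rva < s[1] + s[2]), None)
    findings = []
    if hit is None:
        findings.append("entry point outside every section")
    elif hit[0] == ".reloc":
        findings.append("entry point inside .reloc (relocation data, not code)")
    elif not hit[3] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point in a non-executable section")
    for name, _, _, chars in pe["sections"]:
        if name == ".reloc" and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(".reloc section is marked executable")
    return {
        "entry_rva": rva,
        "entry_section": None if hit is None else hit[0],
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_image(entry_rva: int, reloc_executable: bool = False) -> bytes:
    """Construct a minimal PE32+ image with .text and .reloc sections (synthetic test data)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 112, 0x2022)
    opt = bytearray(112)                                         # PE32+ optional header, no data dirs
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)

    def sec(name, vaddr, vsize, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)

    text = sec(b".text", 0x1000, 0x400, 0x60000020)              # CODE | EXECUTE | READ
    reloc_chars = 0x42000040 | (IMAGE_SCN_MEM_EXECUTE if reloc_executable else 0)
    reloc = sec(b".reloc", 0x2000, 0x100, reloc_chars)           # INITIALIZED_DATA | DISCARDABLE | READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + reloc


if __name__ == "__main__":
    for label, img in [("clean", build_image(0x1010)),
                       ("entry in .reloc", build_image(0x2020)),
                       ("executable .reloc", build_image(0x1010, reloc_executable=True))]:
        print(label, check_entry_point(img))
```

The check is deliberately narrow. If a patcher leaves AddressOfEntryPoint alone and instead overwrites the first bytes of the original entry function with a jump into .reloc, the header looks normal and only a byte-level comparison against a known-good copy of the same module (or inspection of the entry code itself) will reveal it. Treat a hit here as a reason to pull the image for closer analysis, and a clean result as no more than the absence of one crude indicator.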

Researchers at Qihoo360 in China discovered earlier versions of this malware family five years ago.

UEFI rootkits are quite rare and typically have been seen in highly targeted attacks. This type of malware is designed specifically to infect computers at the lowest level and to enable an attacker to maintain persistence, even through reboots and OS reinstalls. The UEFI (unified extensible firmware interface) connects the firmware to the operating system, and performs many of the same functions as the older BIOS systems. Targeting the UEFI firmware can give an attacker a tremendous advantage, but it is also a difficult trick to pull off.

“UEFI malware authors face a unique technical challenge: their implant starts running so early in the boot process that the operating system (in this case Windows) is not even loaded in memory yet – and by the time it is, the UEFI execution context will have terminated. Finding a way to pass down malicious code all the way through the various startup phases is the main task that the rootkit accomplishes,” the Kaspersky analysis says.

CosmicStrand gets its kernel shellcode payload from one of two C2 servers and the payload arrives in several separate chunks, which are then reassembled into bytes that are mapped to kernel space. The researchers were not able to retrieve the payload delivered by the C2 servers.

“We did, however, find a user-mode sample in-memory on one of the infected machines we could study, and believe it is linked with CosmicStrand. This sample is an executable that runs command lines in order to create a user (“aaaabbbb”) on the victim’s machine and add it to the local administrators group,” the researchers said.

Kaspersky did not specify the number of victims targeted with CosmicStrand, but said they all appeared to be private citizens and are located in China, Iran, Vietnam, and Russia. The researchers said the malware likely was developed by a Chinese-speaking actor and identified several similarities between CosmicStrand and the MyKings botnet malware, including some identical code.

Earlier this year, Kaspersky identified another UEFI rootkit called MoonBounce that was used against one known victim.