The number of APT groups targeting organizations in Ukraine as part of the war with Russia continues to grow, as researchers have identified a new threat actor that has compromised agricultural, government, and transportation organizations in the country with a previously unseen attack framework and backdoor known as PowerMagic.

The group, which researchers at Kaspersky discovered and is as-yet unnamed, likely uses spear phishing as its initial access vector, luring victims to an attacker-controlled URL that directs them to a ZIP archive. That archive contains an LNK file and a PDF decoy document that in some cases is named in a similar way to the LNK file to add legitimacy. If the victim opens the LNK file, it will download and execute an MSI file hosted on a remote server. That eventually leads to the installation of the PowerMagic backdoor, which is written in PowerShell and uses OneDrive and Dropbox folders to transport files.

PowerMagic is a relatively simple backdoor, communicating with a remote C2 server to receive and execute commands and upload the results to the cloud storage sites. But its real purpose appears to be to install the CommonMagic framework, which has a number of individual modules and features.

“All the victims of PowerMagic were also infected with a more complicated, previously unseen, modular malicious framework that we named CommonMagic. This framework was deployed after initial infection with the PowerShell backdoor, leading us to believe that CommonMagic is deployed via PowerMagic,” an analysis of the framework by Kaspersky researchers says.

“The CommonMagic framework consists of several executable modules, all stored in the directory C:\ProgramData\CommonCommand. Modules start as standalone executable files and communicate via named pipes. There are dedicated modules for interaction with the C&C server, encryption and decryption of the C&C traffic and various malicious actions.”

CommonMagic has the ability to download new executable modules and also has a pair of plugins. One of the plugins takes a screenshot of the infected machine every three seconds, and the other grabs the contents of any connected USB drive. CommonMagic and PowerMagic don’t have any specific connections to known attack groups.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors. However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it,” the Kaspersky researchers said.

Last week, researchers at SentinelOne detailed recent intrusions in Ukrainian organizations by a low-profile Russian APT group known as Winter Vivern. That team has targeted Ukrainian government agencies, as well as organizations in Poland.

The maintainers of the curl library have released version 8.0.0, which addresses six security vulnerabilities, including an authentication bypass in the way that the library handles FTP connections.

The release of libcurl 8.0.0 coincides with the 25th anniversary of the initial release of the tool, which is used in countless projects and apps. Most of the vulnerabilities fixed in this version are relatively low severity, with the authentication bypass being the most serious of the six. That bug (CVE-2023-27535) derives from the fact that libcurl reused FTP connections.

“libcurl would reuse a previously created FTP connection even when one or more options had been changed that could have made the effective user a very different one, thus leading to the doing the second transfer with wrong credentials,” the advisory says.

“libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, several FTP settings were left out from the configuration match checks, making them match too easily.”

Among the other vulnerabilities patched in the new version is a bug (CVE-2023-27538) that is nearly identical to an older one related to SSH connections that had been fixed previously, but that fix was incomplete.

“libcurl would reuse a previously created connection even when an SSH related option had been changed that should have prohibited reuse,” the advisory says.

“libcurl keeps previously used connections in a connection pool for subsequent transfers to reuse if one of them matches the setup. However, two SSH settings were left out from the configuration match checks, making them match too easily.”

There is also a vulnerability related to the implementation of SFTP in curl that can allow an attacker to get around filtering.

“Curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element in the path to denotes a path relative to the user's home directory. This is supported because of wording in the once proposed to-become RFC draft that was to dictate how SFTP URLs work. Due to a bug, the handling of the tilde in SFTP path did however not only replace it when it is used stand-alone as the first path element but also wrongly when used as a mere prefix in the first element,” the advisory says.

“Using a path like /~2/foo when accessing a server using the user dan (with home directory /home/dan) would then quite surprisingly access the file /home/dan2/foo. This can be taken advantage of to circumvent filtering or worse.”

Users should upgrade to version 8.0.0 to protect against these flaws.

Chris Morales, CISO at Netenrich, has held various roles throughout his career before becoming a CISO, including ones advising and designing incident response and threat management programs for enterprise organizations. Morales talks about the skills needed when pursuing the CISO track. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.

Lindsey O’Donnell-Welch: You have had roles around cybersecurity engineering, consulting, sales and research. Talk about the transition of making the jump into the CISO track.

Chris Morales: Yeah, actually, the funny thing is, I had to get out of engineering first. At some point, I was there writing code. And back then, when you're developing, there were no standards, there was no compliance, there were no rules. There was nothing. There was McAfee AV, there was Check Point firewall, and it was all people knew, so we had to innovate. I don't know how it happened, but I naturally had this progression where people started asking me to go start doing a lot of work with customers and spending a lot of time with them. Then I realized I didn't want to be in engineering, and they put me in the field and I was sitting there - we had the fortune of having 80 to 90 percent market share - and I sat there with people like Experian, Qualcomm, Disney, Citibank, and we were like “you need to do intrusion detection,” which is what threat detection is today. We're like, “hey, we built these tools.” I remember sitting there, and there was this guy, William Sun who was an engineer at CoreLogic, who said “this is great. How do I use it?” And I remember sitting there going, “I don't know.” I know that sounds stupid. But I realized that the business process modeling network looks like the secure software development lifecycle. I went and learned it, because I needed to figure out how you use this product. I started writing operational process in 2004 and 2005, so I could sell products that we built. And then I realized when someone on the other side was asking how to use them, I was saying how do you use this? And those were the early days of SOC operational process and incident response process. And then we built the managed service around it. And so I started writing operational processes, and I ended up helping build a SOC for Experian, Qualcomm, Disney; only by right of being there first, and no one else knew what was happening.

Lindsey O’Donnell-Welch: Can you talk a little bit about the challenges around the CISO role?

Chris Morales: I actually got offered the role of CISO several times in the past and I said no. Because for a long time, a CISO was just a fuse box; they were hired so they could be fired when something went wrong. They never had budgets, they never had power, they would hire some really smart technical guy. I have friends who got into it, because they would do penetration testing and assessments. And people would say, "You'd be a great CISO." But they were horrible at the job. Because it was a communication issue. They were never taken seriously. It needed to evolve, and it never evolved, but it finally caught up. We just had a bunch of technical people who were not connected to the business and who were not making real decisions, and no one cared. Now it's become part of the business and it has to, but it's still a struggle.

"Over the last few years manufacturing was looking at Industry 4.0 and the industries that used to be the least technology driven, and the most basic, became actually probably the most technology driven."

Lindsey O’Donnell-Welch: How have these perceptions of CISOs changed over time?

Chris Morales: There are - And I didn't make this up, I'm riffing on it, it's something I read at Forrester some time ago - there are like, at least four different types of CISOs. And that's correlated to the type of companies and their perception. So there's different perceptions, and different maturities in different industries. The ones who have had the longest career, sadly, maybe, in my mind, are the ones that worked in industries that were highly compliance driven, and had to do it. And a lot of CISOs sadly drove a lot of it because finance understands fee penalties - like PCI, HIPAA - and they're like, "Oh, I hired you to make sure I pass compliance." They're very non disruptive. They're very much like, "Oh, you just have to pass compliance."

The problem is they call it chief security officer, but I tell people in my team, "we're just risk advisors." We're not here to remove risk, because the business wants to take risk. They want us to help advise them on how to manage it. What's interesting is that will correlate to a lot of the other stuff about the type of industry and things like that. The big thing is the perception of risk of the company, and the people running it and their appetite for it. A good example of that is when some of the recent ransomware stuff has hit, like JBS [a Brazil-based meatpacking company] who got hit and paid $11 million. They literally did not care at all before that event. They heard “digital” and went, "What do we care? We distribute and supply steaks to grocery stores." Over the last few years manufacturing was looking at Industry 4.0 and the industries that used to be the least technology driven, and the most basic, became actually probably the most technology driven. And they transformed but didn't pay attention, because they still don't understand the nature of the problem. So manufacturing, healthcare, retail. Even hospitals didn't think that way. They all have massive networks of massive amounts of data now. They all get hit bad, and that happened because they didn't actually care before. And it became reality. So I say this, because this is an exact conversation I have with every CTO: I ask them, what do you actually care about? What do you want me to manage for you? What are you afraid of? What's your appetite? What's your paranoia?

So everybody's going to evolve out of mandates and compliance, but they're going to always be bitter about it because they're like, "We're doing this because we have to." But lots of people are becoming hyper aware. Like JBS, I promise you, they never want to spend $11 million in one payment again. Whatever cost you thought that was, they now have a hard number. And so then back to the CFO, the hardest thing for most technologists is mapping that to money. And then they're like, "how am I a business enabler?" You're not, you're a risk advisor, but the company wants to take risks. So you have to ask yourself, it's not about saying no, the question is, how do you let people take more risk? Because risk equals more money. How do you take more risk?

The FBI and German authorities have taken down the infrastructure of one of the more notorious cryptocurrency mixing services on the darkweb, ChipMixer, which authorities allege was a major hub of money laundering activity for organized crime and ransomware groups.

The operation was a joint effort between the FBI, the German Federal Criminal Police Office, and agencies in Belgium, Poland, and Switzerland, along with support from Europol. As part of the operation, authorities seized four servers, 1909 Bitcoins, and seven terabytes of data from the ChipMixer infrastructure. The U.S. also charged Minh Quốc Nguyễn of Vietnam with money laundering and other crimes in connection with the ChipMixer operation.

"Beginning in and around August 2017, as alleged in the complaint, Nguyễn created and operated the online infrastructure used by ChipMixer and promoted ChipMixer’s services online. Nguyễn registered domain names, procured hosting services and paid for the services used to run ChipMixer through the use of identity theft, pseudonyms, and anonymous email providers," the Department of Justice said in a release.

ChipMixer is one of the many platforms that specializes in mixing cryptocurrency assets in such a way that it is much more difficult to trace the transactions and blockchain trail. Ransomware and cybercrime groups rely on mixing services to help turn their stolen or otherwise ill-gotten assets into clean cryptocurrency that they can then turn into hard currency. Authorities allege that ChipMixer laundered about $3.75 billion in assets.

“The ChipMixer software blocked the blockchain trail of the funds, making it attractive for cybercriminals looking to launder illegal proceeds from criminal activities such as drug trafficking, weapons trafficking, ransomware attacks, and payment card fraud. Deposited funds would be turned into “chips” (small tokens with equivalent value), which were then mixed together - thereby anonymising all trails to where the initial funds originated,” a statement from Europol on the operation says.

“The investigation into the criminal service suggests that the platform may have facilitated the laundering of 152 000 Bitcoins (worth roughly EUR 2.73 billion in current estimations) in crypto assets. A large share of this is connected to darkweb markets, ransomware groups, illicit goods trafficking, procurement of child sexual exploitation material, and stolen crypto assets.”

The takedown of ChipMixer is the latest in a series of actions by the United States government against ransomware groups and the broader ecosystem that supports and enables them. In November, U.S. authorities arrested an alleged member of the LockBit ransomware group, in February they sanctioned alleged members of the Trickbot group, and in 2021 indicted two alleged members of the REvil ransomware group and seized $6 million in assets. The U.S. government also has targeted the financial holdings of ransomware operators, seizing millions in ransom payments from several different groups, including a portion of the ransom paid in the Colonial Pipeline attack.

Europol alleges that several ransomware groups, including Zeppelin, SunCrypt, Mamba, Dharma or Lockbit, used ChipMIxer to launder ransom payments.

“This morning, working with partners at home and abroad, the Department of Justice disabled a prolific cryptocurrency mixer, which has fueled ransomware attacks, state-sponsored crypto-heists and darknet purchases across the globe,” said Deputy Attorney General Lisa Monaco. “Today’s coordinated operation reinforces our consistent message: we will use all of our authorities to protect victims and take the fight to our adversaries. Cybercrime seeks to exploit boundaries, but the Department of Justice’s network of alliances transcends borders and enables disruption of the criminal activity that jeopardizes our global cybersecurity.”

There is no shortage of bold and brazen APT groups operating in the interests of the Russian government, and many of them are not too concerned with staying under the radar. But there is a lesser-known team that has been targeting government and private organizations in Ukraine, Poland, and other countries, especially those organizations that are supporting Ukraine in its defense against the Russian invasion.

The group is known as Winter Vivern and was first exposed by researchers at Domain Tools in 2021 when they came across malicious documents used in campaigns targeting organizations in a number of countries, including Lithuania, the Vatican, Italy, Ukraine, and India. Since then, the group has remained relatively unexamined as compared to other APT teams, but researchers from SentinelOne recently uncovered some attacks targeting Ukrainian and Polish organizations, including a telecommunications company.

The campaigns typically use phishing lures that are modified versions of legitimate government documents of particular interest to the intended target. They also sometimes create copies of legitimate government websites to phish for credentials. The targeting is by no means random.

“In early 2023, Winter Vivern targeted specific government websites by creating individual pages on a single malicious domain that closely resembled those of Poland's Central Bureau for Combating Cybercrime, the Ukraine Ministry of Foreign Affairs, and the Security Service of Ukraine,” a new analysis by Tom Hegel of SentinelOne’s SentinelLabs says.

“Looking back at less recent activity, we can see in December 2022 the group likely targeted individuals associated with the Hochuzhit.com (“I Want to Live”) project, the Ukraine government website offering guidance and instructions to Russian and Belarus Armed Forces seeking to voluntarily surrender in the war. In these attacks the threat actor made use of macro-enabled Excel Spreadsheet to infect the target.”

Winter Vivern uses a variety of tools in its operations, including some legitimate Windows utilities. But it also has some of its own malware at its disposal. One tool is known as Aperetif and is disguised as a malware scanner.

“APERETIF is a trojan, automating the collection of victim details, maintaining access, and beaconing outbound the actor controlled domain marakanas[.]com. As with the previous script, the trojan makes use of WHOAMI within PowerShell in its initial activity to beacon outbound for further instructions and/or downloads,” Hegel said.

To deliver Aperetif, Winter Vivern used compromised WordPress sites, but the group also has demonstrated the ability to exploit vulnerabilities for initial access.

“Their ability to lure targets into the attacks, and their targeting of governments and high-value private businesses demonstrate the level of sophistication and strategic intent in their operations. The dynamic set of TTPs and their ability to evade the public eye has made them a formidable force in the cyber domain,” Hegel said.

The SentinelOne researchers said that Winter Vivern may not be one of the noisier APT teams, but it appears to be doing its job, which is supporting the interests of the Russian and Belorussian governments.

“​​Our analysis indicates that Winter Vivern's activities are closely aligned with global objectives that support the interests of Belarus and Russia's governments,” Hegel said.

Microsoft has released fixes for two vulnerabilities that have been exploited in the wild, including a critical bug in Outlook that affects all versions of Outlook for Windows.

That vulnerability was discovered by the Ukrainian CERT and Microsoft said that an attacker based in Russia has exploited the bug in targeted attacks recently.

“Through joint efforts, Microsoft is aware of limited targeted attacks using this vulnerability and initiated communication with the affected customers. Microsoft Threat Intelligence assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe,” Microsoft said in a blog post.

The bug is an elevation of privilege flaw in Outlook related to the way that Outlook handles messages with some specific properties.

“CVE-2023-23397 is a critical EoP vulnerability in Microsoft Outlook that is triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No user interaction is required,” the Microsoft post says.

“The connection to the remote SMB server sends the user’s NTLM negotiation message, which the attacker can then relay for authentication against other systems that support NTLM authentication.”

This vulnerability does not affect Outlook on other platforms or Outlook online.

The second vulnerability (CVE-2023-24880) that has been exploited in the wild is a SmartScreen bypass in Windows that affects Windows 10, 11, and many versions of Windows Server.

“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defenses, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOTW tagging,” the Microsoft advisory says.

Researchers at Google’s Threat Analysis Group discovered the SmartScreen bypass vulnerability and found that cybercriminals were using it to deliver the Magniber ransomware, mainly to victims in Europe.

“The attackers are delivering MSI files signed with an invalid but specially crafted Authenticode signature. The malformed signature causes SmartScreen to return an error that results in bypassing the security warning dialog displayed to users when an untrusted file contains a Mark-of-the-Web (MotW), which indicates a potentially malicious file has been downloaded from the internet,” Benoit Sevens of TAG said in a post.

CC by 2.0 license photo by Web Summit.

For the last nine months, a previously unknown Russian-speaking threat actor has been targeting government, energy, and international organizations in Azerbaijan, Kyrgyzstan, Tajikistan, as well as European countries, with cyberespionage campaigns that employ a range of commodity and custom malware tools.

The campaigns are the work of a group that researchers from Cisco Talos have named YoroTrooper and they have been ongoing since at least June 2022. The threat actor uses phishing as the initial attack vector and tailors the emails and attachments to the specific target organization, setting up either typosquatting or lookalike domains for each target. YoroTrooper has compromised embassies of Turkmenistan and Azerbaijan, and also stole credentials from at least one account in a European health care agency. The group uses RATs and information stealer malware in its campaigns, but also has some custom Python implants in its arsenal.

Although there are some overlaps and links with some existing attack teams, including the PoetRAT group, Talos researchers assess that YoroTrooper is a separate entity running its own operations.

“Espionage is the main motivation for this threat actor, according to the tactics, techniques and procedures (TTPs) we have analyzed. To trick their victims, the threat actor either registers malicious domains and then generates subdomains or registers typo-squatted domains similar to legitimate domains from CIS entities to host malicious artifacts,” Asheer Malhotra and Vitor Ventura of Talos wrote in a post about the YoroTrooper campaigns.

“The initial attack vectors are phishing emails with a file attached, which usually consists of an archive consisting of two files: a shortcut file and a decoy PDF file. The shortcut file is the initial trigger for the infection, while the PDF is the lure to make the infection look legitimate.”

YoroTrooper uses several different tools in its intrusions, including the LodaRAT malware, which has been attributed to the Kasablanka cyber espionage group. LodaRAT is not a publicly available tool, but there are several individual groups using it. YoroTrooper also employs some custom Python malware, including a script designed to steal credentials from Google Chrome and a RAT that can exfiltrate data from a target system.

The typical intrusion begins with a phishing email and an attachment, which usually includes a malicious RAR or ZIP archive that contains an LNK file. The LNKs in turn download a remote HTA file.

“The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands,” the Talos analysis says.

The YoroTropper campaigns first surfaced in June 2022 and have evolved over time, both in terms of victims and tools.

“It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware. This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign,” the Talos post says.

The most recent YoroTrooper campaigns from January and February have targeted organizations in Uzbekistan and the group has evolved its tactics, sometimes deploying a Meterpreter payload or a custom keylogger.

Beginning on March 13, GitHub wil start requiring some form of multifactor authentication for every individual who contributes code on the platform. The change, which has been a year in the making, will happen gradually and start with small groups of developers, but ultimately will include all of the more than 100 million developers who contribute to projects by the end of 2023.

The requirement, announced last May, is part of an effort to prevent account takeovers and by extension protect the integrity of the open source software supply chain. By its nature as the largest software collaboration platform, GitHub is a prime target for attackers looking to take over maintainers' or developers’ accounts. Account takeovers have been an issue for many large platform providers for several years, and inserting malicious code into popular open source projects has become a favorite tactic for attackers. Rather than address the issue piecemeal, GitHub officials decided to move the security of every developer on the platform forward.

“It’s a long-running problem but we also know two-factor adoption is remarkably low, and for us we don’t want to wait any longer. It’s a worthwhile investment from an engineering and documentation standpoint for people to understand why this is important and why it matters. We still see account takeovers by way of social engineering,” said Mike Hanley, GitHub CSO and senior vice president of engineering.

“I don’t think we can make progress fast enough on this as a community.”

The gradual rollout of the 2FA mandate will start will small cohorts on March 13. The developers involved in those groups will get email notifications and see a banner on the site informing them that they have 45 days to enroll in some method of 2FA. GitHub is not mandating a specific form of 2FA, but is strongly recommending that developers use hardware security keys if at all possible, but 2FA apps and SMS also are options.

“There are different levels of security and recommended best practices We want people to adopt the best available form factor and strength that are available to them,” Hanley said.

“We are hoping that others will follow us on this and we felt like it was our responsibility to do this."

“SMS is still pretty prevalent around the world and will be for quite some time. It’s important for us to be available to those developers and give them the best avail security measure. It’s a tradeoff because we all know SMS is fraught, but at the moment we feel like it’s best to make it available for now. There’s an econ barrier to security keys and we don’t want to exclude anyone.”

GitHub has some experience to lean on in this process, having already gone through it with the npm package-management platform that the company bought a few years ago. Takeovers of npm accounts without 2FA enabled were a common issue, so GitHub began rolling out mandatory 2FA use for npm package maintainers in December 2021. That process went smoother than expected, Hanley said, and gave the company the confidence to make the same change on GitHub.

“Publisher and maintainer accounts were very valuable targets for malicious actors because they can pull that package and insert malware. The reaction on npm was to push ahead with 2FA. We anticipated more challenges and were surprised by how few issues came up. There’s never a good time to be interrupted and enroll in this,” Hanley said.

“We learned a lot from what it would take to do that as we’re working our way through the cohorts, but GitHub is different in terms of size and scale.”

GitHub is not alone in pushing its community toward 2FA adoption. Last year, PyPi, the Python project index, began requiring 2FA for the maintainers of critical projects, and RubyGems also requires 2FA for popular projects.

“We are hoping that others will follow us on this and we felt like it was our responsibility to do this,” Hanley said.

A new version of the ubiquitous Apache HTTP Server released Tuesday fixes two important security flaws that can allow an attacker to perform HTTP smuggling attacks against a vulnerable server.

One of the flaws (CVE-2023-27522) is an HTTP response smuggling bug, while the other (CVE-2023-25690) is an HTTP request smuggling vulnerability. The former vulnerability affects versions 2.4.30 through 2.4.55 of the Apache HTTP Server, while the latter affects 2.4.0 through 2.4.55. Both bugs are fixed in version 2.4.56.

For an installation of the Apache HTTP Server to be affected by CVE-2023-26590, the mod_proxy function must be enabled. That module is designed to enable a proxy, cache, or gateway for the Apache server.

“Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution,” the Apache advisory says.

“For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P] ProxyPassReverse /here/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning.”

The second vulnerability also is related to the way that the mod_proxy module behaves.

“HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi.Special characters in the origin response header can truncate/split the response forwarded to the client,” the advisory says.

The Apache HTTP Server is the most widely deployed web server in the world and is used widely in both hosting and enterprise environments. Organizations running vulnerable versions should upgrade as soon as is practicable to protect against these flaws.

European authorities have arrested two alleged members of the core team behind the DoppelPaymer ransomware operation that has targeted organizations in several countries, including Germany, Ukraine, and the United States.

The law enforcement action took place on Feb. 28, and included authority from Germany, Ukraine, the Netherlands, and the U.S. One suspect was arrested in Germany and the second was taken into custody in Ukraine. DoppelPaymer isn’t the most prolific or well-known ransomware operation, but it has done plenty of damage since first came onto the scene about four years ago. The group has hit a variety of organizations, including at least one hospital.

The ransomware itself is related to the older BitPaymer variant and often is seen in intrusions associated with the Emotet malware, which has been a common component of many ransomware attacks.

“This ransomware appeared in 2019, when cybercriminals started using it to launch attacks against organisations and critical infrastructure and industries. Based on the BitPaymer ransomware and part of the Dridex malware family, DoppelPaymer used a unique tool capable of compromising defence mechanisms by terminating the security-related process of the attacked systems,” Europol said in a statement.

“The DoppelPaymer attacks were enabled by the prolific EMOTET malware. The ransomware was distributed through various channels, including phishing and spam emails with attached documents containing malicious code — either JavaScript or VBScript. The criminal group behind this ransomware relied on a double extortion scheme, using a leak website launched by the criminal actors in early 2020.”

The double extortion model–which involves demanding a ransom for decryption of data as well as a separate payment to prevent the release of stolen information–is more and more common now and has proven to be both effective and profitable for many groups.

As part of the operation against the DoppelPaymer suspects, authorities seized computers and other devices, which they are forensically analyzing.

“At the same time, and despite the current extremely difficult security situation that Ukraine is currently facing due to the invasion by Russia, Ukrainian police officers interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group. The Ukrainian officers searched two locations, one in Kiev and one in Kharkiv. During the searches, they seized electronic equipment, which is currently under forensic examination,” Europol said.

Bryan Willett, CISO at Lexmark, talks about why a “silver bullet” doesn’t exist in security and what he describes as a “multi-pronged” approach to building out a security program. Below is a transcribed version of the interview, which is part of a series of conversations by Decipher with CISOs across the security industry.

Lindsey O’Donnell-Welch: How did you get into cybersecurity from the start and specifically into this CISO role?

Bryan Willett: I have an electrical engineering degree, I started in the industry as a firmware developer, I had that role for about four or five years, and quickly got into management. Around 2008, I took a role within product development as the network and security manager. So I managed a team that handled both networking on our firmware and security on our firmware, which took me down interesting paths that I had not been down before; everything from dealing with ISO committees to certifications on products to a very focused effort on hardening of products, building out the security development lifecycle. So [looking at] how you teach developers how to develop something securely, and how do you keep that top of mind for them, as well as owning product roadmaps around security. I did that for a while. And one of the things that became sort of an accidental responsibility was really answering customer request-for-pricing type questions; they came in with extensive questions around security and the posture of the organization. And owning that, I realized that there were concerns coming up from customers that were much broader than just the product. It was focused on the holistic environment of the corporation, and the risks that the corporation could present to a product that the customer was buying. And through that, I realized that we needed to go and look at ways to have third parties help, to some extent, attest that Lexmark had the right processes and controls in place to protect the product. So from that, we went off and looked at several paths, we chose going down ISO 27001 as a path, and I was leading that within my development product security manager role. Right around the time that I really started to pick that up, our CIO at the time realized that he needed to make a bigger investment in security within the IT organization, and he opened a position for a head of security. And I interviewed for it. And we both agreed it needed to be a CISO role. And so we established it as the CISO office and started developing an overall program around securing our IT infrastructure. But then that quickly expanded beyond just securing IT infrastructure, it still had tentacles back into product security, it got into supply-chain security, and it ended up taking on a much broader role as well with a customer facing role, in talking with our customers regularly about our security program, and in bridging much of what I just described to you, how the security program leads to delivering secure products.

Lindsey O’Donnell-Welch: Can you talk about some of the top challenges that you've faced as a CISO?

Bryan Willett: Probably the first one I would say is gaining user confidence in your program. But let's go back to when I first started in this, I was really working on changing the culture of the organization as a whole, the corporation as a whole, in terms of security and what people should and shouldn't do on their workstations and what they even have the permissions to do. You're only going to be successful doing that, if you've gained the confidence of your user base. And I did that through a lot of town halls, a lot of department meetings, senior staff meetings, to help them understand what the risks are, what we're doing and why we're doing it. So that's probably first and foremost. The second part would be that you have to recognize that risk is throughout your organization. And you cannot solely view that this role is an IT system role only. You have partners throughout the business who are - well, I say partners, friends of IT, right - business areas who are developing business applications, I have R&D organizations that are developing products and SAS offerings, and I have salespeople out there who are trying to do anything they can to satisfy a customer. All of those more than likely involve data or services or something moving around that requires some eyes on it from a security lens. And building the relationships with those business areas, such that they are ready to engage you as they start on new projects and seek your team's input and incorporate that input into their process, that is an ongoing effort, it is not a one time and forget. You're constantly having to do that.

“Building the relationships with those business areas, such that they are ready to engage you as they start on new projects… that is an ongoing effort.”

Lindsey O’Donnell-Welch: As part of this “ongoing effort” of building a security culture in a business, what are the first steps there and who needs to be involved?

Bryan Willett: I think it's a multi-pronged approach there. So first is, of course, myself and my team getting out there and being visible to the business. I think it's important that we are transparent to the business and helping them understand what we're seeing, so it explains why we're doing what we're doing, but also to raise awareness. I also think it's important to do things like phish testing with your employees, helping them realize that the attacker, that person phishing your organization, can be extremely crafty, and giving them snippets of what that feels like. I think that's important for them to live it firsthand and realize, "oh, man, you got me, you got me." But thankfully, I got them with a test. And they can recognize that they need to be more aware. So the next part is trying to build champions out in the community. And I approach that in multiple ways. We have things like lunch and learns, where we invite people who are interested to come in and talk on topics. But secondly, my hiring approach is one where I try to find people who have an interest in security that are from areas of the business, bring them into my team to actually work within the business or the security practice, let them have that role for a couple of years, so they can gain the experience and understand our perspective, but then for their own career development, send them on out, get them back into the business and let them become advocates for us within the business.

Lindsey O’Donnell-Welch: What are some of the top challenges that businesses are facing currently when it comes to cybersecurity?

Bryan Willett: The attackers are getting better. We've all heard it, the fact that many of the attack tools have become either open source or as a service, that just enhances the ability of - I don't want to say lay people - but people with less skills that can now quickly get into the hacking business. So that's one part of it. The second part is, I'm going to say the economy. So when we look at the economy, there is a headwind coming in for a lot of companies right now in terms of revenue, which results in expense challenges. And so a lot of organizations are going to have to look carefully at where they're spending their expense funding they have available, and making sure that is in the most impactful areas for the risks that are present to that organization. And then talent. Getting good talent is hard. We have taken a bit of a hybrid approach. And you've heard me describe it a little before, of getting people out of the business and bringing them up into the security space and raising their security IQ, but also finding people external who have high IQ, bringing them in so that they can they can help; one, with our mission, but two, help with that broader security IQ in the organization.

“In reality, if you focus on those fundamentals, you're going to be in a much better position than spending all your money on the latest amazing tool.”

Lindsey O’Donnell-Welch: In your experience, how have you seen the CISO job change over time, either in responsibilities or in relationships with others across the organization?

Bryan Willett: I remember the conversation very, very clearly, when I first was considering taking this role, I had a conversation with the vice president of R&D, because I owned product security at the time, and I still wanted some influence, but I was going into an IT security role. And he very clearly said, “you're going into IT security, you don't own product security when you take that role.” What I have seen evolve from that mentality, though, is a recognition that security risk is much broader than that. And I hit on it earlier, that if an attacker gained access to my environment, they have the potential for getting into our products, getting into our source code and manipulating that, or they have the potential of getting into maybe our manufacturing process and manipulating that. And when you start to look at that overall risk matrix or perspective, you realize that it's not just the data, it's also the potential collateral damage that could happen if somebody got in your environment, and you have to holistically look across all areas of the business. So that's probably the first is, as a CISO, if you're limiting yourself to just IT security and your aperture isn't wider than that, you're setting yourself up for a tough day in the future. So that's one. Two, and I hit on this a little bit earlier, but supply-chain security is becoming huge. It is a huge concern for anybody buying software or hardware. And it's important for an organization to have a champion somewhere that is driving that mission forward. For me, I found it important that we do that, we being the security organization. The reason that we took that banner and ran with it is we're probably in the best position looking both at third-party risk, because we look at that regularly. We also work with customers on their concerns around security, and holistically looking between that and the certifications we have to get anywhere in our products, we were well positioned to start looking into the supply-chain side, and where are the risks both on the development side, and the manufacturing and then the logistics side of delivering a product. So that was a key area. The third area for me would be that as a CISO, it started as a very technical role, it really was someone who was an IT practitioner who got elevated into a CISO type title. Where I see it going, though, is definitely someone with a lot more business acumen, understanding what the business strategy is, understanding what the security organization's impact on that strategy could be, and figuring out how to be an enabler for that. I see that as being a big part of the security role in the future.

Lindsey O’Donnell-Welch: What top security advice would you have for organizations?

Bryan Willett: First and foremost would be focusing on just fundamental security hygiene, cyber hygiene. If you look at something like the CIS 18 framework, they do a very nice job of laying out what your priorities in an organization should be in order to further better secure your environment. And they've done such a nice job that when you go look at your fundamental cyber hygiene, you should really be prioritizing those in order. You need to know what assets are on your network, you need to make sure that you have developed hardening standards for those, you need to measure that, you are compliant to those hardening standards. You need to be able to patch those systems, you need to be able to monitor those systems, you need to be able to manage identity. So many times, I think individuals or organizations think there's a silver bullet out there to solve all your security problems. In reality, if you focus on those fundamentals, you're going to be in a much better position than spending all your money on the latest amazing tool.

The attacker who gained access to the LastPass cloud storage service last year and made off with some customer data gained initial access to the company’s systems after compromising an engineer’s home machine and stealing the employee’s company credentials, access the LastPass vault, and eventually gain access to the keys for Amazon S3 buckets that stored customer data and encrypted vault data.

The path that the attacker took to that destination is not a typical one, and it highlights an issue that has faced corporate security teams for many years: employees accessing sensitive corporate resources from personal machines. The shift to remote work for more people since 2020 has exacerbated the problem, but it’s one that IT and security organizations have been wrestling with for the better part of two decades and employees’ home machines and networks aren’t always included in corporate threat models.

In the case of the LastPass incident, there are a lot of moving parts and the operation that eventually led to the compromise of the S3 credentials and access to customer data and backups comprised two distinct intrusions. In the first incident, the attacker compromised a developer’s account and was able to steal some LastPass source code and other data. The company’s security team ejected the attacker from the network on Aug. 12, but the attacker immediately began a separate operation focused on performing reconnaissance and exfiltration of more data.

In the second operation, the attacker was able to use some of the information stolen previously to identify the LastPass Amazon cloud storage environment and begin stealing data. In order to accomplish that, the attacker needed to get the decryption keys for the encrypted credentials stolen previously.

“Due to the security controls protecting and securing the on-premises data center installations of LastPass production, the threat actor targeted one of the four DevOps engineers who had access to the decryption keys needed to access the cloud storage service,” LastPass said in an update on Monday.

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.”

“This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package."

This attack path is not simple or direct, but the idea of an attacker targeting a privileged employee’s personal accounts or devices as a way into a corporate network is far from novel. It’s a time-worn technique and often a successful one, though the ways in which attackers use it have evolved over time. Social media has made life much easier for attackers looking to gather information about a target company’s employees, their interests, locations, and personal lives, which then can be used in social engineering attacks or other operations. And if an attacker is able to compromise a personal device that a privileged employee uses for work purposes, it can be especially difficult to deal with, as the personal device may not have corporate monitoring or detection capabilities enabled.

On the corporate side, detection also can be difficult if the attacker has valid credentials and is performing tasks that aren’t completely abnormal for the compromised account.

“Alerting and logging was enabled during these events, but did not immediately indicate the anomalous behavior that became clearer in retrospect during the investigation. Specifically, the threat actor was able to leverage valid credentials stolen from a senior DevOps engineer to access a shared cloud-storage environment, which initially made it difficult for investigators to differentiate between threat actor activity and ongoing legitimate activity,” LastPass said.

“Ultimately AWS GuardDuty Alerts informed us of anomalous behavior as the threat actor attempted to use Cloud Identity and Access Management (IAM) roles to perform unauthorized activity.”

As part of the intrusion, the attacker also was able to steal one of the two parts of the 256-bit hidden master passwords used by organizations that integrate LastPass with an identity provider. In those implementations, one component of that secret, known as K1, is stored in the organization’s identity provider, while the other part, known as K2, is stored by LastPass in its production database.

“The K2 component was exfiltrated by the threat actor as it was stored in the encrypted backups of the LastPass MFA/Federation Database for which the threat actor had decryption keys,” LastPass said in a support article.

Enterprises that use LastPass in this way may need to change the K1 and K2 components of the organization-wide master password.

The technology market has evolved in such a way over the last few decades that not only is a certain level of defects in software and hardware accepted, it’s expected, and the responsibility for using those technologies safely and compensating for those flaws has somehow landed on customers. Jen Easterly wants to change that. Now.

"We’ve normalized the fact that technology products are released to market with hundreds or thousands of defects when that would be unacceptable in any other industry. We’ve normalized the fact that security is relegated to IT people or the CISO in enterprises, but few have the ability to incentivize the changes that would help,” Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), said during a speech at Carnegie Mellon University Monday.

“This pattern of ignoring increasingly severe problems is a signal of the normalization of deviant behaviors. Collectively, we’ve become accustomed to a deviance of what we’d all think would be a norm for manufacturers, which is to create a safe product.”

The problem is essentially twofold. The first part is that, despite decades of research and warnings from software security experts, many technology providers do not have the practices and norms in place to develop products securely from the beginning. The premium often is on time-to-market and adding features, which can push security and reliability concerns much farther down the priority list, especially if they’re seen as obstacles to meeting deadlines or ship dates. Part of this also comes from the lack of formal education many developers have in secure coding practices, an issue that has been of concern for many years.

"We need security designed in from the beginning, right out of the box, without added cost. Memory safe language, secure coding practices, the attributes of secure coding by design will evolve over time,” Easterly said.

“Strong security has to be a standard feature of virtually every technology product. The fact that we’ve accepted a monthly patch Tuesday as normal is more evidence of our acceptance of operating at the accident boundary.”

Building security in from the earliest stages of the product development lifecycle is a simple idea, but it’s not easy to execute and requires considerable investment from the company in terms of both time and resources. Many large technology companies have formal secure software development life cycle (SDLC) programs that define processes for making security a core part of the product development process, but that’s not the norm for even mid-tier technology providers, let alone small companies. Finding developers and engineers with secure coding and development training is not a simple matter, nor is preventing the introduction of vulnerabilities into code in the first place.

“We must applaud and encourage progress while recognizing the need to do more. This threat environment is only getting more and more complex."

That’s where the shift to developing in memory safe languages–those that can prevent common memory safety vulnerabilities–comes in. Moving to languages such as Rust, Go, and others that are considered memory safe can make a big difference in the security of software.

“We need to make memory safe languages ubiquitous in colleges globally. Make a security course a graduation requirement, make it part of every class,” Easterly said.

The second part of the problem, which in many ways derives from the first, is that much of the responsibility for addressing security problems in software and hardware falls on customers and consumers. A security vulnerability that leads to a compromise of a system or a breach of an organization often is seen as the fault of the person or organization using the product, rather than that of the manufacturer.

“We find ourselves blaming the user for failures of technology. Manufacturers are using us, the users, as crash test dummies and the situation isn’t sustainable. We need a new model in which responsibility for technology safety is shared based upon an organization’s ability to bear the burden. A model that emphasizes collaboration as a prerequisite for self preservation and a recognition that a cyber threat to one organization is a safety threat to all organizations,” Easterly said.

“This would begin with tech products that put the safety of the customer first, rebalancing risk onto organizations like major tech manufacturers much more suited to managing cyber risks.”

Addressing these issues requires a long-term approach and not simply a new set of regulations or industry standards. Easterly said it will require the leaders of technology companies to focus explicitly on building safer products, provide transparency into their development and manufacturing processes, and an understanding that the burden of safety should not fall solely (or even mainly) on customers. Part of that transparency commitment should be the use of software bills of materials (SBOM) to provide insight into what components and libraries a given product includes, she said.

“We must applaud and encourage progress while recognizing the need to do more. This threat environment is only getting more and more complex,” Easterly said.

Researchers have found a new payload delivered by the Wslink malware downloader and say that it is possibly part of the cache of tools maintained and deployed by the Lazarus Group attack that is aligned with the government of North Korea.

In 2021, ESET researchers discovered the Wslink loader, which has a couple of unique characteristics, most notably its ability to run as a server rather than as a client. Like other loaders, Wslink serves as a way for the actors who deploy it to download and install other pieces of malware or tools onto a compromised machine. At the time that ESET analyzed the loader, the researchers were not able to find the payload that Wslink delivered, but they recently identified a payload, which they call WinorDLL64.

The payload was found on a handful of victim machines in locations that the Lazarus Group has targeted in its past operations, including Europe and North America. There also are some overlaps in the code of WinorDLL and other samples used by the Lazarus Group, including Bankshot and GhostSecret. The ESET researchers identified some behavioral similarities with known Lazarus Group tools, as well, but were not definitive in their opinion that WinorDLL is deployed by the group.

In terms of its functionality, the newly found payload is not exotic but is effective nonetheless.

“WinorDLL64 serves as a backdoor that most notably acquires extensive system information, provides means for file manipulation, and executes additional commands. Interestingly, it communicates over a TCP connection that was already established by its loader and uses some of the loader’s functions,” Vladislav Hrčka of ESET said in a new analysis of the payload.

“The backdoor is a DLL with a single unnamed export that accepts one parameter – a structure for communication. The structure contains a TLS-context – socket, key, IV – and callbacks for sending and receiving messages encrypted with 256-bit AES-CBC that enable WinorDLL64 to exchange data securely with the operator over an already established connection.”

The WinorDLL payload is designed to accept a few commands, such as executing a Powershell command, compressing and downloading a directory, creating or killing a process, gathering system information, or listing files in a directory.

The Lazarus Group is a tenacious and prolific attack team that is closely aligned with the interests of the North Korean government and has conducted some very large operations in the past. The group maintains a large arsenal of custom tools and malware that it deploys as needed.

“Wslink’s payload is dedicated to providing means for file manipulation, execution of further code, and obtaining extensive information about the underlying system that possibly can be leveraged later for lateral movement, due to specific interest in network sessions. The Wslink loader listens on a port specified in the configuration and can serve additional connecting clients, and even load various payloads,” Hrčka said. “WinorDLL64 contains an overlap in the development environment, behavior, and code with several Lazarus samples, which indicates that it might be a tool from the vast arsenal of this North-Korea aligned APT group.”

While many successful attack campaigns employ custom malware and tools, sometimes those aren’t necessary and simple, freely available tools are all that’s needed to get the job done. A recently uncovered campaign that has targeted organizations in Asia in the medical and shipping industries has shown highly targeted lures and time-tested techniques still work.

The campaign began in October 2022 and researchers at Symantec found that the attackers deployed a range of phishing lure documents tailored to each victim organization and used a range of open source and other freely available tools to gather intelligence on target networks and maintain persistence. The attackers, which Symantec named Hydrochasma, did not appear to steal any data from the victim networks, but may be laying the groundwork for that down the road.

“The tools deployed by Hydrochasma indicate a desire to achieve persistent and stealthy access to victim machines, as well as an effort to escalate privileges and spread laterally across victim networks,” a new analysis of the campaign published Wednesday says.

“While Symantec researchers didn’t observe data being exfiltrated from victim machines, some of the tools deployed by Hydrochasma do allow for remote access and could potentially be used to exfiltrate data. The sectors targeted also point towards the motivation behind this attack being intelligence gathering.”

The start of the intrusions appear to be targeted phishing emails with lure documents attached that have subject lines designed to be relevant for the victims, such as engineering candidate resumes or product specifications. In one instance, the attackers installed the Fast Reverse Proxy tool on a compromised machine, and then eventually installed the Meterpreter payload from the Metasploit framework. Meterpreter is used for persistence and allows the attackers to execute remote commands.

The Hydrochasma attackers also use a variety of other common tools in this campaign, including Cobalt Strike beacons, the Procdump Sysinternals tool, the BrowserGhost password dumping tool, and various proxies and VPNs.

“The lack of custom malware used in this attack is also notable. Relying exclusively on living-off- the-land and publicly available tools can help make an attack stealthier, while also making attribution more difficult. Symantec did not see evidence to link this activity to a known actor, prompting us to create the new actor identity of Hydrochasma for those behind this activity,” the Symantec researchers said.

UPDATE--Fortinet has released a fix for a critical vulnerability in many versions of its FortiNAC product that can allow an attacker to execute arbitrary code with root privileges.

The flaw (CVE-2022-39952) lies specifically in the web server in the FortiNAC system and a remote attacker could exploit it to gain control of the file name and path on the server. Researchers at Horizon3 have released a proof-of-concept exploit for the bug, which specifically affects the keyUpload servlet.

Researchers at Shadowserver have seen exploit attempts against this vulnerability in the last couple of days.

“Examining the contents of keyUpload.jsp, we see that the unauthenticated endpoint will parse requests that supply a file in the key parameter, and if found, write it to /bsc/campusMgr/config.applianceKey. After successfully writing the file, a call to Runtime().Exec() executes a bash script located at /bsc/campusMgr/bin/configApplianceXml,” Zach Hanley of Horizon3 said in an analysis of the flaw.

“Just before the call to unzip, the bash script calls cd /. Unzip will allow placing files in any paths as long as they do not traverse above the current working directory. Because the working directory is /, the call unzip inside the bash script allows any arbitrary file to be written.”

The bug affects the following versions of the FortiNAC appliance software: 9.4.0, 9.2.0 through 9.2.5, 9.1.0 through 9.1.7, 8.8, 8.7, 8.6, 8.5, and 8.3.

“Similar to the weaponization of previous archive vulnerability issues that allow arbitrary file write, we use this vulnerability to write a cron job to /etc/cron.d/payload. This cron job gets triggered every minute and initiates a reverse shell to the attacker,” Hanley said.

“We first create a zip that contains a file and specify the path we want it extracted. Then, we send the malicious zip file to the vulnerable endpoint in the key field. Within a minute, we get a reverse shell as the root user.”

The fixed versions of FortiNAC are 9.4.1, 9.2.6, 9.1.8, and 7.2.0.

This story was updated on Feb. 23 to add information about exploit attempts.

A new version of the ClamAV malware scanner released this week fixes a critical remote code execution vulnerability that an attacker can exploit without any authentication.

The vulnerability (CVE-2023-20032) affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier of the ClamAV scanning engine and is patched in version 1.0.1.

“This vulnerability is due to a missing buffer size check that may result in a heap buffer overflow write. An attacker could exploit this vulnerability by submitting a crafted HFS+ partition file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the ClamAV scanning process, or else crash the process, resulting in a denial of service (DoS) condition,” the advisory from Cisco, which owns ClamAV, says.

The new version also includes a fix for a less-serious information leak vulnerability (CVE-2023-20052) that affects the same versions as the RCE bug.

“This vulnerability is due to enabling XML entity substitution that may result in XML external entity injection. An attacker could exploit this vulnerability by submitting a crafted DMG file to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to leak bytes from any file that may be read by the ClamAV scanning process,” the advisory says.

Both vulnerabilities affect a handful of versions of the Cisco Secure Endpoint. The fixed releases are version 1.20.2 for Linux, version 1.21.1 for Mac, and version 7.5.9 and 8.1.5 for Windows. The RCE flaw also affects the Secure Web Appliance and is fixed in version 14.0.4-005 and 15.0.0-254.