Decipher (https://decipher.sc)

Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Published Fri, 09 Apr 2021 00:00:00 -0400. Contact: info@decipher.sc (Amy Vazquez). Copyright 2021.

IcedID Trojan Finding New Ways to Slip Past Defenses
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/icedid-trojan-finding-new-ways-to-slip-past-defenses, Fri, 09 Apr 2021 00:00:00 -0400

Since the takedown of the Emotet malware operation in January by law enforcement agencies, security researchers have watched the malware landscape closely, wondering if another trojan would take up the slack. It appears that IcedID is making an effort to fill the void Emotet left, using rigged Excel spreadsheets as the delivery mechanism in a campaign that has been ongoing since the beginning of the year.

IcedID is not a new entrant on the malware scene by any means. It’s been in circulation for several years and in the past it has been part of the extended Emotet universe. Emotet often was used as an installer and conduit for other malware attacks, and in some campaigns attackers would use it to install IcedID after the initial infection. Like other banking trojans, IcedID mainly exists to gather credentials for banking sites and other targeted sites that the attackers can then use. There are a number of different versions of the malware and IcedID has numerous capabilities, including process injection and process hooking, and it has been used by several high-level cybercrime groups in the last few years.

Recently, researchers at Uptycs, a security analytics firm, have seen a large volume of malicious Microsoft Excel sheets that contain hidden malicious code that, when triggered through a macro, will eventually lead to a download of IcedID. Since Jan. 1, the Uptycs researchers identified more than 15,000 HTTP requests to the IcedID command-and-control servers from more than 4,000 of the malicious spreadsheets. The Excel files typically have a name designed to entice victims to open them, including words such as “claim”, “overdue”, or “refusal”.

"We believe that IcedID will emerge as an incarnation of Emotet, moving towards a Malware-as-a-Service."

Victims who do open the files will see a screen instructing them to enable macros in order to see the full contents of the sheet. When macros are enabled, the malicious formula embedded in the sheet will execute. The malware authors have used several different techniques to hide the formula itself, including writing in white type on the white background.

“The macros which are distributed across various cells download three DLL files with the .dat extension from the command-and-control (C2) servers to “C:\Users\Admin” - Hodas.vyur, Hodas.vyur1 and Hodas.vyur2. These DLL files are executed using - "rundll32 DllName, DllRegisterServer",” an analysis of the campaign by Uptycs researchers Ashwin Vamshi and Abhijit Mohanta says.

“The IcedID loader then retrieves information about the victim PC and sends it over the C2 server in an encoded form.”
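As an added illustration of the defender's side of the technique described above (example code written for this page, not Uptycs' or Decipher's code, and not derived from any real sample), the script below constructs a minimal workbook in memory that mimics the lure, a visible sheet plus a very-hidden Excel 4.0 macro sheet whose cells use a white font, and then triages it using only the Python standard library by reading the OOXML package parts. The sheet names, placeholder formula text, colours and part layout are constructed; the macro-sheet content type, the `state` attribute on `<sheet>` and the styles.xml structure are standard OOXML.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces and the content type Excel uses for Excel 4.0 macro sheets.
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"


def _tag(name, ns=MAIN_NS):
    return "{%s}%s" % (ns, name)


def build_sample(with_macro):
    """Construct a minimal workbook in memory (constructed sample, not a real lure)."""
    sheets = ['<sheet name="Invoice" sheetId="1" r:id="rId1"/>']
    overrides = [
        '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>',
        '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>',
    ]
    if with_macro:
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        overrides.append('<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="%s"/>' % MACROSHEET_CT)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", '<Types xmlns="%s">%s</Types>' % (CT_NS, "".join(overrides)))
        zf.writestr("xl/workbook.xml", '<workbook xmlns="%s" xmlns:r="%s"><sheets>%s</sheets></workbook>' % (MAIN_NS, REL_NS, "".join(sheets)))
        # Style index 0 = black font, style index 1 = white font (the "white on white" trick).
        zf.writestr("xl/styles.xml", '<styleSheet xmlns="%s"><fonts><font><color rgb="FF000000"/></font><font><color rgb="FFFFFFFF"/></font></fonts><cellXfs><xf fontId="0"/><xf fontId="1"/></cellXfs></styleSheet>' % MAIN_NS)
        zf.writestr("xl/worksheets/sheet1.xml", '<worksheet xmlns="%s"><sheetData><row r="1"><c r="A1" s="0" t="str"><v>Enable content to view this document</v></c></row></sheetData></worksheet>' % MAIN_NS)
        if with_macro:
            # Placeholder formulas; a real lure would carry Excel 4.0 macro functions here.
            zf.writestr("xl/macrosheets/sheet1.xml", '<macrosheet xmlns="%s"><sheetData><row r="1"><c r="A1" s="1"><f>PLACEHOLDER()</f></c><c r="B1" s="1"><f>PLACEHOLDER()</f></c></row></sheetData></macrosheet>' % MAIN_NS)
    return buf.getvalue()


def _white_style_indexes(zf):
    """Return the cellXfs indexes whose font colour is white (ARGB ending FFFFFF)."""
    try:
        styles = ET.fromstring(zf.read("xl/styles.xml"))
    except KeyError:
        return set()
    fonts_el = styles.find(_tag("fonts"))
    xfs_el = styles.find(_tag("cellXfs"))
    if fonts_el is None or xfs_el is None:
        return set()
    white_fonts = set()
    for i, font in enumerate(fonts_el.findall(_tag("font"))):
        color = font.find(_tag("color"))
        if color is not None and (color.get("rgb") or "").upper().endswith("FFFFFF"):
            white_fonts.add(i)
    return {i for i, xf in enumerate(xfs_el.findall(_tag("xf")))
            if int(xf.get("fontId", "0")) in white_fonts}


def triage_workbook(data):
    """Flag macro sheets, non-visible sheets and white-font cells inside macro sheets."""
    findings = {"macrosheets": [], "hidden_sheets": [], "white_font_cells": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Macro sheets are declared by content type in [Content_Types].xml.
        ct = ET.fromstring(zf.read("[Content_Types].xml"))
        for ov in ct.iter(_tag("Override", CT_NS)):
            if ov.get("ContentType") == MACROSHEET_CT:
                findings["macrosheets"].append(ov.get("PartName"))
        # Sheets hidden from the user carry state="hidden" or "veryHidden".
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        for sh in wb.iter(_tag("sheet")):
            state = sh.get("state", "visible")
            if state != "visible":
                findings["hidden_sheets"].append((sh.get("name"), state))
        white = _white_style_indexes(zf)
        for part in findings["macrosheets"]:
            sheet = ET.fromstring(zf.read(part.lstrip("/")))
            findings["white_font_cells"] += sum(
                1 for c in sheet.iter(_tag("c")) if int(c.get("s", "0")) in white)
    findings["suspicious"] = bool(findings["macrosheets"]) or any(
        state == "veryHidden" for _, state in findings["hidden_sheets"])
    return findings


if __name__ == "__main__":
    for label, flag in (("benign", False), ("lure", True)):
        print(label, triage_workbook(build_sample(flag)))
```

Any macro sheet at all is worth a look in mail-gateway triage; a veryHidden sheet (a state that cannot be unhidden from Excel's UI) combined with white-font cells is the pattern the campaign above relies on. The check reads package metadata only and never evaluates the formulas.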

In a separate campaign identified by Microsoft, attackers are using emails generated by the contact forms on company websites to send links to Google sites that ask victims to sign in with their Google credentials. Once that's done, the site will download a zip file that includes code that will eventually download IcedID.

"In this campaign, we tracked that the malicious email that arrives in the recipient’s inbox from the contact form query appears trustworthy as it was sent from trusted email marketing systems, further confirming its legitimacy while evading detection. As the emails are originating from the recipient’s own contact form on their website, the email templates match what they would expect from an actual customer interaction or inquiry," Microsoft's 365 Defender Threat Intelligence Team said.

As attackers fill out and submit the web-based form, an email message is generated to the associated contact form recipient or targeted enterprise, containing the attacker-generated message. The message uses strong and urgent language (“Download it right now and check this out for yourself”), and pressures the recipient to act immediately, ultimately compelling recipients to click the links to avoid supposed legal action.

This campaign uses the threat of legal action, along with a legitimate Google URL, to add urgency and legitimacy to the messages.

In the past, IcedID has mainly been used in campaigns targeting victims in North America, and it has functioned as a banking trojan. Although it has some connections to other pieces of malware, it has not typically functioned as a dropper, as Emotet did. Emotet would often install either IcedID or Trickbot and it was also used as a conduit for the Ryuk ransomware. But with Emotet off the board, IcedID could be primed to make an entry into the malware-as-a-service realm.

“Given our recent observations, we believe that IcedID will emerge as an incarnation of Emotet, moving towards a Malware-as-a-Service (MaaS) model to distribute malware,” Vamshi and Mohanta said.

Iron Tiger APT Updates Toolkit in 18-Month Malware Campaign
By Lindsey O’Donnell-Welch (lodonnellwelch@decipher.sc), https://duo.com/decipher/iron-tiger-apt-updates-toolkit-in-18-month-malware-attack, Fri, 09 Apr 2021 00:00:00 -0400

The Iron Tiger threat group has upgraded its toolkit, as seen in an 18-month campaign by the advanced persistent threat (APT) actor targeting a gambling company in the Philippines.

The incident sheds light on the recent evolution of Iron Tiger (also known as LuckyMouse, Emissary Panda and APT27), which is a Chinese cyberespionage threat group that has been active since 2010. A new Trend Micro report found that over time, Iron Tiger has updated its toolkit to include a new method for launching its malware, and has also adopted a new rootkit used for hiding backdoors.

The threat actors “are able to quickly pivot and change techniques despite existing network defenses,” said Jamz Yaneza, research manager at Trend Micro. “They can update their tools or even modify quickly, which means tracking and detecting these modifications within the organization can be difficult.”

The attack on the unnamed company is part of an overarching campaign against gambling companies first uncovered in 2019, after an incident response operation was conducted by Talent-Jump, Inc. The company contacted Trend Micro researchers, who conducted further malware analysis and called the campaign “Operation DRBControl.”

Trend Micro’s Friday report linked the Iron Tiger threat group to the attack: “After finding multiple tools belonging to the Iron Tiger threat actor, it is likely that the new malware families that we found during the Operation DRBControl investigation came from the same threat actor,” they said.

Trend Micro researchers said that since they did not perform the incident response themselves, they were not in a position to analyze exactly how cybercriminals gained initial access - and obtained persistence for so long.

“However, it is likely the attacker kept some accesses after the initial compromise,” said Daniel Lunghi, threat researcher at Trend Micro. “One option is that they used credentials they dumped during the first compromise, or that they found in the recorded keystrokes. Another possibility is that they exploited vulnerabilities to come back.”

While researchers could not confirm the primary infection vector for this attack, Iron Tiger has previously relied on watering hole attacks, as well as weaponized documents (exploiting the Equation Editor flaw CVE-2018-0798, for instance), to gain a foothold on systems. It has also been observed targeting vulnerabilities including a Microsoft SharePoint flaw, CVE-2019-0604, and the Microsoft Exchange Server flaws CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

“This is a unique industry with a constant large cash flow. Huge sums of money and different financial transfer schemes... give more opportunity for abuse.”

Further investigation into the attack revealed how Iron Tiger has upgraded its toolset over time. As part of the initial incident response, researchers discovered the threat group utilizing the HyperBro malware, a remote access trojan (RAT) used to gain access to infected systems. It also utilized a rootkit called Pandora, which performs backdoor functions.

More recently, researchers observed the threat group in December utilizing the SysUpdate malware sample as part of the attack. This malware, which was previously discovered and linked to Iron Tiger by researchers in 2018, has remote access capabilities such as managing files and processes, launching a command shell, interacting with services, taking screenshots, and uploading and downloading additional malware payloads.

Previously, the malware variant utilized by Iron Tiger was loaded by a known process, involving three files. These included a legitimate executable, a malicious dynamic-link library (DLL) file loaded by the executable, and a binary file that contained obfuscated code.

The attack on the gambling company revealed a new process, in which SysUpdate was loaded using five files in its infection routine. In this process, shellcode decompressed and loaded a launcher in memory. The launcher then decoded two encrypted files: one (data.res) containing two SysUpdate versions, and another (config.res) containing the SysUpdate configuration, such as the command-and-control (C2) server address.

Researchers said this update is “a smart move on the attacker’s side” in terms of obfuscation, as it splits information between various different files, making it harder to extract and analyze the malware.

In April 2020, researchers also found Iron Tiger making new use of a rootkit to hide its backdoors. The rootkit was taken from a public GitHub repository and was used to hide processes, files and services.

Beyond this particular attack, researchers said Iron Tiger has expanded its target base to include other industries - including governments, banks, telecommunication providers and the energy sector - in different countries in the Middle East and Southeast Asia over the past 18 months.

However, the gambling sector has proved to be lucrative for threat groups in general, researchers said, because “quite simply, it’s where the money is.” A multitude of cyberattacks have hit gambling companies and casinos over the past year, including ones in October against two casinos in Idaho that led to their temporary shutdown. Southeast Asia, in particular, has a strong gambling economy because of overall population growth and "a general propensity for gambling," making it an opportune target for threat actors, researchers said.

“This is a unique industry with a constant large cash flow,” said Yaneza. “Huge sums of money and different financial transfer schemes... give more opportunity for abuse.”

Attackers Target European Industrial Firms With Cring Ransomware
By Lindsey O’Donnell-Welch (lodonnellwelch@decipher.sc), https://duo.com/decipher/attackers-target-european-industrial-firms-with-cring-ransomware, Thu, 08 Apr 2021 00:00:00 -0400

Cybercriminals are targeting unsecured Fortinet VPN servers in order to infect European industrial organizations with a new family of ransomware, called Cring.

While the Swisscom Computer Security Incident Response Team (CSIRT) previously warned in January of the Cring ransomware being deployed by human-operated actors, at the time it was unclear how the ransomware initially infected organizations’ networks. Research from Kaspersky released this week now points to cybercriminals exploiting a flaw in Fortinet’s Fortigate VPN servers in order to then deploy the ransomware.

“Victims of these attacks include industrial enterprises in European countries,” Vyacheslav Kopeytsev, senior security researcher with Kaspersky, said. “At least in one case, an attack of the ransomware resulted in a temporary shutdown of the industrial process due to servers used to control the industrial process becoming encrypted.”

While conducting an incident investigation on two facilities that were successfully attacked, Kaspersky researchers found that cybercriminals had targeted CVE-2018-13379, a previously disclosed path traversal vulnerability in the FortiOS SSL VPN web portal. Unauthenticated, remote attackers could exploit this flaw to download FortiOS system files by making specially crafted HTTP resource requests. From there, they could access a file, “sslvpn_websession,” which contains usernames and passwords stored in cleartext, the researchers said.
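Detection logic for the class of request described above, as an added example written for this page (not code from Kaspersky, Fortinet or Decipher): it parses constructed access-log lines, in which every address, path and file name is a placeholder rather than the real FortiOS request, and flags request targets whose path or query values resolve to a `..` segment after repeated percent-decoding, so that plain, double-encoded and backslash variants are all caught. A 2xx response to such a request is ranked higher because it suggests the server actually served the file.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines in a simplified common-log format. Addresses,
# paths and file names are placeholders, not real FortiOS requests.
SAMPLE_LOG = """\
198.51.100.20 - - [08/Apr/2021:09:58:11 +0000] "GET /vpn/login HTTP/1.1" 200 1834
203.0.113.7 - - [08/Apr/2021:09:59:40 +0000] "GET /vpn/portal?file=..%2F..%2F..%2Fplaceholder.conf HTTP/1.1" 200 4210
203.0.113.7 - - [08/Apr/2021:09:59:41 +0000] "GET /vpn/portal?file=..%252F..%252Fplaceholder.conf HTTP/1.1" 200 4210
198.51.100.20 - - [08/Apr/2021:10:00:02 +0000] "GET /static/css/main.css HTTP/1.1" 304 0
203.0.113.7 - - [08/Apr/2021:10:00:09 +0000] "GET /vpn/images/..\\..\\placeholder.conf HTTP/1.1" 404 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads (%252e) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the decoded value contains a '..' segment (slash or backslash separated)."""
    normalized = fully_decode(value).replace("\\", "/")
    return any(segment == ".." for segment in normalized.split("/"))


def inspect_request(target):
    """Return which parts of a request target ('path', 'query:<name>') contain traversal."""
    parts = urlsplit(target)
    hits = []
    if has_traversal(parts.path):
        hits.append("path")
    # parse_qsl decodes one layer; fully_decode inside has_traversal handles the rest.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_traversal(value):
            hits.append("query:%s" % name)
    return hits


def scan_log(text):
    """Return one alert per request whose target contains traversal."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        hits = inspect_request(match["target"])
        if not hits:
            continue
        status = int(match["status"])
        alerts.append({
            "ip": match["ip"],
            "target": match["target"],
            "status": status,
            "where": hits,
            # A 200 to a traversal request suggests the server served the file.
            "severity": "high" if status == 200 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the scanner reports the two query-string variants and the backslash path variant from 203.0.113.7 and ignores the ordinary portal traffic; the same rule applied to the VPN appliance's real access logs is a cheap retrospective check for the "test connections" the researchers describe.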

When the vulnerability was first disclosed in 2019, Fortinet fixed it in FortiOS 5.4.13, 5.6.8, 6.0.5 and 6.2.0 and above. Fortinet has also published a series of advisories over the years urging users to update to protect against the flaw. More recently, last week the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) released a joint advisory warning of advanced persistent threat (APT) actors targeting CVE-2018-13379 "to gain initial access to multiple government, commercial, and technology services."

“The security of our customers is our first priority," a Fortinet spokesperson said. "Upon resolution we have consistently communicated with customers as recently as April 2021."

Further investigation into the Cring ransomware attack revealed careful reconnaissance by the cybercriminals. The attackers performed test connections to the VPN Gateway, seemingly to check that the device was using a vulnerable software version. They also carefully analyzed the victim’s infrastructure and used this information to prepare their own infrastructure and toolsets.

“The attackers may have identified the vulnerable device themselves by scanning IP addresses,” said Kopeytsev. “Alternatively, they may have bought a ready-made list containing IP addresses of vulnerable Fortigate VPN Gateway devices. In autumn 2020, an offer to buy a database of such devices appeared on a dark web forum.”

Upon exploiting the flaw, attackers then downloaded Mimikatz, an offensive tool often used to retrieve cleartext passwords, which they leveraged to steal Windows account credentials and ultimately compromise the account of the domain administrator.

Then, a malicious PowerShell script was deployed across other systems on the network, which decrypted a Cobalt Strike Beacon backdoor and gave attackers remote control over the infected systems. Attackers also downloaded a cmd script onto compromised machines, which in turn deployed a PowerShell script (named “kaspersky” in an attempt to disguise its activity as that of a security product, said researchers). Finally, the Cring ransomware was downloaded and launched. The ransomware halted various database servers (such as Microsoft SQL) and backup systems on the machines selected for encryption, said Kopeytsev.

“If they manage to steal the domain administrator's credentials (as in this case), they get almost unlimited control over all systems in the organization's network."

The ransomware then targeted files for encryption by extension, including .zip, .rar, .doc, .ndf (Microsoft SQL Server secondary database files), .ora (Oracle database files) and various others.

“The malware started to encrypt files using strong encryption algorithms, which means that files could not be decrypted without knowing the RSA private key held by the attackers,” said Kopeytsev. “Each file was encrypted using AES and the AES encryption key was in turn encrypted using an RSA public key hard-coded into the malicious program’s executable file. The RSA key size was 8,192 bits.”

The ransom note, saved in the file !!!!WrReadMe!!!.rtf, asked victims to pay a ransom of two Bitcoins (currently worth about $115,482). For the incident analyzed by Kaspersky, Kopeytsev confirmed that servers were restored from backups with some data loss, but that no ransom was paid. He noted that researchers have no evidence pointing to any specific threat actor behind the attack.

Such ransomware attacks are particularly detrimental to industrial organizations that rely on critical systems. For instance, a 2019 ransomware attack on Norwegian aluminum maker Norsk Hydro forced the company to shut down several plants. The Cring ransomware has a similar impact, as the attack forced affected organizations to halt the industrial process, said Kopeytsev.

“If they manage to steal the domain administrator's credentials (as in this case), they get almost unlimited control over all systems in the organization's network,” said Kopeytsev. “As we have seen, encrypting some critical systems allows attackers to temporarily stop production.”

As the campaign started in January and is still ongoing, Kopeytsev urged organizations to deploy updates for the years-old Fortinet vulnerability. Other best practices include updating any anti-malware protection solutions to the latest versions and changing Active Directory policies so that users may only log into the systems required by their operational needs.

“The primary causes of the incident include the use of an outdated and vulnerable firmware version on the Fortigate VPN server (version 6.0.2 was used at the time of the attack), which enabled the attackers to exploit the CVE-2018-13379 vulnerability and gain access to the enterprise network,” Kopeytsev said.

Decipher Podcast: Charles Shirer
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/decipher-podcast-charles-shirer, Thu, 08 Apr 2021 00:00:00 -0400

Apple Details Crackdown Efforts On Invasive Ad Tracking
By Lindsey O’Donnell-Welch (lodonnellwelch@decipher.sc), https://duo.com/decipher/upcoming-apple-tools-crack-down-on-invasive-ad-tracking, Wed, 07 Apr 2021 00:00:00 -0400

Apple is detailing new tools that it says will curb advertisers’ ability to track users' behavior while they browse apps and websites on their devices. The new features are part of an overarching crackdown by Apple on tracking mechanisms, which will be enforced in its upcoming iOS 14.5, iPadOS 14.5 and tvOS 14.5 releases.

The two mechanisms described this week aim to give advertisers the flexibility to measure how users interact with their ads without using invasive tracking tactics. The first feature, called SKAdNetwork, lets advertisers track the number of times an app was installed after users saw ads for it, but does not share any user- or device-level data. The second feature, called Private Click Measurement, exists for apps in iOS and iPadOS 14.5, and enables advertisers to analyze the impact of ads that lead users to websites, while minimizing data collection by relying on on-device processing.

“After a user clicks on an ad for a product in an app, the web browser itself, using Private Click Measurement, can give advertisers information that a user clicked on their ad, and that it led to a certain outcome on their website, such as a visit or a purchase — without giving them information about who specifically clicked on the ad,” Apple said.

The tools are part of Apple's App Tracking Transparency rules, which will be enforced in its upcoming operating system versions and require explicit permission from users before developers can access advertising identifiers. These identifiers, which Apple calls Identifiers For Advertisers (or IDFA), are assigned by iOS to each device and allow developers to track user behavior across websites and apps in order to target them with ads. Any number of identifiers beyond IDFA could also be used for tracking, such as email addresses or phone numbers, according to Apple.

When a user is browsing websites or opening apps on their phone, in the background advertisers are bidding in an auction to show their ads on that app or website. As part of this bidding process, typically advertising networks gather data from user devices, including the app being used, location and an advertising ID. This information gives potential advertisers a better sense of users' behavior and whether their characteristics align with the advertiser’s target audience.

SKAdNetwork and Private Click Measurement apply to the winner of this auctioning process, whose ad appears in front of the app user. This advertiser then has an option to measure how the ad affects user behavior, in a process called ad attribution. For instance, if the ad is for an app, the advertiser would try to track whether the user installed that app.

“The latest privacy changes are part of an unstoppable trend to increase the protection of user privacy."

Chris Hazelton, director of security solutions at Lookout, said the change gives users more control over how much of their personal information is being shared.

“Now, Apple has created levers for users to more easily pick and choose the developers with which they share personal information,” said Hazelton.

In addition to blocking IDFA access, users will also be able to see which apps have requested permission to track them under their Settings and make changes. Apple warned that if developers are found to be tracking users who opt out of this tracking measure, they will be required to update their practices or may be rejected from the App Store.

For developers who have not received permission from the user to enable tracking, the device's advertising identifier value will be all zeros, so they will not be able to track that user. The app will be sent a signal indicating that the user has asked not to be tracked, according to Apple. App Tracking Transparency has generated pushback from developers who argue that the rules will create obstacles for small businesses by affecting their ability to use their advertising budgets efficiently. One such critic, Facebook, has previously argued that the rules are “about profit, not privacy” and that “it will force businesses to turn to subscriptions and other in-app payments for revenue, meaning Apple will profit and many free services will have to start charging or exit the market.”

Privacy experts hope that Apple’s new measures will lead to a privacy push overall by other mobile device companies. According to a Bloomberg report, Google is weighing the development of its own Android alternative for Apple’s tracking opt-in requirement, for instance. Google, which assigns users its own version of an advertising identifier called Advertising ID, did not respond to a request for comment.

“The latest privacy changes are part of an unstoppable trend to increase the protection of user privacy,” said Lookout’s Hazelton. “The goal is to create a common, easily understandable format for users to see how their personal data is collected and used by developers and their partners. It will make it easier for users to question whether free services from developers are worth the cost in terms of privacy and security of their own data.”

While no official date has been revealed for the release of iOS 14.5, iPadOS 14.5, and tvOS 14.5, Apple said that App Tracking Transparency will roll out in the next few weeks.

Q&A: Idan Plotnik
By Dennis Fisher (dennis@decipher.sc), https://duo.com/decipher/q-and-a-idan-plotnik, Wed, 07 Apr 2021 00:00:00 -0400

Idan Plotnik, CEO of Apiiro Security, recently joined Dennis Fisher on the Decipher podcast to talk about taking a risk-based approach to software development and security. This is a condensed and edited version of the conversation.

Dennis Fisher: Where did the idea for this technology come from? Was it a problem that you had seen that you thought, okay, I have an idea for solving this?

Idan Plotnik: I've been in the industry for 19 years, plus my last startup was acquired by Microsoft and I was a general manager for engineering at Microsoft. You want to move from waterfall methodologies to agile development methodologies, but on the other hand, you don't want to release code with risks. You want to be able to assess the risk based on a multi-dimensional approach, and do you need manual processes? You need the risk assessment questionnaires. You need to make sure the people that answer these questionnaires really understand. It's a challenge that I felt. And then I went to other large organizations and I asked them if they have the same challenge while releasing code to production. And then we said, hey, this is going to be a huge problem.

Dennis Fisher: Microsoft obviously has a pretty mature SDLC, so they understand how code should be developed and assessed. And you're looking for all these known problems. How different is the way that a large organization, such as Microsoft, handles it from an SMB or a start-up?

Idan Plotnik: It's a very, very good and complex question. So even in a mature secure development life cycle process, you start from a threat model, and then you go to add this security design review, and then you go through compliance reviews in some cases, and then you go through a security code review, and then you go through penetration testing, and then you go through vulnerability scanning throughout the CI/CD pipeline. And then you're overwhelmed. You're saying, what's going on here? Like, I have one person that is responsible for security across 100 developers. This is the best case, by the way; the ratio is one to 100 in the best-case scenario. And then this guy says, hey, what's going on here? I went through all the processes. I did all the phases, but now I have a thousand vulnerabilities. I have 2,000 tasks to do to remediate. What's first?

I'm telling you from experience that you need to decide if you block the product from getting into your customer's hands or you release it with risks. And this is the fundamental problem that our product solves. Do you need to focus on risky code changes? Okay. What are the material changes that you are introducing into your application, if you're changing the layout of your login page, who cares versus you changed the logic of an API that is responsible for money transfer. This is a risky change. Now I'm not talking about vulnerabilities. I'm talking about a fundamental change that you're taking all these changes and passing them through the same vulnerability scanning pipeline. We are saying something else, we are saying let's differentiate between changes. And we will not only differentiate between changes based on their technical aspects. We will differentiate between changes across their attack surface technical impact. What's the business impact of the change? And what's the business impact of the application? What's the knowledge and the behavior of the developers that made these material changes? And only then we will decide which changes will go through.

Dennis Fisher: Humans are terrible at assessing risk. I think that's one of the things that I've learned over the last 20 years. We're not good at that.

Idan Plotnik: It's not only that we are not good at that. It's a simple thing that our mind cannot hold so many risk factors. And when I say risk factors, I mean, like, where do you deploy this application? Is it on-prem, is it in the cloud? What's the knowledge of your contributors? What is the risk of the application code? What's the attack surface? What's the outcome from your third-party scanning tools, or what are the security controls? So many risk factors that a human being cannot calculate. You need a machine to do that for you, and then just point you in the right direction and say, go here on this specific change. This is the most risky change in your application. Go and have a meaningful conversation with the developer or the compliance officer, because you added PII to the application.

"There are so many risk factors that a human being cannot calculate. You need a machine to do that for you."

Dennis Fisher: Software security experts for years have been saying, we need to build secure software and get the security people involved as early in the process as possible. It's a lot more efficient than trying to secure something after the fact. And this to me seems like something that is completely built to work in that process, the way that software is built and delivered now, as opposed to the way it was delivered 20 years ago.

Idan Plotnik: I totally agree. And I think everyone bought into it. For the last, I don't know, 16 months, I was talking with more than 250 companies from 50 developer shops to 20,000 developers. Everyone bought the idea that they need to integrate security as early as they can. Now, the problem is, and from our point of view, getting security into the CI/CD pipeline, in some cases it's good, but it's too late. You want security to be in on the design phase to tell you to prioritize across all the feature requests, all the user stories to prioritize, what are the most risky features that are going to be developed in the next release, and then handle them at the design phase and run the contextual threat models or security design reviews as early as you can. I can say it depends on what your development processes are, but you can run the security assessment or the risk assessment on your develop branch or the feature branch or the main branch before you trigger the vulnerability scanning processes. And there, at this point, you can do a few things. One, as I told you, you can trigger automatic workflows and say, if I have these types of changes, I need to bring in a pen tester before I even release this code throughout the pipeline, because a pen tester might find vulnerabilities that you can't find in automatic tools. And if he will find these vulnerabilities or material changes, then when it will go through the pipeline, it will reduce the noise that I will get at the end of the process.

Dennis Fisher: Is there a way to introduce this kind of technology and mindset for developers as they're learning to code at university or in their initial jobs out of school where they're trying to figure out how software is actually built?

Idan Plotnik: So there are things that you can do, and there are things that you can't do for example, to learn the basics. You can learn the basics for writing secure software, of course, but there are risks that you can't teach at school again. I'm going back to the example of I'm a developer. I accidentally added your home address and amount of money that you have in the bank to an internet-facing API. It's not a vulnerability, but it's a risk. I can't teach you this. This is based on the context of the application based on the context of the company that you are working on. And, and so the answer is yes, the basics, but no, for the other risks that are taken from the essence of the application or the business, the industry that you are in this is what we are trying to automate.

Dennis Fisher: The context piece of it to me is what really makes the big difference. There are all these different ways to find bugs in code. But if you don't have the context: this developer has a lot of experience with this application, knows what the risks are, knows he or she made this change in this way; or it's a completely inexperienced developer who is new to this project and probably shouldn't have made this change. There's a big difference. You know, people love to talk about security as a series of trade-offs, but the context matters in those kinds of decisions.

Idan Plotnik: Spot on. We're trying to put context into the code changes that you are doing. And not, as I mentioned, not only the context that it is technical, the context, who are you, what's your knowledge across the history, or let's say, you're working in this organization for five years. And for the last four years, you worked as a backend developer, and now you're working as a front-end developer. We will look at you, even if you're working for five years at the same company, we will look at you as a risk.

EtterSilent Builder Gains Momentum in Malware Campaigns
Dennis Fisher (dennis@decipher.sc), Tue, 06 Apr 2021, https://duo.com/decipher/ettersilent-builder-gains-momentum-in-malware-campaigns

Cybercrime groups are using a new malicious document builder known as EtterSilent as part of recent campaigns that have dropped a number of different malware strains, including TrickBot and Bazar loader.

The EtterSilent builder is one of a handful of utilities that aspiring cybercriminals can buy on underground forums to help them construct effective and authentic-looking malicious documents to use in phishing or ransomware campaigns. The builders can produce specific types of documents, such as Word or Excel documents, that contain malicious content, such as exploits or malicious macros. Attackers can then use the documents as lures in their campaigns without going through the effort of building the documents themselves.

In the case of EtterSilent, researchers have seen it used recently by several separate cybercrime groups to deliver fake DocuSign templates to victims. The builder can produce two different types of documents: one that contains an exploit for an old Office vulnerability, or one that uses a malicious macro. EtterSilent first emerged in the middle of last year, and while it has taken some time for it to gain momentum, it’s rolling now.

“There has been a steady rise recently and it has been persistent and is gaining notoriety now. It is quite cheap for a builder, at just a few dollars per build, and I think that combined with the fact that the authors spent considerable time on obfuscation is making it quite popular,” said Brandon Hoffman, CISO at Intel 471, which analyzed recent campaigns using EtterSilent.

Those campaigns have used different lures, but the DocuSign template can be an especially effective one, given that DocuSign is a very common tool in enterprise environments and many people are accustomed to seeing such notifications in their inboxes.

“The malicious document, when opened, shows a template that poses as DocuSign, the popular software that allows individuals and organizations to electronically sign documents. The maldoc then leverages Excel 4.0 macros stored in a hidden sheet, which allow an externally-hosted payload to be downloaded, written to disk and executed using regsvr32 or rundll32. From there, attackers can follow up and drop other assorted malware,” researchers from Intel 471 said in a post on the builder.
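The execution chain Intel 471 describes (Excel 4.0 macro writes a payload to disk, then runs it through regsvr32 or rundll32) leaves a distinctive parent/child process pairing in endpoint telemetry. The following is an added detection example, not code from Intel 471 or Decipher: it scans constructed process-creation events (field names follow the Sysmon Event ID 1 convention: Image, ParentImage, CommandLine, User) and flags an Office application spawning either loader, raising the severity when the loaded DLL sits in a user-writable path, which is where a freshly downloaded payload would land.

```python
"""Flag Office-spawned regsvr32/rundll32 launches in process telemetry.

Added example, not code from Intel 471 or Decipher. Field names follow the
Sysmon Event ID 1 convention (Image, ParentImage, CommandLine, User); the
sample events below are constructed, not captured telemetry.
"""
import json
import ntpath

# Office applications that should rarely, if ever, spawn these loaders.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Signed Windows binaries the report describes being used to run the dropped payload.
LOADER_CHILDREN = {"regsvr32.exe", "rundll32.exe"}
# Locations a macro can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

SAMPLE_EVENTS = [  # constructed JSON lines, one process-creation event each
    r'{"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"regsvr32 /s C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.dll","User":"CORP\\jdoe"}',
    r'{"Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"rundll32.exe shell32.dll,Control_RunDLL","User":"CORP\\jdoe"}',
    r'{"Image":"C:\\Windows\\System32\\regsvr32.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"regsvr32 /s C:\\Windows\\System32\\msxml6.dll","User":"CORP\\asmith"}',
    r'{"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"EXCEL.EXE C:\\Users\\jdoe\\Downloads\\DocuSign.xls","User":"CORP\\jdoe"}',
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return an alert dict for an Office -> loader launch, else None."""
    parent, child = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child not in LOADER_CHILDREN:
        return None
    cmd = event.get("CommandLine", "")
    # A DLL loaded from a user-writable path is what a just-downloaded payload looks like.
    from_user_path = any(marker in cmd.lower() for marker in USER_WRITABLE)
    return {
        "severity": "high" if from_user_path else "medium",
        "parent": parent,
        "child": child,
        "user": event.get("User"),
        "command": cmd,
    }


def scan(lines):
    """Parse JSON event lines and collect the alerts, in input order."""
    alerts = []
    for line in lines:
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["parent"], "->", alert["child"], alert["command"])
```

The medium-severity branch (Word loading a DLL from System32) is deliberately kept: legitimate add-ins occasionally produce it, so it is a triage queue entry rather than an automatic block, while the Temp-path case is the one to page on.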

The sale and use of builders is part of the larger cybercrime ecosystem, which has its own division of labor, specialized developers, initial access brokers, ransomware operators, and payment processors. Hoffman said EtterSilent fits neatly into that economy and is emblematic of the wide variety of tools available to cybercriminals and the ways in which they can be pieced together to deliver full campaigns.

“When you look at the extended kill chain, it’s interesting to see this builder dropping maldocs, which then lead to another loader, and then potentially to ransomware. It speaks to the variety of services people are consuming on the underground,” Hoffman said.

“There are entire marketplaces dedicated to just selling initial access, so even if you don’t have the skills to move laterally or take over Active Directory once you’re in, you can sell that access to someone else.”

Intel 471 intelligence analysts have seen EtterSilent used by several popular banking trojans, including BakBot, Qbot, and Gozi, and the backend infrastructure for these campaigns is being hosted by a well-known bulletproof hosting provider, Yalishanda. The builder has also been seen in campaigns involving BazarLoader, a piece of malware that’s closely associated with TrickBot.

“That relationship with Bazar is interesting, and there have been a rash of follow-ups that have dropped Ryuk,” Hoffman said.

Ongoing Attacks Target SAP Flaws, Unsecured Accounts
Lindsey O’Donnell-Welch (lodonnellwelch@decipher.sc), Tue, 06 Apr 2021, https://duo.com/decipher/ongoing-attacks-target-sap-flaws-unsecured-accounts

Security researchers are warning of an influx of attacks targeting SAP enterprise applications that have not been updated to address vulnerabilities for which patches are available, or that utilize accounts with weak or default passwords.

Starting in mid-2020, threat actors launched at least 300 successful attacks on unprotected SAP instances, according to a Tuesday report released jointly by SAP and Onapsis. These include exploits of six vulnerabilities, some of which can give full control over unsecured applications. Though SAP has released patches for all of these vulnerabilities, the targeted businesses had not applied the updates, or were using unsecured SAP user accounts.

"SAP recommends customers to apply the security and review patches immediately after they have been released via the SAP Security Notes," according to an SAP spokesperson. "SAP takes customer security seriously and collaborates with external security researchers including research companies in ensuring that vulnerabilities discovered in our software are patched at the earliest."

Impacted are various SAP applications, which help organizations manage their mission-critical business processes, including software for enterprise resource planning, supply-chain management, product lifecycle management and customer relationship management. More than 40,000 organizations utilize SAP applications, including 92 percent of the Forbes Global 2000, according to SAP.

For organizations that have not taken the steps to secure their SAP software, the attacks could have dire consequences, according to an alert this week from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). If exploited, the flaws could enable attackers to steal sensitive data, launch financial fraud or ransomware attacks, disrupt mission-critical business processes or even halt operations.

“We captured over 50 hours of hands-on-keyboard exploit activity during the nine months of observations,” Mariano Nunez, CEO of Onapsis, said. “In one instance, we saw an attacker connecting from five different IPs with geo-location in four different countries remotely breaking in and accessing sales orders and sensitive HR data, which would be a direct violation of GDPR.”

Multiple attacks stemmed from the targeting of unsecured, high-privilege SAP user account settings. These accounts, installed on SAP environments during deployment and configuration, used default or weak passwords, making it easy for attackers to launch brute-force attacks and compromise the accounts.

Researchers also observed attackers targeting six flaws, including CVE-2020-6287 (in SAP NetWeaver Application Server Java systems), a critical flaw that, if exploited, could give attackers an initial foothold on the targeted application. Attackers also targeted CVE-2018-2380 (in SAP’s customer relationship management software) and CVE-2016-9563 (in SAP NetWeaver AS Java), which could give authenticated attackers operating system-level access to launch various further attacks; and CVE-2010-5326 (in SAP NetWeaver AS Java), which allows threat actors to execute operating system commands without authentication and ultimately gain full control of the SAP business information and processes.

Attackers also targeted CVE-2016-3976 (in SAP NetWeaver AS Java) and CVE-2020-6207 (in SAP Solution Manager). These flaws, if exploited, can be used for lateral movement across the business network in order to compromise other systems.

“Sophisticated threat actors have been observed chaining together multiple vulnerabilities to target specific SAP applications to maximize impact and potential damage,” according to the report.

The report also pointed to cybercriminals becoming more sophisticated overall in their attacks on software from SAP, which deploys patches on a regular basis every month. Researchers found exploit attempts in some cases were observed in as little as 72 hours from the release of a patch. And, new unprotected SAP applications that were provisioned in cloud environments were discovered and attacked in less than three hours, they said.

Both SAP and Onapsis recommend organizations protect themselves from these attacks by immediately performing a compromise assessment on SAP applications that are still exposed to the targeted flaws, with internet-facing SAP applications being prioritized. In addition, companies should assess all applications in the SAP environment for risk as soon as possible and apply the relevant SAP security patches and secure configurations; and assess SAP applications to uncover any misconfigured high-privilege user accounts.
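Turning those recommendations into a work queue means ranking each SAP system by how exposed it is: which of the six exploited CVEs it still carries, how long a fix has been available (the report saw exploit attempts within 72 hours of a patch), whether high-privilege accounts still have default or weak passwords, and whether it is internet-facing. The following is an added example, not code from SAP, Onapsis or CISA; the inventory and the fix-available dates are constructed placeholders, and the 72-hour threshold is borrowed from the report's observation rather than any vendor SLA.

```python
"""Rank SAP systems for remediation by exposure to the exploited flaws.

Added example, not code from SAP, Onapsis or CISA. The inventory is
constructed and the fix-available dates are placeholders, not SAP note
release dates.
"""
from datetime import datetime, timedelta

# The six CVEs the SAP/Onapsis report says were targeted.
EXPLOITED = {
    "CVE-2020-6287", "CVE-2018-2380", "CVE-2016-9563",
    "CVE-2010-5326", "CVE-2016-3976", "CVE-2020-6207",
}
# Exploit attempts were seen within 72 hours of a patch; treat that as the deadline (assumption).
PATCH_DEADLINE = timedelta(hours=72)

INVENTORY = [  # constructed
    {"sid": "ERP-PRD", "internet_facing": True, "unpatched": ["CVE-2020-6287", "CVE-2016-3976"],
     "fix_available": "2021-03-01T00:00", "default_accounts": True},
    {"sid": "CRM-QA", "internet_facing": False, "unpatched": ["CVE-2018-2380"],
     "fix_available": "2021-03-30T00:00", "default_accounts": False},
    {"sid": "SOLMAN", "internet_facing": False, "unpatched": [],
     "fix_available": None, "default_accounts": True},
    {"sid": "BW-DEV", "internet_facing": True, "unpatched": [],
     "fix_available": None, "default_accounts": False},
]
NOW = datetime(2021, 4, 6)  # fixed so the ranking is reproducible


def assess(system, now):
    """Score one system; the weights are an assumed policy, not from the report."""
    score, findings = 0, []
    exploited = [c for c in system["unpatched"] if c in EXPLOITED]
    if exploited:
        score += 10 * len(exploited)
        findings.append("actively exploited flaws unpatched: " + ", ".join(exploited))
        lag = now - datetime.fromisoformat(system["fix_available"])
        if lag > PATCH_DEADLINE:
            score += 5
            findings.append(f"fix available for {lag.days} days, past the {PATCH_DEADLINE} window")
    if system["default_accounts"]:
        score += 8
        findings.append("high-privilege account with default or weak password")
    if system["internet_facing"] and score:
        score *= 2  # the report says to prioritize internet-facing systems
        findings.append("internet-facing")
    return {"sid": system["sid"], "score": score, "findings": findings}


def prioritize(inventory, now):
    """Highest exposure first; ties keep inventory order."""
    return sorted((assess(s, now) for s in inventory), key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in prioritize(INVENTORY, NOW):
        print(f"{row['sid']:8} score={row['score']:3}  " + "; ".join(row["findings"]))
```

A system with a clean scorecard but an internet-facing interface (BW-DEV above) scores zero here; in practice it still belongs on the compromise-assessment list the report asks for, because a score of zero only says nothing known is wrong, not that nothing has happened.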

“While SAP issues monthly patches and provides best practices for configuring systems, it is ultimately the responsibility of the customer or their service provider to apply mitigations in a timely manner and properly configure systems to keep critical business processes and data protected and in compliance,” according to the report.

Decipher Podcast: Idan Plotnik
Dennis Fisher (dennis@decipher.sc), Mon, 05 Apr 2021, https://duo.com/decipher/decipher-podcast-idan-plotnik

U.S. Senators Press Ad Exchanges on Data Privacy
Lindsey O’Donnell-Welch (lodonnellwelch@decipher.sc), Mon, 05 Apr 2021, https://duo.com/decipher/u-s-senators-press-ad-exchanges-on-data-privacy

A group of U.S. senators is pressuring eight digital advertising exchanges, including Twitter, Google and AT&T, to reveal how they share American users’ data with foreign entities.

The concern is that the processes behind auctioning Americans’ personal information to companies could lead to the sale of that data to hedge funds, political campaigns, and governments, which could then use it for malicious purposes, said the group of senators in several letters. These letters were sent to major players in the ad exchange space, including AT&T, Index Exchange, Google, Magnite, OpenX, PubMatic, Twitter and Verizon.

“Few Americans realize that some auction participants are siphoning off and storing ‘bidstream’ data to compile exhaustive dossiers about them,” according to the group of senators in the letters. “In turn, these dossiers are being openly sold to anyone with a credit card, including to hedge funds, political campaigns, and even to governments.”

Ad exchanges are digital marketplaces where publishers sell, and advertisers purchase, ad inventory (this is done directly, versus via ad networks, which act as an intermediary between buyers and sellers). The exchanges are facilitated via an auction process used to place targeted digital advertisements, called “real-time bidding.”

During the process of real-time bidding, ad publishers (typically the websites where ads will be displayed) add their inventories of ad impressions (each impression representing one display of an ad on a website visited by a user) into an auction pool. Bidders, who want to advertise their services on the publishers’ sites, then pick which impressions they want to purchase. This is based on real-time information including the previous behavior of targeted users, the time of day, the position of the ad and more.

This all happens in less than 100 milliseconds, meaning when a user of a certain website clicks through that website, in the background the real-time bidding is occurring in order to pick out the advertisement that user will see.

However, for most online ads, although only one company wins the auction, hundreds of firms that are also participating may receive sensitive data about the potential ad recipient. Dr. Johnny Ryan, senior fellow at The Irish Council for Civil Liberties and the Open Markets Institute, said this type of information is being shared “billions of times a day."

Ryan said shared data may include a unique ID for users, what they are reading or watching, their location, descriptions of their devices, unique tracking IDs (or a cookie identifier that allows advertising companies to build long-term profiles of users) and IP addresses (depending on the version of the real-time bidding system). In some cases a data broker segment ID may also be available.

“This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system),” said Ryan.
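The privacy problem described above is structural: every bidder receives the request before the auction resolves, so the losing bidders learn as much about the user as the winner does. The following is an added example, not code from any ad exchange, Google or the IAB: a toy auction over a constructed bid request (field names loosely follow OpenRTB naming such as user, device, geo and site, but the values and bidding logic are made up). It records exactly which fields each bidder saw, then runs the same auction on a minimized request with persistent identifiers removed and location and IP coarsened, to show what the losers no longer learn.

```python
"""Toy real-time-bidding auction showing how far a bid request travels.

Added example, not code from any exchange or from the IAB. The request
shape loosely follows OpenRTB naming (user, device, geo, site); values and
bidder strategies are constructed.
"""
import copy

BID_REQUEST = {  # constructed
    "id": "req-8731",
    "site": {"page": "https://news.example/health/article-42"},
    "device": {"ip": "203.0.113.57", "ifa": "9d2f-example-advertising-id",
               "ua": "Mozilla/5.0 (Android 11)"},
    "geo": {"lat": 38.8977, "lon": -77.0365, "country": "US"},
    "user": {"id": "exch-user-55a1", "buyeruid": "dsp-cookie-77f2",
             "data": [{"segment": ["income-high", "interest-oncology"]}]},
}

BIDDERS = {  # constructed bidding strategies; bids are CPM dollars
    "dsp-a": lambda req: 2.0 + (1.5 if "interest-oncology" in str(req["user"]) else 0.0),
    "dsp-b": lambda req: 1.2,
    "dsp-c": lambda req: 0.5 + (2.0 if "lat" in req["geo"] else 0.0),
}


def _flatten(obj, prefix=""):
    """Dotted paths of every leaf value, i.e. everything a recipient learns."""
    keys = set()
    if isinstance(obj, dict):
        for k, v in obj.items():
            keys |= _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for v in obj:
            keys |= _flatten(v, prefix)
    else:
        keys.add(prefix.rstrip("."))
    return keys


def run_auction(request, bidders):
    """Fan the request out to every bidder, then pick the highest bid.

    Returns the winner and, per bidder, the set of fields that bidder received
    whether or not it won.
    """
    received, bids = {}, {}
    for name, bid_fn in bidders.items():
        received[name] = _flatten(request)
        bids[name] = bid_fn(request)
    winner = max(bids, key=bids.get)
    return winner, received


def minimize(request):
    """Strip persistent identifiers and coarsen location before fan-out (an assumed policy)."""
    r = copy.deepcopy(request)
    for field in ("id", "buyeruid", "data"):
        r["user"].pop(field, None)
    r["device"].pop("ifa", None)
    if "ip" in r["device"]:  # keep the /24, drop the host part
        r["device"]["ip"] = ".".join(r["device"]["ip"].split(".")[:3] + ["0"])
    r["geo"] = {"country": r["geo"].get("country")}
    return r


if __name__ == "__main__":
    winner, seen = run_auction(BID_REQUEST, BIDDERS)
    print("winner:", winner)
    for name, fields in seen.items():
        print(f"  {name} saw {len(fields)} fields, e.g. {sorted(fields)[:3]}")
    winner_min, seen_min = run_auction(minimize(BID_REQUEST), BIDDERS)
    print("winner after minimization:", winner_min, "| fields per loser:",
          {n: len(f) for n, f in seen_min.items() if n != winner_min})
```

Note that minimization changes the bids (dsp-c no longer sees precise coordinates), which is the commercial pressure that keeps the raw bidstream flowing; the check is whether a field is needed to bid at all, not whether it raises the price.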

Ryan said public industry standards exist for what type of data can and should be sent as part of the real-time bidding process, including a standard from Google and one from the Interactive Advertising Bureau.

However, despite these standards, concerns have previously been raised over various U.S. federal agencies, as well as data brokers, that have collected data from digital marketplaces meant for advertising. A group of senators in July, for instance, sent a letter to Federal Trade Commission (FTC) Chairman Joseph Simons urging him to further investigate the data privacy policies associated with real-time bidding. The letter claimed data broker Mobilewalla had used location and race data to profile participants in Black Lives Matter protests.

Beyond the U.S., “this information would be a goldmine for foreign intelligence services that could exploit it to inform and supercharge hacking, blackmail, and influence campaigns,” senators said.

Senators on Friday requested that the eight ad exchanges disclose the specific information on users that is being provided to auction participants, including their devices, the websites they are accessing and the apps they are using. They also asked the ad exchanges to disclose all companies (both foreign and domestic) to which they have provided bidstream data in the past three years that are not “contractually prohibited from sharing, selling, or using the data for any purpose unrelated to bidding on and delivering an ad.” In addition, the ad exchanges are being asked to detail their efforts in auditing compliance with contractual restrictions on sharing or selling bidstream data.

The senators - including Senators Ron Wyden (D-Ore.), Bill Cassidy (R-La.), Kirsten Gillibrand (D-N.Y.), Mark Warner (D-Va.), Sherrod Brown (D-Ohio), and Elizabeth Warren (D-Mass.) - asked companies to respond by May 4.

Of the eight companies contacted by senators, AT&T and Google responded to a request for comment. An AT&T spokesperson said, “we received the letter and will respond as requested, but we have thorough processes in place to protect the data referenced in the letter.”

A Google spokesperson said: "Privacy and transparency are core to how our ads services work.”

“We never sell people’s personal information and all ad buyers using our systems are subject to stringent policies and standards, including restrictions on the use and retention of information they receive,” said the spokesperson.

Kansas Water Utility Attack Underscores Security Limitations in Municipalities
Lindsey O’Donnell-Welch (lodonnellwelch@decipher.sc), Fri, 02 Apr 2021, https://duo.com/decipher/kansas-water-utility-attack-underscores-security-limitations-in-municipalities

Tight budgets and a lack of resources are driving innumerable security troubles for water facilities, as evidenced by the indictment this week of a 22-year-old man who allegedly accessed a Kansas public water system’s computers in order to tamper with its disinfectant levels.

The indictment alleges that Wyatt Travnichek remotely logged into the Ellsworth County Rural Water District’s computer system without authorization on March 27, 2019, and then proceeded to shut down the processes behind the facility’s cleaning and disinfecting procedures. According to the Department of Justice, Travnichek was a former employee of the water facility from 2018 until January 2019, where part of his job was remotely logging into the facility’s computer system to monitor the plant after hours.

A representative with the Ellsworth County Rural Water District said the incident did not have an impact on customers.

“We continually monitor water quality,” said the representative.

The incident underscores the dangers that can result from unauthorized access to public water plant systems, which collect, treat and distribute water for drinking. Two months ago, an attacker was briefly able to access a system used to monitor the city’s water supply in an Oldsmar, Fla., water treatment facility. The attacker attempted to raise the level of sodium hydroxide in the public drinking water to a dangerously high level, but automated systems caught the incident and reversed the change.

Security experts say that many water facility environments are fraught with security challenges, many of which are rooted in budgetary factors. The majority of the nation’s more than 50,000 drinking water and 16,000 wastewater treatment plants are municipality owned, meaning their operating revenues rely primarily on the rates that they charge customers. The process of raising rates for taxpayers means facilities need to “jump through policy hoops,” making it difficult to squeeze cybersecurity into the budget, said Marty Edwards, vice president of OT Security with Tenable.

“If the only way for funding is going in front of taxpayers and getting a bond or levy passed to invest that money, it’s not as easy as a privately owned corporation that can go to the board of directors,” said Edwards.

A limited budget also means limited personnel. Ellsworth County Rural Water District’s public water system facility serves water directly in segments of eight counties and indirectly to two more counties, through 1,500 retail customers and 10 wholesale accounts, according to its website. For all of this, the facility has eight personnel in its operations segment, consisting of plant operators and distribution operators.

While larger cities can afford entire security teams to maintain systems, in plants from mid-size or smaller counties electricians or engineers must shoulder both the water operations maintenance and security responsibilities. Other municipalities, meanwhile, contract the work off to a third-party service provider. For these latter two instances, “the primary responsibility isn’t security, it’s making sure that the water’s running,” said Edwards.

A tight budget and staff makes it challenging to keep up with even the most basic security issues. Various facility processes, like pumps used to move water, are controlled by industrial control systems (ICS), such as programmable logic controllers that start or stop the processes based on varying values. However, the custom software behind these systems is rarely updated, and is typically tethered to obsolete operating systems, such as Windows 3.1.

“These (ICS) systems, physically connected to the processes, were not historically on the network,” said Gus Serino, principal ICS security analyst with the Dragos Threat Operations Center. “Cybersecurity has not been built in, and while this is slowly changing, most of it is insecure by design. With these insecure but critical assets being exposed to a network, if there’s a compromise and you have an adversary who understands what they’re looking for, this network access gives them what they need (to launch an attack).”

In the Oldsmar, Fla. hack, the water plant’s computers, which were connected to the control systems, used an outdated Windows 7 operating system. Other security issues plagued the environment: All computers used the same password for remote access and lacked firewall protection, for instance.

These security challenges have an alarming potential impact, should they allow a system to be tampered with. In the case of the Ellsworth County Rural Water District, Travnichek allegedly targeted water disinfecting procedures. In a June incident, Israeli officials reported that cybercriminals with Iran’s Islamic Revolutionary Guard Corps attempted to hack the country’s water supply in order to raise chlorine levels. Raising chlorine to high levels in water can have dangerous safety impacts if the water is ingested. However, experts stress that in reality, there are many checks and balances in place at water plants that realistically would prevent such an attack.

“These incidents are not something we need to be fearful of,” said Chris Sistrunk, technical manager of ICS/OT consulting at Mandiant. “We don’t need to lose sleep over them. But it’s something we should be aware of and work on. Generally, engineers try to design a system where it will be as safe as possible, and have a known state.”

While the attacker in the Oldsmar, Fla., hack changed the sodium hydroxide level from 100 parts per million to a dangerous 11,100 parts per million, for instance, it would have taken 24 to 36 hours for the change to actually reach the public water supply, according to city officials. During that length of time, it’s likely the change would be discovered via manual testing and other protective measures that are in place, said Sistrunk.

Tenable’s Edwards is also encouraged by the fact that more engineers are turning to Consequence-driven Cyber-informed Engineering (CCE), which is a methodology that focuses on proactively removing significant cyber risk from operational technology processes, by creating physical limits so that processes would shut down if some type of catastrophic damage occurs.

“Even if the system is owned by attackers, and they manipulate this in the worst way, equipment is designed in a way where the worst type of damage can’t occur,” said Edwards. “We’re seeing more engineers look at systems with a cyber informed reference.”
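The physical-limit idea Edwards describes can be made concrete at the controller: a setpoint that falls outside the engineering limits of the process is refused no matter who sends it, and large jumps are rate-limited so that a change from 100 ppm to 11,100 ppm, like the one attempted at Oldsmar, cannot be applied in one command. The following is an added example to illustrate that design; it is not code from Tenable, Dragos, Mandiant, any controller vendor or the utilities named in the article, and the limits, command sources and values are constructed.

```python
"""Engineering-limit guard for a chemical dosing setpoint.

Added example illustrating the physical-limits idea behind CCE. Not code
from Tenable, Dragos, Mandiant or any controller vendor; the limits and
the command sequence are constructed, not a real plant's values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DosingLimits:
    unit: str
    hard_min: float   # below this the process cannot run safely
    hard_max: float   # above this is physically disallowed, regardless of who asks
    max_step: float   # largest change accepted from a single command


def validate_setpoint(current, requested, limits):
    """Return (value_to_apply, status). A rejected request leaves the value unchanged."""
    if not (limits.hard_min <= requested <= limits.hard_max):
        return current, "rejected: outside engineering limits"
    if abs(requested - current) > limits.max_step:
        step = limits.max_step if requested > current else -limits.max_step
        return current + step, "clamped: exceeds max step, re-issue to continue"
    return requested, "accepted"


def process_commands(commands, limits, start):
    """Apply HMI or remote commands in order and keep an audit trail.

    Every rejection is marked as an alarm so operators and the SOC see the
    attempt even though the process value never moved.
    """
    value, trail = start, []
    for source, requested in commands:
        value, status = validate_setpoint(value, requested, limits)
        trail.append({
            "source": source,
            "requested": requested,
            "applied": value,
            "status": status,
            "alarm": status.startswith("rejected"),
        })
    return value, trail


# Constructed limits for a sodium hydroxide feed, in parts per million.
NAOH_LIMITS = DosingLimits(unit="ppm", hard_min=50.0, hard_max=200.0, max_step=25.0)
# Constructed command sequence: an operator adjustment, a hostile remote request, a correction.
COMMANDS = [("hmi-operator", 120.0), ("remote-session", 11100.0), ("hmi-operator", 110.0)]


if __name__ == "__main__":
    final, trail = process_commands(COMMANDS, NAOH_LIMITS, start=100.0)
    for entry in trail:
        flag = " ALARM" if entry["alarm"] else ""
        print(f"{entry['source']:15} requested {entry['requested']:8.1f} -> "
              f"applied {entry['applied']:6.1f} ({entry['status']}){flag}")
    print("final setpoint:", final, NAOH_LIMITS.unit)
```

The guard is only as good as where it runs: if it lives in the HMI software on a Windows 7 box reachable over remote-access tooling, an attacker who owns that box can bypass it, which is why CCE pushes such limits down into the controller or into mechanical and hydraulic design where software compromise cannot reach them.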

Right now, Edwards said his number one recommendation for water plants is creating an asset inventory that lists all devices on the network, giving more visibility and control over the environment and paving the way for a risk-based vulnerability management plan.

Remote access, another security pain point, should be blocked, said Michael Arceneaux, managing director with WaterISAC, a security information guide for the water and wastewater sector. Water plants often use remote access software for third-party contracting and monitoring functions, but as seen in the Oldsmar, Fla., attack (where the attacker leveraged the facility’s remote access software, TeamViewer) it can also lead to security issues.

“One issue is remote access… it is used and it can be necessary, but we advise against it,” said Arceneaux. “We also recommend assessing networks, equipment and devices and understanding basic cyber hygiene such as access controls and better passwords.”

Other security recommendations are more basic, such as making sure employees are educated about phishing and other email-based threats, installing firewalls, keeping all systems (including ICS software) patched and ensuring that passwords are regularly changed, particularly after employees are offboarded. Arceneaux speculated that this last recommendation may have been a preventative factor for the Ellsworth County Rural Water District hack, which allegedly involved a former employee of the plant.

Looking forward, Tenable’s Edwards is optimistic that awareness is increasing for critical infrastructure security, both across the government and within water facilities themselves.

“As a nation, we need to invest heavily in our cybersecurity assets, and I’m seeing good proposals being made and discussions about grant projects to augment resources,” he said.

Enterprises Are Patching Faster, Reducing Vulnerability Debt
Dennis Fisher (dennis@decipher.sc), Thu, 01 Apr 2021, https://duo.com/decipher/enterprises-are-patching-faster-reducing-vulnerability-debt

Enterprise defenders have to deal with a massive number of vulnerabilities every month, and while that volume isn’t likely to drop off any time soon, new data shows that companies continue to improve the speed and efficiency with which they’re patching those flaws.

It can be tempting to think of vulnerability management and patching as the same thing, but that’s not really accurate. Patching is one component of vulnerability management, a broader discipline that also requires assessment, prioritization, and mitigation of vulnerabilities within an environment. Determining which bugs are the most serious, pose the biggest risk to the organization, and require the most immediate attention is vital for enterprises, especially those with limited resources. Focusing on higher-risk vulnerabilities can provide a good return, by removing the most likely initial access vectors for attackers.

Data compiled by Kenna Security from measurements of its customers’ remediation efforts shows that companies are fixing more of those high-risk vulnerabilities faster now than they were just a year ago. Looking at the time it takes for organizations to fix 50 percent of the occurrences of a given vulnerability in their systems, Kenna found that time had dropped from 158 days last year to just 27 days this year. That measurement shows a steep curve in the number of companies patching in the first couple of months after a high-risk vulnerability is disclosed, and then it gradually flattens out as you get three or six or nine months past the initial publication. For high-risk flaws--which Kenna defines as those for which exploit code is available or exploitation activity has been seen in the wild--patching as quickly as possible is crucial.

“We like to apply that lens to it because the high-risk vulnerabilities are the ones that matter the most, and people are definitely getting better at patching those over time,” said Ed Bellis, CTO and founder of Kenna Security.

“We would expect companies to get better, especially with the higher-risk stuff. But the velocity of patching has increased as well for the higher-risk vulnerabilities.”

Kenna’s data, which is collected from the company’s customers in a broad range of verticals, shows that 78 percent of the high-risk flaws are patched within six months, and that more than 13 percent of those vulnerabilities are still unpatched a year after the fix was released. That’s a wide window of exposure for attackers to climb through, and adversaries certainly pay attention to patch release cycles and know when Microsoft, Oracle, Cisco, and other large vendors push out fixes. For high-visibility bugs, like the Exchange vulnerabilities disclosed last month or the F5 bugs revealed recently, attackers are quite likely to go after them quickly, knowing that defenders will prioritize those patches and take many vulnerable machines off the table quickly. Many larger organizations also have automated processes in place to deploy patches that come out on a regular schedule, as Microsoft’s do.

But that still leaves plenty of green field for attackers to target vulnerabilities in less-visible applications and devices.

“Companies that are really good at patching have a lot of automation and tooling in place. The massive volume of patches is coming from companies like Microsoft, but so is most of the remediation that companies are doing,” Bellis said.

“People have gotten very good at patching Microsoft vulnerabilities and they have probably operationalized it. But as they get farther away from that, to things like Linux boxes, bespoke applications, IoT devices, and that kind of thing, it’s a different story.”

It’s important to note, Bellis said, that Kenna’s customers are clearly a self-selecting population of enterprises that take a risk-based approach to vulnerability management, so they are likely to be more mature in their patching and remediation activities. But the data from those organizations does paint a pretty clear picture of things trending in the right direction. In addition to the decrease in the half-life of a given vulnerability, Kenna also recorded an increase, from 66 percent to 71 percent, in the share of companies that are either breaking even or reducing the number of vulnerabilities in their systems in any 30-day period. This measurement, called capacity, shows that fewer companies were losing ground in that fight this year than last.
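The two figures the article leans on, the time to fix 50 percent of a vulnerability's occurrences and the capacity metric, are easy to compute from a team's own ticketing data and worth tracking internally. The following is an added example, not Kenna Security's code or methodology beyond the definitions quoted in the article: from a constructed list of per-occurrence close dates it derives the half-life in days and the fraction closed within six months and one year (the article's 78 percent and 13 percent figures are of that kind), and from constructed per-company opened/closed counts it derives capacity as the share of companies that closed at least as many vulnerabilities as they opened in a 30-day window.

```python
"""Remediation metrics from per-occurrence close dates.

Added example, not Kenna Security's code. The definitions follow the
article: half-life is the time until half of a vulnerability's occurrences
are closed; capacity is the share of companies that closed at least as many
vulnerabilities as they opened in a 30-day window. All data is constructed.
"""
from datetime import date, timedelta

DISCLOSED = date(2021, 1, 1)  # constructed disclosure date of one high-risk flaw
# Close date per occurrence across an estate; None means still open (constructed).
CLOSES = [
    date(2021, 1, 10), date(2021, 1, 20), date(2021, 1, 25), date(2021, 2, 1),
    date(2021, 3, 15), date(2021, 7, 30), None, None,
]
# (opened, closed) counts per company in the same 30-day window (constructed).
WINDOW_COUNTS = {"acme": (10, 12), "globex": (5, 5), "initech": (8, 3), "umbrella": (2, 4)}


def half_life_days(closes, disclosed):
    """Days from disclosure until 50% of occurrences are closed; None if never reached."""
    needed = -(-len(closes) // 2)  # ceil(n / 2)
    closed = sorted(d for d in closes if d is not None)
    if len(closed) < needed:
        return None
    return (closed[needed - 1] - disclosed).days


def fraction_closed_within(closes, disclosed, days):
    """Share of occurrences closed within `days` of disclosure."""
    cutoff = disclosed + timedelta(days=days)
    return sum(1 for d in closes if d is not None and d <= cutoff) / len(closes)


def capacity(window_counts):
    """Share of companies that broke even or reduced their open count in the window."""
    return sum(1 for opened, closed in window_counts.values() if closed >= opened) / len(window_counts)


def remediation_report(closes, disclosed, window_counts):
    """Bundle the metrics the way a monthly vulnerability-management review would show them."""
    return {
        "half_life_days": half_life_days(closes, disclosed),
        "closed_within_6_months": fraction_closed_within(closes, disclosed, 180),
        "still_open_after_1_year": 1 - fraction_closed_within(closes, disclosed, 365),
        "capacity": capacity(window_counts),
    }


if __name__ == "__main__":
    for name, value in remediation_report(CLOSES, DISCLOSED, WINDOW_COUNTS).items():
        print(f"{name:24} {value}")
```

Half-life is deliberately computed over occurrences rather than over tickets: a flaw closed on one of two hundred hosts is still open from the attacker's point of view, which is the framing the article's 158-day to 27-day comparison uses.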

“That capacity metric slightly improved this year, but it’s improved more than anything else over the last three years,” Bellis said.

Iranian APT Group Phosphorus Targets Medical Researchers
Dennis Fisher (dennis@decipher.sc), Wed, 31 Mar 2021, https://duo.com/decipher/iranian-apt-group-phosphorus-targets-medical-researchers

An attack group known as Charming Kitten or Phosphorus that is tied to the Iranian government recently ran a highly targeted credential-theft campaign against senior personnel in medical institutions and research facilities in the United States and Israel, using rigged PDFs as a lure and possibly signaling a change in targeting for the group.

The campaign occurred in December 2020 and researchers discovered that the Phosphorus group targeted a small, quite specific group of people in the medical research field. The attackers used the familiar spear-phishing technique, although the lure itself is a little odd, given that the targets are all in the medical field. The group, which Proofpoint calls TA453, sent emails to the potential victims with the subject line, “Nuclear weapons at a glance: Israel”. The body of the email contains some information on Israel’s nuclear capabilities and a link to a website controlled by the attackers. If the victim clicks on the link, the site serves a phishing page that asks the victim to enter credentials for Microsoft OneDrive. The campaign is known as BadBlood and researchers said it shared some similarities with other known campaigns by the same group.

“Attempting to use any other hyperlink in the webpage results in the same redirect to the same forged Microsoft login page, except for the "Create one!" link. This tab leads to the legitimate Microsoft Outlook ‘Sign Up’ page,” a report from Proofpoint, which discovered the campaign, says.

“Once an email is entered by the user and ‘Next’ is clicked, the page prompts for a password. Once a user enters their credentials, they are then redirected to Microsoft’s OneDrive where the benign ‘Nuclear weapons at a glance: Israel’ document is hosted.”

This kind of highly targeted campaign is typical of APT groups, and medical professionals and researchers have become prime targets in the last year as the COVID-19 pandemic has stretched on. There have been a number of APT campaigns that targeted COVID-19 vaccine research and manufacturing facilities in recent months, but the new Phosphorus campaign targeted medical professionals in oncology, genetics, and neurology, not epidemiology or infectious disease research.

"TA453's credential phishing campaigns typically target a small number of individuals, which is a departure from other Iranian APTs," said Sherrod DeGrippo, senior director of threat detection and response at Proofpoint.

The group's targeting and collection priorities are known to align with those of Iran's Islamic Revolutionary Guard Corps.

“TA453 targeted less than 25 senior professionals at a variety of medical research organizations located in the US and Israel. Proofpoint analysis of the targets’ publicly available research efforts and resumes indicate TA453 targeted individuals with a background in either genetics, oncology, or neurology,” the Proofpoint report says.

“These medical professionals appear to be extremely senior personnel at a variety of medical research organizations. Additionally, TA453 targeting Israeli organizations and individuals is consistent with increased geopolitical tensions between Israel and Iran during 2020.”

The Phosphorus group has been active for several years and has not escaped the notice of law enforcement officials or security and technology companies. In 2019, Microsoft took down a large swath of Phosphorus infrastructure, taking control of 99 domains used in the group's phishing campaigns, and later that year it published details of a campaign in which Phosphorus targeted people associated with the 2020 presidential campaigns, journalists, and government officials. The group has also been known to target defense companies and government agencies.

Proofpoint’s researchers said the recent campaign can’t be seen as definitive proof of a change in the group’s tasking or targeting. It could be an anomaly, or part of a larger effort to establish footholds in a broader set of networks.

“As collaboration for medical research is often conducted informally over email, this campaign may demonstrate that a subset of TA453 operators have an intelligence requirement to collect specific medical information related to genetic, oncology, or neurology research. Alternatively, this campaign may demonstrate an interest in the patient information of the targeted medical personnel or an aim to use the recipients' accounts in further phishing campaigns. While this campaign may represent a shift in TA453 targeting overall, it is also possible it may be an outlier, reflective of a specific priority intelligence tasking given to TA453,” the researchers said.

DeGrippo said that TA453 appears to have paused its credential phishing efforts since this campaign ended.

"While multiple domains with lure documents are still available as of this report, we have not seen any further credential phishing campaigns since December," she said.

<![CDATA[Video Game Malware Raises Unforeseen Remote Work Threats]]> lodonnellwelch@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/video-game-malware-raises-unforeseen-remote-work-threats https://duo.com/decipher/video-game-malware-raises-unforeseen-remote-work-threats Wed, 31 Mar 2021 00:00:00 -0400

With more people using their personal devices for work during the COVID-19 pandemic, threats that would typically only affect consumers are now posing unforeseen risks to enterprise networks, too, including a new malware campaign targeting video game enthusiasts, researchers warn.

New research from Cisco Talos shed light on an ongoing campaign that uses game-modding tools as a disguise to infect victims with malware, such as information stealers. Though the targets of the campaign are gamers, researchers say it poses a “serious threat to enterprise networks” as companies continue to grapple with securing their remote workforces.

“The biggest threat here is that people’s (personal) systems are getting infected, and then they are using corporate networks on those same machines,” Holger Unterbrink, threat researcher with Cisco Talos, said. “With COVID-19 and work-from-home (workforces), the chances of this type of attack affecting companies has definitely increased.”

While the majority of workforces have been remote for more than a year now, companies continue to struggle with securing their infrastructure in a work-from-home environment. Recent research from Lynx Software found that 76 percent of 1,000 U.S. employees surveyed were using a personal device for work “at least sometimes.” Less than half (49 percent) of respondents said their organizations had strengthened their cybersecurity measures since the start of the pandemic.

With this particular malware attack, researchers worry that employees may be downloading tools used to alter video games from suspicious sources, on the same personal machine they use for their jobs. The attack starts with advertisements or "How To" videos on YouTube or other social media channels, which promise game-modding tools for video games like first-person shooter game CrossFire, for instance.

These channels point victims to seemingly legitimate files, which purport to let users install cheats into video games or make other modifications. Using such cheats is already considered a “gray area” in the eyes of the games' publishers, which makes it easier for cybercriminals to convince users to download software from shady sources, said Unterbrink.

“It’s a form of social engineering… the motivation is high to accept the risk,” said Unterbrink. “People know they’re doing something that’s not 100 percent correct, so they can only get these cheats from questionable sources.”

However, once downloaded, the files actually deploy a complex Visual Basic-based cryptor, which is designed to obfuscate malware code so it can’t be easily detected using signature-based scanners. In this case, the cryptor uses several obfuscation tactics that make it difficult to detect the final payload, including injecting its code into a new process to hide the payload from simple anti-malware tools. And, it could pose a challenge for security analysts who aren’t familiar with Visual Basic 6, researchers said.

The final payload is XtremeRAT, a remote access trojan (RAT) with information-stealing capabilities that has been around since at least 2010. It lets attackers download files, capture screenshots of the desktop, and record from the device's webcam or microphone.

With attackers armed with these capabilities, it’s game over should a device that’s also being used for corporate functions be infected, said Unterbrink.

“With this attack, (cybercriminals) are getting full control of the victims’ laptop,” said Unterbrink. “They can access all resources the employee has access to and misuse their accounts.”

A successful cyberattack would give cybercriminals access to email services if they are utilized on the personal device. This could not only expose sensitive corporate information, but allow for subsequent phishing attacks that leverage victims’ legitimate corporate email accounts, making them seem more trustworthy.

Beyond campaigns that leverage video game mods, other types of threats - typically targeted at consumers - are now posing a threat to enterprises due to remote work. For instance, attackers have been leveraging COVID-19 lures to draw in victims with promises of vaccines.

“(Employees) are now not risking just their private PC, now they are sharing these resources with their company,” said Unterbrink. “They need to be more responsible.”

With the threat of employees utilizing their personal devices during remote work, companies should ensure their workers’ devices are armed with antivirus and two-factor authentication protections. Proper employee education is also in order, including making sure that end users only download software from trusted sources, said Unterbrink.

Cisco Talos researchers said it's also critical for companies to have a multi-layered security architecture in place that can detect abnormal behavior.

“It isn't unlikely that the adversaries will manage to bypass one or the other security measures, but it is much harder for them to bypass all of them,” according to researchers with Cisco Talos. “These campaigns and the refinement of the TTPs being used will likely continue for the foreseeable future.”

<![CDATA[Cybercriminals Home in on Manufacturers]]> lodonnellwelch@decipher.sc (Lindsey O’Donnell-Welch) https://duo.com/decipher/cybercriminals-home-in-on-manufacturers https://duo.com/decipher/cybercriminals-home-in-on-manufacturers Tue, 30 Mar 2021 00:00:00 -0400

Weak security implementations and flawed organizational structures are opening up manufacturing floors as lucrative targets for cybercriminals, with more than half of manufacturers saying they have experienced disruptive cyberattacks in a recent survey.

New data from Trend Micro, which surveyed 500 security decision makers at large manufacturing firms across the U.S., Germany and Japan, found that 61 percent of manufacturers have experienced a “cybersecurity incident.” According to Trend Micro researchers, this encompasses virus infections, unauthorized operations that exploit system vulnerabilities, or unauthorized access to systems.

Manufacturers have for the past decade been undergoing a major shift in how the equipment on production floors is monitored and controlled. The operational technology (OT) devices used for monitoring and controlling industrial equipment such as supervisory control and data acquisition (SCADA) systems are becoming increasingly connected to the Internet as manufacturers embrace new functionalities such as predictive maintenance, automation and more.

However, connecting previously air-gapped OT networks to the public Internet is also opening up a dangerous security “soft underbelly” for manufacturing firms, said Amir Preminger, vice president of research at Claroty. And cybercriminals are taking full advantage.

“The bottom line is that OT is much more prone to be attacked - it’s more vulnerable, and I think it’s an easy territory for attackers,” said Preminger.

Manufacturing experts surveyed are recognizing this security pain point, with 78 percent agreeing that technology is the biggest security challenge for their organization. Fewer than half of the respondents said they're implementing technical measures to improve cybersecurity.

Part of the challenge is that OT is built for specific environments in which system downtime is a critical factor, making it more difficult to deploy patches. On the flip side, with IT devices, “everyone is planning for a malfunction,” said Preminger.

Critical security flaws continue to pop up in OT systems - with researchers a year ago warning of bugs requiring very little skill to exploit in industrial control system (ICS) devices from Rockwell Automation and Johnson Controls, for instance. And in July, the National Security Agency (NSA) issued an advisory regarding a critical security flaw in the Schneider Electric Triconex TriStation and Tricon Communication Module, components that are designed to prevent equipment failure by shutting down plant operations in the event of an emergency.

On top of the security issues plaguing OT systems, two-thirds (67 percent) of the manufacturing experts surveyed say flawed organizational processes within manufacturing companies are making security more difficult. Few organizations have teams that collaborate across the IT side, which is tasked with securing and managing hardware and software along with storing and transmitting data, and the OT side, which oversees ICS devices and manages the physical processes tied to industrial equipment.

The majority of those surveyed by Trend Micro (88 percent) said that their companies’ IT and OT teams don’t collaborate across all phases when determining cybersecurity measures. The disparity between IT and OT can affect the security posture of manufacturing companies overall: In fact, firms with IT and OT teams that did work together had a higher level of security protections like firewalls and network segmentation.

“The results show that if both IT and OT teams participate in the selection of technical measures and the decision making process in factory cybersecurity, the implementation of technical measures will be easier,” the report says. “In particular, there are significant differences in measures such as firewalls, IPS, and network segmentation.”

For manufacturers, these technology-level and organizational-level challenges are leading to potentially devastating disruptions. Of the surveyed organizations that experienced cyber attacks, 75 percent suffered system outages, with 43 percent saying their outages lasted more than four days.

Depending on the industry that the affected manufacturing firm is in, and the materials it produces, such attacks could have high financial stakes and cause disruptions for other partners and customers across the supply chain. In February, a ransomware attack hit WestRock, the second-largest packaging company in the U.S., affecting its OT systems used to control industrial operations and causing its mill system production and packaging-converting operations to sputter to a stop. The attack caused a lag in production levels for some of the company’s facilities. For instance, the firm’s mill system production, through Feb. 4, was approximately 85,000 tons lower than planned.

These types of production halts can cost companies in terms of lost productivity, brand damage and more. In 2019, a ransomware attack on Norwegian aluminum maker Norsk Hydro forced the company to shut down or isolate several plants and send several more into manual mode - ultimately accumulating a loss of $35 to $41 million in the first quarter of 2019.

Claroty’s Preminger said that for manufacturing companies, “security in-depth is the best approach.”

“You need a layer of protections - starting from the external interface, to internal,” he said. “Antivirus, firewalls and segmentation are important to practice and have, but companies also need internal protection mechanisms for OT networks. This includes different ways to protect systems - you can’t just have one solution.”

<![CDATA[Decipher Podcast: Lindsey O'Donnell-Welch]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-lindsey-odonnell-welch https://duo.com/decipher/decipher-podcast-lindsey-odonnell-welch Tue, 30 Mar 2021 00:00:00 -0400

<![CDATA[Malicious Code Added to PHP Source]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/malicious-code-added-to-php-source https://duo.com/decipher/malicious-code-added-to-php-source Mon, 29 Mar 2021 00:00:00 -0400

An unknown attacker on Sunday gained access to the main Git server for PHP and pushed two malicious commits to the source code, one of which planted a backdoor. One of the contributors to PHP said the commits were made under his name and that of another contributor, but that the attack was likely not a simple credential theft.

As a result of the incident, the PHP project will no longer maintain its own Git server on its infrastructure and will instead make the GitHub repositories canonical.

“We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Nikita Popov, one of the main contributors to PHP, said in a message to the PHP mailing list.

“While investigation is still underway, we have decided that maintaining our own git infrastructure is an unnecessary security risk, and that we will discontinue the git.php.net server. Instead, the repositories on GitHub, which were previously only mirrors, will become canonical. This means that changes should be pushed directly to GitHub rather than to git.php.net.”

PHP is one of the more popular scripting languages in use on the web, running on nearly 80 percent of web servers.

The backdoor in the PHP source code was a small change that would let an attacker supply code in the HTTP User-Agent header, which PHP would then execute. The PHP maintainers noticed the changes relatively quickly after they were made and reverted them. It's not clear how many servers downloaded the malicious version.
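The page gives no exploit details beyond the fact that the backdoor executed whatever an attacker placed in the User-Agent header, and none are reconstructed here. What a server operator wants instead is a quick hunt for attempts to use such a backdoor. The Python below is an added example, not PHP project code: it parses combined-format web server access logs and flags requests whose User-Agent value carries PHP source fragments, percent-decoding the value first so that encoded payloads are not missed. The token list and the sample log lines are constructed for the example; the real trigger string used by the malicious commits is not on this page and is not encoded here.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access log format.  The user-agent field may contain
# backslash-escaped quotes, which the last group allows for.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# PHP source fragments that have no business in a User-Agent string.  This is a
# generic list for the example; the real trigger used by the malicious commits
# is not reproduced here.
SUSPICIOUS = [
    re.compile(r"<\?php", re.IGNORECASE),
    re.compile(r"\b(?:eval|system|exec|shell_exec|passthru|assert)\s*\(", re.IGNORECASE),
    re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE),
    re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"),
]

def suspicious_agent(agent):
    """Return the first PHP-like fragment in a User-Agent value, or None.
    The value is percent-decoded first so that %3C%3Fphp is seen as <?php."""
    decoded = unquote(agent)
    for pattern in SUSPICIOUS:
        match = pattern.search(decoded)
        if match:
            return match.group(0)
    return None

def scan_log(lines):
    """Return (client, request, fragment) for every parseable line whose
    User-Agent carries one of the fragments above.  Unparseable lines are skipped."""
    hits = []
    for line in lines:
        match = LINE_RE.match(line)
        if match is None:
            continue
        fragment = suspicious_agent(match.group("agent"))
        if fragment is not None:
            hits.append((match.group("client"), match.group("request"), fragment))
    return hits

# Constructed sample lines (documentation IP ranges, invented timestamps).
SAMPLE_LINES = [
    '203.0.113.7 - - [29/Mar/2021:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0"',
    '203.0.113.8 - - [29/Mar/2021:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "<?php system(\'id\'); ?>"',
    '198.51.100.3 - - [29/Mar/2021:10:15:03 +0000] "GET / HTTP/1.1" 200 77 '
    '"-" "curl/7.68.0 %3C%3Fphp%20eval(base64_decode(%27aGVsbG8=%27));"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for client, request, fragment in scan_log(SAMPLE_LINES):
        print(f"{client} {request!r} -> {fragment!r}")
```

Run it over a real access log with `scan_log(open(path, errors="replace"))`. A hit only says that someone tried; whether the attempt landed depends on whether the server was running the backdoored source at the time.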

“We're reviewing the repositories for any corruption beyond the two referenced commits,” Popov said.

The malicious code that creates the backdoor contains a line claiming that the bug had been sold to Zerodium, a company that buys bugs and exploits, in 2017. Chaouki Bekrar, Zerodium’s founder, said on Twitter that this was not true.

“Cheers to the troll who put "Zerodium" in today's PHP git compromised commits. Obviously, we have nothing to do with this. Likely, the researcher(s) who found this bug/exploit tried to sell it to many entities but none wanted to buy this crap, so they burned it for fun,” Bekrar said.

In addition to moving the PHP repositories to GitHub, the maintainers may also begin requiring that commits be signed, something that is not mandatory at the moment.

“I think for php-src commits we can require it. For doc and other repos we can make it optional for now until people are more comfortable with it,” Rasmus Lerdorf, co-author of PHP, said in a message to the project’s mailing list Monday.
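Lerdorf's suggestion above, signatures required on php-src and optional elsewhere, is a policy that something has to enforce. The Python below is an added example, not PHP project tooling: it reads the signature verdict that git prints for each commit and lists every commit that breaks the policy, treating an allowlist of key fingerprints as the source of trust rather than the local GPG trust database. The fingerprints, commit hashes, authors and subjects in the sample are constructed placeholders; the `git log` format string it expects is real.

```python
# Consumes the output of:
#   git log --format='%H%x1f%G?%x1f%GF%x1f%an%x1f%s' <range>
# Fields are separated by the ASCII unit separator (0x1f).  %G? is git's own
# verdict on each commit's signature: G good, U good but the key's validity is
# unknown to gpg, B bad, X expired signature, Y expired key, R revoked key,
# E the signature could not be checked, N no signature at all.
FIELD_SEP = "\x1f"

VERDICT_REASON = {
    "B": "bad signature",
    "X": "expired signature",
    "Y": "signature made by an expired key",
    "R": "signature made by a revoked key",
    "E": "signature could not be checked (key missing?)",
}

# Constructed placeholder fingerprints standing in for the maintainers' keys.
TRUSTED_FINGERPRINTS = {
    "AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444",
    "5555FFFF6666000077771111888822229999AAAA",
}

# Constructed git log output for five commits; not from any real repository.
SAMPLE_LOG = "\n".join(FIELD_SEP.join(rec) for rec in [
    ("1" * 40, "G", "AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444", "maintainer-one", "Fix a leak"),
    ("2" * 40, "N", "", "someone", "Tidy docs"),
    ("3" * 40, "G", "0123456789ABCDEF0123456789ABCDEF01234567", "newcomer", "Add helper"),
    ("4" * 40, "B", "AAAA0000BBBB1111CCCC2222DDDD3333EEEE4444", "maintainer-one", "Refactor"),
    ("5" * 40, "U", "5555ffff6666000077771111888822229999aaaa", "maintainer-two", "Bump version"),
])

def parse_log(text):
    """Split the git output into one dict per commit."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(FIELD_SEP)
        if len(parts) != 5:
            raise ValueError(f"malformed record: {line!r}")
        commit, verdict, fingerprint, author, subject = parts
        records.append({"commit": commit, "verdict": verdict,
                        "fingerprint": fingerprint.upper(), "author": author,
                        "subject": subject})
    return records

def check_commit(record, trusted, require_signature=True):
    """Return None when the commit satisfies the policy, else the reason it fails.
    G and U verdicts are accepted only from an allowlisted fingerprint, so the
    allowlist, not gpg's local trust database, decides who may commit."""
    verdict = record["verdict"]
    if verdict == "N":
        return "unsigned" if require_signature else None
    if verdict in ("G", "U"):
        if record["fingerprint"] in trusted:
            return None
        return "valid signature from a key not on the allowlist"
    return VERDICT_REASON.get(verdict, f"unknown verdict {verdict!r}")

def audit_commits(text, trusted, require_signature=True):
    """List (commit, reason) for every commit in the log that fails the policy."""
    violations = []
    for record in parse_log(text):
        reason = check_commit(record, trusted, require_signature)
        if reason is not None:
            violations.append((record["commit"], reason))
    return violations

if __name__ == "__main__":
    for commit, reason in audit_commits(SAMPLE_LOG, TRUSTED_FINGERPRINTS):
        print(f"{commit[:12]}  {reason}")
```

Pass `require_signature=False` for the doc repositories Lerdorf mentions; bad, expired and revoked signatures are still reported there, only the absence of a signature is tolerated. The check has to run somewhere the attacker does not control, such as a pre-receive hook or a CI job on the hosting side, since a compromised server can rewrite history as freely as it can push commits.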

<![CDATA[In Wake of SolarWinds Breach, the Challenge of Building Secure Software Remains]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/in-wake-of-solarwinds-breach-the-challenge-of-building-secure-software-remains https://duo.com/decipher/in-wake-of-solarwinds-breach-the-challenge-of-building-secure-software-remains Fri, 26 Mar 2021 00:00:00 -0400

More than three months after the SolarWinds breach became public knowledge, the company is still working to determine what the initial access vector for the intrusion was, with three possible scenarios still under consideration.

When the investigation into the breach was in its early stages, SolarWinds specialists and outside forensics experts had more than a dozen theories on how the adversary first got into the company’s network last year. After several months of digging into the details of the intrusion, its aftereffects, and the adversary’s tactics and movements, the company has narrowed it down to three possibilities: credential theft, spear phishing, or a vulnerability in a third-party application.

“We had as many as sixteen hypotheses. We have not been able to narrow it down to the last one,” SolarWinds CEO Sudhakar Ramakrishna said during a discussion Thursday on the breach, software security, and other topics.

“As for who did it, I think there’s enough commentary out there on that.”

Security researchers and federal government officials have attributed the SolarWinds breach and the subsequent intrusions at Microsoft, FireEye and other companies to a Russian actor. That much hasn’t been up for debate for some time. But the details of how the attackers first got into the SolarWinds network are still unknown. What is known, though, is what the attackers did after they got in, which is to move laterally, eventually gaining access to a build server for the company’s Orion software and inserting a small backdoor into the code. The compromised version of Orion made its way onto the systems of thousands of SolarWinds customers, though a much smaller subset of them are actually known to have been targeted by the attackers.

The operation was multifaceted and long-running and likely required months of planning and development. The sophistication of the operation is clear, but Ramakrishna said that level of expertise does not necessarily mean it was the work of a massive group of a thousand or more engineers and developers, as Microsoft officials have suggested.

“I don’t believe the sophistication is related to the number of people involved. You can have highly organized and sophisticated attacks with two orders of magnitude less than what’s been reported,” he said.

“Information and knowledge asymmetry has been more or less eliminated. You can write sophisticated software anywhere. This is a perfect example of that.”

As part of the response to the intrusion, SolarWinds has not only been looking at its internal security practices, but also at the way that it builds applications. Ramakrishna, who has a software development background, said the company is experimenting with a new process that uses multiple instances of the software build infrastructure rather than just one.

“Just as attacks are getting more sophisticated, we have to become smarter about how we design and build software as well. Instead of a single build system, we are running parallel systems through parallel chains so we want to establish software integrity through two or three pipelines,” he said.

“In other words an attacker will have to be right three different times. We want to get to a place where we build in a level of non-repudiation. ”
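Ramakrishna describes the idea but not the mechanism, and SolarWinds has not published its implementation. The Python below is an added example of the principle only, not SolarWinds' system: it takes the output of several independent build pipelines, compares them file by file, and refuses to produce a release manifest unless every pipeline agrees on every file, so that an implant inserted on one build server shows up as a divergence instead of shipping. The pipeline names, file names and file contents are constructed placeholders.

```python
import hashlib

def digest_tree(files):
    """Map every artifact path to the SHA-256 of its bytes.
    `files` is one pipeline's output: {relative path: bytes}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare_pipelines(outputs):
    """Compare the outputs of independent build pipelines file by file.
    `outputs` is {pipeline name: {path: bytes}}.  Returns (agree, findings) where
    findings maps each disputed path to {pipeline: digest-or-None}; None marks a
    file that one pipeline produced and another did not."""
    digests = {name: digest_tree(files) for name, files in outputs.items()}
    all_paths = set()
    for tree in digests.values():
        all_paths.update(tree)
    findings = {}
    for path in sorted(all_paths):
        seen = {name: tree.get(path) for name, tree in digests.items()}
        if len(set(seen.values())) > 1:
            findings[path] = seen
    return (not findings), findings

def outliers(finding):
    """Given one disputed path's {pipeline: digest}, name the pipelines whose digest
    is in the minority; with three or more pipelines this points at the odd one out."""
    counts = {}
    for digest in finding.values():
        counts[digest] = counts.get(digest, 0) + 1
    majority = max(counts.values())
    return sorted(name for name, digest in finding.items() if counts[digest] < majority)

def release_manifest(outputs):
    """The manifest to sign and ship, produced only when every pipeline agrees on
    every file.  A single diverging pipeline blocks the release rather than being
    out-voted: the point is that an attacker has to subvert all of them."""
    agree, findings = compare_pipelines(outputs)
    if not agree:
        raise RuntimeError(f"pipelines disagree on: {', '.join(findings)}")
    first = next(iter(outputs.values()))
    return digest_tree(first)

# Constructed sample: three independent builds of the same source tree.  Pipeline C's
# copy of one library carries extra bytes, standing in for an implant inserted on a
# single compromised build server.  Contents are placeholders, not real binaries.
CLEAN_BUILD = {
    "bin/service.exe": b"MZ\x90\x00service-build-deterministic",
    "lib/helper.dll": b"MZ\x90\x00helper-build-deterministic",
    "manifest.txt": b"service 1.0.0\nhelper 1.0.0\n",
}
SAMPLE_OUTPUTS = {
    "pipeline-A": dict(CLEAN_BUILD),
    "pipeline-B": dict(CLEAN_BUILD),
    "pipeline-C": {**CLEAN_BUILD,
                   "lib/helper.dll": CLEAN_BUILD["lib/helper.dll"] + b"\x00implant"},
}

if __name__ == "__main__":
    agree, findings = compare_pipelines(SAMPLE_OUTPUTS)
    for path, seen in findings.items():
        print(f"{path}: outlier pipeline(s) {outliers(seen)}")
```

The comparison only works if the builds are reproducible: timestamps, embedded build paths or per-run signatures would make honest pipelines disagree, so those have to be normalized out (or the artifacts compared before signing) first. The pipelines also have to be genuinely independent, with separate hosts, credentials and toolchain sources; three copies of one compromised image agree with each other perfectly.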

Ramakrishna said the company has had discussions with officials from the Cybersecurity and Infrastructure Security Agency and other federal agencies about the approach and is planning to publish information on it at some point in the future.

The SolarWinds breach and the recent exploitation of four zero days in Microsoft Exchange by attackers from China have again reignited discussions in Washington and elsewhere about the possibility of retaliatory actions by U.S. offensive cyber teams. If that ever happens, it likely won’t be made public, and the issue, as always, is that offensive capabilities are not unique to any specific country. Some may be more capable than others, but the tools, tactics, and techniques are available widely and don’t generally require massive budgets. The area where investment and expertise can make an immediate and marked difference is in building more resilient and secure systems and applications.

“We should try to institute an arms race about building more secure systems. We can afford it and we can outspend our adversaries, so let’s do it,” said Gary McGraw, a software security expert and author of several seminal books on the topic.

<![CDATA[Deciphering Dark Web: Cicada 3301]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/deciphering-dark-web-cicada-3301 https://duo.com/decipher/deciphering-dark-web-cicada-3301 Thu, 25 Mar 2021 00:00:00 -0400

<![CDATA[OpenSSL Fixes Flaw in Certificate Checks]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/openssl-fixes-flaw-in-certificate-checks https://duo.com/decipher/openssl-fixes-flaw-in-certificate-checks Thu, 25 Mar 2021 00:00:00 -0400

The maintainers of OpenSSL have released a fix for a high-severity vulnerability that stems from the way the software checks the validity of the certificates in a given certificate chain. In certain configurations, an attacker could bypass the check that non-CA certificates must not issue other certificates, and so get a chain accepted that ends in a certificate not issued by a valid CA.

The vulnerability (CVE-2021-3450) affects OpenSSL 1.1.1h through 1.1.1j and is fixed in version 1.1.1k, which was released Thursday. The bug is a result of a check introduced in 1.1.1h that is designed to ensure that certificates with explicitly encoded elliptic curve parameters are not included in the certificate chain.

“An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates,” the advisory says.

“If a ‘purpose’ has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named ‘purpose’ values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application.”

The vulnerability is not exploitable in all situations: an application has to have set the X509_V_FLAG_X509_STRICT verification flag, which is not on by default, for the flaw to be reachable.

“In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose,” the advisory says.
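The advisory's affected conditions are easy to state and easy to get wrong in an inventory. The Python below is an added example, not OpenSSL project code: it encodes the version range and the two configuration conditions from the advisory, and applies them to a Python `ssl.SSLContext` using the standard library's real `ssl.VERIFY_X509_STRICT` flag and `ssl.OPENSSL_VERSION_INFO` tuple. It assumes (not stated on the page) that Python's ssl module leaves libssl's default purpose in place, so for a Python client only the library version and the strict flag matter; an application calling libcrypto directly has to check its own X509_VERIFY_PARAM settings.

```python
import re
import ssl

# Range from the advisory: the faulty strict check appeared in 1.1.1h and is
# corrected in 1.1.1k, so 1.1.1h, 1.1.1i and 1.1.1j are the affected releases.
FIRST_AFFECTED = (1, 1, 1, 8)    # 1.1.1h
FIXED = (1, 1, 1, 11)            # 1.1.1k

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)")

def parse_version(text):
    """Turn an OpenSSL 1.x version string such as '1.1.1h' into a comparable tuple.
    The patch letter maps to a number as OpenSSL 1.x itself does (a=1, b=2, ...)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix = (int(x) for x in match.groups()[:3])
    letter = match.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)

def version_affected(version):
    """True for 1.1.1h <= version < 1.1.1k."""
    return FIRST_AFFECTED <= tuple(version) < FIXED

def configuration_affected(version, strict_flag_set, purpose_set):
    """All three of the advisory's conditions must hold for the CA-check bypass:
    an affected library, X509_V_FLAG_X509_STRICT set by the application, and
    no purpose in effect (never set, or the libssl default overridden)."""
    return version_affected(version) and strict_flag_set and not purpose_set

def running_version():
    """The OpenSSL release Python's ssl module is linked against, as a tuple
    comparable with parse_version()'s output."""
    major, minor, fix, patch, _status = ssl.OPENSSL_VERSION_INFO
    return (major, minor, fix, patch)

def context_sets_strict(ctx):
    """Whether an ssl.SSLContext asks libssl for X509_V_FLAG_X509_STRICT."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)

def strict_client_context():
    """A client context with the strict flag on, the configuration the advisory warns about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx

def plain_client_context():
    """A client context with the strict flag explicitly cleared."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ctx.verify_flags & ssl.VERIFY_X509_STRICT:
        ctx.verify_flags ^= ssl.VERIFY_X509_STRICT
    return ctx

def assess_context(ctx, purpose_set=True):
    """Apply the advisory's conditions to a live context.  purpose_set defaults to
    True on the assumption (stated in the lead-in) that Python's ssl module keeps
    libssl's default purpose; pass False for code known to override it."""
    return configuration_affected(running_version(), context_sets_strict(ctx), purpose_set)

if __name__ == "__main__":
    print("linked OpenSSL:", ssl.OPENSSL_VERSION, running_version())
    print("strict context affected:", assess_context(strict_client_context(), purpose_set=False))
```

The version check is the part worth reusing in an inventory script: feed it the `openssl version` output from each host. Note that it applies only to the 1.1.1 line; 1.0.2 never had the check that went wrong, and 3.0 was not yet released when the advisory came out.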

Also fixed in the new OpenSSL release is a potential denial-of-service vulnerability that can occur when a client sends a malicious renegotiation message to a server.

“If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack,” the advisory says.

“A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration).”