Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Defenders Gift Bad Guys Yet Another Tool
Beware the Law of Unintended Consequences, goes the old saying. In the early days of pen-testing, we used to develop our own exploits or collect them from 'underground' sites. Then came Metasploit, and suddenly the skill level required to perform the more routine testing dropped significantly. Newer tools like Cobalt Strike and Brute Ratel made post-exploitation red team activities easier, too. But the unintended consequence is that over the last few years, threat actors have got their hands on these tools, and they are making life easier for the attackers, too.
Now, a new report from Proofpoint Threat Research points out the risk of this happening again. In late 2021, UK-based consulting firm MDSec released Nighthawk, which they bill as "the most advanced and evasive command-and-control framework available on the market". According to Proofpoint's report, based on their observation of an initial deployment of the framework in September 2022, Nighthawk uses a variety of antiforensics and evasion techniques which make it particularly stealthy - for example, its loader is encrypted but even once running, embedded strings are encoded with a simple algorithm and decrypted on the fly, so that they exist in memory for only a very short period of time, making detection more difficult.
Similarly, the main Nighthawk payload uses a simple substitution cipher on its strings, but uses a much longer list of evasion techniques, some of them disclosed by MDSec, but others not. For example, the tool unhooks the DLL load notification registration of security products and other process instrumentation callbacks, and also self-encrypts in order to evade process memory scans.
Although it is - as with many of these tools - subject to client vetting and export controls, there is no way that threat actors will not take a close interest in this and similar post-exploitation frameworks, making it likely that, sooner or later, we will see cracked versions fall into their hands. Proofpoint's analysis is a hint to detection vendors to start working on this threat now - as we reported yesterday, Google has started doing this with Cobalt Strike.
Rausch, Alexander, et al., Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice, blog post, 22 November 2022. Available online at https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice.
Russian Gangs Have Been Busy, Moving from Scams to Infostealing
Yesterday we reported on the evolution of the Aurora infostealer and now, a new report from Singapore-based Group-IB provides a high-level view of the groups that use this and other stealers.
Group-IB has tracked how low-level online scammers have shifted to a more dangerous - and, presumably, profitable - scheme of distributing infostealers. Their operations are coordinated via Telegram groups, where they are directed to drive traffic to sites which impersonate well-known companies and brands, and induce their victims to download malware.
The figures are impressive: 34 Russian-speaking groups are distributing a variety of stealers - primarily Raccoon and RedLine - under the stealer-as-a-service model, in order to obtain credentials for a range of services, mainly gaming accounts on Steam and Roblox, as well as Amazon and PayPal accounts and even crypto wallet information. In the first seven months of 2022, their roughly 200 members infected over 890,000 devices and stole over 50 million passwords, mainly in the US, Brazil, India, Germany and Indonesia.
They also managed to acquire over two billion cookies, 113,204 crypto wallets and over 100,000 payment cards, representing a total value approaching $US6 million if sold on the cybercriminal underground.
Uncredited, Professional stealers: opportunistic scammers targeting users of Steam, Roblox, and Amazon in 111 countries, press release, 23 November 2022. Available online at https://www.group-ib.com/media-center/press-releases/professional-stealers/.
Pro-Kremlin Group Brings Down EU Parliament Site
The English-language web site of the European Parliament (at https://www.europarl.europa.eu/portal/en) was disrupted earlier today by a distributed denial of service attack.
"The availability of @Europarl_EN website is currently impacted from outside due to high levels of external network traffic. This traffic is related to a DDOS attack (Distributed Denial of Service) event.", tweeted Jaume Duch, Director General for Communication and Spokesperson of the European Parliament.
According to Roberta Metsola, President of the European Parliament, a pro-Kremlin group had claimed responsibility, likely as a response to the Parliament having proclaimed Russia as a state sponsor of terrorism.
The site is now operating normally.
Duch, Jaume, "The availability of @Europarl_EN website ...", Tweet, 24 November 2022. Available online at https://twitter.com/jduch/status/1595433790809284614.
Metsola, Roberta, "The @Europarl_EN is under a sophisticated cyberattack.", Tweet, 24 November 2022. Available online at https://twitter.com/EP_President/status/1595443471518777345.
Monero Mining Apparently Still Profitable
While sales of GPU chips have apparently tanked due to Ethereum's switch to proof-of-stake and the general collapse of cryptocurrency markets, it seems that there is still money to be made in mining the Monero cryptocurrency - especially if you are mining at no cost to yourself, using lots of other people's machines.
Cyble Research and Intelligence Labs reports on a number of phishing campaigns which are targeting gamers and others who use tools like MSI Afterburner to overclock and tweak their GPUs. The phishing emails direct the victims to approximately 50 different fake Afterburner download sites from which they obtain a malicious installer. This drops and executes a file named browser_assistant.exe, which injects itself and downloads an encoded XMR Miner binary from a GitHub repository, then injects it into explorer.exe.
Finally, the malware starts mining, using all the GPU resources of the victim's machine and degrading its performance, while depositing the coins it mines into the threat actor's wallet address - a nice little earner, as they say. Cyble's report provides a full breakdown, mapping to MITRE ATT&CK techniques and IOCs.
Uncredited, Fake MSI Afterburner Sites Delivering Coin-Miner, blog post, 23 November 2022. Available online at https://blog.cyble.com/2022/11/23/fake-msi-afterburner-sites-delivering-coin-miner/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.