Blog entry by Les Bell

by Les Bell - Thursday, February 16, 2023, 2:29 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Russian Businessman Convicted in $US90 Million Hacking and Wire Fraud Case

The US DoJ has secured the conviction of a Russian businessman for his part in a sophisticated fraud which involved hacking to gain confidential information about the financial performance of publicly-listed US companies, and then using that information to perform stock market trades which netted him and his co-conspirators $US90 million.

Vladislav Klyushin was charged along with Ivan Ermakov and Nikolai Rumiantcev. Klyushin was owner of M-13, a Moscow-based company which offered penetration testing and "Advanced Persistent Threat (APT) emulation" services and counted as clients "the Administration of the President of the Russian Federation, the Government of the Russian Federation, federal ministries and departments, regional state executive bodies, commercial companies and public organizations", according to the company web site.

Between January 2018 and September 2020, the three, along with Mikhail Vladomirovich Irzak and Igor Sergeevich Sladkov, repeatedly hacked into the networks of two US-based filing agencies in order to obtain unreleased earnings information such as quarterly and annual filings. Knowing whether a company would meet, exceed or fall short of market expectations for its performance, the conspirators could predict whether its share price would rise or fall following the public earnings announcement, and used this to trade via accounts they opened in Cyprus, Portugal, Russia, the US and elsewhere. Klyushin also invested the money of several investors in this scheme, taking 60% of the profits.

While his co-conspirators remain at large, Klyushin was arrested in Sion, Switzerland in March 2021 and extradited to the US in December of that year. Having been convicted of charges of conspiring to obtain unauthorized access to computers, to commit wire fraud and to commit securities fraud - charges which attract significant jail time and fines - Klyushin will be sentenced on 4 May 2023.

US Attorney's Office for the District of Massachusetts, Russian Businessman Found Guilty in $90 Million Hack-to-Trade Conspiracy, press release, 14 December 2023. Available online at https://www.justice.gov/usao-ma/pr/russian-businessman-found-guilty-90-million-hack-trade-conspiracy.

New Dropper Beeps to Avoid Sandbox Detection

Malware samples recently analyzed by Minerva researchers exhibit several interesting techniques, particularly for evading forensic analysis. The samples, which were uploaded to VirusTotal as DLL, GIF or JPG files, were flagged as 'spreader' or 'detect-debug-environment', and appear to be droppers, but are most interesting for their extensive use of evasion techniques.

The malware dropper component creates some registry keys, one of which contains a PowerShell script that uses curl.exe to fetch a DLL and then executes it using regsvr32.exe. This, in turn, injects its malicious payload into a legitimate WWAHost.exe process, using process hollowing. That payload then contacts a C2 server, uploading information about the victim machine and waiting for further commands. Unfortunately, the C2 server was down, which stalled Minerva's analysis, although they did identify a number of commands, many of them as yet unimplemented.

The various stages implement increasing levels of anti-forensic evasion techniques, some of them repeated across the stages, including:

  • dynamic string deobfuscation
  • checking the system default language (to avoid infecting 'friendly' nations)
  • checking for the presence of a debugger
  • using the RDTSC instruction to ensure a minimum number of CPU ticks have occurred since the processor was last reset
  • manipulating the stack segment register to see if the code is being single-stepped under a debugger
  • using the CPUID instruction to check for a VMware hypervisor
  • checking the registry for a VBOX key
  • and - this is the technique that gets the malware its new name - calling the Beep API to delay execution

Generally, malware uses the Sleep API to delay execution, avoiding detection by sandboxes. However, the Beep API - a holdover from the days of the original IBM PC and PC DOS - generates a simple beep tone on the system speaker and does not return until the sound finishes, achieving the same result in a less obvious way. Hence the moniker, Beep malware.
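The defensive lesson here is that a sandbox which budgets only for Sleep will miss a Beep-based stall. The following is an added example (not code from Minerva's report or from the malware) of a sandbox-side heuristic that scores Beep's duration argument exactly like Sleep's, and counts the debugger, language and VBOX registry checks described above; the trace line format, the API argument names as written and the sample trace are all constructed for the example.

```python
import re

LINE_RE = re.compile(r"^\s*(\d+)\s+(\w+)\((.*)\)\s*$")   # "<ms> <Api>(<args>)"
NUM_ARG_RE = re.compile(r"(\w+)=(\d+)")                  # named numeric arguments

# APIs whose named argument is a blocking wait in milliseconds. Beep's dwDuration
# blocks the caller until the tone finishes, so it is scored exactly like Sleep.
DELAY_APIS = {"Sleep": "dwMilliseconds", "SleepEx": "dwMilliseconds", "Beep": "dwDuration"}
# Environment checks the report describes, matched as substrings of "<Api> <args>".
CHECK_NEEDLES = {
    "debugger": ("IsDebuggerPresent",),
    "language": ("GetSystemDefaultLangID", "GetUserDefaultUILanguage"),
    "vm_registry": ("VBOX",),
}

def parse_trace(text: str) -> list:
    """Return (t_ms, api, raw_args, numeric_args) tuples, skipping malformed lines."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            nums = {k: int(v) for k, v in NUM_ARG_RE.findall(m.group(3))}
            calls.append((int(m.group(1)), m.group(2), m.group(3), nums))
    return calls

def total_delay_ms(calls: list) -> int:
    """Cumulative requested wait across Sleep-like APIs, Beep included."""
    return sum(nums.get(DELAY_APIS[api], 0) for _, api, _, nums in calls if api in DELAY_APIS)

def assess(text: str, delay_budget_ms: int = 30_000) -> dict:
    """Flag a trace that stalls past the sandbox budget or stacks environment checks."""
    calls = parse_trace(text)
    result = {name: 0 for name in CHECK_NEEDLES}
    for _, api, raw, _ in calls:
        hay = f"{api} {raw}"
        for name, needles in CHECK_NEEDLES.items():
            result[name] += any(n in hay for n in needles)
    result["beep_calls"] = sum(1 for _, api, _, _ in calls if api == "Beep")
    result["delay_ms"] = total_delay_ms(calls)
    checks_hit = sum(1 for name in CHECK_NEEDLES if result[name])
    result["suspicious"] = result["delay_ms"] >= delay_budget_ms or checks_hit >= 2
    return result

# Constructed sample trace (not from the report); the VBOX subkey is a placeholder.
SAMPLE_TRACE = """\
12 GetSystemDefaultLangID()
15 IsDebuggerPresent()
20 RegOpenKeyExW(hKey=HKLM, lpSubKey=SOFTWARE\\VBOX_PLACEHOLDER)
31 Beep(dwFreq=800, dwDuration=30000)
30035 Beep(dwFreq=800, dwDuration=30000)
"""
```

Running assess(SAMPLE_TRACE) reports 60 seconds of requested delay from two Beep calls plus three distinct environment checks, so the trace is flagged even though Sleep is never called.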

Zargarov, Natalie, Beepin’ Out of the Sandbox: Analyzing a New, Extremely Evasive Malware, blog post, 13 February 2023. Available online at https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/.

Pepsi Bottler Hacked, Employee Personal Information Stolen

For almost a month over the Christmas period, hackers had penetrated the systems of Pepsi Bottling Ventures, the largest privately-owned bottler of PepsiCo soft drinks in the US, and were able to exfiltrate personally identifiable information from the network. The breach was discovered on 10 January 2023, but another nine days went by before the company's systems were fully secured.

The information stolen is almost a hacker's wishlist for committing identity fraud:

  • Full name and home address
  • Financial account information, including passwords, PINs and access numbers
  • State and Federal government-issued ID numbers and driver's licence numbers
  • ID card data
  • Social security numbers
  • Passport information
  • Digital signatures
  • Employee benefit information, including health insurance claims and medical history

The information stolen seems to relate to company employees; it is not clear whether any customers or business partners are affected.

Cluley, Graham, Gulp! Pepsi hack sees personal information stolen by data-stealing malware, blog post, 15 February 2023. Available online at https://www.bitdefender.com/blog/hotforsecurity/gulp-pepsi-hack-sees-personal-information-stolen-by-data-stealing-malware/.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
