<?xml version="1.0"?>
<rss version="2.0"><channel><title><![CDATA[News: Security & Privacy News]]></title><link>https://nsaneforums.com/news/security-privacy-news/page/144/?d=2</link><description><![CDATA[News: Security & Privacy News]]></description><language>en</language><item><title>Hacker who commanded a 100,000+ strong bot army taken down by Ukrainian cops</title><link>https://nsaneforums.com/news/security-privacy-news/hacker-who-commanded-a-100000-strong-bot-army-taken-down-by-ukrainian-cops-r2805/</link><description><![CDATA[<p>
	The Security Service of Ukraine (SBU) has arrested a hacker who had developed and operated a botnet of more than 100,000 bots. The offender is a Ukrainian resident living in the Prykarpattia region of Ivano-Frankivsk, Ukraine.
</p>

<p>
	The huge bot army was used to launch distributed denial of service (DDoS) attacks and to send spam. He had also been brute-forcing logins to steal user credentials such as passwords, and the bot army was used to probe various sites for weaknesses, possibly in preparation for future cyberattacks. He received orders for such attacks through online forums and Telegram.
</p>

<p>
	The SBU was able to trace him through the account he had registered on the Russian digital payment service WebMoney. The hacker had provided his real address there, which helped the Ukrainian authorities track him down.
</p>

<p style="text-align:center;">
	<img alt="1633963753_ddos_operator_pc_(source-_sbu" class="ipsImage" data-ratio="75.10" height="479" width="720" src="https://cdn.neow.in/news/images/uploaded/2021/10/1633963753_ddos_operator_pc_(source-_sbu_ukraine).jpg" />
</p>


<p>
	As per the Criminal Code of Ukraine, the offender would be charged under "Part 2 of Art. 361-1 (creation for the purpose of use, distribution, or sale of malicious software or hardware, as well as their distribution or sale), and Art. 363-1 (interference with the work of electronic computers (computers), automated systems, computer networks, or telecommunication networks by mass dissemination of telecommunication messages)".
</p>


<p>
	<strong><a href="https://www.neowin.net/news/hacker-who-commanded-a-100000-strong-bot-army-taken-down-by-ukrainian-cops/" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2805</guid><pubDate>Mon, 11 Oct 2021 17:29:05 +0000</pubDate></item><item><title>LibreOffice, OpenOffice bug allows hackers to spoof signed docs</title><link>https://nsaneforums.com/news/security-privacy-news/libreoffice-openoffice-bug-allows-hackers-to-spoof-signed-docs-r2804/</link><description><![CDATA[<p>
	LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source.
</p>

<p>
	Although the severity of the flaw is classified as moderate, the implications could be dire. The digital signatures used in document macros are meant to help the user verify that the document hasn’t been altered and can be trusted.
</p>

<p>
	Allowing anyone to sign macro-ridden documents themselves, and make them appear as trustworthy, is an excellent way to trick users into running malicious code.
</p>

<p>
	The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum.
</p>

<p>
	The same flaw affects LibreOffice, a fork of OpenOffice spawned from the main project over a decade ago, where it is tracked as CVE-2021-25635.
</p>

<p>
	<span style="font-size:16px;"><strong>Addressing the risk</strong></span>
</p>

<p>
	If you’re using either of the open-source office suites, you’re advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later.
</p>

<p>
	Since neither of these two applications offers auto-updating, you should update manually by downloading the latest version from the respective download centers - LibreOffice, OpenOffice.
</p>

<p>
	If you’re using Linux and the aforementioned versions aren’t available on your distribution's package manager yet, you are advised to download the “deb” or “rpm” package from the Download center or build LibreOffice from source.
</p>

<p>
	If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features on your office suite, or avoid trusting any documents containing macros.
</p>

<p>
	To set macro security on LibreOffice, go to Tools → Options → LibreOffice → Security, and click on ‘Macro Security’.
</p>

<p style="text-align:center;">
	<img alt="macro%20settings.jpg" class="ipsImage" data-ratio="75.10" height="327" width="720" src="https://www.bleepstatic.com/images/news/u/1220909/Code%20and%20Details/macro%20settings.jpg" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>LibreOffice settings menu to disable macros</em></span>
</p>


<p>
	In the new dialog, you may select among four distinct levels of security, with High or Very High being the recommended options.
</p>

<p>
	If you’re still running an old and vulnerable version, you shouldn’t rely on the “trusted list” functionality, as an invalid signature algorithm could still make a laced document appear as if it comes from a trusted source.
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://www.bleepingcomputer.com/news/security/libreoffice-openoffice-bug-allows-hackers-to-spoof-signed-docs/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2804</guid><pubDate>Mon, 11 Oct 2021 17:10:03 +0000</pubDate></item><item><title>Microsoft Defender for Identity to detect Windows Bronze Bit attacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-defender-for-identity-to-detect-windows-bronze-bit-attacks-r2803/</link><description><![CDATA[<p>
	Microsoft is working on adding support for Bronze Bit attacks detection to Microsoft Defender for Identity to make it easier for Security Operations teams to detect attempts to abuse a Windows Kerberos security bypass bug tracked as CVE-2020-17049.
</p>


<p>
	Microsoft Defender for Identity (previously Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution that leverages on-premises Active Directory signals.
</p>


<p>
	It enables SecOps teams to detect and investigate advanced threats, compromised identities, and malicious insider activity targeting enrolled organizations.
</p>

<p>
	<span style="font-size:18px;"><strong>Landing in two months</strong></span>
</p>


<p>
	"An alert will be triggered when there is evidence of suspicious Kerberos delegation attempts using the BronzeBit method, where a user has attempted to use a ticket to delegate access to a particular resource," Microsoft explains on the Microsoft 365 roadmap.
</p>


<p>
	The flaw (patched by Microsoft during November 2020's Patch Tuesday) can be exploited in what Jake Karnes, the security consultant who discovered it, has named Kerberos Bronze Bit attacks.
</p>

<p>
	Microsoft addressed the Bronze Bit vulnerability in a two-phase staged rollout, with the initial deployment phase on December 8 and an automatic enforcement phase on February 9.
</p>


<p>
	One month after Microsoft issued the CVE-2020-17049 patches, Karnes published proof-of-concept (PoC) exploit code and full details on how it could be used.
</p>

<p>
	The exploit can bypass Kerberos delegation protection, allowing attackers to escalate privileges, impersonate targeted users, and move laterally within compromised environments.
</p>


<p>
	He has shared a low-level overview with additional info on the Kerberos protocol, including practical exploit scenarios and details on implementing and using Kerberos Bronze Bit attacks against vulnerable servers.
</p>


<p>
	The release of all these additional details and the PoC exploit would probably make it a lot easier to breach Windows servers unpatched against CVE-2020-17049, and likely prompted Redmond to add Bronze Bit detection support to Microsoft Defender for Identity.
</p>

<p>
	<span style="font-size:18px;"><strong>PrintNightmare and Zerologon attack detection also available</strong></span>
</p>


<p>
	In July, Microsoft also added support for PrintNightmare exploitation detection to Microsoft Defender for Identity after including Zerologon exploitation detection in November 2020.
</p>


<p>
	Both are critical security vulnerabilities, with PrintNightmare (CVE-2021-34527) allowing attackers to take over affected servers by elevating privileges to Domain Administrator while Zerologon (CVE-2020-1472) can be exploited to elevate privileges to spoof a domain controller account that leads to complete control of the entire domain.
</p>


<p>
	Multiple threat actors, including ransomware gangs like Vice Society, Conti, and Magniber, already use PrintNightmare exploits to compromise unpatched Windows servers.
</p>


<p>
	Both state-backed and financially motivated threat actors have also been exploiting systems unpatched against the ZeroLogon vulnerability since the end of October and in September, with more having joined since then, including:
</p>

<ul>
	<li>
		Iranian-backed MuddyWater hacking group (aka SeedWorm and MERCURY),
	</li>
	<li>
		TA505 (aka Chimborazo), known for providing a delivery channel for Clop ransomware,
	</li>
	<li>
		Chinese APT10 hackers.
	</li>
</ul>

<p>
	Also in July, Microsoft rolled out another Defender for Identity update that enables security operations (SecOps) teams to block attack attempts by locking compromised users' Active Directory accounts.
</p>


<p>
	Defender for Identity is bundled with Microsoft 365 E5 but, if you don't have a subscription already, you can also get a Security E5 trial to give these features a spin.
</p>


<p>
	<span style="font-size:18px;"><strong><a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-for-identity-to-detect-windows-bronze-bit-attacks/" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2803</guid><pubDate>Mon, 11 Oct 2021 15:03:12 +0000</pubDate></item><item><title>Microsoft adds tamper protection to Windows 11 security baseline</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-adds-tamper-protection-to-windows-11-security-baseline-r2778/</link><description><![CDATA[<p>
	Microsoft has released the final version of its security configuration baseline settings for Windows 11, downloadable today using the Microsoft Security Compliance Toolkit.
</p>


<p>
	"Two new settings have been added for this release (which were also added to the Windows Server 2022 release), a new Microsoft Defender Antivirus setting, and a custom setting for printer driver installation restrictions," Microsoft security consultant Rick Munck said.
</p>

<h2>
	Human operated ransomware protection by default
</h2>

<p>
	When enabling the Microsoft Security Baseline for Windows 11, Redmond urges admins to ensure that Microsoft Defender for Endpoint's <a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide" rel="external nofollow" target="_blank">tamper protection</a> feature, which adds additional protection against human-operated ransomware attacks, is enabled.
</p>


<p>
	It does that by blocking attempts made by malware or threat actors to disable security solutions and OS security features that would allow them to gain easier access to sensitive data and deploy malware or malicious tools.
</p>


<p>
	Tamper protection sets up Microsoft Defender Antivirus using secure default values and hinders attempts to change them via the registry, PowerShell cmdlets, or group policies.
</p>


<p>
	Once tamper protection is toggled on, ransomware operators would have a much more challenging task ahead of them when trying to:
</p>


<ul>
	<li>
		Disable virus and threat protection
	</li>
	<li>
		Disable real-time protection
	</li>
	<li>
		Turn off behavior monitoring
	</li>
	<li>
		Disable antivirus (such as IOfficeAntivirus (IOAV))
	</li>
	<li>
		Disable cloud-delivered protection
	</li>
	<li>
		Remove security intelligence updates
	</li>
</ul>

<h2>
	PrintNightmare and Edge Legacy recommendations
</h2>

<p>
	With the new security baseline, Microsoft also added a new setting to the MS Security Guide custom administrative template to restrict printer driver installation to administrators.
</p>


<p>
	This new recommendation follows patches released since July 2021 to address the CVE-2021-34527 <a href="https://www.bleepingcomputer.com/tag/printnightmare/" target="_blank" rel="external nofollow">PrintNightmare</a> remote code execution vulnerability in the Windows Print Spooler service.
</p>


<p>
	Microsoft also removed all Microsoft Edge Legacy settings after the EdgeHTML-based web browser reached the end of support in March and was removed from Windows 11.
</p>


<p>
	"Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit," Munck <a href="https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772" rel="external nofollow" target="_blank">said</a>.
</p>

<h2>
	Download and implement the security baseline
</h2>

<p>
	<a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines" rel="external nofollow" target="_blank">Windows security baselines</a> provide admins with Microsoft-recommended security configuration baselines designed to reduce Windows systems' attack surface and boost the overall security posture of Windows enterprise endpoints.
</p>


<p>
	"A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact," as Microsoft <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines" rel="external nofollow" target="_blank">explains</a>. "These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers."
</p>


<p>
	The Windows 11 security baseline is available for download via the <a href="https://www.microsoft.com/download/details.aspx?id=55319" rel="external nofollow" target="_blank">Microsoft Security Compliance Toolkit</a>. It includes Group Policy Object (GPO) backups and reports, scripts to apply settings to the local GPO, and Policy Analyzer rules files.
</p>


<p>
	"Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate," Munck added.
</p>

<p>
	Source: Microsoft adds tamper protection to Windows 11 security baseline
</p>
]]></description><guid isPermaLink="false">2778</guid><pubDate>Sat, 09 Oct 2021 23:13:44 +0000</pubDate></item><item><title>NSA Top 25 vulnerabilities active</title><link>https://nsaneforums.com/news/security-privacy-news/nsa-top-25-vulnerabilities-active-r2772/</link><description><![CDATA[<p>
	The U.S. National Security Agency (NSA) warns that Chinese state-sponsored hackers exploit 25 different vulnerabilities in attacks against U.S. organizations and interests.
</p>


<p>
	In an <a href="https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/" rel="external nofollow" target="_blank">advisory</a> issued today, the NSA said that it is aware of targeted attacks by Chinese state-sponsored hackers against National Security Systems (NSS), the U.S. Defense Industrial Base (DIB), and the Department of Defense (DoD) information networks.
</p>


<p>
	As part of these attacks, the NSA has seen twenty-five publicly disclosed vulnerabilities exploited to gain access to networks, deploy malicious mobile apps, and spread laterally through a system while attackers steal sensitive data.
</p>


<p>
	The NSA is advising all organizations to immediately patch vulnerable devices to protect against cyberattacks that lead to data theft, banking fraud, and ransomware attacks.
</p>


<p>
	“We hear loud and clear that it can be hard to prioritize patching and mitigation efforts,” NSA Cybersecurity Director Anne Neuberger <a href="https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2387347/nsa-warns-chinese-state-sponsored-malicious-cyber-actors-exploiting-25-cves/" rel="external nofollow" target="_blank">said</a>.
</p>


<p>
	“We hope that by highlighting the vulnerabilities that China is actively using to compromise systems, cybersecurity professionals will gain actionable information to prioritize efforts and secure their systems."
</p>

<h2>
	Vulnerabilities used in different phases of attack
</h2>

<p>
	The NSA has categorized <a href="https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF" rel="external nofollow" target="_blank">the vulnerabilities</a> into different buckets to illustrate how they are being used in cyberattacks.
</p>


<p>
	Exploit secure remote access: To gain access to networks, Chinese threat actors utilize seven different vulnerabilities, many of which also provide credentials that can be used to spread further on the network.
</p>


<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/us-govt-warns-of-attacks-on-unpatched-pulse-vpn-servers/" target="_blank" rel="external nofollow">CVE-2019-11510</a> - A Pulse Secure VPN vulnerability that allows an unauthenticated attacker to gain access to VPN credentials.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/us-govt-confirms-active-exploitation-of-f5-big-ip-rce-flaw/" target="_blank" rel="external nofollow">CVE-2020-5902</a> - An F5 BIG-IP proxy / load balancer remote code execution vulnerability.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/citrix-adc-cve-2019-19781-exploits-released-fix-now/" target="_blank" rel="external nofollow">CVE-2019-19781</a> - A Citrix Application Delivery Controller (ADC) and Gateway directory traversal vulnerability, which can lead to remote code execution without credentials.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/citrix-fixes-11-flaws-in-adc-gateway-and-sd-wan-wanop-appliances/" target="_blank" rel="external nofollow">CVE-2020-8193</a> - A Citrix ADC, Citrix Gateway, and Citrix SDWAN WAN-OP vulnerability that allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/citrix-fixes-11-flaws-in-adc-gateway-and-sd-wan-wanop-appliances/" target="_blank" rel="external nofollow">CVE-2020-8195</a> - A Citrix ADC, Citrix Gateway, and Citrix SDWAN WAN-OP vulnerability that allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/citrix-fixes-11-flaws-in-adc-gateway-and-sd-wan-wanop-appliances/" target="_blank" rel="external nofollow">CVE-2020-8196</a> - A Citrix ADC, Citrix Gateway, and Citrix SDWAN WAN-OP vulnerability that allows unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/bluekeep-remote-desktop-exploits-are-coming-patch-now/" target="_blank" rel="external nofollow">CVE-2019-0708</a> - The Windows BlueKeep Remote Desktop Service vulnerability allows unauthenticated users to perform remote code execution.
	</li>
</ul>


<p>
	Exploit Mobile Device Management (MDM): By compromising MDM servers, threat actors can push out malicious mobile apps or change device configurations that send traffic through attacker-controlled proxy servers or hosts.
</p>

<ul>
	<li>
		<a href="https://nvd.nist.gov/vuln/detail/CVE-2020-15505" rel="external nofollow" target="_blank">CVE-2020-15505</a> - A remote code execution vulnerability in MobileIron mobile device management (MDM) software.
	</li>
</ul>

<p>
	Exploit Active Directory for Lateral Movement and Credential Access: 
</p>


<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-hackers-using-zerologon-exploits-in-attacks-patch-now/" target="_blank" rel="external nofollow">CVE-2020-1472</a> - The critical 10/10 Windows ZeroLogon Netlogon elevation of privilege vulnerability allows threat actors to quickly gain access to domain administrator credentials on a domain controller. From there, they can harvest sensitive data or deploy malware, such as ransomware.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/microsoft-ntlm-flaws-expose-all-windows-machines-to-rce-attacks/" target="_blank" rel="external nofollow">CVE-2019-1040</a> - A Windows NTLM vulnerability allows attackers to reduce the built-in security for the Windows operating system.
	</li>
</ul>


<p>
	Exploit public-facing servers: Attackers use these vulnerabilities to bypass authentication in web servers, email servers, or DNS to remotely execute commands on the internal network. For compromised web servers, attackers can utilize them in watering-hole attacks to target future visitors.
</p>


<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/critical-sigred-windows-dns-bug-gets-micropatch-after-pocs-released/" target="_blank" rel="external nofollow">CVE-2020-1350</a> - The Windows DNS server SigRed vulnerability allows attackers to spread laterally through a network.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/vulnerability-affects-half-of-the-internets-email-servers/" target="_blank" rel="external nofollow">CVE-2018-6789</a> - An Exim mail server vulnerability allows unauthenticated, remote code execution.
	</li>
	<li>
		<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4939" rel="external nofollow" target="_blank">CVE-2018-4939</a> - An Adobe ColdFusion vulnerability that could lead to arbitrary code execution.
	</li>
</ul>


<p>
	Exploit internal servers: These vulnerabilities are used to spread laterally throughout a network and gain access to internal servers, where the attackers can steal valuable data.
</p>


<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/over-247k-exchange-servers-unpatched-for-actively-exploited-flaw/" target="_blank" rel="external nofollow">CVE-2020-0688</a> - A Microsoft Exchange vulnerability that allows authenticated users to perform remote code execution.
	</li>
	<li>
		<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4852" rel="external nofollow" target="_blank">CVE-2015-4852</a> - The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.
	</li>
	<li>
		<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2555" rel="external nofollow" target="_blank">CVE-2020-2555</a> - A vulnerability exists in the Oracle® Coherence product of Oracle Fusion® Middleware. This easily exploitable 
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/vulnerable-confluence-servers-get-infected-with-ransomware-trojans/" target="_blank" rel="external nofollow">CVE-2019-3396</a> - A server-side template injection vulnerability is present in the Widget Connector in Atlassian Confluence servers that allows remote attackers to perform remote code execution and path traversal.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/nsa-hackers-exploit-these-vulnerabilities-to-deploy-backdoors/" target="_blank" rel="external nofollow">CVE-2019-11580</a> - Attackers who can send requests to an Atlassian® Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, permitting remote code execution. This vulnerability was used in GandCrab ransomware attacks in the past.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/nsa-hackers-exploit-these-vulnerabilities-to-deploy-backdoors/" target="_blank" rel="external nofollow">CVE-2020-10189</a> - A Zoho ManageEngine Desktop Central vulnerability allows remote code execution. This bug was used in attacks to deploy backdoors.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/microsoft-iis-servers-hacked-by-blue-mockingbird-to-mine-monero/" target="_blank" rel="external nofollow">CVE-2019-18935</a> - A vulnerability in Telerik UI for ASP.NET AJAX can lead to remote code execution. It was seen used by a hacker group named 'Blue Mockingbird' to install Monero miners on vulnerable servers but could be used to spread laterally as well.
	</li>
</ul>

<p>
	Exploit user workstations for local privilege escalation: When an attacker gains access to a workstation, their ultimate goal is to gain administrative credentials or privileges. Using these vulnerabilities, a hacker can elevate their privileges to SYSTEM or administrator access.
</p>

<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/microsoft-fixes-windows-cryptoapi-spoofing-flaw-reported-by-nsa/" target="_blank" rel="external nofollow">CVE-2020-0601</a> - A Windows CryptoAPI Spoofing vulnerability discovered by the NSA allows attackers to spoof code-signing certificates to make malicious executables appear to be signed by a legitimate trusted company.
	</li>
	<li>
		<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0803" rel="external nofollow" target="_blank">CVE-2019-0803</a> - An elevation of privilege vulnerability exists in Windows® when the Win32k component fails to properly handle objects in memory. 
	</li>
</ul>


<p>
	Exploit network devices: This final bucket of vulnerabilities allows attackers to monitor and modify network traffic as it flows over the device. 
</p>


<ul>
	<li>
		<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6327" rel="external nofollow" target="_blank">CVE-2017-6327</a> - The Symantec Messaging Gateway can encounter a remote code execution issue.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/security/cisco-patches-critical-cdp-flaws-affecting-millions-of-devices/" target="_blank" rel="external nofollow">CVE-2020-3118</a> - A Cisco 'CDPwn' vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow remote code execution.
	</li>
	<li>
		<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8515" rel="external nofollow" target="_blank">CVE-2020-8515</a> - DrayTek Vigor devices enable remote code execution as root (without authentication) via shell metacharacters.
	</li>
</ul>

<p>
	As Chinese state-sponsored hackers have been seen utilizing a combination of these vulnerabilities, it is strongly advised that all administrators patch them as soon as possible.
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/nsa-top-25-vulnerabilities-actively-abused-by-chinese-hackers/" rel="external nofollow">Source</a>
</p>
]]></description><guid isPermaLink="false">2772</guid><pubDate>Sat, 09 Oct 2021 17:00:28 +0000</pubDate></item><item><title>Outdated Linux Versions, Misconfigurations Triggering Cloud Attacks: Report</title><link>https://nsaneforums.com/news/security-privacy-news/outdated-linux-versions-misconfigurations-triggering-cloud-attacks-report-r2770/</link><description><![CDATA[<p>
	The “Linux Threat Report 2021 1H” from Trend Micro found that Linux cloud operating systems are heavily targeted for cyberattacks, with nearly 13 million detections in the first half of this year. As organizations expand their footprint in the cloud, correspondingly, they are exposed to the pervasive threats that exist in the Linux landscape.
</p>


<p>
	This latest threat report, released Aug. 23, provides an in-depth look at the Linux threat landscape. It discusses several pressing security issues that affect Linux running in the cloud.
</p>


<p>
	Key findings include that Linux is powerful, universal, and dependable, but not devoid of flaws, according to the researchers. Like other operating systems, Linux remains susceptible to attacks.
</p>

<p>
	Linux in the cloud powers most infrastructures, and Linux users make up the majority of the Trend Micro Cloud One enterprise customer base at 61 percent, compared to 39 percent Windows users.
</p>


<p>
	The data comes from the Trend Micro Smart Protection Network (SPN), the data reservoir for all detections across all of Trend Micro’s products. The results show enterprise Linux at considerable risk from system configuration mistakes and outdated Linux distributions.
</p>

<p>
	For instance, data from the internet scan engine Censys.io revealed nearly 14 million results for exposed devices running any sort of Linux operating system as of July 6, 2021. A Shodan search for port 22, the port commonly used for the Secure Shell Protocol (SSH) on Linux-based machines, showed almost 19 million exposed devices as of July 27, 2021.
</p>

<p>
	As with any operating system, security depends entirely on how you use, configure, and manage it. Each new Linux update tries to improve security, but to get the value you must enable and configure it correctly, cautioned Joseph Carson, chief security scientist and advisory CISO at Thycotic.
</p>

<p>
	“The state of Linux security today is rather good and has evolved in a positive way, with much more visibility and security features built-in. Nevertheless, like many operating systems, you must install, configure, and manage it with security in mind — as how cybercriminals take advantage is the human touch,” he told LinuxInsider.
</p>


<p>
	<strong>Top Linux Threats</strong>
</p>

<p>
	The Trend Micro Report disclosed rampant malware families within Linux systems. Unlike previous reports based on malware types, this study focused on the prevalence of Linux as an operating system and the pervasiveness of the various threats and vulnerabilities that stalk the OS.
</p>

<p>
	That approach showed that the top three threat detections originated in the U.S. (almost 40 percent), Thailand (19 percent), and Singapore (14 percent).
</p>

<p>
	Detections arose from systems running end-of-life versions of Linux distributions. The four expired distributions were from CentOS versions 7.4 to 7.9 (almost 44 percent), CloudLinux Server (more than 40 percent), and Ubuntu (about 7 percent).
</p>

<p>
	<br />
	Trend Micro tracked more than 13 million malware events flagged by its sensors. Researchers then compiled a list of the prominent threat types, consolidated from the top 10 malware families affecting Linux servers from Jan. 1 to June 30, 2021.
</p>

<p>
	 
</p>

<p>
	The top threat types found in Linux systems in the first half of 2021 are:
</p>

<p>
	 
</p>

<ul>
	<li>
		Coinminers (24.56 percent)
	</li>
	<li>
		Web shell (19.92 percent)
	</li>
	<li>
		Ransomware (11.56 percent)
	</li>
	<li>
		Trojans (9.56 percent)
	</li>
	<li>
		Others (3.15 percent)
	</li>
</ul>

<p>
	 
</p>

<p>
	The top four Linux distributions where the top threat types in Linux systems were found in H1-2021 are:
</p>

<p>
	 
</p>

<ul>
	<li>
		CentOS Linux (50.80 percent)
	</li>
	<li>
		CloudLinux Server (31.24 percent)
	</li>
	<li>
		Ubuntu Server (9.56 percent)
	</li>
	<li>
		Red Hat Enterprise Linux Server (2.73 percent)
	</li>
</ul>

<p>
	 
</p>

<p>
	Top malware families include:
</p>

<p>
	 
</p>

<ul>
	<li>
		Coinminers (25 percent)
	</li>
	<li>
		Web shells (20 percent)
	</li>
	<li>
		Ransomware (12 percent)
	</li>
</ul>

<p>
	<br />
	CentOS Linux and CloudLinux Server are the top Linux distributions with the found threat types, while web application attacks happen to be the most common attack vector.
</p>

<p>
	 
</p>

<p>
	<strong>Web Apps Top Targets</strong>
</p>

<p>
	<br />
	Most of the applications and workloads exposed to the internet run web applications. Web application attacks are among the most common attack vectors in Trend Micro’s telemetry, said researchers.
</p>

<p>
	 
</p>

<p>
	If launched successfully, web app attacks allow hackers to execute arbitrary scripts and compromise secrets. Web app attacks also can modify, extract, or destroy data. The research shows that 76 percent of the attacks are web-based.
</p>

<p>
	 
</p>

<p>
	The LAMP stack (Linux, Apache, MySQL, PHP) made it inexpensive and easy to create web applications. In a very real way, it democratized the internet so anyone can set up a web application, according to John Bambenek, threat intelligence advisor at Netenrich.
</p>

<p>
	 
</p>

<p>
	“The problem with that is that anyone can set up a web app. While we are still waiting for the year of Linux on the desktop, it is important for organizations to use best practices for their web presences. Typically, this means staying on top of CMS patches/updates and routine scanning with even open-source tools (like the Zed Attack Proxy) to find and remediate SQL injection vulnerabilities,” he told LinuxInsider.
</p>

<p>
	 
</p>

<p>
	The report referenced the Open Web Application Security Project (OWASP) Top 10 security risks, in which injection flaws and cross-site scripting (XSS) attacks remain as prominent as ever. What struck Trend Micro researchers as significant is the high number of insecure deserialization vulnerabilities.
</p>

<p>
	<br />
	This is partly due to the ubiquity of Java and of deserialization vulnerabilities in it, according to Trend Micro. Its report also noted the Liferay Portal, Ruby on Rails, and Red Hat JBoss deserialization vulnerabilities as being prominent.
</p>
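<p>
	As an added illustration (not from the Trend Micro report or the LinuxInsider article), the Python below uses the standard library’s pickle module as a stand-in for the Java, Ruby on Rails and JBoss deserializers mentioned above. It shows the mechanism behind an insecure deserialization bug, a serialized object whose __reduce__ hook names a callable for the loader to run, beside the mitigation the Python documentation describes, an unpickler that refuses any global not on an allow-list, and the data-only alternative, JSON. The Gadget class, the allow-list contents and os.getcwd as the harmless stand-in payload are this example’s assumptions.
</p>

```python
from __future__ import annotations

import builtins
import io
import json
import os
import pickle


class Gadget:
    """Constructed attacker object. On unpickling, the loader calls the
    callable named by __reduce__. os.getcwd is a harmless stand-in for the
    os.system / Runtime.exec style calls real deserialization exploits use."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_malicious_payload() -> bytes:
    # Attacker side: nothing executes here, only on the victim's load().
    return pickle.dumps(Gadget())


def vulnerable_load(data: bytes):
    # pickle.loads resolves and calls whatever global the stream names.
    return pickle.loads(data)


def payload_executed(data: bytes) -> bool:
    # True when the loader ran the attacker's callable (result == cwd).
    return vulnerable_load(data) == os.getcwd()


# Only these builtins may be resolved by name; everything else is refused.
ALLOWED_BUILTINS = {"dict", "list", "str", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list unpickler: find_class is consulted for every GLOBAL /
    STACK_GLOBAL opcode, so posix.getcwd (or os.system) never resolves."""

    def find_class(self, module: str, name: str):
        if module == "builtins" and name in ALLOWED_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    # True when the hardened loader refuses the stream.
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def hardened_round_trip(obj):
    # Plain data (dicts, lists, strings, numbers) needs no globals at all.
    return hardened_load(pickle.dumps(obj))


def load_untrusted_json(text: str) -> dict:
    """Preferred fix: a data-only format with no code-execution semantics.
    Still validate the shape, since json.loads accepts any JSON value."""
    obj = json.loads(text)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object")
    return obj


if __name__ == "__main__":
    payload = build_malicious_payload()
    print("vulnerable loader ran attacker callable:", payload_executed(payload))
    print("hardened loader rejected payload:", is_rejected(payload))
    print("hardened loader on benign data:", hardened_round_trip({"user": "alice"}))
    print("json path:", load_untrusted_json('{"user": "alice"}'))
```

<p>
	The allow-list approach only narrows the attack surface; a whitelisted class with a dangerous __setstate__ would still be reachable, which is why the JSON path is the better default for anything that crosses a trust boundary.
</p>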

<p>
	 
</p>

<p>
	Attackers also try to exploit broken authentication to gain unauthorized access to systems. The number of command injection hits also came as a surprise, as it was higher than Trend Micro’s analysts expected.
</p>
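<p>
	An added example (not from the report or the article) for the injection classes discussed above and for the SQL injection scanning Bambenek recommends: a SQL query built by string formatting beside its parameterized form, and a shell command string built from user input beside a validated argv list, in Python with an in-memory SQLite table standing in for a LAMP user table. The schema, rows, payload strings and hostname pattern are constructed for the example; the ping command is built and tokenized the way a shell would, but deliberately not executed.
</p>

```python
from __future__ import annotations

import re
import shlex
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: what a LAMP app's user table might hold."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, api_token TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-alice", "tok-alice"), ("bob", "hash-bob", "tok-bob")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Attacker text becomes part of the SQL grammar, not just a value.
    sql = f"SELECT username, api_token FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list[tuple]:
    # Bound parameter: the value travels separately from the statement, so
    # quotes and keywords inside it can never change its structure.
    sql = "SELECT username, api_token FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


SQLI_PAYLOAD = "' OR '1'='1"   # classic tautology: WHERE username = '' OR '1'='1'


# Command injection: the same mistake one layer down, in the shell grammar.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def ping_command_vulnerable(host: str) -> str:
    # Meant for subprocess.run(cmd, shell=True): ';', '|', '$(...)' and
    # backticks inside host are interpreted by the shell, not by ping.
    return f"ping -c 1 {host}"


def shell_tokens(cmd: str) -> list[str]:
    # How a POSIX shell would split the string; a ';' token starts a new command.
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def ping_command_hardened(host: str) -> list[str]:
    # Validate against an allow-list pattern, then pass host as ONE argv
    # element to subprocess.run(argv) with no shell involved.
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def hardened_accepts(host: str) -> bool:
    try:
        ping_command_hardened(host)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, SQLI_PAYLOAD))   # every row, tokens included
    print("hardened:  ", lookup_hardened(db, SQLI_PAYLOAD))     # []
    print("shell would run:", shell_tokens(ping_command_vulnerable("8.8.8.8; id")))
    print("hardened accepts '8.8.8.8; id':", hardened_accepts("8.8.8.8; id"))
    print("hardened argv:", ping_command_hardened("example.org"))
```

<p>
	The parameterized query and the argv list fix the bug by construction rather than by filtering; input validation on the hostname is defense in depth, not the primary control.
</p>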

<p>
	 
</p>

<p>
	<strong>Expected Trend</strong>
</p>

<p>
	<br />
	It is no surprise that the majority of these attacks are web-based. Every website is different, written by different developers with different skill sets, observed Shawn Smith, director of infrastructure at nVisium.
</p>

<p>
	 
</p>

<p>
	“There is a wide range of different frameworks across a multitude of languages with various components that all have their own advantages and drawbacks. Combine this with the fact that not all developers are security gurus, and you’ve got an incredibly alluring target,” he told LinuxInsider.
</p>

<p>
	Web servers are one of the most common services to expose to the internet because most of the world interacts with the internet through websites. There are other areas exposed — like FTP or IRC servers — but the vast majority of the world is using websites as their main contact point to the internet.
</p>

<p>
	 
</p>

<p>
	“As a result, this is where attackers will focus to get the biggest return on investment for their time spent,” Smith said.
</p>

<p>
	 
</p>

<p>
	<strong>OSS Linked to Supply Chain Attacks</strong>
</p>

<p>
	<br />
	Software supply chains must be secured to deal with the Linux attack landscape as well, noted the Trend Micro report. Attackers can insert malicious code to compromise software components of third-party suppliers. That code then connects to a command-and-control server to download and deploy backdoors and other malicious payloads within the system.
</p>

<p>
	 
</p>

<p>
	This can lead to remote code execution to an enterprise’s system and computing resources. Supply chain attacks can also come from misconfigurations, which are the second top incident type in cloud-native environments, according to the Trend Micro report. More than 56 percent of their survey respondents had a misconfiguration or known unpatched vulnerability incident involving their cloud-native applications.
</p>

<p>
	 
</p>

<p>
	Hackers are having an easy time. “The major attack types on web-based applications have remained constant over the recent past. That, combined with the rising time-to-fix and declining remediation rates, makes the hackers’ job easier,” said Setu Kulkarni, vice president of strategy at NTT Application Security.
</p>

<p>
	 
</p>

<p>
	Organizations need to test applications in production, figuring out what their top three-to-five vulnerability types are. Then launch a targeted campaign to address them, rinse, and repeat, he recommended.
</p>

<p>
	 
</p>

<p>
	The “Linux Threat Report 2021 1H” is <a href="https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations" rel="external nofollow">available here</a>.
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://linuxinsider.com/story/outdated-linux-versions-misconfigurations-triggering-cloud-attacks-report-87263.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2770</guid><pubDate>Sat, 09 Oct 2021 14:45:02 +0000</pubDate></item><item><title>Ransomware Group FIN12 Aggressively Going After Healthcare Targets</title><link>https://nsaneforums.com/news/security-privacy-news/ransomware-group-fin12-aggressively-going-after-healthcare-targets-r2751/</link><description><![CDATA[<p>
	An "aggressive" financially motivated threat actor has been identified as linked to a string of RYUK ransomware attacks since October 2018, while maintaining close partnerships with TrickBot-affiliated threat actors and using a publicly available arsenal of tools such as Cobalt Strike Beacon payloads to interact with victim networks.
</p>

<p>
	 
</p>

<p>
	Cybersecurity firm Mandiant attributed the intrusions to a Russian-speaking hacker group codenamed FIN12, and previously tracked as UNC1878, with a disproportionate focus on healthcare organizations with more than $300 million in revenue, among others, including education, financial, manufacturing, and technology sectors, located in North America, Europe, and the Asia Pacific.
</p>

<p>
	 
</p>

<p>
	"FIN12 relies on partners to obtain initial access to victim environments," Mandiant researchers said. "Notably, instead of conducting multifaceted extortion, a tactic widely adopted by other ransomware threat actors, FIN12 appears to prioritize speed and higher revenue victims."
</p>

<p>
	 
</p>

<p>
	The use of initial access brokers to facilitate ransomware deployments isn't new. In June 2021, findings from enterprise security company Proofpoint revealed that ransomware actors are increasingly shifting from using email messages as an intrusion route to purchasing access from cybercriminal enterprises that have already infiltrated major entities, with Ryuk infections mainly leveraging accesses obtained via malware families like TrickBot and BazaLoader.
</p>

<p>
	 
</p>

<p>
	FIN12's targeting of the healthcare sector suggests that its initial access brokers "cast a wider net and allow FIN12 actors to choose from a list of victims after accesses are already obtained."
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEhcYL_nXJS0SvOrshhgZfzniqeWlq2hujHt" class="ipsImage" data-ratio="75.10" height="540" width="662" src="https://thehackernews.com/new-images/img/a/AVvXsEhcYL_nXJS0SvOrshhgZfzniqeWlq2hujHtP_B9NMV3ZH2dKMBGOVD-QULW_bq5w4oOxtcsQFdMTCFi7N-ebrO0gaTtqJfi4ymnpy3GGfMdfCPfZLU0R-Dfo5aUaUqf2Rz6O-xFjP7l7cdlPXP62hI-P44fE1KqQvG7pxNa-DXRGP2IeQkoAWJNWdb-" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Mandiant also noted that it observed, in May 2021, threat actors obtaining a foothold in the network through phishing email campaigns distributed internally from compromised user accounts, before leading to the deployment of Cobalt Strike Beacon and WEIRDLOOP payloads. Attacks mounted between mid-February and mid-April of 2021 are said to also have taken advantage of remote logins by getting hold of credentials to victims' Citrix environments.
</p>

<p>
	 
</p>

<p>
	Although FIN12's tactics in late 2019 involved using TrickBot as a means to maintain a foothold in the network and carry out later-stage tasks, including reconnaissance, delivering malware droppers, and deploying the ransomware, the group has since consistently banked on Cobalt Strike Beacon payloads for performing post-exploitation activities.
</p>

<p>
	 
</p>

<p>
	FIN12 also distinguishes itself from other intrusion threat actors in that it doesn't engage in data theft extortion — a tactic that's used to leak exfiltrated data when victims refuse to pay up — which Mandiant says stems from the threat actor's desire to move quickly and strike targets that are willing to settle with minimal negotiation.
</p>

<p>
	 
</p>

<p>
	"The average time to ransom (TTR) across our FIN12 engagements involving data theft was 12.4 days (12 days, 9 hours, 44 minutes) compared to 2.48 days (2 days, 11 hours, 37 minutes) where data theft was not observed," the researchers said. "FIN12's apparent success without the need to incorporate additional extortion methods likely reinforces this notion."
</p>

<p>
	 
</p>

<p>
	"[FIN12 is the] first FIN actor that we are promoting who specializes in a specific phase of the attack lifecycle — ransomware deployment — while relying on other threat actors for gaining initial access to victims," Mandiant noted. "This specialization reflects the current ransomware ecosystem, which is comprised of various loosely affiliated actors partnering together, but not exclusively with one another."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://thehackernews.com/2021/10/ransomware-group-fin12-aggressively.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2751</guid><pubDate>Fri, 08 Oct 2021 14:55:55 +0000</pubDate></item><item><title>Researchers create 'self-aware' algorithm to ward off hacking attempts</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-create-self-aware-algorithm-to-ward-off-hacking-attempts-r2750/</link><description><![CDATA[<p>
	It sounds like a scene from a spy thriller. An attacker gets through the IT defenses of a nuclear power plant and feeds it fake, realistic data, tricking its computer systems and personnel into thinking operations are normal. The attacker then disrupts the function of key plant machinery, causing it to misperform or break down. By the time system operators realize they've been duped, it's too late, with catastrophic results.
</p>

<p>
	 
</p>

<p>
	The scenario isn't fictional; it happened in 2010, when the Stuxnet worm was used to damage nuclear centrifuges in Iran. And as ransomware and other cyberattacks around the world increase, system operators worry more about these sophisticated "false data injection" strikes. In the wrong hands, the computer models and data analytics—based on artificial intelligence—that ensure smooth operation of today's electric grids, manufacturing facilities, and power plants could be turned against themselves.
</p>

<p>
	 
</p>

<p>
	Purdue University's Hany Abdel-Khalik has come up with a powerful response: To make the computer models that run these cyberphysical systems both self-aware and self-healing. Using the background noise within these systems' data streams, Abdel-Khalik and his students embed invisible, ever-changing, one-time-use signals that turn passive components into active watchers. Even if an attacker is armed with a perfect duplicate of a system's model, any attempt to introduce falsified data will be immediately detected and rejected by the system itself, requiring no human response.
</p>

<p>
	 
</p>

<p>
	"We call it covert cognizance," said Abdel-Khalik, an associate professor of nuclear engineering and researcher with Purdue's Center for Education and Research in Information Assurance and Security (CERIAS). "Imagine having a bunch of bees hovering around you. Once you move a little bit, the whole network of bees responds, so it has that butterfly effect. Here, if someone sticks their finger in the data, the whole system will know that there was an intrusion, and it will be able to correct the modified data."
</p>

<p>
	 
</p>

<p>
	<strong>Trust through self-awareness</strong>
</p>

<p>
	 
</p>

<p>
	Abdel-Khalik will be the first to say that he is a nuclear engineer, not a computer scientist. But today, critical infrastructure systems in energy, water, and manufacturing all use advanced computational techniques, including machine learning, predictive analytics, and artificial intelligence. Employees use these models to monitor readings from their machinery and verify that they are within normal ranges. From studying the efficiency of reactor systems and how they respond to equipment failures and other disruptions, Abdel-Khalik grew familiar with the "digital twins" employed by these facilities: Duplicate simulations of data-monitoring models that help system operators determine when true errors arise.
</p>

<p>
	 
</p>

<p>
	But gradually he became interested in intentional rather than accidental failures, particularly what could happen when a malicious attacker has a digital twin of their own to work with. It's not a far-fetched situation, as the simulators used to control nuclear reactors and other critical infrastructure can be easily acquired. There's also the perennial risk that someone inside a system, with access to the control model and its digital twin, could attempt a sneak attack.
</p>

<p>
	 
</p>

<p>
	"Traditionally, your defense is as good as your knowledge of the model. If they know your model pretty well, then your defense can be breached," said Yeni Li, a recent graduate from the group, whose Ph.D. research focused on the detection of such attacks using model-based methods.
</p>

<p>
	 
</p>

<p>
	Abdel-Khalik said, "Any type of system right now that is based on the control looking at information and making a decision is vulnerable to these types of attacks. If you have access to the data, and then you change the information, then whoever's making the decision is going to be basing their decision on fake data."
</p>

<p>
	 
</p>

<p>
	To thwart this strategy, Abdel-Khalik and Arvind Sundaram, a third-year graduate student in nuclear engineering, found a way to hide signals in the unobservable "noise space" of the system. Control models juggle thousands of different data variables, but only a fraction of them are actually used in the core calculations that affect the model's outputs and predictions. By slightly altering these nonessential variables, their algorithm produces a signal so that individual components of a system can verify the authenticity of the data coming in and react accordingly.
</p>

<p>
	 
</p>

<p>
	"When you have components that are loosely coupled with each other, the system really isn't aware of the other components or even of itself," Sundaram said. "It just responds to its inputs. When you're making it self-aware, you build an anomaly detection model within itself. If something is wrong, it needs to not just detect that, but also operate in a way that doesn't respect the malicious input that's come in."
</p>

<p>
	 
</p>

<p>
	For added security, these signals are generated by the random noise of the system hardware, for example, fluctuations in temperature or power consumption. An attacker holding a digital twin of a facility's model could not anticipate or re-create these perpetually shifting data signatures, and even someone with internal access would not be able to crack the code.
</p>
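<p>
	An added, deliberately simplified sketch of the idea described in the two paragraphs above. It is not the Purdue team's algorithm and claims nothing about their implementation. It models a telemetry record whose first three variables drive a toy control model while four further variables lie in the "noise space" and never affect the output; each step the system embeds a one-time authentication tag in those noise-space variables, keyed by freshly sampled hardware noise (os.urandom stands in for temperature or power fluctuations). An attacker holding a perfect copy of the model can produce plausible core readings but cannot reproduce the tag, and a replayed record fails because the key and step counter have moved on. The record layout, the HMAC construction, the baseline and amplitude constants and the attacker scenarios are this example's assumptions.
</p>

```python
from __future__ import annotations

import hmac
import os
import struct

CORE = 3          # variables the toy control model actually uses
NOISE = 4         # "noise-space" variables the model output never depends on
BASELINE = 0.5    # nominal value of a noise-space variable
AMPLITUDE = 1e-6  # size of the tiny perturbation that carries the signal


def model_output(record: list[float]) -> float:
    """Toy control model: the decision depends on the core variables only,
    so perturbing the noise-space variables leaves it unchanged."""
    return sum(record[:CORE]) / CORE


def embed(tag: bytes) -> list[float]:
    # Each tag byte becomes a tiny offset on one noise-space variable.
    return [BASELINE + (b / 255.0) * AMPLITUDE for b in tag]


def extract(noise_vars: list[float]) -> bytes:
    # Recover the embedded bytes; clamp so malformed input cannot raise.
    return bytes(max(0, min(255, round((v - BASELINE) / AMPLITUDE * 255))) for v in noise_vars)


class CovertWatcher:
    """The system's own authenticity check. Every step it records fresh
    hardware noise and uses it as a one-time key, so a digital twin of the
    model, however exact, cannot predict the embedded signal."""

    def __init__(self) -> None:
        self.counter = 0
        self.noise_key = b""

    @staticmethod
    def _sample_hardware_noise() -> bytes:
        return os.urandom(16)  # stand-in for measured physical noise

    def _tag(self, core: list[float]) -> bytes:
        msg = struct.pack(">I", self.counter) + struct.pack(f">{CORE}d", *core)
        return hmac.new(self.noise_key, msg, "sha256").digest()[:NOISE]

    def emit(self, core: list[float]) -> list[float]:
        """Produce the next record: core values plus tagged noise-space values."""
        self.counter += 1
        self.noise_key = self._sample_hardware_noise()
        return list(core) + embed(self._tag(core))

    def verify(self, record: list[float]) -> bool:
        """Accept only a record whose noise-space carries the tag for the
        current step, the current key and exactly these core values."""
        core, noise_vars = list(record[:CORE]), list(record[CORE:])
        return hmac.compare_digest(extract(noise_vars), self._tag(core))


def forge_with_digital_twin(genuine: list[float], fake_core: list[float]) -> list[float]:
    """Attacker with a perfect model copy: keeps the plausible-looking
    noise-space values from a genuine record and swaps in false readings."""
    return list(fake_core) + list(genuine[CORE:])


if __name__ == "__main__":
    w = CovertWatcher()
    rec = w.emit([300.0, 15.5, 0.98])
    print("genuine accepted:", w.verify(rec), "output", round(model_output(rec), 3))
    bad = forge_with_digital_twin(rec, [250.0, 15.5, 0.98])
    print("forged accepted:", w.verify(bad), "output", round(model_output(bad), 3))
    w.emit([301.0, 15.4, 0.97])
    print("replayed old record accepted:", w.verify(rec))
```

<p>
	Structurally this is a keyed MAC hidden in variables the model ignores; what the research adds over a plain MAC is sourcing the key from the plant's own physical noise rather than from a secret that an insider could read, which is the point of the quotes above.
</p>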

<p>
	 
</p>

<p>
	"Anytime you develop a security solution, you can trust it, but you still have to give somebody the keys," Abdel-Khalik said. "If that person turns on you, then all bets are off. Here, we're saying that the added perturbations are based on the noise of the system itself. So there's no way I would know what the noise of the system is, even as an insider. It's being recorded automatically and added to the signal."
</p>

<p>
	 
</p>

<p>
	Though the papers published by the team members so far have focused on using their paradigm in nuclear reactors, the researchers see potential for applications across industries—any system that uses a control loop and sensors, Sundaram said. The same methods could be used also for objectives beyond cybersecurity, such as self-healing anomaly detection that could prevent costly shutdowns, and a new form of cryptography that would enable the secure sharing of data from critical systems with outside researchers.
</p>

<p>
	 
</p>

<p>
	<strong>Cyber gets physical</strong>
</p>

<p>
	 
</p>

<p>
	As nuclear engineers, Abdel-Khalik and Sundaram benefit from the expertise and resources of CERIAS to find entry points into the worlds of cybersecurity and computer science. Abdel-Khalik credits Elisa Bertino, the Samuel D. Conte Professor of Computer Science and CERIAS research director, with the original spark that led to creating the covert cognizance algorithm, and thanks the center for exposing him to new partnerships and opportunities.
</p>

<p>
	 
</p>

<p>
	Founded in 1998, CERIAS is one of the oldest and largest research centers in the world concentrating on cybersecurity. Its mission, says managing director Joel Rasmus, has always been interdisciplinary, and today the center works with researchers from 18 departments and eight colleges at Purdue. Abdel-Khalik's research is a perfect example of this diverse network.
</p>

<p>
	 
</p>

<p>
	"When most people think about cybersecurity, they only think about computer science," Rasmus said. "Here's a nuclear engineering faculty member who's doing unbelievably great cyber and cyberphysical security work. We've been able to link him with computer scientists at Purdue who understand this problem, but yet don't understand anything about nuclear engineering or the power grid, so they're able to collaborate with him."
</p>

<p>
	 
</p>

<p>
	Abdel-Khalik and Sundaram have begun to explore the commercial possibilities of covert cognizance through a startup company. That startup, Covert Defenses LLC, has recently engaged with Entanglement Inc., an early-stage deep tech company, to develop a go-to-market strategy.
</p>

<p>
	 
</p>

<p>
	In parallel, the team will be working to develop a software toolkit that can be integrated with the cyberphysical test beds at CERIAS and the Pacific Northwest National Laboratory, where sensors and actuators coupled to software provide a simulation of large-scale industrial systems.
</p>

<p>
	 
</p>

<p>
	"We can provide additional applications for the technologies that he's developing, since this is an idea that can help nearly every cyberphysical domain, such as advanced manufacturing or transportation," Rasmus said. "We want to make sure that the research that we're doing actually helps move the world forward, that it helps solve actual real-world problems."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://techxplore.com/news/2021-10-self-aware-algorithm-ward-hacking.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2750</guid><pubDate>Fri, 08 Oct 2021 14:43:53 +0000</pubDate></item><item><title>Researchers Warn of FontOnLake Rootkit Malware Targeting Linux Systems</title><link>https://nsaneforums.com/news/security-privacy-news/researchers-warn-of-fontonlake-rootkit-malware-targeting-linux-systems-r2743/</link><description><![CDATA[<p>
	Cybersecurity researchers have detailed a new campaign that likely targets entities in Southeast Asia with a previously unrecognized Linux malware that's engineered to enable remote access for its operators, in addition to amassing credentials and functioning as a proxy server.
</p>

<p>
	 
</p>

<p>
	The malware family, dubbed "FontOnLake" by Slovak cybersecurity firm ESET, is said to feature "well-designed modules" that are continuously being upgraded with new features, indicating an active development phase. Samples uploaded to VirusTotal point to the possibility that the very first intrusions utilizing this threat have been happening as early as May 2020.
</p>

<p>
	 
</p>

<p>
	Avast and Lacework Labs are tracking the same malware under the moniker HCRootkit.
</p>

<p>
	 
</p>

<p>
	"The sneaky nature of FontOnLake's tools in combination with advanced design and low prevalence suggest that they are used in targeted attacks," ESET researcher Vladislav Hrčka said. "To collect data or conduct other malicious activity, this malware family uses modified legitimate binaries that are adjusted to load further components. In fact, to conceal its existence, FontOnLake's presence is always accompanied by a rootkit. These binaries are commonly used on Linux systems and can additionally serve as a persistence mechanism."
</p>

<p>
	 
</p>

<p>
	FontOnLake's toolset includes three components that consist of trojanized versions of legitimate Linux utilities that are used to load kernel-mode rootkits and user-mode backdoors, all of which communicate with one another using virtual files. The C++-based implants themselves are designed to monitor systems, secretly execute commands on networks, and exfiltrate account credentials.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="AVvXsEgluCV_fDM2nbPrWKY7xZInMhVX_c2R42qY" class="ipsImage" data-ratio="72.50" height="516" width="720" src="https://thehackernews.com/new-images/img/a/AVvXsEgluCV_fDM2nbPrWKY7xZInMhVX_c2R42qY1EiRp2heTY8qJbZgNnbK-VfOcCekQddyoaD7NqdmfDm0U5tCc8ta6-axtaID0OvASuG0Z1xYAbIuLvoqyV9z8ilv2UByi1eS2iW8_6Ye8AOnDUob88UUR-Xcx56fvpUwPT-OjuyzeZFNLdCwpqzEETyc=s728-e1000" />
</p>

<p style="text-align:center;">
	 
</p>

<p>
	A second permutation of the backdoor also comes with capabilities to act as a proxy, manipulate files, and download arbitrary files, while a third variant, besides incorporating features from the other two backdoors, is equipped to execute Python scripts and shell commands.
</p>

<p>
	 
</p>

<p>
	ESET said it found two different versions of the Linux rootkit, both based on an open-source project called Suterusu, that share overlapping functionality, including hiding processes, files, network connections, and the rootkit itself, while also being able to carry out file operations and extract and execute the user-mode backdoor.
</p>
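<p>
	As an added example (not from ESET's research or the article), one practical check for the kind of hiding described above: a rootkit that hides a process only from directory listings of /proc keeps it out of ps and ls, but the kernel still answers kill(pid, 0) for that PID, and a hidden process's sockets still appear in /proc/net/tcp with an inode that no visible process's fd table references. The Python below cross-checks those views. The sample /proc/net/tcp excerpt is constructed; the /proc path and PID bound arguments are assumptions. It is a heuristic for this family of technique, not a detector for FontOnLake specifically.
</p>

```python
from __future__ import annotations

import os
import re
from typing import Iterable

SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")


def listed_pids(proc: str = "/proc") -> set[int]:
    """PIDs as the (possibly hooked) directory listing of /proc reports them."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid: int) -> set[int]:
    """PIDs found by asking the kernel about each one with kill(pid, 0).
    ESRCH means no such process; EPERM means it exists but is not ours."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def find_hidden(listed: Iterable[int], probed: Iterable[int]) -> set[int]:
    # Alive according to the kernel, absent from the directory listing.
    return set(probed) - set(listed)


def decode_addr(hex_addr: str) -> tuple[str, int]:
    """Decode a /proc/net/tcp address such as '0100007F:1F90' (IPv4 stored
    little-endian on x86) to ('127.0.0.1', 8080)."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def socket_inodes_from_proc_net(text: str) -> set[int]:
    """Socket inodes from /proc/net/tcp-style text (column 10). Inode 0 marks
    a socket with no owner, e.g. TIME_WAIT, and is ignored."""
    inodes = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) > 9 and parts[9].isdigit() and int(parts[9]) != 0:
            inodes.add(int(parts[9]))
    return inodes


def socket_inodes_from_fds(proc: str = "/proc") -> set[int]:
    """Socket inodes reachable through the fd tables of visible processes."""
    inodes = set()
    for pid in listed_pids(proc):
        fd_dir = f"{proc}/{pid}/fd"
        try:
            names = os.listdir(fd_dir)
        except OSError:
            continue
        for name in names:
            try:
                target = os.readlink(f"{fd_dir}/{name}")
            except OSError:
                continue
            m = SOCKET_LINK.fullmatch(target)
            if m:
                inodes.add(int(m.group(1)))
    return inodes


def orphan_sockets(net_inodes: Iterable[int], fd_inodes: Iterable[int]) -> set[int]:
    # A live socket that no visible process holds: hidden process or hidden fd.
    return set(net_inodes) - set(fd_inodes)


# Constructed /proc/net/tcp excerpt: a listener on 127.0.0.1:8080 (inode 12345)
# and an ownerless TIME_WAIT entry (inode 0).
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C3A4 06 00000000:00000000 03:00001234 00000000     0        0 0 3 0000000000000000
"""


if __name__ == "__main__":
    if os.path.isdir("/proc"):
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
        print("alive but unlisted PIDs:", sorted(find_hidden(listed_pids(), probed_pids(pid_max))))
        with open("/proc/net/tcp") as f:
            net = socket_inodes_from_proc_net(f.read())
        print("TCP sockets with no visible owner:", sorted(orphan_sockets(net, socket_inodes_from_fds())))
    else:
        print("sample parse:", socket_inodes_from_proc_net(SAMPLE_PROC_NET_TCP))
```

<p>
	Run it as root so every /proc/&lt;pid&gt;/fd is readable. Kernel-owned sockets and processes that exit between the two reads show up as orphans, so treat hits as leads rather than proof, and remember that a kernel rootkit which also hooks the kill syscall defeats the PID probe; that is why cross-checking several independent views, and ideally comparing against a view taken from outside the running kernel, matters.
</p>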

<p>
	 
</p>

<p>
	It's currently not known how the attackers gain initial access to the network, but the cybersecurity company noted that the threat actor behind the attacks is "overly cautious" to avoid leaving any tracks by relying on different, unique command-and-control (C2) servers with varying non-standard ports. All the C2 servers observed in the VirusTotal artifacts are no longer active.
</p>

<p>
	 
</p>

<p>
	"Their scale and advanced design suggest that the authors are well versed in cybersecurity and that these tools might be reused in future campaigns," Hrčka said. "As most of the features are designed just to hide its presence, relay communication, and provide backdoor access, we believe that these tools are used mostly to maintain an infrastructure which serves some other, unknown, malicious purposes."
</p>

<p>
	 
</p>

<p>
	<span style="font-size:16px;"><strong><a href="https://thehackernews.com/2021/10/researchers-warn-of-fontonlake-rootkit.html" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2743</guid><pubDate>Fri, 08 Oct 2021 13:39:25 +0000</pubDate></item><item><title>Google warns 14,000 Gmail users targeted by Russian hackers</title><link>https://nsaneforums.com/news/security-privacy-news/google-warns-14000-gmail-users-targeted-by-russian-hackers-r2736/</link><description><![CDATA[<p>
	Google has warned about 14,000 of its users that they were targeted in a state-sponsored phishing campaign from APT28, a threat group that has been linked to Russia.
</p>

<p>
	 
</p>

<p>
	The campaign was detected in late September and accounts for a larger than usual batch of Government-Backed Attack notifications that Google sends to targeted users every month.
</p>

<h3>
	Fancy Bear phishing
</h3>

<p>
	Shane Huntley, who is at the helm of Google’s Threat Analysis Group (TAG) that responds to government-backed hacking, notes that the higher-than-usual number of alerts this month comes “from a small number of widely targeted campaigns which were blocked.”
</p>

<p>
	 
</p>

<p>
	The campaign from APT28, also known as Fancy Bear, led to a larger number of warnings for Gmail users across various industries.
</p>

<p>
	 
</p>

<p>
	In a statement sent by a Google spokesperson, Huntley says that Fancy Bear’s phishing campaign accounts for 86% of all the batch warnings delivered this month.
</p>

<p>
	 
</p>

<p>
	He explains that these notifications indicate targeting of the recipient, not a compromise of their Gmail account.
</p>

<div>
	<p>
		 
	</p>

	<p>
		“So why do we do these government warnings then? The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions” - <a href="https://twitter.com/ShaneHuntley/status/1446103826402971651" rel="external nofollow">Shane Huntley</a>
	</p>
</div>

<p>
	 
</p>

<p>
	Huntley says that these warnings are normal for individuals such as activists, journalists, government officials, or people who work in national security structures, because that’s who government-backed entities are targeting.
</p>

<p>
	 
</p>

<p>
	All the phishing emails from the Fancy Bear campaign were blocked by Gmail and did not land in the users’ inboxes as they were automatically classified as spam.
</p>

<p>
	 
</p>

<p>
	“As we've previously explained, we intentionally send these notices in batches, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies,” Huntley said.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="GovHackAlert.jpg" class="ipsImage" data-ratio="80.96" height="540" width="628" src="https://www.bleepstatic.com/images/news/u/1100723/2021/GovHackAlert.jpg">
		</p>

		<figcaption>
			source: <a href="https://twitter.com/bartongellman/status/1446155364001587207" rel="external nofollow">Barton Gellman</a>
		</figcaption>
	</figure>
</div>

<p>
	APT28 has been operating since at least 2004 on behalf of Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.
</p>

<p>
	 
</p>

<p>
	The group is typically engaged in data theft and espionage activity. Among its more recent targets are <a href="https://www.bleepingcomputer.com/news/security/eu-sanctions-russian-hackers-over-2015-german-parliament-attack/" rel="external nofollow">members of the Bundestag</a>, the German federal parliament, and of the <a href="https://www.bleepingcomputer.com/news/security/norway-says-russian-hackers-were-behind-august-parliament-attack/" rel="external nofollow">Norwegian Parliament</a>.
</p>

<p>
	 
</p>

<p>
	Google’s goal with these alerts is to inform individuals that they are being targeted so they can improve defenses. The company’s recommendation is to enroll in the <a href="https://landing.google.com/advancedprotection/" rel="external nofollow">Advanced Protection Program</a> for work and personal email.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/google-warns-14-000-gmail-users-targeted-by-russian-hackers/" rel="external nofollow">Google warns 14,000 Gmail users targeted by Russian hackers</a>
</p>
]]></description><guid isPermaLink="false">2736</guid><pubDate>Fri, 08 Oct 2021 02:43:39 +0000</pubDate></item><item><title>Microsoft is disabling Excel 4.0 macros by default to protect users</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-is-disabling-excel-40-macros-by-default-to-protect-users-r2735/</link><description><![CDATA[<p>
	Microsoft will soon begin disabling Excel 4.0 XLM macros by default in Microsoft 365 tenants to protect customers from malicious documents.
</p>

<p>
	 
</p>

<p>
	Excel 4.0 macros, or XLM macros, were first added to Excel in 1992 and allowed users to enter various commands into cells that are then executed to perform a task.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="malicious-excel_4-document.jpg" class="ipsImage" data-ratio="75.10" height="473" width="720" src="https://www.bleepstatic.com/images/news/Microsoft/m/microsoft-365/disable-excel-4-macros/malicious-excel_4-document.jpg">
		</p>

		<figcaption>
			Malicious XLS document with obfuscated Excel 4.0 macro
		</figcaption>
	</figure>
</div>

<p>
	While VBA macros were introduced in Excel 5.0 in 1993, threat actors continue to use XLM macros nearly three decades later in malicious documents that download malware or perform other unwanted behavior.
</p>

<p>
	 
</p>

<p>
	Malicious campaigns utilizing Excel 4.0 XLM macros include ones for malware, such as <a href="https://twitter.com/h2jazi/status/1331342523462258696" rel="external nofollow" target="_blank">TrickBot</a>, <a href="https://twitter.com/elceef/status/1396916046188195849" rel="external nofollow" target="_blank">Qbot</a>, <a href="https://twitter.com/jcarndt/status/1260998505541353472" rel="external nofollow" target="_blank">Dridex</a>, <a href="https://twitter.com/elceef/status/1392177026078056455" rel="external nofollow" target="_blank">Zloader</a>, and many more.
</p>

<p>
	 
</p>

<p>
	Due to their continued abuse, Microsoft has been recommending users switch from and disable Excel 4.0 XLM macros for years in favor of VBA macros. This recommendation is because VBA macros support the <a href="https://docs.microsoft.com/en-us/windows/desktop/amsi/antimalware-scan-interface-portal" rel="external nofollow" target="_blank">Antimalware Scan Interface (AMSI)</a>, which can be used by security software to scan macros for malicious behavior.
</p>

<p>
	 
</p>

<p>
	To disable Excel 4.0 macros, Windows admins can use group policies to disable the feature, and users can disable it via the Excel Trust Center by unchecking the “Enable XLM macros when VBA macros are enabled” setting.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="trust-center-setting.jpg" class="ipsImage" data-ratio="75.10" height="540" width="664" src="https://www.bleepstatic.com/images/news/Microsoft/m/microsoft-365/disable-excel-4-macros/trust-center-setting.jpg">
		</p>

		<figcaption>
			Enable XLM macros when VBA macros are enabled in Excel Trust Center
		</figcaption>
	</figure>
</div>

<h2>
	Microsoft to disable Excel 4.0 macros in all tenants
</h2>

<p>
	Instead of waiting for organizations to disable XLM macros on their own, Microsoft announced yesterday that it would disable Excel 4.0 macros by default, starting in October in preview builds and then moving on to the Current Channel in November.
</p>

<p>
	 
</p>

<p>
	"We are introducing a change to the Excel Trust Center Macro settings to provide a more secure experience for users by default. This new default behavior will disable Excel 4.0 macros," explained an advisory in the Microsoft 365 message center.
</p>

<p>
	 
</p>

<p>
	Microsoft will begin disabling Excel 4.0 macros in all tenants using this rollout schedule:
</p>

<p>
	 
</p>

<ul>
	<li>
		Insiders-Slow: will roll out in late October and be complete in early November.
	</li>
	<li>
		Current Channel: will roll out in early November and be complete in mid-November.
	</li>
	<li>
		Monthly Enterprise Channel (MEC): will begin and complete rollout in mid-December.
	</li>
</ul>

<p>
	 
</p>

<p>
	Microsoft will not be making any changes for users who have manually configured this setting or configured it via group policies.
</p>

<p>
	 
</p>

<p>
	When the change rolls out, the "Enable XLM macros when VBA macros are enabled" setting will be unchecked by default, which disables XLM macros.
</p>

<p>
	 
</p>

<p>
	Microsoft states that users who wish to enable XLM macros after this rollout has finished can do so in the Excel Trust Center.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/microsoft/microsoft-is-disabling-excel-40-macros-by-default-to-protect-users/" rel="external nofollow">Microsoft is disabling Excel 4.0 macros by default to protect users</a>
</p>
]]></description><guid isPermaLink="false">2735</guid><pubDate>Fri, 08 Oct 2021 02:40:56 +0000</pubDate></item><item><title>Firefox now shows ads as sponsored address bar suggestions</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-now-shows-ads-as-sponsored-address-bar-suggestions-r2731/</link><description><![CDATA[<p>
	Mozilla is now showing ads in the form of sponsored Firefox contextual suggestions when U.S. users type in the URL address bar.
</p>

<p>
	 
</p>

<p>
	Mozilla says the feature was introduced with Firefox 92 in September to fund development and optimization.
</p>

<p>
	 
</p>

<p>
	"Beginning in Firefox version 92, you will also receive new, relevant suggestions from our trusted partners based on what you're searching for. No new data is collected, stored, or shared to make these new recommendations," Mozilla <a href="https://support.mozilla.org/en-US/kb/navigate-web-faster-firefox-suggest" rel="external nofollow" target="_blank">says</a>.
</p>

<p>
	 
</p>

<p>
	While blog posts [<a href="https://blog.mozilla.org/en/products/firefox/firefox-news/firefox-suggest/" rel="external nofollow" target="_blank">1</a>, <a href="https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/" rel="external nofollow" target="_blank">2</a>] presenting it under the "Firefox Suggest" name were published in September, it was first mentioned in a Firefox changelog with <a href="https://www.mozilla.org/en-US/firefox/93.0/releasenotes/" rel="external nofollow" target="_blank">the release of Firefox 93 two days ago</a> and presented as a "faster way to navigate the web."
</p>

<p>
	 
</p>

<p>
	"Firefox Suggest is a new discovery feature that is built directly into the browser. Firefox Suggest acts as a trustworthy guide to the better web, surfacing relevant information and sites to help people accomplish their goals," Mozilla <a href="https://blog.mozilla.org/en/products/firefox/firefox-news/firefox-suggest/" rel="external nofollow" target="_blank">said at the time.</a>
</p>

<p>
	 
</p>

<p>
	"Firefox Suggest will enhance this by including other sources of information such as Wikipedia, Pocket articles, reviews and credible content from sponsored, vetted partners and trusted organizations."
</p>

<p>
	 
</p>

<p>
	Mozilla says it will only work with partners that meet Firefox's privacy standards, with the preferred partner for now being <a href="https://www.admarketplace.com/privacy-policy/" rel="external nofollow" target="_blank">adMarketplace</a>.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedVideo" contenteditable="false">
	<div>
		<iframe allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="113" src="https://nsaneforums.com/applications/core/interface/index.html" width="200" data-embed-src="https://www.youtube.com/embed/Rvf1ND7i2RM?feature=oembed"></iframe>
	</div>
</div>

<h2>
	Opt-in or opt-out?
</h2>

<p>
	Mozilla <a href="https://support.mozilla.org/en-US/kb/navigate-web-faster-firefox-suggest#w_contextual-suggestions" rel="external nofollow" target="_blank">says on its support site</a> that these suggestions will only be enabled after users provide access to new data types by clicking "Allow suggestions" when prompted or by manually choosing the types of suggestions that will be shown from settings.
</p>

<p>
	 
</p>

<p>
	To toggle Firefox Suggest and change the types of suggestions showing up at any time, you have to click the menu button and go to Settings &gt; Privacy &amp; Security on the left, and then go down to the Address Bar — Firefox Suggest section.
</p>

<p>
	 
</p>

<p>
	To enable or disable contextual suggestions, select or deselect the checkbox next to Contextual suggestions. To toggle traditional <a href="https://support.mozilla.org/en-US/kb/address-bar-autocomplete-firefox#w_changing-your-address-bar-settings" rel="external nofollow" target="_blank">address bar suggestions</a>, such as Firefox Suggest results drawn from browsing history and bookmarks, check or uncheck their associated checkboxes.
</p>

<p>
	 
</p>

<p>
	However, while Mozilla describes Firefox Suggest contextual suggestions as opt-in, in <a href="https://www.bleepstatic.com/images/news/u/1109292/2021/Firefox_Suggest_ads.png" rel="external nofollow" target="_blank">BleepingComputer's tests</a> and from what users have reported [<a href="http://twitter.com/ladyaeva/status/1445926753424261123" rel="external nofollow" target="_blank">1</a>, <a href="https://news.ycombinator.com/item?id=28783381" rel="external nofollow" target="_blank">2</a>], the feature is on by default.
</p>

<p>
	 
</p>

<p>
	Furthermore, Firefox doesn't label the ads displayed via Firefox Suggest. There is no clear way to tell a sponsored suggestion apart from a regular, unsponsored one.
</p>

<p>
	 
</p>

<p>
	The only way Firefox users will know whether a sponsored suggestion is an ad would be by looking at the URL, but, in many cases, the URL is not clearly visible.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Firefox_Suggest_settings.png" class="ipsImage" data-ratio="75.10" height="437" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Firefox_Suggest_settings.png">
		</p>

		<figcaption>
			Firefox Suggest settings (BleepingComputer)
		</figcaption>
	</figure>
</div>

<h2>
	No PII data shared with partners
</h2>

<p>
	When Firefox Suggest is enabled, users' search queries are sent to Mozilla servers, and the clicked suggestions to partners via a Mozilla-owned proxy service.
</p>

<p>
	 
</p>

<p>
	"The data we share with partners does not include personally identifying information and is only shared when you see or click on a suggestion," Mozilla said.
</p>

<p>
	 
</p>

<p>
	Right now, Mozilla says it collects the following information to power its Firefox Suggest service when users opt in to contextual suggestions:
</p>

<p>
	 
</p>

<ul>
	<li>
		Search queries and suggest impressions: Firefox Suggest sends Mozilla search terms and information about engagement with Firefox Suggest, some of which may be shared with partners to provide and improve the suggested content.
	</li>
	<li>
		Clicks on suggestions: When a user clicks on a suggestion, Mozilla receives notice that suggested links were clicked.
	</li>
	<li>
		Location: Mozilla collects city-level location data along with searches, in order to properly serve location-sensitive queries.
	</li>
</ul>

<p>
	 
</p>

<p>
	In <a href="https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/" rel="external nofollow" target="_blank">this blog post</a>, you can find additional information on how collected data is handled and shared by Mozilla with its partners.
</p>

<h2>
	Mozilla revenue and market share
</h2>

<p>
	This newly added feature is likely an effort to diversify Mozilla's revenue streams, seeing that most of the organization's yearly revenue comes <a href="https://blog.mozilla.org/en/products/firefox/firefox-features-google-as-default-search-provider-in-the-u-s-canada-hong-kong-and-taiwan/" rel="external nofollow" target="_blank">from a deal made with Google in November 2017</a> to make Google's search engine the default search provider in the United States, Canada, Hong Kong, and Taiwan.
</p>

<p>
	 
</p>

<p>
	Mozilla has also introduced <a href="https://support.mozilla.org/en-US/kb/sponsor-privacy" rel="external nofollow" target="_blank">sponsored tiles (aka sponsored shortcuts)</a> on the default home page and the New Tab page in Firefox to promote content provided by advertising partners (Mozilla gets paid only when users click on the displayed tiles).
</p>

<p>
	<a href="https://www.admarketplace.com/privacy-policy/" rel="external nofollow" target="_blank">adMarketplace</a> is also the preferred partner for the sponsored tiles feature as it meets Mozilla's privacy standards for Firefox.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Firefox_market_share.png" class="ipsImage" data-ratio="66.81" height="355" width="720" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Firefox_market_share.png">
		</p>

		<figcaption>
			Firefox market share (Mozilla)
		</figcaption>
	</figure>
</div>

<p>
	Firefox currently has 3.67% of the browser market share worldwide, compared to Google Chrome's 65.15% and Apple Safari's 18.4%, according to <a href="https://gs.statcounter.com/browser-market-share" rel="external nofollow" target="_blank">Statcounter's GlobalStats</a>.
</p>

<p>
	 
</p>

<p>
	Also, according to Mozilla's <a href="https://data.firefox.com/dashboard/user-activity" rel="external nofollow" target="_blank">Firefox Public Data Report</a>, the web browser reported just over 211 million Monthly Active Users (MAU) on September 27, a metric that counts the Firefox Desktop clients active during the last 28 days.
</p>

<p>
	 
</p>

<p>
	A Mozilla spokesperson was not able to provide a comment before BleepingComputer published the article. 
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/firefox-now-shows-ads-as-sponsored-address-bar-suggestions/" rel="external nofollow">Firefox now shows ads as sponsored address bar suggestions</a>
</p>
]]></description><guid isPermaLink="false">2731</guid><pubDate>Thu, 07 Oct 2021 22:01:17 +0000</pubDate></item><item><title>Microsoft: Russia behind 58% of detected state-backed hacks</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-russia-behind-58-of-detected-state-backed-hacks-r2727/</link><description><![CDATA[<p>
	BOSTON (AP) — Russia accounted for most state-sponsored hacking detected by Microsoft over the past year, with a 58% share, mostly targeting government agencies and think tanks in the United States, followed by Ukraine, Britain and European NATO members, the company said.
</p>

<p>
	 
</p>

<p>
	The devastating effectiveness of the long-undetected SolarWinds hack — it mainly breached information technology businesses including Microsoft — also boosted Russian state-backed hackers’ success rate to 32% in the year ending June 30, compared with 21% in the preceding 12 months.
</p>

<p>
	 
</p>

<p>
	China, meanwhile, accounted for fewer than 1 in 10 of the state-backed hacking attempts Microsoft detected but was successful 44% of the time in breaking into targeted networks, Microsoft said in its second annual Digital Defense Report, which covers July 2020 through June 2021.
</p>

<p>
	 
</p>

<p>
	While Russia’s prolific state-sponsored hacking is well known, Microsoft’s report offers unusually specific detail on how it stacks up against that by other U.S. adversaries.
</p>

<p>
	 
</p>

<p>
	The report also cited ransomware attacks as a serious and growing plague, with the United States by far the most targeted country, hit by more than triple the attacks of the next most targeted nation. Ransomware attacks are criminal and financially motivated.
</p>

<p>
	 
</p>

<p>
	By contrast, state-backed hacking is chiefly about intelligence gathering — whether for national security or commercial or strategic advantage — and thus generally tolerated by governments, with U.S. cyber operators among the most skilled. The report by Microsoft Corp., which works closely with Washington government agencies, does not address U.S. government hacking.
</p>

<p>
	 
</p>

<p>
	The SolarWinds hack was such an embarrassment to the U.S. government, however, that some Washington lawmakers demanded some sort of retaliation. President Joe Biden has had a difficult time drawing a red line for what cyberactivity is permissible. He has issued vague warnings to President Vladimir Putin to get him to crack down on ransomware criminals, but several top administration cybersecurity officials said this week that they have seen no evidence of that.
</p>

<p>
	 
</p>

<p>
	Overall, nation-state hacking has about a 10%-20% success rate, said Cristin Goodwin, who heads Microsoft’s Digital Security Unit, which is focused on nation-state actors. “It’s something that’s really important for us to try to stay ahead of — and keep driving that compromised number down — because the lower it gets, the better we’re doing,” Goodwin said.
</p>

<p>
	 
</p>

<p>
	Goodwin finds China’s “geopolitical goals” in its recent cyberespionage especially notable, including targeting foreign ministries in Central and South American countries where it is making Belt-and-Road-Initiative infrastructure investments and universities in Taiwan and Hong Kong where resistance to Beijing’s regional ambitions is strong. The findings further show that the conventional wisdom that Chinese cyber spies’ interests are limited to pilfering intellectual property is obsolete.
</p>

<p>
	 
</p>

<p>
	Russian hack attempts were up from 52% in the 2019-20 period as a share of global cyber-intrusion bids detected by the “nation-state notification service” that Microsoft employs to alert its customers. For the year ending June 30, North Korea was second as country of origin at 23%, up from less than 11% previously. China dipped to 8% from 12%.
</p>

<p>
	 
</p>

<p>
	But attempt volume and efficacy are different matters. North Korea’s failure rate on spear-phishing — targeting individuals, usually with booby-trapped emails — was 94% in the past year, Microsoft found.
</p>

<p>
	 
</p>

<p>
	Only 4% of all state-backed hacking that Microsoft detected targeted critical infrastructure, the Redmond, Washington-based company said, with Russian agents far less interested in it than Chinese or Iranian cyber-operatives.
</p>

<p>
	 
</p>

<p>
	After the SolarWinds hack was discovered in December, the Russians transitioned back to focus mostly on government agencies involved in foreign policy, defense and national security, followed by think tanks then health care, where they targeted organizations developing and testing COVID-19 vaccines and treatments in the United States, Australia, Canada, Israel, India and Japan.
</p>

<p>
	 
</p>

<p>
	In the report, Microsoft said Russian state hackers’ recent greater efficacy “could portend more high-impact compromises in the year ahead.” Accounting for more than 92% of the detected Russian activity was the elite hacking team in Russia’s SVR foreign intelligence agency best known as Cozy Bear.
</p>

<p>
	 
</p>

<p>
	Cozy Bear, which Microsoft calls Nobelium, was behind the SolarWinds hack, which went undetected for most of 2020 and whose discovery badly embarrassed Washington. Among badly compromised U.S. government agencies was the Department of Justice, from which the Russian cyber spies exfiltrated 80% of the email accounts used by the U.S. attorneys’ offices in New York.
</p>

<p>
	 
</p>

<p>
	Microsoft’s nation-state notifications, of which about 7,500 were issued globally in the period covered by the report, are by no means exhaustive. They only reflect what Microsoft detects.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://apnews.com/article/technology-business-china-europe-united-states-e13548edf082992a735a0af1da39b6c8" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2727</guid><pubDate>Thu, 07 Oct 2021 16:05:43 +0000</pubDate></item><item><title>It&#x2019;s Time to Stop Paying for a VPN</title><link>https://nsaneforums.com/news/security-privacy-news/it%E2%80%99s-time-to-stop-paying-for-a-vpn-r2720/</link><description><![CDATA[<p>
	I’m done with paying for a virtual private network, a service that claims to protect your privacy when you’re connected to a public Wi-Fi network at the local coffee shop, the airport or a hotel.
</p>

<p>
	 
</p>

<p>
	For more than a decade, security experts have recommended using a VPN to shield your internet traffic from bad actors who are trying to snoop on you. But just as tech gadgets become outdated over time, so does some tech advice.
</p>

<p>
	 
</p>

<p>
	The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said.
</p>

<p>
	 
</p>

<p>
	Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records. That’s a deal-breaker when it comes to using a VPN service, which intercepts our internet traffic. If you can’t trust a product that claims to protect your privacy, what good is it?
</p>

<p>
	 
</p>

<p>
	“Trusting these people is really critical,” Matthew Green, a computer scientist who studies encryption, said about VPN providers. “There’s no good way to know what they’re doing with your data, which they have huge amounts of control over.”
</p>

<p>
	 
</p>

<p>
	I learned this the hard way. For several years, I subscribed to a popular VPN service called Private Internet Access. In 2019, I saw the news that the service had been acquired by Kape Technologies, a security firm in London. Kape was previously named Crossrider, a company that had been called out by researchers at Google and the University of California for developing malware. I immediately canceled my subscription.
</p>

<p>
	 
</p>

<p>
	In the last five years, Kape has also bought several other popular VPN services, including CyberGhost VPN, Zenmate and, just last month, ExpressVPN in a $936 million deal. This year, Kape additionally bought a group of VPN review sites that give top ratings to the VPN services it owns.
</p>

<p>
	 
</p>

<p>
	A Kape spokeswoman said that Crossrider, which has long been shut down, was a development platform that was misused by those who distributed malware. She said Kape’s VPN review sites maintained their independent editorial standards.
</p>

<p>
	 
</p>

<p>
	“It kind of sets a concerning precedent from the consumer standpoint,” said Sven Taylor, the founder of the tech blog Restore Privacy. “As the average user goes online to look for information about the product, do they know that what they’re reading might have been written by the company that owns the end product?”
</p>

<p>
	 
</p>

<p>
	A caveat: VPNs are still great for some applications, such as in authoritarian countries where citizens use the technology to make it look as if they are using the internet in other locations. That helps give them access to web content they cannot normally see. But as a mainstream privacy tool, it’s no longer an ideal solution.
</p>

<p>
	 
</p>

<p>
	This sent me down a rabbit hole of seeking alternatives to paying for a VPN. I ended up using some web tools to create my own private network for free, which wasn’t easy. But I also learned that many casual users may not even need a VPN anymore.
</p>

<p>
	 
</p>

<p>
	<strong>What Has Changed About VPNs</strong>
</p>

<p>
	Not long ago, many websites lacked security mechanisms to prevent bad actors from eavesdropping on what people were doing when browsing their sites, which opened doors to their data being hijacked. This helped VPN services become a must-have security product. VPN providers offered to help cloak people’s browsing information by creating an encrypted tunnel on their servers, through which all your web traffic passes.
</p>

<p>
	 
</p>

<p>
	But in the last five years, the internet has undergone immense change. Many privacy advocates and tech companies pushed for website creators to rewrite their sites to support HTTPS, a security protocol that encrypts traffic and solves most of the aforementioned problems.
</p>

<p>
	 
</p>

<p>
	You’ve probably noticed the padlock symbol on your web browser. A locked padlock indicates a site is using HTTPS; an unlocked one means it’s not and is therefore more susceptible to attack. These days, it’s rare to stumble upon a site with an unlocked padlock — 95 percent of the top 1,000 websites are now encrypted with HTTPS, according to W3Techs, a site that compiles data on web technologies.
</p>

<p>
	 
</p>

<p>
	This means that VPNs are no longer an essential tool when most people browse the web on a public Wi-Fi network, said Dan Guido, the chief executive of Trail of Bits, a cybersecurity firm.
</p>

<p>
	 
</p>

<p>
	“It’s very difficult to find cases where people were harmed by signing on to the airport, coffee shop or hotel Wi-Fi,” he said. These days, he added, the people who benefit from a VPN are those working in high-risk fields and who might be targets, like journalists who correspond with sensitive sources and business executives carrying trade secrets while traveling abroad.
</p>

<p>
	 
</p>

<p>
	<strong>Simple Alternatives</strong>
</p>

<p>
	So what to do? Fortunately, most of us can secure ourselves online with basic protections that, unlike VPN services, are free, Mr. Guido said.
</p>

<p>
	Importantly, people should keep the software on their devices and web browsers up to date because new software updates include security protections against the latest vulnerabilities, he said.
</p>

<p>
	 
</p>

<p>
	Another crucial step is setting up online accounts with two-step verification, which requires two forms of verification of your identity before letting you log in. That safeguard can help prevent attackers from gaining access to your data if they obtain your passwords.
</p>

<p>
	 
</p>

<p>
	For those who would still prefer not to browse the web on a public Wi-Fi network, there’s an easy solution included on most smartphones. The personal hot spot, a feature for wirelessly sharing a smartphone’s cellular data connection with other devices, like your computer, can be activated in the phone’s settings. Many phone plans don’t charge extra to use this feature, though hotspotting does count against the monthly data allotment in your cellular plan.
</p>

<p>
	 
</p>

<p>
	<strong>How to Create Your Own VPN</strong>
</p>

<p>
	Some people (including myself) still benefit from using a VPN, and not all providers are bad.
</p>

<p>
	 
</p>

<p>
	Wirecutter, a New York Times publication that tests products, recommends a few that are still trustworthy. But if your next VPN gets bought by a larger company, you may have to vet its trustworthiness all over again. I’m tired of the whiplash, so I created my own private network service.
</p>

<p>
	I turned to Algo VPN, a free tool developed by Mr. Guido that automatically builds a VPN service in the cloud, which shields my browsing activity by allowing me to create a virtual tunnel on an outside server for my internet traffic to pass through.
</p>

<p>
	 
</p>

<p>
	Following the instructions listed on the Algo VPN project website, I set up a cloud service where my VPN service would be located on Amazon Web Services, a reputable and widely trusted cloud provider. The rest of the steps involved installing some scripts on my computer and typing in commands to generate my VPN.
</p>

<p>
	 
</p>

<p>
	After about an hour, I set up a VPN that worked flawlessly. The best part? Not only is it free to use, but I no longer have to worry about trust, because the operator of the technology is me.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://www.nytimes.com/2021/10/06/technology/personaltech/are-vpns-worth-it.html?action=click&amp;module=Well&amp;pgtype=Homepage&amp;section=Technology" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2720</guid><pubDate>Thu, 07 Oct 2021 13:05:15 +0000</pubDate></item><item><title>Twitch: No credentials or card numbers exposed in data breach</title><link>https://nsaneforums.com/news/security-privacy-news/twitch-no-credentials-or-card-numbers-exposed-in-data-breach-r2717/</link><description><![CDATA[<p>
	Twitch says that no login credentials and credit card numbers belonging to users or streamers were exposed following yesterday's massive data leak.
</p>

<p>
	 
</p>

<p>
	The company added that the attackers could gain access to the stolen data due to a faulty Twitch server configuration change.
</p>

<p>
	 
</p>

<p>
	"We have learned that some data was exposed to the internet due to an error in a Twitch server configuration change that was subsequently accessed by a malicious third party," Twitch said.
</p>

<p>
	 
</p>

<p>
	"At this time, we have no indication that login credentials have been exposed. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed."
</p>

<p>
	 
</p>

<p>
	Twitch security teams are still investigating the incident to fully assess its impact.
</p>

<p>
	 
</p>

<p>
	"Our teams are working with urgency to investigate the incident. As the investigation is ongoing, we are still in the process of understanding the impact in detail," the company added.
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed1851412287" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/Twitch/status/1445985601174392835?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1445985601174392835%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.bleepingcomputer.com/news/security/twitch-no-credentials-or-card-numbers-exposed-in-data-breach/" style="overflow: hidden; height: 275px;"></iframe>
</div>


<p>
	 
</p>

<p>
	In a follow-up update, Twitch said that it also reset all stream keys and asked streamers to go through the following procedure before starting their next stream:
</p>

<p>
	 
</p>

<ul>
	<li>
		Twitch Studio, Streamlabs, Xbox, PlayStation and Twitch Mobile App users should not need to take any action for your new key to work. 
	</li>
	<li>
		OBS users who have connected their Twitch account should also not need to take any action. OBS users that have not connected their Twitch account to OBS will need to manually copy their stream key from their Twitch Dashboard and paste it into OBS. 
	</li>
	<li>
		For all others, please refer to specific setup instructions for your software of choice. 
	</li>
</ul>

<h2>
	125 GB of stolen source code and payment reports
</h2>

<p>
	While Twitch didn't reveal what servers were misconfigured to cause the breach, the leaker who posted the leak on the 4chan bulletin board said the data was <a href="https://www.bleepingcomputer.com/news/security/massive-twitch-hack-source-code-and-payment-reports-leaked/" rel="external nofollow" target="_blank">allegedly stolen from roughly 6,000 internal Twitch Git repositories</a>.
</p>

<p>
	 
</p>

<p>
	"Their community is also a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories," the anonymous poster said.
</p>

<p>
	 
</p>

<p>
	According to the 4chan user, the leaked archive contains the following Twitch info:
</p>

<p>
	 
</p>

<ul>
	<li>
		The entirety of twitch.tv, with commit history going back to its early beginnings
	</li>
	<li>
		Mobile, desktop, and video game console Twitch clients
	</li>
	<li>
		Various proprietary SDKs and internal AWS services used by Twitch
	</li>
	<li>
		Every other property that Twitch owns, including IGDB and CurseForge
	</li>
	<li>
		An unreleased Steam competitor from Amazon Game Studios
	</li>
	<li>
		Twitch SOC internal red teaming tools (lol)
	</li>
	<li>
		Creator payout reports from 2019 until now.
	</li>
</ul>

<p>
	 
</p>

<p>
	They also named the 4chan thread "twitch leaks part one," which hints at additional stolen data likely to be leaked soon.
</p>

<p>
	 
</p>

<p>
	BleepingComputer confirmed that the stolen info looks authentic and matches what was disclosed by the 4chan user.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/twitch-no-credentials-or-card-numbers-exposed-in-data-breach/" rel="external nofollow">Twitch: No credentials or card numbers exposed in data breach</a>
</p>
]]></description><guid isPermaLink="false">2717</guid><pubDate>Thu, 07 Oct 2021 09:51:40 +0000</pubDate></item><item><title>Twitch suffers massive data breach, sensitive details leaked</title><link>https://nsaneforums.com/news/security-privacy-news/twitch-suffers-massive-data-breach-sensitive-details-leaked-r2707/</link><description><![CDATA[<p>
	Hugely popular streaming platform Twitch has reportedly suffered a massive security breach, with a large amount of sensitive data leaked online. <a href="https://www.videogameschronicle.com/news/the-entirety-of-twitch-has-reportedly-been-leaked" rel="external nofollow">The report comes from VGC</a>, which claims that a user posted a link to a 125GB torrent containing Amazon-owned Twitch data on 4chan forums.
</p>

<p>
	 
</p>

<p>
	The torrent is apparently available to download publicly and contains source code for Twitch software, encrypted passwords, and the company's financial dealings with popular streamers. Naturally, the information has been posted on other platforms too, as can be seen below:
</p>

<p>
	 
</p>

<div class="ipsEmbeddedOther" contenteditable="false">
	<iframe allowfullscreen="" class="ipsEmbed_finishedLoading" data-controller="core.front.core.autosizeiframe" data-embedid="embed4672337141" scrolling="no" src="https://nsaneforums.com/index.php?app=core&amp;module=system&amp;controller=embed&amp;url=https://twitter.com/KnowS0mething/status/1445663228831297545?ref_src=twsrc%255Etfw%257Ctwcamp%255Etweetembed%257Ctwterm%255E1445663228831297545%257Ctwgr%255E%257Ctwcon%255Es1_%26ref_url=https://www.neowin.net/news/twitch-suffers-massive-data-breach-sensitive-details-leaked/" style="overflow: hidden; height: 905px;"></iframe>
</div>

<p>
	 
</p>

<p>
	The leak also contains references to Twitch's competitor to Steam, codenamed "Vapor". In the same vein, "Vapeworld", purportedly a chat app for Vapor, has been mentioned too.
</p>

<p>
	 
</p>

<p>
	VGC says that an internal Twitch source has confirmed the validity of the data leaked in the hack. The data was apparently extracted on Monday. The person who posted the URL to the torrent on 4chan claimed that the reason for the hack is to "foster more disruption and competition in the online video streaming space [because] their community is a disgusting toxic cesspool".
</p>

<p>
	 
</p>

<p>
	Although reports claim that the leak contains only encrypted passwords, it is still advisable to change your credentials as soon as possible and turn on two-factor authentication, just to be on the safe side. Twitch is yet to issue an official statement regarding the matter.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/twitch-suffers-massive-data-breach-sensitive-details-leaked/" rel="external nofollow">Twitch suffers massive data breach, sensitive details leaked</a>
</p>
]]></description><guid isPermaLink="false">2707</guid><pubDate>Wed, 06 Oct 2021 23:20:35 +0000</pubDate></item><item><title>Firefox improves advertising tracker blocking in private browsing</title><link>https://nsaneforums.com/news/security-privacy-news/firefox-improves-advertising-tracker-blocking-in-private-browsing-r2706/</link><description><![CDATA[<p>
	Mozilla says that Firefox users will be better protected from advertising trackers (like Google Analytics scripts) while browsing the Internet in Private Browsing mode and using Strict Tracking Protection.
</p>

<p>
	 
</p>

<p>
	This is because, starting with the Firefox 93 version released yesterday, the browser comes with improved web compatibility for privacy protections via SmartBlock 3.0.
</p>

<p>
	 
</p>

<p>
	The <a href="https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/" rel="external nofollow" target="_blank">SmartBlock</a> mechanism, introduced by Mozilla with the release of Firefox 87 in March, ensures that the <a href="https://www.bleepingcomputer.com/news/software/firefox-86-gets-a-privacy-boost-with-total-cookie-protection/" target="_blank" rel="external nofollow">Tracking Protection</a> feature and Strict Mode don't break websites when blocking tracking scripts.
</p>

<p>
	 
</p>

<p>
	It does that by loading local and privacy-preserving alternatives to blocked resources with behavior similar enough to the original ones to ensure that the site still works properly.
</p>

<p>
	 
</p>

<p>
	"The third iteration of SmartBlock brings vastly improved support for replacing the popular Google Analytics scripts and added support for popular services such as Optimizely, Criteo, Amazon TAM and various Google advertising scripts," Mozilla <a href="https://blog.mozilla.org/security/2021/10/05/firefox-93-features-an-improved-smartblock-and-new-referrer-tracking-protections/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"As usual, these replacements are bundled with Firefox and cannot track you in any way."
</p>

<p>
	 
</p>

<p>
	Starting with this release, Firefox also comes with enhanced Referrer Tracking Protection which blocks sites from sharing sensitive user data via HTTP referrers by trimming the HTTP referrer for cross-site requests, regardless of the site's settings.
</p>

<h2>
	How Firefox private browsing defends your privacy
</h2>

<p>
	Mozilla also announced in July that the SmartBlock cross-site tracking blocking tech was <a href="https://www.bleepingcomputer.com/news/security/firefox-90-adds-enhanced-tracker-blocking-to-private-browsing/" target="_blank" rel="external nofollow">updated to block Facebook tracking scripts</a> while still allowing logins to work.
</p>

<p>
	 
</p>

<p>
	In June, it also enabled <a href="https://www.bleepingcomputer.com/news/security/firefox-now-blocks-cross-site-tracking-by-default-in-private-browsing/" target="_blank" rel="external nofollow">Total Cookie Protection by default in Private Browsing</a> windows starting with Firefox 89, automatically protecting users from cross-site tracking.
</p>

<p>
	 
</p>

<p>
	While browsing the Internet in private mode, Firefox is designed to protect your privacy with several privacy protection technologies, all of them enabled by default:
</p>

<p>
	 
</p>

<ul>
	<li>
		<a href="https://www.bleepingcomputer.com/news/software/firefox-86-gets-a-privacy-boost-with-total-cookie-protection/" target="_blank" rel="external nofollow">Total Cookie Protection</a> isolates cookies to the site where they were created.
	</li>
	<li>
		<a href="https://www.bleepingcomputer.com/news/software/firefox-85-adds-supercookie-protection-removes-flash-support/" target="_blank" rel="external nofollow">Supercookie protections</a> stop supercookies from following you from site to site.
	</li>
	<li>
		<a href="https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history#w_what-does-private-browsing-not-save" rel="external nofollow" target="_blank">Cookies and caches are cleared</a> at the end of every Private Browsing session and aren't shared with standard windows.
	</li>
	<li>
		<a href="https://blog.mozilla.org/blog/2019/06/04/firefox-now-available-with-enhanced-tracking-protection-by-default/" rel="external nofollow" target="_blank">Trackers are blocked</a>, including cookies, scripts, tracking pixels, and other resources from domains on Disconnect's list of known trackers.
	</li>
	<li>
		<a href="https://blog.mozilla.org/security/2020/01/07/firefox-72-fingerprinting/" rel="external nofollow" target="_blank">Many fingerprinting scripts are blocked</a>, according to Disconnect's list of invasive fingerprinting domains.
	</li>
	<li>
		<a href="https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/" rel="external nofollow" target="_blank">SmartBlock</a> intelligently fixes up web pages that were previously broken when tracking scripts were blocked.
	</li>
</ul>

<p>
	 
</p>

<p>
	To switch to private browsing, you have to open the Application Menu by clicking the button (☰) on the top right corner and choose "New Private Window."
</p>

<p>
	 
</p>

<p>
	You can also enable private browsing mode by using the Ctrl + Shift + P (or Cmd + Shift + P on macOS) keyboard shortcut.
</p>

<p>
	 
</p>

<p>
	In related news, Firefox 93 now also <a href="https://blog.mozilla.org/security/2021/10/05/firefox-93-protects-against-insecure-downloads/" rel="external nofollow" target="_blank">blocks downloads over HTTP</a> to protect against potentially unsafe or malicious downloads.
</p>

<p>
	 
</p>

<p>
	Furthermore, when available system memory is critically low on Windows devices, <a href="https://www.mozilla.org/en-US/firefox/93.0/releasenotes/" rel="external nofollow" target="_blank">Firefox will automatically unload browsing tabs</a> based on their last access time, memory usage, and other attributes to reduce out-of-memory crashes.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/firefox-improves-advertising-tracker-blocking-in-private-browsing/" rel="external nofollow">Firefox improves advertising tracker blocking in private browsing</a>
</p>
]]></description><guid isPermaLink="false">2706</guid><pubDate>Wed, 06 Oct 2021 23:18:32 +0000</pubDate></item><item><title>TA544 Targeting Italian Organizations with Ursnif Trojan</title><link>https://nsaneforums.com/news/security-privacy-news/ta544-targeting-italian-organizations-with-ursnif-trojan-r2694/</link><description><![CDATA[<p>
	A new malware campaign has been discovered using the Ursnif banking trojan and targeting organizations in Italy. A few months ago, Ursnif was being used against at least 100 banks in Italy.
</p>

<p>
	 
</p>

<p>
	<strong>Discussing the campaign</strong>
</p>

<p>
	<br />
	Proofpoint researchers have observed 20 campaigns spreading hundreds of thousands of email messages aimed at Italian organizations this year.
</p>

<p>
	 
</p>

<ul>
	<li>
		In the campaign, TA544 impersonated Italian organizations, posing either as a courier company or as an agency in the energy sector, and asked the targeted users for payments.
	</li>
</ul>

<ul>
	<li>
		Once the payload is installed on a targeted machine, the Ursnif campaign uses web injects and redirections against numerous sites.
	</li>
	<li>
		The discovered web injects are capable of stealing credentials from multiple sites and online services used by Italian users.
	</li>
	<li>
		It targeted login portals of a large number of sites, including UniCredit Group, Agenziabpb, ING, BNL, eBay, PayPal, Banca Sella, CheBanca!, and IBK.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>The targeting module</strong>
</p>

<p>
	<br />
	According to Proofpoint, more than half a million messages have been observed targeting Italian organizations, making Ursnif the most frequently observed malware targeting this region.
</p>

<p>
	 
</p>

<ul>
	<li>
		The emails are laden with malicious Microsoft Office documents containing macros. If the victim enables macros, the document deploys Ursnif on the machine.
	</li>
	<li>
		In some of these campaigns, the threat actor employs geofencing to confirm that recipients are in the targeted geographic regions.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Conclusion</strong>
</p>

<p>
	<br />
	TA544’s campaigns have been ongoing since last year and are still targeting Italian users with the Ursnif banking trojan. Organizations are recommended to stay alert and train employees to spot malicious emails. Additionally, make sure that macros are disabled for all employees who do not need them.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cyware.com/news/ta544-targeting-italian-organizations-with-ursnif-trojan-0b833c12" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2694</guid><pubDate>Wed, 06 Oct 2021 16:44:42 +0000</pubDate></item><item><title>FormBook Abuses New Zero-Day Vulnerability in Office 365</title><link>https://nsaneforums.com/news/security-privacy-news/formbook-abuses-new-zero-day-vulnerability-in-office-365-r2693/</link><description><![CDATA[<p>
	Recently, a new malware campaign has been discovered using a new version of the FormBook malware. The recent variant, identified by both Microsoft and Trend Micro, exploits a recently discovered zero-day vulnerability in Office 365.
</p>

<p>
	 
</p>

<p>
	<strong>The new version of FormBook</strong>
</p>

<p>
	<br />
	For a long time, FormBook has been known for exploiting the CVE-2017-0199 flaw, but recent versions of the malware have been updated to abuse a recent Office 365 zero-day vulnerability (CVE-2021-40444).
</p>

<p>
	 
</p>

<ul>
	<li>
		FormBook developers have re-written their original exploit and used the initial codebase to deploy Cobalt Strike beacons.
	</li>
	<li>
		In the ongoing effort, FormBook uses a different ‘Target’ format inside the document[.]xml[.]rels. This new format is meant to bypass detections with the use of Target options.
	</li>
	<li>
		The vulnerability can be exploited even if the URL is jumbled up using directory traversal paths and empty options for Target. Moreover, after exploitation, Word sends a request to the server, as seen in the network capture.
	</li>
	<li>
		FormBook developers have also added an additional obfuscation mechanism for the exploit code to provide additional protection. It has added two calls to a function for anti-debugging behavior to prevent reverse engineering.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>The attack chain </strong>
</p>

<p>
	<br />
	The campaign uses an email laden with a malicious Word document attachment as an initial attack vector. Two layers of PowerShell scripts are used to deploy the FormBook malware. 
</p>

<p>
	 
</p>

<ul>
	<li>
		The first stage downloads the second one, which is saved as an attachment hosted on Discord. This is possibly done to bypass network protection.
	</li>
	<li>
		The next stage is downloaded from Discord (using an obfuscated URL). This downloaded attachment is the second PowerShell layer (formatted in Base64).
	</li>
	<li>
		The final payload deployed in the recent campaign is similar to that used in earlier campaigns and is identified as FormBook version 4.1.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Conclusion</strong>
</p>

<p>
	<br />
	Zero-day flaws are already popular among threat actors and abusing those usually has severe consequences. Therefore, experts suggest following a proper patch management program and using reliable anti-malware solutions.
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://cyware.com/news/formbook-abuses-new-zero-day-vulnerability-in-office-365-57dfdd82" rel="external nofollow">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2693</guid><pubDate>Wed, 06 Oct 2021 16:40:11 +0000</pubDate></item><item><title>GhostEmperor Threat Group Targets New Flaw in Exchange</title><link>https://nsaneforums.com/news/security-privacy-news/ghostemperor-threat-group-targets-new-flaw-in-exchange-r2692/</link><description><![CDATA[<p>
	A detailed report has been released by Kaspersky providing information about the new activity linked to GhostEmperor. The threat actor has been recently discovered using a new rootkit and exploiting Exchange vulnerabilities. It has been mostly targeting government and telecom entities in Southeast Asia.
</p>

<p>
	 
</p>

<p>
	<strong>About the attack campaign</strong>
</p>

<p>
	<br />
	GhostEmperor is now using a previously undiscovered Windows kernel-mode rootkit, named Demodex, along with a sophisticated multi-stage malware framework used for remote control over targeted servers.
</p>

<p>
	 
</p>

<ul>
	<li>
		The group has mostly been observed targeting telecommunication businesses and governmental entities in Southeast Asia, as well as in Afghanistan, Ethiopia, and Egypt.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Most of the infections were deployed on public-facing servers, including Apache servers, IIS Windows Servers, and Oracle servers. 
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Attackers are suspected to have exploited the vulnerabilities in the corresponding web applications.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>How do they operate?</strong>
</p>

<p>
	<br />
	After gaining access to the targeted systems, the attackers have used a mix of custom and open-source offensive toolsets to gather user credentials and target other systems in the network. 
</p>

<p>
	 
</p>

<ul>
	<li>
		The group evades Windows Driver Signature Enforcement by using an undocumented loading scheme that relies on the kernel-mode component of Cheat Engine (an open-source project).
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		GhostEmperor has used obfuscation and anti-analysis tactics to make it challenging for analysts to examine the malware.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Use of post-exploitation tools</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		The tools used include common utilities from the Sysinternals suite for controlling processes (PsExec, ProcDump, and PsList), along with BITSAdmin, CertUtil, and WinRAR.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Furthermore, the attackers used open-source tools such as Get-PassHashes[.]ps1, Token[.]exe, Ladon, and mimkat_ssp as well. For internal network reconnaissance/communication they used Powercat/NBTscan.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>Conclusion</strong>
</p>

<p>
	<br />
	The use of anti-forensic techniques and a wide variety of toolsets indicates that the GhostEmperor group possesses sound knowledge of, and access to, advanced infrastructure. To stay protected, organizations are recommended to implement a multi-layered security architecture consisting of reliable anti-malware, firewalls, Host-based Intrusion Detection Systems (HIDS), and Intrusion Prevention Systems (IPS).
</p>

<p>
	 
</p>

<p>
	<strong><a href="https://nsaneforums.com/news/security-privacy-news/?do=form&amp;d=2" rel="">Source</a></strong>
</p>
]]></description><guid isPermaLink="false">2692</guid><pubDate>Wed, 06 Oct 2021 16:37:30 +0000</pubDate></item><item><title>Operation GhostShell: Novel RAT Targets Global Aerospace and Telecoms Firms</title><link>https://nsaneforums.com/news/security-privacy-news/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms-r2689/</link><description><![CDATA[<p>
	In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. 
</p>

<p>
	 
</p>

<p>
	The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. 
</p>

<p>
	 
</p>

<p>
	The Nocturnus Team found evidence that the ShellClient RAT has been under ongoing development since at least 2018, with several iterations that introduced new functionalities, while it evaded antivirus tools and managed to remain undetected and publicly unknown.
</p>

<p>
	 
</p>

<p>
	Assessments as to the identity of the operators and authors of ShellClient resulted in the identification of a new Iranian threat actor dubbed MalKamak that has operated since at least 2018 and remained publicly unknown thus far. In addition, our research points out possible connections to other Iranian state-sponsored APT threat actors such as Chafer APT (APT39) and Agrius APT. However, we assess that MalKamak has distinct features that separate it from the other Iranian groups. 
</p>

<p>
	 
</p>

<p>
	<strong>KEY FINDINGS</strong>
</p>

<p>
	 
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>New Iranian Threat Actor MalKamak:</strong> A newly discovered Iranian threat actor dubbed MalKamak has been operating since at least 2018 and has remained unknown thus far. In addition, the investigation draws possible connections to other Iranian state-sponsored threat actors including Chafer APT (APT39) and Agrius APT.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Discovery of New ShellClient RAT:</strong> The Cybereason Nocturnus team discovered a sophisticated and previously undocumented RAT (Remote Access Trojan) dubbed ShellClient used for highly targeted cyber espionage operations.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Targeting Aerospace and Telecom Companies:</strong> Based on the telemetry, this threat has been predominantly observed in the Middle East region, but has also been observed targeting organizations in the U.S., Russia and Europe, with a focus on the Aerospace and Telecommunications industries. 
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Ongoing Development Since 2018:</strong> Our investigation revealed this threat was first operationalized in 2018, and since then has been under active development with each new version adding more features and stealth. This threat is still active as of September 2021. 
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Abusing Cloud Services for C2:</strong> The most recent ShellClient versions were observed to be abusing cloud-based storage services for Command and Control (C2), in this case the popular Dropbox service, in order to remain undetected by blending in with legitimate network traffic.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Designed for Stealth: </strong>The authors of ShellClient invested a lot of effort into making it stealthy, leveraging multiple obfuscation techniques and recently implementing a Dropbox client for command and control (C2), which makes it very hard for antivirus and other security tools to detect.
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>SHELLCLIENT: THE SILENT RAT</strong>
</p>

<p>
	<br />
	The following sections recap the recently observed Operation GhostShell campaign and the evolution of this stealthy ShellClient RAT, which has been operationalized and actively developed since at least November 2018.
</p>

<p>
	 
</p>

<p>
	<strong>RECENT CAMPAIGN</strong>
</p>

<p>
	<br />
	In July 2021, Cybereason encountered an unidentified threat actor carrying out a cyber espionage operation using a previously undocumented and stealthy RAT dubbed ShellClient. 
</p>

<p>
	 
</p>

<p>
	Using this RAT, the threat actors were first observed conducting reconnaissance and exfiltrating sensitive data from leading Aerospace and Telecommunications companies in the Middle East region, and were later observed targeting the same industries in other regions, including the U.S., Russia and Europe.
</p>

<p>
	 
</p>

<p>
	When first inspecting the ShellClient RAT, the malicious binary was found to be running on victim machines as “svchost.exe” while its internal name was disguised as “RuntimeBroker.exe”:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<em><img alt="image35-3.png?width=609&amp;name=image35-3.p" class="ipsImage" data-ratio="47.15" height="215" width="456" src="https://www.cybereason.com/hs-fs/hubfs/image35-3.png?width=609&amp;name=image35-3.png" /></em>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient RAT internal name masquerades as a legitimate Microsoft RuntimeBroker.exe binary</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	This executable was determined to have been compiled on May 22nd, 2021, and was observed to be executing adjacent to additional TTPs. 
</p>

<p>
	 
</p>

<p>
	<strong>SHELLCLIENT STRUCTURE AND CONFIGURATION</strong>
</p>

<p>
	<br />
	The ShellClient RAT is a modular PE leveraging Costura to compress each of the modules using <em>zlib</em>:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image5-Oct-01-2021-06-01-05-16-PM.png?wi" class="ipsImage" data-ratio="82.99" height="478" width="576" src="https://www.cybereason.com/hs-fs/hubfs/image5-Oct-01-2021-06-01-05-16-PM.png?width=676&amp;name=image5-Oct-01-2021-06-01-05-16-PM.png" />
</p>

<p style="text-align:center;">
	<em><span style="font-size:12px;">ShellClient RAT utilizing Costura</span></em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Two of the references are DLLs containing supporting functionalities: 
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>ExtensionLib.dll </strong>contains utilities and functionalities such as:
	</li>
</ul>

<p>
	 
</p>

<p>
	 
</p>

<ul style="margin-left:40px;">
	<li>
		AES Encryption, including an AES Key and an Initialization Vector (IV)
	</li>
	<li>
		Hashing
	</li>
	<li>
		File Operations
	</li>
	<li>
		Registry Operations
	</li>
	<li>
		Process Creation
	</li>
	<li>
		Serialization
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image28-3.png?width=404&amp;name=image28-3.p" class="ipsImage" data-ratio="45.45" height="85" width="187" src="https://www.cybereason.com/hs-fs/hubfs/image28-3.png?width=404&amp;name=image28-3.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ExtensionLib.dll</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<ul>
	<li>
		<strong>ClientCore.dll</strong> holds other core functionalities of the client such as:
	</li>
</ul>

<p>
	 
</p>

<p>
	 
</p>

<ul style="margin-left:40px;">
	<li>
		Fingerprinting
	</li>
	<li>
		File Operations
	</li>
	<li>
		User Impersonation
	</li>
	<li>
		Token Handling
	</li>
	<li>
		FTP Client
	</li>
	<li>
		Telnet Client
	</li>
	<li>
		Settings &amp; Strings
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image25-3.png?width=380&amp;name=image25-3.p" class="ipsImage" data-ratio="98.67" height="223" width="226" src="https://www.cybereason.com/hs-fs/hubfs/image25-3.png?width=380&amp;name=image25-3.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ClientCore.dll</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The executable stores most of its strings, including configuration strings, as bytes and then converts them at run time to Unicode/ASCII to evade antivirus string detection:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image7-Oct-01-2021-06-06-36-68-PM.png?wi" class="ipsImage" data-ratio="75.10" height="540" width="694" src="https://www.cybereason.com/hs-fs/hubfs/image7-Oct-01-2021-06-06-36-68-PM.png?width=870&amp;name=image7-Oct-01-2021-06-06-36-68-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient using Unicode/ASCII to evade antivirus string detection</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>EXECUTION FLOW</strong>
</p>

<p>
	<br />
	The ShellClient RAT executes according to the following arguments:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>If no arguments</strong> are provided, the binary executes itself using InstallUtil.exe to install and run a malicious <em>nhdService</em> service
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		If there is <strong>one argument and it is equal to -c</strong>, the binary will be executed using the <em>Service Control Manager (SCM)</em> to create a reverse shell, communicating with a configured Dropbox storage as a C2
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		If there is <strong>one argument and it is equal to -d</strong>, the binary will execute as a regular process
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image16-Oct-01-2021-06-08-59-58-PM.png?w" class="ipsImage" data-ratio="76.06" height="251" width="330" src="https://www.cybereason.com/hs-fs/hubfs/image16-Oct-01-2021-06-08-59-58-PM.png?width=514&amp;name=image16-Oct-01-2021-06-08-59-58-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient RAT arguments</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	When either the <strong>-c</strong> or the <strong>-d</strong> argument is provided, the malware performs basic fingerprinting using WMI to collect:
</p>

<p>
	 
</p>

<ul>
	<li>
		Hardware information such as BIOS information, MAC address, etc.
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Networking Information including a request to <em>ipinfo[.]io/ip</em> to retrieve the public IP address of the infected machine
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		Which antivirus products are installed 
	</li>
</ul>

<p>
	<br />
	The collected information above is also used to create a unique agent identifier for each infected machine:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image30-2.png?width=1143&amp;name=image30-2." class="ipsImage" data-ratio="9.44" height="56" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image30-2.png?width=1143&amp;name=image30-2.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Creating a unique identifier</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>COMMAND AND CONTROL (C2) COMMUNICATIONS</strong>
</p>

<p>
	<br />
	The C2 communications this malware implements are quite unique, as they rely on “cold files” being saved to a remote Dropbox, instead of a common interactive session. This method of communication is an interesting Operational Security (OPSEC) solution, making it difficult to trace the threat actor’s infrastructure by utilizing a public service such as Dropbox.
</p>

<p>
	 
</p>

<p>
	To communicate with Dropbox, ShellClient uses Dropbox’s API with a unique embedded API key. Before communicating, it encrypts the data using a hardcoded AES encryption key.
</p>

<p>
	 
</p>

<p>
	The Dropbox storage contains 3 folders:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>AS Folder</strong> (Agents Folder): Stores uploaded information on infected machines
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>CS Folder</strong> (Commands Folder): Stores commands to be fetched, executed and then deleted by ShellClient
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>RS Folder</strong> (Results Folder): Stores the output of commands executed by ShellClient
	</li>
</ul>

<p>
	<br />
	Every 2 seconds, the victim machine checks the commands folder, retrieves files that represent commands, parses their content, then deletes them from the remote folder and enables them for execution:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image27-4.png?width=812&amp;name=image27-4.p" class="ipsImage" data-ratio="75.10" height="531" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image27-4.png?width=812&amp;name=image27-4.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient C2 Communications</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	After executing the commands, the executable uploads the results to the corresponding folder with a randomly generated file name based on the unique victim ID that the threat actor calls <em>HardwareID</em>:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image24-Oct-01-2021-06-15-02-76-PM.png?w" class="ipsImage" data-ratio="21.39" height="88" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image24-Oct-01-2021-06-15-02-76-PM.png?width=1057&amp;name=image24-Oct-01-2021-06-15-02-76-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient C2 Communications</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The destinations for these communications will be <em>api.dropboxapi[.]com</em> and <em>content.dropboxapi[.]com</em>.
</p>

<p>
	 
</p>

<p>
	<strong>PERSISTENCE AND PRIVILEGE ESCALATION</strong>
</p>

<p>
	<br />
	The ShellClient RAT achieves persistence and privilege escalation to run with SYSTEM privileges on victim machines by creating the <em>nhdService</em> disguised as <em>Network Hosts Detection Service</em>:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Service Name:</strong> nhdService
	</li>
</ul>

<p>
	 
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Display Name:</strong> Network Hosts Detection Service
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Description:</strong> Searches and manages hosts in the Network and Dial-Up Connections folder, where both local area network and remote connections are viewable
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Start Type:</strong> Automatic
	</li>
</ul>

<p>
	 
</p>

<ul>
	<li>
		<strong>Account: </strong>LocalSystem
	</li>
</ul>

<p>
	<strong>SUPPORTED COMMANDS</strong>
</p>

<p>
	<br />
	The executable contains multiple command functions that enable its capabilities, including arbitrary command execution, FTP/Telnet clients, lateral movement, file manipulation, etc. 
</p>

<p>
	 
</p>

<p>
	In addition, the malware contains several command functions that seem to do nothing and have no reference in the code; this could indicate that the malware is still under development.
</p>

<p>
	 
</p>

<p>
	The following table describes the purpose of each command:
</p>

<p>
	 
</p>

<table>
	<thead>
		<tr><th>Command</th><th>Description</th></tr>
	</thead>
	<tbody>
		<tr><td>code10</td><td>Query hostname, malware version, executable path, IP address and antivirus products</td></tr>
		<tr><td>code11</td><td>Execute an updated version of ShellClient</td></tr>
		<tr><td>code12</td><td>Self delete using InstallUtil.exe</td></tr>
		<tr><td>code13</td><td>Restart the ShellClient service</td></tr>
		<tr><td>code20</td><td>Start a CMD shell</td></tr>
		<tr><td>code21</td><td>Start a PowerShell shell</td></tr>
		<tr><td>code22</td><td>Add to the results message the following line: “Microsoft Windows Command Prompt Alternative Started …”</td></tr>
		<tr><td>code23</td><td>Open a TCP client</td></tr>
		<tr><td>code24</td><td>Start an FTP client</td></tr>
		<tr><td>code25</td><td>Start a Telnet client</td></tr>
		<tr><td>code26</td><td>Execute a shell command</td></tr>
		<tr><td>code29</td><td>Kill the active CMD or PowerShell shell</td></tr>
		<tr><td>code31</td><td>Query files and directories</td></tr>
		<tr><td>code32</td><td>Create a directory</td></tr>
		<tr><td>code33</td><td>Delete files and folders</td></tr>
		<tr><td>code34</td><td>Download a file to the infected machine</td></tr>
		<tr><td>code35</td><td>Upload a file to Dropbox</td></tr>
		<tr><td>code36</td><td>Does nothing</td></tr>
		<tr><td>code37</td><td>Download a file to the infected machine and execute it</td></tr>
		<tr><td>code38</td><td>Lateral movement using WMI</td></tr>
	</tbody>
</table>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient C2 Commands</em></span>
</p>

<p>
	 
</p>

<p>
	<strong>ADDITIONAL TTPS OBSERVED WITH SHELLCLIENT</strong>
</p>

<p>
	<br />
	Using the ShellClient RAT, the threat actor deployed additional tools to perform various activities to support their operation such as reconnaissance, lateral movement, data collection and more.
</p>

<p>
	 
</p>

<p>
	<strong>LATERAL MOVEMENT</strong>
</p>

<p>
	<br />
	The attackers were observed using PAExec and “net use” for lateral movement. PAExec is a redistributable version of the famous Sysinternals PsExec, with some additional options.  
</p>

<p>
	 
</p>

<p>
	The attackers leveraged PAExec to:
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Execute a CMD shell as SYSTEM</strong> on remote machines
	</li>
	<li>
		<strong>Perform remote service related operations</strong> like start, stop, restart, status and more
	</li>
	<li>
		<strong>Exfiltrate organizational Active Directory structure</strong> using a remotely executed <em>csvde.exe -f &lt; output file &gt;</em> command
	</li>
	<li>
		<strong>Check internet connectivity</strong> using <span style="color:#e74c3c;">ping</span> to reach Google.com
	</li>
	<li>
		<strong>Gather host information</strong> by executing <span style="color:#e74c3c;">ipconfig</span>, <span style="color:#e74c3c;">tasklist</span> and <span style="color:#e74c3c;">net use</span>
	</li>
</ul>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image21-Oct-01-2021-06-16-43-67-PM.png?w" class="ipsImage" data-ratio="60.97" height="418" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image21-Oct-01-2021-06-16-43-67-PM.png?width=758&amp;name=image21-Oct-01-2021-06-16-43-67-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient leveraging PAExec as observed in the Cybereason Defense Platform</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>CREDENTIAL DUMPING TOOL</strong>
</p>

<p>
	<br />
	During the observed attacks, the ShellClient RAT activity group deployed and executed an unknown executable named <em>lsa.exe</em> to perform credential dumping. <em>Lsa.exe</em> dumped the memory of <em>lsass.exe</em> to a file named <em>debug.bin</em> and was observed executing with the following command-line arguments:
</p>

<p>
	 
</p>

<ul>
	<li>
		lsa.exe -d
	</li>
	<li>
		lsa.exe -m
	</li>
</ul>

<p>
	 
</p>

<p>
	Although the Cybereason Nocturnus team was unable to retrieve the <em>lsa.exe</em> executable, we speculate that the tool might be a variation of SafetyKatz, based on the <em>debug.bin</em> dump file it creates: <em>debug.bin</em> is also the name of the dump file created by SafetyKatz, which was previously tied to Iranian threat actors:
</p>

<p>
	 
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image13-Oct-01-2021-06-18-15-23-PM.png?w" class="ipsImage" data-ratio="38.33" height="259" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image13-Oct-01-2021-06-18-15-23-PM.png?width=769&amp;name=image13-Oct-01-2021-06-18-15-23-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient credential dumping as observed in the Cybereason Defense Platform</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>STAGING</strong>
</p>

<p>
	<br />
	In order to exfiltrate data, the attackers used a renamed copy of the WinRAR command-line tool (<em>rar.exe</em>) to compress the files of interest before exfiltration:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image1-3.png?width=769&amp;name=image1-3.png" class="ipsImage" data-ratio="75.10" height="540" width="501" src="https://www.cybereason.com/hs-fs/hubfs/image1-3.png?width=769&amp;name=image1-3.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient using WinRar to compress data before exfiltration</em></span>
</p>

<p style="text-align:center;">
	 
</p>
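<p>
	The service details, PAExec usage, <em>lsa.exe</em> arguments and renamed <em>rar.exe</em> described in the sections above give a defender a set of concrete host-level indicators. The following Python rules, written here as an added example and not taken from the Cybereason report or any product, check constructed endpoint telemetry for them. The record schema is an assumed simplification of Windows System event 7045 (service installed) and Sysmon events 1 (process creation) and 11 (file created); the sample records, file paths and the PE OriginalFileName value for WinRAR are constructed for illustration.
</p>

```python
"""Detection rules for the ShellClient host TTPs described above.

Added example, not part of the Cybereason report. The record schema is an
assumed, simplified mix of Windows System event 7045 (service installed) and
Sysmon events 1 (process creation) and 11 (file created); field names and
sample values are constructed for illustration.
"""
import re

# Indicators taken from the report text (lower-cased for comparison).
SERVICE_NAME = "nhdservice"
SERVICE_DISPLAY = "network hosts detection service"
DUMP_FILE = "debug.bin"


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _cmdline(rec: dict) -> str:
    return rec.get("CommandLine", "").lower()


def is_shellclient_service(rec: dict) -> bool:
    """Event 7045 whose service name matches the nhdService persistence entry."""
    name = rec.get("ServiceName", "").lower()
    return rec.get("EventID") == 7045 and name in (SERVICE_NAME, SERVICE_DISPLAY)


def is_paexec_exec(rec: dict) -> bool:
    """PAExec launched on the host (used by the actor for remote shells and services)."""
    return rec.get("EventID") == 1 and _basename(rec.get("Image", "")) == "paexec.exe"


def is_ad_export(rec: dict) -> bool:
    """csvde.exe run with -f, i.e. an Active Directory export written to a file."""
    return (rec.get("EventID") == 1
            and _basename(rec.get("Image", "")) == "csvde.exe"
            and re.search(r"\s-f\b", _cmdline(rec)) is not None)


def is_lsa_dumper(rec: dict) -> bool:
    """The unknown lsa.exe dumper with the -d / -m arguments seen in the intrusion."""
    return (rec.get("EventID") == 1
            and _basename(rec.get("Image", "")) == "lsa.exe"
            and re.search(r"\s-[dm]\b", _cmdline(rec)) is not None)


def is_dump_artifact(rec: dict) -> bool:
    """A debug.bin file being written, the dump name used by lsa.exe / SafetyKatz."""
    return (rec.get("EventID") == 11
            and _basename(rec.get("TargetFilename", "")) == DUMP_FILE)


def is_renamed_rar(rec: dict) -> bool:
    """WinRAR's console binary running under a name other than rar.exe.
    Relies on the PE OriginalFileName captured in the process-creation event
    (assumed here to be 'Rar.exe' for the WinRAR console tool)."""
    original = rec.get("OriginalFileName", "").lower()
    return (rec.get("EventID") == 1
            and original == "rar.exe"
            and _basename(rec.get("Image", "")) != "rar.exe")


RULES = {
    "shellclient_nhdservice_install": is_shellclient_service,
    "paexec_execution": is_paexec_exec,
    "csvde_ad_export": is_ad_export,
    "lsa_exe_credential_dump": is_lsa_dumper,
    "debug_bin_dump_written": is_dump_artifact,
    "renamed_rar_staging": is_renamed_rar,
}


def scan(records):
    """Return (record index, rule name) for every rule that fires on a record."""
    return [(i, name) for i, rec in enumerate(records)
            for name, rule in RULES.items() if rule(rec)]


def summarize(records):
    """Rule name -> number of records it fired on."""
    counts = {name: 0 for name in RULES}
    for _, name in scan(records):
        counts[name] += 1
    return counts


# Constructed telemetry: the first six records mimic the TTPs from the report,
# the last two are benign activity that must not fire.
SAMPLE_TELEMETRY = [
    {"EventID": 7045, "ServiceName": "Network Hosts Detection Service",
     "ImagePath": r"C:\Windows\Temp\svchost.exe", "StartType": "auto start",
     "AccountName": "LocalSystem"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\paexec.exe",
     "CommandLine": r"paexec.exe \\HOST-02 cmd.exe", "OriginalFileName": "PAExec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\csvde.exe",
     "CommandLine": "csvde.exe -f ad_export.csv", "OriginalFileName": "csvde.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\lsa.exe",
     "CommandLine": "lsa.exe -d", "OriginalFileName": ""},
    {"EventID": 11, "Image": r"C:\Users\Public\lsa.exe",
     "TargetFilename": r"C:\Users\Public\debug.bin"},
    {"EventID": 1, "Image": r"C:\Users\Public\nt.exe",
     "CommandLine": r"nt.exe a -r out.rar D:\share\docs", "OriginalFileName": "Rar.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all", "OriginalFileName": "ipconfig.exe"},
    {"EventID": 7045, "ServiceName": "Vendor Update Service",
     "ImagePath": r"C:\Program Files\Vendor\svc.exe", "StartType": "auto start",
     "AccountName": "LocalSystem"},
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_TELEMETRY):
        print(f"record {idx}: {rule}")
```

<p>
	Run as a script it prints which rule fired on which record. The two benign records at the end are there to show that the rules key on the specific service name, arguments and original file name rather than on commonplace tools such as ipconfig, which the report lists but which are far too noisy to alert on alone.
</p>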

<p>
	<strong>THE EVOLUTION OF SHELLCLIENT AND FINDING THE MISSING LINK</strong>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<strong><img alt="image22-Oct-01-2021-06-20-27-51-PM.png?w" class="ipsImage" data-ratio="31.81" height="201" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image22-Oct-01-2021-06-20-27-51-PM.png?width=821&amp;name=image22-Oct-01-2021-06-20-27-51-PM.png" /></strong>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Known ShellClient RAT version history timeline</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	One of the questions that came up during the investigations was regarding how far back the use of the malware can be observed. At first it was thought to have been developed recently since there was no publicly available documentation or any mention of it available. However, the code indicates that the sample we analyzed was version 4.0, which implies there should be several previous versions.
</p>

<p>
	 
</p>

<p>
	With that in mind, the investigation revealed the missing link in a .NET GUID that appeared in the metadata of the observed sample. Pivoting on this unique identifier, we were able to uncover an older instance (version 3.1, VT link) that used the same .NET TypeLibID GUID, a unique ID that Visual Studio generates per project, <em>fd01304b-571f-4454-b52b-19cfb8af44a9</em>:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image19-Oct-01-2021-06-21-29-63-PM.png?w" class="ipsImage" data-ratio="38.06" height="256" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image19-Oct-01-2021-06-21-29-63-PM.png?width=771&amp;name=image19-Oct-01-2021-06-21-29-63-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Shared .NET TypeLib Id GUID between the recent and the older version of ShellClient</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	 
</p>

<p>
	From there, the other previous versions of ShellClient were found by pivoting on string and code similarities. This pivoting process proved that ShellClient has been under continuous development since at least November 2018, marking almost three years of development work that evolved the malware from a simple standalone reverse shell into a stealthy modular espionage tool.
</p>

<p>
	 
</p>

<p>
	In each new iteration of the malware, the authors added new features and capabilities, trying various exfiltration protocols and methods, such as an FTP client and a Dropbox account used to hide in plain sight. In addition, from version 4.0.0 onward, the authors made significant design and architecture changes, such as introducing a modular design.
</p>

<p>
	 
</p>

<p>
	Below is a summary of the variants that were discovered so far:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	&lt; View the Table <em>Known ShellClient RAT version history </em>at the <a href="https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms" rel="external nofollow">source page</a>.<em> &gt;</em>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<span style="font-size:16px;"><strong>OVERVIEW OF SHELLCLIENT EVOLUTION </strong></span>
</p>

<p>
	<br />
	<strong>EARLIEST VARIANT (NOVEMBER 2018)</strong>
</p>

<p>
	<br />
	The earliest variant traced was compiled on November 06, 2018, and was purposefully named svchost.exe to allow it to masquerade as a legitimate Windows binary. This early variant is not very rich in features and lacks the sophistication and functionality that are manifested in its successors. In essence, it is a rather simple reverse shell. 
</p>

<p>
	 
</p>

<p>
	<strong>Main Features:</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>File name:</strong> svchost.exe
	</li>
	<li>
		<strong>File description:</strong> Windows Defender Service
	</li>
	<li>
		<strong>Core functionality:</strong> Simple websocket-based reverse shell
	</li>
	<li>
		<strong>Hardcoded C2 domain:</strong> azure.ms-tech[.]us:80
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>VARIANT V1 (NOVEMBER 2018)</strong>
</p>

<p>
	<br />
	The second oldest variant emerged about 3 weeks after the initial version. This variant is more mature and contains the capabilities of both a client and a server, including a new service persistence method disguised as a Windows Defender Update service. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80
</p>

<p>
	 
</p>

<p>
	<strong>Main Updates:</strong>
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>File description:</strong> Host Process For Windows Processes
	</li>
	<li>
		<strong>Core functionalities:</strong>
		<ul>
			<li>Predefined set of C2 commands</li>
			<li>Executing arbitrary commands via CMD shell or PowerShell</li>
			<li>Client and Server components</li>
			<li>Persistence via Windows Service, masquerading as Windows Defender</li>
			<li>Base64 encoding/decoding for data sent to and from the C2</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>VERSION V2.1 (DECEMBER 2018)</strong>
</p>

<p>
	<br />
	Compiled approximately 2 weeks after variant V1, this variant keeps the same name and description attributes but shows further progress in development by adding a variety of new capabilities, including FTP and Telnet clients, AES encryption, self-update capabilities and more. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80 
</p>

<p>
	 
</p>

<p>
	<strong>Main Changes:</strong>
</p>

<ul>
	<li>
		<strong>Core functionalities:</strong>
		<ul>
			<li>Implementing FTP and Telnet clients</li>
			<li>AES encryption of data sent to the C2</li>
			<li>Self-updating feature</li>
			<li>Client ID and versioning attributes added</li>
			<li>Extended set of predefined C2 commands</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>VARIANT V3.1 (JANUARY 2019)</strong>
</p>

<p>
	<br />
	About a month after the emergence of variant V2.1, the V3.1 variant was seen in January of 2019. It has mostly minor changes with regard to functionality. The main differences are the removal of the “Server” component from the executable, new code obfuscation and an upgraded commands menu. This version of ShellClient also communicates with the following C2 domain: azure.ms-tech[.]us:80
</p>

<p>
	 
</p>

<p>
	<strong>Main Changes:</strong>
</p>

<ul>
	<li>
		<strong>Core functionality:</strong>
		<ul>
			<li>Removal of the Server component</li>
			<li>Introduction of command-line arguments</li>
			<li>First attempts at code obfuscation</li>
			<li>More predefined C2 commands</li>
			<li>OS fingerprinting via WMI</li>
		</ul>
	</li>
</ul>

<p>
	 
</p>

<p>
	<strong>VARIANT V4.0.0 (AUGUST 2021)</strong>
</p>

<p>
	<br />
	Perhaps one of the biggest advancements in the ShellClient evolution came with version V4.0.0 and continued with its successor V4.0.1, in which the malware authors implemented many changes and improvements: adding new capabilities, enhancing code obfuscation and code protection using the Costura packer, and abandoning the C2 domain that had been active since 2018.
</p>

<p>
	 
</p>

<p>
	The traditional C2 communications were replaced with a Dropbox built-in client, abusing the popular online platform to send commands to ShellClient as well as storing the stolen data exfiltrated to a designated Dropbox account. This ultimately makes it harder to detect since the network traffic would appear legitimate to security analysts as well as most security solutions. 
</p>

<p>
	 
</p>
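<p>
	Because the Dropbox traffic itself looks legitimate, the remaining signal is which process generates it and under which account. The following Python, an added example rather than code from the report, groups DNS lookups for hosts under dropboxapi.com by originating process and drops images that are expected to talk to Dropbox. The record layout is an assumed simplification of Sysmon event 22 (DNS query), the allowlist is an assumption to tune per environment, and the <em>nhd.exe</em> path is a constructed placeholder, not a path from the report.
</p>

```python
"""Flag Dropbox API name lookups that come from an unexpected process.

Added example, not part of the Cybereason report. Records are a constructed,
simplified form of Sysmon event 22 (DNS query) with Image, QueryName and User
fields; the allowlist of processes expected to reach Dropbox is an assumption
that must be tuned per environment.
"""

# The C2 channel described above ends in hosts under this Dropbox API domain.
DROPBOX_API_DOMAIN = "dropboxapi.com"

# Processes that legitimately talk to the Dropbox API in this (assumed) estate.
EXPECTED_IMAGES = {"dropbox.exe", "dropboxupdate.exe", "chrome.exe",
                   "msedge.exe", "firefox.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_dropbox_api(query_name: str) -> bool:
    """True for dropboxapi.com itself or any host beneath it."""
    name = query_name.lower().rstrip(".")
    return name == DROPBOX_API_DOMAIN or name.endswith("." + DROPBOX_API_DOMAIN)


def unexpected_dropbox_clients(records, expected=EXPECTED_IMAGES):
    """Group Dropbox API lookups by originating process, dropping allowlisted
    images. Returns {image path: {"user": ..., "queries": [sorted names]}}.
    A hit owned by NT AUTHORITY\\SYSTEM, i.e. a service, is the first to triage:
    ShellClient runs as LocalSystem and no desktop Dropbox client does."""
    hits = {}
    for rec in records:
        if rec.get("EventID") != 22 or not is_dropbox_api(rec.get("QueryName", "")):
            continue
        image = rec.get("Image", "")
        if _basename(image) in expected:
            continue
        entry = hits.setdefault(image, {"user": rec.get("User", ""), "queries": set()})
        entry["queries"].add(rec["QueryName"].lower())
    return {img: {"user": e["user"], "queries": sorted(e["queries"])}
            for img, e in hits.items()}


# Constructed events: one desktop Dropbox client, one browser, one genuine
# svchost.exe, and one unknown service binary doing the same lookups as SYSTEM.
SAMPLE_DNS_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "QueryName": "api.dropboxapi.com", "User": r"CORP\alice"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.dropbox.com", "User": r"CORP\alice"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "update.microsoft.com", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 22, "Image": r"C:\Windows\Temp\nhd.exe",  # placeholder path
     "QueryName": "api.dropboxapi.com", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 22, "Image": r"C:\Windows\Temp\nhd.exe",
     "QueryName": "content.dropboxapi.com", "User": r"NT AUTHORITY\SYSTEM"},
]


if __name__ == "__main__":
    for image, info in unexpected_dropbox_clients(SAMPLE_DNS_EVENTS).items():
        print(f"{info['user']}  {image}  ->  {', '.join(info['queries'])}")
```

<p>
	The match is on the registered domain rather than the two exact hosts named above, so a variant that switches to another Dropbox API endpoint still surfaces; the trade-off is that every new legitimate Dropbox-integrated application has to be added to the allowlist.
</p>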

<p>
	<em><strong>Note: For a full analysis of the variants, refer to Appendix A, published with the IOCs on the source page.</strong></em>
</p>

<p>
	 
</p>

<p>
	<strong>ATTRIBUTION</strong>
</p>

<p>
	<br />
	During the investigation, efforts were made to identify instances of the ShellClient code and to determine its origin or affiliation with known threat actors. Given the fact that ShellClient was previously undocumented and unknown at the time of the investigation, and the identity of the threat actor behind the attack was unclear, the Nocturnus Team first attempted to find links to known adversary groups that have carried out similar attacks in the past against this industry and the affected regions. 
</p>

<p>
	 
</p>

<p>
	While some possible connections to known Iranian threat actors were observed, our conclusion is that MalKamak is a new and distinct activity group, with unique characteristics that distinguish it from the other known Iranian threat actors. In publishing this data, it is hoped that more attention will be given to this threat and over time more information about ShellClient origins will emerge. 
</p>

<p>
	 
</p>

<p>
	<strong>LIKELY NATION STATE-SPONSORED THREAT ACTOR</strong>
</p>

<p>
	<br />
	The current working assumption is that ShellClient was created and maintained by a nation-state sponsored threat actor, or Advanced Persistent Threat (APT). The intrusions analyzed by Cybereason suggest that the motivation is cyber espionage against a very small set of carefully selected targets. This is supported by the fact that there are very few samples found in the telemetry or in-the-wild since 2018, in contrast to commodity malware that can usually be found in abundance. 
</p>

<p>
	 
</p>

<p>
	In addition, the PDB path that is embedded in some of the ShellClient samples suggests that this malware is part of a restricted or classified project that could be related to military or intelligence agency operations: 
</p>

<p>
	 
</p>

<p style="margin-left:40px;">
	E:\<strong>Projects (Confidential)</strong>\07 - Reverse Shell\ShellClientServer_HTTP.v2\obj\Release\svchost.pdb
</p>

<p style="margin-left:40px;">
	 
</p>

<p>
	<strong>RUSSIAN TURLA CONNECTION OR A YARA FALSE POSITIVE? </strong>
</p>

<p>
	<br />
	In examining some “low hanging fruit,” the first clue examined was a Yara rule comment that appeared in VirusTotal along with some of the older variants of ShellClient. The Yara rule indicated is named <strong>APT_Turla_MSTCSS_Malware_Jun19_1</strong>:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image23-Oct-01-2021-06-22-55-22-PM.png?w" class="ipsImage" data-ratio="35.27" height="219" width="621" src="https://www.cybereason.com/hs-fs/hubfs/image23-Oct-01-2021-06-22-55-22-PM.png?width=714&amp;name=image23-Oct-01-2021-06-22-55-22-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Yara rule comment that appeared in VirusTotal</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	The Nocturnus Team examined the possibility that the ShellClient malware might have been created by the Russian APT group Turla. However, upon careful analysis of known Turla malware, and even more specifically the ones indicated in a Symantec report referenced in the Yara rule, the team did not find any significant similarities or evidence that can tie Turla to ShellClient or the activity that was observed in the intrusion investigated. 
</p>

<p>
	 
</p>

<p>
	<strong>AN IRANIAN CONNECTION</strong>
</p>

<p>
	<br />
	Given that most of the victims were located in the Middle East region and considering the affected industries, the unique profile of the attacked organizations, as well as other characteristics related to the intrusion and the malware, the team also examined the possibility that an Iranian state-sponsored threat actor might be behind the Operation GhostShell intrusions. 
</p>

<p>
	 
</p>

<p>
	The Nocturnus team compared our observations with previous campaigns that were attributed to known Iranian threat actors, and was able to point out some interesting similarities between ShellClient and previously reported Iranian malware and threat actors. 
</p>

<p>
	 
</p>

<p>
	However, at this point, our estimation is that this operation was carried out by a separate activity group, dubbed <em>MalKamak</em>, which has its own distinct characteristics that distinguish it from the other groups.
</p>

<p>
	 
</p>

<p>
	Nonetheless, we believe that highlighting the possible connections between various Iranian threat actors could be beneficial. Whether such connection is a result of a direct collaboration among these threat actors is currently unknown. 
</p>

<p>
	 
</p>

<p>
	These connections can also be explained in less direct ways; for example, a cyber mercenary who codes for multiple threat actors could account for some of the observed overlaps.
</p>

<p>
	 
</p>

<p>
	<strong>MEET MALKAMAK: A NEW IRANIAN THREAT ACTOR</strong>
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<strong><img alt="image12-Oct-04-2021-03-18-44-06-PM.png?w" class="ipsImage" data-ratio="75.10" height="396" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image12-Oct-04-2021-03-18-44-06-PM.png?width=1570&amp;name=image12-Oct-04-2021-03-18-44-06-PM.png" /></strong>
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>MalKamak Diamond Model Summary</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	Using the famous diamond model of attribution, the Nocturnus team was able to determine that the attacks were carried out by a new activity group, dubbed <em>MalKamak</em>, which was unknown thus far and believed to be operating on behalf of Iranian interests. Following is a quick summary of its main characteristics: 
</p>

<p>
	 
</p>

<ul>
	<li>
		<strong>Country of Origin:</strong> Iran
	</li>
	<li>
		<strong>Years of Activity:</strong> Since at least 2018
	</li>
	<li>
		<strong>Motivation:</strong> Cyber Espionage
	</li>
	<li>
		<strong>Victimology:</strong>
		<ul>
			<li><strong>Affected Regions:</strong> Predominantly the Middle East, with victims in the US, Europe and Russia.</li>
			<li><strong>Affected Industries:</strong> Aerospace and Telecommunications</li>
		</ul>
	</li>
	<li>
		<strong>Unique Tools:</strong> ShellClient (evolving from a simple reverse shell to a complex RAT)
	</li>
	<li>
		<strong>Generic Tools:</strong> SafetyKatz, <span style="color:#e74c3c;">PAExec</span>, <span style="color:#e74c3c;">ping</span>, <span style="color:#e74c3c;">ipconfig</span>, <span style="color:#e74c3c;">tasklist</span>, <span style="color:#e74c3c;">net</span>, and <span style="color:#e74c3c;">WinRAR</span>.
	</li>
	<li>
		<strong>Known Infrastructure:</strong>
		<ul>
			<li><strong>2018-2020:</strong> ms-tech[.]us</li>
			<li><strong>2021:</strong> DropBox C2</li>
		</ul>
	</li>
</ul>

<p style="margin-left:80px;">
	<br />
	*MalKamak is derived from Kamak, the name of an ancient Persian mythological creature thought responsible for droughts and spreading chaos.
</p>

<p>
	 
</p>

<p>
	<strong>SIMILARITIES TO PREVIOUS CHAFER APT-RELATED CAMPAIGNS</strong>
</p>

<p>
	<br />
	During the analysis, it was observed that there were some potentially interesting links and similarities to an Iranian threat actor called Chafer APT (also known as APT39, ITG07 or Remix Kitten). 
</p>

<p>
	 
</p>

<p>
	The group has been active since at least 2014, and is believed to be linked to the <em>Rana Intelligence Computing Company</em>, a Teheran-based company, previously known to serve as a front company for the Iranian Ministry of Intelligence and Security (MOIS). The Chafer APT is known to attack targets in the Middle East as well as the U.S. and Europe. 
</p>

<p>
	 
</p>

<p>
	Examining past campaigns, such as the one analyzed in Bitdefender’s Chafer APT report, the team noticed interesting overlaps with observations in this investigation, as detailed in the following sections.
</p>

<p>
	 
</p>

<p>
	Our current assessment is that while these overlaps are interesting, they are not enough to establish attribution with an adequate certainty.
</p>

<p>
	 
</p>

<p>
	<strong>CREDENTIAL DUMPING</strong>
</p>

<p>
	<br />
	Chafer has been known to use the SafetyKatz tool to harvest credentials from compromised endpoints. As mentioned previously in this report, there are indications that the threat actor analyzed here used the same tool. 
</p>

<p>
	 
</p>

<p>
	<strong>OBFUSCATED PERSISTENCE</strong>
</p>

<p>
	<br />
	In both of the investigations, the threat actors maintained persistence by obfuscating the malware as legitimate Windows-related components on victims’ systems. To achieve that, both operations used the<em> Windows Defender Update</em> name to disguise their activity:
</p>

<p>
	 
</p>

<table style="margin-left:40px;">
	<thead>
		<tr><th>ShellClient Disguised Persistence</th><th>Previous Chafer APT Disguised Persistence</th></tr>
	</thead>
	<tbody>
		<tr><td>Windows Defender Update service</td><td>Defender Update scheduled task</td></tr>
	</tbody>
</table>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Obfuscated Persistence</em></span>
</p>

<p>
	 
</p>

<p>
	<strong>PDBS</strong>
</p>

<p>
	<br />
	Executables in both operations were found to have been compiled from similar paths, particularly ones containing a “projects” folder under a root drive:
</p>

<p>
	 
</p>

<p style="margin-left:40px;text-align:center;">
	&lt; View the Table <em>PDB Evidence </em>at the <a href="https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms" rel="external nofollow">source page</a>.&gt;
</p>

<p>
	 
</p>

<p>
	<strong>SIMILARITIES TO AGRIUS APT-RELATED CAMPAIGNS</strong>
</p>

<p>
	<br />
	Another Iranian threat actor that was examined is a relatively new activity group known as Agrius APT. The group has been known to attack mainly Israeli organizations and companies, carrying out destructive operations under the guise of ransomware attacks. 
</p>

<p>
	 
</p>

<p>
	A report about Agrius attacks mentions a custom .NET backdoor called <em>IPsec Helper</em>. Although the<em> IPsec Helper</em> backdoor and ShellClient are quite different, there were some interesting similarities in the coding style and naming conventions, which may indicate a link between the two malware and the possibility that they were authored by developers from the same or adjacent teams. 
</p>

<p>
	 
</p>

<p>
	These code similarities could indicate that a similar developer was also behind ShellClient, or at the very least a person who had access to the code of both malware families. That being said, the TTPs and intrusions conducted by Agrius seem very different from the TTPs and intrusions observed in Operation GhostShell, and therefore we concluded that it is unlikely that Agrius is behind this operation.
</p>

<p>
	 
</p>

<p>
	<strong>POSSIBLE CODING STYLE OVERLAP</strong>
</p>

<p>
	<br />
	When comparing the command parsing function of both<em> IPsec Helper </em>and ShellClient, a similar code structure and logic can be seen: 
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="image18-Oct-01-2021-06-24-46-23-PM.png?w" class="ipsImage" data-ratio="75.10" height="457" width="720" src="https://www.cybereason.com/hs-fs/hubfs/image18-Oct-01-2021-06-24-46-23-PM.png?width=753&amp;name=image18-Oct-01-2021-06-24-46-23-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Code similarities between IPsec Helper and ShellClient</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>NAMING CONVENTIONS </strong>
</p>

<p>
	<br />
	Both ShellClient and<em> IPsec Helper</em> use a similar naming convention for the classes used to launch the malware as a service:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image33-Oct-01-2021-06-27-38-17-PM.png?w" class="ipsImage" data-ratio="116.86" height="402" width="344" src="https://www.cybereason.com/hs-fs/hubfs/image33-Oct-01-2021-06-27-38-17-PM.png?width=433&amp;name=image33-Oct-01-2021-06-27-38-17-PM.png" />
</p>

<p style="text-align:center;">
	 
</p>

<p style="text-align:center;">
	<img alt="image12-Oct-01-2021-06-28-38-20-PM.png?w" class="ipsImage" data-ratio="85.02" height="403" width="474" src="https://www.cybereason.com/hs-fs/hubfs/image12-Oct-01-2021-06-28-38-20-PM.png?width=474&amp;name=image12-Oct-01-2021-06-28-38-20-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>Similarities between ShellClient and IPsec Helper naming conventions</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>KILL TECHNIQUES </strong>
</p>

<p>
	<br />
	Both ShellClient and <em>IPsec Helper</em> use InstallUtil.exe in their self-kill mechanism. When ShellClient receives a self-kill command, it executes InstallUtil.exe in order to delete the service it created and remove itself from the infected machine. When IPsec Helper receives a self-kill command, it creates and executes a batch script named “remover.bat”, which uses InstallUtil.exe to delete the service created for the malware.
</p>

<p>
	 
</p>

<p>
	<strong>DATA DECODING AND ENCRYPTION </strong>
</p>

<p>
	<br />
	Both ShellClient and<em> IPsec Helper </em>use Base64 and AES to encode and encrypt data sent to the C2. In addition, both malware have a separate class for Base64 encoding and decoding, and for AES encryption and decryption:
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image9-Oct-01-2021-06-29-42-26-PM.png?wi" class="ipsImage" data-ratio="74.25" height="297" width="400" src="https://www.cybereason.com/hs-fs/hubfs/image9-Oct-01-2021-06-29-42-26-PM.png?width=504&amp;name=image9-Oct-01-2021-06-29-42-26-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient and IPsec Helper data decoding and encryption similarities</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>OTHER SIMILAR FUNCTIONS </strong>
</p>

<p>
	<br />
	Some functions of ShellClient, <em>IPsec Helper</em> and Apostle malware are very similar, for example the Serialize function, which is found on all three malware variants.
</p>

<p>
	 
</p>

<p style="text-align:center;">
	<img alt="image4-Oct-01-2021-06-30-45-41-PM.png?wi" class="ipsImage" data-ratio="85.69" height="527" width="615" src="https://www.cybereason.com/hs-fs/hubfs/image4-Oct-01-2021-06-30-45-41-PM.png?width=615&amp;name=image4-Oct-01-2021-06-30-45-41-PM.png" />
</p>

<p style="text-align:center;">
	<span style="font-size:12px;"><em>ShellClient, IPsec Helper and Apostle malware similarities</em></span>
</p>

<p style="text-align:center;">
	 
</p>

<p>
	<strong>POSSIBLE INFRASTRUCTURE CONNECTION</strong>
</p>

<p>
	<br />
	Another interesting connection identified between these malware families is based on past IP address resolutions of the domain used by ShellClient, <em>azure.ms-tech[.]us</em>, and a domain used by <em>IPsec Helper</em>, <em>whynooneistherefornoneofthem[.]com</em>. Both domains have resolved to both of the IP addresses 139.162.120.150 and 50.116.17.41.
</p>

<p>
	 
</p>

<p>
	Upon examination, these IP addresses function as a sinkhole. Further examination of other domains that resolved to these IP addresses in the past revealed a significant number of malicious domains used by Iranian APTs.
</p>

<p>
	 
</p>

<p>
	<strong>CONCLUSION</strong>
</p>

<p>
	<br />
	In the Operation GhostShell report, the Cybereason Nocturnus and Incident Response Teams discovered a sophisticated new Remote Access Trojan (RAT) dubbed ShellClient that was used in highly targeted attacks against a select few Aerospace and Telecommunications companies mainly in the Middle East, with other victims located in the U.S., Russia and Europe. Our current assessment is that the attacks were perpetrated by a newly discovered Iranian activity group dubbed <em>MalKamak</em> that has been operating since at least 2018 and remained in the dark until now.
</p>

<p>
	 
</p>

<p>
	The investigation into Operation GhostShell also revealed that ShellClient dates back to at least 2018, and has been continuously evolving ever since while successfully evading most security tools and remaining completely unknown. By studying the ShellClient development cycles, the researchers were able to observe how ShellClient has morphed over time from a rather simple reverse shell to a sophisticated RAT used to facilitate cyber espionage operations while remaining undetected. 
</p>

<p>
	 
</p>

<p>
	The most recent ShellClient versions observed in Operation GhostShell follow the trend of abusing cloud-based storage services, in this case the popular Dropbox service. The ShellClient authors chose to abandon their previous C2 domain and replace the command and control mechanism of the malware with a simpler yet stealthier C2 channel that uses Dropbox to exfiltrate the stolen data as well as to send commands to the malware. This trend has been increasingly adopted by many threat actors due to its simplicity and the ability to blend in effectively with legitimate network traffic.
</p>

<p>
	 
</p>

<p>
	It is the intention of the researchers that the information provided in the Operation GhostShell report will inspire further research regarding ShellClient and the newly identified <em>MalKamak</em> activity group, and that it will ultimately assist in shedding more light on this mysterious malware that was kept well-hidden for many years. 
</p>

<p>
	 
</p>

<p>
	<span style="font-size:20px;"><strong><a href="https://www.cybereason.com/blog/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms" rel="external nofollow">Source</a></strong></span>
</p>
]]></description><guid isPermaLink="false">2689</guid><pubDate>Wed, 06 Oct 2021 15:04:06 +0000</pubDate></item><item><title>Microsoft explains why TPM 2.0 and VBS on Windows 11 are so key for next-gen security</title><link>https://nsaneforums.com/news/security-privacy-news/microsoft-explains-why-tpm-20-and-vbs-on-windows-11-are-so-key-for-next-gen-security-r2676/</link><description><![CDATA[<p>
	Microsoft's much-awaited Windows 11 is generally available <a href="https://www.neowin.net/news/microsoft-begins-rolling-out-windows-11-to-select-users-starting-today/" rel="external nofollow">starting today</a> (check out <a href="https://www.neowin.net/news/windows-11-review-aesthetics-over-functionality/" rel="external nofollow">our review here</a>) and there has been a lot of buzz around the integrated security features and the rather strict system requirements criteria it brings with it. The latest commotion has been around the Virtualization-based Security (VBS) feature and how it can adversely affect gaming performance <a href="https://www.neowin.net/news/microsoft-vbs-apparently-cripples-gaming-performance-in-windows-11-even-on-supported-cpus/" rel="external nofollow">even on CPUs officially supported by the OS</a>.
</p>

<p>
	 
</p>

<p>
	Apparently, VBS is set to on by default in clean Windows 11 installs. In an interview with the Computer Reseller News (CRN), David Weston, Partner Director of Enterprise and OS Security at Microsoft, has clarified why this is so:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	What we learned from [Windows] 10 is, if you make things optional, people don’t turn them on. They assume that if it was necessary, it would be on. And so I think that’s a big learning. What we put into 11 is [that] we are going to secure you by default.
</p>

<p>
	 
</p>

<p>
	He also explained why there is a need for such a feature in the first place:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	Even if someone gets admin-level privileges—the highest level of privilege—they still can’t read what’s in this separate VM. It’s the exact same premise as how the cloud works today—you can be on a hardware machine with your bitterest rival, and you cannot read coded data across. We use that exact same technology shrunk down [for Windows 11].
</p>

<p>
	 
</p>

<p>
	Other than sharing his thoughts on VBS, Weston also talked about <a href="https://www.neowin.net/news/this-free-windows-11-install-tool-bypasses-tpm-and-system-requirements-check/" rel="external nofollow">the TPM 2.0 requirement</a> in Windows 11 and how all of this together will help Microsoft realize its vision for the future of the OS and Windows PCs:
</p>

<p>
	 
</p>

<p style="margin-left: 40px;">
	A lot of this initial release of Windows 11 is not the end goal—it’s the first click stop on our journey. We’re saying, ‘we can now guarantee you have a TPM. That means I can go and make sure every app developer is now storing credentials and keys in hardware.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	[...] More applications can support <a href="https://www.neowin.net/news/tags/passwordless/" rel="external nofollow">passwordless</a> by default. More applications can do data encryption. More applications can have zero trust protections, because we’ve got that virtualization-based capability to report on their integrity.
</p>

<p style="margin-left: 40px;">
	 
</p>

<p style="margin-left: 40px;">
	What you’ll see in the following versions of Windows 11 is us exploiting that to a much better extent to increase security. So I think this is just the stage setting. This is act one. Act two and three, I think, are going to really bring some massive increases in security.
</p>

<p>
	 
</p>

<p>
	In fact, back when it had announced its Windows 11 system requirements, the Redmond giant claimed that the added security measures led to <a href="https://www.neowin.net/news/microsoft-clarifies-stance-on-windows-11-minimum-system-requirements/" rel="external nofollow">reduced malware infestation by 60%</a>.
</p>

<p>
	 
</p>

<p>
	Source: <a href="https://www.crn.com/news/applications-os/microsoft-exec-windows-11-cpu-requirements-allow-key-security-features-to-run-by-default-" rel="external nofollow">CRN</a>
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.neowin.net/news/microsoft-explains-why-tpm-20-and-vbs-on-windows-11-are-so-key-for-next-gen-security/" rel="external nofollow">Microsoft explains why TPM 2.0 and VBS on Windows 11 are so key for next-gen security</a>
</p>
]]></description><guid isPermaLink="false">2676</guid><pubDate>Tue, 05 Oct 2021 23:29:38 +0000</pubDate></item><item><title>Android October patch fixes three critical bugs, 41 flaws in total</title><link>https://nsaneforums.com/news/security-privacy-news/android-october-patch-fixes-three-critical-bugs-41-flaws-in-total-r2670/</link><description><![CDATA[<p>
	Google has released the Android October security updates, addressing 41 vulnerabilities, all ranging between high and critical severity.
</p>

<p>
	 
</p>

<p>
	On the 5th of each month, Google releases the complete security patch for the Android OS which contains both the framework and the vendor fixes for that month. As such, this update also incorporates fixes for the 10 vulnerabilities that were addressed in the Security patch level 2021-10-01, released a couple of days back. 
</p>

<p>
	 
</p>

<p>
	The high-severity flaws fixed this month concern denial of service, elevation of privilege, remote code execution, and information disclosure issues.
</p>

<p>
	 
</p>

<p>
	The three critical severity flaws in the set are tracked as:
</p>

<p>
	 
</p>

<ul>
	<li>
		CVE-2021-0870: Remote code execution flaw in Android System, enabling a remote attacker to execute arbitrary code within the context of a privileged process.
	</li>
	<li>
		CVE-2020-11264: Critical flaw affecting Qualcomm’s WLAN component, concerning the acceptance of non-EAPOL/WAPI frames from unauthorized peers received in the IPA exception path.
	</li>
	<li>
		CVE-2020-11301: Critical flaw affecting Qualcomm’s WLAN component, concerning the acceptance of unencrypted (plaintext) frames on secure networks.
	</li>
</ul>

<h2>
	Critical but unexploited
</h2>

<p>
	None of the <a href="https://source.android.com/security/bulletin/2021-10-01" rel="external nofollow" target="_blank">41 flaws addressed this month</a> have been reported to be under active exploitation in the wild, so there should be no working exploits for them circulating out there.
</p>

<p>
	 
</p>

<p>
	Older devices that are no longer supported with security updates now have an increased attack surface, as some of the vulnerabilities fixed this month are excellent candidates for threat actors to create working exploits in the future.
</p>

<p>
	 
</p>

<p>
	Remember, Android security patches aren’t bound to Android versions, and the above fixes concern all versions from Android 8.1 to Android 11. As such, the OS version isn’t a determining factor in whether or not your device is still supported.
</p>

<p>
	 
</p>

<p>
	If you have confirmed that your device has reached the EOL date, you should either install a third-party Android distribution that still delivers monthly security patches for your model, or replace it with a new one.
</p>

<p>
	 
</p>

<p>
	Android fans have been eagerly waiting for the release of version 12, which was rumored for October 4, 2021, but what they got instead was the <a href="https://android-developers.googleblog.com/2021/10/android-12-is-live-in-aosp.html" rel="external nofollow" target="_blank">source of Android 12 pushed to the Android Open Source Project</a>.
</p>

<p>
	 
</p>

<p>
	This step signifies that the actual release is just around the corner, and OTA upgrade alerts could hit eligible devices, like the Pixel, very soon.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/android-october-patch-fixes-three-critical-bugs-41-flaws-in-total/" rel="external nofollow">Android October patch fixes three critical bugs, 41 flaws in total</a>
</p>
]]></description><guid isPermaLink="false">2670</guid><pubDate>Tue, 05 Oct 2021 23:11:19 +0000</pubDate></item><item><title>Google to auto-enroll 150 million user accounts into 2FA</title><link>https://nsaneforums.com/news/security-privacy-news/google-to-auto-enroll-150-million-user-accounts-into-2fa-r2668/</link><description><![CDATA[<p>
	Google announced today that they plan on auto-enrolling 150 million accounts into two-factor authentication by the end of 2021.
</p>

<p>
	 
</p>

<p>
	To protect Google accounts from unauthorized access, it is possible to enroll in an optional security feature called two-factor authentication, or as Google likes to call it, 2-step verification (2SV).
</p>

<p>
	 
</p>

<p>
	When 2SV is enabled on a Google Account, and someone logs in with the correct username and password, they are asked for an additional form of authentication to prove they are the account owner.
</p>

<p>
	 
</p>

<p>
	This additional verification can be through a code from an authenticator app or SMS text, Google Prompt, a hardware security key, like a Yubikey or Google Titan, or <a href="https://www.bleepingcomputer.com/news/security/iphones-can-now-double-as-a-security-key-for-google-accounts/" target="_blank" rel="external nofollow">even an iOS device</a>.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="google-2sv-demo.gif" class="ipsImage" data-ratio="90.15" height="540" width="540" src="https://www.bleepstatic.com/images/news/companies/google/2/2sv-autoenroll/google-2sv-demo.gif">
		</p>

		<figcaption>
			Demonstration of Google 2SV<br>
			Source: Google
		</figcaption>
	</figure>
</div>

<p>
	In May, Google announced that it had started <a href="https://www.bleepingcomputer.com/news/security/google-wants-to-enable-multi-factor-authentication-by-default/" target="_blank" rel="external nofollow">automatically enrolling users into 2SV</a> for properly configured accounts to protect against exposed credentials from data breaches or the use of easy passwords.
</p>

<p>
	 
</p>

<p>
	For an account to be auto-enrolled, it would need to have a Google app installed that could be used for authentication or a backup mobile device for account recovery.
</p>

<h2>
	150 million users to be auto-enrolled into 2SV
</h2>

<p>
	Today, Google has announced that they will be automatically enrolling 150 million additional Google Accounts into 2SV by the end of the year.
</p>

<p>
	 
</p>

<p>
	"And because we know the best way to keep our users safe is to turn on our security protections by default, we have started to automatically configure our users’ accounts into a more secure state," explained Google in a new <a href="http://blog.google/technology/safety-security/making-sign-safer-and-more-convenient/" rel="external nofollow" target="_blank">blog post</a>.
</p>

<p>
	 
</p>

<p>
	"By the end of 2021, we plan to auto-enroll an additional 150 million Google users in 2SV and require 2 million YouTube creators to turn it on."
</p>

<p>
	 
</p>

<p>
	Google says that these additional accounts will only be enrolled if they have the "proper backup mechanisms" in place to transition to 2SV.
</p>

<p>
	 
</p>

<p>
	For those unable to enroll in 2SV because of the authentication methods available to them, Google is working on other technologies that these users can use.
</p>

<p>
	 
</p>

<p>
	To check if your account has the correct settings for 2SV, you can perform a <a href="https://myaccount.google.com/security-checkup/3" rel="external nofollow" target="_blank">Security Checkup</a> on your Google Account, which will explain your available options.
</p>

<p>
	 
</p>

<p>
	As two-factor authentication is such an important method of securing online accounts, and data breaches frequently expose credentials, it is strongly advised that users <a href="http://g.co/2sv" rel="external nofollow" target="_blank">enroll now in 2SV</a> rather than waiting.
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/google/google-to-auto-enroll-150-million-user-accounts-into-2fa/" rel="external nofollow">Google to auto-enroll 150 million user accounts into 2FA</a>
</p>
]]></description><guid isPermaLink="false">2668</guid><pubDate>Tue, 05 Oct 2021 23:01:08 +0000</pubDate></item><item><title>New UEFI bootkit used to backdoor Windows devices since 2012</title><link>https://nsaneforums.com/news/security-privacy-news/new-uefi-bootkit-used-to-backdoor-windows-devices-since-2012-r2667/</link><description><![CDATA[<p>
	A newly discovered and previously undocumented UEFI (Unified Extensible Firmware Interface) bootkit has been used by attackers to backdoor Windows systems by hijacking the Windows Boot Manager since 2012.
</p>

<p>
	 
</p>

<p>
	Bootkits are malicious code planted in the firmware (sometimes targeting UEFI) that is invisible to security software running within the operating system, since the malware is designed to load before everything else, in the initial stage of the boot sequence.
</p>

<p>
	 
</p>

<p>
	They provide threat actors with persistence and control over an operating system's boot process, making it possible to sabotage OS defenses by bypassing the Secure Boot mechanism if the system boot security mode is not properly configured (enabling 'thorough boot' or 'full boot' mode would block such malware, as the NSA <a href="https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF" rel="external nofollow" target="_blank">explains</a>).
</p>

<h2>
	Persistence on the EFI System Partition
</h2>

<p>
	The bootkit, dubbed ESPecter by ESET researchers who found it, achieves persistence on the EFI System Partition (ESP) of compromised devices by loading its own unsigned driver to bypass Windows Driver Signature Enforcement.
</p>

<p>
	 
</p>

<p>
	"ESPecter was encountered on a compromised machine along with a user-mode client component with keylogging and document-stealing functionalities, which is why we believe ESPecter is mainly used for espionage," ESET security researchers Martin Smolár and Anton Cherepanov <a href="https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/" rel="external nofollow" target="_blank">said</a>.
</p>

<p>
	 
</p>

<p>
	"Interestingly, we traced the roots of this threat back to at least 2012, previously operating as a bootkit for systems with legacy BIOSes."
</p>

<p>
	 
</p>

<p>
	The malicious driver deployed on compromised Windows computers is used to load two payloads (WinSys.dll and Client.dll) that can also download and execute additional malware.
</p>

<p>
	 
</p>

<p>
	WinSys.dll is an update agent, the component used to reach out to the command-and-control (C2) server for further commands or more malicious payloads.
</p>

<p>
	 
</p>

<p>
	As the researchers found, WinSys.dll can exfiltrate system info, launch other malware downloaded from the C2 server, restart the PC using ExitProcess (only on Windows Vista), and get new configuration info and save it to the registry.
</p>

<p>
	 
</p>

<p>
	Client.dll, the second payload, acts as a backdoor with automatic data exfiltration capabilities, including keylogging, document stealing, and screen monitoring via screenshots.
</p>

<p>
	 
</p>

<p>
	ESET also found ESPecter versions that target Legacy Boot modes and achieve persistence by altering the MBR code found in the first physical sector of the system disk drive.
</p>

<div>
	<figure>
		<p>
			 
		</p>

		<p>
			<img alt="Normal_Windows_UEFI_boot_vs_boot_flow_mo" class="ipsImage" data-ratio="75.10" height="540" width="624" src="https://www.bleepstatic.com/images/news/u/1109292/2021/Normal_Windows_UEFI_boot_vs_boot_flow_modified_by_ESPecte.png">
		</p>

		<figcaption>
			Normal Windows UEFI boot vs. boot flow modified by ESPecter (ESET)
		</figcaption>
	</figure>
</div>

<h2>
	Secure Boot doesn't really help 
</h2>

<p>
	Patching the Windows Boot Manager (bootmgfw.efi) requires Secure Boot (which helps verify that the PC boots using trusted firmware) to be disabled.
</p>

<p>
	 
</p>

<p>
	As the researchers discovered, attackers have deployed the bootkit in the wild, which means they've found a method to toggle off Secure Boot on targeted devices.
</p>

<p>
	 
</p>

<p>
	Even though right now there's no hint of how the ESPecter operators achieved this, there are a few possible scenarios:
</p>

<p>
	 
</p>

<ul>
	<li>
		The attacker has physical access to the device (historically known as an "evil maid" attack) and manually disables Secure Boot in the BIOS setup menu (it is common for the firmware configuration menu to still be labeled and referred to as the "BIOS setup menu," even on UEFI systems).
	</li>
	<li>
		Secure Boot was already disabled on the compromised machine (e.g., a user might dual-boot Windows and other OSes that do not support Secure Boot).
	</li>
	<li>
		Exploiting an unknown UEFI firmware vulnerability that allows disabling Secure Boot.
	</li>
	<li>
		Exploiting a known UEFI firmware vulnerability (e.g., <a href="http://web.nvd.nist.gov/vuln/detail/CVE-2014-2961" rel="external nofollow">CVE-2014-2961</a>, <a href="http://web.nvd.nist.gov/vuln/detail/CVE-2014-8274" rel="external nofollow">CVE-2014-8274</a>, or <a href="http://web.nvd.nist.gov/vuln/detail/CVE-2015-0949" rel="external nofollow">CVE-2015-0949</a>) in the case of an outdated firmware version or a no-longer-supported product.
	</li>
</ul>

<p>
	 
</p>

<p>
	Publicly documented attacks using bootkits in the wild are extremely rare — the <a href="https://www.bleepingcomputer.com/news/security/finfisher-malware-hijacks-windows-boot-manager-with-uefi-bootkit/" target="_blank" rel="external nofollow">FinSpy bootkit</a> used to load spyware, <a href="https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/" target="_blank" rel="external nofollow">Lojax</a> deployed by the Russian-backed APT28 hacker group, <a href="https://www.bleepingcomputer.com/news/security/mosaicregressor-second-ever-uefi-rootkit-found-in-the-wild/" target="_blank" rel="external nofollow">MosaicRegressor</a> used by Chinese-speaking hackers, and the <a href="https://www.bleepingcomputer.com/news/security/trickbots-new-trickboot-module-infects-your-uefi-firmware/" target="_blank" rel="external nofollow">TrickBoot module</a> used by the TrickBot gang.
</p>

<p>
	 
</p>

<p>
	"ESPecter shows that threat actors are relying not only on UEFI firmware implants when it comes to pre-OS persistence and, despite the existing security mechanisms like UEFI Secure Boot, invest their time into creating malware that would be easily blocked by such mechanisms, if enabled and configured correctly."
</p>

<p>
	 
</p>

<p>
	To secure your systems against attacks using bootkits like ESPecter, you are advised to ensure that:
</p>

<p>
	 
</p>

<ul>
	<li>
		You always use the latest firmware version.
	</li>
	<li>
		Your system is properly configured, and Secure Boot is enabled.
	</li>
	<li>
		You apply proper <a href="https://attack.mitre.org/mitigations/M1026" rel="external nofollow" target="_blank">Privileged Account Management</a> to help prevent adversaries from accessing privileged accounts necessary for bootkit installation.
	</li>
</ul>

<p>
	 
</p>

<p>
	Further technical details on the ESPecter bootkit and indicators of compromise can be found in <a href="https://www.welivesecurity.com/2021/10/05/uefi-threats-moving-esp-introducing-especter-bootkit/" rel="external nofollow" target="_blank">ESET's report</a>. 
</p>

<p>
	 
</p>

<p>
	 
</p>

<p>
	<a href="https://www.bleepingcomputer.com/news/security/new-uefi-bootkit-used-to-backdoor-windows-devices-since-2012/" rel="external nofollow">New UEFI bootkit used to backdoor Windows devices since 2012</a>
</p>
]]></description><guid isPermaLink="false">2667</guid><pubDate>Tue, 05 Oct 2021 22:58:33 +0000</pubDate></item></channel></rss>
