Threat actors are abusing legitimate adversary simulation software BRc4 in their campaigns to evade detection.
Researchers from Palo Alto Networks Unit 42 discovered that a sample uploaded to the VirusTotal database on May 19, 2022, and flagged as benign by almost all antivirus engines, contained a payload associated with Brute Ratel C4 (BRc4), a new red-teaming and adversarial attack simulation tool.
BRc4 payloads are less well known than Cobalt Strike beacons but offer similar capabilities. The tool was specifically designed to avoid detection by security solutions such as endpoint detection and response (EDR) and antivirus (AV), and its effectiveness at doing so is evident from the aforementioned lack of detection across vendors on VirusTotal.
“Brute Ratel is the most advanced Red Team & Adversary Simulation Software in the current C2 Market. It can not only emulate different stages of an attacker killchain, but also provide a systematic timeline and graph for each of the attacks executed to help the Security Operations Team validate the attacks and improve the internal defensive mechanisms.” reads the description of the tool on its website. “Brute Ratel comes prebuilt with several OpSec features which can ease a Red Team’s task to focus more on the analytical part of an engagement instead of focusing or depending on Open source tools for post-exploitation. Brute Ratel is a post-exploitation C2 in the end and however does not provide exploit generation features like metasploit or vulnerability scanning features like Nessus, Acunetix or BurpSuite.”
The file was uploaded to VirusTotal on May 19, 2022, from Sri Lanka. It is named Roshan_CV.iso and poses as a curriculum vitae. Upon opening the ISO file, users are presented with an apparently harmless Word document, but launching it starts the attack chain: an instance of BRc4 is installed on the user’s machine and attempts to contact a remote server.
According to Unit42 experts, threat actors are spreading the ISO files via spear-phishing messages.
Packaged ISO files are typically delivered via spear-phishing email campaigns, although it is not clear whether the same method was used to deliver this payload to the target environment.
The experts noticed that the composition of the ISO file, Roshan_CV.ISO, closely matches the TTPs associated with the Russia-linked APT29 group.
The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014; together with the APT28 cyber espionage group, it was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections. The group is suspected to be the threat actor behind the SolarWinds supply chain attack.
“The composition of the ISO file, Roshan_CV.ISO, closely resembles that of other nation-state APT tradecraft. The following table shows a side-by-side comparison of Roshan_CV.ISO and that of a previously identified APT29 sample (Decret.ISO).” reads the analysis published by Palo Alto Networks.
The researchers also spotted a second sample that was uploaded to VirusTotal from Ukraine a day after the Roshan_CV.ISO file. The experts observed significant code overlap in a module used to load BRc4 into memory. Further investigation allowed the researchers to discover seven more BRc4 samples dating back to February 2021.
The analysis of the C2 server allowed the experts to identify a number of potential victims, including an Argentinian organization, an IP television provider providing North and South American content, and a major textile manufacturer in Mexico.
“The emergence of a new penetration testing and adversary emulation capability is significant. Yet more alarming is the effectiveness of BRc4 at defeating modern defensive EDR and AV detection capabilities.
“Over the past 2.5 years this tool has evolved from a part-time hobby to a full-time development project with a growing customer base. As this customer base has expanded into the hundreds, the tool has gained increased attention across the cybersecurity domain from both legitimate penetration testers as well as malicious cyber actors.” concludes the report. “The analysis of the two samples described in this blog, as well as the advanced tradecraft used to package these payloads, make it clear that malicious cyber actors have begun to adopt this capability.”
(SecurityAffairs – hacking, BRc4)
The post Less popular, but very effective, Red-Teaming Tool BRc4 used in attacks in the wild appeared first on Security Affairs.
Experts observed an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022.
Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 companies worldwide, has registered an increase in malicious activity targeting law enforcement agencies at the beginning of Q2 2022. Threat actors are hacking email and other accounts that belong to police officers, as well as the agencies’ internal systems.
The emerging trend consists of threat actors sending fake subpoenas and EDRs (Emergency Data Requests) to their victims from the hacked law enforcement email accounts. Using such capabilities, the threat actors are targeting major technology companies such as Apple, Facebook (Meta), Snapchat and Discord, to name a few, to collect sensitive information about targets of interest. The replies received by the bad actors contain sensitive details that can be, and are being, used for leverage, extortion or cyberespionage. Such incidents have been especially notable in the activities of cybercriminal groups such as LAPSUS$ and Recursion Group.
Resecurity has been observing multiple Dark Web marketplaces where cybercriminals are monetizing their efforts by selling credentials belonging to police officers of various foreign countries (e-mails, VPNs, SSO, etc.). One example of an email account previously used to send fake EDR requests on behalf of the Bangladesh Police was recently covered in a Bloomberg article illustrating the risk of such tactics.
In the experts’ opinion, one of the biggest concerns is the visible insecurity of law enforcement IT infrastructure: such infrastructure creates significant risk to society, not just in cyberspace but in real life too. Organized crime, terrorists and extremist groups may leverage such access for malicious purposes.
The trend continues to grow as more law enforcement organizations have been impacted by cyberattacks this month. Just recently, the Conti ransomware group claimed to have attacked the Intelligence Agency in Peru and leaked its data, which set a significant precedent in the security community. DDoSecrets, another notable group of threat actors, has released 285,635 leaked emails from Nauru Police.
The most typical scenarios involving attacks on law enforcement systems include:
- Protest Activity (15%)
- Unauthorized Access (25%)
- Cyberespionage (40%)
- Law Enforcement Systems and Applications Abuse (8%)
- Data Theft (12%)
Based on the published research, such malicious activity is especially visible in countries of Latin America, South-East Asia, and offshore jurisdictions. Last year, Resecurity registered a targeted security incident involving one of the law enforcement organizations in the Middle East and its counterpart at one of the international police organizations.
“Sophisticated bad actors and APT groups are actively targeting law enforcement agencies worldwide. Traditional cybercriminals are also an important component in this process, as state-supported actors may be actively collaborating with them for further planned cyberattacks and targeted network intrusions. Investigation of such incidents is a complicated process due to the significant sensitivity involved” – said Christian Lees, CTO of Resecurity, Inc.
Resecurity® is committed to protecting consumers and enterprises all over the globe, and is actively involved in public-private partnerships to share actionable cyber threat intelligence (CTI) with financial institutions, technology companies and law enforcement to ultimately minimize the risk of credentials being compromised and data breaches being executed.
For more details, see the original report published by Resecurity:
(SecurityAffairs – hacking, cybercrime)
The post Cyberattacks against law enforcement are on the rise appeared first on Security Affairs.
Hotel chain Marriott International suffered a new data breach, a threat actor has stolen 20GB from the company.
Hotel chain Marriott International confirmed it has suffered a new data breach after a threat actor stole 20GB of files from one of its properties.
The attacker compromised the network at the BWI Airport Marriott Maryland (BWIA), as confirmed later by the company.
The threat actor told the DataBreaches.net website that they had gained access to the Marriott property’s network about a month ago, adding that the 20GB of exfiltrated data included some credit card information and confidential information.
According to statements made to DataBreaches, the attackers also notified numerous Marriott employees about the security breach. The company initially responded to them, but later stopped communicating.
“This incident only involved one property. The threat actor did not gain access to Marriott’s core network. The access to one device at the property involved only lasted for approximately six hours,” a Marriott spokesperson told the media.
The threat actor attempted to extort Marriott by threatening to leak the stolen files, but the company refused to pay the ransom and notified the authorities.
Marriott also hired a leading cyber security firm to investigate the security breach.
“Marriott acknowledged that while most of the data acquired by GNN was what Marriott described as non-sensitive internal business files, they will be notifying approximately 300-400 individuals and any regulators, as required. They did not provide a full description as to what kinds of personal information were involved for the individuals being notified.” reported DataBreaches.
This isn’t the first incident suffered by Marriott; below is a list of some of the security breaches it has been the victim of:
- November 2018 – Starwood Data Breach – Hackers had accessed the guest reservation system of the Marriott-owned Starwood since 2014 and copied and encrypted the information of about 327 million guests.
- March 2021 – Marriott disclosed a new security breach, detected at the end of February 2020, that could impact up to 5.2 million of its guests.
(SecurityAffairs – hacking, data breach)
The post Marriott International suffered a new data breach, attackers stole 20GB of data appeared first on Security Affairs.
The development team behind the OpenSSL project fixed a high-severity bug in the library that could potentially lead to remote code execution.
The bug affects the RSA implementation with 2048-bit private keys on x86_64 machines that support the AVX512IFMA instructions: the computation is incorrect on such machines and triggers a memory corruption. A remote attacker can exploit the memory corruption to achieve code execution on the machine performing the computation.
The CVE-2022-2274 vulnerability was introduced in OpenSSL version 3.0.4 released on June 21, 2022.
“The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation.” reads the advisory published by the Project Maintainers. “SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.”
The OpenSSL software library secures communications over computer networks against eavesdropping and allows identifying the party at the other end. OpenSSL contains an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
The vulnerability was reported to project maintainers on 22nd June 2022 by Ph.D. student Xi Ruoyao who also developed the patch.
The flaw has been addressed with the release of OpenSSL version 3.0.5; users of the library should upgrade their installations as soon as possible.
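The advisory quoted above names three conditions that must all hold for a host to be exposed: an affected release (3.0.4), a CPU that advertises AVX512IFMA, and 2048-bit RSA private keys. The following triage script is an added example written for this post, not code from the OpenSSL project; it parses `openssl version` output and the `flags` lines of `/proc/cpuinfo`, combines them with the key size (which it cannot infer and therefore takes as a parameter), and reports why a host is or is not affected. The sample version string and cpuinfo fragments are constructed for an offline run.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Conditions taken from the advisory quoted above: the bug was introduced in 3.0.4 and fixed
# in 3.0.5, and it only applies to 2048-bit RSA private keys on x86_64 CPUs with AVX512IFMA.
AFFECTED_VERSIONS = {"3.0.4"}
AFFECTED_KEY_BITS = 2048
AFFECTED_CPU_FLAG = "avx512ifma"

# Constructed sample inputs (not captured from a real host) for an offline run.
SAMPLE_VERSION_OUTPUT = "OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)"
SAMPLE_CPUINFO_AFFECTED = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse sse sse2 avx avx2 avx512f avx512ifma avx512vbmi\n"
)
SAMPLE_CPUINFO_UNAFFECTED = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse sse sse2 avx avx2\n"
)


def parse_openssl_version(version_output: str) -> Optional[str]:
    """Extract the x.y.z release number from `openssl version` output, or None if absent."""
    match = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+)", version_output)
    return match.group(1) if match else None


def cpu_has_flag(cpuinfo_text: str, flag: str) -> bool:
    """Return True if any 'flags' line of /proc/cpuinfo advertises the given feature."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flag_list = line.partition(":")
            if flag in flag_list.split():
                return True
    return False


def assess(version_output: str, cpuinfo_text: str, key_bits: int) -> Dict[str, object]:
    """Combine the three advisory conditions; a host is affected only if all of them hold."""
    version = parse_openssl_version(version_output)
    not_affected_because: List[str] = []
    if version is None:
        not_affected_because.append("could not determine the OpenSSL version")
    elif version not in AFFECTED_VERSIONS:
        not_affected_because.append(f"OpenSSL {version} is not an affected release")
    if not cpu_has_flag(cpuinfo_text, AFFECTED_CPU_FLAG):
        not_affected_because.append(f"CPU does not advertise {AFFECTED_CPU_FLAG}")
    if key_bits != AFFECTED_KEY_BITS:
        not_affected_because.append(f"{key_bits}-bit RSA keys are not affected")
    return {
        "version": version,
        "affected": not not_affected_because,
        "not_affected_because": not_affected_because,
    }


def main() -> None:
    """Check the local host, falling back to the constructed samples where inputs are unavailable."""
    try:
        version_output = subprocess.run(
            ["openssl", "version"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        version_output = SAMPLE_VERSION_OUTPUT
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            cpuinfo_text = fh.read()
    except OSError:
        cpuinfo_text = SAMPLE_CPUINFO_UNAFFECTED
    # The key size is a deployment fact this script cannot infer; 2048 is assumed here.
    verdict = assess(version_output, cpuinfo_text, AFFECTED_KEY_BITS)
    status = "AFFECTED" if verdict["affected"] else "not affected"
    print(f"OpenSSL {verdict['version']}: {status}")
    for reason in verdict["not_affected_because"]:
        print(f"  - {reason}")


if __name__ == "__main__":
    main()
```

Note that a service linked against a bundled or statically linked copy of OpenSSL will not be reflected in the system `openssl` binary's version, so the version check should be repeated for each such service; the CPU-flag check applies host-wide.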
(SecurityAffairs – hacking, encryption)
The post OpenSSL version 3.0.5 fixes a flaw that could potentially lead to RCE appeared first on Security Affairs.
Cybersecurity researchers warn of new malware, tracked as OrBit, which is a fully undetected Linux threat.
Cybersecurity researchers at Intezer have uncovered a new Linux malware, tracked as OrBit, that is still undetected.
The malware can be installed either as a volatile implant or by achieving persistence on the compromised system. It implements advanced evasion techniques and hooks key functions to maintain persistence on the infected systems. OrBit allows operators to gain remote access over SSH, harvests credentials, and logs TTY commands.
“Once the malware is installed it will infect all of the running processes, including new processes, that are running on the machine.” reads the analysis published by the experts. “Unlike other threats that hijack shared libraries by modifying the environment variable LD_PRELOAD, this malware uses 2 different ways to load the malicious library. The first way is by adding the shared object to the configuration file that is used by the loader. The second way is by patching the binary of the loader itself so it will load the malicious shared object.”
Experts noticed similarities between the threat and the recently disclosed Symbiote malware which is designed to infect all of the running processes on the compromised machines.
Unlike Symbiote, which leverages the LD_PRELOAD environment variable to load the shared object, OrBit employs two different methods: in the first, the shared object is added to the configuration file that is used by the loader; in the second, the binary of the loader itself is patched to load the malicious shared object.
The malicious payload is a shared object (.so file) that can be placed either in persistent storage, for example /lib/libntpVnQE6mk/, or in shared memory under /dev/shm/ldx/. Placing the payload in the first path allows the threat to gain persistence; otherwise, it is volatile.
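The first loading method described above (an entry in the loader's configuration file) and the persistent-versus-volatile distinction both leave traces a defender can look for. The script below is an added example written for this post, not code from Intezer or from the malware analysis; it reads the contents of `/etc/ld.so.preload`, which glibc's loader treats as a whitespace-separated list of objects to preload into every dynamically linked process, and flags entries that sit in the directories named in the write-up, that live on the `/dev/shm` tmpfs (volatile), that are outside the usual library directories, or that do not exist. The file names inside those directories are constructed placeholders, and the list of expected library prefixes is an assumption made for the example.

```python
import os
from dataclasses import dataclass
from typing import Callable, List

# Directories named in the Intezer write-up quoted above for the OrBit shared object.
ORBIT_KNOWN_DIRS = ("/lib/libntpVnQE6mk/", "/dev/shm/ldx/")
# The dynamic loader preloads every object listed here into every dynamically linked
# process; on most hosts the file does not exist at all.
LD_SO_PRELOAD = "/etc/ld.so.preload"
# Where distribution packages normally install libraries (assumption made for this example).
EXPECTED_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

# Constructed sample contents of /etc/ld.so.preload: the file names are made up, only the
# directory names come from the write-up.
SAMPLE_PRELOAD = (
    "/lib/libntpVnQE6mk/constructed_example.so\n"
    "/dev/shm/ldx/constructed_example.so\n"
)


@dataclass
class Finding:
    entry: str
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def persistence_class(entry: str) -> str:
    """'volatile' for objects on the /dev/shm tmpfs (gone on reboot), 'persistent' otherwise."""
    return "volatile" if entry.startswith("/dev/shm/") else "persistent"


def inspect_preload(content: str, exists: Callable[[str], bool] = os.path.exists) -> List[Finding]:
    """Examine each entry of an ld.so.preload body and collect the reasons it deserves attention.

    `exists` is injectable so the logic can be exercised on constructed input offline.
    """
    findings: List[Finding] = []
    for entry in content.split():  # the file is a whitespace-separated list of paths
        reasons: List[str] = []
        if any(entry.startswith(d) for d in ORBIT_KNOWN_DIRS):
            reasons.append("path matches a directory named in the OrBit write-up")
        if persistence_class(entry) == "volatile":
            reasons.append("library lives in tmpfs: a volatile implant that vanishes on reboot")
        if not entry.startswith(EXPECTED_LIB_PREFIXES):
            reasons.append("library is outside the usual system library directories")
        if not exists(entry):
            reasons.append("file does not exist (stale entry, or hidden from this process)")
        findings.append(Finding(entry, reasons))
    return findings


def main() -> None:
    """Inspect the real file if present; otherwise demonstrate on the constructed sample."""
    if os.path.isfile(LD_SO_PRELOAD):
        with open(LD_SO_PRELOAD, encoding="utf-8") as fh:
            content = fh.read()
        print(f"{LD_SO_PRELOAD} is present; confirm every entry below against the package manager")
    else:
        content = SAMPLE_PRELOAD
        print(f"{LD_SO_PRELOAD} is absent on this host; showing the constructed sample instead")
    for finding in inspect_preload(content):
        label = "SUSPICIOUS" if finding.suspicious else "review"
        print(f"[{label}] {finding.entry} ({persistence_class(finding.entry)})")
        for reason in finding.reasons:
            print(f"    - {reason}")


if __name__ == "__main__":
    main()
```

Because the malware hooks libc functions inside every process, a check run from a possibly infected host can be lied to; running it from a rescue environment or against a mounted disk image is more reliable. The second loading method (a patched loader binary) is not covered by this script; the complementary check is verifying the loader against the package manager's recorded checksums (for example `dpkg --verify` on Debian-based systems or `rpm -V` on RPM-based ones).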
The backdoor hooks the read and write functions to log data that is being written by the executed processes on the infected machine.
“The shared object hooks functions from 3 libraries: libc, libcap and Pluggable Authentication Module (PAM). Existing processes that use these functions will essentially use the modified functions, and new processes will be hooked with the malicious library as well, allowing the malware to infect the whole machine and harvest credentials, evade detection, gain persistence and provide remote access to the attackers.” the experts continue.
The experts pointed out that the malware stands out for its almost hermetic hooking of libraries. Linux threats continue to evolve: recently, other sophisticated Linux malware such as Symbiote and Syslogk was spotted in the wild by researchers.
“Threats that target Linux continue to evolve while successfully staying under the radar of security tools, now OrBit is one more example of how evasive and persistent new malware can be.” concludes the report.
(SecurityAffairs – hacking, OrBit)
The post OrBit, a new sophisticated Linux malware still undetected appeared first on Security Affairs.
I’m proud to announce that the European Union Agency for Cybersecurity, ENISA, has released the Threat Landscape Methodology.
Policy makers, risk managers and information security practitioners need up-to-date and accurate information on the current threat landscape, supported by threat intelligence. The EU Agency for Cybersecurity (ENISA) Threat Landscape report has been published on an annual basis since 2013. The report uses publicly available data and provides an independent view on observed threat agents, trends and attack vectors.
ENISA aims at building on its expertise and enhancing this activity so that its stakeholders receive relevant and timely information for policy-creation, decision-making and applying security measures, as well as in increasing knowledge and information for specialised cybersecurity communities or for establishing a solid understanding of the cybersecurity challenges related to new technologies.
The added value of ENISA cyberthreat intelligence efforts lies in offering updated information on the dynamically changing cyberthreat landscape. These efforts support risk mitigation, promote situational awareness and proactively respond to future challenges.
Following the revised form of the ENISA Threat Landscape Report 2021, ENISA continues to further improve this flagship initiative.
ENISA seeks to provide targeted as well as general reports, recommendations, analyses and other actions on future cybersecurity scenarios and threat landscapes, supported through a clear and publicly available methodology.
By establishing the ENISA Cybersecurity Threat Landscape (CTL) methodology, the Agency aims to set a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered:
- Horizontal threat landscapes, such as the overarching ENISA Threat Landscape (ETL), a product which aims to cover holistically a wide-range of sectors and industries.
- Thematic threat landscapes, such as the ENISA Supply Chain Threat Landscape, a product which focuses on a specific theme, but covers many sectors.
- Sectorial threat landscape, such as the ENISA 5G Threat Landscape, focuses on a specific sector. A sectorial threat landscape provides more focused information for a particular constituent or target group.
Recognising the significance of systematically and methodologically reporting on the threat landscape, ENISA has set up an ad hoc Working Group on Cybersecurity Threat Landscapes (CTL WG) consisting of experts from European and international public and private sector entities.
The scope of the CTL WG is to advise ENISA in designing, updating and reviewing the methodology for creating threat landscapes, including the annual ENISA Threat Landscape (ETL) Report. The WG enables ENISA to interact with a broad range of stakeholders for the purpose of collecting input on a number of relevant aspects. The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL).
You can download the ENISA Threat Landscape Methodology here:
(SecurityAffairs – hacking, ENISA Threat Landscape Methodology)
US authorities have issued a joint advisory warning of North Korea-linked APTs using Maui ransomware in attacks against the Healthcare sector.
The FBI, CISA, and the U.S. Treasury Department issued a joint advisory warning of North Korea-linked threat actors using Maui ransomware in attacks aimed at organizations in the Healthcare sector.
“The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.” reads the advisory published by US authorities.
The attacks against Healthcare and Public Health (HPH) Sector organizations started in May 2021 and government experts observed multiple cases that involved the use of the Maui ransomware.
The report provides information about tactics, techniques, and procedures (TTPs) of the threat actors using the Maui ransomware along with indicators of compromise (IOCs) that were obtained by government experts during incident response activities and industry analysis of a Maui sample.
North Korean nation-state actors used Maui ransomware to encrypt servers providing healthcare services, including electronic health records services, diagnostics services, imaging services, and intranet services.
The report confirmed that in some cases the attacks disrupted the services provided by the targeted HPH Sector organizations for prolonged periods.
The joint report refers to an industry analysis of a sample of Maui provided in Stairwell Threat Report: Maui Ransomware. According to the analysis, the malware appears to be human-operated ransomware.
This ransomware uses a combination of Advanced Encryption Standard (AES), RSA, and XOR encryption to encrypt the files on the infected systems.
The FBI states that North Korea-linked threat actors are targeting healthcare organizations because they are critical infrastructure and the likelihood that they will pay ransoms is expected to be higher. Government experts believe that attacks against healthcare organizations are likely to continue in the coming years.
The joint report includes mitigations for ransomware attacks with a focus on the healthcare industry.
(SecurityAffairs – hacking, ransomware)
The post North Korea-linked APTs use Maui Ransomware to target the Healthcare industry appeared first on Security Affairs.