Horizon3.ai Principal Security SME Stephen Gates and JTI Cybersecurity Principal Consultant Jon Isaacson discuss:
– What JTI does to validate things like access control, data loss prevention, ransomware protection, and intrusion detection approaches.
– How #pentesting and red team exercises allow orgs to validate the effectiveness of their security controls.
– Why offensive operations work best to discover and mitigate exploitable vulnerabilities in their clients’ infrastructures.
Outsmart evolving cyber threats with Threat Hunting Essentials. This hands-on training path builds expertise in threat actor analysis, advanced hunting techniques, and data analysis.
Today on Cyber Work, our deep-dive into manufacturing and operational technology (OT) cybersecurity brings us to the problem of endpoint security. Tom Molden, CIO of Global Executive Engagement at Tanium, has been grappling with these problems for a while. We talk about his early, formative tech experiences (pre-Windows operating system!), his transformational move from fiscal strategy and implementation into his first role as chief information officer, and talk through the interlocking problems that come from connected manufacturing devices and the specific benefits and challenges to be found in strategizing around the endpoints. All of the endpoints.
0:00 - Manufacturing and endpoint security
1:44 - Tom Molden's early interest in computers
4:06 - Early data usage
6:26 - Becoming a CIO
10:29 - Difference between a CIO and CISO
14:57 - Problems for manufacturing companies
18:45 - Best CIO problems to solve in manufacturing
22:51 - Security challenges of manufacturing
26:00 - The scope of endpoint issues
33:27 - Endpoints in manufacturing security
37:12 - How to work in manufacturing security
39:29 - Manufacturing security skills gaps
41:54 - Gain manufacturing security work experience
43:41 - Tom Molden's best career advice received
46:26 - What is Tanium
47:58 - Learn more about Tom Molden
48:34 - Outro
About Infosec Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Cyber Threat Intelligence (CTI) is about communicating the latest information on threat actors and incidents to organizations in a timely manner. Analysis in these areas allows an organization to maintain situational awareness of the current threat landscape, organizational impacts, and threat actor motives. The level of information that needs to be conveyed depends on the specific team within CTI, since the required granularity depends on who you’re speaking to.
Infosec and Cyber Work Hacks are here to help you pass the CCNA exam! For today’s Hack, Wilfredo Lanz, Infosec bootcamp instructor in charge of Cisco’s CCNA certification, walks us through four sample CCNA questions, walking through each answer and discounting the wrong ones with explanations, allowing you to reach the right answer in a logical and stress-free way. And the only way you’re going to see it is by staying right here for this Cyber Work Hack!
0:00 - CCNA exam sample questions
1:31 - Different types of CCNA exam questions
3:34 - First CCNA exam sample question
8:34 - Second CCNA exam sample question
13:52 - Third CCNA exam sample question
20:47 - Fourth CCNA exam sample question
25:22 - Infosec CCNA boot camp practice exam
27:04 - Advice for CCNA exam day
28:46 - Outro
Hello, cybersecurity enthusiasts and white hackers!
This post is the result of my own research on trying to evade AV engines by encrypting the payload with another algorithm: SAFER. As usual, while exploring various crypto algorithms, I decided to check what would happen if we apply this one to encrypt/decrypt the payload.
SAFER
SAFER (Secure And Fast Encryption Routine) is a symmetric block cipher designed by James Massey. SAFER K-64 specifically refers to the variant with a 64-bit key size. It’s notable for its nonproprietary nature and has been incorporated into some products by Cylink Corp.
SAFER K-64 operates as an iterated block cipher, meaning the same function is applied for a certain number of rounds. Each round utilizes two 64-bit subkeys, and the algorithm exclusively employs operations on bytes. Unlike DES, SAFER K-64 is not a Feistel network.
practical example
For a practical example, here is the step-by-step flow of the SAFER-64 encryption as used in this post:
// extract left and right halves of the data block
// (assumes uint32_t L, R, T, an int i, and uint32_t data_ptr[2], key_ptr[8]; not declared in the original snippet)
L = data_ptr[0];
R = data_ptr[1];
// SAFER-64 encryption rounds
for (i = 0; i < ROUNDS; i++) {
    T = R ^ key_ptr[i % 4];
    T = (T << 1) | (T >> 31);      // rotate left by 1 bit
    L ^= (T + R);
    T = L ^ key_ptr[(i % 4) + 4];
    T = (T << 1) | (T >> 31);      // rotate left by 1 bit
    R ^= (T + L);
}
// update the data block with the encrypted values
data_ptr[0] = L;
data_ptr[1] = R;
What about decryption logic? The decryption process is not much different from encryption:
// extract left and right halves of the data block
// (same assumed declarations as in the encryption snippet)
L = data_ptr[0];
R = data_ptr[1];
// SAFER-64 decryption rounds, walked in reverse order
for (i = ROUNDS - 1; i >= 0; i--) {
    T = L ^ key_ptr[(i % 4) + 4];
    T = (T << 1) | (T >> 31);      // rotate left by 1 bit
    R ^= (T + L);
    T = R ^ key_ptr[i % 4];
    T = (T << 1) | (T >> 31);      // rotate left by 1 bit
    L ^= (T + R);
}
// update the data block with the decrypted values
data_ptr[0] = L;
data_ptr[1] = R;
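To check that the two snippets above really invert each other, here is the same round structure written as a self-contained Python program (an added example, not code from the post). It reproduces the 32-bit rounds exactly as shown, so it is the post's construction and not the reference SAFER K-64 algorithm, which operates on bytes with a PHT layer and exp/log S-boxes. The round count (ROUNDS = 8), the eight 32-bit subkeys and the sample block are assumptions for the demo; the post does not state them.

```python
# Added example (not code from the post): the post's 32-bit Feistel-style
# round structure, written in Python so the encrypt/decrypt pair can be
# round-trip tested. It reproduces the rounds exactly as shown above; it is
# NOT the reference SAFER K-64 algorithm, which works on bytes with a PHT
# layer and exp/log S-boxes. ROUNDS, the sample key and the sample block are
# assumptions for the demo; the post does not state them.
import struct
from typing import List, Tuple

MASK32 = 0xFFFFFFFF
ROUNDS = 8  # assumed round count; the post's code uses an undefined ROUNDS

Block = Tuple[int, int]   # (L, R) as two 32-bit words
Key = List[int]           # eight 32-bit subkeys: key[0..3] and key[4..7]


def rotl1(x: int) -> int:
    """Rotate a 32-bit word left by one bit, i.e. the post's (T<<1)|(T>>31)."""
    return ((x << 1) | (x >> 31)) & MASK32


def encrypt_block(block: Block, key: Key) -> Block:
    """Apply the post's encryption rounds to one 64-bit block."""
    L, R = block
    for i in range(ROUNDS):
        T = rotl1(R ^ key[i % 4])
        L ^= (T + R) & MASK32            # new L depends only on the current R
        T = rotl1(L ^ key[(i % 4) + 4])
        R ^= (T + L) & MASK32            # new R depends only on the updated L
    return L, R


def decrypt_block(block: Block, key: Key) -> Block:
    """Undo the rounds in reverse order; each XOR update is its own inverse."""
    L, R = block
    for i in reversed(range(ROUNDS)):
        T = rotl1(L ^ key[(i % 4) + 4])
        R ^= (T + L) & MASK32
        T = rotl1(R ^ key[i % 4])
        L ^= (T + R) & MASK32
    return L, R


def _blocks(data: bytes) -> List[Block]:
    """Split data into little-endian (L, R) word pairs; no padding scheme here."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes")
    return [struct.unpack("<II", data[i:i + 8]) for i in range(0, len(data), 8)]


def encrypt_bytes(data: bytes, key: Key) -> bytes:
    """ECB-style application of the block function: each block is independent."""
    return b"".join(struct.pack("<II", *encrypt_block(b, key)) for b in _blocks(data))


def decrypt_bytes(data: bytes, key: Key) -> bytes:
    return b"".join(struct.pack("<II", *decrypt_block(b, key)) for b in _blocks(data))


# Constructed demo values (assumptions, not from the post).
DEMO_KEY: Key = [0x0F1E2D3C, 0x4B5A6978, 0x8796A5B4, 0xC3D2E1F0,
                 0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210]
DEMO_PLAINTEXT = b"ABCDEFGH" * 2   # two identical 64-bit blocks


def demo() -> Tuple[bytes, bytes]:
    """Return (ciphertext, recovered plaintext) for the constructed demo input."""
    ct = encrypt_bytes(DEMO_PLAINTEXT, DEMO_KEY)
    return ct, decrypt_bytes(ct, DEMO_KEY)


if __name__ == "__main__":
    ct, pt = demo()
    print("ciphertext:", ct.hex())
    print("round-trip ok:", pt == DEMO_PLAINTEXT)
```

Two properties of this construction are worth noticing from a defender's side: with an all-zero key the all-zero block maps to itself (every T is 0), and because the blocks are processed independently, the two identical plaintext blocks in the demo produce identical ciphertext blocks, so repeated structure in an encrypted payload survives encryption and remains visible to byte-level analysis.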
The corresponding SAFER-64 decryption function looks like this:
24 of 70 AV engines detect our file as malicious, as expected.
As you can see, this algorithm encrypts the payload quite well, but the file is still detected by many AV engines, so on its own it is poorly suited for bypassing them. This is most likely because a well-studied method of launching the payload is used; if you apply anti-debugging, anti-disassembly and anti-VM tricks, the result will be better.
The Singapore government has considered using SAFER with a 128-bit key for various applications due to its lack of patent, copyright, or other restrictions, making it an attractive choice for widespread adoption.
I hope this post spreads awareness of this interesting encryption technique among blue teamers, and adds a weapon to the red teamers’ arsenal.
The following is an excerpt from our new module on the recent XZ Utils backdoor, CVE-2024-3094.
On Mar 29, 2024, at 12:00PM ET, Andres Freund posted on the Openwall mailing list about a backdoor he discovered in the XZ Utils package. The backdoor targeted the OpenSSH binary, allowing remote code execution on impacted machines. This backdoor was not located in the GitHub repository, but only in release versions of the package, which hid its presence.
Given that XZ Utils had been installed (directly or indirectly) on billions of Linux systems worldwide, this finding stunned the international Linux and infosec communities.
Did you know that 95% of cybersecurity breaches are caused by human error? Traditional training methods often fail to address this critical factor, leaving organizations exposed. OffSec Versus, part of the Enterprise Cyber Range, is designed to change that. It’s a live-fire training environment where your Red and Blue teams learn by doing, battling head-to-head, and developing the essential collaboration skills needed to neutralize real-world attacks.
Versus Explained
OffSec Versus exists to bridge the gap between traditional cybersecurity training and the dynamic, collaborative teamwork needed to defend against modern threats.
Versus is a realistic, adversarial training environment within the Enterprise Cyber Range, enabling Red and Blue teams to engage in realistic, scored tournaments. In a real-world attack,
AT&T Cybersecurity’s head of evangelism, Theresa Lanowitz, is today's guest. Lanowitz has amazing and wide-ranging career achievements, from her time with analyst firms Gartner and Voke, work on Java’s JBuilder environment and strategic marketing for the Jini Project, which was proto-IoT going back to the late ‘90s! With all of these incredible stories, we talked far and wide about manufacturing security concerns, she breaks down the key pain points around edge computing and talks extensively about her love of both the English language and programming languages of all sorts. They all have grammar, they all have style, and if you’re a linguist or a lover of learning new languages, perhaps computer languages are an opportunity you hadn’t pursued? All that and a ton more – seriously, I could have talked to Lanowitz for hours – on today’s episode of Cyber Work.
0:00 - Manufacturing security
2:02 - Theresa Lanowitz’s early interest in computers
3:52 - Learning programming languages in the early days
6:12 - English language’s connection to programming language
8:24 - Evolution of programming language
11:55 - How language impacts programming
13:52 - Lanowitz’s cybersecurity career
17:20 - An average day as head of cybersecurity evangelism
22:53 - Edge computing use in manufacturing
26:35 - Biggest security issues in manufacturing
30:02 - The bad actors in manufacturing security
33:41 - Manufacturing cybersecurity technology
39:02 - Skills needed to work in manufacturing cybersecurity
41:00 - Biggest skills gaps in manufacturing security
41:44 - Best cybersecurity career advice
42:15 - Where are manufacturing security issues heading?
45:06 - Security issues with third-party vendors
47:53 - Learn more about AT&T cybersecurity
48:48 - Learn more about Theresa Lanowitz
49:04 - Outro
Zach Hanley, Horizon3.ai Chief Attack Engineer, and James Horseman, Exploit Developer, join John Furrier of theCUBE to discuss Fortinet CVE-2022-40864.
Many penetration tests are only point-in-time and/or manual. In this Horizon3.ai sponsored webcast from SANS, take a First Look at how Horizon3.ai’s NodeZero takes on the pen test problem.
Listen to SANS Senior Instructor Dave Shackleford and Horizon3.ai’s CEO and Co-Founder Snehal Antani discuss the platform’s highlights and why it might be right for your organization.
Introduction
In November 2023, the Yarix Cyber Threat Intelligence team (YCTI) intercepted a set of suspicious phishing emails addressed to digital marketing agencies that were impersonating different famous fashion brands. Through the analysis of these emails, we uncovered the activities of a Vietnamese cybercriminal group distributing a malicious Python-based infostealer, tracked as BlueDuck, aimed to […]
Managed security service providers (MSSPs) and managed services providers (MSPs) tell us that in today’s cyber threat environment, securing customer environments while still maintaining profit margins and growing adoption of their services is an ongoing challenge. The NodeZero™ platform enables you to proactively and efficiently probe your customers’ networks for weaknesses that go beyond known and patchable vulnerabilities, such as credentials open to compromise, exposed data, misconfigurations, poor security controls, and weak policies.
State, local and education (SLED) organizations have unique cybersecurity pain points. Because they rely on taxpayer dollars, SLED organizations are often trying to do more with less.
Demand for #pentesting expertise is at an all-time high, and many orgs are struggling to meet their annual requirements for the PCI DSS v4.0. This webinar explains how our services fulfill your pentesting requirements and help you streamline your remediation efforts. You’ll learn about:
– Horizon3.ai’s human-machine teaming approach for compliance pentesting
– How we fully address requirement 11.4 of the PCI DSS and pentesting for the Self-Assessment Questionnaires (SAQs)
– A practitioner’s view of how #NodeZero helps orgs efficiently interpret and remediate their penetration test report
The emphasis on technical skills and knowledge in cybersecurity has always been present. However, as the field becomes increasingly complex and intertwined with every facet of business operations, the spotlight has shifted to the indispensable role soft skills hold in cybersecurity leadership.
This perspective was the focal point of our recent webinar, led by Thereasa Roy of OffSec and featuring the insights of Jason Haddix, CEO of Arcanum Information Security. Jason delved into the pivotal role that soft skills—such as strategic communication, empathy, and storytelling—play in navigating the challenges of cybersecurity.
As we’ve seen with recent attacks like the one on casino giant MGM, cyber threats are technical but also deeply rooted in human behaviors and interactions.
Long time no hear in terms of Evilginx updates. While I'm still working on the release of Evilginx Pro, I've decided to fix a few issues and add new features to the public version of Evilginx, in the meantime.
First of all, I wanted to thank everyone for the great feedback and insightful discussions in the BREAKDEV RED community Discord. All of the reported issues and suggestions led to the improvement of Evilginx and this update is the fruit of such great community feedback.
Additionally, I wanted to use this opportunity to thank everyone for sending their applications to access BREAKDEV RED. We've gathered an incredible number of security professionals (almost 850 at the time of writing) and every day I'm learning something new from you guys, which I'm super grateful for. Hell, I've even finally fully understood how to properly configure the SPF/DKIM/DMARC combo thanks to all the discussion on the subject.
Vetting the applications takes a lot of time and before I open the registrations again, to the public, I'd like to automate the verification process a bit. Once I do this, requesting access to the community should be more accessible to everyone.
Allowing access only to red teamers with a clean conscience is still of utmost importance to me and it is the base for creating a friendly atmosphere, which fuels guilt-free information sharing.
This time I have something special for you. Never before have I had a request so popular that it was mentioned in 90% of all BREAKDEV RED application forms. Let it be known that your pleas have been heard.
That's right - you will finally be able to create phishing campaigns for sending emails with valid Evilginx lure URLs and enjoy all the benefits of GoPhish's lovely UI, seeing which emails were opened, which lure URLs were clicked and which clicks resulted in successful session capture.
Here is the full list of changes coming in Evilginx 3.3 together with a full guide on how to use all the new features.
GoPhish Support
I've forked GoPhish and added the integration with Evilginx in the cleanest way possible. If you were using your custom version of GoPhish, merging Evilginx integration with your own fork should be relatively easy.
I have made the integration in such a way that Evilginx notifies GoPhish of the following events when they occur:
A hidden image tracker is triggered when the email is opened. The tracker image is just a lure URL with specific parameters to let Evilginx know it should be used as a tracker.
A phishing link is clicked within the email message. The phishing link within the email message sent through GoPhish is just the lure URL with embedded parameters.
The session is successfully captured with Evilginx. Once Evilginx gathers the credentials and logs the cookies, it will notify GoPhish that the data has been submitted.
I've exposed additional API endpoints in GoPhish to make it possible to change the results status for every sent email.
Now, when you create a new campaign in GoPhish, you do not have a "Landing Page" to select. Instead, you will generate a lure URL in Evilginx and paste it into the "Evilginx Lure URL" text box.
What's more, GoPhish will automatically generate the encrypted custom parameters with personalized content, retrievable by Evilginx, for each embedded link. The personalized values embedded with every phishing link embedded within the generated email message are the following:
First Name (fname)
Last Name (lname)
Email (email)
This is super useful as you can use the custom parameters further to customize the content on your phishing pages within your js_inject scripts.
Let's say you wanted to pre-fill the email in the sign-in text box on the phishing page. Now you can just use the {email} placeholder within your injected script and you can be sure that GoPhish will deliver the right value for you. The same goes for {fname} and {lname}.
GoPhish will also embed the rid (Result ID) in the phishing link's parameters, so that Evilginx will know for which result it should update the status.
You can monitor the status of your mailing campaigns and check email deliverability, straight from GoPhish, but Evilginx will be the only side storing the credentials and authentication cookies.
How to set up GoPhish with Evilginx?
First of all, you need to get GoPhish from my forked GoPhish repository. You can either clone the source code and build it yourself, or grab the binaries from releases.
Deploy GoPhish on the external server. It doesn't have to be the same server Evilginx is running on, but it will have to be reachable by your Evilginx instances. You can find out how to install GoPhish in its official documentation.
Once you have GoPhish running on a remote server and you also have Evilginx deployed and ready for action, you will need to tell Evilginx how it can communicate with your GoPhish server.
Configuring Evilginx
For this, you will need the Admin URL of your GoPhish instance and the API key. You can find the API key within the Account Settings in your GoPhish admin panel. To figure out the IP and port of your GoPhish instance, refer to the official documentation.
For example, if your GoPhish admin server is running on an IP 1.2.3.4 listening on port 3333, with TLS enabled, you can set it up as follows:
If you do not use a valid TLS certificate for the exposed GoPhish instance, you may need to allow insecure TLS connections as well (such connections can be man-in-the-middled, so tread carefully):
config gophish insecure true
Once all this is configured, your Evilginx instance is ready to go. You can test if the communication with GoPhish works properly by issuing the command:
Make sure GoPhish is running either in a tmux session or you set it up to run as a daemon. You can find more information on how to do it in this GitHub issue.
Once you have everything properly set up, it is time to set up your Campaign. Create the new campaign and then select the Email Template, Sending Profile and the group of recipients. You may notice that instead of being asked for the Landing Page profile you need to provide the Evilginx Lure URL.
Open your Evilginx instance, create the lure and grab the lure URL you want to send out in your phishing campaign, using the command:
lures get-url <id>
Copy this URL and paste it into the Evilginx Lure URL text field of the campaign creation panel.
That's it! You can now send out the campaign emails while enjoying the full overview of your campaign progress within the GoPhish UI.
Custom TLS Certificates
Since the release of Evilginx 3.0, the tool has been using certmagic library for TLS certificate management with automated LetsEncrypt TLS certificate registration. Having to use only LetsEncrypt certificates is often not ideal as it may mark your phishing server, on an engagement, as suspicious.
Many people have requested support to use their own TLS certificates with Evilginx, including the wildcard certificates. This feature has finally been implemented.
To add your own TLS certificates, first, create a new directory under ~/.evilginx/crt/sites/ with the name of your website or hostname. The name does not matter and it can be anything you choose.
Evilginx will scan these directories looking for the public X.509 certificate and its matching private key. The X.509 certificate should have either the .pem or .crt extension, while the private key should have the .key extension.
For convenience, Evilginx will also recognize the keypair generated by CertBot, where the public certificate is named fullchain.pem and the private key is privkey.pem. You can copy both files into the same directory to add such a TLS certificate generated by CertBot.
Once you put your custom TLS certificates in the right place, don't forget to disable automated LetsEncrypt certificate retrieval with:
config autocert off
IMPORTANT! Make sure the private key files are not password-protected or otherwise Evilginx may fail to load them.
The CertMagic library will automatically add the TLS certificates to the managed pool and respond with a valid TLS certificate for the matching hostname.
HTTP Proxy IP Detection
I know some of you use Caddy, Apache or Nginx as an additional proxy layer, sitting in front of the Evilginx instance. This created an issue for Evilginx to properly detect the origin IP address of incoming requests. Since all requests were proxied through a local web server, the origin IP would default to 127.0.0.1, completely ignoring the additional HTTP headers added by the proxies, with the correct origin IP addresses as values.
Since this update, Evilginx will properly recognize the origin IP address of all proxied HTTP requests. The list of monitored HTTP headers is as follows:
Keanu Nys reported an issue, in the BREAKDEV RED channel, where he found that one of the online URL scanners he used was able to open the phishing page by visiting the URL with just a hostname, without a valid lure URL path.
There was a bug in Evilginx, which would only enforce valid lure URLs for phishing hostnames, which were defined with session: true in the proxy_hosts section of the phishlet file.
Upon closer inspection, I've decided that the session parameter never made sense and it is now obsolete. Every proxy_hosts entry is treated as if session was set to true.
Keanu wrote a great post-mortem post about the bug he found, so if you're interested in learning more about it, you can find it here.
Fixed the infinite redirection loop
Evilginx, since forever, had a very annoying bug, which would trigger the infinite redirection loop, whenever the lure URL path was set to be the same as the login path of the targeted website.
This has now been fixed and Evilginx will also make an additional check to compare if the lure URL contains the valid phishing domain used by the landing phishing page.
Added support for more TLDs
Over the years, there have been multiple new TLDs launched for registering domains. Evilginx will try hard to detect all URLs in proxied packets and convert them either from phishing domains to original domains or from original domains to phishing domains.
To be more efficient, it relies on the detection of URLs ending with known TLDs. Some of the newer TLDs have not been supported and this update changes that.
Here is the new list of all supported TLDs:
aero
arpa
art
biz
bot
cat
click
cloud
club
com
coop
edu
game
gov
inc
info
ink
int
jobs
live
lol
mil
mobi
museum
name
net
online
org
pro
root
shop
site
tech
tel
today
travel
vip
wiki
xyz
[all known 2 character TLDs]
Changelog
Here is the whole Evilginx 3.3 changelog with some additional changes and fixes I did not mention in this post:
Feature: Added support to load custom TLS certificates from a public certificate file and a private key file stored in ~/.evilginx/crt/sites/<hostname>/. Will load fullchain.pem and privkey.pem pair or a combination of a .pem/.crt (public certificate) and a .key (private key) file. Make sure to run without -developer flag and disable autocert retrieval with config autocert off.
Feature: Added ability to inject force_post POST parameters into JSON content body (by @yudasm_).
Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with config autocert <on/off>.
Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
Fixed: Added support for exported cookies with names prefixed with __Host- and __Secure-.
Fixed: Global unauth_url can now be set to an empty string to have the server return 403 on unauthorized requests.
Fixed: Unauthorized redirects and blacklisting would be ignored for proxy_hosts with session: false (default) making it easy to detect evilginx by external scanners.
Fixed: IP address 127.0.0.1 is now ignored from being added to the IP blacklist.
Fixed: Added support for more TLDs to use with phishing domains (e.g. xyz, art, tech, wiki, lol & more).
Fixed: Credentials will now be captured also from intercepted requests.
Conclusion
I'm happy to have finally been able to include the most requested features, together with some quality-of-life improvements, before the Evilginx Pro release this year.
Please let me know your feedback about the update, either on Twitter @mrgretzky or in BREAKDEV RED Discord.
Looking forward to your opinion!
If you're reading this before 3rd April 2024, you can still get a 30% discount for the Evilginx Mastery course, which I am constantly updating and you get access for a lifetime. Expect to see the GoPhish integration guide added sometime in the future.
Thomas Pace of NetRise talks about industrial control systems security. We’ll learn about Pace's time in the United States Marine Corps in cyber-intelligence, his move to forensics and then ICS and why the greatest asset a security professional can have is the ability to find, clearly see and create narratives. I always find ICS professionals to be fascinating, and Pace took us down some new paths, so if you’re also interested in ICS Security, keep it here for today’s episode of Cyber Work!
0:00 - Industrial Control Systems security
1:39 - How Pace got into cybersecurity
4:31 - The speed of cybersecurity's change
5:20 - Pace's career in cyber intelligence
10:08 - Importance of cybersecurity analysis
10:55 - Current state of ICS and infrastructure security in the U.S.
25:22 - How to work in ICS security
32:52 - Manufacturing security issues
38:00 - Security risks for cranes
40:51 - Best ICS security advice
44:09 - Best cybersecurity career advice
46:15 - What is NetRise?
47:40 - Learn more about Pace
48:25 - Outro
In 2024, the cybersecurity landscape is bleak, with 62% of organizations acknowledging a pressing need for enhanced cybersecurity skills amidst growing digital threats. This statistic underscores the urgent demand for comprehensive training in modern cybersecurity practices. In response to this critical need, OffSec is introducing a new suite of Cyber Ranges.
OffSec’s Cyber Ranges – our solution for realistic, high-impact cybersecurity training. This suite delivers a powerful combination:
Our Enterprise Cyber Range (ECR) with the groundbreaking live-fire capability in Versus, for Red vs. Blue training.
Enhanced Offensive and Defensive Cyber Ranges for deep-dive, specialized skill development.
Together, these ranges create an unmatched training experience for your entire cybersecurity team.
OffSec’s Enterprise Cyber Range
Traditional cybersecurity training often falls short.
Pentesters are well known for their technical skill sets: they simulate cyber attacks on computer systems, networks, or applications in a controlled environment, and their primary goal is to identify vulnerabilities and weaknesses in order to assess the security posture of a target system. Much of the work they do is technical in nature, but in order to help organizations understand and rectify their vulnerabilities before malicious hackers can exploit them, communicating that risk through report writing is nearly as important as finding the risk.
This is where soft skills like report writing become just as important as their technical skills.
In this blog post, we’ll address the value of report writing for penetration testers, show examples of reports, highlight some mistakes that are often made,
Horizon3.ai delivers sophisticated and timely penetration testing services tailored to fulfill the internal and external pentesting requirements of your cardholder data environment outlined by the Payment Card Industry Data Security Standard (PCI DSS) v4.0. Our offerings are executed with comprehensive coverage and meticulous attention to detail to fully address these stringent pentesting requirements.
Cloud Werewolf spearphishes for government employees in Russia and Belarus with fake spa vouchers and federal decrees
The attackers use phishing emails with seemingly legitimate documents and evade defenses by hosting the malicious payload on a remote server and limiting its downloads.
The BI.ZONE Threat Intelligence team has revealed another campaign by Cloud Werewolf aiming at Russian and Belarusian government organizations. According to the researchers, the group ran at least five attacks in February and March. The adversaries continue to rely on phishing emails with Microsoft Office attachments. Placing malicious content on a remote server and limiting the number of downloads enables the attackers to bypass defenses.
Key findings
Cloud Werewolf leverages topics that appeal to its targets to increase the likelihood that the malicious attachments get opened.
The IT infrastructure of government organizations provides ample opportunities for adversaries to exploit even old vulnerabilities. This is just another reminder of how crucial it is to proactively remediate vulnerabilities, especially those used in real attacks.
Placing the malicious payload on a remote server rather than inside an attachment increases the chances of bypassing defenses.
Campaign
Cloud Werewolf uses Microsoft Office documents with information targeting employees of government organizations. For instance, the file titled Путевки на лечение 2024.doc contains information on spa vouchers.
Another document is a federal agency decree titled Приказ [redacted] № ВБ-52фс.doc.
Yet another document, Инженерная записка.doc, lists the requirements for an engineering memo for public works.
Opening the attachment triggers the transfer of a document template from a remote source, such as https://triger-working[.]com/en/about-us/unshelling. The template is an RTF file that enables the attackers to exploit the CVE-2017-11882 vulnerability.
The successful exploitation and the execution of the shellcode allow the adversaries to do the following:
decrypt the malicious payload embedded in the shellcode with an XOR operation using a 2-byte key
download an HTA file containing a VBScript from a remote server and open the file
The script triggers actions that:
reduce the size of the window and move it outside the screen boundaries
retrieve the path to the AppData\Roaming folder by reading the APPDATA value of the HKCU\Volatile Environment registry key
create the file rationalistic.xml and write the following files to its alternate data streams:
— rationalistic.xml:rationalistic.hxn, the file with the malicious payload for connecting to the C2 server
— rationalistic.xml:rationalistic.vbs, one of the files responsible for decrypting and executing the malicious payload
— rationalistic.xml:rationalisticing.vbs, another file responsible for decrypting and executing the malicious payload
— rationalistic.xml:rationalisticinit.vbs, the file responsible for purging all the files in the folder C:\Users\[user]\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\ and for purging rationalistic.xml:rationalisticinit.vbs and rationalistic.xml:rationalisticing.vbs by opening those files in write mode
enable the autorun of rationalistic.xml:rationalistic.vbs by creating the defragsvc value with the data wscript /B "[path to the file rationalistic.xml:rationalistic.vbs]" in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run
run rationalistic.xml:rationalisticing.vbs and rationalistic.xml:rationalisticinit.vbs with the command wscript /B "[path to the file]"
By decrypting the malicious payload the adversaries can:
obtain a COM object for interacting with network resources by reading the ProgID from the registry key CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}\ProgID
use the proxy server whose address is retrieved from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
verify the presence of the defragsvc value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run and create it if missing
maintain the connection to the C2 server in an infinite loop
To obtain additional VBS files from the C2 server, the attackers send a GET request to the server's address (e.g., https://web-telegrama[.]org/podcast/accademia-solferino/backtracker) with the header User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) [domain name] Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0. The device's domain is retrieved from the USERDOMAIN value of the HKCU\Volatile Environment registry key. Files under 1 MB are executed in memory; larger files are saved to rationalistic.xml:rationalisticinit.vbs and launched with wscript /B "[path to the file rationalistic.xml:rationalisticinit.vbs]". If executed from rationalistic.xml:rationalisticing.vbs, the file name will be rationalistic.xml:rationalisticinginit.vbs instead. After execution, the file is purged by being opened in write mode.
If rationalistic.xml:rationalistic.tmp (or rationalistic.xml:rationalisticing.tmp, depending on the active file) is available, the specified file is sent to the C2 server through a POST request. After sending, the file is purged by being opened in write mode.
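The persistence and beaconing details above give a defender two concrete things to hunt for: a Run key value or wscript /B launch whose target is an alternate data stream, and a Chromium-style User-Agent with an extra token (the host's domain) wedged before "Chrome/". The following detection logic is an added example, not BI.ZONE's code; the Sysmon-style event lines and User-Agent strings are constructed here for illustration, and the field layout "<EventID>|<target>|<detail>" is an assumption of this example.

```python
import re

# Constructed Sysmon-style events (not from the report): "<EventID>|<target>|<detail>"
SAMPLE_EVENTS = [
    # Event 13 (registry value set): Run key value launching wscript /B on an ADS path
    r'13|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\defragsvc|wscript /B "C:\Users\alice\AppData\Roaming\rationalistic.xml:rationalistic.vbs"',
    # Event 15 (file stream created): script written to an alternate data stream of an .xml file
    r'15|C:\Users\alice\AppData\Roaming\rationalistic.xml:rationalisticing.vbs|',
    # Event 1 (process create): wscript /B on an ADS path
    r'1|C:\Windows\System32\wscript.exe|wscript /B "C:\Users\alice\AppData\Roaming\rationalistic.xml:rationalisticinit.vbs"',
    # Benign entries that must not fire
    r'13|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    r'1|C:\Windows\System32\wscript.exe|wscript.exe "C:\Scripts\logon.vbs"',
]

# A Windows path followed by ':' and a stream name (the drive colon is consumed first).
ADS_PATH = re.compile(r'[A-Za-z]:\\[^:"]+:[^\\"\s]+')
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\', re.IGNORECASE)
WSCRIPT_BATCH = re.compile(r'\bwscript(?:\.exe)?\s+/B\b', re.IGNORECASE)
SCRIPT_STREAM = (".vbs", ".hxn")  # stream extensions named in the report


def detect_endpoint(events):
    """Return (rule, evidence) tuples for events matching the ADS persistence pattern."""
    findings = []
    for line in events:
        event_id, target, detail = line.split("|", 2)
        if event_id == "13" and RUN_KEY.search(target) and ADS_PATH.search(detail):
            findings.append(("run_key_ads", target))
        elif event_id == "15" and ADS_PATH.search(target) and target.lower().endswith(SCRIPT_STREAM):
            findings.append(("ads_script_written", target))
        elif event_id == "1" and WSCRIPT_BATCH.search(detail) and ADS_PATH.search(detail):
            findings.append(("wscript_batch_ads", detail))
    return findings


# Genuine Chromium-family UAs put "Chrome/" (or "Version/" for Android WebView) right after
# "(KHTML, like Gecko)"; the beacon described above inserts the machine's domain there.
UA_INJECTED = re.compile(r'\(KHTML, like Gecko\)\s+(?!Chrome/|Version/)(\S+)\s+Chrome/')


def ua_injected_token(user_agent):
    """Return the foreign token found before 'Chrome/' in a proxy-log User-Agent, else None."""
    match = UA_INJECTED.search(user_agent)
    return match.group(1) if match else None


if __name__ == "__main__":
    for rule, evidence in detect_endpoint(SAMPLE_EVENTS):
        print(f"[{rule}] {evidence}")
    # Constructed beacon UA with the domain "CORP" inserted, as in the report's header format
    print(ua_injected_token("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                            "(KHTML, like Gecko) CORP Chrome/116.0.0.0 Safari/537.36 Edg/116.0.0.0"))
```

The User-Agent check is a heuristic to be baselined against your own proxy logs before alerting on it; the endpoint rules map directly to the Run key value and wscript /B launches the report describes.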
More about Cloud Werewolf
The cluster has been active since at least 2014 and is also known as Inception and Cloud Atlas.
Cloud Werewolf is a state-sponsored threat actor focused on espionage.
It mostly attacks government, industrial, and research organizations in Russia and Belarus.
At the post-exploitation stage, Cloud Werewolf can employ unique tools, such as PowerShower and VBShower, as well as Python scripts.
Uses LaZagne to obtain authentication data.
Uses Advanced IP Scanner to gather information about remote systems.
Uses AnyDesk as a backup channel to access compromised IT infrastructures.
Uses RDP and SSH to move laterally within compromised IT infrastructures.
Uses 7-Zip to archive the files retrieved from the compromised systems.
Deletes C2 server communication entries (e.g., from proxy server logs).
More indicators of compromise and a detailed description of threat actor tactics, techniques, and procedures are available on the BI.ZONE Threat Intelligence platform.
How to protect your company from such threats
Cloud Werewolf's methods of gaining persistence on endpoints are hard to detect with preventive security solutions. Therefore, we recommend that companies enhance their cybersecurity with endpoint detection and response practices, for instance, with the help of BI.ZONE EDR.
To stay ahead of threat actors, you need to be aware of the methods used in attacks against different infrastructures and to understand the threat landscape. For this purpose, we recommend that you leverage the data from the BI.ZONE Threat Intelligence platform. The solution provides information about current attacks, threat actors, and their methods and tools. This data helps to ensure the effective operation of security solutions, accelerate incident response, and protect against the most critical threats to the company.
Infosec and Cyber Work Hacks want you to pass the Cisco CCNA exam! To help you do that, Infosec’s CCNA Boot Camp instructor Wilfredo Lanz gives you his top tips and tricks for taking the CCNA exam! Lanz will give you some advice for narrowing down the right answer by eliminating the obviously wrong ones, common mistakes people make while taking the exam and what to do if, for some reason, you don’t pass on the first try. And most importantly, why you must take the practice exams before the test. And then retake them. And again!
0:00 - CCNA exam tips 1:43 - What does the CCNA cover? 4:50 - Tricks for taking the CCNA exam 5:55 - Common CCNA exam mistakes 7:17 - What if you fail the CCNA exam? 8:40 - Best piece of advice for CCNA exam day 9:53 - Outro
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
The NodeZero™ platform is easy to use, safe for production, and scales to support your largest networks. You are empowered to test a very broad scope in a single test, orchestrate tests concurrently, and simultaneously test your enterprise from different attacker perspectives.