About This Guide Practical guide for the implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001:2022
About ISO/IEC 27001:2022 ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.
Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.
This can give them unauthorized access and control over a system or application, enabling various types of attacks like:-
Privilege escalation
Data theft
System compromise
An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.
The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.
Malicious DLL With Legitimate EXE Files
Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.
Users searching for cracked software leads to malicious sites, and the downloads are encrypted RAR files with passwords.
Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report.
Distribution of the malware via webpages (Source â ASEC)
Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.
For malware to work, the following elements are required to be placed in the same folder:-
Data
EXE
Modified DLL
Unzipping the password-protected file with the code â2023â gives you the following files:-
Contents of compressed file (Source â ASEC)
The following two files are genuine VLC files with valid signatures:-
Setup.exe
libvlc.dll
The âlibvlccore.dllâ is altered and lacks a matching signature, due to which the extra directories like demux and lua serve to mask its malicious nature.
Running âSetup.exeâ activates âlibvlccore.dll,â triggering a modified function that reads and decrypts âironwork.tiffâ in the same folder. This file holds code info. disguised as a PNG.
It loads âpla.dllâ from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for âcmd.exe,â it loads âpla.dllâ and injects the malware into it.
A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to âpla.dllâ code. This code decrypts a file, generates LummaC2 malware, and runs âexplorer.exe,â injecting and executing the binary.
LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2.
The malware infects via legitimate EXE files, looking like original DLLs, posing a low detection risk.
Mobile network data might be one of our most recent and thorough dossiers. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to numerous varied players and are closely tied to how mobile phones roam among cell providers for travel. These vulnerabilities are usually related to signalling signals carried across telecommunications networks, which expose phones to possible location disclosure.
Telecommunications networks use private, open signalling links. These connections enable local and international roaming, allowing mobile phones to smoothly switch networks. These signalling protocols also enable networks to obtain user information including if a number is active, whether services are accessible, to which national network they are registered, and where they are situated. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.
Most illegal network-based location disclosure is achievable because mobile telecommunications networks interact. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data. Law enforcement and intelligence agencies may get geolocation information secretly using tactics similar to those employed by criminals. We shall refer to all of these players as âsurveillance actorsâ throughout this paper since they are interested in mobile geolocation surveillance.
Despite worldwide 4G network adoption and fast developing 5G network footprint, many mobile devices and their owners use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.
The research done by Citizen labs focuses on geolocation risks from mobile signalling network attacks. Active or passive surveillance may reveal a userâs position using mobile signalling networks. They may use numerous strategies to do this.
The two methods differ significantly. Active surveillance employs software to trigger a mobile network response with the target phone position, whereas passive surveillance uses a collecting device to retrieve phone locations directly from the network. An adversarial network employs software to send forged signalling messages to susceptible target mobile networks to query and retrieve the target phoneâs geolocation during active assaults. Such attacks are conceivable on networks without properly implemented or configured security safeguards. Unless they can install or access passive collecting devices in global networks, an actor leasing a network can only utilise active surveillance tactics.
However, cell operators and others may be forced to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring or face a hostile insider accessing mobile networks unlawfully. A third party might get access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.
The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a userâs location.
Active Surveillance:
In active surveillance, actors use software to interact with mobile networks and get a response with the target phoneâs location.
Vulnerable networks without proper security controls are susceptible to active attacks.
Actors can access networks through lease arrangements to carry out active surveillance.
Passive Surveillance:
In passive surveillance, a collection device is used to obtain phone locations directly from the network.
Surveillance actors might combine active and passive methods to access location information.
Active Attacks:
Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.
Vulnerabilities in Home Location Register (HLR) Lookup:
Commercial HLR lookup services can be used to check the status of mobile phone numbers.
Surveillance actors can pay for these services to gather information about the target phoneâs location, country, and network.
Actors with access to the SS7 network can perform HLR lookups without intermediary services.
Domestic Threats:
Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.
Passive Attacks:
Passive location attacks involve collecting usage or location data using network-installed devices.
Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.
Packet Capture Examples of Location Monitoring:
Packet captures show examples of signaling messages used for location tracking.
Location information, such as GPS coordinates and cell information, can be exposed through these messages.
User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.
The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally.Based on history, present, and future mobile network security evaluations, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are predicted to persist without forced openness that exposes poor practises and accountability mechanisms that require operators to fix them. All three network types provide surveillance actors more possibilities. If nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military, and government officials.
In the leadership and communications section, Proactive Boards Enable More Reliable Cyber Governance, CISO Best Practices for Managing Cyber Risk, The Evolution of Work: How Can Companies Prepare for Whatâs to Come?, and more!
Visit https://www.securityweekly.com/bsw for all the latest episodes!
IT Army of Ukraine hacktivists have temporarily disrupted internet services in some of the territories that have been occupied by Russia.
Ukrainian hacktivists belonging to the IT Army of Ukraine group have temporarily disabled internet services in some of the territories that have been occupied by the Russian army.
After the invasion of the Crimea and the eastern Ukraine, Ukrainian telecommunications infrastructure was disable by Russian soldiers.
The hacktivists carried out DDoS attacks against the three Russian internet providers âMiranda-media,â âKrimtelekom,â and âMirTelekom.â The IT Army is inviting supporters to joint its operations by installing their software.
âWe continue targeting internet and telecom providers to disrupt enemy communications. Today, our intel orchestrated a âthousand proxiesâ strike, disabling âMiranda-media,â âKrimtelekom,â and âMirTelekom.â This affects not only Crimea but also occupied parts of Kherson, Zaporizhia, Donetsk, and Luhansk regions. Another blow by our cyber army disrupting enemy military communication at the frontlines.â reads the message published by the group IT Army of Ukraine on its Telegram channel.
The Miranda Media ISP announced on Friday that is was facing a massive DDoS attack.
âDigital services operator Miranda-Media has been recording an unprecedented level of DDoS attacks from Ukrainian hacker groups since 9.05 am on October 27, 2023. As a result, there is a temporary unavailability of the services of Miranda-Media, Krymtelecom and MirTelecom.â reads the announcement.
âAll technical and IT services of the company have been placed on high alert. All necessary measures are being taken to restore the networkâs functionality. We will inform you further about the progress of the work.â
The Russian ISP managed to mitigate the attack by the end of Friday, it partially restored its services on Friday evening.
Telecommunication infrastructure and internet services are critical infrastructure and were targeted by both Russian and Ukrainian threat actors.
The Russia-linked APT group Sandworm (UAC-0165) has compromised eleven telecommunication service providers in Ukraine between May and September 2023, reported the Ukraineâs Computer Emergency Response Team (CERT-UA).
According to public sources, the threat actors targeted ICS of at least 11 Ukrainian telecommunications providers leading to the disruption of their services.
âAccording to public sources, for the period from 11.05.2023 to 27.09.2023, an organized group of criminals tracked by the identifier UAC-0165 interfered with the information and communication systems (ICS) of no less than 11 telecommunications providers of Ukraine, which, among other things, led to interruptions in the provision of services to consumers.â reads the advisory published by the CERT-UA.
According to a recent study published by the leading cybersecurity agency in France, a hacking organisation affiliated with Russiaâs military intelligence agency has been spying on French colleges, corporations, think tanks, and government institutions. The research was published by the agency.
Since the second half of 2021, the group of hackers known as Fancy Bear or APT28 has been operating covertly into French computer networks in an effort to acquire a variety of sensitive sorts of data. According to the findings of the investigation conducted by the National Cybersecurity Agency of France, also known as ANSSI, the perpetrators of the attacks hacked systems that were not being actively watched, such as routers, and abstained from employing backdoors in order to avoid being discovered. These cyber attackers infiltrate peripheral devices on crucially important French organisational networks, according to a recent study published by Franceâs National Agency for the Security of Information Systems (ANSSI), and they do so without making use of backdoors in order to avoid detection. After conducting an analysis of the groupâs Techniques, Tactics, and Procedures (TTPs), ANSSI came to the conclusion that APT28 infiltrates target networks via brute force and credential leaks in order to get access to accounts and Ubiquiti routers. In April of 2023, a phishing expedition was begun with the purpose of obtaining system settings, insights into operational operations, and other relevant data. Using the flaw identified as CVE-2023-23397, APT28 sent emails to Outlook users during the months of March 2022 and June 2023. In order to carry out reconnaissance and data collecting, the attackers made use of other vulnerabilities, such as CVE-2022-30190 (Follina) in Microsoft Windows Support Diagnostic Tool (MSDT) and CVE-2020-12641 in Roundcube webmail. Both of these vulnerabilities were exploited by the attackers.
In order to carry out their intrusions, the gang made use of applications such as the password harvester Mimikatz and the traffic relay tool reGeorg. Additionally, they made use of open-source services such as Mockbin and Mocky. It is important to understand that APT28 use a wide variety of different VPN clients.
As a cyber-espionage group, APT28âs primary mission is to gain unauthorised access and steal information from its targets. The hackers stole sensitive information from email accounts and stole authentication details by using common tools. The hackers also stole emails that were full of personal information. The Command and Control (C2) architecture is rooted on cloud services such as Google Drive and Microsoft OneDrive, which makes it more difficult to identify them.
ANSSI has mapped the TTPs (techniques, tactics, and procedures) of APT28 and found that the threat organisation breaches accounts and Ubiquiti routers on targeted networks by using brute-force attacks and leaked databases holding passwords.
In one incident that occurred in April 2023, the adversaries carried out a phishing effort that duped the receivers into executing PowerShell, which revealed their system settings, running processes, and other OS-related information.
APT28 is responsible for sending emails to Outlook users that attacked a zero-day vulnerability that is now known as CVE-2023-23397. These emails were sent between March 2022 and June 2023, which places the first exploitation a month earlier than what was previously revealed.
The ANSSI emphasises taking a comprehensive approach to security, which includes conducting risk assessments. In light of the dangers posed by APT28, there should be a special focus on ensuring the safety of email communications. The following is a list of the most important suggestions that the organisation has about the safety of email:
Protecting the privacy of email communications and preventing their disclosure via adopting secure exchange systems as a means of preventing the diversion or acquisition of email traffic. Reducing the potential points of attack on email online interfaces and managing the dangers posed by servers such as Microsoft Exchange and putting in place mechanisms that can identify malicious emails.
Network Penetration Testing checklist determines vulnerabilities in the network posture by discovering Open ports, troubleshooting live systems, and services, and grabbing system banners.
The pen-testing helps the administrator to close unused ports, additional services, Hide or customize banners, troubleshoot services, and to calibrate firewall rules.
You should test in all ways to guarantee there is no security loophole.
Network penetration testing, also known as ethical hacking or white-hat hacking, is a systematic process of evaluating the security of a computer network infrastructure.
The goal of a network penetration test is to identify vulnerabilities and weaknesses in the networkâs defenses that malicious actors could potentially exploit.
Letâs see how we conduct step-by-step Network penetration testing by using some famous network scanners.
1. Host Discovery
Footprinting is the first and most important phase where one gathers information about their target system.
DNS footprinting helps to enumerate DNS records like (A, MX, NS, SRV, PTR, SOA, and CNAME) resolving to the target domain.
A â A record is used to point the domain name such as gbhackers.com to the IP address of its hosting server.
MX â Records responsible for Email exchange.
NS â NS records are to identify DNS servers responsible for the domain.
SRV â Records to distinguish the service hosted on specific servers.
PTR â Reverse DNS lookup, with the help of IP you can get domains associated with it.
SOA â Start of record, it is nothing but the information in the DNS system about DNS Zone and other DNS records.
CNAME â Cname record maps a domain name to another domain name.
We can detect live hosts, and accessible hosts in the target network by using network scanning tools such as Advanced IP scanner, NMAP, HPING3, and NESSUS.
Perform port scanning using tools such as Nmap, Hping3, Netscan tools, and Network monitor. These tools help us to probe a server or host on the target network for open ports.
Perform banner Grabbing/OS fingerprinting such as Telnet, IDServe, and NMAP determines the operating system of the target host and the operating system.
Once you know the version and operating system of the target, you need to find the vulnerabilities and exploit them. Try to gain control over the system.
Scan the network using Vulnerabilities using GIFLanguard, Nessus, Ratina CS, SAINT.
These tools help us find vulnerabilities in the target and operating systems. With these steps, you can find loopholes in the target network system.
GFILanguard
It acts as a security consultant and offers patch management vulnerability assessment, and network auditing services.
Nessus
Nessus is a vulnerability scanner tool that searches for bugs in software and finds a specific way to violate the security of a software product.
Data gathering.
Host identification.
Port scan.
Plug-in selection.
Reporting of data.
5. Draw Network Diagrams
Draw a network diagram about the organization that helps you understand the logical connection path to the target host in the network.
The network diagram can be drawn by LANmanager, LANstate, Friendly pinger, and Network View.
6. Prepare Proxies
Proxies act as an intermediary between two networking devices. A proxy can protect the local network from outside access.
With proxy servers, we can anonymize web browsing and filter unwanted content, such as ads and many others.
Proxies such as Proxifier, SSL Proxy, Proxy Finder..etc, to hide from being caught.
6. Document All Findings
The last and very important step is to document all the findings from penetration testing.
This document will help you find potential vulnerabilities in your network. Once you determine the Vulnerabilities, you can plan counteractions accordingly.
You can download the rules and scope Worksheet here: Rules and Scope sheet
Thus, penetration testing helps assess your network before it gets into real trouble that may cause severe loss in terms of value and finance.
Team Orca of Sea Security received the greatest rewards of the day, the researchers chained two issues using an OOB Read and UAF against the Sonos Era 100. They earned $60,000 and 6 Master of Pwn points.
Researchers from Pentest Limited demonstrated an Improper Input Validation against the Samsung Galaxy S23. They earned $50,000 and 5 Master of Pwn points.
The team STAR Labs SG exploited a permissive list of allowed inputs against the Samsung Galaxy S23 and earned $25,000 and 5 Master of Pwn points.
Pentest Limited also earned $40,000 and 4 Master of Pwn points by executing a 2-bug chain against the My Cloud Pro Series PR4100 using a DoS and server-side request forgery (SSRF).
Team Viettel demonstrated a single-bug attack against the Xiaomi 13 Pro and earned $40,000 and 4 Master of Pwn points.
Team ECQ also earned $40,000 and 4 Master of Pwn points by executing a 3-bug chain using an SSRF and two injection vulnerabilities against the QNAP TS-464.
Binary Factory and Synacktiv demonstrated working attacks against the Synology BC500 and earned $30,000 and 3 Master of Pwn points and $15,000 and 3 Master of Pwn points respectively.
Compass Security also executed a stack overflow attack against the Synology BC500, but the exploit they used was previously known. They still earn $3,750 and 0.75 Master of Pwn points.
Other successful attacks were demonstrated against Canon imageCLASS MF753Cdw and Lexmark CX331adwe.
Below is the leaderboard after Pwn2Own Toronto 2023 Day 1.
An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption.
The nationâs government agencies utilize these safe USB devices to transfer and save data between computer systems.
The attacks had a very small number of victims and were highly targeted. The attacks are believed to have been conducted by a highly experienced and resourceful threat actor interested in conducting espionage operations in secure and private government networks.
Cyber Espionage Via Secure USBs
According to the Kaspersky APT trends report for Q3 2023, this long-running campaign comprises several malicious modules that may execute commands, gather data from infected workstations, and transfer it to further machines using the same or different secure USB drives.
On the infected computers, the attacks can also carry out additional harmful files.
The attack uses sophisticated tools and methods, such as virtualization-based software obfuscation for malware components, self-replication through connected secure USB drives to spread to other air-gapped systems, and code injection into a legitimate access management program on the USB drive that serves as a loader for the malware on a new machine.
BlindEagle, a financially motivated threat group, has targeted both people and governmental organizations in South America. Although espionage is the threat actorâs main objective, it has demonstrated interest in obtaining financial data.
BlindEagle is characterized by its capacity to cycle through different open-source remote access Trojans (RATs), including AsyncRAT, Lime-RAT, and BitRAT, and utilize them as the ultimate payload to accomplish its goals.
The gang sends spear-phishing emails with Microsoft Office documents attached to its victims. This starts a multi-level infection strategy that results in installing a new Trojan that is primarily made to steal data from the victimâs computer and take over by executing arbitrary commands.
APT campaigns are still widely spread geographically. Attackers have targeted Europe, South America, the Middle East, and other regions of Asia this quarter.
Government, military, defense, gaming, software, entertainment, utilities, banking, and manufacturing are just a few of the industries being attacked.
Cyber espionage continues to be a top priority of APT campaigns, and geopolitics continues to be a major factor in APT development.
âIt is therefore very important to build a deep understanding of the TTPs of this threat actor and to watch out for future attacks,â reads the report.
A new campaign has been discovered that uses XorDDoS Trojan, which affects Linux systems and devices, turning them into zombies that can be controlled by threat actors remotely.
Moreover, these compromised systems can later be used for DDoS(Distributed Denial-of-Service) attacks.
Comparing this current campaign with the campaign conducted in 2022, there was only one change found, which was the configuration of the C2 hosts.
However, the attacking domains were still unchanged. The threat actors seem to have migrated their offensive infrastructure to hosts running on legitimate public hosting services.
Additionally, with respect to the 2022 campaign, many security vendors have already classified the C2 domains as malicious and barred them but still the current active malware traffic is being directed to new IPs.
As part of the initial access vector, the threat actors scanned for hosts with HTTP service, vulnerable to directory traversal attacks that can enable access to arbitrary files on the server.
Threat actors specifically targeted the /etc/passwd file to read passwords. However, since the file has only encrypted passwords, they were forced to gain initial access through SSH brute-force attacks. Once they gained access, they downloaded malware from remote servers and owned the system.
XorDDoS Infects Linux Devices
XorDDoS Trojan uses an XOR encryption key (BB2FA36AAA9541F0) to encrypt all the execution-related data which are then decrypted using a decryption function. Once the malware is activated on the victim machine, it retrieves essential information such as /var/run/gcc.pid, the OS version, malware version, memory status, and CPU information.
The malware also used the decrypt_remotestr() function to decrypt the C2 domains embedded inside the executable. The C2 endpoints are,
ppp.gggatat456[.]com:53
ppp.xxxatat456[.]com:53
p5.dddgata789[.]com:53
P5.lpjulidny7[.]com:53
C2 decryption function (Source: Palo Alto Unit42)
Persistence
As a means of persistence, the malware creates scheduled autorun tasks, which will run every three minutes, along with an autorun service configured during startup.
Detection evasion is achieved by turning its process into a background service that can disguise itself as a legitimate process.
C2 Network Infrastructure
A list of C2 domains that were registered and used by the threat actors is as follows:
Furthermore, a comprehensive report about this new campaign and the trojan has been published by Unit42 of Palo Alto, which provides detailed information about the campaign, code analysis, obfuscation techniques, and other information.
Cisco IOS XE is a robust and flexible operating system, optimized for the evolving landscape of enterprise networking and technology. It enables model-driven programmability, application hosting, and automated configuration management, thus simplifying many day-to-day tasks. IOS XE is integral in providing consistency across Ciscoâs array of switching, routing, and wireless network devices.
THE VULNERABILITY: CVE-2023-20198
A new, critical zero-day vulnerability has emerged, labeled as CVE-2023-20198. This vulnerability, with a maximum severity rating of CVSS 10, predominantly affects devices running the Cisco IOS XE software and is currently without a patch, leaving systems vulnerable to potential exploits. The flaw can be exploited by an unauthenticated attacker to create a user account with the highest privilege level, leading to unauthorized system access.
Exploitation in the Wild Attackers have already begun exploiting this vulnerability in the wild, utilizing it to deliver malicious implants. Organizations using the affected devices are advised to apply mitigation measures promptly to defend against these exploits.
Affected Devices and Systems The vulnerability, CVE-2023-20198, affects all Cisco IOS XE devices that have the Web UI feature enabled, especially when exposed to the internet or untrusted networks. To ascertain if a system is vulnerable, administrators should:
Utilize the command show running-config | include ip http server|secure|active to check for the presence of ip http server or ip http secure-server commands in the global configuration.
Inspect the configuration for ip http active-session-modules none or ip http secure-active-session-modules none to determine if the vulnerability is exploitable over HTTP or HTTPS respectively.
Ciscoâs Response Cisco has acknowledged the vulnerability, confirming its presence in devices running the Cisco IOS XE software. The company provided steps to identify affected systems and noted the following Indicators of Compromise (IoCs):
System logs containing messages indicating programmatic configuration by unfamiliar users, such as:
%SYS-5-CONFIG_P: Configured programmatically by process SEP_webui_wsma_http from console as user on line.
Presence of an implant, checked by issuing the following command from a workstation with access to the affected system:
curl -k -X POST "https://systemip/webui/logoutconfirm.html?logon_hash=1", if a hexadecimal string is returned, the implant is present.
Cisco, alongside other cybersecurity firms like Tenable, has provided plugins to identify affected systems. While awaiting a patch, these plugins and the aforementioned checks can assist in identifying and mitigating unauthorized access attempts.
CVE-2023-20198 poses a significant threat to cybersecurity due to its maximum severity rating and the absence of a patch. Organizations using affected Cisco IOS XE devices should remain vigilant and apply necessary mitigation measures to safeguard their systems from potential exploits.
COMPREHENSIVE ANALYSIS: TODDYCATâS ADVANCED TOOLSET AND STEALTHY CYBER ESPIONAGE TACTICS
ToddyCat, an Advanced Persistent Threat (APT) group, has garnered attention for its clandestine cyber-espionage operations, utilizing a sophisticated toolset designed for data theft and exfiltration. The group employs a myriad of techniques to move laterally within networks and conduct espionage operations with a high degree of secrecy and efficiency. This article, incorporating insights from the article and other sources, aims to provide a detailed overview of ToddyCatâs toolset and operational tactics.
STEALTH AND SOPHISTICATION: TODDYCATâS MODUS OPERANDI
ToddyCat employs disposable malware, ensuring no clear code overlaps with known toolsets, thereby enhancing its ability to remain undetected. The malware is designed to steal and exfiltrate data, while the group employs various techniques to move laterally within networks and conduct espionage operations.
EXPLOITATION TECHNIQUES AND MALWARE UTILIZATION
Disposable Malware: Utilized to enhance stealth and evasion capabilities.
Data Exfiltration: Malware designed to access and extract sensitive information.
Lateral Movement: Techniques employed to expand reach and access within compromised environments.
TOOLSET SUMMARY
Dropbox Exfiltrator: A tool designed to exfiltrate data, ensuring that stolen information can be securely and covertly transferred to the attackers.
LoFiSe: A tool that may be utilized for lateral movement and further exploitation within compromised networks.
Pcexter: A tool that may be used to send specific files or data to external servers, facilitating data exfiltration.
Dropper: A tool that may be utilized to deploy additional payloads or malware within compromised environments.
Standard Loaders: ToddyCat utilizes 64-bit libraries, invoked by rundll32.exe or side-loaded with legitimate executable files, to load the Ninja Trojan during the infection phase. Three variants of these loaders have been observed, each differing in aspects like the library loaded by, where the malicious code resides, the loaded file, and the next stage.
Tailored Loader: A variant of the standard loader, this is customized for specific systems, employing a unique decryption scheme and storing encrypted files in a different location and filename (%CommonApplicationData%\Local\user.key).
2. NINJA TROJAN
The Ninja Trojan, a sophisticated malware written in C++, is a potent tool in ToddyCatâs arsenal. It provides functionalities like:
Managing running processes
File system management
Managing multiple reverse shell sessions
Injecting code into arbitrary processes
Loading additional modules during runtime
Proxy functionality to forward TCP packets between the C2 and a remote host
3. LOFISE
LoFiSe is a component designed to find and collect files of interest on targeted systems. It tracks changes in the file system, filtering files based on size, location, and extension, and collects suitable files for further action.
4. DROPBOX UPLOADER
This generic uploader, not exclusive to ToddyCat, is used to exfiltrate stolen documents to DropBox, accepting a DropBox user access token as an argument and uploading files with specific extensions.
5. PCEXTER
Pcexter is another uploader used to exfiltrate archive files to Microsoft OneDrive. It is distributed as a DLL file and executed using the DLL side-loading technique.
POTENTIAL IMPACT AND THREAT LANDSCAPE
The emergence of ToddyCatâs new toolset and its sophisticated TTPs presents a significant threat to organizations, with potential impacts including data breaches, unauthorized access to sensitive information, and network compromise.
MITIGATION AND DEFENSE STRATEGIES
Enhanced Monitoring: Implementing monitoring solutions to detect anomalous activities.
User Education: Ensuring users are educated about potential threats and cybersecurity best practices.
Regular Patching: Keeping all systems regularly patched and updated.
Threat Intelligence: Leveraging intelligence to stay abreast of the latest TTPs employed by threat actors.
ToddyCatâs advanced toolset and stealthy operations underscore the evolving and sophisticated nature of cyber threats. Organizations and cybersecurity practitioners must remain vigilant and adopt advanced cybersecurity practices to defend against the sophisticated tools and tactics employed by threat actors like ToddyCat.
HackerGPT is a ChatGPT-enabled penetrating testing tool that can help with network hacking, mobile hacking, different hacking tactics, and other specific tasks.
The main foundation of HackerGPT is the training data that has been offered. It does not use a jailbreak technique. Particularly, it generates replies using ChatGPT with a specified request while conforming to ethical rules.
Obtaining a 14-day trial is an option available. With this trial, you get access to GPT-4, an unlimited amount of messages for HackerGPT, quicker answers, and other advantages.
âNo logs, no cost, anonymous login. Trained on a ton of hacking reportsâ, the company said.
âHackerGPT is only available in your web browser. Making it into an app will take some time, but with your feedback, we can make progress fasterâ.
Responses of HackerGPT
For instance, what if we asked HackerGPT to provide a step-by-step tutorial on conducting ARP spoofing?Â
Threat Sentry Security, the Cyber Security Analyst, said, âHacker-GPT. This is a pentester dream, my job just became 100 times easier. I told it to create an XSS payload & it did it without hesitationâ.
Ethical hacking may use this tool to improve security evaluation and mitigation elements. The difficulty of communicating complicated technological results to both technical and non-technical audiences is a problem ethical hackers frequently face.
ChatGPTâs capacity to produce logical and understandable explanations may make the communication of vulnerabilities simpler, hence facilitating organizationsâ comprehension of possible risks and the adoption of the necessary countermeasures.
Todd Fitzgerald, co-author of the ground-breaking (ISC)2CISO Leadership: Essential Principles for Success, Information Security Governance Simplified: From the Boardroom to the Keyboard, co-author for the E-C Council CISO Body of Knowledge, and contributor to many others including Official (ISC)2 Guide to the CISSP CBK, COBIT 5 for Information Security, and ISACA CSX Cybersecurity Fundamental Certification, is back with this new book incorporating practical experience in leading, building, and sustaining an information security/cybersecurity program.
CISO COMPASS includes personal, pragmatic perspectives and lessons learned of over 75 award-winning CISOs, security leaders, professional association leaders, and cybersecurity standard setters who have fought the tough battle. Todd has also, for the first time, adapted the McKinsey 7S framework (strategy, structure, systems, shared values, staff, skills and style) for organizational effectiveness to the practice of leading cybersecurity to structure the content to ensure comprehensive coverage by the CISO and security leaders to key issues impacting the delivery of the cybersecurity strategy and demonstrate to the Board of Directors due diligence. The insights will assist the security leader to create programs appreciated and supported by the organization, capable of industry/ peer award-winning recognition, enhance cybersecurity maturity, gain confidence by senior management, and avoid pitfalls.
The book is a comprehensive, soup-to-nuts book enabling security leaders to effectively protect information assets and build award-winning programs by covering topics such as developing cybersecurity strategy, emerging trends and technologies, cybersecurity organization structure and reporting models, leveraging current incidents, security control frameworks, risk management, laws and regulations, data protection and privacy, meaningful policies and procedures, multi-generational workforce team dynamics, soft skills, and communicating with the Board of Directors and executive management. The book is valuable to current and future security leaders as a valuable resource and an integral part of any college program for information/ cybersecurity.
IN-DEPTH ANALYSIS: NAVIGATING THE PERILS OF CVE-2023-5218 IN GOOGLE CHROME
The digital realm, while offering boundless possibilities, is also a fertile ground for myriad cybersecurity threats. One such peril that has recently come to light is the User-After-Free vulnerability in Google Chrome, specifically identified as CVE-2023-5218. This vulnerability not only poses a significant threat to user data and system integrity but also opens a Pandoraâs box of potential cyber-attacks and exploitations.
UNRAVELING THE USER-AFTER-FREE VULNERABILITY
The User-After-Free vulnerability is a type of cybersecurity flaw that surfaces when a program continues to utilize memory space after it has been freed or deleted. This flaw allows attackers to execute arbitrary code or potentially gain unauthorized access to a system. CVE-2023-5218, identified within Google Chrome, was noted to be potentially exploitable to perform such malicious actions, thereby putting usersâ data and privacy at substantial risk.
CVE-2023-5218 was unveiled to the public through various cybersecurity platforms and researchers who detected unusual activities and potential exploitation trails leading back to this particular flaw. This vulnerability was identified to be present in a specific Chrome component, prompting Google to release a flurry of updates and patches to mitigate the associated risks.
THE EXPLOIT MECHANICS
Exploiting CVE-2023-5218 allows attackers to manipulate the aforementioned âfreedâ memory space, enabling them to execute arbitrary code within the context of the affected application. In the context of Chrome, this could potentially allow attackers unauthorized access to sensitive user data, such as saved passwords or personal information, or even navigate the browser to malware-laden websites without user consent.
THE POTENTIAL IMPACT
The exploitation of CVE-2023-5218 could have a multifold impact:
Data Theft: Sensitive user data, including login credentials, personal information, and financial details, could be compromised.
System Control: Attackers could gain control over the affected system, using it to launch further attacks or for other malicious purposes.
Malware Spread: By redirecting browsers to malicious websites, malware could be injected into usersâ systems, further expanding the impact of the attack.
TECHNICAL INSIGHTS INTO CVE-2023-5218
Vulnerability Class: Use After Free
Impact: Confidentiality, Integrity, and Availability
The vulnerability is rooted in the improper handling of memory in the Site Isolation component of Google Chrome. The flaw arises from referencing memory after it has been freed, which can lead to program crashes, unexpected value utilization, or arbitrary code execution. The vulnerability is classified under CWE-416 and CWE-119, indicating its potential to improperly restrict operations within the bounds of a memory buffer and its susceptibility to use after free exploits.
MITIGATION AND COUNTERMEASURES
The primary mitigation strategy recommended is upgrading to Google Chrome version 118.0.5993.70, which eliminates this vulnerability. However, considering the potential risks associated with such vulnerabilities, organizations and individual users are advised to:
Regularly update and patch software to safeguard against known vulnerabilities.
Employ robust cybersecurity practices, including using security software and adhering to safe browsing practices.
Educate users on recognizing and avoiding potential phishing attempts or malicious sites that might exploit such vulnerabilities.
CONCLUSION
The identification and subsequent mitigation of CVE-2023-5218 underscore the perpetual battle between cybersecurity professionals and cyber adversaries. While this vulnerability has been addressed in the latest Chrome update, it serves as a potent reminder of the criticality of maintaining up-to-date systems and employing prudent cybersecurity practices. As we navigate through the digital era, the complexity and sophistication of cyber threats continue to evolve, making vigilance and preparedness crucial in ensuring secure digital interactions.
The US cybersecurity organization CISA has updated its Known Exploited Vulnerabilities catalog to include five new security flaws that are currently being actively exploited.
This means that attackers are using these vulnerabilities to gain unauthorized access to computer systems, steal sensitive data, or cause damage to critical infrastructure.
It is crucial for organizations to be aware of these vulnerabilities and take immediate steps to mitigate the risk of exploitation.
Earlier this year, several vulnerabilities were reported in popular software applications such as Acrobat, Cisco IOS, WordPad, Skype, and HTTP/2 Rapid Reset.
As a precautionary measure, businesses are advised by CISA to be wary of these vulnerabilities and take necessary steps to secure their systems against potential cyber-attacks.
Malicious cyber actors often exploit these vulnerabilities as they are commonly found in the federal enterprise, posing significant threats to their security.
Five Actively Exploited Flaws
CVE-2023-21608 Adobe Acrobat and Reader Use-After-Free Vulnerability
A Use After Free vulnerability in Adobe Acrobat Reader versions 22.003.20282 (and earlier), 22.003.20281 (and earlier), and 20.005.30418 (and earlier) might lead to arbitrary code execution in the context of the current user.
This vulnerability can only be exploited if the victim opens a malicious file that involves user involvement. Adobe patched the vulnerability in January 2023, and the PoC exploit code for this issue is available.
An authenticated, remote attacker with administrative access to a group member or a key server could exploit a vulnerability in the Cisco Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software.
A successful exploit might give the attacker complete control of the targeted system and the ability to run arbitrary code, or it could force the target system to reload, resulting in a DoS attack. Cisco fixed the flaw at the end of September.
CVE-2023-41763 Microsoft Skype for Business Privilege Escalation Vulnerability
An elevation of privilege vulnerability in Skype for Business is identified as CVE-2023-41763.
âAn attacker could make a specially crafted network call to the target Skype for Business server, which could cause the parsing of an HTTP request made to an arbitrary address. This could disclose IP addresses or port numbers or both to the attackerâ, Microsoft warns.
The attacker may obtain certain private, sensitive data, and in some situations, the information that was revealed could provide the attacker access to internal networks. Microsoft patched the flaw in its October Patch Tuesday release.
CVE-2023-36563 Microsoft WordPad Information Disclosure Vulnerability
This is an information disclosure vulnerability in Microsoft WordPad. Because of the flaw, NTLM hashes can be revealed under certain circumstances.
To exploit the issue, an attacker would need to be able to get into the system, but if a footing is gained, the adversary could then launch a specially crafted application and seize control of an affected machine.
âThe attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file,â Microsoft said.
Microsoft patched the flaw in its October Patch Tuesday release.
The HTTP/2 protocol flaw CVE-2023-44487 has recently been utilized to execute massive DDoS attacks against several targets. The HTTP/2 protocolâs handling of request cancellations or resets is the source of the issue.
When a client makes a reset for an HTTP/2 request, it consumes server resources by canceling the relevant stream.
However, the client can start a new stream right away after initiating a reset. The quick opening and closing of HTTP/2 streams brings on the denial of service.
This vulnerability may affect many web platforms because HTTP/2 has been implemented into so many of them.
CISA urges all organizations to prioritize promptly repairing Catalogue vulnerabilities as part of their vulnerability management procedures to reduce their exposure to attacks.
Cobalt Strike, a legitimate commercial penetration testing tool, has inadvertently become a favored instrument among cybercriminals for its efficacy in infiltrating network security. Initially released in 2012 by Fortra (formerly known as Help Systems), Cobalt Strike was designed to aid red teams in identifying vulnerabilities within organizational infrastructures. Despite stringent customer screening and licensing for lawful use only, malicious actors have successfully obtained and distributed cracked versions of the software, making it a prevalent tool in cyberattacks involving data theft and ransomware.
Cobalt Strike 4.9 is now available. This release sees an overhaul to Cobalt Strikeâs post exploitation capabilities to support user defined reflective loaders (UDRLs), the ability to export Beacon without a reflective loader which adds official support for prepend-style UDRLs, support for callbacks in a number of built-in functions, a new in-Beacon data store and more.
COBALT STRIKE 4.9 FEATURES
The latest release, version 4.9, introduces several significant features and improvements:
User-Defined Reflective Loaders (UDRLs): This feature enhances post-exploitation capabilities by allowing users to define and use their reflective loaders, providing more flexibility and control over the loading process of the Beacon payload.
Export Beacon Without a Loader: Users can now export the Beacon payload without a reflective loader, which officially supports prepend-style UDRLs, allowing for more versatile deployment and execution of the Beacon payload in various environments.
Callback Support: Version 4.9 introduces support for callbacks, enabling users to implement and handle custom callback routines effectively.
Beacon User Data Structures Improvement: These structures have been improved to prevent crashes and provide more stability during operations. They also allow a Reflective Loader to resolve and pass system call information to Beacon, overriding Beaconâs default system call resolver.
Host Profile Support for HTTP(S) Listeners: This feature addresses limitations in HTTP(S) processing by introducing a new Malleable C2 profile group named http-host-profiles.
WinHTTP Support: The update adds support for the WinHTTP library to the Beaconâs HTTP(S) listener.
Beacon Data Store: This feature allows users to store Buffer Overflow Frameworks (BOFs) and .NET assemblies in a structured manner.
CRACKED VERSIONS IN THE WILD
Google researchers have recently identified 34 different cracked versions of the Cobalt Strike hacking toolkit actively being used in the wild. These cracked versions are exploited by cybercriminals for various malicious activities, emphasizing the toolâs popularity and widespread illicit use in the cybercriminal community. The discovery of cracked version 4.9 of Cobalt Strike highlights the significant challenges and risks associated with the illicit use of this powerful toolkit.
THE CRACKDOWN
Microsoft, in collaboration with Fortra and the Health Information Sharing and Analysis Center (Health-ISAC), has initiated a widespread legal crackdown on servers hosting these cracked copies. This concerted effort aims to dismantle the malicious infrastructure and disrupt the operations of threat actors utilizing Cobalt Strike for nefarious purposes.
WHY COBALT STRIKE?
Cobalt Strike has gained notoriety among cybercriminals for its post-exploitation capabilities. Once the beacons are deployed, these provide persistent remote access to compromised devices, allowing for sensitive data harvesting or the dropping of additional malicious payloads.
THE USERS
Cobalt Strikeâs cracked versions are used by unidentified criminal groups, state-backed threat actors, and hacking groups acting on behalf of foreign governments. These actors have been linked to numerous ransomware attacks impacting various industries, causing significant financial and operational damage.
REMEDIATION EFFORTS
To counteract the malicious use of Cobalt Strike, various entities have provided resources to assist network defenders in identifying Cobalt Strike components within their networks. These resources include open-sourced YARA rules and a collection of indicators of compromise (IOCs).
The illicit use of Cobalt Strike poses a significant threat to global cybersecurity. The ongoing crackdown led by Microsoft, Fortra, and Health-ISAC represents a crucial step towards mitigating the risks associated with Cobalt Strike, underscoring the importance of collaborative efforts in the fight against cybercrime.
Are you excited to pursue a cybersecurity career but unsure where to begin? Whether youâre a student, an incoming professional, or ready to work in a different field, the tried-and-tested career hacks in this eBook will help you get your start in cybersecurity
Inside the eBook
Cybersecurity Is Hot! Current Market Conditions
Where Entry-Level Lands You
Cybersecurity Career Hacks for Students, Incoming Professionals and Career-Changers
DECIPHERING WEBWYRM: AN IN-DEPTH ANALYSIS OF THE PERVASIVE MALWARE THREATENING GLOBAL CYBERSECURITY
In the intricate landscape of global cybersecurity, Webwyrm malware has surfaced as a formidable adversary, casting its ominous shadow across 50 nations and leaving in its wake over 100,000 compromised victims. This insidious digital menace successfully emulates in excess of 1000 reputable companies globally, with the ensuing potential financial fallout estimated to surpass a staggering $100 million. It is imperative for cybersecurity professionals and organizations alike to comprehend the multifaceted nature of this threat to devise and implement robust defensive strategies effectively.
THE EVOLUTIONARY TRAJECTORY OF WEBWYRM
In the dynamic realm of cyber threats, malicious actors incessantly refine their Tactics, Techniques, and Procedures (TTPs), exploiting extant vulnerabilities and augmenting the efficacy of their malicious campaigns. Webwyrm epitomizes this relentless pursuit of evolution, embodying a level of sophistication reminiscent of infamous cyber threats of yore, such as the notorious âBlue Whale Challenge.â
REFINED MODUS OPERANDI
WebWyrm malware orchestrates a complex, deceptive narrative aimed at duping unsuspecting job seekers into relinquishing their cryptocurrency. Initiating contact predominantly via WhatsApp, the malefactors likely leverage data procured from employment portals to pinpoint and engage individuals predisposed to their deceptive overtures. Prospective victims are enticed with promises of lucrative weekly remuneration, ranging between $1200 and $1500, contingent upon the completion of daily task âpacketsâ or âresets.â
Upon transferring funds into designated cryptocurrency wallets, victims are led to believe that the completion of tasks results in monetary withdrawals from their accounts, which are subsequently returned along with additional commissions. The introduction of âcombo tasksâ promises substantial financial returns but necessitates a more considerable investment. However, the caveat is that these returns are accessible only upon the sequential completion of all combo tasks, with each task demanding a progressively larger investment.
CAMPAIGN ENABLERS: TECHNICAL INSIGHTS
WebWyrmâs campaign is characterized by its sophistication, adaptability, and elusive operational framework. The initiative employs dedicated personnel engaging with victims via various platforms, thereby lending an aura of legitimacy and support to their endeavors. The orchestrators have meticulously crafted approximately 6000 counterfeit websites, directing victims to register their accounts. These platforms are expertly designed to mimic legitimate enterprises, with a keen focus on geo-targeting and associated contact numbers reflecting the respective victimâs geographical location.
Moreover, the malefactors astutely navigate the ephemeral nature of their infrastructure, allocating specific IP addresses or Autonomous System Numbers (ASNs) to host counterfeit domains for limited durations. This modus operandi facilitates operational continuity and anonymity, allowing for a swift transition to alternative infrastructure in response to potential threats, thereby effectively circumventing detection mechanisms.
INDUSTRIES IN THE CROSSHAIRS
Webwyrm has indiscriminately targeted a plethora of industries, including:
IT Services
Software Development
Mobile App Development
User Experience Design
Digital Marketing
Web Development
SEO
E-Commerce
DEFENSIVE COUNTERMEASURES
Effective defense against Webwyrm necessitates the adoption of several countermeasures:
Origin Tracing of Malefactors via Employment Portals
Collaborative Defensive Initiatives
Deployment of Rapid Response Teams
Implementation of Domain Blacklisting Protocols
Asset Seizure
Launch of Educational Awareness Campaigns
With the incorporation of these enhanced technical insights, it becomes abundantly clear that WebWyrm represents a meticulously orchestrated, sophisticated operation with the singular aim of exploiting job seekers. The nuanced understanding of potential victims, coupled with a highly adaptive and elusive infrastructure, renders this a significant threat warranting coordinated, informed countermeasures to safeguard potential victims. Awareness, education, and the proactive deployment of defense mechanisms are pivotal in mitigating the risks associated with the WebWyrm malware campaign.