CISSP Study Guide | Cyber Press
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 21 2023
Increasingly prevalent NetSupport RAT infections reported
https://www.scmagazine.com/brief/increasingly-prevalent-netsupport-rat-infections-reported
Attacks involving the NetSupport RAT have become increasingly common, The Hacker News reports. More than 15 infections have been observed mostly in organizations in the education, government, and business sectors, in recent weeks, according to a report from VMware Carbon Black researchers. Fraudulent browser updates have been leveraged by threat actors to facilitate the distribution of the SocGholish downloader malware, also known as FakeUpdates, which then uses PowerShell to establish a remote server connection and facilitate the retrieval of a NetSupport RAT-containing ZIP archive file. Researchers also noted that the installation of NetSupport would then enable behavior tracking, file transfers, computer setting alterations, and lateral network movement. “The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns,” said researchers. NetSupport RAT, which was once a remote access tool, was previously reported by Sucuri to have been spread through fake Cloudflare distributed denial-of-service protection pages.
Rat : Remote Access Trojan – Launching Virus Remotely
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 20 2023
Cyber Attack Forces World’s Biggest Bank to Trade via USB Stick
Cyber Attack Forces World’s Biggest Bank to Trade via USB Stick
https://time.com/6333716/china-icbc-bank-hack-usb-stick-trading/
On Thursday, trades handled by the world’s largest bank in the globe’s biggest market traversed Manhattan on a USB stick.
Industrial & Commercial Bank of China Ltd.’s U.S. unit had been hit by a cyberattack, rendering it unable to clear swathes of U.S. Treasury trades after entities responsible for settling the transactions swiftly disconnected from the stricken systems. That forced ICBC to send the required settlement details to those parties by a messenger carrying a thumb drive as the state-owned lender raced to limit the damage.
The workaround — described by market participants — followed the attack by suspected perpetrator Lockbit, a prolific criminal gang with ties to Russia that has also been linked to hits on Boeing Co., ION Trading U.K. and the U.K.’s Royal Mail. The strike caused immediate disruption as market-makers, brokerages and banks were forced to reroute trades, with many uncertain when access would resume.
The incident spotlights a danger that bank leaders concede keeps them up at night — the prospect of a cyber attack that could someday cripple a key piece of the financial system’s wiring, setting off a cascade of disruptions. Even brief episodes prompt bank leaders and their government overseers to call for more vigilance.
“This is a true shock to large banks around the world,” said Marcus Murray, the founder of Swedish cybersecurity firm Truesec. “The ICBC hack will make large banks around the globe race to improve their defenses, starting today.”
As details of the attack emerged, employees at the bank’s Beijing headquarters held urgent meetings with the lender’s U.S. division and notified regulators as they discussed next steps and assessed the impact, according to a person familiar with the matter. ICBC is considering seeking help from China’s Ministry of State Security in light of the risks of potential attack on other units, the person said.
Late Thursday, the bank confirmed it had experienced a ransomware attack a day earlier that disrupted some systems at its ICBC Financial Services unit. The company said it isolated the affected systems and that those at the bank’s head office and other overseas units weren’t impacted, nor was ICBC’s New York branch.
The extent of the disruption wasn’t immediately clear, though Treasury market participants reported liquidity was affected. The Securities Industry and Financial Markets Association, or Sifma, held calls with members about the matter Thursday.
ICBC FS offers fixed-income clearing, Treasuries repo lending and some equities securities lending. The unit had $23.5 billion of assets at the end of 2022, according to its most recent annual filing with U.S. regulators.
The attack is only the latest to snarl parts of the global financial system. Eight months ago, ION Trading U.K. — a little-known company that serves derivatives traders worldwide — was hit by a ransomware attack that paralyzed markets and forced trading shops that clear hundreds of billions of dollars of transactions a day to process deals manually. That has put financial institutions on high alert.
ICBC, the world’s largest lender by assets, has been improving its cybersecurity in recent months, highlighting increased challenges from potential attacks amid the expansion of online transactions, adoption of new technologies and open banking.
“The bank actively responded to new challenges of financial cybersecurity, adhered to the bottom line for production safety and deepened the intelligent transformation of operation and maintenance,” ICBC said in its interim report in September.
Ransomware attacks against Chinese firms appear rare in part because China has banned crypto-related transactions, according to Mattias Wåhlén, a threat intelligence specialist at Truesec. That makes it harder for victims to pay ransom, which is often demanded in cryptocurrency because that form of payment provides more anonymity.
But the latest attack likely exposes weaknesses in ICBC’s defenses, Wåhlén said.
“It appears ICBC has had a less effective security,” he said, “possibly because Chinese banks have not been tested as much as their Western counterparts in the past.”
Record levels
Ransomware hackers have become so prolific that attacks may hit record levels this year.
Blockchain analytics firm Chainalysis had recorded roughly $500 million of ransomware payments through the end of September, an increase of almost 50% from the same period a year earlier. Ransomware attacks surged 95% in the first three quarters of this year, compared with the same period in 2022, according to Corvus Insurance.
In 2020, the website of the New Zealand Stock Exchange was hit by a cyberattack that throttled traffic so severely that it couldn’t post critical market announcements, forcing the entire operation to shut down. It was later revealed that more than 100 banks, exchanges, insurers and other financial firms worldwide were targets of the same type of so-called DDoS attacks simultaneously.
Caesars Entertainment Inc., MGM Resorts International and Clorox Co. are among companies that have been hit by ransomware hackers in recent months.
ICBC was struck as the Securities and Exchange Commission works to reduce risks in the financial system with a raft of proposals that include mandating central clearing of all U.S. Treasuries. Central clearing platforms are intermediaries between buyers and sellers that assume responsibility for completing transactions and therefore prevent a default of one counterparty from causing widespread problems in the marketplace.
The incident underscores the benefits of central clearing in the $26 trillion market, said Stanford University finance professor Darrell Duffie.
“I view it as one example of why central clearing in the U.S. Treasuries market is a very good idea,” he said, “because had a similar problem occurred in a not-clearing firm, it’s not clear how the default risk that might result would propagate through the market.”
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
In the Lair of the Cozy Bear: Cyberwarfare with APT 29 Up Close and Personal
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 20 2023
RUSSIA-LINKED APT29 GROUP EXPLOITED WINRAR 0DAY IN ATTACKS AGAINST EMBASSIES
Russia-linked cyberespionage group APT29 has been observed leveraging the CVE-2023-38831 vulnerability in WinRAR in recent attacks.
The Ukrainian National Security and Defense Council (NDSC) reported that APT29 (aka SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) has been exploiting the CVE-2023-38831 vulnerability in WinRAR in recent attacks.
APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
The Russia-linked APT group was observed using a specially crafted ZIP archive that runs a script in the background to show a PDF lure while downloading PowerShell code to fetch and execute a payload.
The APT group targeted multiple European nations, including Azerbaijan, Greece, Romania, and Italy, with the primary goal of infiltrating embassy entities.
The threat actors used a lure document (“DIPLOMATIC-CAR-FOR-SALE-BMW.pdf”) containing images of a BMW car available for sale to diplomatic entities. The weaponized documents embedded malicious content that exploited the WinRAR vulnerability.
“In the context of this particular attack, a script is executed, generating a PDF file featuring the lure theme of a BMW car for sale. Simultaneously, in the background, a PowerShell script is downloaded and executed from the next-stage payload server.” reads the report published by NDSC. “Notably, the attackers introduced a novel technique for communicating with the malicious server, employing a Ngrok free static domain to access their server hosted on their Ngrok instance.”
In this attack scheme, Ngrok has been used to host their next-stage PowerShell payloads and establish covert communication channels.
Threat actors use the tool to obfuscate their communications with compromised systems and evade detection.
“What makes this campaign particularly noteworthy is the synthesis of old and new techniques. APT29 continues to employ the BMW car for sale lure theme, a tactic that’s been seen in the past. However, the deployment of the CVE-2023-38831 WinRAR vulnerability, a novel approach, reveals their adaptability to the evolving threat landscape. Additionally, their use of Ngrok services to establish covert communications emphasizes their determination to remain concealed.” concludes the NDSC that also published indicators of compromise (IoCs) for these attacks.
In April, Google observed Russia-linked FROZENBARENTS APT (aka SANDWORM) impersonates Ukrainian drone training school to deliver the Rhadamanthys infostealer.
The threat actors used a lure themed as an invitation to join the school, the email included a link to an anonymous file-sharing service, fex[.]net. The file-sharing service was used to deliver a benign decoy PDF document with a drone operator training curriculum and specially crafted ZIP archive (“Навчальна-програма-Оператори.zip” (Training program operators)) that exploits the flaw CVE-2023-38831.
In September, CERT-UA observed the FROZENLAKE group exploitingthe WinRAR flaw to deploy malware in attacks aimed at energy infrastructure.
Google TAG experts also observed the Russia-linked ATP28 group exploiting the flaw in attacks against Ukraine users. The state-sponsored hackers employed a malicious PowerShell script (IRONJAW) to steal browser login data and local state directories.
The China-linked APT40 group was observed exploiting the CVE-2023-38831 vulnerability in attacks against targets in Papua New Guinea.
Last week, researchers at cybersecurity firm NSFOCUS analyzed DarkCasino attack pattern exploiting the WinRAR zero-day vulnerability tracked as CVE-2023-38831. The economically motivated APT group used specially crafted archives in phishing attacks against forum users through online trading forum posts.
In the Lair of the Cozy Bear: Cyberwarfare with APT 29 Up Close and Personal
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 18 2023
Review: Cyberbunker: The Criminal Underworld
Written and directed by Kilian Lieb and Max Rainer, Cyberbunker is a Netflix documentary about a group of hackers that enabled the proliferation of dark web forums where illegal materials were bought and sold.
Cyberbunker: The Criminal Underworld
The documentary begins with a special police unit performing a raid in what looks like a military bunker. We are then shown a thin individual with glasses and long, gray hair: Herman Johan Xennt.
The (now) 64-year-old Dutchman, who is currently serving a prison sentence in Germany, is a bunker aficionado, having been fascinated with them since he visited a WWII bunker in Arnhem when he was a kid.
Understanding the possibilities of computer technology and the internet, he first opened a profitable computer store in the early 90s. In 1995, with the money earned from this business, he was able to buy a former NATO bunker in the southern part of the Netherlands, which ended up being the location of the first Cyberbunker – a company that provides internet and web hosting services to questionable operations.
In 2002, a fire broke in the bunker and revealed the existence of an MDMA lab. Xennt claimes that he knew nothing about the lab and that he was simply subletting part of the bunker to another group. For many years after, the company’s servers were located above ground, in Amsterdam. In 2013, Xennt found and purchased a 5-level underground Cold War-era bunker in Traben-Trarbach, a small town in the South of Germany.
But the town’s mayor soon grew suspicious of the activities going on in the bunker and decided to contact the authorities, which started telephone surveillance in 2015. The group communicated in codes, though, which made crime identification impossible. In 2017, the authories began monitoring the network node to identify illegal data traffic.
This led to the discovery of evidence of criminal activity: Cyberbunker provided hosting for dark web marketplaces, a forum for exchanging illegal drugs, counterfeit money and fake identification, and more.
The undercover operation provided crucial information to the police, helping them to plan and execute a successful raid. Xennt and his criminal colleagues were arrested, and over 280 servers hosting websites for up to 200 customers were shut down.
The idea of “freedom of the internet”
Cyberbunker was know among cybercriminals as a “bulletproof hoster”, which meant that the servers hosting the content stayed online no matter what (i.e., even if the authorities requested sites’ removal). It also guaranteed privacy, which was very convenient for anyone who wanted to host questionable or illegal content.
Cyberbunker advertised that it would host everything except child pornography and terrorism-related content, but the group later claimed that they didn’t really know what the clients were using their servers for.
The group was driven by the idea of “freedom of the internet” and, during the interviews with all the members of the group (including Xennt), we can see that they have a twisted idea of what it should be.
They went so far as to declare the Republic of Cyberbunker, with its “administration” and hierarchy, and perpetuated the delusion that what they were doing was good.
Does it strike the right chord?
The documentary is suitable for a wide audience and does not burden the spectator with technical details. Instead, it has a movie-like format that’s captivating and easy to follow.
The timeline of the events is well presented and clear, complemented with historical data about the main “character” – Xennt – and original private and police footage.
The authors tried to create a tense and scary atmosphere, though the characters at times act bizarrely and seem out of touch with reality that, on occasion, you might almost feel sorry for them. It’s hard to believe these individuals thought they were untouchable and that, even after getting arrested, they were still convinced they were making the world a better place.
Codes of the Underworld: How Criminals Communicate
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 17 2023
Why cyber war readiness is critical for democracies
The skills employed, the hacktivists and other threat actors are not going anywhere. Right now, Russia might be overwhelmingly interested in Ukraine, but their aims and goals remain global.
“These skills will be turned in other directions and other targets in the future, they will be shared in threat actor groups online. This is the world you need to be preparing for right now,” he added.
His warning echoed a similar one by Viktor Zhora, Deputy Chairman and Chief Digital Transformation Officer at the State Service of Special Communication and Information Protection of Ukraine.
Russia’s attack force consists of “hackers in uniform”, cybercriminals and hacktivists congregating in various Telegram channels, but the nation is also working on engaging ever more younger people in their cyber offensive campaigns. They are seeking talented individuals in schools (and not just tech universities), selecting the most talented and training them, he shared.
“The Russians are in it for the long run,” Zhora warned during his IRISSCON talk, and called on countries that are – or expect to be – targeted by cyber aggressive nations to create a cyber coalition so they can prepare, share their experiences, and exchange information.
OT under attack
We can’t talk about the war in Ukraine and not mention cyber attacks aimed at disrupting operational technology (OT) used by companies that are part of the country’s critical infrastructure (CI).
In his talk, Ferguson briefly passed through the known attacks that hit CI entities with OT-specific malware, starting with Stuxnet in 2010 and ending with CosmicEnergy in 2023.
Some of the attacks are believed to be the work of the US and Israel (Stuxnet), cybercriminals (EKANS ransomware, 2020) or are still unattributed (the destructive 2014 attack against a steel plant in Germany). But the rest, he noted, are all believed to have been mounted by Russian state-backed attackers.
And, he says, they are getting better at it. Mirroring the development of attacks against IT systems, they have recently begun exploiting legitimate tools found in OT environments, so they don’t need to develop customized malware.
Many attackers are scanning for OT-specific protocols and probing OT devices, Ferguson noted. While their actual exploitation hinges on the skills of the attackers, some modes of attack (e.g., DDoS and phishing) are available to those who are less skilled, but eager. Hacktivists can target critical infrastructure that’s exposed on the internet as it’s easily discoverable via online tools.
Unfortunately, securing OT systems comes with a host of challenges: a complex infrastructure; an increasing number of endpoints; OT devices insecure by design (and generally not meant to be connected to the internet); rarely integrated OT and IT security teams, a lack of visibility into the OT infrastructure – to name just a few.
A new level of cyber conflict
Since the start of the war, Russian hackers have been trying to shut down electrical power in the country, have gone after government agencies, IT companies, telecoms, software development firms, media houses, editors, and media personalities, Zhora noted.
While the initial attacks were mostly geared towards destruction, Russian cyber attackers are now also trying to get their hands on information that can help them determine the effectiveness of their kinetic attacks, discover whether their spies have been flagged by the Ukrainian authorities, and see what evidence those authorities have gathered about war crimes.
Clever and subtle psy-ops online campaigns are, as well, a favorite tactic employed by the Russian state to manipulate enemies. And, since the advent of generative AI, it has became easier to mount them, Ferguson added.
All these things should be taken in consideration by governments when preparing for the future. Looking at the cyber component of the unfolding wars in Ukraine and Israel, they can see what future conflicts will look like.
Zhora says that Ukraine is becoming more and more confident of its capacity to counter future attacks, but that each democracy needs to ask themselves: Are we prepared for a global cyber war? “And they need to be honest with the answer,” he noted.
If they are not, they should immediately begin investing in cyber defense and intensifying cooperation, he added.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 16 2023
YOUR GOOGLE CLOUD SECURITY MIGHT BE AT RISK. HACKING GCP VIA GOOGLE WORKSPACE FLAW
In a startling revelation, Bitdefender, a leading cybersecurity firm, has disclosed a series of sophisticated attack methods that could significantly impact users of Google Workspace and Google Credential Provider for Windows (GCPW). This discovery highlights potential weaknesses in widely used cloud and authentication services, prompting a reevaluation of current security measures.
DISCOVERY OF ADVANCED ATTACK TECHNIQUES
Bitdefender’s research team, working in conjunction with their in-house research institute Bitdefender Labs, has identified previously unknown methods that cybercriminals could use to escalate a breach from a single endpoint to a network-wide level. These techniques, if exploited, could lead to severe consequences such as ransomware attacks or massive data exfiltration.
The attack progression involves several key stages, starting from a single compromised machine. Once inside the system, attackers could potentially:
- Move across cloned machines within the network, especially if they are equipped with GCPW.
- Gain unauthorized access to the Google Cloud Platform through custom permissions.
- Decrypt locally stored passwords, extending their reach beyond the initially compromised machine.
These findings were responsibly disclosed to Google. However, Google has stated that these issues will not be addressed directly, as they fall outside their designated threat model. This decision reflects Google’s risk assessment and security priorities.
THE DUAL ROLE OF GOOGLE CREDENTIAL PROVIDER FOR WINDOWS (GCPW)
At the heart of these vulnerabilities is the Google Credential Provider for Windows (GCPW), a tool designed to streamline access and management within Google’s ecosystem. GCPW serves two primary functions:
- Remote Device Management: Similar to Mobile Device Management (MDM) systems like Microsoft Intune, GCPW allows administrators to remotely manage and control Windows devices connected to Google Workspace. This includes enforcing security policies, deploying software updates, and managing device settings without needing a VPN connection or domain registration.
- Single-Sign On (SSO) Authentication: GCPW facilitates SSO for Windows devices using Google Workspace credentials. This integration provides a seamless login experience, enabling users to access their devices with the same credentials used for Google services like Gmail, Google Drive, and Google Calendar.
THE OPERATIONAL MECHANISM OF GCPW
Understanding GCPW’s functioning is crucial in comprehending the vulnerabilities. Here’s a breakdown of its operational process:
- Local Service Account Creation: Upon installing GCPW, a new user account named ‘gaia’ is created. This account, not intended for regular user interactions, serves as a service account with elevated privileges.
- Credential Provider Integration: GCPW integrates a new Credential Provider into the Windows Local Security Authority Subsystem Service (lsass), a critical component responsible for handling security operations and user authentication in Windows.
- Local User Account Creation: GCPW facilitates the creation of new local user accounts linked to Google Workspace accounts whenever a new user authenticates with the system.
- Logon Procedure: These Google Workspace users are logged in using their newly created local profiles, where a refresh token is stored to ensure continuous access without repeated authentication prompts.
UNCOVERED ATTACK METHODS
GOLDEN IMAGE LATERAL MOVEMENT:
- Virtualized Environment Challenge: In environments that use cloned virtual machines (VMs), such as Virtual Desktop Infrastructure (VDI) or Desktop as a Service (DaaS) solutions, the installation of GCPW on a base machine means that the ‘gaia’ account and its password are cloned across all VMs.
- Attack Implication: If an attacker discovers the password of one ‘gaia’ account, they can potentially access all machines that have been cloned from the same base image.
- Scenario: Imagine a company, “Acme Corp,” uses a Virtual Desktop Infrastructure (VDI) where multiple virtual machines (VMs) are cloned from a single ‘golden image’ for efficiency. This image has Google Credential Provider for Windows (GCPW) pre-installed for ease of access.
- Attack Example:
- An attacker, Alice, manages to compromise one of Acme Corp’s VMs. During her exploration, she discovers that the VM has GCPW installed.
- She learns that the ‘gaia’ account password created during the GCPW setup is identical across all cloned VMs because they were derived from the same golden image.
- By extracting the ‘gaia’ account password from the compromised VM, Alice can now access all other VMs cloned from the same image. This allows her to move laterally across the network, potentially accessing sensitive information or deploying malware.
UNAUTHORIZED ACCESS TOKEN REQUEST:
- Exploitation of OAuth Tokens: GCPW stores an OAuth 2.0 refresh token within the user’s session, maintaining access to the broader Google ecosystem. Attackers gaining access to this token can request new Access Tokens with varied permissions.
- Scope of Abuse: The permissions granted by these tokens can enable attackers to access or manipulate a wide range of user data and Google services, effectively bypassing multi-factor authentication (MFA) processes.
- Scenario: At a different company, “Beta Ltd.,” employees use their Google Workspace credentials to log into their Windows machines, facilitated by GCPW.
Attack Example:
- Bob, a cybercriminal, gains initial access to a Beta Ltd. employee’s computer through a phishing attack.
- Once inside the system, Bob finds the OAuth 2.0 refresh token stored by GCPW. This token is meant to maintain seamless access to Google services without repeated logins.
- With this token, Bob crafts a request to Google’s authentication servers pretending to be the legitimate user. He requests new Access Tokens with broad permissions, like access to emails or cloud storage.
- Using these tokens, Bob can now access sensitive data in the employee’s Google Workspace environment, like emails or documents, bypassing any multi-factor authentication set up by the company.
PASSWORD RECOVERY THREAT:
- Plaintext Credential Risk: GCPW’s mechanism of saving user passwords as encrypted LSA secrets, intended for password resetting, presents a vulnerability. Skilled attackers could decrypt these credentials, allowing them to impersonate users and gain unrestricted account access.
Scenario: A small business, “Gamma Inc.,” uses GCPW for managing their Windows devices and Google Workspace accounts.
Attack Example:
- Carla, an experienced hacker, targets Gamma Inc. She successfully breaches one of the employee’s systems through a malware-laden email attachment.
- After gaining access, Carla locates the encrypted LSA secret stored by GCPW, which contains the user’s Google Workspace password.
- Using advanced decryption techniques, she decrypts this password. Now, Carla has the same access privileges as the employee, not just on the local machine but across all Google services where the employee’s account is used.
- This enables Carla to impersonate the employee, access company emails, manipulate documents, or even transfer funds if the employee has financial privileges.
GOOGLE’S STANCE AND SECURITY IMPLICATIONS
Google’s decision not to address these findings, citing their exclusion from the company’s specific threat model, has stirred a debate in the cybersecurity community. While Google’s risk.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 15 2023
SystemBC, A SWISS KNIFE Proxy Malware, Used By Numerous Ransomware Groups
SystemBC (aka Coroxy or DroxiDat) is a multifunctional malware known as Proxy, Bot, Backdoor, and RAT, adapting to attackers’ needs.
Since 2018, this multifunctional malware has been active, and it remains popular in underground markets, with consistent annual incidents.
Cybersecurity researcher, REXor (aka Aaron) recently discovered that several ransomware groups are employing SystemBC, a Swiss Knife proxy malware, for their illicit purposes.
Ransomware Groups Involved
Here below, we have mentioned all the ransomware groups that are involved in using this malware:-
- ViceSociety
- Rhysida
- GoldDupont
- FIN12
- 8BASE
- PLAY
- Hive
- BlackBasta
- TropicalScoprious (CUBA)
- RiddleSpider (Avaddon)
- WizardSpider (Conti, Ryuk)
- Egregor
- DarkSide
- Maze Team (Maze & IcedID)
SystemBC, The SWISS KNIFE
Coroxy infiltrates systems using diverse methods tailored to the user group, employing:-
- Reconnaissance
- Lateral movement
- Deploying SystemBC (often alongside CobaltStrike)
It’s also utilized in Spear Phishing campaigns, delivered via loaders or other malware for installation on victim systems.
SystemBC malware adapts its methods but maintains core tasks:-
Gather system info –> Establish persistence –> Create a Socks5 connection to the C&C server –> Transmit data –> Await attacker commands or malware launches
This backdoor enables attackers to operate from their infrastructure, and over time, numerous groups have used SystemBC.
SystemBC usage varies with each attacker’s access to the infrastructure. Studied samples show diverse executions yet share consistent core functions.
Usually, when an executable is run, a duplicate copy of SystemBC is made and persistence is established via tasks or registry entries.
Some samples may use a packer or need deobfuscation/extraction without a loader or malware.
Extracting from memory may be required, revealing identical copies in a temporary folder indicating malware duplication with dynamic filenames.
Coroxy employs a Mutex control in all examined samples that prevents multiple runs. It may generate a random string or deobfuscate a domain as a Mutex, adding complexity.
Samples establish persistence differently, as some create jobs or registry entries, often using PowerShell to execute SystemBC.
In certain versions, SystemBC launches a duplicate in the following paths:-
- ProgramData
- Roaming
- Temp
SystemBC detects a2guard, a handy anti-analysis move to spot antivirus or disruptive software. It captures process snapshots, using ProcessFirst and ProcessNext to hunt for the binary.
This grants persistence, process control, and info gathering, with deobfuscation and decryption for future network connections.
After pinpointing the connection location, SystemBC establishes it through a loop, usually targeting a known server and port, reads the report.
Though versions may differ slightly, the core behavior remains the same. However, the analyst found a focus on Coroxy’s relevance, with active discussions and inquiries in forums.
Besides this, the identified infrastructure allows OS access for around $350 to $300, payable through active cryptocurrency wallets.
IOCs
Hash:
- c96f8d4d1ee675c3cd1b1cf2670bb9bc2379a6b66f3029b2ffcfdd67c612c499
- 6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871
- E81eb1aa5f7cc18edfc067fc6f3966c1ed561887910693fa88679d9b43258133
- 97ebef56e3fa3642d0395c00c25975e586089d26632e65422099a5107d375993
- ef71c960107ba5034c2989fd778e3fd72d4cdc044763aef2b4ce541a62c3466c
- 6E57D1FC4D14E7E7C2216085E41C393C9F117B0B5F8CE639AC78795D18DBA730
- 6b56f6f96b33d0acefd9488561ce4c0b4a1684daf5dde9cc81e56403871939c4
- F0073027076729CE94BD028E8F50F5CCB1F0184C91680E572580DB0110C87A82
- 3d1d747d644420a2bdc07207b29a0509531e22eb0b1eedcd052f85085bef6865
- c68035aabbe9b80ace209290aa28b8108cbb03a9d6a6301eb9a8d638db024ad0
- c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5
Domain:
- payload[.]su
- mxstat215dm[.]xyz
- mxstex725dm[.]xyz
- zl0yy[.]ru
- r0ck3t[.]ru
IP (High confidence):
- 91[.]191[.]209[.]110
- 5[.]42[.]65[.]67
- 45[.]15[.]158[.]40
IP (Mid-Low confidence):
- 178[.]236[.]246[.]117
- 185[.]174[.]136[.]148
- 45[.]142[.]122[.]179
- 178[.]236[.]247[.]39
- 45[.]142[.]122[.]105
- 185[.]112[.]83[.]129
- 185[.]112[.]83[.]164
- 185[.]112[.]83[.]172
- 185[.]112[.]83[.]59
- 5[.]42[.]65[.]67
- 78[.]153[.]130[.]166
- 45[.]142[.]122[.]215
- 91[.]191[.]209[.]110
- 5[.]188[.]206[.]246
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 14 2023
Cyber-espionage operation on embassies linked to Russia’s Cozy Bear hackers
https://therecord.media/cyber-espionage-campaign-embassies-apt29-cozy-bear
Russian state-sponsored hackers have targeted embassies and international organizations in a recent cyber-espionage campaign, Ukrainian government cybersecurity researchers have found.
The attacks were attributed to the infamous hacker group labeled APT29, also known as Cozy Bear or Blue Bravo. Analysts previously have linked it to Russia’s Foreign Intelligence Service (SVR), which gathers political and economic information from other countries.
The campaign, analyzed by Ukraine’s National Cyber Security Coordination Center (NCSCC), occurred in September of this year. The group used similar tools and tactics in its previous campaigns, particularly during an operation against embassies in Kyiv in April.
The most recent operation had “the primary goal of infiltrating embassy entities,” the NCSCC said, including targets in Azerbaijan, Greece, Romania and Italy. Another victim was the major Greek internet provider Otenet, the NCSCC said.
Diplomatic accounts, especially those associated with the foreign affairs ministries in Azerbaijan and Italy, suffered the most, according to researchers. One possible reason is that Russian intelligence was attempting to gather information regarding Azerbaijan’s strategic activities, especially leading up to the Azerbaijani invasion of the Nagorno-Karabakh region.
In total, APT29’s campaign targeted over 200 email addresses, but it’s not clear how many attacks were successful.
Tactics and techniques
APT29 exploited a recently discovered vulnerability in the Windows file archiver tool WinRAR. Identified as CVE-2023-3883, the bug was utilized by state-controlled hackers connected to Russia and China in early 2023 before being patched. Unpatched versions of the tool remain vulnerable.
According to NCSCC, this vulnerability still “poses a significant threat” as it allows attackers to execute arbitrary code through the exploitation of a specially crafted ZIP archive.
In the recent campaign, Cozy Bear sent victims phishing emails containing a link to a PDF document and a malicious ZIP file that exploits the vulnerability, potentially granting attackers access to the compromised systems.
To convince their targets to open malicious files, the hackers created emails claiming to have information about the sale of diplomatic BMW cars. The same lure was used during the group’s attack on the embassies in Kyiv this spring.
In this campaign, the attackers introduced a novel technique for communicating with the malicious server, researchers said. In particular, they used a legitimate tool called Ngrok that allows users to expose their local servers to the internet.
Ngrok is commonly used during web development and testing to provide temporary public URLs for local web servers but cybercriminals deployed it to obfuscate their activities and communicate with compromised systems while evading detection.
By exploiting Ngrok’s capabilities in this way, threat actors can further complicate cybersecurity analysis and remain under the radar, making defense and attribution more challenging, NCSCC said.
Cozy Bear’s previous attacks
During the war in Ukraine, APT29 has carried out cyberattacks against the Ukrainian military and its political parties, as well as diplomatic agencies, think tanks and nonprofit organizations.
In April, for example, the group launched a spying campaign targeting foreign ministries and diplomatic entities in NATO countries, the European Union and, “to a lesser extent,” Africa.
The hackers’ tactics were similar to those used in the September campaign. In particular, they sent phishing emails impersonating the embassies of European countries to specific personnel, usually including a malicious link either in the body of the message or an attached PDF inviting the target diplomat to access the ambassador’s calendar.
APT29 has been blamed for several high-profile incidents prior to the war, including the SolarWinds supply chain attack in 2020 that affected thousands of organizations globally and led to a series of data breaches.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 14 2023
Hackers Selling Exploits For Critical Vulnerabilities On The Dark Web
Dark forums and Telegram channels have become great places for threat actors to sell critical vulnerabilities and exploits.
These vulnerabilities and exploits were associated with the Elevation of Privilege, Authentication Bypass, SQL Injection, and Remote Code Execution in products like Windows, JetBrains software, Microsoft Streaming Service Proxy, and Ubuntu kernels.
Recent discoveries state that these vulnerabilities were sold in underground forums even before the Vendor officially assigned them.
One such example was the Microsoft Streaming Server vulnerability (CVE-2023-36802) that was on sale in February, though the CVE was officially assigned in September 2023.
Key Vulnerabilities
According to the reports shared with Cyber Security News, several critical and high-severity vulnerabilities were sold in the underground forums, which certain ransomware groups used to gain initial access and lateral movement inside the victim network.
Critical Vulnerabilities
CVE-2023-34362: MOVEit RCE Vulnerability (Exploited By Cl0p Ransomware Group)
This vulnerability was published in NVD on June 02, 2023. However, it was observed to be exploited by threat actors since May 2023. This vulnerability had a severity of 9.8 (Critical) and was patched by Progress.
This vulnerability arises due to insufficient sanitization of user-provided data, which enables unauthenticated remote attackers to access the MOVEit application. With this vulnerability, the Cl0p ransomware group targeted more than 3000 organizations in the US and 8000 organizations worldwide.
CVE-2023-3519: Citrix ADC And Gateway Vulnerability (Exploited By Unknown Threat Actor)
NVD published this vulnerability on June 19, 2023, and Citrix patched it in July 2023. However, threat actors were seen to be exploiting this vulnerability in June 2023, which affected Netscaler ADC and Gateway versions.
A threat actor can use this vulnerability to execute remote code on affected Citrix ADC and Gateway systems to steal sensitive information without any authentication. The severity of this vulnerability was given as 9.8 (Critical).
CVE-2023-42793: JetBrains Unauthenticated RCE (Exploited By North Korean Threat Actors)
This vulnerability could allow an unauthenticated threat actor to access the TeamCity server and execute remote code,, which could compromise the source code and add to a supply chain attack.
This vulnerability was published in NVD in September 2023 and was found to be sold in the underground forums in October 2023. This authentication bypass leading to RCE vulnerability was given a severity of 9.8 (Critical).
According to Microsoft, this vulnerability was potentially used by North Korean nation-state threat actors like Diamond Sleet and Onyx Sleet to install malware and backdoors on their targets.
A complete report about the vulnerabilities sold on the underground market, their associated threat groups, and other information has been published.
Users of these products are recommended to patch the affected versions accordingly and take precautionary measures to prevent them from getting exploited by threat actors.
The Darkest Web: Drugs, Death and Destroyed Lives . . . the Inside Story of the Internet’s Evil Twin
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 13 2023
HOW LIVING-OFF-THE-LAND (LOTL) TECHNIQUE IS USED TO HACK INTO POWER GRIDS & CAUSE POWER OUTAGES
Living-off-the-land (LotL) techniques in cyber attacks refer to the use of legitimate, native tools already present in the target system to carry out malicious activities. This approach is particularly stealthy because it leverages tools and processes that are typically trusted and thus less likely to raise alarms. In the context of Operational Technology (OT) or Industrial Control Systems (ICS), such attacks can be especially dangerous due to the critical nature of the systems involved. Here’s how such an attack might work, with examples:
1. INITIAL ACCESS
- Example: A phishing email is sent to an employee in the OT/ICS environment. The email contains a seemingly harmless document that, when opened, executes a PowerShell script (a native Windows tool) to create a backdoor.
2. LATERAL MOVEMENT
- Example: Once inside the network, attackers might use legitimate system administration tools like Windows Management Instrumentation (WMI) or Remote Desktop Protocol (RDP) to move laterally across the network, searching for critical OT/ICS components.
3. ELEVATION OF PRIVILEGES
- Example: Attackers might use built-in tools like Netstat to identify security software or firewall settings and then use other native scripts or commands to disable these defenses, or to elevate their access privileges within the system.
4. DISCOVERY AND INFORMATION GATHERING
- Example: Tools like Tasklist or Systeminfo (native to Windows) are used to gather information about the system, such as running processes, installed software, or network configurations relevant to the OT/ICS environment.
5. EXPLOITATION AND MANIPULATION
- Example: In an ICS environment, attackers might use standard industrial communication protocols like Modbus or DNP3 (which are legitimate and essential for normal operations) to send malicious commands to control systems, potentially disrupting physical processes like power generation or water treatment.
6. PERSISTENCE AND EXFILTRATION
- Example: Attackers could use standard data transfer tools like FTP or even Windows BITS (Background Intelligent Transfer Service) to exfiltrate stolen data, or to maintain persistence by regularly updating malware or downloading additional tools.
7. CLEANUP
- Example: To erase their tracks, attackers might use native cleanup tools or scripts to delete logs or any evidence of their activities, making detection and forensics much more difficult.
In late 2022, a significant cyber-physical incident occurred in Ukraine, attributed to the Russia-linked threat actor Sandworm. This event targeted Ukrainian critical infrastructure and utilized a multi-event cyber attack strategy, incorporating innovative techniques to impact industrial control systems (ICS) and operational technology (OT). The Sandworm actor employed OT-level living-off-the-land (LotL) techniques, likely causing a substation’s circuit breakers to trip and resulting in an unplanned power outage. This outage coincided with mass missile strikes across Ukraine’s critical infrastructure. Additionally, Sandworm executed a second disruptive event by deploying a new variant of CADDYWIPER malware in the victim’s IT environment.
This attack exemplifies the latest advancements in Russia’s cyber-physical attack capabilities, particularly visible since Russia’s invasion of Ukraine. The techniques used indicate a maturing offensive OT arsenal, capable of identifying novel OT threat vectors, developing new capabilities, and leveraging various types of OT infrastructure for attacks. Utilizing LotL techniques likely reduced the time and resources required for the cyber-physical attack. Although the initial intrusion point remains undetermined, the rapid development of the OT component of this attack suggests the actor’s ability to swiftly create similar capabilities against other OT systems globally.
Sandworm, active since at least 2009, is a versatile threat actor conducting espionage, influence, and attack operations, primarily supporting Russia’s Main Intelligence Directorate (GRU). The group’s primary focus has been Ukraine, where it has orchestrated disruptive and destructive attacks using wiper malware, especially during Russia’s re-invasion in 2022. However, Sandworm’s activities extend globally, underlining the Russian military’s extensive ambitions and interests in various regions. The group’s global threat activity and novel OT capabilities necessitate proactive measures from OT asset owners to mitigate potential risks.
As per mandiant research, the 2022 intrusion began or prior to June 2022, culminating in two disruptive events on October 10 and 12. Sandworm accessed the OT environment via a hypervisor hosting a SCADA management instance for a substation, potentially having SCADA system access for up to three months. On October 10, Sandworm used an optical disc (ISO) image, “a.iso,” to execute a native MicroSCADA binary, likely for malicious control commands to switch off substations. The attackers, got into the operational technology (OT) system through a key piece of software (a hypervisor) that managed the control system (SCADA) of a power substation. This means they had access to the system that controls how the power substation works. For up to three months, they could have been inside this system without being detected. On October 10, they used a special file (an ISO image named “a.iso”) to run a command in the control system that was likely intended to turn off power substations.
This case underscores the evolving nature of cyber threats, particularly in critical infrastructure sectors. The increasing sophistication and rapid development of such attacks highlight the need for enhanced cybersecurity measures, continuous monitoring, and preparedness against novel and complex cyber threats in OT and ICS environments.
In OT/ICS environments, such LotL attacks are particularly concerning because they:
- Are harder to detect due to the use of legitimate tools.
- Can cause significant physical and operational damage.
- May bypass traditional security measures that don’t account for malicious use of native tools.
Defending against such attacks requires a combination of robust cybersecurity practices, including employee training, network segmentation, constant monitoring for anomalous behaviors, and regular updating and patching of all systems.
Business internet safety guide
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 10 2023
Russian Hackers Hijacked Power Station Circuit Breakers Using LotL Technique
In a recent and alarming development, the notorious Russia-linked threat actor Sandworm executed a sophisticated cyber-physical attack targeting a critical infrastructure organization in Ukraine.
The incident, responded to by cybersecurity firm Mandiant, unfolded as a multi-event assault, showcasing a novel technique to impact Industrial control systems (ICS) and operational technology (OT).
Unraveling Russia’s Cyber-Physical Capabilities
The attack, spanning from June to October 2022, demonstrated a significant evolution in Russia’s cyber-physical attack capabilities, notably visible since the invasion of Ukraine.
Sandworm, known for its allegiance to Russia’s Main Intelligence Directorate (GRU), has historically focused on disruptive and destructive campaigns, particularly in Ukraine.
The unique aspect of this attack involved Sandworm’s utilization of living-off-the-land (LotL) techniques at the OT level, initially causing an unplanned power outage in conjunction with missile strikes across Ukraine.
The threat actor further demonstrated its adaptability by deploying a new variant of the CADDYWIPER malware in the victim’s IT environment.
Mandiant’s analysis revealed the complexity of the attack, highlighting Sandworm’s ability to recognize novel OT threat vectors, develop new capabilities, and exploit various OT infrastructures.
The threat actor’s deployment of LotL techniques indicated a streamlined approach, reducing the time and resources required for the cyber-physical assault.
Concerns Over Sandworm’s Adaptive Capabilities
Despite being unable to pinpoint the initial intrusion point, Mandiant suggested that the OT component of the attack may have been developed in as little as two months.
This raises concerns about Sandworm’s capability to rapidly adapt and deploy similar attacks against diverse OT systems worldwide.
Sandworm’s global threat activity, coupled with its novel OT capabilities, prompted a call to action for OT asset owners worldwide.
Mandiant provided detailed guidance, including detection methods, hunting strategies, and recommendations for hardening systems against such threats.
The attack’s timing, coinciding with Russian kinetic operations, suggested a strategic synchronization, indicating that the threat actor may have been waiting for a specific moment to deploy its capabilities.
As observed in this incident, the evolution of Sandworm’s tactics offers insights into Russia’s ongoing investment in OT-oriented offensive cyber capabilities.
In conclusion, this Sandworm attack serves as a stark reminder of the escalating cyber threats faced by critical infrastructure globally.
The continuous evolution of cyber adversaries necessitates a proactive approach from governments, organizations, and asset owners to secure and safeguard vital systems against such sophisticated attacks.
Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 09 2023
NordVPN safe and private access to the internet
Protect your online activity
If you are not using a reliable VPN, your private information can be easily accessed by third parties. Get NordVPN to protect yourself from prying eyes.
Next-generation encryption
Connect to a VPN server and be sure that NordVPN’s cutting-edge A-256 encryption keeps your online data safe, even on public Wi-Fi.
Malware protection
Enjoy a higher level of security with NordVPN’s Threat Protection feature. Scan downloads for malware, block trackers, and hide ads.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 09 2023
HACKERS’ NEW FAVORITE: CVE-2023-4911 TARGETING DEBIAN, UBUNTU AND FEDRORA SERVERS IN THE CLOUD
CVE-2023-4911 is a serious security vulnerability within the GNU C Library (glibc), specifically in the dynamic loader ld.so, associated with the processing of the GLIBC_TUNABLES environment variable. This vulnerability has been exploited in cloud attacks, particularly by a group using the Kinsing malware for cryptojacking operations.
The flaw is a buffer overflow that can be exploited by a local attacker using specially crafted GLIBC_TUNABLES environment variables when launching binaries with Set-UID (SUID) permissions, which could potentially allow the execution of code with elevated privileges. The Qualys Threat Research Unit has been credited with discovering this vulnerability.
This vulnerability has been given a severity score of 7.8, which classifies it as high severity. Exploitation of this flaw could enable an attacker to gain root permission on a Linux system that is running a vulnerable version of GLIBC, specifically version 2.34 or similar.
The issue has been noted to impact major Linux distributions, and organizations that use Linux systems, especially in cloud environments, are advised to patch this vulnerability promptly to mitigate the risks associated with it.
Exploit
To exploit CVE-2023-4911, threat actors would typically follow a sequence of steps that hinge on local access to a vulnerable system. The exploitation process can generally be broken down into the following stages:
- Initial Access: First, the attacker needs local access to a system that runs a vulnerable version of the GNU C Library, specifically where
ld.sois affected by the buffer overflow. This access could be obtained through various means, such as compromising a low-privileged user account. - Crafting Malicious Input: The attacker crafts a malicious
GLIBC_TUNABLESenvironment variable. This variable is meant to be used for tuning performance and behavior aspects of the GNU C Library, but when crafted maliciously, it can trigger a buffer overflow. - Exploiting the Buffer Overflow: By triggering the buffer overflow, the attacker aims to overwrite certain areas of memory. This could be the stack, the heap, or other memory locations, depending on how the dynamic loader (
ld.so) is handling the environment variable. - Injecting Code or Redirecting Execution: The overwritten memory could include the injection of malicious code, or it might alter the execution flow of the process to jump to code that the attacker controls. Typically, this would be shellcode—a small piece of code that launches a shell or another control mechanism.
- Elevating Privileges: If the process being exploited has SUID permissions, it runs with the privileges of the owner of the file, often root. By exploiting such a process, the attacker can execute their code with elevated privileges, effectively gaining root access to the system.
Here’s a hypothetical example:
- Alice is a system administrator for a cloud service provider that uses Linux servers.
- Bob is a threat actor who has managed to gain access to a low-privileged account on one of the Linux servers due to a weak password.
- The server runs a version of GLIBC that is vulnerable to CVE-2023-4911.
- Bob writes a malicious
GLIBC_TUNABLESvariable and uses it in conjunction with a vulnerable application that has SUID set to run as root. - When the application runs, the malicious variable causes a buffer overflow in
ld.so, which Bob exploits to redirect the application’s execution flow to his shellcode. - Bob’s shellcode is executed with root privileges, giving him full control over the server.
- Now with root access, Bob could install persistent backdoors, exfiltrate data, or use the compromised server for further attacks.
It’s important to note that exploitation of CVE-2023-4911, like many vulnerabilities, requires specific conditions to be met and often sophisticated knowledge of software internals, memory layout, and exploitation techniques. The exact details of the exploit can vary based on the system’s configuration, the attacker’s goals, and the environment variables involved.
The Aqua Nautilus team documented an attack by the Kinsing malware that exploited CVE-2023-4911 to elevate permissions on a compromised machine. Here’s how they described the exploitation process:
- Initial Access: The attackers gained initial access by exploiting a PHPUnit vulnerability (CVE-2017-9841), allowing them to download and execute a Perl script to open a reverse shell on the compromised machin.
- Manual Testing: The Kinsing attackers manually tested shell commands on the compromised systems. These commands included gathering system information, starting an interactive shell session, and creating a directory in
/tmp. - Downloading Exploits: They downloaded a script named
gnu-acme.py, which was an exploit for the Looney Tunables vulnerability (CVE-2023-4911), allowing for local privilege escalation by exploiting a buffer overflow in the handling of theGLIBC_TUNABLESenvironment variable byld.so. - Executing Additional Exploits: After this, they fetched and executed an obfuscated PHP exploit, which, upon de-obfuscation, turned out to be a JavaScript designed for further exploitative activities. This resulted in a web shell backdoor that allowed them to maintain unauthorized access to the server.
This attack demonstrates the attackers’ sophisticated capabilities in chaining vulnerabilities to penetrate cloud environments, gain unauthorized access, and elevate privileges within the system.
Kinsing aims to gather CSP credentials, potentially exposing sensitive data, like AWS instance identity, which poses risks in cloud environments.
Here below, we have mentioned all the types of credentials and data that could be exposed:-
- Temporary Security Credentials
- IAM Role Credentials
- Instance Identity Tokens
Mitigation
To mitigate an attack exploiting CVE-2023-4911, you should take the following steps:
- Patch the Vulnerability: Update the GNU C Library (glibc) to the latest version that includes a fix for CVE-2023-4911.
- Limit Access: Restrict local access to essential personnel and services, minimizing the number of users who can potentially exploit the vulnerability.
- Monitor for Suspicious Activity: Implement monitoring tools to detect unusual activity, such as unexpected changes to environment variables or unauthorized processes trying to gain elevated privileges.
- Harden Your Environment: Follow best practices for system hardening, such as disabling unnecessary services, closing open ports, and using tools like SELinux or AppArmor for enhanced security.
- Regular Security Audits: Conduct regular security audits to identify and remediate misconfigurations or unnecessary privileges that could be exploited.
- Use Security Tools: Employ security solutions such as intrusion detection systems, firewalls, and anti-malware tools that can detect and prevent exploitation attempts.
- Educate Staff: Train staff to recognize phishing attempts and other forms of social engineering that could lead to local access being compromised.
- Incident Response Plan: Have an incident response plan in place that includes procedures for dealing with suspected breaches, including how to contain and eradicate threats.
- Backup Regularly: Maintain regular backups of critical data to ensure that you can restore systems to a secure state if necessary.
By following these steps, you can significantly reduce the risk of exploitation and mitigate potential damage from attacks like those involving CVE-2023-4911.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 06 2023
Cloud security guidance
How to choose, configure and use cloud services securely.
If you want to store and process data in the cloud, or use cloud platforms to build and host your own services, this guidance will help you do so securely.
Cloud usage continues to grow steadily, both in volume and the type of services being built and hosted in it. In fact, cloud is usually the preferred option when organisations procure new IT services, as reflected in the UK government’s Cloud First Policy.
Against this background, it’s essential that new services are chosen and built in a way which reflects their security needs.
Who is this guidance for?
All organisations can use this guidance to navigate the sometimes confusing array of technologies which make up ‘the cloud’, and the management models which underpin their use.
More particularly:
- If you’re already using cloud services, refer to the section on assessing the security of your chosen services when considering new and updated additions or modifications. To audit you existing deployments, refer to the actions in Using cloud services securely.
- If you don’t hold or process sensitive data, you may find the lightweight approach to cloud security most useful.
- If you’re a larger business/enterprise (including the public sector), you should choose a cloud provider using the cloud security principles. Once you have chosen one you should configure and use your chosen cloud service securely as required by the shared responsiblity model.
Note:
Individuals looking for advice about how to use online services securely should refer to our Cyber Aware advice on staying secure online.
This collection contains
Introduction to cloud security
Defining some common terms, and providing background on the various sections of this guide.
Understanding cloud services
Cloud services can be seen from a number of perspectives. This section considers:
- service models and deployment models
- the ‘shared responsibility model’ used by many cloud providers to handle day-to-day management of security
- two specific security techniques; separation and cryptography
Choosing a cloud provider
The cloud security principles and how to use them, along with our lightweight security framework and some vendor responses to the principles.
Using cloud services securely
Some actions that customers of cloud services will need to take. This includes advice for cloud platforms and software as a service (SaaS), and those looking to lift and shift into the cloud.
Introduction to cloud security
https://www.ncsc.gov.uk/collection/cloud
Practical Cloud Security: A Guide for Secure Design and Deployment
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 03 2023
OWASP API Security Top 10 2023
OWASP API Security Top 10 2023
If you want to learn more, you can check the link below
Understanding API Security and Implications
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 02 2023
CVSS 4.0 EXPLAINED: FROM COMPLEXITY TO CLARITY IN VULNERABILITY ASSESSMENT
The Common Vulnerability Scoring System (CVSS) has been updated to version 4.0, which has been formally announced by the Forum of Incident Response and Security Teams (FIRST). This update comes eight years after the debut of CVSS v3.0, the previous version of the system. At its 35th annual conference, which took place in June in Montreal, Canada, FIRST presented CVSS 4.0 to the attendees. The Common Vulnerability Scoring System, also known as CVSS, is a standardised framework for evaluating the severity of software vulnerabilities. It does this by assigning numerical scores or qualitative labels (such as low, medium, high, and critical) based on factors such as exploitability, impact on confidentiality, integrity, availability, and required privileges, with higher scores indicating more severe vulnerabilities.
The Common Vulnerability Scoring System, more often referred to as CVSS, is a methodology that provides a framework for evaluating and conveying the severity of software vulnerabilities. It offers a standardised way that organisations and security experts may use to analyse vulnerabilities based on the characteristics of the vulnerabilities, and then prioritise those vulnerabilities. The CVSS ratings provide assistance in making educated judgements on which vulnerabilities should be addressed first and how resources should be distributed for vulnerability management.
There have been several versions of CVSS, and each version has included enhancements and modifications that make it possible to more accurately evaluate the severity of vulnerabilities. The previous version, CVSS 3.1, has been upgraded to the current version, CVSS 4.0, which includes a number of significant updates and enhancements, including the following:
CVSS 4.0 has been designed with the goal of simplifying the scoring system and making it more accessible to users. It makes the scoring process more straightforward, which makes it simpler for security experts to grasp and put into practise.
Accurate Scoring: CVSS 4.0 includes enhancements in scoring to enable more accurate evaluations of vulnerabilities. These improvements were made possible by the introduction of new scoring methods. It improves the base, temporal, and environmental parameters such that a more accurate representation of the real effect of a vulnerability may be achieved.
Enhanced Metrics: It provides new metrics, such as Scope and Attack Vector, to offer more insights about the nature of the vulnerability and its effect on the system. Enhanced Metrics.
Formula: CVSS 4.0 comes with a revised formula that may be used to determine the total score on the CVSS scale. When paired with additional indicators, this formula provides a more accurate representation of the severity of vulnerabilities.
Contextual Information: When it comes to rating vulnerabilities, CVSS 4.0 strongly recommends making advantage of any available contextual information. This contributes to the provision of a vulnerability assessment that is more precise and relevant depending on certain deployment circumstances.
Increased Scoring Flexibility: The updated version offers an increased degree of scoring flexibility for vulnerabilities. Users are given the option to choose several temporal and environmental criteria, so that the data may more accurately represent their unique situations.
The Common Vulnerability Scoring System (CVSS) version 4.0 marks an advancement in vulnerability scoring and solves some of the restrictions that were present in prior versions. It seeks to offer a system for analysing and prioritising vulnerabilities that is both more accurate and easier to use, with the ultimate goal of assisting organisations in improving their security posture by concentrating on the most pressing problems. In order to improve their vulnerability management procedures, security professionals and organisations should get aware with CVSS 4.0 and consider implementing it.
Lets take an example of how you would use CVSS 4.0 to determine the degree of severity of a software vulnerability. For the sake of this example, we will employ a made-up vulnerability:
Vulnerability Description: An application contains a buffer overflow vulnerability, which an attacker can exploit to execute arbitrary code on the affected system.
Here’s how you would use CVSS 4.0 to assess the severity of this vulnerability:
Base Metrics:
- Attack Vector (AV): The vulnerability can be exploited via network (AV:N). The attacker does not need local access to the system.
- Attack Complexity (AC): The attack requires no special conditions (AC:LOW). It’s relatively easy to exploit.
- Privileges Required (PR): The attacker needs to gain elevated privileges (PR:HIGH). This makes it more challenging to exploit.
- User Interaction (UI): No user interaction is required (UI:NONE).
- Scope (S): The scope of the vulnerability is unchanged, and it doesn’t impact other components (S:UNCHANGED).
Temporal Metrics:
- Exploit Code Maturity (E): There is proof of concept code available, but no known exploits in the wild (E:POC).
- Remediation Level (RL): There is an official fix available (RL:OFFICIAL-FIX).
- Report Confidence (RC): The vulnerability has been confirmed by multiple sources (RC:HIGH).
Environmental Metrics (Specific to the organization’s setup):
- Modified Attack Vector (MAV): The organization’s security controls have made it harder for attackers to exploit this vulnerability (MAV:NETWORK).
- Modified Attack Complexity (MAC): The organization’s security measures have increased the difficulty of exploitation (MAC:HIGH).
- Modified Privileges Required (MPR): The organization’s security settings require lower privileges for successful exploitation (MPR:LOW).
Now, you can calculate the CVSS 4.0 score based on these metrics:
- Calculate the Base Score: In this case, it might be, for example, 7.8.
- Calculate the Temporal Score by considering the temporal metrics: Let’s say it’s 6.2.
- Calculate the Environmental Score, taking into account the environmental metrics and organization-specific factors: The final score might be 4.3.
The overall CVSS 4.0 score for this vulnerability would be the Environmental Score, which is 4.3 in this example. This score helps organizations understand the severity of the vulnerability in their specific context, considering the mitigations and configurations in place.
The higher the CVSS score, the more severe the vulnerability. Organizations can then prioritize addressing vulnerabilities with higher scores to improve their security posture. CVSS 4.0 offers more flexibility and a better representation of the vulnerability’s impact, taking into account various contextual factors.
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 02 2023
Implementation Guide ISO/IEC 27001:2022
Implementation Guide ISO/IEC 27001:2022 by ISACA Germany Chapter.
About This Guide
Practical guide for the implementation of an Information Security Management System (ISMS) according to ISO/IEC 27001:2022
About ISO/IEC 27001:2022
ISO/IEC 27001 promotes a holistic approach to information security: vetting people, policies and technology. An information security management system implemented according to this standard is a tool for risk management, cyber-resilience and operational excellence.
ISACA Germany Chapter
Homepage can be found here https://lnkd.in/gRu8kT75
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Nov 01 2023
Hackers Deliver Malicious DLL Files Chained With Legitimate EXE Files
Hackers opt for DLL hijacking as a technique to exploit vulnerable applications because it allows them to load malicious code by tricking a legitimate application into loading a malicious DLL.
This can give them unauthorized access and control over a system or application, enabling various types of attacks like:-
- Privilege escalation
- Data theft
- System compromise
An active threat involves an Infostealer distributing a legitimate EXE file alongside a hidden malicious DLL in the same directory.
The legitimate EXE runs the malicious DLL, a technique known as DLL hijacking, commonly used for malware distribution.
Malicious DLL With Legitimate EXE Files
Malware posing as software cracks is growing at a rapid pace and is getting distributed by the threat actors using DLL hijacking.
Users searching for cracked software leads to malicious sites, and the downloads are encrypted RAR files with passwords.
Running EXE infects the system, and they often have valid signatures, so always be cautious with cracked software, reads the ASEC report.
Malicious DLLs tweak part of legitimate DLLs as they decrypt and run data from a nearby file. Hiding data this way avoids altering DLL appearance, reducing detection risk.
For malware to work, the following elements are required to be placed in the same folder:-
- Data
- EXE
- Modified DLL
Unzipping the password-protected file with the code “2023” gives you the following files:-
The following two files are genuine VLC files with valid signatures:-
- Setup.exe
- libvlc.dll
The “libvlccore.dll” is altered and lacks a matching signature, due to which the extra directories like demux and lua serve to mask its malicious nature.
Running ‘Setup.exe’ activates ‘libvlccore.dll,’ triggering a modified function that reads and decrypts ‘ironwork.tiff’ in the same folder. This file holds code info. disguised as a PNG.
It loads “pla.dll” from SysWow64 and injects code into its memory differently than typical malware. This method uses NTDLL relocation, and for “cmd.exe,” it loads “pla.dll” and injects the malware into it.
A data file is written to %TEMP%. cmd.exe inherits it and has its EntryPoint changed to “pla.dll” code. This code decrypts a file, generates LummaC2 malware, and runs “explorer.exe,” injecting and executing the binary.
LummaC2 targets victims and installs malware from its C2 server, and it steals various sensitive data using JSON-formatted responses from C2.
The malware infects via legitimate EXE files, looking like original DLLs, posing a low detection risk.
IOCs
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
Oct 31 2023
THE ART OF INTERCEPTION :ACTIVE AND PASSIVE SURVEILLANCE IN MOBILE SIGNALING NETWORKS
Mobile network data might be one of our most recent and thorough dossiers. Our mobile phones are linked to these networks and expose our demographics, social circles, purchasing habits, sleeping patterns, where we live and work, and travel history. Technical weaknesses in mobile communications networks threaten this aggregate data. Such vulnerabilities may reveal private information to numerous varied players and are closely tied to how mobile phones roam among cell providers for travel. These vulnerabilities are usually related to signalling signals carried across telecommunications networks, which expose phones to possible location disclosure.
Telecommunications networks use private, open signalling links. These connections enable local and international roaming, allowing mobile phones to smoothly switch networks. These signalling protocols also enable networks to obtain user information including if a number is active, whether services are accessible, to which national network they are registered, and where they are situated. These connections and signalling protocols are continually targeted and exploited by surveillance actors, exposing our phones to several location disclosure techniques.
Most illegal network-based location disclosure is achievable because mobile telecommunications networks interact. Foreign intelligence and security agencies, commercial intelligence businesses, and law enforcement routinely want location data. Law enforcement and intelligence agencies may get geolocation information secretly using tactics similar to those employed by criminals. We shall refer to all of these players as ‘surveillance actors’ throughout this paper since they are interested in mobile geolocation surveillance.
Despite worldwide 4G network adoption and fast developing 5G network footprint, many mobile devices and their owners use 3G networks. The GSMA, which offers mobile industry information, services, and rules, reports 55% 3G subscriber penetration in Eastern Europe, the Middle East, and Sub-Saharan Africa. The UK-based mobile market intelligence company Mobilesquared estimates that just 25% of mobile network operators globally had built a signalling firewall to prevent geolocation spying by the end of 2021. Telecom insiders know that the vulnerabilities in the 3G roaming SS7 signalling protocol have allowed commercial surveillance products to provide anonymity, multiple access points and attack vectors, a ubiquitous and globally accessible network with an unlimited list of targets, and virtually no financial or legal risks.
The research done by Citizen labs focuses on geolocation risks from mobile signalling network attacks. Active or passive surveillance may reveal a user’s position using mobile signalling networks. They may use numerous strategies to do this.
The two methods differ significantly. Active surveillance employs software to trigger a mobile network response with the target phone position, whereas passive surveillance uses a collecting device to retrieve phone locations directly from the network. An adversarial network employs software to send forged signalling messages to susceptible target mobile networks to query and retrieve the target phone’s geolocation during active assaults. Such attacks are conceivable on networks without properly implemented or configured security safeguards. Unless they can install or access passive collecting devices in global networks, an actor leasing a network can only utilise active surveillance tactics.
However, cell operators and others may be forced to conduct active and passive monitoring. In this case, the network operator may be legally required to allow monitoring or face a hostile insider accessing mobile networks unlawfully. A third party might get access to the operator or provider by compromising VPN access to targeted network systems, allowing them to gather active and passive user location information.
The report primarily discusses geolocation threats in mobile signaling networks. These threats involve surveillance actors using either active or passive methods to determine a user’s location.
Active Surveillance:
- In active surveillance, actors use software to interact with mobile networks and get a response with the target phone’s location.
- Vulnerable networks without proper security controls are susceptible to active attacks.
- Actors can access networks through lease arrangements to carry out active surveillance.
Passive Surveillance:
- In passive surveillance, a collection device is used to obtain phone locations directly from the network.
- Surveillance actors might combine active and passive methods to access location information.
Active Attacks:
- Actors use software to send crafted signaling messages to target mobile networks to obtain geolocation information.
- They gain access to networks through commercial arrangements with mobile operators or other service providers connected to the global network.
Vulnerabilities in Home Location Register (HLR) Lookup:
- Commercial HLR lookup services can be used to check the status of mobile phone numbers.
- Surveillance actors can pay for these services to gather information about the target phone’s location, country, and network.
- Actors with access to the SS7 network can perform HLR lookups without intermediary services.
Domestic Threats:
- Domestic location disclosure threats are concerning when third parties are authorized by mobile operators to connect to their network.
- Inadequate configuration of signaling firewalls can allow attacks originating from within the same network to go undetected.
- In some cases, law enforcement or state institutions may exploit vulnerabilities in telecommunications networks.
Passive Attacks:
- Passive location attacks involve collecting usage or location data using network-installed devices.
- Signaling probes and monitoring tools capture network traffic for operational and surveillance purposes.
- Surveillance actors can use these devices to track mobile phone locations, even without active calls or data sessions.
Packet Capture Examples of Location Monitoring:
- Packet captures show examples of signaling messages used for location tracking.
- Location information, such as GPS coordinates and cell information, can be exposed through these messages.
- User data sessions can reveal information like IMSI, MSISDN, and IMEI, allowing for user tracking.
The report highlights the various methods and vulnerabilities that surveillance actors can exploit to obtain the geolocation of mobile users, both domestically and internationally.Based on history, present, and future mobile network security evaluations, geolocation monitoring should continue to alarm the public and policymakers. Exploitable vulnerabilities in 3G, 4G, and 5G network designs are predicted to persist without forced openness that exposes poor practises and accountability mechanisms that require operators to fix them. All three network types provide surveillance actors more possibilities. If nation states and organised crime entities can actively monitor mobile phone locations domestically or abroad, such vulnerabilities will continue to threaten at-risk groups, corporate staff, military, and government officials.
Is My Cell Phone Bugged?: Everything You Need to Know to Keep Your Mobile Conversations Private
InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory
« Previous Page — Next Page »
