Hackers abuse free TryCloudflare to deliver remote access malware

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

Researchers are warning of threat actors increasingly abusing the Cloudflare Tunnel service in malware campaigns that usually deliver remote access trojans (RATs).

This cybercriminal activity was frst detected in February and it is leveraging the TryCloudflare free service to distribute multiple RATs, including AsyncRAT, GuLoader, VenomRAT, Remcos RAT, and Xworm.

**Campaigns attributed to the same activity cluster**
*Source: Proofpoint*

The Cloudflare Tunnel service allows proxying traffic through an encrypted tunnel to access local services and servers over the internet without exposing IP addresses. This should come with added security and convenience because there is no need to open any public inbound ports or to set up VPN connections.

With TryCloudflare, users can create temporary tunnels to local servers and test the service without the need of a Cloudflare account.

Each tunnel generates a temporary random subdomain on the trycloudflare.com domain, which is used to route traffic through Cloudflare’s network to the local server.

Threat actors have abused the feature in the past to gain remote access to compromised systems while evading detection.

Latest campaign

In a report today, cybersecurity company Proofpoint says that it observed malware activity targeting law, finance, manufacturing, and technology organizations with malicious .LNK files hosted on the legitimate TryCloudflare domain.

The threat actors are luring targets with tax-themed emails with URLs or attachments leading to the LNK payload. When launched, the payload runs BAT or CMD scripts that deploy PowerShell.

**Two attack chains used in the campaign**
*Source: Proofpoint*

In the final stage of the attack, Python installers are downloaded for the final payload.

Proofpoint reports that the email distribution wave that started on July 11 has distributed over 1,500 malicious messages, while an earlier wave from May 28 contained less than 50 messages.

**Malicious email sample**
*Source: Proofpoint*

Hosting LNK files on Cloudflare offers several benefits, including making the traffic appear legitimate due to the service’s reputation.

Moreover, the TryCloudflare Tunnel feature offers anonymity, and the LNK-serving subdomains are temporary, so blocking them does not help defenders too much.

Ultimately, the service is free and reliable, so the cybercriminals do not need to cover the cost of setting up their own infrastructure. If automation is employed to evade blocks from Cloudflare, the cybercriminals can abuse those tunnels even for large-scale operations.

BleepingComputer has reached Cloudflare for a comment on the activity reported by Proofpoint, and a company representative replied with the following statement:

Cloudflare immediately disables and takes down malicious tunnels as they are discovered by our team or reported on by third parties.

In the past few years, Cloudflare has introduced machine learning detections on our tunnel product in order to better contain malicious activity that may occur.

We encourage Proofpoint and other security vendors to submit any suspicious URLs and we will take action against any customers that use our services for malware.

Malicious PyPi packages create CloudFlare Tunnel to bypass firewalls

Hackers increasingly abuse Cloudflare Tunnel for stealthy connections

Over 3,000 GitHub accounts used by malware distribution service

Fake CrowdStrike repair manual pushes new infostealer malware

Warmcookie Windows backdoor pushed via fake job offers

Driving lessons: The kernel drivers in Sophos Intercept X Advanced

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

Operating in ‘kernel-space’ – the most privileged layer of an operating system, with direct access to memory, hardware, resource management, and storage – is vitally important for security products. It enables them to monitor ‘user-space’ – the non-privileged environment where applications run – and protect against malware that executes in that environment, even when it tries to evade detection. But kernel access also allows security products to counter more insidious threats within the kernel itself. As we’ve reported previously, for example, some threat actors use BYOVD (Bring Your Own Vulnerable Driver) attacks, or attempt to get their own malicious drivers cryptographically signed, in order to access kernel-space and take advantage of that elevated level of access.

However, from a security standpoint, working in kernel-space comes with its own risks. A wrong step in this environment – such as a bad update to a kernel driver – can cause outages. If the driver in question starts at boot time, when the operating system first loads, that can lead to prolonged impacts, potentially requiring affected hosts to be started in a recovery mode to mitigate the problem and allow the machines to boot normally.

Sophos’ Intercept X Advanced product uses five kernel drivers as of release 2024.2. All drivers are extensively tested* with applicable flags enabled and disabled, and shipped with new flags disabled. (Sophos Intercept X and Sophos Central use feature flags to gradually enable new features. Feature flags are deployed through Sophos Central. New features are typically ‘guarded’ by feature flags – turned off unless the flag is enabled – so that the feature can be rolled out gradually and potentially revised before wider enablement.)

In this article, in the interests of transparency, we’ll explore what those drivers are, what they do, when they start, how they’re signed, and what their inputs are. We’ll also explore some of the safeguards we put in place around these drivers to minimize the risk of disruption (such as staged rollouts, as mentioned above; we provide an example of this later in the article), and the options available to customers when it comes to configuring them. It’s also worth noting that Intercept X Advanced and all its components, including the kernel drivers, has been part of an external bug bounty program since December 14, 2017; we welcome scrutiny via external bug bounty submissions, and we foster a culture of collaboration with the research community.

* ‘Testing’ refers to a range of internal testing, including Microsoft-provided tools and verifiers

Overview

The following table provides an at-a-glance overview of the five kernel drivers which are part of Intercept X Advanced release 2024.2.

Driver	Version	Type	Start Type	Signed By Microsoft?	Signature	Description
SophosEL.sys	3.2.0.1150	Kernel Driver	Early-Launch Boot Start	Yes	ELAMP*	Sophos ELAM driver: can prevent execution of malicious boot start drivers
SophosED.sys	3.3.0.1727	File System Driver	Boot Start	Yes	WHCP+	The main Sophos anti-malware driver
Sntp.sys	1.15.1121	Network Filter Driver	System Start	Yes	WHCP+	Sophos Network Threat Protection driver
Hmpalert.sys	3.9.4.990	File System Driver	System Start	Yes	WHCP+	Sophos HitmanPro.Alert driver
SophosZtnaTap.sys	9.24.6.3	Network Filter Driver	On Demand	Yes	WHCP+	Sophos Zero Trust Network Access (ZTNA) Tap driver

Table 1: An overview of the kernel drivers in Intercept X Advanced2024.2
* Microsoft Windows Early Launch Anti-malware Publisher
+ Microsoft Windows Hardware Compatibility Publisher

A graphic showing user-space and the kernel (with hardware below) and how Sophos user-space components interact with the kernel drivers mentioned in the post

Figure 1: A conceptual depiction of user-space/kernel boundaries and where Intercept X Advanced components operate

SophosEL.sys

What it does: SophosEL.sys is the Sophos Early Launch Anti-Malware (ELAM) driver.

Inputs: This driver has one input – a blocklist of known-bad drivers which must be prevented from executing as boot start drivers at machine startup. This blocklist, located at the registry key below, is set by Sophos user-space threat detection logic when it detects a malicious driver. At the next boot cycle, SophosEL.sys ensures that this driver is not loaded.

Input	Description	Protection
HKLM\SYSTEM\CurrentControlSet\Services\Sophos ELAM\Config	Blocklist of known-bad drivers	DACLs; Sophos Tamper Protected

Customer options: Customers can configure remediation and allowed items in the Threat Protection policy from Sophos Central.

Additional measures: Any Microsoft or Sophos-signed driver is exempt from cleanup/blocking.

SophosED.sys

What it does: SophosED.sys (Endpoint Defense) is a boot start driver, started during ELAM processing and before many other kernel drivers are loaded, Windows user-space is initialized, and the system drive is mounted. It has three broad responsibilities:

Providing tamper protection for the Sophos installation and configuration
Exposing system activity events to Sophos user-space components for protection and detection
Recording low-level system activity events to the Sophos Event Journals for after-the-fact forensics and analysis

Inputs: Since SophosED.sys starts before the filesystem is available, its entire configuration is provided through its service key. Note that all the below inputs are under HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense.

Filter driver altitudes inputs

SophosED.sys registers with Windows as a Mini-Filter driver at multiple altitudes (a unique identifier that defines a driver’s position on the ‘stack’ of drivers, with ‘lower’ drivers being closer to bare metal) allocated and approved by Microsoft.

Input	Description	Protection
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Instances\	Multiple altitudes allocated by Microsoft	DACLs; Sophos Tamper Protected

Tamper Protection inputs

Sophos Tamper Protection is configured by a combination of customer policies, Sophos feature flags, and signed manifests built into the agent.

Input	Description	Protection
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config\	Customer policy (On/Off, configuration password*)	DACLs; Sophos Tamper Protected
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Components\HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Services\	Manifest of protected keys, folders, services etc	Signed; verified by driver before loading

* The configuration password is hashed with PBKDF2-SHA512 and a salt

System Activity Events inputs

The Sophos Central Threat Protection policy supports multiple configuration options, which Sophos user-space processes write to the SophosED.sys registry key, so that they’re available when the driver is loaded.

Input	Description	Protection
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config\	Customer policy (On/Off, exclusions, and lots more)	DACLs; Sophos Tamper Protected
HKLM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags\	Sophos feature flags (various)	DACLs; Sophos Tamper Protected

Event Journal inputs

Input	Description	Protection
HLKM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Config\	Customer policy (exclusions, disk limits)	DACLs; Sophos Tamper Protected
HLKM\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EventJournal\Features\	If a subkey exists with a DWORD value Enabled =1, event journals are enabled	DACLs; Sophos Tamper Protected

Customer options: Customers can configure disk limits and manage exclusions in Sophos Central Threat Protection policy.

Additional measures: If a driver facility is available (based on a combination of Customer Policy plus Sophos flag), then Sophos user-space processes can configure various parameters at runtime:

A bitmask of mitigations to apply per-process
What events to enable or disable for each process
The amount of time the driver should wait for a response from user-space (or whether it should be an asynchronous notification).

Sntp.sys

What it does: Sntp.sys (Sophos Network Threat Protection) is a kernel driver that registers for various Windows Filtering Platform events to intercept and potentially modify network flow data. Depending on features enabled by Sophos Central Threat Protection and Web Control policies, different filters and callouts are registered.

Inputs: Feature configuration is communicated to the driver from one or more of the following user mode processes:

SophosNtpService.exe
SophosNetFilter.exe
SophosIPS.exe
SSPService.exe

User-space processes communicate with the driver via the Windows Driver Framework, using IOCTLs, Read, and Write. Communications to and from the driver are protected, only accepting connections from authorized and authentic Sophos processes.

Customer options: The filter driver intercepts network traffic by browser and non-browser processes based on the policies defined in Sophos Central. Processing of the intercepted traffic is performed in user-space by SophosNetFilter.exe and SophosIPS.exe, which may send modified content back to the driver (for example, to display a block page for malicious content).

Additional measures: Customers can add individual sites to their allow or block list in Sophos Central.

Hmpalert.sys

What it does: Hmpalert.sys enforces Sophos CryptoGuard, which detects and prevents bulk encryption of files by ransomware. It also configures what exploit mitigations are enforced as processes are executed.

Inputs: Hmpalert.sys has a number of inputs, including several registry subkeys and IOCTLS.

Input	Description	Protection
HKLM\SYSTEM\CurrentControlSet\Services\hmpalert	Software configuration	DACLs; Sophos Tamper Protected
HKLM\ SYSTEM\CurrentControlSet\Services\hmpalert\Config	Customer policy	DACLs; Sophos Tamper Protected
HKLM\ SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\EndpointFlags	Sophos feature flags (various)	DACLs; Sophos Tamper Protected

Customer options: Customers can enable/disable exploit mitigations and manage exclusions in Sophos Central Threat Protection policy.

Additional measures: N/A

SophosZtnaTap.sys

What it does: SophosZtnaTap.sys is a Sophos-built OpenVPN TAP driver. If the customer deploys the Sophos Zero Trust Network Access (ZTNA) agent, the driver intercepts DNS lookups for managed applications, and redirects traffic for those applications to the applicable Sophos ZTNA gateways. ZTNA applications and gateways are configured through Sophos Central policies and stored in the registry.

Inputs: Inputs into SophosZtnaTap.sys are via a registry subkey.

Input	Description	Protection
HKLM\SOFTWARE\Sophos\Management\Policy\NetworkPerimeter\	Customer policy (ZTNA Applications, Gateways, and certificates)	DACLs; Sophos Tamper Protected

Customer options: Customers can manage their ZTNA-protected applications and gateways from Sophos Central.

Additional measures: N/A

Gradual deployment example: CryptoGuard ExFAT

Sophos CryptoGuard has protected against bulk encryption on permanent disks for over a decade. Intercept X version 2024.1.1 introduced a new feature, CryptoGuard ExFAT, which extends this protection to ExFAT partitions (typically found on removable USB drives).

CryptoGuard ExFAT development and testing took place in September 2023 through March 2024. This feature was guarded by the flag ‘hmpa.cryptoguard-exfat.available.’

Sophos Engineering ran the software internally with the flag enabled (our ‘Dogfood release’) starting March 22, 2024.

Intercept X version 2024.1.1 was released to Sophos, then to customers using our gradual software deployment process, between May 21, 2024 through June 6, 2024. At this stage the feature was still dormant for everyone apart from Sophos engineers.

The ’hmpa.cryptoguard-exfat.available’ flag was enabled using our gradual flag enablement process, between June 10, 2024 through June 26, 2024.

Customer control

Customers can select a fixed software version (Endpoint Software Management: Fixed-term support, Long-term support). This locks the software and flags until the customer selects a different software package. Customers who use the ‘Sophos recommended’ option receive new software periodically. Aside from software rollouts, they also receive gradual feature-flag enablements for new features in the software, as with a normal software release. Sophos has evolved this process to improve stability and avoid enabling new events globally for all customers.

Conclusion

Kernel drivers are fundamental to the Intercept X Advanced product – and to robust Windows endpoint security, in general – but we also acknowledge that operating in kernel-space is not without its risks.

In this article, we’ve walked through the kernel drivers in Intercept X Advanced (as of release 2024.02), what they do, how they’re signed, what their inputs are, the control customers have over their management, and additional safeguards we’ve put in place – including gradual, phased rollouts of new features, and exemptions to minimize the risk of disruption.

While no safeguard can ever eliminate risk altogether, we wanted to share the details of our drivers in the interests of transparency, and to explain in depth how we approach the complex problem of trying to protect our customers from threats, in as safe a manner as possible.

Researchers Showcase Decentralized AI-Powered Torrent Search Engine

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

Researchers from Delft University of Technology plan to amplify their BitTorrent client “Tribler” with decentralized AI-powered search. A new demo shows that generative AI models make it possible to search for content in novel ways, without restriction. The ultimate goal of the research project is to shift the Internet’s power balance from governments and large corporations back to consumers.

Twenty-five years ago, peer-to-peer file-sharing took the Internet by storm.

The ability to search for and share content with complete strangers was nothing short of a revolution.

In the years that followed, media consumption swiftly moved online. This usually involved content shared without permission, but pirate pioneers ultimately paved the way for new business models.

The original ‘pirate’ ethos has long since gone. There are still plenty of unauthorized sites and services, but few today concern themselves with decentralization and similar technical advances; centralized streaming is the new king with money as the main motivator.

AI Meets BitTorrent

There are areas where innovation and technological progress still lead today, mostly centered around artificial intelligence. Every month, numerous new tools and services appear online, as developers embrace what many see as unlimited potential.

How these developments will shape the future is unknown, but they have many rightsholders spooked. Interestingly, an ‘old’ research group, that was already active during BitTorrent’s heyday, is now using AI to amplify its technology.

Researchers from the Tribler research group at Delft University of Technology have been working on their Tribler torrent client for nearly two decades. They decentralized search, removing the need for torrent sites, and implemented ‘anonymity‘ by adding an onion routing layer to file transfers.

Many millions of euros have been spent on the Tribler research project over the years. Its main goal is to advance decentralized technology, not to benefit corporations, but to empower the public at large.

“Our entire research portfolio is driven by idealism. We aim to remove power from companies, governments, and AI in order to shift all this power to self-sovereign citizens,” the Tribler team explains.

Decentralized AI-powered Search

While not every technological advancement has been broadly embraced, yet, Tribler has just released a new paper and a proof of concept which they see as a turning point for decentralized AI implementations; one that has a direct BitTorrent link.

The scientific paper proposes a new framework titled “De-DSI”, which stands for Decentralised Differentiable Search Index. Without going into technical details, this essentially combines decentralized large language models (LLMs), which can be stored by peers, with decentralized search.

This means that people can use decentralized AI-powered search to find content in a pool of information that’s stored across peers. For example, one can ask “find a magnet link for the Pirate Bay documentary,” which should return a magnet link for TPB-AFK, without mentioning it by name.

This entire process relies on information shared by users. There are no central servers involved at all, making it impossible for outsiders to control.

Endless Possibilities, Limited Use

While this sounds exciting, the current demo version is not yet built into the Tribler client. Associate Professor Dr. Johan Pouwelse, leader of the university’s Tribler Lab, explains that it’s just a proof of concept with a very limited dataset and AI capabilities.

“For this demo, we trained an end-to-end generative Transformer on a small dataset that comprises YouTube URLs, magnet links, and Bitcoin wallet addresses. Those identifiers are each annotated with a title and represent links to movie trailers, CC-licensed music, and BTC addresses of independent artists,” Pouwelse says.

We tried some basic searches with mixed results. That makes sense since there’s only limited content, but it can find magnet links and videos without directly naming the title. That said, it’s certainly not yet as powerful as other AI tools.

In essence, De-DSI operates by sharing the workload of training large language models on lists of document identifiers. Every peer in the network specializes in a subset of data, which other peers in the network can retrieve to come up with the best search result.

A Global Human Brain to Fight Torrent Spam and Censors

The proof of concept shows that the technology is sound. However, it will take some time before it’s integrated into the Tribler torrent client. The current goal is to have an experimental decentralized-AI version of Tribler ready at the end of the year.

While the researchers see this as a technological breakthrough, it doesn’t mean that things will improve for users right away. AI-powered search will be slower to start with and, if people know what they’re searching for, it offers little benefit.

Through trial and error, the researchers ultimately hope to improve things though, with a “global brain” for humanity as the ultimate goal.

Most torrent users are not looking for that, at the moment, but Pouwelse says that they could also use decentralized machine learning to fight spam, offer personal recommendations, and to optimize torrent metadata. These are concrete and usable use cases.

The main drive of the researchers is to make technology work for the public at large, without the need for large corporations or a central government to control it.

“The battle royale for Internet control is heating up,” Pouwelse says, in a Pirate Bay-esque fashion.

“Driven by our idealism we will iteratively take away their power and give it back to citizens. We started 18 years ago and will take decades more. We should not give up on fixing The Internet, just because it is hard.”

The very limited De-DSI proof of concept and all related code is available on Huggingface. All technological details are available in the associated paper. The latest Tribler version, which is fully decentralized without AI, can be found on the official project page.

Attacks on Bytecode Interpreters Conceal Malicious Injection Activity

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

Attackers can hide their attempts to execute malicious code by inserting commands into the machine code stored in memory by the software interpreters used by many programming languages, such as VBScript and Python, a group of Japanese researchers will demonstrate at next week’s Black Hat USA conference.

Interpreters take human-readable software code and translate each line into bytecode — granular programming instructions understood by the underlying, often virtual, machine. The research team successfully inserted malicious instructions into the bytecode held in memory prior to execution, and because most security software does not scan bytecode, their changes escaped detection.

The technique could allow attackers to hide their malicious activity from most endpoint security software. Researchers from NTT Security Holdings Corp. and the University of Tokyo will demonstrate the capability at Black Hat using the VBScript interpreter, says Toshinori Usui, research scientist with NTT Security. The researchers have already confirmed that the technique also works for inserting malicious code in the in-memory processes of both the Python and the Lua interpreters.

“Malware often hides its behavior by injecting malicious code into benign processes, but existing injection-type attacks have characteristic behaviors … which are easily detected by security products,” Usui says. “The interpreter does not care about overwriting by a remote process, so we can easily replace generated bytecode with our malicious code — it’s that feature we exploit.”

Bytecode attacks are not necessarily new, but they are relatively novel. In 2018, a group of researchers from the University of California at Irvine published a paper, “Bytecode Corruption Attacks Are Real — And How to Defend Against Them,” introducing bytecode attacks and defenses. Last year, the administrators of the Python Package Index (PyPI) removed a malicious package, known as fshec2, which escaped initial detection because all its malicious code was compiled as bytecode. Python compiles its bytecode into PYC files, which can be executed by the Python interpreter.

“It may be the first supply chain attack to take advantage of the fact that Python byte code (PYC) files can be directly executed, and it comes amid a spike in malicious submissions to the Python Package Index,” Karlo Zanki, reverse engineer at ReversingLabs, said in a June 2023 analysis of the incident. “If so, it poses yet another supply chain risk going forward, since this type of attack is likely to be missed by most security tools, which only scan Python source code (PY) files.”

Going Beyond Precompiled Malware

After an initial compromise, attackers have a few options to expand their control of a targeted system: They can perform reconnaissance, try to further compromise the system using malware, or run tools already existing on the system — the so-called strategy of “living off the land.”

The NTT researchers’ variation of bytecode attack techniques essentially falls into the last category. Rather than using pre-compiled bytecode files, their attack — dubbed Bytecode Jiu-Jitsu — involves inserting malicious bytecode into the memory space of a running interpreter. Because most security tools do not look at bytecode in memory, the attack is able to hide the malicious commands from inspection.

The approach allows attacker to skip other more obviously malicious steps, such as calling suspicious APIs to create threads, allocating executable memory, and modifying instruction pointers, Usui says.

“While native code has instructions directly executed by the CPU, bytecode is just data to the CPU and is interpreted and executed by the interpreter,” he says. “Therefore, unlike native code, bytecode does not require execution privilege, [and our technique] does not need to prepare a memory region with execution privilege.”

Better Interpreter Defenses

Developers of interpreters, security-tools developers, and operating-system architects can all have some impact on the problem. While attacks targeting bytcode do not exploit vulnerabilities in interpreters, but rather the way that they execute code, certain security modifications such as pointer checksums could mitigate the risk, according to the UC Irvine paper.

The NTT Security researchers noted that checksum defenses would not likely be effective against their techniques and recommend that developers enforce write protections to help eliminate the risk. “The ultimate countermeasure is to restrict the memory write to the interpreter,” Usui says.

The purpose of presenting a new attack technique is to show security researchers and defenders what could be possible, and not to inform attackers’ tactics, he stresses. “Our goal is not to abuse defensive tactics, but to ultimately be an alarm bell for security researchers around the world,” he says.

China’s APT41 Targets Taiwan Research Institute for Cyber Espionage

Posted on August 3, 2024 by Maq Verma

China-linked advanced persistent threat group APT41 appears to have compromised a government-affiliated institute in Taiwan that conducts research on advanced computing and associated technologies.

The intrusion began in July 2023, with the threat actor gaining initial access to the victim environment via undetermined means. Since then, it has deployed multiple malware tools, including the well-known ShadowPad remote access Trojan (RAT), the Cobalt Strike post compromise tool, and a custom loader for injecting malware using a 2018 Windows remote code execution vulnerability (CVE-2018-0824).

APT41 is an attribution that several vendors use to track a loose collective of China-nexus threat groups that have been engaged in a broad range of cyber espionage and financially motivated cyberattacks around the world, going back to 2012. Members of the group such as Wicked Panda, Winnti, Barium, and SuckFly have plundered and pillaged trade secrets, intellectual property, and other sensitive data from organizations in the US and multiple other countries in recent years.

Most recently, Mandiant reported observing members of the group targeting global shipping and logistics companies and organizations in the technology, entertainment, and automotive sectors. The US government indicted several members of the Chengdu-based APT41 in 2020, though that has done little slow it down.

Academic Research: A Valuable Cyber Target

Researchers at Cisco Talos discovered the intrusion when investigating abnormal activity involving attempts to download and execute PowerShell scripts in the Taiwan research institute’s network environment last year.

“The nature of research-and-development work carried out by the entity makes it a valuable target for threat actors dedicated to obtaining proprietary and sensitive technologies of interest to them,” Talos researchers Joey Chen, Ashley Shen, and Vitor Ventura said in a report this week. Over the course of the intrusion, APT41 actors broke into three systems in the target environment and stole at least some documents from there, they said.

ShadowPad is malware that researchers first discovered embedded in the source code of NetSarang Computer’s Xmanager server management software back in 2017. That supply chain attack impacted several NetSarang customers in the APAC region. Initially, researchers believed that APT41 was the sole user of the backdoor. Over the years however, they have identified multiple groups — all of them China-linked — that have used the RAT in numerous cyber-espionage campaigns and software supply chain attacks.

With the attack on the Taiwanese research institute, APT41 used two different ShadowPad iterations — one that leveraged a previously known packing mechanism called “ScatterBee,” and another that used an outdated and vulnerable version of Microsoft Input Method Editors (IME), the Cisco Talos researchers said.

ShadowPad & Cobalt Strike Anchor Espionage Effort

The attackers used ShadowPad to run commands for mapping out the victim network, collecting data on hosts, and trying to find other exploitable systems on the same network. Cisco Talos also found the APT harvesting passwords and user credentials stored in Web browsers from the compromised environment, using tools such as Mimikatz and WebBrowserPassView.

“From the environment the actor executes several commands, including using ‘net,’ ‘whoami,’ ‘quser,’ ‘ipconfig,’ ‘netstat,’ and ‘dir’ commands to obtain information on user accounts, directory structure, and network configurations from the compromised systems,” the researchers said. “In addition, we also observed query to the registry key to get the current state of software inventory collection on the system.”

As part of their attack chain, the threat actors also deployed the Cobalt Strike post compromise tool on the victim network using a loader they cloned from a GitHub project. It’s designed to evade antivirus detection tools.

“It’s important to highlight that this Cobalt Strike beacon shellcode used steganography to hide in a picture and executed by this loader,” the researchers said. “In other words, its download, decryption, and execution routines all happen in runtime in memory.”

Fortune 50 Co. Pays Record-Breaking $75M Ransomware Demand

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

A Fortune 50 company paid $75 million to its cyberattackers earlier this year, greatly exceeding any other confirmed ransom payment in history. The beneficiary of the payout is an outfit called Dark Angels. And Dark Angels isn’t just effective — in some ways, the gang turns so much of what we thought we knew about ransomware on its head.

Sure, there have been other big amounts forked over in the past: In 2021, Illinois-based CNA Financial was reported to have paid a then unprecedented $40 million ransom in order to restore its systems after a ransomware attack (the company never confirmed that figure). Later that year, the meat manufacturer JBS admitted to paying $11 million to end a disruption affecting its factories. Caesars Palace last year paid $15 million to make its ransomware disruption problems go away.

But those figures pale in comparison against the $75 million in equivalent Bitcoin paid by the aforementioned large organization, which Zscaler chose to keep anonymous in its 2024 annual ransomware report, where the payout was first recorded. The dollar amount has also been corroborated by Chainalysis.

Meet the Dark Angels

Dark Angels first appeared in the wild in May 2022. Ever since, its specialty has been defeating fewer but higher-value targets than its ransomware brethren. Past victims have included multiple S&P 500 companies spread across varied industries: healthcare, government, finance, education, manufacturing, telecommunications, and more.

For example, there was its headline-grabbing attack on the megalith Johnson Controls International (JCI) last year. It breached the company’s VMware ESXi hypervisors, freezing them with Ragnar Locker and stealing a reported 27 terabytes worth of data. The ransom demand: $51 million. It’s unclear how Johnson Controls responded but, considering its $27 million-plus cleanup effort, it’s likely that the company did not cave.

$27 million would have been the second-largest ransom payment in recorded history at the time (after the reported CNA payment). But there’s evidence to suggest that this wasn’t just some outlandish negotiating tactic — that Dark Angels has good reason to think it can pull off that kind of haul.

Dark Angels Does Ransomware Differently

Forget everything you know about ransomware, and you’ll start to understand Dark Angels.

Against the grain, the group does not operate a ransomware-as-a-service business. Nor does it have its own malware strain — it prefers to borrow encryptors like Ragnar Locker and Babuk.

Its success instead comes down to three primary factors. First: the extra care it can take by attacking fewer, higher-yielding targets.

Second is its ability to exfiltrate gobs of sensitive data. As Brett Stone-Gross, senior director of threat intelligence at Zscaler explains, “If you look at a lot of these other ransomware groups, their affiliates are stealing maybe a few hundred gigabytes of data. Sometimes even less than 100 gigabytes of data. They usually top out around, maybe, one terabyte or so. In contrast, Dark Angels are stealing tens of terabytes of data.”

In that, Dark Angels differs only in degree, not in kind. Where it really separates itself from other groups is in its subtlety. Its leak site isn’t flashy. It doesn’t make grand pronouncements about its latest victims. Besides the obvious operational security benefits to stealth (it’s largely escaped media scrutiny in recent years, despite pulling off major breaches), its aversion to the limelight also helps it earn larger returns on investment.

For example, the group often avoids encrypting victims’ data, with the express purpose of allowing them to continue to operate without disruption. This seems to defy common wisdom. Surely the threat of downtime and media scrutiny are effective tools to get victims to pay up?

“You would think that, but the results say otherwise,” Stone-Gross suggests.

Dark Angels makes paying one’s ransom easy and quiet — an attractive prospect for companies that just want to put their breaches behind them. And avoiding business disruption is mutually beneficial: Without the steep bills associated with downtime, companies have more money to pay Dark Angels.

Can Dark Angels’ Wings Be Clipped?

In its report, Zscaler predicted “that other ransomware groups will take note of Dark Angels’ success and may adopt similar tactics, focusing on high value targets and increasing the significance of data theft to maximize their financial gains.”

If that should come to pass, companies will face much steeper, yet more compelling ransom demands. Luckily, Dark Angels’ approach has an Achilles’ heel.

“If it’s a terabyte of data, [a hacker] can probably complete that transfer in several days. But when you’re talking terabytes — you know, tens of terabytes of data — now you’re talking weeks,” Stone-Gross notes. So, companies that can catch Dark Angels in the act may be able to stop them before it’s too late.

DOJ and FTC Sue TikTok for Violating Children’s Privacy Laws

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

The U.S. Department of Justice (DoJ), along with the Federal Trade Commission (FTC), filed a lawsuit against popular video-sharing platform TikTok for “flagrantly violating” children’s privacy laws in the country.

The agencies claimed the company knowingly permitted children to create TikTok accounts and to view and share short-form videos and messages with adults and others on the service.

They also accused it of illegally collecting and retaining a wide variety of personal information from these children without notifying or obtaining consent from their parents, in contravention of the Children’s Online Privacy Protection Act (COPPA).

TikTok’s practices also infringed a 2019 consent order between the company and the government in which it pledged to notify parents before collecting children’s data and remove videos from users under 13 years old, they added.

COPPA requires online platforms to gather, use, or disclose personal information from children under the age of 13, unless they have obtained consent from their parents. It also mandates companies to delete all the collected information at the parents’ request.

“Even for accounts that were created in ‘Kids Mode‘ (a pared-back version of TikTok intended for children under 13), the defendants unlawfully collected and retained children’s email addresses and other types of personal information,” the DoJ said.

“Further, when parents discovered their children’s accounts and asked the defendants to delete the accounts and information in them, the defendants frequently failed to honor those requests.”

The complaint further alleged the ByteDance-owned company subjected millions of children under 13 to extensive data collection that enabled targeted advertising and allowed them to interact with adults and access adult content.

It also faulted TikTok for not exercising adequate due diligence during the account creation process by building backdoors that made it possible for children to bypass the age gate aimed at screening those under 13 by letting them sign in using third-party services like Google and Instagram and classifying such accounts as “age unknown” accounts.

“TikTok human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child,” the FTC said, adding it will take steps to protect children’s privacy from firms that deploy “sophisticated digital tools to surveil kids and profit from their data.”

TikTok has more than 170 million active users in the U.S. While the company has disputed the allegations, it’s the latest setback for the video platform, which is already the subject of a law that would force a sale or a ban of the app by early 2025 because of national security concerns. It has filed a petition in federal court seeking to overturn the ban.

“We disagree with these allegations, many of which relate to past events and practices that are factually inaccurate or have been addressed,” TikTok said. “We offer age-appropriate experiences with stringent safeguards, proactively remove suspected underage users, and have voluntarily launched features such as default screen time limits, Family Pairing, and additional privacy protections for minors.”

The social media platform has also faced scrutiny globally over child protection. European Union regulators handed TikTok a €345 million fine in September 2023 for violating data protection laws in relation to its handling of children’s data. In April 2023, it was fined £12.7 million by the ICO for illegally processing the data of 1.4 million children under 13 who were using its platform without parental consent.

The lawsuit comes as the U.K. Information Commissioner’s Office (ICO) revealed it asked 11 media and video-sharing platforms to improve their children’s privacy practices or risk facing enforcement action. The names of the offending services were not disclosed.

“Eleven out of the 34 platforms are being asked about issues relating to default privacy settings, geolocation or age assurance, and to explain how their approach conforms with the [Children’s Code],” it said. “We are also speaking to some of the platforms about targeted advertising to set out expectations for changes to ensure practices are in line with both the law and the code.”

Hackers Exploit Misconfigured Jupyter Notebooks with Repurposed Minecraft DDoS Tool

Posted on August 3, 2024 - August 3, 2024 by Maq Verma

Cybersecurity researchers have disclosed details of a new distributed denial-of-service (DDoS) attack campaign targeting misconfigured Jupyter Notebooks.

The activity, codenamed Panamorfi by cloud security firm Aqua, utilizes a Java-based tool called mineping to launch a TCP flood DDoS attack. Mineping is a DDoS package designed for Minecraft game servers.

Attack chains entail the exploitation of internet-exposed Jupyter Notebook instances to run wget commands for fetching a ZIP archive hosted on a file-sharing site called Filebin.

The ZIP file contains two Java archive (JAR) files, conn.jar and mineping.jar, with the former used to establish connections to a Discord channel and trigger the execution of the mineping.jar package.

“This attack aims to consume the resources of the target server by sending a large number of TCP connection requests,” Aqua researcher Assaf Morag said. “The results are written to the Discord channel.”

The attack campaign has been attributed to a threat actor who goes by the name yawixooo, whose GitHub account has a public repository containing a Minecraft server properties file.

This is not the first time internet-accessible Jupyter Notebooks have been targeted by adversaries. In October 2023, a Tunisian threat dubbed Qubitstrike was observed breaching Jupyter Notebooks in an attempt to illicitly mine cryptocurrency and breach cloud environments.

Ransomware Attacks are on the Rise

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.

After a recent dip, ransomware attacks are back on the rise. According to data released by NCC Group, the resurgence is being led by old ransomware-as-a-service (RaaS) groups.

With data gathered by “actively monitoring the leak sites used by each ransomware group and scraping victim details as they are released,” researchers have determined that Lockbit was by far the most prolific ransomware gang in July, behind 62 attacks. That’s ten more than the month prior, and more than twice as many as the second and third most prolific groups combined. “Lockbit 3.0 maintain their foothold as the most threatening ransomware group,” the authors wrote, “and one with which all organizations should aim to be aware of.”

Those second and third most prolific groups are Hiveleaks – 27 attacks – and BlackBasta – 24 attacks. These figures represent rapid rises for each group – since June, a 440 percent rise for Hiveleaks, and a 50 percent rise for BlackBasta.

It may well be that the resurgence in ransomware attacks, and the rise of these two particular groups, are intimately connected.

Why Ransomware Has Bounced

Researchers from NCC Group counted 198 successful ransomware campaigns in July – up 47 percent from June. Sharp as that incline may be, it still falls some ways short of the high-water mark set this Spring, with nearly 300 such campaigns in both March and April.

Why the Flux?

Well, in May, the United States government ramped up its efforts against Russian cybercrime by offering up to $15 million for prized information about Conti, then the world’s foremost ransomware gang. “It is likely that the threat actors that were undergoing structural changes,” the authors of the report speculated, “and have begun settling into their new modes of operating, resulting in their total compromises increasing in conjunction.”

Hiveleaks and BlackBasta are the result of that restructuring. Both groups are “associated with Conti,” the authors noted, Hiveleaks as an affiliate and BlackBasta as a replacement strain. “As such, it appears that it has not taken long for Conti’s presence to filter back into the threat landscape, albeit under a new identity.”

Now that Conti’s properly split in two, the authors speculated, “it would not be surprising to see these figures further increase as we move into August.”

New Mandrake Spyware Found in Google Play Store Apps After Two Years

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

A new iteration of a sophisticated Android spyware called Mandrake has been discovered in five applications that were available for download from the Google Play Store and remained undetected for two years.

The applications attracted a total of more than 32,000 installations before being pulled from the app storefront, Kaspersky said in a Monday write-up. A majority of the downloads originated from Canada, Germany, Italy, Mexico, Spain, Peru, and the U.K.

“The new samples included new layers of obfuscation and evasion techniques, such as moving malicious functionality to obfuscated native libraries, using certificate pinning for C2 communications, and performing a wide array of tests to check if Mandrake was running on a rooted device or in an emulated environment,” researchers Tatyana Shishkova and Igor Golovin said.

Mandrake was first documented by Romanian cybersecurity vendor Bitdefender in May 2020, describing its deliberate approach to infect a handful of devices while managing to lurk in the shadows since 2016. The malware has yet to be attributed to a threat actor or group.

The updated variants are characterized by the use of OLLVM to conceal the main functionality, while also incorporating an array of sandbox evasion and anti-analysis techniques to prevent the code from being executed in environments operated by malware analysts.

The list of apps containing Mandrake is below –

AirFS (com.airft.ftrnsfr)
Amber (com.shrp.sght)
Astro Explorer (com.astro.dscvr)
Brain Matrix (com.brnmth.mtrx)
CryptoPulsing (com.cryptopulsing.browser)

The apps pack in three stages: A dropper that launches a loader responsible for executing the core component of the malware after downloading and decrypting it from a command-and-control (C2) server.

The second-stage payload is also capable of collecting information about the device’s connectivity status, installed applications, battery percentage, external IP address, and current Google Play version. Furthermore, it can wipe the core module and request for permissions to draw overlays and run in the background.

The third-stage supports additional commands to load a specific URL in a WebView and initiate a remote screen sharing session as well as record the device screen with the goal of stealing victims’ credentials and dropping more malware.

“Android 13 introduced the ‘Restricted Settings’ feature, which prohibits sideloaded applications from directly requesting dangerous permissions,” the researchers said. “To bypass this feature, Mandrake processes the installation with a ‘session-based‘ package installer.”

The Russian security company described Mandrake as an example of a dynamically evolving threat that’s constantly refining its tradecraft to bypass defense mechanisms and evade detection.

“This highlights the threat actors’ formidable skills, and also that stricter controls for applications before being published in the markets only translate into more sophisticated, harder-to-detect threats sneaking into official app marketplaces,” it said.

When reached for comment, Google told The Hacker News that it’s continuously shoring up Google Play Protect defenses as new malicious apps are flagged and that it’s enhancing its capabilities to include live threat detection to tackle obfuscation and anti-evasion techniques.

“Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” a Google spokesperson said. “Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

CrowdStrike Warns of New Phishing Scam Targeting German Customers

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

CrowdStrike is alerting about an unfamiliar threat actor attempting to capitalize on the Falcon Sensor update fiasco to distribute dubious installers targeting German customers as part of a highly targeted campaign.

The cybersecurity company said it identified what it described as an unattributed spear-phishing attempt on July 24, 2024, distributing an inauthentic CrowdStrike Crash Reporter installer via a website impersonating an unnamed German entity.

The imposter website is said to have been created on July 20, a day after the botched update crashed nearly 9 million Windows devices, causing extensive IT disruptions across the world.

“After the user clicks the Download button, the website leverages JavaScript (JS) that masquerades as JQuery v3.7.1 to download and deobfuscate the installer,” CrowdStrike’s Counter Adversary Operations team said.

“The installer contains CrowdStrike branding, German localization, and a password [is] required to continue installing the malware.”

Specifically, the spear-phishing page featured a download link to a ZIP archive file containing a malicious InnoSetup installer, with the malicious code serving the executable injected into a JavaScript file named “jquery-3.7.1.min.js” in an apparent effort to evade detection.

Users who end up launching the bogus installer are then prompted to enter a “Backend-Server” to proceed further. CrowdStrike said it was unable to recover the final payload deployed via the installer.

The campaign is assessed to be highly targeted owing to the fact that the installer is password-protected and requires input that’s likely only known to the targeted entities. Furthermore, the presence of the German language suggests that the activity is geared towards German-speaking CrowdStrike customers.

“The threat actor appears to be highly aware of operations security (OPSEC) practices, as they have focused on anti-forensic techniques during this campaign,” CrowdStrike said.

“For example, the actor registered a subdomain under the it[.]com domain, preventing historical analysis of the domain-registration details. Additionally, encrypting the installer contents and preventing further activity from occurring without a password precludes further analysis and attribution.”

The development comes amid a wave of phishing attacks taking advantage of the CrowdStrike update issue to propagate stealer and wiper malware malware –

A phishing domain crowdstrike-office365[.]com that hosts rogue archive files containing a Microsoft Installer (MSI) loader that ultimately executes a commodity information stealer called Lumma.

A ZIP file (“CrowdStrike Falcon.zip”) that contains a Python-based information stealer tracked as Connecio that collects system information, external IP address, and data from various web browsers, and exfiltrates them to SMTP accounts listed on a Pastebin dead-drop URL.
An email phishing campaign orchestrated by the Handala Hacking Team targeting Israeli entities that tricks recipients into downloading an “outage fix,” which launches an installer responsible for unpacking and executing an AutoIt script to launch a data wiper and exfiltrate system information via Telegram’s API.

Web infrastructure and security company Akamai said it uncovered no less than 180 newly created counterfeit typosquat domains purporting to assist with navigating the incident, whether it be technical support, quick fixes, or legal support, in an attempt to introduce malware or steal sensitive information.

On Thursday, CrowdStrike’s CEO George Kurtz said 97% of the Windows devices that went offline during the global IT outage are now operational.

“At CrowdStrike, our mission is to earn your trust by safeguarding your operations. I am deeply sorry for the disruption this outage has caused and personally apologize to everyone impacted,” Kurtz said. “While I can’t promise perfection, I can promise a response that is focused, effective, and with a sense of urgency.”

Previously, the company’s chief security officer Shawn Henry apologized for failing to “protect good people from bad things,” and that it “let down the very people we committed to protect.”

“The confidence we built in drips over the years was lost in buckets within hours, and it was a gut punch,” Henry acknowledged. “We are committed to re-earning your trust by delivering the protection you need to disrupt the adversaries targeting you. Despite this setback, the mission endures.”

Meanwhile, Bitsight’s analysis of traffic patterns exhibited by CrowdStrike machines across organizations globally has revealed two “interesting” data points that it said warrants additional investigation.

“Firstly, on July 16 at around 22:00 there was a huge traffic spike, followed by a clear and significant drop off in egress traffic from organizations to CrowdStrike,” security researcher Pedro Umbelino said. “Second, there was a significant drop, between 15% and 20%, in the number of unique IPs and organizations connected to CrowdStrike Falcon servers, after the dawn of the 19th.”

“While we can not infer what the root cause of the change in traffic patterns on the 16th can be attributed to, it does warrant the foundational question of ‘Is there any correlation between the observations on the 16th and the outage on the 19th?'”

Update#

While the full impact of the IT outage remains to be tallied, cloud insurance services firm Parametrix Solutions estimates that the event impacted nearly a quarter of the Fortune 500 companies, resulting in a direct financial loss of $5.4 billion (excluding Microsoft), including $1.94 billion in losses for healthcare, $1.15 billion for banking, and $0.86 billion for the airlines sector.

John Cable, Microsoft’s vice president of program management for Windows servicing and delivery, said the incident “underscores the need for mission-critical resiliency within every organization.”

“These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem,” Cable said, urging enterprises to have a major incident response plan (MIRP) in place, periodically take data backups, utilize deployment rings, and enable Windows security baselines.

With endpoint detection and response (EDR) software requiring kernel-level access to detect threats in Windows, the disruptive event appears to have also had the desired effect of Microsoft rethinking the entire approach.

Redmond said alternative features like virtualization-based security (VBS) enclaves, which it introduced back in May, could be used by third-party developers to create an “isolated compute environment that does not require kernel mode drivers to be tamper resistant.” Azure Attestation, another security solution, enables remote verification of the “trustworthiness of a platform and integrity of the binaries running inside it.”

Microsoft further described the issue as arising due to a “read-out-of-bounds memory safety error in the CrowdStrike developed CSagent.sys driver,” and that such kernel drivers are leveraged for tamper resistance and performance improvements, not to mention for gaining system wide visibility into security related events.

“Windows provides several user mode protection approaches for anti-tampering, like Virtualization-based security (VBS) Enclaves and Protected Processes that vendors can use to protect their key security processes,” David Weston, vice President of enterprise and OS security at Microsoft said.

“Windows also provides ETW events and user-mode interfaces like Antimalware Scan Interface for event visibility. These robust mechanisms can be used to reduce the amount of kernel code needed to create a security solution, which balances security and robustness.”

(The story was updated after publication to include Microsoft’s analysis of Windows crash reports stemming from the CrowdStrike programming error.)

Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout

Posted on July 31, 2024 - July 31, 2024 by Maq Verma

The threat actors behind the BlackCat ransomware have shut down their darknet website and likely pulled an exit scam after uploading a bogus law enforcement seizure banner.

“ALPHV/BlackCat did not get seized. They are exit scamming their affiliates,” security researcher Fabian Wosar said. “It is blatantly obvious when you check the source code of the new takedown notice.”

“There is absolutely zero reason why law enforcement would just put a saved version of the takedown notice up during a seizure instead of the original takedown notice.”

The U.K.’s National Crime Agency (NCA) told Reuters that it had no connection to any disruptions to the BlackCat infrastructure.

Recorded Future security researcher Dmitry Smilyanets posted screenshots on the social media platform X in which the BlackCat actors claimed that the “feds screwed us over” and that they intended to sell the ransomware’s source code for $5 million.

The disappearing act comes after it allegedly received a $22 million ransom payment from UnitedHealth’s Change Healthcare unit (Optum) and refused to share the proceeds with an affiliate that had carried out the attack.

The company has not commented on the alleged ransom payment, instead stating it’s only focused on investigation and recovery aspects of the incident.

According to DataBreaches, the disgruntled affiliate – who had their account suspended by the administrative staff – made the allegations on the RAMP cybercrime forum. “They emptied the wallet and took all the money,” they said.

This has raised speculations that BlackCat has staged an exit scam to evade scrutiny and resurface in the future under a new brand. “A re-branding is pending,” a now-former admin of the ransomware group was quoted as saying.

Menlo Security, citing HUMINT sources with direct contact to the affiliate, described them as likely associated with Chinese nation-state groups. The affiliate, who goes by the name Notchy, is said to have engaged on ransomware-related topics in the RAMP forum as early as 2021.

BlackCat had its infrastructure seized by law enforcement in December 2023, but the e-crime gang managed to wrest control of their servers and restart its operations without any major consequences. The group previously operated under the monikers DarkSide and BlackMatter.

“Internally, BlackCat may be worried about moles within their group, and closing up shop preemptively could stop a takedown before it occurs,” Malachi Walker, a security advisor with DomainTools, said.

“On the other hand, this exit scam might simply be an opportunity for BlackCat to take the cash and run. Since crypto is once again at an all-time high, the gang can get away with selling their product ‘high.’ In the cybercrime world, reputation is everything, and BlackCat seems to be burning bridges with its affiliates with these actions.”

The group’s apparent demise and the abandonment of its infrastructure come as malware research group VX-Underground reported that the LockBit ransomware operation no longer supports Lockbit Red (aka Lockbit 2.0) and StealBit, a custom tool used by the threat actor for data exfiltration.

LockBit has also tried to save face by moving some of its activities to a new dark web portal after a coordinated law enforcement operation took down its infrastructure last month following a months-long investigation.

It also comes as Trend Micro revealed that the ransomware family known as RA World (formerly RA Group) has successfully infiltrated healthcare, finance, and insurance companies in the U.S., Germany, India, Taiwan, and other countries since emerging in April 2023.

Attacks mounted by the group “involve multi-stage components designed to ensure maximum impact and success in the group’s operations,” the cybersecurity firm noted.

VMware ESXi Flaw Exploited by Ransomware Groups for Admin Access

Posted on July 30, 2024 - July 30, 2024 by Maq Verma

A recently patched security flaw impacting VMware ESXi hypervisors has been actively exploited by “several” ransomware groups to gain elevated permissions and deploy file-encrypting malware.

The attacks involve the exploitation of CVE-2024-37085 (CVSS score: 6.8), an Active Directory integration authentication bypass that allows an attacker to obtain administrative access to the host.

“A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management by re-creating the configured AD group (‘ESXi Admins’ by default) after it was deleted from AD,” Broadcom-owned VMware noted in an advisory released in late June 2024.

In other words, escalating privileges on ESXi to the administrator was as simple as creating a new AD group named “ESX Admins” and adding any user to it, or renaming any group in the domain to “ESX Admins” and adding a user to the group or using an existing group member.

Microsoft, in a new analysis published on July 29, said it observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest leveraging the post-compromise technique to deploy Akira and Black Basta.

“VMware ESXi hypervisors joined to an Active Directory domain consider any member of a domain group named ‘ESX Admins’ to have full administrative access by default,” researchers Danielle Kuznets Nohi, Edan Zwick, Meitar Pinto, Charles-Edouard Bettan, and Vaibhav Deshmukh said.

“This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist.”

In one attack staged by Storm-0506 against an unnamed engineering firm in North America, the threat actor weaponized the vulnerability to gain elevated permissions to the ESXi hypervisors after having obtained an initial foothold using a QakBot infection and exploiting another flaw in the Windows Common Log File System (CLFS) Driver (CVE-2023-28252, CVSS score: 7.8) for privilege escalation.

Subsequently, phases entailed the deployment of Cobalt Strike and Pypykatz, a Python version of Mimikatz, to steal domain administrator credentials and move laterally across the network, followed by dropping the SystemBC implant for persistence and abusing the ESXi admin access to deploy Black Basta.

“The actor was also observed attempting to brute force Remote Desktop Protocol (RDP) connections to multiple devices as another method for lateral movement, and then again installing Cobalt Strike and SystemBC,” the researchers said. “The threat actor then tried to tamper with Microsoft Defender Antivirus using various tools to avoid detection.”

The development comes as Google-owned Mandiant revealed that a financially motivated threat cluster called UNC4393 is using initial access obtained via a C/C++ backdoor codenamed ZLoader (aka DELoader, Terdot, or Silent Night) to deliver Black Basta, moving away from QakBot and DarkGate.

“UNC4393 has demonstrated a willingness to cooperate with multiple distribution clusters to complete its actions on objectives,” the threat intelligence firm said. “This most recent surge of Silent Night activity, beginning earlier this year, has been primarily delivered via malvertising. This marked a notable shift away from phishing as UNC4393’s only known means of initial access.”

The attack sequence involves making use of the initial access to drop Cobalt Strike Beacon and a combination of custom and readily-available tools to conduct reconnaissance, not to mention relying on RDP and Server Message Block (SMB) for lateral movement. Persistence is achieved by means of SystemBC.

ZLoader, which resurfaced after a long gap late last year, has been under active development, with new variants of the malware being propagated via a PowerShell backdoor referred to as PowerDash, per recent findings from Walmart’s cyber intelligence team.

Over the past few years, ransomware actors have demonstrated an appetite for latching onto novel techniques to maximize impact and evade detection, increasingly targeting ESXi hypervisors and taking advantage of newly disclosed security flaws in internet-facing servers to breach targets of interest.

Qilin (aka Agenda), for instance, was originally developed in the Go programming language, but has since been redeveloped using Rust, indicating a shift towards constructing malware using memory-safe languages. Recent attacks involving ransomware have been found to leverage known weaknesses in Fortinet and Veeam Backup & Replication software for initial access.

“The Qilin ransomware is capable of self-propagation across a local network,” Group-IB said in a recent analysis, adding it’s also equipped to “carry out self-distribution using VMware vCenter.”

Another notable malware employed in Qilin ransomware attacks is a tool dubbed Killer Ultra that’s designed to disable popular endpoint detection and response (EDR) software running on the infected host as well as clear all Windows event logs to remove all indicators of compromise.

Organizations are recommended to install the latest software updates, practice credential hygiene, enforce two-factor authentication, and take steps to safeguard critical assets using appropriate monitoring procedures and backup and recovery plans.

New SideWinder Cyber Attacks Target Maritime Facilities in Multiple Countries

Posted on July 30, 2024 - July 30, 2024 by Maq Verma

The nation-state threat actor known as SideWinder has been attributed to a new cyber espionage campaign targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.

The BlackBerry Research and Intelligence Team, which discovered the activity, said targets of the spear-phishing campaign include countries like Pakistan, Egypt, Sri Lanka, Bangladesh, Myanmar, Nepal, and the Maldives.

SideWinder, which is also known by the names APT-C-17, Baby Elephant, Hardcore Nationalist, Rattlesnake, and Razor Tiger, is assessed to be affiliated with India. It has been operational since 2012, often making use of spear-phishing as a vector to deliver malicious payloads that trigger the attack chains.

“SideWinder makes use of email spear-phishing, document exploitation and DLL side-loading techniques in an attempt to avoid detection and deliver targeted implants,” the Canadian cybersecurity company said in an analysis published last week.

The latest set of attacks employ lures related to sexual harassment, employee termination, and salary cuts in order to negatively impact the recipients’ emotional state and trick them into opening booby-trapped Microsoft Word documents.

Once the decoy file is opened, it leverages a known security flaw (CVE-2017-0199) to establish contact with a malicious domain that masquerades as Pakistan’s Directorate General Ports and Shipping (“reports.dgps-govtpk[.]com”) to retrieve an RTF file.

The RTF document, in turn, downloads a document that exploits CVE-2017-11882, another years-old security vulnerability in the Microsoft Office Equation Editor, with the goal of executing shellcode that’s responsible for launching JavaScript code, but only after ensuring that the compromised system is legitimate and is of interest to the threat actor.

It’s currently not known what’s delivered by means of the JavaScript malware, although the end goal is likely to be intelligence gathering based on prior campaigns mounted by SideWinder.

“The SideWinder threat actor continues to improve its infrastructure for targeting victims in new regions,” BlackBerry said. “The steady evolution of its network infrastructure and delivery payloads suggests that SideWinder will continue its attacks in the foreseeable future.”

‘Stargazer Goblin’ Creates 3,000 Fake GitHub Accounts for Malware Spread

Posted on July 29, 2024 - July 29, 2024 by Maq Verma

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year.

The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it “Stargazers Ghost Network.”

Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.

The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn’t spotted in the dark until early July 2023.

“Threat actors now operate a network of ‘Ghost’ accounts that distribute malware via malicious links on their repositories and encrypted archives as releases,” security researcher Antonis Terefos explained in an analysis published last week.

“This network not only distributes malware but also provides various other activities that make these ‘Ghost’ accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories.”

Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.

These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account’s phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.

Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts part of the network have been previously compromised, with the credentials likely obtained via stealer malware.

“Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected,” Terefos said.

“It’s common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one.”

One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.

Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.

“Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network,” Terefos said.

“Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts.”

The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.

The social engineering attack targets developers with phishing emails sent from “notifications@github.com,” aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.

It also follows an advisory from Truffle Security that it’s possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it’s calling a Cross Fork Object Reference (CFOR) vulnerability.

“A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks),” Joe Leon said. “Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them.”

In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.

It’s however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation –

Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.

“The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users,” Leon said.

“Unfortunately, […] that is not always true. What’s more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted.”

How Searchable Encryption Changes the Data Security Game

Posted on July 29, 2024 - July 29, 2024 by Maq Verma

Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere.

Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used. To be searched, viewed, and modified to keep businesses running. Unfortunately, our Network and Data Security Engineers were taught for decades that you just can’t search or edit data while in an encrypted state.

The best they could do was to wrap that plaintext, unencrypted data within a cocoon of complex hardware, software, policies, controls, and governance. And how has that worked to date? Just look at the T-Mobile breach, the United Healthcare breach, Uber, Verizon, Kaiser Foundation Health Plan, Bank of America, Prudential… and the list goes on. All the data that was stolen in those breaches remained unencrypted to support day-to-day operations.

It’s safe to conclude that the way we’re securing that data just isn’t working. It’s critical that we evolve our thought and approach. It’s time to encrypt all data at rest, in transit, and also IN USE. So, how do we effectively encrypt data that needs to be used?

The Encryption Challenge#

As stated, it’s well established that most data is not being encrypted. Just look at the well documented, ongoing growth rate of cybercrime activity. In short, all data breaches and data ransom cases have one glaring common thread— every target maintains millions of private, sensitive, and confidential records in an unencrypted state. Stores of data, fully indexed, structured and unencrypted as easy to read plaintext simply to support operational use cases. This challenge falls under the auspices of “Acceptable Risk”.

It’s often viewed that if an organization has good cyber hygiene, that organization is encrypting data at rest (in storage, archived, or backed up) and in transit or motion (i.e. email encryption, or sending data from one point to another point). And many may think that’s enough—or that is the best they can do. After all, encryption at rest and in motion is the only encryption focus of current compliance and governance bodies, where they address database encryption.

In truth, most compliance lacks any real definition of what would be considered strong database encryption. Unfortunately, the mindset for many is still ‘if compliance doesn’t address it, it must not be that important, right?’

Let’s unpack this a little. Why don’t we encrypt data? Encryption has a reputation for being complex, expensive, and difficult to manage.

Just looking at traditional encryption of data at rest (archives and static data), these encryption solutions commonly involve a complete “lift and shift” of the database to the encryption at rest solution. This exercise often requires a network architect, database administrator, detailed mapping, and time.

Once encrypted, and assuming that long-string encryption such as AES 256 is utilized, the data is only secure right up to the point that it is needed. The data will eventually be needed to support a business function, such as customer service, sales, billing, financial service, healthcare, audit, and/or general update operations. At that point, the entire required dataset (whether the full database or a segment) needs to be decrypted and moved to a datastore as vulnerable plaintext.

This brings another layer of complexity—the expertise of a DBA or database expert, time to decrypt, the build out of a security enclave of complex solutions designed to monitor and “secure” the plaintext datastore. Now this enclave of complex solutions requires a specialized team of experts with knowledge of how each of those security tools function. Add in the need to patch and refresh each of those security tools just to maintain their effectiveness, and we now understand why so much data is compromised daily.

Of course, once the data set has been utilized, it’s supposed to be moved back to its encrypted state. So, the cycle of complexity (and expense) begins again.

Because of this cycle of complexity, in many situations, this sensitive data remains in a completely unencrypted, vulnerable state, so it is always readily available. 100% of threat actors agree that unencrypted data is the best kind of data for them to easily access.

This example focuses on encryption of data at rest, but it’s important to note that data encrypted in transit goes through much of the same process—it’s only encrypted in transit but needs to be decrypted for use on both ends of the transaction.

There is a much better approach. One that goes beyond baseline encryption. A modern, more complete database encryption strategy must account for encryption of critical database data in three states: at rest, in motion, and now IN USE. Searchable Encryption, also called Encryption-in-Use, keeps that data fully encrypted while it’s still usable. Removing the complexity and expense related to supporting an archaic encrypt, decrypt, use, re-encrypt process.

Merging Technologies for Better Encryption#

So why, now, is Searchable Encryption suddenly becoming a gold standard in critical private, sensitive, and controlled data security?

According to Gartner, “The need to protect data confidentiality and maintain data utility is a top concern for data analytics and privacy teams working with large amounts of data. The ability to encrypt data, and still process it securely is considered the holy grail of data protection.”

Previously, the possibility of data-in-use encryption revolved around the promise of Homomorphic Encryption (HE), which has notoriously slow performance, is really expensive, and requires an obscene amount of processing power. However, with the use of Searchable Symmetric Encryption technology, we can process “data in use” while it remains encrypted and maintain near real-time, millisecond query performance.

IDC Analyst Jennifer Glenn said, “Digital transformation has made data more portable and usable by every part of the business, while also leaving it more exposed. Searchable encryption offers a powerful way to keep data secure and private while unlocking its value.”

“Technologies like searchable encryption are rapidly becoming a staple for organizations to keep data usable, while ensuring its integrity and security,” Glenn said.

A 30+ year old data management company, Paperclip, has created a solution to achieve what was once referred to as the ‘holy grail of data protection’, encryption of data in use. By leveraging patented shredding technology used for data storage and Searchable Symmetric Encryption, a solution was born that removes the complexity, latency and risk inherent with legacy data security and encryption strategies.

The SAFE Encryption Solution#

Understanding that necessity is the mother of all inventions, Paperclip, founded in 1991 as a content supply-chain innovator, realized they themselves needed to do more to secure the cadre of sensitive data their client’s trusted them with. When analyzing the growing number of data breaches and data ransom attacks, one reality became abundantly clear: threat actors aren’t compromising or stealing encrypted data.

They are laser focused on the vast amounts of unencrypted, plaintext data being used to support key operational activities. That’s where they can do the most damage. That’s the best data to hold hostage. It was this critical data that needed to be addressed. It was time to evolve the way we encrypted our most active data, at the database layer.

This was the genesis of SAFE, first as a solution then to bring it to the commercial market.

Of course, identifying the challenge was easy. All organizations have sensitive data to protect, and all organizations have sensitive data they rely on to run their core operations. The next stage was to build a practical solution.

Paperclip SAFE is a SaaS solution that makes fully encrypted, searchable data encryption a practical reality. The entire process of encrypting, decrypting, using, re-encrypting—and the resources needed to accomplish those tasks— is no longer required. More importantly, SAFE removes the excuse related to why millions of records are left fully exposed to data theft and ransom attacks right now.

SAFE Searchable Encryption is commonly referred to as a Privacy Enhancing Technology (PET) Platform. As a PET, SAFE evolves the way data is secured at the core database layer. SAFE is unique to all other encryption solutions because it provides the following features:

Full, AES 256 encryption supporting data owner and data holder key vaults – A threat actor must compromise both disparate keys. Even then they don’t get access to the data.
Patented Paperclip Shredded Data Storage (SDS) – Even before any data is encrypted with AES 256, complex encryption, the data is shredded into pieces, salted and hashed. This breaks all context and creates entropy. Imagine a threat actor compromises both encryption keys. What they end up with is like taking a micro cross-cut shredder, running one million documents through it, throwing out a third of the shredded pieces, replacing that third with shredded old encyclopedias, shaking it up and throwing it on the floor like some sick, demented jigsaw puzzle. Based on current technology it will take about 6,000 years to reassemble all those pieces.
Always Encrypted dataset supporting full create, read, update, delete (CRUD) functionality. – Inherently, when the data isn’t in use, it’s at rest, still fully encrypted. No more encrypted, unencrypted… It’s always encrypted.
Fast encrypted compound searching (<100 milliseconds over a standard SQL query). End users won’t even realize that SAFE is running in the background.
Continuous Machine Learning and AI Threat Detection and Response (TDR) – SAFE is based on Zero Trust so the solution will monitory and learn user trends. Any out-of-band activity will be blocked and will require administrative action. The solution is also monitoring for SQL injections, data fuzzing, and other threat actor actions. As part of the solution, SAFE produces a lot of telemetry that can feed a Client’s SOC monitoring service.
Simple JSON API integration. There is some development involved, but the result is no disruption to the end user and a dataset of always available, always encrypted data.
Implementation Flexibility – SAFE is a SaaS solution, but it was also designed to be implemented as a lightweight on-premises solution. In addition, SAFE can be integrated within a third-party application where that third-party is maintaining sensitive data on behalf of the Client (outsourced application like human resources, payroll, banking platforms, healthcare EMR & PHR, etc.). If you outsource your sensitive data to a third-party vendor, it’s time to ask how they’re encrypting that data. What happens if that vendor is breached? Is your data encrypted?

We’re in a race, one that the threat actors seem to be winning. It’s time to build a better encryption engine. It’s time for SAFE.

In today’s cyber-centric business landscape, the need for searchable encryption spans many industries and use cases such as Financial Services, Healthcare, Banking, Manufacturing, Government, Education, Critical Infrastructure, Retail, and Research to name a few. There isn’t an area where data doesn’t need to be more SAFE.

SAFE as a SaaS solution can be implemented in less than 30-days with no disruption to end users or network architecture. To learn more about SAFE searchable encryption, visit paperclip.com/safe.

Note: This article is expertly written and contributed by Chad F. Walter, Chief Revenue Officer at Paperclip since June 2022, leading Sales and Marketing initiatives, with over 20 years of experience in cybersecurity and technology.