Nearest Neighbor: remote attacks on Wi-Fi networks

From the perspective of information security, wireless networks are typically perceived as something that can be accessed only locally — to connect to them, an attacker needs to be physically close to the access point. This significantly limits their use in attacks on organizations, and so they are perceived as relatively risk-free. It’s easy to think that some random hacker on the internet could never simply connect to a corporate Wi-Fi network. However, the newly emerged Nearest Neighbor attack tactic demonstrates that this perception is not entirely accurate.

Even a well-protected organization’s wireless network can become a convenient entry point for remote attackers if they first compromise another, more vulnerable company located in the same building or a neighboring one. Let’s delve deeper into how this works and how to protect yourself against such attacks.

A remote attack on an organization’s wireless network

Let’s imagine a group of attackers planning to remotely hack into an organization. They gather information about the given company, investigate its external perimeter, and perhaps even find employee credentials in databases of leaked passwords. But they find no exploitable vulnerabilities. Moreover, they discover that all of the company’s external services are protected by two-factor authentication, so passwords alone aren’t sufficient for access.

One potential penetration method could be the corporate Wi-Fi network, which they could attempt to access using those same employee credentials. This applies especially if the organization has a guest Wi-Fi network that’s insufficiently isolated from the main network — such networks rarely use two-factor authentication. However, there’s a problem: the attackers are on the other side of the globe and can’t physically connect to the office Wi-Fi.

This is where the Nearest Neighbor tactic comes into play. If the attackers conduct additional reconnaissance, they’ll most likely discover numerous other organizations whose offices are within the Wi-Fi signal range of the target company. And it’s possible that some of those neighboring organizations are significantly more vulnerable than the attackers’ initial target.

This may simply be because these organizations believe their activities are less interesting to cyberattack operators — leading to less stringent security measures. For example, they might not use two-factor authentication for their external resources. Or they may fail to update their software promptly — leaving easily exploitable vulnerabilities exposed.

One way or another, it’s easier for the attackers to gain access to one of these neighboring organizations’ networks. Next, they need to find and compromise a device within the neighbor’s infrastructure that is connected to the wired network and also has a wireless module. By scanning the Wi-Fi environment through such a device, the attackers can locate the SSID of the target company’s network.

Using the compromised neighboring device as a bridge, the attackers can then connect to the corporate Wi-Fi network of their actual target. In this way, they get inside the perimeter of the target organization. Having achieved this initial objective, the attackers can proceed with their main goals — stealing information, encrypting data, monitoring employee activity, and more.

How to protect yourself against the Nearest Neighbor attack

It’s worth noting that this tactic has already been used by at least one APT group, so this isn’t just a theoretical threat. Organizations that could be targeted by such attacks should start treating the security of their wireless local area networks as seriously as the security of their internet-connected resources.

To protect against the Nearest Neighbor attack, we recommend the following:

  • Ensure that the guest Wi-Fi network is truly isolated from the main network.
  • Strengthen the security of corporate Wi-Fi access — for instance, by using two-factor authentication with one-time codes or certificates.
  • Enable two-factor authentication — not only for external resources but also for internal ones, and, in general, adopt the Zero Trust security model.
  • Use an advanced threat detection and prevention system, such as Kaspersky Next XDR Expert.
  • If you lack highly qualified in-house cybersecurity specialists, make use of external services such as Managed Detection and Response and Incident Response.

Kaspersky official blog – Read More

Cleo File Transfer Tool Vulnerability Exploited in Wild Against Enterprises

CVE-2024-50623, an improperly patched vulnerability affecting Cleo file transfer tools, has been exploited in the wild.

The post Cleo File Transfer Tool Vulnerability Exploited in Wild Against Enterprises appeared first on SecurityWeek.

SecurityWeek – Read More

Hackers Target Job Seekers with AppLite Trojan Using Fake Job Emails

SUMMARY AppLite banking trojan is a newly discovered stealthy mobile malware threat targeting mobile devices. Learn about its…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More

Lessons From the Largest Software Supply Chain Incidents

The software supply chain is a growing target, and organizations need to take special care to safeguard it.

darkreading – Read More

Cohesity completes its merger with Veritas; here’s how they’ll integrate

Data protection startup Cohesity completed its merger with Veritas’ enterprise data protection business, creating one entity with 12,000 customers that is valued at $7 billion. The deal was originally announced in February 2024. Cohesity valued Carlyle-owned Veritas’ data protection business at $3 billion at the time, according to CRN reporting. Cohesity declined to comment on […]


Security News | TechCrunch – Read More

Cybersecurity News Round-Up 2024: 10 Biggest Stories That Dominated the Year

TechRepublic looks back at the biggest cybersecurity stories of 2024, from record data breaches to rising ransomware threats and CISO burnout.

Security | TechRepublic – Read More

EU Cyber Resilience Act: What You Need to Know

Manufacturers, importers, and distributors of products with digital components operating in the E.U. must comply.

Security | TechRepublic – Read More

Think Twice Before You Click: INTERPOL Unveils Alarming Cybercrime Trends


Overview

In response to the growing threat of cyber and financial crimes targeting individuals and organizations, INTERPOL has launched a new campaign called “Think Twice.” The campaign aims to raise awareness about the dangers of increasingly complex online threats, urging people to pause and think before making decisions online. The campaign highlights five key cyber threats: ransomware attacks, malware attacks, phishing, generative AI scams, and romance baiting.

With these crimes becoming more advanced and widespread, the campaign serves as a timely reminder of the importance of vigilance and careful decision-making in the digital world.

The Rising Threat of Cybercrime

Cybercrime is on the rise, with criminals using more advanced techniques to exploit vulnerable individuals and organizations. According to INTERPOL’s findings, ransomware attacks have increased by 70 percent, and malware attacks have risen by over 30 percent in just the past year.

Fostering a culture of cyber-awareness in the workforce is the first and last line of defense against cybercrime, as employees form the backbone of any cybersecurity strategy.

Phishing attacks have also evolved, becoming increasingly difficult to detect. Cybercriminals are now using sophisticated methods, including generative AI, to manipulate voices, images, and text, creating ultra-realistic human avatars to deceive victims. These scams are gaining traction, with scammers targeting victims worldwide using tactics that were once unimaginable. Another rising threat is romance baiting, where criminals use fake online profiles to form relationships with victims, only to later ask for money.

The “Think Twice” campaign, which will run from December 3 to December 19, 2024, emphasizes the importance of making informed choices online. By raising awareness of these growing threats, INTERPOL hopes to empower individuals and organizations to take proactive steps in safeguarding themselves against cybercrime.

Key Threats Highlighted by the “Think Twice” Campaign

The campaign focuses on five major threats that have been identified as rapidly growing concerns in the online space:

  1. Ransomware Attacks:
    Ransomware continues to be one of the most disruptive forms of cybercrime. It involves criminals encrypting a victim’s data and demanding a ransom to unlock it. The rise of ransomware attacks has been staggering, with a 70 percent increase in the past year alone.
  2. Malware Attacks:
    Malware attacks involve malicious software designed to infiltrate and damage computers or networks. Such attacks have increased by over 30 percent in the past year, often spreading through emails, links, or infected files.
  3. Phishing:
    Phishing scams involve tricking individuals into revealing sensitive information, such as passwords or financial data, through deceptive emails or messages. Phishing has become more sophisticated, with cybercriminals using AI-generated content to make their scams harder to detect.
  4. Generative AI Scams:
    Generative AI scams involve using AI technology to create fake human avatars, voices, and images to deceive victims. These scams are gaining traction, with cybercriminals using realistic content to manipulate and steal money from victims.
  5. Romance Baiting Scams:
    Romance baiting is a growing form of fraud where criminals create fake online profiles to form emotional connections with victims. After gaining their trust, they ask for money, often claiming to be in a financial emergency or need.

The “Think Twice” Campaign: Empowering Individuals and Organizations

The primary objective of the “Think Twice” campaign is to encourage individuals to pause and think before acting on digital content. INTERPOL urges people to verify the authenticity of messages, links, and requests before taking any action. This two-week awareness campaign will primarily run through social media channels, reaching individuals globally and educating them about the risks associated with cybercrime.

INTERPOL emphasizes the importance of adopting a mindset of caution and awareness when interacting with digital content. The campaign encourages individuals to:

  • Pause and evaluate: Take a moment to verify the authenticity of any unsolicited emails, links, or messages.
  • Check for credibility: Ensure the sources of information are legitimate, especially if you’re asked for personal or financial information.
  • Verify identities: Even if a request seems to come from a familiar contact, always verify their identity through multiple channels.
  • Stay informed: Learn about the latest cybercrime tactics and how to recognize them.
  • Be cautious with online relationships: Especially when money is involved, approach online relationships with skepticism.

Taking Action Against Cybercrime: What Can You Do?

INTERPOL’s campaign is not just about raising awareness; it also provides a practical checklist for reducing the risks of cybercrime. Here are some simple steps that individuals and organizations can take to protect themselves:

  1. Be cautious of unsolicited requests: Always be wary of emails or messages from unfamiliar sources. Avoid clicking on suspicious links or attachments.
  2. Implement a cybersecurity culture: Businesses should foster a culture of cybersecurity awareness among employees, providing training and guidelines on handling potential threats.
  3. Verify identities: If you receive a request for money or sensitive information from a known person, verify their identity before acting.
  4. Use in-person verification: For high-risk situations, like online transactions or relationships, consider verifying details through face-to-face meetings or phone calls.
  5. Stay informed: Cybercrime tactics are constantly evolving, so it’s crucial to stay updated on the latest scams and threats.

Conclusion

As cyber and financial crimes continue to grow in scale, INTERPOL’s “Think Twice” campaign serves as an essential reminder for individuals and organizations to remain vigilant. By pausing to consider their digital actions and verifying the authenticity of online content, people can reduce their exposure to threats like phishing, malware, and romance baiting.

As INTERPOL’s Secretary General Valdecy Urquiza said, cybersecurity is a shared responsibility. Through proactive measures and informed decisions, we can help build a safer digital world for everyone.

Source: https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-campaign-warns-against-cyber-and-financial-crimes

The post Think Twice Before You Click: INTERPOL Unveils Alarming Cybercrime Trends appeared first on Cyble.

Blog – Cyble – Read More

Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor


Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified a campaign associated with the infamous group Head Mare aimed at targeting Russians.
  • This campaign involves a ZIP archive containing both a malicious LNK file and an executable. The executable is cleverly disguised as an archive file to deceive users and facilitate its malicious operations.
  • The LNK file contains commands designed to extract and execute the disguised executable, which has been identified as PhantomCore.
  • PhantomCore is a backdoor utilized by the hacktivist group Head Mare. It has been active since 2023 and is known for consistently targeting Russia.
  • In previous attacks, GoLang-compiled PhantomCore binaries were used. However, in this campaign, the threat actor (TA) is using C++-compiled PhantomCore binaries instead.
  • TA also integrated the Boost.Beast library into PhantomCore to enable communication with the command-and-control (C&C) server.
  • PhantomCore collects the victim’s information, including the public IP address, to gain detailed insights into the target before deploying the final-stage payload or executing additional commands on the compromised system.
  • PhantomCore is known to deploy ransomware payloads such as LockBit and Babuk, inflicting significant damage on the victim’s systems.

Overview

On 2nd September 2024, Kaspersky released a blog about the Head Mare group, which first emerged in 2023. Head Mare is a hacktivist group targeting organizations in Russia and Belarus with the goal of causing maximum damage rather than financial gain. They use up-to-date tactics, such as exploiting the CVE-2023-38831 vulnerability in WinRAR, to gain initial access and deliver malicious payloads. The group maintains a public presence on X, where they disclose information about their victims.

Their targets span various industries, including government, transportation, energy, manufacturing, and entertainment. Unlike other groups, Head Mare also demands ransom for data decryption.

Figure 1 – Threat Actor profile

CRIL recently identified a campaign linked to the notorious Head Mare group that targets Russian users. While the initial infection vector remains unknown, the group typically reaches users via spam emails. In this campaign, a ZIP archive named “Doc.Zip” was discovered, containing a malicious LNK file, an executable disguised as “Doc.zip” identified as PhantomCore, and a corrupted PDF.

Upon executing the LNK file, it extracts the “Doc.Zip” archive into the “C:/ProgramData” directory and executes the file “Doc.zip” using cmd.exe. Once executed, the malware gathers the victim’s information, such as the public IP address, Windows version, username, etc., and sends it to a command-and-control (C&C) server controlled by the TA. It then awaits further commands from the C&C server to execute additional malicious activities. The figure below shows the infection chain.

Figure 2 – Infection chain

Earlier, PhantomCore samples were developed using GoLang. However, in the latest campaign, the threat actor is using C++-compiled PhantomCore binaries. Additionally, the C++ version of PhantomCore incorporates the Boost.Beast library, which facilitates communication between the infected system and the command-and-control (C&C) server through HTTP WebSockets.

Technical Analysis

The ZIP archive “Doc.zip,” downloaded from the file-sharing website hxxps://filetransfer[.]io/data-package/AiveGg6u/download, is suspected to have been delivered to the victim via a spam email. The email likely carried a social engineering theme, designed to appear legitimate, such as an invoice for goods or similar financial documents. This theme was intended to deceive the recipient into interacting with the malicious attachment, ultimately leading to the delivery of the malicious payload.

The zip archive contains multiple files, including two LNK files, a corrupted lure PDF file, and an executable camouflaged with a “.zip” file extension. All the files within the archive are notably named in Russian, as detailed in the table below.

Actual file names Translated names
Список товаров и услуг.pdf.lnk List of goods and services.pdf.lnk
Счет-фактура.pdf.lnk Invoice.pdf.lnk
Контактные данные для оплаты.pdf Contact details for payment.pdf

The LNK file is configured to execute a PowerShell command that locates and extracts the “Doc.zip” archive into the “C:\ProgramData” directory. Once extracted, the “Doc.zip” file, which is in fact an executable, is launched using the cmd.exe start command. The figure below illustrates the contents of the LNK file.

Figure 3 – Contents of Список товаров и услуг.pdf.lnk

Upon execution, the Doc.zip file sets both the input and output code pages to OEM Russian (Cyrillic) using the SetConsoleCP and SetConsoleOutputCP Win32 APIs. Additionally, it sets the locale language of the victim machine to “ru_RU.UTF-8” to configure the system to use the Russian locale with UTF-8 encoding.

Figure 4 – Sets locale to Russia

After configuring the locale settings, the malware attempts to connect to the C&C server at 45.10.247[.]152 using the User-Agent string “Boost.Beast/353”. It retries the connection until successful, sleeping for 10 seconds between each attempt.

Figure 5 – Connect request

After a successful connection is established, the malware gathers the victim’s information, including the Buildname, Windows version, public IP address, computer name, username, and domain details. The Buildname, which can vary (e.g., ZIP, URL), may indicate the infection vector. This collected data is then sent to the C&C server via the “init” endpoint, as illustrated in the figure below.

Figure 6 – Gathering victim’s information

Figure 7 – Sending victim’s details

After sending the initial request containing the victim details and UUID, the malware waits for a response from the TA. However, during our analysis, we were unable to capture the response. Nevertheless, code analysis indicates that the typical response from the TA follows a format similar to the one shown below.

Figure 8 – TA’s response

Moreover, the TA can execute commands on the victim’s machine and download additional payloads from the C&C server. This enables them to escalate the compromise, conduct further malicious activities, or expand the attack by deploying specific commands and payloads. The malware uses the following endpoints for its C&C communication and to receive commands:

  • hxxp://[C&C IP Address]/connect
  • hxxp://[C&C IP Address]/init
  • hxxp://[C&C IP Address]/check
  • hxxp://[C&C IP Address]/command
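As an added illustration of how a defender could hunt for the C&C pattern described above (this is example code, not part of the Cyble report or the PhantomCore sample), the Python script below scans proxy-style log lines for four signals: the “Boost.Beast/” User-Agent prefix, two or more of the /connect, /init, /check and /command endpoints requested from a bare-IP host, the three C&C addresses from the indicator table, and the 10-second retry cadence the report describes. The log layout, the HTTP methods and the status codes are assumptions; the sample lines are constructed for this example.

```python
"""Added detection example (not code from the Cyble report): hunt for
PhantomCore-style C&C traffic in proxy logs. Log layout, HTTP methods and
status codes are assumed; the sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# C&C addresses taken from the report's indicator table (listed there defanged).
C2_IPS = {"45.10.247.152", "185.80.91.84", "45.87.245.53"}
# Endpoints the report lists for C&C communication.
C2_PATHS = {"/connect", "/init", "/check", "/command"}
RETRY_INTERVAL = 10.0  # seconds between connection attempts, per the report
TOLERANCE = 2.0        # slack allowed when matching the retry cadence

# Assumed log layout: <ISO timestamp> <src> <dst host> <method> <path> <status> "<UA>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
BARE_IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: one infected host retrying /connect every 10 s, one host
# showing the endpoint pattern against an unknown bare IP, and benign noise.
SAMPLE_LOG = """\
2024-12-10T10:00:00Z 10.0.0.5 45.10.247.152 GET /connect 503 "Boost.Beast/353"
2024-12-10T10:00:10Z 10.0.0.5 45.10.247.152 GET /connect 503 "Boost.Beast/353"
2024-12-10T10:00:20Z 10.0.0.5 45.10.247.152 GET /connect 200 "Boost.Beast/353"
2024-12-10T10:00:21Z 10.0.0.5 45.10.247.152 POST /init 200 "Boost.Beast/353"
2024-12-10T10:00:31Z 10.0.0.5 45.10.247.152 GET /check 200 "Boost.Beast/353"
2024-12-10T10:00:05Z 10.0.0.7 203.0.113.9 POST /connect 200 "Boost.Beast/353"
2024-12-10T10:00:06Z 10.0.0.7 203.0.113.9 GET /command 200 "Boost.Beast/353"
2024-12-10T10:00:07Z 10.0.0.8 updates.example.com GET /check 200 "Mozilla/5.0"
2024-12-10T10:00:08Z 10.0.0.9 cdn.example.net GET /init 200 "Boost.Beast/353"
"""


def parse_line(line):
    """Return a dict for one log line, or None when the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def looks_like_retry(timestamps):
    """True when at least two gaps between consecutive requests sit close to the 10 s retry sleep."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    close = sum(1 for g in gaps if abs(g - RETRY_INTERVAL) <= TOLERANCE)
    return close >= 2


def analyze(log_text):
    """Group requests by (src, dst) and return the reasons each pair was flagged."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["dst"])].append(rec)
    flagged = {}
    for (src, dst), recs in groups.items():
        reasons = []
        if dst in C2_IPS:
            reasons.append("known_c2_ip")
        if any(r["ua"].startswith("Boost.Beast/") for r in recs):
            reasons.append("boost_beast_ua")
        hit_paths = {r["path"] for r in recs} & C2_PATHS
        if len(hit_paths) >= 2 and BARE_IP_RE.fullmatch(dst):
            reasons.append("c2_path_pattern")
        if looks_like_retry([r["ts"] for r in recs]):
            reasons.append("ten_second_retry")
        if reasons:
            flagged[(src, dst)] = reasons
    return flagged


def severity(reasons):
    """A known IoC hit, or two independent behavioural signals, is high; one signal alone is medium."""
    return "high" if "known_c2_ip" in reasons or len(reasons) >= 2 else "medium"


if __name__ == "__main__":
    for pair, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{pair[0]} -> {pair[1]}: {severity(reasons)} ({', '.join(reasons)})")
```

The User-Agent on its own is only a medium signal, because any legitimate program built on Boost.Beast sends the same default string; the value comes from combining it with the endpoint set, a bare-IP destination and the retry timing, which is why the scoring requires two behavioural signals before it reports high in the absence of a listed indicator.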

The TA uses the following methods to execute commands and deploy additional payloads.

Command Execution through Pipes

The execution process involves creating a pipe and redirecting the WritePipe handle to the standard output (stdout) and standard error (stderr). A new process is then launched using the command “cmd.exe /c” to execute the specified command. After the command is executed, the output is retrieved by reading from the pipe using the “ReadFile” API and the ReadPipe handle. Additionally, a log is generated to monitor and track the success or failure of the pipe creation and command execution.

The following code demonstrates the TA’s ability to execute commands through a pipe, read the command output, and parse the commands for execution via the pipe.

Figure 9 – PIPE creation
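The execution chain described in the LNK section and the pipe-based “cmd.exe /c” command execution described just above share one observable shape in process-creation telemetry, so a single added example (not code from the Cyble report) covers both: a Python scorer over Sysmon-style process-creation events that flags PowerShell extracting an archive into ProgramData, cmd.exe issuing “start” on an archive-named file, a running image whose path ends in .zip, and “cmd.exe /c” children of such an image. The event field names and the exact PowerShell extraction command line are assumptions; the events are constructed.

```python
"""Added detection example (not code from the Cyble report): score Sysmon-style
process-creation events for the PhantomCore execution chain described above.
Field names and the PowerShell extraction command are assumptions; all events
are constructed."""
import re

ARCHIVE_EXT_RE = re.compile(r"\.(?:zip|rar|7z)$", re.IGNORECASE)
START_ARCHIVE_RE = re.compile(r"\bstart\b.*\.(?:zip|rar|7z)\b", re.IGNORECASE)
# Assumed extraction idioms: the report only says PowerShell extracts Doc.zip.
EXTRACT_TO_PROGRAMDATA_RE = re.compile(
    r"(?:expand-archive|extracttodirectory).*programdata", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"\\programdata\\", re.IGNORECASE)
CMD_C_RE = re.compile(r"\s/c\s", re.IGNORECASE)

# Constructed events shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    # LNK-launched PowerShell extracting the archive (command line is assumed).
    {"pid": 2001, "ppid": 1001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden Expand-Archive -Path Doc.Zip -DestinationPath C:\ProgramData"},
    # cmd.exe "start" of the file carrying a .zip extension.
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'cmd.exe /c start "" "C:\ProgramData\Doc.zip"'},
    # The disguised executable itself running.
    {"pid": 2003, "ppid": 2002, "image": r"C:\ProgramData\Doc.zip",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\ProgramData\Doc.zip"},
    # Operator command executed through the pipe as "cmd.exe /c".
    {"pid": 2004, "ppid": 2003, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\ProgramData\Doc.zip",
     "cmdline": r"cmd.exe /c whoami /all"},
    # Benign noise: a user opening a real archive in an archive manager.
    {"pid": 3001, "ppid": 1001, "image": r"C:\Program Files\7-Zip\7zFM.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\u\Downloads\report.zip"'},
]


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one finding per rule hit: {"pid", "rule", "severity"}."""
    findings = []

    def flag(ev, rule, severity):
        findings.append({"pid": ev["pid"], "rule": rule, "severity": severity})

    for ev in events:
        image, parent, cmd = ev["image"], ev["parent_image"], ev["cmdline"]
        # 1. The executing image itself carries an archive extension (e.g. Doc.zip).
        if ARCHIVE_EXT_RE.search(image):
            flag(ev, "archive_ext_image", "high" if PROGRAMDATA_RE.search(image) else "medium")
        # 2. cmd.exe "start" of something named like an archive; "start" of a real
        #    archive would just open the archive handler, so ProgramData raises severity.
        if basename(image) == "cmd.exe" and START_ARCHIVE_RE.search(cmd):
            flag(ev, "start_archive_from_cmd", "high" if PROGRAMDATA_RE.search(cmd) else "medium")
        # 3. "cmd.exe /c" spawned by a parent whose image ends in an archive extension:
        #    the pipe-based command execution path of the backdoor.
        if basename(image) == "cmd.exe" and CMD_C_RE.search(cmd) and ARCHIVE_EXT_RE.search(parent):
            flag(ev, "cmd_c_child_of_archive_image", "high")
        # 4. PowerShell extracting an archive into ProgramData.
        if basename(image) == "powershell.exe" and EXTRACT_TO_PROGRAMDATA_RE.search(cmd):
            flag(ev, "powershell_extract_to_programdata", "medium")
    return findings


def flagged_pids(events):
    """Sorted, de-duplicated PIDs with at least one finding."""
    return sorted({f["pid"] for f in detect(events)})


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['rule']} ({f['severity']})")
```

Rule 3 is the one worth keeping even if the archive-extension trick changes: a process that is not a shell or an archive tool repeatedly spawning “cmd.exe /c” with redirected standard handles is the generic fingerprint of the pipe-based command runner the report describes, and correlating it with rule 1 on the same parent PID turns two medium observations into a confident chain.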

Creating new process

The malware can also create a new process based on the input from the calling function. If successful, it closes the process and thread handles, updates the log with a success message, and sets a flag to notify the calling process. In case of failure, it logs an error message and sets a different flag to indicate the failure.

Figure 10 – New Process Creation

The Head Mare group has been known to deploy ransomware in previous attacks, targeting a variety of systems and environments. This includes the use of widely recognized ransomware strains such as LockBit for Windows machines and Babuk for ESXi (VMware) environments. These ransomware strains are notorious for their ability to encrypt valuable data and demand ransom payments from victims in exchange for decryption keys.

Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.

Conclusion

The Head Mare group’s campaign continues to target Russian organizations using the PhantomCore backdoor and evolving tactics, including using C++-compiled binaries and social engineering techniques. The group’s ability to collect victim data and deploy additional payloads, including ransomware, highlights the ongoing threat it poses. Organizations must stay vigilant and strengthen their security measures to defend against such attacks.

Recommendations

  • Avoid opening unexpected or suspicious email attachments, particularly ZIP or LNK files. Train employees to identify phishing attempts and verify file origins before interacting with downloads. Implement email security solutions that detect and block malicious attachments.
  • Ensure all software, including WinRAR and operating systems, is updated with the latest security patches. Vulnerabilities like CVE-2023-38831 can be exploited in outdated software, making patch management critical for prevention.
  • Deploy endpoint detection and response (EDR) tools to monitor suspicious activities such as unauthorized PowerShell execution. Use intrusion detection/prevention systems (IDS/IPS) to block connections to known malicious C&C servers like the one observed in this attack.
  • Limit user permissions to execute potentially dangerous commands or files. Use application whitelisting to allow only trusted programs to run and disable unnecessary scripting tools like PowerShell on non-administrative systems.
  • Continuously monitor network traffic for anomalies, such as unusual locale settings or repeated connection attempts to unknown IP addresses. Create an incident response plan to quickly isolate and remediate affected systems in case of compromise.

MITRE ATT&CK® Techniques

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) ZIP archives might be sent through phishing email to the target users
Execution (TA0002) Command and Scripting Interpreter: PowerShell (T1059.001) PowerShell is used to extract the archive file
Execution (TA0002) Windows Command Shell (T1059.003) Cmd.exe is used to execute commands through PIPE, start command
Execution (TA0002) Native API (T1106) SetConsoleCP, SetConsoleOutputCP, and other Win32 APIs to configure locale
Command and Control (TA0011) System Information Discovery (T1082) Collects victim details, including OS version, computer name, username, and domain details
Command and Control (TA0011) Application Layer Protocol: Web Protocols (T1071.001) Communicates with the C&C server over HTTP using the “Boost.Beast” library.

Indicators of Compromise

Indicator Indicator type Comments
6ac2d57d066ef791b906c3b4c6b5e5c54081d6657af459115eb6abb1a9d1085d SHA-256 coYLaSU4TQum
0f578e437f5c09fb81059f4b5e6ee0b93cfc0cdf8b31a29abc8396b6137d10c3 SHA-256 Список товаров и услуг.pdf.lnk
dd49fd0e614ac3f6f89bae7b7a6aa9cdab3b338d2a8d11a11a774ecc9d287d6f SHA-256 Счет-фактура.pdf.lnk
57848d222cfbf05309d7684123128f9a2bffd173f48aa3217590f79612f4c773 SHA-256 Doc.zip
4b62da75898d1f685b675e7cbaec24472eb7162474d2fd66f3678fb86322ef0a SHA-256 Phantomcore Backdoor
44b1f97e1bbdd56afeb1efd477aa4e0ecaa79645032e44c7783f997f377d749f SHA-256 Phantomcore Backdoor
2dccb526de9a17a07e39bdedc54fbd66288277f05fb45c7cba56f88df00e86a7 SHA-256 Phantomcore Backdoor
1a2d1654d8ff10f200c47015d96d2fcb1d4d40ee027beb55bb46199c11b810cc SHA-256 Phantomcore Backdoor
8aad7f80f0120d1455320489ff1f807222c02c8703bd46250dd7c3868164ab70 SHA-256 Phantomcore Backdoor
9df6afb2afbd903289f3b4794be4768214c223a3024a90f954ae6d2bb093bea3 SHA-256 Phantomcore Backdoor
hxxps://city-tuning[.]ru/collection/srvhost.exe URL Phantomcore Backdoor Download URL
hxxps://filetransfer[.]io/data-package/AiveGg6u/download URL ZIP file download URL
hxxp://45.10.247[.]152/init URL C&C
hxxp://45.10.247[.]152/check URL C&C
hxxp://45.10.247[.]152/connect URL C&C
hxxp://45.10.247[.]152/command URL C&C
hxxp://185.80.91[.]84/command URL C&C
hxxp://185.80.91[.]84/connect URL C&C
hxxp://185.80.91[.]84/check URL C&C
hxxp://185.80.91[.]84/init URL C&C
hxxp://45.87.245[.]53/init URL C&C
hxxp://45.87.245[.]53/check URL C&C
hxxp://45.87.245[.]53/connect URL C&C
hxxp://45.87.245[.]53/command URL C&C

The post Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor appeared first on Cyble.

Blog – Cyble – Read More

How Red Teaming Helps Meet DORA Requirements

The Digital Operational Resilience Act (DORA) sets strict EU rules for financial institutions and IT providers, emphasizing strong…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News – Read More