Key takeaways

Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated attack that leverages legitimate tools such as Visual Studio (VS) Code and GitHub.

The Threat Actor (TA) used a.LNK file as the initial attack vector, potentially delivered through spam or phishing emails. The .LNK file is disguised as a legitimate setup file, using an MSI setup icon to deceive users into executing it.

Upon execution, the .LNK file silently downloads a Python distribution package and uses it to run a malicious Python script.

The TA leverages a VScode tool to initiate a Remote Tunnel and retrieve an activation code, which the TA can use to gain unauthorized remote access to the victim’s machine. This enables the TA to interact with the system, access files, and perform additional malicious activities.

To maintain persistence, the TA creates a scheduled task designed to automatically trigger the execution of a malicious Python script with SYSTEM privileges and high priority.

Similar tactics, techniques, and procedures (TTP) were employed by the Chinese APT group, Stately Taurus, in cyber espionage campaigns aimed at organizations throughout Europe and Asia.

Overview

Cyble Research and Intelligence Lab (CRIL) uncovered a campaign that leverages a suspicious .LNK file as the initial attack vector. This file, potentially delivered via spam emails, downloads a Python distribution package that is then used to execute an obfuscated Python script retrieved from a paste site. At the time of publishing this research, this script had no detections on VirusTotal (VT), making it difficult to identify through standard security measures.

Once executed, the Python script establishes persistence by creating a scheduled task with system privileges and high priority. It checks if Visual Studio Code (VSCode) is installed on the victim’s machine. If not, the script downloads the standalone VSCode CLI from a trusted source. Using VSCode, the script creates a remote tunnel, sharing an activation code with the TA, which facilitates unauthorized remote access to the victim’s machine.

The VSCode Remote – Tunnels extension is typically used to connect to a remote machine, such as a desktop PC or virtual machine (VM), via a secure tunnel. This enables users to access the machine from any VSCode client without the need for SSH. However, in this campaign, the TA exploits this feature, using it to establish a remote connection to the victim’s system for malicious purposes.

This attack method mirrors tactics previously observed in campaigns by the Stately Taurus Chinese APT group, as documented by Unit42 researchers.  In this blog, we will examine how the TA cleverly uses legitimate tools like VSCode and GitHub to conceal their activity and establish unauthorized remote connections. The figure below illustrates the infection chain.

Technical Analysis

CRIL has identified a campaign involving a suspicious .LNK file masquerading as an installer. When executed, it displays a fake “Successful installation” message in Chinese (“安裝成功“). However, in the background, it silently downloads additional components using the curl utility, including a Python distribution package named “python-3.12.5-embed-amd64.zip”.

The .LNK file then creates a directory at “%LOCALAPPDATA%MicrosoftPython” and extracts the contents of the zip archive using tar.exe into this location. Afterward, it downloads a malicious script from a paste.ee site via the URL “hxxps[:]//paste[.]ee/r/DQjrd/0” and saves it as “update.py” in the same location. Once the download is complete, the “update.py” is executed using “pythonw.exe” without showing a console window. The contents of the LNK file are shown below:

Update.py

The script begins by checking whether Visual Studio Code (VSCode) is already installed on the system. It does this by verifying the existence of the directory located at “%LOCALAPPDATA%microsoftVScode.” If this directory is not found, indicating that VSCode is not installed, the script then proceeds to download the VSCode Command Line Interface (CLI) from a Microsoft source: “hxxps://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli[.]zip.” Once downloaded, the zip file is extracted, and the executable file “code.exe” is placed into the “%LOCALAPPDATA%microsoftVScode” directory

Persistence

The script then proceeds to create a scheduled task named “MicrosoftHealthcareMonitorNode” to ensure the persistence of its malicious activities. It is designed to execute the “update.py” script using “pythonw.exe,” which runs without showing a console window, allowing the malicious activity to stay hidden. Before creating the task scheduler entry, the script checks if it already exists by running the command “schtasks /query /tn MicrosoftHealthcareMonitorNode” to avoid creating duplicates.

 The configuration of this task varies depending on the user’s privilege level. For non-admin users, the task is set to run every four hours, beginning at 8:00 AM, ensuring that the malicious script is executed at regular intervals. On systems where the user has administrative privileges, the task is configured to trigger at logon, running with elevated SYSTEM privileges and high priority, which grants it more control and less likelihood of being interrupted. The figure below shows the Schedule task entry created by the malware.

Creating Remote Tunnel

The script next checks if “code.exe” is already running in the background by inspecting the output of the “tasklist” command. If it detects that “code.exe” is not active, then proceeds to execute “code.exe” to log out any active remote sessions. This is done by issuing the command “code.exe tunnel user logout,” which ensures the termination of any existing remote tunnels connected to the victim’s system. This step is crucial for the TA, as it allows them to establish a fresh remote tunnel for future interactions with the victim’s system.

After ensuring the existing tunnel is closed, the script initiates a new process using the command:

code.exe –locale en-US tunnel –accept-server-license-terms –name <COMPUTERNAME>

This command initiates a remote tunnel, and the script automatically associates it with a GitHub account for authentication. Now, the output of the “code.exe” command is saved in a file named “output.txt” within the “%localappdata%microsoftVSCode” directory. Additionally, the content of “output.txt” is copied to another file named “output2.txt” in the same directory to extract the 8-character alphanumeric activation code for the GitHub account.

Following this, the script reads the “output2.txt” file and identifies the GitHub account activation code using a regular expression pattern “and use code (w{4}-w{4})” as shown in the figure below.  This extracted code is saved to a variable for later stages of the attack, enabling further malicious activities.

Exfiltration

The TA then gathers the victim’s system information by collecting the names of folders from several directories, including “C:\Program Files,” “C:\Program Files (x86),” “C:\ProgramData,” and “C:\Users.” In addition, Additionally, the TA obtains a list of processes currently running on the victim’s machine and sends this information directly to the TA’s command-and-control (C&C) server, “hxxp://requestrepo.com/r/2yxp98b3“ as shown below. RequestRepo.com is primarily a tool for analyzing incoming HTTP and DNS requests. However, the TA has exploited it to capture stolen data transmitted from victim machines.

Furthermore, the TA gathers more sensitive data, such as the system’s language settings, geographical location, computername, username, userdomain, the activation code for the remote tunnel, and details about user privileges. All of this data is base64 encoded to obfuscate it before being sent to the command-and-control (C&C) server via a POST request. The figure below shows the code snippet used by the TA for data exfiltration.

Impact

After the TA receives the exfiltrated data, they can log in using their GitHub account at the URL “hxxps://github.com/login/device”. Here, the TA can enter the exfiltrated alphanumeric activation code to gain unauthorized access to the victim’s machine.

Unauthorized access to the victim’s machine allows the TA to view and manipulate files and directories stored on the victim’s system. The figure below shows how the TA can access the victim’s files through the VSCode tunnel using the stolen activation code.

This degree of access not only enables them to browse through the victims’ files but also enables them to execute commands through the terminal. With this control, the TA can perform a variety of actions, such as installing malware, extracting sensitive information, or altering system settings, potentially leading to further exploitation of the victim’s system and data.

Unit42 researchers explained that the TA can execute several tools, including mimikatz, LaZagne, In-Swor, and Tscan, to perform various malicious activities on the victim’s system.

Conclusion

This campaign demonstrates the growing sophistication of TAs in leveraging legitimate tools like VSCode to establish unauthorized access to victim systems. By utilizing a seemingly harmless .LNK file and an obfuscated Python script, the Threat Actot can effectively bypass detection measures. This access allows them to manipulate files, execute commands, and potentially install additional malware, amplifying the scope for exploitation.

Organizations maintain a proactive security posture, focusing on vigilance, enhancing existing security practices, and implementing new ones to defend against a constantly evolving threat spectrum. Understanding these tactics is crucial for building a more resilient cybersecurity posture.

Recommendations

Utilize advanced endpoint protection solutions that include behavioral analysis and machine learning capabilities to detect and block suspicious activities, even those involving legitimate applications like VSCode.

Review scheduled tasks on all systems regularly to identify unauthorized or unusual entries. This can help detect persistence mechanisms established by threat actors.

Conduct training sessions to educate users about the risks of opening suspicious files or links, particularly those related to .LNK files and unknown sources.

Limit user permissions to install software, particularly for tools that can be exploited, like VSCode. Implement application whitelisting to control which applications can be installed and run on systems.

Deploy advanced monitoring tools that can detect unusual network traffic, unauthorized access attempts, and abnormal behavior within the system. Regularly audit and review system and application logs to catch early signs of intrusion.

MITRE ATT&CK® Techniques

Tactic
Technique
Procedure

Execution (TA0002)
Command and Scripting Interpreter: Python (T1059.006)
Update.py is downloaded and executed by the shortcut file

Persistence (TA0003)
Scheduled Task/Job: Scheduled Task (T1053.005)
“MicrosoftHealthcareMonitorNode” scheduled task is created for non-admin users

Privilege Escalation (TA0004)       
Scheduled Task/Job: Scheduled Task (T1053.005)  
“MicrosoftHealthcareMonitorNode” scheduled task is created for admin users with SYSTEM privilege

Defense Evasion (TA0005)
Masquerading: Match Legitimate Name or Location (T1036.005)  
Creates a folder “%localappdata%/Microsoft/Python” directory

Discovery (TA0007)
System Information Discovery (T1082)
Collects system’s language settings, geographical location, computername, username, and userdomain

Discovery (TA0007)
File and Directory Discovery (T1420)
Collects folder names present in program files and program data directory

Discovery (TA0007)
Process Discovery (T1057)
“tasklist” command is used to gather a list of currently running processes.

Command and Control (TA0011)
Application Layer Protocol: Web Protocols (T1071.001)
The VSCode tunnel feature is used to access the victim’s system.

Indicators Of Compromise

Indicators 
Indicator Type
Description

281766109f2375a01bad80478fd18841eccaefc1ee9277179cc7ff075d1beae2
SHA-256
Shortcut file

c7f07bdfb91653f53782885a3685436e2e965e1c5f4863c03f5a9825c0364489
SHA-256
update.py

hxxp://requestrepo.com/r/2yxp98b3
C&C
POST request sent to this URL

hxxps://paste[.]ee/r/DQjrd/0
URL
Downloads update.py

The post Silent Intrusion: Unraveling the Sophisticated Attack Leveraging VS Code for Unauthorized Access appeared first on Cyble.

Blog – Cyble – ​Read More

Key Takeaways

Cyble threat intelligence researchers investigated 15 vulnerabilities this week and highlighted three of them for security teams to prioritize.

Cyble researchers also found seven vulnerability exploits discussed on the dark web and cybercrime forums, raising the risk that those flaws will be increasingly exploited.

Cyble recommends eight best practices for preventing and limiting cyberattacks and data breaches.

Overview

Cyble Research and Intelligence Labs (CRIL) researchers this week investigated 15 vulnerabilities of particular significance for IT teams, and identified three that merit high-priority patching.

Cyble’s Sept. 18-24 Weekly Vulnerability Insights Report for subscribers also examined seven exploits circulating on the dark web and cybercrime forums, elevating the importance of addressing those flaws too.

Cyble also highlighted eight cybersecurity best practices that all organizations should follow to reduce the risk of cyberattacks and contain any that do occur.

The full report is available for subscribers; here we’ll focus on the most critical risks.

The Top IT Vulnerabilities This Week

The three vulnerabilities highlighted in the report include:

CVE-2024-8963, a critical admin bypass vulnerability in Ivanti Cloud Services Appliance (CSA), is a security-focused solution designed to facilitate secure communication and device management. Recently, Ivanti disclosed that attackers could exploit the flaw by chaining CVE-2024-8963 with CVE-2024-8190 to bypass admin authentication and execute arbitrary commands on unpatched appliances. This vulnerability is also being discussed on the dark web (see below). There is an available patch. Cyble researchers also issued a separate advisory on a vulnerability (CVE-2024-7593) in Ivanti’s Virtual Traffic Manager (VTM).

CVE-2024-45409, a critical SAML authentication bypass vulnerability impacting self-managed installations of the GitLab Community Edition (CE) and Enterprise Edition (EE). Security Assertion Markup Language (SAML) is a single sign-on (SSO) authentication protocol that allows users to log in across different services using the same credentials. An unauthenticated attacker with access to any signed SAML document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. The disclosure follows several other recent GitLab vulnerabilities.

Internet Exposure? No

Patch Available? Yes

CVE-2024-7490, a critical improper input validation vulnerability in Microchip Technology Advanced Software Framework, a comprehensive library designed for microcontrollers, facilitating various stages of product development, including evaluation, prototyping, design, and production. The vulnerability can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.

Internet Exposure? No

Patch Available? Yes

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels where the channel administrator shared or discussed exploits weaponizing vulnerabilities, including:

CVE-2024-8190: This is a high-severity OS command injection vulnerability present in Ivanti’s Cloud Services Appliance versions 4.6 Patch 518. It allows attackers with admin access to execute arbitrary commands on the system, potentially leading to complete system compromise.

CVE-2024-36837: A high-severity SQL injection vulnerability present in CRMEB version 5.2.2. This vulnerability allows remote attackers to gain unauthorized access to sensitive information.

CVE-2024-46740: A high severity Use-After-Free (UAF) vulnerability in the Linux Kernel. It is specifically related to the binder subsystem.

CVE-2024-20439: A critical security vulnerability affecting the Cisco Smart Licensing Utility, which could allow unauthenticated, remote attackers to gain administrative access to the system.

CVE-2024-8956: A critical improper authentication vulnerability was identified in PTZOptics’ PT30X-SDI and PT30X-NDI cameras prior to firmware version 6.3.40.

CVE-1999-1587: A vulnerability is present in the ‘/usr/ucb/ps’ command in Sun Microsystems’ Solaris OS, affecting Solaris 8 and 9, as well as a few older versions. The vulnerability allows local users to exploit certain parameters in the commands to view environment details on the system.

CVE-2024-23692: CRIL observed multiple administrators of Telegram channels and a Threat Actor sharing a proof of concept (PoC) for a critical command injection vulnerability affecting the Rejetto HTTP File Server (HFS), specifically versions up to 2.3m. The vulnerability allows remote, unauthenticated attackers to execute arbitrary commands by sending specially crafted HTTP requests to the server.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

1. Implement the Latest Patches

To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.

2. Implement a Robust Patch Management Process

Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.

3. Implement Proper Network Segmentation

Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.

4. Incident Response and Recovery Plan

Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.

5. Monitoring and Logging Malicious Activities

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.

6. Keep Track of Security Alerts

Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.

7. Visibility into Assets

Maintain an up-to-date inventory of all internal and external assets, including hardware, software, and network components. Use asset management tools and continuous monitoring to ensure comprehensive visibility and control over your IT environment.

8. Strong Password Policy

Change default passwords immediately and enforce a strong password policy across the organization. Implement multi-factor authentication (MFA) to provide an extra layer of security and significantly reduce the risk of unauthorized access.

The post Weekly IT Vulnerability Report: Cyble Urges Fixes for Ivanti, GitLab and Microchip appeared first on Cyble.

Blog – Cyble – ​Read More

On a recent Wednesday night, Ranveer Allahbadia, the popular figure behind the YouTube channels BeerBiceps and his main channel, became a victim of a cyberattack. The Ranveer Allahbadia YouTube channel hack resulted in a complete overhaul of their content and branding.  

After gaining unauthorized access, the hackers renamed the main channel to “Tesla” and altered the personal channel to “@Tesla.event.trump_2024.” This takeover included the deletion of all interviews and podcasts, which were replaced with older streams featuring high-profile personalities like Elon Musk and Donald Trump. 

Ranveer Allahbadia YouTube Channel Hack

On his BeerBiceps channel, the name was changed to “@Elon.trump.tesla_live2024.” In a humorous yet pointed response to the breach, Ranveer took to Instagram to share his thoughts about the BeerBiceps and Ranveer Allahbadia YouTube channel hack, posting, “Celebrating my two main channels being hacked with my favourite food. Vegan burgers. Death of BeerBiceps met with death of diet. Back to Mumbai.” 

Before the attack on YouTube channels, Ranveer Allahbadia was well-known for his engaging content that spans motivational advice, lifestyle tips, and how-to tutorials. His primary YouTube channel has amassed over 9.4 million subscribers (about half the population of New York) and approximately 2.84 billion total views since its inception in 2017. The BeerBiceps channel, launched in 2014, attracted around 7.84 million subscribers and over 2 billion views. 

Recent statistics revealed that Ranveer’s channels experienced substantial growth, with an increase of 360,000 subscribers and around 319 million views in just the past month. In terms of rankings, he was positioned 570th in total grade and 432nd in subscriber rank within India, as per the data on SocialBlade. 

The Ranveer Allahbadia YouTube channel hack is not an isolated incident. The hacking of YouTube channels has become a staple for malicious actors. For example, earlier this year, the official YouTube channel of the Supreme Court of India fell victim to a hacking incident, where unauthorized content promoting cryptocurrency was posted.  

Similarly, comedian Bharti Singh faced a crisis when her YouTube channel, Bharti TV Network, was hacked. Singh took to social media to express her distress and seek urgent assistance from YouTube India, stressing the severity of the issue and the need for immediate intervention. 

The Rise of Crypto-Related Hacks

The cyberattack on Ranveer Allahbadia not only impacts his content but also raises questions about the security measures in place for popular YouTube channels. The attack reflects a troubling trend where hackers exploit well-known personalities and brands, using their platforms to promote unrelated content, often of a dubious nature. 

For creators like Ranveer, the repercussions of such hacks can be far-reaching. The loss of valuable content, along with the disruption of their brand identity, poses a dire threat to their online presence and audience trust.  

A notable pattern in recent hacking incidents is the targeting of digital platforms to promote cryptocurrencies. Reports indicate that many high-profile channels, including those of celebrities, have been hijacked to showcase cryptocurrency-related content. This trend has led to a broader conversation about digital security and the accountability of platforms like YouTube in preventing such breaches. 

Ripple Labs, a notable player in the cryptocurrency space, even initiated legal action against YouTube, claiming inadequate protection against scammers who impersonated its executives and engaged in fraudulent activities. The lawsuit aimed to catalyze changes in industry practices concerning accountability and response to such digital threats. 

Recommendations for Content Creators

Considering these incidents, content creators are urged to adopt stronger security measures to protect their channels from potential hacks. Here are some recommended steps: 

Enable Two-Factor Authentication (2FA): This adds an extra layer of security by requiring not just a password but also a second form of identification. 

Regularly Update Passwords: Creators should use strong, unique passwords and change them frequently to reduce the risk of unauthorized access. 

Monitor Channel Activity: Regularly check for any unusual activity on channels and address any discrepancies immediately. 

Educate on Phishing Scams: Creators should be aware of common phishing tactics that hackers use to gain access to accounts. 

Back-Up Content: Regularly back up content to ensure that valuable videos and data can be recovered in case of a breach.

The post Ranveer Allahbadia YouTube Channel Hack: What Happened and What’s Next appeared first on Cyble.

Blog – Cyble – ​Read More