Today, we’re excited to introduce a major update to Kaspersky Password Manager for mobile devices. This update will be available in all app stores during November 2024. We’re confident this refresh will make storing and managing passwords, two-factor authentication codes, and encrypted documents even easier. In this article, we’ll cover advanced filtering, search functionality, synchronization, and more.
Highlights
The mobile version of our password manager is celebrating its 10th anniversary this year (while the desktop version turns 15), and in those 10 years we’ve managed to consolidate all the best features into a single app. In recent years, we’ve been conducting extensive Kaspersky Password Manager user-behavior research and, based on the findings, we’ve completely revamped the navigation in our mobile app.
What’s new:
The side menu has been replaced with a navigation bar at the bottom of the screen. The product’s core features are now organized into sections.
We’ve created a dedicated section for the in-app search, and improved the search scenarios.
Managing favorite entries is now more convenient; they’re now pinned at the top of the list.
We’ve added a “Sync” button and placed it in a prominent location.
The password generator, import, and security-check features have been grouped into a separate “Tools” section.
These changes are available to all Kaspersky Password Manager users on both Android (app version 9.2.106 and later) and iOS (app version 9.2.92 and later).
Navigation bar
All core Kaspersky Password Manager functions are now accessible through the navigation bar at the bottom of the screen.
Updated home screen of Kaspersky Password Manager for iOS (left) and Android (right)
Let’s look at each element of the new bar from left to right.
All Entries. This is the main menu – the heart of our password manager.
Subscription. Here, you can view your current subscription, including the expiry date and provider. If you don’t have a subscription, you can create or log in to a My Kaspersky account to activate or purchase one.
Tools. Here, you’ll find the “Password Generator”, “Password Check”, and “Import Passwords” tools. The names speak for themselves. With a single click, you can create strong, unique passwords, check your existing passwords for uniqueness, strength, security, and compromise in data breaches, and import passwords from built-in browser password managers and similar products into our secure vault.
Search. If you’re an active internet user and have dozens or even hundreds of unique passwords for different accounts saved in Kaspersky Password Manager, simply click on the magnifying glass icon and type just a few characters to quickly find the entry you need.
Settings. This is where you can enable notifications, change your primary password, configure auto-lock and login methods, choose sorting options, access help resources, check the app version, and log out of your account.
New filtering
Let’s dive a little deeper. Another additional feature is the option to select entry categories within a section. Now, clicking “All Entries” opens a dropdown menu with these categories: websites, apps, other, bank cards, documents, addresses, notes, authenticator, and folders (you can create new folders as needed).
New entry category display in Kaspersky Password Manager for iOS (left) and Android (right)
Other additions
In the top right corner, you’ll notice a new “Sync” icon – replacing the “Search” button, which now resides in the navigation bar. Clicking this new icon displays the current synchronization status of your entries between your cloud storage and devices. If everything is in order, and your smartphone is connected to the internet and operating normally, you’ll see “All data is synced” with the date and time of the last sync. To refresh the data manually, click “Sync”.
The Search function has not only gotten its own tab in the navigation bar, but now also remembers your last search within the current session. For example, let’s say you were searching for your virtual card details while shopping, then switched to the “All Entries” menu, checked the settings and sync status, and then returned to “Search”. Your query and results will remain, despite your little wander through Kaspersky Password Manager. However, if you restart the app or clear the search, you’ll have to enter the query again.
Important note for Kaspersky Password Manager users on iOS 18. Due to Apple’s policies, the default source for auto-filling passwords and logins in iOS 18 is Apple’s built-in “Passwords” app, not Kaspersky Password Manager. This is easy to fix:
After updating to iOS 18, you need to launch Apple’s “Passwords” app at least once. This will activate the “AutoFill & Passwords” section in your device settings.
Go to “AutoFill & Passwords” in the device settings.
Everything is now set for secure password management. On Android devices, when you first launch the password manager, enable autofill permissions. Simply follow the in-app instructions to do so.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-19 10:06:312024-11-19 10:06:31Kaspersky Password Manager Update | Kaspersky official blog
The Cybersecurity and Infrastructure Security Agency (CISA) has recently added three significant vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV), based on evidence of active exploitation. These vulnerabilities, identified in popular networking and security products, represent a considerable risk to both private and government networks.
The recently added vulnerabilities to the CISA’s Known Exploited Vulnerabilities Catalog include CVE-2024-1212, a critical OS command injection flaw in the Progress Kemp LoadMaster; CVE-2024-0012, an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS; and CVE-2024-9474, a privilege escalation issue within PAN-OS that enables attackers to escalate privileges via OS command injection.
These vulnerabilities have been categorized with varying levels of urgency and severity, but all share a common characteristic—they pose substantial risks when left unaddressed, particularly for federal enterprises. The vulnerabilities were identified through active threat research and exploitation monitoring, underlining the need for immediate mitigation and patching.
CVE-2024-1212: Progress Kemp LoadMaster OS Command Injection Vulnerability
Progress Kemp LoadMaster, a widely-used application delivery controller and load balancer, has been found to contain a severe OS command injection vulnerability. This issue, designated CVE-2024-1212, allows an attacker with access to the administrator web user interface (WUI) to execute arbitrary commands on the affected system. The vulnerability stems from a flaw in the LoadMaster’s handling of API requests via the administrator interface.
The vulnerability in Progress Kemp LoadMaster (CVE-2024-1212) is triggered when an attacker sends specially crafted input to the system’s “/access” endpoint, which bypasses existing restrictions. This input is improperly handled by a vulnerable Bash script, leading to unchecked user input being passed into a system() call.
As a result, attackers can inject malicious commands that could potentially escalate privileges to root, providing full control over the device. The affected version is 7.2.59.0.22007, while the issue has been addressed in the patched version 7.2.59.2.22338. For further details, users are encouraged to review the Kemp LoadMaster CVE-2024-1212 advisory.
The vulnerability was rapidly patched after its discovery, but administrators are urged to upgrade to the latest version to mitigate potential exploitation risks. If left unpatched, the vulnerability allows attackers to completely compromise the affected system, making it a prime target for cybercriminals.
CVE-2024-0012 is a critical vulnerability in Palo Alto Networks PAN-OS, the software that powers their next-generation firewalls. This vulnerability allows unauthenticated attackers to bypass authentication mechanisms on the management web interface, granting them administrator-level privileges.
The vulnerability in PAN-OS software (CVE-2024-0012) affects the management interface, allowing attackers to bypass authentication controls and gain unauthorized access to administrative functions. This could lead to a full compromise of the firewall, enabling attackers to modify configurations, exfiltrate sensitive data, or exploit other vulnerabilities, such as CVE-2024-9474, which facilitates privilege escalation.
Reports indicate that this flaw is actively being exploited, with cybercriminals targeting management interfaces exposed to the internet. The vulnerability has been assigned a critical severity score of 9.3, highlighting its potential impact. Affected versions include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2.
Palo Alto Networks published an advisory (PAN-SA-2024-0015) on November 18, 2024, and has released patches for PAN-OS versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later versions. To mitigate risks, the company strongly recommends restricting access to the management interface to trusted internal IP addresses.
Another vulnerability, CVE-2024-9474, found in the same PAN-OS software, allows attackers to escalate privileges once they have compromised a device through the previously mentioned CVE-2024-0012 vulnerability. This privilege escalation (PE) vulnerability is especially dangerous for organizations that have already been compromised, as it allows attackers to gain root-level access to the device, providing them with full control over the firewall system.
The vulnerability (CVE-2024-9474) allows attackers who have already bypassed authentication (via CVE-2024-0012) to escalate their privileges through a flaw in the web management interface of PAN-OS. Once they gain elevated privileges, attackers can perform administrative actions that are normally restricted, such as modifying critical system files or configurations, potentially leading to a complete system compromise.
This vulnerability has been assigned a medium severity rating of 6.9 and is actively being exploited. Affected versions include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2. To address the issue, Palo Alto Networks has released patches for PAN-OS versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later versions. In addition to applying these patches, it is recommended to restrict access to management interfaces to trusted internal IP addresses.
Recommendations and Mitigations
To mitigate the risks posed by these vulnerabilities, the following actions are strongly recommended for affected organizations:
Ensure all affected systems are patched to the latest versions as listed in the vendor advisories. This will address the vulnerabilities at their core.
Limiting access to management interfaces to trusted internal IP addresses is the best defense against exploitation, particularly for vulnerabilities like CVE-2024-0012.
Regularly monitor for any unusual activity or configuration changes within your firewalls or load balancers. This includes reviewing logs for signs of exploitation or attempts to exploit the listed vulnerabilities.
Organizations using Palo Alto Networks’ firewalls with a Threat Prevention subscription should configure the system to block known attacks associated with these vulnerabilities using Threat IDs 95746, 95747, and others.
Conclusion
The addition of CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog highlights the active and ongoing nature of threats targeting critical infrastructure. Cybercriminals are increasingly targeting vulnerabilities in widely used enterprise tools like load balancers and firewalls, aiming to exploit weak points that could lead to full system compromises or privilege escalation.
Organizations that use affected products, such as Progress Kemp LoadMaster or Palo Alto Networks’ PAN-OS, are strongly encouraged to apply the necessary patches and follow best practices for securing management interfaces. By taking these steps, they can mitigate the risk of exploitation and protect their systems.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-19 09:06:592024-11-19 09:06:59CISA Adds Three Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog
From kids to retirees, no one is safe from cybercrooks. And if you’re always putting cybersecurity on hold because it all seems so daunting, our five dead-simple tips are just the ticket. Each of them will greatly beef up your protection against the most common cyberthreats. We compiled this post as part of INTERPOL’s #ThinkTwice global information campaign to raise awareness of the main cybercrime vectors plus simple but effective ways to counter them.
Automate your passwords
Make all your passwords for both websites and apps long enough (at least 12 characters) and unique (that is, never use them more than once). No one can think up and memorize so many passwords, so use a password manager to create, store and enter them. You’ll only need to come up with and memorize just one (long!) main password for it; everything else — from generating to entering passwords — will be done automatically.
Keep in mind: you need to install the password manager on all your devices to enter passwords easily and safely everywhere. The data will be synched across all your devices. So, having saved a password on your smartphone, you’ll be able to automatically enter it on your desktop, and vice versa. Note that the password manager will let you store in encrypted form not only passwords, but also PINs, full credit card details, addresses, notes, and even document scans.
Pro level: for maximum security, disable biometric login to the password manager — this way you’ll have to enter the main password every time you use the app, but no one will be able to access all your data without knowing the main password (don’t write it on a sticky note, by the way).
Enable double checking
Double checking, or two-factor authentication, protects you from password-stealing hackers who break into your accounts using leaked credentials. Besides the password, they’ll need to enter a one-time code sent to you via a text or an authenticator app.
Although banks enable two-factor authentication (2FA) automatically, in many other online services it remains optional. Wherever your data is even a tiny bit confidential (social networks, messengers, government services, email), we recommend enabling 2FA in the settings, if available.
Keep in mind: There’s usually a choice of how to get one-time codes: by email or text, or by generating them in a special authenticator app on your smartphone. Of these methods, the safest is to use the latter; next come codes via text (they can be intercepted), and the least secure option is codes via email.
With an authenticator app, the only risk is if you lose your smartphone, in which case you’ll also lose access to accounts protected by one-time codes. Here again, Kaspersky Password Manager comes to the rescue: not only does it securely store authentication tokens and generate one-time codes, it also synchronizes them across all your devices. So, if your smartphone is lost or broken, you can easily generate a verification code on any of your other devices, as well as restore all your Kaspersky Password Manager data to a new phone.
Pro level: get yourself a FIDO U2F hardware key — this dongle looks like a tiny flash drive and offers the best protection against hackers.
Double-check links and attachments
Never follow links or open files sent via messenger or email if you don’t recognize the sender or aren’t expecting any messages. If a friend, colleague or acquaintance writes you a message, but it looks even a little strange, call them, or reply via another communication channel to make sure it really is them and not a scammer.
Keep in mind: use two layers of defense! The first layer is your vigilance; the second is a comprehensive security solution. This will keep you away from phishing sites looking to extract passwords and money, as well as stop malware in its tracks. Incidentally, if a message or website asks you to turn off your antivirus – 99% of the time it’s an attempt to infect you.
Pro level: sign in to email, banking and other accounts only from browser bookmarks or by entering the address manually, and never open links in messages, emails or notifications — it might be phishing.
Enable automatic updates
This is to prevent cybercriminals from infecting you by exploiting bugs in your operating system, browser, office applications or other software. They can all update themselves — you just need to not postpone this action when prompted to restart the program or computer.
Keep in mind: sometimes “updates” are offered on websites. You go to the site, which says you need to update the browser, or video player, or Windows — and invites you to download an update on the spot. Stop! It’s a trick to sneak a virus into your device or computer. Genuine update prompts appear right in an application’s menu or as operating system notifications. Pro level:Kaspersky Premium can monitor all your installed programs and notify you whenever an update becomes available. One click or tap, and everything’s up-to-date!
Think twice before sharing online
Photos sent to a stranger or scanned documents posted on social media can come back to bite you. You or family members might become victims of extortion, or scammers might use such information to create a convincing cover story to extract money from you or your friends. Therefore, only send and post things that you wouldn’t mind showing on a billboard outside your home. What gets posted online can be very difficult, if not impossible, to remove.
Keep in mind: social networks and messengers have privacy settings to adjust the visibility of your posts. Go there and change as many settings as possible from “Visible to everyone” to “Friends only”. To find out how to best configure privacy for operating systems, browsers, social networks and other programs, visit our Privacy Checker site.
Pro level: use a tool to monitor online leaks of personal information. A free option is to create a Google Alert for your name; a more powerful alternative is to go for a premium service. For example, Kaspersky Premium monitors leaks of personal data linked to all phone numbers and email addresses used by you and your loved ones as a standard feature.
How to automate protection
These tips are much easier to follow with an app that automates each aspect of security. Kaspersky Premium includes a password and one-time 2FA code manager, anti-phishing and anti-malware protection, update management and leak monitoring — all this and much more is available for both computers and smartphones. Join the club of savvy users who enjoy robust protection for next-to-no effort!
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-18 13:07:192024-11-18 13:07:19Simple tips for a safer digital life | Kaspersky official blog
The Indian Computer Emergency Response Team (CERT-In) has recently added two Cisco vulnerabilities to its catalog. Both vulnerabilities target Cisco products, with high severity ratings and potential for impacts on the confidentiality, integrity, and availability of affected systems.
The first vulnerability, CVE-2024-20536, affects Cisco’s Nexus Dashboard Fabric Controller (NDFC), specifically versions 12.1.2 and 12.1.3. The flaw is found in the REST API endpoint and web-based management interface, and it could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.
The vulnerability arises due to insufficient input validation. An attacker with read-only privileges could exploit this flaw by sending specially crafted requests to the affected device’s REST API or management interface, bypassing input validation and potentially modifying or deleting data in the internal database. Exploiting this vulnerability could lead to denial of service (DoS) conditions and a significant disruption of operations.
The severity of the vulnerability is classified as high. It affects Cisco NDFC versions 12.1.2 and 12.1.3, making these systems particularly vulnerable to exploitation. The potential impact includes data manipulation, which could allow attackers to alter sensitive information and service disruption, potentially leading to system downtime. Furthermore, there is a risk of data leakage, where unauthorized individuals may access and expose confidential data stored within the affected systems.
This vulnerability does not affect Cisco NDFC when it is configured as a Storage Area Network (SAN) controller. However, for organizations using the affected versions of Cisco NDFC, the potential risks are significant, especially in terms of data integrity and availability.
CVE-2024-20484: Denial of Service in Cisco Enterprise Chat and Email (ECE)
The second vulnerability, CVE-2024-20484, affects Cisco Enterprise Chat and Email (ECE) versions 12.6 and earlier, running the External Agent Assignment Service (EAAS). This vulnerability could allow unauthenticated, remote attackers to trigger a Denial of Service (DoS) condition, disrupting the availability of the ECE system.
The vulnerability lies in the way Cisco ECE handles Media Routing Peripheral Interface Manager (MR PIM) traffic. An attacker could exploit this flaw by sending specially crafted MR PIM traffic, causing a failure in the MR PIM connection between Cisco ECE and Cisco Unified Contact Centre Enterprise (CCE). This failure leads to a denial-of-service condition, rendering the ECE system inoperable.
This issue primarily affects organizations using Cisco ECE for enterprise communication. A successful attack could lead to widespread disruptions, affecting internal communications and customer service operations.
Cisco’s Broader Vulnerability Landscape: A Year of Increased Threats
While CVE-2024-20484 and CVE-2024-20536 are the latest additions to the catalog of known vulnerabilities, Cisco has had a series of high-severity vulnerabilities throughout the year. In addition to these new vulnerabilities, Cyble recently reported on a critical flaw in the Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB), tracked as CVE-2024-20418. This vulnerability, with a CVSS score of 10.0 (the highest possible severity), allows attackers to gain root-level access to vulnerable Cisco devices.
Exploiting this flaw can enable unauthorized command execution on affected systems, making it one of the most dangerous vulnerabilities in Cisco’s product lineup this year. The CVE-2024-20418 vulnerability affects Cisco Catalyst Access Points operating in URWB mode, such as the Catalyst IW9165D, IW9165E, and IW9167E models. Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected device, injecting commands with root privileges, and gaining control over the device. Exploiting this vulnerability could lead to compromises in industrial and high-stakes environments.
Moreover, Cyble sensors have previously detected cyberattacks targeting the “/+CSCOE+/logon.html” URL, which is linked to Cisco ASA’s WebVPN Login Page. Vulnerabilities like XSS, path traversal, and HTTP response splitting could allow attackers to execute code, steal data, or disrupt services.
Conclusion
The disclosure of these Cisco vulnerabilities, like CVE-2024-20484 and CVE-2024-20536, stresses the growing risk of exploitation in critical infrastructure, particularly in widely used systems like Cisco products. As Cyble and other threat intelligence firms have noted, cybercriminals are increasingly targeting known vulnerabilities, employing tactics such as brute-force attacks and leveraging the dark web to spread exploits.
With vulnerabilities continuing to be discovered and actively targeted, organizations must prioritize patch management, implement strong security measures, and conduct regular vulnerability assessments. By staying on guard and proactive in updating systems, segmenting networks, and monitoring suspicious activity, businesses can better defend against online threats.
The two Palo Alto Networks vulnerabilities, which are actively being targeted by cybercriminals, are identified as CVE-2024-9463 and CVE-2024-9465; both have critical severity ratings and are known to be actively exploited in real-world attacks. Organizations using affected versions of Palo Alto Networks Expedition are urged to take immediate action to mitigate the risks.
The vulnerabilities in question—CVE-2024-9463 (OS Command Injection) and CVE-2024-9465 (SQL Injection)—impact Palo Alto Networks’ Expedition software, a tool for migrating and optimizing PAN-OS configurations. Both flaws have been assigned CVSSv4 scores of 9.9 and 9.2, respectively, signifying their high criticality.
These vulnerabilities could allow attackers to gain unauthorized access to sensitive data or execute arbitrary commands on affected systems, posing online risks to organizations’ security.
Details of Palo Alto Networks Vulnerabilities: CVE-2024-9463 and CVE-2024-9465
The first vulnerability, CVE-2024-9463, is a critical OS command injection flaw that affects Palo Alto Networks Expedition. Assigned a CVSSv4 score of 9.9, this vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected system.
If successfully exploited, this can compromise the integrity of the system, giving attackers the ability to disclose sensitive information. This includes usernames, cleartext passwords, device configurations, and API keys associated with PAN-OS firewalls, which are critical for securing network traffic.
Attackers exploiting this flaw can gain root access to these systems, making this vulnerability a prime target for those seeking to compromise firewall configurations and sensitive network data.
Another critical flaw, CVE-2024-9465, is a SQL injection vulnerability found in Expedition. This flaw, with a CVSSv4 score of 9.2, allows attackers to interact with and manipulate the system’s database, exposing sensitive information such as password hashes, usernames, and device configurations. Exploiting this vulnerability could give attackers the ability to create and read arbitrary files on the system, which increases the risk of a full system compromise.
Similar to CVE-2024-9463, the vulnerable version for CVE-2024-9465 is Expedition < 1.2.96. Additionally, proof-of-concept (PoC) exploits for this vulnerability have already been released to the public, escalating the risk of widespread attacks. As the PoC code is now accessible, it allows potential attackers to easily replicate the exploit and target vulnerable systems more efficiently.
Both CVE-2024-9463 and CVE-2024-9465 are critical vulnerabilities in the Expedition software suite. Organizations that are running versions of Expedition older than 1.2.96 are strongly advised to immediately update to the latest patched version. Given the severity and the ongoing active exploitation of these vulnerabilities, patching is crucial to protect sensitive information and maintain system security.
Cyble researchers have observed active exploitation of these flaws, with CVE-2024-9463 being particularly concerning due to its ability to grant attackers root-level access. This could result in a wide range of malicious activities, including data breaches, ransomware deployment, and unauthorized system modifications. Organizations should be particularly vigilant in monitoring their systems for signs of exploitation.
Recommendations and Mitigations
Palo Alto Networks has already released patches to address both vulnerabilities and organizations are urged to upgrade to Expedition version 1.2.96 or later. However, simply applying the patch may not be enough. The following mitigation strategies are recommended:
Organizations should immediately apply the latest patches released by Palo Alto Networks to close the vulnerabilities. Ensuring that systems are updated with the latest software versions will significantly reduce the risk of exploitation.
After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated to prevent attackers from using previously exposed credentials to access systems. Similarly, any firewall usernames, passwords, and API keys processed by Expedition should also be updated to maintain system security.
Organizations should implement comprehensive monitoring and logging solutions to detect suspicious activities. SIEM (Security Information and Event Management) tools can help organizations identify and respond to potential exploitation attempts in real-time.
Regular vulnerability assessments and penetration testing should be conducted to identify and address any other potential weaknesses. This proactive approach ensures that other unknown vulnerabilities are addressed.
Organizations should have a well-defined incident response and recovery plan in place, which includes procedures for detecting, responding to, and mitigating the effects of an attack. Regular testing and updates to the plan are crucial to ensure readiness against online threats.
Conclusion
The inclusion of CVE-2024-9463 and CVE-2024-9465 in CISA’s Known Exploited Vulnerabilities catalog highlights the urgent need for organizations to address these critical vulnerabilities in the Palo Alto Networks Expedition.
With active exploitation ongoing, it is important for organizations using vulnerable versions to prioritize patching and apply recommended security measures. Delaying action could lead to severe data breaches and system compromises.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-18 08:08:012024-11-18 08:08:01CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog
Cyble Research and Intelligence Labs (CRIL) came across a campaign Linked to the known APT group DONOT, targeting the manufacturing industry that supports the country’s maritime and defense sectors.
The campaign uses a malicious LNK file disguised as an RTF containing encrypted data. The file is decrypted via PowerShell to deliver a lure RTF and payload.
A scheduled task is then created to ensure the malware runs every five minutes for persistence.
Random domains are generated with hardcoded words and TLDs for backup C&C servers.
The encryption method for C&C communication has changed compared to previous campaigns.
The stager malware communicates with the C&C server using AES encryption and Base64 encoding to evade detection.
The decryption key for the second-stage payload is now in the downloaded binary rather than hardcoded in the config file.
The victim’s system information is collected before delivering the final payload to assess the target’s value.
The stager malware uses environment variables to store critical configuration details, like C&C addresses and task information.
Overview
CRIL recently came across a campaign seemingly aimed at Pakistan’s manufacturing industry, which supports the country’s maritime and defense sectors. After analyzing the files involved in the campaign, it was determined that the attack was linked to the known APT group DONOT.
DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group operating since 2016. This group has a history of targeting government and military entities, as well as foreign affairs ministries and embassies across South Asia.
Figure 1 – Cyble Vision Threat Library
In this recent campaign, the Threat Actor (TA) uses the .LNK file as the initial infection vector, which could arrive within a RAR archive via spam email. The .LNK file is disguised as an RTF file, leading users to believe they are opening a legitimate file.
When the user clicks to execute, it triggers cmd.exe and powershell.exe to run additional malicious commands, loading the stager malware (a DLL file) and establishing persistence by creating a scheduled task to execute the DLL file through rundll32.exe. Also, it communicates with the primary C&C server by sending a unique device ID via a POST request and, in response, receives control commands from the TA to direct its next actions.
These actions include self-destruction, deployment of additional malicious payloads by downloading an encrypted payload from a specified URL, and subsequent execution. To evade detection and complicate analysis, the malware employs a different encryption method instead of the single-byte XOR key used in previous campaigns. The figure below shows the infection chain.
Figure 2 – Infection Chain
This “.LNK” file campaign was first identified by StrikeReady Labs, who reported it on the X platform. A similar campaign was also seen in July 2024, targeting Pakistan’s Government agencies and manufacturing industries using sector-specific lures. In the previous campaign, the TA employed malicious Office files with embedded macros and Rich Text Format (RTF) files that exploit vulnerabilities to load the stager DLL onto victim machines.
When comparing the previous campaigns, the initial infection vector has shifted from Microsoft Office files to .LNK files. Additionally, the stager DLL now employs an enhanced payload delivery method and improved C&C communication, incorporating encryption mechanisms at various stages.
Technical Analysis
The malicious “.LNK” file contains PowerShell commands, an encrypted lure RTF file, and the encrypted stager payload. Upon execution, the “.LNK” file initiates “cmd.exe,” which creates a directory in the “%temp%” path and copies “powershell.exe” to this location as “2SqSxDA2.exe.” The newly copied PowerShell process subsequently executes the PowerShell code embedded in the LNK file. The figure below shows the partial content of the LNK file.
Figure 3 – Partial contents of the LNK file
PowerShell Code
The PowerShell command embedded within the “.LNK” file retrieves both a lure file and a DLL from the “.LNK” itself. It identifies the “.LNK” file based on its file size and directory path, then decrypts the lure RTF file and the DLL file using a single-byte XOR operation with “0xB2.” Decryption begins at offset “0x1774” for the lure file and “0x79AF” for the DLL.
These extracted files are stored in the “%temp%7GGVXwRn” directory. Once extraction is complete, the PowerShell command deletes the PowerShell copy “2SqSxDA2.exe,” opens the lure document, and calls “rundll32.exe” to execute the DLL, invoking the export function “HgCallClient.”
Figure 4 – Content of PowerShell commands
Lure Document
The lure document is related to Karachi Shipyard & Engineering Works (KS&EW), a prominent defense contractor and shipbuilding company in Pakistan. This suggests that the TA is targeting industries supporting the defense sector. The figure below shows the lure document.
Figure 5 – Lure Document
DLL file analysis
Upon execution, the DLL begins extracting configuration details from an embedded JSON file. This configuration includes information such as the configuration filename, environment variable name, server domain, transit keys for secure communication, mutex, and user-agent string. The table below shows the configuration details.
Filed Name
Value
ConfigFileName
Config.json
EnvVarTaskName
PFTN
HMAC_Security
j4fhrJpSqvgE
MachineMutex
5734b817-1bb8-402b-a761-da8f2e188baf
ServerDomain
hxxps://internalfileserver[.]online:443/
TransitKey
tTRxrb0kmbQGpdci
TransitSalt
aWrtRHXuEBy6CwXj
userAgent
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
BackupServerURL
hxxps://safehydratedcloudcosmoswebglobe[.]cc/
PrimaryServerUrl
hxxps://internalfileserver[.]online:443/
FirstTaskName
Schedule
TaskDefinition
This service enables a user to configure and schedule automated tasks on this computer. It also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times, and any services that explicitly depend on it will fail to start.
Random domain generation
The BackupServerURL mentioned in the config file is generated by selecting six values from a hardcoded array of words and concatenating them to create a domain. A TLD is then selected from a separate array of TLD values. This randomly generated domain serves as a backup for Command and Control (C&C) communication. The figure below shows the list of available words used for generating random domains.
Figure 6 – Random Domain Generation
Persistence
After extracting the configuration details, the DLL checks for the presence of a specific scheduled task named “Schedule.” If the task is not found, it creates a new task to execute the DLL via “rundll32.exe” every 5 minutes for one day, as shown in the figure below.
Figure 7 – Scheduled Task
After establishing persistence, the DLL sends a POST request to the primary server URL. This request includes headers such as an HMAC (Hash-based Message Authentication Code) generated from the HTTP method, contact URL, current DateTime, and an HMAC secret key, along with an “X-Timestamp.” The request body contains the unique DeviceID and configuration filename, encrypted using a hardcoded AES transit key and salt, then base64 encoded before being sent to the C&C primary URL. This encryption method marks a relatively new approach in this campaign compared to previous ones observed.
Figure 8 – C&C communication
If the C&C server responds with a status code of 200, the response content contains JSON configuration data, which is decrypted using the same AES transit key and IV. The decrypted data includes the following details:
DownloadURL
FileDropEnvironment
FileDropName
ExportFunctionName
TaskName
Self_Destruction (boolean)
Execution (boolean)
Figure 9 – JSON configuration
The decrypted JSON configuration data allows the TA to control key aspects of the malware’s behavior, such as downloading additional payloads, specifying file locations, and configuring execution options. This enables flexibility to adjust the attack as needed.
Next Stage payload Execution
If the TA intends to execute an additional payload, the encrypted payload is downloaded according to the C&C configuration. It is then decrypted using an XOR key found within the encrypted file, just after a sequence of magic bytes, and processed using the XOR round-robin method, as shown in Figure 10. This process differs from a previous campaign where the encrypted data was fetched from a URL, and the decryption key was provided directly in the C&C configuration, as shown in Figure 11
Once decryption is successful, the data is verified as a valid binary by checking for the presence of the string “This program cannot be run in DOS mode”. The decrypted payload is then placed in the directory specified by the “FileDropEnvironment” variable.
Figure 10 – Decrypting the Payload (Latest Campaign)Figure 11 – Decrypting the payload (previous campaign)
After verifying the binary, the stager malware creates a scheduled task to execute the decrypted binary using “rundll32.exe”. The task name and execution interval are specified in the configuration details provided by the TA via the C&C.
Figure 12 – Scheduled task
In case of a decryption failure, the stager malware updates the configuration with the backup server URL and logs the error message “File corruption while decrypting” It also collects detailed system information, such as disk space and installed security products, to help identify the cause of the decryption failure. This information is then sent to the TA via POST request.
Figure 13 – Gathering System information
In case of successful payload deployment through the scheduled task, the stager malware logs the event in the same manner as it does for a failure, with the only difference being that the result is recorded as “Payload Deployment Successful.” This log also contains detailed system information, helping the TA identify potential targets in case of success and detect security solutions in case of failure. The TA collects and logs all relevant details, regardless of the outcome, and sends the information to the TA’s C&C via POST request.
Figure 14 – Sending JSON log as a POST request
The stager malware typically stores data, including the number of attempts to communicate with the C&C, the primary C&C domain name, the last connection date, the backup domain name, and details of the second-stage payload. These values are stored as encrypted entries in the environment variables, as shown in the table below.
During our testing, the C&C server was unavailable, preventing us from receiving a response. As a result, we were unable to observe or analyze the behavior of the next-stage DLL payload, which would have been triggered by communication with the C&C server. Without this crucial interaction, we could not fully understand how the payload executes or what further actions it might take.
Self- Deletion If TA activates the self-destruction command via C&C, the stager malware removes the scheduled task and initiates self-deletion by executing the “DEL” command through “cmd.exe”. The image below illustrates the self-deletion process.
Figure 15 – Self delete
Threat Actor Attribution
The malicious DLL connects to the C&C server “internalfileserver[.]online,” which resolves to the IP address “94[.]141.120[.]137.” This same IP address previously hosted the domain “office-updatecentral[.]com,” which was used by the DoNot APT group in a prior campaign. Also, the tactics, techniques, and procedures (TTPs) observed in this campaign exhibit similar behavior to those reported by the 360 Threat Intelligence Centre.
Conclusion
This DoNot APT campaign shows an evolution in tactics. It uses malicious LNK files, PowerShell for payload delivery, and scheduled tasks for persistence. The group also employs dynamic domain generation for backup C&C servers and has updated its encryption methods to avoid detection.
The shift in how decryption keys are handled and the collection of system information before payload delivery indicate a more sophisticated approach. These changes highlight the growing complexity of APT campaigns and the need for improved detection and defense strategies.
Threat hunting Packages
The threat hunting package, including YARA and Sigma rules capable of detecting this campaign, can be downloaded from the linked GitHub pages.
Recommendations
Deploy robust EDR solutions to monitor unusual PowerShell activity, scheduled task creation, and suspicious network connections to C&C servers. Ensure these tools are configured to flag and alert on anomalies.
Limit the execution of PowerShell and other scripting tools to necessary users only and enforce least privilege policies to prevent malware from escalating privileges and performing malicious actions.
Conduct frequent audits of scheduled tasks to identify any unusual or unauthorized tasks, particularly those involving rundll32.exe. Ensure only trusted applications are allowed to create or execute scheduled tasks.
Implement behavior-based detection systems that can identify malicious actions, such as frequent attempts to contact C&C servers or unexpected encrypted data being transmitted.
Implement a well-defined incident response plan with clear steps to handle potential APT intrusions. This plan should include rapid identification, containment, and recovery from any detected malicious activity.
Conduct regular cybersecurity awareness training for employees, focusing on identifying phishing emails and handling suspicious attachments to reduce the risk of initial infection.
A pair of actively exploited Microsoft zero-day vulnerabilities highlighted an active November Patch Tuesday, which also saw updates from several IT vendors.
Overview
Cyble Research and Intelligence Labs (CRIL) researchers investigated 22 vulnerabilities and eight dark web exploits from Nov. 6 to 12 and highlighted nine vulnerabilities that merit high-priority attention from security teams.
CRIL researchers also identified six dark web exploits that are at high risk in Cyble’s weekly IT vulnerability report to clients, which examined two Microsoft zero-days and vulnerabilities from Veeam, Cisco, HPE Aruba, D-Link, Citrix, and others.
Security teams should identify the vulnerabilities that are present in their environments and apply patches and mitigations promptly.
CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability found in all supported versions of Windows that has been exploited in the wild since at least April. Researchers disclosed this week that suspected Russian hackers exploited it for zero-day attacks targeting Ukrainian entities. The vulnerability was triggered by phishing emails that contained links to download a malicious Internet shortcut file, which, when interacted with, triggered the vulnerability to connect to a remote server and download malware.
CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler that has also been attacked. From a low-privilege AppContainer, an attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment, Microsoft said. A successful exploit could allow an attacker to execute RPC functions that are restricted to privileged accounts.
CVE-2024-49040 is a high-severity spoofing vulnerability in Microsoft Exchange Server that allows attackers to forge legitimate senders on incoming emails and makes malicious messages much more effective. A researcher reported a Proof of Concept (PoC) for this vulnerability, but Microsoft paused the update after some customers reported issues with Transport rules stopping periodically after the update was installed.
CVE-2024-40711 is a critical vulnerability in Veeam VBR (Veeam Backup & Replication) servers caused by the deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE). Previously, the vulnerability was observed to be leveraged in Akira and Fog ransomware attacks. At present, researchers have observed that it is now exploited to deploy a newly identified strain of Frag ransomware.
CVE-2024-42509 and CVE-2024-47460 are command injection vulnerabilities in AOS-8 and AOS-10 versions of HPE Aruba’s network operating system. The flaw lies in the underlying CLI service, which could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Cyble researchers detailed the vulnerabilities and others in a separate blog.
CVE-2024-20418 is a critical vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points, which is a specialized software solution designed to provide robust and reliable wireless connectivity for industrial applications. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. Cyble also covered this vulnerability in a separate blog.
CVE-2024-10914 is a critical command injection vulnerability in end-of-life (EOL) D-Link network-attached storage (NAS) devices. Unauthenticated attackers can exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable D-Link NAS devices exposed online. Researchers observed that attackers are exploiting the vulnerability with publicly available exploit codes.
CVE-2024-11068 is a critical incorrect use of privileged API vulnerability impacting the end-of-life D-Link DSL6740C modem. The vulnerability allows unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account. Since D-Link recently announced that it will not provide patches or updates for this EOL product, the vulnerability poses a significant risk to users.
Vulnerabilities and Exploits on Underground Forums
CRIL researchers also observed multiple Telegram channels and underground forums where threat actors shared or discussed exploits weaponizing vulnerabilities. Those vulnerabilities include:
CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.
CVE-2024-50340: A high-security vulnerability affecting the Symfony PHP framework. The vulnerability allows an attacker to manipulate the application’s environment or debug mode by sending specially crafted query strings.
CVE-2024-8068 and CVE-2024-8069: These recently identified vulnerabilities in Citrix Session Recording pose significant security risks for Citrix environments. CVE-2024-8068 allows for privilege escalation to the NetworkService Account access level, and the vulnerability CVE-2024-8069 allows for limited remote code execution with the privileges of a NetworkService Account.
CVE-2024-47295: A high-severity vulnerability identified in the SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary administrator password on affected devices. The vulnerability results from an insecure initial password configuration in which the administrator password is left blank.
CRIL researchers also observed a threat actor discussing the critical vulnerability CVE-2023-38408, which affects 26 million internet-facing OpenSSH assets detected by Cyble. The vulnerability allows for remote code execution (RCE) when the SSH agent is forwarded to an attacker-controlled system.
Cyble Recommendations
To protect against these vulnerabilities and exploits, organizations should implement the following best practices:
To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
Implement immutable, air-gapped, ransomware-resistant backup procedures for sensitive and critical data.
Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.
Conclusion
These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-15 07:06:382024-11-15 07:06:38Cyble IT Vulnerability Report: Microsoft Zero Days Under Attack
Germany’s Federal Office for Information Security (BSI) recently released The State of Cybersecurity 2024 report, which illuminates the critical threats and advances in resilience across Germany’s digital landscape.
In a joint press briefing, Federal Minister of the Interior Nancy Faeser and BSI President Claudia Plattner said that while the cyberthreat landscape remains tense, resilience measures are proving effective in protecting businesses, institutions, and democratic processes.
Federal Minister Nancy Faeser noted the importance of cybersecurity for societal stability, stating, “Cybersecurity is central to our society and affects each and every one of us.” She highlighted that extortion, cyber espionage, and hybrid threats—especially from state-sponsored actors—continue to pose significant risks, necessitating robust cybersecurity investments to safeguard democratic institutions.
BSI President Claudia Plattner reinforced this stance, noting that Germany has witnessed increased resilience against cyber threats. However, she warned against complacency: “We must continue to increase our resilience in a nationwide effort.” Both leaders stressed the importance of swiftly incorporating the NIS-2 Directive into national law to fortify Germany’s cyber defenses.
Key Findings from BSI’s 2024 Report
Rising Threats from Malware and Ransomware Attacks
Between mid-2023 and mid-2024, an alarming increase in malware variants was recorded, with an average of 309,000 new variants discovered daily—a 26% increase over the previous year. Much of this rise is attributed to attacks targeting 64-bit Windows systems and an above-average increase in Android malware.
Ransomware continues to be a significant challenge, especially for businesses and government institutions. Data leaks following ransomware attacks have increased, although the percentage of victims paying ransom has dropped. LockBit leads the list of the five most active groups targeting Germany. The group published 40 alleged leak victims on its leak site during the reporting period, followed by BlackBasta and 8Base.
Figure 2 – Top 5 Leak pages from July 2024 to June 2024 (Source: BSI)
Many organizations now rely on robust backup systems, reducing their dependency on attackers to restore encrypted data. BSI observed that transparent communication about cyber incidents has helped mitigate potential impacts, as other organizations can swiftly address and close similar vulnerabilities.
Advanced Persistent Threats (APT) and Cyber Espionage
Germany noted the surge in persistent threats from Advanced Persistent Threat (APT) groups, many of which are state-sponsored. Against a backdrop of geopolitical tension, these groups are increasingly targeting political parties, governmental agencies, and corporations for cyber espionage. Germany urged its public and private sectors to adopt proactive threat intelligence and protective measures to defend against these sophisticated, continuous attacks.
Cybersecurity for Elections: Ensuring Democratic Integrity
For German citizens, not only the European elections but also three state elections in Saxony, Thuringia, and Brandenburg and nine local elections took place. The BSI said the electoral process, communication by the authorities and the media, and the formation of opinion and will in the context of elections are now highly dependent upon information technology and are, therefore, at the center of information security.
BSI provided dedicated security oversight, working with electoral authorities to protect the integrity of the voting process. As Germany heads toward future elections, the BSI has enhanced its monitoring and support for political entities, prioritizing resilience against potential cyber threats and disinformation campaigns from state actors.
Emerging Cybersecurity Challenges
Increase in High-Volume DDoS Attacks
The first half of 2024 saw a substantial uptick in Distributed Denial of Service (DDoS) attacks, with a marked increase in high-volume attacks exceeding 10,000 Mbps. DDoS attacks not only disrupt services but are increasingly used to sow public uncertainty by exaggerating their impact on social media.
Figure 3 – Proportion of High-Bandwidth DDoS attacks doubled in April 2024 (Source: BSI)
The BSI recommends adopting advanced DDoS mitigation strategies, particularly for critical infrastructure, to withstand these escalating attack volumes.
Data Theft Targeting Consumers
Phishing remains a major threat to German citizens, with attackers expanding beyond financial institution impersonation to include popular streaming services. During 2024, phishing campaigns have increasingly targeted user data—such as credit card information and personal identifiers—via emails masquerading as communications from banks and entertainment platforms. The BSI advises consumers to stay vigilant and adopt robust identity protection measures to counter phishing attempts.
Strategic Initiatives to Strengthen Cyber Resilience
Cybernation Germany Initiative
The Cybernation Germany initiative, launched in early 2024, is a step towards a national commitment to building resilience and expanding Germany’s cybersecurity expertise. The initiative’s goals align with the NIS-2 Directive and the Cyber Resilience Act (CRA), which impose mandatory cybersecurity measures and incident reporting standards for companies. The CRA emphasizes a “security by design” approach, particularly for IoT devices, to bolster protections across interconnected networks.
This initiative demonstrates a concerted push from Germany towards enhanced threat intelligence, cyber resilience, and protective infrastructure.
Key Recommendations from BSI for Strengthening Cybersecurity
Governance and Risk-Based Policies: Organizations should maintain updated, approved cybersecurity policies, leveraging threat intelligence to refine policies and prioritize high-risk threats.
Enhanced Monitoring and Detection: With the rise in malware and ransomware, BSI recommends integrating Security Operations Centers (SOC) with continuous threat detection and red teaming exercises to effectively simulate real-world scenarios.
Incident Response and Recovery: BSI encourages organizations to establish structured Incident Response plans, supported by Cyber Threat Intelligence (CTI), to reduce response times and facilitate efficient recovery from cyber incidents.
Increased Public Awareness and Resilience Measures: Awareness campaigns, employee training, and enhanced communication strategies have proven effective in helping organizations and consumers defend against phishing and ransomware attacks.
Collaboration with International Security Standards: Adhering to NIS-2 and the Cyber Resilience Act ensures that German entities align with European cybersecurity standards, enhancing cross-border protections and maintaining consistent security measures across sectors.
Conclusion: A Proactive Path Forward
The BSI’s 2024 report reaffirms Germany’s proactive approach to cybersecurity, emphasizing resilience, regulatory compliance, and advanced threat intelligence.
With heightened preparedness across government, businesses, and society, Germany is well-positioned to defend against increasingly sophisticated cyber threats. However, as Minister Faeser stated, the evolving cyber threat landscape necessitates continuous investment and adaptation to safeguard Germany’s critical infrastructure and democratic systems.
Germany’s Cybernation initiative and collaboration with international cybersecurity frameworks hint at a robust defense strategy that other nations can use as a model. By maintaining proactive measures, aligning with global security standards, and fostering a culture of resilience, Germany aims to ensure cybersecurity remains integral to its digital and democratic future.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-14 13:06:362024-11-14 13:06:36Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience
Cyble Research & Intelligence Labs’ (CRIL) Weekly Industrial Control System (ICS) Vulnerability Intelligence Report has highlighted multiple security vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA).
These ICS vulnerabilities, which affect critical Industrial Control System components from Bosch Rexroth, Delta Electronics, and Beckhoff Automation, target unsuspecting users. With multiple vulnerabilities posing substantial risks to operational continuity, prompt patching and mitigation efforts are critical.
CISA issued three security advisories this week, each addressing several Industrial Control System vulnerabilities with varying severity. The vulnerabilities affect products integral to manufacturing, energy, and utilities. Cyble Research & Intelligence Labs has emphasized the need to prioritize patching certain vulnerabilities due to their potential impact on operational systems and the risk of exploitation by cyber adversaries.
The most concerning vulnerabilities include stack-based buffer overflow issues in Delta Electronics’ DIAScreen and a command injection vulnerability in Beckhoff Automation’s TwinCAT Control Package. If exploited, these vulnerabilities could lead to severe disruptions, including device crashes, remote code execution, and unauthorized command execution.
Detailed Vulnerability Analysis
The vulnerabilities identified this week are multiple products and vendors within the ICS environment.
Bosch Rexroth – Uncontrolled Resource Consumption in IndraDrive Controllers
CVE-2024-48989 is a high-severity vulnerability affecting Bosch Rexroth’s AG IndraDrive FWA-INDRV*-MP* and IndraDrive Controllers. The vulnerability arises from uncontrolled resource consumption within the affected devices, which, if exploited, could lead to system instability or a denial of service (DoS) attack.
To mitigate this vulnerability, it is strongly recommended that organizations immediately apply the vendor’s patch. This will minimize the risk of exploitation and ensure the continued reliability and security of the affected devices.
Delta Electronics – Multiple Stack-Based Buffer Overflow Vulnerabilities in DIAScreen
The vulnerabilities identified as CVE-2024-47131, CVE-2024-39605, and CVE-2024-39354 are high-severity issues affecting Delta Electronics’ DIAScreen versions prior to v1.5.0. These vulnerabilities stem from buffer overflow issues within the system, which could cause the device to crash when exploited. If successfully attacked, remote adversaries could execute arbitrary code on the compromised device, potentially leading to a complete device compromise and significant operational downtime.
To mitigate the risks associated with these vulnerabilities, Delta Electronics has released patches that address the issue. Organizations using affected versions are strongly advised to upgrade to the latest software versions to protect their systems. Additionally, implementing network segmentation can help minimize the exposure of critical assets, further reducing the likelihood of successful exploitation.
Beckhoff Automation – Command Injection in TwinCAT Control Package
CVE-2024-8934 is a medium-severity vulnerability affecting the TwinCAT Control Package for versions prior to 1.0.603.0. This vulnerability arises from a command injection flaw, which could allow attackers to execute arbitrary commands within the system. If successfully exploited, this could compromise the underlying infrastructure, potentially impacting the security and stability of the affected systems.
To address this issue, organizations should upgrade to the latest version of the TwinCAT Control Package. This will effectively mitigate the vulnerability. Additionally, to further protect against exploitation, restricting access to the affected systems through network-level controls is advisable.
The vulnerabilities disclosed in this report demonstrate a concerning trend in the ICS vulnerability environment. The data from CISA reveals that a large proportion of the vulnerabilities affecting Industrial Control Systems (ICS) fall under critical or high-severity categories. Specifically, 50% of the identified vulnerabilities are classified as critical, while 30% are categorized as high severity.
In contrast, medium-severity vulnerabilities account for 15% of the total, while low-severity vulnerabilities make up just 5%. This distribution underscores the increasing risks posed by ICS vulnerabilities, highlighting the critical importance of implementing robust vulnerability management strategies to address and mitigate potential threats.
Recommendations for Mitigating ICS Vulnerabilities
To effectively manage and mitigate the risks associated with these vulnerabilities, the following steps are recommended:
Organizations should follow the guidance provided by CISA and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly.
Segregating ICS networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation.
Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks.
Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with CISA’s vulnerability intelligence reports is essential for proactive defense.
Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise.
Conclusion
The ICS vulnerabilities highlighted by CISA demonstrate the rise of new risks targeting the industrial sector. By implementing comprehensive patch management strategies, enhancing network security, and staying informed about CISA’s vulnerability alerts, organizations can reduce their exposure to these risks and better protect their critical assets from potential exploitation.
Proactive measures such as regular security audits, network segmentation, and continuous monitoring will be essential for ensuring the ongoing safety and security of Industrial Control Systems and their associated networks.
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-14 11:06:412024-11-14 11:06:41Key Industrial Control System Vulnerabilities Identified in Recent CISA Advisories
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
We discovered a new Python program called PXA Stealer that targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software.
PXA Stealer has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts.
The attacker has used complex obfuscation techniques for the batch scripts used in this campaign.
We discovered the attacker selling credentials and tools in the Telegram channel “Mua Bán Scan MINI,” which is where the CoralRaider adversary operates, but we are not sure if the attacker belongs to the CoralRaider threat group or another Vietnamese cybercrime group.
Victimology and targeted information
The attacker is targeting the education sector in India and government organizations in European countries, including Sweden and Denmark, based on Talos telemetry data.
The attacker’s motive is to steal the victim’s information, including credentials for various online accounts, browser login data, cookies, autofill information, credit card details, data from various cryptocurrency online and desktop wallets, data from installed VPN clients, gaming software accounts, chat messengers, password managers, and FTP clients.
Attacker’s infrastructure
Talos discovered that the attacker was hosting malicious scripts and the stealer program on a domain, tvdseo[.]com, in the directories “/file”, “/file/PXA/”, “/file/STC/”, and “/file/Adonis/”. The domain belongs to a Vietnamese professional search engine optimization (SEO) service provider; however, we are not certain whether the attacker has compromised the domain to host the malicious files or has subscribed to get legitimate access while still using it for their malicious purposes.
We found that the attacker is using the Telegram bot for exfiltrating victims’ data. Our analysis of the payload, PXA Stealer, disclosed a few Telegram bot tokens and the chat IDs – controlled by the attacker.
Attacker–controlled Telegram bot token
7545164691:AAEJ4E2f-4KZDZrLID8hSRSJmPmR1h-a2M4
7414494371:AAGgbY4XAvxTWFgAYiAj6OXVJOVrqgjdGVs
Attacker–controlled Telegram chat IDs
-1002174636072
-1002150158011
-4559798560
-4577199885
-4575205410
Attacker’s underground activities
We identified attacker’s Telegram account “Lone None,” which was hardcoded in the PXA Stealer program and analyzed various details of the account, including the icon of Vietnam’s national flag and a picture of the emblem for Vietnam’s Ministry of Public Security, which aligns with our assessment that the attacker is of Vietnamese origin. Also, we found Vietnamese comments in the PXA Stealer program, which further strengthen our assessment.
The attacker’s Telegram account has biography data that includes a link to a private antivirus checker website that allows users or buyers to assess the detection rate of a malware program. This website provides a platform for potential threat actors to evaluate the effectiveness and stealth capabilities of the malware before purchasing it, indicating a sophisticated level of service and professionalism in the threat actor’s operations.
We also discovered that the attacker is active in an underground Telegram channel, “Mua Bán Scan MINI,” mainly selling Facebook accounts, Zalo accounts, SIM cards, credentials, and money laundry data. Talos observed that this Vietnamese actor is also seen in the Telegram group in which the CoralRaider actor operates. However, we are not certain whether the actor is a member of the CoralRaider gang or another Vietnamese cybercrime group.
Talos discovered that the attacker is also promoting another underground Telegram channel, “Cú Black Ads – Dropship,” by sharing a few automation tools to manage large numbers of user accounts in their channel and conducting the exchanging or selling of information related to social media accounts, proxy services, and a batch account creator tool.
The tools shared by the attacker in the group are automated utilities designed to manage several user accounts. These tools include a Hotmail batch creation tool, an email mining tool, and a Hotmail cookie batch modification tool. The compressed packages provided by the threat actor often contain not only the executable files for these tools but also their source code, allowing users to modify them as needed.
Hotmail batch creation tool from telegram channel.Hotmail cookie batch modification tool from telegram channel.
We found that the attacker is not sharing all the tools for free, and some of them require users to send a unique key back to the Telegram channel administrator for software activation. This process ensures that only those who have been vetted or have paid for the tool can access its full functionality. We also discovered that these tools are distributed on other websites, such as aehack[.]com, highlighting that they are selling the tools. Additionally, a YouTube channel exists that provides tutorials on how to use these tools, further facilitating their widespread use and demonstrating the organized efforts to market and instruct potential users on their application.
Infection Chain
The attacker gains initial access by sending a phishing email with a ZIP file attachment, according to our telemetry data. The ZIP file contains a malicious loader executable file compiled in Rust language and a hidden folder called Photos. The hidden folder has other recurring folders, such as Documents and Images, that contain obfuscated Windows batch scripts and a decoy PDF document.
When a victim extracts the attachment ZIP file, the hidden folder and the malicious Rust loader executable are dropped onto the victim machine. When the malicious Rust loader executable is run by the victim, it loads and executes multiple obfuscated batch scripts that are in the dropped hidden folders.
We deobfuscated the Windows batch scripts using CyberChef, with each step in the process being crucial and requiring precise execution to achieve accurate deobfuscation. First, we employed regular expressions (regex) to filter out random characters consisting of uppercase and lowercase letters (A to Z). These random strings ranged in length from six to nine characters and were enclosed within “%” symbols. Next, we filtered out the “^” symbols and removed any remaining uppercase and lowercase letters (A to Z) as well as special characters “_,” /’(?),” “$,” “#,” and “[].” Finally, we eliminated the “%” symbols and we were able to successfully deobfuscate the scripts and reveal their PowerShell commands.
Snippet of the obfuscated batch script
Snippet of the deobfuscated batch script
The batch scripts execute PowerShell commands simultaneously, performing the following activities on the victim machine:
Opens a decoy PDF document of a Glassdoor job application form.
Downloads a portable Python 3.10 package archive masquerading as “synaptics.zip”, which is hosted on the attacker-controlled domain through the hardcoded URL “hxxps[://]tvdseo[.]com/file/synaptics[.]zip”, and saves it in the user profile’s temporary folder as well as in the public user’s folder with the random file names and extracts them.
Then, it creates and runs a Windows shortcut file with the file name “WindowsSecurity.lnk”, configuring a base64-encoded command as a command line argument in the user profile’s temporary folder and configures the “Run” registry key with the path of the shortcut file to establish persistence.
The Windows shortcut file with a single-line Python script using a disguised portable Python executable downloads a base64-encoded Python program from a remote server. The downloaded program contains instructions to disable the antivirus programs on the victim’s machine.
Next, the batch script continues to execute another PowerShell command that downloads the PXA Stealer Python program and executes it with the masqueraded portable Python executable “synaptics.exe” on the victim’s machine.
Another batch script called “WindowsSecurity.bat” is dropped in the Windows startup folder of the victim’s machine to establish persistence, which has the command to download and execute the PXA Stealer Python program shown in the earlier paragraph.
PXA Stealer targets victims’ sensitive data
PXA Stealer is a Python program that has extensive capabilities targeting a variety of data on the victim’s machine.
When the PXA Stealer is executed, it kills a variety of processes from a hardcoded list, including endpoint detection software, network capture and analysis process, VPN software, cryptocurrency wallet applications, file transfer client applications, and web browser and instant messaging application processes by executing “task kill” commands.
Detection evasive function of PXA Stealer.
The stealer has the capability of decrypting the browser master key, which is a cryptographic key used by web browsers like Google Chrome and other Chromium-based browsers to protect sensitive information, including stored passwords, cookies, and other data in an encrypted form on the local system. The stealer accesses the master key file “Local State” located in the browser folder of the user’s profile directory, which contains the information of the encryption key used to encrypt the user data stored in the “Login Data” file, and decrypts it using the “CryptUnprotectData” function. This allows the attacker to gain access to the stored credentials and other sensitive browser information.
Browser master key decryption function of PXA Stealer.
The stealer also attempts to decrypts the master key that is stored in the key4.db file. Key4.db is a database used by Firefox (and some other Mozilla-based browsers) to store encryption keys, particularly the master key that encrypts sensitive data, such as saved passwords. The “getKey” function of the stealer is designed to extract and decrypt keys from the key4.db file using either AES or 3DES encryption methods, depending on the encryption used in the stored key.
Browser master key decryption function of PXA Stealer.
The stealer attempts to retrieve user profiles paths from the profiles.ini file of browser applications, including Mozilla Firefox, Pale Moon, SeaMonkey, Waterfox, Mercury, k-Melon, IceDragon, Cyberfox, and BlackHaw for further processing, such as extracting saved passwords or other user data.
The stealer collects the victim’s login information from the browser’s login data file. The function “get_ch_login_data” of the stealer extracts login data, including URLs, usernames, and passwords, from the database “login_db”, which stores login information. The extracted login information is formatted into a string that includes the URL, username, decrypted password, browser, and profile.
For each login entry in the browser login database, the function checks if the URL contains any important keywords that are hardcoded in the stealer program, and if a match is found, the login information is saved in a separate file named “Important_Logins.txt” located in the “Browsers Data” folder within the user’s profile temporary directory. The function saves all the results to “All_Passwords.txt” in the “Browsers Data” folder for other login data found in the database.
Login credentials stealer function of PXA Stealer.
The stealer executes another function, “get_ch_cookies”, to extract cookies from a specified browser’s cookie database, decrypt them, and save the results to a file. First, it checks if the cookies database file exists in the specified profile directory and unlocks the cookies database file. The database file is then copied to the temporary folder and is processed by executing an SQL query to retrieve cookie information, including host key, name, path, encrypted value, expiration time, secure flag, and HTTP-only flag from the cookies database file.
If any Facebook cookies are found, they are concatenated to a single string called “fb_formatted”, and it calls another function, “ADS_Checker()”, to check for ads based on the Facebook cookies, and the results are written to a file called “Facebook_Cookies.txt”. Any other cookie information is written to a text file named after the browser and the profile. Finally, the function removes the temporary cookie database file.
Browser cookies stealer function of PXA Stealer.
In another sample of the stealer, for the browsers Chrome, Chrome SxS, and Chrome(x86), it downloads and executes a cookie stealer JavaScript through the URL hxxps://tvdseo[.]com/file/PXA/Cookie_Ext.zip. The cookie stealer JavaScript connects to the Telegram bot with the token, and the chat ID hardcoded in the script collects the cookies and sends them to the attacker’s Telegram bot through the POST method.
Browser cookie stealer JavaScript.
Next, the stealer targets the victim’s credit card information stored in the browser database “webappsstore.sqlite”. The function extracts and decrypts saved credit card information from a browser’s web data database. It checks if the cards database file “cards_db” exists and copies them to the user’s profile temporary folder. It executes a SQL query to retrieve credit card information including name on card, expiration month/year, encrypted card number, and date modified. Then it decrypts the encrypted card number using the function “decrypt_ch_value” with the help of the decrypted master key. It writes the cards’ information to a text file and names it after the browser and the profile. Finally, it gets the count of credit card information that was found and deletes the temporary copy of the “cards_db” file.
Credit card data stealer function of PXA Stealer.
The stealer extracts and saves the autofill form data from a browser’s database to a text file with the file name format of “$browser_$profile.txt” in a folder called “AutoFills” in browser profile location.
Autofill data stealer function of PXA Stealer.
The stealer also extracts and validates Discord tokens stored in various browsers or Discord applications. It checks for the stored encrypted Discord tokens in the different browser database files and also Discord-specific applications files of Discord, Discord Canary, Lightcord, and Discord PTB on the victim’s machine by searching for strings using regular expression “r”dQw4w9WgXcQ:[^.*[‘(.*)’].*$][^”]*”)”. Once the encrypted tokens are found, it decrypts them with the function “decrypt_dc_tokens()” using the extracted master key that was used to encrypt the tokens from the “Local State” file. Then, it validates the decrypted Discord tokens to check if it is a legitimate Discord token and stores it by associating it with the browser name. Besides searching for the encrypted tokens, the function also looks for unencrypted Discord tokens by searching strings that match the regular expression pattern “[w-]{24}.[w-]{6}.[w-]{27}” for standard tokens and “mfa.[w-]{84}” for multi-factor authentication (MFA) tokens in “.log” and “.ldb” files in the levelDB directory of Discord applications or web browsers where the structured key-value data is stored in levelDB database format.
Discord token stealer function of PXA Stealer.
The stealer executes another function to extract the user information from the MinSoftware application database. It searches for the database file “db_maxcare.sqlite” file on the victim machine folders, including Desktop, Documents, Downloads, OneDrive and in the logical partitions with the drive letters “D:” and “E:”. Once found, it executes a SQL query to search in the accounts table of the database file and extracts the following data:
uid: User identifier.
pass: User’s password.
fa2: Two-factor authentication data.
email: The user’s email address.
passmail: The email password.
cookie1: Likely a session or authentication cookie.
token: Likely an authentication token.
info: Account information.
MinSoftware application data stealer function of PXA Stealer.
The stealer also has the functionalities for interacting with Facebook Ads Manager and Graph API using a session authenticated via cookies.
It takes a Facebook cookie and parses it for the session information, such as “c_user”, and attempts to access the token.
Retrieves and formats the details about the user’s ad accounts, such as account status, currency, balance, spend cap, and amount spent.
Gets the list of the user’s Facebook pages, including page name, link, likes, followers, and verification status.
It retrieves a list of groups with administrative users.
It extracts Business Manager IDs associated with the account and retrieves ad account information under each Business Manager.
It uses Facebook data to determine ad account limits for a Business Manager.
It extracts the token from Facebook mobile pages to facilitate authenticates requests.
Facebook data stealer function of PXA Stealer.
After collecting the targeted victim’s data, including the login data, browser cookies, autofill information, credit card details, Facebook ads account data, cryptocurrency wallet data, Discord token details, and MinSoft application data, the stealer creates a ZIP archive of all the files in the user profile’s temporary folder with the file name format “CountryCode_Victim’s public IP Computername.zip”, with a high compression level of value nine.
While creating the archive and navigating the targeted folders, the stealer excludes some of the directories, including user_data, emoji, tdummy, dumps, webview, update-cache, GPUCache, DawnCache, temp, Code Cache, and Cache. It also attempts to rename each file while adding them to the archive. The archive is exfiltrated to the actor’s Telegram bot. After exfiltrating the victim’s data, the stealer deletes the folders that contained the collected user data.
Exfiltration function of PXA Stealer.
Coverage
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are listed below:
https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png00https://www.backbox.org/wp-content/uploads/2018/09/website_backbox_text_black.png2024-11-14 11:06:402024-11-14 11:06:40New PXA Stealer targets government and education sectors for sensitive information
