ICS Vulnerability Intelligence Report: Key Insights and Recommendations

ICS Vulnerability

Overview

Cyble Research & Intelligence Labs (CRIL) has investigated key ICS vulnerabilities this week, providing critical insights issued by the Cybersecurity and Infrastructure Security Agency (CISA), focusing on multiple flaws in several ICS products.

During this reporting period, CISA issued four security advisories targeting vulnerabilities across various Industrial Control Systems, including those from ICONICS, Mitsubishi Electric, VIMESA, iniNet Solutions, and Deep Sea Electronics. These advisories pinpoint ICS vulnerabilities that security teams should prioritize for immediate patching to mitigate potential risks.

The recent vulnerability assessment has revealed a high-severity path traversal vulnerability in SpiderControl SCADA. The Deep Sea Electronics DSE855 has also been identified as susceptible to a configuration disclosure vulnerability. This issue enables unauthorized access to stored credentials via an HTTP GET request directed at the Backup.bin file.

ICS Vulnerabilities Overview

The Cyble Research & Intelligence Labs (CRIL) analysis details several critical vulnerabilities, providing essential information to help organizations prioritize their mitigation efforts. The following vulnerabilities were identified as the most vulnerable ones to look out for and patch immediately, if susceptible:

  • CVE-2024-7587: This vulnerability affects the ICONICS Suite, including products like GENESIS64 and Hyper Historian. This vulnerability is categorized as an issue of incorrect default permissions, which poses a high-severity risk to control systems such as DCS, SCADA, and BMS. A patch is available for this vulnerability.
  • CVE-2024-9692: This vulnerability relates to the Blue Plus Transmitter from VIMESA. It involves improper access control and is rated as medium severity, impacting communication units and transmitters. A link to the patch is provided for this issue as well. 
  • CVE-2024-10313: This vulnerability highlights a path traversal vulnerability in the SpiderControl HMI Editor from iniNet Solutions. This vulnerability is also classified as high severity and affects human-machine interface systems. A corresponding patch is accessible.
  • CVE-2024-5947: The last vulnerability, CVE-2024-5947, is related to DSE855 from Deep Sea Electronics. This medium-severity vulnerability is characterized by missing authentication, affecting communication units and transmitters. A patch link is available for users to address this vulnerability.

The severity overview reveals that all disclosed vulnerabilities fall into medium and high severity categories but need urgent attention.

Recommendations and Mitigations

To effectively address the identified vulnerabilities and upgrade defenses, organizations should consider the following best practices:

  1. Staying informed about security/patch advisories from vendors and regulatory bodies is crucial for timely updates.
  2. Organizations should implement a risk-based vulnerability management strategy to minimize the potential for exploitation.
  3. Threat intelligence analysts should actively monitor critical vulnerabilities published in CISA’s Known Exploited Vulnerabilities (KEV) catalog, especially those that are being actively exploited in the wild.
  4. Effective network segmentation can prevent attackers from conducting reconnaissance and lateral movements, thereby reducing the exposure of critical assets.
  5. Frequent vulnerability assessments and penetration testing are essential for identifying and rectifying security weaknesses.
  6. Implement physical barriers to prevent unauthorized access to devices and networks.
  7. An effective incident response plan outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates ensure its relevance to current threats.
  8. Ongoing cybersecurity training for all employees, particularly those with access to OT systems, is crucial. Training should cover recognizing phishing attempts, proper authentication practices, and adherence to security protocols.

Conclusion

The vulnerabilities identified in this ICS vulnerability intelligence report call for urgent prioritization from organizations to take apt cybersecurity measures. With threats continuously evolving and exploits discussed in underground forums, staying vigilant and proactive is essential.

Implementing the recommendations outlined above will help organizations protect their critical infrastructure and maintain system integrity, ultimately reducing the risk of potential exploitation of ICS vulnerabilities.

Sources: https://www.cisa.gov/news-events/alerts/2024/10/31/cisa-releases-four-industrial-control-systems-advisories

The post ICS Vulnerability Intelligence Report: Key Insights and Recommendations appeared first on Cyble.

Blog – Cyble – ​Read More

CISA Warns of Critical Vulnerabilities in Rockwell Automation’s FactoryTalk ThinManager

Rockwell Automation

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has alerted about new vulnerabilities in Rockwell Automation FactoryTalk ThinManager. The alert, designated ICSA-24-305-01, outlines serious security risks that could affect users of the software. With a CVSS v4 score of 9.3, these vulnerabilities demand immediate attention from security teams to safeguard industrial control systems.

The vulnerabilities identified in Rockwell Automation’s FactoryTalk ThinManager include “Missing Authentication for Critical Function” and “Out-of-Bounds Read.” These issues can allow remote attackers to manipulate databases or cause denial-of-service conditions.

The successful exploitation of these vulnerabilities poses a risk to users. Attackers could send specially crafted messages to FactoryTalk ThinManager devices, which might lead to serious consequences, including unauthorized database modifications or service disruptions.

Technical Details

Several versions of Rockwell Automation’s FactoryTalk ThinManager have been identified as vulnerable, including versions 11.2.0 to 11.2.9, 12.0.0 to 12.0.7, 12.1.0 to 12.1.8, 13.0.0 to 13.0.5, 13.1.0 to 13.1.3, 13.2.0 to 13.2.2, and version 14.0.0.

The first critical vulnerability, CVE-2024-10386, is categorized as “Missing Authentication for Critical Function” (CWE-306) and assigned a CVSS v3.1 base score of 9.8. This flaw allows network-accessible attackers to send crafted messages to FactoryTalk ThinManager, which could potentially result in database manipulation.

The second vulnerability, CVE-2024-10387, relates to an “Out-of-Bounds Read” (CWE-125) and poses a denial-of-service risk. It enables attackers with network access to send crafted messages that could disrupt FactoryTalk ThinManager’s operations. This vulnerability carries a CVSS v3.1 base score of 7.5 and a CVSS v4 score of 8.7, indicating a serious security concern.

Rockwell Automation has acknowledged these vulnerabilities, which significantly impact critical infrastructure sectors, particularly in manufacturing, and are deployed globally. To address the risks associated with these vulnerabilities, Rockwell Automation has made patches available for the affected versions on the FactoryTalk ThinManager download site and urges users to apply these updates without delay.

Additionally, users are advised to implement network hardening by restricting communications to TCP port 2031 only to necessary devices that require connection to the ThinManager. Following Rockwell Automation’s guidelines for security best practices is also encouraged to minimize risks in industrial automation control systems.

Recommendations from CISA

The Cybersecurity and Infrastructure Security Agency (CISA) recommends several defensive measures:

  1. Minimize network exposure for all control system devices, ensuring they are not accessible from the internet.
  2. Isolate control system networks and remote devices behind firewalls.
  3. Utilize secure methods for remote access, such as Virtual Private Networks (VPNs), while recognizing that these should be updated regularly.
  4. Perform comprehensive impact analysis and risk assessment before implementing defensive measures.
  5. Regularly review and apply security advisories from credible sources.

Conclusion

CISA encourages organizations to report any suspected malicious activity for tracking and correlation with other incidents. Currently, there have been no known public exploitations targeting these vulnerabilities.

Given the high severity of the vulnerabilities associated with Rockwell Automation’s FactoryTalk ThinManager, organizations must prioritize addressing these issues to maintain security within their industrial environments.

By adhering to recommended practices and implementing available patches, companies can reduce the risk of exploitation and protect their critical infrastructure.

Source: https://www.cisa.gov/news-events/ics-advisories/icsa-24-305-01

The post CISA Warns of Critical Vulnerabilities in Rockwell Automation’s FactoryTalk ThinManager appeared first on Cyble.

Blog – Cyble – ​Read More

Improvements to our SIEM for Q3 2024 | Kaspersky official blog

Clearly, the sooner malicious actions come to the attention of security solutions and experts, the more effectively they’re able to minimize, or even prevent damage. Therefore, while working on new detection rules for our SIEM system named the Kaspersky Unified Monitoring and Analysis Platform, we pay special attention to identifying attackers’ activity at the very initial stage of an attack, when they try to collect information about infrastructure. We’re talking about activity related to the discovery tactics according to the Enterprise Matrix MITRE ATT&CK Knowledge Base classification.

Modern attackers are increasingly paying attention to containerization infrastructure, which is where rather dangerous vulnerabilities are sometimes found. For example, our May report on exploits and vulnerabilities describes the CVE-2024-21626 vulnerability, which allows for a container escape. That’s why in our Q3 2024 SIEM system update, among the rules for identifying atypical behavior that may indicate attacker activity at the initial data collection stage, we’ve added detection rules that catch (i) attempts to collect data on the containerization infrastructure, and (ii) traces of various attempts to manipulate the containerization system itself.

This was done by adding detection rules R231, R433, and R434, which are already available to Kaspersky Unified Monitoring and Analysis Platform users through the rule update system. In particular, they’re used to detect and correlate the following events:

  • access to credentials inside a container;
  • launching a container on a non-container system;
  • launching a container with excessive privileges;
  • launching a container with access to host resources;
  • collecting information about containers using standard tools;
  • searching for weak spots in containers using standard tools;
  • searching for security vulnerabilities in containers using special utilities.

Considering the above-described update, there are now more than 659 rules available on the platform, including 525 rules with direct detection logic.

We continue to align our detection rules with the Enterprise Matrix MITRE ATT&CK Knowledge Base, which today describes 201 techniques, 424 sub-techniques, and thousands of procedures. As of today our solution covers 344 MITRE ATT&CK techniques and sub-techniques.

In addition, we’ve improved many old rules by correcting or adjusting conditions – for example, to reduce the number of false positives.

New and improved normalizers

In the latest update, we’ve also added to our SIEM system normalizers that allow you to work with the following event sources:

  • [OOTB] OpenLDAP
  • [OOTB] Avaya Aura Communication Manager syslog
  • [OOTB] Orion soft Termit syslog
  • [OOTB] Postfix
  • [OOTB] Barracuda Web Security Gateway syslog
  • [OOTB] Parsec ParsecNET
  • [OOTB] NetApp SnapCenter file
  • [OOTB] CommuniGate Pro
  • [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog
  • [OOTB] Yandex Cloud
  • [OOTB] Barracuda Cloud Email Security Gateway syslog

Our experts have also improved normalizers for these sources:

  • [OOTB] Yandex Browser
  • [OOTB] Citrix NetScaler syslog
  • [OOTB] KSC from SQL
  • [OOTB] Microsoft Products for KUMA 3
  • [OOTB] Gardatech Perimeter syslog
  • [OOTB] KSC PostgreSQL
  • [OOTB] Linux auditd syslog for KUMA 3.2
  • [OOTB] Microsoft Products via KES WIN
  • [OOTB] PostgreSQL pgAudit syslog
  • [OOTB] ViPNet TIAS syslog

You can find the full list of supported event sources in the Kaspersky Unified Monitoring and Analysis Platform version 3.2 in the technical support section of our web site, where you can also get more information about correlation rules. We’ll continue to write about improvements to our SIEM system in future posts that can be found via the SIEM tag.

Kaspersky official blog – ​Read More

How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN

Network traffic analysis provides critical insights into malware and phishing attacks. Doing it effectively requires using proper tools like ANY.RUN’s Interactive Sandbox. It simplifies the entire process, letting you investigate threats with ease and speed.

Take a look at the key ways you can monitor and analyze network activity with the service.

Connections 

Examining network connections involves looking at source and destination IP addresses, ports, URLs, and protocols. During this process, you can observe all activities that may pose a risk to the system, such as connections to known malicious domains and attempts to access external resources. 

To correlate the network activity with other behaviors or components of the malware, ANY.RUN identifies the process name and Process Identifier (PID) initiating the connection. This allows you to gain a better understanding of the threat’s functionality and purpose. 

In the Connections section, additional attributes like the country (CN) and Autonomous System Number (ASN) provide context for the geographical location and the organization managing the IP address. 

The service also lists DNS requests that help you identify malicious domains used for Command & Control (C&C) communication or phishing campaigns. 

Use Case: Identifying Agent Tesla’s Data Exfiltration Attempt  

Consider the following sandbox session. Here, we can discover a malicious connection to an external server. 

Malicious connection identified by the ANY.RUN sandbox and marked with a flame icon 

We can navigate to the process that started this connection (PID 6904) to see the details.  

The sandbox shows that the process connected to a server controlled by attackers 

The service displays two signatures related to the connection, which specify that it was made to a server suspected of data theft over the SMTP port. The sandbox also links the process of Agent Tesla, a malware family used by cyber criminals for remote control and data exfiltration.  

Suricata rule used for detecting Agent Tesla’s malicious connection

Thanks to ANY.RUN’s integration of Suricata IDS, you can discover triggered detection rules by navigating to the Threats tab. The detection of data exfiltration over SMTP in this case is done without decryption. The sandbox relies solely on specific sequences of packet lengths characteristic of sending victim data. 

HTTP Requests and Content 

ANY.RUN provides comprehensive analysis of HTTP requests and their content. To access header information, simply navigate to the Network tab. Here, you’ll find a detailed list of all HTTP requests recorded by the sandbox.

You can investigate HTTP Requests in detail in ANY.RUN

Click on a specific request to view its headers, which include information such as the request method, user-agent, cookies, and response status codes. 

ANY.RUN also offers static analysis of the resources transmitted as part of HTTP requests and responses. These may include HTML pages, binary, and other types of files. The sandbox extracts their metadata and strings. 

Use Case: Discovering a Server for Collecting Stolen Passwords 

When investigating phishing attacks, it is sometimes necessary to check which server ends up receiving the passwords entered by victims on a malicious webpage. To accomplish this task, we need to enable Man-in-the-Middle (MITM) Proxy. 

Switching on MITM Proxy takes just one click in the VM setup window 

The feature acts as an intermediary between the malware and the server, allowing analysts to intercept and decrypt even HTTPS traffic, typically used for secure communication. 

ANY.RUN allows you to interact with the VM including by entering text

Here is an example of a typical attack that is designed to trick users into entering their real login credentials on a fake webpage. 

Please Note

Under no circumstances should you enter real credentials when analyzing threats in the ANY.RUN sandbox. Instead, use a non-existent test email and password.

After we enter a fake password, we need to navigate to the HTTP request section. Here, we need to start reviewing the HTTP POST requests, beginning with the most recent connection by time.

The fake password we entered which was exfiltrated via Telegram

 In most cases, you will be able to understand which server the web page is communicating with. In our example, the stolen data is being sent to Telegram. 

Access MITM Proxy and other PRO features of ANY.RUN
for free 



Get 14-day trial


Use Case: Collecting Information on Attackers’ Telegram Infrastructure 

Here is analysis of XWorm malware sample that connects to a Telegram bot for exfiltrating data collected on the infected system. 

Thanks to MITM Proxy, we can decrypt the traffic between the host and the Telegram bot.

Bot token and chat_id are found in the query string

By examining the header of a GET request sent by XWorm we can identify a Telegram bot token along with the id of the chat controlled by attackers where information on successful infections is sent.  

Using the bot token and chat id, we can gain access to the data exfiltrated from other systems infected by the same sample. 

Packets 

Packet capture involves intercepting and recording network packets as they are sent and received by the system. In ANY.RUN, you can determine the specific data being transmitted and received, which can include sensitive information, commands, or exfiltrated data.  

Through this detailed examination, you can uncover the structure and content of network packets, including the headers and payloads, which can reveal the nature of the communication. For instance, tracking the information contained in outgoing packets aids in identifying what data was stolen, such as passwords, logins, and cookies. 

To study network traffic packets effectively, you can use the Network stream window. Simply select the connection you’re interested in to access RAW network stream data. Received packets are blue, while sent ones are green. 

Use Case: Investigating a Pass-the-Hash Attack 

Let’s consider the following sandbox analysis. Here, we can observe a theft of an NTLM hash via a malicious web page. 

About NTLM

NTLM (NT LAN Manager) authentication is a challenge-response protocol used by Microsoft Windows to verify user credentials.

It involves hashing a user’s password with the MD4 algorithm to create an NTLM hash, which is then used to encrypt a server-sent challenge. NTLM relay attacks intercept and reuse these hashes to impersonate users on other services, enabling unauthorized access without cracking the hash.

Accessing 10dsecurity[.]com led to compromising the system’s NTLM hash  

Once we enable MITM Proxy, we can see how the attack is executed. It starts with the victim’s browser sending a request to access an HTML page, which triggers a redirect to an Impacket SMB server hosted on 10dsecurity[.]com. 

Impacket is a Python-based toolkit designed for working with network protocols that can be used for harvesting NTLM authentication data. 

The sent and received packets of the host’s communication with the SMB server

When the victim’s browser attempts to access the redirected resource via SMB, the Impacket-SMBServer intercepts the request and captures the following information: 

  • The victim’s IP address 
  • NTLM Challenge Data 
  • The victim’s username 
  • The victim’s computer name 
Suricata IDS detection rule used for identifying an impacket SMB server with a Wireshark filter

ANY.RUN allows us to download PCAP data for further examination in specialized software like Wireshark. To make it easier to identify the connection of our interest, we can collect a display filter right from the sandbox. 

Analysis of the captured packets in Wireshark  

Once we upload the data to the program and paste the filter, we can once again determine that it is indeed an impacket SMB server.  

Conclusion 

Packet capture, payload analysis, protocol dissection, DNS requests, and connection analysis are essential components of this process. By leveraging these techniques, security analysts can gain a comprehensive understanding of malicious activities, enabling them to develop effective countermeasures and protect against evolving cyber threats. 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI LookupYARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds. 
  • Interact with samples in real time. 
  • Save time and money on sandbox setup and maintenance 
  • Record and study all aspects of malware behavior. 
  • Collaborate with your team 
  • Scale as you need. 

Request free trial → 

The post How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

IT Vulnerability Report: Fortinet, SonicWall, Grafana Exposures Top 1 Million

1 million vulnerable Fortinet and SonicWall devices

Overview

Cyble Research and Intelligence Labs (CRIL) researchers investigated 17 vulnerabilities and nine dark web exploits during the period of Oct. 23-29, and highlighted seven vulnerabilities that merit high-priority attention from security teams.

This week’s IT vulnerability report affects an unusually high number of exposed devices and instances: Vulnerabilities in Fortinet, SonicWall, and Grafana Labs can be found in more than 1 million web-facing assets, and a pair of 10.0-severity vulnerabilities in CyberPanel have already been mass-exploited in ransomware attacks.

Security teams should assess which of these vulnerabilities are present in their environments and the risks they pose and apply patches and mitigations promptly.

The Week’s Top IT Vulnerabilities

Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.

CVE-2024-40766: SonicWall SonicOS

CVE-2024-40766 is a 9.8-severity improper access control vulnerability in the administrative interface and controls in the SonicOS operating system used for managing SonicWall’s network security appliances and firewalls. Managed security firm Arctic Wolf has reported that Fog and Akira ransomware operators are increasingly exploiting this vulnerability in SSL VPN environments to gain an initial foothold to compromise networks. 

Cyble has detected more than 486,000 internet-exposed devices with this vulnerability, making it a critically important priority for security teams.

CVE-2024-47575 and CVE-2024-23113: Fortinet FortiOS and FortiManager

Fortinet environments are under attack from threat actors exploiting a pair of recent 9.8-severity vulnerabilities: CVE-2024-47575, also known as “FortiJump,” is a vulnerability in Fortinet FortiManager that allows an attacker to execute arbitrary code or commands via specially crafted requests. Recently, researchers disclosed that the threat actor tracked as UNC5820 has been exploiting the flaw since at least June 27, 2024.

For more than a week before the October 23 disclosure of CVE-2024-47575, security researchers were concerned that Fortinet was slow in disclosing a FortiManager zero-day known to be under exploitation. However, it appears that a week before the CVE was released, Fortinet notified customers of a FortiManager vulnerability and provided some recommended mitigations. Some FortiManager customers reported that they didn’t get that communication, suggesting a need for a clearer advisory process. Fortinet update its guidance on the vulnerability yesterday.

Cyble researchers also observed threat actors on a cybercrime forum discussing exploits of CVE-2024-23113, a critical vulnerability in multiple versions of FortiOS, FortiProxy, FortiPAM, and FortiSwitchManager that allows remote, unauthenticated attackers to execute arbitrary code through specially crafted requests.

Cyble has identified 62,000 exposed instances of the FortiManager vulnerability, and 427,000 internet-facing Fortinet devices exposed to CVE-2024-23113 (see graphic below).

Exposed assets for the top vulnerabilities (Cyble research)

CVE-2024-9264: Grafana Labs

CVE-2024-9264 is a 9.4-severity vulnerability in the SQL Expressions experimental feature of Grafana, an open-source analytics and monitoring platform developed by Grafana Labs. It is designed to visualize and analyze data from various sources through customizable dashboards. This feature allows for the evaluation of ‘duckdb’ queries containing user input. These queries are insufficiently sanitized before being passed to ‘duckdb,’ leading to a command injection and local file inclusion vulnerability.

Cyble reported 209,000 internet-facing Grafana instances exposed to the vulnerability.

CVE-2024-51567 and CVE-2024-51568: CyberPanel

CVE-2024-51567 and CVE-2024-51568  are critical vulnerabilities in CyberPanel, an open-source web hosting control panel designed to simplify server management, particularly for those using the LiteSpeed web server. NVD has yet to rate the vulnerabilities, but MITRE has assigned them each a 10.0. CVE-2024-51567 is a flaw in upgrademysqlstatus in databases/views.py, which allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, and was exploited in the wild in October in a massive PSAUX ransomware attack.

CVE-2024-51568 is a command Injection flaw via completePath in the ProcessUtilities.outputExecutioner() sink.

Nearly 33,000 CyberPanel instances are exposed to these vulnerabilities, more than half of which have been targeted in mass ransomware and cryptominer attacks.

CVE-2024-46483: Xlight FTP Server

CVE-2024-46483 is a critical integer overflow vulnerability still undergoing analysis that affects Xlight FTP Server, a high-performance file transfer server for Windows designed to facilitate secure and efficient FTP and SFTP (SSH2) file transfers. The flaw lies in the packet parsing logic of the SFTP server, which can lead to a heap overflow with attacker-controlled content. Multiple organizations across various sectors use this server because of its Active Directory and LDAP integration functionalities. Cyble assesses that attackers could leverage this vulnerability in campaigns due to the availability of public Proof of Concepts (PoC).

Vulnerabilities and Exploits on Underground Forums

CRIL researchers observed multiple Telegram channels and cybercrime forums where channel administrators shared or discussed exploits weaponizing a number of vulnerabilities, some of which were discussed above. Others include:

CVE-2024-9464: A critical OS command injection vulnerability found in Palo Alto Networks’ Expedition tool, which allows an attacker to execute arbitrary OS commands as root, potentially leading to the disclosure of sensitive information.

CVE-2024-42640: A critical vulnerability affecting the angular-base64-upload library, specifically in versions prior to v0.1.21. This vulnerability allows remote code execution (RCE) through the demo/server.php endpoint, enabling attackers to upload arbitrary files to the server.

CVE-2024-3656: A high-risk vulnerability affecting Keycloak versions prior to 24.0.5. The vulnerability allows low-privilege users to access certain endpoints in Keycloak’s admin REST API, enabling them to perform actions reserved for administrators.

CVE-2024-9570: A critical buffer overflow vulnerability in the D-Link DIR-619L B1 router, specifically in firmware version 2.06, occurs in the ‘formEasySetTimezone’ function. The issue arises when the ‘curTime’ argument is manipulated, leading to a situation where an attacker can execute arbitrary code remotely.

CVE-2024-46538: A critical cross-site scripting (XSS) vulnerability in pfSense version 2.5.2 allows attackers to execute arbitrary web scripts or HTML by injecting a ‘crafted payload’ into the $pconfig variable, specifically through the ‘interfaces_groups_edit.php’ file.

CVE-2024-21305: A vulnerability identified as a Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass allows attackers to circumvent HVCI protections, enabling the execution of unauthorized code on affected systems running versions of Windows and Windows Server OS.

CVE-2024-23692: A critical vulnerability affecting the Rejetto HTTP File Server (HFS) that allows unauthenticated remote code execution (RCE) through a command injection flaw.

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post IT Vulnerability Report: Fortinet, SonicWall, Grafana Exposures Top 1 Million appeared first on Cyble.

Blog – Cyble – ​Read More

Cyble Sensors Detect New Attacks on LightSpeed, GutenKit WordPress Plugins

Cyble detects attacks on WordPress plugins, IoT, VNC

Overview

Cyble’s weekly sensor intelligence report for clients detailed new attacks on popular WordPress plugins, and IoT exploits continue to occur at very high rates.

Two 9.8-severity vulnerabilities in LightSpeed Cache and GutenKit are under attack, as WordPress and other CMS and publishing systems remain attractive targets for threat actors.

Vulnerabilities in IoT devices and embedded systems continue to be targeted at alarming rates. In addition to older exploits, this week Cyble Vulnerability Intelligence researchers highlighted an older RDP vulnerability that may still be present in some OT networks. Given the difficulty of patching these systems, vulnerabilities may persist and require additional mitigations.

Vulnerabilities in PHP, Linux systems, and Java and Python frameworks also remain under attack.

Here are some of the details of the Oct. 23-29 sensor intelligence report sent to Cyble clients, which also looked at scam and brute-force campaigns. VNC (Virtual Network Computing) was a prominent target for brute-force attacks this week.

CVE-2024-44000: LiteSpeed Cache Broken Authentication

CVE-2024-44000 is an Insufficiently Protected Credentials vulnerability in LiteSpeed Cache that allows Authentication Bypass and could potentially lead to account takeover. The issue affects versions of the WordPress site performance and optimization plugin before 6.5.0.1.

An unauthenticated visitor could gain authentication access to any logged-in users – and potentially to an Administrator-level role. Patchstack notes that the vulnerability requires certain conditions to be exploited:

  • Active debug log feature on the LiteSpeed Cache plugin
  • Has activated the debug log feature once before, it’s not currently active, and the /wp-content/debug.log file has not been purged or removed.

Despite those requirements, Cyble sensors are detecting active attacks against this WordPress plugin vulnerability.

CVE-2024-9234: GutenKit Arbitrary File Uploads

The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to CVE-2024-9234, with arbitrary file uploads possible due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. The vulnerability makes it possible for unauthenticated attackers to install and activate arbitrary plugins or utilize the functionality to upload arbitrary files spoofed like plugins.

As malicious WordPress plugins are becoming an increasingly common threat, admins are advised to take security measures seriously.

IoT Device and Embedded Systems Attacks Remain High

IoT device attacks first detailed two weeks ago continue at a very high rate, as Cyble honeypot sensors in the past week detected 361,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66, in attempts to gain administrator privileges.

Also of concern for OT environments are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263. Cyble sensors routinely detect 3,000 to 4,000 attacks a week on these vulnerabilities, which can be present in a number of older Siemens devices.

New to the report this week are several hundred attacks on CVE-2019-0708, a 9.8-severity remote code execution vulnerability in Remote Desktop Services found in several older Siemens devices.

Linux, Java, and Other Attacks Persist

A number of other recent exploits observed by Cyble remain active:

Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active.

Previously reported vulnerabilities in PHP, GeoServer, and Python and Spring Java frameworks also remain under active attack by threat actors.

Phishing Scams Detected by Cyble

Cyble sensors detect thousands of phishing scams a week, and this week identified 385 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in four prominent scam campaigns.

E-mail Subject  Scammers Email ID  Scam Type  Description 
VERIFICATION AND APPROVAL OF YOUR PAYMENT FILE  infohh@aol.com  Claim Scam  Fake refund against claims 
Online Lottery Draw Reference Claim Code  annitajjoseph@gmail.com  Lottery/Prize Scam  Fake prize winnings to extort money or information 
RE: Great News  cyndycornwell@gmail.com  Investment Scam  Unrealistic investment offers to steal funds or data 
Re: Consignment Box  don.nkru3@gmail.com  Shipping Scam  Unclaimed shipment trick to demand fees or details 

Brute-Force Attacks Target VNC

Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, Virtual Network Computing (VNC, port 5900) servers were among the top targets of threat actors. Here are the top 5 attacker countries and ports targeted:

  • Attacks originating from the United States targeting ports were aimed at port 5900 (30%), 22 (28%), 445 (25%), 3389 (14%) and 80 (3%).
  • Attacks originating from Russia targeted ports 5900 (88%), 1433 (7%), 3306 (3%), 22 (2%) and 445 (1%).
  • The Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.

Security analysts are advised to add security system blocks for the most attacked ports (typically 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Constantly check for Attackers’ ASNs and IPs.
  • Block Brute Force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.

Conclusion

With active threats against multiple critical systems highlighted, companies need to remain vigilant and responsive. WordPress and VNC installations and IoT devices were some of the bigger attack targets this week and are worth additional attention by security teams. The high volume of brute-force attacks and phishing campaigns demonstrates the general vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is key in protecting defenses against exploitation and data breaches.

The post Cyble Sensors Detect New Attacks on LightSpeed, GutenKit WordPress Plugins appeared first on Cyble.

Blog – Cyble – ​Read More

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

Cisco Talos’ Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website

NVIDIA Graphics remote out-of-bounds execution vulnerabilities

Discovered by Piotr Bania.

NVIDIA Graphics drivers are software for NVIDIA Graphics GPU installed on the PC. They are used to communicate between the operating system and the GPU device. This software is required in most cases for the hardware device to function properly.

Talos discovered multiple out-of-bounds read vulnerabilities in Nvidia that could be triggered remotely in virtualized environments, via web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; while recently deprecated by Microsoft, some older machines may still use this software.

Advisories related to these vulnerabilities:
TALOS-2024-1955 (CVE-2024-0121)
TALOS-2024-2012 (CVE-2024-0117)
TALOS-2024-2013 (CVE-2024-0118)
TALOS-2024-2014 (CVE-2024-0120)
TALOS-2024-2015 (CVE-2024-0119)

LevelOne wireless SOHO router vulnerabilities

Discovered by Patrick DeSantis and Francesco Benvenuto.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875,CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds post-boot. Used with other vulnerabilities that force a reboot, time restrictions for exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists due to improper resource allocation within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device’s reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device’s Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

Cisco Talos Blog – ​Read More

Backdoor in coding test on GitHub | Kaspersky official blog

Software developers tend to be advanced computer users at the very least, so you could assume they’d be more likely to spot and thwart a cyberattack. However, experience shows that no one is fully immune to social engineering — all it takes is the right approach. For IT professionals, such an approach might involve the offer of a well-paid job at a high-profile company. Chasing a dream job can make even seasoned developers lower their guard and act like kids downloading pirated games. And the real target (or rather —victim) of the attack might be their current employer.

Recently, a new scheme has emerged in which hackers infect developers’ computers with a backdoored script disguised as a coding test. This isn’t an isolated incident, but just the latest iteration of a well-established tactic. Hackers have been using fake job offers to target IT specialists for years — and in some cases with staggering success.

You might think that the consequences should remain the particular individual’s problem. However, in today’s world, it’s highly likely that the developer uses the same computer for both their main work and the coding test for the new role. As a result, not only personal but also corporate data may be at risk.

Fake job posting, crypto game, and a $540 million heist

One of the most notorious cases of fake job ads used for malicious purposes was witnessed in 2022. Hackers managed to contact (likely through LinkedIn) a senior engineer at Sky Mavis, the company behind the crypto game Axie Infinity, and offer him a high-paying position.

Enticed by the offer, the employee diligently went through several stages of the interview set up by the hackers. Naturally, it all culminated in a “job offer”, sent as a PDF file.

The document was infected. When the Sky Mavis employee downloaded and opened it, spyware infiltrated the company’s network. After scanning the company’s infrastructure, the hackers managed to obtain the private keys of five validators on Axie Infinity’s internal blockchain — Ronin. With these keys they gained complete control over the cryptocurrency assets stored in the company’s wallets.

This resulted in one of the largest crypto heists of the century. The hackers managed to steal 173,600 ETH and 25,500,000 USDC, which was worth approximately $540 million at the time of the heist.

More fake job postings, more malware

In 2023, several large-scale campaigns were uncovered in which fake job offers were used to infect developers, media employees, and even cybersecurity specialists (!) with spyware.

One attack scenario goes like this: someone posing as a recruiter from a major tech company contacts the target through LinkedIn. After some back-and-forth, the target receives an “exciting job opportunity”.

However, to land the job, they must demonstrate their coding skills by completing a test. The test arrives in executables within ISO files downloaded from a provided link. Running these executables infects the victim’s computer with the NickelLoader malware, which then installs one of two backdoors: either miniBlindingCan or LightlessCan.

In another scenario, attackers posing as recruiters initiate contact with the victim on LinkedIn, but then smoothly transition the conversation to WhatsApp. Eventually they send a Microsoft Word file with the job description. As you might guess, this file contains a malicious macro that installs the PlankWalk backdoor on the victim’s computer.

Yet another variation of the attack targeting Linux users featured a malicious archive titled “HSBC job offer.pdf.zip”. Inside the archive was an executable file disguised as a PDF document. Interestingly, in this case, to mask the file’s true extension, the attackers used an exotic symbol: the so-called one dot leader (U+2024). This symbol looks like a regular period to the human eye but is read as a completely different character by the computer.

Once opened, this executable displays a fake PDF job description while, in the background, launching the OdicLoader malware, which installs the SimplexTea backdoor on the victim’s computer.

Fake coding test with a Trojan on GitHub

A recently discovered variation of the fake job attack starts similarly. Attackers contact an employee of the target company pretending to be recruiters seeking developers.

When it comes to the interview, the victim is asked to complete a coding test. However, unlike the previous variations, instead of sending the file directly, the criminals direct the developer to a GitHub repository where it is stored. The file itself is a ZIP archive containing a seemingly innocuous Node.js project.

However, one component of this project contains an unusually long string, specially formatted to be overlooked when scrolling quickly. This string holds the hidden danger: heavily obfuscated code that forms the first stage of the attack.

When the victim runs the malicious project, this code downloads, unpacks, and executes the code for the next stage. This next stage is a Python file without an extension, with a dot at the beginning of the filename signaling to the OS that the file is hidden. This script launches the next step in the attack — another Python script containing the backdoor code.

Thus, the victim’s computer ends up with malware that can maintain continuous communication with the command-and-control server, execute file system commands to locate and steal sensitive information, download additional malware, steal clipboard data, log keystrokes, and send the collected data to the attackers.

As with the other variations of this scheme, the hackers count on the victim using their work computer to complete the “interview” and run the “test”. This allows the hackers to access the infrastructure of the target company. Their subsequent actions can vary, as history shows: from trojanizing software developed by the victim’s company to direct theft of funds from the organization’s accounts, as seen in the Sky Mavis case mentioned at the beginning of this article.

How to protect yourself

As we noted above, there’s currently no bulletproof defense against social engineering. Virtually anyone can be vulnerable if the attacker finds the right approach. However, you can make the task significantly more challenging for attackers:

Kaspersky official blog – ​Read More

Threat actors use copyright infringement phishing lure to deploy infostealers

  • Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
  • The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. 
  • This campaign abuses Google’s Appspot[.]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine to avoid network security product detections. 
  • Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

Phishing email campaign targets Taiwan 

Threat actors use copyright infringement phishing lure to deploy infostealers

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

  • IMAGE COPYRIGHTED.exe 
  • [Redacted] 的影片內容遭到侵犯版權.exe (translates to “[Redacted]’s video content has been copyright infringed.exe”) 
  • 版權侵權信息- [Redacted] Media Co Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Media Co Ltd.exe”) 
  • 版權侵權信息- [Redacted] Media Group Inc.exe (translates to “Copyright Infringement Information – [Redacted] Media Group Inc.exe”) 
  • 版權侵權信息- [Redacted] Technology Group.exe (translates to “Copyright Infringement Information – [Redacted] Technology Group.exe”) 
  • 版權侵權信息- [Redacted] Co. Ltd.exe (translates to “Copyright Infringement Information – [Redacted] Co. Ltd.exe”) 
  • [Redacted] Online -宣布侵權.exe (translates to “[Redacted] Online – declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company’s legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Threat actors use copyright infringement phishing lure to deploy infostealers

Phishing email impersonating a well-known industrial motor manufacturer. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Phishing email impersonating a famous online shopping store. 

Attribution 

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename “Support.” Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Threat actors use copyright infringement phishing lure to deploy infostealers

Support EPS file metadata. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

Actor infrastructure 

The threat actor is abusing Google’s Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target’s machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Threat actors use copyright infringement phishing lure to deploy infostealers

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

Threat actors use copyright infringement phishing lure to deploy infostealers

C2 domain DNS requests. 

Malware infection summary 

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The RAR file contains a fake PDF and an image printing file.  

Threat actors use copyright infringement phishing lure to deploy infostealers

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Fake PDF file detail information. 

LummaC2 stealer and its loader 

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system’s memory. After successfully mapping the payload, the malware then executes it. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer’s execution file to that block, and then execute it.   

Threat actors use copyright infringement phishing lure to deploy infostealers

Jump code to shellcode block. 

Threat actors use copyright infringement phishing lure to deploy infostealers 

Threat actors use copyright infringement phishing lure to deploy infostealers 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Threat actors use copyright infringement phishing lure to deploy infostealers

Alert message shown to the user when executing LummaC2. 

Threat actors use copyright infringement phishing lure to deploy infostealers

POST message with act=life and url path /api. 

Build ID: 

  • sTDsFx–Socks 
  • iAlMAC–ghost 

Rhadamanthys stealer and its loader 

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

Threat actors use copyright infringement phishing lure to deploy infostealers

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:Users[user]DocumentslumuiUpdaterffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim’s computer restarts, thereby maintaining its persistence on the infected system. 

Threat actors use copyright infringement phishing lure to deploy infostealers

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process “%Systemroot%system32dialer.exe” and injects Rhadamanthys’ payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

  • GlobalMSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session1MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session2MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session3MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session4MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session5MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session6MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session7MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
  • Session8MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

Coverage 

Threat actors use copyright infringement phishing lure to deploy infostealers

 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

IOC 

IOCs for this research can also be found at our GitHub repository here

Cisco Talos Blog – ​Read More

How to remove your personal information from Google Search results

Have you ever googled yourself? Were you happy with what came up? If not, consider requesting the removal of your personal information from search results.

WeLiveSecurity – ​Read More