Weekly ICS Vulnerability Intelligence Report: Rockwell Automation, Delta Electronics, Solar-Log

Vulnerability

Overview

Cyble Research & Intelligence Labs (CRIL) has investigated significant ICS vulnerabilities this week, providing essential insights derived from advisories issued by the Cybersecurity and Infrastructure Security Agency (CISA). This week’s report highlights multiple vulnerabilities across critical ICS products, with specific focus on those from Rockwell Automation, Delta Electronics, and Solar-Log.

CISA released three security advisories addressing four ICS vulnerabilities across these products, underscoring the urgent need for mitigation.

Among the most notable is a Cross-Site Scripting (XSS) flaw in Solar-Log Base 15, a widely used photovoltaic energy management product, which poses heightened risks due to internet-facing deployments identified by Cyble’s ODIN scanner.

ICS Vulnerabilities Overview

CRIL has pinpointed the following critical ICS vulnerabilities requiring immediate action:

  • CVE-2023-46344Solar-Log Base 15
    • Type: Cross-Site Scripting (XSS)
    • Severity: Medium
    • Description: This vulnerability allows unauthorized access through internet-facing instances, enabling attackers to potentially compromise device security and functionality. Cyble’s ODIN scanner identified a significant number of Solar-Log Base 15 devices deployed in Germany, emphasizing the need for prompt patching.
    • Patch available here.

  • CVE-2024-10456Delta Electronics InfraSuite Device Master
    • Type: Deserialization of Untrusted Data
    • Severity: Critical
    • Description: The Delta InfraSuite Device Master vulnerability allows critical systems to process untrusted data, which could lead to unauthorized access or system manipulation. This vulnerability impacts essential operational systems, necessitating immediate patching.
    • Patch available here.

  • CVE-2024-10386Rockwell Automation ThinManager
    • Type: Missing Authentication for Critical Function
    • Severity: Critical
    • Description: Rockwell Automation’s ThinManager vulnerability allows unauthorized users to access sensitive systems without proper authentication, potentially exposing operational systems to attacks. This flaw requires urgent attention due to its impact on operational continuity.
    • Patch available here.

  • CVE-2024-10387Rockwell Automation ThinManager
    • Type: Out-of-Bounds Read
    • Severity: Medium
    • Description: This vulnerability could allow unauthorized data access, which can lead to security breaches in operational systems if left unpatched.
    • Patch available here.

The severity overview indicates that these vulnerabilities span medium to critical levels, affecting critical infrastructure and necessitating prioritized mitigation.

Figure 1. Sectors impacted due to these vulnerabilities. (Source: CRIL)

Recommendations and Mitigations

To address these vulnerabilities effectively, organizations should consider the following best practices:

  1. Stay Updated: Regularly monitor security advisories from vendors and regulatory bodies to stay informed of critical patches and vulnerabilities.
  2. Risk-Based Vulnerability Management: Implement a risk-focused approach to manage and patch vulnerabilities based on their potential impact, especially for internet-facing ICS components.
  3. Network Segmentation: Isolate critical assets using effective network segmentation to prevent lateral movement and reconnaissance attempts by potential attackers.
  4. Continuous Vulnerability Assessments: Conduct regular vulnerability assessments, audits, and penetration testing to proactively identify and fix security loopholes.
  5. Utilize Software Bill of Materials (SBOM): Maintain visibility into software components, libraries, and dependencies to detect vulnerabilities promptly.
  6. Incident Response Preparedness: Develop and routinely test a robust incident response plan, ensuring it is aligned with the latest threat landscape.
  7. Cybersecurity Training: Conduct ongoing training programs for employees, particularly those with access to OT systems, covering threat recognition, authentication protocols, and security best practices.

Conclusion

The vulnerabilities highlighted in this ICS intelligence report call for swift action from organizations to mitigate potential security risks. With threats evolving rapidly and exploit attempts on the rise, maintaining a proactive stance is essential. By prioritizing the recommendations and implementing necessary patches, organizations can safeguard critical infrastructure, enhance operational resilience, and minimize the risk of exploitation.

Source:

https://www.cisa.gov/news-events/cybersecurity-advisories

The post Weekly ICS Vulnerability Intelligence Report: Rockwell Automation, Delta Electronics, Solar-Log appeared first on Cyble.

Blog – Cyble – ​Read More

Critical Zero-Click Vulnerability in Synology NAS Devices Needs Urgent Patching

Vulnerability

Overview

A recently discovered high-severity vulnerability, tracked as CVE-2024-10443 and dubbed “RISK:STATION,” poses a significant threat to Synology NAS users worldwide.

The vulnerability, affecting Synology DiskStation and BeeStation models, allows remote code execution without user interaction, heightening the potential for malicious exploitation.

CERT-In has released an advisory urging Synology users to apply critical security patches immediately to secure their devices and prevent unauthorized access.

Affected Systems and Risk Assessment

The flaw specifically impacts Synology Photos and BeePhotos components, which come pre-installed on many Synology NAS products. Vulnerable versions include:

  • BeePhotos for BeeStation OS 1.1 – versions below 1.1.0-10053
  • BeePhotos for BeeStation OS 1.0 – versions below 1.0.2-10026
  • Synology Photos 1.7 for DSM 7.2 – versions below 1.7.0-0795
  • Synology Photos 1.6 for DSM 7.2 – versions below 1.6.2-0720

Given that NAS devices are highly valuable targets in ransomware attacks, the risks associated with this vulnerability are extensive, including data theft, malware installation, and unauthorized system access.

System owners using affected versions are encouraged to upgrade to secure versions immediately.

Impact and Exploitation Risks

The “RISK:STATION” vulnerability represents an “unauthenticated zero-click” attack vector. Attackers exploiting this flaw can gain root-level control without any user interaction.

Synology’s QuickConnect feature, a remote-access service, further increases device exposure, as it allows attackers to reach NAS devices even behind firewalls. According to the researchers who were credited with finding this zero-click bug, this flaw carries a high potential for misuse and could impact an estimated one to two million devices globally.

Device Exposure and Enumeration Concerns

The vulnerability’s severity is amplified by Synology’s QuickConnect feature’s extensive reach. This service provides devices with a unique subdomain that enables remote access, even bypassing firewalls and NAT configurations.

Due to the ease of obtaining these subdomains through Certificate Transparency logs, adversaries can readily enumerate exposed Synology devices. QuickConnect domains often contain identifiable names or locations, raising privacy concerns and potentially making it easier for attackers to prioritize targets.

Mitigations and Recommended Actions

Synology has issued patches that effectively neutralize this vulnerability, covering both the SynologyPhotos and BeePhotos applications. Users should ensure they apply the following updates:

  • For Synology DiskStation (DSM 7.2):

  • Synology Photos 1.7 – Update to version 1.7.0-0795
  • Synology Photos 1.6 – Update to version 1.6.2-0720

  • For Synology BeeStation:

  • BeePhotos 1.1 – Update to version 1.1.0-10053
  • BeePhotos 1.0 – Update to version 1.0.2-10026

Alternatively, users can mitigate exposure by disabling QuickConnect, blocking ports 5000 and 5001, and disabling the SynologyPhotos or BeePhotos components if not actively in use.

Although these actions prevent internet-based exploitation, they do not secure devices within local networks, so a firmware update remains the most effective solution.

Conclusion

The CVE-2024-10443 vulnerability in Synology NAS devices showcases the need for proactive patching, particularly for high-value, internet-exposed assets. Synology users are urged to follow the recommended upgrade steps or apply alternative mitigation measures to secure their devices from exploitation. By addressing these vulnerabilities promptly, organizations can reduce the likelihood of unauthorized access, ransomware attacks, and data breaches on their network-attached storage devices.

Source:

https://www.cert-in.org.in

https://www.synology.com/en-global/security/advisory/Synology_SA_24_18

https://www.synology.com/en-global/security/advisory/Synology_SA_24_19

https://www.midnightblue.nl/research/riskstation

The post Critical Zero-Click Vulnerability in Synology NAS Devices Needs Urgent Patching appeared first on Cyble.

Blog – Cyble – ​Read More

Critical Bug in Cisco’s URWB Exposes Systems to Root Privilege Command Injection

URWB

Overview

Cisco has disclosed a severe vulnerability, tracked as CVE-2024-20418, in its Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB) Access Points. The flaw, rated with a maximum CVSS score of 10.0, affects multiple Cisco Catalyst Access Point models.

Attackers exploiting this vulnerability can gain root-level control, enabling unauthorized command execution on vulnerable devices.

Vulnerability Details

This critical CVE-2024-20418 vulnerability stems from improper input validation within Cisco’s web-based management interface, which controls URWB Access Points. A remote attacker without authentication can exploit this flaw by sending specially crafted HTTP requests to vulnerable devices, thereby injecting commands with root privileges on the device’s operating system.

Cisco has responded by releasing updates to mitigate the risk, advising immediate software upgrades as there are no workarounds. Importantly, only devices operating in URWB mode are impacted.

According to the Office of Information Technology of the New York State, while government institutions and business are at high risk of the bug, home users could be the least affected.

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

What is Cisco’s Ultra-Reliable Wireless Backhaul (URWB)?

Cisco’s URWB technology provides the robust, low-latency wireless connectivity essential for critical, high-stakes applications across industrial and mobile environments. Designed to replace costly and complex wired infrastructure, URWB enables seamless, multigigabit performance with minimal packet loss, making it invaluable for sectors relying on autonomous systems.

Industries including ports, railways, and manufacturing leverage URWB for real-time applications, such as video monitoring and remote machinery control, benefiting from reduced deployment costs and greater flexibility. The technology supports dual-mode capability, allowing devices to toggle between URWB and Wi-Fi 6/6E based on project needs, thereby optimizing infrastructure investments.

Affected Devices

The following Cisco Catalyst Access Points running a vulnerable version of Cisco’s Unified Industrial Wireless Software are affected if URWB mode is enabled:

  • Catalyst IW9165D Heavy Duty Access Points
  • Catalyst IW9165E Rugged Access Points and Wireless Clients
  • Catalyst IW9167E Heavy Duty Access Points

To determine if URWB mode is enabled, Cisco advises using the show mpls-config command. If available, URWB mode is active, and the device is vulnerable.

Cisco has confirmed that other products, including the 6300 Series Embedded Services Access Points, Aironet models, and Catalyst 9100 Series Access Points, are unaffected.

Mitigation Steps

Cisco has issued free software updates addressing this vulnerability. However, users must ensure they are compliant with licensing and have sufficient memory and compatible configurations for successful upgrades.

Customers without service contracts should reach out directly to the Cisco Technical Assistance Center (TAC) for help obtaining the necessary updates. More details can be found on Cisco’s Security Advisory page.

Fixed Software Releases

For the Cisco Unified Industrial Wireless Software versions affected, the company has released the following fixed versions:

  • 17.15 – First fixed in version 17.15.1
  • 17.14 and earlier – Cisco advises migrating to the nearest fixed release.

Security practitioners managing industrial or critical infrastructure networks are strongly urged to update vulnerable devices promptly. Failure to patch could expose systems to high-risk attacks due to the root-level access that this vulnerability permits.

Sources:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-backhaul-ap-cmdinj-R7E28Ecs

https://www.cisco.com/c/en/us/products/collateral/wireless/ultra-reliable-wireless-backhaul/ultra-wireless-backhaul-so.html

https://its.ny.gov/2024-123

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20418

The post Critical Bug in Cisco’s URWB Exposes Systems to Root Privilege Command Injection appeared first on Cyble.

Blog – Cyble – ​Read More

Unwrapping the emerging Interlock ransomware attack

  • Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game hunting and double extortion attacks using the relatively new Interlock ransomware.  
  • Our analysis uncovered that the attacker used multiple components in the delivery chain including a Remote Access Tool (RAT) masquerading as a fake browser updater, PowerShell scripts, a credential stealer, and a keylogger before deploying and enabling the ransomware encryptor binary. 
  • We also observed that the attacker primarily used remote desktop protocol (RDP) to move laterally within the victim’s network, as well as other tools such as AnyDesk and PuTTY. 
  • The attacker used Azure Storage Explorer, which leverages the utility AZCopy, to exfiltrate the victim’s data to an attacker-controlled Azure storage blob.  
  • The timeline of the attacker’s activity, from the initial compromise stage until the deployment of ransomware encryptor binary, indicates their dwelling time in the victim’s environment was about 17 days.  
  • Talos assesses with low confidence that Interlock ransomware is likely a new diversified group that emerged from Rhysida ransomware operators or developers, based on some similarities in the operators’ tactics, techniques, and procedures (TTPs) and in the ransomware encryptor binaries. 

Who is Interlock? 

Unwrapping the emerging Interlock ransomware attack

Interlock first appeared in public reporting in September 2024 and has been observed launching big-game hunting and double extortion attacks. The group has notably targeted businesses in a wide range of sectors, which at the time of reporting includes healthcare, technology, government in the U.S. and manufacturing in Europe, according to the data leak site disclosure, indicating their targeting is opportunistic. 

Like other ransomware players in the big-game hunting space, Interlock also operates a data leak site called “Worldwide Secrets Blog,” providing links to victims’ leaked data, chat support for victims’ communications, and the email address, “interlock@2mail[.]co”.   

Unwrapping the emerging Interlock ransomware attack

In their blog, Interlock claims to target organizations’ infrastructure by exploiting unaddressed vulnerabilities and claims their actions are in part motivated by a desire to hold companies’ accountable for poor cybersecurity, in addition to monetary gain. 

Unwrapping the emerging Interlock ransomware attack

Recent attack methodologies 

Throughout the investigation into the Interlock ransomware attack, Talos observed several notable TTPs used by the attacker in each stage of the delivery chain. Talos assesses that the attacker was present in the victim’s environment for approximately 17 days, from the initial compromise until deployment and execution of the Interlock ransomware. 

Unwrapping the emerging Interlock ransomware attack

Initial access 

The attacker gained access to the victim machine via a fake Google Chrome browser updater executable that the victim was prompted to download from a compromised legitimate news website.  When clicked, the fake browser updater executable “upd_2327991.exe” was downloaded onto the victim machine from a second compromised URL of a legitimate retailer. 

Execution 

Talos IR discovered the fake browser updater executable is a Remote Access Tool (RAT) that automatically executes an embedded PowerShell script when downloaded and run. The script initially downloads a legitimate Chrome setup executable “ChromeSetup.exe” to the victim machine’s applications temporary folder and established persistence by dropping a Windows shortcut file in the Windows StartUp folder with the file name “fahhs.lnk” configured to run the RAT every time the victim logs in, establishing persistence.  

Unwrapping the emerging Interlock ransomware attack
Sample PowerShell command that downloads the RAT. 

The RAT executes the command “cmd.exe /c systeminfo” and collects information from victim machine, listed below:

Host Name Time Zone
OS Name Total Physical Memory
OS Version Available Physical Memory
OS Manufacturer Virtual Memory
OS Configuration Max Size
OS Build Type Virtual Memory: Available
Registered Owner Virtual Memory: In Use
Registered Organization Page File Location(s)
Product ID Domain
Original Install Date Logon Server
System Boot Time Hotfix(s)
System Manufacturer Network Card(s)
System Model Connection Name
System Type Status
Processor(s) DHCP Enabled
BIOS Version DHCP Server
Windows Directory IP address(es)
System Directory Hyper-V Requirements
Boot Device System Locale

Then, the RAT encrypts the collected information in the memory stream. It establishes a secured socket to the command and control (C2) server hidden behind the attacker-controlled Cloudflare domain “apple-online[.]shop”, sends the encrypted data stream of victim machine information to the C2 server, and waits to receive the response.  

The RAT also allowed the attacker to execute two other PowerShell commands on the victim machine, which downloads the encrypted data blobs of a credential stealer “cht.exe” and a keylogger binary “klg.dll”, decrypts them with the passwords “jgSkhg934@kjv#1vkfg2S” and runs them. We observed that the keylogger is a DLL file that is run using the LOLBin “rundll32.exe”.  

Unwrapping the emerging Interlock ransomware attack
A sample PowerShell command that downloads and runs the Keylogger. 

Defense Evasion 

Talos IR observed that EDR was disabled on some of the compromised servers in the victim environment during the investigation. According to the indicators seen, Talos IR believes that the attacker could have either leveraged an EDR uninstaller tool or instrumented a vulnerable device driver Sysmon.sys (TfSysMon.sys) to disable the EDR on the victim machine. We also observed the attacker’s attempts to delete contents of the Event logs on some of the compromised systems.  

Credential Access 

The credential stealer discovered in this campaign is compiled in Golang. It enumerates the installed browser profiles on the victim machine and copies the Login data, Login State, key4.db, browser history and bookmarks files to the victim’s application profile temporary folder. The stealer then processes the data and uses SQL queries to collect the login information of victims’ online accounts along with the associated account URLs. Finally, the data is written to a file “chrgetpdsi.txt” in the user profile temporary folder.  

The keylogger DLL running on the victim machine is a tiny executable, which hooks to the victim machine keyboard and logs keystrokes in a file called “conhost.txt”, the same folder where the Keylogger was downloaded.  

Discovery 

The attacker ran PowerShell commands that are known indicators of pre-kerberoasting reconnaissance, a method used to obtain domain admin credentials. We assess with moderate confidence that a Kerberoasting attack was used to obtain accounts with higher privileges. 

(('AD_Computers: {0}' -f ([adsiSearcher]'(ObjectClass=computer)').FindAll().count)  
([adsisearcher]'(&(objectCategory=user)(servicePrincipalName=*))').FindAll() 

Lateral Movement 

Talos IR observed that the attacker primarily used Remote Desktop Protocol (RDP) and several compromised credentials to move between systems.  Further analysis showed that the attacker has also used AnyDesk and possibly LogMeIn to allow remote connectivity. We also spotted the installation of PuTTY on the compromised machines, which was likely used to move laterally to Linux hosts. We are not clear how these tools were dropped and executed on the infected machines. 

Sample RDP command executions observed during our analysis and with the redacted IP address details are shown below. 

mstsc /v 10.*.*.* 
.conhost.exe -d 10.*.*.*e$ 

Collection and Exfiltration  

The attacker executed storage-explorer, a tool that allows users to manage and interact with Azure Storage, and AzCopy, which allows users to copy files to a remote Azure storage, in the victim’s machine. We believe that the attacker used storage-explorer to navigate and identify sensitive information in the victim network and executed AzCopy to upload the data to the Azure storage blob according to network artifacts analysis. We were not able to confirm how the storage-explorer and AzCopy were delivered to the victim machine. 

Unwrapping the emerging Interlock ransomware attack

Impact 

The attacker deployed the Interlock ransomware encryptor binary with the file name “conhost.exe”, masquerading as a legitimate file, onto the victim machine and stored it in a folder named with a single digit number (example: “3” or “4”) in the user profile application data temporary folder. When run, the ransomware encrypts the targeted files on the victim machine with the file extension “.Interlock” and drops the ransom note “!__README__!.txt” file in every folder containing files that the encryptor has attempted to encrypt. Talos IR also observed that the attacker configured the ransom note to display during interactive login, was pushed using Group Policy Objects (GPOs), a Windows utility that allows users to manage Windows operating systems and applications.  

In the ransom note, the attacker warns against attempting to recover the encrypted files and rebooting the affected machines. They also demand a response within 96 hours or else they threaten to release the victim’s data on their leak site and notify the media outlets, which could lead to financial and reputational damage.  

Unwrapping the emerging Interlock ransomware attack

The ransom note includes the URL for an onion site where the affected victims can contact the operator to discuss the ransom demand and purchase the decryption keys using a unique company ID of sixty alphanumeric characters generated for each victim. 

Unwrapping the emerging Interlock ransomware attack

Interlock ransomware analysis 

Talos observed that Interlock ransomware has both Windows Portable Executable (EXE) and the Linux executable (ELF) variants, indicating that the attacker is targeting both Windows and Linux machines.   

The Interlock ransomware encryption binary is a 64-bit executable, compiled on October 2, 2024. The ransomware appears on the victim’s machines in a packed executable format with the custom unpacker code located in its Thread Local Storage and several obfuscated stack strings in the binary which are decrypted during the runtime of the ransomware. 

When the ransomware runs on the victim machine it initializes the binary by loading custom structures, strings, and Application programming interface (API) functions. After the initialization, it enumerates the logical disk drives that are available on the victim machine. Initially, the ransomware checks for the drive letters “A” through “Z” and excludes the “C drive”. It picks the available logical drives and enumerates all the folders and files in them, encrypting the targeted files on the victim machine and appending the file extension “.interlock” on encrypted files. Once the logical drives are enumerated, the ransomware then enumerates and encrypts the files in the folders of the “C drive”.  

During this enumeration process, the ransomware excludes specific folders and file extensions on the victim machine from being encrypted. The operator hardcoded the folder and files extension exclusion list, shown below, in the Interlock binary.

Folder exclusion list of Windows Interlock variant:
$Recycle.Bin Windows
Boot $RECYCLE.BIN
Documents and Settings AppData
PerfLogs WindowsApps
ProgramData Windows Defender
Recovery WindowsPowerShell
System Volume Information Windows Defender Advanced Threat Protection

File extension exclusion list of Windows Interlock variant:
.bat .bin .cab
.cmd .com .cur
.diagcab .diagcfg .diagpkg
.drv .hlp .hta
.ico .msi .ocx
.psm1 .src .sys
.ini .url .dll
.exe .ps1 Thumbs.db

The Linux variant of the Interlock ransomware performs a similar enumeration of directories and files, starting from the root directory, and encrypts the files excluding those that are in the file extension exclusion list hardcoded in the binary.

File extension exclusion list of Linux Interlock variant:
boot .cfg .b00
.v00 .v01 .v02
.v03 .v04 .v05
.v06 .v07 .t00

Interlock ransomware uses LibTomCrypt library, an open-source comprehensive, modular and portable cryptographic library for encryption.  The Windows Interlock ransomware variant uses the Cipher Block Chaining (CBC) encryption technique to encrypt the files on the victim machine whereas the Linux Interlock variant uses either CBC or RSA encryption technique. 

Encryption routine in Windows variant 

Encryption routine in ELF variant 

Unwrapping the emerging Interlock ransomware attack 

Unwrapping the emerging Interlock ransomware attack 

After encrypting each of the targeted files in the victim machine Interlock drops the ransom note “!__README__!.txt” file in each of the enumerated folders. 

Windows variant ransom note function 

ELF variant ransom note function 

Unwrapping the emerging Interlock ransomware attack 

Unwrapping the emerging Interlock ransomware attack 

We observed that the Windows Interlock variant creates a windows task name “TaskSystem” that runs at 8:00 PM daily on the victim machine as a SYSTEM user executing the configured command to run the ransomware, indicating the ransomware establishing the persistence.  

schtasks /create /sc DAILY /tn “TaskSystem” /tr “cmd /c cd “$Path of the Interlock binary” && “$command” /st 20:00 /ru system > nul

The ransomware has the capability to delete itself upon encrypting the targeted files, hiding the evidence of the encryption binary on the victim machine.  To delete the encryption binary in the Windows variant, Interlock ransomware has a tiny DLL binary embedded in the data section that is dropped into the user profile applications temporary folder with the file name “tmp41.wasd”.  

Unwrapping the emerging Interlock ransomware attack

Then, “rundll32.exe” is used to execute the DLL’s export function, called “run”, which then executes the remove() function to delete the encryption binary.  

Unwrapping the emerging Interlock ransomware attack

The Linux variant uses a similar technique to delete the encryptor binary from the victim machine, by executing the removeme function, which is an inline routine in the same encryptor binary.  

Unwrapping the emerging Interlock ransomware attack

Interlock TTPs overlap with Rhysida Ransomware 

Talos assesses with low confidence that Interlock ransomware is a new diversified group that emerged from Rhysida operators or developers, based on some similarities in TTPs, tools, and the ransomware encryptor binaries’ behaviors. 

We discovered code overlaps in the binaries of Interlock and Rhysida ransomware samples. Notably, the files and folders exclusion list hardcoded in the Windows variant of the Interlock ransomware has similarities with the exclusion list in Rhysida ransomware, reported by Talos in an August 2023 Threat Advisory

Additionally, the Interlock ransomware encryptor with the filename “conhost.exe” was earlier seen in Rhysida ransomware attacks, along with overlaps in TTPs and tools including PowerShell scripts, AnyDesk, and PuTTY, based on a CISA #StopRansomware advisory report on Rhysida Ransomware. Furthermore, both Rhysida and Interlock operators use AzCopy to exfiltrate the victim’s data to an attacker-controlled Azure storage blob, an old but uncommon technique. 

Finally, Interlock and Rhysida deliver ransom notes with a similar theme, where they portray themselves as a helpful partner notifying the victim of a breach and offering to help rectify it. This is in contrast to other prolific and sophisticated cyber groups, such a Black Basta and ALPHV, whose ransom notes demand payment, threaten, and attempt to intimidate the victim.  

Unwrapping the emerging Interlock ransomware attackRhysida ransom note. 

Unwrapping the emerging Interlock ransomware attackInterlock ransom note. 

Interlock’s possible affiliation with Rhysida operators or developers would align with several broader trends in the cyber threat landscape, which Talos reported in our 2022 and 2023 Year in Review reports. We observed ransomware groups diversifying their capabilities to support more advanced and varied operations, and ransomware groups have been growing less siloed, as we observed operators increasingly working alongside multiple ransomware groups. 

Coverage 

Unwrapping the emerging Interlock ransomware attack

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64114, 64113, 64189 and 301042. 

ClamAV detections are also available for this threat: 

Win.Ransomware.Interlock-10036524-0 

Unix.Ransomware.Interlock-10036662-0 

Win.Trojan.Kryptik-10036729-0 

Win.Downloader.Kryptik-10036730-0 

Indicators of Compromise 

IOCs for this threat can be found in our GitHub repository here

Cisco Talos Blog – ​Read More

AsyncRAT’s Infection Tactics via Open Directories: Technical Analysis 

Editor’s note: The current article is authored by the guest author RacWatchin8872, who is a threat intelligence analyst. You can find him on X. 

This article covers two distinct methods used to infect systems with AsyncRAT via open directories. These techniques show how attackers are constantly adapting, finding new ways to use publicly accessible files to broaden AsyncRAT’s impact and reach. 

Overview 

AsyncRAT is a type of Remote Access Trojan (RAT) malware designed to stealthily infiltrate systems and give attackers remote control over infected devices. It is commonly used for spying, data theft, and manipulation of compromised systems.  

Recently, two open directories surfaced, each employing unique methods to distribute and infect victims with AsyncRAT. These techniques highlight the persistent threat posed by this malware and its diverse infection strategies. 

First Technique 

Open Directory 

While investigating malicious open directories exposed to the internet, I discovered one with an unusual structure.  

The directory contained the following files: 

  • A text file with an extensive string that turned out to be a VBS script 
  • A JPG file that was actually a disguised ZIP archive 
Figure 1: Open directory structure 

Analysis of the Txt file 

The text file’s extensive string conceals an obfuscated VBS script. It uses random variables to store parts of the text that will be used to download the JPG file.

Figure 2: Obfuscated VBS code 

To make it easier to read we just need to make a few changes: 

  1. Replace the variables with the actual text
  1. Use intuitive names for variables that are used to write or download files
Figure 3: Deobfuscated VBS code 

Now we see that the VBS script creates an XML file OMjRRRRRRRRRRRRRRRRRRRRvbK.xml located at C:UsersPublic. The content of the XML file contains a PowerShell script that downloads the disguised JPG file, saves it, and extracts it to the same directory. 

Once extracted, the process continues by executing another script, TesKKKeLAvaYdAfbBS.vbs. Then, it cleans up by deleting both the XML and ZIP files. 

Analysis of the VBS file 

The VBS script is also obfuscated and uses the same technique as the other text file. By examining the file, we can understand a few parts of its execution:

Figure 4: TesKKKeLAvaYdAfbBS.vbs obfuscated 

To make it simple to read, we just need to make a few changes: 

  1. Replace the variables with the actual text
  1. Use intuitive names for variables that are in use
  1. Delete all the If statements that execute the same code regardless of the result

By making these changes, we can transform a 34-line VBS script into a simpler 6-line version that is easier to read. 

Figure 5: Clean TesKKKeLAvaYdAfbBS.vbs

The VBS script will then execute the KKKKKKllLavIOOOOOtesAA.bat, which is the next stage.

Analyze malware and see detailed script execution
inside ANY.RUN’s Interactive Sandbox 



Try it now


Analysis of the Bat file 

The BAT script is also obfuscated, but it is possible to understand its purpose by reading the values stored inside the variables vertically.

Figure 6: KKKKKKllLavIOOOOOtesAA.bat file 

Its role is to execute PowerShell without a prompt window. It initiates the next stage by running KiLOvBeRNdautESaatnENn.ps1 

Analysis of the PowerShell (PS1) file 

The PS1 file is a simple script that creates a scheduled task named ‘tMicNet Work40,’ which runs UhLQoyDAMaCUTPaE.vbs every 2 minutes.

Figure 7: Scheduled task created by PowerShell 

Analysis of the Second VBS file 

UhLQoyDAMaCUTPaE.vbs has the same structure as the previous VBS (TesKKKeLAvaYdAfbBS.vbs), so we can use the same technique to make the script easier to read and analyze.

Figure 8: UhLQoyDAMaCUTPaE.vbs obfuscated 

Using the same technique we will get this result: 

Figure 9: UhLQoyDAMaCUTPaE.vbs deobfuscated 

Analysis of The Second BAT file 

aaaNOOTKiiiLAViiiiOOs.bat has the same structure as the previous BAT (KKKKKKllLavIOOOOOtesAA.bat), so by reading it vertically, we can figure out what the file does. 

Figure 10: aaaNOOTKiiiLAViiiiOOs.bat 

The BAT file executes the last stage, which is a Powershell file. 

Analysis of the Last Stage 

The final stage is obfuscated by changing the variable names to make the code harder to interpret. Instead of giving a straightforward name to the variable, they break the word into pieces, mix them up, and then call each position to reconstruct the variable name.  

To simplify the analysis, we can deconstruct the code in a similar way, isolating each piece to make the script clearer and easier to understand. 

Figure 11: Analysis of the last stage 

The first part of the code is a function that receives a string and converts it from hexadecimal to a 32-bit integer.

Figure 12: First part of the final stage 

The second part of the code contains two variables with large strings. Both strings use a replace function to retrieve the correct value, which are then sent to the ‘PARSer’ for further processing. 

Figure 13: Second part of the last stage 

The last part of the final stage is simply loading the files into memory to execute them.

Figure 14: Last part of the last stage 

With the help of CyberChef, we can apply the same technique as shown in the second part of the final stage to retrieve the values inside the two variables and see what they really are.

The first variable is a DLL: 

Figure 15: AsyncRAT DLL 

The second variable is an EXE: 

Figure 16: AsyncRAT EXE 

By running both in the ANY.RUN sandbox, it is possible to gather information about the C2, ports, certificates, mutex, and more. 

Figure 17: Text report generated by ANY.RUN sandbox

Try all PRO features of ANY.RUN’s Interactive Sandbox
for free 



Request 14-day trial


Second Technique 

Open Directory 

The structure of the second open directory mirrors the first, containing two files: a TXT file and a JPG file.  

The TXT file, with a shorter name, is a VBS script, while the JPG file hides a PowerShell script in disguise. 

Figure 18: Open directory 

Analysis of the Txt file 

In this case, the TXT file contains a VBS script that is easier to interpret due to its comments. It includes an array storing commands to download the disguised JPG file. 

Figure 19: VBS script 

To simplify the script further, we can delete the array and store all the array values in a single variable. 

Figure 20: Cleaning VBS script 

The VBS script then calls cmd to execute PowerShell, which downloads and runs the JPG file. 

Analysis of the Powershell file 

The PowerShell file performs 2 main functions: 

  1. File creation and content writing: Creates three files essential to the infection process
  1. Scheduled task setup: Schedules a task to ensure repeated execution, thereby maintaining the AsyncRAT infection

File Creation 

The Powershell creates 3 files.

First file

This obfuscated file stores and executes the values of EXE and DLL files related to AsyncRAT directly in memory. 

Figure 21: First file created by the Powershell file 

After cleaning the file, it removes ‘%&%’ from both variables, converts them from hexadecimal, and then loads and executes them into memory. 

Figure 22: Loading file into memory 

 
By carrying out the above-mentioned processes via CyberChef, we get the following results:

Figure 23: AsyncRAT Exe 
Figure 24: AsyncRAT DLL 

Second file

The second file triggers PowerShell to execute the previous file (roox.ps1). 

Figure 25: Second file created by Powershell file 

Third file

The third and final file runs the previous file roox.bat while keeping the execution hidden from the victim. This ensures that the infection process remains invisible and minimizes any visible indicators, making it harder for the victim to detect the ongoing activity. 

Figure 26: Third file created by Powershell file 

Scheduled Task 

The scheduled task, named thepiratMicrosoftEdgeUpdateTask, executes roox.vbs every two minutes, ensuring that the infection persists. 

Figure 27: Scheduled task named thepiratMicrosoftEdgeUpdateTask 

Upon running the PowerShell script inside the ANY.RUN sandbox, we can see the files being created and executed. We can also gather more information about the command and control (C2) infrastructure.

Figure 28: Files created by the Powershell script 
Figure 29: C2 Ip and DNS 

Conclusion 

Our investigation uncovered two IPs actively spreading AsyncRAT through different methods. The first method follows a multi-stage process, employing several files and scripts to complete the infection.  

The second method uses only two stages, one of which involves generating files that are triggered by a scheduled task, as shown in the image below: 

Figure 30: Difference between two methods 

About ANY.RUN  

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need

Request free trial of ANY.RUN’s products →

IOCs

23.26.108.141  Open Directory IP 
fsp.txt  7b73596346a36f83b6b540bfc2b779fec228a050e6d7de631d0518b526b9b128 
zohre.jpg  561bb05d2c67fe221646b5af653ef7d1e7e552e6745f980385bd344d8155df0f 
AsyncRAT.exe  70733e5f26a5b4d8c3d2bcc9a21cd015cee63dc0f93c819e7c401237f69967fe 
AsyncRAT.dll  2c6c4cd045537e2586eab73072d790af362e37e6d4112b1d01f15574491296b8 
storeroot[.]duckdns[.]org  Command and Control 
45.126.208.245  Open Directory IP 
nkXhhzeT6H6bxJcU.txt  20b15104f0afc362126f43c0b8628bced3cdecec768bcde79e60ff094c108f8a 
aaaNOOTKiiiLAViiiiOOs.bat   73e945f14db13a00fe72b5c2a20233e3bb98816bb31d035e0776b92246f681bc 
KiLOvBeRNdautESaatnENn.ps1  f0d190d78b3ed7d83cc30224cd55bc158bdd5c40ec7b1f0108ee27afa1996ab1  
KKguLavTEsaaEtneeNARdeP.ps1  29e93b2eac97547386f435811ccf0531ad0df62fd5f021e7e5ea90b2f1f2d69a  
KKKKKKllLavIOOOOOtesAA.bat  d5ca45ab8c9c9e6f932e9500836bd8cd725c4739dafe80a5d41e29389c3d69f3  
TesKKKeLAvaYdAfbBS.vbs  b1b67754391f0598e86254ad8c3a5741b70472138c1fa1be439be788c682345e  
UhLQoyDAMaCUTPaE.vbs  2b312c476ccf036b5339f023a732ddf1aef3f193f59b304ba8089872bae47540 
AsyncRAT.exe  d4edb13aa499b39b74912a30c22a1cba6d00694dcb68fa542bdc3d9ab2b66f68 
AsyncRAT.dll  5b1b7bd1fadfc3d2abcd8ea8f863fe96233e1dac8b994311c6a331179243b5cd 
anothonesevenfivesecsned[.]ddns[.]net  Command and Control 

The post AsyncRAT’s Infection Tactics <br>via Open Directories: Technical Analysis  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Tor Browser and anonymity: what you need to know | Kaspersky official blog

The desire to remain anonymous online is as old as the internet itself. In the past, users believed hiding behind a nickname meant they could badmouth their neighbors on local forums with impunity. Now, such trolls can be identified in seconds. Since those early days, technology has taken a quantum leap: distributed networks, anonymous browsers, and other privacy tools have emerged. One of these tools, which was heavily promoted a decade ago by former NSA contractor Edward Snowden, is the Tor Browser, where “TOR” is an acronym for “The Onion Router”.

But in today’s world, can Tor truly provide complete anonymity? And if it doesn’t, should we just forget all about anonymity and rely on a regular browser like Google Chrome?

How Tor users are deanonymized

If Tor is new to you, check out our vintage article from way back when. There, we answered some common questions: how the browser ensures anonymity, who needs it, and what people usually do on the dark web. In brief, Tor anonymizes user traffic through a distributed network of servers, called nodes. All network traffic is repeatedly encrypted as it passes through a number of nodes between two communicating computers. No single node knows both the origin and destination addresses of a data packet, nor can it access the packet’s content. OK, short digression over — now let’s turn to the real security threats facing anonymity enthusiasts.

In September, German intelligence services identified a Tor user. How did they do it? The key to their success was data obtained through what’s called “timing analysis”.

How does this analysis work? Law enforcement agencies monitor Tor exit nodes (the final nodes in the chains that send traffic to its destination). The more Tor nodes the authorities monitor, the greater the chance a user hiding their connection will use one of those monitored nodes. Then, by timing individual data packets and correlating this information with ISP data, law enforcement can trace anonymous connections back to the end Tor user — even though all Tor traffic is encrypted multiple times.

The operation described above, which led to the arrest of the administrator of a child sexual abuse platform, was possible partly because Germany hosts the highest number of Tor exit nodes — around 700. The Netherlands ranks second with about 400, and the US comes in third with around 350. Other countries have anywhere from a few to a few dozen. International cooperation among these top exit-node countries played a significant role in deanonymizing the child sexual abuse offender. Logically, the more nodes a country has, the more of them can be state-monitored, increasing the likelihood of catching criminals.

Germany and the Netherlands are among the leaders on the number of Tor exit nodes — not only in Europe but worldwide.

Germany and the Netherlands are among the leaders on the number of Tor exit nodes — not only in Europe but worldwide. Source

The Tor Project responded with a blog post discussing the safety of their browser. It concludes that it’s still safe: the de-anonymized individual was a criminal (why else would authorities be interested?), using an outdated version of Tor and the Ricochet messaging app. However, Tor noted it wasn’t given access to the case files, so their interpretation regarding the security of their own browser might not be definitive.

This kind of story isn’t new; the problem of timing attacks has long been known to the Tor Project, intelligence agencies, and researchers. So although the attack method is well-known, it remains possible, and most likely, more criminals will be identified through timing analysis in the future. However, this method isn’t the only one: in 2015, our experts conducted extensive research detailing other ways to attack Tor users. Even if some of these methods have become outdated in the forms presented in that study, the principles of these attacks remain unchanged.

“Generally it is impossible to have perfect anonymity, even with Tor”.

This phrase opens the “Am I totally anonymous if I use Tor?” section of the Tor Browser support page. Here, the developers provide tips, but these tips can at best only increase the chances of remaining anonymous:

  • Control what information you provide through web forms. Users are advised against logging in to personal accounts on social networks, as well as posting their real names, email addresses, phone numbers, and other similar information on forums.
  • Don’t torrent over Tor. Torrent programs often bypass proxy settings and prefer direct connections, which can de-anonymize all traffic — including Tor.
  • Don’t enable or install browser plugins. This advice also applies to regular browsers, as there are many dangerous extensions out there.
  • Use HTTPS versions of websites. This recommendation, incidentally, applies to all internet users.
  • Don’t open documents downloaded through Tor while online. Such documents, the Tor Project warns, may contain malicious exploits.

With all these recommendations, the Tor Project is essentially issuing a disclaimer: “Our browser is anonymous, but if you misuse it, you may still be exposed”. And this actually makes sense — your level of anonymity online depends primarily on your actions as a user — not solely on the technical capabilities of the browser or any other tool.

There is another interesting section on the Tor support page: “What attacks remain against onion routing?” It specifically mentions possible attacks using timing analysis with the note that “Tor does not defend against such a threat model”. However, in a post about the German user’s de-anonymization, the developers claim that an add-on called Vanguard, designed to protect against timing attacks, has been included in Tor Browser since 2018, and in Ricochet-Refresh since June 2022. This discrepancy suggests one of two things: either the Tor Project hasn’t updated its documentation, or it’s being somewhat disingenuous. Both are problematic because they can mislead users.

So what about anonymity?

It’s important to remember that Tor Browser can’t guarantee 100% anonymity. At the same time, switching to other tools built on a similar distributed node network structure is pointless, as they are equally vulnerable to timing attacks.

If you’re a law-abiding individual using anonymous browsing simply to avoid intrusive contextual ads, secretly shop for gifts for loved ones, and for other similarly harmless purposes, the private browsing mode in any regular browser will probably suffice. This mode, of course, doesn’t offer the same level of anonymity as Tor and its counterparts, but it can make surfing the net a bit more… well, private. Just make sure you fully understand how this mode works in different browsers, and what it can and can’t protect you from.

In addition, all of our home security solutions include Private Browsing. By default, this feature detects attempts to collect data and logs them in a report but doesn’t block them. To block data collection, you need to either enable Block data collection in the Kaspersky app or activate the Kaspersky Protection plugin directly in the browser.

Besides this, our protection can also block ads, prevent the hidden installation of unwanted apps, detect and remove stalkerware and adware, and remove traces of your activity in the operating system. Meanwhile, the special component Safe Money provides maximum protection for all financial operations by conducting them in a protected browser in an isolated environment and preventing other apps from gaining unauthorized access to the clipboard or taking screenshots.

Double VPN

You can also stay anonymous on the internet using Kaspersky VPN Secure Connection that support Double VPN (also known as multi-hop). As the name suggests, this technology allows you to create a chain of two VPN servers in different parts of the world: your traffic first passes through an intermediary server, and then through another. Double VPN in Kaspersky VPN Secure Connection uses nested encryption — the encrypted tunnel between the client and the destination server runs inside a second encrypted tunnel between the client and the intermediary server. Encryption in both cases is only performed on the client side, and data is not decrypted on the intermediary server. This provides an additional layer of security and anonymity.

Double VPN is available to users of Windows and Mac versions of Kaspersky VPN Secure Connection. Before enabling Double VPN, make sure that the Catapult Hydra protocol is selected in the application settings: Main → Settings (gear icon) → Protocol → Select automatically, or Catapult Hydra.

After that, you can enable Double VPN:

  1. Open the main application window.
  2. Click the Location drop-down to open the list of locations of VPN servers.
  3. Click the Double VPN
  4. Select two locations and click Connect.

You can add your Double VPN server pair to Favorites by clicking the Add to Favorites button.

How to enable Double VPN in Kaspersky VPN Secure Connection

How to enable Double VPN in Kaspersky VPN Secure Connection

Congratulations! Now your traffic is encrypted more securely than usual — but remember that these traffic encryption methods are not intended for illegal activities. Double VPN will help you conceal personal information from data-gathering sites, avoid undesirable ads, and access resources unavailable in your current location.

Kaspersky official blog – ​Read More

Jane Goodall: Reasons for hope | Starmus highlights

The trailblazing scientist shares her reasons for hope in the fight against climate change and how we can tackle seemingly impossible problems and keep going in the face of adversity

WeLiveSecurity – ​Read More

New 2024 NIST requirements for password strength and storage

The requirements set by online services for user verification — whether it’s password length, a mandatory phone number, or biometric checks with blinking — are often governed by industry standards. One of the most important documents in this field are the NIST SP 800-63 Digital Identity Guidelines, developed by the US National Institute of Standards and Technology (NIST). This standard is mandatory for all US government agencies and their contractors; in practice, this means that all the world’s largest IT companies adhere to this standard, with consequences reaching far beyond the borders of the United States.

Even organizations that aren’t strictly required to comply with NIST SP 800-63 would still benefit from familiarizing themselves with these updated guidelines, as they often serve as a blueprint for regulators in other countries and industries. The recent update, developed through four rounds of public revisions with industry experts, reflects the latest understanding of digital identification and authentication. It covers security and privacy requirements, and considers a possible distributed (federated) approach. The standard is practical, and factors in human considerations — how users respond to various authentication requirements.

This new edition formalizes concepts, and outlines requirements for:

  • passkeys (referred to in the standard as “syncable authenticators”);
  • phishing-resistant authentication;
  • user storage of passwords and accesses (“attribute bundles”);
  • regular re-authentication;
  • session tokens.

So — how to authenticate users in 2024?

Password authentication

The standard defines three Authentication Assurance Levels (AALs). AAL1 allows the least restrictions and minimal confidence that the user is indeed who they claim to be, while AAL3 offers the strongest guarantees and requires more stringent authentication. Only AAL1 permits single-factor authentication — such as just a single password.

The requirements for passwords are as follows:

  • Only centrally verified secrets sent by the user to the server over a secure channel qualify as passwords. Passwords that are stored and verified locally are termed “activation secrets” and have different requirements.
  • Passwords shorter than eight characters are prohibited, with a minimum of 15 characters recommended.
  • Scheduled, mandatory password rotation is considered an outdated practice and therefore prohibited.
  • It’s also prohibited to impose requirements on password composition (such as “your password must contain a letter, a number, and a symbol”).
  • It’s recommended to allow using any visible ASCII characters, spaces, and most Unicode symbols (such as emojis).
  • Maximum password length, if enforced, must be at least 64 characters.
  • Truncating passwords during verification is prohibited, but trimming leading/trailing whitespace is allowed if it interferes with authentication.
  • Using and storing password hints or security questions (such as “your mother’s maiden name”) is prohibited.
  • Commonly used passwords must be eliminated through the use of a stop-list of popular or leaked passwords.
  • Compromised passwords (for example, appearing in data breaches) must be reset immediately.
  • Login attempts must be limited in both rate and number of unsuccessful attempts.

Activation secrets

These are PINs and local passwords that restrict access to the on-device key storage. They can be numeric, with a recommended minimum length of six digits— though four digits are permissible. For AAL3, the primary cryptographic secret (for example, a passkey) must be stored in a tamper-resistant chip, and decrypted using the activation secret. For AAL1 and AAL2, it’s enough that the key restricts access from outsiders, with a limit on input attempts — no more than 10 tries. After exceeding the limit, the storage is locked, requiring an alternative authentication method.

Multi-factor authentication (MFA)

It’s recommended to implement MFA at all AAL levels, but while this is only a suggestion for AAL1, it’s mandatory for AAL2, and only phishing-resistant MFA methods are acceptable for AAL3.

Only cryptographic authentication methods are considered phishing-resistant: USB tokens, passkeys, and cryptographic keys stored in digital wallets conforming to SP 800-63C (distributed identification and authentication services). All cryptographic secrets must be stored in tamper-resistant systems (such as TPM or Secure Enclave). Synchronizing keys across devices and storing them in the cloud is permitted, provided each device meets the standard’s requirements. These provisions enable the use of passkeys across Android and iOS ecosystems.

To ensure resistance to phishing, authentication must be tied to the communication channel (channel binding) or verifier service name (verifier name binding). Examples of these approaches include client-authenticated TLS connections and the WebAuthn protocol from the FIDO2 specification. In simple terms, the client uses cryptography to confirm they’re connecting with the legitimate server rather than a fake one set up for AitM attacks.

Time-based one-time passwords (TOTP) from authenticator apps, SMS codes, and one-time codes from scratch cards or envelopes are not phishing-resistant but are permitted for AAL1 and AAL2 services. The standard specifies which methods for handling one-time codes don’t qualify as MFA and must be avoided. One-time codes should not be sent through email or VoIP — they must be delivered over a communication channel that’s separate from the primary authentication process. OTPs sent through SMS and traditional telephone lines are acceptable — even if both connections (for example, internet and SMS) are on the same device.

Use of biometrics

The standard restricts the use of biometrics — they may serve as an authentication factor, but are prohibited for identification. Biometric checks must be used only as a supplemental factor combined with proof of possession (for example, a smartphone or token — something you physically possess).

Biometric equipment and algorithms must ensure a false match rate (FMR) no greater than 1 in 10,000, and a false non-match rate (FNMR) no greater than 5%. These accuracy rates must be consistent across all demographics. The verification algorithm must also be resistant to presentation attacks in which the sensor is shown a photo or video instead of a live person.

After generating and verifying a cryptographic “fingerprint” from biometric data, the standard mandates immediate deletion (zeroing out) of collected biometric data.

Like other authentication methods, biometric checks must include limits on input rate and the number of unsuccessful attempts.

Kaspersky official blog – ​Read More

Google Fixes Critical Zero-Day Vulnerabilities in Latest Android Security Update

Google

Overview

In its latest security bulletin, Google has patched two actively exploited zero-day vulnerabilities in Android, marking a crucial step toward protecting users from likely spyware attacks.`

 The November update addresses a total of 51 vulnerabilities, including a critical issue in Qualcomm components. Android users are strongly advised to install these updates to secure their devices against potential exploitation.

Key Vulnerabilities in Focus: CVE-2024-43047 and CVE-2024-43093

The two zero-days—tracked as CVE-2024-43047 and CVE-2024-43093—have been identified as exploited in targeted attacks. “There are indications that the following may be under limited, targeted exploitation,” Google said in its November Android Security Bulletin.

These vulnerabilities have raised concerns due to their ability to circumvent Android’s built-in protections and potentially allow remote attackers to access sensitive user data. Although Google has withheld detailed exploitation techniques, the attribution of CVE-2024-43047’s findings to researchers from Amnesty International suggests that it may have been used in spyware attacks, typically deployed in espionage scenarios aimed at high-profile individuals or organizations.

Vulnerability Details and Impact Analysis

1. CVE-2024-43047

Discovered by: Amnesty International researchers.

Impact: This vulnerability could enable attackers to escalate privileges or remotely execute commands on compromised devices. It has likely been used in targeted spyware attacks, allowing threat actors to monitor user activity, intercept communications, and access sensitive data on victims’ device without detection.

Targeted Attack Potential: With signs of exploitation in targeted attacks, CVE-2024-43047 is a potent tool for espionage, likely targeting journalists, activists, or individuals of interest.

2. CVE-2024-43093

Impact: While details remain sparse, this zero-day vulnerability is an elevation of privilege bug in the Android Framework and has also been actively exploited, possibly allowing attackers to gain unauthorized access to devices and control over critical functions. The exploitation may involve initial access through social engineering or phishing, with subsequent remote control of the device.

Risk of Backdoors and Surveillance: This flaw could be used to embed backdoors or spyware, posing a significant threat to user privacy and device integrity.

3. CVE-2024-38408

Impact: This critical flaw affects proprietary Qualcomm components, possibly targeting device hardware responsible for network communications. Hardware-level vulnerabilities are particularly concerning as they bypass OS-level protections, making detection and prevention challenging.

Severity: If exploited, CVE-2024-38408 could allow attackers to manipulate hardware-level functionalities, intercept communications, and even hijack network-based data transmissions.

Google’s November Security Patches: Breakdown and User Guidance

The November security patches address these zero-days and 48 other vulnerabilities across different Android versions, ranging from 12 to 15. The fixes are rolled out through two patch levels:

– November 1 Patch: Focuses on core Android vulnerabilities, addressing 17 issues, including the two zero-days.

– November 5 Patch: Expands to include vendor-specific fixes, covering an additional 34 vulnerabilities affecting components from Qualcomm, MediaTek, and other hardware vendors.

For users, updating to the latest patch level is essential. Android 11 and older devices may no longer receive full support but could get selective patches for critical vulnerabilities through Google Play system updates, though coverage is not guaranteed.

Also read: OEMs Are Urged to Address Vulnerabilities in Device Communication

How to Apply the Latest Android Update

To ensure your device is protected, follow these steps to update your Android device:

– For System Update: Go to Settings > System > Software updates > System update.

– For Security Update: Navigate to Settings > Security & privacy > System & updates > Security update.

A device restart will be required to finalize the update.

Implications of Unpatched Devices

The presence of actively exploited vulnerabilities calls for an urgency in applying these patches. Without updates, devices are at risk of:

– Remote Exploitation: Attackers could gain unauthorized access to data and device functions.

– Data Privacy Threats: Zero-days like CVE-2024-43047 and CVE-2024-43093 are often leveraged in highly targeted campaigns focusing on surveillance and data exfiltration.

– Device Integrity Risks: Hardware-based vulnerabilities (like those affecting Qualcomm components) expose users to potential device malfunctions and even physical security risks. With CVE-2024-38408 affecting Qualcomm components, attackers may gain deep-level control that bypasses typical OS-level protections, making such exploits more severe in their impact and harder to patch.

For Android 11 or older users, consider upgrading to a newer model or using a third-party Android distribution that includes the latest security patches.

Conclusion and Recommendations

Google’s November 2024 security update is a critical release for Android users, addressing zero-day vulnerabilities that could otherwise lead to severe data and privacy breaches. The targeted nature of these attacks suggests a focus on high-value individuals, but the risk extends to all users who remain unpatched.

Timely security updates are essential in defending against sophisticated cyberattacks. Android users should prioritize these patches to safeguard their data, privacy, and device integrity against current and future exploits.

Staying vigilant and promptly applying updates is the best defense against the growing wave of mobile threats, particularly for those in sensitive or high-profile roles. By understanding the nature of these vulnerabilities and their potential impact, users can better appreciate the importance of keeping their devices secure and up-to-date.

Source:

https://source.android.com/docs/security/bulletin/2024-11-01

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43047

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43093

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38408

The post Google Fixes Critical Zero-Day Vulnerabilities in Latest Android Security Update appeared first on Cyble.

Blog – Cyble – ​Read More

GodFather Malware Expands Its Reach, Targeting 500 Banking And Crypto Applications Worldwide

GodFather Malware

Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) has identified a new variant of the GodFather malware, now targeting 500 banking and cryptocurrency apps.
  • Initially focused on regions like the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach to include Japan, Singapore, Greece, and Azerbaijan.
  • The GodFather malware has transitioned the Java code implementation to the Native code for its malicious activities.
  • In its latest version, the GodFather malware uses limited permissions, relying heavily on Accessibility services to capture credentials from targeted applications.
  • This updated variant also includes new commands that enable the malware to automate gestures on infected devices, mimicking user actions.
  • The Threat Actor(TA) behind GodFather malware uses a phishing site to deliver the suspicious app and tracks visitor counts to plan further activity.

Overview

Cyble Research and Intelligence Labs (CRIL) recently identified a phishing site, “mygov-au[.]app,” masquerading as the official MyGov website of the Australian Government. Upon further analysis, this site was found to be distributing a suspicious APK file linked to the GodFather Malware, known for its ability to steal banking application credentials.

Figure 1 – Phishing site impersonating myGov website distributing APK file

The downloaded application, “MyGov.apk”, communicates with the URL “hxxps://az-inatv[.]com/.” This app is programmed to track the number of devices it is installed on, retrieve the device’s IP address, and store this information on the server in a text file. Figures 3 and 4 show the code of index.php and count.php responsible for getting the count and IP address.

Figure 2 – Malware loading URL, which maintains the counter

Figure 3 – Getting counts and IP addresses

Figure 4 – Getting the IP address of an infected device

The URL “hxxps://az-inatv[.]com/” hosted an open directory containing a file named counters.zip, which included the total count of infected devices and a list of IP addresses. Additionally, the directory featured a page labeled “down” that hosted another APK file called “lnat Tv Pro 2024.apk.” Upon analyzing this APK, it was identified as the GodFather Malware.

Figure 5 – Open directory hosting counters.zip and GodFather malware

Upon examining the counters.zip file, we found 151 counts in hit.txt and 59 unique IP addresses, reflecting the targeted device count. While the MyGov application collected this data, we suspect the TA may leverage this visitor information to identify potential victim counts and later use the same website to distribute the GodFather malware.

Figure 6 – Counters.zip content

Notably, we observed that the latest variant of the GodFather malware has moved from Java code to native code implementation. It is now targeting 500 banking and cryptocurrency applications and expanding its reach to Japan, Singapore, Azerbaijan, and Greece. Further details on this new variant of GodFather are provided in the following section.

Technical Details

In the latest version, the GodFather malware operates with minimal permissions, relying heavily on the Accessibility service to carry out its malicious activities.

Figure 7 – Manifest with limited permissions

Native Code Implementation

Starting our analysis with the classes specified in the manifest file, we observed that the malware calls numerous native methods, which were previously implemented in Java code.

Figure 8 – Calls to native methods

These native functions implement various malicious capabilities, including loading an injection URL into the WebView, executing automated gestures, establishing connections with the Command and Control (C&C) server, and keylogging.

Figure 9 – Native code implementation

C&C Server

Similar to the previous variant, the latest samples also connect to the Telegram URL “hxxps://t.me/gafaramotamer,” where the TA has embedded a Base64-encoded C&C URL. The malware retrieves and decodes this URL to “hxxps://akozamora[.]top/z.php.”

Figure 10 – Malware fetches C&C server URL from Telegram Profile

Targeting 500 Crypto and Banking Applications

After decoding the URL, the malware begins communication by sending data such as the list of installed application package names, the device’s default language, model name, and SIM name. In return, it receives a list of 500 targeted application package names associated with banking and cryptocurrency apps. In addition to previous targets in the UK, US, Turkey, Spain, and Italy, GodFather has expanded its reach, now including Japan, Singapore, Greece, and Azerbaijan.

Figure 11 – Receives the list of target application package names

When the user tries to interact with the target application, the malware closes the genuine application. Instead, it loads a fake banking or crypto login URL into the WebView or displays a blank screen. It constructs the injection URL using the C&C server “hxxps://akozamora[.]top/” and appends the endpoint “rx/f.php?f=” along with the device name, package name, and default language, then loads the assembled URL in the WebView.

Figure 12 – Loading fake login pages

The GodFather malware has successfully replaced the traditional overlay attack with this technique. Rather than launching the legitimate application, the malware activates itself and loads a phishing page to steal banking credentials.

Commands Added In New Version

The previous version included commands for USSD and SMS operations, which have been removed in the latest version. Additionally, this malware version lacks permission to collect or send SMS messages from the infected device. Instead, the newly added commands focus primarily on automating actions on the infected device. Below is a list of commands observed in the latest version of the GodFather malware.

Command Description
clickposition Malware clicks on the position X and Y received from the server
backed Take the user to the previous screen
home Take the user to the home screen
recents Take the user to the recent screen
scrollforward Malware scrolls the page forward using the given parameter
scrollback It scrolls the page backward till using the provided parameter
opencontrol Perform gestures on the target app
setpattern Receives some value from the server and saves it to a shared preference variable “pc”
screenlight Manages the brightness of the screen
sl2 Setting up a wake lock to keep the device awake
sl3 Similar to sl2
autopattern The value received using “setpattern” command is used to insert on the device screen using the accessibility service.
csn Set the timer to initiate the WebSocket connection
swpfull Perform swipe operation
upswp Perform swipe up
downswp Perform swipe down
leftswp Perform left swipe
rightswp Perform right swipe
vncreset Not Implemented
opnap Open the application whose package name is received from the server
gif Loads Gif from link “hxxps://s6.gifyu.com/images/S8uz3.gif”
opnsttings Opens setting app
opnsound Opens sound setting
opnmsc Opens notification setting
opnpckg Not Implemented
notifyopen Opens notification using Accessibility service

Conclusion

The latest version of the GodFather malware shows how dangerous and adaptable mobile threats have become. By moving to native code and using fewer permissions, the attackers have made GodFather harder to analyze and better at stealing sensitive information from banking and cryptocurrency apps. With its new automated actions and broader targeting of apps in more countries, this malware poses a growing risk to users worldwide. Staying alert and using strong security practices on mobile devices is essential to avoid falling victim to threats like GodFather.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

Tactic Technique ID Procedure
Initial Access (TA0027) Phishing (T1660) Malware distributing via phishing site
Execution (TA0041) Native API (T1575) Malware using native code to drop final payload
Persistence (TA0028) Scheduled Task/Job (T1603)   Uses timer to initiate WebSocket connection
Defense Evasion (TA0030) Masquerading: Match Legitimate Name or Location (T1655.001) Malware pretending to be a genuine Music application
Defense Evasion (TA0030) Application Discovery (T1418) Collects installed application package name list to identify target
Defense Evasion (TA0030) Input Injection (T1516) Malware can mimic user interaction, perform clicks and various gestures, and input data
Collection (TA0035) Input Capture: Keylogging (T1417.001) Malware can capture keystrokes
Discovery (TA0032) System Information Discovery (T1426) The malware collects basic device information.
Command and Control (TA0037) Web Service: Dead Drop Resolver (T1481.001) Malware communicates with Telegram to fetch C&C server
Exfiltration (TA0036) Exfiltration Over C2 Channel (T1646) Sending exfiltrated data over C&C server

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e e789b03b60ad99727ea65b52ce931482fb70814e 87ccf62e07cf69c25a204bffdbc89630 SHA256 SHA1 MD5 Analyzed GodFather malware
hxxps://akozamora[.]top/   URL C&C server
hxxps://t.me/gafaramotamer URL Malware fetching C&C from Telegram URL
hxxps://az-inatv[.]com URL URL hosting new GodFather variant
mygov-au[.]app Domain Phishing domain distributing counter app
8ae2fcc8bef4d9a0ae3d1ac5356dbd85a4f332ad497375cd217bd1e945e64692 d57ef894b53f804c97d40c3e365faf729ce2ea7386b280f9909ebc8432008eee d508078368d8775fcfff5a7886392da57fcf757c89687f22c0504c3df9075b00 b3d3019ed0a4602fb7e502e54ac12a59da1a0ed7b6736feb98ce7c417091b2e6 3aa7e2353c2de16734f612eba7b43a2538d96f73702a6c25283d6ef0c9300a4c 1ce2a392dd2c1df22dfeb080c7ad290d63e3afe983729927b2f15c6705861070 d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e d8165712329fa120b5cc696514b5dd0d7043fbf7d6b6ef5f767348e0ba31aa6e 0c9e2ae9c699374f06a6d38cf2ea41232fc8a712e110be8069b08659fdf50514 19ed4f67710d455da42017de28688f5e55ed36809cc70252d825ac81713e95d1 7b4543cc4df1fc57af2cd9a892b2fab3647bdceb027d576217724a8c012a2065 2b1b527b87929a13f0c33391c641b3013da099fd7de10695d762da097bc13ffc 2b1b527b87929a13f0c33391c641b3013da099fd7de10695d762da097bc13ffc 72d40ff8ad114724b8d4e0350f81f797866c0f271844aeddc3b92f33faa6fbc0 SHA256 New GodFather variant hashes

The post GodFather Malware Expands Its Reach, Targeting 500 Banking And Crypto Applications Worldwide appeared first on Cyble.

Blog – Cyble – ​Read More