Malicious QR codes

  • QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Talos’ data, roughly 60% of all email containing a QR code is spam.  
  • Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code’s orientation and position. 
  • Further complicating detection, both by users and anti-spam filters, Talos found QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes spread, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first “Quick Response” codes (QR codes). 

QR codes are a two-dimensional matrix barcode that can encode just over seven thousand numeric characters, or up to approximately four thousand three hundred alphanumeric characters. While they can represent almost any data, the QR codes we encounter most frequently encode URLs. 

Quantifying the QR code problem 

Cisco Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up as little as 0.01% and up to 0.2% of all email worldwide, which equates to roughly 1 out of every 500 email messages. This is not a very big number. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users’ email inboxes, skewing users’ perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, roughly 60% of all email containing a QR code is spam.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate Wi-Fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few or no alerts from security devices will notify security teams that this has occurred.  

Why are malicious QR codes hard to detect? 

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters. Below is an example of an email containing a Unicode art QR code.    

An email containing a QR code constructed from Unicode characters (defanged).

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode characters used to construct the QR code. 

HTML used to construct a malicious QR Code from Unicode characters.

Defanging QR codes 

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, or to add brackets [] around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging”. Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

A news article from BBC containing a working QR code (this has been defanged by Talos).

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. To make malicious QR codes safe for consumption, they should be defanged. 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code’s orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. 

A normal QR code on the left vs. a defanged QR code on the right.
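As an added example (not Talos’ code), the Python below ties together the two points above: it reads a Unicode-art QR code into a module matrix, flags it by locating the three position detection (finder) patterns, and defangs it by blanking one of them. It assumes one U+2588 FULL BLOCK character per dark module and a space per light module (real senders may use other glyphs), and its sample grid is constructed: QR-shaped, but not a valid, decodable QR code.

```python
# Added example (not Talos code). Parses a "Unicode art" QR code into a module
# matrix, flags it by locating the three 7x7 position detection (finder)
# patterns, and defangs it by blanking one of them, as described in the text.
# Assumption: the art uses U+2588 FULL BLOCK for dark modules and spaces for
# light modules, one character per module (real senders may use other glyphs).
import random
from typing import List, Tuple

DARK = "\u2588"           # FULL BLOCK
LIGHT = " "
Matrix = List[List[int]]  # 1 = dark module, 0 = light module

# The 7x7 position detection pattern: dark border, light ring, 3x3 dark core.
FINDER = [
    [1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1],
]


def text_to_matrix(art: str) -> Matrix:
    """Turn block-character art into a 0/1 module matrix (rows padded to equal width)."""
    lines = art.strip("\n").splitlines()
    width = max(len(line) for line in lines)
    return [[1 if ch == DARK else 0 for ch in line.ljust(width)] for line in lines]


def matrix_to_text(m: Matrix) -> str:
    """Render a module matrix back to block-character art (used for display)."""
    return "\n".join("".join(DARK if v else LIGHT for v in row) for row in m)


def find_finder_patterns(m: Matrix) -> List[Tuple[int, int]]:
    """Return the (row, col) of every exact 7x7 finder pattern match, scanning row by row."""
    hits = []
    for r in range(len(m) - 6):
        for c in range(len(m[0]) - 6):
            if all(m[r + i][c + j] == FINDER[i][j] for i in range(7) for j in range(7)):
                hits.append((r, c))
    return hits


def looks_like_qr(m: Matrix) -> bool:
    """Heuristic a mail filter could apply to text/HTML bodies: three finder patterns present."""
    return len(find_finder_patterns(m)) >= 3


def defang(m: Matrix) -> Matrix:
    """Blank the first finder pattern found; scanners can then no longer orient the code."""
    out = [row[:] for row in m]
    hits = find_finder_patterns(m)
    if hits:
        r0, c0 = hits[0]
        for i in range(7):
            for j in range(7):
                out[r0 + i][c0 + j] = 0
    return out


def build_sample_art(size: int = 21, seed: int = 7) -> str:
    """Constructed sample: a 21x21 grid with the three finder patterns (plus their
    light separators) of a version 1 symbol and pseudo-random filler elsewhere.
    It is QR-shaped but NOT a valid, decodable QR code; only the structure matters."""
    rng = random.Random(seed)
    m = [[rng.randint(0, 1) for _ in range(size)] for _ in range(size)]
    for r0, c0 in ((0, 0), (0, size - 8), (size - 8, 0)):
        for i in range(8):  # 8x8 light block = finder pattern area + separator
            for j in range(8):
                m[r0 + i][c0 + j] = 0
    for r0, c0 in ((0, 0), (0, size - 7), (size - 7, 0)):
        for i in range(7):
            for j in range(7):
                m[r0 + i][c0 + j] = FINDER[i][j]
    return matrix_to_text(m)


if __name__ == "__main__":
    original = text_to_matrix(build_sample_art())
    print("finder patterns:", find_finder_patterns(original), "qr-like:", looks_like_qr(original))
    safe = defang(original)
    print("after defang:   ", find_finder_patterns(safe), "qr-like:", looks_like_qr(safe))
    print(matrix_to_text(safe))
```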

Be careful what you scan! 

For years security professionals have encouraged users not to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it. Below are some QR codes found online by Talos which illustrate a range of artistic possibilities.  

Note: these images have been created by third parties and posted online. Talos is not responsible for the artwork, nor the linked content.

How to protect yourself from malicious QR codes 

QR codes have become ubiquitous, appearing in email, on restaurant menus, at events, on retail packaging, in museums, and even in public parks and on trails. The perfect defense is to avoid scanning *any* QR codes; however, it can be difficult to avoid scanning them entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will enable you to inspect the link more closely. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never EVER enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to log in, rather than clicking on a URL presented to you by an unknown third party. 

Cisco Talos Blog

Middle East Cybersecurity in 2024: From Zero-Day Exploits to Supply Chain Attacks 


Overview 

In 2024, the Middle East faces an escalating wave of cyberattacks amid its rapid digital transformation, with zero-day exploits and advanced attack techniques targeting critical infrastructure, government entities, and supply chains. Cybercriminals are increasingly exploiting vulnerabilities like CVE-2024-4577 and CVE-2024-26169, demonstrating a heightened ability to disrupt sectors such as oil, gas, and telecommunications.  

In response, regional governments are strengthening Middle East cybersecurity frameworks, with nations like Qatar, Saudi Arabia, and Oman enforcing stricter regulations and fostering cross-sector collaboration. The cost of cyber incidents has surged, with financial and operational tolls reaching unprecedented levels. To mitigate these threats, organizations are urged to adopt proactive patch management, invest in AI-driven defense, and strengthen supply chain security, while enhancing regional cooperation to combat shared threats. 

The Rise of Zero-Day Exploits: A Double-Edged Sword 

Cyber adversaries in 2024 have demonstrated an unsettling ability to weaponize zero-day vulnerabilities faster than ever before. Take CVE-2024-4577, for example: within days of its patch release, attackers wielded it to propagate the infamous TellYouThePass ransomware. Similarly, the Cardinal cybercrime group exploited CVE-2024-26169—a Windows kernel flaw—weeks before Microsoft rolled out a patch. These incidents are a stark reminder of the urgent need for organizations to adopt real-time monitoring systems and robust patch management strategies. 

Attack Techniques That Redefine Sophistication 

The arsenal of cybercriminals is expanding. In 2024, innovative attack techniques such as the Terrapin Attack (CVE-2023-48795) and OpenSSH Command Injection (CVE-2023-51385) have exposed vulnerabilities in encryption protocols and communication systems. The Terrapin Attack, a downgrade assault on the SSH protocol, revealed the fragility of encryption systems under certain conditions. Meanwhile, the exploitation of OpenSSH’s ProxyCommand feature underscored the critical need for securing shell operations in enterprise environments. 

Targeted Sectors: Where the Hits Keep Coming 

Some industries in the Middle East have become favored targets: 

  • Government Institutions: Almost 25% of all reported attacks in 2024 targeted government entities, with a mix of ransomware and wiper malware like the “BiBi Wiper” aimed at destabilizing operations in Israel. 

  • Critical Infrastructure: Cyberattacks on oil, gas, and transportation sectors exploited vulnerabilities in operational technology (OT), such as CVE-2024-9463 in Palo Alto Networks’ Expedition platform. 

  • Telecommunications: Hacktivist campaigns leveraged CVE-2023-41570, disrupting wireless network management systems, with impacts cascading across dependent industries. 

Supply Chains Under Siege 

The introduction of malicious components into electronic devices in September 2024 marked a new low for supply chain vulnerabilities. These attacks bypassed traditional defenses, enabling long-term, undetected infiltration into critical ecosystems. The lesson? Rigorous supply chain risk management must become a priority. 

Governments Fight Back: A Unified Cybersecurity Front 

The region’s response to escalating threats has been commendable. 

  • Qatar: Under the National Cybersecurity Strategy (2024), the National Cyber Security Agency (NCSA) has championed cross-sector collaboration. 

  • Saudi Arabia: The National Cybersecurity Authority (NCA) enforces its Essential Cybersecurity Controls (ECC) with a focus on resilience and governance. 

  • Oman: Foundational frameworks like the Basic Security Controls (BSC) continue to guide both public and private entities toward stronger defenses. 

Meanwhile, stricter regulations, including Qatar’s Personal Data Protection Law (PDPL) and Saudi Arabia’s Anti-Cyber Crime Law, are pushing organizations to prioritize data security, incident response, and compliance. 

The Cost of Cyber Insecurity 

Cyberattacks are exacting a steep toll on Middle East cybersecurity in 2024. The average cost of a cyber incident in the region hit $8.75 million in 2024—almost double the global average. Critical infrastructure and financial services bore the brunt, with operational disruptions at gas stations in Iran exemplifying the widespread ripple effects of such incidents. 

The dark web has only added fuel to the fire. Over 10 million sensitive credentials from government and financial institutions surfaced online this year, exacerbating public distrust and inviting stricter regulatory scrutiny. 

Strategic Recommendations for Organizations 

  1. Accelerate Patch Management: A proactive approach to real-time monitoring and immediate patching can mitigate vulnerabilities before attackers exploit them. 

  2. Invest in AI-Driven Defense: Advanced AI tools for threat detection and automated response can outpace even the most sophisticated attackers. 

  3. Strengthen Supply Chain Security: Stringent vetting of suppliers and the adoption of robust risk management practices are now non-negotiable. 

  4. Enhance Regional Collaboration: Real-time intelligence sharing between nations and industries is critical to combating shared threats. 

Looking Ahead 

As the Middle East continues its digital transformation, its cybersecurity challenges will only grow. Yet, with the right investments in technology, collaboration, and governance, the region has the potential to turn these challenges into opportunities for resilience and innovation. For organizations operating in this dynamic landscape, staying ahead of the curve is not just a strategic advantage—it’s an imperative. 


The post Middle East Cybersecurity in 2024: From Zero-Day Exploits to Supply Chain Attacks appeared first on Cyble.

Cyble Blog

Kaspersky Password Manager Update | Kaspersky official blog

We’re always working to ensure our products and solutions remain top-tier — both in our own view and in the eyes of independent researchers. We take a comprehensive approach to this, adding new features, combating emerging malware, simplifying migration, and continually enhancing user experience.

Today, we’re excited to introduce a major update to Kaspersky Password Manager for mobile devices. This update will be available in all app stores during November 2024. We’re confident this refresh will make storing and managing passwords, two-factor authentication codes, and encrypted documents even easier. In this article, we’ll cover advanced filtering, search functionality, synchronization, and more.

Highlights

The mobile version of our password manager is celebrating its 10th anniversary this year (while the desktop version turns 15), and in those 10 years we’ve managed to consolidate all the best features into a single app. In recent years, we’ve been conducting extensive Kaspersky Password Manager user-behavior research and, based on the findings, we’ve completely revamped the navigation in our mobile app.

What’s new:

  • The side menu has been replaced with a navigation bar at the bottom of the screen. The product’s core features are now organized into sections.
  • We’ve created a dedicated section for the in-app search, and improved the search scenarios.
  • Managing favorite entries is now more convenient; they’re now pinned at the top of the list.
  • We’ve added a “Sync” button and placed it in a prominent location.
  • The password generator, import, and security-check features have been grouped into a separate “Tools” section.

These changes are available to all Kaspersky Password Manager users on both Android (app version 9.2.106 and later) and iOS (app version 9.2.92 and later).

Navigation bar

All core Kaspersky Password Manager functions are now accessible through the navigation bar at the bottom of the screen.

Updated home screen of Kaspersky Password Manager for iOS (left) and Android (right)


Let’s look at each element of the new bar from left to right.

  1. All Entries. This is the main menu – the heart of our password manager.
  2. Subscription. Here, you can view your current subscription, including the expiry date and provider. If you don’t have a subscription, you can create or log in to a My Kaspersky account to activate or purchase one.
  3. Tools. Here, you’ll find the “Password Generator”, “Password Check”, and “Import Passwords” tools. The names speak for themselves. With a single click, you can create strong, unique passwords, check your existing passwords for uniqueness, strength, security, and compromise in data breaches, and import passwords from built-in browser password managers and similar products into our secure vault.
  4. Search. If you’re an active internet user and have dozens or even hundreds of unique passwords for different accounts saved in Kaspersky Password Manager, simply click on the magnifying glass icon and type just a few characters to quickly find the entry you need.
  5. Settings. This is where you can enable notifications, change your primary password, configure auto-lock and login methods, choose sorting options, access help resources, check the app version, and log out of your account.

New filtering

Let’s dive a little deeper. Another additional feature is the option to select entry categories within a section. Now, clicking “All Entries” opens a dropdown menu with these categories: websites, apps, other, bank cards, documents, addresses, notes, authenticator, and folders (you can create new folders as needed).

New entry category display in Kaspersky Password Manager for iOS (left) and Android (right)


Other additions

In the top right corner, you’ll notice a new “Sync” icon – replacing the “Search” button, which now resides in the navigation bar. Clicking this new icon displays the current synchronization status of your entries between your cloud storage and devices. If everything is in order, and your smartphone is connected to the internet and operating normally, you’ll see “All data is synced” with the date and time of the last sync. To refresh the data manually, click “Sync”.

The Search function has not only gotten its own tab in the navigation bar, but now also remembers your last search within the current session. For example, let’s say you were searching for your virtual card details while shopping, then switched to the “All Entries” menu, checked the settings and sync status, and then returned to “Search”. Your query and results will remain, despite your little wander through Kaspersky Password Manager. However, if you restart the app or clear the search, you’ll have to enter the query again.

Important note for Kaspersky Password Manager users on iOS 18. Due to Apple’s policies, the default source for auto-filling passwords and logins in iOS 18 is Apple’s built-in “Passwords” app, not Kaspersky Password Manager. This is easy to fix:

  1. After updating to iOS 18, you need to launch Apple’s “Passwords” app at least once. This will activate the “AutoFill & Passwords” section in your device settings.
  2. Go to “AutoFill & Passwords” in the device settings.
  3. Select Kaspersky Password Manager as the preferred password auto-filling source.
  4. In the “Set Up Codes In” section, select Kaspersky Password Manager.

Everything is now set for secure password management. On Android devices, when you first launch the password manager, enable autofill permissions. Simply follow the in-app instructions to do so.

Kaspersky official blog

CISA Adds Three Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog


Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added three significant vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV), based on evidence of active exploitation. These vulnerabilities, identified in popular networking and security products, represent a considerable risk to both private and government networks.

The recently added vulnerabilities to the CISA’s Known Exploited Vulnerabilities Catalog include CVE-2024-1212, a critical OS command injection flaw in the Progress Kemp LoadMaster; CVE-2024-0012, an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS; and CVE-2024-9474, a privilege escalation issue within PAN-OS that enables attackers to escalate privileges via OS command injection.

These vulnerabilities have been categorized with varying levels of urgency and severity, but all share a common characteristic—they pose substantial risks when left unaddressed, particularly for federal enterprises. The vulnerabilities were identified through active threat research and exploitation monitoring, underlining the need for immediate mitigation and patching.

CVE-2024-1212: Progress Kemp LoadMaster OS Command Injection Vulnerability

Progress Kemp LoadMaster, a widely used application delivery controller and load balancer, has been found to contain a severe OS command injection vulnerability. This issue, designated CVE-2024-1212, allows an attacker with access to the administrator web user interface (WUI) to execute arbitrary commands on the affected system. The vulnerability stems from a flaw in the LoadMaster’s handling of API requests via the administrator interface.

The vulnerability in Progress Kemp LoadMaster (CVE-2024-1212) is triggered when an attacker sends specially crafted input to the system’s “/access” endpoint, which bypasses existing restrictions. This input is improperly handled by a vulnerable Bash script, leading to unchecked user input being passed into a system() call.

As a result, attackers can inject malicious commands that could potentially escalate privileges to root, providing full control over the device. The affected version is 7.2.59.0.22007, while the issue has been addressed in the patched version 7.2.59.2.22338. For further details, users are encouraged to review the Kemp LoadMaster CVE-2024-1212 advisory.

The vulnerability was rapidly patched after its discovery, but administrators are urged to upgrade to the latest version to mitigate potential exploitation risks. If left unpatched, the vulnerability allows attackers to completely compromise the affected system, making it a prime target for cybercriminals.

CVE-2024-0012: PAN-OS Authentication Bypass Vulnerability

CVE-2024-0012 is a critical vulnerability in Palo Alto Networks PAN-OS, the software that powers their next-generation firewalls. This vulnerability allows unauthenticated attackers to bypass authentication mechanisms on the management web interface, granting them administrator-level privileges.

The vulnerability in PAN-OS software (CVE-2024-0012) affects the management interface, allowing attackers to bypass authentication controls and gain unauthorized access to administrative functions. This could lead to a full compromise of the firewall, enabling attackers to modify configurations, exfiltrate sensitive data, or exploit other vulnerabilities, such as CVE-2024-9474, which facilitates privilege escalation.

Reports indicate that this flaw is actively being exploited, with cybercriminals targeting management interfaces exposed to the internet. The vulnerability has been assigned a critical severity score of 9.3, highlighting its potential impact. Affected versions include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2.

Palo Alto Networks published an advisory (PAN-SA-2024-0015) on November 18, 2024, and has released patches for PAN-OS versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later versions. To mitigate risks, the company strongly recommends restricting access to the management interface to trusted internal IP addresses.

CVE-2024-9474: PAN-OS Privilege Escalation Vulnerability

Another vulnerability, CVE-2024-9474, found in the same PAN-OS software, allows attackers to escalate privileges once they have compromised a device through the previously mentioned CVE-2024-0012 vulnerability. This privilege escalation (PE) vulnerability is especially dangerous for organizations that have already been compromised, as it allows attackers to gain root-level access to the device, providing them with full control over the firewall system.

The vulnerability (CVE-2024-9474) allows attackers who have already bypassed authentication (via CVE-2024-0012) to escalate their privileges through a flaw in the web management interface of PAN-OS. Once they gain elevated privileges, attackers can perform administrative actions that are normally restricted, such as modifying critical system files or configurations, potentially leading to a complete system compromise.

This vulnerability has been assigned a medium severity rating of 6.9 and is actively being exploited. Affected versions include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2. To address the issue, Palo Alto Networks has released patches for PAN-OS versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later versions. In addition to applying these patches, it is recommended to restrict access to management interfaces to trusted internal IP addresses.

Recommendations and Mitigations

To mitigate the risks posed by these vulnerabilities, the following actions are strongly recommended for affected organizations:

  1. Ensure all affected systems are patched to the latest versions as listed in the vendor advisories. This will address the vulnerabilities at their core.
  2. Limit access to management interfaces to trusted internal IP addresses. This is the best defense against exploitation, particularly for vulnerabilities like CVE-2024-0012.
  3. Regularly monitor for any unusual activity or configuration changes within your firewalls or load balancers. This includes reviewing logs for signs of exploitation or attempts to exploit the listed vulnerabilities.
  4. Organizations using Palo Alto Networks’ firewalls with a Threat Prevention subscription should configure the system to block known attacks associated with these vulnerabilities using Threat IDs 95746, 95747, and others.

Conclusion

The addition of CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog highlights the active and ongoing nature of threats targeting critical infrastructure. Cybercriminals are increasingly targeting vulnerabilities in widely used enterprise tools like load balancers and firewalls, aiming to exploit weak points that could lead to full system compromises or privilege escalation.

Organizations that use affected products, such as Progress Kemp LoadMaster or Palo Alto Networks’ PAN-OS, are strongly encouraged to apply the necessary patches and follow best practices for securing management interfaces. By taking these steps, they can mitigate the risk of exploitation and protect their systems.


The post CISA Adds Three Critical Vulnerabilities to the Known Exploited Vulnerabilities Catalog appeared first on Cyble.

Cyble Blog

Simple tips for a safer digital life | Kaspersky official blog

From kids to retirees, no one is safe from cybercrooks. And if you’re always putting cybersecurity on hold because it all seems so daunting, our five dead-simple tips are just the ticket. Each of them will greatly beef up your protection against the most common cyberthreats. We compiled this post as part of INTERPOL’s #ThinkTwice global information campaign to raise awareness of the main cybercrime vectors plus simple but effective ways to counter them.

Automate your passwords

Make all your passwords for both websites and apps long enough (at least 12 characters) and unique (that is, never use them more than once). No one can think up and memorize so many passwords, so use a password manager to create, store and enter them. You’ll only need to come up with and memorize just one (long!) main password for it; everything else — from generating to entering passwords — will be done automatically.

Keep in mind: you need to install the password manager on all your devices to enter passwords easily and safely everywhere. The data will be synced across all your devices. So, having saved a password on your smartphone, you’ll be able to automatically enter it on your desktop, and vice versa. Note that the password manager will let you store in encrypted form not only passwords, but also PINs, full credit card details, addresses, notes, and even document scans.

Pro level: for maximum security, disable biometric login to the password manager — this way you’ll have to enter the main password every time you use the app, but no one will be able to access all your data without knowing the main password (don’t write it on a sticky note, by the way).

Enable double checking

Double checking, or two-factor authentication, protects you from password-stealing hackers who break into your accounts using leaked credentials. Besides the password, they’ll need to enter a one-time code sent to you via a text or an authenticator app.

Although banks enable two-factor authentication (2FA) automatically, in many other online services it remains optional. Wherever your data is even a tiny bit confidential (social networks, messengers, government services, email), we recommend enabling 2FA in the settings, if available.

Keep in mind: there’s usually a choice of how to get one-time codes: by email or text, or by generating them in a special authenticator app on your smartphone. Of these methods, the safest is to use the latter; next come codes via text (they can be intercepted), and the least secure option is codes via email.

With an authenticator app, the only risk is if you lose your smartphone, in which case you’ll also lose access to accounts protected by one-time codes. Here again, Kaspersky Password Manager comes to the rescue: not only does it securely store authentication tokens and generate one-time codes, it also synchronizes them across all your devices. So, if your smartphone is lost or broken, you can easily generate a verification code on any of your other devices, as well as restore all your Kaspersky Password Manager data to a new phone.

Pro level: get yourself a FIDO U2F hardware key — this dongle looks like a tiny flash drive and offers the best protection against hackers.

Double-check links and attachments

Never follow links or open files sent via messenger or email if you don’t recognize the sender or aren’t expecting any messages. If a friend, colleague or acquaintance writes you a message, but it looks even a little strange, call them, or reply via another communication channel to make sure it really is them and not a scammer.

Keep in mind: use two layers of defense! The first layer is your vigilance; the second is a comprehensive security solution. This will keep you away from phishing sites looking to extract passwords and money, as well as stop malware in its tracks. Incidentally, if a message or website asks you to turn off your antivirus – 99% of the time it’s an attempt to infect you.

Pro level: sign in to email, banking and other accounts only from browser bookmarks or by entering the address manually, and never open links in messages, emails or notifications — it might be phishing.

Enable automatic updates

This is to prevent cybercriminals from infecting you by exploiting bugs in your operating system, browser, office applications or other software. They can all update themselves — you just need to avoid postponing the restart when the program or computer prompts for one.

Keep in mind: sometimes “updates” are offered on websites. You go to the site, which says you need to update the browser, or video player, or Windows — and invites you to download an update on the spot. Stop! It’s a trick to sneak a virus into your device or computer. Genuine update prompts appear right in an application’s menu or as operating system notifications.

Pro level: Kaspersky Premium can monitor all your installed programs and notify you whenever an update becomes available. One click or tap, and everything’s up-to-date!

Think twice before sharing online

Photos sent to a stranger or scanned documents posted on social media can come back to bite you. You or family members might become victims of extortion, or scammers might use such information to create a convincing cover story to extract money from you or your friends. Therefore, only send and post things that you wouldn’t mind showing on a billboard outside your home. What gets posted online can be very difficult, if not impossible, to remove.

Keep in mind: social networks and messengers have privacy settings to adjust the visibility of your posts. Go there and change as many settings as possible from “Visible to everyone” to “Friends only”. To find out how to best configure privacy for operating systems, browsers, social networks and other programs, visit our Privacy Checker site.

Pro level: use a tool to monitor online leaks of personal information. A free option is to create a Google Alert for your name; a more powerful alternative is to go for a premium service. For example, Kaspersky Premium monitors leaks of personal data linked to all phone numbers and email addresses used by you and your loved ones as a standard feature.

How to automate protection

These tips are much easier to follow with an app that automates each aspect of security. Kaspersky Premium includes a password and one-time 2FA code manager, anti-phishing and anti-malware protection, update management and leak monitoring — all this and much more is available for both computers and smartphones. Join the club of savvy users who enjoy robust protection for next-to-no effort!

Kaspersky official blog

CERT-In Flags Two High-Risk Cisco Vulnerabilities Targeting Key Infrastructure


Overview

The Indian Computer Emergency Response Team (CERT-In) has recently added two Cisco vulnerabilities to its catalog. Both vulnerabilities target Cisco products, with high severity ratings and potential for impacts on the confidentiality, integrity, and availability of affected systems. 

The first vulnerability, CVE-2024-20536, affects Cisco’s Nexus Dashboard Fabric Controller (NDFC), specifically versions 12.1.2 and 12.1.3. The flaw is found in the REST API endpoint and web-based management interface, and it could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device.

The vulnerability arises due to insufficient input validation. An attacker with read-only privileges could exploit this flaw by sending specially crafted requests to the affected device’s REST API or management interface, bypassing input validation and potentially modifying or deleting data in the internal database. Exploiting this vulnerability could lead to denial of service (DoS) conditions and a significant disruption of operations.

The severity of the vulnerability is classified as high. It affects Cisco NDFC versions 12.1.2 and 12.1.3, making these systems particularly vulnerable to exploitation. The potential impact includes data manipulation, which could allow attackers to alter sensitive information, and service disruption, potentially leading to system downtime. Furthermore, there is a risk of data leakage, where unauthorized individuals may access and expose confidential data stored within the affected systems.

This vulnerability does not affect Cisco NDFC when it is configured as a Storage Area Network (SAN) controller. However, for organizations using the affected versions of Cisco NDFC, the potential risks are significant, especially in terms of data integrity and availability.
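The root cause named above, insufficient input validation letting a low-privileged API caller alter the SQL a backend runs, is easiest to see side by side. The following is an added example written for this page; it is not Cisco NDFC code and the switch-inventory schema is constructed. The vulnerable handler splices the caller's string into the statement, so a read-only account can read rows it was never meant to see; the hardened handler binds the value as a parameter and additionally allow-lists the name format before it reaches the database.

```python
import re
import sqlite3

# Constructed inventory standing in for a fabric controller's internal database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_switch (name TEXT, mgmt_ip TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO fabric_switch VALUES (?, ?, ?)",
        [("leaf-01", "10.0.0.11", "leaf"),
         ("leaf-02", "10.0.0.12", "leaf"),
         ("spine-01", "10.0.0.1", "spine")],
    )
    return conn


def lookup_switch_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # String formatting: the caller's input becomes part of the SQL grammar,
    # so a quote followed by a tautology widens a single-row lookup to the whole table.
    sql = f"SELECT name, mgmt_ip, role FROM fabric_switch WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_switch_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the driver sends the value separately from the statement,
    # so the same input is compared literally and simply matches nothing.
    return conn.execute(
        "SELECT name, mgmt_ip, role FROM fabric_switch WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for the one field a read-only caller may supply (hostname-like names).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")


def is_valid_switch_name(name: str) -> bool:
    return bool(NAME_RE.fullmatch(name))


def handle_request(conn: sqlite3.Connection, name: str) -> dict:
    """API-layer handler: validate the shape first, then query with bound parameters."""
    if not is_valid_switch_name(name):
        return {"error": "invalid switch name"}
    return {"rows": lookup_switch_safe(conn, name)}


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"          # constructed input from a read-only caller
    print("vulnerable:", lookup_switch_vulnerable(db, probe))
    print("safe:      ", handle_request(db, probe))
```

The two layers are independent: binding alone already neutralises the structural change, and the allow-list additionally rejects the request before any database round-trip, which is what the advisory's "input validation" refers to.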

CVE-2024-20484: Denial of Service in Cisco Enterprise Chat and Email (ECE)

The second vulnerability, CVE-2024-20484, affects Cisco Enterprise Chat and Email (ECE) versions 12.6 and earlier, running the External Agent Assignment Service (EAAS). This vulnerability could allow unauthenticated, remote attackers to trigger a Denial of Service (DoS) condition, disrupting the availability of the ECE system.

The vulnerability lies in the way Cisco ECE handles Media Routing Peripheral Interface Manager (MR PIM) traffic. An attacker could exploit this flaw by sending specially crafted MR PIM traffic, causing a failure in the MR PIM connection between Cisco ECE and Cisco Unified Contact Centre Enterprise (CCE). This failure leads to a denial-of-service condition, rendering the ECE system inoperable.

This issue primarily affects organizations using Cisco ECE for enterprise communication. A successful attack could lead to widespread disruptions, affecting internal communications and customer service operations.

Cisco’s Broader Vulnerability Landscape: A Year of Increased Threats

While CVE-2024-20484 and CVE-2024-20536 are the latest additions to the catalog of known vulnerabilities, Cisco has had a series of high-severity vulnerabilities throughout the year. In addition to these new vulnerabilities, Cyble recently reported on a critical flaw in the Unified Industrial Wireless Software for Ultra-Reliable Wireless Backhaul (URWB), tracked as CVE-2024-20418. This vulnerability, with a CVSS score of 10.0 (the highest possible severity), allows attackers to gain root-level access to vulnerable Cisco devices.

Exploiting this flaw can enable unauthorized command execution on affected systems, making it one of the most dangerous vulnerabilities in Cisco’s product lineup this year. The CVE-2024-20418 vulnerability affects Cisco Catalyst Access Points operating in URWB mode, such as the Catalyst IW9165D, IW9165E, and IW9167E models. Attackers can exploit this flaw by sending specially crafted HTTP requests to the affected device, injecting commands with root privileges, and gaining control over the device. Exploiting this vulnerability could lead to compromises in industrial and high-stakes environments.

Moreover, Cyble sensors have previously detected cyberattacks targeting the “/+CSCOE+/logon.html” URL, which is linked to Cisco ASA’s WebVPN Login Page. Vulnerabilities like XSS, path traversal, and HTTP response splitting could allow attackers to execute code, steal data, or disrupt services.

Conclusion 

The disclosure of these Cisco vulnerabilities, such as CVE-2024-20484 and CVE-2024-20536, underscores the growing risk of exploitation in critical infrastructure, particularly in widely used systems like Cisco products. As Cyble and other threat intelligence firms have noted, cybercriminals are increasingly targeting known vulnerabilities, employing tactics such as brute-force attacks and leveraging the dark web to spread exploits.

With vulnerabilities continuing to be discovered and actively targeted, organizations must prioritize patch management, implement strong security measures, and conduct regular vulnerability assessments. By staying on guard and proactive in updating systems, segmenting networks, and monitoring suspicious activity, businesses can better defend against online threats. 

The post CERT-In Flags Two High-Risk Cisco Vulnerabilities Targeting Key Infrastructure appeared first on Cyble.


CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog


Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has officially added two high-severity vulnerabilities affecting Palo Alto Networks Expedition to its Known Exploited Vulnerability (KEV) Catalog.

The two Palo Alto Networks vulnerabilities, which are actively being targeted by cybercriminals, are identified as CVE-2024-9463 and CVE-2024-9465; both have critical severity ratings and are known to be actively exploited in real-world attacks. Organizations using affected versions of Palo Alto Networks Expedition are urged to take immediate action to mitigate the risks.

The vulnerabilities in question—CVE-2024-9463 (OS Command Injection) and CVE-2024-9465 (SQL Injection)—impact Palo Alto Networks’ Expedition software, a tool for migrating and optimizing PAN-OS configurations. Both flaws have been assigned CVSSv4 scores of 9.9 and 9.2, respectively, signifying their high criticality.

These vulnerabilities could allow attackers to gain unauthorized access to sensitive data or execute arbitrary commands on affected systems, posing online risks to organizations’ security.

Details of Palo Alto Networks Vulnerabilities: CVE-2024-9463 and CVE-2024-9465

The first vulnerability, CVE-2024-9463, is a critical OS command injection flaw that affects Palo Alto Networks Expedition. Assigned a CVSSv4 score of 9.9, this vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on the affected system.

If successfully exploited, this can compromise the integrity of the system, giving attackers the ability to disclose sensitive information. This includes usernames, cleartext passwords, device configurations, and API keys associated with PAN-OS firewalls, which are critical for securing network traffic.

Attackers exploiting this flaw can gain root access to these systems, making this vulnerability a prime target for those seeking to compromise firewall configurations and sensitive network data.

Another critical flaw, CVE-2024-9465, is a SQL injection vulnerability found in Expedition. This flaw, with a CVSSv4 score of 9.2, allows attackers to interact with and manipulate the system’s database, exposing sensitive information such as password hashes, usernames, and device configurations. Exploiting this vulnerability could give attackers the ability to create and read arbitrary files on the system, which increases the risk of a full system compromise.

Similar to CVE-2024-9463, the vulnerable version for CVE-2024-9465 is Expedition < 1.2.96. Additionally, proof-of-concept (PoC) exploits for this vulnerability have already been released to the public, escalating the risk of widespread attacks. As the PoC code is now accessible, it allows potential attackers to easily replicate the exploit and target vulnerable systems more efficiently.

Both CVE-2024-9463 and CVE-2024-9465 are critical vulnerabilities in the Expedition software suite. Organizations that are running versions of Expedition older than 1.2.96 are strongly advised to immediately update to the latest patched version. Given the severity and the ongoing active exploitation of these vulnerabilities, patching is crucial to protect sensitive information and maintain system security.

Cyble researchers have observed active exploitation of these flaws, with CVE-2024-9463 being particularly concerning due to its ability to grant attackers root-level access. This could result in a wide range of malicious activities, including data breaches, ransomware deployment, and unauthorized system modifications. Organizations should be particularly vigilant in monitoring their systems for signs of exploitation.

Recommendations and Mitigations

Palo Alto Networks has already released patches to address both vulnerabilities and organizations are urged to upgrade to Expedition version 1.2.96 or later. However, simply applying the patch may not be enough. The following mitigation strategies are recommended:

  • Organizations should immediately apply the latest patches released by Palo Alto Networks to close the vulnerabilities. Ensuring that systems are updated with the latest software versions will significantly reduce the risk of exploitation.
  • After upgrading to the fixed version of Expedition, all Expedition usernames, passwords, and API keys should be rotated to prevent attackers from using previously exposed credentials to access systems. Similarly, any firewall usernames, passwords, and API keys processed by Expedition should also be updated to maintain system security.
  • Organizations should implement comprehensive monitoring and logging solutions to detect suspicious activities. SIEM (Security Information and Event Management) tools can help organizations identify and respond to potential exploitation attempts in real-time.
  • Regular vulnerability assessments and penetration testing should be conducted to identify and address any other potential weaknesses. This proactive approach ensures that other unknown vulnerabilities are addressed.
  • Organizations should have a well-defined incident response and recovery plan in place, which includes procedures for detecting, responding to, and mitigating the effects of an attack. Regular testing and updates to the plan are crucial to ensure readiness against online threats.

Conclusion

The inclusion of CVE-2024-9463 and CVE-2024-9465 in CISA’s Known Exploited Vulnerabilities catalog highlights the urgent need for organizations to address these critical vulnerabilities in the Palo Alto Networks Expedition.

With active exploitation ongoing, it is important for organizations using vulnerable versions to prioritize patching and apply recommended security measures. Delaying action could lead to severe data breaches and system compromises.


The post CISA Adds Two Critical Palo Alto Networks Vulnerabilities to Known Exploited Catalog appeared first on Cyble.


Sailing Into Danger: DONOT APT’s Attack on Maritime & Defense Manufacturing


Key Takeaways

  • Cyble Research and Intelligence Labs (CRIL) came across a campaign linked to the known APT group DONOT, targeting the manufacturing industry that supports the country’s maritime and defense sectors.
  • The campaign uses a malicious LNK file disguised as an RTF containing encrypted data. The file is decrypted via PowerShell to deliver a lure RTF and payload.
  • A scheduled task is then created to ensure the malware runs every five minutes for persistence.
  • Random domains are generated with hardcoded words and TLDs for backup C&C servers.
  • The encryption method for C&C communication has changed compared to previous campaigns.
  • The stager malware communicates with the C&C server using AES encryption and Base64 encoding to evade detection.
  • The decryption key for the second-stage payload is now in the downloaded binary rather than hardcoded in the config file.
  • The victim’s system information is collected before delivering the final payload to assess the target’s value.
  • The stager malware uses environment variables to store critical configuration details, like C&C addresses and task information.

Overview

CRIL recently came across a campaign seemingly aimed at Pakistan’s manufacturing industry, which supports the country’s maritime and defense sectors. After analyzing the files involved in the campaign, it was determined that the attack was linked to the known APT group DONOT.

DoNot, also known as APT-C-35, is an Advanced Persistent Threat (APT) group operating since 2016. This group has a history of targeting government and military entities, as well as foreign affairs ministries and embassies across South Asia.

Figure 1 – Cyble Vision Threat Library

In this recent campaign, the Threat Actor (TA) uses the .LNK file as the initial infection vector, which could arrive within a RAR archive via spam email. The .LNK file is disguised as an RTF file, leading users to believe they are opening a legitimate file.

When the user clicks to execute, it triggers cmd.exe and powershell.exe to run additional malicious commands, loading the stager malware (a DLL file) and establishing persistence by creating a scheduled task to execute the DLL file through rundll32.exe. Also, it communicates with the primary C&C server by sending a unique device ID via a POST request and, in response, receives control commands from the TA to direct its next actions.

These actions include self-destruction, deployment of additional malicious payloads by downloading an encrypted payload from a specified URL, and subsequent execution. To evade detection and complicate analysis, the malware employs a different encryption method instead of the single-byte XOR key used in previous campaigns. The figure below shows the infection chain.

Figure 2 – Infection Chain

This “.LNK” file campaign was first identified by StrikeReady Labs, who reported it on the X platform. A similar campaign was also seen in July 2024, targeting Pakistan’s Government agencies and manufacturing industries using sector-specific lures. In the previous campaign, the TA employed malicious Office files with embedded macros and Rich Text Format (RTF) files that exploit vulnerabilities to load the stager DLL onto victim machines.

Compared with the previous campaigns, the initial infection vector has shifted from Microsoft Office files to .LNK files. Additionally, the stager DLL now employs an enhanced payload delivery method and improved C&C communication, incorporating encryption mechanisms at various stages.

Technical Analysis

The malicious “.LNK” file contains PowerShell commands, an encrypted lure RTF file, and the encrypted stager payload. Upon execution, the “.LNK” file initiates “cmd.exe,” which creates a directory in the “%temp%” path and copies “powershell.exe” to this location as “2SqSxDA2.exe.” The newly copied PowerShell process subsequently executes the PowerShell code embedded in the LNK file. The figure below shows the partial content of the LNK file.

Figure 3 – Partial contents of the LNK file

PowerShell Code

The PowerShell command embedded within the “.LNK” file retrieves both a lure file and a DLL from the “.LNK” itself. It identifies the “.LNK” file based on its file size and directory path, then decrypts the lure RTF file and the DLL file using a single-byte XOR operation with “0xB2.” Decryption begins at offset “0x1774” for the lure file and “0x79AF” for the DLL.

These extracted files are stored in the “%temp%7GGVXwRn” directory. Once extraction is complete, the PowerShell command deletes the PowerShell copy “2SqSxDA2.exe,” opens the lure document, and calls “rundll32.exe” to execute the DLL, invoking the export function “HgCallClient.”

Figure 4 – Content of PowerShell commands

Lure Document

The lure document is related to Karachi Shipyard & Engineering Works (KS&EW), a prominent defense contractor and shipbuilding company in Pakistan. This suggests that the TA is targeting industries supporting the defense sector. The figure below shows the lure document.

Figure 5 – Lure Document

DLL file analysis

Upon execution, the DLL begins extracting configuration details from an embedded JSON file. This configuration includes information such as the configuration filename, environment variable name, server domain, transit keys for secure communication, mutex, and user-agent string. The table below shows the configuration details.

Field Name Value
ConfigFileName Config.json
EnvVarTaskName PFTN
HMAC_Security j4fhrJpSqvgE
MachineMutex 5734b817-1bb8-402b-a761-da8f2e188baf
ServerDomain hxxps://internalfileserver[.]online:443/
TransitKey tTRxrb0kmbQGpdci
TransitSalt aWrtRHXuEBy6CwXj
userAgent Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
BackupServerURL hxxps://safehydratedcloudcosmoswebglobe[.]cc/
PrimaryServerUrl hxxps://internalfileserver[.]online:443/
FirstTaskName Schedule
TaskDefinition This service enables a user to configure and schedule automated tasks on this computer. It also hosts multiple Windows system-critical tasks. If this service is stopped or disabled, these tasks will not be run at their scheduled times, and any services that explicitly depend on it will fail to start.

Random domain generation

The BackupServerURL mentioned in the config file is generated by selecting six values from a hardcoded array of words and concatenating them to create a domain. A TLD is then selected from a separate array of TLD values. This randomly generated domain serves as a backup for Command and Control (C&C) communication. The figure below shows the list of available words used for generating random domains.

Figure 6 – Random Domain Generation
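A hunting heuristic for this backup-domain scheme, added here as example code (not Cyble's tooling and not the malware's own generator): because every generated domain is a fixed number of dictionary words glued together under one of a few TLDs, a DNS log can be screened by asking whether a queried label splits into exactly six words from the list. The article does not reproduce the word array from Figure 6, so the word and TLD lists below are reconstructed only from the two backup domains it quotes; a real deployment would load the full array carved from the sample. The log lines are constructed.

```python
import re
from functools import lru_cache

# Constructed subset: only the words recoverable from the two quoted backup domains.
WORDS = frozenset({"safe", "hydrated", "cloud", "cosmos", "web", "globe",
                   "florida", "cyber", "tech"})
TLDS = frozenset({"cc", "online"})   # likewise taken from the quoted domains
WORD_COUNT = 6                       # the article: six words concatenated, then a TLD


def segmentations(label: str, words: frozenset = WORDS):
    """All ways to split `label` into dictionary words (memoised prefix search)."""
    @lru_cache(maxsize=None)
    def split_from(i: int):
        if i == len(label):
            return ((),)
        out = []
        for j in range(i + 1, len(label) + 1):
            if label[i:j] in words:
                out.extend((label[i:j],) + rest for rest in split_from(j))
        return tuple(out)
    return split_from(0)


def normalise(indicator: str) -> str:
    """Accept defanged URLs ('hxxps://x[.]cc/') as well as bare hostnames."""
    host = indicator.strip().lower().replace("[.]", ".")
    return host.split("://", 1)[-1].split("/", 1)[0]


def matches_generator(indicator: str, words=WORDS, tlds=TLDS,
                      word_count=WORD_COUNT) -> bool:
    """True when the host is one alphabetic label under a listed TLD that splits into `word_count` words."""
    label, _, tld = normalise(indicator).rpartition(".")
    if tld not in tlds or not re.fullmatch(r"[a-z]+", label):
        return False
    return any(len(s) == word_count for s in segmentations(label, words))


def flag_dns_log(lines):
    """Return (line_no, hostname) for queries that fit the generator's pattern."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            if "." in token and matches_generator(token):
                hits.append((n, normalise(token)))
    return hits


# Constructed DNS log excerpt. The third query is the article's primary C&C, which is
# not generated and so must be matched from the IoC list, not by this heuristic.
SAMPLE_DNS_LOG = [
    "2024-11-11T09:58:01Z ws-017 query A safehydratedcloudcosmoswebglobe.cc",
    "2024-11-11T09:58:07Z ws-017 query A floridacloudcyberhydratedfloridatech.online",
    "2024-11-11T09:58:09Z ws-017 query A internalfileserver.online",
    "2024-11-11T09:59:30Z ws-042 query A cloudtech.cc",
]

if __name__ == "__main__":
    for line_no, host in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"line {line_no}: {host} matches the six-word generator pattern")
```

Word boundaries are ambiguous in concatenated labels, so the segmentation enumerates every split rather than greedily taking the longest prefix; memoisation keeps that linear in practice for labels of this length.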

Persistence

After extracting the configuration details, the DLL checks for the presence of a specific scheduled task named “Schedule.” If the task is not found, it creates a new task to execute the DLL via “rundll32.exe” every 5 minutes for one day, as shown in the figure below.

Figure 7 – Scheduled Task

After establishing persistence, the DLL sends a POST request to the primary server URL. This request includes headers such as an HMAC (Hash-based Message Authentication Code) generated from the HTTP method, contact URL, current DateTime, and an HMAC secret key, along with an “X-Timestamp.” The request body contains the unique DeviceID and configuration filename, encrypted using a hardcoded AES transit key and salt, then base64 encoded before being sent to the C&C primary URL. This encryption method marks a relatively new approach in this campaign compared to previous ones observed.

Figure 8 – C&C communication

If the C&C server responds with a status code of 200, the response content contains JSON configuration data, which is decrypted using the same AES transit key and IV. The decrypted data includes the following details:

  • DownloadURL
  • FileDropEnvironment
  • FileDropName
  • ExportFunctionName
  • TaskName
  • Self_Destruction (boolean)
  • Execution (boolean)

Figure 9 – JSON configuration

The decrypted JSON configuration data allows the TA to control key aspects of the malware’s behavior, such as downloading additional payloads, specifying file locations, and configuring execution options. This enables flexibility to adjust the attack as needed.

Next-Stage Payload Execution

If the TA intends to execute an additional payload, the encrypted payload is downloaded according to the C&C configuration. It is then decrypted using an XOR key found within the encrypted file, just after a sequence of magic bytes, and processed using the XOR round-robin method, as shown in Figure 10. This process differs from a previous campaign, where the encrypted data was fetched from a URL and the decryption key was provided directly in the C&C configuration, as shown in Figure 11.

Once decryption is successful, the data is verified as a valid binary by checking for the presence of the string “This program cannot be run in DOS mode”. The decrypted payload is then placed in the directory specified by the “FileDropEnvironment” variable.

Figure 10 – Decrypting the Payload (Latest Campaign)

Figure 11 – Decrypting the payload (previous campaign)
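Analyst triage code for the two XOR layers described in this write-up, added here as an example and not taken from the campaign's own components or from Cyble: first, carving the lure and the DLL out of the LNK at the offsets and single-byte key quoted above (with a 256-key brute force for when a later sample changes the key), and second, the stage-2 scheme where the key sits just after a run of magic bytes and the remainder is repeating-key ("round-robin") XOR, validated the same way the stager does, by looking for the MZ header and the DOS stub string. The article does not print the stage-2 magic bytes or the key length, so `STAGE2_MAGIC` and `STAGE2_KEY_LEN` are placeholders; the LNK and stage-2 blobs are constructed here to exercise the routines.

```python
import itertools

RTF_MAGIC = b"{\\rtf"
PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"

# Values quoted in the article for this sample.
LURE_OFFSET, DLL_OFFSET, LNK_XOR_KEY = 0x1774, 0x79AF, 0xB2

# Assumptions: the article does not reproduce the stage-2 magic bytes or key length,
# so these are placeholders to be replaced with values from the real sample.
STAGE2_MAGIC = b"\xDE\xAD\xBE\xEF"
STAGE2_KEY_LEN = 16


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key ("round-robin") XOR; a one-byte key is the single-byte case."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def carve_single_byte_xor(blob: bytes, offset: int, end=None, key=None):
    """Decode blob[offset:end] with a single-byte XOR key.

    With key=None every key is tried and the first that yields an RTF or MZ
    header wins, so the routine survives a key change in a later sample.
    Returns (key, plaintext) or None.
    """
    region = blob[offset:end]
    for k in ([key] if key is not None else range(256)):
        head = xor_bytes(region[:8], bytes([k]))
        if head.startswith(RTF_MAGIC) or head.startswith(PE_MAGIC):
            return k, xor_bytes(region, bytes([k]))
    return None


def looks_like_pe(data: bytes) -> bool:
    """The same sanity check the stager applies: MZ header plus the DOS stub string."""
    return data[:2] == PE_MAGIC and DOS_STUB in data


def decrypt_stage2(blob: bytes, magic: bytes = STAGE2_MAGIC,
                   key_len: int = STAGE2_KEY_LEN):
    """Locate the magic bytes, take the key that follows them, XOR-decode the rest."""
    pos = blob.find(magic)
    if pos < 0:
        return None
    key_start = pos + len(magic)
    key = blob[key_start:key_start + key_len]
    if len(key) != key_len:
        return None
    plain = xor_bytes(blob[key_start + key_len:], key)
    return (key, plain) if looks_like_pe(plain) else None


# --- Constructed samples (not the real malware) for demonstration and tests ---

def fake_pe() -> bytes:
    return PE_MAGIC + b"\x90" * 62 + DOS_STUB + b".\r\n" + b"\x00" * 32


def build_sample_lnk() -> bytes:
    """Zero-filled LNK-shaped blob with the lure and DLL XOR-encoded at the article's offsets."""
    lure = b"{\\rtf1\\ansi Constructed lure document}"
    blob = bytearray(b"\x4c\x00\x00\x00")  # LNK header size field
    blob += b"\x00" * (DLL_OFFSET + len(fake_pe()) + 0x100 - len(blob))
    blob[LURE_OFFSET:LURE_OFFSET + len(lure)] = xor_bytes(lure, bytes([LNK_XOR_KEY]))
    blob[DLL_OFFSET:DLL_OFFSET + len(fake_pe())] = xor_bytes(fake_pe(), bytes([LNK_XOR_KEY]))
    return bytes(blob)


def build_sample_stage2(key: bytes = b"constructedKey16") -> bytes:
    return STAGE2_MAGIC + key + xor_bytes(fake_pe(), key)


if __name__ == "__main__":
    lnk = build_sample_lnk()
    print("lure key/head:", carve_single_byte_xor(lnk, LURE_OFFSET, DLL_OFFSET)[1][:12])
    print("dll  key/head:", carve_single_byte_xor(lnk, DLL_OFFSET)[1][:8])
    print("stage2 key   :", decrypt_stage2(build_sample_stage2())[0])
```

The brute-force branch only decodes the first eight bytes per candidate key and decodes the full region once a header matches, which keeps it cheap even on a multi-megabyte LNK.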

After verifying the binary, the stager malware creates a scheduled task to execute the decrypted binary using “rundll32.exe”. The task name and execution interval are specified in the configuration details provided by the TA via the C&C.

Figure 12 – Scheduled task

In case of a decryption failure, the stager malware updates the configuration with the backup server URL and logs the error message “File corruption while decrypting.” It also collects detailed system information, such as disk space and installed security products, to help identify the cause of the decryption failure. This information is then sent to the TA via POST request.

Figure 13 – Gathering System information

In case of successful payload deployment through the scheduled task, the stager malware logs the event in the same manner as it does for a failure, with the only difference being that the result is recorded as “Payload Deployment Successful.” This log also contains detailed system information, helping the TA identify potential targets in case of success and detect security solutions in case of failure. The TA collects and logs all relevant details, regardless of the outcome, and sends the information to the TA’s C&C via POST request.

Figure 14 – Sending JSON log as a POST request

The stager malware typically stores data, including the number of attempts to communicate with the C&C, the primary C&C domain name, the last connection date, the backup domain name, and details of the second-stage payload. These values are stored as encrypted entries in the environment variables, as shown in the table below.

Variable Name Value Decrypted value
NFC (Not Found Count) iOJDUU+oq2I1wQwfdYl98w== 2
PDN (Primary Domain Name) ehdXQoPR9RjVlJYUWq+tIkQkazp1KhA1+59IGAXaXL94XRvH8aNbs9pv3e6PLCKK hxxps://internalfileserver[.]online:443/
LCD (Last Check Date) vKXaygaagiZygkd7/K+uvQ== 11-11-2024
BDN (Backup Domain Name) “tc6rjFyW2AVO6pu2y/c/Vg626iQ+S/FHqYIGBpIejquLjQJwMxVv/r6q44XNnInvBJPP86CLYx9qKJ0lMfryxQ==” hxxps://floridacloudcyberhydratedfloridatech[.]online/

During our testing, the C&C server was unavailable, preventing us from receiving a response. As a result, we were unable to observe or analyze the behavior of the next-stage DLL payload, which would have been triggered by communication with the C&C server. Without this crucial interaction, we could not fully understand how the payload executes or what further actions it might take.

Self-Deletion

If the TA activates the self-destruction command via C&C, the stager malware removes the scheduled task and initiates self-deletion by executing the “DEL” command through “cmd.exe”. The image below illustrates the self-deletion process.

Figure 15 – Self delete

Threat Actor Attribution

The malicious DLL connects to the C&C server “internalfileserver[.]online,” which resolves to the IP address “94[.]141.120[.]137.” This same IP address previously hosted the domain “office-updatecentral[.]com,” which was used by the DoNot APT group in a prior campaign. Also, the tactics, techniques, and procedures (TTPs) observed in this campaign exhibit similar behavior to those reported by the 360 Threat Intelligence Centre.

Conclusion

This DoNot APT campaign shows an evolution in tactics. It uses malicious LNK files, PowerShell for payload delivery, and scheduled tasks for persistence. The group also employs dynamic domain generation for backup C&C servers and has updated its encryption methods to avoid detection.

The shift in how decryption keys are handled and the collection of system information before payload delivery indicate a more sophisticated approach. These changes highlight the growing complexity of APT campaigns and the need for improved detection and defense strategies.

Threat Hunting Packages

The threat hunting package, including YARA and Sigma rules capable of detecting this campaign, can be downloaded from the linked GitHub pages.

Recommendations 

  • Deploy robust EDR solutions to monitor unusual PowerShell activity, scheduled task creation, and suspicious network connections to C&C servers. Ensure these tools are configured to flag and alert on anomalies.
  • Limit the execution of PowerShell and other scripting tools to necessary users only and enforce least privilege policies to prevent malware from escalating privileges and performing malicious actions.
  • Conduct frequent audits of scheduled tasks to identify any unusual or unauthorized tasks, particularly those involving rundll32.exe. Ensure only trusted applications are allowed to create or execute scheduled tasks.
  • Implement behavior-based detection systems that can identify malicious actions, such as frequent attempts to contact C&C servers or unexpected encrypted data being transmitted.
  • Implement a well-defined incident response plan with clear steps to handle potential APT intrusions. This plan should include rapid identification, containment, and recovery from any detected malicious activity.
  • Conduct regular cybersecurity awareness training for employees, focusing on identifying phishing emails and handling suspicious attachments to reduce the risk of initial infection.
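The scheduled-task audit recommended above can be scripted against the CSV that `schtasks /query /fo CSV /v` emits. The following is an added example (not Cyble's package and not a Windows built-in): it flags any task whose "Task To Run" invokes rundll32.exe and either repeats at an interval of five minutes or less, as the stager's "Schedule" task does, or loads its DLL from a user-writable directory such as %temp%. The CSV excerpt is constructed and uses only a subset of the real columns; `csv.DictReader` works unchanged on the full output.

```python
import csv
import io
import re

# Columns are a subset of the real `schtasks /query /fo CSV /v` header; rows are constructed.
# The first task mirrors the persistence described in the article (task "Schedule",
# DLL under %temp%\7GGVXwRn, export HgCallClient, every five minutes).
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Author","Task To Run","Comment","Schedule Type","Repeat: Every","Repeat: Until: Duration"
"WS-017","\Schedule","WS-017\alice","rundll32.exe C:\Users\alice\AppData\Local\Temp\7GGVXwRn\CertPropOrigin.dll,HgCallClient","This service enables a user to configure and schedule automated tasks on this computer.","One Time Only","0 Hour(s), 5 Minute(s)","24 Hour(s), 0 Minute(s)"
"WS-017","\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$","Optimizes local storage drives.","Weekly","N/A","N/A"
"WS-017","\Contoso\LegacyCleanup","CONTOSO\svc-deploy","rundll32.exe C:\Program Files\Contoso\cleanup.dll,Run","Vendor maintenance.","Daily","N/A","N/A"
'''

USER_WRITABLE = re.compile(r"\\(temp|tmp|appdata|programdata|public|downloads)\\", re.I)
REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


def repeat_minutes(text):
    """Parse schtasks' 'N Hour(s), M Minute(s)' repeat field; None when not repeating."""
    m = REPEAT_RE.search(text or "")
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def audit_scheduled_tasks(csv_text: str, max_minutes: int = 5) -> list:
    """Return findings for rundll32 tasks that repeat fast or load from user-writable paths."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue  # schtasks repeats the header line before each task folder
        cmd = row.get("Task To Run") or ""
        if "rundll32" not in cmd.lower():
            continue
        reasons = []
        mins = repeat_minutes(row.get("Repeat: Every"))
        if mins is not None and mins <= max_minutes:
            reasons.append(f"repeats every {mins} min")
        if USER_WRITABLE.search(cmd):
            reasons.append("DLL loaded from a user-writable path")
        if reasons:
            findings.append({"task": row["TaskName"], "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(f["task"], "->", "; ".join(f["reasons"]))
```

The vendor task that also uses rundll32.exe but runs daily from Program Files is deliberately left unflagged, which is the point of combining two conditions rather than alerting on rundll32 alone.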

Indicators of Compromise

Indicator Indicator Type Comments
cffe7eb01000de809b79a711702eaf3773f2e6167ce440f33f30bcd6fabcace3 SHA-256 Proc list 2024.lnk
a7893c54edaecaa0e56010576a8249ad9149456f5d379868a0ecaa4c5c33fa70 SHA-256 CertPropOrigin.dll
Internalfileserver[.]online domain C&C server

MITRE ATT&CK® Techniques 

Tactic Technique Procedure
Initial Access (TA0001) Phishing (T1566) This campaign is likely to reach users through spam emails.
Execution (TA0002) Command and Scripting Interpreter: PowerShell (T1059.001) PowerShell commands are used to decrypt and execute the lure RTF file and stager DLL payload.
Execution (TA0002) Command and Scripting Interpreter: Windows Command Shell (T1059.003) Cmd.exe is used to copy PowerShell.exe to the %temp% directory as “2SqSxDA2.exe”.
Defense Evasion (TA0005) System Binary Proxy Execution: Rundll32 (T1218.011) Rundll32.exe is used to execute the stager payload.
Persistence (TA0003) Scheduled Task/Job: Scheduled Task (T1053.005) A scheduled task is created for persistence, running the DLL payload regularly via rundll32.exe.
Defense Evasion (TA0005) Indicator Removal on Host: File Deletion (T1070.004) Temporary PowerShell.exe file (“2SqSxDA2.exe”) is deleted after executing the malicious commands.
Defense Evasion (TA0005) Obfuscated Files or Information (T1027) XOR and AES encryption mechanisms are used in various stages of the attack.
Command and Control (TA0011) Application Layer Protocol: Web Protocols (T1071.001) GET and POST requests are sent to the Threat Actor’s C&C server.
Command and Control (TA0011) Remote File Copy (T1105) The additional payload is downloaded from the C&C server using a URL provided in the configuration.
Exfiltration (TA0010) Exfiltration Over C2 Channel (T1041) Extensive system information is collected and exfiltrated to the C&C server via encrypted communication.

References:

https://mp.weixin.qq.com/s/qCcuU0E6d84tdQ1r2dCsjA

https://twitter.com/StrikeReadyLabs/status/1852532673283268899

https://twitter.com/suyog41/status/1814230027560501248

The post Sailing Into Danger: DONOT APT’s Attack on Maritime & Defense Manufacturing appeared first on Cyble.


Cyble IT Vulnerability Report: Microsoft Zero Days Under Attack


A pair of actively exploited Microsoft zero-day vulnerabilities highlighted an active November Patch Tuesday, which also saw updates from several IT vendors.

Overview

Cyble Research and Intelligence Labs (CRIL) researchers investigated 22 vulnerabilities and eight dark web exploits from Nov. 6 to 12 and highlighted nine vulnerabilities that merit high-priority attention from security teams.

CRIL researchers also identified six dark web exploits that are at high risk in Cyble’s weekly IT vulnerability report to clients, which examined two Microsoft zero-days and vulnerabilities from Veeam, Cisco, HPE Aruba, D-Link, Citrix, and others.

Security teams should identify the vulnerabilities that are present in their environments and apply patches and mitigations promptly.

The Week’s Top IT Vulnerabilities

Here are the top IT vulnerabilities identified by Cyble threat intelligence researchers this week.

CVE-2024-43451 is an NTLM hash disclosure spoofing vulnerability found in all supported versions of Windows that has been exploited in the wild since at least April. Researchers disclosed this week that suspected Russian hackers exploited it for zero-day attacks targeting Ukrainian entities. The vulnerability was triggered by phishing emails that contained links to download a malicious Internet shortcut file, which, when interacted with, triggered the vulnerability to connect to a remote server and download malware.
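The lure described above is a Windows Internet Shortcut (.url) file that, once the user interacts with it, makes the machine reach out to a remote server. A defender triaging mail attachments can flag shortcuts whose fields name a non-local host before anyone opens them. The scanner below is an added example written for this report, not Cyble's or Microsoft's code; it assumes the standard INI-style .url layout and treats a UNC path or a file:// URL pointing at a remote host in the URL, IconFile or WorkingDirectory field as the thing worth reviewing. The sample shortcuts and the 203.0.113.10 address are constructed for the example.

```python
r"""Flag Windows Internet Shortcut (.url) files that point at a remote host.

Added example for this report; not Cyble's or Microsoft's code. It assumes the
standard INI-style .url layout and that a UNC path (\\host\share\...) or a
file:// URL naming a non-local host in the URL, IconFile or WorkingDirectory
field is the signal a defender wants to review, since rendering such a
shortcut makes Windows contact that host.
"""
import configparser
import re
import sys
from urllib.parse import urlparse

# [InternetShortcut] fields whose value Windows resolves without the user
# explicitly opening the target.
WATCHED_KEYS = ("url", "iconfile", "workingdirectory")

UNC_RE = re.compile(r"^\\\\[^\\]+")  # matches \\host\share\...
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_host(value):
    """Return the host a field value refers to, or None if it is local."""
    v = value.strip()
    host = None
    if UNC_RE.match(v):
        host = v[2:].split("\\", 1)[0]
    else:
        parsed = urlparse(v)
        if parsed.scheme.lower() == "file":
            host = parsed.hostname  # None for file:///C:/local/path
    return host if host and host.lower() not in LOCAL_HOSTS else None


def scan_url_shortcut(text):
    """Return [(field, host)] for every watched field naming a remote host.

    A shortcut that cannot be parsed yields [("parse_error", None)] so a bulk
    scan keeps going but still reports the oddity.
    """
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return [("parse_error", None)]
    findings = []
    for section in parser.sections():
        if section.lower() != "internetshortcut":
            continue
        for key in WATCHED_KEYS:  # option names are lower-cased by configparser
            if parser.has_option(section, key):
                host = remote_host(parser.get(section, key))
                if host:
                    findings.append((key, host))
    return findings


# Constructed sample shortcuts for the example (not real artefacts).
BENIGN_SHORTCUT = (
    "[InternetShortcut]\n"
    "URL=https://example.com/report.html\n"
    "IconFile=C:\\Windows\\System32\\SHELL32.dll\n"
    "IconIndex=13\n"
)
REMOTE_SHORTCUT = (
    "[InternetShortcut]\n"
    "URL=file://203.0.113.10/share/invoice.pdf\n"
    "IconFile=\\\\203.0.113.10\\share\\icon.ico\n"
    "IconIndex=0\n"
)

if __name__ == "__main__":
    # Scan .url files given on the command line, or the built-in samples.
    paths = sys.argv[1:]
    if not paths:
        for name, sample in (("benign", BENIGN_SHORTCUT), ("remote", REMOTE_SHORTCUT)):
            print(name, scan_url_shortcut(sample))
    for path in paths:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            print(path, scan_url_shortcut(fh.read()))
```

A hit on IconFile deserves the same attention as a hit on URL: the icon is fetched when the shortcut is merely displayed, so "the user only previewed it" is not a reason to close the ticket.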

CVE-2024-49039 is an elevation of privilege vulnerability in Windows Task Scheduler that has also been exploited in attacks. From a low-privilege AppContainer, an attacker could elevate their privileges and execute code or access resources at a higher integrity level than that of the AppContainer execution environment, Microsoft said. A successful exploit could allow an attacker to execute RPC functions that are restricted to privileged accounts.

CVE-2024-49040 is a high-severity spoofing vulnerability in Microsoft Exchange Server that allows attackers to forge legitimate senders on incoming emails and makes malicious messages much more effective. A researcher reported a Proof of Concept (PoC) for this vulnerability, but Microsoft paused the update after some customers reported issues with Transport rules stopping periodically after the update was installed.

CVE-2024-40711 is a critical vulnerability in Veeam VBR (Veeam Backup & Replication) servers caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE). The vulnerability was previously observed being leveraged in Akira and Fog ransomware attacks; researchers have now observed it being exploited to deploy a newly identified strain of Frag ransomware.

CVE-2024-42509 and CVE-2024-47460 are command injection vulnerabilities in AOS-8 and AOS-10 versions of HPE Aruba’s network operating system. The flaw lies in the underlying CLI service, which could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211). Successful exploitation results in the ability to execute arbitrary code as a privileged user on the underlying operating system. Cyble researchers detailed the vulnerabilities and others in a separate blog.

CVE-2024-20418 is a critical vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB) Access Points, which is a specialized software solution designed to provide robust and reliable wireless connectivity for industrial applications. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface of an affected system. A successful exploit could allow the attacker to execute arbitrary commands with root privileges on the underlying operating system of the affected device. Cyble also covered this vulnerability in a separate blog.

CVE-2024-10914 is a critical command injection vulnerability in end-of-life (EOL) D-Link network-attached storage (NAS) devices. Unauthenticated attackers can exploit it to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable D-Link NAS devices exposed online. Researchers observed that attackers are exploiting the vulnerability with publicly available exploit codes.

CVE-2024-11068 is a critical incorrect use of privileged API vulnerability impacting the end-of-life D-Link DSL6740C modem. The vulnerability allows unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using that user’s account. Since D-Link recently announced that it will not provide patches or updates for this EOL product, the vulnerability poses a significant risk to users.

Vulnerabilities and Exploits on Underground Forums

CRIL researchers also observed multiple Telegram channels and underground forums where threat actors shared or discussed exploits weaponizing vulnerabilities. Those vulnerabilities include:

CVE-2024-39205: A critical vulnerability affecting pyload-ng, versions 0.5.0b3.dev85 running under Python 3.11 or below. This vulnerability allows attackers to execute arbitrary code through crafted HTTP requests, which can lead to complete system compromise.

CVE-2024-50340: A high-severity vulnerability affecting the Symfony PHP framework. The vulnerability allows an attacker to manipulate the application’s environment or debug mode by sending specially crafted query strings.

CVE-2024-8068 and CVE-2024-8069: These recently identified vulnerabilities in Citrix Session Recording pose significant security risks for Citrix environments. CVE-2024-8068 allows for privilege escalation to the NetworkService Account access level, and the vulnerability CVE-2024-8069 allows for limited remote code execution with the privileges of a NetworkService Account.

CVE-2024-47295: A high-severity vulnerability identified in the SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary administrator password on affected devices. The vulnerability results from an insecure initial password configuration in which the administrator password is left blank.

CRIL researchers also observed a threat actor discussing the critical vulnerability CVE-2023-38408, which affects 26 million internet-facing OpenSSH assets detected by Cyble. The vulnerability allows for remote code execution (RCE) when the SSH agent is forwarded to an attacker-controlled system.
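The CVE-2023-38408 condition above is the one to audit for on the client side: the SSH agent only becomes reachable from a remote host when agent forwarding is enabled toward that host, so a client configuration that forwards the agent to every host (a `Host *` block or a global setting) exposes every key the agent holds to whichever server the user connects to. The audit below is an added example written for this report, not Cyble's or OpenSSH's code; it parses the ssh_config syntax far enough to find `ForwardAgent yes` per Host block and rates wildcard blocks as high risk. The sample configuration is constructed for the example.

```python
"""Audit an OpenSSH client config for agent forwarding.

Added example for this report; not Cyble's or OpenSSH's code. It reads the
ssh_config syntax ("Key value" or "Key=value", Host blocks, '#' comments) and
reports every block that enables ForwardAgent, flagging wildcard blocks and
global settings as high risk because they forward the agent to any host.
"""
import os
import re

# "ForwardAgent yes" or "ForwardAgent=yes"; keywords are case-insensitive.
LINE_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*)$")


def parse_ssh_config(text):
    """Return a list of (host_patterns, options) blocks.

    Options that precede the first Host/Match line are global and are
    returned under the pseudo-pattern "(global)".
    """
    blocks = [(["(global)"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), {}))
        elif key == "match":
            blocks.append(([f"Match {value}"], {}))
        else:
            # ssh uses the first value it sees for a key; keep that behaviour
            blocks[-1][1].setdefault(key, value)
    return blocks


def audit_agent_forwarding(text):
    """Return [{"hosts": [...], "risk": "high"|"review"}] for each forwarding block."""
    findings = []
    for patterns, options in parse_ssh_config(text):
        if options.get("forwardagent", "").lower() != "yes":
            continue
        wildcard = any(p in ("*", "(global)") for p in patterns)
        findings.append({"hosts": patterns, "risk": "high" if wildcard else "review"})
    return findings


# Constructed sample ~/.ssh/config for the example.
SAMPLE_SSH_CONFIG = """\
Host bastion.internal
    HostName 10.0.0.5
    ForwardAgent yes      # named host: review whether it is trusted

Host *.example.net
    ForwardAgent=no

Host *
    ForwardAgent yes      # forwards the agent to every host: high risk
    ServerAliveInterval 60
"""

if __name__ == "__main__":
    path = os.path.expanduser("~/.ssh/config")
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SSH_CONFIG
    for finding in audit_agent_forwarding(text):
        print(f"{finding['risk']:6}  ForwardAgent yes for {' '.join(finding['hosts'])}")
```

The "review" entries are not automatically wrong, but each named host in that list is a system whose compromise would hand an attacker the user's agent, which is exactly the precondition the report describes.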

Cyble Recommendations

To protect against these vulnerabilities and exploits, organizations should implement the following best practices:

  • To mitigate vulnerabilities and protect against exploits, regularly update all software and hardware systems with the latest patches from official vendors.
  • Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
  • Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
  • Implement immutable, air-gapped, ransomware-resistant backup procedures for sensitive and critical data.
  • Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
  • Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
  • Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
  • Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

These vulnerabilities highlight the urgent need for security teams to prioritize patching critical vulnerabilities in major products and those that could be weaponized as entry points for wider attacks. With increasing discussions of these exploits on dark web forums, organizations must stay vigilant and proactive. Implementing strong security practices is essential to protect sensitive data and maintain system integrity.

The post Cyble IT Vulnerability Report: Microsoft Zero Days Under Attack appeared first on Cyble.


Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience


Germany’s Federal Office for Information Security (BSI) recently released The State of Cybersecurity 2024 report, which illuminates the critical threats and advances in resilience across Germany’s digital landscape.

In a joint press briefing, Federal Minister of the Interior Nancy Faeser and BSI President Claudia Plattner said that while the cyberthreat landscape remains tense, resilience measures are proving effective in protecting businesses, institutions, and democratic processes.

Federal Minister Nancy Faeser noted the importance of cybersecurity for societal stability, stating, “Cybersecurity is central to our society and affects each and every one of us.” She highlighted that extortion, cyber espionage, and hybrid threats—especially from state-sponsored actors—continue to pose significant risks, necessitating robust cybersecurity investments to safeguard democratic institutions.

BSI President Claudia Plattner reinforced this stance, noting that Germany has witnessed increased resilience against cyber threats. However, she warned against complacency: “We must continue to increase our resilience in a nationwide effort.” Both leaders stressed the importance of swiftly incorporating the NIS-2 Directive into national law to fortify Germany’s cyber defenses.

Key Findings from BSI’s 2024 Report

Rising Threats from Malware and Ransomware Attacks

Between mid-2023 and mid-2024, an alarming increase in malware variants was recorded, with an average of 309,000 new variants discovered daily—a 26% increase over the previous year. Much of this rise is attributed to attacks targeting 64-bit Windows systems and an above-average increase in Android malware.

Figure 1 – Rising threats in Germany’s cyber threat landscape (Source: BSI)

Ransomware continues to be a significant challenge, especially for businesses and government institutions. Data leaks following ransomware attacks have increased, although the percentage of victims paying ransom has dropped. LockBit leads the list of the five most active groups targeting Germany. The group published 40 alleged leak victims on its leak site during the reporting period, followed by BlackBasta and 8Base.

Figure 2 – Top 5 Leak pages from July 2024 to June 2024 (Source: BSI)

Many organizations now rely on robust backup systems, reducing their dependency on attackers to restore encrypted data. BSI observed that transparent communication about cyber incidents has helped mitigate potential impacts, as other organizations can swiftly address and close similar vulnerabilities.

Advanced Persistent Threats (APT) and Cyber Espionage

Germany noted the surge in persistent threats from Advanced Persistent Threat (APT) groups, many of which are state-sponsored. Against a backdrop of geopolitical tension, these groups are increasingly targeting political parties, governmental agencies, and corporations for cyber espionage. Germany urged its public and private sectors to adopt proactive threat intelligence and protective measures to defend against these sophisticated, continuous attacks.

Cybersecurity for Elections: Ensuring Democratic Integrity

German citizens voted not only in the European elections but also in three state elections in Saxony, Thuringia, and Brandenburg and in nine local elections. The BSI said the electoral process, communication by the authorities and the media, and the formation of opinion and will in the context of elections are now highly dependent upon information technology and are, therefore, at the center of information security.

BSI provided dedicated security oversight, working with electoral authorities to protect the integrity of the voting process. As Germany heads toward future elections, the BSI has enhanced its monitoring and support for political entities, prioritizing resilience against potential cyber threats and disinformation campaigns from state actors.

Emerging Cybersecurity Challenges

Increase in High-Volume DDoS Attacks

The first half of 2024 saw a substantial uptick in Distributed Denial of Service (DDoS) attacks, with a marked increase in high-volume attacks exceeding 10,000 Mbps. DDoS attacks not only disrupt services but are increasingly used to sow public uncertainty by exaggerating their impact on social media.

Figure 3 – Proportion of High-Bandwidth DDoS attacks doubled in April 2024 (Source: BSI)

The BSI recommends adopting advanced DDoS mitigation strategies, particularly for critical infrastructure, to withstand these escalating attack volumes.

Data Theft Targeting Consumers

Phishing remains a major threat to German citizens, with attackers expanding beyond financial institution impersonation to include popular streaming services. During 2024, phishing campaigns have increasingly targeted user data—such as credit card information and personal identifiers—via emails masquerading as communications from banks and entertainment platforms. The BSI advises consumers to stay vigilant and adopt robust identity protection measures to counter phishing attempts.

Strategic Initiatives to Strengthen Cyber Resilience

Cybernation Germany Initiative

The Cybernation Germany initiative, launched in early 2024, is a step towards a national commitment to building resilience and expanding Germany’s cybersecurity expertise. The initiative’s goals align with the NIS-2 Directive and the Cyber Resilience Act (CRA), which impose mandatory cybersecurity measures and incident reporting standards for companies. The CRA emphasizes a “security by design” approach, particularly for IoT devices, to bolster protections across interconnected networks.

This initiative demonstrates a concerted push from Germany towards enhanced threat intelligence, cyber resilience, and protective infrastructure.

Key Recommendations from BSI for Strengthening Cybersecurity

  1. Governance and Risk-Based Policies: Organizations should maintain updated, approved cybersecurity policies, leveraging threat intelligence to refine policies and prioritize high-risk threats.
  2. Enhanced Monitoring and Detection: With the rise in malware and ransomware, BSI recommends integrating Security Operations Centers (SOC) with continuous threat detection and red teaming exercises to effectively simulate real-world scenarios.
  3. Incident Response and Recovery: BSI encourages organizations to establish structured Incident Response plans, supported by Cyber Threat Intelligence (CTI), to reduce response times and facilitate efficient recovery from cyber incidents.
  4. Increased Public Awareness and Resilience Measures: Awareness campaigns, employee training, and enhanced communication strategies have proven effective in helping organizations and consumers defend against phishing and ransomware attacks.
  5. Collaboration with International Security Standards: Adhering to NIS-2 and the Cyber Resilience Act ensures that German entities align with European cybersecurity standards, enhancing cross-border protections and maintaining consistent security measures across sectors.

Conclusion: A Proactive Path Forward

The BSI’s 2024 report reaffirms Germany’s proactive approach to cybersecurity, emphasizing resilience, regulatory compliance, and advanced threat intelligence.

With heightened preparedness across government, businesses, and society, Germany is well-positioned to defend against increasingly sophisticated cyber threats. However, as Minister Faeser stated, the evolving cyber threat landscape necessitates continuous investment and adaptation to safeguard Germany’s critical infrastructure and democratic systems.

Germany’s Cybernation initiative and collaboration with international cybersecurity frameworks hint at a robust defense strategy that other nations can use as a model. By maintaining proactive measures, aligning with global security standards, and fostering a culture of resilience, Germany aims to ensure cybersecurity remains integral to its digital and democratic future.

References:

https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2024/241112_Lagebericht_2024.html

https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html

The post Germany’s Cybersecurity Landscape in 2024 is Worrying but Gaining Resilience appeared first on Cyble.
