How can information be transferred from a computer that’s connected neither to the internet nor a local network? For many years now, Israeli researcher Mordechai Guri has been on a mission to uncover the exotic methods with which attackers could do precisely that to steal data. And we’ve always been there to cover his research. Recently, Guri published two new scientific papers within four days of each other. In the first, he demonstrates how to turn a computer into a radio transmitter by manipulating data loading into RAM; in the second — how to use an ordinary computer monitor as an “acoustic spy”.

Hypothetical situation

Guri’s papers all tackle the same scenario:

A computer stores or processes highly classified data.
To ensure the security of this data, the system is isolated from the network, and even located in a separate room with restricted access.
The hypothetical attacker knows how to install data-snatching malware on the computer, and now needs to exfiltrate this data.

The task of infecting an isolated computer is tricky — but by no means impossible. One way is to take advantage of a careless operator who inadvertently plugs an infected flash drive into the “secret” computer (a depressingly realistic scenario). Another, theoretically possible, way is to plant malware in the system in advance: at the factory or during delivery to the customer. The simplest way is to bribe a company employee. However, to exfiltrate the data, the cybervillains need deploy side-channel attacks.

RAMBO

In the first paper, Guri describes a way to turn ordinary memory modules into a radio transmitter — a so-called RAMBO attack. It’s no secret that all electronic systems make “noise” in one way or another during operation; that is, they emit spurious signals. Random access memory (RAM) is no exception: changing the voltage supplied to RAM modules to update data generates radio waves. In the case of a RAMBO attack, it’s malware that initiates a data write to RAM. What matters is not the kind of data but the intensity of the operation. By accessing the modules in bursts alternated with pauses, and catching radio emissions at a certain frequency, it’s possible to create a channel for covert data transmission.

The image above shows what it looks like. Accessing memory generates radiation at a frequency of about 975 kilohertz. The moments when data is written to memory and the “silent” periods are clearly distinguishable. The result is something like Morse code — only slightly more complicated: the data here is encoded using two different methods. The bottom graph uses a simple amplitude modulation, and the top one uses a slightly more complex Manchester code. The latter has some advantages when it comes to decrypting the data later on.

The key question in any such study is always the same: how effective is the method? Guri managed to achieve reliable data transmission at speeds of up to 1000 bits per second (bps). By the standards of modern data communication, that’s snail-like; however, it’s perfectly sufficient to, say, transmit keystrokes to the attacker in real time. More importantly, this exfiltration method works at a distance of up to seven meters.

We’ve already covered a similar method designed by the same researcher, which also relies on spurious radiation from RAM modules. But in that case, Guri used a different data-transfer frequency — 2.4 gigahertz (GHz) — and the speed was 10 times slower: no more than 100bps. The new method is more effective, although the previous one has a key advantage: wireless data networks operate at 2.4 GHz, and many household devices also use this frequency band. This potentially allows attackers to hide their spying activities in radio noise.

PIXHELL

Guri’s second paper proposes a wholly different method of data exfiltration — though it’s based on the same core principles. Besides spurious radio emissions, electronic components can also emit sound. The PIXHELL attack method relies on barely audible noise produced by the electronic components found in a typical computer monitor. This acoustic noise is caused by a change in the voltage supplied to, say, capacitors in an electrical circuit.

One strategy for manipulating this noise is to output a sequence of black-and-white rows to the screen; something like this:

Each of the on-screen patterns causes the monitor’s electronic components to sound at a certain frequency. What Guri did in essence was to turn the display into a very quiet, very low-quality loudspeaker. The downside of this method is that its results vary depending on the model of the display: each has its own particular electronic circuitry, and so the intensity of spurious acoustic noise varies:

Looking at the spectrograms of the acoustic signals from four different monitors, we’re interested in the sloping lines, which represent noise with variable frequency. Everything else is other noise from the display, which is sure to drown out the “useful” data. We can conclude that the Samsung monitor and TV noise is louder than the other two devices. What remains is choosing the most suitable frequency and transmitting data on it using one of the available encoding methods.

What’s interesting about this method is that a regular smartphone can serve as a receiver. Unlike the previous study, there’s no need for an expensive (and possibly suspicious) radio receiver. But there’s also a downside: the scheme works reliably at a distance of no more than two meters from the display. Moreover, the phone should be held directly next to the monitor, or, at the very least, be lying nearby on the table. The speed of a theft would also be horribly slow — no more than 20bps.

Besides, the operator would surely be puzzled by their screen displaying black-and-white ripples. Guri’s paper thus considers a situation where data exfiltration occurs at night: the computer (and monitor) are working, but there’s no one in the room. However, covert transmission in the presence of humans (who may spot an anomaly) is acknowledged as doable — by reducing the brightness of the display or subtly superimposing the patterns onto another image.

Countering RAMBO and PIXHELL attacks

Guri proposes countermeasures for designers of maximum-security systems. In the case of RAMBO, spurious radio emissions should be isolated against interception — for which he suggests using a computer case capable of shielding all radio waves. For processing sensitive data, shielding the entire room is also an option.

The PIXHELL attack seems less reliable, but it’s also hard to defend against — except by filling the room with random noise. As ever, it’s vital to stop unwanted software from running. One major takeaway from Mordechai Guri’s numerous works is that finding malware on a machine is a lot easier than guarding against all possible methods of side-channel data exfiltration.

Kaspersky official blog – ​Read More

Key takeaways

Cyble Research and Intelligence Labs (CRIL) recently encountered an ongoing campaign associated with the Patchwork APT group, which is likely aimed at Chinese entities.

This campaign continues the trend of the Patchwork APT group, which has previously targeted entities in China and Bhutan.

The threat actors (TAs) have utilized a malicious LNK file, likely originating from a phishing email, as the initial infection vector. This file executes a PowerShell script that downloads two files: a seemingly innocuous PDF intended to lure the user and a malicious Dynamic Link Library (DLL).

This campaign employs DLL sideloading techniques to execute the downloaded DLL using the legitimate system file “WerFaultSecure.exe,” thereby obfuscating malicious activity.

The loaded DLL decrypts and executes shellcode that modifies the AMSIscanBuffer and ETWEventWrite APIs. This manipulation aims to evade detection mechanisms, allowing the malware to operate stealthily within the compromised system.

The shellcode is subsequently used to decrypt and execute the final payload, stealing sensitive information from the victim’s machine.

Overview

Patchwork, also known as Dropping Elephant, is a highly active advanced persistent threat (APT) group that has been engaged in cyber espionage operations since 2009. Believed to be based in India, this group primarily targets high-profile organizations such as government, defense, and diplomatic entities across South and Southeast Asia.

Cyble Research and Intelligence Labs (CRIL) has been closely monitoring the activities of the Patchwork APT group since July 2024. On July 24, 2024, CRIL observed a campaign related to Patchwork APT. By pivoting through the pattern of files, CRIL observed several files associated with two major Patchwork APT campaigns: the first targeting Bhutan and the second targeting Chinese entities.

Campaign Targeting China

This campaign involves a malicious LNK file titled “COMAC_Technology_Innovation.pdf.lnk,” which references the Commercial Aircraft Corporation of China and specifically targets Chinese entities. This lure capitalizes on the 7th COMAC International Science and Technology Innovation Week, with TAs leveraging this event to focus on organizations in the aerospace, technology research, and government sectors, thereby increasing the success rate of their phishing campaign. Researchers from Aliyun have analyzed this campaign and published their findings in a blog post detailing the tactics used by Patchwork.

Campaign targeting Bhutan

Another notable campaign by this group observed in the same month targeted Bhutan with a file named ‘Large_Innovation_Project_for_Bhutan.pdf.lnk.’ This decoy document features a project proposal for Bhutan from the Adaptation Fund Board.

Ongoing Campaign

Among these, a newly identified LNK file, “186523-pdf.lnk”, appears to be linked to an ongoing campaign of the Patchwork group. This same sample was also shared by researcher Ginkgo and StrikeReady Labs on X (formerly Twitter).

When the malicious LNK file gets executed, this file downloads two components: a lure PDF and a malicious DLL containing encrypted shellcode. Additionally, it copies a system file from the victim’s machine, which is then leveraged to sideload the malicious DLL. This DLL then decrypts and executes the final payload directly in memory. The malware collects system information, such as the Process ID, public and private IP addresses, usernames, and more. Then, it transmits this data to the command and control (C&C) server, enabling further malicious activities, as shown in the image below.

This variant seems to be new compared to the payloads observed in previous campaigns. For tracking purposes, we are naming the malware “Nexe” Backdoor, as the string “Nexe” was found hardcoded in the binary used for C&C communication.

Notably, this campaign lacks specific targets, as the lure consists of plain, empty PDF. However, the names of the payload servers used in this campaign, such as shianchi[.]scapematic.info and jihang[.]scapematic.info suggests that Chinese entities are likely being targeted. Typically, the Patchwork group’s payload server names are associated with the country they are focusing on.

Technical Details

The LNK file, disguised as a PDF, contains a PowerShell script that carries out several malicious actions. The image below shows its contents.

The script first uses an “Invoke-WebRequest” command to download a file from the URL “hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg” and saves it as a PDF in the “C:ProgramData” directory. This PDF file appears to be the lure document, but in this case, it contains no content and is simply a plain, empty PDF.

Next, the script downloads another file from a different URL on the same domain, “hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf,” saving it initially as “hal” in the “C:ProgramData” directory. It then renames the file to “wer.dll” in the same location.

The script proceeds to copy the Windows system file “WerFaultSecure.exe” from “C:WindowsSystem32” to “C:ProgramData”, likely to facilitate DLL sideloading. The image below shows the downloaded files on the victim’s machine.

Finally, it creates a scheduled task named “EdgeUpdate” to run “WerFaultSecure.exe” at regular intervals, ensuring persistence on the compromised system. The image below shows the scheduled task created on the system.

DLL Sideloading

Threat actors leveraged the DLL sideloading technique to load the malicious DLL file using the legitimate WerFaultSecure.exe, as shown in the image below.

After the DLL is successfully loaded, it decrypts the encrypted shellcode within it and writes the decrypted content into the memory of the WerFaultSecure process, as shown in the image below.

Bypassing Security Mechanisms via Memory Patching

The injected shellcode is crafted to circumvent AMSI and Microsoft’s event tracking systems by patching specific bytes in the EtwEventWrite, AmsiScanString, and AmsiScanBuffer APIs, as shown in the images below.

Once the shellcode overwrites these APIs, it creates a section object from the previously decrypted content and maps it into the address space of WerFaultSecure. This allows the final VC++ compiled payload to execute without triggering any security alerts.

Final Payload

Once the payload is successfully loaded into memory, it utilizes the LoadLibraryW() API to load the necessary modules for execution, as shown in the image below.

After loading the necessary modules, the malware creates a mutex named “dsds” to ensure that only one instance of the malware runs on the victim’s system at a time, as shown in the figure below.

After creating the mutex, the malware retrieves a handle to the console window associated with the calling process. It then hides the console window and continues running in the background.

The malware then utilizes the GetAdaptersInfo() and GetHostName() functions to collect information about the network adapters and the device name on the compromised machine, as shown in the image below.

The malware queries https://myexternalip.com/raw using a specific user agent to obtain the victim’s public IP address, as demonstrated in the image below.

After gathering key system details, including the MAC address, username, and IP address, the malware computes the SHA256 hash for these values before further encryption, as shown in the image below.

After generating the hash, the malware encodes it into Base64 format. The resulting data then enters another encryption loop using the Salsa20 algorithm, which represents a change from the previous encryption method used in prior campaigns. This is followed by an additional round of Base64 encoding. The figure below shows the encryption code with key and nonce.

In addition to the previously mentioned details, including the MAC address, username, and IP address, the malware also retrieves and encrypts the following information using the same sequence: it first converts the data into Base64 format, then applies the Salsa20 encryption algorithm and finally encodes it again in Base64:

Process ID

Local IP address

Windows version

Username

Hardcoded user-agent string

Each piece of encrypted system information is concatenated and separated by the “$” symbol. The image below displays the encrypted system information.

The encrypted data corresponds to the following fields:

MAC address $ username  $ public IP address $ private IP address $ Windows version $ username $ Process ID $ Nexe (hardcoded string) $ User-agent string

Using the final generated string, the malware initiates an HTTP request to a hardcoded domain, “iceandfire[.]xyz,” which is embedded in the code, as illustrated in the image below.

After constructing the HTTP request, the malware transmits encrypted data to its C&C server. However, since the C&C was not active during the analysis, we couldn’t fully assess its behavior. Despite this, following the POST request, the malware creates two threads capable of performing various tasks, as shown in the image below.

The thread extracts partial content from the initially generated string, which includes the encrypted MAC address, username, and public IP address of the victim’s machine, and attempts to send this data to the same domain.

The threads read the server’s response following the request and then compare the response with the following values:

upload

uplexe

download

filelist

screenshot

This comparison helps the thread to determine the actions or commands that it should execute in the system.

Conclusion

The ongoing evolution and enhancement of the Patchwork APT group’s malware capabilities highlight their commitment to remaining at the forefront of espionage and cyber operations. The latest attack exemplifies their ability to evade security alerts and execute malicious files directly in memory, showcasing a sophisticated approach that underscores their adaptability and resourcefulness in the ever-changing landscape of cybersecurity threats. This adaptability not only enables them to bypass traditional defenses but also poses significant challenges for organizations seeking to protect themselves from such advanced tactics.

Recommendations

The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.  

When handling email attachments or links, particularly those from unknown senders, exercising caution is crucial. Verify the sender’s identity, particularly if an email seems suspicious.  

Consider disabling or limiting the execution of scripting languages on user workstations and servers if they are not essential for legitimate purposes. 

Restrict the execution of WerFaultSecure.exe to its designated location to prevent unauthorized execution from other directories.

Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.

Monitor the beacon on the network level to block data exfiltration by malware or TAs.

MITRE ATT&CK® Techniques

Tactic 
Technique ID 
Technique Name 

Initial Access (TA0027)
Phishing (T1660)
Malware distribution via phishing site

Execution  (TA0002) 
User Execution (T1204)
Manual execution by the user

Defense  Evasion  (TA0005)
Masquerading (T1036.008)
LNK file disguised as a legitimate PDF file  

Privilege  
Escalation 
(TA0004) 
DLL Side-Loading (T1574.002) 
Adversaries may execute their own  malicious payloads by side-loading DLLs.

Privilege  
Escalation 
(TA0004) 
T1055
Process Injection

Discovery  
(TA0007) 
System Information  Discovery (T1082)
Queries the system information 

C&C 
(TA0011) 
Application Layer Protocol 
(T1071) 
Malware exe communicate to C&C server. 

Exfiltration (TA0010)
Exfiltration Over C2 Channel (T1041)  
Exfiltration Over C2 Channel 

Indicators of Compromise (IOCs)

Indicators   
Indicator  
Type  
Description  

d7b278d20f47203da07c33f646844e74cb690ed802f2ba27a74e216368df7db9
SHA256
Malicious LNK file

ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e31
SHA256
Malicious DLL file

fe503708d7969e65e9437b56b6559bc9b6bb7f46f3be5022db9406579592670d
SHA256
Decoy PDF

f6d171e79e2fb38b3919011835c8117a1c56788bcf634e69ae67a5e255fb9d58 14bbe421abe496531f4c63b16881eee23fb2c92b2938335dca1668206882201a c3805b8b37eb1ba34057cd6c882dc9bedcebc01ec90a6d4be8d0f6fc82859ecb
SHA256
Lnk used to target Bhutan

c6398b5ca98e0da75c7d1ec937507640037ce3f3c66e074c50a680395ecf5eae
SHA256
Lnk targeting Chinese entities

hxxps://shianchi[.]scapematic[.]info/jhgfd/jkhxvcf hxxps://jihang[.]scapematic[.]info/eqhgrh/uybvjxosg
URL
remote server

Iceandfire[.]xyz
Domain
C&C Server

Yara Rule

rule Nexe_Backdoor

{

  meta:

    author = “Cyble Research and Intelligence Labs”

    description = “Detects Malicious Backdoor used in the latest Patchwork APTcampaign”

    date = “2024-09-26”

    os = “Windows”

    reference_sample = “ba262c587f1f5df7c2ab763434ef80785c5b51cac861774bf66d579368b56e3”

  strings:

    $a = “WerSysprepCleanup”

    $b = “WerpSetReportFlags”

    $c = “WriteProcessMemory”

    $d = “VirtualAllocEx”

    $e = “Release\AESC.pdb” 

  condition:

    uint16(0) == 0x5A4D and all of them

}

References

https://xz-aliyun-com.translate.goog/t/15376?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc&u_atoken=0ce0739e487564fbf9e5b5ed29c0687a&u_asig=1a0c384b17265708412575151e0042&decode__2803=eqIxcD0DBD9Q0%3DXxGNne4mhOzdD%3D3hKH4D

The post Nexe Backdoor Unleashed: Patchwork APT Group’s Sophisticated Evasion of Defenses appeared first on Cyble.

Blog – Cyble – ​Read More

Attackers are abusing normal features of legitimate web sites to transmit spam, such as the traditional method of verifying the creation of a new account. This web infrastructure and its associated email infrastructure is otherwise used for legitimate purposes, which makes blocking these messages more difficult for defenders. The breadth of different sources of spam suggests that the attackers have automated the process of initially identifying web infrastructure vulnerable to abuse. However, the complexity of executing each individual attack suggests more human involvement. Attackers are also testing credentials obtained from data breaches by credential stuffing IMAP and SMTP accounts. 

Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. 

There are many ways spammers accomplish this task: One is to abuse web pages connected to backend SMTP infrastructure, and another uses breached email/password credentials to try and log into email accounts they can use to send spam. Cisco Talos has new research that explores both styles of attack and delves into some of the tools used by spammers. 

Web form abuse 

The HTML <form> tag was released with HTML version 2.0, nearly 30 years ago. Since then, spammers have found creative ways to abuse web forms. The lack of proper input validation left many of these forms open to manipulation by attackers. Over time, these HTML form attacks became more sophisticated, sometimes employing cross-site scripting or SQL injection. Many administrators learned the hard way that their forms were vulnerable and forced to harden their forms as a result. However, spammers are a persistent bunch, and they look for anything they can use to facilitate malicious activities. Creative spammers have realized that *any* web form that triggers an email back to the user can be abused. 

Online account registration 

Many websites allow users to sign up for an account and log in to access specific features or content. Typically, upon successful user registration, an email is triggered back to the user to confirm the account. In this case, the spammers have overloaded the name field with text and a link, which is unfortunately not validated or sanitized in any way. The resulting email back to the victim contains the spammer’s link. 

An example spam message exploiting an account signup form

Event signup 

Like account registration, many websites let users register to participate in an event. Again, poor input validation and sanitization is prevalent on many of these sites, allowing the spammers to overload the name field with text and URLs. 

An example spam message exploiting an event registration form

Contact form 

Contact forms sometimes send users a copy of their form responses. This could be a checkbox on the form or an automatic reply. Again, the spammers rely on poor input validation and sanitization to transmit text and URLs to the victim. 

An example spam message exploiting a web site contact form

Google Quizzes, Calendar, Groups and other apps 

Talos previously reported on spammers abusing Google Quizzes. But that is not the only Google software that spammers have been abusing. Google Drawings, Sheets, Forms, Calendar and Groups all contain similar vulnerabilities that allow spammers to send unsolicited emails to victims. Additionally, by using a variety of Google applications, and ones that are located in different countries, they can largely avoid detection by Google. 

These messages from Google require some significant pre-attack setup. For example, to send spam from Google Quizzes, the attackers must set up a quiz and configure it correctly, then they must fill out the quiz, masquerading as the victim. Then, the attackers must log back into the Google Quiz they created to “grade” the results and send the quiz score email back to the victim. This suggests a significant human interaction on the part of the spammers. 

An example spam message sent via Google Drawings

 

An example spam message sent via Google SheetsAn example spam message sent via Google FormsAn example spam message sent via Google CalendarAn example spam message sent via Google Groups

Unfortunately for defenders, there is very little we can do to defend against such spam messages. Most of the emails sent by these contact forms are legitimate, so the malicious email blends in with the otherwise legitimate traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate.   

SMTP server credential stuffing 

Have you ever wondered what cyber criminals do with all the information they’ve obtained in a data breach? If the stolen dataset contains email address usernames and passwords, then it is quite probable that those same credentials will work in other places. Trying the same set of credentials at other sites is known as “credential stuffing.”  

One of the main ways cybercriminals leverage stolen credentials is attempting to access the victim’s email. POP/IMAP servers are often juicy targets, because if an attacker can access a person’s email inbox, then they can find other accounts used by the victim, account usernames/passwords, cryptocurrency wallet keys or perhaps other lucrative, sensitive personal information. Attackers can also leverage access to the victim’s inbox to receive email-based multifactor authentication codes or password resets. 

One of the other, lesser-known ways attackers leverage stolen credentials is on the outbound side of the victim’s mailbox. If an attacker can log into the outbound smtp server as the victim, they can send out email using the victim’s email server. This provides the cybercriminal with a legitimate mail server and domain which are not likely blocked by various spam real-time blackhole lists (RBLs). 

How do cybercriminals locate mailboxes that have working credentials? Typically, the attacker will set up a personal mailbox somewhere (Yahoo, Gmail, etc.) and then send themselves test messages using the stolen credentials at the outbound SMTP server matching the email address’ domain. Some criminals have turned this into an online business by finding working SMTP server credentials and selling them to others. 

A test email from Smart Tools Shop. The price of working SMTP server credentials is $6The Smart Tools Shop interface shows the typical prices of SMTP server credentials 

There are also open-source tools used for these sorts of activities. Among the tools Talos sees most frequently are MadCat and MailRip, both of which are available to download and run on GitHub. 

The MadCat SMTP cracker tool found on Github

 MadCat is an open-source SMTP tool that includes credential-stuffing capabilities. The test emails can be recognized from the Subject header: “Subject: You get a new smtp”. Among some of MadCat’s advertised features is the ability to skip emails hosted by known security vendors such as Cisco. This feature is implemented rather poorly, however, because the code used to skip “dangerous emails” is simply a regular expression with words like “cisco,” “cloudflare,” “proofpoint,” etc., as if spam traps implemented by security organizations are all run out of the main corporate domain name (Spoiler alert: they are not). 

MailRip is another open-source tool capable of credential stuffing in outbound SMTP servers

Another tool that Talos frequently sees performing credential stuffing is a program named MailRip. Although it contains a disclaimer that the code is not to be used “for any kind of illegal activity,” it is a tool primarily designed to facilitate checking username/password combos on IMAP servers and outbound SMTP servers. 

Besides these commercial and open-source tools, Talos also sees attackers who have “rolled their own” tools used for this activity. Typically, the Subject headers are a giveaway that the messages are test emails looking for valid SMTP accounts. However, some of the subject headers and email bodies of test messages are encoded/encrypted. Below are some of the more frequent Subject headers Talos has encountered. 

Common Credential Stuffing Test Message Subject headers: 
Subject: Mail Inbox Test IDF50F22 
Subject: You get a new smtp (from MadCat SMTP cracker tool) 
Subject: smtp id 2496130 
Subject: g1ukczr0iz3b6o6xsk0al0tyqy8ggr (encrypted/encoded Subject/Body) 
Subject: test 
Subject: Testing: mx.example.com 
Subject: new SMTP from MadCat checker 
Subject: Smart Tools Shop – Test SMTP ID: 1016587 
Subject: MailRip Test Result ID0BAB7A (from MailRip Tool) 
Subject: !XProad mx.example.com|2525|nywepaq@example.com|f29r21caT4. (from Laravel Monster Tool) 
Subject: SMTP Check #131085 – Jemex Shop 
Subject: TESTING RELAY! 
Subject: SMTP Check #6148 – Spyxe Shop 
Subject: Your Account ID #62363 
Subject: Mail Test Result ID0CD637.  
Subject: aloha: 127.0.0.255 
Subject: Mail Auto-Email ID86E8A6 
Subject: Mail Email Test ID23CB4D 
Subject: Mail Test Result IDD762AB 
Subject: =?utf-8?q?New_working_smtp_=2350131001?=  

Thwarting SMTP server credential stuffers 

One way Talos has tried to thwart these types of attacks is to make them believe that the actors have found a working outbound email account.  

To accomplish this, Talos has configured some of our spam traps to deliver those messages we have identified by Subject as test messages from the credential stuffers, while every other email is sent to various internal anti-spam systems for processing. Once the credential stuffers believe they have found a valid account, they typically turn on the spam firehose, which causes all the connecting IP addresses to be dinged for sending spam, which significantly affects those addresses’ ability to deliver mail to the inbox. 

 The anti-spam industry has largely been successful at driving a wedge between legitimate senders and spammers, causing spammers to seek out new ways to deliver their mail.  

Rather than send directly, these spammers have chosen to try and blend in with legitimate traffic to make their spam more difficult to block.  

Defenses 

Create Unique Passwords: People are terrible at creating and remembering good passwords. For the past several decades, even, the most popular unsafe password has been “123456”. Despite years of guidance from the security community that people should use a unique password for every website, many users will re-use the same credentials at several different sites. When someone is using unique credentials everywhere, one single compromised account will not impact any other online accounts belonging to that victim.  

Use a password manager: All those unique passwords you have been creating are going to be hard to remember. But avoid storing credentials in a browser. These can be stolen by attackers quite easily. A perfect tool exists for storing your passwords: a password manager. It is best to use a dedicated password manger such as KeePass, LastPass or 1Password. 

Educate Users: Unfortunately for defenders, there is very little we can do to defend against spam messages sent from legitimate forms. Most of the emails sent via forms are legitimate, so the malicious email blends in with the otherwise legitimate email traffic. However, on the positive side, some of the extra content in the emails gives away that the message is not legitimate. Educating your users to be wary of such email messages is a good way to prevent them from falling victim to phishing and other attacks that arrive by email. 

Cisco Talos Blog – ​Read More

Overview

The Cybersecurity Infrastructure and Security Agency (CISA) and Ivanti have shared an update advisory highlighting a critical authentication bypass vulnerability, CVE-2024-7593, in Ivanti’s Virtual Traffic Manager (VTM). This vulnerability has garnered attention due to its inclusion in the CISA’s Known Exploited Vulnerabilities (KEV) catalog, indicating that it is currently being targeted by threat actors.

Ivanti’s Virtual Traffic Manager serves as a software-based application delivery controller designed to optimize and manage network traffic across web and application servers. By efficiently distributing traffic, inspecting requests, and managing workloads, VTM enhances application performance, security, and scalability. However, the identified vulnerability poses significant risks that organizations must address promptly.

Ivanti’s Virtual Traffic Manager (VTM) Vulnerability

The vulnerability classification for CVE-2024-7593, which pertains to an authentication bypass, falls under a critical rating with a CVSS score of 9.8. It affects several versions of Ivanti Virtual Traffic Manager, specifically versions 22.2, 22.3, 22.3R2, 22.5R1, 22.6R1, and 22.7R1.

This flaw allows remote attackers to create administrator accounts, granting them unauthorized access to critical administrative functions within the VTM. At the time of the advisory’s release, Cyble’s ODIN scanner detected 67 internet-facing instances of Ivanti VTM, predominantly located in Japan and the United States. Given this context, organizations are strongly advised to review their audit logs to identify any potential unauthorized access attempts.

Given that the vulnerability can be exploited through the management interface, Ivanti recommends limiting administrative access to the management interface exclusively within internal networks. By restricting access to private or corporate networks, organizations can significantly reduce their exposure to potential threats.

Conclusion

The Ivanti Virtual Traffic Manager plays a pivotal role in ensuring efficient network operations and application performance. However, the recent identification of CVE-2024-7593 highlights the importance of vigilant security practices. With this vulnerability being actively exploited by threat actors, it is important for organizations relying on Ivanti VTM to take immediate action.

Recommended Actions

Implement the most recent patches released by Ivanti. Regular software updates are essential to close security gaps and protect against exploits. Establish a routine for patch applications, ensuring that critical updates are prioritized.

Establish a robust patch management strategy that includes inventory management, assessment, testing, deployment, and verification of patches. Automating parts of this process can enhance efficiency and ensure consistent application.

To minimize the exposure of critical assets, organizations should segment their networks. This involves creating distinct zones for sensitive information and utilizing firewalls, VLANs, and access controls to regulate access.

Organizations must develop and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates are essential to adapt to new threats.

Comprehensive monitoring and logging systems are vital for detecting malicious activities. Implementing Security Information and Event Management (SIEM) solutions can help organizations aggregate and analyze logs for real-time threat detection.

The post Urgent Security Advisory: CVE-2024-7593 Exposes Ivanti VTM to Attacks appeared first on Cyble.

Blog – Cyble – ​Read More