A week in security (November 13 – November 19)

Last week on Malwarebytes Labs:

Signal is testing usernames so you don’t have to share your phone number

State of Maine data breach impacts 1.3 million people

Credit card skimming on the rise for the holiday shopping season

Update now! Microsoft patches 3 actively exploited zero-days

Ransomware review: November 2023

Alarm system cyberattack leaves those in need struggling to call for help

3 benefits of ThreatDown bundles

Ransomware gang files SEC complaint about victim

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – ​Read More

Malware Spotlight – Into the Trash: Analyzing LitterDrifter

Introduction

Gamaredon, also known as Primitive Bear, ACTINIUM, and Shuckworm, is a unique player in the Russian espionage ecosystem that targets a wide variety of almost exclusively Ukrainian entities. While researchers often struggle to uncover evidence of Russian espionage activities, Gamaredon is notably conspicuous. The group behind it conducts large-scale campaigns while still primarily focusing on regional targets. The Security Service of Ukraine (SSU) identified the Gamaredon personnel as Russian Federal Security Service (FSB) officers.

Gamaredon’s large-scale campaigns are usually followed by data collection efforts aimed at specific targets, whose selection is likely motivated by espionage goals. These efforts run parallel to the deployment of various mechanisms and tools designed to maintain as much access to these targets as possible. One such tool is a USB propagating worm that we have named LitterDrifter.

The LitterDrifter worm is written in VBS and has two main functionalities: automatic spreading over USB drives, and communication with a broad, flexible set of command-and-control servers. These features are implemented in a manner that aligns with the group’s goals, effectively maintaining a persistent command and control (C2) channel across a wide array of targets. LitterDrifter seems to be an evolution of a previously reported activity tying Gamaredon group to a propagating USB Powershell worm.

In this report, we take an extensive dumpster dive into the analysis of Gamaredon’s LitterDrifter malware, as well as its C2 infrastructure.

Key Points

Gamaredon continues to focus on wide variety Ukrainian targets, but due to the nature of the USB worm, we see indications of possible infection in various countries like USA, Vietnam, Chile, Poland and Germany. In addition, we’ve observed evidence of infections in Hong Kong. All this might indicate that much like other USB worms, LitterDrifter have spread beyond its intended targets.

Figure 1 – Virus Total Submissions of LitterDrifter

The group recently started deploying LitterDrifter, a worm written in VBS, designed to propagate through removable USB drives and secure a C2 channel.

Gamaredon’s infrastructure remains extremely flexible and volatile, while at the same time maintaining previously reported characteristics and patterns.

LitterDrifter Overview

The LitterDrifter is a self-propagating worm with two main functionalities: spreading over drives and establishing a C2 channel to Gamaredon’s wide command and control infrastructure. Those two functionalities reside within an orchestration component saved to disk as “trash.dll”, which is actually a VBS, despite its file extension name.

Figure 2 – A high-level execution scheme of LitterDrifter.

trash.dll, as the initial orchestration component, runs first and its main function is to decode and execute the other modules and maintain initial persistence in the victim’s environment.

Following a successful execution, it runs the two extracted modules:

1. Spreader module – Distributes the malware in the system and potentially spreads it to other environments by prioritizing infection of a logical disk with mediatype=NULL, usually associated with USB removable media.

2. C2 Module – Retrieves a command and control server IP address by generating a random subdomain of a built-in C2 server, while also maintaining a backup option to retrieve a C2 IP address from a Telegram channel. Its main purpose is to establish communication with the attacker C&C server and to execute incoming payloads.

Dumpster Diving

Deobfuscoding the DEOBFUSCODER

The orchestration component (referred to as DEOBFUSCODER) is heavily obfuscated and is constructed from a series of strings with character substitution obfuscation. It consists of 7 functions and variables with name mangling. Throughout the run of the “Deobfucate” action, LitterDrifter invokes a function that delays the execution for a few seconds (the exact time varies from sample to sample) to delay the following actions.

The main function takes two encoded strings (the other two malicious components) as parameters. It then declares two paths under the user’s “Favorites” directory, designed to store the two decoded scripts from the other 2 encoded components of the VBS.

To ensure its persistence, the Deobfuscoder makes a copy of the original script to a hidden file called “trash.dll” in the user’s directory.

The script decodes the provided encoded strings and writes them to the “Favorites” directory as “jersey.webm”, the payload component, and “jaw.wm”, the spreader component (the names and extensions of the files and also the location inside the %userprofile% differ between variants).

After creating these files, the malware proceeds to set scheduled tasks for each of the 2 components, ensuring they are regularly executed. In addition, it adds an entry to the user’s startup items in the Registry Run Keys to ensure they run upon startup.

Both the tasks and the startup entries are disguised using technical-sounding names such as “RunFullMemoryDiagnostic” and “ProcessMemoryDiagnosticEvents” to appear legitimate and avoid arousing suspicion.

Figure 3 – Deobfuscated snippet of the orchestrator DEOBFUSCODER’s Main Function.

The entire flow is deliberately obscured by ambiguous function and variable names as well as the use of inline scripting, which make it difficult for casual observers to discern its intent and activities.

Spreader Module Analysis

The core essence of the Spreader module lies in recursively accessing subfolders in each drive and creating LNK decoy shortcuts, alongside a hidden copy of the “trash.dll” file.

Figure 4 – trash.dll is distributed as a hidden file in a USB drive together with a decoy LNK.

Upon execution, the module queries the computer’s logical drives using Windows Management Instrumentation (WMI), and searches for logical disks with the MediaType value set to null, a method often used to identify removable USB drives.

Figure 5 – LitterDrifter’s spreader component.

For each logical drive detected, the spreader invokes the createShortcutsInSubfolders function. Within this function, it iterates the subfolders of a provided folder up to a depth of 2.

For every subfolder, it employs the CreateShortcut function as part of the “Create LNK” action, which is responsible for generating a shortcut with specific attributes. These shortcuts are LNK files that are given random names chosen from an array in the code. This is an example of the lure’s names from an array in one of the samples that we investigated:(“Bank_accоunt”, “постановa”, “Bank_accоunt”, “службовa”, “cоmpromising_evidence”). The LNK files use wscript.exe **** to execute “trash.dll” with specified arguments ” “”trash.dll”” /webm //e:vbScript //b /wm /cal “. In addition to generating the shortcut, the function also creates a hidden copy of “trash.dll” in the subfolder.

Figure 6 – A function in the Spreader component used to iterate subfolders.

C2 Module Analysis – Taking Out the Trash

Gamaredon’s approach towards the C&C is rather unique, as it utilizes domains as a placeholder for the circulating IP addresses actually used as C2 servers.

Before attempting to contact a C2 server, the script checks the %TEMP% folder for an existing C2 configuration file with a meaningless name that’s hardcoded in the malware. This mechanism acts as a self-check for the malware, verifying whether it already infected the machine. If present, the current execution could simply be a scheduled execution triggered by the persistence mechanisms discussed earlier. If there isn’t an existing config file, the malware switches gears and pings one of Gamaredon’s domains using a WMI query: select * from win32_pingstatus where address=’Write<random_2_digit_number>.ozaharso.ru’. The malware extracts the IP resolution for the domain from the response to the query and saves it to a new configuration file.

Figure 7 – LitterDrifter retrieving the C2 IP address using a WMI query.

With the IP address in hand, LitterDrifter constructs the IP into a URL. The format is usually along the lines of http://<cncIP>/jaw<random_2_digit_number>/index.html=?<random_2_digit_number>. The C2 communication is carried out using a custom user-agent that contains some information about the machine. This information includes the computer name and a hexadecimal form of the %systemdrive%’s serial number.

The end result is a user-agent that looks like this: mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) chrome/88.0.4324.152 yabrowser/21.2.3.106 yowser/2.5 safari/537.36;;<computer_name>_<system_drive_serial>;;/.justly/.

Figure 8 – LitterDrifter prepares the HTTP request, constructing the URL and user-agent.

The request’s HTTP header is also carefully tailored. For example, in one of the samples we found, the Referer field discreetly holds https://www.crimea.kp.ru/daily/euromaidan/, a nod to Crimea’s news site. It also sneaks in some specifics for the Accept-Language and the string marketCookie in the Cookie field.

Figure 9 – HTTP request function.

LitterDrifter utilizes a fail counter to choose which C2 method is relevant. The fail counter increases each time the C2 fails to return either a payload or a Telegram backup channel, from which LitterDrifter extracts an alternative C2. The flow of the code suggests the first answer to return is usually a Telegram channel ID, which is saved in a backup file.

Based on the fail count, LitterDrifter chooses to which C2 to connect:

If the fail counter is currently set to 0, the request is carried out to the file saved in the configuration file.

If the fail counter is currently set to 1, LitterDrifter attempts to resolve its embedded C2 domain using a WMI Query, as previously described.

If the fail counter is set to 2, LitterDrifter attempts to connect to a C2 extracted from a Telegram backup channel, using a different user-agent and a Referer of https://www.interfax.ru/tags/, which is another Russian news site. From there, it extracts an IP address used as a C2.

Figure 10 – Gamaredon’s Telegram channel that conceals a C&C IP address.

If a payload is found within the C2 reply, LitterDrifter tries to decode it. It unwraps any base64 content and attempts to run the decoded data. Based on our analysis, the payload is not downloaded to most targets.

Figure 11 – LitterDrifter’s fail count options and execution of a received payload (Deobfuscated).

Infrastructure

During our analysis, we noticed distinct patterns in the infrastructure employed by Gamaredon in this operation. This includes registration patterns, as all of the domains used by Gamaredon’s LitterDrifter are registered by REGRU-RU. and are part of the TLD .ru. These findings align with other past reports of Gamaredon’s infrastructure.

Based on some of the patterns, we were able to associate specific domains and subdomains with LitterDriffter’s operation, and other domains that are linked to other clusters of Gamaredon’s activity.

In the LitterDrifter campaign, the C2 module gets the resolution for a Gamaredon-owned domain through a WMI query. It does so by generating a random subdomain of a hardcoded domain, using random words and digits so each domain exhibits a diverse range of associated subdomains. Some domains have just a few subdomains, while others have several hundred. The following charts show the number of subdomains for each of the domains we encountered:

Figure 12 – Number of subdomains per domain.

As we described earlier, the WMI query to Gamaredon’s domain returns an IP address that is used as the operational C2 of the campaign. On average, an IP address remains operational for roughly 28 hours. However, the IP address serving as the active C2 usually changes several times a day (all of the IP addresses used might fall within the same subnet), as seen below:

Figure 13 – Number of C&C IP addresses per day in the past 2 months.

Conclusion

In this report, we explored the inner workings of this recently identified worm. Comprised of two primary components – a spreading module and a C2 module – it’s clear that LitterDrifter was designed to support a large-scale collection operation. It leverages simple, yet effective techniques to ensure it can reach the widest possible set of targets in the region.

LitterDrifter doesn’t rely on groundbreaking techniques and may appear to be a relatively unsophisticated piece of malware. However, this same simplicity is in line with its goals, mirroring Gamaredon’s overall approach. This method has demonstrated considerable effectiveness, as evidenced by the group’s sustained activities in Ukraine.

Check Point Customers Remain Protected

Check Point Customers remain protected against attacks detailed in this report while using Check Point Harmony Endpoint and Threat Cloud.

Indicators of Compromise

LitterDrifter samples

cbeaedfa84b02a2bd41a70fa92a46c36

6349dd85d9549f333117a84946972d06

2239800bfc8fdfddf78229f2eb8a7b95

42bc36d5debc21dff3559870ff300c4e

4c2431e5f868228c1f286fca1033d221

1536ec56d69cc7e9aebb8fbd0d3277c4

49d1f9ce1d0f6dfa94ad9b0548384b3a

83500309a878370722bc40c7b83e83e3

8096dfaa954113242011e0d7aaaebffd

bbb464b327ad259ad5de7ce3e85a4081

cdae1c55ec154cd6cef4954519564c01

2996a70d09fff69f209051ce75a9b4f8

9d9851d672293dfd8354081fd0263c13

96db6240acb1a3fca8add7c4f9472aa5

1c49d04fc0eb8c9de9f2f6d661826d24

88aba3f2d526b0ba3db9bc3dfee7db39

86d28664fc7332eafb788a44ac82a5ed

1da0bf901ae15a9a8aef89243516c818

579f1883cdfd8534167e773341e27990

495b118d11ceae029d186ffdbb157614

Infrastructure

ozaharso[.]ru

nubiumbi[.]ru

acaenaso[.]ru

atonpi[.]ru

suizibel[.]ru

dakareypa[.]ru

ahmozpi[.]ru

nebtoizi[.]ru

squeamish[.]ru

nahtizi[.]ru

crisiumbi[.]ru

arabianos[.]ru

gayado[.]ru

quyenzo[.]ru

credomched[.]ru

lestemps[.]ru

urdevont[.]ru

hoanzo[.]ru

absorbeni[.]ru

aethionemaso[.]ru

aychobanpo[.]ru

ayzakpo[.]ru

badrupi[.]ru

barakapi[.]ru

boskatrem[.]ru

brudimar[.]ru

decorous[.]ru

dumerilipi[.]ru

heartbreaking[.]ru

judicious[.]ru

karoanpa[.]ru

lamentable[.]ru

procellarumbi[.]ru

ragibpo[.]ru

raidla[.]ru

ramizla[.]ru

samiseto[.]ru

superficial[.]ru

talehgi[.]ru

undesirable[.]ru

valefgo[.]ru

vasifgo[.]ru

vilaverde[.]ru

vloperang[.]ru

zerodems[.]ru

geminiso[.]ru

vilaverde[.]ru

lamentable[.]ru

raidla[.]ru

boskatrem[.]ru

heartbreaking[.]ru

sabirpo[.]ru

valefgo[.]ru

vasifgo[.]ru

absorbeni[.]ru

vloperang[.]ru

decorous[.]ru

ramizla[.]ru

procellarumbi[.]ru

andamanos[.]ru

triticumos[.]ru

The post Malware Spotlight – Into the Trash: Analyzing LitterDrifter appeared first on Check Point Research.

Check Point Research – ​Read More

Transatlantic Cable podcast, episode 324 | Kaspersky official blog

The latest episode of the Transatlantic Cable podcast kicks off with Meta will now require political advertisers to mark when they use deepfakes. From there, the team discuss how META and Google are being sued for “spying” in Irish courts.

To wrap up the team discuss two final stories – the first around the Royal ransomware gang siphoning off over $200M in ransom payments and the second on the recent cyber-attack against DP World – a port operator in Australia.

If you liked what you heard, please consider subscribing.

Meta requires political advertisers to mark when deepfakes used
Meta, YouTube face criminal spying complaints in Ireland
Royal ransomware asked 350 victims to pay $275 million
Port operator gradually restarting operations around Australia after cyber-attack

Kaspersky official blog – ​Read More

Alarm system cyberattack leaves those in need struggling to call for help

An alarm system company that allows those in need to ask for help at the touch of a button has suffered a cyberattack, causing serious disruption.

Tunstall Netherlands says the attack left the control room struggling to receive distress calls from clients on Sunday November 12, 2023.

Tunstall, among others, provides services and systems to allow smart monitoring in various healthcare settings. One of the services provides sick or disabled persons, and the elderly with an alarm button that can be used in case of an emergency.

Under normal circumstances, the control room would relay the distress call to a caregiver so they can check on and provide help.

The alarm button systems are used in situations where people that require care are not constantly surrounded by caregivers, like care homes that provide independent living, elderly who live at home but need the ability to call for help, and people with a heightened risk of falling.

It’s unknown what the exact nature of the cyberattack is. In case of a ransomware attack, it is unlikely that any group will claim responsibility or demand a ransom. These types of services are usually the type that they want to avoid for fear of repercussions.

Estimates say that tens of thousands of people are unable to reach the control room at the press of a button and will have to call an emergency number instead.

Tunstall says it’s worked hard to remediate the situation. It has engaged a specialized cybersecurity company to investigate the situation. Meanwhile it advised clients to keep their mobile phones handy so they can reach out in case of an emergency. At the moment the first services have been brought back online and the hope is that soon everything will be fully functional again.

Some organizations that use Tunstall’s system say they have provided their clients with the direct number they would need to call when they need help. But obviously pressing a button is a lot easier when you are in distress than having to call a phone number.

How you can call without having to unlock your phone first

Having the number pre-programmed and available at the press of a button makes things a bit easier if you do need to call for help via your phone. If you have or are someone who may need immediate help and you don’t have an alarm button or it doesn’t work, there are methods to make it easier to use your phone to raise help.

iPhones provide an “Emergency” option on the lock screen. Tapping it opens an on-screen keyboard, which allows you to dial a number. The restriction with this option however, is that it is designed primarily to call emergency numbers. Another option is to use the smart assistant by saying ‘Hey Siri’, and then ask it to call one of your contacts or a phone number. 

Some Android phones offer the option to add emergency contacts. Activating Emergency SOS requires you to save at least one emergency contact to your phone. This will need to be done first. Please note that Android phones’ menus may differ from vendor to vendor and version to version.

Open the Settings app.

Scroll down and tap Safety & emergency. On some types this menu can be found in the Advanced Settings menu.

Tap Emergency contacts > Add contact

Select one or more emergency contacts from your contact list.

Now you can enable Emergency SOS

In Safety & emergency, toggle the Use Emergency SOS and set the Use Emergency SOS slider to enabled

Confirm the setting and select what information you want to share.

You will need to provide the app with the necessary permissions.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Malwarebytes – ​Read More

WhatsApp spyware modifications in Telegram | Kaspersky official blog

Over the past decade, messaging apps such as WhatsApp and Telegram have become an integral part of life for almost every internet user. Billions of people use them to chat with loved ones, share funny pictures and videos with friends, communicate with coworkers, catch up on the news, and so on. Just try to imagine modern life without messengers. Hard, isn’t it? Unfortunately, these indispensable apps sometimes contain hidden threats.

WhatsApp and Telegram mods: the whats and whys

Some people think that the official WhatsApp and Telegram apps lack functionality — be that additional options to customize the interface or something more specific; for example, the ability to hide chats, automatically translate messages, or view messages deleted by chat partners. And the list of “missing” features is a very long one.

Third-party developers create modifications, or mods of standard WhatsApp and Telegram apps to satisfy even the most peculiar user needs, and there are a great many such mods.

The problem with installing any of them is that the user must entrust their correspondence not only to the original messenger developers but also to the mod developers, who can easily hide malicious modules in them; mod distributors can also add something of their own.

In the case of WhatsApp, the situation with mods is further complicated by its owners. They don’t approve of modifications and so hinder their distribution. From time to time, WhatsApp’s owners try to prohibit folks from using mods — albeit unsuccessfully thus far. Meanwhile they have had some success in barring alternative clients for WhatsApp from the official stores like Google Play and App Store.

As a consequence, users of WhatsApp mods are accustomed to downloading them from just about anywhere. APK files are boldly downloaded, settings are switched to allow installation from unknown sources, and mods are then run on phones. And cybercriminals exploit this carelessness by embedding malware in the mods.

Our experts recently found several such infected mods, which we’ll take a look at in this post.

Infected WhatsApp mods on Telegram

The WhatsApp mods that caught our experts’ attention hadn’t previously shown any malicious activity. Now, however, they contain a spy module, which our security solutions detect as Trojan-Spy.AndroidOS.CanesSpy.

After installation on the victim’s smartphone, an infected WhatsApp mod waits for the phone to be turned on or put on charge before launching the spy module. It contacts one of the C2 servers from the respective list and uploads various information about the device to it, such as phone number, IMEI, cellular network code, and so on. What’s more, the spy Trojan sends information about the victim’s contacts and accounts to the server every five minutes, all the while waiting for commands.

Leaving service commands aside, the spy module’s capabilities are essentially reduced to two functions:

Search the device and send its operators files contained in the smartphone’s memory (to be precise, in its non-system part, or “external storage” in Android terminology)
Record sound from the built-in microphone and, as before, send the recordings to C2

As for how the spyware was distributed, infected WhatsApp modifications were found in several Arab and Azerbaijani Telegram channels under the names of popular mods: GBWhatsApp, WhatsApp Plus, and AZE PLUS — a WhatsApp Plus version with the interface translated into Azerbaijani.

WhatsApp mods infected with spyware were distributed mostly in Azerbaijani and Arabic Telegram channels

In addition, our experts discovered APK files infected with the spy module on WhatsApp mod download websites.

In October, our security solutions detected and prevented more than 340,000 attacks by this spyware in more than 100 countries. Note that we’re talking about attacks intercepted by our solutions. The total number (accounting for phones on which our solutions aren’t installed) is likely much higher.

Although the geographic spread of the threat is extensive, the largest number of infection attempts — by a wide margin — was registered in Azerbaijan, followed by several Arab countries: Yemen, Saudi Arabia, and Egypt; as well as Turkey.

Top-20 countries where WhatsApp spy mods were distributed

How to protect yourself against messenger spyware

This isn’t the first case in 2023 of malicious modules being found in modified messenger apps. A few months ago we wrote about a string of infected mods for Telegram, WhatsApp, and even the secure messenger Signal. So there’s every reason to remain vigilant:

Use only the official WhatsApp and Telegram apps. As we’ve seen, messenger mods are prone to malware.
Install apps only from official stores: Apple App Store, Google Play, Huawei AppGallery, and the like. These aren’t immune to malware, but still way safer than third-party websites, which often have no security measures in place at all.
Before installing any app, first study its page in the store and make sure it’s not fake — bad actors often create clones of popular apps.
Read user reviews of the app, paying special attention to negative ones. There you’ll probably find out if it demonstrates suspicious activity.
Be sure to install reliable protection on all your devices. This will detect malicious code inside a seemingly harmless app, and warn you in time.
Remember that in the free version of our Kaspersky: Antivirus & VPN app, you have to run the scan manually.
If you use the premium version of our protection for Android — which comes included in the Kaspersky Standard, Kaspersky Plus, and Kaspersky Premium subscriptions — you can sit back and relax: scanning for threats takes place automatically.

Kaspersky official blog – ​Read More

Ransomware review: November 2023

This article is based on research by Marcelo Rivero, Malwarebytes’ ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, “known attacks” are those where the victim did not pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher.

In October, 318 new victims were posted on ransomware leak sites. The top active gangs were LockBit (64), NoEscape (40), and PLAY (36). Major stories for the month included the takedown of several high-profile groups, including alleged Sony Systems attacker RansomedVC, new data shedding light on Cl0p’s education sector bias, and a deep-dive revealing the danger of the group behind September’s infamous casino attacks.

Last month three major ransomware groups—RansomedVC, Ragnar, and Trigona—were shut down, the first two by law enforcement and the third by Ukrainian hacktivists. Let’s dive into RansomedVC, a group which burst onto the scene in August and quickly gained notoriety for allegedly breaching several well-known companies. In late October, the lead hacker behind the group was seen on Telegram trying to sell the operation. Just days later, the account announced that it was “putting an end to” the group after learning that six of its affiliates may have been arrested. The group had posted 42 victims on their leak site at the time of their take down.

While law enforcement is yet to come forward confirming the RansomedVC arrests, the same is not true for RagnarLocker group, which Europol and Eurojust announced they had taken down last month. RagnarLocker started in 2019 and was responsible for numerous high-profile attacks against municipalities and critical infrastructure across the world. At the time of the takedown action, the group had posted a total of 42 victims on their leak site.

Trigona’s demise, on the other hand, was not at the hands of investigators but activists, highlighting the impact that broader geopolitical struggles can have on the ransomware landscape. In mid-October, the Ukrainian Cyber Alliance (UCA) breached the Trigona Confluence server and completely deleted and defaced their sites. Formed around 2016 to defend Ukraine’s cyberspace against Russian interference, the UCA used a public exploit for CVE-2023-22515 to gain access to Trigona infrastructure. Trigona is responsible for at least 30 attacks across various sectors since first emerging in October 2022.

Known ransomware attacks by ransomware group, October 2023

Known ransomware attacks by country, October 2023

Known ransomware attacks by industry sector, October 2023

In other October news, Resilience, a cyber insurance company, reported that 48% of all MOVEit cyberattack victims in its client base during the first half of 2023 were from the education sector. This suggests a possible targeting preference of the Cl0p campaign towards educational institutions. However, this figure might not fully represent the situation.

For instance, if Resilience has a higher proportion of clients in the education sector, it could bias the data towards that sector. On the other hand, data from Malwarebytes indeed indicates that while the education sector comprises only 3% of all MOVEit hosts, they account for 6% of the victims. However, this trend is likely not due to a deliberate focus by Cl0p, whose attacks were more opportunistic in scope, but rather because educational sectors often have fewer resources to promptly address vulnerabilities like those in MOVEit. Thus, the bias observed is more circumstantial than intentional. At any rate, given that the education sector frequently relies on third-party applications like MOVEit, the impact of Cl0p’s activities serves as a stark reminder for these institutions to adopt robust third-party security best practices.

Microsoft’s deep dive into Scattered Spider last month shed new light on the relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesar Entertainment. For small security teams, one of the most important findings about the group is their use of Living Of The Land (LOTL) techniques to avoid detection: Scattered Spider employs everyday tools like PowerShell for reconnaissance and stealthily alters network settings to bypass security measures. They also exploit identity providers and modify security systems, blending their malicious activities with normal network operations.

With the success of groups like Scattered Spider increasingly relying on LOTL attacks, it’s vital for defenders to focus on detecting anomalous activities within legitimate tools and network configurations. Strengthening monitoring and analysis capabilities can help identify and counter the subtle, sophisticated techniques employed by these ransomware gangs.

New(?) player: Hunters International

Hunters International is a new ransomware player suspected to be a rebrand of the Hive ransomware, which was shutdown in January 2023 by law enforcement. Despite Hunters International’s denial, claiming they are a distinct entity that purchased Hive’s source code, the overlap in their malware’s coding and functionality suggests a direct lineage from Hive.

Their activity, though limited, includes a notable attack on a UK school.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes – ​Read More

Update now! Microsoft patches 3 actively exploited zero-days

Another important update round for this month’s Patch Tuesday. Microsoft has patched a total of 63 vulnerabilities in its operating systems. Five of these vulnerabilities qualify as zero-days, with three listed as being actively exploited. Microsoft considers a vulnerability to be a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in these updates are listed as:

CVE-2023-36025: a Windows SmartScreen security feature bypass vulnerability that would allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts. SmartScreen is a built-in Windows component designed to detect and block known malicious websites and files.

It requires user interaction since the user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker. Microsoft listed this vulnerability with the remark “Exploitation Detected.”

CVE-2023-36033: a Windows Desktop Window Manager (DWM) Core Library elevation of privilege (EoP) vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

CVE-2023-36036: a Windows Cloud Files Mini Filter Driver EoP vulnerability. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. This vulnerability is also listed with the remark “Exploitation Detected.”

EoP type of vulnerabilities are typically used in attack chains. Once the attacker has gained entrance, the vulnerabilities allow them to increase their permission level.

CVE-2023-36413: a Microsoft Office security feature bypass vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and open in editing mode rather than protected mode. Full exploitation requires that the attacker sends the target a malicious file and convince them to open it. This is a publicly disclosed vulnerability but there are no known cases of exploitation.

CVE-2023-36038: a vulnerability in ASP.NET that could lead to core denial of service. This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible. A successful exploitation might result in a total loss of availability. So, basically an attacker would send requests and then cancel them until the program runs out of memory and crashes. Microsoft notes that this vulnerability was publicly disclosed, however no in-the-wild exploitation has been observed, which is not likely to happen either if the denial of service is the best achievable goal for an attacker.

An extra warning for organizations running Microsoft Exchange Server: Prioritize several new Exchange patches, including CVE-2023-36439, which is a vulnerability that enables attackers to install malicious software on an Exchange server.

Other vendors

Other organizations have synchronized their periodic updates with Microsoft. Here are few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities affecting multiple Adobe products:

APSB23-52: Adobe ColdFusion

APSB23-53: Adobe RoboHelp Server

APSB23-54: Adobe Acrobat and Reader

APSB23-55: Adobe InDesign

APSB23-56: Adobe Photoshop

APSB23-57: Adobe Bridge

APSB23-58: Adobe FrameMaker Publishing Server

APSB23-60: Adobe InCopy

APSB23-61: Adobe Animate

APSB23-62: Adobe Dimension

APSB23-63: Adobe Media Encoder

APSB23-64: Adobe Audition

APSB23-65: Adobe Premiere Pro

APSB23-66: Adobe After Effects

Android’s November updates were released by Google.

SAP released its November 2023 Patch Day updates.

SysAid released security updates for a zero-day vulnerability that is actively being exploited by a ransomware affiliate.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Malwarebytes – ​Read More

What is a zero-click exploit? | Kaspersky official blog

Some people believe that if you don’t click on dangerous links, open suspicious files, or install programs from untrusted sources, you don’t have to worry about malware infections. Unfortunately, this isn’t entirely true. There are so-called zero-click exploits that don’t require any actions of the targeted user.

Creating zero-click exploits requires both serious expertise and significant resources. The vulnerabilities needed for zero-clicks to work are, to say the least, not easily discovered — information about such security issues can cost hundreds of thousands, if not millions of dollars on the black market.

However, this does not mean that attacks using zero-click exploits are rare. Information about vulnerabilities (including those suitable for creating zero-click exploits) is often published by researchers on the Internet, sometimes along with proof-of-concept code. That is, after some time, any cybercriminal who follows infosec news will be able to use this vulnerability in their malware. Yes, software developers try to fix such vulnerabilities ASAP, but as we know, not everyone promptly installs updates.

Also, we should not forget about vulnerabilities in IoT devices, servers, and other connected systems such as network attach storage (NAS). All this equipment operates without constant human control, and therefore exploits designed to attack them do not rely on any user action. Either way, it’s worth at least knowing about zero-click attacks; even better — to take some measures to protect your company against them.

Examples of zero-click attacks

Using real-life examples of zero-click attacks, let’s see how they work in practice, and what methods the creators of these exploits use to achieve their goals.

The Operation Triangulation espionage campaign

Not long ago, employees of our company were attacked by an unknown group using, among other things, a zero-click exploit. After discovering it, we named this espionage campaign Operation Triangulation. Using Apple’s iMessage service, the attackers sent a message to the victim’s iPhone with a special attachment containing an exploit. Thanks to a previously unknown vulnerability in iOS, this exploit, without any user input, triggered the execution of malicious code that connected to a C2 server and gradually loaded additional malicious payload. It first elevated privileges using additional exploits and then launched a full-blown APT platform.

To get around the iPhone’s internal security mechanisms, the platform operated exclusively in the device’s RAM. It allowed the attackers to collect information about the owner and launch additional plugins downloaded from С2 servers. The infection was only detected thanks to our network event monitoring and analyzing system.

Of course, Apple quickly fixed this vulnerability, but it is not the first exploitation of a bug in iMessage that allows attackers to infect an iPhone using an invisible malware. Since attackers are actively researching this service, there is no guarantee that they will not find some alternative method and use it (possibly even for mass attacks).

Intellexa Predator spyware and a zero-click vulnerability in Safari

Another fairly recent example: Apple recently released an important update for iOS, macOS, and some other software products, fixing several serious vulnerabilities. A vulnerability in the WebKit (a browser engine used by Apple Safari browser) was exploited by a zero-click exploit, part of Intellexa Predator spyware.

First, the attackers waited for the moment when the victim accessed a website whose connection didn’t use encryption (that is, HTTP rather than HTTPS). After that, they conducted a man-in-the-middle (MITM) attack by redirecting the victim to an infected site. Then, the aforementioned vulnerability in the Safari browser was exploited — it allowed the attackers to execute arbitrary code on the iPhone without any action from the victim. Subsequently, the criminals used additional vulnerabilities to install spyware on the compromised iPhone.

Researchers also discovered a similar exploit chain that the creators of Predator used to infect Android smartphones. In this case, the zero-click attack was executed in the Chrome browser.

Earlier this year, we reported other vulnerabilities of this kind in both Apple Safari and Google Chrome. All of them enable the creation of malicious web pages that, in turn, infect with malware the smartphones or computers of users who visit them — again without any additional actions on the part of the victims.

How to defend against zero-click attacks

Since the primary danger of zero-clicks lies in the fact that their creators don’t require any active action at all by the victim, the usual principles of online hygiene aren’t very helpful here. However, there are still some things you can do to protect devices:

Keep software up to date — especially the operating system and all browsers installed on it.
If you have any reason to be concerned about attacks using high-level commercial spyware (such as NSO Pegasus), see our dedicated post with recommendations on how to defend against them.
For iPhone users, it’s good to use Lockdown Mode. This mode helps partially protect against serious attacks, but should by no means be considered a panacea.
Supply all corporate devices with a reliable protective solution that will take care of security during periods when new vulnerabilities are already being exploited, but the corresponding patches haven’t yet been released.
This also applies to iOS. Yes, due to Apple’s policy, there are no full-fledged antivirus solutions for this operating system. However, Kaspersky Endpoint Security for Business includes an application that does at least block dangerous web pages, thereby reducing the likelihood of vulnerabilities being exploited in the browser.

Kaspersky official blog – ​Read More

Ransomware gang files SEC complaint about victim

In what seems to be a new twist on the ransomware theme, the notorious ALPHV/BlackCat ransomware group has filed a complaint with the US Securities and Exchange Commission (SEC) about the software company MeridianLink.

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews. MeridianLink supplies “digital lending solutions” to banks, credit unions, fintechs, and other financial institutions.

Since September 5, 2023 the SEC has required public companies to disclose within four days all cybersecurity breaches that could impact their bottom lines. Apparently ALPHV is aware of the new rules and in this screenshot of the SEC complaint form it wrote:

“We want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.

It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules.”

The referenced item (Form 8-K Item 1.05) states:

“Registrants must disclose any cybersecurity incident they experience that is determined to be material, and describe the material aspects of its:

– Nature, scope, and timing; and

– Impact or reasonably likely impact.

An Item 1.05 Form 8-K must be filed within four business days of determining an incident was material. A registrant may delay filing as described below, if the United States Attorney General (“Attorney General”) determines immediate disclosure would pose a substantial risk to national security or public safety.

Registrants must amend a prior Item 1.05 Form 8-K to disclose any information called for in Item 1.05(a) that was not determined or was unavailable at the time of the initial Form 8-K filing. “

As you can see, there are possible exceptions and for all we know, the investigation into the nature and gravity of the data breach is still ongoing. Or far from as material as ALPHV wants us to believe.

In a statement to databreaches.net MeridianLink  said:

“Safeguarding our customers’ and partners’ information is something we take seriously. MeridianLink recently identified a cybersecurity incident that took place on Nov 10. Upon discovery on the same day, we acted immediately to contain the threat and engaged a team of third-party experts to investigate the incident. Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.

We have no further details to offer currently, as our investigation is ongoing.”

Apparently the ransomware operators like to pretend that what they are doing is their civic duty. This tile is posted on the landing page of the gang’s leak site.

ALPHV announces that it’s filed a complaint with the SEC

Clicking through, we found the screenshot of the form and a non-explanatory statement why they filled the form out.

“Despite this requirement, MeridianLink has not fulfilled this obligation regarding the breach it experienced a week ago. We have therefore reported this non-compliance by MeridianLink, who was involved in a material breach impacting customer data and operational information, for failure to file the required disclosure with the Securities and Exchange Commission (SEC). It appears MeridianLink reached out, but we are yet to receive a message on their end. Maybe this was their DFIR, Mandiant, who did so without authorization from their client. Whatever the reason is…..we are giving you 24 hours before we publish the data in its entirety.”

Whatever the reason is behind MeridianLink’s apparent decision not to report the cyber-incident (yet), the action taken by ALPHV certainly is something we haven’t seen before. It may be a warning or an attempt to gain extra leverage. Knowing how hard it can be to determine the scope of a cyberattack in just a few days, we can expect to see this happen more often.

How to avoid ransomware

Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; and disable or harden remote access like RDP and VPNs.

Prevent intrusions. Stop threats early before they can even infiltrate or infect your endpoints. Use endpoint security software that can prevent exploits and malware used to deliver ransomware.

Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.

Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.

Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.

Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes – ​Read More

Understanding the Kaspersky Compromise Assessment Service

A question for many businesses these days isn’t “Will we get hacked?” but rather, “Might we have already been hacked unknowingly?” The stealthy nature of advanced cyberthreats means that organizations need to be continuously vigilant. To safeguard sensitive data and critical systems, many turn to various cybersecurity services – including compromise assessment services. While compromise assessment may sound similar to incident response, penetration testing, and/or managed detection and response (MDR), it serves a distinct purpose in the realm of cybersecurity. In this post, we explore the concept of a compromise assessment service and show how it differs from these other crucial cybersecurity operations.

What is a compromise assessment service?

A compromise assessment service is a proactive cybersecurity project-based measure designed to identify signs of compromise within an organization’s IT infrastructure. This assessment focuses on detecting threats or suspicious activities that may have gone unnoticed within an organization’s environment. The primary objectives of compromise assessment are typically the following:

To perform a tool-aided indicator of compromise (IoC) scan of all hosts in the IT infrastructure
To analyze network activity, including outgoing connections to potential attackers’ command and control servers
To conduct initial incident investigation to identify tools and techniques used for the attack (if signs of network compromise were found)
To reveal suspected sources of an attack and other likely compromised systems
To provide recommendations on further remediation actions

What’s the difference between compromise assessment (CA) and incident response (IR)?

Incident response is a reactive cybersecurity process, which comes into play once a security incident has been detected. IR teams are responsible for investigating the nature and scope of a breach, containing it, eradicating the threat, and restoring normal operations. Incident response aims to minimize the impact of security incidents and prevent their reoccurrence.

Both CA and IR share common approaches and methodologies – including collection and analysis of digital forensic artifacts (Prefetch, Amcache, etc.), usage of IoC-scanners to find compromised hosts, and binary reverse engineering to prove the presence of malicious functions in certain programs or scripts.

The primary differences between CA and IR are:

Aspect
Compromise assessment
Incident response

Primary goal
To identify missed/unknown incidents
To reduce the impact of an identified security breach or an attack on your IT environment

Input data
Doesn’t require technical data for the input
Requires technical data for the input: alert from security control, suspicious file, signal about data leakage, ransom note, etc., which obviously prove that an incident has occurred

Timing
– Periodic assessment project
– Precedes IR in identifying an incident
– Can follow IR to make sure of no other compromises
– Is initiated after security incident detection
– Follows compromise assessment if a breach is detected

Scope
Broad scan across entire organization’s network to find all signs of compromise

Only the network segments affected by the reported incident

What’s the difference between compromise assessment and penetration testing?

Penetration testing – often referred to as pentesting – is a simulated cyberattack on a system, network, or application to evaluate its security vulnerabilities. The primary goal of a pentest is to identify potential weak points that malicious hackers might exploit, thereby allowing organizations to strengthen their security posture.

Both penetration testing and compromise assessment activities require skilled professionals with a deep understanding of cyberthreats and defenses. While they have different primary objectives, both are proactive measures to understand and improve security.

The key differences between a penetration test and a compromise assessment.

Aspect
Penetration testing
Compromise assessment

Objective
To identify vulnerabilities before they’re exploited
To identify instances of successful exploitation of vulnerabilities

Scope
Predefined (e.g., specific systems, applications)
Typically, the whole organization

Methodology
Simulated cyberattacks using tools and manual techniques
To examine logs, network traffic, anomalies and system behaviors

What’s the difference between compromise assessment and managed detection and response

Managed detection and response services involve continuous monitoring, threat detection, and incident response by a third-party provider. MDR combines technology, human expertise, and threat intelligence to identify and respond to security threats in real time. The focus of MDR is on providing a holistic cybersecurity solution that includes both monitoring and response capabilities.

Both CA and MDR use a combination of advanced technologies, threat intelligence, and skilled analysts to identify potential security breaches and suspicious activities within an organization’s network.

The key differences between CA and MDR are as follows:

Aspect
Compromise Assessment
MDR

Timing
-Periodic assessment project (one-time assessment)
– no SLA for notifications
– Continuous 24/7 activity (ongoing service)
– Strict SLA for notifications

Analysis focus
– Past and current attacks
– Forensic state analysis
– Current attacks
– Behavioral monitoring

Sources of data for analysis
– EDR/NTA
– SIEM
– Digital footprint intelligence (darknet)
EDR/NTA

Conclusion

As cyberthreats become increasingly sophisticated, the traditional reactive approach to cybersecurity is no longer sufficient. A compromise assessment service offers a proactive solution, ensuring that organizations aren’t just waiting for the next breach but actively seeking out and neutralizing latent threats. By conducting such assessments, you can eliminate the residual risk of being breached without notice.

A compromise assessment service plays a critical role in proactively identifying potential compromises and security weaknesses within an organization’s network. While it may share some similarities with incident response, penetration testing, and managed detection and response services, it’s a project-flow activity whose primary focus is on proactive identification of unnoticed attacks that bypassed an organization’s security systems and processes.

Understanding the differences among these cybersecurity practices is crucial for organizations seeking to build a robust defense strategy. Each service has its place in an organization’s cybersecurity posture, and they can complement one another to create a comprehensive and effective corporate security framework. You can learn more or contact our Kaspersky Compromise Assessment experts at the service’s web page.

Kaspersky official blog – ​Read More