CISA Flags Critical Vulnerability (CVE-2024-47575) in Fortinet’s FortiManager

October 24, 2024/in Company Blogs

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has added Fortinet’s FortiManager to its known Exploited Vulnerabilities (KEV) catalog, indicating a pressing need for organizations to address the associated risks.

The critical vulnerability identified as CVE-2024-47575 has been assigned a CVSS score of 9.8. This vulnerability affects various versions of FortiManager, including FortiManager 7.6.0, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, and 6.2.0 through 6.2.12, as well as multiple iterations of FortiManager Cloud.

The vulnerability stems from a missing authentication issue within the critical functions of the FortiManager fgfmd daemon, allowing remote, unauthenticated attackers to execute arbitrary commands or code via specially crafted requests. This flaw poses a significant risk to organizations that rely on this technology.

Recovery Methods

Organizations impacted by CVE-2024-47575 are encouraged to undertake specific recovery actions to address the vulnerability effectively. One recommended recovery method is database rebuilding or resynchronization, which helps ensure that the FortiManager configuration remains uncompromised. This can involve installing a fresh FortiManager virtual machine (VM) or reinitializing a hardware model and re-adding devices. Additionally, restoring a backup taken before any indicators of compromise (IoC) detection is advised.

An alternative recovery action is the Quick Recovery Option, which allows for swift recovery without extensive database changes. However, this method requires manual verification of the current configuration. In this case, organizations should install a new FortiManager VM or reinitialize a hardware model and restore components from a compromised FortiManager. They can also restore from a backup taken from the compromised system.

To further mitigate the risks associated with this vulnerability, organizations should consider upgrading to fixed versions of FortiManager or implementing certain workarounds. For FortiManager versions 7.0.12 and above, 7.2.5 and above, and 7.4.3 and above (excluding 7.6.0), it is recommended to enable a configuration that denies unknown devices from registering.

This setting is important as it may prevent FortiGates with serial numbers not listed on the device roster from successfully registering. Additionally, for FortiManager versions 7.2.0 and above, organizations should implement local-in policies to whitelist FortiGate IP addresses that are permitted to connect.

This involves configuring policies to accept connections on port 541 for the specified source addresses. Finally, organizations should ensure that custom certificates are implemented for versions 7.2.2 and above, 7.4.0 and above, and 7.6.0 and above, thereby guaranteeing that only authorized certificates are utilized within their systems.

Recommendations and Mitigations

To effectively combat vulnerabilities like CVE-2024-47575, organizations should:

Regularly update systems with patches from official vendors and prioritize critical updates.

Establish an effective patch management strategy to ensure timely application of updates.

Use network segmentation to protect critical assets and limit exposure to threats.

Create and maintain a comprehensive incident response plan to address security incidents effectively.

Utilize monitoring solutions to detect and analyze suspicious activities within the network.

Conclusion

The inclusion of vulnerabilities in CISA’s KEV catalog signals that threat actors are actively exploiting these flaws in real-world scenarios. This development highlights the urgency for organizations to respond promptly to mitigate risks associated with CVE-2024-47575 and similar vulnerabilities. Failure to address these vulnerabilities can lead to severe consequences, including data breaches and system compromises.

The post CISA Flags Critical Vulnerability (CVE-2024-47575) in Fortinet’s FortiManager appeared first on Cyble.

Blog – Cyble – Read More

Weekly Industrial Control System (ICS) Vulnerability Intelligence Report: New Flaws Affecting Siemens, Schneider Electric, and More

October 24, 2024/in Company Blogs

Overview

Cyble Research & Intelligence Labs (CRIL) has shared new details about weekly industrial control systems (ICS) vulnerabilities. These vulnerabilities were issued by the Cybersecurity and Infrastructure Security Agency (CISA) from October 15 to October 21, 2024. The report outlines critical security concerns affecting various vendors and highlights the urgency for organizations to address these vulnerabilities promptly.

During the reporting period, CISA released seven security advisories targeting ICS, which collectively identified 13 distinct vulnerabilities across several companies, including Siemens, Schneider Electric, Elvaco, Mitsubishi Electric, HMS Networks, Kieback&Peter, and LCDS – Leão Consultoria e Desenvolvimento de Sistemas Ltda ME. Notably, Elvaco disclosed four vulnerabilities, while Kieback&Peter reported three.

Among the highlighted vulnerabilities, particular attention is drawn to those affecting the Elvaco CMe3100 and Kieback&Peter DDC4000 Series. The Elvaco CMe3100 is a compact and intelligent communication gateway designed to remotely read energy meters. Cyble’s ODIN scanner has identified 1,186 instances of the CMe3100 exposed to the internet, with a large concentration of these devices in Sweden.

The Kieback&Peter DDC4000 Series comprises digital controllers utilized primarily in building automation systems for HVAC (heating, ventilation, and air conditioning) management. The scanner detected eight instances of these controllers that require urgent attention.

Vulnerability Overview

The vulnerabilities reported by Cyble Research & Intelligence Labs (CRIL) provide critical insights for organizations aiming to prioritize their patching efforts.

CVE-2024-3506: Among the key vulnerabilities identified, CVE-2024-3506 affects Siemens’ Siveillance Video Camera, with all versions prior to V13.2 vulnerable to a medium-severity classic buffer overflow, impacting physical access control systems and CCTV.

CVE-2023-8531: Schneider Electric’s Data Center Expert, specifically versions 8.1.1.3 and prior, is susceptible to CVE-2023-8531, which involves high-severity improper verification of cryptographic signatures, affecting control systems such as DCS, SCADA, and BMS.

CVE-2024-49396 and CVE-2024-49398: Elvaco’s CMe3100, version 1.12.1, is highlighted with multiple vulnerabilities, including CVE-2024-49396 for insufficiently protected credentials and CVE-2024-49398 for an unrestricted upload of files with dangerous types; both vulnerabilities are classified as high and critical respectively, posing risks to gateway and remote access systems.

CVE-2024-41717: Kieback&Peter’s DDC4002 and related versions are affected by CVE-2024-41717, which presents a critical path traversal vulnerability impacting field controllers and IoT devices.

CISA’s recent advisories reveal a predominance of such high-severity vulnerabilities within the ICS sector, highlighting the need for organizations to remain vigilant and implement effective mitigation strategies in response to these emerging threats.

Recommendations for Mitigation

Cyble emphasizes several key recommendations to enhance organizational cybersecurity:

Organizations should closely track security advisories and alerts issued by vendors and relevant authorities to stay informed about potential vulnerabilities.

Implement a risk-based vulnerability management strategy to minimize the likelihood of exploitation, while adopting a Zero-Trust security framework.

Threat intelligence analysts should play a crucial role in the patch management process by continuously monitoring critical vulnerabilities identified in the CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Develop better patch management strategy that encompasses inventory management, assessment, testing, deployment, and verification of patches. Automation of these processes can enhance efficiency and consistency.

Effective network segmentation is essential to limit attackers’ ability to move laterally within critical environments.

Regular audits, vulnerability assessments, and penetration testing exercises are critical for identifying and addressing security gaps.

Establishing ongoing monitoring and logging capabilities allows for early detection of network anomalies and potential threats.

Leveraging Software Bill of Materials (SBOM) can improve visibility into the components and libraries in use, along with their associated vulnerabilities.

Conclusion

The ISC vulnerability report highlights the pressing need for organizations to address the high-severity vulnerabilities identified by the Cybersecurity and Infrastructure Security Agency.

With significant risks affecting major vendors like Siemens and Schneider Electric, it is crucial for businesses to adopt proactive measures, including patch management strategies and effective network segmentation.

By staying vigilant and responsive to these vulnerabilities, organizations can better protect their critical infrastructure and enhance their overall cybersecurity posture.

The post Weekly Industrial Control System (ICS) Vulnerability Intelligence Report: New Flaws Affecting Siemens, Schneider Electric, and More appeared first on Cyble.

Blog – Cyble – Read More

Security and privacy settings in adidas Running | Kaspersky official blog

October 24, 2024/in Company Blogs

As we’ve discussed before, one does not simply install a fitness tracking app and start using it straight away without first configuring the privacy settings both on the phone and in the app itself. With default settings, these apps often share full details of your workouts with the entire internet, including your precise location. And criminals and fraudsters can use this data for their nefarious purposes.

If you care even in the slightest about your privacy, check out our previously published guides for general smartphone settings and other popular fitness apps: Strava, Nike Run Club, and MapMyRun. Today’s post is for all fans of the famous three stripes: we’ll be setting up privacy in the adidas Running app (available for Android and iOS).

Formerly known as Runtastic, this fitness app now belongs to Europe’s largest sportswear manufacturer and is simply called adidas Running. While adidas Running doesn’t offer as granular privacy controls as, say, Strava, it’s still crucial to make sure everything is configured correctly.

To access the privacy settings in adidas Running, tap Profile in the bottom right corner, then the cog icon in the top right, then select Privacy.

Where to find the privacy settings in adidas Running (Runtastic): Profile → Settings → Privacy

The first thing you’ll want to check is the Maps section (who can see your maps) — make sure it’s set to either Followers or, even better, Only me.

Next, do the same for Activity (who can see your activity) — again, select either Followers or Only me. The remaining settings are slightly less critical, but it’s still a good idea to ensure they’re also set to at least Followers or, ideally, Only me.

Recommended privacy settings in adidas Running (Runtastic)

I also recommend toggling off the switches at the bottom of the page next to Follower suggestions and Join running leaderboard. The app won’t be bothering you as much.

Finally, consider disabling excessive notifications from adidas Running. Go back to Settings, select Notifications, and go through the (rather extensive) list of options.

If you decide to stop using adidas Running altogether, remember to delete your profile data. To do this, go to Settings → Account, tap the big red Delete account button, and follow the prompts.

If you use other fitness apps to track your workouts, you can set their privacy settings using our guides:

Strava
Nike Run Club
MapMyRun
(ASICS Runkeeper – still to come)

You can also learn how to configure privacy in other apps — from social networks to browsers — on our website Privacy Checker.

And Kaspersky Premium will maximize your privacy protection and shield you from digital identity theft on all your devices.

Don’t forget to subscribe to our blog to stay ahead of scammers with more guides and helpful articles.

Kaspersky official blog – Read More

Notifications in Threat Intelligence Lookup

October 24, 2024/in Company Blogs

We are thrilled to announce a significant enhancement to Threat Intelligence Lookup — Notifications. The new functionality allows users to subscribe to real-time notifications for new results related to their specified queries.

Tracking emerging and evolving cyber threats has never been easier.

What Are Lookup Notifications?

Lookup Notifications enable users to receive timely updates on relevant Indicators of Compromise (IOCs), Indicators of Attack (IOAs), and Indicators of Behavior (IOBs) that matter to their organizations.

Use TI notifications to stay updated on your query results

Previously, users needed to perform regular searches to receive new results, risking the chance of missing important updates.

With Lookup Notifications, users can now subscribe to specific queries. When new results appear, a notification will be displayed in the dashboard — new results will be highlighted in green, making it easy to identify fresh information at a glance.

New results for the queries are highlighted in green

If the number of new results exceeds 1,000, the subscription will pause, alerting you to review the accumulated results before proceeding. This ensures that you stay informed without being overwhelmed by excessive data.

Key Benefits of Lookup Notifications

Real-Time Updates

Regularly receive fresh threat data of your interest. The service monitors results and stores updates automatically, ensuring you never miss critical information.

Global Insights

Quickly track changes in IOCs, IOAs, and IOBs extracted from public samples analyzed in ANY.RUN’s Interactive Sandbox by over 500,000 security professionals. Our data is sourced from a diverse community, ranging from freelancers to large corporations, providing comprehensive coverage of potential threats.

Enhanced Monitoring

Monitor the frequency of IOCs, IOAs, and IOBs that are of interest to you. If you identify something suspicious in your SIEM, you can verify it against TI Lookup’s database.

Proactive Defense

Strengthen your organization’s security by enhancing your detection rules, enriching your data with relevant indicators, and staying informed about changing threats. This proactive approach enables better threat management and response strategies.

Learn to Track Emerging Cyber Threats

Check out expert guide to collecting intelligence on emerging threats with TI Lookup

Read full guide

How to Use Lookup Notifications

Lookup Notifications are available for all paid users. Subscribing to notifications is straightforward: you can easily add or remove specific queries from your notifications by clicking the bell to the right of the search box.

Save the query by pressing the bell button

You can also unsubscribe from the query, pin, delete or mark it as viewed by clicking three dots near subscription in your TI dashboard.

Press the three dots, and you will see all available options for the query

Each update subscription uses only a single request from your total quota. All additional updates collected under this subscription do not consume extra search requests, allowing for efficient use of your resources.

Wrapping Up

With the introduction of Lookup Notifications, ANY.RUN‘s TI Lookup becomes a powerful tool not just for operational investigations but also for strategic planning. By enabling real-time alerts and streamlined monitoring, we are committed to helping your organization strengthen resilience against evolving risks.

About ANY.RUN

ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

With ANY.RUN you can:

Detect malware in seconds

Interact with samples in real time

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior

Collaborate with your team

Scale as you need

Request free trial →

The post Notifications in Threat Intelligence Lookup appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Talos IR trends Q3 2024: Identity-based operations loom large

October 24, 2024/in Company Blogs

Threat actors are increasingly conducting identity-based attacks across a range of operations that are proving highly effective, with credential theft being the main goal in a quarter of incident response engagements.

These attacks were primarily facilitated by living-off-the-land binaries (LoLBins), open-source applications, command line utilities, and common infostealers, highlighting the relative ease at which these operations can be carried out. In addition to outright credential harvesting, we also saw password spraying and brute force attacks, adversary-in-the-middle (AitM) operations, and insider threats, underscoring the variety of ways in which actors are compromising users’ identities.

Identity-based attacks are concerning because they often involve actors launching internal attacks from a compromised, valid account–making such activity difficult to detect. Moreover, once account compromise is achieved, an actor can carry out any number of malicious activities, including account creation, escalating privileges to gain access to more sensitive information, and launching social engineering attacks, like business email compromise (BEC), against other users on the network.

Threats against identity

This quarter, Cisco Talos Incident Response (Talos IR) has responded to a growing number of engagements in which adversaries have leveraged password-spraying campaigns to obtain valid usernames and passwords to facilitate initial access. This quarter, 25 percent of incidents involved password spraying and/or brute force attempts to steal valid credentials. This method involves an adversary using a password, or a small list of commonly used passwords, against many different accounts on a network, a strategy that helps avoid account lockouts that would typically occur when brute-forcing a single account with many passwords. Although adversaries have been using password-spraying attacks for credential access for years, the activity illustrates that organizations should continue to stress the importance of multi-factor authentication (MFA) and strong password policies to limit unauthorized attempts. 

Talos IR observed AitM phishing attacks play out in a number of ways this quarter, where adversaries attempted to trick users into entering their credentials into fake login pages. In one engagement, Talos IR investigated a phishing case where, after clicking a malicious link in a phishing email, the victim was redirected to a site prompting them to enter their credentials, and subsequently approved an MFA request. In another engagement, an initial phishing email redirected a user to a page that simulates a Microsoft O365 login and MFA portal, capturing the user’s credentials and subsequently logging in on their behalf. The first login by the adversary was seen 20 minutes after the initial phishing email, highlighting the speed, ease, and effectiveness of these operations.

Ransomware

Ransomware, pre-ransomware, and data theft extortion – in which cybercriminals steal and threaten to release victims’ files or other data without using any encryption mechanisms — accounted for nearly 40 percent of engagements this quarter. Talos IR observed RansomHub, RCRU64, and DragonForce ransomware variants for the first time this quarter, while also responding to previously seen ransomware variants, such as BlackByte, Cerber, and BlackSuit.

A third of these engagements involved exploitation of known vulnerabilities that are consistently leveraged by ransomware operators/affiliates to deploy ransomware, according to public reporting. For example, in one BlackByte ransomware engagement, we observed an admin account created and added to an “ESX Admin” group as part of exploitation of the ESXi hypervisor vulnerability, CVE-2024-37085. This vulnerability, which has reportedly been exploited by other ransomware operators, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation.

As part of a years-long trend in greater democratization of ransomware adversaries, we continue to see new variants and ransomware operations emerging. In an incident involving the RCRU64 ransomware –a malware family that has received limited public reporting – the adversary used stolen credentials on an accidentally exposed remote desktop protocol (RDP) account to gain initial access. The threat actor then performed a dump of all domain credentials using publicly available tools, such as fgdump and pwdump, to steal Windows hashes. The threat actor also deployed custom tools, including “saxcvz.exe” and “close.exe”, to kill processes and close SQL servers running on the host, respectively. Open-source tools such as Mimikatz, Advanced Port Scanner, and IObit Unlocker were also used to facilitate the compromise. Of note, Talos has not previously seen IObit Unlocker used in a ransomware incident, though the tool has been used in Play ransomware attacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Looking forward: While there are constantly new ransomware groups entering the threat landscape, some established operations still pose a risk and should not be ignored. We saw this most recently last quarter with RansomHub, where Talos IR not only observed RansomHub actors in two separate incidents, but also using two different extortion models: double-extortion and data theft extortion. For example, we observed RansomHub affiliates conduct data theft extortion, where affiliates steal and threaten to release data without deploying ransomware or using any encryption mechanisms, as well as leverage a double-extortion model by deploying ransomware and encrypting systems and exfiltrating data to extort victims, respectively. In late August, this activity coincided with a CISA advisory on the RansomHub ransomware group, which disseminated indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) identified as recently as August. While RansomHub was first discovered in February 2024, the recent Talos IR incidents and CISA advisory warrants that this continues to be a ransomware threat to monitor.

Targeting

Organizations in the education, manufacturing, and financial services verticals were most affected this quarter, where combined, these sectors accounted for more than 30 percent of compromises. This finding is in line with targeting trends from Q1 2024 (January – March), where the education and manufacturing companies were the most targeted.

Initial access

For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, accounting for 66 percent of engagements when initial access could be determined. This is a slight increase compared to the previous quarter (60 percent). Additionally, 20 percent of engagements featured adversaries exploiting or leveraging vulnerable and public-facing applications for initial access.

Looking forward: Talos IR identified a sophisticated actor targeting a critical infrastructure entity leveraging several known vulnerabilities in internet-facing web servers and two F5 BIG-IP network appliances, consistent with Talos’ reporting on state-sponsored and other sophisticated adversaries’ increased interest in targeting network devices. We assess that networking equipment will remain an attractive target due to the large attack surface it presents and potential access to victim networks it can offer, highlighting the dichotomy of high value and weak security in these devices that makes them a prime target for exploitation. This activity is another reminder of the importance of patching systems, especially network-facing devices.

Security weaknesses

We continue to see a significant number of compromises that could have been prevented with the presence of certain security fundamentals, like MFA and proper configuration of endpoint detection products. In nearly 40 percent of engagements, misconfigured MFA, lack of MFA, and MFA bypass accounted for the top observed security weaknesses this quarter. Additionally, in 100 percent of the engagements that involved threat actors sending phishing emails to victims, MFA was bypassed or not fully enabled, while over 20 percent of incidents where ransomware was deployed did not have MFA enabled on VPNs.

Other security weaknesses, which we commonly see every quarter, involved improper endpoint detection and response (EDR) or security solution misconfigurations. For example, lack of EDR on all systems and/or poorly configured EDR solutions accounted for nearly 30 percent of incidents this quarter. Additionally, nearly 20 percent of engagements this quarter had misconfigured or not fully enabled network security solutions.

In an incident involving SocGholish, a drive-by malware framework, Talos IR recommended configuring Cisco Umbrella properly to block unwanted content, which could have helped to prevent this attack. Blocking “uncategorized” websites in Cisco Umbrella’s “Web Content Categories” will help proactively mitigate suspicious or malicious activity.

Top-observed MITRE ATT&CK techniques

The table below represents the MITRE ATT&CK techniques observed in this quarter’s Talos IR engagement. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note, this is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include:

In terms of identity-based attacks, we consistently saw adversaries leveraging reconnaissance tactics to identify/gather credentials and then use those valid accounts to gain initial access. This also contributes to the growing trend this quarter in which adversaries are leveraging password spraying to obtain credentials. Nearly 20 percent of engagements this quarter featured proxy usage for command and control (C2). This activity included tools such as the Fast Reverse Proxy (FRPC) to establish a connection, or the Neo-reGoerg proxy tool to set up a SOCKS proxy. In a significant shift compared to previous quarters, we saw a decrease in adversary usage of remote access software, such as AnyDesk. Remote access software was used in less than 5 percent of engagements this quarter, compared to 35 percent last quarter (Q2 2024), where these tools provide the attacker an ability to control a target computer remotely.

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Text file contains details about host

Persistence (TA0003)

T1136 Create Account

Created a user to add to the local administrator’s group

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment

Discovery (TA0007)

T1046 Network Service Discovery

Use a network or port scanner utility

Credential Access (TA0006)

T1003 OS Credential Dumping

Deploy Mimikatz and publicly available password lookup utilities

Privilege Escalation (TA0004)

T1484 Domain Policy Modification

Modify GPOs to execute malicious files

Lateral Movement (TA0008)

T1021.002 Remote Services: SMB / Windows Admin Shares

Adversaries may abuse valid accounts using SMB to move laterally in a target environment.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries may disable or uninstall security tools to evade detection

Command and Control (TA0011)

T1105 Ingress Tool Transfer

Adversaries may transfer tools from an external system to a compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Hive ransomware and encrypt critical systems

Exfiltration (TA0010)

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Use WinSCP for potential exfiltration of system information

Collection (TA0009)

T1074 Data Staged

Adversary collected data in a central location prior to exfiltration

Software/Tool

S0357 Impacket

An open-source collection of modules written in Python for programmatically constructing and manipulating network protocols

Cisco Talos Blog – Read More

ID card selfie: pros and cons | Kaspersky official blog

October 23, 2024/in Company Blogs

“Please upload a selfie with your ID to verify your identity” — such requests are becoming increasingly common for various online services. Banks, car rental services, even potential employers or landlords may ask for such photos.

Whether you should share your confidential data in this way or not is a personal decision. We’ve laid out all the pros and cons, and prepared tips on how to protect yourself if you do need to take such a selfie.

Should you take a selfie with your documents?

Without an “ID selfie”, you may not be able to install certain banking apps, register for services like car sharing, or quickly apply for a loan. The choice here is very straightforward.

Want to use these services? Take a photo. Worried about the security of your data? Don’t take a photo. But then, for example, you won’t be able to make a bank transfer, rent a car quickly, or solve your financial issues with an instant loan. The stakes are obvious: either you gain access to these services, or your prioritize your own safety.

A common argument from those who choose to take ID selfies is that their data has already been leaked multiple times, so they’re not afraid of potential security risks. Well, if you’re dishing out the ID card selfies left and right, using the same password like “12345” across all accounts for years, it’s likely that your data has already been compromised.

To know for certain whether your data has been leaked or not, use our protection, and in the Data Leak Checker section, provide all the email addresses that you (or your loved ones) may have used to register for online services. Users of Kaspersky Premium can also check their phone numbers in the Identity Theft Check section. Then, our app will automatically search for data leaks in the background, notify you if any are found, and advise what needs to be done in each case.

What could go wrong?

Unfortunately, with rare exceptions, we can almost never know how companies actually store and process our data. Normally, all that users get to hear about their personal data is that its security is taken very seriously and therefore it’s stored very carefully. You’ll agree that this kind of messaging doesn’t inspire much confidence — especially when it’s not backed up by anything except a privacy policy page on the website.

Often, services store your data for too long. For example, one popular European car-sharing company stores user data for as long as 10 years. In that time, you might change residence several times, quit driving, or simply forget about the car-sharing service — but your personal information will still be stored on the company’s servers. And since, according to the agreement, the company can transfer client data to third parties, then theoretically your ID-card selfie could end up in someone else’s hands without your knowledge. And this is not an example of a “bad” company, but a harsh reality: almost all organizations that request IDs during registration process your data under similar conditions. And that’s just the official side — we haven’t mentioned leaks…

Data transmission will be carried out according to the European security regulations, but this is not guaranteed

Data leaks from car-sharing companies are a classic issue: such companies have been subject to hacker attacks since their inception. Sometimes these leaks lead to absurd situations. In Russia, criminals registered fake accounts in car-sharing services using stolen passport photos, then booked expensive cars, violated traffic laws, and caused accidents. Where did they get the data? From leaks of customer data from other car-sharing companies!

And we shouldn’t forget the more obvious threat — unexpected loans. Of course, large banks are unlikely to issue a loan based solely on an ID selfie, but less accountable organizations that hand out microloans to practically anyone — sure thing. And if you suddenly find a dozen such loans in your name, it’s bad news. Not to mention the fact that another unreliable company now has your ID selfie.

These ID card selfies are a universal tool in the hands of criminals. In addition to the above scenarios, fraudsters can open a shell company in your name or register a SIM card using your identity to break the law in various ways. And the more services support remote online registration — the greater the risks of taking selfies with ID cards.

Criminals have long been selling sets of photos and videos of people holding white sheets of paper the size of standard documents on underground websites to forge photos and bypass standard KYC (Know Your Customer) procedures. And if they get hold of a real selfie with a passport — it’s a goldmine…

How to reduce the risks

Unfortunately, despite the significant risks, sometimes we may still have to take these photos. So the best we can do is approach the process with maximum care. How to protect yourself?

Study the company’s privacy policy. Before sending your document selfies, find out everything you can about the company. Check where and by whom your data will be processed, how long it will be stored, and whether the company can pass customer information to law enforcement, third parties, or even to other countries.
Investigate the company’s history of data leaks. Find out if there have been any customer data leaks. If there have, did they occur more than once? What kind of information was leaked? How did the company respond to the breach? You can find this out using search queries like Company_Name data leaks, or Company_Name data breaches.
Add watermarks to your selfie. If you decide it’s worth the risk, add watermarks to the selfie with the name of the service you’re sending it to. This can be done easily on your smartphone using the built-in photo editor to overlay semi-transparent text, or by using free apps – there are plenty of them in any app store. This way, even if the photo leaks, it will be much harder for criminals to use it to register with another service.
Send the photo through the official app or website of the service. Do not use messengers or email to send document selfies.
Delete the selfie immediately after sending if your device lacks reliable protection. Don’t forget to remove the selfie from your messages (if possible) and from the Recently Deleted folder on your smartphone or the recycle bin on your computer.
Regularly check your credit history. Check with your bank to find out how to be notified promptly of changes to your credit history.
Use maximum protection for all your devices alerting you to identity theft and data leaks.
Use Kaspersky Password Manager Identity Protection Wallet to store and share sensitive documents and photos encrypted across all your devices.
Compare the value of the service being provided against the value of your ID card selfie. And absolutely never give out your personal data for monetary rewards.

Kaspersky official blog – Read More

CISA Adds ScienceLogic SL1 Vulnerability to Known Exploited Vulnerabilities (KEV) Catalog

October 23, 2024/in Company Blogs

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) recently added a vulnerability related to ScienceLogic SL1, previously known as EM7, to its Known Exploited Vulnerabilities (KEV) catalog.

The specific vulnerability in question, designated as CVE-2024-9537, has been classified as critical. It relates to a third-party utility included with the ScienceLogic SL1 package. Notably, the name of this utility has not been disclosed to prevent providing insights to potential threat actors.

The newly identified vulnerability, designated CVE-2024-9537, has a critical CVSS score of 9.3. It involves a remote code execution issue linked to a third-party component within ScienceLogic SL1.

This specific vulnerability has attracted many users and cybersecurity professionals, particularly those who follow it on social media, where users have reported that the flaw, a zero-day remote code execution vulnerability, was exploited.

Importance of Addressing the Vulnerability

ScienceLogic SL1 is a vital IT operations management platform that supports critical functions such as monitoring, automation, and optimization of hybrid cloud environments. However, the recent vulnerability related to a bundled third-party component highlights significant security concerns. Organizations should prioritize evaluating and securing these components to protect against vulnerabilities that could compromise their overall security framework.

“CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria”, says the Cybersecurity and Infrastructure Security Agency (CISA).

Recommendations for Organizations

To mitigate the risks associated with this critical vulnerability, organizations are urged to take the following steps:

Ensure that all software and hardware systems are updated with the latest patches released by official vendors. Establish a routine schedule for applying critical patches immediately to protect against potential exploits.

Create a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Where feasible, automate these processes to enhance consistency and efficiency.

Implement proper network segmentation to isolate critical assets from less secure areas. Utilizing firewalls, VLANs, and access controls can significantly reduce the attack surface exposed to potential threats.

Develop and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates of this plan are essential to ensure its effectiveness.

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Using Security Information and Event Management (SIEM) systems can facilitate real-time threat detection and response.

Proactively identify and evaluate the criticality of End-of-Life (EOL) products within the organization. Timely upgrades or replacements are crucial to minimizing security risks.

Conclusion

The recent identification of the CVE-2024-9537 vulnerability in ScienceLogic SL1 highlights rising cybersecurity challenges. With a critical CVSS score of 9.3, this remote code execution flaw emphasizes the risks associated with third-party components in IT operations management platforms.

To mitigate these risks, organizations must prioritize timely software updates, establish robust patch management processes, and enhance network segmentation. Implementing comprehensive incident response plans and utilizing monitoring tools like SIEM systems will further strengthen security measures.

The post CISA Adds ScienceLogic SL1 Vulnerability to Known Exploited Vulnerabilities (KEV) Catalog appeared first on Cyble.

Blog – Cyble – Read More

CISA Warns About New Microsoft SharePoint Vulnerability CVE-2024-38094: High Risks and Immediate Patching Needed

October 23, 2024/in Company Blogs

Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding newly discovered vulnerabilities in Microsoft SharePoint, specifically addressing a deserialization vulnerability now included in CISA’s Known Exploited Vulnerability (KEV) catalog.

The vulnerability in question, identified as CVE-2024-38094, has a CVSSv3.1 score of 7.2, which indicates a high-severity risk. It affects several SharePoint products, including Microsoft SharePoint Server Subscription Edition, Microsoft SharePoint Server 2019, and Microsoft SharePoint Enterprise Server 2016.

An authenticated attacker with Site Owner permissions could exploit this vulnerability to inject and execute arbitrary code within the SharePoint environment. The risk of such exploitation is exacerbated by the availability of proof-of-concept (PoC) code in the public domain, heightening the urgency for organizations to act swiftly.

Vulnerability Classification and Summary

CISA’s inclusion of vulnerabilities in the Known Exploited Vulnerabilities (KEV) catalog highlights that these issues are actively being exploited in real-world scenarios, indicating a threat to organizations.

Specifically, high-severity vulnerabilities like CVE-2024-38094 allow authenticated users with Site Owner permissions to inject arbitrary code into SharePoint Server, leading to potential consequences such as data breaches, ransomware attacks, and privilege escalation.

Organizations using affected SharePoint versions must prioritize timely patching and implement security measures to combat these threats. This advisory aligns with the established Common Vulnerabilities and Exposures (CVE) framework and the Common Vulnerability Scoring System (CVSS), which categorizes vulnerabilities into high (7.0-10.0), medium (4.0-6.9), and low (0.0-3.9) based on their severity. Importantly, a patch for CVE-2024-38094 is available, and its exploitation in the public domain underscores the urgency for organizations to act.

Recommendations for Organizations

CISA urges organizations to take the following steps to mitigate risks associated with CVE-2024-38094 and similar vulnerabilities:

Organizations should promptly apply the latest patches released by Microsoft. Regular updates of all software and hardware systems are crucial for minimizing vulnerabilities and defending against potential exploits.

Develop a comprehensive patch management strategy encompassing inventory management, patch assessment, testing, deployment, and verification. Where feasible, automate these processes to enhance consistency and efficiency.

Properly segment networks to protect critical assets from exposure to less secure areas. Employ firewalls, VLANs, and strict access controls to limit access and reduce the overall attack surface.

Create and maintain an effective incident response plan. This plan should detail the procedures for detecting, responding to, and recovering from security incidents. Regular testing and updates to the plan will help ensure its alignment with evolving threats.

Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Utilizing Security Information and Event Management (SIEM), systems can facilitate real-time threat detection and improve response capabilities.

Organizations should proactively assess the criticality of any End-of-Life (EOL) products in their infrastructure, planning timely upgrades or replacements to mitigate security risks.

Conclusion

CISA’s advisory highlights the ongoing threats posed by vulnerabilities such as CVE-2024-38094 in Microsoft SharePoint. Organizations must not only recognize the seriousness of these vulnerabilities but also take decisive action to fortify their defenses.

By implementing timely patches and security measures, organizations can reduce their risk of exploitation and maintain the integrity of their systems. Prompt attention to these vulnerabilities is not just advisable; it is essential for protecting sensitive data and maintaining operational security.

The post CISA Warns About New Microsoft SharePoint Vulnerability CVE-2024-38094: High Risks and Immediate Patching Needed appeared first on Cyble.

Blog – Cyble – Read More

DarkComet RAT: Technical Analysis of Attack Chain

October 23, 2024/in Company Blogs

Editor’s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on X and LinkedIn.

In this malware analysis report, we take an in-depth look at how the Remote Access Trojan (RAT) DarkComet has been used by attackers to remotely control systems, steal sensitive data, and execute various malicious activities.

Overview

DarkComet is a Remote Access Trojan (RAT) initially developed by Jean-Pierre Lesueur in 2008. This malware runs silently in the background, collecting sensitive information about the system, users, and network activity.

It attempts to steal stored credentials, usernames, passwords, and other personal data, transmitting this information to a destination specified by the attacker.

Backdoor.DarkComet allows attackers to install further malicious software on the infected machine or enlist it in a botnet for sending spam or other malicious activities.

Symptoms of an infection may not be noticeable to the user, as it can disable antivirus programs and other Windows security features.

Distribution methods include:

Bundling with free software.

Disguising as harmless programs in emails.

Exploiting software vulnerabilities on websites.

DarkComet became widely used due to its user-friendly graphical interface, which contributed to its popularity.

Technical Details

Let’s run a sandbox analysis session using ANY.RUN to discover the technical details of this malware.

View analysis session

Changing file attributes

DarkComet uses a command-line operation to alter file attributes, making its components more difficult to detect.

The command line of DarkComet displayed in ANY.RUN’s sandbox

It uses attrib to display or change file attributes

+s (System Attribute): Marks the file as a system file, making it appear as a critical part of the operating system.

+h (Hidden Attribute): Hides the file from regular view in Windows Explorer, making it invisible to most users.

Dropped executable file inside the summary of IOCs

It drops an executable at C:UsersadminDocumentsMSDCSCmsdcsc.exe and executes it, making it harder to detect.

Contacting Malicious Domains

The malware establishes communication with a specified malicious domain, enabling remote control and data exfiltration.

Malicious domain displayed inside the sandbox

Modifying Process Privileges

The malware interacts with the Windows APIs LookupPrivilegeValueA and AdjustTokenPrivileges to modify the privileges associated with the current process’s access token (not the process itself).

This is done by obtaining a handle to the process’s access token, which allows the malware to modify its security context.

Modification of process privileges

If a2 is 0, the privilege is removed (Attributes = 0).

If a2 is 1, the privilege is enabled (Attributes = 2).

Gathering System Information

Retrieving Hardware Profile

Use of GetCurrentHwProfileA API

DarkComet uses the GetCurrentHwProfileA API to collect detailed information about the infected system’s hardware:

Hardware Profile ID (HWID): A Globally Unique Identifier (GUID) that identifies the current hardware profile, allowing the malware to uniquely recognize the system.

Dock State: Extracted through the dwDockInfo field, this information reveals whether the system is docked (e.g., connected to a docking station) or undocked. This helps the malware adapt its behavior based on the system’s hardware configuration.

Demonstration of GUID and Dock State

Retrieving Date, Time, and Location

The malware also gets the date and time of the victim device.

Retrieval of date and time

It also checks the computer’s location settings by querying the registry key associated with the current user’s Security Identifier (SID):

REGISTRYUSER{SID}Control PanelInternationalGeoNation

Data Processing and Manipulation

DarkComet uses a function called sub_4735E8 multiple times with different strings as parameters.

Use of sub_4735E8 function

This function carries out resource management and processes various pieces of data, including:

C2 Domain Information: The Command and Control server the malware communicates with.

SID (Security Identifier): Identifies the user profile associated with the malware’s activity.

Mutex Values: Used to ensure that only one instance of the malware runs on the infected system at a time.

This function helps obfuscate key information, preventing it from appearing directly in the strings section of the malware.

Data processing and data manipulation with v28

With this function, the malware loops through DARKCOMET DATA to retrieve specific attributes based on the provided parameter strings.

DARKCOMET DATA

Here is the loop that the malware uses to iterate through DARKCOMET DATA:

Demonstration of the loop used by DarkComet

Within sub_4735E8, DarkComet iterates through its internal data set, known as DARKCOMET DATA, to match specific parameters and extract corresponding attributes. This process involves looping through data entries to retrieve the needed values based on the provided strings.

Extracted DARKCOMET DATA:

#BEGIN DARKCOMET DATA —

MUTEX={DC_MUTEX-D1SPNDG}

SID={Sazan}

FWB={0}

NETDATA={8.tcp.eu.ngrok.io:27791}

GENCODE={fKTZRKdv0Nij}

INSTALL={1}

COMBOPATH={7}

EDTPATH={MSDCSC\msdcsc.exe}

KEYNAME={MicroUpdate}

EDTDATE={16/04/2007}

PERSINST={0}

MELT={0}

CHANGEDATE={0}

DIRATTRIB={6}

FILEATTRIB={6}

FAKEMSG={1}

EF={1}

MSGCORE={{42696C67697361796172FD6EFD7A20332073616E6979652069E7696E64652079656E6964656E206261FE6C6174FD6C6163616B74FD722E2E2E}

MSGICON={48}

SH1={1}

CHIDEF={1}

CHIDED={1}

PERS={1}

OFFLINEK={1}

#EOF DARKCOMET DATA —

From this data, the malware extracts and processes key attributes, including:

C2 domain: Specifies where the malware sends stolen data.

EDTDATE: The date associated with the malware’s installation (e.g., 16/04/2007), indicating that it does not alter the date of the dropped executable.

The processed C2 domain & EDTDATE

Mutex: Ensures that only one copy of DarkComet runs on the system.

The processed Mutex

Campaign name: Used for identifying specific attacks or operations.

Processed campaign name

It also processes the attributes of the malware that define how it behaves and interacts with the system:

EDTPath: Path of the executable (MSDCSCmsdcsc.exe)

The path of the new executable

Registry Key (KEYNAME): MicroUpdate, used to maintain persistence in the system’s registry.

reg_key (KEYNAME): MicroUpdate

From the DARKCOMET DATA, we can also notice that the malware does not change the original creation date of the dropped executable. The CHANGEDATE attribute is set to 0, indicating that the date remains unchanged, which can help the malware blend in with other files and avoid raising suspicion during forensic analysis.

Learn to analyze cyber threats

See a detailed guide to using ANY.RUN’s Interactive Sandbox for malware and phishing analysis

Read full guide

Dropped Executable File

DarkComet drops a file named msdcsc.exe in the C:UsersadminDocumentsMSDCSC directory and executes it from there.

The dropped executable file

This dropped file is identical to the original malware executable.

Comparison of the original and executable files

This means it can start itself from another location. By doing so, the malware can better evade detection, as running from a new path makes it more challenging for security tools to track its activity.

Persistence Mechanisms

To maintain persistence on the infected system, DarkComet:

Adds Run key: It creates a registry entry at SOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate with the path of the executable.

Modifies the WinLogon registry key: It alters REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit for persistance.

Registry entry creation

DLL Loading and Function Resolution

DarkComet retrieves handles to the modules (DLLs) such as kernel32.dll and user32.dll for further manipulation and execution of its malicious functions.

Module handle retrieval for DLL

RAT Functionalities

DarkComet has various capabilities that allow it to manipulate the infected system and gather information. These include functions for simulating user input, capturing data, and interacting with the system’s display and clipboard.

Simulating Mouse and Keyboard Actions

DarkComet uses the mouse_event function to simulate mouse motion and button clicks.

implementation of mouse_event

This helps the attacker to interact with the system as if a user is controlling the mouse.

DarkComet synthesizing the mouse motion and button clicks

This malware also uses Keyboard Event Simulation, particularly, the keybd_event function to allow the malware to manipulate the user’s environment, input data, or perform actions without the user’s knowledge.

Implementation of the keybd_event function

Capturing Keyboard Inputs

The malware calls GetKeyboardType(0) to determine the type of the primary keyboard. If it returns 7, it indicates that the keyboard is a “language” keyboard, which is often a Unicode keyboard.

DarkComet retrieving information about the current keyboard

The next function captures keystrokes from the user, allowing the malware to record input without detection.

Keyboard input capture

The function used by DarkComet processes each character input (ch), which could represent a keyboard key or a specific command. It applies a series of conditional checks and actions based on the character’s value.

This malware utilizes the VkKeyScanA(ch) function to convert the character into a virtual key code. This conversion allows the malware to accurately interpret and simulate keyboard actions, making it easier to log keystrokes or execute commands.

Conversion of characters into keystrokes

System and Display Information

The malware uses EnumDisplayDevicesA function to retrieve information about display devices connected to the system.

Retrieving Display information connected to the system

DarkComet attempts to access data from the clipboard, focusing on format 0xE, which is used for enhanced metafiles (EMF) – a vector graphics format. By doing so, the RAT can exfiltrate or manipulate clipboard data, such as copied images or text.

Retrieving data from the clipboard

C2 Commands and Remote Control

DarkComet receives instructions from its Command and Control (C2) server, allowing it to perform various remote tasks. These commands enable the attacker to control the malware’s behavior and may include actions like:

Data exfiltration: Extracting files or information from the infected system.

System manipulation: Modifying system settings or terminating processes.

Additional payload delivery: Deploying additional malicious software into the infected system.

See Appendix I for the extracted commands that the C2 server sends to the malware.

These commands help control the malware’s behavior remotely and may provide insight into the attacker’s objectives and tactics.

Conclusion

DarkComet is a highly capable Remote Access Trojan (RAT) that continues to be a threat due to its stealthy behavior and extensive feature set. It allows attackers to manipulate infected systems remotely, steal sensitive information, and install additional malware.

This analysis has demonstrated DarkComet’s ability to evade detection by modifying file attributes, manipulating registry keys for persistence, and escalating privileges. It gathers system information, including hardware profiles and location settings, and communicates with a command-and-control (C2) server to execute a variety of commands, from capturing keystrokes to controlling display devices.

The malware’s functionality, including its ability to modify system settings, simulate user input, and manage services, makes it a versatile tool for attackers. Its ease of use, coupled with a rich set of RAT functionalities, has contributed to its widespread deployment, especially in targeted cyberattacks.

About ANY.RUN

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

With ANY.RUN you can:

Detect malware in seconds.

Interact with samples in real time.

Save time and money on sandbox setup and maintenance

Record and study all aspects of malware behavior.

Collaborate with your team

Scale as you need.

Request free trial →

Appendix I

IOCs

Hashes

md5: 1b540a732f2d75c895e034c56813676a

sha1: 0dd8c542fd46dd5b55eefcf35382ee8903533703

sha256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1

C2

8[.]tcp[.]eu[.]ngrok[.]io[:]27791

Registry keys

REGISTRYMACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonUserInit = “C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”

REGISTRYUSERUSER SIDSOFTWAREMicrosoftWindowsCurrentVersionRunMicroUpdate = “C:\Users\Admin\Documents\MSDCSC\msdcsc.exe”

Dropped executable file

C:UsersadminDocumentsMSDCSCmsdcsc.exe

TTPs

TACTIC

TECHNIQUE

MITRE ATT&CK ID

Persistence

Boot or Logon Autostart Execution

T1547

Adds Run key to start application

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Adds Run key to start application

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Command and Control

Web Service

T1102

Commands

GetSIN

RefreshSIN

RunPrompt

GetDrives

GetSrchDrives

GetFileAttrib

KillProcess

GetAppList

GetServList

StartServices

StopServices

RemoveServices

InstallService

GetStartUpList

ActiveOnlineKeylogger

ActiveOfflineKeylogger

GetOfflineLogs

Shutdown

RestartComp

LogOffComp

PowerOff

GetFullInfo

GetSystemInfo

OpenWebPage

PrintText

GetTorrent

GetPrivilege

TraceRoute

#BOT#VisitUrl

#BOT#OpenUrl

#BOT#Ping

#BOT#RunPrompt

#BOT#CloseServer

#BOT#SvrUninstall

#BOT#URLUpdate

DOWNLOADFILE

UPLOADFILE

ACTIVEREMOTESHELL

DESKTOPCAPTURE

WEBCAMLIVE

WIFI

CHAT

FTPFILEUPLOAD

The post DarkComet RAT: <br>Technical Analysis of Attack Chain appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – Read More

Threat Spotlight: WarmCookie/BadSpace

October 23, 2024/in Company Blogs

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866. We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.

What is WarmCookie?

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023.

Typical infection chains

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below.

United Rentals Inc: Invoice# [0-9]{9}-[0-9]{3} Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format.

Attachment_[0-9]{3}-[0-9]{3}.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment.

WarmCookie emails and attachments.

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process.

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers.

/wp-content/upgrade/update[.]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below.

PowerShell execution.

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.

WarmCookie

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.

In previous WarmCookie samples the execution was consistent with the following:

rundll32.exe <DLL_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows:

rundll32.exe <DLL_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications.

Old User Agent:

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent:

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time.

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed.

WarmCookie sandbox detection.

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows:

Command 0x8: Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie. Command 0xA: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:
C:WindowsSystem32rundll32.exe <tmpfilename.dll> Start /updateCommand 0xB: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process.

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below.

WarmCookie update parameter.

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed.

Links to past intrusion activity

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.

Previous CSharp-Streamer-RAT C2 SSL certificate.

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity.

Recent CSharp-Streamer-RAT C2 SSL certificate.

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

WarmCookie vs. Resident backdoor

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.

We assess that both were likely developed by the same entity based on the following analysis findings:

The RC4 implementation is consistent across both malware families. The RC4 string decryption function implementation is consistent across both malware families. Mutex management is performed consistently across both malware families. Both malware families use GUID-like strings for the mutex. The way in which various functions were constructed and the coding conventions used is consistent. The definition of scheduled tasks to achieve persistence is consistent. Both malware families wait one minute before executing the scheduled task. The directory, file schema and parameters are similar in both malware families. The initial startup logic and command line parameter implementation are similar.

Code similarity analysis

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families.

Task Scheduler implementation

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll” or “.exe”. Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory.

WarmCookie startup parameters.WarmCookie persistence mechanism.Resident backdoor startup parameters.Resident backdoor persistence mechanism.Resident backdoor persistence mechanism (cont’d).

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.

WarmCooke startup logic.Resident backdoor startup logic.

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below:

WarmCookie filename list.

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor.

Coverage

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.

Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.

Js.Downloader.Agent-10022279-0 Vbs.Downloader.Agent-10022291-0 Win.Trojan.WasabiSeed-10022304-0 Js.Trojan.Screenshotter-10022306-0 Js.Trojan.Agent-10022307-0 Win.Trojan.Lazy-10022308-0 Win.Trojan.Screenshotter-10022309-0 PUA.Win.Tool.NetPing-10022493-0 Win.Malware.CobaltStrike-10022494-0 PUA.Win.Tool.AutoHotKey-10022305-1 PUA.Win.Tool.RemoteUtilities-9869515-0 PUA.Win.Tool.AdFind-9962378-0 Txt.Downloader.AHKBot-10024463-0 Ps1.Malware.CobaltStrike-10024466-0 Win.Infostealer.Rhadamanthys-10024467-0 Txt.Infostealer.Rhadamanthys-10024468-0 Win.Backdoor.Agent-10025011-0 Vbs.Trojan.Screenshotter-10025015-0 Win.Malware.Warmcookie-10036688-0 Win.Malware.CSsharpStreamer-10036641-0

Indicators of Compromise

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Cisco Talos Blog – Read More