Who’s Behind the 8Base Ransomware Website?

The victim shaming website operated by the cybercriminals behind 8Base — currently one of the more active ransomware groups — was until earlier today leaking quite a bit of information that the crime group probably did not intend to be made public. The leaked data suggests that at least some of the website’s code was written by a 36-year-old programmer residing in the capital city of Moldova.

The 8Base ransomware group’s victim shaming website on the darknet.

8Base maintains a darknet website that is only reachable via Tor, a freely available global anonymity network. The site lists hundreds of victim organizations and companies — all allegedly hacking victims that refused to pay a ransom to keep their stolen data from being published.

The 8Base darknet site also has a built-in chat feature, presumably so that 8Base victims can communicate and negotiate with their extortionists. This chat feature, which runs on the Laravel web application framework, works fine as long as you are *sending* information to the site (i.e., by making a “POST” request).

However, if one were to try to fetch data from the same chat service (i.e., by making a “GET” request), the website until quite recently generated an extremely verbose error message:

The verbose error message when one tries to pull data from 8Base’s darknet site. Notice the link at the bottom of this image, which is generated when one hovers over the “View commit” message under the “Git” heading.

That error page revealed the true Internet address of the Tor hidden service that houses the 8Base website: 95.216.51[.]74, which according to DomainTools.com is a server in Finland that is tied to the Germany-based hosting giant Hetzner.

But that’s not the interesting part: Scrolling down the lengthy error message, we can see a link to a private Gitlab server called Jcube-group: gitlab[.]com/jcube-group/clients/apex/8base-v2. Digging further into this Gitlab account, we can find some curious data points available in the JCube Group’s public code repository.

For example, this “status.php” page, which was committed to JCube Group’s Gitlab repository roughly one month ago, includes code that makes several mentions of the term “KYC” (e.g. KYC_UNVERIFIED, KYC_VERIFIED, and KYC_PENDING).

This is curious because a FAQ on the 8Base darknet site includes a section on “special offers for journalists and reporters,” which says the crime group is open to interviews but that journalists will need to prove their identity before any interview can take place. The 8base FAQ refers to this vetting process as “KYC,” which typically stands for “Know Your Customer.”

“We highly respect the work of journalists and consider information to be our priority,” the 8Base FAQ reads. “We have a special program for journalists which includes sharing information a few hours or even days before it is officially published on our news website and Telegram channel: you would need to go through a KYC procedure to apply. Journalists and reporters can contact us via our PR Telegram channel with any questions.”

The 8Base FAQ (left) and the KYC code in Kolev’s Gitlab account (right)

The 8Base darknet site also has a publicly accessible “admin” login page, which features an image of a commercial passenger plane parked at what appears to be an airport. Next to the airplane photo is a message that reads, “Welcome to 8Base. Admin Login to 8Base dashboard.”

The login page on the 8Base ransomware group’s darknet website.

Right-clicking on the 8Base admin page and selecting “View Source” produces the page’s HTML code. That code is virtually identical to a “login.blade.php” page that was authored and committed to JCube Group’s Gitlab repository roughly three weeks ago.

It appears the person responsible for the JCube Group’s code is a 36-year-old developer from Chisinau, Moldova named Andrei Kolev. Mr. Kolev’s LinkedIn page says he’s a full-stack developer at JCube Group, and that he’s currently looking for work. The homepage for Jcubegroup[.]com lists an address and phone number that Moldovan business records confirm is tied to Mr. Kolev.

The posts on the Twitter account for Mr. Kolev (@andrewkolev) are all written in Russian, and reference several now-defunct online businesses, including pluginspro[.]ru.

Reached for comment via LinkedIn, Mr. Kolev said he had no idea why the 8Base darknet site was pulling code from the “clients” directory of his private JCube Group Gitlab repository, or how the 8Base name was even included.

“I [don’t have] a clue, I don’t have that project in my repo,” Kolev explained. “They [aren’t] my clients. Actually we currently have just our own projects.”

Mr. Kolev shared a screenshot of his current projects, but very quickly after that deleted it. However, KrebsOnSecurity captured a copy of the image before it was removed:

A screenshot of Mr. Kolev’s current projects that he quickly deleted.

Within minutes of explaining why I was reaching out to Mr. Kolev and walking him through the process of finding this connection, the 8Base website was changed, and the error message that linked to the JCube Group private Gitlab repository no longer appeared. Instead, trying the same “GET” method described above caused the 8Base website to return a “405 Method Not Allowed” error page:

Mr. Kolev claimed he didn’t know anything about the now-removed error page on 8Base’s site that referenced his private Gitlab repo, and said he deleted the screenshot from our LinkedIn chat because it contained private information.

Ransomware groups are known to remotely hire developers for specific projects without disclosing exactly who they are or how the new hire’s code is intended to be used, and it is possible that one of Mr. Kolev’s clients is merely a front for 8Base. But despite 8Base’s statement that they are happy to correspond with journalists, KrebsOnSecurity is still waiting for a reply from the group via their Telegram channel.

The tip about the leaky 8Base website was provided by a reader who asked to remain anonymous. That reader, a legitimate security professional and researcher who goes by the handle @htmalgae on Twitter, said it is likely that whoever developed the 8Base website inadvertently left it in “development mode,” which is what caused the site to be so verbose with its error messages.

“If 8Base was running the app in production mode instead of development mode, this Tor de-anonymization would have never been possible,” @htmalgae said.
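The leak @htmalgae describes comes down to the application’s environment configuration: a Laravel app with debugging switched on renders unhandled exceptions as a page full of stack traces, request data and environment details. As an added example (not code from this article or from the site it describes), here is a small Python check that parses a Laravel-style .env file, using constructed sample files, and flags the settings that turn those verbose error pages on; the boolean handling mirrors how Laravel’s env() helper and the (bool) cast in config/app.php treat APP_DEBUG.

```python
"""Flag Laravel .env settings that cause verbose (debug) error pages.

Added example; assumes the standard Laravel keys APP_ENV and APP_DEBUG.
The two .env texts below are constructed for the demo, not captured files.
"""
import re

# Constructed: a leftover development configuration.
DEV_ENV = """\
APP_NAME=chat
APP_ENV=local
# left over from development:
APP_DEBUG=true
APP_URL=http://localhost
"""

# Constructed: the hardened equivalent for a production deployment.
PROD_ENV = """\
APP_NAME=chat
APP_ENV=production
APP_DEBUG="false"
APP_URL=http://example.invalid
"""

_LINE = re.compile(r'^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$')

# Values Laravel's env() maps to false/null/empty; (bool) of the result is false.
# Any other non-empty string, including "off" or "no", is cast to true.
_FALSEY = {'false', '(false)', '0', '', 'null', '(null)', 'empty', '(empty)'}


def parse_dotenv(text):
    """Parse dotenv text into a dict, dropping comments and surrounding quotes."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in '"\'':
            # Quoted value: keep it verbatim without the quotes.
            val = val[1:-1]
        else:
            # Unquoted value: strip a trailing inline comment.
            val = val.split(' #', 1)[0].strip()
        values[key] = val
    return values


def debug_is_enabled(value):
    """True if config('app.debug') would be true for this APP_DEBUG string."""
    return value.strip().lower() not in _FALSEY


def debug_findings(env):
    """Return human-readable findings for settings that expose debug pages."""
    findings = []
    debug_val = env.get('APP_DEBUG', 'false')  # Laravel defaults to false
    if debug_is_enabled(debug_val):
        findings.append(
            'APP_DEBUG=%r enables debug pages: unhandled exceptions will '
            'render stack traces, request details and environment data'
            % debug_val)
    app_env = env.get('APP_ENV', '')
    if app_env.lower() != 'production':
        findings.append('APP_ENV=%r is not production' % app_env)
    return findings


if __name__ == '__main__':
    for label, text in (('dev', DEV_ENV), ('prod', PROD_ENV)):
        print(label, debug_findings(parse_dotenv(text)) or ['ok'])
```

Note that `APP_DEBUG=off` still counts as enabled, because Laravel only recognises the strings listed in `_FALSEY` as false before casting.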

A recent blog post from VMware called the 8Base ransomware group “a heavy hitter” that has remained relatively unknown despite the massive spike in activity in Summer of 2023.

“8Base is a Ransomware group that has been active since March 2022 with a significant spike in activity in June of 2023,” VMware researchers wrote. “Describing themselves as ‘simple pen testers,’ their leak site provided victim details through Frequently Asked Questions and Rules sections as well as multiple ways to contact them.”

According to VMware, what’s particularly interesting about 8Base’s communication style is the use of verbiage that is strikingly familiar to another known cybercriminal group: RansomHouse.

“The group utilizes encryption paired with ‘name-and-shame’ techniques to compel their victims to pay their ransoms,” VMware researchers wrote. “8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries. Despite the high amount of compromises, the information regarding identities, methodology, and underlying motivation behind these incidents still remains a mystery.”

The Good, the Bad and the Ugly in Cybersecurity – Week 37

The Good | CISA Announces Open Source Software Security Roadmap

Open Source Software (OSS) underpins much of the products and services we all take for granted, including within the federal government and across the critical infrastructure sector. When a vulnerable piece of OSS is exploited by threat actors, supply chain attacks can have widespread and costly consequences, just ask Equifax or SolarWinds customers, or any admin that had to hunt down Log4j in their environments. Good to hear, then, that this week, CISA has announced its Open Source Software Security Roadmap.

The roadmap sets out how CISA will help support the secure use and development of OSS both within and outside the federal government. Identifying the cascading effects of OSS vulnerabilities and the malicious compromise of OSS components to create downstream compromises as the primary threats, CISA has laid out four key objectives in the roadmap published this week.

  • Establish CISA’s role in supporting OSS security
  • Drive visibility into OSS usage and risks
  • Reduce risks to Federal Government
  • Harden the OSS ecosystem

Hardening the open source software ecosystem in particular is a goal that can have far-reaching impacts for all. CISA says its goal is to foster security education for OSS developers as well as to coordinate vulnerability disclosure and response. This includes establishing processes to look for upstream issues in open source packages and quickly notify affected users of any identified vulnerabilities.

Over 5000 vulnerabilities have been identified in OSS in the last 5 years alone, and attempts to address the issue have lacked direction. CISA taking an active and prominent role in furthering OSS security, itself an outcome of the National Cybersecurity Strategy announced earlier this year, is a positive step that should be broadly welcomed.

The Bad | Caesars Gambles On Paying Attackers While MGM Battles On

An affiliate of ALPHV/BlackCat ransomware is claiming responsibility for an extortion attempt on MGM Casinos that has caused severe disruption to the company’s outlets, with reports of empty casinos and disconnected slot machines.

Researchers vx-underground broke the story on Monday, sharing on social media that the attackers were claiming they breached the company through social engineering MGM Casino help desk staff.

A further statement from the gang claimed that the disruption was caused by MGM Casinos’ attempt to find and root out the intruders rather than by the detonation of ransomware, but that claim remains unverified at the time of writing.

The gang said that they did launch ransomware attacks against 100 ESXi hypervisors after the company refused to negotiate with them, and that they are threatening to leak stolen data if the company remains unmoved.

Meanwhile, in a separate incident, casino operator Caesars Entertainment has said that intruders stole a database containing personally identifying information of its customers including driving license details and social security numbers. The admission came in a required SEC filing in which Caesars also stated that they had “taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result”.

It is rumored that these “steps” involved paying half of a $30 million ransom initially demanded, an expensive gamble – if true – that MGM rightly seems unwilling to copy.

The Ugly | Threat Actors Exploit Bug in Google’s WebP Library

Vendors Apple, Google, Microsoft, Mozilla and more have been scrambling to patch a critical severity bug in WebP this week that is known to be being actively exploited in the wild.

WebP is used in Chrome, Firefox, Edge, Brave and the Tor Browser. It is also found in many Electron apps like Signal, Telegram, and 1Password. Many Android applications and cross-platform software built with Flutter also use WebP.

The vulnerability is described as a heap buffer overflow which could allow an attacker to perform a memory write outside of its allocated buffer and gain arbitrary code execution.

GitHub commit in libwebp related to CVE-2023-4863

Tagged as CVE-2023-4863, the bug in the widely used image encoding and compression library was apparently first reported by Citizen Lab to Apple. Regular readers will recall that last week Citizen Lab also identified an Apple zero-click zero day being used to deliver Pegasus malware. It is not clear at this time whether the two reports are linked.

Initial reporting of the vulnerability suggested it was restricted to web browsers, but it quickly became apparent that any software using the libwebp library is affected. libwebp is open source software developed by Google and has been widely adopted in both applications and other third-party libraries.

Details about the bug and exploit are sparse at the time of writing. Google says it is deliberately restricting disclosure until the majority of affected software has been patched. Vendors mentioned in this report have all issued patches this week, but given how widespread the library is, there are likely many others still to come.

Ready, Set, Turla | Everything You Need to Know Before the MITRE ATT&CK® 2023 Evaluations

The cybersecurity industry is awaiting the highly anticipated MITRE ATT&CK® Evaluations for 2023, expected to be published next week. In this comprehensive post, we provide all the essential knowledge needed to derive maximum value from the forthcoming test results.

Our journey through MITRE’s evaluations begins with exploring why MITRE embarked on this testing journey. We’ll then delve into a brief history of MITRE’s evaluations, offering insights into the inception and evolution of this industry-recognized comparative assessment.

From there, we’ll explore Turla as a potent threat to understand why MITRE has chosen to make this group its focal point. Finally, we’ll navigate the intricate technical aspects of MITRE’s methodologies, explaining how and why these evaluations provide value to enterprises as they consider their current and future investment in security products.

The Genesis | Setting the Stage

To fully understand the significance of the MITRE ATT&CK® Evaluations, it is helpful to explore their origin. MITRE, a not-for-profit organization, has been at the forefront of fostering innovation and enhancing cybersecurity frameworks. The ATT&CK® evaluations directly result from MITRE’s structured and comprehensive approach to understanding cyber threats. This initiative has witnessed remarkable growth, offering valuable insights and fostering a collaborative spirit within cybersecurity.

A Chronicle of MITRE ATT&CK® Evaluations

Let’s embark on a chronological journey through the annals of MITRE ATT&CK® Evaluations, each contributing significantly to the cybersecurity landscape.

APT3 (2018): The Inaugural Evaluation

The inaugural MITRE evaluation in 2018 cast its spotlight on APT3, also known as Gothic Panda, a China-based threat group.

Attributed to China’s Ministry of State Security, APT3 was renowned for campaigns like Operation Clandestine Fox and Operation Double Tap. Notably, during this period, APT3 transitioned from targeting U.S. victims to focusing on political organizations in Hong Kong.

This evaluation uncovered critical insights into APT3’s modus operandi, revealing a strong reliance on credential harvesting and the use of trusted operating system programs. APT3 preferred to avoid elaborate scripting techniques or leveraging post-initial access exploits. SentinelOne’s performance in this evaluation underscored its effectiveness in detecting and mitigating complex threats.

APT29 (2019): A Deep Dive into Russian Cyber Espionage

In 2019, the MITRE evaluations took a significant leap by examining APT29, a threat group attributed to the Russian government. APT29 gained notoriety for its intrusion into the Democratic National Committee in 2015. This evaluation brought to light APT29’s unwavering commitment to stealth and the use of sophisticated techniques. These included custom malware and alternate execution methods like PowerShell and Windows Management Instrumentation (WMI).

The evaluation results were published in April 2020 and provided a platform for SentinelOne to further solidify its position as a robust cybersecurity solution, effectively countering the advanced techniques employed by APT29.

Carbanak+FIN7 (2021): Unveiling Financial Threats

The 2020 evaluation thrust into the spotlight two prominent threat groups, Carbanak and FIN7, both known for targeting the financial sector, particularly in the U.S. This evaluation meticulously dissected the modus operandi of these groups, revealing their reliance on innovative tradecraft and stealth techniques. Carbanak and FIN7 were notorious for exploiting both sophisticated malware and legitimate administration tools to achieve their objectives.

Once again, SentinelOne demonstrated its impressive capabilities in this evaluation, offering solutions that effectively countered the threats posed by these financially motivated groups.

Wizard Spider & Sandworm (2022): Exploring Diverse Threat Landscapes

The 2022 evaluation constituted a deep dive into the strategies employed by two distinct groups: Wizard Spider, a financially motivated criminal group, and Sandworm, a Russian threat group known for its destructive attacks. This evaluation zoomed in on how these groups leveraged data encryption for different objectives. Wizard Spider’s focus was on ransomware campaigns, while Sandworm’s notoriety lay in data destruction.

SentinelOne’s performance during this evaluation once again demonstrated its resilience and effectiveness in countering the diverse range of threats posed by these groups. It showcased its adaptability and robustness in the face of evolving cyber threats.

Turla (2023): The Upcoming Evaluation

As we gear up for the 2023 MITRE ATT&CK® Evaluation, the spotlight shifts to Turla, a sophisticated Russian-based threat group active since the early 2000s. Turla’s targets include government agencies, diplomatic missions, military groups, research organizations, and media outlets. What sets Turla apart is its unwavering commitment to innovation and operational security.

The upcoming evaluation promises to offer a detailed analysis of Turla’s tactics, including their use of a distinctive command-and-control network and a repertoire of open-source and in-house tools. As we anticipate this evaluation, SentinelOne stands ready to demonstrate its capabilities once again, offering solutions adept at countering the sophisticated techniques employed by the Turla group.

Unraveling the Turla Campaigns: A Closer Look

Turla is not your ordinary cyber threat actor; they stand as a testament to the evolving sophistication of cyber adversaries. Since the early 2000s, this Russian-based group has left an indelible mark on victims spanning over 45 countries. Their targets encompass a wide spectrum, including government agencies, diplomatic missions, military groups, research institutions, and media outlets. However, what distinguishes Turla from the rest is their unwavering commitment to innovation and operational security, making them a formidable force in the cyber realm.

Targeted Intrusions and Innovative Stealth

Turla’s modus operandi revolves around precision and stealth. They begin by establishing a foothold within their target environment. Once inside, they meticulously enumerate victims while leaving a minimal footprint. This often involves the use of in-memory or kernel implants, making detection and attribution a challenging task.

Crossing OS Boundaries

Turla is not confined to a single operating system. They are equally adept at targeting both Linux and Windows infrastructure, showcasing their adaptability and versatility. This flexibility enables them to breach a wide range of organizations, regardless of their technology stack.

Open Source and In-House Tools

One of Turla’s distinguishing features is their extensive toolkit. They combine open-source tools with custom, in-house-developed malware, creating a potent arsenal that can bypass traditional security measures. This blend of publicly available utilities and proprietary malware keeps defenders on their toes.

A Unique Command-and-Control Network

Turla employs a distinctive command-and-control (C2) network to maintain control over their operations. This network infrastructure is carefully designed to evade detection and attribution, further emphasizing Turla’s commitment to operational security.

MITRE ATT&CK® Evaluation Methodology

Understanding MITRE’s evaluation methodology is key to deriving meaningful insights from the upcoming test results. MITRE’s evaluations are designed to emulate real-world threat scenarios, providing a controlled environment where cybersecurity solutions are tested. Here’s a brief overview of MITRE’s evaluation process:

ATT&CK® Framework

MITRE’s evaluations are deeply rooted in the ATT&CK® framework, a foundational component that shapes the entire evaluation process. ATT&CK®, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a curated knowledge base that categorizes the actions and behaviors exhibited by cyber adversaries. It serves as the bedrock upon which realistic threat scenarios are constructed.

Within the ATT&CK® framework, adversaries’ tactics and techniques are systematically documented. These tactics encompass the overarching objectives cyber adversaries seek to achieve, while the techniques detail the specific methods employed to realize these objectives. Furthermore, the framework includes information on common knowledge—crucial insights into adversaries’ operations. This structured categorization allows for a granular and comprehensive examination of cybersecurity solutions’ capabilities in the face of diverse threats.

Transparent Methodology

MITRE maintains open communication throughout the evaluation process and provides detailed information regarding the techniques and procedures implemented in each scenario.

By divulging the inner workings of the evaluation, MITRE aims to enable vendors and practitioners to gain insights into the evaluative criteria, fostering a more informed and engaged community. Transparency ensures that all parties comprehend the evaluation’s objectives, making the results credible and valuable for improving cybersecurity solutions.

Real-World Relevance

MITRE’s approach to evaluations is rooted in the aspiration to mirror the challenges confronted by real-world cybersecurity professionals. The scenarios and threat actors portrayed in the evaluations are designed to replicate the complex and dynamic nature of actual cyber threats.

This real-world relevance ensures that the evaluation results are not just academic exercises but directly applicable to the ever-evolving threat landscape and enables vendors and practitioners to gauge the practical effectiveness of cybersecurity solutions. The results reflect the solutions’ capabilities in mitigating the types of threats and tactics that organizations face daily. This approach aids organizations in making informed decisions about their cybersecurity posture and technology investments.

Continuous Improvement

MITRE actively seeks feedback and insights to enhance the evaluation process continually. This iterative approach ensures that the evaluations remain relevant, rigorous, and capable of adapting to the ever-shifting cybersecurity landscape.

MITRE ATT&CK® Evaluation Technical Nuances

MITRE’s evaluations delve deep into technical nuances to comprehensively assess cybersecurity solutions. Here are some key technical aspects that deserve attention:

  1. Technique Scope: In each evaluation, MITRE defines the scope of techniques and tactics under examination. This scope is essential for participants and observers to understand the specific areas where cybersecurity solutions will be tested. It delineates the boundaries of the evaluation, providing clarity on the techniques that vendors and practitioners should focus on.
  2. Environment Configuration: MITRE conducts evaluations in a controlled environment, often leveraging cloud services to efficiently provision and manage resources. This environment closely mimics an on-premises setup, ensuring the evaluation results remain relevant to real-world scenarios. The evaluation environment enables participants to showcase how their solutions perform in a simulated but authentic cybersecurity landscape.
  3. Detection and Protection Categories: MITRE classifies detection and protection capabilities into main and modifier categories. These categories play a pivotal role in evaluating cybersecurity solutions. Main categories assess the level of context provided to analysts, while modifier categories offer additional insights that describe the event in more detail. Evaluators use these categories to gauge the effectiveness of protection mechanisms and the depth of information available to analysts. This categorization facilitates a structured and systematic evaluation of each solution’s performance in detecting and mitigating threats.

Understanding these technical nuances provides a solid foundation for comprehending the depth and rigor of MITRE ATT&CK® Evaluations. It showcases the precision and granularity with which cybersecurity solutions are assessed, helping vendors and practitioners navigate the intricate landscape of cybersecurity technology and defense capabilities.

Conclusion

The MITRE ATT&CK® Evaluations have become a cornerstone of the cybersecurity landscape, providing a platform for testing and improving cybersecurity solutions. As we await the results of the 2023 evaluation focusing on Turla, we have explored the history of MITRE’s evaluations, the technical nuances of the testing methodology, and the intricacies of the Turla threat.

Stay vigilant, stay informed, and leverage the forthcoming test results to bolster your organization’s defenses against evolving cyber threats. MITRE’s commitment to transparency and rigor ensures that the insights gained from these evaluations are invaluable in the ongoing battle for cybersecurity.

In the ever-evolving realm of cybersecurity, knowledge is power. Equip yourself with the knowledge that MITRE’s evaluations provide, and let it serve as a beacon of resilience against the ever-persistent forces of cyber adversaries.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.

Sep 2023 Cybercrime Update | New Ransomware Threats and the Rising Menace of Telegram 

In this blog post, we delve into the notable trends that have been shaping the cyber landscape over the past month. From the burgeoning market of bypass services to the alarming criminal activities on Telegram, we provide an update on cybercriminal activity to help defenders, SOC Teams and security leaders stay abreast of the latest developments and fortify their defenses in this ever-evolving battleground.

The AV/EDR/XDR Bypass Market

Threat actors across the cybercrime landscape are interested in anything that will help them bypass security solutions and evade detection, and this has resulted in a busy trade for tools and services which claim to answer this need.

The bypass market is not new but has witnessed an alarming growth in both the sophistication of the tools being offered and the assertiveness of the actors involved. These actors are leveraging unprecedented access to enterprise-level tools, continually testing and refining their malware against these tools, and posing a sophisticated and potent threat in targeted environments.

Advertisement for “EDR Killer”, a malware dropper and bypass service

Bypass tools and services, which are far from being budget-friendly, are becoming a staple in the arsenal of ransomware operators. The bespoke nature of these services, exemplified by vendors such as “r1z,” indicates a burgeoning market where customizations can drive the price upwards from a base of around 3000 USD.

Demo of “EDR Killer” bypassing an AV company

However, modern EDR/XDR technologies are not entirely helpless against these tools, provided they are well-maintained and appropriately configured. When threat actor tools succeed, it is usually against outdated versions or ill-maintained and misconfigured setups, which leave open the weaknesses these AV bypass tools exploit.

Ransomware | New Threat Actors Ramping Up Attacks

The ransomware threat may be less in the headlines than this time last year, but known and new threat actors continue their activities, exploiting novel techniques and finding overlooked weaknesses in organizations’ security posture, as the ransomware attack on MGM Resorts this week has shown.

Elsewhere, new threat actors continue to appear and are ramping up operations. The coming months are expected to be a busy time for new attacks.

INC Ransom

The INC Ransom group emerged on the scene in early August 2023, establishing themselves with a semi-private, affiliate-based operation. A closer look at their operation reveals a penchant for exploiting weaknesses in Remote Desktop Protocols (RDP) and utilizing purchased valid account credentials, typically acquired through Initial Access Brokers (IAB).

Their modus operandi includes leveraging living-off-the-land binaries (LOLBINs) such as WMIC.EXE and MSTC.EXE, among others, aiming to bypass detection technologies embedded in targeted environments. The victims, once infected, are ushered into a negotiation process via a TOR-based portal, with a stringent 72-hour window to comply with the payment demands before their data gets published.

INC Ransomware victim sign-in portal
INC Ransom ransom note

Ransomed.VC

Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.

Ransomed.vc capture for August 2023 (Wayback Machine)

Their evolutionary journey can be traced back to the “RANSOMED” forums, with their website undergoing a significant transformation before a highly publicized launch in August 2023. The group has expanded its communication channels, utilizing both clearnet and dark web platforms to circulate news and updates regarding their activities.

Ransomed Telegram channel is banned

Despite facing bans from various social media and communication platforms, they have adapted quickly, shifting their communication hub to other platforms including underground Russian cybercrime forums. Their approach indicates a brazen disregard for the potential humanitarian consequences of their actions, even allowing for attacks on critical infrastructure sectors, provided they get approval from the “admin”.

Advert to join the Ransomed RaaS (Affiliate Program)

Their business model encompasses an affiliate program, providing a platform for like-minded criminals to collaborate and enhance their nefarious activities. The group has also demonstrated their ability to deface websites, including government domains, using them as a billboard to showcase their ransom demands and details of the attacks.

Ransomware message on Hawaii[.]gov website

Leveraging GDPR laws, they have positioned themselves as a pure extortion group, operating without deploying any ransomware. This approach complicates the efforts to neutralize and respond to their threats effectively.

Telegram | The “Wild Wild West” of Cybercrime

Since its inception in 2013, Telegram has gradually but steadily morphed into a hub for criminal activities, such that it now resembles the unregulated and chaotic nature of IRC channels and the early days of the internet. From malware distribution to recruitment into criminal organizations, the platform is now a hotbed for various cybercrime ventures.

One of many Telegram channels offering EDR Bypass tools, tips and tricks

Telegram’s encrypted transport (note that end-to-end encryption is optional and limited to one-to-one “secret chats”; channels and groups are encrypted only between client and server), coupled with the capability to host large groups and automate processes through “bots,” has facilitated a significant migration of cybercriminal activities from traditional dark web markets to a platform these actors perceive as more secure.

As of September 2023, the platform continues to teem with vendors offering custom malware tools and crypters, and it has now become the preferred platform for ransomware groups to disseminate stolen data and recruit affiliates, functioning as a versatile tool in their operations.

Telegram has become a hive for cybercriminals to share stolen data

Conclusion

As we approach fall of 2023, with businesses returning to offices and schools and colleges opening for the new term, the cybercrime landscape continues to evolve at pace, with new entrants wielding sophisticated tools looking for any avenue of attack. Organizations must be vigilant and prepared, continuously adapting to the ever-changing threats emerging from the digital shadows.

In the face of these emerging trends, employing a comprehensive security solution like Singularity XDR, which leverages AI and automated remediation, can serve as a potent weapon in an organization’s cybersecurity arsenal. It’s more crucial than ever to stay ahead of the curve, adopting proactive measures that help detect and mitigate threats before they can inflict significant damage.

The cybercriminals are not resting, and neither should we. To learn more about how SentinelOne can help defend your organization’s endpoint, cloud, and network assets, contact us or request a free demo.

FBI Hacker Dropped Stolen Airbus Data on 9/11

In December 2022, KrebsOnSecurity broke the news that a cybercriminal using the handle “USDoD” had infiltrated the FBI‘s vetted information sharing network InfraGard, and was selling the contact information for all 80,000 members. The FBI responded by reverifying InfraGard members and by seizing the cybercrime forum where the data was being sold. But on Sept. 11, 2023, USDoD resurfaced after a lengthy absence to leak sensitive employee data stolen from the aerospace giant Airbus, while promising to visit the same treatment on top U.S. defense contractors.

USDoD’s avatar used to be the seal of the U.S. Department of Defense. Now it’s a charming kitten.

In a post on the English language cybercrime forum BreachForums, USDoD leaked information on roughly 3,200 Airbus vendors, including names, addresses, phone numbers, and email addresses. USDoD claimed they grabbed the data by using passwords stolen from a Turkish airline employee who had third-party access to Airbus’ systems.

USDoD didn’t say why they decided to leak the data on the 22nd anniversary of the 9/11 attacks, but there was definitely an aircraft theme to the message that accompanied the leak, which concluded with the words, “Lockheed martin, Raytheon and the entire defense contractos [sic], I’m coming for you [expletive].”

Airbus has apparently confirmed the cybercriminal’s account to the threat intelligence firm Hudson Rock, which determined that the Airbus credentials were stolen after a Turkish airline employee infected their computer with a prevalent and powerful info-stealing trojan called RedLine.

Info-stealers like RedLine typically are deployed via opportunistic email malware campaigns, and by secretly bundling the trojans with cracked versions of popular software titles made available online. Credentials stolen by info-stealers often end up for sale on cybercrime shops that peddle purloined passwords and authentication cookies (these logs also often show up in the malware scanning service VirusTotal).

Hudson Rock said it recovered the log files created by a RedLine infection on the Turkish airline employee’s system, and found the employee likely infected their machine after downloading pirated and secretly backdoored software for Microsoft Windows.

Hudson Rock says info-stealer infections from RedLine and a host of similar trojans have surged in recent years, and that they remain “a primary initial attack vector used by threat actors to infiltrate organizations and execute cyberattacks, including ransomware, data breaches, account overtakes, and corporate espionage.”

The prevalence of RedLine and other info-stealers means that a great many consequential security breaches begin with cybercriminals abusing stolen employee credentials. In this scenario, the attacker temporarily assumes the identity and online privileges assigned to a hacked employee, and the onus is on the employer to tell the difference.

In addition to snarfing any passwords stored on or transmitted through an infected system, info-stealers also siphon authentication cookies or tokens that allow one to remain signed-in to online services for long periods of time without having to resupply one’s password and multi-factor authentication code. By stealing these tokens, attackers can often reuse them in their own web browser, and bypass any authentication normally required for that account.
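The employer’s side of that problem is telling a replayed cookie apart from its rightful owner. The following is an added example, not code from the article, Hudson Rock or any vendor: it runs over a constructed, hypothetical access-log format (timestamp, session id, client IP, User-Agent) and flags a session id whose client fingerprint changes between requests. The ten-minute window and the weighting of the signals are assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log (hypothetical format: timestamp, session id,
# client IP, User-Agent). Session 9f3c7a1e is used by its owner twice, then
# replayed five minutes later from another network in a different browser;
# session 5b1d22c0 only changes IP, slowly, as a roaming user would.
SAMPLE_LOG = """\
2023-09-12T08:01:10Z sid=9f3c7a1e ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/116.0"
2023-09-12T08:03:42Z sid=9f3c7a1e ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/116.0"
2023-09-12T08:09:05Z sid=9f3c7a1e ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
2023-09-12T08:10:30Z sid=5b1d22c0 ip=192.0.2.44 ua="Mozilla/5.0 (Macintosh) Safari/16.6"
2023-09-12T09:30:00Z sid=5b1d22c0 ip=192.0.2.45 ua="Mozilla/5.0 (Macintosh) Safari/16.6"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\w+) ip=(?P<ip>[\d.]+) ua="(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    return rec


def detect_session_reuse(log_text, fast_ip_change=timedelta(minutes=10)):
    """Flag a session id whose client fingerprint changes between requests.

    A User-Agent change mid-session is the strongest single signal: a browser
    does not change family on its own, but a stolen cookie imported into the
    attacker's browser does. An IP change alone is weak (mobile hand-off, VPN,
    NAT), so it is only reported when it happens faster than a person could
    plausibly move networks.
    """
    last_seen = {}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        prev = last_seen.get(rec["sid"])
        if prev is not None:
            gap = rec["ts"] - prev["ts"]
            reasons = []
            if prev["ua"] != rec["ua"]:
                reasons.append("user-agent changed")
            if prev["ip"] != rec["ip"] and gap < fast_ip_change:
                reasons.append(f"ip changed within {gap}")
            if reasons:
                alerts.append({"sid": rec["sid"], "at": rec["ts"],
                               "from": (prev["ip"], prev["ua"]),
                               "to": (rec["ip"], rec["ua"]),
                               "reasons": reasons})
        last_seen[rec["sid"]] = rec
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(SAMPLE_LOG):
        print(a["sid"], a["at"].isoformat(), "; ".join(a["reasons"]))
```

In production the same comparison belongs in the session middleware itself, so that a fingerprint change forces re-authentication rather than just producing an alert after the fact; the offline form above is useful for hunting through existing logs.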

Microsoft Corp. this week acknowledged that a China-backed hacking group was able to steal one of the keys to its email kingdom that granted near-unfettered access to U.S. government inboxes. Microsoft’s detailed post-mortem cum mea culpa explained that a secret signing key was stolen from an employee in an unlucky series of unfortunate events, and thanks to TechCrunch we now know that the culprit once again was “token-stealing malware” on the employee’s system.

In April 2023, the FBI seized Genesis Market, a bustling, fully automated cybercrime store that was continuously restocked with freshly hacked passwords and authentication tokens stolen by a network of contractors who deployed RedLine and other info-stealer malware.

In March 2023, the FBI arrested and charged the alleged administrator of BreachForums (aka Breached), the same cybercrime community where USDoD leaked the Airbus data. In June 2023, the FBI seized the BreachForums domain name, but the forum has since migrated to a new domain.

USDoD’s InfraGard sales thread on Breached.

Unsolicited email continues to be a huge vector for info-stealing malware, but lately the crooks behind these schemes have been gaming the search engines so that their malicious sites impersonating popular software vendors actually appear before the legitimate vendor’s website. So take special care when downloading software to ensure that you are in fact getting the program from the original, legitimate source whenever possible.

Also, unless you really know what you’re doing, please don’t download and install pirated software. Sure, the cracked program might do exactly what you expect it to do, but the chances are good that it is also laced with something nasty. And when all of your passwords are stolen and your important accounts have been hijacked or sold, you will wish you had simply paid for the real thing.

LABScon 2023 | Security Research in Real Time – Talks Not to Miss, Part Two

The clock is ticking, and in case you hadn’t heard, LABScon is back!

Continuing the stellar success of last year’s inaugural event, the SentinelLabs team is once again hosting a bespoke, invite-only conference for the cybersecurity industry’s leading experts, threat investigators, journalists, academics and government partners. The con will meet in Scottsdale, Arizona from 20th September through to 24th and places are limited, but there’s still time to request an invite.

Showcasing cutting-edge research into cyber threat actors, hunting techniques, vulnerabilities, exploits and new tooling, LABScon offers a unique opportunity to interface with leading researchers and journalists without the distractions of vendor halls and product pitching.

This year’s lineup of speakers includes veterans of the cybersecurity landscape from Cisco Talos, ESET, Intezer, Mandiant, Microsoft, Red Canary, SentinelLabs, Sophos and more. In this post, we take another sneak peek into some of the research that will be presented at LABScon23.

For those that can’t make it, don’t forget to bookmark both the LABScon homepage and the SentinelLabs homepage to keep an eye out for the release of video recordings after the event. Many of the talks from last year are available here.

Alex Matrosov | Spectre Strikes Again: Introducing the Firmware Edition

The excitement surrounding speculative execution attacks may have subsided, but sadly, such threats remain. Binarly Research has discovered a vast attack surface still vulnerable to known issues like Spectre v1 and v2 on AMD silicon. Ineffective mitigations and the complexity of validation negatively impact the AMD device ecosystem. While the industry is currently concentrating on constructing confidential computing infrastructure, foundational design problems reveal a lack of basic security at the hardware level. This discovery was made possible due to the asynchronous nature of firmware and hardware security fixes development.

Throughout their lifecycle, devices are susceptible to security issues due to the asynchronous nature of firmware security fixes delivery from multiple parties and the asynchronous nature of the supply chain. The lack of transparency in vendor security advisories results in an opaque channel for informing customers about the criticality of released security fixes and leads to varying approaches to patching widespread vulnerabilities with industry-wide implications. Even major silicon vendors develop mitigations for side-channel attacks differently. This situation presents an opportunity for potential threat actors to exploit known speculative attacks like the 5-year-old Spectre or the 1-year-old Retbleed. A new perspective is needed to construct an attack vector that utilizes speculative attacks to target UEFI-specific firmware vulnerabilities.

In this presentation, we will discuss our research into the potential use of speculative attacks against the System Management Mode (SMM) on AMD-based devices and outline the methodologies we employed throughout our research investigation.

Hakan Tanriverdi | From Vulkan to Ryazan – Investigative Reporting from the Frontlines of Infosec

During the last couple of years, I have reported on several large-scale digital espionage and sabotage campaigns, from hacking groups that were later called out by the Department of Justice to companies targeting critical infrastructure in Germany and across Western Europe. In both cases, mistakes in how the attackers set up their infrastructure enabled our team to follow their tracks, in some cases right back to their employers. The resulting stories revealed the intersection where covert cyberoperations and overt organizational structures meet.

This talk will lay out the types of information we work with, how we follow and fact-check opaque leads, and turn them into portraits of the previously unknown actors pulling the strings in cyberspace.

Martin Wendiggensen | BLACK MAGIC – Influence Operations In The Open And At-Scale In Hungary

Influence operations are often thought of as clandestine meddling in other countries’ affairs. But what if it were more insidious than that? What if, right in front of our eyes, a NATO ally and EU Member State had developed a system to consistently peddle Russian talking points at a large scale within its own borders and beyond? This is what our research uncovered in the case of Hungary.

Hungary’s media ecosystem is controlled by the state. Years of corrupt dealings brought hundreds of news outlets – print, radio, television, and internet – under the control of oligarchs loyal to the state. And the state is very friendly to Russia. In time, the vast majority of these outlets were gifted, free of charge, to a holding controlled by the prime minister’s close confidants.

To prove the existence of an at-scale and continuous influence operation, we collected all coverage of Ukraine from major news outlets and analyzed our dataset with Semi-Supervised Machine Learning. The picture that emerged was stark: an ensemble of striking narratives aligned with Russian interests in denigrating Ukraine and the West. Moreover, these narratives were present well before the start of the war in 2020.

Matching our findings with an archive of Russian media, we were able to show how the narratives aligned topically, tonally, and in bias. Crucially, we could show a clear temporal lag. In other words, vast sections of Hungarian media actively pick up Russian narratives and amplify them. The effects of this reach beyond Hungary’s own borders, as hundreds of thousands of ethnic Hungarians live in the “near abroad” (neighboring countries) and in the diaspora, thereby giving the controllers of Hungarian media outsized political influence abroad. This dark alignment of narratives runs deeper than words, leading our investigation to the staged firebombing of a Hungarian cultural center in Ukraine, and an obscure Cold War-era “spy bank” that is actively circumventing sanctions on Russia.

Amitai Ben Shushan Ehrlich | DNS Tunnel Warfare

Tunnels have been utilized in armed conflicts since antiquity. Underground passages, dug beneath the surface, are still utilized to undermine fortifications and slip right into enemy territory. Today, however, underground tunnels are not the only tunnels used in armed conflicts, as new hidden pathways have proved to be quite effective.

DNS tunneling has emerged as a stealthy technique used to covertly transfer data over the DNS protocol, and has been adopted by a wide variety of threat actors, including those involved in ongoing armed conflicts.

In this talk, we will explore various aspects of DNS tunneling, understanding its advantages, drawbacks, and potential for detection. We will immerse ourselves in one particular actor, delving into the analysis of its DNS tunneling infrastructure, tools and targets. As we proceed, we will soon learn how DNS tunnels, much like their physical counterparts, are used to initiate surprise attacks and sabotage enemy infrastructure during times of war.
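On the detection side of that subject, the following is an added example (not the speaker’s code or SentinelLabs tooling) of the simplest statistical tell of a DNS tunnel: the tunnel client chunks its payload into query names, so one registrable domain receives many distinct, long, high-entropy subdomains, often as TXT or NULL queries. The query-log format (`client qname qtype`), the `exfil-example.net` domain, the thresholds and the last-two-labels notion of “registrable domain” are all assumptions made for the example.

```python
import hashlib
import math
from collections import defaultdict

RARE_TYPES = {"TXT", "NULL"}   # common tunnel carriers; A/AAAA tunnels exist too


def shannon_entropy(text):
    """Bits per character; random hex tends to ~3.8, English-like labels ~2-3."""
    if not text:
        return 0.0
    n = len(text)
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    """Last two labels. Simplification: a real detector needs the Public
    Suffix List so that e.g. host.example.co.uk is grouped correctly."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_sample_log():
    """Constructed query log, one 'client qname qtype' record per line."""
    lines = [
        "10.0.0.5 www.example.com A", "10.0.0.5 example.com MX",
        "10.0.0.5 mail.example.com A", "10.0.0.6 cdn.example.net A",
        "10.0.0.6 static.example.net A", "10.0.0.6 api.example.net A",
        "10.0.0.6 api.example.net AAAA", "10.0.0.5 www.example.org A",
        "10.0.0.5 _dmarc.example.org TXT",
    ]
    # 24 queries whose leftmost labels carry 48 hex characters of payload each,
    # as a tunnel client chunking a file into query names would emit.
    for i in range(24):
        payload = hashlib.sha256(b"chunk%d" % i).hexdigest()[:48]
        lines.append(
            f"10.0.0.7 {payload[:24]}.{payload[24:]}.t.exfil-example.net TXT")
    return lines


def score_domains(lines, min_unique=10, min_entropy=3.5, min_len=30):
    """Aggregate per registrable domain and flag those whose subdomains look
    like encoded payload: many distinct, long, high-entropy labels."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "rare": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        _client, qname, qtype = parts
        dom = registrable_domain(qname)
        sub = qname[:-(len(dom) + 1)] if len(qname) > len(dom) else ""
        flat = sub.replace(".", "")
        s = stats[dom]
        s["queries"] += 1
        s["subs"].add(sub)
        s["entropy_sum"] += shannon_entropy(flat)
        s["len_sum"] += len(flat)
        s["rare"] += qtype in RARE_TYPES
    flagged = []
    for dom, s in stats.items():
        n = s["queries"]
        summary = {"queries": n, "unique_subdomains": len(s["subs"]),
                   "avg_entropy": s["entropy_sum"] / n,
                   "avg_subdomain_len": s["len_sum"] / n,
                   "rare_type_ratio": s["rare"] / n}
        if (summary["unique_subdomains"] >= min_unique
                and summary["avg_entropy"] >= min_entropy
                and summary["avg_subdomain_len"] >= min_len):
            flagged.append((dom, summary))
    flagged.sort(key=lambda item: item[1]["unique_subdomains"], reverse=True)
    return flagged


if __name__ == "__main__":
    for dom, summary in score_domains(build_sample_log()):
        print(dom, summary)
```

The query type is deliberately recorded but not used as a hard condition: A-record tunnels that encode the payload in the name alone are common, and CDNs and anti-spam services legitimately generate many unique, hash-like subdomains, which is why the rates should be evaluated per domain over a window and whitelisted per environment rather than applied as fixed universal thresholds.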

Boldizsar Bencsath | SIMBIoTA: Implementation of an IoT virus-scanner for limited resources environment

IoT devices flood our lives. There are multi-billion pieces of IoT devices around, and the number grows constantly. Malware problems are not something that can be avoided for these devices. However, anti-virus techniques, especially standalone ones (not cloud based) are currently basically unavailable for these, e.g., for routers, cameras, and Linux-based Raspberry PI devices. A user typically installs a device and does not intend to maintain it, and generally has no ways to find out if the device behaves in a bad way.

Together, CrySyS Lab and Ukatemi planned and developed a possible standalone solution against these threats, which cannot be handled by traditional antivirus products due to resource limits. Our SIMBIoTA project aims at taking advantage of extreme compression: it does not need to store sequences of millions of different binary files, but accumulates detection based on similarity hashes and stores only a minimal basis for the detection. I will show the main benefits of the SIMBIoTA approach, show how different kinds of evasion efforts can be handled, and share some of the latest information on the actual implementation.

In addition to the details of the technical methods I’ll try to elaborate on the possible attacks on the method and also show new advancements to mitigate this problem.

Austin Larsen & John Palmisano | Across the Seven Seas: Unmasking a Global Espionage Campaign

In this talk, we unveil the intricacies of a sophisticated 8-month-long global espionage campaign that targeted government agencies and private sector companies across the world. By exploiting widely-used Email Security Gateways (ESG), the campaign left organizations vulnerable to espionage by UNC4841, a suspected Chinese actor operating in support of the People’s Republic of China.

For the first time, we will provide an inside look into the tactics, targeting, and tricks employed by UNC4841 during this espionage operation. Commencing in October 2022, the actor launched targeted attacks utilizing malicious emails cleverly disguised as low-quality spam to exploit a zero-day in ESG appliances. The code families the actor employed deceptively masqueraded as legitimate modules of the Email Security Gateway, enabling UNC4841 to gain initial access and establish a persistent presence on compromised appliances.

Throughout the 8-month duration, UNC4841 showcased remarkable sophistication, adaptability, responsiveness, and understanding of the appliance itself. Their activities included leveraging the compromised appliances for extremely targeted data exfiltration, as well as lateral movement into victims’ networks. As the investigation progressed, the sophistication of UNC4841’s activities necessitated a collaborative effort between our team, the company impacted as well as US law enforcement.

This talk will offer insights into the modus operandi of UNC4841, the far-reaching consequences of the campaign, and the collaborative efforts involved in burning this espionage operation. We will discuss the broader implications of cyber espionage on national security, highlight key findings from the investigation, and provide actionable recommendations for bolstering defenses against similar threats in the future.

Emily Austin | Managed File Transfer or Miscreants’ Favorite Target? An internet-wide study of MFT exposures

Managed file transfer (MFT) tools are a popular, user-friendly evolution of FTP, facilitating data sharing between and within organizations. In 2021, Businesswire reported projected growth of the MFT market to $2.4 billion by 2027, further emphasizing how organizations have come to rely on these tools. While companies of all sizes may have a need for user-friendly file sharing, MFT tools tend to be geared toward enterprise organizations in highly regulated industries (e.g., finance, healthcare).

As the tech industry provides software and tooling to facilitate work, we often inadvertently provide new targets for threat actors, and MFT is no exception. In the first half of 2023 alone, we’ve seen a series of high-profile attacks against file transfer software including GoAnywhere, Faspex, and MOVEit.

In this talk, we’ll begin by exploring a timeline of attacks against file transfer software. We’ll discuss the Clop ransomware and extortion group, along with their attacks against tools like GoAnywhere and MOVEit. Specifically, we’ll examine exposure of these tools prior to and during the attack time frame, along with a look at affected industries and networks.

We’ll then examine the state of additional file transfer tool exposures across the internet to better understand potential impact of attacks against such tools. The recent string of attacks against this category of software, combined with how widespread they are across the internet, suggests that we may see more attacks of this kind in the near future. In closing, we’ll discuss implications of the rise of MFT software for companies and consumers.

Paul Rascagneres | Ongoing EvilEye Campaigns Targeting CCP Adversaries

Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the “Five Poisons”. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity’s research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020.

The ongoing campaigns consist of two elements, malicious mobile applications and fake websites, which are created by the attacker to facilitate exploitation of end users by way of zero or n-day exploits. The three Android malware families being deployed include new versions of BADBAZAAR, as well as two previously undocumented families. In addition to these Android malware families, there is compelling evidence that EvilEye has developed an iOS implant and tried to distribute it via the Apple App Store.

This presentation outlines the current, ongoing campaigns; delves into the technical details of the Android malware families involved; discusses the threat actor’s command-and-control (C2) infrastructure and configuration; and reveals how the threat actor builds communities to distribute their malware through trusted platforms. The presentation also explores overlaps between the campaigns and explains links to historic activity.

Nicole Fishbein & Ryan Robinson | Cryptovirology: Second Guessing The Cryptographic Underpinnings of Modern Ransomware

Ransomware has permeated our everyday lives to the point of becoming a household term, featured prominently in news headlines, and even entwined with international politics. However, it is crucial not to overlook the technical intricacies that make ransomware both intriguing and highly effective—the cryptographic foundations that enable attackers to seize files and hold them hostage until a ransom is paid. Surprisingly, implementing cryptography effectively remains a challenging task. In this talk, we will delve into the nitty-gritty details of the cryptographic implementations utilized in modern ransomware and shed light on their inherent flaws.

Through engaging visualizations and occasional explanations in ELI5 terms, we will keep you awake through the math for long enough to discuss the strengths, weaknesses, and, most importantly, the inevitable failures of these implementations. Our focus will center around utilizing the Hybrid Cryptosystem in the context of XData ransomware and the flaws found in the QNAPCrypt key generation algorithm. Furthermore, we will delve into recent ransomware strains, exposing cryptographic flaws that undermine their effectiveness. Ultimately, we will question whether we can trust these ransomware creators to implement robust cryptography when even we often hesitate to do so ourselves.

Dual Core | Stay Free: Tampering AWS CloudTrail

You have gained access to an AWS account and don’t want to go to prison. The all-seeing eyes of the Blue Team and SOC analysts attempt to monitor your every move via AWS CloudTrail. How can we tamper with the defenders’ capabilities to complete our objectives and remain free?

This talk will present a set of techniques for tampering with the premier telemetry facility in AWS, accompanied by anecdotes of adventures in cloud security. Attendees will learn new tricks for evasion in AWS environments, along with a methodology for evaluating potential evasion techniques. We will focus on perspectives of offense, defense, and engineering.

Donald McCarthy | Cheap Parking and Express Lanes Through Your Proxy Filters

Infrastructure as a service/code has taken root. With a few API calls and some minor orchestration, almost anyone is able to have a horde of servers at their disposal in seconds. This, however, doesn’t generally help those looking for new infrastructure bypass proxy filters.

This presentation will focus on techniques and services that APTs and other cyber criminals are using to turn what used to be a months/years long process into something achievable on short timelines, how and where this has been used in the past, quantification of the problem (although incomplete), and who we need to get engaged in order to solve it.

Sergei Frankoff & Sean Wilson | Exploring the Impact of Dual-Use Obfuscation Libraries on Threat Intelligence

Code similarity analysis is a fundamental and widely used technique for identifying and attributing malware at the binary level. However, the rising prevalence of open source code obfuscation libraries and their adoption by malware developers impose challenges that must be addressed to maintain the reliability and accuracy of this technique and its associated tools.

In 2022, the leaked Conti ransomware developer chat logs and subsequent leak of the Conti source code, confirmed the use of both an open source string protection library (ADVObfuscator) and an open source code obfuscation library (Obfuscator-LLVM). While these obfuscation libraries had been employed in malware previously, the exposed Conti development process emerged as a defining moment in the malware development ecosystem. Subsequently, the use of open source obfuscation libraries has grown with ADVObfuscator and Obfuscator-LLVM becoming common in ransomware code, and the adoption of lesser known obfuscation projects such as xorstr introducing significant challenges when using code similarity analysis tools.

Our research examines the impact of these obfuscation libraries on popular analysis tools (e.g., Lumina, Bindiff, and Binlex) and the resulting challenges faced by the threat intelligence processes that employ them. To address these challenges, we propose the use of ground truth binaries, which can fine-tune existing tools and processes. Using real world case-studies we will work through the challenges posed by these obfuscation libraries and describe how our solution may mitigate the encountered issues.

Greg Lesnewich | Surveying Similarities in macOS Components used in North Korean CryptoHeists

While many state-aligned threats have dipped their toes into macOS Malware, North Korea has invested serious time and effort into compromising that operating system. Their operations in macOS environments include both espionage and financial gain. macOS malware analysis is an exciting space, but most blogs on the subject deal with functionality and capability, rather than how to find more similar samples. Analysts are forced to rely on string searching, based on disassembler output or a strings dump; comparatively, executables for Windows have “easy” pivots such as import hashing or rich headers, to find additional samples without much effort.

This talk will introduce some of those easy pivots for Mach-O files, using North Korean samples as an initial case study; along the way, attendees will get a tour of the North Korean clusters using Mach-O samples, how those clusters intersect, how their families relate to one another, and be shown how some simple pivots can link a group’s families together.

MJ Emanuel | Where have all the APTs gone – a discussion of tradecraft accelerationism or counter-counter-counter

Activity in cyberspace has gone through a massive transformation over the last few decades, with cyber threat intelligence emerging, and then evolving alongside with it. Despite maturing as an industry, it is harder than ever before to consistently detect, track, and cluster known intrusion sets and identify new activity.

This presentation will describe the relationships between actor activity and discuss challenges in maintaining visibility as adversaries have changed their behavior over time. It will also examine the cascading effects of disclosure on adversary activity as a public good, including burning defenders’ ability to discover new activity as adversaries’ reaction times continue to shorten, and strategic consequences on the closing window of our ability to detect the highest tier actors. Deterrence is one of the core tenets of cyber warfare strategy, and publicly outing campaigns to “impose cost” remains high on the list of options for response. However, this presentation will challenge the idea that public dissemination of information will operationally impact the perpetrators, and in fact, may end up harming our overall ability to detect and defend against them.

Filip Jurčacko | Deadglyph: Covertly preying over Middle Eastern skies

The Middle East has been known for years to be a fertile land for APTs. During our routine monitoring of suspicious activities in government entities of the region, we stumbled upon a very sophisticated and unknown backdoor that we have named Deadglyph.

Deadglyph’s main components are protected with encryption using a machine-specific key, which usually prevents further analysis. Its architecture is unusual as it consists of a native x64 and .NET component that cooperate. The traditional backdoor commands are not implemented in the Deadglyph binary; instead, they are dynamically received from its C&C server in the form of additional modules that exist in memory only briefly, to perform the commands. Without the modules, the full capabilities of the backdoor are unknown. Deadglyph also features a number of capabilities to avoid being detected, including the ability to uninstall itself, preventing discovery. After initial investigation, we could not attribute the Deadglyph backdoor to an existing threat actor, but later we found another piece of the puzzle – a multistage shellcode downloader that pointed us in the right direction. Finally, we will describe how we pivoted on various indicators to arrive at attributing Deadglyph backdoor to an existing threat actor, active in the Middle East for years.

Gabriel Bernadett-Shapiro | Demystifying LLMs: Power Plays in Security Automation

As the popularity of Large Language Models (LLMs) continues to grow, there’s a clear divide in perception: some believe LLMs are the solution to everything – a ruthlessly efficient automaton that will take your job and steal your dance partner. Others remain deeply skeptical of their potential – and have strictly forbidden their use in corporate environments.

This presentation seeks to bridge that divide, offering a framework to better understand and incorporate LLMs into the realm of security work. We will delve into the most pertinent capabilities of LLMs for defensive use cases, shedding light on their strengths (and weaknesses) in summarization, data labeling, and decision task automation. Our discourse will also address specific tactics with concrete examples such as ‘direction following’—guiding LLMs to adopt the desired perspective—and the ‘few-shot approach,’ emphasizing the importance of precise prompting to maximize model efficiency. The presentation will also outline the steps to automate tasks and improve analytical processes and provide attendees with access to basic scripts which they can customize and test according to their specific requirements.

And There’s More!

In addition to all the goodness highlighted above and the LABSCon 2023 talks we highlighted last week, this event will feature presentations by award-winning journalist Kim Zetter, recipient of the Gold Presidential Volunteer Service Award (PVSA) and Senior Director of SentinelLabs, Juan Andres Guerrero-Saade, Automox’s Jason Kitka, Robert Ghilduta from Nuand LLC, and SentinelLabs’ researchers Tom Hegel and Aleksandar Milenkowski.

Request an Invite

We are hugely excited about LABScon 2023, a premier event where the brightest minds in cybersecurity come together to share their insights. It’s still not too late to request an invite. A limited number of tickets remain available, so hurry and click that button if you’d like to come and join us.

Adobe, Apple, Google & Microsoft Patch 0-Day Bugs

Microsoft today issued software updates to fix at least five dozen security holes in Windows and supported software, including patches for two zero-day vulnerabilities that are already being exploited. Also, Adobe, Google Chrome and Apple iOS users may have their own zero-day patching to do.

On Sept. 7, researchers at Citizen Lab warned they were seeing active exploitation of a “zero-click,” zero-day flaw to install spyware on iOS devices without any interaction from the victim.

“The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim,” the researchers wrote.

According to Citizen Lab, the exploit uses malicious images sent via iMessage, an embedded component of Apple’s iOS that has been the source of previous zero-click flaws in iPhones and iPads.

Apple says the iOS flaw (CVE-2023-41064) does not seem to work against devices that have its ultra-paranoid “Lockdown Mode” enabled. This feature restricts non-essential iOS features to reduce the device’s overall attack surface, and it was designed for users concerned that they may be subject to targeted attacks. Citizen Lab says the bug it discovered was being exploited to install spyware made by the Israeli cyber surveillance company NSO Group.

This vulnerability is fixed in iOS 16.6.1 and iPadOS 16.6.1. To turn on Lockdown Mode in iOS 16, go to Settings, then Privacy and Security, then Lockdown Mode.

Not to be left out of the zero-day fun, Google acknowledged on Sept. 11 that an exploit for a heap overflow bug in Chrome is being exploited in the wild. Google says it is releasing updates to fix the flaw, and that restarting Chrome is the way to apply any pending updates. Interestingly, Google says this bug was reported by Apple and Citizen Lab.

On the Microsoft front, a zero-day in Microsoft Word is among the more concerning bugs fixed today. Tracked as CVE-2023-36761, it is flagged as an “information disclosure” vulnerability. But that description hardly grasps at the sensitivity of the information potentially exposed here.

Tom Bowyer, manager of product security at Automox, said exploiting this vulnerability could lead to the disclosure of Net-NTLMv2 hashes, which are used for authentication in Windows environments.

“If a malicious actor gains access to these hashes, they can potentially impersonate the user, gaining unauthorized access to sensitive data and systems,” Bowyer said, noting that CVE-2023-36761 can be exploited just by viewing a malicious document in the Windows preview pane. “They could also conduct pass-the-hash attacks, where the attacker uses the hashed version of a password to authenticate themselves without needing to decrypt it.”

The other Windows zero-day fixed this month is CVE-2023-36802. This is an “elevation of privilege” flaw in the “Microsoft Streaming Service Proxy,” which is built into Windows 10, 11 and Windows Server versions. Microsoft says an attacker who successfully exploits the bug can gain SYSTEM level privileges on a Windows computer.

Five of the flaws Microsoft fixed this month earned its “critical” rating, which the software giant reserves for vulnerabilities that can be exploited by malware or malcontents with little or no interaction by Windows users.

According to the SANS Internet Storm Center, the most serious critical bug in September’s Patch Tuesday is CVE-2023-38148, a weakness in the Internet Connection Sharing service on Windows. Microsoft says an unauthenticated attacker could leverage the flaw to install malware just by sending a specially crafted data packet to a vulnerable Windows system.

Finally, Adobe has released critical security updates for its Adobe Reader and Acrobat software that also fix a zero-day vulnerability (CVE-2023-26369). More details are in Adobe’s advisory.

For a more granular breakdown of the Windows updates pushed out today, check out Microsoft Patch Tuesday by Morphus Labs. In the meantime, consider backing up your data before updating Windows, and keep an eye on AskWoody.com for reports of any widespread problems with any of the updates released as part of September’s Patch Tuesday.

macOS MetaStealer | New Family of Obfuscated Go Infostealers Spread in Targeted Attacks 

This year has seen an explosion of infostealers targeting the macOS platform. Throughout 2023, we have observed a number of new infostealer families including MacStealer, Pureland, Atomic Stealer and RealStealer (aka Realst). Over the last few months, we have also been tracking a family of macOS infostealers we call ‘MetaStealer’. Last week, Apple dropped a new signature for XProtect that detects some (but not all) variants of the MetaStealer family.

In this post, we describe how MetaStealer differs from other recent stealers, as well as indicate some intriguing overlaps with other malware. We highlight how threat actors are proactively targeting macOS businesses by posing as fake clients in order to socially engineer victims into launching malicious payloads, and we provide a comprehensive list of indicators to help threat hunters and security teams identify MetaStealer in their environments. All SentinelOne customers are automatically protected from macOS MetaStealer.

MetaStealer Droppers Targeting Businesses

Many of the samples of MetaStealer we have observed are distributed in malicious application bundles contained in disk image format (.dmg) with names indicating that the targets were business users of Mac devices.

MetaStealer disk images contain names such as

  • “Advertising terms of reference (MacOS presentation).dmg”
  • “CONCEPT A3 full menu with dishes and translations to English.dmg”
  • “AnimatedPoster.dmg”
  • “Brief_Presentation-Task_Overview-(SOW)-PlayersClub.dmg”

Many of the disk image droppers contain names that include the words “Official Brief Description” such as “(Cover references,tasks,logos,brief)YoungSUG_Official_Brief_Description_LucasProd.dmg”, suggesting that these were lures aimed at business users of macOS.

In one case, a malicious version of MetaStealer with the name “Conract for paymen & confidentiality agreement Lucasprod.dmg” was uploaded to VirusTotal with a comment from the victim describing how they were lured.

“I was targeted by someone posing as a design client, and didn’t realize anything was out of the ordinary. The man I’d been negotiating with on the job this past week sent me a password protected zip file containing this DMG file, which I thought was a bit odd.

Against my better judgement I mounted the image to my computer to see its contents. It contained an app that was disguised as a PDF, which I did not open and is when I realized he was a scammer.”

Other versions of MetaStealer we have seen use names masquerading as Adobe files or software such as “AdobeOfficialBriefDescription.dmg” and “Adobe Photoshop 2023 (with AI) installer.dmg”.

MetaStealer dropper disk image

This specific targeting of business users is somewhat unusual for macOS malware, which is more commonly found being distributed via torrent sites or suspicious third-party software distributors as cracked versions of business, productivity or other popular software.

MetaStealer Malicious Application Bundles

The applications inside the MetaStealer disk images contain the minimum required to form a valid macOS bundle, namely an Info.plist file, a Resources folder containing an icon image and a MacOS folder containing the malicious executable.

Contents of a typical MetaStealer bundle

Although we have seen some versions carrying an Apple Developer ID string embedded in the executable (Bourigaultn Nathan (U5F3ZXR58U)), none of the samples we observed attached a code signature or used ad hoc signing. This means that to gain execution, the threat actor would likely need to guide or persuade the victim to override protections such as Gatekeeper and OCSP.

Interestingly, all the samples we have collected are single-architecture Intel x86_64 binaries, meaning that they cannot run on Apple silicon (M1 and M2) machines without the help of Rosetta.

Early samples of MetaStealer began appearing on VirusTotal around March 2023 and increased throughout the summer. The most recent sample we are aware of was uploaded to VirusTotal on 27 August. Apple updated its malware blocking tool XProtect to version 2170 in the week commencing 4 September.

However, some of the samples in our collection that appeared in June and July remain undetected by XProtect after this update; these include the following malicious Mach-O executables:


MetaStealer Obfuscated Go Executable

The main executable in MetaStealer bundles is an Intel x86 Mach-O containing compiled and heavily obfuscated Go source code. The Go Build ID has been stripped and function names obfuscated. The obfuscation method bears similarity to that used in obfuscated Sliver and Poseidon malware binaries, and may be a product of the garble obfuscator or similar.
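As an added illustration (not SentinelLabs’ code and not taken from the malware), here is a small static triage routine in Python that checks the three properties the post uses to characterise the MetaStealer executables: a thin x86_64 image versus a universal binary, the presence of an LC_CODE_SIGNATURE load command (absent when a binary carries no signature at all, not even ad hoc), and whether the Go build ID marker survives in the file. The Mach-O images it parses are constructed inline for the demonstration, and the Go-runtime-string check is a heuristic, not a definitive Go detector.

```python
"""Static triage of a 64-bit Mach-O: architecture, code signature, Go build ID."""
import struct
from dataclasses import dataclass, field

MH_MAGIC_64 = 0xFEEDFACF          # 64-bit Mach-O header magic (little-endian as stored)
FAT_MAGIC = 0xCAFEBABE            # universal (fat) binary magic (big-endian header)
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_TYPES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
MH_HEADER_64_LEN = 32
GO_BUILD_ID_MARKER = b"Go build ID:"


@dataclass
class TriageResult:
    fat: bool
    archs: list
    code_signed: bool
    go_build_id: bool
    go_runtime_strings: bool
    notes: list = field(default_factory=list)


def _parse_thin(data: bytes, base: int) -> tuple:
    """Parse one 64-bit Mach-O header at `base`; return (arch, has_code_signature)."""
    if len(data) < base + MH_HEADER_64_LEN:
        raise ValueError("truncated Mach-O header")
    magic, cputype, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError(f"not a 64-bit Mach-O at offset {base:#x} (magic {magic:#010x})")
    arch = CPU_TYPES.get(cputype, f"unknown({cputype:#010x})")
    off, end = base + MH_HEADER_64_LEN, base + MH_HEADER_64_LEN + sizeofcmds
    signed = False
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands overrun sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8:
            raise ValueError("malformed load command size")
        if cmd == LC_CODE_SIGNATURE:   # present for both Developer ID and ad hoc signing
            signed = True
        off += cmdsize
    return arch, signed


def triage(data: bytes) -> TriageResult:
    """Classify a thin or universal Mach-O and record defender-relevant notes."""
    if len(data) < 8:
        raise ValueError("file too small")
    magic_be, = struct.unpack_from(">I", data, 0)
    if magic_be == FAT_MAGIC:
        nfat, = struct.unpack_from(">I", data, 4)
        archs, signed = [], True
        for i in range(nfat):
            cputype, _, offset, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
            arch, slice_signed = _parse_thin(data, offset)
            archs.append(arch)
            signed = signed and slice_signed   # universal counts as signed only if every slice is
        fat = True
    else:
        arch, signed = _parse_thin(data, 0)
        archs, fat = [arch], False

    go_build_id = GO_BUILD_ID_MARKER in data
    go_runtime = b"runtime." in data           # heuristic: Go runtime symbol names usually survive
    result = TriageResult(fat, archs, signed, go_build_id, go_runtime)
    if not signed:
        result.notes.append("no LC_CODE_SIGNATURE: unsigned (not even ad hoc); "
                            "Gatekeeper will block it unless the user overrides")
    if archs == ["x86_64"]:
        result.notes.append("Intel-only image: runs on Apple silicon only via Rosetta")
    if go_runtime and not go_build_id:
        result.notes.append("Go runtime strings present but build ID marker absent: build ID stripped")
    return result


def build_thin(cputype: int, signed: bool, go_build_id: bool) -> bytes:
    """Constructed, non-runnable 64-bit Mach-O image used only to exercise triage()."""
    cmds = struct.pack("<II", LC_UUID, 24) + b"\x00" * 16
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0)   # linkedit_data_command shape
    header = struct.pack("<8I", MH_MAGIC_64, cputype, 3, 2, 2 if signed else 1, len(cmds), 0, 0)
    body = b"runtime.main\x00runtime.goexit\x00"
    if go_build_id:
        body += b'\xff Go build ID: "constructed-sample"\n \xff'
    return header + cmds + body


def build_fat(images: list) -> bytes:
    """Constructed universal binary wrapping thin images at 4 KiB-aligned offsets."""
    entries, blobs, offset = b"", b"", 0x1000
    for img in images:
        cputype, cpusubtype = struct.unpack_from("<II", img, 4)
        padded = img + b"\x00" * (-len(img) % 0x1000)
        entries += struct.pack(">5I", cputype, cpusubtype, offset, len(img), 12)
        blobs += padded
        offset += len(padded)
    header = struct.pack(">II", FAT_MAGIC, len(images)) + entries
    return header + b"\x00" * (0x1000 - len(header)) + blobs


if __name__ == "__main__":
    suspicious = build_thin(CPU_TYPE_X86_64, signed=False, go_build_id=False)
    universal = build_fat([build_thin(CPU_TYPE_X86_64, True, True),
                           build_thin(CPU_TYPE_ARM64, True, True)])
    for name, blob in (("constructed unsigned x86_64", suspicious),
                       ("constructed signed universal", universal)):
        r = triage(blob)
        print(name, r.archs, "signed" if r.code_signed else "UNSIGNED", r.notes)
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage()`; the notes reproduce the three observations the post makes about the MetaStealer samples.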

main.main functions in MetaStealer

Despite the obfuscation, some tell-tale signs of the binary’s tasking remain as artifacts. In particular, we can identify functions for exfiltrating the keychain, extracting saved passwords, and grabbing files.

Some, but not all, versions contain methods seemingly targeting Telegram and Meta services.

Samples of MetaStealer have been observed reaching out to one of the following domains:

api.osx-mac[.]com
builder.osx-mac[.]com
db.osx-mac[.]com

MetaStealer has also been observed attempting to open an outgoing TCP connection to either host 13[.]125.88[.]10 or 13[.]114.196[.]60 over port 3000.

Is MetaStealer Related to Atomic Stealer?

Earlier this year we documented how another macOS infostealer, Atomic Stealer, was being offered for rent to threat actors via a Telegram channel. Last week, other researchers noted that a version of Atomic Stealer was being distributed via malvertising through Google Ads using a typosquatting technique to deliver a fake TradingView application. Interestingly, some versions of MetaStealer are also masquerading as TradingView.

MetaStealer masquerading as TradingView

However, despite both being Go-based infostealers that also use osascript to display error messages to the user on execution, we see little actual code overlap between MetaStealer and Atomic Stealer. We also note that the network infrastructure and observed method of delivery in MetaStealer campaigns is rather different to that seen in Atomic Stealer.

At this point, we cannot rule out that the same team of malware developers could be behind both stealers and that differences in delivery are due to different buyers of the malware, but it is also equally possible that entirely different individuals or teams are simply using similar techniques to achieve the same objectives.

How to Stay Safe from MetaStealer Malware

The SentinelOne Singularity platform detects these and all other samples of MetaStealer malware both on-write and on execution.

Yes, SentinelOne detects MetaStealer

As noted above, Apple’s XProtect update v2170 contains a detection signature for some versions of MetaStealer but not all, so organizations without SentinelOne or another capable security solution are advised to review the indicators below for threat hunting and mitigation.

Conclusion

The appearance of yet another macOS infostealer this year shows that targeting Mac users for their data continues to rise in popularity among threat actors. What makes MetaStealer notable among this crop of recent malware is the clear targeting of business users and the objective of exfiltrating valuable keychain and other information from these targets. Such high-value data can be used to pursue further cybercriminal activity or gain a foothold in a larger business network.

All Mac users are advised to ensure they have an adequate security solution in place and IT and security teams are encouraged to review the comprehensive list of IoCs below.

Indicators of Compromise

MetaStealer Droppers


Mach-O Binaries – Intel x86_64


Network Communications

IPs
13[.]114.196[.]60
13[.]125.88[.]10

Domains
api.osx-mac[.]com
builder.osx-mac[.]com
db.osx-mac[.]com

URLs

hXXps[:]//api.osx-mac[.]com/api/collections/victims/records
returns:
{"page":1,"perPage":30,"totalItems":0,"totalPages":0,"items":[]}
hXXp[:]//api.osx-mac[.]com/chainbreaker
returns:
{"code":404,"message":"Not Found.","data":{}}

Developer ID
Bourigaultn Nathan (U5F3ZXR58U)

The Good, the Bad and the Ugly in Cybersecurity – Week 36

The Good | US and UK Sanction Russian Cybercrime Gang

The US and UK governments imposed joint sanctions on 11 Russian individuals this week for their part in ransomware and other cybercrime activities widely attributed to the Conti and TrickBot gangs. Nine of the eleven have further been charged with ransomware offences in the US.

The individuals took part in or facilitated attacks on hospitals and other critical infrastructure, a statement from the British government said on Thursday.

According to the UK’s National Crime Agency (NCA), the group has extorted more than $180 million in attacks on hospitals, schools, local authorities and businesses around the world. The new sanctions will target the 11 Russian men with asset freezes and travel bans in an attempt to hamper their ability to monetize their cybercrime activities. They also prohibit ransomware victims from making payments or transferring funds to the sanctioned individuals.

Source X (Twitter)

The 11 sanctioned individuals are:

  • Andrey Zhuykov (aka ‘Defender’, ‘Dif’ and ‘Adam’),
  • Maksim Galochkin (aka ‘Bentley’, ‘Volhvb’ and ‘Max17’)
  • Maksim Rudenskiy (aka ‘Buza’, ‘Silver’ and ‘Binman’)
  • Mikhail Tsarev (aka ‘Mango’, ‘Fr*ances’ and ‘Khano’)
  • Dmitry Putilin (aka ‘Grad’ and ‘Staff’)
  • Maksim Khaliullin (aka ‘Kagas’)
  • Sergey Loguntsov (aka ‘Begemot’, ‘Begemot_Sun’ and ‘Zulas’)
  • Alexander Mozhaev (aka ‘Green’ and ‘Rocco’)
  • Vadym Valiakhmetov (aka ‘Weldon’, ‘Mentos’ and ‘Vasm’)
  • Artem Kurov (aka ‘Naned’)
  • Mikhail Chernov (aka ‘Bullet’ and ‘m2686’)

The UK government said that by stripping away the anonymity of the criminals who hide behind online pseudonyms and monikers, they hope to disrupt their ability to conduct criminal businesses.

The Bad | NSO Pegasus Exploit Caught In the Wilds of Washington DC

A report from Citizen Lab this week revealed that an iPhone zero-click, zero-day exploit was used to deliver NSO’s Pegasus spyware to an employee of a Washington DC-based civil society organization.

Although full details have yet to be disclosed, the attack involves exploiting Apple Wallet Passes – digital images containing information that can be used instead of tickets or plastic cards. It appears that a threat actor sent a maliciously crafted Apple Wallet pass to the target’s iMessage account. The exploit was then used to deliver Pegasus spyware, a product developed and sold by NSO, a US-sanctioned company and private sector offensive actor.

apple wallet zero day

This is not the first time Pegasus has been caught in the wild making use of a zero-click Apple zero day. In 2021, Citizen Lab discovered that FORCEDENTRY, a vulnerability in Apple’s Core Graphics framework, was used to deliver Pegasus to an iOS device belonging to a Saudi activist.

Dubbing the entire exploit chain BLASTPASS, Citizen Lab says that it is capable of compromising the current version of iOS (16.6) without interaction from the target. Apple has reportedly said that devices operating in Lockdown Mode are not vulnerable to BLASTPASS.

The vulnerabilities making the exploit chain possible have been tagged as CVE-2023-41061 and CVE-2023-41064. Apple released an emergency software update for both iOS and macOS on Thursday to address the issue and all iPhone and Mac users are urged to update immediately.

The Ugly | Unpatched Zero Day in ‘Popular Software Package’ Targets Researchers

Cybersecurity researchers are on alert this week as news comes of a zero-day in an unnamed ‘popular software package’ being exploited by North Korean-linked threat actors to compromise infosec professionals.

Google’s Threat Analysis Group says it discovered the vulnerability as part of its tracking of an ongoing campaign targeting security researchers. However, they have declined to name either the vendor or the package concerned until a patch is available in order to prevent other cybercriminals and threat actors from taking advantage.

It is believed that the exploit is delivered to selected targets after a lengthy period of grooming on social media. In one reported incident, a threat actor posing as a researcher made initial contact with the victim via X (Twitter) and Mastodon, using the account names Paul091_ and paul354, respectively. They then engaged in a conversation for several months around the topic of collaborating on security research.

paul threat actor on twitter
Source: Google TAG

After building trust with the target, the attackers moved the conversation to an encrypted messaging app, from which they eventually sent a malicious file containing the zero day exploit.

The exploit was used to deliver shellcode to the victim’s computer that first runs checks to ensure the device is not running on a virtual machine. The shellcode then sends data including a screenshot back to the attacker’s command-and-control server. Analysis of the shellcode reveals similarities to that seen in previous North Korean-linked attacks.

While security researchers may have been the target in this campaign, it should serve as a timely reminder to anyone that unsolicited social media contacts are a vector for compromise and appropriate caution and security controls need to be in place.

LABScon 2023 | Security Research in Real Time – Talks Not to Miss, Part One

LABScon is back – after last year’s stunning success, the bespoke, invite-only conference for the cybersecurity industry’s leading experts, threat investigators, journalists, academics and government partners returns for its second installment in Scottsdale, Arizona from 20th September through to 24th (places are limited, but it’s still possible to request an invite).

Showcasing cutting-edge research into cyber threat actors, hunting techniques, vulnerabilities, exploits and new tooling, LABScon offers a unique opportunity to interface with leading researchers and journalists without the distractions of vendor halls and product pitching.

This year’s lineup of speakers includes veterans of the cybersecurity landscape from Cisco Talos, ESET, Intezer, Mandiant, Microsoft, Red Canary, SentinelLabs, Sophos and more. In this post, we take a sneak peek into some of the research that will be presented at LABScon23.

For those that can’t make it, don’t forget to bookmark both the LABScon homepage and the SentinelLabs homepage to keep an eye out for the release of video recordings after the event. Many of the talks from last year are available here.

Who’s Speaking at LABScon 23?

The event will kick off with a keynote speech from Christiaan Triebert from the New York Times’ Visual Investigations team. Renowned for his work on exposing the Russian bombing of hospitals in Syria and Iran’s downing of a civilian airliner, Christiaan has earned multiple prestigious awards for his work, including two Pulitzer Prizes.

Christiaan’s keynote will be followed by an action-packed program of over 30 talks. We welcome back some of our distinguished speakers from LABScon 22 such as Kim Zetter, Kristin Del Rosso, MJ Emanuel, Paul Rascagneres, Greg Lesnewich and Alex Matrosov, and extend a warm welcome to a fantastic gallery of new LABScon speakers this year, including Zuzana Hromcová from ESET, cyber lawyer Elizabeth Wharton, Bendik Hagen from PwC, Red Canary’s David Bogle, Adam Rawnsley from Rolling Stone and many more.

In addition, SentinelLabs researchers Juan Andrés Guerrero-Saade, Tom Hegel and Aleksandar Milenkoski will be presenting the latest on their research projects to the LABScon audience.

The full schedule for this year’s LABScon is now available here. In the meantime, enjoy this sneak peek of what we have on offer. Below, we spotlight a selection of presentations we have lined up to give you a flavor of what to expect at LABScon 2023.

Adam Rawnsley | Meet the Iranian Company Powering Russia’s Drone War on Ukraine

One day in 2021, a self-professed “hacktivist” popped into my direct messages, told me his “group” had noticed I’d done the most work on Mado, and dumped videos and documents allegedly hacked from the company’s network and CEO.

The material—painstakingly verified with the help of colleagues—fleshes out a portrait of the company I’d been sketching out for years. Thanks to the additional sourcing and some help from colleagues at the Middlebury Institute of International Studies (MIIS) and work by others, we can confirm that Mado’s are now powering the Iranian drones raining down on Ukraine and are likely in some of the cruise missiles Iran and its proxies have launched at Saudi Arabia, and the United Arab Emirates.

Using the hacked documents and videos along with court records, web registration information, business records, and other open sources, we can trace the rise of a key Iranian drone company from late 2000s aviation forum posts to contracts with some of the highest ranking generals in the Islamic Revolutionary Guard Corps. Mado’s trail starts in Iran but moves through China, Germany, Saudi Arabia, an Iranian motorcycle company, and finally Russia and Ukraine.

Elizabeth Wharton | Send Lawyers, ‘Garchs, and Money

Allegations of oligarch election meddling and influence are old news as we head into 2024. While prosecutors focus on the money trail in building threat intelligence based cases for indictment, don’t overlook oligarch-funded lawyers with creative delay and distract defense tactics. From twisting data privacy laws to using funds for SLAPP libel cases to leaking legal discovery, we’ll dissect a series of US and UK cases where oligarchs are throwing lawyers and money as curveballs to thwart influence and cybercrime prosecutions. We’ll also look at ways to further leverage these cases as opportunities for closing policy gaps and for open source intelligence data gathering.

Bendik Hagen & Adrien Bataille | Pulling the (KEY)PLUG: A dive into the ecosystem of yet another shared malware family

KEYPLUG has been publicly referenced on several occasions but never in great detail. Past analysis has associated this malware family with APT41 / Brass Typhoon and public reporting described activity in 2021 targeting US state governments. But is there more to it?

During the past year, we dug into KEYPLUG internals and related samples where we uncovered new loaders and plugins. We tracked its associated infrastructure and the protocols adversaries use in order to avoid detection and stay one step ahead. Throughout our analysis, we discovered several different users of KEYPLUG, which we will present here, each with distinct characteristics and victims.

In addition, we will detail opportunities and challenges of detecting KEYPLUG from a network perspective and on the endpoint, based on recent observations and discoveries of these new groups. We will show ways to attribute these activities differently based solely on how KEYPLUG is being used, and how little details can make a difference. We hope to show the audience that although it can be difficult, attribution based on shared tooling or malware is still possible and brings important pieces to the bigger puzzle.

Dan Black & Luke Jenkins | BEATDROP: Spy, Burn, Rebuild, Repeat

The Russian government’s Foreign Intelligence Agency (SVR) is responsible for conducting nation state espionage against diplomatic entities globally. In the lead up to Ukraine’s pivotal counteroffensive, Mandiant observed APT29 substantially increase its targeting of foreign embassies in Ukraine, with new campaigns now being identified on a weekly basis alongside its typical targeting of other diplomatic entities in Europe and further afield.

Coupled with this shift in targeting, we also observed a major shift in APT29’s tooling and tradecraft. This shift in tooling is resulting in major innovations in the delivery chain in addition to new bespoke malware families responsible for persistence, data collection and subsequent malware delivery.

This presentation aims to discuss these new APT29 waves Mandiant identified in 2023, taking a look at the technical details of the capability and discussing the defensive changes made by APT29 to remain undetected by the threat intelligence community.

Dave Bogle | Entering the hive: Understanding eBPF-based malware

eBPF (extended Berkeley Packet Filter) is a rapidly growing technology that’s revolutionizing the Linux ecosystem. It allows developers to write code that can safely run in the kernel while handling much of the processing and analysis in userspace. As with most new and useful tech, adversaries will inevitably begin to leverage eBPF to implement common malware tradecraft.

This presentation explores how adversaries can leverage the power of eBPF to implement common tradecraft such as process hiding, file hiding, privilege escalation, and more. We’ll examine this emergent eBPF tradecraft from both the offensive and defensive perspective, analyzing the many ways that adversaries might abuse eBPF and diving into the identification, classification, and detection of eBPF malware — while also educating the audience about how the technology is also useful for endpoint and cloud security vendors.

Kristin Del Rosso & Matt Devost | Ghost in the Breach: Using breach intelligence to hunt hidden Russian assets

Following the invasion of Ukraine, increased sanctions against Russian individuals and entities led to an increase in large-scale, fully litigated judgments and the creation of international task forces focused on seizing assets from Russian oligarchs.

Russian individuals and entities have repeatedly employed extensive obfuscation techniques and utilized shell corporations in multiple jurisdictions globally to successfully hide or transfer assets – that is, until their data got leaked. The ever-growing amount of leaked data has proven to be a valuable tool for additional researcher context, as well as novel information sourcing, theory confirmation, and new asset discovery.

We will delve into two real-world use cases where breach data provided crucial insights, uncovering additional US assets belonging to a sanctioned oligarch, as well as another entity’s coordinated efforts to control assets based on insider knowledge of the Russian invasion, in a preemptive attempt to remain a beneficiary while avoiding impending sanctions.

Data leaks are of growing importance in augmenting OSINT investigations, and participants will leave aware of potential data leaks that can be used as invaluable resources, as well as best practices for sorting through the data.

Vitor Ventura & Michael Gentile | Intellexa and Cytrox: From fixer-upper to Intel Agency grade spyware

Mercenary spyware companies need to evolve their spyware capabilities just like software from any other commercial company. This presentation details an account and timeline of one such mercenary organization, from almost bankrupt to having a fully working spyware targeting iOS and Android with one-click zero-day exploits.

Intellexa, a conglomerate of commercial spyware creators, was born out of the merger of existing mercenaries: Nexa Technologies, WiSpear and Cytrox, a Macedonian company focused on the Android platform. The spyware created by Intellexa is highly modular and versatile, deployed via zero-day attacks against a variety of victims targeted by unscrupulous state-related actors all over the world. From the moment Cytrox was “rescued” by Intellexa, it started to revamp its suite of spyware called ALIEN/PREDATOR. Based on code analysis and OSINT, this presentation will take the audience on a journey through time, describing key milestones for capability building, hiring, sales pitch and finally the delivery of their solution to potential customers.

Throughout our presentation we will share the fundamentals of our analyses, providing the audience with insightful techniques that can be replicated in their own research and that help in the construction of timelines based on binary analysis.

We break down all major events in ALIEN and PREDATOR’s development cycle leading up to the first campaigns ever attributed to Cytrox, highlighting their operational tactics along the way.

Finally, we will make a code-level review of the different components of the spyware, followed by a high-level comparison between the ALIEN/PREDATOR tag team and the solo PREDATOR for iOS and the reasoning behind such platform-specific differences, while illustrating that ultimately the core and capabilities of the spyware are basically the same.

Zuzana Hromcová | They spilled oil in my health-boosting smoothie: How OilRig keeps access to healthcare orgs and Israeli local governments

Zuzana Hromcová

OilRig is a well-known Iran-aligned cyberespionage group, allegedly under the MOIS (Ministry of Intelligence and Security), that has been targeting Middle Eastern governments and a variety of business verticals since at least 2014. In this presentation, we study the group’s persistent attacks on Israeli healthcare and local governments, often with the same organizations targeted multiple times over the course of several years, suggesting that OilRig considers them to be of high espionage value.

We look at the group through the eyes of an Israeli local government organization and a group of healthcare organizations that recovered from the Out to Sea compromise in 2021, only to find themselves retargeted by several versions of OilRig’s SC5k downloader, followed by the new OilBooster and Mango backdoors throughout 2022.

In the process, we disclose the previously undocumented 2021 Outer Space and 2022 Juicy Mix campaigns, notable for their new C# backdoors dubbed Solar and Mango, and a set of custom post-compromise tools that are used to collect credentials, cookies, and browsing history from major browsers and from the Windows Credential Manager. Although these are not sophisticated tools, they are tweaked frequently, and we inspect the added layers of obfuscation and detection evasion techniques.

Next, we discuss OilRig’s ongoing shift away from traditional C&C infrastructure towards Microsoft APIs. We look at the mechanism behind using the OneDrive API (OilBooster) and Microsoft Office 365 API (SC5k downloader) for their C&C communications, and the difficulty this presents for tracking OilRig.

Finally, we focus on the group’s characteristic TTPs that remain unchanged despite the constant stream of updated and newly developed tools – including their frequent coding mistakes, noisy presence on compromised systems, and other characteristics that allow us to keep a close eye on the group.

Request an Invite

These are just a few of the exciting talks coming up at LABScon 2023, a premier event where the brightest minds in cybersecurity come together to share their insights. We’ll be highlighting further upcoming talks soon, but in the meantime it’s still not too late to request an invite. A limited number of tickets remain available, so hurry and click that button if you’d like to come and join us.
