Finland’s Most-Wanted Hacker Nabbed in France

Julius “Zeekill” Kivimäki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimäki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest.

In late October 2022, Kivimäki was charged (and “arrested in absentia,” according to the Finns) with attempting to extort money from the Vastaamo Psychotherapy Center. In that breach, which occurred in October 2020, a hacker using the handle “Ransom Man” threatened to publish patient psychotherapy notes if Vastaamo did not pay a six-figure ransom demand.

Vastaamo refused, so Ransom Man shifted to extorting individual patients — sending them targeted emails threatening to publish their therapy notes unless paid a 500-euro ransom.

When Ransom Man found little success extorting patients directly, they uploaded to the dark web a large compressed file containing all of the stolen Vastaamo patient records.

But as documented by KrebsOnSecurity in November 2022, security experts soon discovered Ransom Man had mistakenly included an entire copy of their home folder, where investigators found many clues pointing to Kivimäki’s involvement. From that story:

“Among those who grabbed a copy of the database was Antti Kurittu, a team lead at Nixu Corporation and a former criminal investigator. In 2013, Kurittu worked on an investigation involving Kivimäki’s use of the Zbot botnet, among other activities Kivimäki engaged in as a member of the hacker group Hack the Planet (HTP).”

“It was a huge opsec [operational security] fail, because they had a lot of stuff in there — including the user’s private SSH folder, and a lot of known hosts that we could take a very good look at,” Kurittu told KrebsOnSecurity, declining to discuss specifics of the evidence investigators seized. “There were also other projects and databases.”

According to the French news site actu.fr, Kivimäki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimäki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument.

Police responding to the scene were admitted by another woman — possibly a roommate — and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6′ 3″ blonde, green-eyed man presented an ID that stated he was of Romanian nationality.

The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimäki and took him into custody.

Kivimäki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimäki’s involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP.

Finnish police said Kivimäki also used the nicknames “Ryan”, “RyanC” and “Ryan Cleary” (Ryan Cleary was actually a member of a rival hacker group — LulzSec — who was sentenced to prison for hacking).

Kivimäki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimäki’s alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimäki was 15 years old at the time.

The DDoS-for-hire service allegedly operated by Kivimäki in 2012.

In 2013, investigators going through devices seized from Kivimäki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe’s ColdFusion software.

KrebsOnSecurity detailed the work of HTP in September 2013, after the group compromised servers inside data brokers LexisNexis, Kroll, and Dun & Bradstreet.

The group used the same ColdFusion flaws to break into the National White Collar Crime Center (NWC3), a non-profit that provides research and investigative support to the U.S. Federal Bureau of Investigation (FBI).

As KrebsOnSecurity reported at the time, this small ColdFusion botnet of data broker servers was being controlled by the same cybercriminals who’d assumed control over ssndob[.]ms, which operated one of the underground’s most reliable services for obtaining Social Security numbers, dates of birth, and credit file information on U.S. residents.

Multiple law enforcement sources told KrebsOnSecurity that Kivimäki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimäki.

Kivimäki also was involved in calling in multiple fake bomb threats and “swatting” incidents — reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Kivimäki’s apparent indifference to hiding his tracks drew the interest of Finnish and American cybercrime investigators, and soon Finnish prosecutors charged him with an array of cybercrime violations. At trial, prosecutors presented evidence showing he’d used stolen credit cards to buy luxury goods and shop vouchers, and participated in a money laundering scheme that he used to fund a trip to Mexico.

Kivimäki was ultimately convicted of orchestrating more than 50,000 cybercrimes. But largely because he was still a minor at the time (17), he was given a 2-year suspended sentence and ordered to forfeit EUR 6,558.

As I wrote in 2015 following Kivimäki’s trial:

“The danger in such a decision is that it emboldens young malicious hackers by reinforcing the already popular notion that there are no consequences for cybercrimes committed by individuals under the age of 18.

Kivimäki is now crowing about the sentence; he’s changed the description on his Twitter profile to “Untouchable hacker god.” The Twitter account for the Lizard Squad tweeted the news of Kivimäki’s non-sentencing triumphantly: “All the people that said we would rot in prison don’t want to comprehend what we’ve been saying since the beginning, we have free passes.”

Something tells me Kivimäki won’t get off so easily this time, assuming he is successfully extradited back to Finland. A statement by the Finnish police says they are seeking Kivimäki’s extradition and that they expect the process to go smoothly.

Kivimäki could not be reached for comment. But he has been discussing his case on Reddit using his legal first name — Aleksanteri (he stopped using his middle name Julius when he moved abroad several years ago). In a post dated Jan. 31, 2022, Kivimäki responded to another Finnish-speaking Reddit user who said they were a fugitive from justice.

“Same thing,” Kivimäki replied. “Shall we start some kind of club? A support organization for wanted persons?”

The Good, the Bad and the Ugly in Cybersecurity – Week 5

The Good

The FTC this week has handed out a $1.5 million penalty to a U.S. healthcare company that promised its customers it would “never share personal health information with advertisers or third parties” and then allegedly did precisely that.

The Department of Justice filed an enforcement action on behalf of the FTC against GoodRx under its new Health Breach Notification rule. The complaint against the company accused it of failing to notify customers about unauthorized disclosure of health PII (personally identifiable information). According to the FTC, GoodRx repeatedly shared individually identifiable health information over a four-year period with Facebook, Google, Twilio, Branch, and Criteo.

The FTC went on to complain that GoodRx had uploaded contact details of its own customers to Facebook along with advertising IDs, and that it used privileged information about those customers’ previous medication purchases to target their profiles with health-related ads. In doing so, the company exposed their information to Facebook, which itself is facing multiple ongoing lawsuits related to scraping data from hospital websites for use in targeted ads.

FTC director Samuel Levine said of the action that “Digital health companies and mobile apps should not cash in on consumers’ extremely sensitive and personally identifiable health information” and that the FTC would continue to use its legal authority to protect American consumers.

The Bad

SIM swapping attacks, where a threat actor impersonates a customer of a mobile phone carrier and requests a transfer of the customer’s number to a new device, have been utilized to pull off some high profile hacks recently. This week, it’s bad news for Google Fi customers, who have been targeted by hackers that gained access to technical SIM data after breaching a Google Fi network provider.

Google’s U.S. telecommunications and mobile internet service, Google Fi, informed customers this week that personal data had been exposed after a breach of one of its network providers. Google notified customers that the incident had exposed their phone numbers, SIM card serial numbers, and other details. However, the company emphasized that there was no access to Google’s systems or any systems overseen by Google.

Users on social media, however, soon began reporting notifications from Google Fi that described SIM swapping attacks.

SIM swapping attacks allow the attacker to receive both phone calls and SMS text messages intended for the legitimate user and, among other things, allow attackers to intercept text-based 2FA authentication messages.

Google says its incident response team investigated the breach and implemented measures to secure data on the provider’s system and notified everyone potentially impacted. The SIM swapping attacks were temporary and Google Fi has since restored service to all customers’ registered SIM cards.

The Ugly

Threat actors have been creating malicious OAuth applications as part of a phishing campaign aimed at breaching Microsoft cloud services, it was revealed this week.

According to MSRC, threat actors ran a consent phishing campaign after impersonating companies enrolling in MCPP/MPN (Microsoft Cloud Partner Program, aka Microsoft Partner Network). Consent phishing works by tricking users into granting permissions to malicious cloud applications that can then be weaponized to compromise legitimate cloud services and access sensitive data.

Once victims granted access to the malicious OAuth apps, threat actors used them to exfiltrate email mailboxes, likely with the further objective to use the stolen data in email Reply Chain attacks, Business Email Compromises (BEC), and spear phishing attacks.

The campaign, which primarily targeted MCPP customers in the UK and Ireland, was first spotted on December 15th last year, with the actors using fraudulent partner accounts to register OAuth applications in Azure AD that appeared to be from verified publishers.

The Redmond tech giant says that all identified fraudulent applications have now been disabled and affected customers informed. Even so, it comes amid turbulent times for the company. Despite announcing security sales of over $20 billion in 2022, the company’s products across endpoint and cloud remain notorious for multiple high-impact vulnerabilities and cloud-based attack vectors.

Attacks using bogus OAuth apps have targeted Microsoft’s cloud services before, with separate threat activities seen in January 2022 and September 2022, according to reports.

The Advantages of eBPF for CWPP Applications

Extended Berkeley Packet Filter (eBPF) is a framework for loading and running user-defined programs within the Linux OS kernel, to observe, change, and respond to kernel behavior without the destabilizing impact of kernel modules. eBPF provides kernel-level visibility directly from user space. This combination of visibility and stability makes the eBPF framework particularly attractive for security applications.

In this blog post, we describe how eBPF works, its significance to cloud workload protection platforms (CWPP) for machine-speed detection of OS-level runtime threats, and the benefits of such an architectural approach, namely stability, scalability, and performance. We will then summarize how SentinelOne has over the last 3 years, in close cooperation with leaders across a wide variety of verticals, crafted the most high-performing, resource-efficient, and DevOps-friendly CWPP solution on the market.

eBPF Architectural Overview

eBPF programs allow us to observe and respond to application (workload) behavior within the kernel without modifying the application code itself. This is useful for many applications, especially security applications such as cloud workload protection.

Consider the following diagram in Figure 1, modified for simplicity from the original found at ebpf.io.

Figure 1: Simple Architectural Overview

Here, we have an application (for example, a CWPP agent) running in user space which includes an eBPF program for process-level visibility within the Linux kernel. The eBPF program itself is bytecode, though developers usually write it in a higher-level language whose compiler can emit eBPF bytecode. The program is loaded into the Linux kernel, where it is immediately checked by the eBPF Verification Engine. It is then compiled and attached to a specific kernel event chosen by the developer; this is what is meant when one says that eBPF programs are “event-driven.” Whenever that event occurs, the attached program runs its observation and analysis tasks to completion and presents results back to the application.

The mechanism by which information is transferred between the eBPF program and the user space application/workload is called “eBPF Maps” or simply “maps”. Now that we have a high-level overview, let’s dig in a little deeper for a more complete understanding.

eBPF Safety

The eBPF Verification Engine and Just-in-Time Compiler are the means by which the eBPF framework ensures that, first and foremost, the eBPF program to be loaded and run within the kernel does not destabilize the kernel. This is Rule No. 1: Do No Harm.

Kernel Modules: The Inferior Alternative

Consider the alternative to eBPF: writing kernel modules. Kernel modules raise concerns about operational stability and complexity. While writing a kernel module does indeed allow a developer to change kernel behavior, it is a highly specialized skill, which therefore makes staffing and retention an issue. More pointedly, using kernel modules raises two critical risk questions: (1) will my kernel module crash the machine? and (2) will it introduce a security vulnerability?

In addition to stability and security concerns, there is the matter of operational overhead: a kernel module only works for a specific Linux kernel version and distribution. Maintaining the kernel module consumes precious developer cycles and complicates operational management unnecessarily. The eBPF framework addresses each of these pain points, making kernel modules far less desirable.

Before any eBPF program is loaded into the kernel, it passes through the Verification Engine and JIT Compiler. The Verifier ensures that the program is safe to run, will not crash the system, and will not compromise data. It validates that several conditions are met:

  1. The process loading the eBPF program has the necessary privileges to do so.
  2. The eBPF program does not crash the system.
  3. The eBPF program runs to completion. That is, it does not loop indefinitely.

Once verified, the JIT Compiler translates the program from bytecode into machine instructions, optimizing for speed of execution.

Now that the eBPF program is verified and compiled, it is attached to a kernel-level event, such that when the event occurs, the program is triggered, run to completion, and information presented to the user space application. This brings us to eBPF Maps, or simply “maps”.

eBPF Maps

eBPF maps are the mechanism by which information transfers between the eBPF program and the user space application. Bidirectional information flow is supported. A map is a data structure that the eBPF program and user space application can read or write.

For example, the program might be triggered on an event such as gzip of a file. The eBPF program will write some information about that event, such as the file name, filesize, and gzip timestamp, to the map. It might also increment the number of times a gzip operation occurs within a given period of time. If that number exceeds a certain threshold, the eBPF program can write a judgment of “MALICIOUS” to the data structure. Stated simply, the eBPF program observed behavior indicative of a ransomware attack and flagged this behavior as malicious. The user space program – in our example, a cloud workload protection (CWPP) agent – can read that map, see the malicious judgment, and take appropriate action. Basic information processing occurred within the eBPF program, minimizing the amount of information passed to the user space application and thereby optimizing performance.
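As an added illustration (editor-written example code, not SentinelOne’s agent), the following plain C models the gzip-burst logic described above: the event handler plays the role of the eBPF program, the fixed-size table plays the role of the BPF hash map, and the agent side only reads verdicts. The 10-second window, the 50-event threshold, and the sample pids are assumed values; in a real deployment the handler would be attached to a kernel hook and the table would be a BPF map, but the aggregation logic is the same.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_MAX_ENTRIES 64                        /* BPF maps are fixed-size too */
#define WINDOW_NS       (10ULL * 1000000000ULL)   /* assumed: 10 s counting window */
#define BURST_THRESHOLD 50                        /* assumed: 50 compressions per window */

enum verdict { VERDICT_NONE = 0, VERDICT_MALICIOUS = 1 };

/* Map value: the per-process state the in-kernel program keeps. */
struct burst_state {
    uint32_t pid;               /* key, kept here so user space can iterate */
    uint8_t  in_use;
    uint64_t window_start_ns;
    uint32_t count;             /* events seen in the current window */
    uint32_t verdict;           /* enum verdict; stays set until user space acts */
    char     last_file[64];     /* a detail the analyst will want */
};

struct burst_map { struct burst_state slots[MAP_MAX_ENTRIES]; };

static struct burst_map demo_map;   /* stands in for the shared BPF hash map */

/* Open-addressing lookup/insert. NULL on a full map mirrors bpf_map_update_elem()
 * failing on a full BPF hash map: the program must cope, not crash. */
static struct burst_state *map_lookup_or_insert(struct burst_map *m, uint32_t pid)
{
    uint32_t start = (pid * 2654435761u) % MAP_MAX_ENTRIES;
    for (uint32_t i = 0; i < MAP_MAX_ENTRIES; i++) {
        struct burst_state *s = &m->slots[(start + i) % MAP_MAX_ENTRIES];
        if (!s->in_use) {
            memset(s, 0, sizeof *s);
            s->in_use = 1;
            s->pid = pid;
            return s;
        }
        if (s->pid == pid)
            return s;
    }
    return NULL;
}

/* "The eBPF program": runs to completion on each compression event, does the
 * counting in place, and writes the judgment into the map. */
uint32_t handle_compress_event(struct burst_map *m, uint32_t pid,
                               const char *filename, uint64_t now_ns)
{
    struct burst_state *s = map_lookup_or_insert(m, pid);
    if (!s)
        return VERDICT_NONE;                    /* map full: event dropped */
    if (s->count == 0 || now_ns - s->window_start_ns >= WINDOW_NS) {
        s->window_start_ns = now_ns;            /* open a fresh window */
        s->count = 0;
    }
    s->count++;
    snprintf(s->last_file, sizeof s->last_file, "%s", filename);
    if (s->count >= BURST_THRESHOLD)
        s->verdict = VERDICT_MALICIOUS;
    return s->verdict;
}

/* "The CWPP agent": user space reads the map and collects flagged pids;
 * the raw per-event stream never has to cross the kernel boundary. */
int collect_malicious_pids(const struct burst_map *m, uint32_t *out, int max_out)
{
    int n = 0;
    for (int i = 0; i < MAP_MAX_ENTRIES && n < max_out; i++)
        if (m->slots[i].in_use && m->slots[i].verdict == VERDICT_MALICIOUS)
            out[n++] = m->slots[i].pid;
    return n;
}

/* Constructed scenario, no kernel involved: a slow backup job and a burst.
 * Returns 1 when exactly the bursting process (pid 4242) is flagged. */
int run_demo_scenario(void)
{
    uint64_t t = 0;
    memset(&demo_map, 0, sizeof demo_map);
    for (int i = 0; i < 150; i++, t += 2000000000ULL)          /* one file every 2 s */
        handle_compress_event(&demo_map, 1001, "/srv/backup/db.sql", t);
    for (int i = 0; i < 60; i++)                                /* 60 files in 300 ms */
        handle_compress_event(&demo_map, 4242, "/home/user/doc.txt", t + i * 5000000ULL);
    uint32_t pids[MAP_MAX_ENTRIES];
    int n = collect_malicious_pids(&demo_map, pids, MAP_MAX_ENTRIES);
    return n == 1 && pids[0] == 4242;
}

/* The verdict is sticky: a later event in a new window still reports it. */
uint32_t demo_verdict_after_new_window(void)
{
    return handle_compress_event(&demo_map, 4242, "/home/user/next.txt", 1000ULL * WINDOW_NS);
}

int main(void)
{
    printf("scenario ok: %d\n", run_demo_scenario());
    printf("pid 4242 later verdict: %u\n", demo_verdict_after_new_window());
    return 0;
}
```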

Advantages of eBPF within CWPP

A cloud workload protection platform agent does what other security controls do not: detect and respond to runtime threats, like ransomware or zero days, in real time. This makes CWPP a vital component of a cloud defense in depth strategy. An organization can, and quite often should, have other cloud security measures in place, such as AppSec, CSPM, and more. Each plays a role in a robust cloud security strategy. A CWPP agent works alongside these other controls, to (1) provide runtime protection and (2) record workload telemetry.

Figure 2: Linux Ransomware Attack Shown in the SentinelOne Console

As shown in Figure 2, a ransomware attack on a cloud compute instance (VM) can lock up a cloud workload in milliseconds. Note that the CWPP agent in this 1-minute video detected and stopped the ransomware attack mere moments (less than a second) after it was launched.

Try getting this real-time response from a side-scanning solution. You cannot. Side-scanning is typically run only once a day, because taking snapshots of a cloud compute instance’s storage volumes for inspection is cost-prohibitive. Moreover, a side-scan architecture lacks process-level visibility within the kernel. These are the forensic details which the SOC needs to investigate the incident and to tag and route it to the appropriate DevOps owner. Only a behavioral, real-time CWPP agent using the eBPF framework provides the combination of real-time process-level visibility and stability, making it the preferred choice.

Increasingly, cybersecurity insurance underwriters require CWPP before they will even quote a policy. Machine-speed threats such as ransomware demand an ability to respond faster, and with higher accuracy, than human-powered technology alone. Additionally, a historical record of workload telemetry not only facilitates investigation in the event of a security incident, but also makes proactive threat hunting possible. In this way, threat actors can be stopped before they even launch an attack.

The application of the eBPF framework within a CWPP program offers several advantages, including but not limited to:

  • Operational stability
  • System performance
  • Business agility

Operational Stability

While a kernel module can provide the kernel visibility which a CWPP application requires, running code in the kernel can be dangerous. A false move can destabilize the system (i.e., kernel panic) or introduce a security vulnerability into the kernel. Neither of these outcomes is in any way acceptable, especially where a CWPP agent is concerned. A CWPP agent that uses kernel modules can cause kernel panics that crash the VM and brick your workload. These unplanned outages threaten financial performance, order fulfillment, and customer loyalty, and create costly, disruptive fire drills.

In stark contrast to a kernel module, the eBPF framework includes safety controls such as the Verification Engine, JIT Compiler, and more. As a result, eBPF programs will not crash the kernel. Neither can they reach into arbitrary memory space within the kernel, making them much less prone to security vulnerabilities. eBPF programs provide all the kernel-level visibility with none of the risk from kernel modules: no tainted kernels or panics. For these reasons, eBPF is the preferred choice for CWPP from an operational stability perspective.

System Performance / Resource Efficiency

Transferring information from within the kernel to user space is slow and introduces performance overhead (CPU, memory). In contrast, the eBPF framework enables us to observe kernel behavior and perform analysis within the kernel before transferring a subset of results back to user space. This creates a fundamental performance advantage for CWPP agents operating in user space which use eBPF programs. eBPF provides high observability with lower overhead relative to CWPP agents built on kernel modules.

Business Agility

Developers should be focused on innovation, not on juggling the kernel dependency hassles which kernel modules introduce. By operating from user space, DevOps have more flexibility to update the host OS image with less concern of that update conflicting with their CWPP agent. eBPF makes this possible. As a result, more DevOps can be devoted to innovation, and less (much less) to maintenance concerns.

Moreover, because the CWPP agent itself uses the eBPF framework and avoids kernel modules, the vendor too is more focused on innovation. And of course the customer reaps the benefits of this virtuous cycle of agile velocity.

Singularity Cloud Workload Security

Working with Customers

At SentinelOne, we work closely with our customers, innovating and advancing existing solutions, even as we accelerate execution of our product vision. Dating back to 2019, a customer urged us to re-architect our Linux CWPP agent to use eBPF. The easy answer would have been to politely decline, but we are both intellectually curious and fanatical about customer success. Once we understood the benefits which eBPF would bring to our customers, we got to work. The result? SentinelOne customers around the world have the advantage of a CWPP continuously refined over 3 years, and which has delivered some exceptional performance.

High Performance

Independent test results prove this out. In April 2021, MITRE Engenuity published its MITRE ATT&CK benchmark results for Carbanak & FIN7, an evaluation focused on emulating financial threat groups. For the first time, MITRE ATT&CK included Linux servers in its testing. SentinelOne was the only vendor with 100% visibility across Windows devices and Linux servers (Figure 3). We had the most enriched detections (“Analytic Detections,” in MITRE’s vernacular), as shown in Figure 4. Far from “noisy,” our patented Storyline™ technology auto-correlates related detections to maximize signal-to-noise ratio (SNR) and streamline investigation and response.

Figure 3: Visibility, MITRE Engenuity, Carbanak + FIN7
Figure 4: Analytic Detections, MITRE Engenuity, Carbanak+FIN7

CWPP must be real-time if it is to defend cloud workloads from runtime attack and ensure business continuity. Machine-speed attacks spread evil at machine speed. Delayed detections give the adversary the time needed – literally, only a matter of seconds – to bring a cloud workload to a grinding halt. And if not ransomware, then it’s malware quietly spreading throughout your cloud footprint. In broad brushstrokes, the wider the spread, the larger the remediation effort. Delays cost. SentinelOne delivered 100% real-time detection, with zero delays, again, as defined by MITRE. No spin, just a common language to compare apples to apples. The fewer the delays, the better.

Figure 5: Delayed Detections, MITRE, Carbanak + FIN 7

Similarly, the 2022 MITRE Engenuity ATT&CK testing showed SentinelOne had exceptionally high performance. The Wizard Spider + Sandworm emulation also included Linux servers. Here again, SentinelOne led from the front with 99% Analytic Coverage, much more than CrowdStrike, Microsoft, or Trend Micro. Head-to-head comparisons are available at the MITRE Engenuity website.

Figure 6: 2022 MITRE Infographic, SentinelOne Results

Resource Efficiency

SecOps prefer our CWPP performance and partnership, but we recognize that it is Infrastructure & Operations who carry the costs of operating an agent, even if those costs eventually are transferred internally to the lines of business. Any application, be it a CWPP agent or otherwise, requires compute and memory resources to function, and those resources come at a cost. For deployment within a fixed and sunk cost infrastructure such as a data center, such apps take away resources that would otherwise be available for the primary business workloads; while it’s not an incremental operational expense, there is the opportunity cost of resources. For cloud IaaS however, resources used are metered and paid for on-demand; deploying a CWPP agent may necessarily increase the size of the cloud compute instance (e.g., from a t4g.medium to a t4g.large), and thereby incrementally raise its operational expense. It’s a necessary expense, to be sure, but an incremental expense nonetheless.

Therefore, we obsess about CPU and memory utilization as much as we do about performance. Our eBPF agent architecture refined over the years enables us to deliver exceptional security performance in a very compact footprint. Check out this blog post about advancements made in Linux and K8s Agents v22.3. And in July 2022, we announced support for AWS Graviton3, the most recent AWS ARM processor generation providing further benefits in compute, power, etc.

Additionally, if you are running containerized workloads, a single SentinelOne CWPP K8s agent per K8s worker node protects the host, all its pods, and all their containers. Deployed as a DaemonSet, our agent scales automatically to ensure your business workload is defended even under peak demand.

DevOps Friendly

In addition to working closely with customers as partners and delivering performance leadership, we recognize that organizations went to the cloud to go faster, not slower. Innovate swiftly, operate securely. Singularity Cloud Workload Security solves the agility/security paradox by simplifying deployment, automating scalability with workload demand, and of course, operating entirely in user space.

  • Automated deployment fits within standard DevOps provisioning methods, including CloudFormation, Terraform, Helm, and a host of others.
  • We support 13 leading Linux distributions and a wide array of versions, all from a single CWPP agent. Say goodbye to 60 pages of user documentation devoted to “this agent version” mapped to “that Linux distribution.” Our eBPF agent abstracts away that complexity.
  • Our agent has no kernel modules, so DevOps don’t have to worry about kernel panics.

Summary

The advantages of the eBPF framework make it the preferred choice for cloud workload protection. Superior system performance translates to lower operational costs than alternatives relying on kernel modules. Operational stability aspects provide for better business continuity.

Refined over 3 years in a global installed base, Singularity Cloud Workload Security delivers market-leading performance, flexibility, and scalability. If you are searching for a CWPP product which uses the eBPF framework, is preferred by titans of industry and mid-market commercial alike, and which regularly shines in benchmark testing such as MITRE ATT&CK, we hope you consider SentinelOne. Customer case studies and testimonials can be found both on our webpage and on independent peer review platforms such as Gartner Peer Insights. When you are ready to speak with a cloud security expert, our team would be happy to connect with you. Let us show you why thousands of SentinelOne customers worldwide trust us to protect their business.


macOS Payloads | 7 Prevalent and Emerging Obfuscation Techniques

In our recent post, 7 Ways Threat Actors Deliver macOS Malware in the Enterprise, we discussed some of the popular mechanisms currently in use by threat actors to achieve initial compromise on a macOS system. In this post, we continue our exploration of modern macOS malware by looking at different kinds of payloads that are either common or are emerging, with an emphasis on those that attempt obfuscation and evasion.

We take a look at scripts, the SHC shell script compiler, obfuscated Python, Go implants as well as some rare sightings of obfuscated Cobalt Strike beacons seen in some recent macOS-targeted campaigns.

1. Hidden Scripts

Using a method first popularized by Shlayer malware, commodity adware and PUP platforms continue to leverage shell scripts delivered in disk images, often through content lures.

Some malware families use the script as an executable in an app bundle, such as this one.

/Volumes/Player/Player_253.app/Contents/MacOS/MUwj3QKorpMfT39foaHiE5Cf6oBSVw

Bundlore script

Others drop the script directly into a disk image file and encourage the user to execute it through an alias. The sample 2070b149b7d99cd4b396a8b78de5a28c1f2b505a provides a representative example.

macos malware script hidden in disk image

On mounting the disk image, the user is presented with a two-step graphical instruction on how to open the malware and bypass the built-in macOS Gatekeeper restriction.

Gatekeeper bypass

Examining the disk image in the Finder with hidden files displayed, it’s clear that the Install PKG icon the user is urged to right-click on is an alias to a shell script file located in a hidden directory called, appropriately enough, .hidden.

The script is lightly obfuscated. After creating a directory inside /tmp with a random 12-character name, it ultimately decrypts, runs and deletes an executable extracted from the data file located in the same directory.

/bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k '$archive' -in '$appDir/$archive' -out '$tmpDir/$binFile'; xattr -c '$tmpDir/'*; chmod 777 '$tmpDir/$binFile'; '$tmpDir/$binFile' && rm -rf $tmpDir')'

The malware queries a number of system and environment variables to ascertain if it is running in a virtual machine. It also reads the local LSQuarantine file to check the source of the downloaded disk image, searching for URLs containing %s3.amazonaws.com%, suggesting that this version of Bundlore is using AWS to deliver the first stage disk images.

sh -c sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent where LSQuarantineDataURLString like '%s3.amazonaws.com%' order by LSQuarantineTimeStamp desc limit 5'

This information is next posted to a C2 and a further payload is returned, mounted and launched.
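The same LSQuarantine query is useful to defenders: the QuarantineEventsV2 database is a per-user record of what was downloaded, from where, and by which application, so a responder can pivot from a suspicious disk image to its source URL. The following Python is an added example, not code from the original post or from SentinelOne; it runs the query against an in-memory stand-in built from constructed rows, and the column subset and the 2001-based timestamp epoch are assumptions based on the LaunchServices schema. On a real host, point open_quarantine_db at a copy of the file the malware itself reads.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# LaunchServices stores quarantine timestamps as seconds since 2001-01-01 00:00:00 UTC
# (assumption: Core Data / Mac absolute time, as used across the LaunchServices databases).
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Column subset of LSQuarantineEvent (assumption: names follow the
# com.apple.LaunchServices.QuarantineEventsV2 schema shipped with macOS).
SCHEMA = """
CREATE TABLE LSQuarantineEvent (
    LSQuarantineEventIdentifier       TEXT PRIMARY KEY,
    LSQuarantineTimeStamp             REAL,
    LSQuarantineAgentBundleIdentifier TEXT,
    LSQuarantineAgentName             TEXT,
    LSQuarantineDataURLString         TEXT,
    LSQuarantineOriginURLString       TEXT
)
"""

# Constructed rows (not real telemetry): two disk images fetched from an S3 bucket and one
# unrelated package, so the LIKE filter has something to include and something to exclude.
SAMPLE_ROWS = [
    ("1111-AAAA", 694224000.0, "com.apple.Safari", "Safari",
     "https://s3.amazonaws.com/example-bucket/Player_253.dmg", "https://example.invalid/player"),
    ("2222-BBBB", 694227600.0, "com.apple.Safari", "Safari",
     "https://downloads.example.invalid/Tool.pkg", "https://example.invalid/tool"),
    ("3333-CCCC", 694310400.0, "com.google.Chrome", "Google Chrome",
     "https://s3.amazonaws.com/example-bucket/Install.dmg", "https://example.invalid/install"),
]


def mac_time_to_iso(seconds: float) -> str:
    """Convert a LaunchServices timestamp to an ISO-8601 UTC string."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()


def open_quarantine_db(path: str) -> sqlite3.Connection:
    """Open a real QuarantineEventsV2 file read-only; for forensics work from a copy."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def recent_downloads(conn: sqlite3.Connection, host_pattern: str = "%", limit: int = 5) -> list[dict]:
    """Newest-first download records whose source URL matches a SQL LIKE pattern.

    This is the query quoted above, parameterised and with the timestamp made readable.
    """
    rows = conn.execute(
        "SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineDataURLString LIKE ? "
        "ORDER BY LSQuarantineTimeStamp DESC LIMIT ?",
        (host_pattern, limit),
    ).fetchall()
    return [{"when": mac_time_to_iso(ts), "agent": agent, "url": url} for ts, agent, url in rows]


if __name__ == "__main__":
    for rec in recent_downloads(build_sample_db(), "%s3.amazonaws.com%"):
        print(rec["when"], rec["agent"], rec["url"])
```

Because the malware reads this database with a wildcard path, a process other than Finder, Safari or a browser opening QuarantineEventsV2 is itself a behaviour worth alerting on, independent of what it finds there.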

SentinelOne detects such script-based malware, with this particular payload identified as Bundlore.E, a well-known commodity adware and PUP delivery platform.

2. Shell Script Compiler

Shell Script Compiler is a GitHub repo known as SHC for short, which takes a script and produces obfuscated C source code. The source code is then compiled and linked to produce a stripped binary executable. Although these binaries aren’t entirely independent – they still require the execution environment to have available the shell specified in the shebang – if the script uses a shell that is found by default on the target OS (e.g., /bin/sh on macOS), execution should not be an issue.

SHC shell script compiler XCSSET neurobin

SHC comes with some compilation options that are useful to malware authors. The -U option attempts to make the binary untraceable with ptrace. The -e option allows the author to set an expiry date after which the program won’t run. One useful side-effect of this is that the same script will produce binaries with different hashes if compiled with different values for -e.

SHC source code

SHC was heavily used by XCSSET malware and has been seen more recently obfuscating Linux payloads. Its great advantage from an attacker’s point of view is that it makes it extremely simple to write malicious scripts which cannot be read via static analysis and which, thanks to the -e option, can have endlessly different hash values. The only way to discover what an SHC-compiled binary does is to detonate it in a sandbox and observe its behavior.

SHC payload executed by XCSSET macOS malware

SHC compiled binaries can be detected statically and marked as suspicious, as the compiler produces a distinctive string signature. However, only behavioral solutions will be able to distinguish between benign code and those with malicious intent.

3. Python Obfuscators

Apple removed support for Python 2.7 on macOS devices running Monterey 12.3 and later in 2022, and as a result the language has become a less attractive option for attackers than it once was.

However, there are still plenty of enterprise environments where some local version of Python will be installed, as it remains hugely popular with developers of all stripes, and there is a ‘back catalog’ of Python-based attack frameworks such as Meterpreter and EmPyre that are still favored by both attackers and red teams.

Packaging Python scripts into .pyc compiled Mach-Os is also still a viable attack option, but more commonly frameworks like Meterpreter will be base64 encoded multiple times to obfuscate their true payload. Many of these remain undetected by static engines but are recognized by behavioral solutions like SentinelOne on execution.

obfuscated python malware on virus total
deobfuscated python Meterpreter
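Peeling those repeated base64 layers is the routine analyst step that turns a VirusTotal-evading blob back into readable framework code. The block below is an added example, not code from the original post or from SentinelOne: it generates a constructed multiply-encoded sample (a harmless print statement wrapped in the decode-and-exec pattern described above, purely as test input), flags the static hints of such a loader, and iteratively decodes the longest base64 token until it reaches the innermost stage. The token length threshold and the stop-on-binary rule are design assumptions.

```python
import base64
import binascii
import re

# A base64 run long enough to be a payload rather than an identifier, with optional padding.
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Static hints that a script decodes and executes an embedded stage.
LOADER_HINTS = {"b64decode": rb"b64decode", "exec": rb"\bexec\s*\("}


def wrap_layers(payload: bytes, layers: int) -> bytes:
    """Constructed test-data generator, not a real sample: wrap `payload` in `layers` rounds
    of the decode-and-exec pattern so the peeler has something realistic to unwind."""
    data = payload
    for _ in range(layers):
        data = b"import base64;exec(base64.b64decode(b'" + base64.b64encode(data) + b"'))"
    return data


def loader_hints(blob: bytes) -> list[str]:
    """Names of the loader hints present in a script, in a stable order."""
    return [name for name, pattern in LOADER_HINTS.items() if re.search(pattern, blob)]


def peel_base64(blob: bytes, max_layers: int = 32) -> tuple[int, bytes]:
    """Strip nested base64 stages: decode the longest base64 token, then repeat on the result.

    Stops when no token decodes (the plaintext stage), or when a layer decodes to non-text,
    which usually means a binary final stage that belongs in a file or Mach-O analyser.
    Returns (layers_removed, innermost_bytes).
    """
    current, layers = blob, 0
    while layers < max_layers:
        tokens = B64_TOKEN.findall(current)
        if not tokens:
            break
        try:
            decoded = base64.b64decode(max(tokens, key=len), validate=True)
        except (binascii.Error, ValueError):
            break
        layers += 1
        try:
            decoded.decode("utf-8")
        except UnicodeDecodeError:
            return layers, decoded
        current = decoded
    return layers, current


if __name__ == "__main__":
    sample = wrap_layers(b'print("hello from the innermost layer")', 3)
    print("hints:", loader_hints(sample))
    depth, inner = peel_base64(sample)
    print(f"removed {depth} layers ->", inner.decode())
```

The layer count is itself a useful feature: legitimate scripts rarely base64-encode themselves more than once, so a depth of three or more is a cheap triage signal even before the innermost stage is examined.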

4. Obfuscated Cobalt Strike

Widely seen in malware targeting the Windows world, Cobalt Strike is less common in Mac malware campaigns, but not unheard of. SentinelLabs observed two ostensibly unrelated campaigns dropping Cobalt Strike beacons in obfuscated Go binaries.

The OSX.Zuru campaign in September 2021 involved a supply-chain style attack that used trojanized versions of popular enterprise apps including iTerm2, MS Remote Desktop for Mac, SecureCRT and Navicat 14. These trojans were seen delivering a heavily obfuscated Mach-O to the victim device at /private/tmp/GoogleUpdate.

The file is packed with UPX and unpacks into a 5 MB Mach-O written in C. This executable is heavily obfuscated and contains over 40,000 functions of almost entirely junk code. The same obfuscation technique was later seen in the pymafka attack on PyPI, which dropped a ~3 MB Mach-O executable at /private/var/tmp/zad.

The obfuscation technique is recognizable from the entropy and md5 hashes of the binary sections. In particular, the __cstring section will have the md5 value of c5a055de400ba07ce806eabb456adf0a.

obfuscated cobalt strike on macOS Mach-O

Section entropy can also be used to recognize these binaries statically.

Obfuscated Cobalt Strike section entropy pymafka
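Both of the static checks just described, the per-section md5 and the per-section entropy, only need a walk of the Mach-O load commands. The block below is an added example, not code from the original post or from SentinelOne: it parses a single-architecture 64-bit Mach-O, hashes and measures the entropy of every section, and flags either the __cstring md5 quoted above or a code section with packer-like entropy. The 7.0-bit threshold, the 256-byte minimum section size and the synthetic Mach-O builder used as test input are assumptions; fat (universal) binaries would need their fat header split first.

```python
import hashlib
import math
import struct
from collections import Counter

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit little-endian Mach-O
LC_SEGMENT_64 = 0x19
# The __cstring md5 reported above for the Zuru / pymafka obfuscated Cobalt Strike loaders.
KNOWN_CSTRING_MD5 = "c5a055de400ba07ce806eabb456adf0a"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def mach_o_sections(blob: bytes):
    """Yield (segment, section, raw bytes) from a single-arch 64-bit Mach-O."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O (fat binaries must be split first)")
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_SEGMENT_64:
            segname = blob[off + 8:off + 24].rstrip(b"\0").decode()
            nsects = struct.unpack_from("<I", blob, off + 64)[0]
            sect = off + 72  # sizeof(segment_command_64)
            for _ in range(nsects):
                sectname = blob[sect:sect + 16].rstrip(b"\0").decode()
                _addr, size, fileoff = struct.unpack_from("<2QI", blob, sect + 32)
                yield segname, sectname, blob[fileoff:fileoff + size]
                sect += 80  # sizeof(section_64)
        off += cmdsize


def section_profile(blob: bytes) -> dict:
    """Map 'segment,section' -> md5, entropy (rounded) and size, for signature work."""
    return {
        f"{seg},{sec}": {"md5": hashlib.md5(data).hexdigest(),
                         "entropy": round(shannon_entropy(data), 3), "size": len(data)}
        for seg, sec, data in mach_o_sections(blob)
    }


def flag_obfuscated(profile: dict, entropy_threshold: float = 7.0) -> list[str]:
    """Static verdicts: the known __cstring hash, or __TEXT sections with packer-like entropy."""
    reasons = []
    cstring = profile.get("__TEXT,__cstring")
    if cstring and cstring["md5"] == KNOWN_CSTRING_MD5:
        reasons.append("known-obfuscated __cstring md5")
    for name, info in profile.items():
        if name.startswith("__TEXT,") and info["entropy"] >= entropy_threshold and info["size"] >= 256:
            reasons.append(f"high entropy in {name} ({info['entropy']})")
    return reasons


def build_sample_macho(sections: list[tuple[str, bytes]]) -> bytes:
    """Construct a minimal Mach-O with one __TEXT segment (test input, not a real binary)."""
    seg_size = 72 + 80 * len(sections)
    data_off = 32 + seg_size
    total = sum(len(d) for _, d in sections)
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 1, seg_size, 0, 0)
    segment = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, seg_size, b"__TEXT",
                          0, total, data_off, total, 7, 5, len(sections), 0)
    headers, body, cur = b"", b"", data_off
    for name, data in sections:
        headers += struct.pack("<16s16s2Q8I", name.encode(), b"__TEXT",
                               cur, len(data), cur, 0, 0, 0, 0, 0, 0, 0)
        body += data
        cur += len(data)
    return header + segment + headers + body


if __name__ == "__main__":
    sample = build_sample_macho([("__text", bytes(range(256)) * 2), ("__cstring", b"hello\0world\0")])
    for name, info in section_profile(sample).items():
        print(name, info)
    print(flag_obfuscated(section_profile(sample)))
```

The same section walk gives you the __DATA bytes that the Poseidon and Sliver string signatures later in this post are matched against, so one parser serves both the entropy check here and the string checks there.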

5. Obfuscated AppleScripts

AppleScript has a long and somewhat underrated history of malicious use on OSX and macOS systems, in part because of its longevity (it’s been around longer than Python) and in part because until recent years Apple paid little attention to its security implications. It remains an incredibly powerful tool for both legitimate and malicious purposes, despite Apple’s attempts to rein it in with use of TCC and other restrictions.

Until very recently, one of AppleScript’s best kept secrets was its ability to produce almost irreversible compiled code by means of the ‘run-only’ option. Run-only AppleScripts and a method to reverse them were discussed in detail in the SentinelLabs post here, but among the techniques discovered in the wild was a particularly clever one of embedding one run-only script inside another using four-byte hex character encoding.

obfuscated AppleScript malware

Such scripts cannot be decompiled with the built-in tool osadecompile and require either dynamic analysis in a sandbox or significant reverse engineering effort. Static detection can be used to detect the presence of embedded hex characters and the unique AppleScript magic FADE DEAD that marks the end of an AppleScript block.

AppleScript FADE DEAD
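Two of the static signals in this post come down to pattern matching over a blob: the decrypt, de-quarantine, chmod, run, delete sequence of the Bundlore shell loader shown earlier, and the FADE DEAD trailer and hex-encoded embedded script of the obfuscated AppleScripts just described. The scanner below is an added example, not code from the original post or from SentinelOne; it applies both rule sets to two constructed samples (the quoted Bundlore command line, and a synthetic AppleScript-like blob that imitates the embedding). The rule thresholds, the 64-hex-character minimum and the byte form 0xFADEDEAD of the trailer are assumptions.

```python
import re

# Constructed sample 1: the Bundlore-style loader command quoted earlier in this post
# (decrypt with openssl, clear xattrs, chmod, run, delete the working directory).
SAMPLE_SHELL = (
    b"/bin/bash -c eval '$(echo 'openssl enc -aes-256-cbc -d -A -base64 -k '$archive' "
    b"-in '$appDir/$archive' -out '$tmpDir/$binFile' xattr -c '$tmpDir/'* chmod 777 "
    b"'$tmpDir/$binFile' '$tmpDir/$binFile' && rm -rf $tmpDir')'"
)

APPLESCRIPT_HEADER = b"FasdUAS"             # magic at the start of a compiled AppleScript
APPLESCRIPT_TRAILER = b"\xfa\xde\xde\xad"   # "FADE DEAD" as bytes (assumed byte form)
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}){32,}")  # >= 64 hex characters, even length

# Constructed sample 2 (not a real script): an outer compiled-AppleScript shell that carries a
# second script as ASCII hex text, then ends with the raw trailer.
_INNER_SCRIPT = APPLESCRIPT_HEADER + b" 1.101.10" + b"\x00" * 40 + APPLESCRIPT_TRAILER
SAMPLE_APPLESCRIPT = (
    APPLESCRIPT_HEADER + b" 1.101.10\x00\x00" + _INNER_SCRIPT.hex().encode("ascii") + APPLESCRIPT_TRAILER
)

# Every pattern must match for the shell rule to fire: one openssl call is normal, but
# decrypt + de-quarantine + make executable + self-delete together is the loader pattern.
SHELL_LOADER_RULE = [
    rb"openssl\s+enc\b[^\n]*\s-d\b",   # decrypt, not encrypt
    rb"\bxattr\s+-c\b",                # clear com.apple.quarantine and every other xattr
    rb"\bchmod\s+[0-7]*7[0-7]*\b",     # make the dropped file executable
    rb"\brm\s+-rf\b",                  # remove the evidence after running
]


def scan_shell_loader(blob: bytes) -> bool:
    """True when all four loader stages appear in the script text."""
    return all(re.search(pattern, blob) for pattern in SHELL_LOADER_RULE)


def scan_applescript(blob: bytes) -> list[str]:
    """Names of the AppleScript indicators found: the raw trailer, and/or a hex-encoded run
    whose decoded bytes carry the AppleScript header or trailer (an embedded script)."""
    hits = []
    if APPLESCRIPT_TRAILER in blob:
        hits.append("applescript_trailer_raw")
    for match in HEX_RUN.finditer(blob):
        decoded = bytes.fromhex(match.group().decode("ascii"))
        if APPLESCRIPT_HEADER in decoded or APPLESCRIPT_TRAILER in decoded:
            hits.append("applescript_hex_embedded")
            break
    return hits


def scan(blob: bytes) -> list[str]:
    """Run every rule over a blob and return the names of the rules that fired."""
    hits = ["shell_decrypt_run_delete"] if scan_shell_loader(blob) else []
    hits.extend(scan_applescript(blob))
    return hits


if __name__ == "__main__":
    print("shell sample:", scan(SAMPLE_SHELL))
    print("applescript sample:", scan(SAMPLE_APPLESCRIPT))
```

Both rules are triage signals rather than verdicts: the shell rule deliberately requires all four stages so that an ordinary openssl or chmod invocation does not fire it, and a hit on the hex-embedded rule is the cue to hand the decoded inner blob to dynamic analysis, since osadecompile will not help with it.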

Who Needs Python? GO For the Win

In part due to Apple’s removal of a default Python script interpreter, many malware authors have been turning to Google’s Golang. Mach-O binaries written in Go have the advantage of containing the Go runtime environment within the executable, a feature that guarantees execution but produces an unusually large file size. This file size can work both for and against threat actors: on the one hand, large binaries are easy for both security solutions and users to spot. On the other hand, their large size can present difficulties to some security solutions and sandboxes, which may limit the maximum file size they ingest for performance reasons.

Go binaries also present challenges to analysts and reverse engineers, who must develop new tools and methods for separating out the malicious code from the masses of Go imports, runtime functions and third-party packages. They also need to develop an effective way of dealing with strings, as strings in Go binaries are not delimited by a terminating null character.

The final two examples of payloads we will look at are both Go-based and serve as good examples of why this language has become popular among malware authors.

6. Poseidon Implants

Poseidon is a Golang agent for the red-teaming framework Mythic that ‘beacons’ back to an operator and allows various functionality on the infected machine.

Poseidon source code and disassembly

The image above depicts the source code on the left and disassembly on the right for various goroutines that allow the operator to perform different tasks. Goroutines provide performant concurrent execution and, in Poseidon, are used for things like sending and receiving files between the victim’s device and the operator.

Poseidon also allows the attacker to log keystrokes, take screen captures, install persistence and other backdoor functionality. A recent high-profile use of Poseidon in the wild was the CrateDepression supply chain attack against the Rust development community.

Detecting Poseidon payloads is reasonably straightforward once they are unpacked as the strings in compiled Poseidon binaries have a distinctive signature. The source code is also available online.

7. Sliver Implants

Another open-source attack framework that has been gaining increasing use in in-the-wild campaigns, Sliver is a C2 system that can manage multiple implants through a central server by one or more operators. It offers attackers callback protocols over DNS, HTTPS, Mutual TLS and Wireguard to help evade domain detection and blocking.

A Sliver binary will weigh in at around 10 MB or more, making it important that security teams have solutions that can handle large executables. The Sliver project does not itself support further obfuscation or packing, but in the wild samples may be found with off-the-shelf or custom UPX packing.

Sliver has been seen in recent macOS malware that masquerades as an Apple softwareupdate binary and installs persistence in the user’s Library LaunchAgents folder. That campaign was interesting in its avoidance of any Apple proprietary software (such as Xcode) and its employment of free and readily available tools including UPX, MacDriver and Platypus.

Sliver data section

Somewhat like Poseidon, Sliver is fairly straightforward to detect with a simple file signature, since there are many characteristic strings in the __DATA section, so long as the binary size does not present a problem. The source code is available here.

Conclusion

The payload types and obfuscation mechanisms we’ve discussed above are by no means the only ones we see on macOS – adware like Pirrit and Adload, which we have discussed elsewhere, continue to evolve their techniques in this regard, and to leverage cross-platform languages like Go and Kotlin. Malware like Silver Sparrow and others have found interesting ways to disguise and deliver payloads inside package installers.

Threat actors of all stripes have and still do rely on curl to deliver second and third-stage payloads. However, as Apple continues its own attempts to block downloads that bypass its Gatekeeper security settings, we expect to see more malware embed later-stage payloads in the initial infection and to evolve their obfuscation and evasion efforts to make these successful.

We hope this brief overview of some of the techniques we observe in current malware families may help defenders to better protect their organizations and their users.

If you would like to learn more about how SentinelOne Singularity and its native architecture agent can protect your macOS fleet, contact us or request a free demo.

The Good, the Bad and the Ugly in Cybersecurity – Week 4

The Good

The tables have turned for the Hive ransomware group. This week, the FBI and international partners shared news of their successful sting operation, a “hack of the hackers” that resulted in the seizure of two of the group’s servers and one virtual private server. The FBI also revealed that it was able to burrow deep into the group’s infrastructure and gather intelligence prior to dismantling the operation.

Hive is among the world’s most prolific ransomware networks, which has long beleaguered critical infrastructures such as governments and hospitals. Initially spotted in July 2021 during the height of the COVID-19 pandemic, the syndicate is known for its Ransomware-as-a-Service (RaaS) model. Hive ransomware group has extorted more than $100 million from 1500 organizations across at least 80 countries.

According to the DOJ, the month-long operation came to a head in July of last year when the FBI quietly accessed Hive’s control panel and obtained the software keys shared with the syndicate’s partners used to perform double extortion attacks. While no arrests have been made yet, officials announced that they were building a map of associated administrators, software, and affiliates based on the seized servers. Officials have been helping recent victims regain access to their networks, saving almost 300 organizations over $130 million in what would have been ransom payments.

The dismantling of Hive is one of the first big crackdowns of 2023; a concerted effort across various law enforcement groups in the effort to slow the ransomware epidemic. While the ransomware economy continues to be a lucrative one for attackers, these sting operations are hitting them where it hurts most – their earnings. Officials are now offering rewards for information linking Hive to foreign governments.

The Bad

Alleged Chinese-speaking threat actors are upping their evasion game through the little-known open source tool SparkRAT and Golang malware. In an analysis by SentinelLabs this week, a recent cluster of attacks dubbed DragonSpark has been observed employing uncommon tactics to sidestep security layers. DragonSpark attacks have so far victimized organizations in China, Taiwan, Hong Kong, and Singapore.

Initial access involves the compromise of vulnerable, internet-exposed web servers and MySQL servers to drop a ‘China Chopper’ web shell. After gaining that foothold, DragonSpark attacks use lateral movement techniques paired with privilege escalation and malware deployment to root deeper into a victim’s environment.

Once lateral spread is underway, actors use a cross-platform remote access trojan called SparkRAT to conduct a host of malicious activities such as manipulating system files, stealing information, and running additional PowerShell commands. SparkRAT is written in Golang and can run on Windows, macOS, and Linux. Other malicious tools observed in DragonSpark attacks have all been open-source tools such as SharpToken, BadPotato, and GotoHTTP.

The Golang malware ‘m6699.exe’ executes code from embedded Go scripts in the malware binaries – a technique for hindering static analysis and evading detection. The malware then opens a reverse shell allowing the threat actors to begin remote code execution (RCE).

SentinelLabs analysts hypothesize that multi-platform, feature-rich tools like SparkRAT will continue to appear in future attacks by attackers known to favor open source software in their campaigns.

The Ugly

A new warning from CISA, the NSA, and Multi-State Information Sharing & Analysis Center (MS-ISAC) dropped this week detailing attacks against multiple federal civilian executive branch (FCEB) agencies through the use of legitimate remote monitoring and management (RMM) software.

Malicious activity against many FCEB networks was executed through callback phishing campaigns. Threat actors sent spoofed help desk emails to federal staffers’ personal and government email addresses. Emails were found to contain a link to a first-stage domain and encouraged targeted users to call the attackers who then posed as help desk technicians.

After the ‘technicians’ convinced the caller to visit the domains, malware would be downloaded automatically, connecting the target to a second-stage domain with downloads for AnyDesk and ScreenConnect – popular RMM tools used by remote workers globally – after which the attacker had full access to the victim’s device.

Weaponizing legitimate remote software continues to be attractive to threat actors as an effective means of establishing local user access – all without needing any admin permissions. The joint warning released this week highlights the increased spike in social engineering and phishing attacks combined with the use of legitimate software for access.

This follows on from a recent case in which attackers hosted an online Pokémon-based NFT game, luring fans of the franchise to download remote access trojans (RATs) on the site. Efforts like this are considered ‘quick wins’ for threat actors as they get the access they want without spending time or resources on developing bespoke attacks. CISA’s official warning includes a list of preventative measures organizations can take to avoid social engineering attacks and reduce the risk of RMM software misuse.

WatchTower | Trends and Top Cybersecurity Takeaways from 2022

Gathering information about cyber attacks is only half of the battle – the other half lies in curating the raw data into original insights about major vulnerabilities, cybercrime toolkits, and ransomware groups.

In this blog post, SentinelOne’s WatchTower team reflects on a year’s worth of threats observed and investigated across every geography and industry our partners operate in. Based on telemetry from tens of millions of endpoints protected by Singularity XDR platform, here’s a review of the top cyber attack trends from 2022 and their significance in the fluctuating threat landscape.

Trends In the Landscape | 2022 Top Cybersecurity Takeaways

Findings from 2022 show the top ransomware variants, initial infection vectors, and emerging malware that organizations from all sectors contended with.

Ransomware Findings

Over the course of last year, ransomware showed no signs of slowing down. Faced with federal-level sanctions, ransomware groups now widely rebrand to obfuscate their identities and sidestep crackdowns. Several new ransomware groups emerged in 2022 and existing ones rebranded before showing their faces in the threat landscape once more.

Ransomware authors have also widely adopted both Rust and Golang in their efforts to evade detection. BlackCat, Hive and a host of other ransomware families made the switch, taking advantage of their fast file encryption capabilities and wide-ranging cryptographic libraries.

Growing Infection Vectors

2022 saw a steep increase in supply chain attacks, SEO poisoning/malvertising, and cracked software. The growing theme in attacks from last year saw threat actors steering towards the path of least resistance for greater rewards.

Through software supply chain attacks, actors exploit weaknesses in a vendor’s development cycle to inject malicious code into a certified application. While many organizations have worked to monitor and detect such threats since the attack on SolarWinds in 2020, threat actors are still leveraging open-source modules for initial intrusion. Identity management giant Okta, for example, found itself the target of a supply chain attack last year when its 2FA provider, Twilio, was breached.

SEO poisoning has also risen to the top as a way for threat actors to take advantage of existing infrastructure for malicious purposes. By poisoning the mechanisms that influence search engine optimization (SEO), attackers have been able to quickly lure and infect unsuspecting users with commodity malware. Cracked software follows the same theme, banking on victims to download unlocked, illegal software which is embedded with dangerous malware.

Malware Innovations

Attackers were observed attempting to neutralize and sidestep endpoint detection and response (EDR) tools over the past year, using bypass techniques and known vulnerabilities. In February 2022, the FBI and United States Secret Service (USSS) released a joint cybersecurity advisory warning against BlackByte ransomware group known for using a “Bring Your Own Driver” technique to circumvent various EDR products available on the market today.

A table of ransomware groups that created modules attempting to kill EDR solutions in 2022 is provided below. SentinelOne offers robust anti-tamper capabilities to protect against these attacks.

ransomware edr bypass

The threat intelligence community observed new wiper malware samples and ransomware strains circulating in Ukrainian organizations. The malware was distributed with the goal of rendering their computer systems inoperable. HermeticWiper and PartyTicket ransomware were among the novel threats that prefaced the unprovoked Russian invasion of Ukraine, and they have since evolved to produce several new malware variants. SolarMarker infostealer, Bumblebee downloader, and the Raspberry Robin worm (aka QNAP worm, or LNK worm) also emerged as popular tools for cyberattackers in 2022.

2022 Most Used Commodity Tooling & Techniques

Attackers will always look for opportunities to do less work for more damage. They don’t always use sophisticated and customized malware and often rely on the same public tools used by network administrators and security professionals.

The most notable commodity tooling observed in 2022 by threat tactic are as follows:

  • Reconnaissance – Ipconfig, Net.exe, Netstat, Nslookup, arp.exe, WMI, Impacket, Cobalt Strike, Whoami, ADFind, ADRecon.py, Advanced Port Scanner, IP Scanner, PingCastle, Powerview, and Winrm
  • Credential Theft – Mimikatz, Meterpreter, Cobalt Strike, BloodHound, SharpHound, ProcDump, Process Hacker, ninjacopy, NirSoft, Lazagne, and PassView
  • Lateral Movement – Psexec, PDQ Install, Winrm, SMB, WMI, RDP, SSH
  • Remote Access – TeamViewer, AnyDesk, Splashtop, ZohoAssist, ConnectWise, VNC, BeyondTrust, GoToAssist, RemotePC, TightVNC, RDP (mstsc), Registry terminal server enable
  • Defense Evasion – Gmer, Icesword, Regedit (reg.exe), Process Hacker driver, Powershell, WMI, Service Kill (bat file), Process Kill (bat file)
  • Staging – SCCM, Group Policy, Psexec, Powershell Remote, ConnectWise
  • Data Exfiltration – RClone, FileZilla, Winscp, cloud services such as MegaSync and megacloud

The most commonly observed MITRE ATT&CK techniques over the last 12 months were:

MITRE TTPS 2023

Notable Cybercrime Toolkits of 2022

This section expands on the threat groups last year that have developed or modified malware as an advanced means of evading and disabling detection and response mechanisms.

Black Basta Ransomware & Ties to FIN7

Ransomware-as-a-Service (RaaS) group, Black Basta, is well known for launching double extortion attacks through customized tools. During analysis of their toolkit, SentinelLabs researchers found that the group had worked with a developer associated with Carbanak/FIN7 – a threat gang specializing in targeting U.S. retail and hospitality sectors. Uncovering possible connections between threat groups lends cybersecurity analysts better visibility into a wider net of threat operators’ infrastructures.

Transformers | Bumblebee Downloader, IcedID and Qakbot

First identified in March 2022, the Bumblebee downloader has been adopted by multiple threat groups as a sophisticated initial access facilitator. Bumblebee allows threat actors to gain initial access to enterprise environments and launch advanced cyberattacks. This downloader also shares the same infection chain as Qakbot – another toolkit that appeared multiple times in the past year – and IcedID malware.

common chain iced Qakbot Bumblebee

Targeting Ukraine Using Royal Road Document Builder

The Russian invasion of Ukraine created major shifts in the 2022 threat landscape, including the increased use of wiper malware. Widely impacting Ukrainian citizens as well as organizations based outside of Ukraine was the Royal Road Document Builder.

SentinelLabs’ analysis indicates that the threat actors behind these cyberattacks are part of a Chinese state-sponsored cyber espionage group which uses phishing emails to deliver these malicious documents and exploit the Bisonal backdoor.

Bisonal backdoor spread through phishing campaign

Raspberry Robin Worms Its Way Through 2022

2022 saw threat actors leveraging Raspberry Robin to deliver multiple types of malware and ransomware to infected endpoints. Also known as the QNAP or LNK worm, Raspberry Robin is a self-propagating worm used in attacks throughout last year as a delivery mechanism for second stage malware. Its usage amongst threat actors spiked in the latter half of 2022, making it one of the fastest growing threat families of last year.

Raspberry Robin distribution

SocGholish Expands and Diversifies

Highly active throughout the past 12 months, SocGholish has undergone a marked diversification, with expanding infrastructure to contend with known defenses. Across 2022, SocGholish averaged 18 malware-staging servers being unveiled each month. Threat groups use a JavaScript-based framework to gain initial access to targeted systems in campaigns that primarily revolve around social engineering tactics. SocGholish has been able to persist in the threat landscape, emphasizing the need for enterprises to regularly audit the integrity of their web servers, websites, and DNS records.

DLL Sideloading Attacks Continue to Menace

Major threat groups or malware families including Qakbot, Sliver Framework, Temp.Hex, FIN7, and LockBit led the uptick in sideloading DLL files to execute malicious payloads in attacks from 2022. This tactic allows cyber criminals to sidestep first-generation EDR solutions and legacy antivirus products while installing malware on targeted devices.


Conclusion

2022 showed that threat actors continue to use what works while investing in novel techniques in response to countermeasures by security teams and security software.

Identifying and sharing trends in new vulnerabilities, attack vectors, and malware strains are key to staying steps ahead of cyberattackers. Though new threats will undoubtedly continue to emerge, there are many ways enterprises can mitigate risk and harden their defenses. The more information that is shared about past, current, and emerging threat actors, the better enterprises can implement the people, processes, and technology needed to combat cybersecurity challenges.

Looking ahead to 2023, threat actors will continue to upgrade their methods and tools of attack, innovating on attack vectors and finding new vulnerabilities. Establishing an effective response strategy and deep, continuous monitoring can help augment a business’ in-house team’s defenses with robust detection and response capabilities.


Experian Glitch Exposing Credit Files Lasted 47 Days

On Dec. 23, 2022, KrebsOnSecurity alerted big-three consumer credit reporting bureau Experian that identity thieves had worked out how to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, but remained silent about the incident for a month. This week, however, Experian acknowledged that the security failure persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

The tip about the Experian weakness came from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to cybercrime.

Normally, Experian’s website will ask a series of multiple-choice questions about one’s financial history, as a way of validating the identity of the person requesting the credit report. But Kushnir said the crooks learned they could bypass those questions and trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

When I tested Kushnir’s instructions on my own identity at Experian, I found I was able to see my report even though Experian’s website told me it didn’t have enough information to validate my identity. A security researcher friend who tested it at Experian found she also could bypass Experian’s four or five multiple-choice security questions and go straight to her full credit report at Experian.

Experian acknowledged receipt of my Dec. 23 report four days later on Dec. 27, a day after Kushnir’s method stopped working on Experian’s website (the exploit worked as long as you came to Experian’s website via annualcreditreport.com — the site mandated to provide a free copy of your credit report from each of the major bureaus once a year).

Experian never did respond to official requests for comment on that story. But earlier this week, I received an otherwise unhelpful letter via snail mail from Experian (see image above), which stated that the weakness we reported persisted between Nov. 9, 2022 and Dec. 26, 2022.

“During this time period, we experienced an isolated technical issue where a security feature may not have functioned,” Experian explained.

It’s not entirely clear whether Experian sent me this paper notice because they legally had to, or if they felt I deserved a response in writing and thought maybe they’d kill two birds with one stone. But it’s pretty crazy that it took them a full month to notify me about the potential impact of a security failure that I notified them about.

It’s also a little nuts that Experian didn’t simply include a copy of my current credit report along with this letter, which is confusingly worded and reads like they suspect someone other than me may have been granted access to my credit report without any kind of screening or authorization.

After all, if I hadn’t authorized the request for my credit file that apparently prompted this letter (I had), that would mean the thieves already had my report. Shouldn’t I be granted the same visibility into my own credit file as them?

Instead, their woefully inadequate letter once again puts the onus on me to wait endlessly on hold for an Experian representative over the phone, or sign up for a free year’s worth of Experian monitoring my credit report.

As it stands, using Kushnir’s exploit was the only time I’ve ever been able to get Experian’s website to cough up a copy of my credit report. To make matters worse, a majority of the information in that credit report is not mine. So I’ve got that to look forward to.

If there is a silver lining here, I suppose that if I were Experian, I probably wouldn’t want to show Brian Krebs his credit file either. Because it’s clear this company has no idea who I really am. And in a weird, kind of sad way I guess, that makes me happy.

For thoughts on what you can do to minimize your victimization by and overall worth to the credit bureaus, see this section of the most recent Experian story.

Administrator of RSOCKS Proxy Botnet Pleads Guilty

Denis Emelyantsev, a 36-year-old Russian man accused of running a massive botnet called RSOCKS that stitched malware into millions of devices worldwide, pleaded guilty to two counts of computer crime violations in a California courtroom this week. The plea comes just months after Emelyantsev was extradited from Bulgaria, where he told investigators, “America is looking for me because I have enormous information and they need it.”

A copy of the passport for Denis Emelyantsev, a.k.a. Denis Kloster, as posted to his Vkontakte page in 2019.

First advertised in the cybercrime underground in 2014, RSOCKS was the web-based storefront for hacked computers that were sold as “proxies” to cybercriminals looking for ways to route their Web traffic through someone else’s device.

Customers could pay to rent access to a pool of proxies for a specified period, with costs ranging from $30 per day for access to 2,000 proxies, to $200 daily for up to 90,000 proxies.

Many of the infected systems were Internet of Things (IoT) devices, including industrial control systems, time clocks, routers, audio/video streaming devices, and smart garage door openers. Later in its existence, the RSOCKS botnet expanded into compromising Android devices and conventional computers.

In June 2022, authorities in the United States, Germany, the Netherlands and the United Kingdom announced a joint operation to dismantle the RSOCKS botnet. But that action did not name any defendants.

Inspired by that takedown, KrebsOnSecurity followed clues from the RSOCKS botnet master’s identity on the cybercrime forums to Emelyantsev’s personal blog, where he went by the name Denis Kloster. The blog featured musings on the challenges of running a company that sells “security and anonymity services to customers around the world,” and even included a group photo of RSOCKS employees.

“Thanks to you, we are now developing in the field of information security and anonymity!,” Kloster’s blog enthused. “We make products that are used by thousands of people around the world, and this is very cool! And this is just the beginning!!! We don’t just work together and we’re not just friends, we’re Family.”

But by the time that investigation was published, Emelyantsev had already been captured by Bulgarian authorities responding to an American arrest warrant. At his extradition hearing, Emelyantsev claimed he would prove his innocence in a U.S. courtroom.

“I have hired a lawyer there and I want you to send me as quickly as possible to clear these baseless charges,” Emelyantsev told the Bulgarian court. “I am not a criminal and I will prove it in an American court.”

RSOCKS, circa 2016. At that time, RSOCKS was advertising more than 80,000 proxies. Image: archive.org.

Emelyantsev was far more than just an administrator of a large botnet. Behind the facade of his Internet advertising company based in Omsk, Russia, the RSOCKS botmaster was a major player in the Russian email spam industry for more than a decade.

Some of the top Russian cybercrime forums have been hacked over the years, and leaked private messages from those forums show the RSOCKS administrator claimed ownership of the RUSdot spam forum. RUSdot is the successor forum to Spamdot, a far more secretive and restricted community where most of the world’s top spammers, virus writers and cybercriminals collaborated for years before the forum imploded in 2010.

A Google-translated version of the Rusdot spam forum.

Indeed, the very first mentions of RSOCKS on any Russian-language cybercrime forums refer to the service by its full name as the “RUSdot Socks Server.”

Email spam — and in particular malicious email sent via compromised computers — is still one of the biggest sources of malware infections that lead to data breaches and ransomware attacks. So it stands to reason that as administrator of Russia’s most well-known forum for spammers, Emelyantsev probably knows quite a bit about other top players in the botnet spam and malware community.

It remains unclear whether Emelyantsev made good on his promise to spill that knowledge to American investigators as part of his plea deal. The case is being prosecuted by the U.S. Attorney’s Office for the Southern District of California, which has not responded to a request for comment.

Emelyantsev pleaded guilty on Monday to two counts, including damage to protected computers and conspiracy to damage protected computers. He faces a maximum of 20 years in prison, and is currently scheduled to be sentenced on April 27, 2023.

Dollar Signs in Attackers’ Eyes | How to Mitigate CVE-2022-26923

Microsoft released a Windows security update in May 2022 disclosing CVE-2022-26923, an Active Directory Domain Services elevation of privilege vulnerability. CVE-2022-26923 allows a low-privileged domain user to obtain a certificate from Active Directory Certificate Services (AD CS) that authenticates as a domain controller, and from there to escalate to full control of the domain. However, issues with the update may have prevented some organizations from installing it at the time, while others may have been unable to update because of local dependencies or compatibility constraints.

In this post, we discuss AD CS misconfigurations that allow attackers to exploit this flaw and describe how security teams can mitigate this vulnerability.


What Is CVE-2022-26923?

According to Microsoft’s advisory, CVE-2022-26923 is one of three CVEs covering an elevation of privilege vulnerability that can occur when the Kerberos Key Distribution Center (KDC) services a certificate-based authentication request. On unpatched systems, certificate-based authentication fails to account for the dollar sign ($) that terminates a machine account name, so a certificate issued to one computer account can be made to map to a different machine, including a domain controller.

What Is AD CS and Why Is It Important?

Before we dig deeper into the exposure, we will review what Active Directory Certificate Services (AD CS) is and what it offers.

AD CS is a Windows Server role that lets an organization build a Public Key Infrastructure (PKI): it provides public key cryptography, digital certificates, and digital signature capabilities that underpin features such as Encrypting File System (EFS), domain authentication, code and document signing, and email security.

When organizations implement PKI by deploying AD CS in an Active Directory environment, they must manage the configuration for issuing and revoking certificates carefully, including ensuring that appropriate certificate trusts are in place.

Windows Server administrators are responsible for designing the certification authority hierarchy, implementing it, and managing the process of issuing and revoking certificates. Any misconfiguration in the AD CS role services can expose the environment to attacks such as privilege escalation, Golden Ticket attacks, and full AD domain dominance.

How Do Attackers Abuse AD CS and Exploit CVE-2022-26923?

Several security risks exist with AD CS misconfigurations. Let us discuss a couple of them. After running the command certsrv.msc, right-click on the Certification Authority (CA) object, select Properties and navigate to the Security tab.

Note that the “Request Certificates” permission is granted to Authenticated Users by default. This setting allows any authenticated user to request certificates from the CA. In the case of CVE-2022-26923, an authenticated user who owns or controls a computer account (for example, one they created themselves under the default machine account quota) can set that account’s dNSHostName attribute to the name of a domain controller and enroll for a certificate from the default Machine template. Because the unpatched KDC maps the certificate by that host name, the certificate authenticates as the domain controller.

Another vulnerable misconfiguration exists with enrollment permissions of certificate templates. In Windows environments, certificate templates are stored as objects in the Active Directory and used by Microsoft enterprise CAs. A certificate template defines the content and purpose of a digital certificate, including issuing certificate policies and enrollment permissions. Enrollment permissions define the rules by which a certification authority (CA) will issue or deny certificate requests.

A standard User Certificate template may grant the Domain Users group with “Enroll“ permissions, as shown below.


Also, there are Enroll and Autoenroll permissions that are specific to certificate template objects, for example, the Workstation Authentication certificate template, as shown in the next image.

An attacker can abuse these permissions. Enroll or Autoenroll rights on a poorly designed template let an attacker request certificates they should not have, and write rights (such as WriteDacl, WriteOwner, or full control) on any template let an attacker reconfigure it to issue certificates usable for authentication and compromise the entire domain.

Detection and Mitigation Factors for CVE-2022-26923

Singularity™ Ranger® AD continuously monitors risks associated with misconfigurations, weak policies, credential harvesting, and privilege escalations at the domain, user, and device levels. The solution prevents attacks that attempt to exploit CVE-2022-26923 by detecting and remediating Active Directory Certificate Services exposures. As a mitigation strategy, the following best practices outline how to protect AD CS services from the exploitation of CVE-2022-26923.

Exposure #1: Dangerous Access Rights That Expose Certificate Templates

Misconfigured permissions on certificate templates can allow an attacker to modify or request a certificate, and an attacker could use the certificate to elevate privileges.


To mitigate this:

  1. Open the Certification Authority MMC snap-in from “Administrative Tools” or run “certsrv.msc”.
  2. Expand the Certification Authority.
  3. Right-click “Certificate Templates” and click “Manage”.
  4. Select the certificate template listed in the exposure.
  5. Right-click the certificate template and select “Properties”.
  6. Select the “Security” tab.
  7. Verify and remove the permissions listed in the exposure reported by Singularity™ Ranger® AD.
  8. Click “Apply” and “OK”.
  9. Repeat steps 4 to 8 until all templates are corrected.
  10. Delete the template from the CA’s “Certificate Templates” container and re-publish it so the CA issues only from the corrected template:
    1. To publish a template, right-click “Certificate Templates” and click “New”.
    2. Click “Certificate Template to Issue”.
    3. Select the required certificate templates and click “OK”.
  11. Re-run the assessment to confirm the exposure is remediated.
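The GUI steps above correct one template at a time. The following PowerShell script, added here as an example and not code from the original post or from Singularity Ranger AD, does the equivalent review across every template at once: it reads each template’s security descriptor from the Configuration partition and reports ACEs that give low-privileged principals enrollment rights or rights to rewrite the template. It assumes the RSAT ActiveDirectory module is installed and runs as an ordinary domain user (reading the Configuration partition needs no special privilege); the list of “low-privileged” principals is an assumption to tune to local policy.

```powershell
# Added audit example (not from the original post). Flags certificate-template ACEs
# that give low-privileged principals Enroll/AutoEnroll or write rights.
# Assumptions: RSAT ActiveDirectory module; domain-joined host; any domain user.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$configNC    = (Get-ADRootDSE).configurationNamingContext
$templatesDN = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"

# Map extended-right GUIDs (Certificate-Enrollment, Certificate-AutoEnrollment, ...)
# to their display names from the schema instead of hardcoding the GUIDs.
$rightNames = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName |
    ForEach-Object { $rightNames[[guid]$_.rightsGuid] = $_.displayName }

# Principals that should not hold these rights on a template (assumption: adjust to policy).
# "Everyone" carries no domain prefix, hence the (^|\\) alternative.
$lowPrivPattern = '(^|\\)(Domain Users|Domain Computers|Authenticated Users|Everyone|Users)$'

# Rights that let the holder change the template itself.
$writeRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'WriteProperty'

function Get-DangerousTemplateAces {
    Get-ADObject -SearchBase $templatesDN -LDAPFilter '(objectClass=pKICertificateTemplate)' `
                 -Properties nTSecurityDescriptor |
    ForEach-Object {
        $template = $_
        foreach ($ace in $template.nTSecurityDescriptor.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $lowPrivPattern) { continue }

            $rights   = $ace.ActiveDirectoryRights
            $findings = @()

            # Enroll and AutoEnroll are extended rights. An all-zero ObjectType GUID
            # means "every extended right", which includes both.
            $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
            if (($rights -band $extended) -ne 0) {
                if ($ace.ObjectType -eq [guid]::Empty) {
                    $findings += 'All extended rights (includes Enroll/AutoEnroll)'
                } elseif ($rightNames[$ace.ObjectType] -match 'Enrollment') {
                    $findings += $rightNames[$ace.ObjectType]
                }
            }

            # Write rights: compare with -eq so a partial overlap with the GenericAll
            # bitmask (e.g. ReadProperty) is not mistaken for full control.
            foreach ($name in $writeRights) {
                $flag = [System.DirectoryServices.ActiveDirectoryRights]$name
                if (($rights -band $flag) -eq $flag) {
                    $findings += "$name (template can be reconfigured)"
                }
            }

            foreach ($f in $findings) {
                [pscustomobject]@{
                    Template  = $template.Name
                    Principal = $ace.IdentityReference.Value
                    Finding   = $f
                }
            }
        }
    }
}

Get-DangerousTemplateAces | Sort-Object Template, Principal | Format-Table -AutoSize
```

Treat the output as a review list rather than a verdict: a template that legitimately serves Domain Users (such as the default User template) will appear, and a WriteProperty ACE scoped to a single harmless attribute is less serious than one covering the whole object. The same ACE walk applies to the CA object and to the OUs covered in Exposure #2; only the search base changes.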

Exposure #2: Dangerous Access Rights Delegation on Critical Objects

Attackers who compromise user accounts that hold access rights on critical AD objects can use those rights to achieve complete domain compromise.


To mitigate this:

  1. Remove all standard and non-privileged users from the critical objects listed in the detection.
  2. To view the permissions assigned to an Organizational Unit (OU), open the Active Directory Users and Computers console and enable Advanced Features in the View menu.
  3. Right-click the OU (for example, OU=NewYork) and select Properties.
  4. Select the Security tab, then click “Advanced”. The Permissions tab lists the access control entries (ACEs) that make up the object’s Discretionary Access Control List (DACL).
  5. Select the ACE you want to remove and click “Remove”.

Exposure #3: Regular users can add new computers into AD domain

Attackers who have compromised an endpoint can also add new computers to the Active Directory domain without administrative access, and a computer account under the attacker’s control is the starting point for abusing CVE-2022-26923.


To mitigate this:

  1. Open the Group Policy Management Console (Start -> Run -> gpmc.msc).
  2. Locate the Domain Controllers OU and find the Default Domain Controllers Policy.
  3. Edit the Default Domain Controllers Policy.
  4. Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
  5. In the right pane, right-click “Add workstations to domain” and select Properties. Remove Authenticated Users and add the user or group to which you are delegating domain-join permissions.
  6. Click Apply and then OK to close the Properties window.

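The user right above is only half of the control. The domain attribute ms-DS-MachineAccountQuota (default 10) independently allows each authenticated user to create that many computer accounts, and Active Directory records who created such an account in the mS-DS-CreatorSID attribute. The script below, added here as an example and not code from the original post, reports the quota, lists computer objects created by non-administrators, flags any whose dNSHostName does not match their own name (the attribute CVE-2022-26923 abuse rewrites to a domain controller’s name), and shows the command that sets the quota to 0. It assumes the RSAT ActiveDirectory module; the Set-ADDomain call requires Domain Admin rights and is shown with -WhatIf.

```powershell
# Added example (not from the original post). Audits user-created computer accounts
# and the machine account quota. Assumptions: RSAT ActiveDirectory module; the final
# Set-ADDomain needs Domain Admin rights (remove -WhatIf to apply).
Import-Module ActiveDirectory

$domain = Get-ADDomain

function Get-MachineAccountQuota {
    (Get-ADObject -Identity $domain.DistinguishedName `
                  -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Get-UserCreatedComputers {
    # Only accounts created under the quota (not by an admin) carry mS-DS-CreatorSID.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
                   -Properties 'mS-DS-CreatorSID', dNSHostName, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # creator account may have been deleted since

        # A computer's dNSHostName should be "<name>.<domain DNS root>". A different value,
        # especially a domain controller's name, is the signature of CVE-2022-26923 abuse.
        $expected   = "$($_.Name).$($domain.DNSRoot)"
        $mismatched = [bool]($_.dNSHostName -and ($_.dNSHostName -ne $expected))

        [pscustomobject]@{
            Computer         = $_.Name
            DnsHostName      = $_.dNSHostName
            CreatedBy        = $creator
            WhenCreated      = $_.whenCreated
            HostNameMismatch = $mismatched
        }
    }
}

"ms-DS-MachineAccountQuota is currently $(Get-MachineAccountQuota)"
Get-UserCreatedComputers | Sort-Object HostNameMismatch -Descending | Format-Table -AutoSize

# Remediation: with the quota at 0, only principals granted the "Add workstations to
# domain" right (or explicit create-child rights on a container) can join machines.
Set-ADDomain -Identity $domain.DistinguishedName `
             -Replace @{ 'ms-DS-MachineAccountQuota' = 0 } -WhatIf
```

Run the audit before changing the quota: the list of creators tells you which users or service accounts still rely on self-service domain joins and need an explicit delegation instead.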
Other AD CS role services, such as Certification Authority Web Enrollment and Certificate Enrollment Web Service, are also potentially vulnerable. When these HTTP endpoints accept NTLM authentication, an attacker can use PetitPotam to coerce a domain controller into authenticating to a host they control and relay that NTLM authentication to the enrollment endpoint, obtaining a certificate for the domain controller. That certificate lets the attacker take over the domain controller or other Windows servers.

Patching CVE-2022-26923

CVE-2022-26923 carries a CVSSv3 base score of 8.8 (High), so organizations should prioritize deploying the patch for CVE-2022-26923 to reduce the possibility of an attacker exploiting this vulnerability.

If certificate-based authentication relies on a weak certificate mapping that cannot yet be removed from the environment, administrators can keep domain controllers in Disabled mode by setting the StrongCertificateBindingEnforcement registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc to 0 (1 is Compatibility mode, 2 is Full Enforcement). This is a temporary measure: according to Microsoft’s documentation, KB5014754 (Certificate-based authentication changes on Windows domain controllers), the Enablement Phase starts with the February 14, 2023 updates for Windows, after which the Disabled mode registry setting is ignored.
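Before the Enablement Phase removes the Disabled option, it is worth knowing which mode each domain controller is in and whether its KDC has already seen certificates it could only map weakly. KB5014754 documents that such cases are logged in the System log by the Kerberos-Key-Distribution-Center source as events 39 (valid certificate, weak mapping only), 40 (certificate predates the account) and 41 (SID in the certificate does not match the account). The script below, added here as an example and not code from the original post, queries both the registry value and those events on every DC. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, and an account permitted to read their System log.

```powershell
# Added example (not from the original post). Reports the KDC certificate-binding
# enforcement mode and weak-mapping events per domain controller.
# Assumptions: RSAT ActiveDirectory module; WinRM to each DC; rights to read System log.
Import-Module ActiveDirectory

$modeNames = @{ 0 = 'Disabled'; 1 = 'Compatibility'; 2 = 'Full Enforcement' }

function Get-KdcCertificateBindingState {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)

    foreach ($dc in $DomainControllers) {
        $state = Invoke-Command -ComputerName $dc -ScriptBlock {
            $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
            $value = (Get-ItemProperty -Path $key -Name StrongCertificateBindingEnforcement `
                                       -ErrorAction SilentlyContinue).StrongCertificateBindingEnforcement

            # Events 39/40/41 from the KDC identify certificates that will stop working
            # (or already fail) once the DC moves to Full Enforcement.
            $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 39, 40, 41 } `
                                   -ErrorAction SilentlyContinue |
                      Where-Object ProviderName -like '*Kerberos-Key-Distribution-Center*'

            [pscustomobject]@{
                DC         = $env:COMPUTERNAME
                RegValue   = $value
                Event39    = @($events | Where-Object Id -eq 39).Count
                Event40_41 = @($events | Where-Object { $_.Id -in 40, 41 }).Count
                LastWeak   = ($events | Select-Object -First 1).TimeCreated
            }
        }

        # Missing value: the DC uses the default for its patch level (Compatibility mode
        # with the May 2022 update; the Enablement Phase update changes that default).
        $mode = if ($null -eq $state.RegValue) { 'Not set (default)' } else { $modeNames[[int]$state.RegValue] }
        $state | Select-Object DC, @{ n = 'Mode'; e = { $mode } }, Event39, Event40_41, LastWeak
    }
}

Get-KdcCertificateBindingState | Format-Table -AutoSize
```

A DC in Disabled mode with a steady stream of event 39 entries is the case the paragraph above describes: those certificates need to be reissued with a strong mapping (or have an explicit altSecurityIdentities mapping added) before the mode can be raised without breaking authentication.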

Conclusion

It is of paramount importance that administrators implement all mitigation factors to protect their AD CS servers from such attacks. Organizations deploying Singularity Ranger® AD solutions can remediate the AD CS exposures discussed that will no longer allow attackers to exploit CVE-2022-26923. For more information, please visit Singularity Ranger AD.

Singularity™ Ranger AD
Singularity™ Ranger AD is a cloud-delivered solution designed to uncover vulnerabilities in Active Directory and Azure AD.

The Good, the Bad and the Ugly in Cybersecurity – Week 3

The Good

The U.S. Department of Justice this week arrested and charged Anatoly Legkodymov, a 40-year-old Russian national, with offenses related to processing more than $700 million of illicit funds, including ransomware proceeds.

Legkodymov, who also went by the online names of ‘Gandalf’ and ‘Tolik’, was a senior executive and majority shareholder of Bitzlato, a cryptocurrency exchange that authorities say knowingly aided ransomware actors and other cybercriminals to process illicit funds.


According to court documents, Bitzlato marketed itself as requiring minimal identification from users, specifying that “neither selfies nor passports [are] required” and knowingly fostered the perception that it was a safe haven for funds used for and resulting from criminal activities.

Bitzlato was heavily involved with cryptocurrency transactions through the notorious darknet market Hydra, which was taken down by cops in April 2022. It’s alleged that Bitzlato received more than $15 million in ransomware proceeds and transacted over $700 million in cryptocurrency with Hydra. The U.S. government says that after Hydra’s shuttering, Bitzlato continued to facilitate transactions for Russia-connected darknet markets such as BlackSprut, OMG!OMG!, and Mega.

Legkodymov, who was arrested in Miami on Tuesday, faces up to 5 years jail time if convicted of operating an illegal money transmitting business. As for Bitzlato, European authorities have conducted a separate operation to seize and dismantle its digital infrastructure, taking the service out of the cybercriminal ecosystem once and for all.

The Bad

Git users are being urged to update to the latest release following news of two critical remote code execution bugs this week. The RCEs could allow attackers to exploit heap-based buffer overflow flaws and execute arbitrary code.

CVE-2022-41903 and CVE-2022-23521 were patched on Wednesday, but a third Windows-specific vulnerability in the Git GUI tool, CVE-2022-41953, is still awaiting a fix. Users are being recommended not to use the tool until an update becomes available.

Mitigations for the two patched vulnerabilities for those that cannot immediately update are:

  • Disable ‘git archive’ in untrusted repositories or avoid running the command on untrusted repos
  • If ‘git archive’ is exposed via ‘git daemon,’ disable it when working with untrusted repositories by running the git config --global daemon.uploadArch false command

Git is used widely in enterprises to manage development projects. The researchers who discovered the flaws in a sponsored audit pointed out that vulnerabilities in Git could allow attackers to compromise source code repositories or developer systems and potentially result in security breaches on a large scale.

The researchers went on to say that the sheer size of the Git codebase made it challenging to address all potential instances of the issues they discovered, and they made a number of recommendations to Git’s maintainers to improve code security.

In a separate blog post, GitHub says that it scanned all repositories on GitHub.com to confirm that no evidence existed that GitHub had been used as a vector to exploit any of the discovered vulnerabilities.

The Ugly

It’s another tough week for password managers as the recent troubles faced by LastPass have been followed by news of breaches of Norton Lifelock customer accounts.

Norton’s parent company, Gen Digital, has advised customers that a likely credential stuffing attack was used to compromise thousands of customer accounts in December. Customers that use the same password for different sites and services are susceptible to credential stuffing attacks if a reused password is exposed or leaked from a breach of one of those sites.

Suspicious activity began around December 1st and was followed by a large number of failed login attempts on December 12th. On January 9th, Gen Digital sent notices to around 6,500 customers of its password manager advising customers that “an unauthorized party likely has knowledge of the email and password you have been using with your Norton account…and your Norton Password Manager”. The advisory went on to recommend customers change their passwords with Norton Lifelock and elsewhere immediately.

The company says that intruders used a list of usernames and passwords obtained from another source, such as the darknet, to attempt to log into Norton customer accounts. Gen Digital insists that Norton Lifelock’s own systems were not compromised.

Despite the bad news, password managers remain an effective first line of defense against account takeovers and compromises so long as users follow recommended procedures. These include using unique passwords for every site, ensuring master passwords are not easily guessable, and enabling two-factor authentication (2FA) wherever possible.