Breaking Down the SEO Poisoning Attack | How Attackers Are Hijacking Search Results

In recent weeks there has been a noticeable increase in malicious search engine advertisements found in the wild, an attack method known as SEO Poisoning, which can be considered a type of malvertising (malicious advertising). Industry colleagues have also observed this activity, as noted by vx-underground this week. The specifics of the malware delivery method vary more and more, both in which searches produce the malicious advertisements and in which malware is delivered.

In the vast majority of these cases, attackers aim to opportunistically infect unsuspecting users with commodity malware, as we will examine below. However, it is important to note that attackers have used this technique in a variety of ways for years. One noteworthy example is the early 2022 report of BATLOADER and Atera Agent being delivered in such ways. Ultimately, the attackers are most successful in these scenarios when they SEO poison the results of popular downloads associated with organizations that do not have extensive internal brand protection resources.

In this post, we will examine an ongoing SEO Poisoning campaign related to Blender 3D, the open-source 3D graphics software, as an example of how these attacks are used to infect users via web searches.

Blender 3D SEO Poisoning

Mimicking the actions of an unsuspecting user, we performed a routine Google search for “Blender 3D” and examined the Ad results presented at the top.

Notably, the malicious ads delivered by this search shift quickly, highlighting how the attackers are likely automating these efforts at scale, including both the SEO poisoning and the creation of the malicious domains the ads lead to. Screenshots collected by others show that these are not single malicious domains but rather a continuous flow of new activity that resumes after cleanup.

On January 18th we can see three malicious Blender 3D ads before the legitimate Blender.org domain is listed.

January 18th 2023 SEO Poisoning Results for Blender 3D

The above three malicious ads link to:

  • blender-s.org
  • blendersa.org
  • blender3dorg.fras6899.odns.fr

The top result, blender-s.org, is a near-exact copy of the legitimate Blender domain.

Malicious blender-s Website
Legitimate blender Website

The malicious blender-s site contains a download link for “Blender 3.4”; however, the download is delivered through a Dropbox URL rather than blender.org, and delivers a blender.zip file.

https://www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip

Examining the Dropbox share details, we can see the following uploader properties:

  • Size: 1.91 MB
  • Modified: 1/16/2023, 5:00 AM
  • Type: Archive
  • Uploaded by: rays-who rays-who
  • Date uploaded: 1/16/2023, 5:00 AM

In this case, the ZIP file (SHA1 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6) contains a blender.exe file (SHA1 ffdc43c67773ba9d36a309074e414316667ef368).

The Blender.exe file is signed with an invalid certificate belonging to AVG Technologies USA, LLC. This same certificate has a long history of illicit crimeware use, including by Raccoon Stealer.

  • Name: AVG Technologies USA, LLC
  • Thumbprint: 95AB6BCA9A015D877B443E71CB09C0ED0B5DE811
  • Serial Number: 0E 31 E4 8D 08 06 5B 09 8F 84 E7 C5 10 33 60 74

The delivered sample is recognized by multiple vendor engines, including the SentinelOne agent, as malware. We’ll release additional details on this specific malware family at a later time.

VirusTotal vendor detections for malicious blender.exe sample

Examination of the malicious link to blendersa.org reveals a site nearly identical to the previous example, which likewise provides a download link to a Dropbox URL.

Malicious blendersa Website

The Dropbox link in this case is

https://www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip

and the uploader properties follow a similar pattern to the blender-s example.

  • Size: 1.91 MB
  • Modified: 1/16/2023, 5:07 AM
  • Type: Archive
  • Uploaded by: support-duck support-duck
  • Date uploaded: 1/16/2023, 5:07 AM

The files associated with this version are:

  • Blender.zip – SHA1: f8caaca7c16a080bb2bb9b3d850d376d7979f0ec
  • Blender.exe – SHA1: 069588ff741cc1cbb50e98f66a4bf9b4c514b957

The actors behind these two sites are also responsible for dozens of others themed around popular software such as Photoshop, specific financial trading tools, and remote access software. The actor’s own infrastructure was hidden behind CloudFlare, which thankfully was quick to confirm and respond by flagging the sites as malicious after we reported the service abuse. Any new visitors moving forward will receive the following warning:

Site Updated with CloudFlare Phishing Warning

The final malicious Blender 3D ad is for blender3dorg.fras6899.odns.fr, which uses a variety of delivery methods. For example, the download link may use a Discord URL rather than a Dropbox one.

Malicious blender3dorg Website

The specific Discord link for this example is

https://cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-windows-x64.zip

This ultimately delivers blender-3.4.1-windows-x64.zip (f00c1ded3d8b42937665da3253bac17b8f5dc2d3), an archive containing a malicious ISO file.

The use of malicious ISO files is not new – as many have reported over the last year.
Blender-3.4.1-windows-x64.iso (53b7bbde90c22e2a7965cb548158f10ab2ffbb24) is roughly 800 MB in size, and contains a blender-3.4.1-windows-x64.exe and a large collection of suspicious XML files.

Conclusion

SEO poisoning leading to malicious advertisements is the rising star among today’s crimeware malware delivery methods. The examples above are just a few of many that can easily be found by researchers or stumbled upon by users with common and legitimate search queries. Attackers are finding a large amount of success with such attack methods, and we can expect to see this method evolve to conceal itself even further.

Indicators of Compromise

  • Malicious Domain – blender-s.org
  • Malware Download Location – www.dropbox[.]com/s/pndxrpk8zmwjp3w/blender.zip
  • blender.zip – SHA1: 43058fc2e4dfa2d8a9108da51186e35b7d49f0c6
  • Blender.exe – SHA1: ffdc43c67773ba9d36a309074e414316667ef368
  • C2 – 74.119.194.167
  • Malicious Domain – blendersa.org
  • Malware Download Location – www.dropbox[.]com/s/fxcv1rp1fwla8b7/blender.zip
  • Blender.exe – SHA1: 069588ff741cc1cbb50e98f66a4bf9b4c514b957
  • blender.zip – SHA1: f8caaca7c16a080bb2bb9b3d850d376d7979f0ec
  • Malicious Domain – blender3dorg.fras6899.odns.fr
  • Malware Download Location – cdn.discordapp[.]com/attachments/1001563139575390241/1064932247175700581/blender-3.4.1-windows-x64.zip
  • ZIP – SHA1: f00c1ded3d8b42937665da3253bac17b8f5dc2d3
  • ISO – SHA1: 53b7bbde90c22e2a7965cb548158f10ab2ffbb24
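To turn the indicators above into something a SOC can run, here is an added example (not SentinelOne's tooling, and not code from the post) that sweeps proxy, file and network telemetry for this campaign: known domains, hashes, the C2 address and the abused AVG certificate thumbprint from the table, plus two pattern checks the post implies, a brand-lookalike domain test and a "blender" archive served from the Dropbox/Discord hosts the actors staged on. The log records are constructed; "blenderr.org" and the placeholder thumbprint are invented to show the lookalike check firing on an unseen domain and a clean record staying quiet.

```python
"""IoC sweep for the Blender 3D SEO-poisoning campaign (added example, constructed data)."""
from __future__ import annotations
from urllib.parse import urlparse

LEGIT_DOMAIN = "blender.org"
BRAND = "blender"

# Indicators from the post's IoC table; defanged "[.]" removed so they match real telemetry.
MALICIOUS_DOMAINS = {"blender-s.org", "blendersa.org", "blender3dorg.fras6899.odns.fr"}
MALICIOUS_SHA1 = {
    "43058fc2e4dfa2d8a9108da51186e35b7d49f0c6": "blender.zip (blender-s.org)",
    "ffdc43c67773ba9d36a309074e414316667ef368": "Blender.exe (blender-s.org)",
    "f8caaca7c16a080bb2bb9b3d850d376d7979f0ec": "blender.zip (blendersa.org)",
    "069588ff741cc1cbb50e98f66a4bf9b4c514b957": "Blender.exe (blendersa.org)",
    "f00c1ded3d8b42937665da3253bac17b8f5dc2d3": "blender-3.4.1-windows-x64.zip",
    "53b7bbde90c22e2a7965cb548158f10ab2ffbb24": "blender-3.4.1-windows-x64.iso",
}
C2_IPS = {"74.119.194.167"}
ABUSED_CERT_THUMBPRINT = "95AB6BCA9A015D877B443E71CB09C0ED0B5DE811"
# File-sharing hosts the campaign staged its archives on; a "blender" ZIP from them is off-pattern.
STAGING_HOSTS = ("dropbox.com", "discordapp.com")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character typosquats of the brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_brand_lookalike(host: str) -> bool:
    """True for hosts that trade on the brand name but are not blender.org or a subdomain of it."""
    host = host.lower().rstrip(".")
    if host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return False
    labels = host.split(".")[:-1]  # every label except the TLD
    return any(BRAND in label or levenshtein(label, BRAND) <= 1 for label in labels)


def host_matches(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def check_record(rec: dict) -> list[str]:
    """Return the reasons a single proxy/EDR/network record matches the campaign."""
    reasons: list[str] = []
    if rec["type"] == "web":
        parsed = urlparse(rec["url"])
        host, path = (parsed.hostname or "").lower(), parsed.path.lower()
        if host in MALICIOUS_DOMAINS:
            reasons.append("known malicious domain")
        if is_brand_lookalike(host):
            reasons.append("brand lookalike domain")
        if any(host_matches(host, s) for s in STAGING_HOSTS) and BRAND in path and path.endswith(".zip"):
            reasons.append("brand-named archive served from file-sharing host")
    elif rec["type"] == "file":
        label = MALICIOUS_SHA1.get(rec["sha1"].lower())
        if label:
            reasons.append(f"known hash: {label}")
        if rec.get("signer_thumbprint", "").upper() == ABUSED_CERT_THUMBPRINT:
            reasons.append("signed with abused AVG Technologies certificate")
    elif rec["type"] == "net" and rec["dst"] in C2_IPS:
        reasons.append("connection to known C2")
    return reasons


def sweep(records: list[dict]) -> dict[str, list[str]]:
    """Map record id to its match reasons, keeping only records that hit at least one indicator."""
    hits: dict[str, list[str]] = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            hits[rec["id"]] = reasons
    return hits


# Constructed sample telemetry, not real logs. r6 and r7 are invented: an unseen
# typosquat and a benign file with a placeholder (non-abused) signer thumbprint.
SAMPLE_RECORDS = [
    {"id": "r1", "type": "web", "url": "https://www.blender.org/download/"},
    {"id": "r2", "type": "web", "url": "https://blender-s.org/download/"},
    {"id": "r3", "type": "web", "url": "https://www.dropbox.com/s/pndxrpk8zmwjp3w/blender.zip"},
    {"id": "r4", "type": "file", "sha1": "ffdc43c67773ba9d36a309074e414316667ef368",
     "signer_thumbprint": "95ab6bca9a015d877b443e71cb09c0ed0b5de811"},
    {"id": "r5", "type": "net", "dst": "74.119.194.167"},
    {"id": "r6", "type": "web", "url": "https://blenderr.org/"},
    {"id": "r7", "type": "file", "sha1": "0" * 40, "signer_thumbprint": "PLACEHOLDER-LEGIT-THUMBPRINT"},
]

if __name__ == "__main__":
    for rid, reasons in sweep(SAMPLE_RECORDS).items():
        print(rid, "->", "; ".join(reasons))
```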


New T-Mobile Breach Affects 37 Million Accounts

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

Image: customink.com

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a “bad actor” abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

The company said it first learned of the incident on Jan. 5, 2022, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022.

T-Mobile says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver’s license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the filing reads. “We have made substantial progress to date, and protecting our customers’ data remains a top priority.”

Despite this being the second major customer data spill in as many years, T-Mobile told the SEC the company does not expect this latest breach to have a material impact on its operations.

While that may seem like a daring thing to say in a data breach disclosure affecting a significant portion of your active customer base, consider that T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone. In that context, a few hundred million dollars every couple of years to make the class action lawyers go away is a drop in the bucket.

The settlement related to the 2021 breach says T-Mobile will make $350 million available to customers who file a claim. But here’s the catch: If you were affected by that 2021 breach and you haven’t filed a claim yet, please know that you have only three more days to do that.

If you were a T-Mobile customer affected by the 2021 incident, it is likely that T-Mobile has already made several efforts to notify you of your eligibility to file a claim, which includes a payout of at least $25, with the possibility of more for those who can document direct costs associated with the breach. OpenClassActions.com says the filing deadline is Jan. 23, 2023.

“If you opt for a cash payment you will receive an estimated $25.00,” the site explains. “If you reside in California, you will receive an estimated $100.00. Out of pocket losses can be reimbursed for up to $25,000.00. The amount that you claim from T-Mobile will be determined by the class action administrator based on how many people file a legitimate and timely claim form.”

There are currently no signs that hackers are selling this latest data haul from T-Mobile, but if the past is any teacher much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.

T-Mobile customers should fully expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even send messages that include the recipient’s compromised account details to make the communications look more legitimate.

Data stolen and exposed in this breach may also be used for identity theft. Credit monitoring and ID theft protection services can help you recover from having your identity stolen, but most will do nothing to stop the ID theft from happening. If you want the maximum control over who should be able to view your credit or grant new lines of credit in your name, then a security freeze is your best option.

Regardless of which mobile provider you patronize, please consider removing your phone number from as many online accounts as you can. Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.

Why do I suggest this? Many online services allow users to reset their passwords just by clicking a link sent via SMS, and this unfortunately widespread practice has turned mobile phone numbers into de facto identity documents. That means losing control over your phone number, whether through an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis, can be devastating.

Healthcare Cybersecurity | How to Strengthen Defenses Against Cyber Attacks

Threat actors are no strangers to targeting critical sectors to get what they want and the healthcare industry has long worn a target on its back. Exacerbated by the COVID-19 pandemic and its subsequent variants, hospitals and clinics have seen alarming rates of attacks in recent years with more incidents directly leading to patient endangerment.

A recent study found that cyberattacks have significantly strained healthcare providers, resulting in the following:

  • More than 20% of providers surveyed reported experience with common attacks including cloud compromise, ransomware, supply chain, business email compromise (BEC), and phishing
  • Cyberattacks have caused delayed procedures and tests, increased complications in care, and longer patient stays for 57% of the providers surveyed
  • Cyberattacks have cost an average of $4.4 million in 2022 with productivity losses totalling $1.1 million

Life-critical services and patient care are at stake when threat actors take aim at healthcare organizations. This post explains why hospitals and clinics of all sizes are so susceptible to cyberattacks and what CISOs and technical leaders can do to build up their cyber defense strategies.

Understand the Shifting Nature of Ransomware

Medical service providers present two attractive opportunities to financially-motivated cybercriminals: service disruption and data theft.

Exploiting the Fear of Service Disruption

Over the past few years, ransomware attacks have been the direct cause of many major disruptions in healthcare service. By locking out medical staff from accessing their critical tools and databases, ransomware has been responsible for canceled surgeries, delayed cancer treatments, and even an ongoing lawsuit on what is being called the first death by ransomware. In November 2022, for example, the Brooklyn hospital group was thrown into chaos as services were disrupted across its patient care facilities in the wake of a cyber attack.

Victims from this sector are reportedly the most likely to pay the ransom, with 61% of providers having paid out compared to an average of 46% across other industry verticals. Ransomware operators know that medical facilities face devastating consequences should they lose access to their systems.

Though CISA and law enforcement groups have issued warnings against paying ransoms, each minute without access can result in extremely dangerous situations for patients needing care. As such, threat actors continue to beleaguer hospitals, long-term care facilities, private clinics and more, marking them as high-profile targets.

Medical Data Is In High Demand

Some ransomware threat actors have understood that service disruption can be minimized by organizations that implement a good backup and disaster recovery model. File-locking can be devastating to the unprepared, but it can be mitigated against with a degree of planning.

However, hospitals and clinics especially hold mass amounts of sensitive data on their clients – data that is easily sold on dark marketplaces and used for identity theft and fraud.

The high worth of private patient information, ranging from contact details and social insurance numbers to payment data and Protected Health Information (PHI), has driven up the rate of attacks on healthcare organizations.

Attacks on healthcare from a data theft point of view have become a fast-growing issue, with 297 known attacks occurring last year. In one incident in October 2022, Hive ransomware operators stole sensitive files from LCMHS (Lake Charles Memorial Hospital) belonging to 270,000 patients. The stolen data included medical records, health insurance information and payment information. Some patients’ social security numbers were also exposed.

Payment data like credit card numbers can be frozen and replaced, but medical history such as test results, diagnoses, and treatment plans cannot be removed or canceled. This data, in the hands of an opportunistic threat actor, can mean long-reaching damage for affected patients. When private health data is hacked, victims may find themselves at the mercy of targeted ransom demands and blackmail attempts.

Recognizing that data extortion can be both more profitable and less resource-intensive, some threat actors have moved to extortion-only methods. Disaster recovery plans cannot mitigate this threat, and effective defense requires having trusted security software in place that can prevent and detect initial access before data is stolen.

Outdated Systems Bear Many Low-Hanging Fruits of Access

For threat actors, outdated environments and lack of advanced security features spell opportunity for breach. In a notification to medical provider leaders, the FBI highlighted the risk that older, unpatched medical devices bring to digital systems used in hospitals and clinics.

Due to the highly specialized nature of technology in healthcare, the high cost of implementing and maintaining new systems hinders many small and medium-sized providers from upgrading regularly. Many healthcare organizations must work within limited budgets and may not have prioritized the need to update older systems.

However, when the security angle is factored into the intrinsic value of such equipment, there’s a strong argument for reassessing budgetary priorities in favor of accelerating the retirement of outdated and insecure systems.

Digitalization Doesn’t Always Translate to Full Adoption

Digital transformation in the world of health care can be very disruptive. Since the health sector is characterized by a high degree of specialization, medical professionals and organizations oftentimes work in silos.

Software introduced to solve one problem at one facility may cause issues elsewhere in the workflow, especially if that facility collaborates with another that operates on an incompatible platform. A lack of integration with existing systems can create problems with patient safety and the security of medical records while bringing down staff productivity.

Reducing risk from the plethora of devices, operating systems and software in use across the organization is not a simple one-step operation, but the emergence of open XDR technology is leading to answers to problems that older technologies like SIEMs and SOARs attempted but failed to address.

Regulatory Compliance Is Ever Changing

Healthcare providers shoulder a heavy responsibility when it comes to balancing the protection of patient privacy, complying with HIPAA, GDPR, and other regulatory frameworks, and providing quality care. Cyber criminals have rushed to take advantage of providers who may have limited resources and budget to juggle all of these requirements day to day.

Regulatory compliance requirements change often, and keeping up can become a complex undertaking for even the better-funded medical service providers. In recent years alone, digitalization and the reality of COVID-19 have changed regulatory requirements, adding new and updated controls that could take a healthcare organization anywhere from months to years to implement properly.

As new attack surfaces and threats arise in the cyber landscape, regulatory frameworks also adjust, making compliance a moving target for organizations in the healthcare industry.

Healthcare providers now using cloud services to securely store data in a compliant way should understand the shared responsibility model and look for cloud protection solutions to ensure that no doors are being left open.

How SentinelOne Can Help Boost Medical Service Providers’ Defenses

Get Streamlined Security Solution on the Device Level

Having a wide array of Internet-of-Things (IoT) devices combined with lengthy patch cycles leaves endpoints vulnerable to cyberattack. As the medical service industry slowly continues to modernize its systems and tools, smart devices, laptops, and machines all add to the growing attack surface available for threat actors to exploit.

SentinelOne’s Singularity Ranger offers a simple, straightforward security solution that protects at the device and endpoint level and ensures that a full inventory of everything on a network is protected in real time.

Rely on Frictionless Security Operations & Threat Resolution

In-house cybersecurity experts are hard to come by in the healthcare provider industry. During a potential security event, having a team of experts to analyze, triage, and neutralize any threat means providers and medical staff can continue their operations with less disruption. By preventing the initial attack from occurring, providers can protect patient and staff records, avoid delays in life-saving medical care, retain patients, and ensure no reputation-damaging downtime.

Vigilance Respond is a 24/7/365 monitoring, detection and response service offering an expert team that continuously monitors an environment for early indicators of compromise (IoC). It stops signs of lateral movement before they can develop into a full-blown cyber crisis.

Protect Cloud Workloads

To meet the most up-to-date regulatory requirements on data protection, many healthcare providers rely on cloud environments to store, manage, and transmit their patients’ PHI.

To get ahead of threat actors, hospitals and clinics using cloud services must fully understand how the services are being implemented and maintained. Singularity Cloud ensures visibility within the cloud so providers can see how file sharing is being done, what type of data is being stored, and what applications are connected.

Conclusion

As the future of healthcare moves steadily towards the digital, threat actors have seemingly locked in their sights on medical service providers globally. Organizations can’t afford to wait for the next attack, so prevention and visibility are the main goals as CISOs in this sector set out to protect patient PHI and ensure continuous care for those in need.

The responsibility of data security, complexities of regulatory compliance, risks with IoT, and the high value of PHI place CISOs in the midst of a changing threat landscape where the consequences can, at the extreme, affect patient lives.

The state of healthcare organizations does not have to remain precarious, though, and CISOs and technical leaders can work to strengthen their cyber security posture against data breaches and ransomware attacks. By implementing a single, robust security platform, providers can ensure transparency across all their critical endpoints and protect sensitive patient data from being compromised.


Thinking of Hiring or Running a Booter Service? Think Again.

Most people who operate DDoS-for-hire businesses attempt to hide their true identities and location. Proprietors of these so-called “booter” or “stresser” services — designed to knock websites and users offline — have long operated in a legally murky area of cybercrime law. But until recently, their biggest concern wasn’t avoiding capture or shutdown by the feds: It was minimizing harassment from unhappy customers or victims, and insulating themselves against incessant attacks from competing DDoS-for-hire services.

And then there are booter store operators like John Dobbs, a 32-year-old computer science graduate student living in Honolulu, Hawaii. For at least a decade until late last year, Dobbs openly operated IPStresser[.]com, a popular and powerful attack-for-hire service that he registered with the state of Hawaii using his real name and address. Likewise, the domain was registered in Dobbs’s name and hometown in Pennsylvania.

Dobbs, in an undated photo from his Github profile. Image: john-dobbs.github.io

The only work experience Dobbs listed on his resume was as a freelance developer from 2013 to the present day. Dobbs’s resume doesn’t name his booter service, but in it he brags about maintaining websites with half a million page views daily, and “designing server deployments for performance, high-availability and security.”

In December 2022, the U.S. Department of Justice seized Dobbs’s IPStresser website and charged him with one count of aiding and abetting computer intrusions. Prosecutors say his service attracted more than two million registered users, and was responsible for launching a staggering 30 million distinct DDoS attacks.

The government seized four-dozen booter domains, and criminally charged Dobbs and five other U.S. men for allegedly operating stresser services. This was the Justice Department’s second such mass takedown targeting DDoS-for-hire services and their accused operators. In 2018, the feds seized 15 stresser sites, and levied cybercrime charges against three men for their operation of booter services.

Dobbs’s booter service, IPStresser, in June 2020. Image: archive.org.

Many accused stresser site operators have pleaded guilty over the years after being hit with federal criminal charges. But the government’s core claim — that operating a booter site is a violation of U.S. computer crime laws — wasn’t properly tested in the courts until September 2021.

That was when a jury handed down a guilty verdict against Matthew Gatrel, a then 32-year-old St. Charles, Ill. man charged in the government’s first 2018 mass booter bust-up. Despite admitting to FBI agents that he ran two booter services (and turning over plenty of incriminating evidence in the process), Gatrel opted to take his case to trial, defended the entire time by court-appointed attorneys.

Prosecutors said Gatrel’s booter services — downthem[.]org and ampnode[.]com — helped some 2,000 paying customers launch debilitating digital assaults on more than 20,000 targets, including many government, banking, university and gaming websites.

Gatrel was convicted on all three charges of violating the Computer Fraud and Abuse Act, including conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. He was sentenced to two years in prison.

Now, it appears Dobbs is also planning to take his chances with a jury. On Jan. 4, Dobbs entered a plea of not guilty. Neither Dobbs nor his court-appointed attorney responded to requests for comment.

But as it happens, Dobbs himself provided some perspective on his thinking in an email exchange with KrebsOnSecurity back in 2020. I’d reached out to Dobbs because it was obvious he didn’t mind if people knew he operated one of the world’s most popular DDoS-for-hire sites, and I was genuinely curious why he was so unafraid of getting raided by the feds.

“Yes, I am the owner of the domain you listed, however you are not authorized to post an article containing said domain name, my name or this email address without my prior written permission,” Dobbs replied to my initial outreach on March 10, 2020 using his email address from the University of Hawaii at Manoa.

A few hours later, I received more strident instructions from Dobbs, this time via his official email address at ipstresser[.]com.

“I will state again for absolute clarity, you are not authorized to post an article containing ipstresser.com, my name, my GitHub profile and/or my hawaii.edu email address,” Dobbs wrote, as if taking dictation from a lawyer who doesn’t understand how the media works.

When pressed for particulars on his business, Dobbs replied that the number of IPStresser customers was “privileged information,” and said he didn’t even advertise the service. When asked whether he was concerned that many of his competitors were by then serving jail time for operating similar booter services, Dobbs maintained that the way he’d set up the business insulated him from any liability.

“I have been aware of the recent law enforcement actions against other operators of stress testing services,” Dobbs explained. “I cannot speak to the actions of these other services, but we take proactive measures to prevent misuse of our service and we work with law enforcement agencies regarding any reported abuse of our service.”

What were those proactive measures? In a 2015 interview with ZDNet France, Dobbs asserted that he was immune from liability because his clients all had to submit a digital signature attesting that they wouldn’t use the site for illegal purposes.

“Our terms of use are a legal document that protects us, among other things, from certain legal consequences,” Dobbs told ZDNet. “Most other sites are satisfied with a simple checkbox, but we ask for a digital signature in order to imply real consent from our customers.”

Dobbs told KrebsOnSecurity his service didn’t generate much of a profit, but rather that he was motivated by “filling a legitimate need.”

“My reason for offering the service is to provide the ability to test network security measures before someone with malicious intent attacks said network and causes downtime,” he said. “Sure, some people see only the negatives, but there is a long list of companies I have worked with over the years who would say my service is a godsend and has helped them prevent tens of thousands of dollars in downtime resulting from a malicious attack.”

“I do not believe that providing such a service is illegal, assuming proper due diligence to prevent malicious use of the service, as is the case for IPstresser[.]com,” Dobbs continued. “Someone using such a service to conduct unauthorized testing is illegal in many countries, however, the legal liability is that of the user, not of the service provider.”

Dobbs’s profile on GitHub includes more of his ideas about his work, including a curious piece on “software engineering ethics.” In his January 2020 treatise “My Software Engineering Journey,” Dobbs laments that nothing in his formal education prepared him for the reality that a great deal of his work would be so tedious and repetitive (this tracks closely with a 2020 piece here called Career Choice Tip: Cybercrime is Mostly Boring).

“One area of software engineering that I think should be covered more in university classes is maintenance,” Dobbs wrote. “Projects are often worked on for at most a few months, and students do not experience the maintenance aspect of software engineering until they reach the workplace. Let’s face it, ongoing maintenance of a project is boring; there is nothing like the euphoria of completing a project you have been working on for months and releasing it to the world, but I would say that half of my professional career has been related to maintenance.”

Allison Nixon is chief research officer at the New York-based cybersecurity firm Unit 221B. Nixon is part of a small group of researchers who have been closely tracking the DDoS-for-hire industry for years, and she said Dobbs’s claim that what he’s doing is legal makes sense given that it took years for the government to recognize the size of the problem.

“These guys are arguing that their services are legal because for a long time nothing happened to them,” Nixon said. “It’s difficult to argue something is illegal if no one has ever been arrested for it before.”

Nixon says the government’s fight against the booter services — and by extension other types of cybercrimes — is hampered by a legal system that often takes years to cycle through cybercrime cases.

“With cybercrime, the cycle between the crime and investigation and arrest can often take a year or more, and that’s for a really fast case,” Nixon said. “If someone robbed a store, we’d expect a police response within a few minutes. If someone robs a bank’s website, there might be some indication of police activity within a year.”

Nixon praised the 2022 and 2018 booter takedown operations as “huge steps forward,” but added that “there need to be more of them, and faster.”

“This time lag is part of the reason it’s so difficult to shut down the pipeline of new talent going into cybercrime,” she said. “They think what they’re doing is legal because nothing has happened, and because of the amount of time it takes to shut these things down. And it’s really a big problem, where we see a lot of people becoming criminals on the basis that what they’re doing isn’t really illegal because the cops won’t do anything.”

In December 2020, Dobbs filed an application with the state of Hawaii to withdraw IP Stresser Inc. from its roster of active companies. But according to prosecutors, Dobbs would continue to operate his DDoS-for-hire site until at least November 2022.

Two months after our 2020 email interview, Dobbs would earn his second bachelor’s degree (in computer science; his resume says he earned a bachelor’s in civil engineering from Drexel University in 2013). The federal charges against Dobbs came just as he was preparing to enter his final semester toward a master’s degree in computer science at the University of Hawaii.

Nixon says she has a message for anyone involved in operating a DDoS-for-hire service.

“Unless you are verifying that the target owns the infrastructure you’re targeting, there is no legal way to operate a DDoS-for-hire service,” she said. “There is no Terms of Service you could put on the site that would somehow make it legal.”

And her message to the customers of those booter services? It’s a compelling one to ponder, particularly now that investigators in the United States, U.K. and elsewhere have started going after booter service customers.

“When a booter service claims they don’t share logs, they’re lying because logs are legal leverage for when the booter service operator gets arrested,” Nixon said. “And when they do, you’re going to be the first people they throw under the bus.”

Gotta Catch ‘Em All | Understanding the NetSupport RAT Campaigns Hiding Behind Pokemon Lures

Researchers at ASEC recently reported on a NetSupport RAT campaign that utilizes Pokemon as the social engineering lure. Threat actors staged a malicious website, hosting a Pokemon-based NFT game, offering both a fun and financially rewarding experience. In reality, those drawn into the site are coerced into downloading the trojanized NetSupport RAT client, allowing attackers full access to their device.

NetSupport RAT has been observed in numerous attacks on enterprise environments over the years, and Pokemon is just the latest in a long line of creative lures used to distribute and drop NetSupport RAT. It is frequently used by cybercriminals as a ‘quick solution’ in lieu of implementing something more bespoke.

In this post, we provide an overview of NetSupport RAT and discuss the technical details of a recent campaign.

Background

NetSupport RAT is based on NetSupport Manager, a legitimate tool which is frequently used by bad actors for malicious purposes in ways similar to TeamViewer. NetSupport Manager, used maliciously or otherwise, provides full and complete control over the target device. Once the client has been installed, attackers can access, acquire, and manipulate any data on the device (exfiltrate data, execute additional payloads). In addition, the software allows at least the following:

  • Real-time screen monitoring, optimized for monitoring multiple devices
  • Taking control of or redirecting user screens
  • Capturing screenshots, audio, video

Malicious versions are constantly being sold or rented out via underground crime marketplaces.

NetSupport Manager RAT offered for rental

As NetSupport Manager is a legitimate tool that has a long history of development, it is highly attractive to attackers as it can be relied on to work ‘out of the box’. Additionally, it is thoroughly documented and actively supported: benefits that are less likely with custom-built malware that provides similar functionality such as Andromeda, Nanocore, CirenegRAT, Dark Comet and others.

Malicious use of NetSupport Manager (aka NetSupport RAT) has been observed since at least late 2017. The use of “legitimate” or COTS (Commercial off the Shelf) tools is highly beneficial to attackers when attempting to achieve the greatest degree of stealth. Custom-written malware can often be detected by some layer of protection, such as EPP and EDR tools, so it is often advantageous to utilize a legitimate tool, even if it takes some creativity to deliver the remote software client.

ASEC reported that the NetSupport RAT droppers were delivered via phishing emails that entice targets to install a “Pokemon card game”. On doing so, the victim unknowingly installs the NetSupport RAT, a doctored version of the NetSupport Manager client (client32.exe) that gives the attacker immediate and direct control of the infected device. While this specific attack was centered around the Pokemon theme, other phishing lures are known to be used.

Some recent NetSupport RAT campaigns utilize .ISO files as droppers, which allows the attackers to evade certain types of detection. The same technique has been used by ransomware actors such as Maze and Ragnar Locker.

When opened, the ISO files will contain either the NetSupport RAT installer (with configs/support files) or a .LNK file redirecting the victim to said installer.

Technical Details

A typical example of this kind of .ISO file is the sample CLF_security.iso (288603f501926756c236e368a1fdc7d128f4f9a1).

NetSupport RAT ISO file

This particular .ISO contains an embedded .EXE file (CLFSECUR.EXE) which is then utilized to drop and execute the installer for NetSupport RAT.

Sample 4233ff7941da62b86fc2c2d92be0572c9ab534c8 has been observed in multiple ISO files masquerading as legitimate software, including:

  • CodeTwo Exchange Manager
  • PCFresh 2022 SDK Tools
  • Google Chrome
  • Google Crash Handler
  • Steelray Project Setup
  • BrowserRenew.iso
  • CLFsecurity.ISO
  • Cloudflare_security_setup.iso

The RAT installation is disguised to look similar to a Google Chrome installation.

NetSupport RAT Install disguised as Google Chrome setup.

The sample is obfuscated via the Babadeda crypter. When executed, a base64 encoded string is used to specify various parameters including sessionID and other critical values to the NetSupport connection.

Base64 encoded RAT execution command

The command decodes to look similar to the following:

NetSupport RAT decoded command

Persistence for the RAT is achieved via registry entry, and a shortcut to the installed RAT executable is written to the Startup folder. For example:

~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NetSupport.url

In this case, the shortcut links to AppData\Roaming\Steelray Project Viewer. In addition, the sample generates a scheduled task with multiple triggers.

NetSupport RAT Persistence via Scheduled Task
Install directory of NetSupport RAT
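The two persistence artifacts described above (a Startup-folder .url shortcut and a scheduled task with several triggers, both pointing at an executable under AppData\Roaming) can be triaged from disk without running anything. The following is an added example written for this post, not code from SentinelOne or from the campaign: it parses a Startup .url file (which is INI text) and a Task Scheduler XML definition, and flags targets that live in directories a non-admin user can write to. The sample .url and task XML are constructed stand-ins modelled on the paths quoted above; the marker list and the "suspicious" heuristic are the example's own assumptions.

```python
import configparser
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from urllib.parse import unquote

# Directory fragments any interactive user can write to without admin rights
# (assumed list for this example). Software installed machine-wide lands under
# Program Files instead, so an autostart target in these locations deserves a look.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
)

# Namespace used by Task Scheduler XML definitions under %SystemRoot%\System32\Tasks.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def normalize_target(target):
    """Reduce file:///C:/Users/... and C:\\Users\\... spellings to one lowercase backslash path."""
    if target.lower().startswith("file:///"):
        target = unquote(target[len("file:///"):])
    return str(PureWindowsPath(target)).lower()


def is_user_writable(target):
    """True when the target path sits in a directory a non-admin user controls."""
    path = normalize_target(target)
    return any(marker in path for marker in USER_WRITABLE_MARKERS)


def triage_startup_shortcut(url_text):
    """Parse a Startup-folder .url file (InternetShortcut INI format) and assess its target."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(url_text)
    target = cp.get("InternetShortcut", "URL", fallback="")
    return {"target": target, "suspicious": is_user_writable(target)}


def triage_scheduled_task(task_xml):
    """Summarize a Task Scheduler XML definition: its trigger types and Exec commands."""
    root = ET.fromstring(task_xml)
    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [t.tag.split("}")[1] for t in triggers_node]
    commands = [c.text or "" for c in root.findall("t:Actions/t:Exec/t:Command", TASK_NS)]
    return {
        "triggers": triggers,
        "commands": commands,
        "suspicious": any(is_user_writable(c) for c in commands),
    }


# Constructed sample artifacts modelled on the shortcut and multi-trigger task
# described in the post; these are not files recovered from the real campaign.
SAMPLE_STARTUP_URL = """[InternetShortcut]
URL=file:///C:/Users/alice/AppData/Roaming/Steelray%20Project%20Viewer/client32.exe
"""

SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2023-01-01T09:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\alice\AppData\Roaming\Steelray Project Viewer\client32.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_startup_shortcut(SAMPLE_STARTUP_URL))
    print(triage_scheduled_task(SAMPLE_TASK_XML))
```

On a live host the same functions can be fed every .url file in each user's Startup folder and every XML file under System32\Tasks (the task files are UTF-16 on disk, so open them with that encoding). A hit is a lead, not a verdict: plenty of legitimate per-user installers also autostart from AppData, so pair the path check with the publisher of the target executable.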

The RAT performs a number of discovery operations to understand its host environment. Network adapter details are pulled via GetAdaptersAddresses. Additional data is gleaned via WMI queries such as:

SELECT * FROM Win32_ComputerSystem
SELECT * FROM Win32_SystemEnclosure

The malware deploys some anti-analysis measures such as attempting to detect the presence of a debugger via IsDebuggerPresent, and all running processes are enumerated and logged via EnumProcesses (32-bit processes). Launch behavior, including delays in execution or outgoing connection, can be controlled by the attacker. For example, Sleep statements may be used to delay execution by hours in order to trick sandboxes used in malware analysis or simply to disguise the association between the infection and the social engineering event from the user.

Network requirements vary across different NetSupport Manager configurations and sessions. In the analyzed sample, the client opens a port on TCP 50275 to receive network connections.

NetSupport RAT has the ability to drop and execute additional components. In this particular campaign, system/log data and executable code are dropped into %temp%.

NetSupport RAT data in %temp%

Data files and executables are also written to ~\Program Files (x86)\Google\Temp. These files are all self-deleted after launch or full installation of the attacker configuration. A large number of legitimate Google Chrome support files are also written to this location. These are used by the malware in order to facilitate the fake Google Chrome installation.

Conclusion

NetSupport Manager is a long-standing tool which, like TeamViewer, has unfortunately attracted ample use by cybercriminals. NetSupport RAT, once installed, is very robust and powerful, and threat actors are able to masquerade the dropper or installer in any way they see fit. In addition, threat actors using this tool are very quick to update their lures and find ways to entice their victims into installing the malicious remote control software.

SentinelOne Singularity™ provides protection against malicious behaviors associated with NetSupport RAT.

Indicators of Compromise

SHA1 Samples

593966f38d6b062bec8534ec070a194ac3a3c3d8
3a511941b09fdfed1b53bd89e55be7a3211b19c2
16cf01d8e0753e4b6fac781266d033996af6731d
f1c454645ab0adec41765f29861a5b5dd9bda313
0ef99e15452154c240f80c874384d04c46b154a0
ec7e8093b8d35a0e6fbf7b1869d685f0be0e8108
dfc9b696267ae466c6ffa44e63e314df79264afd
4c5771b7fb683b160cb1f7396d39dd706aa7021d
ee3c0579cbcdb5f50ff8cd750a59d89d7757d7a4
288603f501926756c236e368a1fdc7d128f4f9a1
06906aee0ddba30e560e4b60e140e0c098519bb2
7c090065de1090fa92ff01f06739fbca04e6936d
61679dbe1d13d9c25000142fd51b9f4e952a7098
2d6b1900e093c9c8bcce642792e3fadc90b3b0ac
171692daf0a136154edde6e22c791d238ae8c1d0
4233ff7941da62b86fc2c2d92be0572c9ab534c8

DNS/Domains

she32rn1[.]com

MITRE ATT&CK

T1219 – Remote Access Software
T1053.005 – Scheduled Task/Job: Scheduled Task
T1047 – Windows Management Instrumentation
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1564.003 – Hide Artifacts: Hidden Window
T1036 – Masquerading
T1112 – Modify Registry
T1406.002 – Obfuscated Files or Information: Software Packing
T1049 – System Network Connections Discovery
T1083 – File and Directory Discovery
T1057 – Process Discovery
T1012 – Query Registry
T1571 – Non-Standard Port

The Good, the Bad and the Ugly in Cybersecurity – Week 2

The Good

The Federal Communications Commission (FCC) has proposed a number of reforms to breach reporting requirements for U.S. telecoms providers to better protect customers and reduce the impact of security incidents.

With the severity and frequency of data breaches up since the rules were last updated in 2007, the new ones would eliminate the seven-day timeframe for reporting breaches, moving instead to reports filed within a 24 to 72 hour window. Further, providers would need to send data breach reports to agency staff as well as the FBI and Secret Service.

The proposed updates follow several cyber intrusions on leading global telecoms providers. In 2022 alone, Australian telecoms giant, Optus, disclosed a data breach in which customer data was stolen, Comcast Xfinity faced their second data breach within a two-year span, and Verizon notified their prepaid customers of account breaches leading to SIM swapping and unauthorized changes on their credit cards. The year before saw T-Mobile suffer a major breach that affected 77 million individuals and resulted in more than 100 million private records posted for sale in underground forums.

Telecommunications is an industry that threat actors target often because it gives direct access to the providers' clients. Providers are earmarked by nation state-backed actors seeking to conduct espionage on political critics. For cyber criminals, providers hold the keys to customer PII (personally identifiable information) that is not only valuable amongst dark marketplace buyers, but also leveraged in social engineering attacks and identity theft. The FCC's recent proposals will be a welcome update to U.S. data breach regulations, with its next steps focusing on helping telecom carriers enforce stricter data security practices and combat industry-wide vulnerabilities.

The Bad

More than 1300 domains have been compromised this week in an ongoing threat using AnyDesk’s brand name to distribute Vidar info-stealer malware. The impersonation campaign banks on the popularity of the remote desktop solution, used by IT professionals globally for remote connectivity and administrative tasks.

In this active campaign, those accessing the compromised domains are led to a fake, cloned AnyDesk site prompting them to download Vidar malware masquerading as a software installation .zip file. Then, they are redirected to a Dropbox folder which delivers the info-stealing malware payload – a technique used by the threat actor to evade detection since Dropbox is safelisted by many AV solutions.

News outlets report that many of the domains have since been taken offline and for the sites that remain online, the Dropbox links no longer work. However, given that all 1300 domains lead to the same spoof site, the threat actors can keep the campaign going by simply updating the download URL address.

Vidar malware has been around since 2018, responsible for stealing credentials, saved passwords, crypto wallet and banking information, as well as browser history. Info-stealing malware has grown in popularity with cyber criminals as a dedicated means of prying legitimate credentials and cookies out of users’ hands.

Increasingly, info-stealer source code has been put up for sale, bought by ransomware operators for low-cost, quick access and for use in MFA-fatigue attacks. Users are best protected from the rise in info-stealing malware by downloading from trusted sites only, using an endpoint protection security solution, avoiding browser-based password managers, and regularly clearing their browser cookies.

The Ugly

This week, the pro-Russian hacktivist group known as NoName057(16) continues to launch distributed denial-of-service (DDoS) attacks against NATO countries and Ukraine.

Linking its attacks tightly to political events, the pro-Russian group has been credited with attacks on the websites of Czech presidential candidates in the country's 2023 election, the Polish government, and Latvia's parliament. NoName057(16)'s attacks on Poland line up with the latter's official recognition of Russia as a state sponsor of terrorism. Lithuania being caught in a dispute with Russia over train and port usage was cause enough for the hacktivists to attack the Lithuanian cargo and shipping sector.

SentinelLabs researchers report that the group uses the instant messaging app Telegram as its home base for communications and used GitHub to host its DDoS tool website for free before its accounts were disabled for violating the company's acceptable use policies.

NoName057(16) employs a collaborator payment program in which the group coordinates with volunteers to carry out its attacks on targets. This model is lucrative for those who are compelled to join attacks for financial gain rather than for political reasons. Top DDoS performers are rewarded in cryptocurrency, and followers are encouraged to put skin in the game by contributing more technical resources for the next attack.

Though researchers say that the DDoS attacks from NoName057(16) have little to no wider consequence, volunteer-powered attacks with modeled incentives are a cause for concern as threat actors continue to take advantage of a highly volatile political landscape.

Microsoft Patch Tuesday, January 2023 Edition

Microsoft today released updates to fix nearly 100 security flaws in its Windows operating systems and other software. Highlights from the first Patch Tuesday of 2023 include a zero-day vulnerability in Windows, printer software flaws reported by the U.S. National Security Agency, and a critical Microsoft SharePoint Server bug that allows a remote, unauthenticated attacker to make an anonymous connection.

At least 11 of the patches released today are rated “Critical” by Microsoft, meaning they could be exploited by malware or malcontents to seize remote control over vulnerable Windows systems with little or no help from users.

Of particular concern for organizations running Microsoft SharePoint Server is CVE-2023-21743. This is a Critical security bypass flaw that could allow a remote, unauthenticated attacker to make an anonymous connection to a vulnerable SharePoint server. Microsoft says this flaw is “more likely to be exploited” at some point.

But patching this bug may not be as simple as deploying Microsoft updates. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said sysadmins need to take additional measures to be fully protected from this vulnerability.

“To fully resolve this bug, you must also trigger a SharePoint upgrade action that’s also included in this update,” Childs said. “Full details on how to do this are in the bulletin. Situations like this are why people who scream ‘Just patch it!’ show they have never actually had to patch an enterprise in the real world.”

Eighty-seven of the vulnerabilities earned Redmond’s slightly less dire “Important” severity rating. That designation describes vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

Among the more Important bugs this month is CVE-2023-21674, which is an “elevation of privilege” weakness in most supported versions of Windows that has already been abused in active attacks.

Satnam Narang, senior staff research engineer at Tenable, said although details about the flaw were not available at the time Microsoft published its advisory on Patch Tuesday, it appears this was likely chained together with a vulnerability in a Chromium-based browser such as Google Chrome or Microsoft Edge in order to break out of a browser’s sandbox and gain full system access.

“Vulnerabilities like CVE-2023-21674 are typically the work of advanced persistent threat (APT) groups as part of targeted attacks,” Narang said. “The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

By the way, when was the last time you completely closed out your Web browser and restarted it? Some browsers will automatically download and install new security updates, but the protection from those updates usually only happens after you restart the browser.

Speaking of APT groups, the U.S. National Security Agency is credited with reporting CVE-2023-21678, which is another “important” vulnerability in the Windows Print Spooler software.

There have been so many vulnerabilities patched in Microsoft’s printing software over the past year (including the dastardly PrintNightmare attacks and borked patches) that KrebsOnSecurity has joked about Patch Tuesday reports being sponsored by Print Spooler. Tenable’s Narang points out that this is the third Print Spooler flaw the NSA has reported in the last year.

Kevin Breen at Immersive Labs called special attention to CVE-2023-21563, which is a security feature bypass in BitLocker, the data and disk encryption technology built into enterprise versions of Windows.

“For organizations that have remote users, or users that travel, this vulnerability may be of interest,” Breen said. “We rely on BitLocker and full-disk encryption tools to keep our files and data safe in the event a laptop or device is stolen. While information is light, this appears to suggest that it could be possible for an attacker to bypass this protection and gain access to the underlying operating system and its contents. If security teams are not able to apply this patch, one potential mitigation could be to ensure Remote Device Management is deployed with the ability to remotely disable and wipe assets.”

There are also two Microsoft Exchange vulnerabilities patched this month — CVE-2023-21762 and CVE-2023-21745. Given the rapidity with which threat actors exploit new Exchange bugs to steal corporate email and infiltrate vulnerable systems, organizations using Exchange should patch immediately. Microsoft’s advisory says these Exchange flaws are indeed “more likely to be exploited.”

Adobe released four patches addressing 29 flaws in Adobe Acrobat and Reader, InDesign, InCopy, and Adobe Dimension. The update for Reader fixes 15 bugs with eight of these being ranked Critical in severity (allowing arbitrary code execution if an affected system opened a specially crafted file).

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. Nearly 100 updates is a lot, and there are bound to be a few patches that cause problems for organizations and end users. When that happens, AskWoody.com usually has the lowdown.

Please consider backing up your data and/or imaging your system before applying any updates. And please sound off in the comments if you experience any problems as a result of these patches.

7 Ways Threat Actors Deliver macOS Malware in the Enterprise

Our 2022 review of macOS malware revealed that the threats faced by businesses and users running macOS endpoints included an increase in backdoors and cross-platform attack frameworks. Threats like CrateDepression and PyMafka used typosquatting attacks against package repositories to infect users, while ChromeLoader and others like oRAT leveraged malvertising as an infection vector.

However, the infection vector used by many other macOS threats remains unknown. SysJoker, OSX.Gimmick, CloudMensis, Alchemist and the Lazarus-attributed Operation In(ter)ception are just some of those for which researchers still do not know how victims were initially compromised. In these and other cases, researchers happened across the malware either in post-infection analyses or by discovering the samples on malware repositories like VirusTotal, where the sample’s trajectory from threat actor through victim to discovery remains largely untraceable.

Although this gap prevents us from building a full picture of any particular attack campaign, fortunately we can as defenders enumerate the possible ways that malware can compromise a macOS system and analyze how malware has used these vectors in the past. Armed with this knowledge, we can look to build more resilient defenses and security policies to prevent threats gaining entry.


1. The Lure of Free Content

There is an abundance of macOS malware that is distributed through free content download sites such as torrent sites, shareware sites, cracked app sites or free 3rd party app distribution sites.

This torrent for a file utility downloads an adware installer

Content lures include:

  • Cracked Software
  • Live sports streaming sites
  • VPNs, adverts for ‘privacy’ & geofencing evasion
  • Movie, TV, Game and Music download sites, DRM circumvention
  • Porn and sexual services sites

Free content lures are primarily used to drive adware and bundleware infections, but cryptominers such as LoudMiner have also been distributed this way.

The most common scenario is a user being offered free or cracked versions of an application; the user initiates a download of a disk image file purporting to contain that application but on mounting it finds that it is called something like “Flash Player”, “AdobeFlashPlayer.app” or similar. These files are usually unsigned and the user is given instructions on how to override macOS Gatekeeper in order to launch them.

Lure for a cracked version of Adobe Photoshop leads to an adware installer

As shown in the above image, this is a simple trick in the Finder that even non-admin users can use to defeat the Mac’s built-in security mechanism.

Some threat actors have recently been seen directing users to the Terminal to override Gatekeeper there, presumably to work around any additional security controls that organization admins might have deployed via MDM (mobile device management).

Some users set out to seek legitimate content but are pulled into malicious sites through advertising and ‘too good to be true’ deals and offers. Anecdotal evidence suggests that there is a widespread perception among Mac users that exploring such links is not inherently dangerous because Macs are “Safe” and “Don’t get viruses”. The nature of these sites, however, and the insistent use of popups, misleading icons and redirecting links can quickly lead a user from a safe search to a dangerous download.

Although the “Flash Player” lure is largely used by adware and bundleware campaigns, it was also seen in a long-running campaign by Chinese threat actors distributing macOS.Macma. Other campaigns that have made significant use of this vector include OSX.Shlayer, Pirrit and Bundlore. These threats are well-detected by security vendors but often missed by Apple’s built-in signature-based detection technology XProtect.

How To Prevent Attacks via Free Content

Mitigations for infections through this vector include:

  • Controlling permissions relating to software downloads or launches via MDM and/or application allow/deny lists by a security product
  • Restricting access to the Terminal via an MDM solution or a security product
  • Restricting or preventing the execution of unsigned code with a security product
  • Using endpoint protection software to prevent and detect known malware

2. Malvertising to Mac Users

Maliciously-crafted ads on webpages can run hidden code inside the user’s browser, redirecting the victim to sites showing popups with fake software updates or virus scan warnings. In the past 12 months, known malvertising campaigns aimed at macOS users include ChromeLoader and oRAT.

ChromeLoader, also known as Choziosi Loader or ChromeBack, takes the form of a malicious Chrome extension that hijacks the user’s search engine queries, installs a listener to intercept outgoing browser traffic, and serves up adware to victims.

oRAT is a backdoor implant written in Go and is downloaded to the victim’s machine as an unsigned disk image (.dmg) masquerading as a collection of Bitget Apps. The disk image contains a package with the name Bitget Apps.pkg and the distribution identifier com.adobe.pkg.Bitget.


An encrypted blob of data is appended to the malicious binary that contains configuration data such as the C2 IP address.


oRAT’s encrypted blob and the decrypted plain text

More details on oRAT can be found in the writeup here.
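The appended configuration blob described above is a general pattern worth checking for: a Mach-O file declares, through its load commands, exactly which byte ranges its segments occupy, so anything past the last segment's file extent is an "overlay" the loader never maps. The following added example (written for this post, not part of the oRAT writeup or any SentinelOne tooling) parses the header and segment commands of a thin little-endian Mach-O, locates any trailing bytes, and carves them out. It builds a minimal constructed Mach-O image in memory so it runs offline; it does not know or reproduce oRAT's encryption scheme, so the carved bytes are returned as-is for further analysis.

```python
import struct

MH_MAGIC = 0xFEEDFACE       # 32-bit header, 28 bytes
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit header, 32 bytes
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19


def find_overlay(data):
    """Return (offset, length) of bytes past the last segment's file extent, or None.

    Only thin, little-endian Mach-O files are handled here; a fat (universal) binary
    would need each fat_arch slice located and scanned separately. __LINKEDIT is the
    last segment in a normal binary and covers symbol tables and the code signature,
    so anything beyond it was appended after linking.
    """
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a thin little-endian Mach-O file")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)  # same offset in both headers
    end_of_image = header_size + sizeofcmds
    offset = header_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmd == LC_SEGMENT_64:
            # segment_command_64: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, ...
            fileoff, filesize = struct.unpack_from("<QQ", data, offset + 40)
            end_of_image = max(end_of_image, fileoff + filesize)
        elif cmd == LC_SEGMENT:
            # segment_command: cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, ...
            fileoff, filesize = struct.unpack_from("<II", data, offset + 32)
            end_of_image = max(end_of_image, fileoff + filesize)
        offset += cmdsize
    if len(data) > end_of_image:
        return end_of_image, len(data) - end_of_image
    return None


def extract_overlay(data):
    """Carve the trailing bytes (if any) so they can be inspected or decrypted separately."""
    found = find_overlay(data)
    return b"" if found is None else data[found[0]:]


def build_minimal_macho64(body_size=0x200):
    """Constructed sample: a 64-bit arm64 header plus one __TEXT segment spanning body_size bytes."""
    cmdsize = 72
    header = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, cmdsize, 0, 0)
    segment = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, cmdsize, b"__TEXT",
                          0x100000000, body_size, 0, body_size, 5, 5, 0, 0)
    image = header + segment
    return image + b"\x00" * (body_size - len(image))


if __name__ == "__main__":
    clean = build_minimal_macho64()
    tampered = clean + b"constructed-config-blob"   # stands in for an appended encrypted config
    print("clean:", find_overlay(clean))
    print("tampered:", find_overlay(tampered), extract_overlay(tampered))
```

Run against a real sample, the carved overlay is what you would hand to the decryption routine recovered from the binary; a non-zero overlay on a signed, notarized app is also a cheap triage signal, because Apple's code signature covers the declared segments and appending data after it is unusual for legitimate software.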

How to Prevent Attacks from Malvertising

Mitigations for threats distributed through malvertising include:

  • Using firewall control and web filters to block access to known malicious websites. In extremely sensitive cases, firewalls can restrict access to only a limited set of authorized IPs
  • Using Ad blocking software: ad blockers can prevent most adverts from being displayed, but this may have an impact on performance and access to some resources
  • Deploying endpoint protection software to prevent and detect the execution of malicious code delivered through malicious adverts

3. Poisoned Developer Projects

Developers are high-value targets for threat actors looking at mass infections, supply chain attacks, espionage and political manipulation. Undoubtedly the most successful attack on Apple developers to date was XcodeGhost, a malicious version of Apple’s Xcode IDE hosted on a server in China in 2015. A number of Chinese developers chose to download what they believed to be a local mirror of Xcode because downloading the legitimate version from Apple’s servers in the US was extremely slow.

XcodeGhost inserted malicious code into any iOS app that was built with it, and a number of infected apps were subsequently released on Apple’s App Store. The infected apps were capable of stealing sensitive information such as the device’s unique identifier and the user’s Apple ID, and executing arbitrary code on the infected iOS device.

More commonly and more recently, threat actors have sought to infect developers by means of shared code. Because developers look to increase productivity by not ‘reinventing the wheel’, they will often seek out shared code rather than attempt to write their own implementation of tricky libraries or unfamiliar API calls.

Useful code can be found in public repositories hosted on sites like GitHub, but these can also be laced with malware or code that opens a backdoor from the developer’s environment to the attackers. XCSSET malware and XcodeSpy have both exploited shared Xcode projects to compromise developers of macOS and iOS software.

In XCSSET, a project’s .xcodeproj/project.xcworkspace/contents.xcworkspacedata was modified to contain a file reference to a malicious file hidden in the project’s xcuserdata folder. Building the project caused the malware to be executed, which then dropped a multi-stage infection on the developer’s machine, including a backdoor.

In XcodeSpy, a threat actor distributed a doctored version of a legitimate, open-source project available on GitHub. The project’s Build Phases included an obfuscated Run Script that would execute when the developer’s build target was launched.

The obfuscated script found in an XcodeSpy sample.

The script created a hidden file at /private/tmp/.tag, which contained a single command: mdbcmd. This in turn was piped via a reverse shell to the attackers’ C2. The file path is linked to two custom EggShell backdoors found on VirusTotal.

On execution, the customized EggShell binaries drop a LaunchAgent either at ~/Library/LaunchAgents/com.apple.usagestatistics.plist or ~/Library/LaunchAgents/com.apple.appstore.checkupdate.plist. This plist checks to see if the original executable is running; if not, it creates a copy of the executable from a ‘master’ version at ~/Library/Application Support/com.apple.AppStore/.update then executes it.

Persistence agent used by EggShell backdoor linked to XcodeSpy

How To Prevent Attacks via Poisoned Developer Projects

Mitigations for threats distributed through this vector include:

  • Isolating development environments from production environments
  • Requiring all shared developer projects to be reviewed and authorized before being downloaded or built on company devices
  • Implementing secure development practices such as secure coding guidelines, code review and code buddying
  • Educating developers on the dangers of externally-sourced developer projects
  • Monitoring for suspicious and malicious code execution with endpoint protection software
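As an added example of the second mitigation above (reviewing shared projects before they are built on company devices), here is a small Python scanner for the two tampering patterns this section describes: an obfuscated Run Script build phase in project.pbxproj (the XcodeSpy pattern) and a FileRef in contents.xcworkspacedata pointing into xcuserdata (the XCSSET pattern). This is not code from the original post or from Apple; the indicator list and both sample project fragments are constructed for illustration.

```python
"""Scan an Xcode project for Run Script phases and workspace file references
that warrant review before the project is built (added example, constructed data)."""
import re
import xml.etree.ElementTree as ET

# Indicators that a Run Script phase deserves a human look. Heuristic, not exhaustive.
SUSPICIOUS_PATTERNS = {
    "eval": r"\beval\b",
    "base64": r"base64",
    "download": r"\b(curl|wget)\b",
    "hex-escapes": r"\\x[0-9a-fA-F]{2}",
    "hidden-tmp-file": r"/tmp/\.",
}

# One PBXShellScriptBuildPhase object: from its isa line to the closing "};".
_PHASE_RE = re.compile(r"isa = PBXShellScriptBuildPhase;(?P<body>.*?)\n\s*\};", re.DOTALL)
_NAME_RE = re.compile(r'name = "?([^";]*)"?;')
_SCRIPT_RE = re.compile(r'shellScript = "((?:[^"\\]|\\.)*)";')


def _unescape(text):
    # Undo pbxproj string escaping (backslash-quote, backslash-n) so patterns see the real script.
    return text.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")


def find_run_scripts(pbxproj_text):
    """Return [{'name': ..., 'script': ...}] for every Run Script build phase."""
    phases = []
    for m in _PHASE_RE.finditer(pbxproj_text):
        body = m.group("body")
        name = _NAME_RE.search(body)
        script = _SCRIPT_RE.search(body)
        phases.append({
            "name": name.group(1) if name else "<unnamed>",
            "script": _unescape(script.group(1)) if script else "",
        })
    return phases


def suspicious_scripts(pbxproj_text):
    """Return [(phase name, [indicator labels])] for phases matching any pattern."""
    flagged = []
    for phase in find_run_scripts(pbxproj_text):
        hits = [label for label, pat in SUSPICIOUS_PATTERNS.items()
                if re.search(pat, phase["script"])]
        if hits:
            flagged.append((phase["name"], hits))
    return flagged


def suspicious_workspace_refs(xcworkspacedata_xml):
    """Return FileRef locations that point into xcuserdata, where per-user state lives
    and where a reviewer would not expect a buildable file reference."""
    root = ET.fromstring(xcworkspacedata_xml)
    return [ref.get("location", "") for ref in root.iter("FileRef")
            if "xcuserdata" in ref.get("location", "")]


# Constructed project.pbxproj fragment: one phase resembling the XcodeSpy pattern
# (eval of base64-decoded content; the payload here is just the word "placeholder")
# and one ordinary lint step.
SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        A1B2C3 /* Run Script */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = "Run Script";
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "eval \"$(echo cGxhY2Vob2xkZXI= | base64 -D)\"\n";
        };
        D4E5F6 /* Lint */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            name = Lint;
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "swiftlint lint --strict\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# Constructed contents.xcworkspacedata with a reference into xcuserdata.
SAMPLE_WORKSPACE = """<?xml version="1.0" encoding="UTF-8"?>
<Workspace version = "1.0">
   <FileRef location = "self:"></FileRef>
   <FileRef location = "group:xcuserdata/builder.xcuserdatad/Pods_Example.xcscheme"></FileRef>
</Workspace>
"""

if __name__ == "__main__":
    for name, hits in suspicious_scripts(SAMPLE_PBXPROJ):
        print(f"review Run Script phase {name!r}: {', '.join(hits)}")
    for loc in suspicious_workspace_refs(SAMPLE_WORKSPACE):
        print(f"review workspace file reference: {loc}")
```

Run it against a checked-out project by reading `*.xcodeproj/project.pbxproj` and `*.xcodeproj/project.xcworkspace/contents.xcworkspacedata` into the two functions; any hit is a reason to hold the project for review rather than proof of compromise, since legitimate build scripts also download tools and decode data.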

4. Open Source Package Repositories

Things start to get more serious when threat actors target open source package repositories. Code shared through these is widely used across many projects in enterprises and security vetting is both weak and difficult. There are many in use across different platforms and languages including:

  • Python Package Index (PyPI)
  • Crates.io (Rust)
  • Node Package Manager (NPM)
  • Go Module Index (Go)
  • NuGet Gallery (.NET)
  • RubyGems (Ruby)
  • Packagist (PHP)
  • Chocolatey (Windows)
  • Scoop (Windows)
  • Homebrew (macOS)
  • CocoaPods (Swift, iOS)
  • Carthage (Swift, macOS)
  • Fedora Package Database (Linux)
  • CentOS Package Repository (Linux)
  • Arch Linux User Repository (Linux)
  • Ubuntu Package Repositories (Linux)
  • Alpine Package Repository (Linux)
  • Maven Central (Java)

Package repositories can be susceptible to typosquatting attacks and dependency confusion attacks. In some cases, ownership of legitimate packages has been hijacked or transferred to malicious actors.

In May 2022, a popular PyPI package ‘PyKafka’ was targeted in a typosquatting attack with a package named ‘PyMafka’. The PyMafka package contained a Python script that surveyed the host and determined the operating system.


If the device was running macOS, it reached out to a C2 and downloaded a Mach-O binary called ‘MacOs’ and wrote it to /private/var/tmp with the name ‘zad’. The binary was UPX-packed and obfuscated and dropped a Cobalt Strike beacon.

Only a week earlier, the Rust repository Crates.io had also been targeted by threat actors typosquatting the legitimate ‘rust_decimal’ package with a malicious ‘rustdecimal’ package. The latter targeted environments with GitLab Continuous Integration (CI) pipelines and dropped a Go-written macOS-compiled Poseidon payload.

As 2022 closed out, an actor who later claimed to be a ‘researcher’ targeted the PyTorch package on PyPI with a dependency confusion attack.

Dependency confusion attacks take advantage of the fact that some packages have dependencies that are hosted on private servers. By default, package managers handle a client’s request for dependencies by first searching the public repository. If the dependency package’s name doesn’t already exist in the public repo, an attacker can upload their own malicious package to the public repo and intercept the request from the client.

The malware dropped in the attack on PyTorch collected and exfiltrated a variety of sensitive data from the victim’s machine for transfer to a remote URL, including the contents of ~/.gitconfig/ and ~/.ssh/.

PyTorch is a popular open-source machine learning library for Python, estimated to have had around 180 million downloads. In the 5 days between Christmas Day and New Year’s Day that the malicious package was hosted on PyPI, it achieved 2300 downloads.

How To Prevent Attacks via Package Repositories

Mitigations for threats distributed through this vector include many of the same recommendations as for protecting against malicious shared developer projects. In addition, security teams can also adopt the following recommendations:

  • Using private repositories and configuring package managers not to default to a public repository
  • Verifying package authenticity through code signing
  • Periodically auditing and verifying externally-sourced code
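The dependency confusion mechanism explained above and the first and third mitigations in this list can be checked mechanically. The following Python audit is an added example, not code from the post, from pip or from PyPI: it contrasts a pip configuration that falls through to a public index with one that does not, then checks a requirements file for private names that also exist on the public index and for entries that are not pinned and hash-verified. The pip.conf layouts, the requirements file, the private-package list and the public-index snapshot are all constructed.

```python
"""Audit a pip requirements file for dependency-confusion exposure
(added example; all inputs below are constructed)."""
import re

# Weak (assumed layout): extra-index-url makes pip consult both indexes and
# install the highest version found, so a public package with a private name wins.
PIP_CONF_WEAK = """[global]
index-url = https://pypi.org/simple
extra-index-url = https://pypi.internal.example/simple
"""

# Hardened: one internal index that proxies PyPI and is the sole source for
# private names, with hash checking required on install.
PIP_CONF_HARDENED = """[global]
index-url = https://pypi.internal.example/simple
[install]
require-hashes = true
"""

_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*[^\s\\]+)?(.*)$")


def _normalize(name):
    # pip treats names case-insensitively and '_' and '-' as equivalent.
    return name.lower().replace("_", "-")


def parse_requirements(text):
    """Return [(name, pinned_version or None, has_hash)] from requirements.txt text.
    Backslash continuation lines are joined first; comments and options are skipped."""
    joined = text.replace("\\\n", " ")
    reqs = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        pin = m.group(2).replace("==", "").strip() if m.group(2) else None
        reqs.append((_normalize(m.group(1)), pin, "--hash=" in m.group(3)))
    return reqs


def confusion_risks(reqs, private_names, public_names):
    """Private names that also exist on the public index: a pip with a public
    fallback would select the attacker-controlled copy if its version is higher."""
    private = {_normalize(n) for n in private_names}
    public = {_normalize(n) for n in public_names}
    return sorted({name for name, _, _ in reqs} & private & public)


def unverified(reqs):
    """Requirements that are not both version-pinned and hash-checked."""
    return [name for name, pin, hashed in reqs if pin is None or not hashed]


def uses_public_fallback(pip_conf):
    """True when an extra-index-url is configured, i.e. pip may resolve a name
    from a second index."""
    return any(l.strip().startswith("extra-index-url") for l in pip_conf.splitlines())


# Constructed requirements.txt; the sha256 digests are placeholders, not real hashes.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
internal-auth-lib==1.4.0
reporting_sdk==0.9.2 \\
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
numpy
"""
# Constructed: names the team publishes only to its private index ...
PRIVATE_NAMES = {"internal-auth-lib", "reporting_sdk"}
# ... and a snapshot of names seen on the public index, where someone has
# registered one of the private names.
PUBLIC_SNAPSHOT = {"requests", "numpy", "reporting-sdk"}

if __name__ == "__main__":
    reqs = parse_requirements(SAMPLE_REQUIREMENTS)
    print("public fallback configured:", uses_public_fallback(PIP_CONF_WEAK))
    print("names at risk of confusion:", confusion_risks(reqs, PRIVATE_NAMES, PUBLIC_SNAPSHOT))
    print("not pinned and hash-checked:", unverified(reqs))
```

The public-index snapshot would normally be refreshed from the registry's simple index on a schedule; the point of the check is that a private name appearing there is an incident, whether or not the build has yet pulled the wrong package.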

5. Trojan Applications

Attacks on package repositories can be devastating and far-reaching, but they are also noisy: they will inevitably be discovered and draw a lot of attention. In contrast, threat actors looking to deliver malware to specific targets more stealthily may prefer to trojanize popular applications.

In 2021, sponsored links in the Baidu search engine were used to spread malware via trojanized versions of the popular Terminal application iTerm2. Further investigation into OSX.Zuru, as it came to be known, found that the campaign also used trojan versions of Microsoft’s Remote Desktop for Mac, Navicat and SecureCRT.

The apps were codesigned with a developer signature different from the legitimate signature, primarily to ensure that they were not blocked by Gatekeeper. Aside from replacing the original code signature, the threat actor had modified the application bundles with a malicious dylib in the .app/Contents/Frameworks/ folder called libcrypto.2.dylib. Analysis of this file revealed functionality for surveilling the local environment, reaching out to a C2 server and executing remote commands via a backdoor.

The selection of trojanized apps was interesting and suggests the threat actor was targeting backend users of tools used for remote connections and business database management.

More recently, Chinese-linked threat actors have been found distributing trojanized versions of EAAClient and SecureLink that deliver a Sliver payload. These trojans are delivered without a code signature, and the threat actors use techniques described above (See: The Lure of Free Content) to persuade victims to override local security settings through the Terminal.


Researchers have also recently found malicious versions of an open-source tool that are designed to steal the victim’s password and keychain – effectively giving the actor full access to all the user’s passwords in macOS. In this case, the tool in question, Resign Tool, is used by developers to resign apps and bundle them into ipa files for installation on iOS devices – indicating the threat actor’s clear interest in infecting developers.

How To Prevent Attacks via Trojan Applications

Mitigations for threats distributed through this vector include:

  • Verifying that all code is signed and that code signatures correspond to the appropriate known developer signature
  • Restricting or preventing the execution of unsigned code with a security product
  • Using endpoint protection software to prevent and detect suspicious or malicious code execution
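The first mitigation above is stricter than "is it signed": the signature must belong to the developer you expect. The OSX.Zuru case illustrates why, since the trojanized apps carried a valid signature from a different developer and an extra dylib under Contents/Frameworks. The Python check below is an added example, not code from the post or from Apple. It parses the key=value report that `codesign -dv --verbose=4 <bundle>` writes to stderr, compares the TeamIdentifier against an allow-list keyed by bundle identifier, and diffs the Frameworks folder against a known-good listing. The report text, the Team IDs and the framework listings are constructed placeholders.

```python
"""Verify a macOS bundle's signer against an allow-list and its Frameworks folder
against a baseline (added example; report text and Team IDs are constructed)."""

# Constructed allow-list: the Team ID your organisation expects for each bundle identifier.
EXPECTED_TEAM_IDS = {
    "com.example.terminal": "TEAMID00001",   # placeholder, not a real Team ID
}

# Constructed `codesign -dv --verbose=4` output for a bundle re-signed by another developer.
SAMPLE_CODESIGN_REPORT = """\
Executable=/Applications/Example Terminal.app/Contents/MacOS/Example Terminal
Identifier=com.example.terminal
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=8980
Authority=Developer ID Application: Some Other Dev (TEAMID99999)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2023 at 00:00:00
Info.plist entries=32
TeamIdentifier=TEAMID99999
Sealed Resources version=2 rules=13 files=200
Internal requirements count=1 size=212
"""

# Constructed Frameworks listings: the vendor's release versus the bundle under review.
BASELINE_FRAMEWORKS = ["Sparkle.framework", "libssl.1.1.dylib"]
OBSERVED_FRAMEWORKS = ["Sparkle.framework", "libssl.1.1.dylib", "libcrypto.2.dylib"]


def parse_codesign_report(report):
    """Turn codesign's key=value lines into a dict; the repeated Authority key becomes a list."""
    fields = {}
    for line in report.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "Authority":
            fields.setdefault("Authority", []).append(value)
        else:
            fields[key] = value
    return fields


def check_signature(report, expected=EXPECTED_TEAM_IDS):
    """Return (ok, reason). Unsigned bundles, unknown bundle identifiers and
    signatures from a Team ID other than the recorded one all fail."""
    if "code object is not signed at all" in report:
        return False, "unsigned"
    fields = parse_codesign_report(report)
    ident = fields.get("Identifier")
    team = fields.get("TeamIdentifier")
    if ident not in expected:
        return False, f"no expected Team ID recorded for {ident}"
    if team != expected[ident]:
        return False, f"signed by {team}, expected {expected[ident]}"
    return True, "signature matches expected developer"


def unexpected_frameworks(observed, baseline):
    """Files under Contents/Frameworks that the known-good release does not ship."""
    return sorted(set(observed) - set(baseline))


if __name__ == "__main__":
    print(check_signature(SAMPLE_CODESIGN_REPORT))
    print("unexpected frameworks:", unexpected_frameworks(OBSERVED_FRAMEWORKS, BASELINE_FRAMEWORKS))
```

On a real host the report comes from `subprocess.run(["codesign", "-dv", "--verbose=4", path], capture_output=True, text=True).stderr`, and the baseline listing from a copy of the app installed from the vendor's own distribution channel; the allow-list is the piece that has to be maintained deliberately, since a valid Developer ID signature on its own says nothing about who the developer is.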

6. Exploits and Watering Hole Attacks

A less common infection vector and one that requires some skill to pull off is using browser exploits to infect visitors to a poisoned website. Zero day exploits in browsers are a regular focus area for hacker competitions, including China’s annual Tianfu Cup. Even after being patched, these vulnerabilities can still be used as N-Days against organizations or users that fail to keep their browsers up to date.

In the most recent security update for macOS Ventura and Safari released on December 13, 2022, more than 30 bugs were patched, including the following browser-related vulnerabilities:

  • CVE-2022-42856: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
  • CVE-2022-42867: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2022-46691: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2022-46695: Visiting a website that frames malicious content may lead to UI spoofing.
  • CVE-2022-46696: Processing maliciously crafted web content may lead to arbitrary code execution.
  • CVE-2022-46705: Visiting a malicious website may lead to address bar spoofing.

Threat actors that have recently exploited vulnerabilities in macOS and used them in watering hole attacks include the Chinese-related APT responsible for Macma and DazzleSpy.

According to researchers at Google’s TAG, Macma combined an N-day remote code execution vulnerability in WebKit (CVE-2021-1789) and a zero day local privilege escalation in XNU (CVE-2021-30869). The chained exploits were used to load and execute a Mach-O binary in memory. The malware was able to escape the Safari sandbox, elevate privileges, and download a second stage payload from a C2.

Firefox zero days have also been used in attacks on macOS users. Coinbase reported targeted attacks via what later became known as CVE-2019-11707 in 2019, which delivered variants of Netwire and Mokes malware.

How To Prevent Attacks via Exploits and Watering Holes

Mitigations for threats distributed through this vector include:

  • Ensuring system and application software is up-to-date to prevent attacks leveraging N-day vulnerabilities
  • Deploying a behavioral AI security solution that can detect suspicious behavior used in zero day infection chains
  • Deploying a security solution that allows for threat hunting over extended periods

7. Supply Chain Attacks

Some of the infection vectors we have covered already can and have been used in attempted supply-chain attacks, particularly those involving trojan applications, shared developer code and package repositories. However, those cases all involved fake or imitation versions of legitimate code, packages and applications.

Supply chain attacks in which a threat actor compromises the legitimate code distributed by a vendor to its clients are rarer but not unheard of. Back in 2016, the popular macOS torrent client Transmission was infected with a rare example of macOS ransomware. Threat actors compromised the developer’s servers and added KeRanger malware to the disk image containing the software.

More recently, in 2022, researchers discovered that APT 27 (aka Iron Tiger, LuckyMouse) had compromised the servers belonging to the MiMi chat application. A compromised MiMi installer was seen retrieving a Mach-O backdoor named ‘rshell’. Malicious JavaScript had been added to the disk image used to install the chat application. When users ran the installer, the malicious code reached out to a remote IP to retrieve the rshell binary. The malware functioned as a backdoor with the ability to fingerprint the victim device, exfiltrate data and run remote commands.

rshell contains a hardcoded IP address for its C2

How To Prevent Supply Chain Attacks

Supply chain attacks can occur through many of the vectors discussed above and can occur anywhere in the supply chain, including directly within the organization’s own development and production cycles. For this reason, defending against such a compromise requires an overall security strategy that includes most of the recommendations given above, but focuses in particular on:

  • Performing due diligence on all suppliers and partners to ensure that they have good security practices in place
  • Regularly auditing and reviewing the security of the supply chain, including keeping up to date records of changes in suppliers and partners
  • Implementing robust security controls throughout the organization, including using modern endpoint, cloud and identity management security controls
  • Regularly updating software systems and patching vulnerabilities

Other Means of Compromising macOS

Two commonly used infection vectors, seen particularly in attacks against Windows users, are notably absent from the list above: emails containing phishing links, and RCEs through publicly exposed internet-facing services.

Malicious links and attachments represent an opportunity for threat actors targeting any system, including macOS. Maldocs that determine the host system and have specific logic for macOS have been known, but they are not widely reported. Sandbox escapes for MS Office for Mac are also not unheard of.

As noted in the introduction to this post, many malware infections’ initial means of compromise remain unknown to researchers, and given the prevalence of phishing emails in compromises in general, it’s certainly a vector that defenders must consider.

Remote attacks involving unauthorized code execution tend to be common on Windows as a result of weaknesses in Microsoft software, particularly the RDP protocol. Having said that, a review of Apple’s security updates does reveal that zero day RCE vulnerabilities in macOS are possible.

Organizations can defend against the possibility of compromise through both these vectors by implementing security controls previously outlined, with an emphasis on endpoint protection and timely software updates to protect against malware executed via phishing attempts and RCEs through software and OS vulnerabilities.

Conclusion

Preventing attacks at the first stage of infection reduces the impact on both the security team and the organization. Unfortunately, there is still a widespread perception that macOS controls like codesigning, Gatekeeper and Apple’s notarization service are enough to prevent successful malware attacks, but the evidence from malware seen and discovered in 2022 alone proves otherwise. Apple itself has come out on record stating that Macs have a malware problem.

By fortifying their defenses and understanding the main infection vectors used by in-the-wild macOS malware as discussed above, security teams can better protect the organization. To see how SentinelOne can help protect the Macs in your organization, contact us or request a free demo.


Identity Thieves Bypassed Experian Security to View Credit Reports

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

The vulnerability in Experian’s website was exploitable after one applied to see their credit file via annualcreditreport.com.

In December, KrebsOnSecurity heard from Jenya Kushnir, a security researcher living in Ukraine who said he discovered the method being used by identity thieves after spending time on Telegram chat channels dedicated to the cashing out of compromised identities.

“I want to try and help to put a stop to it and make it more difficult for [ID thieves] to access, since [Experian is] not doing shit and regular people struggle,” Kushnir wrote in an email to KrebsOnSecurity explaining his motivations for reaching out. “If somehow I can make small change and help to improve this, inside myself I can feel that I did something that actually matters and helped others.”

Kushnir said the crooks learned they could trick Experian into giving them access to anyone’s credit report, just by editing the address displayed in the browser URL bar at a specific point in Experian’s identity verification process.

Following Kushnir’s instructions, I sought a copy of my credit report from Experian via annualcreditreport.com — a website that is required to provide all Americans with a free copy of their credit report from each of the three major reporting bureaus, once per year.

Annualcreditreport.com begins by asking for your name, address, SSN and birthday. After I supplied that and told Annualcreditreport.com I wanted my report from Experian, I was taken to Experian.com to complete the identity verification process.

Normally at this point, Experian’s website would present four or five multiple-guess questions, such as “Which of the following addresses have you lived at?”

Kushnir told me that when the questions page loads, you simply change the last part of the URL from “/acr/oow/” to “/acr/report,” and the site would display the consumer’s full credit report.

But when I tried to get my report from Experian via annualcreditreport.com, Experian’s website said it didn’t have enough information to validate my identity. It wouldn’t even show me the four multiple-guess questions. Experian said I had three options for a free credit report at this point: Mail a request along with identity documents, call a phone number for Experian, or upload proof of identity via the website.

But that didn’t stop Experian from showing me my full credit report after I changed the Experian URL as Kushnir had instructed — modifying the error page’s trailing URL from “/acr/OcwError” to simply “/acr/report”.

Experian’s website then immediately displayed my entire credit file.

Even though Experian said it couldn’t tell that I was actually me, it still coughed up my report. And thank goodness it did. The report contains so many errors that it’s probably going to take a good deal of effort on my part to straighten out.

Now I know why Experian has NEVER let me view my own file via their website. For example, there were four phone numbers on my Experian credit file: Only one of them was mine, and that one hasn’t been mine for ages.

I was so dumbfounded by Experian’s incompetence that I asked a close friend and trusted security source to try the method on her identity file at Experian. Sure enough, when she got to the part where Experian asked questions, changing the last part of the URL in her address bar to “/report” bypassed the questions and immediately displayed her full credit report. Her report also was replete with errors.

KrebsOnSecurity shared Kushnir’s findings with Experian on Dec. 23, 2022. On Dec. 27, 2022, Experian’s PR team acknowledged receipt of my Dec. 23 notification, but the company has so far ignored multiple requests for comment or clarification.

By the time Experian confirmed receipt of my report, the “exploit” Kushnir said he learned from the identity thieves on Telegram had been patched and no longer worked. But it remains unclear how long Experian’s website was making it so easy to access anyone’s credit report.
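The flaw described above is a textbook case of a multi-step flow where each page trusts the URL instead of server-side state. The Python sketch below is an added example, not Experian's code: a toy request handler that serves the report whenever the identity-claim step has been reached (the vulnerable shape) beside one that serves it only after the server itself has recorded a passed verification step. The paths are the ones named in the article; the session model is an assumption.

```python
"""Server-side step enforcement for a multi-step identity verification flow
(added example; session model is assumed, not Experian's)."""
from dataclasses import dataclass

REPORT = "<full credit report>"
QUESTIONS = "<knowledge-based authentication questions>"
ERROR_PAGE = "<cannot verify identity: mail, call or upload documents>"


@dataclass
class Session:
    identity_claimed: bool = False   # name, address, DOB and SSN were submitted
    kba_passed: bool = False         # server recorded a correct set of answers
    kba_available: bool = True       # False when the bureau cannot generate questions


def vulnerable_handle(session, path):
    """Every page after the claim step is reachable by URL; nothing checks that the
    verification step actually completed, so editing the URL skips it."""
    if not session.identity_claimed:
        return 401, "start at the request form"
    if path == "/acr/oow":
        return 200, QUESTIONS if session.kba_available else ERROR_PAGE
    if path == "/acr/OcwError":
        return 200, ERROR_PAGE
    if path == "/acr/report":
        return 200, REPORT          # the flaw: served regardless of kba_passed
    return 404, ""


def hardened_handle(session, path):
    """Authorization for the report comes from server-side state that only the
    verification step can set, so the URL alone grants nothing."""
    if not session.identity_claimed:
        return 401, "start at the request form"
    if path == "/acr/oow":
        return 200, QUESTIONS if session.kba_available else ERROR_PAGE
    if path == "/acr/OcwError":
        return 200, ERROR_PAGE
    if path == "/acr/report":
        if not session.kba_passed:
            return 403, "identity not verified"
        return 200, REPORT
    return 404, ""


def submit_kba_answers(session, all_correct):
    """The only code path that grants report access. When no questions could be
    generated, no answer set can pass, which is exactly the case the article hit."""
    session.kba_passed = bool(session.kba_available and all_correct)
    return session.kba_passed


if __name__ == "__main__":
    s = Session(identity_claimed=True)
    print("vulnerable, no KBA:", vulnerable_handle(s, "/acr/report"))
    print("hardened, no KBA:  ", hardened_handle(s, "/acr/report"))
    submit_kba_answers(s, all_correct=True)
    print("hardened, KBA ok:  ", hardened_handle(s, "/acr/report"))
```

The same rule generalises to any wizard-style flow: the privileged page checks a flag that only the preceding step's server-side handler can set, and the error branch ("we cannot verify you") must leave that flag false rather than merely redirecting to a different page.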

In response to information shared by KrebsOnSecurity, Senator Ron Wyden (D-Ore.) said he was disappointed — but not at all surprised — to hear about yet another cybersecurity lapse at Experian.

“The credit bureaus are poorly regulated, act as if they are above the law and have thumbed their noses at Congressional oversight,” Wyden said in a written statement. “Just last year, Experian ignored repeated briefing requests from my office after you revealed another cybersecurity lapse the company.”

Sen. Wyden’s quote above references a story published here in July 2022, which broke the news that identity thieves were hijacking consumer accounts at Experian.com just by signing up as them at Experian once more, supplying the target’s static, personal information (name, DoB/SSN, address) but a different email address.

From interviews with multiple victims who contacted KrebsOnSecurity after that story, it emerged that Experian’s own customer support representatives were actually telling consumers who got locked out of their Experian accounts to recreate their accounts using their personal information and a new email address. This was Experian’s advice even for people who’d just explained that this method was what identity thieves had used to lock them out in the first place.

Clearly, Experian found it simpler to respond this way, rather than acknowledging the problem and addressing the root causes (lazy authentication and abhorrent account recovery practices). It’s also worth mentioning that reports of hijacked Experian.com accounts persisted into late 2022. That screw-up has since prompted a class action lawsuit against Experian.

Sen. Wyden said the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) need to do much more to protect Americans from screw-ups by the credit bureaus.

“If they don’t believe they have the authority to do so, they should endorse legislation like my Mind Your Own Business Act, which gives the FTC power to set tough mandatory cybersecurity standards for companies like Experian,” Wyden said.

Sadly, none of this is terribly shocking behavior for Experian, which has shown itself a completely negligent custodian of obscene amounts of highly sensitive consumer information.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

It’s bad enough that we can’t really opt out of companies like Experian making $2.6 billion each quarter collecting and selling gobs of our personal and financial information. But there has to be some meaningful accountability when these monopolistic companies engage in negligent and reckless behavior with the very same consumer data that feeds their quarterly profits. Or when security and privacy shortcuts are found to be intentional, like for cost-saving reasons.

And as we saw with Equifax’s consolidated class-action settlement in response to letting state-sponsored hackers from China steal data on nearly 150 million Americans back in 2017, class-actions and more laughable “free credit monitoring” services from the very same companies that created the problem aren’t going to cut it.

WHAT CAN YOU DO?

It is easy to adopt a defeatist attitude with the credit bureaus, who often foul things up royally even for consumers who are quite diligent about watching their consumer credit files and disputing any inaccuracies.

But there are some concrete steps that everyone can take which will dramatically lower the risk that identity thieves will ruin your financial future. And happily, most of these steps have the side benefit of costing the credit bureaus money, or at least causing the data they collect about you to become less valuable over time.

The first step is awareness. Find out what these companies are saying about you behind your back. Keep in mind that — fair or not — your credit score as collectively determined by these bureaus can affect whether you get that loan, apartment, or job. In that context, even small, unintentional errors that are unrelated to identity theft can have outsized consequences for consumers down the road.

Each bureau is required to provide a free copy of your credit report every year. The easiest way to get yours is through annualcreditreport.com.

Some consumers report that this site never works for them, and that each bureau will insist they don’t have enough information to provide a report. I am definitely in this camp. Thankfully, a financial institution that I already have a relationship with offers the ability to view your credit file through them. Your mileage on this front may vary, and you may end up having to send copies of your identity documents through the mail or website.

When you get your report, look for anything that isn’t yours, and then document and file a dispute with the corresponding credit bureau. And after you’ve reviewed your report, set a calendar reminder to recur every four months, reminding you it’s time to get another free copy of your credit file.

If you haven’t already done so, consider making 2023 the year that you freeze your credit files at the three major reporting bureaus, including Experian, Equifax and TransUnion. It is now free to people in all 50 U.S. states to place a security freeze on their credit files. It is also free to do this for your partner and/or your dependents.

Freezing your credit means no one who doesn’t already have a financial relationship with you can view your credit file, making it unlikely that potential creditors will grant new lines of credit in your name to identity thieves. Freezing your credit file also means Experian and its brethren can no longer sell peeks at your credit history to others.

Anytime you wish to apply for new credit or a new job, or open an account at a utility or communications provider, you can quickly thaw a freeze on your credit file, and set it to freeze automatically again after a specified length of time.

Please don’t confuse a credit freeze (a.k.a. “security freeze”) with the alternative that the bureaus will likely steer you towards when you ask for a freeze: “Credit lock” services.

The bureaus pitch these credit lock services as a way for consumers to easily toggle their credit file availability with push of a button on a mobile app, but they do little to prevent the bureaus from continuing to sell your information to others.

My advice: Ignore the lock services, and just freeze your credit files already.

One final note. Frequent readers here will have noticed that I’ve criticized these so-called “knowledge-based authentication” or KBA questions that Experian’s website failed to ask as part of its consumer verification process.

KrebsOnSecurity has long assailed KBA as weak authentication because the questions and answers are drawn largely from consumer records that are public and easily accessible to organized identity theft groups.

That said, given that these KBA questions appear to be the ONLY thing standing between me and my Experian credit report, it seems like maybe they should at least take care to ensure that those questions actually get asked.

The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good

It’s been a busy start to the new year for privacy regulators, who have hit both Meta (aka Facebook) and Apple with new fines.

Apple has been given an $8 million penalty by France’s CNIL for failing to obtain consent from iOS 14.6 users relating to identifiers used to present targeted ads. Meta, which had just received a fine of $170 million from the CNIL a few weeks ago, now faces a further whopping $410 million (€390 million) fine from Ireland’s Data Protection Commission (DPC).

The DPC fined Meta Ireland €210 million for breaches of the GDPR relating to its Facebook service and €180 million for breaches in relation to Instagram. Both relate to complaints that users were forced to consent to personalized ads in order to use the offered services.

In better news for Meta and users of the company’s WhatsApp instant messaging service, this week saw WhatsApp roll out support for proxy servers. This allows users to connect to each other and maintain end-to-end encrypted chats even if authorities block WhatsApp’s own servers, as Iranian authorities did back in September in the wake of civil unrest.

The Bad

No sooner had we noted that supply chain attacks via public code repositories were likely to be an increasingly common feature of the 2023 threat landscape than a threat actor ran a dependency confusion attack against the PyTorch package on PyPI.

Dependency confusion attacks are different from the more common typosquatting attacks that we’ve seen used against shared repos recently like CrateDepression and pymafka. The technique takes advantage of the fact that some packages have dependencies that are hosted on private servers. However, by default, package managers that handle a client’s request for dependencies search the public code registry first for instances of the dependency. That means if the dependency package’s name is available on the public registry, an attacker can upload a malicious package to the registry and essentially intercept the dependency request from the client when users build it on their local machines.

An individual, who subsequently claimed to be a ‘researcher’, uploaded a malicious public version of the privately-hosted torchtriton package used by PyTorch. Users that built PyTorch between December 25th and December 30th received the fake torchtriton dependency. The malware was almost identical to the legitimate torchtriton save for the addition of a malicious binary at ./triton/runtime/triton and code to ensure that it was executed. The triton executable collects and exfiltrates a variety of sensitive data from the victim’s machine to a remote URL, including:

  • Nameservers from /etc/resolv.conf
  • Hostname from gethostname()
  • Current username
  • Current working directory
  • Environment variables
  • /etc/hosts
  • /etc/passwd
  • First 1,000 files in $HOME
  • $HOME/.gitconfig
  • $HOME/.ssh/

The malicious package has since been removed and replaced with a stub to prevent further attempts at exploiting the same trick. However, dependency confusion attacks are possible wherever private packages do not claim the same namespace in the public repository. Aside from PyPI, packages hosted on NPM and YARL are also known to be vulnerable to dependency confusion attacks.

PyTorch supply chain attack

It’s estimated that there were around 2300 malicious downloads during the time the malware was hosted on PyPI and PyTorch users are urged to uninstall and download the latest version if they think they might be affected. It is also recommended that credentials or keys stored in any of the locations noted above be rotated or reset.

The Ugly

In a different kind of dependency attack, DLL sideloading reared its ugly head again this week with news that threat actors are abusing Microsoft’s Windows Problem Reporting tool, WerFault.exe, to deploy Pupy RAT.

Victims receive an email with a malicious attachment. When double-clicked, the attachment mounts an ISO file containing a legitimate copy of WerFault.exe and a malicious version of a dependency, faultrep.dll. When users click the shortcut LNK file “recent inventory& our specialties.lnk” located in the mounted drive, it launches WerFault.exe, which in turn looks for and loads the DLL dependency located in the same directory.

The doctored DLL presents the user with a decoy XLS spreadsheet while in the background it loads an encrypted Pupy RAT payload into memory.

WerFault Pupy RAT

Pupy is an open-source, cross-platform attack framework with payloads that work on Windows, Linux, Android and macOS. Its capabilities include the ability to open a backdoor, execute arbitrary code and execute further payloads.

It is not immediately clear who is behind the campaign, but based on the XLS lure targets appear to be Chinese-speaking users. Sideloading DLLs via legitimate Microsoft software continues to be an issue defenders need to take seriously: Last year, Microsoft security tool Windows Defender was found being used to sideload Cobalt Strike during LockBit ransomware incidents.
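The WerFault.exe/faultrep.dll chain above has a recognisable telemetry shape: a Windows-signed executable running from somewhere other than the Windows directory loads a DLL that carries a system DLL's name from that same directory. The Python detection below is an added example, not code from the post or from Microsoft or the Sysmon project. It assumes Sysmon Event ID 7 (ImageLoad) records exported as newline-delimited JSON with the field names Image, ImageLoaded and Signature; the three events and the baseline set of system DLL names are constructed.

```python
"""Flag DLL sideloading candidates in image-load telemetry
(added example; events and baseline are constructed)."""
import json
import ntpath

# Baseline of DLL names that normally live under the Windows directory. A real
# deployment would populate this from a clean host's System32 listing.
SYSTEM_DLL_NAMES = {"faultrep.dll", "kernel32.dll", "ntdll.dll"}

WINDOWS_DIR = "c:\\windows\\"


def _under_windows_dir(path):
    return path.lower().startswith(WINDOWS_DIR)


def sideload_indicators(event, system_dlls=SYSTEM_DLL_NAMES):
    """Return the reasons this event looks like sideloading, or [] if it looks benign."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    reasons = []
    if ntpath.basename(loaded).lower() in system_dlls and not _under_windows_dir(loaded):
        reasons.append("system DLL name loaded from outside the Windows directory")
        if ntpath.dirname(loaded).lower() == ntpath.dirname(image).lower():
            reasons.append("DLL sits beside the executable (search-order hijack)")
        if "microsoft windows" in event.get("Signature", "").lower() and not _under_windows_dir(image):
            reasons.append("Windows-signed binary executing from a non-system path")
    return reasons


def detect_sideloading(json_lines):
    """Run the rule over newline-delimited JSON events; return [(event, reasons)] for hits."""
    flagged = []
    for line in json_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = sideload_indicators(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed Sysmon-style ImageLoad events: a normal WerFault run, the sideloading
# pattern from a mounted ISO (drive D:), and an unrelated third-party load.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\WerFault.exe",
     "ImageLoaded": "C:\\Windows\\System32\\faultrep.dll", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "D:\\WerFault.exe",
     "ImageLoaded": "D:\\faultrep.dll", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": "C:\\Program Files\\Example\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Example\\helper.dll", "Signature": "Example Corp"},
])

if __name__ == "__main__":
    for event, reasons in detect_sideloading(SAMPLE_EVENTS):
        print(event["Image"], "->", event["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

The first reason alone is enough to raise an alert on most fleets; the second and third are what distinguish the classic copy-a-signed-binary-next-to-a-fake-DLL technique from, say, a redistributed runtime DLL shipped by a legitimate installer, so they are worth carrying into the alert as severity modifiers rather than folding into a single boolean.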