Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.

Tuesday, July 11, 2023 13:07

*   Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the signing and loading of cross-signed kernel mode drivers with signature timestamp prior to July 29, 2015.
*   Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates.
*   We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools.
*   The majority of drivers we identified that contained a language code in their metadata have the Simplified Chinese language code, suggesting the actors using these tools are frequently used by native Chinese speakers.
*   Cisco Talos has further identified an instance of one of these open-source tools being used to re-sign cracked drivers to bypass digital rights management (DRM).
*   We have released a second blog post alongside this one demonstrating real-world abuse of this loophole by an undocumented malicious driver named RedDriver.  
    

_During the research phase for this blog post we reached out to Microsoft to notify them of our findings. In response, Microsoft has blocked all certificates discussed in this blog and has released an advisory. We would like to thank the Microsoft team for their assistance and cooperation in mitigating this threat._

**Malicious drivers pose a significant threat**

The Windows operating system (OS) is split into two layers, or “modes”: user mode, where the files and applications that users interact with reside, and the kernel mode, where kernel mode drivers and the underpinnings of Windows perform the necessary functions to run the system. Drivers can facilitate communication between these modes via the Windows API through a series of functions contained within system libraries.

Splitting the operating system into two modes creates a highly controlled logical barrier between the average user and the Windows kernel. This barrier is critical to maintaining the integrity and security of the OS, as access to the kernel provides complete access to a system. As such, leveraging a malicious driver can allow an attacker to pass through this barrier, resulting in total compromise of the target system.

_Windows kernel architecture_

Starting in Windows Vista 64-bit to combat the threat of malicious drivers, Microsoft began to require kernel-mode drivers to be digitally signed with a certificate from a verified certificate authority. Without signature enforcement, malicious drivers would be extremely difficult to defend against as they can easily evade anti-malware software and endpoint detection. Requiring signatures on drivers is the most critical component of defending against malicious kernel mode drivers.

Another issue that malicious drivers pose is the difficulty of conducting analysis of samples. Typical sandboxes used to analyze malware do not have the capability to monitor all of the behavior of a driver, meaning much of the analysis must be conducted manually. To further the difficulties posed by driver analysis, threat actors have begun to use code obfuscation on the drivers they deploy with tools such as VMProtect.

From an attacker's perspective, the advantages of leveraging a malicious driver include, but are not limited to, evasion of endpoint detection, the ability to manipulate system and user mode processes, and maintained persistence on an infected system. These advantages provide a significant incentive for attackers to discover ways to bypass the Windows driver signature policies.

Cisco Talos has observed threat actors taking advantage of a Windows policy loophole that allows the forging of signatures on kernel-mode drivers, thereby bypassing the certificate policies within Windows. As we will demonstrate below, this is facilitated by the use of open-source tooling and non-revoked certificates that either expired before or were issued prior to July 29, 2015.

**Windows driver policy loophole allows signature timestamp forging**

Starting with Windows 10 version 1607, Microsoft updated its driver signing policy to no longer allow new kernel-mode drivers that have not been submitted to, and signed by its Developer Portal. This process is intended to ensure that drivers meet Microsoft’s requirements and security standards. In an effort to maintain the functionality and compatibility of older drivers, Microsoft created exceptions for the following:

1.  ___The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.___
2.  ___Secure Boot is off in the BIOS.___
3.  ___Drivers was_ \[sic\] _signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.___

The third exception creates a loophole that allows a newly compiled driver to be signed with non-revoked certificates issued prior to or expired before July 29, 2015, provided that the certificate chains to a supported cross-signed certificate authority. If a driver is successfully signed this way, it will not be prevented from being installed and started as a service. As a result, multiple open source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available.  

Talos has observed multiple threat actors taking advantage of the aforementioned Windows policy loophole to deploy thousands of malicious, signed drivers without submitting them to Microsoft for verification. During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers. While they have gained some popularity within the game cheat development community, we have observed the use of these tools on malicious Windows drivers unrelated to game cheats. In our blog post revealing RedDriver, a driver-based browser hijacker, we demonstrate a real-world example of HookSignTool being used in a malicious context.

**HookSignTool**

HookSignTool is a driver signature forging tool that alters the signing date of a driver during the signing process through a combination of hooking into the Windows API and manually altering the import table of a legitimate code signing tool. It was originally released in 2019 on the Chinese software cracking forum “52pojie\[.\]cn” by its author “JemmyLoveJenny” and has been available on GitHub since at least 2020.

_Original release of HookSignTool on 52pojie_

In the readme file on the HookSignTool Github, the author specifically mentions the use of the Chinese code signing utility “Digital Signature Tool for Asian Integrity'' (用于亚洲诚信数字签名工具) in conjunction with HookSignTool, although HookSignTool can theoretically be used with any code signing utility. This universal compatibility is achieved through the use of Microsoft Detours, a software package used for instrumenting and monitoring Windows API calls.

Before HookSignTool can be used, several steps must be taken to render it functional. First, it must be compiled and manually added into the import table of the legitimate signing tool as “_HookSigntool.dll!attach_”. To specify the date to forge, the user can pass a date as a command line argument or create a configuration file in the same directory as the code signing tool. Upon execution of the legitimate code signing tool, HookSignTool is loaded into the process and can then intercept and alter the signing date of the target driver.

HookSignTool requires another edit of the code signing tool; the URL strings of the timestamp authorities embedded within the legitimate tool must be replaced with the string “{CustomTimestampMarker-SHA1}” in hexadecimal with 0x00 in between each character. For example, “http\[:\]//timestamp.digicert.com” would be replaced with hexadecimal shown below:

7b 00 43 00 75 00 73 00 74 00 6f 00 6d 00 54 00 69 00 6d 00 65 00 73 00 74 00 61 00 6d 00 70 00 4d 00 61 00 72 00 6b 00 65 00 72 00 2d 00 53 00 48 00 41 00 31 00 7d 00 00 00 00 00

During the signing process, HookSignTool searches for this tag and replaces it with “https://pki\[.\]jemmylovejenny\[.\]tk/”. In addition, the JemmyLoveJenny EV Root CA certificate must also be installed on the system signing the driver, available on the author's personal website as shown below:

_JemmyLoveJenny’s personal website containing the required certificates_

HookSignTool calls the Detours function “DetourAttach” with two parameters: a pointer to the Windows API function to attach to, and a pointer to the “detour” function. The implementation within HookSignTool is shown below:

_Implementation of Detours in HookSignTool._

One of the most critical Windows API functions HookSignTool and FuckCertVerifyTimeValidity attaches to, as made clear by the latter’s name, is CertVerifyTimeValidity, a function that verifies that the signing date of a given file is valid.

_CertVerifyTimeValidity prototype._

By attaching to the _CertVerifyTimeValidity_ function, HookSignTool performs a “detour” to a custom implementation of _CertVerifyTimeValidity_ named _NewCertVerifyTimeValidity._ This allows HookSignTool to pass a custom time in the “pTimeToVerify” parameter, thereby allowing an invalid time to be verified.

To change the signing timestamp during execution, HookSignTool again uses the DetourAttach function to attach to the Windows API function GetLocalTime and detours to another function named _NewGetLocalTime_. This detour replaces the local time with the date supplied by the user that is within the valid range for the certificate being used. Once both GetLocalTime and CertVerifyTimeValidity are detoured, HookSignTool can supply and verify an illegitimate timestamp for the target binary.

By default, HookSignTool leaves artifacts within the signature it forges, enabling users to identify when it has been used on a given driver. One of these artifacts, “JemmyLoveJenny”, is a reference to the author of HookSignTool. Another artifact left behind is “Fake Timestamp Responder”, a rather conspicuous name that replaces the real timestamp authority name. However, the attacker can manually change the names of these artifacts if they have the skillset to do so, increasing the difficulty of identifying when HookSignTool has been used.

**FuckCertVerifyTimeValidity  
**

Originally released on GitHub on December 13th, 2018, FuckCertVerifyTimeValidity (aka FuckCertVerify) does not have as much functionality as HookSignTool, though provides the same end result of forging a signature timestamp. The tool is likely to have been developed for signing game cheating software, and since its release has been copied and uploaded into different GitHub repositories.

FuckCertVerifyTimeValidity works in a similar fashion to HookSignTool in that it uses the Microsoft Detours package to attach to the “CertVerifyTimeValidity” API call and sets the timestamp to a chosen date. Like HookSignTool, a function must be added to the import table of the legitimate signing tool, but in this case it’s “FuckCertVerifyTimeValidity.dll!test”. Unlike HookSignTool, FuckCertVerifyTimeValidity does not leave artifacts in the binary that it signs, making it very difficult to identify when this tool has been used.

_FuckCertVerifyTimeValidity attaching to Windows API_

To successfully forge a signature, HookSignTool and FuckCertVerifyTimeValidity require a non-revoked code signing certificate that expired or was issued before July 29, 2015, along with the private key and password. During our research, we identified a PFX file hosted on GitHub in a fork of FuckCertVerifyTimeValidity that contained more than a dozen expired code signing certificates frequently used with both tools to forge signatures. Many of these certificates are non-revoked and are widely used to forge signatures on game cheating software as well as malicious drivers. Stolen certificates from the 2015 Hacking Team leaks are included within the file, as well as certificates from a leak posted on a Chinese language software cracking forum. However, it is unclear how these certificates were obtained prior to the leaks. Below is a full list of owner names contained within these certificates:

**Hacking Team Certificates:**

*   Open Source Developer, William Zoltan
*   Luca Marcone
*   HT Srl

**Other certificates:**

*   Beijing JoinHope Image Technology Ltd.
*   Shenzhen Luyoudashi Technology Co., Ltd.
*   Jiangsu innovation safety assessment Co., Ltd.
*   Baoji zhihengtaiye co.,ltd
*   Zhuhai liancheng Technology Co., Ltd.
*   Fuqing Yuntan Network Tech Co.,Ltd.
*   Beijing Chunbai Technology Development Co., Ltd
*   绍兴易游网络科技有限公司
*   善君 韦
*   NHN USA Inc.

It is worth noting that any inconsistent capitalization of names in the list above comes directly from the certificates; these errors should not be corrected when used for detection purposes.

_PFX file imported into “Digital Signature Tool for Asian Integrity”_

We identified another certificate being used in the same manner, although it is not contained within the aforementioned PFX file.  

*   北京汇聚四海商贸有限公司 (Beijing Shihai Trading Co Ltd)

**Actors using these tools predominantly Chinese speakers**

Although HookSignTool has been available since 2019, it’s popularity and usage appears to be popular with native Chinese speakers. While it is unclear as to why its popularity has not spread further, it is likely that language barriers have played a part. The authors of both HookSignTool and FuckCertVerifyTimeValidity appear to be native Chinese speakers based on the language used in their respective GitHub repositories. In a set of 300 random samples we identified that contained HookSignTool artifacts, 30% contained the “Chinese (Simplified)” language code within the metadata, 10% contained “English (US)” and 1% “English (British)”, while 51% contained no language code. Of the samples that _did_ contain a language code, “Chinese (Simplified)” accounted for 71% of the sample set.

**Resigned cracked drivers used to bypass DRM**

The signing of malicious drivers isn’t the only issue that arises from the existence of these tools. During our research, we encountered HookSignTool being used to re-sign drivers after being patched to bypass digital rights management. Specifically, in the Chinese software cracking forum “bbs\[.\]wuyou\[.\]net”, the user “Juno\_Jr.” released a cracked version of “PrimoCache” on Nov. 9, 2022.

_Release of a cracked version of PrimoCache (Translated from Chinese)_

To be cracked successfully, the PrimoCache driver needed to be re-signed after patching in order to pass integrity checks within Windows. In the cracked version released on the aforementioned forum post, the patched driver was re-signed with a certificate originally issued to “Shenzhen Luyoudashi Technology Co., Ltd.”, which is contained in the PFX file on GitHub.

_Legitimate PrimoCache driver signature_

_Resigned PrimoCache driver signature_

Despite the warning displayed in the digital signature details above, the cracked driver for PrimoCache still functions properly when installed on Windows 10. This ability to resign a cracked driver removes a significant roadblock when attempting to bypass DRM checks in a signed driver. Generally, a signed driver will not execute if it has been tampered with due to integrity checks within the Windows operating system.  

**Ramifications, risk and defense**

HookSignTool and FuckCertVerifyTimeValidity present a serious threat as the installation of malicious drivers can provide an attacker kernel-level access to a system. These tools can also be used to re-sign a cracked driver to bypass DRM, which may lead to a loss of sales for an organization through software piracy. Aside from these risks, running unverified drivers even if no malicious intent is present can cause damage to a system if the driver is not written properly.

Cisco Talos recommends blocking the certificates mentioned in this blog post, as malicious drivers are difficult to detect heuristically and are most effectively blocked based on file hashes or the certificates used to sign them. Comparing the signature timestamp to the compilation date of a driver can sometimes be an effective means of detecting instances of timestamp forging. However, it is important to note that compilation dates can be altered to match signature timestamps.

Microsoft, in response to our notification, has blocked all certificates discussed in this blog post. Please refer to the advisory published by Microsoft for further information on their response.

Microsoft implements and maintains a driver block list within Windows, although it is focused on vulnerable drivers rather than malicious ones. As such, this block list should not be solely relied upon for blocking rootkits or malicious drivers.

Cisco Talos has created coverage for the certificates discussed in this blog and will continue to monitor this threat activity to inform future protections. Additionally, we will report any future findings regarding this threat to Microsoft.

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 61805-61831 for Snort 2 and 300555-300568 for Snort 3.

**ClamAV detections are available for this threat:**

*   Revoked.CRT.HookSignTool-9999982-1
*   Revoked.CRT.HookSignTool-9999983-1
*   Revoked.CRT.HookSignTool-9999979-1
*   Revoked.CRT.HookSignTool-10000379-0
*   Revoked.CRT.HookSignTool-10000385-0
*   Revoked.CRT.HookSignTool-10000392-0
*   Revoked.CRT.HookSignTool-10000396-0
*   Revoked.CRT.HookSignTool-10000400-0
*   Revoked.CRT.HookSignTool-10000420-0
*   Revoked.CRT.HookSignTool-10000424-0
*   Revoked.CRT.HookSignTool-10000428-0

Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers

Karadzhova-Dangela's family put her on a plane to Massachusetts without a return ticket and it wasn't until the IT job gave her enough disposable income to afford plane tickets back and forth to Bulgaria that she could see her family.

Monday, July 10, 2023 08:07

Gergana Karadzhova-Dangela is used to being with users during some of their toughest moments.

Today, she spends much of her time responding to active cybersecurity incidents with Cisco Talos Incident Response, helping customers work through active attacks, many of which put personal data or sensitive information at risk.

And while admittedly less high stakes, her first job in IT at Mount Holyoke College in a small town in Massachusetts prepared her for this.

There, she had an information technology support job with the college where she would help service students’ computers — many showed up in tears worried they’d lost the entirety of an important project or paper.

“It was 2008, back then, cloud was not as prevalent,” Karadzhova-Dangela said in a recent interview. “So if your laptop crashed, you were in trouble. We’d try to save the paper if possible and help them reset and get on their way.”

A decade-plus later, she had no idea she’d be working with Talos IR, let alone living in Switzerland. She was born and raised in Bulgaria, and her first time out of the country was to attend Mount Holyoke College and take that IT support job while she completed her bachelor’s degree in German and Russian studies.

Karadzhova-Dangela's family put her on a plane to Massachusetts without a return ticket and it wasn't until the IT job gave her enough disposable income to afford plane tickets back and forth to Bulgaria that she could see her family. Still, the opportunity to attend college in the US was nothing short of a miracle in her life. Her mother worked as a babysitter in the U.S. when she was younger and told Karadzhova-Dangela stories about America, which made her want to go to school there and explore the broader world.

While in undergrad, she studied abroad for a year in Potsdam, Germany and traveled to Poland, France and England. All that travel pays off today when she’s working with a global client base — she can speak six languages, though she jokes that she can only speak “a little bit of French.”  

Back home in Bulgaria after graduation, she started considering a career in data analytics, so she returned to school in Germany. While there, she became interested in cybercrime and using data analytics and digital footprints to track bad actors, which eventually brought her to Talos IR as a consultant.

“I was 26 when I started \[the digital forensics collegiate\] program, and I remember telling my friends and they were all like, ‘Oh my God, you’re going to be 31 when you graduate,’” she said. “With the learner that I am, I knew I’d need a structure to gain these skills, so a traditional degree was the right path for me.”

Many of the interpersonal skills any IR professional needs she had to learn on the fly — but it came naturally coming from a large family in Bulgaria where she was used to having a large support system.

“You grow up empathetic with a large family,” she said. “And in college, I had to write a lot, I had to present a lot and learn to just be a communicator.”

These are all important skills when you’re in a high-pressure cybersecurity incident, she says, especially when she’s working on-call. During these stretches, she said she has no control over how her “average day” looks because she’s answering questions on the fly from the customer or working with the customers’ team in the trenches to resolve the incident as quickly as possible.

“\[Customers\] have so many projects going on at the same time, and defenders have limited resources for these projects,” she said. “So, they’re being overwhelmed by the tasks they have in front of them. There’s so much awareness of the risks involved in cybersecurity but only so many resources to dedicate to those risks.”

Karadzhova-Dangela sees first-hand how few women are in the cybersecurity and IR fields, so now that she’s established in her career, she wants to empower other women to enter the field. She spends a lot of her time outside of the office working with non-profit organizations and events that specifically cater to females and other populations with limited resources to teach them security skills.

Part of this is using Cisco’s “Time2Give” program which enables employees to take time off from work to help the various non-profits and causes they support.

In early June, Karadzhova-Dangela and Yuri Kramarz, her IR colleague, hosted a “Discover Cyber Workshop for Women” along with Cisco Qatar and the University of Doha for Science and Technology. Just a week later, a similar workshop took place in Berlin in cooperation with ReDI School of Digital Integration. Both workshops gathered several speakers from the security field to share their stories and encourage women to enter the field.

_Karadzhova-Dangela and fellow IR colleague, Harpreet Singh, at ReDI School of Digital Integration in Berlin, where they taught a month-long class in networking foundations class to underprivileged students._

“Women of various backgrounds come to the Discover Cyber Workshops to hear stories from real cybersecurity professionals. The good, the bad and the ugly truth about working in the field. Then they can think about if it’s a good professional path for them,” she said.

Karadzhova-Dangela is also part of the internal Cisco Women in Cybersecurity Community where she’s leading the pillar responsible for bringing more women into the field.

“In general, I really love teaching. And so few women consider cybersecurity as a career, or they just don’t have contacts with other women in security,” Karadzhova-Dangela said. “But I try to tell them that the work is interesting, you’re surrounded by smart and cool people, and you’re always working toward a better society.”

It’s that aspect of helping people that drives Karadzhova-Dangela into the next phase of her IR career. The incident that she feels most proud of is an active attack against a public agency in Germany that “could have potentially affected millions of people.”

After spending many years studying there — and having a husband who’s German — Karadzhova-Dangela said it was personally important to her to help resolve the issue.

“Being able to be a part of this group effort to help this customer get back on their feet, and help citizens, for me it was very meaningful,” she said.

If your organization would like to work with Gergana or one of her fellow Talos IR team members, you can reach out to them here. Talos Incident Response offers a range of proactive services for security teams, including hands-on tabletop exercises, a state-of-the-art cyber range for training and much more.

Gergana Karadzhova-Dangela wants to send the ladder back down to the next generation of incident responders

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 30 to July 7

The economic damage of DDoS attacks is tough to measure — who can really say how much money Blizzard missed out on by not having players in “Diablo IV” for a few hours spending money on microtransactions or choosing to buy the game?

Thursday, July 6, 2023 14:07

Welcome to this week’s edition of the Threat Source newsletter.

Distributed denial-of-service attacks (DDoS) have been around since before I even knew how to turn a computer on.

These types of attacks, I feel, have the same vibe as the term “computer virus” — something we used to talk about in the days of LAN parties and Netscape. But recently, they’ve had a major comeback with adversaries enhancing the ways in which they can launch DDoS attacks and actors targeting high-profile services and organizations that have made headlines.

“Diablo IV,” one of the biggest video games going right now, suffered a DDoS attack over the weekend of June 25, leaving players unable to access the game’s servers and affecting other games developed by Blizzard, such as “World of Warcraft” (another throwback to the days of LAN parties).

Microsoft also recently confirmed that Layer 7 DDoS attacks were responsible for outages in June affecting Azure, Outlook and OneDrive. Anonymous Sudan — a group that may or may not be related to Russia but also claims to be working in the interest of the country of Sudan — claimed responsibility for those attacks.

These recent major DDoS attempts led the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an advisory last week warning about the dangers of DDoS attacks. It advises that anyone who suspects they’re the target of a DDoS or DoS attack should “identify the source, and mitigate the situation by applying firewall rules and possibly rerouting traffic through a DoS protection service.”

There seem to be a few reasons why DDoS attacks are on the rise, despite them being looked at as “outdated” attacks.

For starters, the fact that they are simple attacks that date back to the development of the internet is the whole point — DDoS attacks are relatively easy to carry out compared to something like a sophisticated big game-hunting ransomware attack. Any actor with a base level of networking knowledge could start a DDoS attack.

Dark Utilities, which is an “as-a-service" platform Talos discovered last year, is a good example of this. Even though their C2-as-a-service and cryptocurrency mining offerings are the platform’s bread-and-butter, there is Layer 4 and Layer 7 DDoS tooling within their kit available to anyone willing to pay into their business model.

There also seems to be an uptick in funding behind these attacks, and money can frankly make any threat actor more powerful. Whether Russia directly, or Russian state-sponsored actors, are behind these attacks, the sign that these groups seem to be associated with major APTs show that there is a drive to carry out DDoS attacks and make sure they’re successful and send a message to the target.

The economic damage of DDoS attacks is tough to measure — who can really say how much money Blizzard missed out on by not having players in “Diablo IV” for a few hours spending money on microtransactions or choosing to buy the game? So it’s not as concrete of an argument as you could make for why an organization should be prepared for a ransomware attack that explicitly can cost a certain amount of time and money to recover, re-install backups or pay the requested ransom.

DDoS can be a punchline sometimes, but recent weeks have shown that it’s not to be slept on as a tool that actors with a range of motivations and resources can turn to.

**The one big thing**

Commercial spyware is still a going concern despite efforts from governments around the world to curb its use. Though the NSO Group started out as the most notorious example of a spyware creator, other “Mercenary Groups” are popping up like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream. And there are likely more companies operating covertly today.

**Why do I care?**

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

**So now what?**

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

**Top security headlines of the week**

Microsoft is **denying that it was the victim of a data breach** after the alleged hacktivist group Anonymous Sudan said they stole credentials belonging to more than 30 million users. The threat actor says it’s willing to sell the stolen information for $50,000 and interested parties could engage the group’s Telegram bot to arrange the sale. However, a Microsoft representative told reporters that “our analysis of the data shows that this is not a legitimate claim and an aggregation of data. We have seen no evidence that our customer data has been accessed or compromised.” Anonymous Sudan gained notoriety over the past few months for a DDoS attack against Microsoft and recently admitted it was connected to the Russian state-sponsored actor Killnet, though its true goals and affiliations are unclear. (Bleeping Computer, TechRadar)

Representatives from the White House **publicly warned that any attempt by a U.S. entity to purchase the NSO Group or its spyware tools would prompt serious review over national security concerns**. A recent report connected a group of American financiers to being interested in acquiring the infamous NSO Group, known for the creation of the Pegasus spyware. However, it’s recently fallen on financial difficulties after international governments took steps to restrict the use and purchase of spyware. The NSO Group is already on a White House banned list, and the National Security Council said that any mergers or transactions involving the NSO Group would “prompt a review of whether the acquisition gives rise to a counterintelligence threat to the US government and its systems and information, whether other US equities may be at risk, and to what extent a foreign entity or government retains a degree of access or control.” (The Guardian)

The **Clop ransomware gang continues to be one of the top threat actors in the world** as the list of victims of the MOVEit zero-day vulnerability grows. Two U.S. colleges announced last week that they were affected by a data breach at the Teachers Insurance and Annuity Association of America that resulted from the exploitation of the it vulnerability. The mass hack has now affected about 160 different organizations and companies. Security researchers say that Clop’s recent attacks could represent a new era for threat actors who may opt to move away from the execution of ransomware while still relying on the tools they traditionally use for ransomware campaigns. The scope and success of the MOVEit attack is also likely to influence other threat actors. (TechCrunch, Dark Reading)

**Can’t get enough Talos?**

*   Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain
*   The Future of Ransomware: Inside Cisco Talos Threat Hunters
*   Talos Takes Ep. #145: The various ways attackers can mess with URLs, TLDs and DNS

**Upcoming events where you can find Talos**

**BlackHat (Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration** **(Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

DDoS attacks want to make sure you haven’t forgotten about them

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

Thursday, July 6, 2023 11:07

*   Cisco Talos discovered 17 vulnerabilities (63 CVEs) in the Milesight UR32L router and five vulnerabilities (six CVEs) in the Milesight MilesightVPN remote access solution software.
*   An attacker could exploit the vulnerabilities discovered to completely compromise the UR32L and MilesightVPN.
*   This post presents an attack scenario in which the UR32L is only reachable through the MilesightVPN remote access solution. The blog explains how an attacker could exploit the MilesightVPN and then fully compromise the UR32L.

Cisco Talos recently discovered several vulnerabilities in Milesight‘s UR32L – an ARMv7 Linux-based industrial cellular router — and Milesight’s MilesightVPN, a remote access solution for Milesight devices.

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs. Talos is disclosing these vulnerabilities despite no official fix from Milesight, in adherence to Cisco’s vulnerability disclosure policy. Milesight did not respond appropriately during the 90-day period as outlined in the policy.

The MilesightVPN is the remote access solution for Milesight devices not directly exposed to the internet. The MilesightVPN will perform this through a VPN system, making the VPN setup for the devices and the administrator easy. The MilesightVPN provides an HTTP admin page to monitor devices’ tunnel connection to the MilesightVPN itself and generate VPN configuration to join devices’ VPNs. By default, the MilesightVPN binds the HTTP server ports and the one VPN port on all interfaces. This software must be installed on a server machine reachable by the administrator and devices. Because of this, the most popular setup for administrator is to expose the MilesightVPN to the internet.

The Milesight UR32L is an industrial router that offers cellular capabilities. The router supports multiple users with different permissions. It offers a shell with restricted capabilities access. And many common industrial router features and functionalities. The Milesight UR32L does not include the ability to obtain and act with root privileges.

**Attack scenario overview**

In this blog post, Talos will present an attack scenario in which an adversary targets the Milesight UR32L, where the router is not exposed to the internet and instead uses a VPN tunnel for providing access to its internal network and the router itself. We considered the scenario where the device is managed through MilesightVPN. This software must be installed on a machine that is reachable by the UR32L router and the administrator. For the purposes of this post, we assume the MilesightVPN server is exposed to the internet.

MilesightVPN uses OpenVPN as the underlying VPN system. It is an excellent choice to use a well-established VPN system. OpenVPN is a well-known, tested VPN technology, which means it is less likely to have major security issues. But the MilesightVPN creates services around the OpenVPN tunnel like an HTTP server to monitor the connections and to generate OpenVPN configuration for joining the device’s VPN. By default, the MilesightVPN binds the HTTP server ports and the OpenVPN one on all interfaces. So, if the MilesightVPN is accessible on the internet, those services are by default accessible, too.

The UR32L has its own HTTP server; which allows users to manage the router configuration. We are also assuming the UR32L’s HTTP server is only accessible from the VPN and the MilesightVPN server is the only node that can generate a VPN configuration.

_An illustration of the proposed attack scenario._

The graphic below includes only the vulnerabilities relevant to this proposed attack scenario. This graphic shows the steps that an attacker could take to obtain root access to a Milesight UR32L:

**Attack walkthrough**

After locating the IP address of the MilesightVPN server, the attacker still cannot log in to the HTTP admin page due to the lack of valid credentials. The HTTP server login page of MilesightVPN looks like this:

From this point, an attacker could exploit TALOS-2023-1701 (CVE-2023-22319) to bypass the login and access the admin web pages on MilesightVPN. This vulnerability is a SQL injection in the _LoginAuth_ function responsible for checking the provided credentials. The check uses SQL without a prepared statement or any form of sanitization. The _LoginAuth_ code is shown below:

        function LoginAuth(res,postdata,connection){ 
            console.info('#######log.node:loginauth start'); 
            var sha512=crypto.createHash('sha512'); 
            sha512.update(postdata.pwd); 
            var pwd=sha512.digest('hex'); 
    [1]     $sql="select * from user where user='"+postdata.user+"' and passwd='"+pwd+"'"; 
    [2]     connection.query($sql).then(function(data){ 
                var result={}; 
                if(data['error']) 
                { 
                    [...] 
                } 
                else 
                { 
                    if(data['result'].length>0) 
                    { 
                        var dt=data['result']; 
                        result['status']=1; 
                        var token=generateToken(dt[0]['user']); 
                        var exp=new Date(
                            new Date().getTime()+
                                expiretime*1000).toUTCString(); 
                        res.setHeader('Set-Cookie',['token='+token]); 
                        console.info('#######log.node:loginauth success'); 
                        res.write(JSON.stringify(result)); 
                        res.end(); 
                    } 
                    else 
                    { 
                        [...] 
                    } 
                } 
            }); 
        } 
    

At _[1],_ the function composes, the SQL query for checking if the username and password provided correspond to the one of an existing user. Then, at _[2]_, the query is executed, if the resulting table is not empty a JWT, corresponding to the first matched user, is crafted and placed in the response header as the value of _Set-Cookie_. This function is vulnerable to a SQL injection vulnerability because the "preparation" of the query string is performed through string concatenation instead of a prepared statement. This SQL injection can allow an attacker to bypass the authentication of the HTTP server and gain admin access.

After bypassing the login page, an attacker would be presented with the following interface. The example below includes an interface with multiple devices registered and a single device that has an active connection.

From here, an attacker can glean information about the devices connected to the server and their IPs. Furthermore, it is possible to obtain an OpenVPN configuration file to join the VPN tunnel and communicate with the devices that were previously unreachable. The attacker can now communicate with all devices in the VPN. The following image is the HTTP server login page of the Milesight UR32L router:

From here, several attack paths are possible. TALOS-2023-1697 (CVE-2023-23902) is a pre-authentication stack-based buffer overflow that can lead to arbitrary remote code execution (RCE).

The attacker's only requirement is to be able to communicate with the router's HTTP server. This vulnerability is a pre-authentication, stack-based buffer overflow in the _decrypt_string_ function of the _uhttpd_ binary, the UR32L’s HTTP server binary. This function is responsible for decrypting the login password provided for the webpage login. The password sent from the browser is first AES-encrypted and then Base64-encoded. The _decrypt_string_ will Base64 decode and then AES decrypt the password.

The _uhttpd_ binary is not a Position Independent Executable (PIE), meaning that the binary is always loaded at the same virtual memory addresses, but the libraries are Position Independent Code (PIC). This makes it possible for an attacker to perform a code reuse attack using the binary code without any information leaks unless the attacker needs to reuse some of the libraries' code. Furthermore, the code reuse attack scenario is the path of least resistance for exploitation because no stack canary is used in this binary.

The binary is executed as root and makes use of functions such as _system_ and _popen_, as such, one of the options would be to mount an attack aiming to execute OS commands.

The following is a code snippet of the _uhttpd’ decrypt_string_:

    void decrypt_string(
        char *b64_encrypted_password,
        char *decrypted_password,
        size_t size_decrypted_password)
    { 
        [...] 
        uchar stack_decrypted_string [72]; 
        [... init the AES_key variable] 
        [... init the AES_IV variable] 
        [... calculate the __size variable value ...] 
        base64_decoded_string_start = (uchar *)malloc(__size); 
        [...] 
        memset(base64_decoded_string_start,0,__size); 
        processed_len = 0; 
        base64_decode_string_cursor = base64_decoded_string_start; 
        do { 
            // this check allow to base64 decode the string before decrypting it 
            if ((password_len_ - padding) <= processed_len) { 
                *base64_decode_string_cursor = '\0'; 
                ctx = EVP_CIPHER_CTX_new(); 
                [... check error ...] 
                cipher_type = EVP_aes_128_cbc(); 
                processed_len = EVP_DecryptInit_ex(
                    ctx,
                    cipher_type,
                    (ENGINE *)0x0,
                    AES_key,
                    AES_IV); 
                [... check error ...] 
    [1]         processed_len = EVP_DecryptUpdate(
                    ctx,
                    stack_decrypted_string,
                    &output_len,
                    base64_decoded_string_start,
                    (base64_decode_string_cursor + 
                        (-1 - base64_decoded_string_start)));                              
                [... check error ...] 
                processed_len = output_len; 
                iVar3 = EVP_DecryptFinal_ex(
                    ctx,
                    stack_decrypted_string + output_len,&output_len); 
                [... check error ...] 
                processed_len = processed_len + output_len; 
                EVP_CIPHER_CTX_free(ctx); 
                stack_decrypted_string[processed_len] = '\0'; 
                EVP_cleanup(); 
                ERR_free_strings(); 
                free(base64_decoded_string_start); 
    [2]         strncpy(
                    decrypted_password,
                    (char*)stack_decrypted_string,
                    size_decrypted_password);                 
                return; 
            } 
            [...] 
    [3]    	[... base64 decode ...]                 
        } while( true ); 
    } 
    

This function has three parameters: the _b64_encrypted_password_ parameter is the AES-encrypted and Base64-encoded password string that will be Base64 decoded and then AES decrypted; _decrypted_password_ is the destination buffer where the decoded and decrypted password will be copied;  _size_decrypted_password_ is the size of the _decrypted_password_ buffer. At _[3]_ the _b64_encrypted_password_ string is Base64 decoded and then, at _[1],_ the decoded value is AES decrypted into stack_decrypted_string, a 72-byte long stack buffer. Eventually, at _[2],_ _size_decrypted_password_ bytes will be copied from the _stack_decrypted_string_ buffer into the decrypted_password buffer.

In the _decrypted_password_ only _size_decrypted_password_ bytes will be copied, which will prevent any type of buffer overflow in the _decrypted_password_ buffer.

At _[1]_ the _OpenSSL's EVP_DecryptUpdate_ function will perform the AES decryption of the Base64 decoded user-controlled data into the _stack_decrypted_string_ stack buffer. Because the _stack_decrypted_string_ stack buffer is fixed in size and the decrypted string, provided by a user, can be greater in length than the stack buffer. This can lead to a buffer overflow in the _stack_decrypted_string_ buffer.

Essentially, the login API accepts the password as the Base64 encoding of the AES encryption of the password content. This function is used to decode the Base64 string and then AES decrypts it to obtain the actual password value.  The vulnerability is that the password can overflow a stack buffer overwriting the stack content, including the stored return address.

The exploitation of this vulnerability becomes easier because of the epilogue of this function:

      strncpy(
          decrypted_password,
          (char*)stack_decrypted_string,
          size_decrypted_password);          
      return; 
    

The _decrypted_password_ is a buffer in the function caller stack space where the decoded and decrypted password is saved. In assembly, this looks like:

    ldr r0, [sp,#0xc]  
    bl strncpy  
    add sp, sp, #0x84  
    pop {r4,r5,r6,r7,r8,r9,r10,r11,pc} 
    

The function that copies the plain text password into the _decrypted_password_ array, which is also the last function call before returning to the caller, is _strncpy_. The r0 register is used for passing the first argument of the function; in the case of _strncpy_, _r0_ points to the destination buffer. After the _strncpy_ function call r0 will point to the beginning of the plaintext password.

The fact that the vulnerability considered is a stack buffer overflow, the binary does not have a stack canary, the binary is not PIE and uses the _system_ function in combination with the fact that we control the content of what r0 points to, makes the exploitation straightforward. An attacker could overwrite the return address making the function return to the _system_ function and controlling the executed shell command by placing the command to execute at the beginning of the plaintext password payload, as shown in the gdb screenshot below.

The _pc_ is the last instruction of the _decrypt_string_ function and the return address was overwritten with the system plt entry, know because the binary is not PIE, and the _r0_ registry points to the _controllable_ string. So, the _decrypt_string_ returning will execute _system(“controllable”)_.

**Vulnerability Details**

The following vulnerabilities are command injection issues in Milesight UR32L. These vulnerabilities exist in different functionalities of the router. An attacker could exploit these vulnerabilities by sending a specially crafted network packet to a targeted device:

*   TALOS-2023-1694 (CVE-2023-23550)
*   TALOS-2023-1698 (CVE-2023-22306)
*   TALOS-2023-1699 (CVE-2023-22659)
*   TALOS-2023-1706 (CVE-2023-24519 - CVE-2023-24520)
*   TALOS-2023-1710 (CVE-2023-24582 - CVE-2023-24583)
*   TALOS-2023-1711 (CVE-2023-22365)
*   TALOS-2023-1712 (CVE-2023-22299)
*   TALOS-2023-1713 (CVE-2023-24595)
*   TALOS-2023-1714 (CVE-2023-22653)
*   TALOS-2023-1723 (CVE-2023-25582 - CVE-2023-25583)

There are also several vulnerabilities in the UR32L that could lead to a buffer overflow. An attacker could trigger these vulnerabilities by sending a specially crafted HTTP request or network request to the targeted device, depending on the specific vulnerability.

*   TALOS-2023-1697 (CVE-2023-23902)
*   TALOS-2023-1715 (CVE-2023-24018)
*   TALOS-2023-1716 (CVE-2023-25081 - CVE-2023-25124)
*   TALOS-2023-1718 (CVE-2023-24019)

TALOS-2023-1705 (CVE-2023-23546) is a misconfiguration vulnerability in the Milesight UR32L that could lead to an attacker obtaining increased privileges on the device. The adversary, in this case, would need to carry out a man-in-the-middle attack to exploit this vulnerability.

There is also an access violation vulnerability — TALOS-2023-1696 (CVE-2023-23571) — that could lead to a denial-of-service if the attacker sends the device a specially crafted network request. TALOS-2023-1695 (CVE-2023-23547) can also be exploited with a specially crafted network request, but in this case, can lead to arbitrary file read.

Talos also discovered five vulnerabilities in the MilesightVPN:

*   TALOS-2023-1700 (CVE-2023-22844): Authentication bypass vulnerability
*   TALOS-2023-1701 (CVE-2023-22319): SQL injection vulnerability
*   TALOS-2023-1702 (CVE-2023-23907): Directory traversal vulnerability
*   TALOS-2023-1703 (CVE-2023-22371): Command injection vulnerability
*   TALOS-2023-1704 (CVE-2023-24496 - CVE-2023-24497): Cross-site scripting vulnerability

**Coverage**

The following Snort rules will detect exploitation attempts against these vulnerabilities: 61206 – 61208, 61212, 61255 - 61258, 61266 - 61269, 61395 - 61397. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware.

Thursday, July 6, 2023 08:07

Attackers have long used commercial products developed by legitimate companies to compromise targeted devices. These products are known as commercial spyware. Commercial spyware operations mainly target mobile platforms with zero- or one-click zero-day exploits to deliver spyware. This threat initially came to light with the leaks of HackingTeam back in 2015, but gained new notoriety with public reporting on the NSO Group, and, in the years that have followed, the landscape has exploded.

There are now numerous companies with similar offerings, like Intellexa, DSIRF, Variston IT, and the newly disclosed Quadream representing just a small subset — there are likely more that are operating covertly today.

Commercial spyware has become so notorious that international governments are taking notice and action against it, as evidenced by the Biden administration’s recent Executive Order on commercial spyware. A recent report from the United Kingdom’s National CyberSecurity Center (NCSC) highlights the accessibility of these tools “lowers the barrier to entry to state and non-state actors in obtaining capability and intelligence.” As recently as June 2023, the European Parliament’s plenary session voted on an ongoing investigation concerning the illicit usage of NSO’s Pegasus and equivalent surveillance spyware by EU member states (PEGA report). In this session, European Parliament members argued that the illicit usage of spyware has put “democracy itself at stake” and called for legislative changes and stricter regulation of the use of commercial spyware. The full press release and report can be found here.

**Commercial spyware companies don't care who is targeted by their products**

Commercial spyware companies advertise their products simply as a means of obtaining access and deny having any knowledge of who their customers’ targets are. This tactic is possibly a means of plausible deniability in the event that illegal targeting of individuals is traced back to their spyware. To avoid legal repercussions, these companies have headquarters in countries that do not have laws governing the export of their products or which classify the entities as IT service providers, effectively removing them from any product liability. These companies can therefore ultimately sell to whomever can pay without regard for who the intended targets are or what the impacts on the victims might be.

Although advertised as “tools” for law enforcement and government agencies strictly intended for legal use, report after report has shown commercial spyware has consistently been used against ethically questionable targets that don't fit the profile of criminals or terrorists. Such targets have repeatedly been journalists, politicians and activists who the host government perceives as competitors or existential threats. While these technologies may exist to fight terrorism and organized crime, their sale and usage must be regulated and subject to scrutiny by judicial authorities at an international level to prevent their misuse and abuse.  

One such example of limited repercussions within a host state is the case where a journalist in Greece was targeted with Predator Spyware, eventually leading to the resignation of Greece’s National Intelligence Service’s director in 2022 and the subsequent ban on the use of commercial spyware in Greece. Earlier in 2022, we also saw the departure of the NSO group’s CEO from the company amid widespread public outrage over the use of their spyware by Israeli Police forces.

**The untethered future of commercial spyware**

Mobile platform developers such as Google and Apple have repeatedly introduced and implemented protections and mitigations in their operating systems. However, commercial spyware providers often use zero-day, zero-click exploits to compromise victims’ mobile devices and are so confident in their ability to repeatedly compromise phones _without getting caught_ that, in some cases, they don't even deploy persistence mechanisms — a simple device reboot is enough to remove the implant from the device. However, a device reboot simply results in the commercial spyware outfit reinfecting the device using the zero-day, zero-click combination they had used during the initial compromise indicating the aggressive nature of these campaigns.

We see no indications that these commercial spyware offerings are slowing down. If anything, they are growing along with the constant availability of exploitable, unpatched/unknown vulnerabilities. Until the international community acts to regulate the technology, very little is going to change. When exposed by researchers, some of these companies just cease to exist. But in reality, they do not shut down, they just rebrand under a different name or merge with others sharing the technology they have produced. A typical example of such a case is the commercial spyware firm Cytrox, which was on the verge of disappearing, but was subsequently “rescued” and is now part of the Intellexa conglomerate.

Private and government organizations have taken steps to legally curb the use of commercial spyware, including attempts to hold them responsible for their actions in the past. Meta, formerly Facebook, is one of the first to move against commercial spyware companies by opening a lawsuit against the NSO Group for leveraging Meta-owned WhatsApp in their infection chain. The Biden administration has also taken an important step in fighting these companies with the Executive Order putting limitations on the U.S. government's ability to use commercial spyware to “discourage the improper use of commercial spyware; and encourage the development and implementation of responsible norms regarding the use of commercial spyware that are consistent with respect for the rule of law, human rights, and democratic norms and values.”

However, limited legal and legislative actions are yet to have an _immediate_ positive effect on curbing the use of commercial spyware. Despite these steps toward limiting the operations of these spyware companies, they are likely to keep operating in any region as long as it's financially and legally feasible. Increasing scrutiny with export regulations, criminal liability and fines may be a way forward towards ensuring that their activity does not go beyond the legitimate purposes they advertise.

**Risk profile**

For almost everyone on the planet, your Apple or Android phone’s built-in security features are more than sufficient to keep you protected. However, the commercial spyware industry has proven that it is easy to compromise targets if you have access to these products and the means to use them. We've seen numerous deeply concerning reports of people being compromised and are commonly met with the news that it was a journalist or dissident. The ability of these companies to repeatedly compromise devices, regardless of patch level, makes protection difficult.

For those that believe they are being or could be targeted by commercial spyware, rebooting the device before contacting a source or switching to lockdown mode might be the only options for the foreseeable future.

If you feel that you have been targeted by commercial spyware, there are also more generic habits that should be part of your daily routine:

*   Reboot your device regularly.
*   Use lockdown mode if your device is an iPhone.
*   Don’t click on links from dubious sources.
*   Don’t accept private messages from unknown persons.
*   If you have to keep a public contact, use an empty device to receive such contacts and reset it frequently.
*   Keep your devices up-to-date.

_If readers suspect their system(s) may have been compromised by commercial spyware or hack-for-hire groups, please consider notifying Talos’ research team at talos-mercenary-spyware-help@external.cisco.com to assist in furthering the community’s knowledge of these threats._

The growth of commercial spyware based intelligence providers without legal or ethical supervision

Apple's emergency patch, AI-generated art and more security headlines from the past week.

Thursday, June 29, 2023 14:06

Welcome to this week’s edition of the Threat Source newsletter.

AI-generated art is causing drama across the internet over the past few months, from Marvel TV show opening credits scenes to predatory YouTubers who claim YOU can make millions by having AI tools create children’s books for you.

There are all sorts of ethical and legal implications that AI-generated art has that I don’t have the space here to cover, but I did think it was worth noting that these tools are already being used in cyber attacks and online scams.

These tools can create extremely convincing deepfake art that could lead to the spread of misinformation or disinformation, especially concerning major news events and political figures. I’ve written about this in the newsletter before.

There are also dozens of apps that promise to create convincing AI art or portraits of people serving another malicious purpose. As McAfee pointed out in this blog post, some Android apps offered to “zhuzh up” users’ profile pictures with AI filters but were actually trojanized apps with hidden information stealers. And at the end of the day, they were all using the same basic filters. Many of these apps could also be stealing and re-using the pictures users submitted to these apps (remember the saga of the app that showed what it would be like when you got old?).

I have more to get to this week, so I’m not going to go much deeper into the subject, but as always, be vigilant of apps’ privacy policies and do a quick background check on their creators before downloading something hoping to create a Skrull version of yourself.

I’m also excited to show off this new video featuring a behind-the-scenes interview with Talos.

This video from Cisco Secure shines a spotlight on the evolution and future of ransomware. Watch it below or over on Cisco.com here to find out how our threat hunters identify new and evolving threats in the wild, and how their research and intelligence help organizations build strong defenses.

**The one big thing**

Apple released an emergency patch last week for all its operating systems for two zero-click vulnerabilities that could allow an attacker to completely take over a targeted device. The two vulnerabilities, identified as CVE-2023-32434 and CVE-2023-32435, were used to reportedly compromise phones in Russia. The issues were part of the so-called Triangulation spyware discovered on iPhones of employees of Kaspersky, a Russia-based cybersecurity company, but the malware was removed from phones after a device reboot.

**Why do I care?**

The chances of being targeted by the Triangulation spyware is slim-to-none based on what the security community knows to this point, but either way, the existence of a zero-day vulnerability in iOS is always big news. Apple encouraged users to upgrade to iOS 16.5.1 and iPadOS 16.5.1 for users of those devices. The company also said that CVE-2023-32434 "may have been actively exploited against versions of iOS released before iOS 15.7."

**So now what?**

All Apple users should update these affected products as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency also released an advisory telling “users and administrators to review \[Apple’s\] advisories and apply the necessary updates.”

**Top security headlines of the week**

The self-identifying hacktivist group “Anonymous Sudan” is **more active than initially thought.** While researchers are still unsure as to the group’s connections to any nation-states, the group says it’s advocating on behalf of Sudan. It first came onto the scene earlier this month, taking credit for a distributed denial-of-service attack against Microsoft that affected Outlook. Now, researchers are saying their activities actually started prior to that with attacks targeting Israel, Sweden and other nations earlier this year. Microsoft confirmed last week that a Layer 7 DDoS attack was responsible for outages affecting Azure, Outlook and OneDrive, saying that, “these attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools” and that there is “no evidence that customer data has been accessed or compromised." (Bloomberg, Bleeping Computer)

**The list of companies affected by the MOVEit breach continues to grow.** Clop, the threat actor behind the attacks, added Schneider Electric and Siemens Energy — two major electric corporations — to its leak site this week. The University of California Los Angeles (UCLA) also confirmed it discovered on June 1 that it was the target of the campaign, though it quickly engaged the college’s incident response team and patched the issue. Since the attack went public, Clop’s leak site mainly called out seven U.S. state and local governments, including the nation’s largest public-employee pension fund — the California Public Employees’ Retirement System. And the New York City public school system was also affected, with more than 45,000 students having their personal data stolen, including sensitive information like Social Security numbers. (The Record by Recorded Future, CyberScoop)

**The FBI seized the domain belonging to the infamous hacking site BreachForums,** three months after arresting its creator. Users of BreachForums were known for sharing and selling stolen personal data from a variety of websites and companies. BreachForums was quiet for several weeks after the admin, known as “Pompompurin,” was arrested. However, the site’s newest admin decided to launch the site on new servers earlier this month. In addition to the usual display of the law enforcement agencies’ logos who were involved in the takedown, BreachForums’ homepage now also displays an image of the avatar Pompompurin used in handcuffs. (TechCrunch, Infosecurity Magazine)

**Can’t get enough Talos?**

*   Service overview: Talos Incident Response purple team
*   Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL
*   Video: How Talos’ open-source tools can assist anyone looking to improve their security resilience
*   Talos Takes Ep. #144: What we know so far about the MOVEit zero-day making the rounds

**Upcoming events where you can find Talos**

**BlackHat** **(Aug. 5 - 10)**

Las Vegas, Nevada

**Grace Hopper Celebration (Sept. 26 - 29)**

Orlando, Florida

> _Caitlin Huey, Susan Paskey and Alexis Merritt present a "Level Up Lab" titled "Don’t Fail Knowledge Checks: Accelerating Incident Response with Threat Intelligence." Participate in several fast-paced activities that emphasize the importance of threat intelligence in security incident investigations. Attendees will act as incident responders investigating a simulated incident that unfolds throughout this session. Periodic checkpoints will include discussions that highlight how incident response and threat intelligence complement each other during an active security investigation._

**Most prevalent malware files from Talos telemetry over the past week**

**SHA 256:** 5616b94f1a40b49096e2f8f78d646891b45c649473a5b67b8beddac46ad398e1  
**MD5:** 3e10a74a7613d1cae4b9749d7ec93515  
**Typical Filename:** IMG001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Dropper.Coinminer::1201

**SHA 256:** 59f1e69b68de4839c65b6e6d39ac7a272e2611ec1ed1bf73a4f455e2ca20eeaa  
**MD5:** df11b3105df8d7c70e7b501e210e3cc3  
**Typical Filename:** DOC001.exe  
**Claimed Product:** N/A  
**Detection Name:** Win.Worm.Coinminer::1201

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

**SHA 256:** e12b6641d7e7e4da97a0ff8e1a0d4840c882569d47b8fab8fb187ac2b475636c  
**MD5:** a087b2e6ec57b08c0d0750c60f96a74c  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** 00ab15b194cc1fc8e48e849ca9717c0700ef7ce2265511276f7015d7037d8725  
**MD5:** d47fa115154927113b05bd3c8a308201  
**Typical Filename:** mssqlsrv.exe  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.65065311

New video provides a behind-the-scenes look at Talos ransomware hunters

A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams.

Thursday, June 29, 2023 08:06

Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can.

As your trusted advisor, our purple team, which is a combination of both red and blue teams, emulates one joint attack scenario, executes the scenario, and records how your current incident response capabilities perform to evaluate your current gaps and inform future enhancements.

Can your organization’s current security incident response program withstand an emulated adversarial attack? Need to put your current TTPs detections to the test? Not sure where to start, what to test, or what gaps exist in your program? No fear, Talos IR can partner with you to provide Purple Team expertise and exercises, tailored for your organization to proactively test and enhance your prevention, detection and response capabilities.

During the Purple Team exercise, an external Red Team acts as an Advanced Persistence Threat (APT) actor while the Talos IR Blue Team, together with the organization’s defender team, is responsible for detecting those activities and responding to the attack in accordance with the existing security procedures.

If you want to learn more about Talos IR's Purple Team, tune into the next Talos IR On Air stream on July 27 at 12 p.m. ET. The stream will be available live on Talos' Twitter and LinkedIn, with a replay going up shortly after on our YouTube page.

Organizations of all sizes can benefit from the Purple Team exercises Cisco offers to proactively test your current cybersecurity risks and solidify your team’s TTPs and increase your overall security knowledge in advance of a cybersecurity incident.

**Purple Team value for joint teams**

Cisco can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your detection and response capabilities. A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams. The Red Team emulates adversary TTPs, while the Blue Team, which consists of seasoned Talos IR responders, works side-by-side with your organization’s defenders to detect and respond to those attacks. During the exercise, the Blue Team is challenged to use the organization’s existing internal security TTPs policies and procedures and test available security tooling. This type of dynamic emulation helps proactively identify any gaps in training and resources and increases the organization’s security awareness and preparedness for the future.

These Purple Team exercises also help organizations optimize their security investments by identifying weaknesses in their current security toolsets. Once these gaps are identified and shared your organization has more insightful data to support future cybersecurity solutions investments. Making informed decisions about where to allocate resources will mitigate the risk of wasting resources on ineffective cybersecurity solutions and can ensure your financial investments are optimized to meet your needs today and tomorrow.

Purple Team exercises also offer a valuable opportunity for knowledge exchange between members of the Blue and Red Teams.

*   The Red Team learns more from the Blue Team about the different security controls that are in place and tries to identify new ways to circumvent these controls.
*   The Blue Team, on the other hand, gains insights into the specific techniques used by the adversaries to compromise the environment, including specific tools and attack scripts.

Internal defenders, employed by the organization, use the firsthand experience from the Purple Team to update and optimize their monitoring and detection capabilities and build new processes.

**Testing approach and steps**

Purple Team exercises have been designed around the MITRE ATT&CK Framework to provide common terminology for identifying and blocking commonly used adversarial TTPs.

During the engagement, Talos Red Team and Talos Incident Response teams work together with the customer’s team to exchange knowledge about common attacks and corresponding detection. The responders from Talos IR collaborated closely with the customer security teams to properly identify all techniques executed by Talos Red Team and verify the defense’s actions. The workshop-style Purple Team engagement increases team trust among members of the internal security team and creates a base to improve the overall organization’s resilience against active threats. With clearly defined steps Talos IR collaborates with your organization’s security teams to properly identify all techniques executed by Talos Red Team and verifies the recorded activity.

The Purple Team exercise starts with the customer and Cisco Talos jointly defining and testing attack scenarios based on the organization’s existing security capabilities. An important part of this process is an evaluation of the strengths and weaknesses across different deployed security capabilities and the identification of areas of concern.

The final scenario is uniquely crafted to meet the risk concerns of the organization in terms of protecting its environment and “crown jewel” assets. A document with scenario details is agreed upon with the organization’s representatives before launching the agreed attack. Throughout the active execution of the attack, the Cisco Talos team will document the response of the security team by collecting detailed notes on topics such as the coverage of the security capabilities, availability of telemetry to detect and analyze the TTPs and, finally, the overall organization.

Integrating threat intelligence into our exercises helps organizations better understand the threats that they face and identify potential vulnerabilities in their security defenses. The intelligence data from Cisco Talos is a key differentiator of our Purple Team capabilities. The Cisco Talos team incorporates threat intelligence data from historical threats related to your organization's unique industry vertical and geography, as well as information on current adversary activity to create your tailored attack scenario. To protect your organization, Cisco Talos offers publicly available Threat Assessment Reports, which are published quarterly and yearly, and are an integral component used to build scenarios based on the latest threat intelligence. The final scenario aims to emulate as closely as possible a specific real-life threat that was analyzed by Talos in the wild, often leveraging existing research on observed threats and direct emergency response experience.

The outcome of the Purple Team exercise heavily relies on visibility into the organization's environment. The Security Operations Team within your organization relies on the existence of sufficient logs and properly configured security tools to quickly identify threats targeting the environment and stop them at an early stage. Verification of detection capabilities and visibility gives the team insights about potential gaps and better preparation for incidents.

Below is a list of standard tools that the Purple Team could use depending on the specific needs of the engagement:

*   Antivirus and Endpoint Detection and Response (EDR)
*   Traditional, Next-Generation and Web Application Firewall(s)
*   NetFlow and Network Telemetry
*   Email Server and Security Appliance Logs
*   DNS Security and Visibility Logs
*   Operating System and Application Logs
*   Auxiliary Operating System Logs
*   Proxy Network Logs
*   Application Logs
*   Data Loss Prevention Logs

**Attack scenario execution**

During the delivery of a Purple Team exercise, Talos IR team supports actively but non-intrusively the security team with detection and identification activities. As the Talos Red team executes step-by-step the pre-defined attack, compromising selected hosts or parts of the environment, Talos IR, in collaboration with the customer’s security team, works on detection across applicable security capabilities and cross-referencing logs to gain full identification of the attack.

For each TTP used by the attacker, the Talos IR team documents the following attributes of the security team’s response:

*   Logged, Alerted, and Mitigated
*   Logged and Alerted
*   Logged and Mitigated
*   Alerted and Mitigated
*   Not Detected

This type of detailed documentation builds up the foundation for the post-exercise report.

**Attack scenario results and reporting**

The Purple Team engagement concludes with a report and a debrief session. The report summarizes the overall activities during the exercise, the preparatory actions in the scenario-building phase, and the results of the detection and response verification. This engagement report serves as a foundation for future improvement of environment detection capabilities and paves the way for enhanced security resilience of the company.

Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding our new Purple Team service.

How Talos IR’s Purple Team can help you prepare for the worst-case scenario

TALOS-2023-1724 (CVE-2023-1531) occurs if the user opens a specially crafted web page in Chrome.

Monday, June 26, 2023 12:06

Cisco Talos recently discovered an exploitable use-after-free vulnerability in Google Chrome’s Web Graphics Library (WebGL).

Google Chrome is a cross-platform web browser — and Chromium is the open-source version of the browser that both Google and other software developers use as the basis to build their browsers. This specific vulnerability exists in WebGL, a JavaScript API that renders 2-D and 3-D graphics.

TALOS-2023-1724 (CVE-2023-1531) occurs if the user opens a specially crafted web page in Chrome. That page could trigger a use-after-free condition in the application. Adversaries often leverage use-after-free conditions to corrupt data on the targeted machine or purposefully leak data.

Cisco Talos worked with Google to ensure that this issue is resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Google Chrome, version 110.0.5481.78 (64-bit) and Chromium, version 112.0.5592.0 (64-bit). Talos tested and confirmed these versions of Chrome could be exploited by this vulnerability.

The following Snort rules will detect exploitation attempts against this vulnerability: 61412 and 61413. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall or Snort.org.

Vulnerability Spotlight: Use-after-free condition in Google Chrome WebGL

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 16 and June 23. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key