Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

_By Joey Chen, Chetan Raghuprasad and Alex Karkins._ 

*   Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
*   Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
*   This campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious HTA file and payload. 
*   Talos assesses with moderate confidence that the threat actor CoralRaider operates the campaign. We observed several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.  

**Victimology and actor infrastructure**

The campaign affects victims across multiple countries, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey, based on our telemetry data and OSINT information. Our telemetry also disclosed that some affected users were from Japan’s computer service call center organizations and civil defense service organizations in Syria. The affected users were downloading files masquerading as movie files through the browser, indicating the possibility of a widespread attack on users across various business verticals and geographies.

We observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to deceive network defenders. 

CDN edge URLs 

Information Stealer

hxxps\[://\]techsheck\[.\]b-cdn\[.\]net/Zen90

Cryptbot

hxxps\[://\]zexodown-2\[.\]b-cdn\[.\]net/Peta12

Cryptbot

hxxps\[://\]denv-2\[.\]b-cdn\[.\]net/FebL5

Cryptbot, Rhadamanthys

hxxps\[://\]download-main5\[.\]b-cdn\[.\]net/BSR\_v7IDcc

Rhadamanthys

hxxps\[://\]dashdisk-2\[.\]b-cdn\[.\]net/XFeb18

Cryptbot

hxxps\[://\]metrodown-3\[.\]b-cdn\[.\]net/MebL1

Cryptbot

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/MebL1

Cryptbot, LummaC2

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/SAq2

LummaC2

Talos discovered that the actor is using multiple C2 domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing. 

**Tactics, techniques and procedures overlap with other campaigns **

Talos assesses with moderate confidence that threat actor CoralRaider is likely operating this campaign based on several overlaps in the TTPs used and the targeted victims’ geography of this campaign with that of the CoralRaider’s Rotbot campaign. We spotted that the PowerShell scripts used in the attack chain of this campaign to decrypt the PowerShell scripts of further stages and the downloader PowerShell script are similar to those employed in the Rotbot’s campaign.

PowerShell decryptor script of Rotbot campaign (left) and new unknown campaign (right).

String decrypt and download routine of Rotbot campaign (Left) and new unknown campaign (right).

The Powershell script did not appear in any public repository or article, indicating the threat actor likely developed these PowerShell scripts. Pivoting on the PowerShell argument embedded in the LNK file showed us that such arguments are not popular and likely specific to the actor and the campaign.  

.(gp -pa 'HKLM:\\SOF\*\\Clas\*\\Applications\\msh\*e').('PSChildName')

**Multi-stage infection chain to deliver the payload **

The infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique, according to our telemetry. The threat actor is likely delivering malicious links to victims through phishing emails.

The Windows shortcut file has an embedded PowerShell command running a malicious HTA file on attacker-controlled CDN domains. HTA file executes an embedded Javascript, which decodes and runs a PowerShell decrypter script. PowerShell decrypter script decrypts the embedded PowerShell Loader script and runs it in the victim’s memory. The PowerShell Loader executes multiple functions to evade the detections and bypass UAC, and finally, it downloads and runs one of the payloads, Cryptbot, LummaC2 or Rhadamanthys information stealer.

**Windows Shortcut file to execute the malicious HTA file**

Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine. The threat actor has used “gp,” a PowerShell command alias for Get-ItemProperty, to read the registry contents of the application classes registry key and gets the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance executes the remotely hosted malicious HTA file on the victim’s machine. 

**Obfuscated HTA runs embedded PowerShell decrypter  **

The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function using the String fromCharCode method. The decoded function then executes an embedded PowerShell decryptor script. 

The decryptor PowerShell script has a block of AES-encrypted string. Using the AES decryptor function, it generates an AES key of 256 bytes from a base64 encoded string “RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=” and the IV “AAAAAAAAAAAAAAAA.” With the key and IV, it decrypts and executes the next stage of the PowerShell Loader script. 

**PowerShell loader downloads and runs the payload**

The PowerShell loader script is modular and has multiple functions to perform a sequence of activities on the victim’s machine. Initially, it executes a function that drops a batch script in the victim machine’s temporary folder and writes its contents, which includes the PowerShell command to add the folder “ProgramData” of the victim machine to the Windows Defender exclusion list. 

The dropped bath script is executed through a living-off-the-land binary (LoLBin) “FoDHelper.exe” and a Programmatic Identifiers (ProgIDs) registry key to bypass the User Access Controls (UAC) in the victim’s machine. Fodhelper is a Windows feature, an on-demand helper binary that runs by default with high integrity. Usually, when the FodHelper is run, it checks for the presence of the registry keys listed below. If the registry keys have commands assigned, the FodHelper will execute them in an elevated context without prompting the user. 

HKCU:\Software\Classes\ms-settings\shell\open\command

HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

Windows Defender, by default, detects if there are attempts to write to the registry keysHKCU:\Software\Classes\ms-settings\shell\open\command and to evade this detection, the threat actor uses the programmatic identifier (ProgID). In Windows machines, a programmatic identifier (ProgID ) is a registry entry that can be associated with a Class ID (CLSID ), which is a globally unique serial number that identifies a COM (Component Object Model) class object. The Windows Shell uses a default ProgID registry key called CurVer, which is used to set the default version of a COM application. 

In this campaign, the threat actor abuses the “CurVer” registry key feature by creating a custom ProgID “ServiceHostXGRT” registry key in the software classes registry and assigns the Windows shell to execute a command to run the batch script. 

Registry Key

"HKCU\\Software\\Classes\\ServiceHostXGRT\\Shell\\Open\\command"

Value

%temp%\\r.bat 

The script configures the ProgID ServiceHostXGRT in the CurVer registry subkey of HKCU\Software\Classes\ms-settings\CurVer, which will get translated to HKCU:\Software\Classes\ms-settings\shell\open\command. After modifying the registry settings, the PowerShell script runs FoDHelper.exe, executing the command assigned to the registry key HKCU:\Software\Classes\ms-settings\shell\open\command and executing the dropped batch script. Finally, it deletes the configured registry keys to evade detection. 

The batch script adds the folder “C:\\ProgramData” to the Windows Defender exclusion list. The PowerShell loader script downloads the payload and saves it in the “C:\\ProgramData” folder as “X1xDd.exe.”

After downloading the payload to the victim’s machine, the PowerShell loader executes another function that overwrites the previously dropped batch file with the new instructions to run the downloaded payload information stealer through the Windows start command. It again uses the same FoDHelper technique to run the batch script’s second version, which we explained earlier in this section.  

**Actor’s choice of three payloads in the same campaign **

Talos discovered that the threat actor delivered three famous information stealer malware as payloads in this campaign, including CryptBot, LummaC2 and Rhadamanthys. These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets and financial information. 

**CryptBot**

CryptBot is a typical infostealer targeting Windows systems discovered in the wild in 2019 by GDATA. It is designed to steal sensitive information from infected computers, such as credentials from browsers, cryptocurrency wallets, browser cookies and credit cards, and creates screenshots of the infected system. 

Talos has discovered a new CryptBot variant distributed in the wild since January 2024. The goal of the new CryptBot is the same, with some new innovative functionalities. The new CryptBot is packed with different techniques to obstruct malware analysis. A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with unknown versions. The new CryptBot attempts to steal sensitive information from infected machines and modifies the configuration changes of the stolen applications. The list of targeted browsers, applications and cryptocurrency wallets by the new variant of CryptBot is shown below.

We observed the new CryptBot variant also includes password manager application databases and authenticator application information in its stealing list to steal the cryptocurrency wallets that have two-factor authentication enabled. 

CryptBot is aware that the target applications in the victim’s environment will have different versions, and their database files will have different file extensions. It scans the victim’s machine for database files’ extensions of the targeted applications for harvesting credentials. 

**LummaC2 **

Talos discovered that the actor is delivering a new variant of LummaC2 malware as an alternative payload in this campaign. LummaC2 is a notorious information stealer that attempts to harvest information from victims’ machines. Based on the report posted by outpost24 and other external security reports, LummaC2 has already been confirmed to be sold on the underground market for years. 

The threat actor has modified LummaC2’s information stealer capability and obfuscated the malware with a custom algorithm. The obfuscation algorithm is saved in another section inside the malware shown below.

The new version of LummaC2 also presents the same signature of the alert message displayed to the user during its execution. 

The C2 domains are encrypted with a symmetric algorithm, and we found that the actor has nine C2 servers that the malware will attempt to connect to one by one. Analyzing various samples of the new LummaC2 variant, we spotted that each will use a different key to encrypt the C2.   

Talos has compiled the list of nine C2 domains the new LummaC2 variant attempts to connect in this campaign. 

Encrypted strings

Decrypted Strings

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB+VXagKwrRr7BjLA71GNEZ8E8/0K2otQ==

peasanthovecapspll\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBpVXqwOAHAo75nPQT3Hc4I6EZ+x+u0rVjB

gemcreedarticulateod\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9VXShLxDMqLFmPATgC8Ma+U14zKy0oBnC/kf0

secretionsuitcasenioise\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtXHa6JwfKqbxwOh79B8wb+UF0jbavqkc=

claimconcessionrebe\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBiWXaxIwjMs6Z0Ox/1BsUM8UZ/2qyz60TZ+Vg=

liabilityarrangemenyit\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBjX3O2ORDAtKx0MAjiDcwE9U9mxq7ptl/e5g==

modestessayevenmilwek\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB6Qn6yJAPJoqxwKB77BsAM8kB51K/ptl/e5g==

triangleseasonbenchwj\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtRXunPxbAtLRwPQ78DssH/U1yyqSrqRnC/kf0

culturesketchfinanciall\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9X3GyIhHLs7Z7Lh74AcYM+Ep/xuu0rVjB

sofahuntingslidedine\[.\]shop

LummaC2’s first step in its exfiltration phase is its connection to the C2 server. The malware will exit the process if it does not receive the “OK” message as a response from any of the nine C2 servers. The second step will be exfiltrating information from infected machines. The basic stealing functionality is the same as the previous version, with the addition of victims’ discord credentials to exfiltrate. 

**Rhadamanthys**

The last payload we found in this campaign is Rhadamanthys malware, a famous infostealer appearing in the underground forum advertisement in September 2022. The Rhadamanthys malware has been evolving till now, and its authors have released a new version, V0.6.0, on Feb. 15, 2024. However, the Rhadamanthys variant we found in this campaign is still v0.5.0.

The threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory. After decompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages. The first stage is a simple Python script that replaces the binary code from 0 to 9 and decodes the second stage. 

In the second stage, the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process. We spotted that the threat actor is developing the Python script with the intention of including the functionality of executing a shellcode. 

Analyzing the final executable file showed us that the malware unpacks the loader module with the custom format having the magic header “XS” and performs the process injection. The custom loader module in XS format is similar to that of a Rhadamanthys sample analyzed by the researcher at Check Point. The malware selects one of the listed processes as the target process for process injection from a hardcoded list in the binary:

*   "%Systemroot%\\\\system32\\\\dialer.exe"
*   "%Systemroot%\\\\system32\\\\openwith.exe"

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63218 - 63225 and 300867 - 300870.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10027128-0

Txt.Tool.CoralRaider-10027140-0

Html.Downloader.CoralRaider-10027220-0

Win.Infostealer.Lumma-10027222-0

Win.Infostealer.Rhadamanthys-10027293-0

Win.Infostealer.Rhadamanthys-10027294-0

Win.Infostealer.Cryptbot-10027295-0

Win.Infostealer.Cryptbot-10027296-0

Win.Infostealer.Cryptbot-10027297-0

Win.Infostealer.Cryptbot-10027298-0

Win.Infostealer.Cryptbot-10027299-0

Win.Infostealer.Cryptbot-10027300-0

Win.Infostealer.Cryptbot-10027301-0

Win.Infostealer.Cryptbot-10027302-0

Win.Infostealer.Cryptbot-10027303-0

Win.Infostealer.Cryptbot-10027305-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Suspected CoralRaider continues to expand victimology using three information stealers

SecOps highlights this week include the executive role in "cyber readiness;" Cisco's Hypershield promise; and Middle East cyber ops heat up.

Source: Panther Media GmbH via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we'll offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In This Issue of CISO Corner:**

*   GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories
    
*   Break Security Burnout: Combining Leadership With Neuroscience
    
*   Global: Cyber Operations Intensify in Middle East, With Israel the Main Target
    
*   Cisco's Complex Road to Deliver on Its Hypershield Promise
    
*   Rebalancing NIST: Why 'Recovery' Can't Stand Alone
    
*   3 Steps Executives and Boards Should Take to Ensure Cyber Readiness
    
*   Rethinking How You Work With Detection and Response Metrics
    

**GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories**

By Nate Nelson, Contributing Writer, Dark Reading

A slicker phishing lure and some basic malware was about all threat actors have been able to squeeze out of artificial intelligence (AI) and large language model (LLM) tools so far — but that's about to change, according to a team of academics.

Researchers at the University of Illinois Urbana-Champaign have demonstrated that by using GPT-4 they can automate the process of gathering threat advisories and exploiting vulnerabilities as soon as they are made public. In fact, GPT-4 was able to exploit 87% of vulnerabilities it was tested against, according to the research. Other models weren't as effective.

Although the AI technology is new, the report advises that in response, organizations should tighten up tried-and-true best security practices, particularly patching, to defend against automated exploits enabled by AI. Moving forward, as adversaries adopt more sophisticated AI and LLM tools, security teams might consider using the same technologies to defend their systems, the researchers added. The report pointed to automating malware analysis a promising use-case example.

Read more: GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

Related: First Step in Securing AI/ML Tools Is Locating Them

**Break Security Burnout: Combining Leadership With Neuroscience**

By Elizabeth Montalbano, Contributing Writer, Dark Reading

Widely reported burnout among cybersecurity professionals is only getting worse. It starts at the top with pressure on CISOs mounting from all sides — regulators, boards, shareholders, and customers — to assume all the responsibility for an entire organization's security, without much control of budgeting or priorities. Wider enterprise cybersecurity teams are wearing down too under the weight of putting in long, stressful hours to prevent seemingly inevitable cyberattacks.

Certainly awareness of the stress and strain driving talent away from the cybersecurity profession is widely acknowledged, but workable solutions have been elusive.

Now two professionals looking to break what they call the "security fatigue cycle" say leaning on neuroscience can help. Peter Coroneros, founder of Cybermindz and Kayla Williams, CISO of Devo, have come together to advocate for more empathetic leadership informed by a better understanding of mental health, and will be presenting their ideas in more detail at this year's RSA Conference.

For example, they found tools like iRest (Integrative Restoration) attention training techniques, which have been used for 40 years by US and Australian militaries help people under chronic stress get out of the "flight-or-flight" state and relax. iRest could also be a useful tool for frazzled cybersecurity teams, they said.

Read more: Break Security Burnout: Combining Leadership With Neuroscience

**Global: Cyber Operations Intensify in Middle East, With Israel the Main Target**

By Robert Lemos, Contributing Writer, Dark Reading

The unraveling crisis in the Middle East continues to produce historic volumes of cyberattacks to support military operations.

There are two categories of adversary groups at work, according to experts — nation-state threat actors working as an arm of a military operation and hacktivist groups attacking willy-nilly based on opportunity and a victim's perceived proximity to the group's enemies.

Israel's National Cyber Directive boss said Iranian- and Hezbollah-affiliated groups have been trying to take down the country's networks "around the clock."

Cybersecurity experts warns Israel should prepare for destructive cyberattacks to continue as the Iran-Israel cyber conflict escalates.

Read more: Cyber Operations Intensify in Middle East, With Israel the Main Target

Related: Iran-Backed Hackers Blast Out Threatening Texts to Israelis

**Cisco's Complex Road to Deliver on Its Hypershield Promise**

By Robert Lemos, Contributing Writer

Cisco's big reveal of its AI-powered cloud security platform Hypershield was big on buzzwords and left industry watchers with questions about how the tool is going to deliver on its pitch.

Automated patching, anomalous behavior detection and blocking, AI-agents maintaining real-time security controls around every workload, and a new "digital twin" approach are all touted as Hypershield features.

The modern approach would be a major step forward "If they pull it off," David Holmes, a principal analyst with Forrester Research said.

Jon Oltisk, analyst emeritus at Enterprise Strategy Group, compared Hypershield's ambitions to the development of driver-assist features in cars, "The trick is how it comes together."

Cisco Hypershield is scheduled for release in August.

Read more: Cisco's Complex Road to Deliver on Its Hypershield Promise

Related: First Wave of Vulnerability-Fixing AIs Available for Developers

**Rebalancing NIST: Why 'Recovery' Can't Stand Alone**

Commentary By Alex Janas, Field Chief Technology Officer, Commvault

Although NIST's new guidance on data security is an important basic overview, but falls short on offering best practices for how to recover from a cyberattack once it's already happened.

Today, organizations need to assume they have been, or will be, breached and plan accordingly. That advice is perhaps even more important than the other elements of the new NIST framework, this commentary argues.

Companies should immediately work to address any gaps in cybersecurity preparedness and response playbooks.

Read more: Rebalancing NIST: Why 'Recovery' Can't Stand Alone

Related: NIST Cybersecurity Framework 2.0: 4 Steps to Get Started

**3 Steps Executives and Boards Should Take to Ensure Cyber Readiness**

Commentary By Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

Working to develop an effective and tested incident response plan is the best thing executives can do to prepare their organization for a cyber incident. Most major mistakes happen in the first "golden hour" of a cyber incident response, the commentary explains. That means ensuring every member of the team has a well-defined role and can get to work quickly on finding the best path forward, and crucially, not making remediation errors that can upend recovery timelines.

Read more: 3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Related: 7 Things Your Ransomware Response Playbook Is Likely Missing

**Rethinking How You Work With Detection and Response Metrics**

By Jeffrey Schwartz, Contributing Writer, Dark Reading

During the recent Black Hat Asia conference Allyn Stott, senior staff engineer with Airbnb challenged every security professional to rethink the role metrics play in their organization's threat detection and response.

Metrics drive better performance and help cybersecurity managers demonstrate how detection and response program investment translates into less business risk to leadership.

The single most important security operations center metric: alert volume, Stott explained. He added looking back over his past work, he regrets how much he leaned on the MITRE ATT&CK framework. He recommends incorporating others including SANS SABRE framework and Hunting Maturity Model.

Read more: Rethinking How You Work With Detection and Response Metrics

Related: SANS Institute Research Shows What Frameworks, Benchmarks, and Techniques Organizations Use on their Path to Security Maturity

CISO Corner: Breaking Staff Burnout, GPT-4 Exploits, Rebalancing NIST

Given the state of the NVD and vulnerability management, we felt it was worth looking at the current state of the NVD, how we got to this point, what it means for security teams, and where we go from here.

Friday, April 19, 2024 08:00

The National Vulnerability Database is usually the single source of truth for all things related to security vulnerabilities.  

But now, they’re facing an uphill battle against a massive backlog of vulnerabilities, some of which are still waiting to be analyzed, and others that still have an inaccurate or altogether missing severity score.  

As of April 9, 5,799 CVEs that have been published since Feb. 15, 2024, remain unanalyzed. 

As the backlog piles up, it’s unclear how, or when, the NVD is going to get back to its regular cadence of processing, scoring and analyzing vulnerabilities that are submitted to the U.S. government repository. At its current pace, the NVD is analyzing about 2.9 percent of all published CVEs it's been sent, well behind its pace in previous years. If there were no new CVEs submitted today, it could take the NVD more than 91 days to empty that backlog and get caught up. 

Given the state of the NVD and vulnerability management, we felt it was worth looking at the current state of the NVD, how we got to this point, what it means for security teams, and where we go from here. 

**What is the NVD? **

The U.S.’s National Vulnerability Database provides the most comprehensive list of CVEs anywhere. This tracks security vulnerabilities in hardware and software and distributes that list to the public for anyone to use.  

This data enables organizations and large networks to automate vulnerability management, take appropriate security steps when a new vulnerability is discovered, important references and metrics that indicate how serious a particular vulnerability is.  

The U.S. National Institute of Standards and Technology (NIST) has managed the NVD since 2000, when it was started as the Internet Category of Attack toolkit. It eventually morphed into the NVD, which passed the 150,000-vulnerability mark in 2021.  

In addition to simply listing the CVEs that are regularly disclosed, the NVD scores vulnerabilities using the CVSS system, which often differ from the initial severity score that’s assigned by the researcher that discovers the vulnerability, or the company or organization behind the affected product or software. 

Since the creation of I-CAT, no other organization or private company has as comprehensive of a list of vulnerabilities as the NVD, nor do they offer it for free like NIST does.  

**Why is the backlog a problem? **

On the surface, it may seem like the fact that the NVD has been slow to analyze CVEs isn’t all that bad, considering security issues are still being disclosed and patched every day (think: Microsoft Patch Tuesday). 

However, the lack of a single source of CVEs augmented information is detrimental to administrators, security researchers and users, and security experts are warning that the issue needs to be addressed quickly, or an alternative needs to be adopted.  

With the NVD being a collection of all this information, it’s up to the individual vendors to responsibly disclose and release vulnerabilities discovered in their products, which puts the onus on administrators to track that information down. If someone who handles patch management for a network was relying on the NVD for their information, that list is likely outdated at this point, and instead, they need to visit each individual vendor to find out what vulnerabilities were recently disclosed in their products, and how large of a risk they present.  

On any given network, that could be dozens to even hundreds of vendors, and while massive companies like Apple and Microsoft have easy-to-access security and vulnerability information, smaller open-source projects may not have the same resources that administrators need.  

The NVD is also the most trusted source for severity scores. Their calculations are generally what most users see when they read a security advisory. But without their input, it’s on the researcher or vendor to assign a score, instead. Under that system, there is no guarantee that a company may not want to score their vulnerability higher so it does not seem as serious, while researchers may want to bump up the severity of the issue they find so they are credited with discovering a higher-severity issue.  

As Talos has discussed before, a CVSS score is not the only metric worth relying on when patching, but it does play a major role in how the public views vulnerabilities and whether they’re likely to be exploited in the wild. According to Talos’ 2023 Year in Review report, eight of the 10 most-exploited CVEs last year received a severity score of 9.3 or higher. Any sense of uncertainty around CVSS scores can leave administrators scratching their heads and without a “north star” for patch management. 

The recent xz Utility vulnerability that was luckily prevented before any attackers could exploit it still does not have a Common Weakness Enumeration (CWE) assigned to it as of April 10 because of the backlog. Had an exploit for this been used, defenders would be missing crucial context and information for defending against this backdoor. 

**How did this backlog develop? **

NIST has been relatively vague about why the agency has been slow to process new vulnerabilities. The first sign of trouble came in February, when NIST released a statement that a “growing backlog of vulnerabilities” had developed because of “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.” 

NIST’s budget was cut by about 12 percent after the recent package of funding bills passed by U.S. Congress, as well. 

The agency also said in February that additional NIST staff were being shifted around to address the backlog, and at the recent VulnCon and Annual CNA Summit, the NVD program director promised that NIST was developing a consortium to help address the issues with the NVD.  

The total number of vulnerabilities disclosed continues to increase every year, driven by larger amounts of software on the market and increased visibility into security concerns and research. Last year, there were 28,961 CVEs disclosed, according to the CVE Program, an increase of 15 percent from 2022. The last time there were fewer CVEs assigned in a year compared to the year prior was in 2016. 

**What are some potential solutions? **

NIST has continued to publicly support the NVD and says it's preparing to revitalize the database. But it’s unclear what short- or long-term solutions or alternatives exist. 

Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said there has yet to be a company or organization willing to take on the monstrous task of tracking and scoring \*every\* CVE, especially for free.  

Other vulnerability catalogs exist like the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, but the KEV only lists vulnerabilities that have actively been exploited in the wild. 

In short — all the potential alternatives are imperfect. 

“We can get the data from anywhere, and AI data could even help, but people just need to decide,” Gamblin said. “Is there going to be just one source of data? And who is the source of truth for this data? Who owns this data?” 

A private company like MITRE could step up to create its own solution, but it’d likely want to charge for access to that database. Any non-profit organization who also wants to step up would also likely need a massive influx of money and manpower to address the sheer volume of CVEs that come in every day. 

And while NIST says the consortium is in the works, there’s no timetable for how long it could take for that to be established, and which private companies would be involved.  

For now, it’s best to stick to tried-and-true patching strategies that have worked for years. Software, like Cisco Vulnerability Management, which has not been affected by the NVD backlog, can also assist in automating the patching process and prioritizing which vulnerabilities to patch first.

What’s the deal with the massive backlog of vulnerabilities at the NVD?

The tech giant tosses together a word salad of today's business drivers — AI, cloud-native, digital twins — and describes a comprehensive security strategy for the future, but can the company build the promised platform?

Source: Peach Shutterstock via Shutterstock

The cybersecurity industry has no shortage of problems: Attackers are using automation to shorten their time to exploit, patching software is burdensome, establishing defenses such as segmentation remains difficult, and a shortage of cybersecurity-skilled workers holds back efforts in all of these areas.

No wonder, then, that Cisco has decided to launch an AI-powered, distributed security platform for protecting cloud workloads and artificial intelligence (AI) systems from cybersecurity threats. Dubbed Hypershield, the platform will push security out to the edge, using AI-augmented agents to maintain security controls around every workload in the data center and even distributed, connected devices. Cisco says the platform will be able to patch environments automatically, test software updates within the environment using simulated systems known as digital twins, and block attacks by detecting anomalous behavior.

Hyperbole was not in short supply, and "reimagined" seemed to be the word of the day.

Jeetu Patel, executive vice president and general manager of Cisco's security and collaboration division, called it "one of the largest platform shifts that we've experienced during our lifetimes."

"For the past gazillion years, when we've looked at security, the advantage has always been on the side of the adversary," Patel said during a press conference announcing Hypershield. "We are now approaching an era ... where ... because \[of this platform\], you might have a world where you might have an advantage as a defender, and wouldn't that be a wonderful world to live in."

Cybersecurity is certainly a field that could benefit from using AI for augmentation or as an assistant, and pushing security to the distributed edge — closer to the devices to be secured — can help simplify some aspects of vast networks that need to be secured.

The company's choice of technologies makes sense, says David Holmes, a principal analyst with Forrester Research. By using eBPF, a technology that allows sandboxed programs to run in a privileged context, pieces of the workload can be instrumented, and data processing units (DPUs) allow efficient processing of data using high-bandwidth network interfaces.

"They are describing a more modern approach to building a private cloud data center architecture, and that’s good," Holmes says. "eBPF for automation \[and\] security, container-like workloads — their DPUs — overall, this is good for the industry if they pull it off."

**Digital Twins Allow Automated Patching**

Craig Connors, chief technology officer of Cisco's security business group, demonstrated how a workload or application could be automatically patched and run in parallel using digital-twin technology to test the stability and correctness of the updated software. Digital twins are simulations — originally used in product development and manufacturing — that allow software engineers to test and observe a version of a device or application.

If patched code passes all tests and satisfies policies, then it can be promoted to production, Connors said during the demonstration.

"What we've done is we've essentially introduced the digital twin into every enforcement point that we deploy," Connors stated. "So we're actually bringing CI/CD \[continuous integration and continuous delivery\] to the embedded world by running the end-of-the-promotion pipeline as a digital twin on every single enforcement point for every single customer in the world in a transparent way. That allows us to test every possible combination that could happen in your real environment everywhere."

While the company will start with Linux environments, Cisco hinted at future plans to support other operating systems.

The same digital-twin approach can be applied to developing segmentation policies for networks of devices and workloads, according to Connors. The AI assistant built into the Hypershield platform could recommend microsegmentation policies and give a confidence score that each policy would behave well inside a given environment.

"Imagine if AI wasn't just recommending microsegmentation policies, but it was modeling them in a digital twin of your environment, and telling you exactly how it tested those policies to make sure they were correct before it recommended them to you," Connors said. "So we're really trying to bring that trust aspect in and not just 'AI bomb' you with recommendations."

**Distributed Exploit Protection**

Cisco says the platform will also protect against exploits in real time by using threat intelligence to inform anomaly detection and response. Because companies never know which vulnerabilities will be picked up by an attacker, the system allows all high-impact vulnerabilities to be treated the same.

This approach benefits companies with legacy hardware and software that has reached end of life and is no longer receiving updates, according to Connors.

"There are cases where we can never patch. ... Let's say the software's end of life, but my business still relies on it and a critical vulnerability exists," Connors said. "So while these are intended to be short-lived patches to bridge that gap between that availability and patch deployment and then we'll automatically pull back these distributed shields, it is potentially feasible that you may want to run this for the life of the application to continue protecting you against \[exploitation\]."

Having the vision and individual technologies is a good first step, but like the platform managing driver-assist features in cars, the trick is how it all comes together, says Jon Oltsik, analyst emeritus at Enterprise Strategy Group. Coordinating the pieces across multiple systems, rather than looking at each one in isolation — as well as figuring out "normal" activity — and then responding will be tricky.

"It's a good goal, but a lot of things need to come together to make it happen, including user buy-in," he says. "AI-based security must go through rigorous testing and be proven in the field before security professionals will trust it."

Cisco has promised the platform will be generally available by August.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Cisco's Complex Road to Deliver on Its Hypershield Promise

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

Source: Wright Studio via Shutterstock

Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.

In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.

The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.

**Attack Volumes Might Increase**

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.

Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.

Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.

The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.

**VPN Vulnerabilities Explode in Number**

A study by Securin showed the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. They noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers weaponized 204 of the total disclosed vulnerabilities so far. Of this, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.

Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary basically attempts to gain brute-force access to multiple accounts by trying default and common passwords across all of them.

**Reconnaissance Effort?**

"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.

The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.

"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted.

Thursday, April 18, 2024 14:00

If you’re a regular reader of this newsletter, you already know about how strongly I feel about the dangers of spreading fake news, disinformation and misinformation. 

And honestly, if you’re reading this newsletter, I probably shouldn’t have to tell you about that either. But one of the things that always frustrates me about this seemingly never-ending battle against disinformation on the internet, is that there aren’t any real consequences for the worst offenders. 

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted, or just that one individual post might be removed.  

Twitter, which has become one of the worst offenders for spreading disinformation, has gotten even worse about this over the past few years and at this point doesn’t do anything to these accounts, and in fact, even promotes them in many ways and gives them a larger platform. 

Meta, for its part, is now hiding more political posts on its platforms in some countries, but at most, an account that shares fake news is only going to be restricted if enough people report it to Meta’s team and they choose to take action.  

Now, I’m hoping that Brazil’s Supreme Court may start imposing some real-world consequences on individuals and companies that support, endorse or sit idly by while disinformation spreads. Specifically, I’m talking about a newly launched investigation by the court into Twitter/X and its owner, Elon Musk.  

Brazil’s Supreme Court says users on the platform are part of a massive misinformation campaign against the court’s justices, sharing intentionally false or harmful information about them. Musk is also facing a related investigation into alleged obstruction.  

The court had previously asked Twitter to block certain far-right accounts that were spreading fake news on Twitter, seemingly one of the only true permanent bans on a social media platform targeting the worst misinformation offenders. Recently, Twitter has declined to block those accounts. 

This isn’t some new initiative, though. Brazil’s government has long looked for concrete ways to implement real-world punishments for spreading disinformation. In 2022, the Supreme Court signed an agreement with the equivalent of Brazil’s national election commission “to combat fake news involving the judiciary and to disseminate information about the 2022 general elections.” 

Brazil’s president (much like the U.S.) has been battling fake news and disinformation for years now, making any political conversation there incredibly divisive, and in many ways, physically dangerous. I’m certainly not an authority enough on the subject to comment on that and the ways in which the term “fake news” has been weaponized to literally challenge what is “fact” in our modern society.  

And I could certainly see a world in which a high court uses the term “fake news” to charge and prosecute people who are, in fact, spreading \*correct\* and verifiable information.  

But, even just forcing Musk or anyone at Twitter to answer questions about their blocking policies could bring an additional layer of transparency to this process. Suppose we want to really get people to stop sharing misleading information on social media. In that case, it needs to eventually come with real consequences, not just a simple block when they can launch a new account two seconds later using a different email address. 

**The one big thing **

Talos recently discovered a new threat actor we're calling “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause. Starry Addax primarily uses a new mobile malware that it infects users with via phishing attack, tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. 

**Why do I care? **

The targets in this campaign's case are considered high-risk individuals, advocating for human rights in the Western Sahara. While that is a highly focused particular demographic, FlexStarling is still a highly capable implant that could be dangerous if used in other campaigns. Once infected, Starry Addax can use their malware to steal important login credentials, execute remote code or infect the device with other malware.  

**So now what? **

This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. If you are a user who feels you could be targeted by these emails, please pay close attention to any URLs or attachments used in emails with these themes and ensure you’re only visiting trusted sites. The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**Top security headlines of the week **

**A threat actor with ties to Russia is suspected of infecting the network belonging to a rural water facility in Texas earlier this year.** The hack in the small town of Muleshoe, Texas in January caused a water tower to overflow. The suspect attack coincided with network intrusions against networks belonging to two other nearby towns. While the attack did not disrupt drinking water in the town, it would mark an escalation in Russian APTs’ efforts to spy on and disrupt American critical infrastructure. Security researchers this week linked a Telegram channel that took credit for the activity with a group connected to Russia’s GRU military intelligence agency. The adversaries broke into a remote login system used in ICS, which allowed the actors to interact with the water tank. It overflowed for about 30 to 45 minutes before officials took the machine offline and switched to manual operations. According to reporting from CNN, a nearby town called Lockney detected “suspicious activity” on the town’s SCADA system. And in Hale Center, adversaries also tried to breach the town network’s firewall, which prompted them to disable remote access to its SCADA system. (CNN, Wired) 

**Meanwhile, Russia’s Sandworm APT is also accused of being the primary threat actor carrying out Russia’s goals in Ukraine.** New research indicates that the group is responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022. One attack involved Sandworm, aka APT44, disrupting a Ukrainian power facility during Russia’s winter offensive and a series of drone strikes targeting Ukraine’s energy grid. Recently, the group’s attacks have increasingly focused on espionage activity to gather information for Russia’s military to use to its advantage on the battlefield. The U.S. indicated several individuals for their roles with Sandworm in 2020, but the group has been active for more than 10 years. Researchers also unmasked a Telegram channel the group appears to be using, called “CyberArmyofRussia\_Reborn.” They typically use the channel to post evidence from their sabotage activities. (Dark Reading, Recorded Future) 

**Security experts and government officials are bracing for an uptick in offensive cyber attacks between Israel and Iran** after Iran launched a barrage of drones and missiles at Israel. Both countries have dealt with increased tensions recently, eventually leading to the attack Saturday night. Israel’s leaders have already been considering various responses to the attack, among which could be cyber attacks targeting Iran in addition to any new kinetic warfare. Israel and Iran have long had a tense relationship that included covert operations and destructive cyberattacks. Experts say both countries have the ability to launch wiper malware, ransomware and cyber attacks against each other, some of which could interrupt critical infrastructure or military operations. The increased tensions have also opened the door to many threat actors taking claims for various cyber attacks or intrusions that didn’t happen. (Axios, Foreign Policy) 

**Can’t get enough Talos? **

*   Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services 
*   Decade-old malware haunts Ukrainian police 
*   Attackers are pummeling networks around the world with millions of login attempts 
*   OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal 
*   Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials 
*   Talos Takes Ep. #179: Why we need to stop calling as-a-service group takedowns "takedowns" 

**Upcoming events where you can find Talos **

 **Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015.
Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform.
"The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'"

OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Industry leaders aim to solve the threat to both the mental health of workers and security of organizations with solutions that recognize the enormous pressures facing cybersecurity professionals.

Source: Roman Samborskyi via Alamy Stock Photo

It's no secret that burnout is an epidemic among cybersecurity professionals that threatens not only the mental health of workers in the field, but also the security of organizations. But how to solve the growing crisis is still something with which the industry is grappling.

Peter Coroneos, founder of Cybermindz, and Kayla Williams, CISO of Devo, have different perspectives on cybersecurity burnout given their distinct roles and perspectives as industry leaders, but together they have a shared vision to find solutions to help break the current cycle of burnout that faces the cybersecurity profession.

Coroneos is founder of Cybermindz, a not-for-profit that offers resilience training for cyber teams, among others; and Williams is chief information security officer (CISO) of Devo, a cloud-native security analytics company.

The two — whose companies already are partners in fighting burnout — will come together at the upcoming RSA Conference to host a session called "Burnout in Cyber: The Intersection of Neuroscience, Gender, and Wellbeing." Their session will present some reasons why cybersecurity burnout has become a vicious cycle, as well as how a combination of empathetic leadership and neuroscience-based training can help break it.

**Security Staff Burnout: A Wake-Up Call**

The "wake-up call" for Coroneos on how serious the burnout problem came when a survey of 200 cybersecurity professionals conducted by Wakefield Research on behalf of Devo released its results last September. The study found that a hefty 83% of those surveyed admit that stress has led them and peers to make errors that have caused data breaches.   

The COVID-19 pandemic-related workplace changes as well as the increased cyberattacks taking advantage of organizations' hasty and often insecure shift to accommodate a remote workforce really threw cybersecurity burnout into high gear, he said.

"COVID brought together a number of factors that have been brewing in the background for a number of years," Coroneos says in a recent interview.

Working remotely, cybersecurity professionals felt even less of a separation between their work and home lives and felt as if they quite literally always took their work home with them. And with cyberattackers exploiting the vulnerable security situation with which many companies were faced at the time, there was even more work for them to do, and thus more pressure than ever, he says.

It was a "perfect storm" of conditions to foster burnout, Coroneos says. "We started to see many more reports of the degradation in the mental health status of cybersecurity teams," he says. "They feel this relentless pressure with no end in sight."

**The Blame Game**

Some of that pressure comes with the often-unfair burden of blame that CISOs and chief security officers (CSOs) in particular shoulder when a data breach or attack goes horribly wrong for a company, says Williams, who in her position as CISO knows all too well.

A key source of stress these executives experience is that they often don't control their budgets and the overall security roadmap at their respective organizations, and thus don't typically get the sufficient funding to execute their vision for a company's security. However, they still will be held accountable if something goes wrong, Williams says.

She cited notable high-profile lawsuits brought against top security executives from Uber and SolarWinds in which they took the brunt of the blame for security incidents at their respective companies as scenarios that are scaring top professionals out of the industry.

"From what I'm seeing and hearing, turnover is incredibly high," Williams says. "Speaking to my peers, they don't want to be CSOs anymore."

Indeed, the Devo survey found that 85% of professionals surveys will leave their role in the next year, while 25% will leave the industry entirely.

The current situation that many security professionals find themselves in is a burnout cycle that keeps those who stay in the profession feeling stressed out and hopeless about their jobs, while creating unprecedented numbers of turnover in a position that already faces job shortages. This circular cycle creates even more burnout for those who stay in cybersecurity roles, Coroneos and Williams say.

**Breaking the Security Fatigue Cycle**

To break this cycle, the two professionals pose a combination of empathetic leadership strategies and a neuroscience-based solution to help retrain people's minds to deal with high levels of stress.

As a CISO herself, Williams says she knows how important it is to communicate effectively with people in various cybersecurity roles within the organization to ensure that their individual needs both professionally and emotionally are being met. This is especially true as a new generation of cyber professionals with different emotional needs is entering the workforce, she says.

"As a people leader, it is my responsibility to ensure that I am communicating to my teams in a way that resonates with them," Williams says. It's important for leaders to take time to understand the needs of individuals on a team and to check in with them as they would with family or friends to ensure they are not feeling overwhelmed by stress or the demands of their responsibilities, she says.

Meanwhile, Cybermindz is taking a page out of the playbook of international armed forces with a training solution called Integrative Restoration (iRest) that has been implemented by the US and Australian military since 2006 and 2016, respectively.

iRest — the result of more than 40 years of observation, research and development by clinical psychologist Richard Miller and his team at an institute of the same name California — is an attention-training technique to help the brain's limbic system return to a restful state after an intense period of high stress.

The problem for cybersecurity pros is that they often get stuck in a constant state of psychological fight-or-flight response pattern due to the constant stress cycle of their jobs, Coroneos explains. iRest is a training that helps them switch out of this cycle to bring them to a deeper state of relaxation to reset that fight-or-flight response. This will help the brain switch off, so it is not constantly creating stress not only in the workplace but throughout their everyday lives, thus creating burnout, he says.

"We need to get them into a position where they can come into a proper relationship into their subconscious," Coroneos says, adding that so far cybersecurity professionals who have experienced the training — which Cybermindz is currently piloting— report they are sleeping better and making clearer decisions after only a few sessions of the program.

Indeed, while burnout remains a serious problem, the message Coroneos and Williams ultimately want to convey is one of hope that there are solutions to solve the burnout problem currently facing cybersecurity professionals, and that the enormous pressures these dedicated professionals face is not being overlooked.

"We want to show them that their mental health need not be the price of their career," Coroneos says.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Break Security Burnout: Combining Leadership With Neuroscience

Moobot, Miori, AGoent, and a Gafgyt variant have joined the infamous Mirai botnet in attacking unpatched versions of vulnerable Wi-Fi routers.

Source: Stuart Miles via Alamy Stock Photo

A number of botnets are pummeling a nearly year-old command-injection vulnerability in TP-Link routers to compromise the devices for IoT-driven distributed denial of service (DDoS) attacks.

There already is a patch for the flaw, tracked as CVE-2023-1389, found in the Web management interface of the TP-Link Archer AX21 (AX1800) Wi-Fi router and affecting devices Version 1.1.4 Build 20230219 or prior.

However, threat actors are taking advantage of unpatched devices to dispatch various botnets — include Moobot, Miori, AGoent, a Gafgyt variant, and variants of the infamous Mirai botnet — that can compromise the devices for DDoS and further nefarious activity, according to a blog post from Fortiguard Labs Threat Research.

"Recently, we observed multiple attacks focusing on this year-old vulnerability," which already was previously exploited by the in Mirai botnet, according to the post by Fortiguard researchers Cara Lin and Vincent Li. Fortiguard's IPS telemetry has detected significant traffic peaks, which alerted the researchers to the malicious activity, they said.

**Exploiting the TP-Link Flaw**

The flaw creates a scenario in which there is no sanitization of the "Country" field of the router's management interface, "so an attacker can exploit it for malicious activities and gain foothold," according to TP-Link's security advisory for the flaw.

"This is an unauthenticated command-injection vulnerability in the 'locale' API available via the web management interface," Lin and Li explained.

To exploit it, users can query the specified form "country" and conduct a "write" operation, which is handled by the "set\_country" function, the researchers explained. That function calls the "merge\_config\_by\_country" function and concatenates the argument of the specified form "country" into a command string. This string is then executed by the "popen" function.

"Since the 'country' field won't be emptied, the attacker can achieve command injection," the researchers wrote.

**Botnets to the Siege**

TP-Link's advisory when the flaw was revealed last year included acknowledgement of exploitation by the Mirai botnet. But since then other botnets as well as various Mirai variants also have taken siege against vulnerable devices.

One is Agoent, a Golang-based agent bot that attacks by first fetching the script file "exec.sh" from an attacker-controlled website, which then retrieves the Executable and Linkable Format (ELF) files of different Linux-based architectures.

The bot then executes two primary behaviors: the first is to create the host username and password using random characters, and the second is to establish connection with command and control (C2) to pass on the credentials just created by the malware for device takeover, the researchers said.

A botnet that creates denial of service (DoS) in Linux architectures called the Gafgyt variant also is attacking the TP-Link flaw by downloading and executing a script file and then retrieving Linux architecture execution files with the prefix filename "rebirth." The botnet then gets the compromised target IP and architecture information, which it concatenates into a string that is part of its initial connection message, the researchers explained.

"After establishing a connection with its C2 server, the malware receives a continuous 'PING' command from the server to ensure persistence on the compromised target," the researchers wrote. It then waits for various C2 commands to create DoS attacks.

The botnet called Moobot also is attacking the flaw to conduct DDoS attacks on remote IPs via a command from the attacker's C2 server, the researchers said. While the botnet targets various IoT hardware architectures, Fortiguard researchers analyzed the botnet's execution file designed for the "x86\_64" architecture to determine its exploitation activity, they said.

A variant of Mirai also is conducting DDoS attacks in its exploitation of the flaw by sending a packet from the C&C server to direct the endpoint to initiate the attack, the researchers noted.

"The command specified is 0x01 for a Valve Source Engine (VSE) flood, with a duration of 60 seconds (0x3C), targeting a randomly selected victim's IP address and the port number 30129," they explained.

Miori, another Mirai variant, also has joined the fray to conduct brute-force attacks on compromised devices, the researchers noted. And they also observed attacks by Condi that remains consistent with a version of the botnet that was active last year.

The attack retains the function to prevent reboots by deleting binaries responsible for shutting down or rebooting the system, and scans active processes and cross-references with predefined strings to terminate processes with matching names, the researchers said.

**Patch & Protect to Avoid DDoS**

Botnet attacks that exploit device flaws to target IoT environments are "relentless," and thus users should be vigilant against DDoS botnets," the researchers noted. Indeed, IoT adversaries are advancing their attacks by pouncing on unpatched device flaws to further their sophisticated attack agendas.

Attacks against TP-Link devices can be mitigated by applying the available patch for affected devices, and this practice should be followed for any other IoT devices "to safeguard their network environments from infection, preventing them from becoming bots for malicious threat actors," the researchers wrote.

Fortiguard also included in its post various indicators of compromise (IoCs) for the different botnet attacks, including C2 servers, URLs, and files that can help server administrators identify an attack.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Various Botnets Pummel Year-Old TP-Link Flaw in IoT Attacks

The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.

*   During a threat-hunting exercise, Cisco Talos discovered documents with potentially confidential information originating from Ukraine. The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. 
*   The results of the investigation have shown that the presence of the malicious code is due to the activity of a rare multi-module virus that's delivered via the .NET interop functionality to infect Word documents. 
*   The virus, named OfflRouter, has been active in Ukraine since 2015 and remains active on some Ukrainian organizations’ networks, based on over 100 original infected documents uploaded to VirusTotal from Ukraine and the documents’ upload dates. 
*   We assess that OfflRouter is the work of an inventive but relatively inexperienced developer, based on the unusual choice of the infection mechanism, the apparent lack of testing and mistakes in the code. 
*   The author’s design choices may have limited the spread of the virus to very few organizations while allowing it to remain active and undetected for a long period of time. 

As a part of a regular threat hunting exercise, Cisco Talos monitors files uploaded to open-source repositories for potential lures that may target government and military organizations. Lures are created from legitimate documents by adding content that will trigger malicious behavior and are often used by threat actors. 

For example, malicious document lures with externally referenced templates written in Ukrainian language are used by the Gamaredon group as an initial infection vector. Talos has previously discovered military theme lures in Ukrainian and Polish, mimicking the official PowerPoint and Excel files, to launch the so-called “Picasso loader,” which installs remote access trojans (RATs) onto victims' systems. 

In July 2023, threat actors attempted to use lures related to the NATO summit in Vilnius to install the Romcom remote access trojan. These are just some of the reasons why hunting for document lures is vital to any threat intelligence operation.  

In February 2024, Talos discovered several documents with content that seems to originate from Ukrainian local government organizations and the Ukrainian National Police uploaded to VirusTotal. The documents contained VBA code to drop and run an executable with the name \`ctrlpanel.exe\`, which raised our suspicion and prompted us to investigate further.   

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. The virus is still active in Ukraine and is causing potentially confidential documents to be uploaded to publicly accessible document repositories.   

**Attribution **

Although the virus is active in Ukraine, there are no indications that it was created by an author from that region. Even the debugging database string used to name the virus “E:\\Projects\\OfflRouter2\\OfflRouter2\\obj\\Release\\ctrlpanel.pdb” present in the ctrlpanel.exe does not point to a non-English speaker. 

From the choice of the infection mechanism, VBA code generation, several mistakes in the code, and the apparent lack of testing, we estimate that the author is an inexperienced but inventive programmer.  

The choices made during the development limited the virus to a specific geographic location and allowed it to remain active for almost 10 years. 

**OfflRouter has been confined to Ukraine **

According to earlier research by the Slovakian government CSIRT (Computer Security Incident Response Team) team, some infected documents were already publicly available on the Ukrainian National Police website in 2018.  

The newly discovered infected documents are written in Ukrainian, which may have contributed to the fact that the virus is rarely seen outside Ukraine. Since the malware has no capabilities to spread by email, it can only be spread by sharing documents and removable media, such as USB memory sticks with infected documents. The inability to spread by email and the initial documents in Ukrainian are additional likely reasons the virus stayed confined to Ukraine.  

One of the documents was recently uploaded to VirusTotal from Ukraine. 

The virus targets only documents with the filename extension .doc, the default extension for the OLE2 documents, and it will not try to infect other filename extensions. The default Word document filename extension for the more recent Word versions is .docx, so few documents will be infected as a result.  

This is a possible mistake by the author, although there is a small probability that the malware was specifically created to target a few organizations in Ukraine that still use the .doc extension, even if the documents are internally structured as Office Open XML documents.  

Other issues prevented the virus from spreading more successfully and most of them are found in the executable module, ctrlpanel.exe, dropped and executed by the VBA part of the code.  

When the virus is run, it attempts to set the value Ctrlpanel of the registry key HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run so that it runs on the Windows boot. An internal global string \_RootDir is used as the value, however, the string only contains the folder where the ctrlpanel.exe is found and not its full path, which makes this auto-start measure fail.  

One interesting concept in the .NET module is the entire process of infecting documents. As a part of the infection process, the VBA code is generated by combining the code taken from the hard-coded strings in the module with the encoded bytes of the ctrlpanel.exe binary. This makes the generated code the same for every infection cycle and rather easy to detect. Having a VBA code generator in the .NET code has more potential to make the infected documents more difficult to detect.  

Once launched, the executable module stays active in memory and uses threading timers to execute two background worker objects, the first one tasked with the infection of documents and the second one with checking for the existence of the potential plugin modules for the .NET module.  

The infection background worker enumerates the mounted drives and attempts to find documents to infect by using the Directory.Getfiles function with the string search pattern “\*.doc” as a parameter.  

One of the parameters of the function is the SearchOption parameter which specifies the option to search in subdirectories or only the in the root folder. For fixed drives, the module chooses to search only the root folder, which is an unusual choice, as it is quite unlikely that the root folder will hold any documents to infect.  

For removable drives, the module also searches all subfolders, which likely makes it more successful. Finally, it checks the list of recent documents in Word and attempts to infect them, which contributes to the success of the virus spreading to other documents on fixed drives.  

__The choice of document filename extensions is limited to .doc.__

**OfflRouter VBA code drops and executes the main executable module **

The VBA part of the virus runs when a document is opened, provided macros are enabled, and it contains code to drop and run the executable module ctrlpanel.exe.

__The VBA part creates and executes the executable module of the virus.__

 The beginning of the macro code defines a function that checks if the file already exists and if it does not, it opens it for writing and calls functions CheckHashX, which at first glance looks like containing junk code to reset the value of the variable \`Y\`. However, the variable Y is defined as a private property with an overridden setter function, which converts the variable value assignment into appending the supplied value to the end of the opened executable module C:\\Users\\Public\\ctrlpanel.exe. Every code line that looks like an assignment appends the assigned value to the end of the file, and that is how the executable module is written.  

This technique is likely implemented to make the detection of the embedded module a bit more difficult, as the executable mode is not stored as a contiguous block, but as a sequence of integer values that look like being assigned to a variable.  

To a more experienced analyst, this code looks like garbage code generated by polymorphic engines, and it raises the question of why the author has not extended the code generation to pseudo-randomize the code.  

__Infected Word documents drop the .NET component that infects other documents__. 

The virus is unique, as it consists of VBA and executable modules with the infection logic contained in the PE executable .NET module.  

__The property Y has an overridden setter function to write into a file.__

**Ctrlpanel.exe .NET module **

The unique infection method used by ctrlpanel.exe is through the Office Interop classes of .NET VBProject interface Microsoft.Vbe.Interop and the Microsoft.Office.Interop.Word class that exposes the functionality of the Word application.  

The Interop.Word class is used to instantiate a Document class which allows access to the VBA macro code and the addition of the code to the target document file using the standard Word VBA functions.  

When the .NET module ctrlpanel.exe is launched, it attempts to open a mutex ctrlpanelapppppp to check if another module instance is already running on the system. If the mutex already exists, the process will terminate.  

Suppose no other module instances are running. In that case, ctrlpanel.exe creates the mutex named “ctrlpanelapppppp”, attempts to set the registry run key so the module runs on system startup, and finally initializes two timers to run associated background timer callbacks – VBAClass\_Timer\_Callback and PluginClass\_TimerCallback, implemented to start the Run function of the classes VBAClass and PluginClass, respectively. 

__Ctrlpanel.exe has two threads of execution.__

The VBAClass\_Timer\_Callback will be called one second after the creation of VBAClass\_Timer timer and the PluginClass\_Timer\_Callback three seconds after the creation of the PluginClass\_Timer.  

The full functionality of the executable module is implemented by two classes, VBAClass and PluginClass, specifically within their respective functions Backgroundworker\_DoWork. 

**_VBAClass is tasked with generating VBA code and infecting other Word documents_ **

 The background worker function runs in an infinite loop and contains two major parts, the first is tasked with the document infection and the second with finding the documents to infect, the logic we already described above.  

The infection iterates through a list of the document candidates to infect and uses an innovative method to check the document infection marker to avoid multiple infection processes – the function checks the document creation metadata, adds the creation times, and checks the value of the sum. If the sum is zero, the document is considered already infected.  

__The file system time of creation is used as an infection marker.__

If the document to be infected is created in the Word 97-2003 binary format (OLE2), the document will be saved with the same name in Microsoft Office Open XML format with enabled macros (DOCX).  

The infection uses the traditional VBA class infection routine. It accesses the Visual Basic code module of the first VBComponent and then adds the code generated by the function MyScript to the document’s code module. After that, the infected document is saved.  

__The target document is converted to .docx and then infected.__

The code generation function MyScript contains static strings and instructions to dynamically generate code that will be added to infected documents. It opens its own executable ctrlpanel.exe for reading and reads the file 32-bit by 32-bit value which gets converted to decimal strings that can be saved as VBA code. For every repeating 32-bit value, most commonly for zero, the function creates a for loop to write the repeating value to the dropped file. The purpose is unclear, but it is likely to achieve a small saving in the size of the code and compress it.  

__Repeating 32-bit values are “compressed.”__

For every 4,096 bytes, the code generates a new CheckHashX subroutine to break the code into chunks. The purpose of this is not clear.  

__The VBA code infecting files is dynamically created.__

 After the file is infected, the background worker adds the infection marker file by setting the values of hour, minute, second, and millisecond creation times to zero.

__The infection market is set after the infected file has been copied to its original location.__

**_PluginClass is tasked with discovering and loading plugins_ **

Ctrlpanel.exe can also search for potential plugins present on removable media, which is very unusual for simple viruses that infect documents. This may indicate that the author’s aims were a bit more ambitious than the simple VBA infection. 

Searching for the plugins in removable drives is unusual as it requires the plugins to be delivered to the system on a physical media, such as a USB drive or a CD-ROM. The plugin loader searches for any files with the filename extension .orp, decodes its name using Base64 decoding function, decodes the file content using Base64 decoding, copies the file into the c:\\users\\public\\tools folder with the previously decoded name and the extension .exe and finally executes the plugin. 

__Any plugins found on a removable drive are decoded, copied to drive C: and launched.__

If the plugins are already present on an infected machine, ctrlpanel.exe will try to encode them using Base64 encoding, copy them to the root of the attached removable media with the filename extension “.orp” and set the newly created file attributes to the values system and hidden so that they are not displayed by default by Windows File Explorer. 

**It is unclear if the initial vector is a document or the executable module ctrlpanel.exe **

The advantage of the two-module virus is that it can be spread as a standalone executable or as an infected document. It may even be advantageous to initially spread as an executable as the module can run standalone and set the registry keys to allow execution of the VBA code and changing of the default saved file formats to doc before infecting documents. That way, the infection may be a bit stealthier.  

The following registry keys are set: 
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\AccessVBOM (to allow access to Visual Basic Object Model by the external applications) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Security\\VBAWarnings (to disable warnings about potential Macro code in the infected documents) 
  
HKEY\_CURRENT\_USER\\Software\\Microsoft\\Office\\14.0\\Word\\Options\\DefaultFormat (to set the default format to DOC) 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.  

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.  

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are  

The following ClamAV signatures detect malware artifacts related to this threat: 

Doc.Malware.Valyria-6714124-0 

Win.Virus.OfflRouter-10025942-0 

**IOCs **

IOCs for this research can also be found at our GitHub repository here. 

10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8 - .NET module ctrlpanel.exe  

**Infected documents  **

2260989b5b723b0ccd1293e1ffcc7c0173c171963dfc03e9f6cd2649da8d0d2c 

2b0927de637d11d957610dd9a60d11d46eaa3f15770fb474067fb86d93a41912 

802342de0448d5c3b3aa6256e1650240ea53c77f8f762968c1abd8c967f9efd0 

016d90f337bd55dfcfbba8465a50e2261f0369cd448b4f020215f952a2a06bce 

**Mutex **

ctrlpanelapppppp

Tag

#cisco