Cisco is warning about a global surge in brute-force attacks targeting various devices, including Virtual Private Network (VPN) services, web application authentication interfaces, and SSH services, since at least March 18, 2024.
"These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies," Cisco Talos said.
Successful attacks could

Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services

The scam is spreading across the US and impersonates the specific toll-collection services of each state in malicious SMS messages.

Source: Mira via Alamy Stock Photo

The FBI is warning people about widespread SMS phishing (smishing) campaign spreading "state to state" that's luring people with messages informing them that they have unpaid tolls to resolve. The scam is aimed at stealing their credentials and defrauding them.

There also is evidence that that the campaign — which has been reported by people in three states so far, according to a public service announcement by the FBI Internet Crime Complaint Center (IC3)—affected other parts of the world before it reached US shores.

The campaign, active in the US since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from the road-toll collection service of their specific states, claiming they owe money for unpaid highway tolls.

"We've noticed an outstanding toll amount of $12.51 on your record," the text of one such message reads. "To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance."

**Old Social Engineering Trick Remains Effective**

While smishing scams are by no means new, they continue to be used by attackers because they still have the potential to fool users into giving up the valuable credentials that allow for cybercriminals to profit. The FBI's warning alone is a sign that the unpaid-toll campaign is likely to escalate, and is worrying enough to warrant vigilance from potential victims.

The texts "contain almost identical language" and use similar amounts for so-called outstanding tolls. What changes from state to state is that the malicious link provided within the text is created to impersonate the state's toll service name, "and phone numbers appear to change between states," according to the IC3.

The link takes users to what looks very much like the toll services' legitimate websites, asking them to enter information on the pretense of paying the toll. Instead the attackers collect the victim's payment credentials and other sensitive data that potentially could be shared with other cybercriminals and/or used in future social engineering attacks.

**Toll Scam Spreads Across US**

The FBI didn't specify which states are currently being affected by the wave of toll-related attacks, but a quick perusal of social-media platform X, formerly Twitter, found evidence that the scam has at least affected users in Pennsylvania.

The Pennsylvania Turnpike (@PA\_Turnpike), the toll road, and related services that spans the state, posted a warning on social platform X to let users know about the campaign, and encouraged them to report any scam messages to the IC3.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike’s toll services," according to the post. "If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text."

The scam may be related to a similar one that previously swept across Australia, as people in states in both the eastern and western parts of the country in 2022 and 2023, respectively, also reported on X that they received driving toll-related smishing messages.

Back in August 2022, X user Anthony Campisini posted about a toll scam associated with City Link, a toll freeway service in the southeastern Aussie city of Melbourne, that also tried to lure users in the region with a message about unpaid tolls. Less than a year later, another X user in the state of Western Australia (WA) observed in March 2023 that he had been receiving "a lot of scam" SMS messages informing him that he owes money on road tolls.

"How do I know they are scams?" the user, @EMacskasy, who goes by the X name of "Evan Stop the Killing," posted. "Over here in WA = we do not have tolls on our roads."

**Stay Vigilant**

EMacskasy's observation is a good example of how people being targeted by the scam can avoid being compromised by it — by taking a moment to rationalize if it's even possible that they owe money on tolls before having a knee-jerk reaction and immediately engaging with the message.

The IC3 is advising people to file a complaint with the IC3 on the agency's website if they receive one of the messages and include the following information: the phone number from where the text originated and the website listed within the text.

People also should check any toll-service account that they have by going separately and directly to the service's legitimate website, to ensure that their accounts are in order, and/or contact the legitimate service's customer service phone number to check the account and let them know of the scam. As previously mentioned, people also should delete the texts.

In case someone has already engaged with the link or given information, they should make an effort to secure their personal information and financial accounts, and dispute any unfamiliar charges that may show evidence of cybercriminal activity.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI: Smishing Campaign Lures Victims With Unpaid-Toll Notices

Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the ,identification of these attacks.
Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety

Tuesday, April 16, 2024 08:00

_Cisco Talos would like to acknowledge Brandon White of Cisco Talos and Phillip Schafer, Mike Moran, and Becca Lynch of the Duo Security Research team for their research that led to the_ ,_identification of these attacks._

Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024.  

These attacks all appear to be originating from TOR exit nodes and a range of other anonymizing tunnels and proxies.  

Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Known affected services are listed below. However, additional services may be impacted by these attacks. 

*   Cisco Secure Firewall VPN 
*   Checkpoint VPN  
*   Fortinet VPN  
*   SonicWall VPN  
*   RD Web Services 
*   Miktrotik 
*   Draytek 
*   Ubiquiti 

The brute-forcing attempts use generic usernames and valid usernames for specific organizations. The targeting of these attacks appears to be indiscriminate and not directed at a particular region or industry. The source IP addresses for this traffic are commonly associated with proxy services, which include, but are not limited to:  

*   TOR   
*   VPN Gate  
*   IPIDEA Proxy  
*   BigMama Proxy  
*   Space Proxies  
*   Nexus Proxy  
*   Proxy Rack 

The list provided above is non-exhaustive, as additional services may be utilized by threat actors.  

Due to the significant increase and high volume of traffic, we have added the known associated IP addresses to our blocklist. It is important to note that the source IP addresses for this traffic are likely to change.

**Guidance **

As these attacks target a variety of VPN services, mitigations will vary depending on the affected service. For Cisco remote access VPN services, guidance and recommendation can be found in a recent Cisco support blog:  

Best Practices Against Password Spray Attacks Impacting Remote Access VPN Services 

**IOCs **

We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

A third-party telephony service provider for Cisco Duo falls prey to social engineering, and the company advises customer vigilance against subsequent phishing attacks.

Source: olga Yastremska via Alamy Stock Photo

A third-party provider that handles telephony for Cisco's Duo multifactor authentication (MFA) service has been compromised by a social engineering cyberattack. Now Cisco Duo customers have been warned to be on alert for follow-on phishing schemes.

Customers were sent a notice explaining that the company handling SMS and VOIP multifactor authentication messaging traffic for Cisco Duo was breached on April 1. The threat actors reportedly used compromised employee credentials. Once inside the service provider's systems, the unauthorized user downloaded SMS logs for specific users within a certain timeframe, the company said.

Cisco Duo did not identify the compromised telephony provider in its advisory.

"More specifically, the threat actor downloaded message logs for SMS messages that were sent to certain users under your Duo account between March 1, 2024 and March 31, 2024," Cisco said in its customer advisory. "The message logs did not contain any message content but did contain the phone number, phone carrier, country, and state to which each message was sent, as well as other metadata (e.g., date and time of the message, type of message, etc.)."

Cisco advised impacted users to notify anyone whose information was exposed, and to remain vigilant against additional phishing attacks using the stolen data.

This breach follows two specific trends, according to Jeff Margolies, chief product and strategy officer at Saviynt — social engineering cyberattack success, and a focus on identity security providers.

“There have been a number of public attacks on identity security providers, such as Okta and Microsoft, over the past few years," Margolies says. "You can also go back as far as the RSA SecurID Token attack back in 2011 to see how far back these sorts of attacks go."

In addition to the critical need for identity security providers to do more to secure their systems, Margolies adds enterprise teams need to assess what a breach of these services could mean to their own cybersecurity posture.

"It is also important for companies to understand the reliance they have on third-party identity security companies, how an attack on those companies would impact them, and what mitigating controls are in place to detect and respond to events with their Identity security providers," he explains.

Cisco Duo's Multifactor Authentication Service Breached

A sophisticated threat actor is leveraging the bug to deploy a Python backdoor for stealing data and executing other malicious actions.

Source: Tada Images via Shutterstock

Palo Alto Networks (PAN) on April 14 released hotfixes to address a maximum severity zero-day bug in multiple versions of its PAN-OS software that a threat actor is using to deploy a novel Python backdoor on affected firewalls.

The flaw — tracked as CVE-2024-3400 — is present in PAN-OS 10.2, 11.0, and 11.1 firewalls when the GlobalProtect Gateway and device telemetry features are both enabled. PAN disclosed the flaw April 12 after researchers at Volexity found the bug when investigating suspicious activity on a customer's firewall.  

**Limited Attack**

PAN described the attacks targeting the flaw as limited in volume and attributed the attack activity to a single threat cluster that the company is tracking as "Operation Midnight Eclipse." However, the vendor did not rule out the potential for other attackers to exploit the flaw as well.   

When PAN disclosed the flaw last week, it recommended temporary measures that customers could take to mitigate the threat — including disabling device telemetry. On April 14, the company made available hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. The security vendor urged customers to apply the updates and promised similar hotfixes for other maintenance releases of the software.

Reports of attackers targeting the flaw before a patch was available prompted the US Cybersecurity and Infrastructure Agency (CISA) last week to quickly add CVE-2024-3400 to its catalog of known exploited vulnerabilities. All civilian federal agencies have until April 19 to address the flaw. CISA has previously warned organizations on multiple occasions about high threat-actor interest in VPNs and other remote access technologies from vendors such as Pulse Secure, Cisco, and PAN because of the privileged access these devices provide to enterprise networks and data.

**Max Severity Command Injection Flaw**

In a blog post last week, Volexity described the flaw it discovered as a command injection vulnerability in PAN-OS GlobalProtect that gave unauthenticated remote attackers a way to execute arbitrary code on affected systems. The security vendor said it had observed an attacker — which it's tracking as UTA0218 — leveraging the flaw to create a reverse shell and download additional malware on compromised systems.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," Volexity said.

One of the additional tools that the threat actor deployed on compromised systems was a novel Python backdoor that Volexity has named Upstyle. The security vendor said it found the threat actor using the Upstyle backdoor to execute a variety of additional commands including those for lateral movement within a target network and to steal credentials and other sensitive data from it.

"The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives," Volexity warned. Volexity said it was not able to determine the exact scale of the exploit activity but surmised it was likely limited and targeted. The company said it had found evidence of UTA0218 attempting to exploit the vulnerability at multiple organizations on March 26 and March 27.

PAN said its analysis showed the threat actor using the backdoor to run a handful of commands on vulnerable firewalls. The commands included one for copying configuration files and exfiltrating them via HTTP requests and another that set up the firewall to receive even more commands, this time from a different URL. "Lastly, the threat actor cleaned up after themselves by removing all files associated with the backdoors and clearing their cronjobs," PAN said.

**Complete Control**

Karl Sigler, senior security research manager at Trustwave's SpiderLabs, says exploiting CVE-2024-3400 would give an attacker complete control over the PAN device. "This could allow the attacker a foothold to pivot further into the organization," he says. "It could also allow the attacker to disable protections provided by the device, including disabling access control lists and VPN connections."

Sigler says the vulnerability exploit in this case works by getting an affected device to log OS commands in an error log. These commands are then processed and executed with root-level permissions, he says. "Disabling device telemetry disables the log file, short-circuiting the attack," Sigler notes. "The main risk in doing so is that network admins often rely on this telemetry to troubleshoot problems with the device. Additionally, monitoring for abnormal network behavior may be evidence of an ongoing attack. Disabling telemetry may hinder those efforts."

Palo Alto itself has recommended that organizations that are unable to immediately update their software for any reason should disable device telemetry till they are able to update. According to the company, "Once upgraded, device telemetry should be re-enabled on the device."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Palo Alto Network Issues Hotfixes for Zero-Day Bug in Its Firewall OS

By Deeba Ahmed
Firewall on fire!
This is a post from HackRead.com Read the original post: Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

Palo Alto Networks issues critical patches for a zero-day vulnerability (CVE-2024-3400) in their PAN-OS firewalls. Exploited by attackers to deploy Python backdoors, this flaw grants root access. Update immediately!

In a race against time, Palo Alto Networks has released patches for a critical 0-day (or zero-day) vulnerability (CVE-2024-3400) that threatened to leave firewalls exposed to cyberattacks.

According to Palo Alto Networks’ security advisory, the vulnerability was found in its PAN-OS operating system’s GlobalProtect functionality, related to the way it handled device telemetry data. 

An attacker could exploit this flaw by crafting a malicious payload disguised as telemetry data.  Once processed by the firewall, the payload could execute arbitrary code with root privileges, essentially giving the attacker complete control over the device. 

****Which Devices Are Vulnerable?****

Appliances with GlobalProtect and device telemetry enabled are declared vulnerable. The Shodan search engine for exposed Internet of Things (IoT) devices reveals approximately 41,336 potentially impacted internet-exposed appliances of Palo Alto Networks.

SecurityWeek reports that several organizations have already fallen victim to targeting, with certain attackers endeavouring to deploy Upstyle, a fresh Python backdoor.

****Possible Dangers****

Like any other security vulnerability, this one also lets hackers exploit and establish backdoors, launch lateral attacks, steal sensitive data, and disrupt network operations. Threat actors can also create persistent access points, use the compromised firewall as a springboard, and gain access to confidential information.

Additionally, it may allow hackers to take full control of the firewall’s functionality, potentially leading to network outages or traffic manipulation.

****Detection and Patching:****

The good news is that the vulnerability was identified and patched relatively quickly. Security firm Volexity first detected the exploit in use in late March 2024, observing a threat actor UTA0218 remotely exploiting a firewall device.

The researchers also observed how the threat actor created a reverse shell, downloading additional tools, and exporting configuration data to use it as an entry point for lateral movement. Volexity swiftly alerted Palo Alto Networks, which issued security alerts and hotfixes to address the vulnerability for PAN-OS versions 10.2, 11.0, and 11.1.

Palo Alto Networks suggests that if customers can’t implement the Threat Prevention-based mitigation immediately, you can still reduce the impact of the vulnerability by temporarily turning off device telemetry until the device is updated to a PAN-OS version that addresses the issue.

> _“If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. If the firewalls are managed by Panorama, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).”_
> 
> Palo Alto Networks

****Who Was Behind the Attacks?****

As per Volexity’s blog post, the zero-day exploit was highly sophisticated and targeted specific configurations, suggesting a well-resourced state-sponsored attacker with a clear target in mind could be involved.

Initial attribution attempts point towards Lazarus Group, a notorious hacking group believed to be affiliated with North Korea and BianLian, which targets critical infrastructure organizations. Nevertheless, Palo Alto Networks has urged all users to update their PAN-OS software immediately.

1.  Hackers dump login data of Fortinet VPN users in plain-text
2.  Private details of Palo Alto Networks employees leaked online
3.  Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws

Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

Source: Stockphoto Graph via Shutterstock

A Russian threat actor is peppering game developers with fraudulent Web3 gaming projects that drop multiple variants of infostealers on both MacOS and Windows devices.

The ultimate goal of the campaign appears to be defrauding victims and stealing their cryptocurrency wallets, according to Recorded Future's Insikt Group, which discovered the malicious activity.

The extensive Russian-language campaign mimics legitimate projects by using slight alterations in project names and branding — even going so far as to have multiple fake social-media accounts impersonating the projects to make them seem authentic, according to a report published online.

In the attack, the main webpage of a project offers or links to installation files for the purported "game" software, ostensibly for use by developers. However, these files instead deliver either Atomic macOS Stealer for Intel- or ARM-based devices; Rhadamanthys; or RisePro, depending on the victim's operating system.

"The targeted nature of this campaign suggests that threat actors may perceive Web3 gamers as having a more acute vulnerability to social engineering, due to an assumed trade-off in cyber hygiene — meaning that Web3 gamers may have fewer protections in place against cybercrime — in the pursuit of profit," according to the report.

That profit comes in the form of cryptocurrency, as the actor is primarily targeting developers' crypto wallets with the intent of compromising those wallets. Web3 gaming refers to online games such as Axie Infinity and MixMob that are built on blockchain technology, which can result in financial gain for players who earn various cryptocurrencies.

"As wallet compromise continues to be the biggest threat in both Web3 and cryptocurrency security … we assess that wallet compromise is likely the end goal of this campaign," according to Insikt Group. Attackers also can use credentials harvested from the malicious activity "for an array of unauthorized account accesses," according to the report.

Indeed, the report outlines several social media reports of game developers falling victim to the scam and having their crypto wallets drained, including one who lost about 2.5 Ethereum, or about $8,000.

**Setting a Trap Through Impersonation**

The attack campaign comes in the form of what's called "trap phishing," whereby malicious actors duplicate and deploy Web3 project lookalikes.

Insikt researchers began investigating the malicious activity after Web3 smart contract auditor CertiK described a project in January called Astration that used fake job openings and non-fungible token NFT offerings to lure game developers into a trap-phishing campaign that spread infostealers.

The fraudulent project duplicated and recreated nearly all of the social media accounts associated with a legit project called Alteration, including reposting social-media content from legitimate accounts, establishing a direct copy of the project's Discord server, and delivering two types of malware.

Upon further research, Insikt found five additional fraudulent gaming projects, three of which were serving malicious files communicating with the same command-and-control (C2) server as those obtained from the Astration project, as well as two that were no longer active but were found to be similar to the active scams. Purported game names associated with the active projects were ArgonGame, DustFighter, and CosmicWay Reboot, while games associated with the inactive projects were Crypterium World and Myth Island.

Overall, the threat actors are delivering the campaign via "a resilient infrastructure, allowing them to quickly adapt by rebranding or shifting focus upon detection," according to Insikt.

**Maintain Vigilance to Mitigate Risk**

Insikt highlighted the necessity for both individuals and organizations to maintain continuous vigilance against threats and adopt mitigation strategies against campaigns that use phishing as an initial entry point. To that end, the group offered a number of mitigations in its report as well as included a list of indicators of compromise.

One is to provide comprehensive training to users — especially those involved in Web3 gaming or related industries — to recognize social engineering tactics associated with trap phishing. Game developers in particular should "scrutinize the legitimacy of Web3 projects advertised on social media," according to the report.

Organizations also should educate users on the well-known risks associated with downloading software from unverified sources and the importance of verifying the authenticity of project websites before installation.

Endpoint protection solutions updated with the latest threat intelligence — such as antivirus software that are capable of detecting and blocking known infostealer variants like Atomic, Stealc, Rhadamanthys, and RisePro — also can help organizations avoid compromise.

Organizations should also deploy multi-platform security measures to protect against malware infections across both macOS and Windows devices, including firewalls, intrusion detection systems, and endpoint detection and response (EDR) solutions, according to Insikt.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Web3 Game Developers Targeted in Crypto Theft Scheme

Our collection of the most relevant reporting and industry perspectives for those guiding cybersecurity strategies and focused on SecOps. Also included: facing hard truths in software security, and the latest guidance from the NSA.

Source: Chroma Craft Media Group via Alamy Stock Photo

Welcome to CISO Corner, Dark Reading's weekly digest of articles tailored specifically to security operations readers and security leaders. Every week, we offer articles gleaned from across our news operation, The Edge, DR Technology, DR Global, and our Commentary section. We're committed to bringing you a diverse set of perspectives to support the job of operationalizing cybersecurity strategies, for leaders at organizations of all shapes and sizes.

**In this issue of CISO Corner**

*   The Race for AI-Powered Security Platforms Heats Up
    
*   Why MLBOMs Are Useful for Securing the AI/ML Supply Chain
    
*   The Fight for Cybersecurity Awareness
    
*   Ambitious Training Initiative Taps Talents of Blind and Visually Impaired
    
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data
    
*   XZ Utils Scare Exposes Hard Truths About Software Security
    
*   NSA Updates Zero-Trust Advice to Reduce Attack Surfaces
    

**The Race for AI-Powered Security Platforms Heats Up**

By Robert Lemos, Contributing Writer, Dark Reading

Microsoft, Google, and Simbian each offers generative AI systems that allow security operations teams to use natural language to automate cybersecurity tasks.

Both Google and Microsoft have committed massive resources to developing generative artificial intelligence (AI) tools for cybersecurity. Security Copilot from Microsoft can find breaches, gather, and analyze data with help from generative AI. Google's Gemini in Security is a similar rival service.

Now a startup has entered the fray, Simbian, with its own system that leverages generative AI as well as large language models (LLMs) to help security teams by automating configuring event management systems (SIEM) or security orchestration, automation, and response (SOAR).

While each offering has its own set of benefits, they all strive to streamline processes for strained cybersecurity teams. The question that has yet to be answered is whether teams will ultimately trust the automated systems to operate as intended.

Read more: The Race for AI-Powered Security Platforms Heats Up

Related: How AI and Automation Can Help Bridge the Cybersecurity Talent Gap

**Why MLBOMs Are Useful for Securing the AI/ML Supply Chain**

Commentary By Diana Kelley, CISO, Protect AI

A machine learning bill of materials (MLBOM) framework can bring transparency, auditability, control, and forensic insight into AI and ML supply chains.

The software bill of materials (SBOM) has become an essential tool for identifying the code that makes up an application, but in the age of artificial intelligence (AI) the SBOM has some limitations in machine learning frameworks.

A machine learning software bill of materials, or MLBOM, could fill the gaps left in a traditional SBOM and add protections to data and assets.

Read More: Why MLBOMs Are Useful for Securing the AI/ML Supply Chain

Related: Where SBOMs Stand Today

**  
The Fight for Cybersecurity Awareness**

Commentary By Erik Gross, CISO, QAD

Investing in cybersecurity skills creates a safer digital world for everyone.

Spreading awareness of risk is the best way to mitigate cybersecurity risk, but the task of constantly training and re-training people on the latest threats can be daunting. The age of artificial intelligence is making it even more difficult.

Building a culture of security is paramount, and it can be achieved with thoughtful cybersecurity training with a focus on a personal approach, storytelling, and helping people feel comfortable talking openly about cybersecurity. Humans are unpredictable, and a cybersecurity training process that accepts that humans are complex creatures have had the most success.

Read More: The Fight for Cybersecurity Awareness

Related: Q&A: The Cybersecurity Training Gap in Industrial Networks

**Ambitious Training Initiative Taps Talents of Blind and Visually Impaired**

By Jennifer Lawinski, Contributing Writer, Dark Reading

Novacoast's Apex Program prepares individuals with visual impairments for cybersecurity careers.

Blind and visually impaired (BVI) people are an untapped talent resource for cybersecurity companies struggling to attract talent. With just a computer outfitted with a screen reader and Braille keyboard, BVI people can become valuable contributors. Two cyber CEOs have launched Apex Program, an online, on-demand course for BVI people who want to break into cybersecurity.

So far, four students have completed the course and one has already landed a job as a SOC 1 Analyst. Now the White House is getting involved, and there's even a short film in the works featuring the Apex Program.

Read More: Ambitious Training Initiative Taps Talents of Blind and Visually Impaired

Related: 3 Ways Businesses Can Overcome the Cybersecurity Skills Shortage

**Vietnamese Cybercrime Group CoralRaider Nets Financial Data**

By Robert Lemos, Contributing Writer, Dark Reading

With a complex attack chain and using Telegram for its command and control, CoralRaider targets victims in Asian countries — and appears to have accidentally infected itself as well.

A newcomer on the Vietnamese cybercrime scene, a group called CoralRaider is making moves — and rookie mistakes like infecting their own systems — along the way.

Security researchers at Cisco Talos have been tracking CoralRaider's activities and found they are motivated by profit, even though the group is having trouble getting their operation off the ground. So far, Cisco Talos analysts haven't seen any indication CoralRaider has yet successfully delivered a payload, but the group is actively working to improve their cybercrime skills.

Read More: Vietnamese Cybercrime Group CoralRaider Nets Financial Data

Related: Ransomware, Junk Bank Accounts: Cyber Threats Proliferate in Vietnam

**  
XZ Utils Scare Exposes Hard Truths About Software Security**

By Jai Vijayan, Contributing Writer, Dark Reading

Much of the open source code embedded in enterprise software stacks comes from small, under-resourced, volunteer-run projects.

The backdoor recently discovered in the XZ Utils tool should be a wake-up call for cyber teams that open source repositories are riddled with vulnerabilities.

These projects are volunteer-run, under-resourced, and unable to keep up with the latest threats. XZ Utils is itself a one-person operation. Enterprises using code from these open sources do so at their own risk.

Organizations are advised to vet their use of code from public repositories and determine whether they have appropriate security controls. Experts also recommend having engineering and cybersecurity teams define processes and roles for onboarding open source code.

Read More: XZ Utils Scare Exposes Hard Truths About Software Security

**NSA Updates Zero-Trust Advice to Reduce Attack Surfaces**

By Dark Reading Staff

Agency encourages broader use of encryption, data-loss prevention, as well as data rights management to safeguard data, networks, and users.

In its ongoing effort to provide both the public, as well as the private, sectors with support in getting on a path to zero trust, the National Security Administration has issued guidance related to data protection, or as NSA categorizes it, the "data pillar." Recommendations from the agency include the use of encryption, tagging, labeling, and more.

Prior to this data security guidance, NSA provided a detailed guide to network macro- and micro-segmentation and its role in building up a zero-trust framework.

Read More: NSA Updates Zero-Trust Advice to Reduce Attack Surfaces

Related: NSA's Zero-Trust Guidelines Focus on Segmentation

CISO Corner: Securing the AI Supply Chain; AI-Powered Security Platforms; Fighting for Cyber Awareness

Attackers have compromised an 8-year-old version of the cloud platform to distribute various malware that can take over infected systems.

Source: Age Foto Stock via Alamy Stock Photo

Attackers are using an 8-year-old version of the Redis open-source database server to maliciously use Metasploit's Meterpreter module to expose exploits within a system, potentially allowing for takeover and distribution of a host of other malware.

Researchers from AhnLab Security Intelligence Center (ASEC) said in a blog post that attackers likely are exploiting inappropriate settings or a vulnerability present in an implementation of Redis to distribute Meterpreter for nefarious use.

"Such malware strains attack Redis servers open to the public on the Internet with the authentication feature disabled," ASEC researcher Sanseo wrote in the post. "After gaining access to Redis, threat actors can install malware through known attack methods."

Meterpreter is an aspect of the legitimate Metasploit pen-testing tool that allows threat actors to fetch various Metasploit modules, or working exploits for known bugs, and then use them on the targeted system, according to ASEC. Metasploit is a tool similar to Cobalt Strike that also is oft-abused by threat actors to execute attacks.

"When Metasploit is installed, the threat actor can take control of the infected system and also dominate the internal network of an organization using the various features offered by the malware," Senseo explained.

**How It's Done**

Redis is an open source, in-memory data structure storage service that is increasingly being used in various ways in cloud environments; its primary purpose is typically for session management, message broker, and queues, according to ASEC. This increased prevalence also is making it a more popular target for attackers, who have abused vulnerable Redis servers to spread a host of malware, including Kinsing, P2PInfect, Skidmap, Migo, and HeadCrab.

By using Metasploit Meterpreter, there are two main attacks methods that actors can employ to spread malware once they've gained access to Redis. One is to register the malware-executing command as a Cron task, and the other is using the SLAVEOF command to set the command as the Slave server of the Redis server that has the malware.

ASEC witnessed an attack targeting a system that used Windows, along with version Redis 3.x, which was developed in 2016. The age of the abused platform means "it was likely vulnerable to attacks that abuse misconfiguration or attacks on known vulnerabilities," Senseo noted.

In the attack, the threat actor first downloaded PrintSpoofer, a privilege escalation tool, in the installation path for Redis. Attackers often use this tool against vulnerable services that are not managed properly or have not been patched to the recent version; in fact, ASEC has witnessed a flurry of these attacks against Redis since the second half of last year.

"The difference between the cases from the past and the cases now is that PrintSpoofer is installed using the CertUtil tool instead of PowerShell," Senseo explained.

**Meterpreter As Malicious Backdoor**

After installing PrintSpoofer, the threat actor installed Meterpreter Stager — one of two types of the module, the difference between which depends on the way it is installed. Meterpreter is to the Metasploit tool as Beacon is to Cobalt Strike.

When an attacker uses Stager, it means the installation is via the staged version, which downloads Meterpreter directly from the attacker's command-and-control (C2) server. This decreases its footprint version downloading it in a "stageless" way within a payload, according to ASEC.

Once this process is complete, Meterpreter is executed in the memory, which allows the threat actor to take control over the infected system and "also dominate the internal network of an organization using the various features offered by the malware," Senseo wrote.

**Update Now**

ASEC included a list of files, behaviors, and indicators of compromise of the attack in its post to help network administrators identify evidence of the threat on a system.

To avoid being compromised by the attack vector, ASEC advised that administrators of environments with Redis 3.x installed should, at the very least, update the server immediately with available patches to ensure that known vulnerabilities can't be exploited. The best-case scenario, however, would be to update V3 to the latest version of the server.

Administrators should also install security-protection software that restricts external access to Redis servers open to the Internet so they can't be identified and abused, ASEC advised.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Expired Redis Service Abused to Use Metasploit Meterpreter Maliciously

The security community is still reflecting on the “What If” of the XZ backdoor.

Thursday, April 11, 2024 14:00

I feel like over the past several years, the “holiday” that is April Fool’s Day has really died down. At this point, there are few headlines you can write that would be more ridiculous than something you’d find on a news site any day of the week. 

And there are so many more serious issues that are developing, too, that making a joke about a fake news story is just in bad taste, even if it’s in “celebration” of a “holiday.” 

Thankfully in the security world, I think we’ve all gotten the hint at this point that we can’t just post whatever we want on April 1 of each calendar year and expect people to get the joke. I’ve put my guard down so much at this point that I actually did legitimately fall for one April Fool’s joke from Nintendo, because I could definitely see a world in which they release a Virtual Boy box for the Switch that would allow you to play virtual reality games. 

But at least from what I saw on April 1 of this year, no one tried to “get” anyone with an April Fool’s joke about a ransomware actor requesting payment in the form of “Fortnite” in-game currency, or an internet-connected household object that in no universe needs to be connected to the internet (which, as it turns out, smart pillows exist!).  

We’re already dealing with digitally manipulated photos of “Satanic McDonalds,” Twitter’s AI generating fake news about the solar eclipse, and an upcoming presidential election that is sure to generate a slew of misinformation, AI-generated photos and more that I hesitate to even make up. 

So, all that is to say, good on you, security community, for just letting go of April Fool’s. Our lives are too stressful without bogus headlines that we, ourselves, generate.  

**The one big thing **

Talos discovered a new threat actor we’re calling “CoralRaider” that we believe is of Vietnamese origin and financially motivated. CoralRaider has been operating since at least 2023, targeting victims in several Asian and Southeast Asian countries. This group focuses on stealing victims’ credentials, financial data, and social media accounts, including business and advertisement accounts. CoralRaider appears to use RotBot, a customized variant of QuasarRAT, and XClient stealer as payloads. The actor uses the dead drop technique, abusing a legitimate service to host the C2 configuration file and uncommon living-off-the-land binaries (LoLBins), including Windows Forfiles.exe and FoDHelper.exe 

**Why do I care? **

This is a brand new actor that we believe is acting out of Vietnam, traditionally not a country who is associated with high-profile state-sponsored actors. CoralRaider appears to be after targets’ social media logins, which can later be leveraged to spread scams, misinformation, or all sorts of malicious messages using the victimized account. 

**So now what? **

CoralRaider primarily uses malicious LNK files to spread their malware, though we currently don’t know how those files are spread, exactly. Threat actors have started shifting toward using LNK files as an initial infection vector after Microsoft disabled macros by default — macros used to be a primary delivery system. For more on how the info in malicious LNK files can allow defenders to learn more about infection chains, read our previous research here. 

**Top security headlines of the week **

**The security community is still reflecting on the “What If” of the XZ backdoor** that was discovered and patched before threat actors could exploit it. A single Microsoft developer, who works on a different open-source project, found the backdoor in xz Utils for Linux distributions several weeks ago seemingly on accident, and is now being hailed as a hero by security researchers and professionals. Little is known about the user who had been building the backdoor in the open-source utility for at least two years. Had it been exploited, the vulnerability would have allowed its creator to hijack a user’s SSH connection and secretly run their own code on that user’s machine. The incident is highlighting networking’s reliance on open-source projects, which are often provided little resource and usually only maintained as a hobby, for free, by individuals who have no connection to the end users. The original creator of xz Utils worked alone for many years, before they had to open the project because of outside stressors and other work. Government officials have also been alarmed by the near-miss, and are now considering new ways to protect open-source software. (New York Times, Reuters) 

**AT&T now says that more than 51 million users were affected by a data breach** that exposed their personal information on a hacking forum. The cable, internet and cell service provider has still not said how the information was stolen. The incident dates back to 2021, when threat actor ShinyHunters initially offered the data for sale for $1 million. However, that data leaked last month on a hacking forum belonging to an actor known as “MajorNelson.” AT&T’s notification to affected customers stated that, "The \[exposed\] information varied by individual and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and AT&T passcode." The company has also started filing required formal notifications with U.S. state authorities and regulators. While AT&T initially denied that the data belonged to them, reporters and researchers soon found that the information were related to AT&T and DirecTV (a subsidiary of AT&T) accounts. (BleepingComputer, TechCrunch) 

**Another ransomware group claims they’ve stolen data from United HealthCare, though there is little evidence yet to prove their claim.** Change Health, a subsidiary of United, was recently hit with a massive data breach, pausing millions of dollars of payments to doctors and healthcare facilities to be paused for more than a month. Now, the ransomware gang RansomHub claims it has 4TB of data, requesting an extortion payment from United, or it says it will start selling the data to the highest bidder 12 days from Monday. RansomHub claims the stolen information contains the sensitive data of U.S. military personnel and patients, as well as medical records and financial information. Blackcat initially stated they had stolen the data, but the group quickly deleted the post from their leak site. A person representing RansomHub told Reuters that a disgruntled affiliate of Blackcat gave the data to RansomHub after a previous planned payment fell through. (DarkReading, Reuters) 

**Can’t get enough Talos? **

*   Talos Takes Ep. #178: Turla has been around for 20-plus years at this point, but they're still mixing things up 
*   Vulnerability in some TP-Link routers could lead to factory reset 
*   April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution 
*   Vietnamese Cybercrime Group CoralRaider Nets Financial Data 
*   Safeguarding Against CoralRaider: Protecting Your Data from Vietnamese Hackers 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** c67b03c0a91eaefffd2f2c79b5c26a2648b8d3c19a22cadf35453455ff08ead0  
**MD5:** 8c69830a50fb85d8a794fa46643493b2  
**Typical Filename:** AAct.exe  
**Claimed Product:** N/A  
**Detection Name:** PUA.Win.Dropper.Generic::1201

**SHA 256:** abaa1b89dca9655410f61d64de25990972db95d28738fc93bb7a8a69b347a6a6  
**MD5:** 22ae85259273bc4ea419584293eda886  
**Typical Filename:** KMSAuto++ x64.exe  
**Claimed Product:** KMSAuto++  
**Detection Name:** W32.File.MalParent

**SHA 256:** 161937ed1502c491748d055287898dd37af96405aeff48c2500b834f6739e72d  
**MD5:** fd743b55d530e0468805de0e83758fe9  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Kmsauto::1201

**SHA 256:** b8aec57f7e9c193fcd9796cf22997605624b8b5f9bf5f0c6190e1090d426ee31  
**MD5:** 2fb86be791b4bb4389e55df0fec04eb7  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** W32.File.MalParent

**SHA 256:** 58d6fec4ba24c32d38c9a0c7c39df3cb0e91f500b323e841121d703c7b718681  
**MD5:** f1fe671bcefd4630e5ed8b87c9283534  
**Typical Filename:** KMSAuto Net.exe  
**Claimed Product:** KMSAuto Net  
**Detection Name:** PUA.Win.Tool.Hackkms::1201

Tag

#cisco