Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.

Thursday, April 25, 2024 08:00

Business email compromise (BEC) was the top threat observed by Cisco Talos Incident Response (Talos IR) in the first quarter of 2024, accounting for nearly half of engagements, which is more than double what was observed in the previous quarter.  

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, which accounted for 29 percent of engagements. The high number of BEC attacks likely played a significant role in valid accounts being the top attack vector this quarter. Weaknesses involving multi-factor authentication (MFA) were observed within nearly half of engagements this quarter, with the top observed weakness being users accepting unauthorized push notifications, occurring within 25 percent of engagements.  

There was a slight decrease in ransomware this quarter, accounting for 17 percent of engagements. Talos IR responded to new variants of Phobos and Akira ransomware for the first time this quarter. 

Manufacturing was the most targeted vertical this quarter, closely followed by education, a continuation from Q4 2024 where manufacturing and education were also two of the most targeted verticals. There was a 20 percent increase in manufacturing engagements from the previous quarter. 

The manufacturing sector faces unique challenges due to its inherently low tolerance for operational downtime. This quarter, Talos IR observed a wide range of threat activity targeting manufacturing organizations including financially motivated attacks, such as BEC and ransomware, and some brute force activity targeting virtual private network (VPN) infrastructure. The use of compromised credentials on valid accounts was the top observed attack vector within attacks targeting the manufacturing sector this quarter, which represents a change from the previous quarter when the top attack vector observed in these types of engagements was exploiting vulnerabilities in public-facing applications.   

**Watch discussion on the report's biggest trends**

**Surge in BEC **

Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. BEC attacks can have many motivations, often financially driven, aimed at tricking organizations into transferring funds or sensitive information to malicious actors.  

BEC offers adversaries the advantage of impersonating trusted contacts to facilitate internal spearphishing attacks that can bypass traditional external defenses and increase the likelihood of deception, widespread malware infections and data theft. 

In one engagement, adversaries performed a password-spraying attack and MFA exhaustion attacks against several employee accounts. There was a lack of proper MFA implementation across all the impacted accounts, leading to the adversaries gaining access to at least two accounts using single-factor authentication. The organization detected and disrupted the attack before adversaries could further their access or perform additional post-compromise activities.    

In another cluster of activity, several employees received spear-phishing emails that contained links that, when clicked, led to a redirection chain of web pages ultimately landing on a legitimate single sign-on (SSO) prompt that was pre-populated with each victim’s email address. The attack was unsuccessful because none of the employees interacted with the email, which was likely due to multiple red flags. For example, the email was unexpected and sent from an external email address, and there was small text within the email that referred to the email as a fax, which was all indicators of a phishing attempt. 

**Ransomware trends **

Ransomware accounted for 17 percent of engagements this quarter, an 11 percent decrease from the previous quarter. Talos IR observed new variants of Akira and Phobos ransomware for the first time this quarter. 

**Akira **

Talos IR responded to an Akira ransomware attack for the first time this quarter in an engagement where affiliates deployed the latest ESXi version, “Akira\_v2,” as well as a Windows-based variant of Akira named “Megazord.” These new Akira variants are written in the Rust programming language, which is a notable change from the previously used C++ and Crypto++ programming languages.  

Talos IR could not determine how initial access was gained, which is common because ransomware attacks often involve multi-stage attack strategies that add additional complexity during the investigation process. Once inside the network, the adversaries began collecting credentials from the memory of the Local Security Authority Subsystem Service (LSASS) and the New Technology Directory Services Directory Information Tree (NTDS.dit) database, where Active Directory data is stored, and leveraged Remote Desktop Protocol (RDP) for lateral movement. Prior to encryption, Megazord ransomware began executing several commands to disable tools and impair defenses, including “net stop” and “taskkill.” Akira\_v2 appended the file extension “.akiranew” during encryption, while Megazord ransomware appended the file extension “.powerranges”.   

First discovered in early 2023, Akira operates as a ransomware-as-a-service (RaaS) model and employs a double extortion scheme that involves exfiltrating data before encryption. Akira affiliates are known to heavily target small- to medium-sized businesses within several verticals primarily located within the U.S. but have targeted organizations within the U.K., Canada, Iceland, Australia and South Korea. Akira affiliates are notorious for leveraging compromised credentials and exploiting vulnerabilities as a means of gaining initial access, such as the SQL injection vulnerability, tracked as CVE-2021-27876, affecting certain versions of Zoho ManageEngine ADSelfService Plus, and the vulnerability, tracked as CVE-2023-27532, affecting certain versions of Veeam’s Backup & Replication (VBS) software.    

**Phobos **

Talos IR has previously observed variants of Phobos ransomware, such as “Faust,” but this quarter, Talos IR responded to an engagement with the “BackMyData” variant of Phobos ransomware. The adversaries leveraged Mimikatz to dump credentials from Active Directory. The adversary also installed several tools in the NirSoft product suite designed to recover passwords, such as PasswordFox and ChromePass, for additional credential enumeration. 

The adversaries used PsExec to access the domain controller before setting a registry key to permit remote desktop connections. Shortly after, the adversaries also modified the firewall to allow remote desktop connections using the Windows scripting utility, netsh. The remote access tool AnyDesk was downloaded to enable remote access as a means of persistence in the environment. Talos IR assessed with high confidence that Windows Secure Copy (WinSCP) and Secure Shell (SSH) were likely used to exfiltrate staged data. Adversaries also relied on PsExec to execute commands, such as deleting volume shadow copies, as a precursor to deploying the ransomware executable. After encryption, the ransomware appended the file extension “.fastbackdata”.   

A notable finding was the persistent use of the “Users/\[username\]/Music” directory as a staging area for data exfiltration to host malicious scripts, tools and malware, a common technique used by numerous ransomware affiliates to evade detection and remain persistent in the environment. Talos IR also identified a digitally signed executable, “HRSword,” developed by Beijing Huorong Network Technology. It is a tool the affiliate used during the attack for potential secure file deletion and as a defensive measure to disable endpoint protection tools, which Phobos affiliates were previously using, according to public reporting.   

Phobos ransomware first emerged in late 2018 and shared many similarities with the Crysis and Dharma ransomware families. Unlike other ransomware families, there are many variants of Phobos ransomware, such as Eking, Eight, Elbie, Devos and Faust. There is little information known about the business model leveraged by the Phobos ransomware operation. In November 2023, Cisco Talos analyzed over a thousand samples of Phobos ransomware to learn more about the affiliate structure and activity, which revealed that Phobos may operate a RaaS model due to the hundreds of contact emails and IDs associated with Phobos campaigns, indicating the malware has a dispersed affiliate base. Talos assessed with moderate confidence that the Phobos ransomware operation is actively managed by a central authority, as there is only one private key capable of decryption in all observed campaigns. 

**Other observed threats  **

Talos IR responded to an attack where adversaries were attempting to brute force several Cisco Adaptive Security Appliances (ASAs). Although the adversaries were unsuccessful in their attack, this activity is in line with the recently observed trend affecting VPN services. 

Cisco Talos has recently seen an increase in malicious activity targeting VPN services, web application authentication interfaces, and Secure Shell (SSH) globally. Since at least March 18, Cisco has observed scanning and brute force activity sourcing from The Onion Router (TOR) exit nodes and other anonymous tunnels and proxies. 

Depending on the target environment, a successful attack could result in unauthorized access to a target network, possibly leading to account lockouts and denial-of-service (DoS) conditions. The brute force attempts include a combination of generic usernames and valid usernames unique to specific organizations. The activity seems indiscriminate and has been observed across multiple industry verticals and geographic regions. 

**Initial vectors **

The most observed means of gaining initial access was the use of compromised credentials on valid accounts, accounting for 29 percent of engagements, a continuation of a trend from the previous quarter when valid accounts were also a top attack vector. 

**Security weaknesses **

For the first time, users accepting unauthorized MFA push notifications was the top observed security weakness, accounting for 25 percent of engagements this quarter. The lack of proper MFA implementation closely followed, accounting for 21 percent of engagements, a 44 percent decrease from the previous quarter. 

Users must have a clear understanding of the appropriate business response protocols when their devices are overwhelmed with an excessive volume of push notifications. Talos IR recommends organizations educate their employees about the specific channels and points of contact for reporting these incidents. Prompt and accurate reporting enables security teams to quickly identify the nature of the issue and implement the necessary measures to address the situation effectively. Organizations should also consider implementing number-matching in MFA applications to provide an additional layer of security to prevent users from accepting malicious MFA push notifications. 

Talos IR recommends implementing MFA on all critical services including all remote access and identity access management (IAM) services. MFA will be the most effective method for the prevention of remote-based compromises. It also prevents lateral movement by requiring all administrative users to provide a second form of authentication. Organizations can set up alerting for single-factor authentication to quickly identify potential gaps. 

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements and includes relevant examples and the number of times seen. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic based on the way they were leveraged. Please note, this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include:  

*   Remote access software, such as SplashTop and AnyDesk, were used in 17 percent of engagements this quarter, a 20 percent decrease from the previous quarter.  
*   The use of email hiding rules was the top observed defense evasion technique, accounting for 21 percent of engagements this quarter.   
*   Scheduled tasks were leveraged by adversaries the most this quarter for persistence, accounting for 17 percent of engagements this quarter, a 33 percent increase from the previous quarter.  
*   The abuse of remote services, such as RDP, SSH, SMB and WinRM, more than doubled this quarter compared to the previous quarter, accounting for nearly 60 percent of engagements. 

Reconnaissance 

Example 

T1589.001 Gather Victim Identity Information: Credentials 

Adversaries may gather credentials that can be used during their attack.  

T1598.003 Phishing for Information: Spearphishing Link 

Adversaries may send a spearphishing email with a link to a credential harvesting page to collect credentials for their attack. 

Resource Development 

Example 

T1586.002 Compromise Accounts: Email Accounts 

Adversaries may compromise email accounts that can be used during their attack for malicious activities, such as internal spearphishing. 

T1583.001 Acquire Infrastructure: Domains 

Adversaries may acquire domains that can be used for malicious activities, such as hosting malware. 

T1608.001 Stage Capabilities: Upload Malware 

Adversaries may upload malware to compromised domains to make it accessible during their attack.  

T1583.008 Acquire Infrastructure: Malvertising 

Adversaries may purchase online advertisements, such as Google ads, that can be used distribute malware to victims. 

T1608.004 Stage Capabilities: Drive-by Target 

Adversaries may prepare a website for drive-by compromise by inserting malicious JavaScript.  

Initial Access 

Example 

T1078 Valid Accounts 

Adversaries may use compromised credentials to access valid accounts during their attack. 

T1566 Phishing 

Adversaries may send phishing messages to gain access to target systems. 

T1189 Drive-by Compromise 

Victims may infect their systems with malware over browsing, providing an adversary with access.  

T1190 Exploit in Public-Facing Application 

Adversaries may exploit a vulnerability to gain access to a target system. 

T1566.002 Phishing: Spearphishing Link 

Adversaries may send phishing emails with malicious links to lure victims into installing malware.  

Execution 

Example 

T1059.001 Command and Scripting Interpreter: PowerShell 

Adversaries may abuse PowerShell to execute commands or scripts throughout their attack. 

T1059.003 Command and Scripting Interpreter: Windows Command Shell 

Adversaries may abuse Windows Command Shell to execute commands or scripts throughout their attack. 

T1569.002 System Services: Service Execution 

Adversaries may abuse Windows service control manager to execute commands or payloads during their attack. 

Persistence 

Example 

T1053.005 Scheduled Task / Job: Scheduled Task 

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for recurring execution of malware or malicious commands. 

T1574.002 Hijack Execution: DLL Side-Loading 

Adversaries may execute their own malicious code by side-loading DLL files into legitimate programs.  

Privilege Escalation 

Example 

T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control 

Adversaries may bypass UAC mechanisms to elevate their permissions on a system. 

Defense Evasion 

Example 

T1564.008 Hide Artifacts: Email Hiding Rules 

Adversaries may create inbox rules to forward certain incoming emails to a folder to hide them from the inbox owner. 

T1070.004 Indicator Removal: File Deletion 

Adversaries may delete files to cover their tracks during the attack.  

T1218.011 System Signed Binary Proxy Execution: Rundll32 

Adversaries may abuse the Windows utility rundll32.exe to execute malware.  

T1112 Modify Registry 

Adversaries may modify the registry to maintain persistence on a target system.  

T1562.010 Impair Defenses: Downgrade Attack 

Adversaries may downgrade a program, such as PowerShell, to a version that is vulnerable to exploits. 

Credential Access 

Example 

T1621 Multi-Factor Authentication Request Generation 

Adversaries may generate MFA push notifications causing an MFA exhaustion attack. 

T1003.005 OS Credential Dumping: NTDS 

Adversaries may dump the contents of the NTDS.dit file to access credentials that can be used for lateral movement. 

T1003.001 OS Credential Dumping: LSASS 

Adversaries may dump the contents of LSASS to access credentials that can be used for lateral movement 

T1003.002 OS Credential Dumping: Service Account Manager 

Adversaries may dump the contents of the service account manager to access credentials that can be used for lateral movement. 

T1110.002 Brute Force: Password Cracking 

Adversaries may use brute force account passwords to compromise accounts. 

Discovery 

Example 

T1069.001 Permission Groups Discovery: Local Groups 

Adversaries may attempt to discover local permissions groups with commands, such as “net localgroup.”  

T1069.002 Permission Groups Discovery: Domain Groups 

Adversaries may attempt to discover domain groups with commands, such as “net group /domain.” 

T1201 Password Policy Discovery 

Adversaries may attempt to discover information about the password policy within a compromised network with commands, such as “net accounts.” 

Lateral Movement 

Example 

T1021.001 Remote Services: Remote Desktop Protocol 

Adversaries may abuse valid accounts using RDP to move laterally in a target environment.  

T1534 Internal Spearphishing 

Adversaries may abuse a compromised email account to send internal spearphishing emails to move laterally. 

T1021.002 Remote Services: SMB / Windows Admin Shares 

Adversaries may abuse valid accounts using SMB to move laterally in a target environment. 

T1021.004 Remote Services: SSH 

Adversaries may abuse valid accounts using SSH to move laterally in a target environment. 

T1021.001 Remote Services: Windows Remote Management 

Adversaries may abuse valid accounts using WinRM to move laterally in a target environment. 

Collection 

Example 

T1114.002 Email Collection: Remote Email Collection 

Adversaries may target a Microsoft Exchange server to collect information.  

T1074.001 Data Staged: Local Data Staging 

Adversaries may stage collected data in preparation for exfiltration. 

T1074 Data Staged 

Adversaries may stage collected data in preparation for exfiltration. 

Command and Control 

Example 

T1105 Ingress Tool Transfer 

Adversaries may transfer tools from an external system to a compromised system. 

T1219 Remote Access Software  

Adversaries may abuse remote access software, such as AnyDesk, to establish an interactive C2 channel during their attack.  

Exfiltration 

Example 

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage 

Adversaries may exfiltrate data to a cloud storage provider, such as Dropbox.  

Impact 

Example 

T1486 Data Encrypted for Impact 

Adversaries may use ransomware to encrypt data on a target system.  

T1490 Inhibit System Recovery 

Adversaries may disable system recovery features, such as volume shadow copies.  

T1657 Financial Theft 

Adversaries may commit financial fraud during the attack.

Talos IR trends: BEC attacks surge, while weaknesses in MFA persist

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.

ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices

Ubuntu Security Notice 6738-1 - Fabian Bäumer, Marcus Brinkmann, and Joerg Schwenk discovered that LXD incorrectly handled the handshake phase and the use of sequence numbers in SSH Binary Packet Protocol. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass integrity checks.

    ==========================================================================Ubuntu Security Notice USN-6738-1April 22, 2024lxd vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 18.04 LTS (Available with Ubuntu Pro)- Ubuntu 16.04 LTS (Available with Ubuntu Pro)Summary:LXD could be made to bypass integrity checks if it received specially craftedinput.Software Description:- lxd: Container hypervisor based on LXCDetails:Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk discovered that LXDincorrectly handled the handshake phase and the use of sequence numbers in SSHBinary Packet Protocol (BPP). If a user or an automated system were trickedinto opening a specially crafted input file, a remote attacker could possiblyuse this issue to bypass integrity checks.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 18.04 LTS (Available with Ubuntu Pro):   lxd                             3.0.3-0ubuntu1~18.04.2+esm1   lxd-client                      3.0.3-0ubuntu1~18.04.2+esm1   lxd-tools                       3.0.3-0ubuntu1~18.04.2+esm1Ubuntu 16.04 LTS (Available with Ubuntu Pro):   golang-github-lxc-lxd-dev       2.0.11-0ubuntu1~16.04.4+esm1   lxc2                            2.0.11-0ubuntu1~16.04.4+esm1   lxd                             2.0.11-0ubuntu1~16.04.4+esm1   lxd-client                      2.0.11-0ubuntu1~16.04.4+esm1   lxd-tools                       2.0.11-0ubuntu1~16.04.4+esm1In general, a standard system update will make all the necessary changes.References:   https://ubuntu.com/security/notices/USN-6738-1   CVE-2023-48795

Ubuntu Security Notice USN-6738-1

Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.

_By Joey Chen, Chetan Raghuprasad and Alex Karkins._ 

*   Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys.
*   Talos also discovered a new PowerShell command-line argument embedded in the LNK file to bypass anti-virus products and download the final payload into the victims’ host.
*   This campaign uses the Content Delivery Network (CDN) cache domain as a download server, hosting the malicious HTA file and payload. 
*   Talos assesses with moderate confidence that the threat actor CoralRaider operates the campaign. We observed several overlaps in tactics, techniques, and procedures (TTPs) of CoralRaider’s Rotbot campaign, including the initial attack vector of the Windows Shortcut file, intermediate PowerShell decryptor and payload download scripts, the FoDHelper technique used to bypass User Access Controls (UAC) of the victim machine.  

**Victimology and actor infrastructure**

The campaign affects victims across multiple countries, including the U.S., Nigeria, Pakistan, Ecuador, Germany, Egypt, the U.K., Poland, the Philippines, Norway, Japan, Syria and Turkey, based on our telemetry data and OSINT information. Our telemetry also disclosed that some affected users were from Japan’s computer service call center organizations and civil defense service organizations in Syria. The affected users were downloading files masquerading as movie files through the browser, indicating the possibility of a widespread attack on users across various business verticals and geographies.

We observe that this threat actor is using a Content Delivery Network (CDN) cache to store the malicious files on their network edge host in this campaign, avoiding request delay. The actor is using the CDN cache as a download server to deceive network defenders. 

CDN edge URLs 

Information Stealer

hxxps\[://\]techsheck\[.\]b-cdn\[.\]net/Zen90

Cryptbot

hxxps\[://\]zexodown-2\[.\]b-cdn\[.\]net/Peta12

Cryptbot

hxxps\[://\]denv-2\[.\]b-cdn\[.\]net/FebL5

Cryptbot, Rhadamanthys

hxxps\[://\]download-main5\[.\]b-cdn\[.\]net/BSR\_v7IDcc

Rhadamanthys

hxxps\[://\]dashdisk-2\[.\]b-cdn\[.\]net/XFeb18

Cryptbot

hxxps\[://\]metrodown-3\[.\]b-cdn\[.\]net/MebL1

Cryptbot

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/MebL1

Cryptbot, LummaC2

hxxps\[://\]metrodown-2\[.\]b-cdn\[.\]net/SAq2

LummaC2

Talos discovered that the actor is using multiple C2 domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing. 

**Tactics, techniques and procedures overlap with other campaigns **

Talos assesses with moderate confidence that threat actor CoralRaider is likely operating this campaign based on several overlaps in the TTPs used and the targeted victims’ geography of this campaign with that of the CoralRaider’s Rotbot campaign. We spotted that the PowerShell scripts used in the attack chain of this campaign to decrypt the PowerShell scripts of further stages and the downloader PowerShell script are similar to those employed in the Rotbot’s campaign.

PowerShell decryptor script of Rotbot campaign (left) and new unknown campaign (right).

String decrypt and download routine of Rotbot campaign (Left) and new unknown campaign (right).

The Powershell script did not appear in any public repository or article, indicating the threat actor likely developed these PowerShell scripts. Pivoting on the PowerShell argument embedded in the LNK file showed us that such arguments are not popular and likely specific to the actor and the campaign.  

.(gp -pa 'HKLM:\\SOF\*\\Clas\*\\Applications\\msh\*e').('PSChildName')

**Multi-stage infection chain to deliver the payload **

The infection chain starts when a victim opens the malicious shortcut file from a ZIP file downloaded using the drive-by download technique, according to our telemetry. The threat actor is likely delivering malicious links to victims through phishing emails.

The Windows shortcut file has an embedded PowerShell command running a malicious HTA file on attacker-controlled CDN domains. HTA file executes an embedded Javascript, which decodes and runs a PowerShell decrypter script. PowerShell decrypter script decrypts the embedded PowerShell Loader script and runs it in the victim’s memory. The PowerShell Loader executes multiple functions to evade the detections and bypass UAC, and finally, it downloads and runs one of the payloads, Cryptbot, LummaC2 or Rhadamanthys information stealer.

**Windows Shortcut file to execute the malicious HTA file**

Windows shortcut file runs a PowerShell command to download and run an HTML application file on the victim’s machine. The threat actor has used “gp,” a PowerShell command alias for Get-ItemProperty, to read the registry contents of the application classes registry key and gets the executable name “mshta.exe.” Using mshta.exe, the PowerShell instance executes the remotely hosted malicious HTA file on the victim’s machine. 

**Obfuscated HTA runs embedded PowerShell decrypter  **

The malicious HTML application file is heavily obfuscated and has a Javascript that decodes and executes a function using the String fromCharCode method. The decoded function then executes an embedded PowerShell decryptor script. 

The decryptor PowerShell script has a block of AES-encrypted string. Using the AES decryptor function, it generates an AES key of 256 bytes from a base64 encoded string “RVRVd2h4RUJHUWNiTEZpbkN5SXhzUWRHeFN4V053THQ=” and the IV “AAAAAAAAAAAAAAAA.” With the key and IV, it decrypts and executes the next stage of the PowerShell Loader script. 

**PowerShell loader downloads and runs the payload**

The PowerShell loader script is modular and has multiple functions to perform a sequence of activities on the victim’s machine. Initially, it executes a function that drops a batch script in the victim machine’s temporary folder and writes its contents, which includes the PowerShell command to add the folder “ProgramData” of the victim machine to the Windows Defender exclusion list. 

The dropped bath script is executed through a living-off-the-land binary (LoLBin) “FoDHelper.exe” and a Programmatic Identifiers (ProgIDs) registry key to bypass the User Access Controls (UAC) in the victim’s machine. Fodhelper is a Windows feature, an on-demand helper binary that runs by default with high integrity. Usually, when the FodHelper is run, it checks for the presence of the registry keys listed below. If the registry keys have commands assigned, the FodHelper will execute them in an elevated context without prompting the user. 

HKCU:\Software\Classes\ms-settings\shell\open\command

HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute

HKCU:\Software\Classes\ms-settings\shell\open\command\(default)

Windows Defender, by default, detects if there are attempts to write to the registry keysHKCU:\Software\Classes\ms-settings\shell\open\command and to evade this detection, the threat actor uses the programmatic identifier (ProgID). In Windows machines, a programmatic identifier (ProgID ) is a registry entry that can be associated with a Class ID (CLSID ), which is a globally unique serial number that identifies a COM (Component Object Model) class object. The Windows Shell uses a default ProgID registry key called CurVer, which is used to set the default version of a COM application. 

In this campaign, the threat actor abuses the “CurVer” registry key feature by creating a custom ProgID “ServiceHostXGRT” registry key in the software classes registry and assigns the Windows shell to execute a command to run the batch script. 

Registry Key

"HKCU\\Software\\Classes\\ServiceHostXGRT\\Shell\\Open\\command"

Value

%temp%\\r.bat 

The script configures the ProgID ServiceHostXGRT in the CurVer registry subkey of HKCU\Software\Classes\ms-settings\CurVer, which will get translated to HKCU:\Software\Classes\ms-settings\shell\open\command. After modifying the registry settings, the PowerShell script runs FoDHelper.exe, executing the command assigned to the registry key HKCU:\Software\Classes\ms-settings\shell\open\command and executing the dropped batch script. Finally, it deletes the configured registry keys to evade detection. 

The batch script adds the folder “C:\\ProgramData” to the Windows Defender exclusion list. The PowerShell loader script downloads the payload and saves it in the “C:\\ProgramData” folder as “X1xDd.exe.”

After downloading the payload to the victim’s machine, the PowerShell loader executes another function that overwrites the previously dropped batch file with the new instructions to run the downloaded payload information stealer through the Windows start command. It again uses the same FoDHelper technique to run the batch script’s second version, which we explained earlier in this section.  

**Actor’s choice of three payloads in the same campaign **

Talos discovered that the threat actor delivered three famous information stealer malware as payloads in this campaign, including CryptBot, LummaC2 and Rhadamanthys. These information stealers target victims’ information, such as system and browser data, credentials, cryptocurrency wallets and financial information. 

**CryptBot**

CryptBot is a typical infostealer targeting Windows systems discovered in the wild in 2019 by GDATA. It is designed to steal sensitive information from infected computers, such as credentials from browsers, cryptocurrency wallets, browser cookies and credit cards, and creates screenshots of the infected system. 

Talos has discovered a new CryptBot variant distributed in the wild since January 2024. The goal of the new CryptBot is the same, with some new innovative functionalities. The new CryptBot is packed with different techniques to obstruct malware analysis. A few new CryptBot variants are packed with VMProtect V2.0.3-2.13; others also have VMProtect, but with unknown versions. The new CryptBot attempts to steal sensitive information from infected machines and modifies the configuration changes of the stolen applications. The list of targeted browsers, applications and cryptocurrency wallets by the new variant of CryptBot is shown below.

We observed the new CryptBot variant also includes password manager application databases and authenticator application information in its stealing list to steal the cryptocurrency wallets that have two-factor authentication enabled. 

CryptBot is aware that the target applications in the victim’s environment will have different versions, and their database files will have different file extensions. It scans the victim’s machine for database files’ extensions of the targeted applications for harvesting credentials. 

**LummaC2 **

Talos discovered that the actor is delivering a new variant of LummaC2 malware as an alternative payload in this campaign. LummaC2 is a notorious information stealer that attempts to harvest information from victims’ machines. Based on the report posted by outpost24 and other external security reports, LummaC2 has already been confirmed to be sold on the underground market for years. 

The threat actor has modified LummaC2’s information stealer capability and obfuscated the malware with a custom algorithm. The obfuscation algorithm is saved in another section inside the malware shown below.

The new version of LummaC2 also presents the same signature of the alert message displayed to the user during its execution. 

The C2 domains are encrypted with a symmetric algorithm, and we found that the actor has nine C2 servers that the malware will attempt to connect to one by one. Analyzing various samples of the new LummaC2 variant, we spotted that each will use a different key to encrypt the C2.   

Talos has compiled the list of nine C2 domains the new LummaC2 variant attempts to connect in this campaign. 

Encrypted strings

Decrypted Strings

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB+VXagKwrRr7BjLA71GNEZ8E8/0K2otQ==

peasanthovecapspll\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBpVXqwOAHAo75nPQT3Hc4I6EZ+x+u0rVjB

gemcreedarticulateod\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9VXShLxDMqLFmPATgC8Ma+U14zKy0oBnC/kf0

secretionsuitcasenioise\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtXHa6JwfKqbxwOh79B8wb+UF0jbavqkc=

claimconcessionrebe\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBiWXaxIwjMs6Z0Ox/1BsUM8UZ/2qyz60TZ+Vg=

liabilityarrangemenyit\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBjX3O2ORDAtKx0MAjiDcwE9U9mxq7ptl/e5g==

modestessayevenmilwek\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB6Qn6yJAPJoqxwKB77BsAM8kB51K/ptl/e5g==

triangleseasonbenchwj\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphBtRXunPxbAtLRwPQ78DssH/U1yyqSrqRnC/kf0

culturesketchfinanciall\[.\]shop

DjAX00pkpcffFUltlGiiaZwjEaPFx8U3sZYohNNzphB9X3GyIhHLs7Z7Lh74AcYM+Ep/xuu0rVjB

sofahuntingslidedine\[.\]shop

LummaC2’s first step in its exfiltration phase is its connection to the C2 server. The malware will exit the process if it does not receive the “OK” message as a response from any of the nine C2 servers. The second step will be exfiltrating information from infected machines. The basic stealing functionality is the same as the previous version, with the addition of victims’ discord credentials to exfiltrate. 

**Rhadamanthys**

The last payload we found in this campaign is Rhadamanthys malware, a famous infostealer appearing in the underground forum advertisement in September 2022. The Rhadamanthys malware has been evolving till now, and its authors have released a new version, V0.6.0, on Feb. 15, 2024. However, the Rhadamanthys variant we found in this campaign is still v0.5.0.

The threat actor uses a Python executable file as a loader to execute the Rhadamanthys malware into memory. After decompiling the Python executable file, Python scripts load the Rhadamanthys malware in two stages. The first stage is a simple Python script that replaces the binary code from 0 to 9 and decodes the second stage. 

In the second stage, the Python script uses the Windows API to allocate a memory block and inject Rhadamanthys malware into the process. We spotted that the threat actor is developing the Python script with the intention of including the functionality of executing a shellcode. 

Analyzing the final executable file showed us that the malware unpacks the loader module with the custom format having the magic header “XS” and performs the process injection. The custom loader module in XS format is similar to that of a Rhadamanthys sample analyzed by the researcher at Check Point. The malware selects one of the listed processes as the target process for process injection from a hardcoded list in the binary:

*   "%Systemroot%\\\\system32\\\\dialer.exe"
*   "%Systemroot%\\\\system32\\\\openwith.exe"

**Coverage**

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 63218 - 63225 and 300867 - 300870.

ClamAV detections are also available for this threat:

Lnk.Downloader.CoralRaider-10027128-0

Txt.Tool.CoralRaider-10027140-0

Html.Downloader.CoralRaider-10027220-0

Win.Infostealer.Lumma-10027222-0

Win.Infostealer.Rhadamanthys-10027293-0

Win.Infostealer.Rhadamanthys-10027294-0

Win.Infostealer.Cryptbot-10027295-0

Win.Infostealer.Cryptbot-10027296-0

Win.Infostealer.Cryptbot-10027297-0

Win.Infostealer.Cryptbot-10027298-0

Win.Infostealer.Cryptbot-10027299-0

Win.Infostealer.Cryptbot-10027300-0

Win.Infostealer.Cryptbot-10027301-0

Win.Infostealer.Cryptbot-10027302-0

Win.Infostealer.Cryptbot-10027303-0

Win.Infostealer.Cryptbot-10027305-0

**Indicators of Compromise**

Indicators of Compromise associated with this threat can be found here.

Suspected CoralRaider continues to expand victimology using three information stealers

The threat actor is deploying multiple connections into victim environments to maintain persistence and steal data.

Source: RooM the Agency via Alamy Stock Photo

An advanced persistent threat (APT) group known as ToddyCat is collecting data on an industrial scale from government and defense targets in the Asia-Pacific region.

Researchers from Kaspersky tracking the campaign described the threat actor this week as using multiple simultaneous connections into victim environments to maintain persistence and to steal data from them. They also discovered a set of new tools that ToddyCat (which is a common name for the Asian palm civet) is using to enable data collection from victim systems and browsers.

**Multiple Traffic Tunnels in ToddyCat Cyberattacks**

"Having several tunnels to the infected infrastructure implemented with different tools allow \[the\] attackers to maintain access to systems even if one of the tunnels is discovered and eliminated," Kaspersky security researchers said in a blog post this week. "By securing constant access to the infrastructure, \[the\] attackers are able to perform reconnaissance and connect to remote hosts."

ToddyCat is a likely Chinese-language speaking threat actor that Kaspersky has been able to link to attacks going back to at least December 2020. In its initial stages, the group appeared focused on just a small number of organizations in Taiwan and Vietnam. But the threat actor quickly ramped up attacks following the public disclosure of the so-called ProxyLogon vulnerabilities in Microsoft Exchange Server in February 2021. Kaspersky believes ToddyCat might have been among a group of threat actors that targeted the ProxyLogon vulnerabilities even prior to February 2021, but says it has not found evidence yet to back up that conjecture.  

In 2022, Kaspersky reported finding ToddyCat actors using two sophisticated new malware tools dubbed Samurai and Ninja to distribute China Chopper — a well-known commodity Web shell used in the Microsoft Exchange Server attacks — on systems belonging to victims in Asia and Europe.

**Maintaining Persistent Access, Fresh Malware**

Kaspersky's latest investigation into ToddyCat's activities showed the threat actor's tactic to maintain persistent remote access to a compromised network is to establish multiple tunnels to it using different tools. These include using a reverse SSH tunnel to gain access to remote network services; using SoftEther VPN, an open source tool that enables VPN connections via OpenVPN, L2TP/IPSec, and other protocols; and using a lightweight agent (Ngrok) to redirect command-and-control from an attacker-controlled cloud infrastructure to target hosts in the victim environment.

In addition, Kaspersky researchers found ToddyCat actors to be using a fast reverse proxy client to enable access from the Internet to servers behind a firewall or network address translation (NAT) mechanism.

Kaspersky's investigation also showed the threat actor using at least three new tools in its data-collection campaign. One of them is malware that Kaspersky had dubbed "Cuthead" that allows ToddyCat to search for files with specific extensions or words on the victim network, and to store them in an archive.

Another new tool that Kaspersky found ToddyCat using is "WAExp." The malware's task is to search for and collect browser data from the Web version of WhatsApp. 

"For users of the WhatsApp web app, their browser local storage contains their profile details, chat data, the phone numbers of users they chat with and current session data," Kaspersky researchers said. WAExp allows the attacks to gain access to this data by copying the browser's local storage files, the security vendor noted.  

The third tool meanwhile is dubbed "TomBerBil," and allows ToddyCat actors to steal passwords from Chrome and Edge browsers.

"We looked at several tools that allow the attackers to maintain access to target infrastructures and automatically search for and collect data of interest," Kaspersky said. "The attackers are actively using techniques to bypass defenses in an attempt to mask their presence in the system."

The security vendor recommends that organizations block IP addresses of cloud services that provide traffic tunneling and limit the tools that administrators can use to access hosts remotely. Organizations also need to either remove or closely monitor any unused remote access tools in the environment and encourage users not to store passwords in their browsers, Kaspersky said.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

ToddyCat APT Is Stealing Data on 'Industrial Scale'

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

Source: Wright Studio via Shutterstock

Cisco Talos this week warned of a massive increase in brute-force attacks targeting VPN services, SSH services, and Web application authentication interfaces.

In its advisory, the company described the attacks as involving the use of generic and valid usernames to try and gain initial access to victim environments. The targets of these attacks appear to be random and indiscriminate and not restricted to any industry sector or geography, Cisco said.

The company identified the attacks as impacting organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Checkpoint VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek.

**Attack Volumes Might Increase**

"Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions," a Cisco Talos statement explained. The vendor noted the surge in attacks began around March 28 and warned of a likely increase in attack volumes in the coming days.

Cisco did not immediately respond to a Dark Reading inquiry regarding the sudden explosion in attack volumes and whether they're the work of a single threat actor or multiple threat actors. Its advisory identified the source IP addresses for the attack traffic as proxy services associated with Tor, Nexus Proxy, Space Proxies, and BigMama Proxy.

Cisco's advisory linked to indicators of compromise — including IP addresses and credentials associated with the attacks — while also noting the potential for these IP addresses to change over time.

The new wave of attacks is consistent with the surging interest among threat actors in the VPNs and other technologies that organizations have deployed in recent years to support remote access requirements for employees. Attackers — including nation-state actors — have ferociously targeted vulnerabilities in these products to try and break into enterprise networks, prompting multiple advisories from the likes of the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency (NSA), and others.

**VPN Vulnerabilities Explode in Number**

A study by Securin showed the number of vulnerabilities that researchers, threat actors, and vendors themselves have discovered in VPN products increased 875% between 2020 and 2024. They noted how 147 flaws across eight different vendors' products grew to nearly 1,800 flaws across 78 products. Securin also found that attackers weaponized 204 of the total disclosed vulnerabilities so far. Of this, advanced persistent threat (APT) groups such as Sandworm, APT32, APT33, and Fox Kitten had exploited 26 flaws, while ransomware groups like REvil and Sodinokibi had exploits for another 16.

Cisco's latest advisory appears to have stemmed from multiple reports the company received about password-spraying attacks targeting remote access VPN services involving Cisco's products and those from multiple other vendors. In a password-spraying attack, an adversary basically attempts to gain brute-force access to multiple accounts by trying default and common passwords across all of them.

**Reconnaissance Effort?**

"This activity appears to be related to reconnaissance efforts," Cisco said in a separate April 15 advisory that offered recommendations for organizations against password-spraying attacks. The advisory highlighted three symptoms of an attack that users of Cisco VPNs might observe: VPN connection failures, HostScan token failures, and an unusual number of authentication requests.

The company recommended that organizations enable logging on their devices, secure default remote access VPN profiles, and block connection attempts from malicious sources via access control lists and other mechanisms.

"What is important here is that this attack is not against a software or hardware vulnerability, which usually requires patches," Jason Soroko, senior vice president of product at Sectigo, said in an emailed statement. The attackers in this instance are attempting to take advantage of weak password management practices, he said, so the focus should be on implementing strong passwords or implementing passwordless mechanisms to protect access.

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted.

Thursday, April 18, 2024 14:00

If you’re a regular reader of this newsletter, you already know about how strongly I feel about the dangers of spreading fake news, disinformation and misinformation. 

And honestly, if you’re reading this newsletter, I probably shouldn’t have to tell you about that either. But one of the things that always frustrates me about this seemingly never-ending battle against disinformation on the internet, is that there aren’t any real consequences for the worst offenders. 

At most, someone who intentionally or repeatedly shares information on their social platform that’s misleading or downright false may have their account blocked, suspended or deleted, or just that one individual post might be removed.  

Twitter, which has become one of the worst offenders for spreading disinformation, has gotten even worse about this over the past few years and at this point doesn’t do anything to these accounts, and in fact, even promotes them in many ways and gives them a larger platform. 

Meta, for its part, is now hiding more political posts on its platforms in some countries, but at most, an account that shares fake news is only going to be restricted if enough people report it to Meta’s team and they choose to take action.  

Now, I’m hoping that Brazil’s Supreme Court may start imposing some real-world consequences on individuals and companies that support, endorse or sit idly by while disinformation spreads. Specifically, I’m talking about a newly launched investigation by the court into Twitter/X and its owner, Elon Musk.  

Brazil’s Supreme Court says users on the platform are part of a massive misinformation campaign against the court’s justices, sharing intentionally false or harmful information about them. Musk is also facing a related investigation into alleged obstruction.  

The court had previously asked Twitter to block certain far-right accounts that were spreading fake news on Twitter, seemingly one of the only true permanent bans on a social media platform targeting the worst misinformation offenders. Recently, Twitter has declined to block those accounts. 

This isn’t some new initiative, though. Brazil’s government has long looked for concrete ways to implement real-world punishments for spreading disinformation. In 2022, the Supreme Court signed an agreement with the equivalent of Brazil’s national election commission “to combat fake news involving the judiciary and to disseminate information about the 2022 general elections.” 

Brazil’s president (much like the U.S.) has been battling fake news and disinformation for years now, making any political conversation there incredibly divisive, and in many ways, physically dangerous. I’m certainly not an authority enough on the subject to comment on that and the ways in which the term “fake news” has been weaponized to literally challenge what is “fact” in our modern society.  

And I could certainly see a world in which a high court uses the term “fake news” to charge and prosecute people who are, in fact, spreading \*correct\* and verifiable information.  

But, even just forcing Musk or anyone at Twitter to answer questions about their blocking policies could bring an additional layer of transparency to this process. Suppose we want to really get people to stop sharing misleading information on social media. In that case, it needs to eventually come with real consequences, not just a simple block when they can launch a new account two seconds later using a different email address. 

**The one big thing **

Talos recently discovered a new threat actor we're calling “Starry Addax” targeting mostly human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause. Starry Addax primarily uses a new mobile malware that it infects users with via phishing attack, tricking their targets into installing malicious Android applications we’re calling “FlexStarling.” The malicious mobile application (APK), “FlexStarling,” analyzed by Talos recently masquerades as a variant of the Sahara Press Service (SPSRASD) App. 

**Why do I care? **

The targets in this campaign's case are considered high-risk individuals, advocating for human rights in the Western Sahara. While that is a highly focused particular demographic, FlexStarling is still a highly capable implant that could be dangerous if used in other campaigns. Once infected, Starry Addax can use their malware to steal important login credentials, execute remote code or infect the device with other malware.  

**So now what? **

This campaign's infection chain begins with a spear-phishing email sent to targets, consisting of individuals of interest to the attackers, especially human rights activists in Morocco and the Western Sahara region. If you are a user who feels you could be targeted by these emails, please pay close attention to any URLs or attachments used in emails with these themes and ensure you’re only visiting trusted sites. The timelines connected to various artifacts used in the attacks indicate that this campaign is just starting and may be in its nascent stages with more infrastructure and Starry Addax working on additional malware variants. 

**Top security headlines of the week **

**A threat actor with ties to Russia is suspected of infecting the network belonging to a rural water facility in Texas earlier this year.** The hack in the small town of Muleshoe, Texas in January caused a water tower to overflow. The suspect attack coincided with network intrusions against networks belonging to two other nearby towns. While the attack did not disrupt drinking water in the town, it would mark an escalation in Russian APTs’ efforts to spy on and disrupt American critical infrastructure. Security researchers this week linked a Telegram channel that took credit for the activity with a group connected to Russia’s GRU military intelligence agency. The adversaries broke into a remote login system used in ICS, which allowed the actors to interact with the water tank. It overflowed for about 30 to 45 minutes before officials took the machine offline and switched to manual operations. According to reporting from CNN, a nearby town called Lockney detected “suspicious activity” on the town’s SCADA system. And in Hale Center, adversaries also tried to breach the town network’s firewall, which prompted them to disable remote access to its SCADA system. (CNN, Wired) 

**Meanwhile, Russia’s Sandworm APT is also accused of being the primary threat actor carrying out Russia’s goals in Ukraine.** New research indicates that the group is responsible for nearly all disruptive and destructive cyberattacks in Ukraine since Russia's invasion in February 2022. One attack involved Sandworm, aka APT44, disrupting a Ukrainian power facility during Russia’s winter offensive and a series of drone strikes targeting Ukraine’s energy grid. Recently, the group’s attacks have increasingly focused on espionage activity to gather information for Russia’s military to use to its advantage on the battlefield. The U.S. indicated several individuals for their roles with Sandworm in 2020, but the group has been active for more than 10 years. Researchers also unmasked a Telegram channel the group appears to be using, called “CyberArmyofRussia\_Reborn.” They typically use the channel to post evidence from their sabotage activities. (Dark Reading, Recorded Future) 

**Security experts and government officials are bracing for an uptick in offensive cyber attacks between Israel and Iran** after Iran launched a barrage of drones and missiles at Israel. Both countries have dealt with increased tensions recently, eventually leading to the attack Saturday night. Israel’s leaders have already been considering various responses to the attack, among which could be cyber attacks targeting Iran in addition to any new kinetic warfare. Israel and Iran have long had a tense relationship that included covert operations and destructive cyberattacks. Experts say both countries have the ability to launch wiper malware, ransomware and cyber attacks against each other, some of which could interrupt critical infrastructure or military operations. The increased tensions have also opened the door to many threat actors taking claims for various cyber attacks or intrusions that didn’t happen. (Axios, Foreign Policy) 

**Can’t get enough Talos? **

*   Cisco Warns of Global Surge in Brute-Force Attacks Targeting VPN and SSH Services 
*   Decade-old malware haunts Ukrainian police 
*   Attackers are pummeling networks around the world with millions of login attempts 
*   OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal 
*   Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials 
*   Talos Takes Ep. #179: Why we need to stop calling as-a-service group takedowns "takedowns" 

**Upcoming events where you can find Talos **

 **Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_    

**Most prevalent malware files from Talos telemetry over the past week **

_This section will be on a brief hiatus while we work through some technical difficulties._

Could the Brazilian Supreme Court finally hold people accountable for sharing disinformation?

Debian Linux Security Advisory 5655-2 - The update of cockpit released in DSA 5655-1 did not correctly build binary packages due to unit test failures when building against libssh 0.10.6. This update corrects that problem.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5655-2                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
April 16, 2024                        https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : cockpit  
Debian Bug     : 1069059

The update of cockpit released in DSA 5655-1 did not correctly built  
binary packages due to unit test failures when building against libssh  
0.10.6. This update corrects that problem.

For the stable distribution (bookworm), this problem has been fixed in  
version 287.1-0+deb12u2.

We recommend that you upgrade your cockpit packages.

For the detailed security status of cockpit please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/cockpit

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmYe2O9fFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0QK0RAAkGuh1qsgWCu60JxMYZjfeSyA/w+MlKlwANHCA74QbsvqOyadjrtdxRjK  
EgKRs8Gz7H8o3bpuVE/4mWkIyDjsn9yZeFlro/6wf3yGsxEL7I2MlKWa56A6hNJD  
4dCgdo9gKqcDR7YOpknemN7F8VElUINFjBHzQ6vzm+HMneg4JC3Nhh1TZfNj/trT  
em/LLoMb9VDHutpv8T0OQwt1tgUxfOfxKDFTsLzjxzYwBfAHqJPu/MZrS1kj15iU  
HK9nouDw7hYOx0FzTBhlobNnLod8kYN+McUMkiux84lv8PyYE3sxiDlTYcGeG+0n  
XQ4FHxB6wdolaGKRCwt8t3Bt1uTPvbDYwii6eDmjNLrSFnjbJlfihaVkng9fXb6R  
kfRHRWhcT15/Yv8GmJUAN7/vNlzPEAXkbXmP3O/MmrLymjsyC4p2Oo8PfKn1biK0  
K0s0BrGMd60DvrD6L07ntF0IfF7qoNvYwZLF3ELsXe/h9dlaNtqDHMG2O1OZNB/M  
VYW6S3reytzexMuqUtKPB2kAZeuiIK6iTJNLU7v1ZWPfHp2ApK3yGxTCXrNj3Ufa  
kO7Tw0g6w3xIvlxLjHPZ/V9TxBB75i2PmxQMLIk4VjAMY93I6XmESFhI4Me94oQw  
xYRGVjCCHd8J5Ky4VTgnS66Um2KUkF+nGCZLudTDVeyPzNBh9hk=  
=b5VL  
-----END PGP SIGNATURE-----

Debian Security Advisory 5655-2

Red Hat Security Advisory 2024-1859-03 - OpenShift API for Data Protection 1.3.1 is now available. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1859.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: OpenShift API for Data Protection (OADP) 1.3.1 security and bug fix update  
Advisory ID:        RHSA-2024:1859-03  
Product:            OpenShift API for Data Protection  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:1859  
Issue date:         2024-04-16  
Revision:           03  
CVE Names:          CVE-2023-39326  
====================================================================

Summary: 

OpenShift API for Data Protection (OADP) 1.3.1 is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

OpenShift API for Data Protection (OADP) enables you to back up and restore application resources, persistent volume data, and internal container images to external backup storage. OADP enables both file system-based and snapshot-based backups for persistent volumes.

Security Fix(es) from Bugzilla:

* opentelemetry: DoS vulnerability in otelhttp (CVE-2023-45142)

* golang: crypto/tls: Timing Side Channel attack in RSA based TLS key exchanges. (CVE-2023-45287)

* golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests (CVE-2023-39326)

* ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (CVE-2023-48795)

* golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON (CVE-2024-24786)

* jose-go: improper handling of highly compressed data (CVE-2024-28180)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-39326

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2245180  
https://bugzilla.redhat.com/show_bug.cgi?id=2253193  
https://bugzilla.redhat.com/show_bug.cgi?id=2253330  
https://bugzilla.redhat.com/show_bug.cgi?id=2254210  
https://bugzilla.redhat.com/show_bug.cgi?id=2268046  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://issues.redhat.com/browse/OADP-1912  
https://issues.redhat.com/browse/OADP-2866  
https://issues.redhat.com/browse/OADP-3005  
https://issues.redhat.com/browse/OADP-3038  
https://issues.redhat.com/browse/OADP-3041  
https://issues.redhat.com/browse/OADP-3044  
https://issues.redhat.com/browse/OADP-3051  
https://issues.redhat.com/browse/OADP-3055  
https://issues.redhat.com/browse/OADP-3189  
https://issues.redhat.com/browse/OADP-3326  
https://issues.redhat.com/browse/OADP-3379  
https://issues.redhat.com/browse/OADP-3390  
https://issues.redhat.com/browse/OADP-3395  
https://issues.redhat.com/browse/OADP-3486  
https://issues.redhat.com/browse/OADP-3495  
https://issues.redhat.com/browse/OADP-3598  
https://issues.redhat.com/browse/OADP-3710  
https://issues.redhat.com/browse/OADP-3821

Tag

#ssh