A re-implementation of Cobalt Strike has been “written from scratch” to attack Linux systems.

Dubbed Vermilion Strike, Intezer said on Tuesday that the new variation leans on Cobalt Strike functionality, including its command-and-control (C2) protocol, its remote access functionality, and its ability to run shell instructions.  Cobalt Strike is a legitimate penetration testing tool for Windows systems. Released in 2012, the tool has been constantly abused by threat actors including advanced persistent threat (APT) groups such as Cozy Bear and campaigns designed to spread Trickbot and the Qbot/Qakbot banking Trojan.  Cobalt Strike’s source code for version 4.0 was allegedly leaked online, however, most threat actors tracked by cybersecurity teams appear to rely on pirate and cracked copies of the software. Until now, at least. In August, Intezer uncovered the new ELF implementation of Cobalt Strike’s beacon, which appears to have originated from Malaysia.  When the researchers reported Vermilion Strike, it went undetected on VirusTotal as malicious software. (However, as of the time of writing, 24 antivirus vendors have now registered the threat.)

Built on a Red Hat Linux distribution, the malware is capable of launching beacons, listing files, changing and pulling working directories, appending and writing to files, uploading data to its C2, executing commands via the popen function, and analyzing disk partitions.  While capable of attacking Linux builds, Windows samples have also been found that use the same C2 server and contain the same functionality. The researchers worked with McAfee Enterprise ATR to examine the software and have come to the conclusion that Vermilion Strike is being used in targeted attacks against telecoms, government, IT, advisory, and financial organizations worldwide. “The sophistication of this threat, its intent to conduct espionage, and the fact that the code hasn’t been seen before in other attacks, together with the fact that it targets specific entities in the wild, leads us to believe that this threat was developed by a skilled threat actor,” Intezer says.  This is not the only unofficial port of Cobalt Strike, however. There is also geacon, an open source project based on the Golang programming language. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

<!–> marchmeena29/Getty Images Nations will need to beef up security of their critical information infrastructures (CII) and operational technology (OT) systems as a move toward common standards gives hackers greater ability to scale up their attacks.  Increased digitalization and connectivity have fuelled automation in OT sectors, such as power, oil and gas, water, and manufacturing. […] More

Cybercriminals began searching the web for vulnerable Exchange Servers within five minutes of Microsoft’s security advisory going public, researchers say. 

According to a review of threat data from enterprise companies gathered between January and March this year, compiled in Palo Alto Networks’ 2021 Cortex Xpanse Attack Surface threat report and published on Wednesday, threat actors were quick-off-the-mark to scan for servers ripe to exploit.  When critical vulnerabilities in widely adopted software are made public, this may trigger a race between attackers and IT admins: one to find suitable targets — especially when proof-of-concept (PoC) code is available or a bug is trivial to exploit — and IT staff to perform risk assessments and implement necessary patches.  The report says that in particular, zero-day vulnerabilities can prompt attacker scans within as little as 15 minutes following public disclosure. Palo Alto researchers say that attackers “worked faster” when it came to Microsoft Exchange, however, and scans were detected within no more than five minutes.  On March 2, Microsoft disclosed the existence of four zero-day vulnerabilities in Exchange Server. The four security issues, collectively impacting on-prem Exchange Server 2013, 2016, and 2019, were exploited by the Chinese advanced persistent threat (APT) group Hafnium — and other APTs, including LuckyMouse, Tick, and Winnti Group, quickly followed suit.The security disclosure triggered a wave of attacks, and three weeks later, they were still ongoing. At the time, F-Secure researchers said vulnerable servers were “being hacked faster than we can count.”

Read on: Everything you need to know about the Microsoft Exchange Server hackIt is possible that the general availability of cheap cloud services has helped not only APTs but also smaller cybercriminals groups and individuals to take advantage of new vulnerabilities as they surface.”Computing has become so inexpensive that a would-be attacker need only spend about $10 to rent cloud computing power to do an imprecise scan of the entire internet for vulnerable systems,” the report says. “We know from the surge in successful attacks that adversaries are regularly winning races to patch new vulnerabilities.” The research also highlights Remote Desktop Protocol (RDP) as the most common cause of security weakness among enterprise networks, accounting for 32% of overall security issues, an especially problematic area as many companies made a rapid shift to cloud over the past year in order to allow their employees to work remotely.  “This is troubling because RDP can provide direct admin access to servers, making it one of the most common gateways for ransomware attacks,” the report notes. “They represent low-hanging fruit for attackers, but there is reason for optimism: most of the vulnerabilities we discovered can be easily patched.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Ransomware is becoming more successful than ever before because of a combination of factors which allow cyber criminals to easily gain access to corporate networks – and they’re finding success because a significant number of organisations which fall victim to attacks are willing to pay the ransom.A report by defence think tank, the Royal United Services Institute (RUSI) and cybersecurity company BAE Systems warns that the ‘perfect storm’ of conditions have come together and allowed ransomware attacks to run rampant against organisations around the world.Those elements range from how easy it is for cyber criminals to acquire and distribute ransomware, and the frequency of ransomware payouts, to the way the Covid-19 pandemic has made it simpler for malicious hackers to gain entry to networks.But it’s the way in which enough victims of ransomware are paying ransoms which ultimately helps encourage cyber criminals to pursue this line of attack – and normalises the act of giving into the ransom demand.”The more organisations that pay a ransom, the more acceptable the notion of paying a ransom to solve the problem becomes,” the paper warns, adding that the ability to claim ransom payments back via cyber insurance may further encourage payments to criminals.And with the rise of ransomware-as-a-service, it’s relatively simple for even low-skilled cyber criminals to get involved with ransomware. The attackers pay a fee or a subscription for pre-packaged ransomware which they can then use as part of their attacks.SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic) 

Some of these as-a-service offerings are relatively small-time, while others such as REvil result in attacks where victims pay out hundreds of thousands of dollars – with the authors of the ransomware getting a part of the fee. Keen to make as much money as possible, many ransomware operators will publicise their offerings on underground forums to attract as many users as possible, complete with customer service.”Recent evidence suggesting that ransomware operators are on active recruitment drives for new talent are a concerning sign that the scale of the threat is still increasing,” warns the research paper.Ransomware groups are always evolving and this has also helped contribute to the success of the attacks. Ransomware attacks were already proving effective, but the attackers behind Maze added another weapon to force victims to pay up – threatening to leak stolen data if the ransom isn’t paid.The success of this “double extortion” technique has been adopted by a number of other ransomware groups who are using it as an additional method to coerce victims into paying the bitcoin ransom. The range of ways which cyber criminals can gain access to networks is also adding to the success of ransomware. Attack methods like phishing, brute-force attacks looking to crack weak passwords on remote desktop protocol services or abusing technical vulnerabilities are all playing a part in allowing ransomware attackers to gain the access to systems they require.Something which has helped cyber criminals gain a foothold in networks for ransomware attacks is the boom in remote working. With employees working from home and relying on email and remote services more than ever before, cyber criminals have been taking advantage by exploiting the reduced security of remote employees as a stepping stone to installing ransomware on corporate systems.Ultimately, the report concludes, ransomware attacks will only stop if ransomware becomes unprofitable – and that relies on organisations becoming secure enough to not fall victim to attacks in the first place, so never having to even consider paying a ransom due to an attack.Recommendations on securing networks include ensuring the timely patching of critical vulnerabilities and the use of multi-factor authentication wherever possible, along with reinforcing phishing awareness training.MORE ON CYBERSECURITY More

NordSec’s Tomas Okman is working on a proof-of-concept that “might render antivirus systems useless.”  The company behind NordVPN has big plans to offer a threat protection suite, a “different kind of antivirus system,” and protect your privacy at the edge of a network. But before that vision becomes reality, NordSec, the company that counts NordVPN […] More