More stories

  • This new malware wants to create backdoors and targets Windows, Linux and macOS

    Cybersecurity researchers have uncovered a new form of malware that can create backdoors on Windows, Linux and macOS operating systems, providing hackers with full access to compromised systems. The malware has been detailed by researchers at Intezer, who have named it SysJoker. It was discovered while they were investigating an attack against a Linux-based web server at an undisclosed educational institution in December. SysJoker wasn’t the malware behind the attack being investigated – but it was already present on the servers. 

    The nature of SysJoker and the way it’s designed to provide a backdoor into systems – with the ability to run commands, download and upload files – suggests the goal for those delivering it could be espionage, but it could also be utilised as a tool for delivering additional malware to compromised systems.

    “Based on the malware’s capabilities we assess that the goal of the attack is espionage together with lateral movement that might also lead to a ransomware attack as one of the next stages,” Avigayil Mechtinger, cybersecurity researcher at Intezer, told ZDNet.

    SysJoker compromises victim devices by masquerading as a system update for Linux and macOS, while in the Windows version it masquerades as Intel drivers. It’s unclear how the phoney driver updates are delivered to victims, but the nature of the updates means that users are likely to follow the instructions to install them. Researchers note that the names of the updates, like “updateMacOs” and “updateSystem”, are relatively generic, which is something that could potentially arouse suspicion.

    Based on analysis of SysJoker, the malware started being actively deployed in attacks in the second half of 2021 and the attackers behind it are paying close attention to their campaigns. Even during the period of analysis after the malware was initially discovered in December, the command and control domain behind the attacks changed three times, indicating that those behind the campaign are actively monitoring targets.

    The way the attackers pay close attention to compromised victims, the way in which they appear to carefully choose their targets and the way that the malware can target multiple operating systems suggest that those behind SysJoker are what researchers describe as an “advanced threat actor”. In addition, the fact that the attackers have written code from scratch that hasn’t been seen in previous attacks and can target three different operating systems also suggests that whoever the cyber criminals behind SysJoker are, they know what they’re doing.

    While the campaign isn’t widespread, SysJoker – with attackers who appear to go after specific targets and can remain hidden on compromised networks for significant periods of time – was only discovered when another attack was being investigated. It’s likely that the campaign is still active, but researchers have detailed advice on how to avoid falling victim. This includes using memory scanners to detect malicious payloads that have potentially been installed. Administrators should also be on the lookout for potentially suspicious activity and investigate it if something feels amiss.

  • Remote Access Trojans spread through Microsoft Azure, AWS cloud service abuse

    A recent campaign leveraging public cloud infrastructure is deploying not one, but three commercial Remote Access Trojans (RATs).

    Nanocore, Netwire, and AsyncRAT payloads are being deployed from public cloud systems in what Cisco Talos suggests is a way for cyberattackers to avoid having to own or manage their own private, paid infrastructure — such as through ‘bulletproof’ hosting which may eventually capture the interest of law enforcement. This abuse allows cybercriminals to leverage the resources of cloud services managed by vendors including Microsoft Azure and Amazon Web Services (AWS) for malicious purposes.

    “These types of cloud services like Azure and AWS allow attackers to set up their infrastructure and connect to the internet with minimal time or monetary commitments,” Talos says. “It also makes it more difficult for defenders to track down the attackers’ operations.”

    On Wednesday, Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer said that a new campaign based on public cloud infrastructure was discovered in October 2021 and the majority of victims are based in the US, Canada, and Italy – however, a handful appear to be from Spain and South Korea.

    The attack chain begins in a typical fashion: through a phishing email, often disguised as an invoice. These messages have .ZIP files attached which, once opened, reveal an ISO image. The ISO file is equipped with a malicious loader for the Trojans through either JavaScript, a Windows batch file, or a Visual Basic script.

    If a victim attempts to load the disk image, these scripts will trigger. Designed to deploy Nanocore, Netwire, and AsyncRAT, the scripts will reach out to a download server to snag a payload — and this is where a public cloud service comes into play. However, the downloader scripts use obfuscation techniques to hide these activities. The JavaScript contains four layers of obfuscation with each new, malicious process generated after the previous layer is peeled back; the batch file contains obfuscated commands that run PowerShell to pick up its payload, and the VBScript file also utilizes PowerShell commands. A PowerShell dropper built with HCrypt was also detected.

    The attackers behind the campaign manage a variety of payload hosts, command-and-control (C2) servers, and malicious subdomains. The majority detected, so far, are hosted on Azure and AWS. “Some of the download servers are running the Apache webserver application,” the researchers say. “The HTTP servers are configured to allow the listing of open directories that contain variants of NanocoreRATs, Netwire RAT, and AsyncRATs malware.”

    In addition, the operators abuse DuckDNS, a legitimate dynamic DNS service for pointing subdomains at IP addresses. The service is used to manage malware downloads via malicious DuckDNS subdomains and to mask the names of the C2 hosts, according to Talos.

    Netwire, Nanocore, and AsyncRAT are popular commercial Trojan strains that are widely used by threat actors to remotely access and hijack vulnerable machines, steal user data, and conduct surveillance by means including audio and camera capture. “Defenders should monitor traffic to their organization and implement robust rules around the script execution policies on their endpoints,” the researchers commented. “It is even more important for organizations to improve email security to detect and mitigate malicious email messages and break the infection chain as early as possible.”

  • Log4j: How hackers are using the flaw to deliver this new 'modular' backdoor

    Iran-backed hacking group Phosphorous or APT35 is using the Log4j vulnerability to distribute a new modular PowerShell toolkit, according to security firm Check Point. APT35 is one of several state-backed hacking groups known to have been developing tools to exploit public-facing Java applications that use vulnerable versions of the Log4j error-logging component.

    Microsoft, which tracks the group as Phosphorous and has called it out for increasingly using ransomware in attacks, found it had operationalized a Log4j exploit for future campaigns less than a week after Log4Shell’s December 9 disclosure.

    According to a further analysis by Check Point, APT35’s Log4j work was sloppy and “obviously rushed”, using a basic publicly available JNDI exploit kit (now removed from GitHub) for attacks that were easy to detect and attribute. After exploiting Log4j on public-facing systems, the group uses what Check Point describes as ‘a PowerShell-based modular backdoor’ for persistence, communication with a command and control (C&C) server, and command execution for additional modules. The main module of the attacker’s PowerShell framework validates network connections, enumerates characteristics of a compromised system, retrieves the C&C domain from a hardcoded URL, and takes, decrypts and executes subsequent modules. After receiving information about compromised systems, the C&C server either issues no command or instructs the module to execute other modules that are written as PowerShell scripts or C# code.

    Back and forth communication between target and C&C runs continuously to determine what subsequent modules should be submitted to the target, according to Check Point. Each of the additional modules is responsible for encrypting data, exfiltration via the web or an FTP server, and sending execution logs to a remote server. But each module has unique capabilities, such as one for listing installed applications, another for taking screenshots, and more for listing running processes, enumeration, and executing predefined commands from the C&C. A final “cleanup module” is dropped at the end of collection activity that removes evidence, such as running processes created by previously used modules.

    “The modules sent by the C&C are executed by the main module, with each one reporting data back to the server separately,” explains Check Point. “This C&C cycle continues indefinitely, which allows the threat actors to gather data on the infected machine, run arbitrary commands and possibly escalate their actions by performing a lateral movement or executing follow-up malware such as ransomware.”

    On the quality of the group’s work, Check Point had few compliments because, unlike most advanced persistent threats, they don’t bother changing tools and infrastructure for new attacks and are known for making operational security (OpSec) blunders. “The group is famous in the cybersecurity community for the number of OpSec mistakes in their previous operations, and they tend not to put too much effort into changing their infrastructure once exposed,” Check Point notes. The firm says there are similar coding styles between the PowerShell scripts used for Log4Shell and the ones that the group used in Android spyware detailed by Google’s Threat Analysis Group in October.

    Despite the US Cybersecurity and Infrastructure Security Agency’s (CISA) confirmation it had seen no major breaches arise from Log4j exploitation, Microsoft assesses the Log4Shell issue as a “high-risk” situation because it’s difficult for organizations to know which applications, devices and services are affected. CISA also warned that attackers that have exploited Log4j may be waiting for alert levels to drop before using new but undetected footholds in targets.

  • Check your SPF records: Wide IP ranges undo email security and make for tasty phishes

    Image: Can I Phish/Sebastian Salla
    You’ve done the right thing by your organisation and made sure that DMARC and SPF (sender policy framework) records are set in an effort to reduce email spoofing, but all that good work could be undone if the SPF is too permissive in the stated IP range.

    Such a situation was pointed out by Can I Phish CEO Sebastian Salla, who scanned 1.8 million Australian domain records in search of email security snafus. The mistake Salla was looking for was within SPF records, which handle individual IP addresses but also IP ranges. If an organisation had entered a wide IP range and had its email infrastructure sitting on a cloud provider – which reuses IP addresses unless an organisation pays extra for a dedicated IP address – there could be scope to take over an address covered by someone else’s SPF record.

    Finding 60,000 IPs pointed towards various regions within Amazon Web Services (AWS), Salla was well on his way, and able to start EC2 instances on AWS that were handed an IP address that another organisation said it had control of. This happened 264 times. Among those caught out were Australian Parliament House, the University of Sydney, Mirvac, another major property investment group, and a state government organisation.

    “Each of the affected 264 organisations and their downstream customers are significantly more susceptible to business email compromise and phishing-related attacks. Anyone with a credit card can sign-up for an AWS account, cycle through EC2 instances until they get a desirable IP, request AWS to remove any SMTP restrictions and begin sending SPF authenticated emails as though they are any of these organisations,” Salla wrote. “When we consider the position that some of these organisations are in, we can better understand the impact. Imagine a parliamentary staffer receiving an email that appears to come from a Minister, or a student receiving an email posing as someone from university admissions and so on… The recipients in these cases have no technical mechanism to determine the real from fake.”

    Salla told ZDNet that 69 of the organisations he found have yet to fix the issue, despite being given a 30-day remediation window and working with the Australian Cyber Security Centre (ACSC) on disclosure. While small organisations might have used wide IP ranges due to dynamic address allocation, Salla said large organisations have other considerations even though they can afford to reserve address blocks.

    “Due to the way AWS pricing works, if you reserve an IP address and then don’t use it, you get penalised and incur an hourly cost (this is due to the nature of there being limited IPs and AWS not wanting customers to reserve IPs excessively),” he said. “So I suspect, a business unit that focuses on cost optimisation in each org, is likely releasing unused IPs which means people such as myself can come in and take them — ultimately leading to IP takeover attacks if this activity hasn’t been communicated between business units.

    “The ultimate fix is to only list IP addresses that are being actively used by mail servers — in the event that redundancy/disaster recovery are necessary, there are in-built capabilities within AWS that enable this, such as use of load-balancers or NAT gateways that only use a single IP.”

    In response to ZDNet, the ACSC pointed to the Australian government Information Security Manual as well as its advice on email security. “Organisations can reduce the likelihood of their domains being used to support fake emails by implementing Sender Policy Framework and Domain-based Message Authentication, Reporting and Conformance (DMARC) records in their Domain Name System configuration,” an ACSC spokesperson said. “DMARC is one of a variety of controls that, when used together, is a highly effective countermeasure for preventing phishing attacks where the attacker attempts to fully impersonate the sending email domain.

    “It is ultimately up to each agency to implement the advice of the Australian Cyber Security Centre, based on that agency’s assessment of the cyber threats it faces.”

    For its part, the Department of Parliamentary Services said it had fixed the issue. “The Department of Parliamentary Services resolved the issue of an incorrect SPF configuration for the vendor and this had no impact on the network,” it said. The University of Sydney, as is typical, said it took security seriously but would not comment on details of its cyber posture. “We do continually review and improve our systems to manage such threats, and can confirm the matters raised in the blog are not a current issue,” a spokesperson said.

    At the start of last month, Salla found a number of sites created by local web development company Precedence, which includes a Queensland council and federal member as customers, that had used a /16 address range, covering over a million IP addresses, in the SPF record used across its client base. The range was such that Salla said almost any EC2 instance started in Sydney’s ap-southeast-2 region would get an address covered by the range. “The first EC2 instance I spun up had an authorised IP address and I was able to send myself an SPF authenticated email from this particular city council which went straight into my inbox — passing all SPF and DMARC checks,” Salla wrote.
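    To show what Salla’s scan was looking for from the defender’s side, here is an added example (not Can I Phish’s scanner and not code from the article) that parses an SPF record and flags ip4/ip6 mechanisms wider than an assumed cut-off; the sample records, the /28 and /64 thresholds and the domain names are constructed for the illustration, and include/a/mx terms are only listed, not resolved, so it runs offline.

```python
"""Audit an SPF TXT record for overly broad ip4/ip6 mechanisms.

Added example for the SPF story; not Can I Phish's tooling nor code from
the article. Sample records and prefix cut-offs are constructed for this
illustration; include:/a/mx terms are listed, not resolved, so it runs offline.
"""
import ipaddress
from dataclasses import dataclass, field

# Assumed cut-offs: a mechanism wider than these prefixes is flagged. Cloud
# providers hand reused public IPs to any customer, so every address in a
# listed range that is not actually a mail host can end up authorised.
MAX_IPV4_PREFIX = 28   # 16 addresses
MAX_IPV6_PREFIX = 64


@dataclass
class SpfFinding:
    mechanism: str       # the term as written, e.g. "ip4:10.0.0.0/16"
    address_count: int   # how many addresses the term authorises
    too_broad: bool


@dataclass
class SpfReport:
    record: str
    findings: list = field(default_factory=list)
    includes: list = field(default_factory=list)   # expand with DNS separately
    needs_dns: list = field(default_factory=list)  # a / mx / ptr / exists / redirect
    all_qualifier: str = ""                        # "-all", "~all", "?all", "+all"

    @property
    def broad_mechanisms(self) -> list:
        return [f for f in self.findings if f.too_broad]


def audit_spf(record: str) -> SpfReport:
    """Parse one SPF v1 record and flag ip4/ip6 terms wider than the cut-offs."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    report = SpfReport(record=record)
    for term in terms[1:]:
        qualifier, body = "", term
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        lower = body.lower()
        if lower == "all":
            report.all_qualifier = (qualifier or "+") + "all"
        elif lower.startswith("include:"):
            report.includes.append(body.split(":", 1)[1])
        elif lower.startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits set in the written range
            net = ipaddress.ip_network(body.split(":", 1)[1], strict=False)
            limit = MAX_IPV4_PREFIX if net.version == 4 else MAX_IPV6_PREFIX
            report.findings.append(SpfFinding(
                mechanism=term,
                address_count=net.num_addresses,
                too_broad=net.prefixlen < limit,
            ))
        else:
            # a, mx, ptr, exists:, redirect=, exp= all need DNS to evaluate
            report.needs_dns.append(term)
    return report


def summarize(records: dict) -> dict:
    """Map each domain to the number of broad mechanisms in its record."""
    return {domain: len(audit_spf(rec).broad_mechanisms)
            for domain, rec in records.items()}


# Constructed sample records (not any real organisation's SPF).
SAMPLE_RECORDS = {
    "tight.example": "v=spf1 ip4:203.0.113.25 ip4:203.0.113.26 "
                     "include:_spf.example.net -all",
    "wide.example": "v=spf1 ip4:10.0.0.0/16 ~all",
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        report = audit_spf(rec)
        print(f"{domain}: {report.all_qualifier or 'no all term'}")
        for f in report.findings:
            flag = "BROAD" if f.too_broad else "ok"
            print(f"  {f.mechanism:28} {f.address_count:>8} addresses  {flag}")
        for inc in report.includes:
            print(f"  include:{inc} (resolve and audit separately)")
```

    Every include: target has its own record with its own ranges, so a real audit resolves each one and runs the same check on it; a flagged ip4 range is then compared against the addresses the mail servers actually use.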

  • CISA: Russian state-sponsored groups exploited vulnerabilities in Microsoft, Cisco, Oracle tools

    The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Tuesday detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020. When pressed on why the guide was being released now and which local governments were attacked in 2020, CISA said it was part of their “continuing cybersecurity mission” with “interagency partners to warn organizations of potential criminal or nation state cyber threats.” 


    “As described in the advisory, Russian state-sponsored actors have targeted a variety of US and international critical infrastructure organizations over the years. This guidance is being released to broadly share known tactics, techniques, and procedures, and encourage network defenders to take recommended actions,” a CISA spokesperson said.

    The alert said Russian state-sponsored advanced persistent threat (APT) actors have generally targeted US and international critical infrastructure organizations, but it also said the “high-profile cyber activity” revolved around the attacks on state, local, tribal, and territorial (SLTT) governments and aviation networks in the fall of 2020. CISA said the groups “targeted dozens of SLTT government and aviation networks” and were able to successfully compromise networks before exfiltrating data from an unknown number of victims.

    The US cybersecurity agency also said APT groups conducted “multi-stage intrusion” campaigns across multiple companies in the energy sector, deploying ICS-focused malware and collecting enterprise and ICS-related data from 2011 to 2018.
    The notice includes a range of advice for organizations as they try to protect themselves and their systems. CISA, the FBI, and the NSA also released a full list of vulnerabilities that Russian state-sponsored groups typically use to gain initial access to target networks.

    Rick Holland, CISO at Digital Shadows, said these groups use “common but effective tactics,” relying on low-hanging fruit as well as sophisticated capabilities. “While it isn’t sexy, effective security hygiene like patching known vulnerabilities on external services raises the adversary costs and makes their job harder. Don’t be a soft target,” Holland said, noting the recent geopolitical issues embroiling the US-Russia relationship.

    The US is still in the process of recovering from the SolarWinds scandal, which saw Russian government groups gain widespread access to 100 government contractors and multiple agencies including the State Department, Department of Homeland Security, National Institutes of Health, the Pentagon, the Treasury Department, the Department of Commerce, the Department of Energy and the National Nuclear Security Administration.

    Rep. Carolyn Maloney, chairwoman of the House Committee on Oversight and Reform, held a hearing on Tuesday about efforts to strengthen the Federal Information Security Management Act (FISMA), which would force federal agencies to improve their cybersecurity standards. Maloney noted that FISMA hasn’t been updated since 2014 and that federal agencies reported 30,819 cybersecurity incidents in 2020 alone.

    The CISA release also comes as the US and Russia spar over multiple issues in Ukraine and Kazakhstan. The alert cites previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies. CISA explained on Tuesday that the Russian groups involved in the attack used the BlackEnergy malware to steal user credentials, and then they used its malware component KillDisk to make infected computers inoperable.

    “In 2016, these actors conducted a cyber-intrusion campaign against a Ukrainian electrical transmission company and deployed CrashOverride malware specifically designed to attack power grids,” the CISA alert said. Chris Krebs, the former director of CISA, tweeted about the alert, saying, “State and NSC are in Geneva right now trying to keep the Russians out of Ukraine, but in case that doesn’t work, you might want to prepare for badness…”

  • Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed

    Microsoft has released 96 security fixes including updates to address six zero-day vulnerabilities. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) exploits, privilege escalation flaws, spoofing issues, and cross-site scripting (XSS) vulnerabilities.

    Products impacted by January 2022’s security update include Microsoft Exchange Server, the Office software line, Windows Defender, Windows Kernel, RDP, Cryptographic Services, Windows Certificate, and Microsoft Teams. The zero-day vulnerabilities resolved in this update are:

      • CVE-2021-22947: HackerOne assigned CVE: An open source Curl RCE allowing for Man-in-The-Middle (MiTM) attacks.
      • CVE-2021-36976: MITRE assigned CVE: An open source Libarchive use-after-free bug leading to RCE.
      • CVE-2022-21874: A local Windows Security Center API RCE vulnerability (CVSS 7.8).
      • CVE-2022-21919: A Windows User Profile Service Elevation of Privilege security issue (CVSS 7.0), PoC exploit code recorded.
      • CVE-2022-21839: Windows Event Tracing Discretionary Access Control List Denial-of-Service (DoS) (CVSS 6.1).
      • CVE-2022-21836: Windows Certificate spoofing, PoC code recorded (CVSS 7.8).

    None of the zero-day flaws above are known to have been exploited in the wild. A total of 24 vulnerabilities were patched earlier this month in Microsoft Edge (Chromium-based). According to the Zero Day Initiative (ZDI), this volume is unusual for the month of January, with previous years often being roughly half this number. Microsoft has also announced a refreshed Security Update Guide notification system, with standard email addresses now being accepted at signup rather than only Live IDs.

    Last month, Microsoft published 67 security fixes in the December 2021 Patch Tuesday. Seven critical vulnerabilities were among the issues patched, alongside six zero-day security flaws. One of the zero-days tackled was CVE-2021-43890, a bug in the Windows AppX Installer that is being actively exploited in the wild to spread Emotet, Trickbot, and Bazaloader malware.

    A month prior, the tech giant tackled 55 vulnerabilities during the November 2021 Patch Tuesday.

    In recent Microsoft news, earlier this month the company published an emergency fix for a bug impacting on-premise Exchange Servers. A date-check failure glitch prevented mail from moving smoothly through the transport queues of Exchange Server 2016 and Exchange Server 2019. Alongside Microsoft’s Patch Tuesday round, other vendors, too, will publish security updates.

  • CISA adds 15 exploited vulnerabilities from Google, IBM, Microsoft, Oracle and more to catalog

    This week, the Cybersecurity and Infrastructure Security Agency (CISA) added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Three of the vulnerabilities need to be remediated by federal civilian agencies before January 24, while the rest have remediation dates of July 10. 

    CISA said the list is “based on evidence that threat actors are actively exploiting the vulnerabilities” and noted that the vulnerabilities are “a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

    The most urgent additions include a VMware vCenter Server Improper Access Control vulnerability, a Hikvision Improper Input Validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability. The rest of the list includes vulnerabilities involving Google Chrome, Microsoft Win32K, Microsoft WinVerify, Elastic Kibana, Primetek Primefaces, IBM WebSphere Application Server, Exim Mail Transfer Agent, Palo Alto Networks PAN-OS, Fortinet FortiOS and FortiProxy, Synacor Zimbra and Oracle WebLogic Server.

    The Known Exploited Vulnerabilities Catalog was created last year through a binding directive that allowed CISA to force federal civilian agencies to address certain vulnerabilities that are being used by cyberattackers. The first version of the list included 306 vulnerabilities commonly exploited during attacks but has grown since then.

    Joshua Aagard, a vulnerability analyst on the Photon Research Team at Digital Shadows, told ZDNet that CISA’s additions are wide-ranging and likely to come with knock-on effects for infrastructure. “Unauthorized actions and remote execution are cited many times as the consequence of successful exploitation. So are data input via sanitization and proper logical handling,” Aagard said.

    “Those I inspected also tend to share a common theme of centralized command or encompass a single point of failure. From an attacker’s perspective, a server console or critical proxy can serve as a Jenga block that brings down all the rest of the accompanying infrastructure.”

    The three that stood out most to him were the VMware vCenter Server Improper Access Control vulnerability, the Hikvision Improper Input Validation vulnerability and the FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability. Aagard explained that the vulnerability in Hikvision CCTV cameras and camera systems relates to a lack of input validation, which leaves servers open to potentially malicious command injection attacks, otherwise known as RCE. “Full control of the target device can be had via nonrestricted shell at the root level, which even supersedes the designated owner level,” Aagard said.

    The FatPipe Networks vulnerability affects their WARP, IPVPN, and MPVPN offerings and allows attackers to gain access to an unrestricted file upload function on the servlet at the URL path /fpui/uploadConfigServlet, which can then be used to drop a webshell at /fpui/img/1,jsp for access to root and subsequent elevated privileges, according to Aagard. “Successful exploitation of this vulnerability could lead to pivot access with the internal network. Software versions prior to releases 10.1.2r60p93 and 10.2.2r44p1 are affected by this issue,” Aagard said.

    For the VMware vulnerability, a malicious actor with common network access to port 443 on vCenter Server could exploit this issue to perform a bypass and gain access to internal endpoints, Aagard explained. Netenrich principal threat hunter John Bambenek echoed Aagard’s concern about the VMware vulnerability, noting that VMware servers aren’t just one asset and are typically used to control many of the important assets in an organization.

    “This vulnerability provides a straightforward path to taking over a vCenter instance and all the assets therein,” Bambenek said. “Another observation is some of these vulnerabilities are quite old (one is from 2013). Why the federal government needs six more months to patch an 8-year-old vulnerability tells me all I need to know about how broken IT security is with the government.”

  • DDoS attacks that come combined with extortion demands are on the rise

    There’s been a significant rise in distributed denial-of-service (DDoS) attacks accompanied by threats of extortion, with criminals demanding ransom payments in exchange for calling off an attack.

    DDoS attacks pose problems for organisations when attackers flood servers and online infrastructure with requests for access, slowing down services or taking them fully offline, thus preventing legitimate users from accessing services at all – and cutting off business for the affected organisation.

    While they’re not an especially advanced form of cyber attack, DDoS attacks still prove to be effective and cybersecurity researchers at Cloudflare have warned that some of the cyber criminals behind DDoS campaigns are becoming more prolific and more aggressive. This includes a large rise in the number of ransom DDoS attacks – when cyber criminals demand a ransom to stop a DDoS attack or to not conduct one in the first place.

    According to Cloudflare, ransom DDoS attacks increased by almost a third year-on-year between 2020 and 2021 and jumped by 175% in the final quarter of 2021 compared to the previous three months. This included large-scale ransom DDoS attacks on voice over IP (VoIP) service providers.

    According to a survey by Cloudflare, just over one in five DDoS attacks was accompanied by a ransom note from the attacker during 2021. In December – a prime time for online retailers in the run up to Christmas – one in three of the organisations surveyed said they’d received a ransom letter relating to a DDoS attack.

    Targets on the receiving end of DDoS attacks can commonly include online retailers, online local governments, cloud-based business applications, streaming services and online games. “Over the years, it has become increasingly easier for attackers to launch DDoS attacks,” researchers warned in the blog post.

    There are a number of steps organisations can take to avoid disruption as a result of DDoS attacks; these include using cloud-based hosting providers, deploying IP stresser services to test bandwidth capabilities and employing a DDoS mitigation service.