FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach

By Newsroom
Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise's (HPE) cloud email environment to exfiltrate mailbox data. "The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,"

The Definitive Enterprise Browser Buyer's Guide

By The Hacker News
Security stakeholders have come to realize that the prominent role the browser has in the modern corporate environment requires a re-evaluation of how it is managed and protected. While not long-ago web-borne risks were still addressed by a patchwork of endpoint, network, and cloud solutions, it is now clear that the partial protection these solutions provided is no longer sufficient. Therefore,

AI Solutions Are the New Shadow IT

By The Hacker News
Ambitious Employees Tout New AI Tools, Ignore Serious SaaS Security RisksLike the SaaS shadow IT of the past, AI is placing CISOs and cybersecurity teams in a tough but familiar spot.  Employees are covertly using AI with little regard for established IT and cybersecurity review procedures. Considering ChatGPT’s meteoric rise to 100 million users within 60 days of launch, especially with little

Microsoft Patch Tuesday, March 2023 Edition

By BrianKrebs

Microsoft on Tuesday released updates to quash at least 74 security bugs in its Windows operating systems and software. Two of those flaws are already being actively attacked, including an especially severe weakness in Microsoft Outlook that can be exploited without any user interaction.

The Outlook vulnerability (CVE-2023-23397) affects all versions of Microsoft Outlook from 2013 to the newest. Microsoft said it has seen evidence that attackers are exploiting this flaw, which can be done without any user interaction by sending a booby-trapped email that triggers automatically when retrieved by the email server — before the email is even viewed in the Preview Pane.

While CVE-2023-23397 is labeled as an “Elevation of Privilege” vulnerability, that label doesn’t accurately reflect its severity, said Kevin Breen, director of cyber threat research at Immersive Labs.

Known as an NTLM relay attack, it allows an attacker to get someone’s NTLM hash [Windows account password] and use it in an attack commonly referred to as “Pass The Hash.”

“The vulnerability effectively lets the attacker authenticate as a trusted individual without having to know the person’s password,” Breen said. “This is on par with an attacker having a valid password with access to an organization’s systems.”

Security firm Rapid7 points out that this bug affects self-hosted versions of Outlook like Microsoft 365 Apps for Enterprise, but Microsoft-hosted online services like Microsoft 365 are not vulnerable.

The other zero-day flaw being actively exploited in the wild — CVE-2023-24880 — is a “Security Feature Bypass” in Windows SmartScreen, part of Microsoft’s slate of endpoint protection tools.

Patch management vendor Action1 notes that the exploit for this bug is low in complexity and requires no special privileges. But it does require some user interaction, and can’t be used to gain access to private information or privileges. However, the flaw can allow other malicious code to run without being detected by SmartScreen reputation checks.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said CVE-2023-24880 allows attackers to create files that would bypass Mark of the Web (MOTW) defenses.

“Protective measures like SmartScreen and Protected View in Microsoft Office rely on MOTW, so bypassing these makes it easier for threat actors to spread malware via crafted documents and other infected files that would otherwise be stopped by SmartScreen,” Childs said.

Seven other vulnerabilities Microsoft patched this week earned its most-dire “critical” severity label, meaning the updates address security holes that could be exploited to give the attacker full, remote control over a Windows host with little or no interaction from the user.

Also this week, Adobe released eight patches addressing a whopping 105 security holes across a variety of products, including Adobe Photoshop, Cold Fusion, Experience Manager, Dimension, Commerce, Magento, Substance 3D Stager, Cloud Desktop Application, and Illustrator.

For a more granular rundown on the updates released today, see the SANS Internet Storm Center roundup. If today’s updates cause any stability or usability issues in Windows, AskWoody.com will likely have the lowdown on that.

Please consider backing up your data and/or imaging your system before applying any updates. And feel free to sound off in the comments if you experience any problems as a result of these patches.

Syxsense Platform: Unified Security and Endpoint Management

By The Hacker News
As threats grow and attack surfaces get more complex, companies continue to struggle with the multitude of tools they utilize to handle endpoint security and management. This can leave gaps in an enterprise's ability to identify devices that are accessing the network and in ensuring that those devices are compliant with security policies. These gaps are often seen in outdated spreadsheets that

New Flaws in TPM 2.0 Library Pose Threat to Billions of IoT and Enterprise Devices

By Ravie Lakshmanan
A pair of serious security defects has been disclosed in the Trusted Platform Module (TPM) 2.0 reference library specification that could potentially lead to information disclosure or privilege escalation. One of the vulnerabilities, CVE-2023-1017, concerns an out-of-bounds write, while the other, CVE-2023-1018, is described as an out-of-bounds read. Credited with discovering and reporting the

New Wave of Ransomware Attacks Exploiting VMware Bug to Target ESXi Servers

By Ravie Lakshmanan
VMware ESXi hypervisors are the target of a new wave of attacks designed to deploy ransomware on compromised systems. "These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021," the Computer Emergency Response Team (CERT) of France said in an advisory on Friday. VMware, in its own alert released at the time, described the issue as an 

Hackers Abused Microsoft's "Verified Publisher" OAuth Apps to Breach Corporate Email Accounts

By Ravie Lakshmanan
Microsoft on Tuesday said it took steps to disable fake Microsoft Partner Network (MPN) accounts that were used for creating malicious OAuth applications as part of a phishing campaign designed to breach organizations' cloud environments and steal email. "The applications created by these fraudulent actors were then used in a consent phishing campaign, which tricked users into granting

A Holiday Gift of Savings with Cisco Secure Choice EAs

By Kathy Miller

Give the gift of security resilience and receive instant savings from a secure choice enterprise agreement.

When it comes to the holidays, most thoughts turn towards shopping and spending time with friends and loved ones. In the business world, the holiday season often lands at the end of the quarter / fiscal year, and businesses start to make lists of things that need to be purchased in the coming years, and sometimes they find themselves wanting to purchase a gift – so to speak – for themselves.

The problem that many organizations face is that when it comes to purchasing products and services, balancing today’s needs and budget isn’t as easy as it sounds. Add to this the concern of unclear future security needs which can be stressful. But what if you could get exactly what you need, protect the budget and future-proof your investment at the same time?

We want to give a gift to you. That is right, you read that correctly. We want to make your holidays a little bit more special with the gift of security resilience. And we can offer that to you with instant savings.

Build Out Your Security Resilience

Here are a few examples of how you can build the gift of security resilience that best fits your organization’s security needs today and is ready to grow with your tomorrow.

User and Device Security

Provide edge to edge protection. Hold the first line of defense against cyberthreats for branch offices and remote users. Maintain the last line of defense, by protecting your endpoint devices with rapid incident detection, response, and remediation of advanced threats.

Provide protection for your users and devices with these essential Cisco Secure products.

Cloud and Application Security

Protect what matters, get cloud and application protection that secures internet access, safeguards cloud app usage, and identifies public cloud threats. Build out your cloud and application security with these essential Cisco Secure products.

Zero Trust Secure Access

Cisco Secure Zero Trust helps you transform your business with continuous verification of users and devices for secure access. These Cisco Secure products are part of the essential architecture towards building zero trust secure access.

Your Gift Starts with Two

Choose any of the two Cisco Secure products that you want to buy towards building out user and device security, cloud and application security, zero trust secure access, or any of our security solutions. You do not have to stop with two, you have the freedom to grow; add more, save more.

Cisco Secure products you can choose from:

  • Cisco Secure Endpoint offers advanced endpoint protection across control points, enabling your business to stay resilient.
  • Cisco Umbrella offers the gift of flexible, cloud delivered security. It combines multiple security functions into one solution, so you can extend data protection to devices, remote users, and distributed locations anywhere.
  • Cisco Secure Firewall helps you plan, prioritize, close gaps, and recover from disaster stronger.
  • Secure Access by Duo helps you adapt to the changing threat landscapes faster with full scale visibility and unmatched reliability, all from an interface so simple that anyone can use it.
  • Cisco Secure Email helps you rapidly detect, quarantine, investigate, and remediate cyberattacks that target your email.
  • Cisco Secure Network Analytics analyzes your existing network data to help detect threats that may have found a way to bypass your existing controls, before they can do serious damage.
  • Cisco Kenna Security manages vulnerability by cutting costs, saving time, and keeping your teams focused on reducing the biggest risks to your business.
  • Cisco Identity Services Engine (ISE) enables an automated approach to discover, profile, authenticate, and authorize trusted endpoints and end users connecting to the self-managed network infrastructure, regardless of access medium.
  • Cisco Cloudlock is a cloud-native cloud access security broker (CASB) that helps you move to the cloud safely. It protects your cloud users, data, and apps. Cloudlock’s simple, open, and automated approach uses APIs to manage the risks in your cloud app ecosystem. With Cloudlock you can more easily combat data breaches while meeting compliance regulations.
  • Cisco Secure Workload seamlessly delivers a zero-trust approach to securing your application workloads across any cloud and on-premises data center environments by reducing the attack surface, preventing lateral movement, identifying workload behavior anomalies, and remediating threats quickly.

Give the Gift of Security with a Cisco Secure Choice Enterprise Agreement

Choose, buy, and deploy Cisco Secure products through one easy-to-manage Cisco Secure Choice Enterprise Agreement; save more as you buy more for all of those on your holiday list. Protect your end users working remotely, in office only, or in a hybrid environment as with more devices on and off the network, cybersecurity risks are not slowing down anytime soon. Build the solution that best fits your organization through a single, flexible agreement that lets you pay annually, as you go, over 3 or 5 years, with 0% financing.

With Cisco’s Secure Choice Enterprise Agreements, you can add security resilience in 2023 and beyond, with exactly the security products and services you need, right when you need them the most.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Critical Flaws Disclosed in Device42 IT Asset Management Software

By Ravie Lakshmanan
Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems. "By exploiting these issues, an attacker could impersonate other users, obtain admin-level access in the application (by leaking session with an LFI) or obtain full access to the

Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers

By Ravie Lakshmanan
FileWave's mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. "The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty

A Deep Dive Into the Residential Proxy Service ‘911’

By BrianKrebs

The 911 service as it exists today.

For the past seven years, an online service known as 911 has sold access to hundreds of thousands of Microsoft Windows computers daily, allowing customers to route their Internet traffic through PCs in virtually any country or city around the globe — but predominantly in the United States. 911 says its network is made up entirely of users who voluntarily install its “free VPN” software. But new research shows the proxy service has a long history of purchasing installations via shady “pay-per-install” affiliate marketing schemes, some of which 911 operated on its own.

911[.]re is one of the original “residential proxy” networks, which allow someone to rent a residential IP address to use as a relay for his/her Internet communications, providing anonymity and the advantage of being perceived as a residential user surfing the web.

From a website’s perspective, the IP traffic of a residential proxy network user appears to originate from the rented residential IP address, not from the proxy service customer. These services can be used in a legitimate manner for several business purposes — such as price comparisons or sales intelligence — but they are massively abused for hiding cybercrime activity because they can make it difficult to trace malicious traffic to its original source.

Residential proxy services are often marketed to people seeking the ability to evade country-specific blocking by the major movie and media streaming providers. But some of them — like 911 — build their networks in part by offering “free VPN” or “free proxy” services that are powered by software which turns the user’s PC into a traffic relay for other users. In this scenario, users indeed get to use a free VPN service, but they are often unaware that doing so will turn their computer into a proxy that lets others use their Internet address to transact online.

The current prices for 911’s proxies.

Researchers at the University of Sherbrooke in Canada recently published an analysis of 911, and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.

“The 911[.]re network uses at least two free VPN services to lure its users to install a malware-like software that achieves persistence on the user’s computer,” the researchers wrote. “During the research we identified two free VPN services that [use] a subterfuge to lure users to install software that looks legitimate but makes them part of the network. These two software are currently unknown to most if not all antivirus companies.”

A depiction of the Proxygate service. Image: University of Sherbrooke.

The researchers concluded that 911 is supported by a “mid scale botnet-like infrastructure that operates in several networks, such as corporate, government and critical infrastructure.” The Canadian team said they found many of the 911 nodes available for rent were situated within several major US-based universities and colleges, critical infrastructures such as clean water, defense contractors, law enforcement and government networks.

Highlighting the risk that 911 nodes could pose to internal corporate networks, they observed that “the infection of a node enables the 911.re user to access shared resources on the network such as local intranet portals or other services.”

“It also enables the end user to probe the LAN network of the infected node,” the paper continues. “Using the internal router, it would be possible to poison the DNS cache of the LAN router of the infected node, enabling further attacks.”

The 911 user interface, as it existed when the service first launched in 2016.

THE INTERNET NEVER FORGETS

A review of the clues left behind by 911’s early days on the Internet paint a more complete picture of this long-running proxy network. The domain names used by 911 over the years have a few common elements in their original WHOIS registration records, including the address ustraffic@qq.com and a Yunhe Wang from Beijing.

That ustraffic email is tied to a small number of interesting domains, including browsingguard[.]com, cleantraffic[.]net, execlean[.]net, proxygate[.]net, and flashupdate[.]net.

A cached copy of flashupdate[.]net available at the Wayback Machine shows that in 2016 this domain was used for the “ExE Bucks” affiliate program, a pay-per-install business which catered to people already running large collections of hacked computers or compromised websites. Affiliates were paid a set amount for each installation of the software, with higher commissions for installs in more desirable nations, particularly Europe, Canada and the United States.

“We load only one software — it’s a Socks5 proxy program,” read the message to ExE Bucks affiliates. The website said affiliates were free to spread the proxy software by any means available (i.e. “all promotion methods allowed”). The website’s copyright suggests the ExE Bucks affiliate program dates back to 2012.

A cached copy of flashupdate[.]net circa 2016, which shows it was the home of a pay-per-install affiliate program that incentivized the silent installation of its software. “FUD” in the ad above refers to software and download links that are “Fully UnDetectable” as suspicious or malicious by all antivirus software.

Another domain tied to the ustraffic@qq.com email in 2016 was ExeClean[.]net, a service that advertised to cybercriminals seeking to obfuscate their malicious software so that it goes undetected by all or at least most of the major antivirus products on the market.

“Our technology ensures the maximum security from reverse engineering and antivirus detections,” ExEClean promised.

The Exe Clean service made malware look like goodware to antivirus products.

Yet another domain connected to the ustraffic email is p2pshare[.]net, which advertised “free unlimited internet file-sharing platform” for those who agreed to install their software.

p2pshare.net, which bundled 911 proxy with an application that promised access to free unlimited internet file-sharing.

Still more domains associated with ustraffic@qq.com suggest 911’s proxy has been disguised as security updates for video player plugins, including flashplayerupdate[.]xyz, mediaplayerupdate[.]xyz, and videoplayerupdate[.]xyz.

The earliest version of the 911 website available from the Wayback Machine is from 2016. A sister service called proxygate[.]net launched roughly a year prior to 911 as a “free” public test of the budding new residential proxy service. “Basically using clients to route for everyone,” was how Proxygate described itself in 2016.

For more than a year after its founding, the 911 website was written entirely in Simplified Chinese. The service has only ever accepted payment via virtual currencies such as Bitcoin and Monero, as well as Alipay and China UnionPay, both payment platforms based in China.

Initially, the terms and conditions of 911’s “End User License Agreement (EULA) named a company called Wugaa Enterprises LLC, which was registered in California in 2016. Records from the California Secretary of State office show that in November 2016, Wugaa Enterprises said it was in the Internet advertising business, and had named as its CEO as one Nicolae Aurelian Mazgarean of Brasov, Romania.

A search of European VAT numbers shows the same Brasov, RO address tied to an enterprise called PPC Leads SRL (in the context of affiliate-based marketing, “PPC” generally refers to the term “pay-per-click”).

911’s EULA would later change its company name and address in 2017, to International Media Ltd. in the British Virgin Islands. That is the same information currently displayed on the 911 website.

The EULA attached to 911 software downloaded from browsingguard[.]com (tied to the same ustraffic@qq email that registered 911) references a company called Gold Click Limited. According to the UK Companies House, Gold Click Limited was registered in 2016 to a 34-year-old Yunhe Wang from Beijing City. Many of the WHOIS records for the above mentioned domains also include the name Yunhe Wang, or some variation thereof.

In a response to questions from KrebsOnSecurity, 911 said the researchers were wrong, and that 911 has nothing to do with any of the other domains mentioned above.

“We have 911 SDK link and how it works described clearly in the “Terms of use” of affiliated partners products, and we have details of how the community powered network works on our webpages,” read an email response.

“Besides that, for protecting the end users, we banned many domains’ access and blocked the vulnerable ports, e.g. spamming emails, and torrent is not possible from the 911 network,” the reply continued. “Same as scanning and many others…Accessing to the Lan network and router is also blocked. We are monitoring 911 user’s account closely, once any abnormal behavior detected, we suspend the user’s account right away.”

FORUM ACTIVITY?

911 has remained one of the most popular services among denizens of the cybercrime underground for years, becoming almost shorthand for connecting to that “last mile” of cybercrime. Namely, the ability to route one’s malicious traffic through a computer that is geographically close to the consumer whose credit card they’re about to charge at some website, or whose bank account they’re about to empty.

Given the frequency with which 911 has been praised by cybercrooks on the top forums, it was odd to find the proprietors of 911 do not appear to have created any official support account for the service on any of several dozen forums reviewed by this author going back a decade. However there are two cybercriminal identities on the forums that have responded to individual 911 help requests, and who promoted the sale of 911 accounts via their handles.

Both of these identities were active on the crime forum fl.l33t[.]su between 2016 and 2019. The user “Transfer” advertised and sold access to 911 from 2016 to 2018, amid many sales threads where they advertised expensive electronics and other consumer goods that were bought online with stolen credit cards.

In a 2017 discussion on fl.l33t[.]su, the user who picked the handle “527865713” could be seen answering private messages in response to help inquiries seeking someone at 911. That identity is tied to an individual who for years advertised the ability to receive and relay large wire transfers from China.

One ad from this user in 2016 offered a “China wire service” focusing on Western Union payments, where “all transfers are accepted in China.” The service charged 20 percent of all “scam wires,” unauthorized wire transfers resulting from bank account takeovers or scams like CEO impersonation schemes.

911 TODAY

In August 2021, 911’s biggest competitor — a 15-year-old proxy network built on malware-compromised PCs called VIP72abruptly closed up shop. Almost overnight, an overwhelming number of former VIP72 customers began shifting their proxy activities to 911.

The login page for VIP72, until recently 911’s largest competitor.

That’s according to Riley Kilmer, co-founder of Spur.us — a security company that monitors anonymity services. Kilmer said 911 also gained an influx of new customers after the Jan. 2022 closure of LuxSocks, another malware-based proxy network.

“911’s user base skyrocketed after VIP72 and then LuxSocks went away,” Kilmer said. “And it’s not hard to see why. 911 and VIP72 are both Windows-based apps that operate in a similar way, where you buy private access to IPs.”

Kilmer said 911 is interesting because it appears to be based in China, while nearly all of the other major proxy networks are Russian-backed or Russian-based.

“They have two basic methods to get new IPs,” Kilmer said. “The free VPN apps, and the other is trojanized torrents. They’ll re-upload Photoshop and stuff like that so that it’s backdoored with the 911 proxy. They claim the proxy is bundled with legitimate software and that users all agree to their Terms of Service, meanwhile they can hide behind the claim that it was some affiliate who installed the software, not them.”

Kilmer said at last count, 911 had nearly 200,000 proxy nodes for sale, spanning more than 200 countries: The largest geographic concentration is the United States, where more than 42,000 proxies are currently for rent by the service.

PARTING THOUGHTS

Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

I’ve largely avoided wading into the fray about which VPN services are best, but there are so many shady and just plain bad ones out there that I’d be remiss if I didn’t mention one VPN provider whose business practices and transparency of operation consistently distinguish them from the rest. If maintaining your privacy and anonymity are primary concerns for you as a VPN user, check out Mullvad.net.

Let me make clear that KrebsOnSecurity does not have any financial or business ties to this company (for the avoidance of doubt, this post doesn’t even link to them). I mention it only because I’ve long been impressed with their candor and openness, and because Mullvad goes out of its way to discourage customers from sharing personal or financial data.

To that end, Mullvad will even accept mailed payments of cash to fund accounts, quite a rarity these days. More importantly, the service doesn’t ask users to share phone numbers, email addresses or any other personal information. Nor does it require customers to create passwords: Each subscription can be activated just by entering a Mullvad account number (woe to those who lose their account number).

I wish more companies would observe this remarkably economical security practice, which boils down to the mantra, “You don’t have to protect what you don’t collect.”

Update, July 24, 11:15 a.m. ET: 911’s homepage now includes a banner saying the service has halted new registrations and payments. “We are reviewing our network and adding a series of security measures to prevent misuse of our services,” the message reads. “Proxy balance top-up and new user registration are closed. We are reviewing every existing user, to ensure their usage is legit and [in] compliance with our Terms of Service.”

Update, July 30, 10:07 a.m. ET: 911 announced on July 28 that it is permanently closing down, following a series of data breaches this month that 911 says resulted in the deletion of customer data.

Get More from Your Cybersecurity Spend When Inflation Rates Climb

By Ankur Chadda

Find out how you can stretch your organization’s security budget amidst inflation and its economic impacts.

No one could have predicted the lasting effects of the pandemic on our economy. A strain has been put on the overall supply chain, causing the value of the dollar, or any other local currency, to not go as far as it once did. Consumers are experiencing skyrocketing energy, gas, and food prices, and businesses are facing delays in deliveries of goods and services to their customers.

According to the Consumer Price Index (CPI), the U.S. economy has seen an uptick as high as 8.5% over the past twelve months, which is the largest spike since the early 1980s. Ideally, the economy should be in a balance of about 2% inflation.

When inflation rates go up, there is a steady rise in costs, putting a heavy burden on individuals and businesses.

Price Protection for your Cybersecurity Spend

Even with the rise in inflation, the need for products and services are still there to keep organizations operational. Cybersecurity attacks do not fall under the radar with inflation. If anything, cost increases mean you might get less protection for the same amount of spend, making cyber threats against your organization riskier. Businesses are forced to make budget adjustments, but cybersecurity spend is crucial to maintain the integrity of customer data and finances. Many businesses will be forced to have to raise prices for goods and services, passing the higher cost on to their customers. The solutions needed to maintain security should be simple and flexible to buy in a complex world. Cisco believes in price protection, not passing on the burdens of inflation to our customer.

Instant Savings with Cisco Secure Choice Enterprise Agreement

Cisco can help you with instant savings, avoiding inflation hikes with our price protection guarantee when it comes to buying security solutions to meet the security needs of your organization. With the significant shift in the way we work – remote work, office only, or hybrid, there are more devices on and off the network, leading to an increase in cybersecurity risks. Threats are not slowing down any time soon. Security needs to work together in a simple way to help you stay ahead of these threats to protect users everywhere, working from anywhere. Cisco Secure takes an integrated platform approach to radically simplify your security, applying intelligence to anticipate the changing needs of your business and provide the robust protection you need.

Whatever your organizational security needs may be, buying through the Cisco Secure Choice Enterprise Agreement allows you the flexibility to access two or more security products. Choose from network security, user & endpoint protection, cloud edge, or app security line of products.

Secure Choice Enterprise Agreements lets budgets go further and offers predictable billing over time so you can move faster in responding to security needs. Get a built-in security platform, SecureX, at no extra cost!

Cisco Secure products have never been simpler to buy. Add products, based on your specific security business goals, and receive additional discounts, up to 20% savings off list price. Start saving now with a Cisco Secure Enterprise Agreement.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Technical Analysis of CVE-2021-1732

By Eoin Carroll

Introduction

In February 2021, the company Dbappsecurity discovered a sample in the wild that exploited a zero-day vulnerability on Windows 10 x64.

The vulnerability, CVE-2021-1732, is a win32k window object type confusion leading to an OOB (out-of-bounds) write which can be used to create arbitrary memory read and write capabilities within the Windows kernel (local Elevation of Privilege (EoP)). Memory exploitation generally requires a read, write, and execute primitive to bypass modern exploit mitigations such as DEP, ASLR and CFG on hardened operating systems such as Windows 10. A data-only attack requires only a read and write primitive as it does not seek to execute malicious code in memory, but rather manipulates data structures used by the operating system to its advantage (i.e., to achieve elevated privileges).

Kernel exploits are usually the most sophisticated attack as they interact directly with the Windows kernel. When such attacks are successful, they are critical because they provide high privileges to the attacker, which can be used to increase the impact of the overall exploit chain. In this case the exploit is a Local Privilege Escalation (LPE) that targets 64-bit Windows 10 version 1909. The original sample discovered was compiled in May 2020 and reported to Microsoft in December 2020. While searching for additional findings we went through a public exploit published in March of 2021 by a researcher. Having this code publicly available may raise the potential for additional threat attackers. While we have not found clear evidence demonstrating malicious use of the proof-of-concept (POC), we did discover some variants being tested and uploaded to VirusTotal.

In this blog post, McAfee Advanced Threat Research (ATR) performed a deep dive into the analysis of the vulnerability, to identify the primitives for detection and protection. The exploit is novel in its use of a new win32k arbitrary kernel memory read primitive using the GetMenuBarInfo API, which to the best of our knowledge had not been previously known publicly.

CVE-2021-1732 Deep Dive

Exploitation of CVE-2021-1732 can be divided into six stages with the end goal of escalating a process’ privileges to System. The following diagram shows the stages.

Figure 1 – Six stages of CVE-2021-1732

Before we dive into the details, we must give some background to win32k exploitation primitives which are used in the exploitation of CVE-2021-1732.

Win32K Background

Win32k is a Graphical (GUI) component of the Microsoft Windows Subsystem, most of which exists in the kernel for performance reasons. It is used for graphical print of the Windows OS desktop. However, due to the win32k architecture, the kernel component of win32k still needs to be able to make calls to user mode through user-mode callback functions to facilitate window creation and management.

Kernel user-mode callbacks have been well researched as far back as 2008 and 2010, with a very comprehensive analysis in 2011 by Mandt. A win32k kernel function such as xxxCreateWindowEx will make a callback function such as xxxClientAllocWindowClassExtraBytes through the user process PEB KernelCallbackTable.

When the user-mode callback has completed, NtCallbackReturn executes and passes the expected return parameter back to the kernel. Due to the stateless nature of these callbacks, many vulnerabilities have been discovered related to the locking mechanisms on the objects leading to use-after-free (UAF) exploitation.

Win32k has been one of the most exploited components in the Windows kernel accounting for 63% of vulnerabilities from 2010 to 2018, due to its large attack surface of syscalls relative to ntdll syscalls. Win32k vulnerabilities are generally turned into data-only attacks using a read/write kernel primitive by using a desktop object known as a tagWND data structure.

There are two aspects to data-only attacks:

  1. Discovering a vulnerability.
  2. Leveraging existing or new read/write primitives using specific OS APIs on object fields such as tagWND.cbWndExtra.

The tagWND data structure has two fields which make it a prime target for reading/writing within kernel memory; tagWND.cbWndExtra and tagWND.ExtraBytes. When a window is created using CreateWindowEx, it is possible to request additional bytes of memory directly after the tagWND object in memory through the cbWndExtra field in the WNDCLASSEXA structure when registering the window class.

The number of extra bytes is controlled by the cbWndExtra field, and the allocated additional memory address is located at the ExtraBytes field. The read/write primitive is created as follows:

  1. Discover a vulnerability such as a UAF, which will allow you to write to a tagWND object in memory called WND0.
  2. Allocate another tagWND object called WND1 near the previously corrupted WND0 in memory.
  3. Overwrite WND0.cbWndExtra to a large value such as 0xFFFFFFF.
  4. Call an API such as SetWindowLongPtr on WND0 which will write OOB to fields within WND1.

Win32k kernel user-mode callbacks have been exploited many times by leveraging tagWND read/write capabilities within the Windows kernel for escalation of privileges such as CVE-2014-4113, CVE-2015-0057, MS15-061, CVE-2016-7255 and CVE-2019-0808.

Win32k Exploit Primitives

Several primitives have been observed in the CVE-2021-1732 exploit used by the attackers; additionally, it is worth mentioning that some of them are new and not previously seen in the wild.

Prior to Windows RS4 it was trivial to leak tagWND kernel addresses using multiple techniques, such as calling HMValidateHandle to copy tagWND objects from the kernel to user desktop heap. The latest version of Windows 10 has been hardened against such trivial techniques.

However, using the spmenu kernel address leak technique and relative tagWND desktop heap offsets, once a vulnerability is discovered to overwrite a tagWND.cbWndExtra field, it is possible to achieve kernel read/write capabilities without leaking the actual tagWND kernel addresses. The spmenu technique in this exploit was used here and here, but we are not aware of the GetMenuBarInfo API ever being used before in a win32k exploit.

The following diagram shows the primitives used in CVE-2021-1732.

Figure 2 – CVE-2021-1732 Primitives

Existing Windows OS Mitigations

Great work has been done to harden the security of win32k against EoP attacks with new and improved mitigations by the Microsoft OSR team, Mandt, Google Project Zero, Schenk and Dabah.  These mitigations include:

  1. Type isolation (all same type objects tagWND being used).
  2. Win32k filtering (limited to Edge browser and not process wide but since this research there have been many improvements on win32k API filtering capabilities such as the addition of _stub_UserSetWindowLong and _stub_UserSetWindowLongPtr _stub_UserGetMenuBarInfo in win32k.sys).
  3. Fragmenting kernel desktop heap and removal of kernel addresses in the user desktop heap (can use relative offsets within user and desktop heaps described later in the blog).
  4. Removal of data type symbols from win32k drivers (obfuscation rather than mitigation).

In the context of a malicious process exploiting CVE-2021-1732, the above mitigations provide no protection. However, it does not impact Google Chrome as it disallows win32k calls (Windows 8 and higher), or Microsoft Edge as it applies win32k filtering on the relevant APIs.

Triggering the Vulnerability and Patch Analysis

When a window is created using CreateWindowEx API, a tagWND object is created by the Windows operating system. This window, as explained above, can be created with a parameter to allocate extra memory using cbWndExtra.

During the windows creation process (CreateWindowEx API) a callback named xxxClientAllocWindowClassExtraBytes is triggered to allocate space in the user mode desktop heap for the tagWND.ExtraBytes (offset 0x128) per the tagWND.cbWndExtra (offset 0xc8) value size (see figure 3 and 4 below for WND1).

Figure 3 – WND1 Kernel tagWND – User mode copy located at offset 0x28
Figure 4 – WND1 User Mode tagWND

The location of this memory is stored as a user mode memory pointer to the desktop heap and placed at tagWND.ExtraBytes. It is then possible to convert the normal window to a console window using NtUserConsoleControl which will convert that user mode pointer at tagWND.ExtraBytes to an offset value which points into the kernel desktop heap (see figure 5 below for WND0). It is this change in value at tagWND.ExtraBytes (window type confusion) that can be exploited for an OOB write during the xxxClientAllocWindowClassExtraBytes callback window.

Figure 5 – WND0 User Mode tagWND
Figure 6 – Triggering the type confusion vulnerability within win32kfull!xxxCreateWindowEx

Per figure 6 above the following steps are required to trigger the vulnerability:

  1. Get a pointer to the HMValidateHandle inline function within user32.dll.
  2. Hook xxxClientAllocWindowClassExtraBytes within the PEB KernelCallBack table.
  3. Create multiple windows (we will just use the first two WND0 and WND1 created), using the CreateWindowEx API, so that two windows are created in close memory proximity.
  4. Call HMValidateHandle on WND0 and WND1 which will copy their objects from the kernel desktop heap to user desktop heap. At tagWND+0x8 an offset is stored into the desktop heap; this offset is the same for the user and kernel desktop heaps. The exploit uses these offset values to calculate the relative distance between WND0 and WND1 in the kernel desktop heap which is needed later for reading and writing OOB. Per table 1 below, by using these offsets there is no requirement to leak the actual WND0 and WND1 kernel addresses since read and writes can be done relative to the offsets (user and kernel desktop heaps have the same offsets).
Table 1 – User and Kernel Desktop heaps have the same offsets

5. WND0 is then converted to a console window by calling NtUserConsoleControl which converts WND0.ExtraBytes from a user desktop heap pointer to an offset within the kernel desktop heap. This is needed later so that WND0 can write OOB to WND1.

6. Create malicious window WND_Malicious using the CreateWindowEx API

    • During the window creation the callback xxxClientAllocWindowClassExtraBytes API is executed to request user mode to allocate memory for WND_Malicious.cbWndExtra and pass the user desktop heap pointer back to the kernel function win32kfull!xxxCreateWindowEx.
    • xxxClientAllocWindowClassExtraBytes has now been hooked and we do the following before returning to win32kfull!xxxCreateWindowEx:
      • Call NtUserConsoleControl to convert WND_Malicious to a console window so converting its WND_Malicious.cbWndExtra from a user desktop heap pointer to an offset within the kernel desktop heap.
      • Finally call NtCallbackReturn which completes the callback and returns a single value to xxxClientAllocWindowClassExtraBytes. Instead of passing the user desktop heap pointer as expected by xxxClientAllocWindowClassExtraBytes back to the kernel we pass the value at WND0+0x08 which is the kernel desktop heap offset to WND0 per figure 7 below. Now anytime we call SetWindowLongW on WND_Malicious we will be writing to WND0.
Figure 7 – WND_Malicious

Patch Analysis

The vulnerability lies in the fact that win32kfull!xxxCreateWindowEx does not check whether the window type has changed between the time it initiates the xxxClientAllocWindowClassExtraBytes and gets the response from NtCallbackReturn.

When we call NtUserConsoleControl with WND_Malicious in the hook above, xxxConsoleControl checks if tagWND+0xE8 flag has been set to 0x800 to indicate a console window per figure  below. As WND_Malicious was created as a normal window, xxxConsoleControl allocates memory at an offset within the kernel desktop heap and then frees the user desktop heap pointer existing at WND_Malicious.ExtraBytes (0ffset 0x128). It then places the offset to this new allocation in the kernel heap at WND_Malicious.ExtraBytes (0ffset 0x128) and sets the tagWND+0xE8 flag to 0x800 to indicate it’s a console window.

After returning from the callback when we issued NtCallbackReturn above, xxxCreateWindowEx does not check that the window type has changed and places the WND0+0x08 at WND_Malicious.ExtraBytes per figure 9 below. The RedirectFieldpExtraBytes checks the WND_Malicious.ExtraBytes initialized value but it is too late as WND0+0x08 has already been written to WND_Malicious.ExtraBytes (offset 0x128).

Figure 9 – win32kfull!xxxCreateWindowEx (vulnerable version)

The patched win32kfull.sys has updated xxxCreateWindowEx to now check the ExtraBytes initialized value before writing the returned value from user mode to tagWND. ExtraBytes (offset 0x128) per figure 10 below.

Figure 10 – win32kfull!xxxCreateWindowEx (patched version)

Figure 11 below shows that tagWND. ExtraBytes is initialized to zero within xxxCreateWindowEx during normal window creation.

Figure 11 – tagWND. ExtraBytes initialization for normal window

Figure 12 below shows that tagWND. ExtraBytes is initialized to the new offset value in the kernel desktop heap within xxxConsoleControl during console window creation. RedirectFieldpExtraBytes simply checks this initialized value to determine if the window type has changed. In addition, Microsoft have also added telemetry for detecting changes to the window type flag in the patched version.

Figure 12 – tagWND. ExtraBytes initialization for console window

tagWND OOB Write

The vulnerability within the xxxCreateWindowEx API allowed the WND_Malicious.ExtraBytes field be to set to a value of WND0 offset within the kernel desktop heap. Now any time SetWindowLongW is called on WND_Malicious it will write to WND0. By supplying an offset of 0xc8, the function will overwrite the WND0.cbWndExtra field to a large value of 0XFFFFFFF per figures 13 and 14 below.

This means it can write beyond its tagWND structure and ExtraBytes in kernel memory to fields within WND1. In addition, WND0.ExtraBytes is also overwritten with the offset to itself so calls to SetWindowLongPtrA on WND0 will write to an offset in kernel desktop heap relative to the start of WND0.

Figure 13 – OOB Write from WND_Malicious to WND0
Figure 14 – WND0 cbWndExtra overwritten with 0xFFFFFFF by WND_Malicious OOB write

Kernel Address Leak

Now that the WND0.cbWndExtra field has been set to a very large value (0xFFFFFFF), anytime SetWindowLongPtrA is called on WND0 it will write into the adjacent WND1 in kernel memory per figure 15 below. By writing to specific fields in WND1 we can create a kernel address memory leak as follows:

  1. Write a value of 0x400000000000000 to WND1 style field to temporarily change it to a child window per figures 15 and 16 below.
  2. Calling SetWindowLongPtrA API on WND0 with a value of -12 (GWLP_ID) now allows the spmenu field (type tagMENU) of WND1 to be overwritten with a fake spmenu data structure since we have changed it to be a child window per figure 15 and 17 below.
  3. Per SetWindowLongPtrA API documentation, the return value will give us the original value at the offset overwritten, i.e., the spmenu data structure pointer which is a kernel memory address. So, we now have leaked a pointer to a spmenu (type tagMENU) data structure in kernel memory and replaced the pointer in WND1.spmenu with a fake spmenu data structure within user desktop heap per figure 17 below.
Figure 15 – OOB Write from WND0 to WND1 to Leak Kernel Address
Figure 16 – WND1 Style field before and after writing 0x4000000000000000
Figure 17 – spmenu kernel memory address pointer leaked and subsequently replaced by a user mode address pointing to a fake spmenu data structure

Kernel Arbitrary Read

Using the spmenu data structure kernel pointer leaked previously we can use the layout of this data structure and the GetMenuBarInfo API logic to turn it into an arbitrary kernel memory read per figures 18,19 and 20 below.

Figure 18 – Kernel Arbitrary Read using fake spmenu and GetMenuBarInfo
Figure 19 – Fake spmenu data structure in user desktop heap with original spmenu leaked kernel pointer at crafted location to enable arbitrary read using GetMenuBarInfo API
Figure 20 – WinDbg command to show location within spmneu data structure that is deferenced by xxGetMenuBarInfo

As you can see from the xxxGetMenuBarInfo function in figures 21 and 22 below, by placing our leaked kernel address at the right location in our fake spmenu data structure we can create an arbitrary kernel memory read when calling GetMenuBarInfo.

Figure 21 – win32kfull!xxxGetMenuBarInfo
Figure 22 – GetMenuBarInfo data structure populated return values per normal spmenu and fake spmenu (leaks kernel address)

Kernel Arbitrary Write

An arbitrary kernel write primitive can be easily achieved now by writing our destination address to WND1.ExtraBytes field by calling SetWindowLongPtrA on WND0 which will write OOB to WND1 relative to the offset we specify per figure 23 below

In this case the offset is 0x128 which is ExtraBytes. Then simply calling SetWindowLongPtrA on WND1 will write a specified value at the address placed in the WND1.ExtraBytes field. The arbitrary write is achieved because WND1 is a normal window (has not been converted to a console window like WND0 and WND_Malicious) and so will write to whatever address we place in WND1.ExtraBytes.

Figure 23– Kernel Arbitrary Write for What-Write-Where (WWW)

Data Only Attack

The arbitrary kernel read and write primitives can be combined to perform a data-only attack to overwrite a malicious process EPROCESS token with that of PID 4 which is System for an escalation of privilege (EoP).

The original spmenu kernel address leaked previously has a pointer to WND1 at offset 0x50 per figures 24 and 25 below. Through multiple arbitrary reads using the GetMenuBarInfo on our fake spmenu data structure with this WND1 kernel address we can eventually read the PID 4 System EPROCESS token.

Figure 24 – Combining fake spmenu with GetMenuBarInfo arbitrary read to get PID 4 token
Figure 25– Original spmenu with WND1 kernel address pointer at offset 0x50

By placing the destination address (malicious process EPROCESS token) at WND1.ExtraBytes then the subsequent call to SetWindowLongPtrA will write the value (PID 4 – System EPROCESS token) to that address per figures 26 and 27 below.

Figure 26 – EPROCESS Token swap
Figure 27 – Overwriting WND1.ExtraBytes with address of EPROCESS token

The exploit then restores overwritten data structure values once the EoP is complete to prevent a BSOD (Blue Screen of Death).

Conclusion

In this report, we undertook a deep analysis of CVE-2021-1732 which is a Local Privilege Escalation on Windows 10. Windows kernel data-only attacks are difficult to defend against, as once a vulnerability is discovered they use legitimate and trusted code through specific APIs to manipulate data structures in kernel memory.

The win32k component has been hardened through great work by Microsoft against read/write primitives, but there are still opportunities for exploitation due to its large attack surface (syscalls and callbacks) and lack of win32k filtering on a process-wide basis. It would also be great to see a system wide win32k filtering policy capability within Windows 10.

Patching is always the best solution for vulnerabilities, but a strong defense strategy such as threat hunting is also required where patching may not be possible, and to detect variants of vulnerabilities/exploits being used by campaigns.

The post Technical Analysis of CVE-2021-1732 appeared first on McAfee Blog.

The Bug Report – December 2021

By Philippe Laulheret

Your Cybersecurity Comic Relief 

Why am I here? 

If you’re reading these words, CONGRATULATIONS! You’ve made it to 2022! And even better, you found your way to ATR’s monthly security digest where we discuss our favorite vulnerabilities of the last 30 days. Feel free to pat yourself on the back, get yourself a nice cup of coffee, tea, LaCroix (you fancy!) or if you’d rather choose violence, you can go straight for the energy drink. And now that we are comfortable and energized, let’s get rolling!  

CVE-2021-43798: Grafana path traversal

What is it? 

Per its Wikipedia entry, Grafana is a multi-platform open-source analytics and interactive visualization web application that is widely used in the industry, with paying customers such as Bloomberg, eBay, PayPal, etc. It was revealed in early December that a path traversal vulnerability allowed an attacker to access local files due to an improper sanitization of “../../../” in its plugin path.  

It also showcases one of the tightest disclosure timelines known to man:  

Who cares? 

Ok, we can hardly blame you for hearing about ANY vulnerabilities except for Log4Shell in the last 30 days.  However, if your organization is using this software, you probably should have followed the disclosure last month, lest your “/etc/passwd” files are now known to the whole internet. Beyond that, there are two interesting points you can ponder while swirling your eggnog in its glass (side-rant on the disgustingness of eggnog redacted). Given how easy it is to exploit, the mere fact of the vendor fixing the bug via their public GitHub seems to have been enough to bring attention to it and get public working POCs for this vulnerability in less than 3 days following the fix. If you’re curious about how more mature open-source code bases deal with this risk, projects like Chromium rely on a separate bug tracking infrastructure that can restrict who can access the bug reports (that will spell out the security risks and test cases) combined with public commit messages with simple phrasing meant to avoid attracting the attention on the security commits.  

Another interesting tidbit, the root cause of this bug is the misuse of a Go API to sanitize paths as discussed in this Twitter thread. It turns out the filepath.Clean function used to sanitize the input processed by the vulnerable code only removes excessive “../../” if the path is absolute. This is a common case of an API behaving as expected but leading to dangerous consequences. Do you know for sure the codebase of your organization is free of these problems? The impact of unpatched vulnerabilities here could be the accessing or leaking of extremely sensitive data.  *pondering becomes frantic*  

What can I do? 

Obviously update the software if you’re using it, and you can also use Sigma rules to detect attack attempts. In an ideal world, your analytics platform should not be exposed to the wide internetunlike these 87k instances, among whose 16k are still vulnerable according to Shodan. At minimum make sure your Grafana instance is behind a .htaccess prompt or similar. From a development perspective, security testing and unit tests should be leveraged to ensure the filtering you are putting in place is working the way it is intended to. And in the grand scheme of things, if you are going to process untrusted user input, don’t wing the filtering and apply thoroughly audited code patterns rather than disabling the warnings of your security tool…  

 

The Gold standard 

Does the walker choose the path, or the path the walker?” may have mused Garth Nix in his novel Sabriel. One thing is certain though, the path described above won’t be “walked” nor traversed by an attacker for the McAfee Network Security Platform (NSP) customers. These lucky fellows are already protected against path traversal attacks via a generic rule and can even be bestowed further protection with the creation of “custom attack” rules.  

CVE 2021-44228: Log4Shell 

What is it? 

Who could have known that parsing—and sometimes even executing—untrusted input was a bad idea™? Well it turns out that Apache’s log4j logging code does exactly that, and if the logged string contains the magic characters $(jdni:…) it may even fetch and execute untrusted Java code. Iterations on this attack have also highlighted the possibility to leak local secrets stored in environment variables—such as AWS keys—and given the recursiveness of the processing, it also offers many ways to evade pattern-matching detection. 

Who cares? 

Pretty much everyone. You write Java and are into logging things? Yep, you should be on top of this. You use Java based applications/servlets? Well, there’s probably some logging of untrusted user input in there. Your corporate employer uses Java based appliances or services? Pour one for your SOC and IT folks who are probably having a blast over their holiday “break”. You get it, this problem impacts the whole industry, and in all likelihood, its effects will probably keep rippling out for the years to come. To make things worse, the bug is really easy to exploit. From pen testers to SOC analysts, “script-kiddies” to nation state actors, nearly everyone has begun to explore this attack vector and we have observed massive on-going attacks with a wide gamut of payloads, ranging from cryptominers to “rm -rf /* payloads and even a broken attempt to spread the Mirai worm. The worst is likely yet to come.  

What can I do? 

“Stranger Things” taught us that “You can’t spell America without Erica.” Similarly, you can’t spell Apache without Patch. Sort of.  Upgrade! Micro-patch. Monitor traffic. Hint: if you’re internal-only application suddenly makes LDAP requests towards a remote server in a country you have no operations in, maybe something fishy is going on…  

If you like chaos and and/or you are having a hard time convincing IT of the importance of this bug, get permission to demonstrate it for them! Then, set strings you can control (user-agent, twitter name, wifi SSID, …) to this $(jdni:ldap…) magic value and make it point to an IP:Port you control (or a third party service like Canarytoken if you trust them). If you detect hits on that address, you can start having a fun conversation about the necessity of upgrading their tech stack with the owners of the incoming addresses. This is where asking for permission first becomes extremely important, as if you indiscriminately put the magic string all over the places to see what happens (as you may have seen on various social media platforms), it’s likely that eventually someone will reach out to have a “fun” conversation with you and ask about that funky user-agent of yours. Obviously, before pulling a stunt like this consider that the last thing you want for Christmas is a CFAA (Computer Fraud and Abuse Act) complaint delivered right to your doorstep.  

The Gold standard 

McAfee Enterprise customers are protected from many different angles (for the specifics, please visit this Knowledge Base article):  

  • Expert Rules on Endpoint Security (ENS) can pick-up dangerous patterns in memory as described in this blog 
  • Endpoint Security (ENS), VirusScan Enterprise (VSE), McAfee Web Gateway (MWG) can provide generic detection under the tile Exploit-CVE-2021-44228.C via a “Potentially Unwanted Software” detection. This detection is also augmented by a list of hashes of samples related to in-the-wild campaigns exploiting this vulnerability.   
  • Network Security Platform (NSP) can also detect the attack via User-Defined signature (provided in the KB article linked previously) 
  • MVISION Endpoint Detection and Response (EDR), McAfee Active Response (MAR) can also be used to look for vulnerable systems with Real-Time Search (RTS) queries 
  • McAfee SIEM got an update (Exploit Content Pack version 4.1.0) that will raise an alarm on potential exploit attempts. MVISION Insights is also providing valuable information under the Threat Campaign “Log4Shell – A Log4j Vulnerability – CVE-2021-44228”. See Insight Preview. 

CVE-2021-43527: Big Sig 

What is it? 

Big Sig sounds like the nickname Freud’s mother gave him. This bug is no less compelling. Early this December, Google Project Zero blogged about a vulnerability they found in Mozilla’s Network Security Services (NSS) with a CVSS score of 9.8, according to NIST’s National vulnerability database page. There is a heap overflow in the processing of certain signatures (DER-encoded DSA and RSA-PSS signatures). To put it simply, the NSS is a collection of cryptographic libraries that enable developers to use safer/heavily tested implementations of cryptographic primitives and standards (for encryption of communication, verification of the authenticity of data, and so on). The feature where the bug was found is responsible for the verification of signatures that prove the authenticity of data using various public cryptography schemes. This type of function is typically used to sign emails or documents to confirm their actual authors. Something really interesting about this bug is its relative simplicity but also its long existence; according to Project Zero’s blog, this bug was exploitable going all the back to 2012. The vulnerable code path just happened to fall between the cracks where various fuzzers used by Mozilla overlap. 

Who cares? 

If you like your signatures to be verified, and rely on the NSS library to do so, you should definitely have a look at the advisory and use the latest version of the software (NSS version 3.73/3.681 ESR or later). Firefox seems unaffected, but other software that parses signatures might be impacted (Thunderbird, LibreOffice, Evolution, Evince and more).  

What can I do? 

As usual, you want to make sure any software you are using that might be vulnerable is updated to its latest version. The patch was released on December 1st so, for starters, you’d want to make sure potential vulnerable software received an update after this date. It would also help to know which software relies on this library; while there is no magic bullet, references to files such as nss3.dll on Windows or libnss3.so on Linux are a good starting point. Beyond that, the best call is to look at release notes and potential list of third-party libraries used in any given application you may use. If you use the vulnerable library in in your own product, update the code or backport the patch. 

The Gold standard 

Have you checked out our bulletins? They’re a great source of information for the critical vulnerabilities you may have missed! This may include applications that will be deploying fixes for CVE-2021-43527. 

The post The Bug Report – December 2021 appeared first on McAfee Blog.

Threat Intelligence and Protections Update Log4Shell CVE-2021-44228

By Mo Cashman

Threat Summary

Log4j/Log4shell is a remote code execution vulnerability (RCE) in Apache software allowing attackers unauthenticated access into the remote system. It is found in a heavily utilized java open-source logging framework known as log4j. The framework is widely used across millions of enterprise applications and therefore a lucrative target for threat actors to exploit. The availability of the POC exploit and ease of exploitation triggered the widespread exploitation attempts that we are now witnessing.

CVE-2021-44228 – Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation.

Should the vulnerability be present, an attacker might run arbitrary code by forcing the application or server to log a specific string. This string can force the vulnerable system to download and run a malicious script from the attacker-controlled system, which would allow them to effectively take over the vulnerable application or server.

A full technical analysis can be found here:

McAfee Advanced Threat Research: Log4Shell Vulnerability is the Coal in our Stocking for 2021

In this blog, we present an overview of how you can mitigate the risk of this vulnerability exploitation with McAfee Enterprise solutions. Due to the severity of this vulnerability and the observed exploitation attempts already taking place, the KB article linked below will be continually updated to communicate detailed actions to mitigate risk with McAfee Enterprise products. Subscribe to this KB article to receive updates pertaining to related coverage and countermeasures.

KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution

Attack Chain and Defensive Architecture

Organisations preparing to defend against this threat needs to think beyond the initial access vector. What the vulnerability allows a threat actor to do is initially only connect to a remote endpoint and establish a beachhead. The attacker only gets a return on investment when they can exploit that initial foothold either to move laterally, execute additional payloads on the endpoint or attack other organisations as part of a botnet. Instead of just focusing on the initial access vector, let’s look at the entire defensive kill chain.

The impact on organisations varies between resource takeover, denial of service or data theft. Therefore, making visibility in attack patterns and trend via threat intelligence extremely critical. In addition, other attack vectors have been discovered which allows for local exploitation of the log4j library over WebSocket.

Let’s walk through the defense lifecycle in more details

Getting the Latest Threat Intelligence

Threat Intelligence is critical to adapt security controls and gain an understanding of attacker techniques and active campaigns exploiting the vulnerability

 

The MVISION Insights platform reports threat intelligence related to the Log4j attacks under the campaign name Log4Shell – A Log4j Vulnerability – CVE-2021-44228.

The Global Prevalence map snapshots captured on the 10th and 16th December 2021 demonstrates how impactful has being the vulnerability so far and how fast activity, both defender and attack, is increasing and spreading worldwide.

MITRE Techniques Observed:

  • Exploit Public-Facing Application – T1190 (Initial Access)
  • Exploitation of Remote Services – T1210 (Lateral Movement)
  • External Remote Services – T1133 (Initial Access, Persistence)
  • Resource Hijacking – T1496 (impact)
  • Web Shell – T1505.003 (Persistence)

As we are writing this blog, on MVISION Insights there are 1,813 IOCs including MD5, SHA256, URL, IP, DOMAIN, HOSTNAME. In terms of Determinism, 1,632 are unique and 30 are commodity.

The top MD5 detected so far has been related to Kinsing (MD5: 648effa354b3cbaad87b45f48d59c616), a crypto miner with backdooring features. The file runs on Linux machines and has been uploaded on Virus Total for the first time in December 2020.  Its detection increased by 161% between the 11th and the 15th of December 2021 and it is currently observed in 19 different countries. The log4j vulnerability is helping threat actors to push Kinsing malware via encoded payloads to vulnerable services exposed to the internet. And this is just the tip of the iceberg. We are actively monitoring for and analyzing new payloads.

The same unique indicator is also reported as part of other two threat campaign on MVISION Insights:

  • Kinsing Malware Adds Windows to Its Target List
  • Misconfigured Apache Hadoop YARN Exploited

Since April 2020, when the Kinsing crypto miner was discovered, further developments of the malware have occurred including a rootkit component and other features that make detection harder. Kinsing comes with multiple shell scripts that download and install the backdoor, miner, and rootkit alter the system itself.

The IP address 45.155.205[.]233 included within the MVISION Insights IOCs and used by threat actor as a log4j callback attack server has been detected 6,884 times by December 4th topping 15,106 detections by December 7th. Most detected countries included the United States, Turkey, Thailand, UK, Taiwan, and Italy.

MVISION Insights also includes indicators related to unique variants of MIRAI botnet that McAfee observed being leveraged by threat actors to exploit the log4j vulnerability.

Shell scripts are using wget and curl tools for external communication as part of the attack chains analyzed.

Latest updates highlighted Conti ransomware group actively leveraging the Log4Shell exploit to gain access to internal corporate resources and lunch their malicious payloads. But also, Khonsari group and state sponsored APT35 have been reported by researchers.

Determining your Asset Exposure

In this case, you should detect and prioritise internet facing applications running java-based web servers such as Apache Tomcat, either isolate or patch these resources. Run vulnerability scans for both monolithic and containerized workloads to build an inventory of assets that might be impacted.

MVISION Cloud

Continuously discovers your cloud resources and can run vulnerability scans for Virtual Machines and Containerized workloads in the cloud. MVISION Cloud has the ability to build an inventory of running processes within workloads as part of it application control capabilities. If log4j is used as a separate package we will detect the vulnerability in both runtime and container registry. If the log4j is included in the java binary we will not be able to scan it.

Ensure you run configuration audits for cloud assets that allow unrestricted outbound access and does not use firewalls or NAT GW’s for outbound connections. Run configuration audits for secondary misconfigurations that might allow the attacker to exploit IAM to elevate privileges, gain persistence or takeover other resources. 

MVISION Insights

Compares the available defensive capabilities on the endpoint to the attacker techniques, tools and IOC’s and highlights exposed endpoints.

MVISION EDR

You can perform real time searches in MVISION EDR to identify endpoints with Log4j binaries.

Blocking Exploitation Attempts

The attacker only succeeds if they can get to this stage so blocking outbound suspicious connections, preventing execution of additional payloads, and protecting credentials/auth tokens theft are things that could prove to be critical in defeating the attack. As part of the available threat intelligence attackers are using several post exploit methodologies to pivot from the original log4j injection vulnerability. This varies from misuse of resources with crypto miners, deploying malware, or exfiltrating sensitive information.

MVISION Cloud – Cloud Native Application Protection Platform (CNAPP)

Use Application Control (VM and Containers) to kill unverified server processes and payloads from executing.

OS Hardening (VM) – ensure that SE Linux state is enforcing

MVISION UCE

Use UCE URL filtering and Remote Browser Isolation to prevent browser-based exploit attempts over WebSocket and C2 attempts.

McAfee Endpoint Protection Platform

Use signature-based protection in ENS 10.7 to block known hashes of second stage malicious payloads. On December 12, 2021, McAfee Enterprise released V3 AMCore content 4648 (ENS) and V2 DAT 10196 (VSE). Generic detections are provided under the title Exploit-CVE-2021-44228.C.

In ENS (Endpoint Security) 10.7 update 4 and above, there is a powerful security feature available to every defender, which is the ability to trigger a memory scan from an Expert Rule. For more details on this capability, please see this blog post from our AC3 team

https://www.mcafee.com/blogs/enterprise/log4j-and-the-memory-that-knew-too-much

Additionally, it is recommended to enable the ENS ATP rules that prevent or detect post exploitation techniques such of second stage payload execution, credential dumping or encryption activity from ransomware, use of malicious tools or lateral movement.

Network Security Platform

An Emergency User Defined Signature has been written and tested by McAfee Enterprise to provide immediate protection against the Apache Log4j2 Remote Code Execution Vulnerability.

For details on latest signatures, please follow the KB…KB95091: McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution

Detecting and Hunting for Exploitation Activities

Assuming breach is critical especially if you know that you had exposed assets and therefore, build forensics and post exploitation detection techniques this includes exploitation of living of the land binaries (LOLBINS), credential dumping as well as using information such as known file hashes / hunting queries to query web server / reverse proxy/ Network IPS logs.

MVISION Insights

In addition to an Intelligence Summary, Insights provides exportable YARA rules to find additional Indicators of Compromise.

MVISION EDR

As mentioned above, you can leverage Real Time and Historical Search functionality to proactively identify vulnerable systems or post exploit activity such as…

  • historical process execution spawning from Java as this could be a clear indicator that the parent java process was used to spawn additional malicious processes.
  • monitoring for detection of threats emanating from assets running Java
  • identify outbound communication attempts to known C2 domains through DNS or Web traffic

Identify Indicators of Compromise associated with exploit payloads

Data Exfiltration Visibility and Control with Cloud Security

Along with control on the endpoint, visibility into attacks and where data is being uploaded is also critical to stopping Data Exfiltration. Mapping threats to the MITRE ATT&CK Framework will provide visibility into ongoing attacks happening in the cloud and where security controls can be improved to stop future attacks.

Another critical method to stopping the exfiltration of data is putting restrictions against data uploads to non-sanctioned cloud storage. Limiting data uploads to only sanctioned Cloud Service Providers can stop external and insider threats from transferring data to Cloud Services that are questionable or not sanctioned. The Cloud Registry within MVISION Cloud/Unified Cloud Edge will provide ratings for well over 25,000 Cloud Service Providers so restrictions can be placed on CSPs with high risks or attributes that put company data at risk.

Summary

The current situation is dynamic and our resources to help you understand the attack and mitigations available are also evolving. For the latest updates on McAfee Enterprise threat intelligence and defender resources please continue to follow these sites

MCFE Log4Shell Vulnerability KB: https://kc.mcafee.com/corporate/index?page=content&id=KB95091

MCFE Log4Shell Security Bulletin: https://kc.mcafee.com/corporate/index?page=content&id=SB10377

MCFE Log4Shell Vulnerability Blog: https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/log4shell-vulnerability-is-the-coal-in-our-stocking-for-2021/

MCFE Log4Shell Exploit Demonstration by McAfee ATR: https://www.linkedin.com/posts/mcafeeenterprise_cve-2021-44228-log4shell-exploitation-activity-6876241150219485184-URLE

MCFE LinkedIn Live Customer Briefing: https://www.linkedin.com/posts/mcafeeenterprise_mcafee-enterprise-atr-explore-the-internet-breaking-activity-6876614287197122560-wNuD

FEYE Log4Shell Vulnerability KB: https://community.fireeye.com/s/article/000003827

The post Threat Intelligence and Protections Update Log4Shell CVE-2021-44228 appeared first on McAfee Blog.

Log4J and The Memory That Knew Too Much

By McAfee Enterprise

By Guilherme Venere, Ismael Valenzuela, Carlos Diaz, Cesar Vargas, Leandro Costantino, Juan Olle, Jose Luis Sanchez Martinez, AC3 Team

Collaborators: ATR Team (Steve Povolny, Douglas McKee, Mark Bereza), Frederick House (FireEye), Dileep Kumar Jallepalli (FireEye)

In this post we want to show how an endpoint solution with performant memory scanning capabilities can effectively detect active exploitation scenarios and complement network security capabilities your company has implemented.

Background

As it is becoming the norm lately, a new vulnerability affecting a widely used library was recently released just in time for the Holidays. As detailed in our ATR blog, CVE-2021-44228 reported a vulnerability in the Log4J Java library affecting applications and web sites using the library to perform logging.

This vulnerability allows an attacker to coerce the vulnerable site or application to load and execute a malicious Java code from an untrusted remote location. Attack vectors are varied but the most common is associated with the attacker sending crafted strings as part of a network protocol to the target machine, like for example a modified HTTP Header sent as part of a POST request.

That is the reason many defenders are focusing their efforts on detecting the malicious strings through the network traffic. However, network signatures can be bypassed and there are reports confirming threat actors are adapting their network attacks with various forms of obfuscation to defeat network scanning.  The following image shows some of the current obfuscation techniques that have been observed or reported related to this attack.

Source: https://github.com/mcb2Eexe/Log4j2-Obfucation

This doesn’t mean that network protection solutions are not useful against this attack. Network security platforms provide a first layer of defense and should be used as part of a defensible security architecture (security risk treatment strategy), augmented by additional layers of protection, detection, visibility, and response. Modern endpoint solutions are uniquely positioned to complement network-based capabilities with in-depth host-based visibility of system processes, like in-memory scanning and rapid response orchestration. This combination results in a robust defense against threats like Log4Shell.

‘I See You’: Memory Scanning #FTW

To understand how memory scanning can help complement the network security platforms after a connection arrives to the endpoint and defeating the obfuscation layers, let’s take a look at the diagram below, describing the flow of execution for a common web based Log4J attack.

Let’s outline what happens:

In Step 1, an attacker sends a specially crafted string to the web server hosting the vulnerable application. This string, as we have seen, can be obfuscated to bypass network-based signatures.

In Step 2, the application proceeds to de-obfuscate this string to load it in memory. Once loaded into memory, the application initiates a LDAP connection to request the address of where the malicious class is located.

In Step 3, the attacker-controlled LDAP server responds with the location of the malicious Class file by indicating the HTTP URL address of where it is hosted.

In Step 4, the vulnerable application will proceed to initiate a download for that malicious class file.

In Step 5, the vulnerable application will load and run the malicious class file from step 4.

At this moment, the attacker achieves code execution on the target, leaving traces that may provide visibility on this activity for the defender. For example, spawning additional processes or touching files and registry keys after an exploitation

With this in mind, let’s imagine we could trigger a memory scan at some point in this execution flow to detect the presence of the malicious code. In general, scanning the memory of an endpoint is expensive from a processing perspective, therefore it’s not something that can be done continuously or even very often, but under specific circumstances it can be achieved with precision.

So, suppose we could trigger a memory scan at any point after step (2). We would have a high probability to find the de-obfuscated string used within the process memory at that time. If the memory is scanned after the malicious class file is downloaded, that content would also be available for scanning in its de-obfuscated form.

Such possibilities make the memory signature performant, and efficient, given the timing of the detection mainly depends on the trigger used to start the memory scan.

These technical capabilities are possible in ENS, let us show you how to do that!

Endpoint Security Expert Rules meets Memory Scan

In ENS (Endpoint Security) 10.7 update 4 and above, there is a powerful security feature available to every defender, and WE absolutely love it, which is the ability to trigger a memory scan from an Expert Rule.

We have talked about Expert Rules before, these are customizable access control rules which the end-user uses to detect suspicious activity not commonly seen by other scanners. McAfee Enterprise also provides community Expert Rules mapped to the MITRE ATT&CK Matrix through our public GitHub.

The feature we are interested in now is the ability to trigger a memory scan when an Expert Rule fires. That would allow us to target the applications vulnerable to Log4J and identify the moment they are being exploited.

Consider the following rule:

In the example rule above, we see a section defining ACTORS (inside the Process {…} section) and TARGETS (inside the Target {…} section). We define as actors any process that may be vulnerable to the Log4J exploit. In this case JAVA.EXE for standalone Java applications and TOMCAT?.EXE for Apache web-based applications. Either of these processes need to load both JAVA.DLL and JVM.DLL to ensure the Java runtime is active.

In the target section we add any potential payload of the attack. As Expert Rules are not focused on network traffic, we need to focus on the last step of the execution flow, which is when the payload is executed. Additional triggers like files or registry keys accessed can be added as more information about exploits become available. We may also have in this section any exclusion of valid behavior as shown in the example above with the “Exclude” on command line parameter. This exclusion is something customers can tailor to their environment to avoid false positives.

This expert rule will trigger when any ACTOR process spawns any of the TARGET payloads. If the rule were just that, one could see it would not be too effective in detecting the exploit and would probably cause many false positives.

But notice this line at the beginning of the rule:

This instruction tells ENS 10.7 to initiate a memory scan against the ACTOR process which caused the expert rule to trigger, and only that process. Now we have a reliable trigger for a performant memory scan, avoiding the performance issues of a blind memory scan, and it is done at a time very close to the initial exploitation attempt, which guarantees the de-obfuscated string will be in memory.

The second part of this solution is executed by the AV DAT Engine when it scans the memory of the process which triggered the Expert Rule. Once this string is found, a detection will occur on the affected process, and the action configured in the Expert Rule REACTION line will be applied. More information about available actions are described in KB95901 – McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. Note we recommend customers to use the REPORT action initially until they have sorted out what processes they need to monitor.

The first event highlighted above is the Expert Rule triggering for a suspicious process spawning from JAVA.EXE, and the second shows the AV DAT detection indicating the memory of that process had signatures of the exploit.

Note:

IF only the Expert Rule detection was present and NOT the JNDI/Log4J-Exploit event, it would indicate a program has executed children processes considered suspicious, and customers are advised to review the event and improve the Expert Rule accordingly.

However, IF, both the Expert Rule and JNDI/Log4j-Exploit events are triggered for the same program, we have confidently detected the presence of the process being exploited.

McAfee Enterprise provides more information about our current coverage for Log4J vulnerability in KB95901 – McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. This article contain links to download the Expert Rule and the associated EXTRA.DAT, as well as details on how to set up ePO to use them in your environment.

Customers who want to implement this solution are invited to review the instructions in the KB and associated documentation. It is highly recommended to review the Expert Rule and customize it to your environment.

Conclusion

To protect an environment against attacks like LOG4J, a layered strategy comprised of network security coupled by targeted endpoint memory scans allows defenders to effectively detect and prevent the attack execution flow against vulnerable systems exposed via network vectors.

Our ENS Expert Rules and Custom Scan reactions are designed to enable defenders with such capabilities so they can apply precise countermeasures against these emerging threats.

The post Log4J and The Memory That Knew Too Much appeared first on McAfee Blog.

Log4Shell Vulnerability is the Coal in our Stocking for 2021

By Steve Povolny

Overview:

On December 9th, a vulnerability (CVE-2021-44228) was released on Twitter along with a POC on Github for the Apache Log4J logging library. The bug was originally disclosed to Apache on November 24th by Chen Zhaojun of Alibaba Cloud Security Team. The impact of this vulnerability has the potential to be massive due to its effect on any product which has integrated the log4j library into its applications. This includes products from internet giants such as Apple iCloud, Steam, Samsung Cloud storage, but thousands of additional products and services will likely be vulnerable. This is just the beginning as Java is heavily used in applications spanning nearly every industry.

What is it?

The vulnerability exists in the way the Java Naming and Directory Interface (JNDI) feature resolves variables.  When a JNDI reference is being written to a log, JNDI will fetch all requirements to resolve the variable. To complete this process, it will download and execute any remote classes required. This applies to both server-side and client-side applications since the main requirements for the vulnerability are any attacker-controlled input field and this input being passed to the log.

To orchestrate this attack, an attacker can use several different JNDI lookups. The most popular lookup currently being seen in both PoCs and active exploitation is utilizing LDAP; however, other lookups such as RMI and DNS are also viable attack vectors.  It’s worth noting that the simplistic LDAP/RMI attack vectors only work with older JDK versions. There are publications that have demonstrated methods to circumvent this limitation to achieve code execution, albeit with added complexity to the attack.

Java object deserialization vulnerabilities are not a new breed of vulnerabilities or attacks. Previous offensive research such as “marshalsec” can be applied to this vulnerability making code execution simplistic.

**Update 12/20/2021** 

On December 18th, a new denial of service (DOS) vulnerability, CVE-2021-45105 was discovered affecting versions 2.0-alpha1 through 2.16.0 of Log4j.  To mitigate the original Log4j vulnerability, Apache completely disabled JNDI lookups in version 2.16, however self-referential lookups remained a possibility under non-default configurations.  When a nested variable is substituted by the StrSubstitutor class, it recursively calls the substitute() class. When this nested variable recursively references the variable being replaced, it leads to an infinite recursion and a DoS condition on the server.  Current research shows this does not lead to code execution, like the previous vulnerabilities.  

**** 

**Update 12/14/2021**

It has been confirmed that Log4j version 1.2 is vulnerable to similar attacks through the JMSAppender component and has been issued CVE-2021-4104. It is important to note this is not as easily exploitable as version 2.x. For exploitation to occur, JMSAppender must be enabled, and set with TopicBindingName or TopicConnectionFactoryBindingName configurations allowing JMSAppender to perform JNDI requests. This is not the default configuration.

****

What can be done about this?

**Update 12/20/2021** 

Apache has released a new version of Log4j, version 2.17.0 to address the latest DOS vulnerability.  Two additional classes were created that inherit from StrSubstitutor to deal with parsing strings that may contain user input.  These additions do not allow recursive evaluation.  Due to exploitation of this vulnerability leading to a DOS, it is considered less critical than the previously reported Log4j vulnerabilities which can lead to remote code execution. It is important to note, for exploitation to be successful there are several non-standard conditions that need to be met.  As the Log4j situation is continuing to evolve, we recommend upgrading to version 2.17.0, where possible. 

*****

**Update 12/14/2021**

Apache has released a new version of Log4j, version 2.16.0. This update disables JDNI by default requiring a user to explicitly turn the JNDI feature on and completely removes support for message lookups. When considering mitigations strategies for the Log4Shell vulnerabilities this should be considered the preferred method of mitigation.

****

There is a lot of information about different ways to mitigate this vulnerability. The most important and complete mitigation is to update log4j to the stable release version 2.17.0. Some sources are reporting that Java versions 6u211, 7u201, 8u191, and 11.0.1 are not vulnerable to this attack. This is not entirely the case. These versions are more resilient to the LDAP attack vector; however, they do not completely mitigate the vulnerability and are still susceptible to attack. To determine if a Java application is running a vulnerable version, a list of the impacted JAR files can be determined based on the hashes linked here.

The McAfee Enterprise ATR (Advanced Threat Research) team has been closely tracking this vulnerability since it became known. Our initial goal was to determine the ease of exploitation using the public PoC, which we have reproduced and confirmed. This was done using the public Docker container, and a client/server architecture leveraging both LDAP and RMI, along with marshalsec to exploit log4j version 2.14.1. We have posted a short video to demonstrate the reproduction for anyone who is struggling with this.

Going forward we plan to test variations of the exploit delivered using additional services such as DNS. We may update this document accordingly with results.

In the meantime, McAfee Enterprise has released a network signature KB95088 for customers leveraging NSP (Network Security Platform). The signature detects attempts to exploit CVE-2021-44228 over LDAP. This signature may be expanded to include other protocols or services, and additional signatures may be released to complement coverage.

Full coverage for this vulnerability can be tracked from our Security Bulletin here.

What’s out there?

Resources for the issue continue to evolve and expand rapidly. A growing list of PoCs and tools can be found here:

https://github.com/tangxiaofeng7/apache-log4j-poc

https://github.com/christophetd/log4shell-vulnerable-app

https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b

https://www.greynoise.io/viz/query/?gnql=tags%3A%22Apache%20Log4j%20RCE%20Attempt%22

https://rules.emergingthreatspro.com/open/

https://github.com/mubix/CVE-2021-44228-Log4Shell-Hashes

https://github.com/corretto/hotpatch-for-apache-log4j2

https://github.com/nccgroup/log4j-jndi-be-gone

The post Log4Shell Vulnerability is the Coal in our Stocking for 2021 appeared first on McAfee Blog.

The Bug Report – November Edition

By Mark Bereza

Your Cybersecurity Comic Relief 

CVE-2021-20322: Of all the words of mice and men, the saddest are, “it was DNS again.” 

Why am I here? 

For all our newcomers, welcome to the Advanced Threat Research team’s monthly bug report – a digest of all the latest and greatest vulnerabilities from the last 30-ish days based on merits just a tad more nuanced than sorting NVD by “CVSS > 9.0.” Instead, we focus on qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. 

To those who are returning after having read last month’s issue, I would like to congratulate you for being a Bug Report fan before it was cool – which it now most assuredly is, thanks in no small part to a litany of fascinating vulnerabilities. We encourage our veterans to stick around as long as possible, so that a year from now you can complain about how we’re washed up and how much better our early editions were. 

PAN GlobalProtect VPN: CVE-2021-3064 

What is it? 

Palo Alto Networks (PAN) firewalls that use its GlobalProtect Portal VPN running PAN-OS versions older than 8.1.17 are vulnerable to a cutting-edge, state-of-the-art style of vulnerability known as a “stack-based buffer overflow.” Although the vulnerable code is normally not reachable, when combined with an HTTP smuggling vulnerability, CVE-2021-3064 can be used to gain remote code execution, a remote shell, and even access to sensitive configuration data according to Randori Attack Team researchers. Randori discovered the vulnerability over a year ago but chose not to disclose it to PAN until September of this year, using it as part of its “continuous and automated red team platform” during the interim – I suppose we should be thankful that PAN has claimed in its security advisory that no evidence of exploitation of this vuln has been discovered, despite its age. 

Who cares? 

Absence of “in-the-wild” exploitation aside, we should also be grateful that the number of people who should care is rapidly dwindling (an ever-present theme of 2021). Randori initially reported over 70,000 internet-accessible PAN firewalls running vulnerable versions of PAN-OS according to Shodan, which it later amended to 10,000. As of this writing, that number has fallen to around 7,000. Even so, 7,000 vulnerable firewalls mean an even larger number of vulnerable clients at risk of an over-the-internet attack vector requiring zero authentication. Those connecting to PAN firewalls running on VMs have even greater cause for concern as these lack ASLR, a factoid I have chosen to add to my ever-growing “why is that a thing” list, right next to the Ghostbusters remake. 

What can I do? 

We suggest an experiment: open the Shodan search linked above and note the total number of devices running a vulnerable version of PAN-OS. Next, call up whoever manages your firewall and demand they power it down immediately – use threats if you must. Check the Shodan scan again: has the number gone down? If so, it’s probably time to update. If you’re an Arch user and the prospect of updating terrifies you, Palo Alto has also indicated that its signatures for Unique Threat IDs 91820 and 91855 should block exploitation of CVE-2021-3064. 

The Gold Standard 

Be sure to stay up to date on the latest CVEs – our security bulletins are a great resource for finding product information for all kinds of critical vulnerabilities. 

Linux Kernel: CVE-2021-20322 

What is it? 

Researchers at the University of California, Riverside have discovered a flaw in the way the Linux kernel handles “ICMP fragment needed” and “ICMP redirect” errors, allowing an attacker to quickly learn the randomized port number assigned to a UDP socket. What this description fails to convey is the big picture impact of this vulnerability, which is its use as a side-channel for the now-prehistoric DNS cache poisoning attack, in which an off-path malicious actor ‘poisons’ a DNS resolver’s cache with a false record, mapping a known domain (google.com) to an IP address of their choosing (98.136.144.138). Truly nefarious. 

Who cares? 

To be frank, just about everyone should be at least raising an eyebrow at this one. Although the researchers have indicated in their whitepaper that this particular side-channel only affects about 13.85% of open resolvers on the internet, it’s important to note that various security services rely on proof of domain ownership, including even the issuing of certificates, making the impact tremendous. Users of popular DNS service Quad9 have particular cause for concern, as the paper claims it falls under the vulnerable 13.85%. Linux users should also be concerned, and not just because their drivers refuse to work – DNS software such as BIND, Unbound, and dnsmasq running on their platform of choice are also vulnerable. 

What can I do? 

This is where things get tricky. DNS extensions that were standardized over two decades ago, such as DNSSEC and DNS cookies, should successfully mitigate this and all other DNS cache poisoning attack side channels. The unfortunate reality is that these features see very limited adoption due to backwards-compatibility concerns. While we wait for these dinosaurs holding back progress to die out, the authors of the aforementioned whitepaper have suggested some alternative mitigations, including enabling the IP_PMTUDISC_OMIT socket option, introducing additional randomization to the structure of the DNS exception cache, and configuring DNS servers with a singular default gateway to outright reject ICMP redirects. Further details can be found in section 8.4 of their paper. 

The Gold Standard 

Unfortunately, not every vulnerability can be adequately addressed by network security products, and this vulnerability happens to be one of those cases. Your best bet is to follow the mitigations mentioned above and keep your servers up to date. 

Just About All DRAM: CVE-2021-42114 aka Blacksmith 

What is it? 

Blacksmith, a name referring to both the vulnerability and the fuzzer created to exercise it, is a new implementation of the Rowhammer DRAM hardware vulnerability from 2014. The crux of Rowhammer is the use of high frequency read operations to induce bit flips in neighboring regions of physical memory, which can lead to the crossing of any security barrier if the attacker can massage memory so that critical data is stored in a vulnerable physical page. Modern DRAM hardware uses a technology called Target Row Refresh (TRR) to prematurely refresh regions of physical memory targeted by common Rowhammer attacks. Researchers at ETH Zurich and their associates discovered that TRR exploits the uniform nature of memory accesses used by existing Rowhammer attacks to “catch” them, and so devised a Rowhammer attack that used non-uniform accesses, arriving at CVE-2021-42114, which bypasses TRR and all other modern Rowhammer mitigations. 

Who cares? 

Everyone. Just about every common electronic device you can think of uses DRAM and of the DIMMs (RAM sticks) testedthe researchers did not find a single one that was completely safe. It might be easy to presume that hardware vulnerabilities such as this are academically fascinating but have little real-world impact, but research published since 2014 has shown Rowhammer attacks successfully escape JavaScript containers in the browsercross VM boundaries in the cloud, and even achieve RCE across networks with high enough throughput. Perhaps the greatest tragedy of Blacksmith is that it arrived a month too late – it would have fit in perfectly with Halloween monsters like Freddy Krueger or Jason Voorhees who also see new iterations every few years and refuse to stay dead. 

What can I do? 

Hide your PC, hide your tablet, and hide your phone, ‘cause they’re hammerin’ everybody out there. Beyond that, there’s not much to be done besides wait for JEDEC to develop a fix and for DRAM manufacturers to begin supplying hardware with the new standard. 

The Gold Standard 

We at McAfee Enterprise are doing everything in our power to address this critical vulnerability. In other words, we’ll be waiting for that JEDEC fix right along with you. 

The post The Bug Report – November Edition appeared first on McAfee Blog.

Fighting Supply Chain Threats Is Complicated

By Adam Philpott

Relying on the kindness of strangers is not an ideal strategy for CISOs and CIOs. And yet that is the precise position where most find themselves today while trying to battle cybersecurity issues across their supply chain. While these supply chains have plenty of their own challenges, such as global disruptions of distribution, our recent research shows that it’s the cybersecurity problems that will long survive for the long term.

It’s not as though enterprises rely on their partners any more today than they did ten years ago. Their needs have not changed and are unlikely to change, except those rare instances where an enterprise will choose to manufacture their own supplies rather than rely on partners. Consider, for example, Costco creating its own gigantic chicken farm. Other than outlier examples like this, partner reliance is relatively stable.

What is changing with the supply chain is how much system access is being granted to these partners. They are getting access they didn’t always get and are getting far deeper access as well. As technology has advanced to allow such access, enterprises have accepted.

Given the wide range of partners–suppliers, distributors, contractors, outsourced sales, cloud platforms, geographical specialists, and sometimes your own largest customers–the cybersecurity complexities are growing by orders of magnitude. In addition, the more integrations that enterprises accept, the higher the level that their risk is. To be more precise, the risk doesn’t necessarily grow with the number of partners as much as the risk grows with the number of partners whose cybersecurity environments are less secure than the enterprise’s own environment.

To even begin to craft a cybersecurity strategy to manage partners and a global supply chain, the enterprise CISO needs to have a candid understanding of what their partners’ security level truly is. That is tricky, given that many of those partners themselves do not have a good sense of how secure or insecure they are.

One suggestion is to revise contracts to make it a requirement for all partners to maintain a security level equal to the enterprise customer. The contract must not only specify penalties for non-compliance–and those penalties must be sufficiently costly that it makes no sense for a partner to take that chance–but it must specify means to determine and re-verify that security level. Surprise inspections and the sharing of extensive log files would be a start.

Otherwise, even the strictest security environment such as Zero Trust may be unable to plug supply chain holes due to sloppier partner security practices. Let’s say that a large enterprise retailer is working with a large consumer goods manufacturer as a partner. A good environment will start with strict authentication, making sure that the user from the partner is really that authorized user. The enterprise environment must also watch the user throughout the session to make sure the user doesn’t do anything suspicious. But if the partner has been breached, malware could sneak in through the secure tunnel and, if it’s not caught by the enterprise, there’s a problem and now they can be breached.

This is not hypothetical. Since the beginning of the pandemic, our research found that a vast majority of global enterprises (81 percent) said that they are seeing far more attacks since the beginning of COVID-19.

Almost every business is dependent on the supply chain, making it a prime target for cybercriminals looking to cause disruption and breach wider networks. As the holiday season approaches, we are already seeing a spike in consumer and business activity across the supply chain, making it a prime target for cybercriminals looking to target essential and lucrative services.

Attackers are going to continue to leverage the global supply chain as an initial entry vector, accessing the network through a trusted connection, system, or user. The fact that these attacks exploit trusted channels makes them very difficult to prevent or detect. As organisations continue their digital transformation, including ever-more cloud services, managed services and endpoint modernization, the risks of supply chain threats will increase as its prevalence as a vector does so.

 

The post Fighting Supply Chain Threats Is Complicated appeared first on McAfee Blog.

McAfee Enterprise Defender Blog | Windows Zero-Day – CVE-2021-41379

By Taylor Mullins

Threat Summary

This month it was disclosed that a Microsoft vulnerability that allows for local privilege elevation, previously patched in the November 2021 Patch Tuesday, is still exploitable and was not patched correctly. Using this vulnerability, threat actors with limited access to a compromised device can easily elevate their privileges to help spread laterally within the network.

Figure 1. MITRE ATT&CK Matrix for Windows Zero-Day in MVISION Insights

The vulnerability affects all supported versions of Windows, including Windows 10, Windows 11, and Windows Server 2022. At the time of writing, Microsoft has not released any updates or out-of-band patches to resolve it.

CVE-2021-41379 – Microsoft Windows Installer Elevation of Privilege Vulnerability

Bleeping Computer: New Windows zero-day with public exploit lets you become an admin

Bleeping Computer: Malware now trying to exploit new Windows Installer zero-day

McAfee Enterprise Protections and Global Detections

McAfee Enterprise Global Threat Intelligence is currently detecting all known proof of concept exploits for this zero-day vulnerability as malicious.

Blocking Exploitation Attempts with McAfee Enterprise ENS

McAfee Enterprise Endpoint Security (ENS) is currently detecting exploitation attempts and will quarantine the tools utilized to exploit this vulnerability as shown below.

Figure 2. Story Graph summary of exploitation detection by McAfee Enterprise ENS shown in MVISION ePO

Detecting Exploitation Activity with MVISION EDR

MVISION Endpoint Detection and Response (EDR) is currently alerting to the activity of this exploitation as malicious and will note the MITRE techniques and any suspicious indicators related to the exploit attempts.

Figure 3. Detection of zero-day exploitation activity and techniques in MVISION EDR

Threat Intelligence for Exploitation IOCS with MVISION Insights

MVISION Insights will provide the current threat intelligence and known indicators for exploitation of this vulnerability. MVISION Insights will also alert to detections that have been observed, and systems that require additional attention, to prevent widespread infection. MVISION Insights will also include Hunting Rules and Campaign Connections for threat hunting and further intelligence gathering of the threat activity and adversary.

MVISION Insights Campaign: New Windows Zero-Day CVE-2021-41379 With Public Exploit Lets You Become an Admin

Figure 4. Global Prevalence of zero-day exploitation activity in MVISION Insights

Figure 5. Exploitation IOCs and Detections in MVISION Insights

McAfee Enterprise offers Threat Intelligence Briefings along with Cloud Security and Data Protection workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.

The post McAfee Enterprise Defender Blog | Windows Zero-Day – CVE-2021-41379 appeared first on McAfee Blog.

McAfee Enterprise Defender Blog | CISA Alert: MS Exchange & Fortinet Vulnerabilities

By Nicolas Stricher

Threat Summary

On November 17, 2021, The US Cybersecurity & Infrastructure Security Agency (CISA) pushed an Alert entitled “Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities” which you need to pay attention to if you use Microsoft Exchange or Fortinet appliances. It highlights one Microsoft Exchange CVE (Common Vulnerability & Exposure), three Fortinet CVEs and a list of malicious and legitimate tools associated with this activity.

Threat Intelligence Update from McAfee Enterprise

A few hours later our Advanced Threat Research (ATR) team published a new campaign in MVISION Insights under the name “Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities”. Immediately after, MVISION Insights started to provide near real-time statistics on the prevalence of the tools associated to this threat campaign by country and by sector.

Figure 1. MVISION Insights Global prevalence statistics for this campaign on Nov 19, 2021

In this blog I want to show you how you can operationalize the data linked to this alert in MVISION Insights together with your investigation and protection capabilities to better protect your organization against this threat.

Tracking New Campaigns and Threat Profiles, Including This Alert

MVISION Insights combines Campaigns and Threat Profiles in the same list, and you can change the order from “Last Detected” to “Last Added” as shown below.

Figure 2. List of MVISION Insights campaigns last added, with a selection of this campaign

On the left of figure 2, a color code shows you the severity assigned by the McAfee ATR team (Medium for this campaign), in the middle you can see whether we have seen detections of the analysed IOCs in your country or in your sector

If you are a McAfee Endpoint Security or IPS customer, on the right of figure 2 you can see whether you have had any detection of these IOCs by your McAfee Endpoint Security or IPS, or whether Endpoint Security has found exposed devices, or devices with insufficient Endpoint Security protection

As shown in figure 2, you can also click the campaign’s preview to read a short description, and the labels given by MVISION Insights:

  • APT
  • Ransomware
  • Tool
  • Vulnerability

In this case, you can see that CISA suspects this campaign to be associated with an APT threat group. It includes Ransomware behaviors. The labels also highlight the use of hacking tools and vulnerabilities which you can then view in the Campaign details. Last September we hosted a webinar focused on threat intelligence and protection against hacking tools.

The campaign description highlights the usual use of “devices encrypted with the Microsoft Windows BitLocker encryption feature”.

The campaign’s details also provide links to other sources, such as the CISA alert in this case.

Figure 3. Original CISA Alert used for this campaign

Evaluating the Risk and Whether you Could be Exposed

Once you have identified campaigns which could potentially hit you, you can evaluate your risk and whether you could be exposed because you could have:

        • Vulnerabilities listed
          In figure 4, you can see that in this campaign there is 1 CVE for Microsoft Exchange, and 3 CVEs for Fortinet FortiOS
        • Exposed devices
          In figure 2, there are none
        • Insufficient Endpoint Security protection
          In Figure 2, there are none

Figure 4. List of Common Vulnerabilities and Exposures (CVEs) in this campaign’s details

If you are a McAfee Enterprise customer, the MVISION Insights Endpoint Security Posture checks whether you have enabled the necessary Endpoint Security features to have the best level of protection across your estate.

In the example below:

  • 3 Endpoint Security devices have an insufficient AMcore content to detect all campaigns
  • The warning sign shows that some devices have been excluded from this assessment by the MVISION Insights administrator
  • 1 Endpoint Security device is missing Real Protect Client and Cloud
  • 1 Endpoint Security device is missing Adaptive Threat Protection (ATP)
  • 1 Endpoint Security device has an unresolved detection for a Medium Severity Campaign

As seen previously, this lab environment has sufficient protection to detect the “Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities” campaign IOCs. However, to have full Endpoint protection, GTI, On-Access scan, Exploit Prevention, Real Protect and ATP must be enabled.

Figure 5. McAfee Endpoint Security Detection across all MVISION Insights campaigns

Hunting for Detections and IOCs in Your Environment

If you are a McAfee Endpoint Security or IPS customer, the detections related to the campaign’s IOCs are automatically mapped by MVISION Insights as shown in Figure 6.

Figure 6: McAfee Endpoint Security Detection across all MVISION Insights campaigns

You can also use your Endpoint Detection and Response (EDR) or SIEM solution to search for the presence of IOCs. As you can see below in Figure 7, we have categorized the IOCs, and in this instance:

  • 4 File Hashes have been analyzed by our Threat Research experts and 3 File Hashes have NOT been fully analyzed at this time
  • 2 File Hashes are dual use, and therefore are non-Deterministic
  • 5 File Hashes are partially unique (2 Malicious and 2 Probable Malicious)

If you are an MVISION EDR customer, you can automatically search for the presence of these IOCs across your estate from MVISION insights

Otherwise, you can export the IOCs and hunt them in your EDR, and SIEM, to examine the evidence of a potential compromise and escalate the case to a level2 or level3 analyst to run a full investigation.

Additionally, you can also use the MVISION APIs with a third-party Threat Intelligence Platform such as ThreatQ, ThreatConnect or MISP to orchestrate this threat hunting capability.

Figure 7: MVISION Insights IOCs for this campaign

You can also leverage the new Campaign Connections feature (Figure 8) to check whether these IOCs are also listed in other campaigns or threat profiles. Campaign collection uses graphs to connect all the MVISION campaigns, and threat profile data such as:

  • IOCs
  • MITRE techniques
  • MITRE and McAfee Tools
  • Threat actors and groups
  • Labels
  • Prevalent countries and sectors
  • Detections

Figure 8: MVISION Insights Campaign connection using the IOCs of this campaign

Hunting TTPs in Your Environment

Beyond the IOCs, your Threat Analysts can also leverage the MITRE Techniques and Tools related to this campaign and documented in MVISION Insights.

Figure 9: MITRE Techniques and Tools observed in MVISION Insights for this campaign

For example, here you could use MVISION EDR to look for the presence of:

  • Unusual Scheduled Tasks
  • Unusual WinRAR archives
  • Unusual local and domain account usage
  • Mimikatz behavior

Then you can quarantine suspected devices before running a full remediation. You can also check that your Endpoint Security solution has credential theft protection capabilities such as ENS credential theft protection.

Vulnerability Management

If your organization hosts Microsoft Exchange or Fortinet appliances you will need to apply the recommended patching and upgrade recommendations. If you find indicators of compromise you might want to increase the priority of the tickets, asking the Fortinet and Microsoft Exchange administrators to fix these CVEs due to these suspicious activities.

Summary

To better assess your risk and exposure against this campaign you should review your current capabilities to:

  • Be informed about the latest relevant CISA alerts and other new campaigns and threat actors
  • Hunt the IOCs, Tools and Techniques associated
  • Identify Common Vulnerabilities and Exposures
  • Review your level of Endpoint Protection against these threats

McAfee Enterprise offers Threat Intelligence, and Security Operations workshops to provide customers with best practice recommendations on how to utilize their existing security controls to protect against adversarial and insider threats; please reach out if you would like to schedule a workshop with your organization.

The post McAfee Enterprise Defender Blog | CISA Alert: MS Exchange & Fortinet Vulnerabilities appeared first on McAfee Blog.

Zero Care About Zero Days

By Fred House

The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about it… except patch

By Fred House

2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. Some cite this as evidence of better detection by the industry while others credit improved disclosure by victims. Others will simply conclude that as the “upside” grows (e.g., REvil demanding $70M or Zerodium paying $2.5M for exploits) so too will the quantity and quality of players. But the scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were notable as well. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond.

If we look back at the past 12 months, we have seen notable breaches that highlight the need for organizations to improve response times:

ProxyLogon. When we first learned in 2020 that roughly 17,000 SolarWinds customers were affected, many reacted in shock at the pure scope of the compromise (it should be noted that a small subset of these customers are believed to have been compromised by follow-on activity). Unfortunately, 2021 brought its own notable increase in volume. Two weeks after Microsoft released a patch for ProxyLogon they reported that 30K Exchange servers were still vulnerable (less conservative estimates had the number at 60K).

ProxyShell. ProxyShell, a collection of three separate vulnerabilities (CVE-2021-31207, CVE-2021-34473 and CVE-2021-34523), was Exchange’s second major event of the year after ProxyLogon. In August, a Black Hat presentation outlining Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn’t had time to scan the full Internet). In summary: patched in the Spring, exploited in the Fall. So, what happened in the interim you ask? The vulnerabilities in the Microsoft Client Access Service were exploited by threat actors who deployed web shells to execute arbitrary code on compromised mobile devices and web browsers.

vCenter Server. Another notable example occurred in May when VMWare released a patch for a remote code execution vulnerability in vCenter Server. This subsequent analysis concluded that over 4,000 systems remained vulnerable one week after the patch was released. Much like Exchange servers, where a typical company will only host a handful of servers, 4,000 vulnerable vCenter servers likely represents thousands of distinct companies.

Kaseya VSA. One bright spot may in fact be the Kaseya VSA breach. On July 2, REvil launched an unprecedented (anyone else tired of that word?) ransomware campaign against public facing VSA servers. Within two days the DIVD CSIRT reported that the number of exposed VSA servers had dropped from 2,200 to 140. Some estimates suggested that around 50 MSPs were compromised, affecting between 800 and 1500 business. While this doesn’t sound like much of a bright spot, patching 94% of the affected systems in two days surely helped reduce the success of REvil copycats.

So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their “time to patch.”

Still not convinced? Well, the US government is. Checkout Binding Operational Directive 22-01 published on November 3rd which compels all federal agencies to remediate known exploited vulnerabilities in two weeks or sooner “in the case of grave risk to the Federal Enterprise”. It’s no coincidence that CISA’s known exploited vulnerabilities catalog, which catalogues the vulnerabilities that must be remediated, includes every one of our examples above with a two-week remediation deadline. If the US government can do it, you can too!

The post Zero Care About Zero Days appeared first on McAfee Blog.

Ransomware Threats Affecting the Public Sector

By Nicolas Stricher

In the October 2021 Threat Report, McAfee Enterprise ATR provides a global view of the top threats, especially those ransomware attacks that affected most countries and sectors in Q2 2021, especially in the Public Sector (Government).


In June 2021 the G7 economies urged countries that may harbor criminal ransomware groups to take accountability for tracking them down and disrupting their operations. Let’s review the high severity campaigns and threat profiles added to MVISION Insights recently.

Threat Profile Conti Ransomware & BazarLoader to Conti Ransomware in 32hrs

Conti has been one of the top Ransomware groups in 2021, including a new campaign reported in September 2021. As mentioned earlier in this report, the public sector seems to be the sector most affected by Ransomware attacks. McAfee Enterprise provides regular publications on the strategies to defend against ransomware, such as this blog.

Other Recent Threats Affecting the Public Sector

CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability

This is a serious Microsoft Office vulnerability reported in September 2021 by Microsoft, McAfee Enterprise and other sources. The MVISION Insights heat map shows the prevalence of the Indicators of Compromise (IOCs) associated with this threat in the first half of October 2021.

Although Microsoft has provided guidance on a workaround, it can be challenging for many public sector organizations to deploy these patches quickly. To help you be more agile, McAfee Enterprise has released its own guidance leveraging ENS, EDR and NSP.

Microsoft Office vulnerabilities are commonly exploited in the early phases of the attack lifecycle. BazarLoader, mentioned earlier with the Conti Ransomware, has also been used with Word and Excel documents. In the MITRE Enterprise ATT&CK framework this technique is known as T1203, which we can find in 177 campaigns and threat profiles in MVISION Insights.

Threat Profile APT41 & APT41 Malware Identified Doing the ChaCha at SAS21

APT41 is a state sponsored threat group linked to China and associated with multiple campaigns, including a new campaign reported in September 2021. Although Ransomware is currently the main cyber threat type which hits the news, state sponsored threat groups are equally concerning, especially in the public sector for organizations with sensitive government and citizen data, which could be potentially exploited by a foreign nation like China.

In the second part of this report, we highlight how you can leverage the data from MVISION Insights to find traces of these attacks to enhance your level of protection.

Cloud Threats Affecting the Public Sector

In the October 2021 Threat Report, McAfee Enterprise ATR also assessed the prevalence of Cloud Threats, identifying the US Government sector as one of the top 10 verticals affected.

Many governments are moving quickly to adopt cloud technologies to bring services for their citizens, for collaboration and cost savings.

Inadequate readiness to address cloud security has been the primary contributor of these threats. Several cloud-native controls exist to protect sensitive data from loss or theft in real time, such as:

Operationalize Threat Intelligence

In the second part of this report, we want to give you some guidance on how you can operationalize this threat intelligence data to better protect your networks. MVISION Insights can help operationalize McAfee Enterprise Threat Intelligence data by providing risk assessment against threats affecting you, protective guidance and integrating with other tools to share threat data.

Let’s take the previous example of the Conti Ransomware Threat Profile. Below you can see how MVISION Insights provides:

1. A short description with the list of CVEs linked to this threat profile, the minimum version of McAfee Enterprise ENS AMcore content to be correctly protected against this threat, detections in your environment and on which device.

2. The list of related campaigns, the devices with unresolved detections related to these campaigns or those with insufficient protections.

3. The list of MITRE techniques and tools, which provide a universal and agnostic overlay of the threats, as well as details on the observables specific to this threat profile for each MITRE technique.

4. The list of IOCs with filters, IOC attributes, and IOC export features which you can use to share them with your other solutions, such as your SIEM, and which you can also share with other public sector entities. We also provide a direct integration with MVISION EDR. Alternatively, you can leverage the APIs to automate the exchange of IOCs.

If you find devices with these IOCs in MVISION EDR you can take immediate remote actions such as quarantine the device, kill the process, remove the files, or run custom scripts.

You can also use MVISION EDR for more advanced threat hunting such as searching for specific MITRE techniques in all MVISION EDR alerts …

… or in the MVISION EDR monitoring view which automatically groups the alerts.

5. MVISION Insights also provides hunting rules created by McAfee Enterprise Threat Intelligence experts using Yara, Sigma and McAfee Enterprise ENS expert rules.

6. A proactive assessment of your Endpoint and Cloud security posture score with guidance on the configuration changes which you should follow to ensure that your McAfee Enterprise Endpoint and Cloud solutions are protecting you with their full capabilities.

7. And all this, with more than 1,200 threat campaigns and threat profiles

MVISION APIs give you the ability to integrate and to exchange this extensive Threat Intelligence data with your SOC tools, including Threat Intelligence Platforms (TIPs) and Security Orchestration Automation and Response (SOAR).

These integrations can be used both in Internet-facing and closed networks. For advanced Threat Intelligence teams, our Advanced Program Group (APG) provides “Threat Intelligence as a Service” (INTAAS) including:

  • Access to the unaggregated raw data behind MVISION Insights
  • Access to McAfee Private Global Threat Intelligence (GTI)
  • Threat Assessments
  • Adversary Monitoring and Attribution
  • IOC enrichment
  • Reverse Engineering

Summary

To conclude, here is a summary of the use cases you can achieve with MVISION Insights in the public sector:

  1. Start your threat intelligence program despite a lack of time and expertise
  2. Improve your existing Threat Intelligence program
  3. Check whether you have been breached by leveraging McAfee Enterprise ENS and NPS
  4. Predict threats, including ransomwares, that are most likely going to hit you
  5. Prioritize threat hunting using the most relevant indicators
  6. Enrich investigations with MVISION EDR/XDR
  7. Integrate with your other SOC solutions
  8. Deliver on-premise Threat Intelligence for restricted networks
  9. Proactively assess your protection status with McAfee Enterprise ENS and MVISION Cloud
  10. Improve Zero Trust with Threat Intelligence

If you want to learn more on our Threat Intelligence capabilities and participate in Architecture or Incident Response Workshops, contact your local McAfee Enterprise representative.

The post Ransomware Threats Affecting the Public Sector appeared first on McAfee Blog.

Digital Transformation Needs to (Re)Start with Security

By Adam Philpott

In life, regret tends to take on many shapes and forms. We often do not heed the guidance of the common anecdotes we hear throughout our days and years. From “look before you leap” to “an apple a day keeps the doctor away” – we take these sayings in stride, especially when we cannot necessarily provide proof of their veracity!

One particular trope that may incite ire, frustration, or regret when applied to enterprise security is – “once bitten, twice shy.”

In its very literal sense, we’re taught that if we’re bitten by something once – whether that be dog or security breach – we’re innately cautious or fearful of falling into a similar scenario. With dogs or any animal, we may pivot our behavior to avoid sharp teeth. However, with security breaches, many enterprises continue to be blindsided by “bites” – despite believing they’ve taken the utmost of caution to protect against them.

There is a clear disconnect between enterprise-preparedness and the severity of today’s threat landscape. We continue to see that no enterprise is immune to threats and breaches, with ransomware campaigns continuing to get more sophisticated and prevalent. We’re also seeing cyber criminals work together, banding as an enterprise themselves sharing common tools and knowledge. This means, as cyber criminals become more business-savvy, operational, and efficient – the enterprises they look to attack need to consistently be one step ahead to anticipate and prevent breaches.

Safety First, Now More Than Ever

The term digital transformation is not new by any means, but it needs to be newly approached through a security-first lens. For successful digital transformation to occur today, major industries need to focus on superior prevention against threats.

It’s time for business leaders to stop focusing on the “breach of the month” and more on building security into the fabric of their organizations so they’re not the next victims. For this to happen, it is imperative to break down silos of threat and information intelligence across the organization, enabling a collaborative, holistic, and strategic approach to securing the business.

Additionally, as we’re seeing more prevalent and sophisticated attacks, enterprises need to lean into the transformative technologies that can keep up with evolving techniques. AI provides for personalization of security – a key advantage as it can prioritize detection and response to allow organizations to focus on growth outcomes instead of spending time recouping lost data, customers, revenue, efficiencies, or more that can come at the expense of a threat or breach.

Placing security at the forefront of strategies can unleash the full potential of what digital transformation can make possible. With this approach and a mindset focused on prevention and cyber-readiness as the catalyst aiding true digital and business transformation, we have the power to turn the headlines around. It is time for enterprises to bite back, and the criminals to shy away.

The post Digital Transformation Needs to (Re)Start with Security appeared first on McAfee Blog.

Cloud API Services, Apps and Containers Will Be Targeted in 2022

By Mo Cashman

McAfee Enterprise and FireEye recently teamed to release their 2022 Threat Predictions. In this blog, we take a deeper dive into cloud security topics from these predictions focusing on the targeting of API services and apps exploitation of containers in 2022.

5G and IoT Traffic Between API Services and Apps Will Make Them Increasingly Lucrative Targets

Recent statistics suggest that more than 80% of all internet traffic belongs to API-based services. It’s the type of increased usage that grabs the attention of threat developers hunting for rewarding targets.

Feature-rich APIs have moved from being just a middleware to applications and have evolved to become the backbone of most modern applications that we consume today. Examples include:

  • 5G mobile applications – 5G connectivity and deployment of IoT endpoints have increased dramatically providing higher capacity for broader connectivity needs.
  • Internet of Things – More than 30.9 billion IoT devices are expected to be in use worldwide by 2025. The industrial IoT market was predicted to reach $124 billion in 2021
  • Dynamic web-based productivity suites – Global cloud-based office productivity software market is expected to reach $50.7 billion by 2026

In most cases, attacks targeting APIs go undetected as they are generally considered as trusted paths and lack the same level of governance and security controls.

The following are some of the key risks that we see evolving in the future:

  1. Misconfiguration of APIs resulting in unwanted exposure of information.
  2. Exploitation of modern authentication mechanisms such as Oauth/Golden SAML to obtain access to APIs and persist within targeted environments.
  3. Evolution of traditional malware attacks to use more of the cloud APIs, such as the Microsoft Graph API, to land and expand. We have already seen evidence of this in the SolarWinds attack as well as other threat actors such as APT40/ GADOLINIUM.
  4. Potential misuse of the APIs to launch attacks on enterprise data, such as ransomware on cloud storage services like OneDrive, etc.
  5. The usage of APIs for software-defined infrastructure also means potential misuse leading to complete infrastructure takeover or shadow infrastructure being created for malicious purposes.

Gaining visibility into application usage with the ability to look at consumed APIs should be a priority for organizations, with the goal of ultimately having a risk-based inventory of accessed APIs and a governance policy to control access to such services. Having visibility of non-user-based entities within the infrastructure such as service accounts and application principles that integrate APIs with the wider enterprise eco-system is also critical.

For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.

Expanded Exploitation of Containers Will Lead to Endpoint Resource Takeovers

Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. MITRE T1190 has become a common entry vector given that cyber criminals are often avid consumers of security news and are always on the lookout for a good exploit. There are numerous past examples in which vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.

The Cloud Security Alliance (CSA) identified multiple container risk groups including:

  • Image risks
    • vulnerabilities
    • configuration defects
    • embedded malware
    • embedded clear text secrets
    • use of untrusted secrets
  • Orchestrator
    • unbounded administrative access
    • unauthorized access
    • poorly separated inter-container network traffic
    • mixing of workload sensitivity levels
    • orchestrator node trust
  • Registry
    • insecure connections to registries
    • stale images in registries
    • insufficient authentication and authorization restrictions
  • Container
    • vulnerabilities within the runtime software
    • unbounded network access from containers
    • insecure container runtime configurations
    • app vulnerabilities
    • rogue containers
  • Host OS Component
    • large attack surface
    • shared kernel
    • improper user access rights
    • host file system tampering
  • Hardware

How do you protect yourself? Recommended mitigations include bringing security into the DevOps process through continuous posture assessment for misconfigurations, checks for integrity of images, and controlling administrative privileges. Use the Mitre ATT&CK Matrix for Containers to identify gaps in your cloud security architecture.

The post Cloud API Services, Apps and Containers Will Be Targeted in 2022 appeared first on McAfee Blog.

Veterans Day & Remembrance Day 2021

By Melissa Gaffney

November 11 marks Veterans Day in the United States and Remembrance Day across Europe and beyond. Wherever you may be on this 11th day of the 11th month, on the 11th hour, please be thankful to all our Veterans for their service and sacrifice. We would like to take a moment to reflect and honor some of our McAfee Enterprise employees who served.

When were you drafted or when did you enlist/join? What branch of the military did you serve and in what rank?

Shannon Clancy joined October 5, 2003 and was a Major in the United States Marine Corps

Kevin Benton enlisted ten days after high school (mid 1980’s) and was in the US Army as an E4/Specialist

Kevin Suares enlisted in the US Air Force on November 1, 1994, after four year’s he was a Senior Airman (E-4)

Why did you join and why did you pick the service branch you selected?

Clancy: I had always had a niggling in the back of my mind that I wanted to be a Marine (My father served as a Marine in Vietnam), and then September 11, 2001 happened and it solidified my choice. I wanted to be the best, and everyone knows Marines are the best.

Benton: The world was bigger than my little hometown and I wanted to travel the world. Plus, I was clearly the smartest person in my house at 18 years old, so I showed my parents how smart I was.

Suares: I needed money for college and needed some direction in life. Initially I considered the Navy, as I am a former Sea Scout. I spoke to a Navy recruiter and was ready to sign up. He sent me across the hall to “get a different perspective” from the Air Force recruiter (which I was also considering) and after a 20-minute conversation where we talked about options in the Air Force, Air Force training, how the Air Force encourages higher education and AF ethos, I changed my mind. Biggest regret of that Navy recruiter’s career! The next week I scored 97 out of 99 in the Armed Services Vocational Aptitude Battery (ASVAB) making me eligible for almost any job.

What do you remember about your first day in service? What do you remember about your last day in service?

Clancy: I remember my first day being total chaos. Not knowing the (now) simplest things like how to wear your cover (hat), blouse your trousers, align your belt, etc. Things that seem small and silly but were in fact critical lessons in attention to detail that have carried with me throughout service and life.

Benton: On the first day, I was tired and nervous about not having any idea of what was happening or what to do. The last day was filled with wildly mixed emotions! I made some great friends from all walks of life, and I was ready to get on with my life by attending college on the GI Bill, but I hadn’t yet lived on my own. I recall driving off the base and wondering if I should drive north or south on the Pacific Coast Highway; ultimately, I drove North and have never regretted the decision.

Suares: I remember on my first full day being woken up at 4:30 AM after going to bed around 1:30 AM, in a new environment to a metal trash can being hit repeatedly with a baton and words I can’t repeat here. On my last day, my supervisor still made me work the whole day, ending in a small ceremony where I was presented with a few token gifts (which I still have.) I wrote my flight a quick email saying goodbye then left for home. Not going to lie – I had tears in my eyes as I left the building.

What would you describe as your most memorable experience? What is something you miss about your days of service?

Clancy: My most memorable experience was my deployment to Iraq. There was a pause in operations on Thanksgiving and I got to play soccer with some of the Marines. It was a very “normal” thing in a place where there wasn’t much normal. I don’t miss much (because there is a lot of nonsense that also goes on), but what I do miss is the camaraderie and sense of belonging. You don’t question who you are or what your purpose is while you serve.

Benton: Being in the infantry, I recall experiencing some of the toughest, most physically demanding moments in my life, then experiencing shear exhaustion when reaching the end of a march or landing in a hot zone, only to have a few laughs with the guys to your left and right, toggling thru each other’s life stories.  No one cared where you were from or the color of our skin or whether you had any money. I’ll never forget the laughs and storytelling as we were all experiencing the same things at the same time. Come to find out, we were forming bonds for life.

Suares: My most pleasant memory wastaking my grandfather out to dinner in uniform for his 70th birthday. He was so proud that he was speechless for once. If you knew him, that was a really big deal. But my saddest memory was hearing the rifle salute at a friend’s funeral. Each volley cut me to the bone.

How do you honor Veterans/Remembrance Day for yourself, with family or friends?

Clancy: I usually call my dad. Veterans day buddies right up to the Marine Corps Birthday, so there is no shortage of celebrations or drinks to be shared among Marines. This year has been extremely difficult on veterans; so, I think I’ll text a few friends I haven’t heard from in a while. I encourage everyone to reach out to one you know, just to check in and say hi. It goes a lot further than you might think.

Benton: Our little town holds a ceremony at our local cemetery. I’ve attended with my family for years, afterwards nearly always telling my kids stories of my service to my country and the pride I feel when seeing our flag and all that it stands for. ​​​​​​​

Suares: Usually with service to others. Occasionally I may go out to dinner with family, but most times I used to be involved in giving talks to youth groups, schools, etc. or donating time to other Veterans causes. I proudly served my country – and would do it again if asked – but I feel that I am not owed anything. The day should be about recognizing the living service member (past or present) and honoring us all.

The post Veterans Day & Remembrance Day 2021 appeared first on McAfee Blog.

Windows RDP Client Porting Critical Vulnerabilities to Hyper-V Manager

By Sam Quinn

This month brings us yet another critical RCE (Remote Code Execution) bug found in the RDP (Remote Desktop Protocol) Client which has also been ported to the Hyper-V Manager “Enhanced Session Mode” feature. User interaction is a prerequisite since the vulnerability lies within the RDP client, requiring a victim to connect to a malicious RDP server.

Vulnerability Analysis: CVE-2021-38666

This RCE bug is very closely related to CVE-2021-34535 and to CVE-2020-1374 , where there is a heap-based buffer overflow in mstscax.dll due to an attacker-controlled payload size field. The vulnerability can be triggered via the RDP Smart Card Virtual Channel Extension feature [MS-RDPESC], by leveraging the existing local RDPDR static virtual channel setup between the client and server. The RDP Smart Card Virtual Channel Extension feature [MS-RDPESC] functionality was leveraged in the “EsteemAudit” Exploit released by the “Shadow Brokers,” but that vulnerability targeted the RDP server and not the client. The functionality being exploited here is the ability to share a smart card reader between the client and server. The destination buffer intended for the IOCTL (I/O control) call to locate each host smart card reader is a fixed size, but the user-controlled size field can be altered to cause the client to perform an OOB (Out of Bounds) write. Seeing how simple it is to trigger this vulnerability, our team decided to mutate the test case to verify whether any other IOCTLs within the [MS-RDPESC] specification are vulnerable. Enumerating through the 60 other IOCTL calls tied to the smart card reader, we were able to find two additional unique crashes. All vulnerabilities discovered have been patched in the latest version of the mstscax.dll, which shows that the fix for this bug has mitigated other potentially vulnerable functions. The patched mstscax.dll now simply verifies that the bytes received over the wire do not exceed the user-supplied size field; it does this at the IOCTL dispatch table level before any IOCTL functions are called, so the single validation is applied to all IOCTLs.

This vulnerability has a CVSS (Common Vulnerability Scoring Standard) score of 8.8, dropped down from 9.8 because it requires user interaction in that a victim RDP client must connect to a malicious server.

Attack Scenario

This bug has the same attack scenario as that of CVE-2021-34535, which we also analyzed in depth:

  1. It is a client-side vulnerability so not wormable
  2. Requires a user to connect to a malicious RDP server
  3. It impacts both the traditional RDP client over the network and the local Hyper-V Manager “Enhanced Session Mode” since they both use the vulnerable mstscax.dll
  4. The vulnerability could be used for a guest-to-host escape on Hyper-V Windows 10

Looking Forward

We have seen a regular cadence of critical RDP vulnerabilities since BlueKeep (CVE-2019-0708), but what distinguishes the two vulnerabilities CVE-2021-38666 and CVE-2021-34535 is that they impact Hyper-V Manager “Enhanced Session Mode” and can thus be leveraged for guest-to-host escapes. While we do not rate these vulnerabilities as critical in the same manner as past RDP server-side RCE vulnerabilities, we are now clearly starting to see a trend of vulnerabilities emerging which impact Hyper-V Manager due to the porting of RDP. We recommend patching as a top priority as threat actors will potentially look to weaponize this common protocol for guest-to-host escapes on Windows 10 Hyper-V.

Microsoft has published a Knowledge Base article for this issue here with information regarding patching this vulnerability. As always, we recommend patching as a first course of action and we will continue to monitor this vulnerability for any exploitation in the wild.

For RDP security best practices please see: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/

The post Windows RDP Client Porting Critical Vulnerabilities to Hyper-V Manager appeared first on McAfee Blog.

‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World

By Raj Samani

The holiday season is upon us, and many are preparing to celebrate with family and friends both near and far. While we tend to look at consumer tendencies during the holidays, the season also presents a significant challenge to industries coping with the increase in consumer demands. McAfee Enterprise and FireEye recently conducted a global survey of IT professionals to better understand their cyber readiness, especially during peak times like the holiday season, and the impact the pandemic has had on their business. Most notably, 86% of organizations are anticipating a moderate-to-substantial increase in demand during the 2021 holiday season. The question is: Are they ready for that demand?

This year, the “everything shortage” is real – from a drop in available workforce to limited supplies to lack of delivery services. This creates an urgency for organizations to have actionable security plans and to effectively contain and respond to threats. Supply chain and logistics, e-commerce and retail, and the travel industry traditionally experience holiday seasonal increases in consumer and business activity, making them more vulnerable to cyber threats and leaving business, employee, and consumer data at risk. Here’s a statistical snapshot of these affected industries and how they can prepare for the anticipated increase in seasonal risks:

Supply Chain and Logistics

According to BCI’s Supply Chain Resilience Report 2021, 27.8% of organizations reported more than 20 supply chain disruptions during 2020, up from just 4.8% reporting the same number in 2019. The loss of manufacturing and logistics capacity, and employee-power in 2021 are expected to increase demand for goods, creating the perfect attack vector for cybercriminals: a potentially weak and vulnerable infrastructure to break through. Supply chain managers must identify risks, understand the potential downstream effects of a security breach or cyberattack, and prepare response plans so they can act quickly in the event of an incident.

E-Commerce and Retail

According to Adobe’s 2021 Digital Economy Index, global online spending is expected to increase by 11% in 2021 to $910 billion during the holiday season. With store closures and increases in online shopping, along with limited product availability and concerns about shipping, this industry is faced with more threats than before. According to McAfee Enterprise COVID-19 dashboard, the global retail industry accounts for 5.2% of the total detected cyber threats. Such threats include compromised payment credentials and cloud storage, as well as other forms of retail fraud and theft.

Travel

Cyber threats aren’t new to the travel industry with airports, airlines, travel sites and ride-sharing apps having been victims in years past. However, what sets this year apart is the travel industry enduring a holding pattern caused by pandemic-related health concerns and travel restrictions. According to the International Air Transport Association (IATA), coronavirus-related loss estimates for 2020 total $137.7 billion—with total industry losses in 2020-2022 expected to reach $201 billion. As demand for holiday travel is expected to increase over the coming months, cyber criminals are watching closely for vulnerabilities as the industry battles new related challenges – labor shortages, supply chain issues, travel bans, and vaccination requirements.

What Organizations Need to Know

McAfee Enterprise and FireEye threat findings unwrap the imminently crucial need for organizations to prioritize and strengthen their cybersecurity architecture through the holidays and end of 2021. Our research indicates that 81% of global organizations experienced increased cyber threats and 79% experienced downtime in the wake of previous cyberattacks.

While IT professionals know cyber threats have intensified, the findings prove that many organizations have not effectively prioritized security during COVID-19:

  • 94% percent of IT professionals want their organization to improve its overall cyber readiness
  • 60% saw an increase in online/web activity
  • 33% have had their technology and security budgets reduced
  • 56% have suffered from downtime due to a cyber concern, costing some over $100,000 USD
  • 76% find maintaining a fully staffed security team/SOC even more challenging during peak periods

Proactively Guarding Against Emerging Holiday Threats

Organizations can be proactive in defending their networks, data, customers, and employees against the anticipated increase in holiday cybercrime by implementing security measures including, but not limited to:

  1. Adopt industry-wide cybersecurity requirements designed to protect against the latest iterations of cyber threats, especially those known to target specific industries.
  2. Provide cybersecurity awareness training for employees, especially when encountering holiday phishing emails or texts and suspicious URL campaigns designed to breach organizational databases
  3. Develop an incident response plan capable of responding and remedying a security breach in minutes rather than hours

In addition, enterprises and commercial businesses can implement cloud-delivered security with MVISION Unified Cloud Edge (UCE) and FireEye Extended Detection and Response (XDR).

 Note: The research was conducted between September- October 2021 by MSI-ACI via an online questionnaire to 1,451 IT Security Professionals from nine countries.

The post ‘Tis The Season for Holiday Cyber Threats Targeting Enterprises in a Pandemic World appeared first on McAfee Blog.

Who Will Bend the Knee in RaaS Game of Thrones in 2022?

By John Fokker

McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into a Game of Thrones power struggle among Ransomware-as-a-Service bad actors in 2022.

Prediction: Self-reliant cybercrime groups will shift the balance of power within the RaaS eco-kingdom. 

For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser skilled criminals which eventually led to more breaches and higher criminal profits.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.

In a response to the Colonial Pipeline attack, the popular cybercrime forums have banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

These events have undermined their trusted position. Ransomware has generated billions of dollars in recent years and it’s only a matter of time before more individuals who believe they aren’t getting their fair share become unhappy.

The first signs of this happening are already visible as described in our blog on the Groove Gang, a cyber-criminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization’s network. McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.

Trust in a few things remains important even among cybercriminals underground, such as keeping your word and paying people what they deserve. Cybercriminals aren’t immune from feeling like employees whose contributions aren’t being adequately rewarded. When this happens, these bad actors cause problems within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it was inevitable that some individuals who believe they aren’t getting their fair share become unhappy and let the cybercrime world know it.

Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online. In the past, McAfee ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim’s networks.

Less-skilled Operators Won’t Have to Bend the Knee in RaaS Model Power Shift

The Ransomware-as-a-Service eco system has evolved with the use of affiliates, the middlemen and women that work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union.

Historically, the ransomware developers, held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding “job interviews” to establish technical expertise. Using CTB locker as an example, prominence was placed on affiliates generating sufficient installs via a botnet, exploit kits or stolen credentials. But affiliates recently taking on the role and displaying the ability to penetrate and compromise a complete network using a variety of malicious and non-malicious tools essentially changed the typical affiliate profile towards a highly skilled pen-tester/sysadmin.

The hierarchy of a conventional organized crime group often is described as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.

While criminals collaborating in the world of cybercrime isn’t new, a RaaS group’s hierarchy has been more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates. But things are changing. RaaS admins and developers were prioritized as the top targets, but often neglected the affiliates who they perceived to be less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers.

Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe – just maybe – the impact will not be as severe as recent cases.

The post Who Will Bend the Knee in RaaS Game of Thrones in 2022? appeared first on McAfee Blog.

The Bug Report – October Edition

By Douglas McKee

Your Cyber Security Comic Relief

Apache server version 2.4.50 (CVE-2021-42013)

Why am I here?

Regardless of the origins, you’ve arrived at Advanced Threat Research team’s monthly bug digest – an overview of what we believe to be the most noteworthy vulnerabilities over the last month. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact.  If you don’t agree with these picks, we encourage you to write a strongly worded letter to your local senator. In lieu of that, we present our top CVEs from the last month.

Apache: CVE-2021-41773 and CVE-2021-42013

What is it?
2 CVES / 1 Vuln – It appears Apache struggled a bit with this latest critical vulnerability, where it took two tries to fix a basic path traversal bug, which was introduced while patching last month’s SSRF mod_proxy vulnerability. As path traversal bugs do, this allows unauthorized users to access files outside the expected document root on the web server. But wait, there’s more! This can lead to remote code execution provided mod-cgi is enabled on the server.

Who cares?
A quick Shodan scan told me there are at least 111,000 server admins that should care! With Apache being the second largest market share holder of implemented webservers, there is a good chance your organization is using it somewhere. It’s always important to consider both internal and external facing assets when looking at your exposure. Apache is even commonly used as an embedded webserver to other applications and should be reviewed for use in any installed 3rd party applications. Oh yeah – and if you overlook an instance you have installed somewhere, this IS currently being actively exploited in the wild – no pressure.

What can I do?
Oh! I know, use Microsoft IIS! If you’re not ready to completely abandon your webserver implementation, I suggest updating to Apache 2.4.51. Remember to avoid version 2.4.50 as it does not patch both vulnerabilities. If you have been an astute system admin and followed the Apache documentation using the default and pretty darn secure “require all denied” directive for all files outside the document root, kudos to you! Although patching is still highly recommended, you are not immediately vulnerable.

The Gold Standard
We recognize in some special cases patching is harder than compiling gcc from source, so McAfee Enterprise has you covered; we have been detecting path traversal attacks in our Network Security Platform (NSP) like it was going out of style since 1990 (and it was).

Win32k Driver: CVE-2021-40449

What is it?
Ain’t nothin’ free anymore! Except kernel module addresses on your Windows machines, thanks to Microsoft Windows CVE-2021-40449. This vulnerability is a use-after-free in the NtGdiResetDC function of the Win32k driver and can lead to attackers being able to locally elevate their privileges.

Who cares?
Are you currently reading this from a Microsoft Windows machine? Using Microsoft Server edition in your cloud? Local attacks are often given lower priority or downplayed. However, it is important to recognize that phishing attacks are still highly successfully as an initial point of entry, facilitating a need for privilege escalation bugs to obtain higher level access. So, unless you are a hardcore Linux and Mac-only shop, you may want to patch since this is actively being exploited by cybercriminals, according to our friends at Kaspersky.

What can I do?
That boring Microsoft patch Tuesday thing still works, or you could just use a superior operating system like FreeBSD.

The Gold Standard
Have you checked out the latest version of McAfee Enterprise ENS lately? Detecting exploitation and cybercriminal activity is sort of its thing, assuming you have grabbed the latest signatures.

Apple iOS: CVE-2021-30883

What is it?
An integer overflow vulnerability in the iOS “IOMobileFrameBuffer” component can allow an application to execute arbitrary code with kernel privileges. This has additionally been confirmed to be accessible from the browser.

Who cares?
Since Apple still reportedly holds 53% market share of all smartphone users, statistically speaking your organization should care too. It only takes one bad apple to hack your entire network, and with reported active exploitation in the wild it might happen sooner than you think.

What can I do?
You should be sensing a common theme in this section – and, in this case, you actually can take action! Stop reading this, plug that mobile device into a power source, and install the latest version of Apple iOS.

The Gold Standard
Since you stopped reading and updated already, congrats!

The post The Bug Report – October Edition appeared first on McAfee Blog.

Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022

By Raj Samani

McAfee Enterprise and FireEye recently released its 2022 Threat Predictions. In this blog, we take a deeper dive into the continuingly aggressive role Nation States will play in 2022.

Prediction: Lazarus Wants to Add You as a Friend

By Raj Samani

We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry.

But guess what?

The threat actors know this, and our appetite toward accepting connections from people we have never met are all part of our relentless pursuit of the next 1,000 followers.

A result of this has seen the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control over influencer accounts to promote messaging of their own.

While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to “hook” the target into interactions and establishing fake profiles are more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only through espionage groups, but other threat actors looking to infiltrate organizations for their own criminal gain.

Potential Impacts & Implications
The potential impacts and implications for an executive or company that had their social media channels targeted by threat actors are endless. We began to see some nation state groups using platforms like LinkedIn to target executives, more specifically targeting the defense and aerospace industry. For years we’ve been accepting connections on LinkedIn to expand our network and threat actors are using this to their advantage with job adverts. Threat actors will find the executive they want to target in the company they want to go after and develop profiles that look like legitimate recruiters. By getting an executive on the hook, they could potentially convince them to download a job spec that is malware. These types of espionage campaigns can be carried out by other social networks as well, including Twitter, Instagram, Reddit, etc.

Techniques & Tactics
In the past, fake social profiles were relatively easy to spot, however in the case of DPRK, the cybercriminals spent time to setting up a profile, get hooked up into the infosec scene, gain followers and connections through LinkedIn, making it more difficult than before to detect a fraudulent account. When threat actors weaponize social media, they use techniques and tactics you see in the legitimate world. They diligently do their research into what types of jobs would be of interest to you and share an offer that will require you to open a document and trick you to carry out some type of action that will have you download malicious content onto your device.

Who Can Regulate?
We live in a world where we are governed by rules, territories, and jurisdictions; to hold a threat actor accountable, we would need digital evidence. We need to use regulations for digital investigations, and the bad guys don’t. While in territories where there isn’t an extradition treaty, threat actors can continue their malicious behaviors without any consequences. Unfortunately, cybercrime has nonrepudiation and threat actors can deny all knowledge and get away with it.

Prevention
Cybercrime will always be an issue and we need to be more aware of what threat actors are doing and what they’re after. It’s important to understand the threat and what is happening. At McAfee Enterprise and FireEye we work to track malicious actors and integrate intelligence into our products and make content available for CISO, CEO etc. to know what to do and what to look for in the event they are targeted.

Prediction: Help Wanted: Bad Guys with Benefits

By Christiaan Beek

With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source-intelligence from a diversity of sources to gain more insights into threat-activities around the globe – and these include an increase in the blending of cybercrime and nation-state operations.

In many cases, a start-up company is formed, and a web of front companies or existing “technology” companies are involved in operations that are directed and controlled by the countries’ intelligence ministries.

In May 2021 for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front-companies facilitated hackers to create malware, attack targets of interest to gain business intelligence, trade-secrets, and information about sensitive technologies.

Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics. Hire hackers for operations, do not ask questions about their other operations if they do not harm the interests of their own country.

Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations.

The initial breach with tactics and tools could be similar as “regular” cybercrime operations, however it is important to monitor what is happening next and act fast. With the predicted increase of blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from tactics and operations conducted by actors targeting their sector.

Potential Impacts & Implications
With more tools at their disposal, nation state actors are reshaping the cyberthreat landscape leaving destruction and disrupted operations in their wake. There have been many accusations of “spying” which poses as a major threat to economic and national security. The main aim of these attacks is to obtain intellectual property or business intelligence. We are seeing nation states devoting a significant number of resources, time and energy toward achieving strategic cyber advantages, resulting in the implications of divulging national interests, intelligence-gathering capabilities, and military strength through espionage, disruption and theft.

Techniques & Tactics
In May 2021 incident where four Chinese nationals were charged in a global hacking campaign; the indictment stated the threat actors used a front company to hide the Chinese government’s role in the information theft. We anticipate nation states will continue to team up with cybercriminals and create front companies to hide involvement and gain access to private information, military tactics, trade secrets and more. Adversaries will leverage techniques like phishing, known vulnerabilities, malware, crimeware and more to attain their goal.

On the blending of cybercrime/nation-state; understanding the functionalities of malware becomes more important than ever. Let me give an example, when you get a Trickbot infection, a part of the code will steal credentials, they could be sold to a ransomware crew with a possible ransomware attack as result, a complete cybercrime operation. But what if the Trickbot infection was ordered by a Nation State, the credentials are used for a long time operation; started as a crime, ends as a long APT.

Who Can Regulate?
It’s important for governments to hold actors accountable for cyber incidents. Government entities and researchers can likely assist public and private sector organizations in navigating this new cyber landscape by developing standards and/or template processes to drive cyber defense and maintaining operational resiliency.

Prevention
A threat actor’s goal is to gain access to data they can sell, leverage for ransom, or gain critical knowledge so it is important to properly encrypt critical data, rendering it unusable to unauthorized users. You should also maintain regular, offline backups and have an incident response plan ready. Maintaining and testing offline backups can similarly mitigate the impact of destructive malware.

MVISION Insights Preview

Explore a preview of the only proactive solution to stay ahead of emerging threats.

Start Now

The post Nation States Will Weaponize Social and Recruit Bad Guys with Benefits in 2022 appeared first on McAfee Blog.

McAfee Enterprise & FireEye 2022 Threat Predictions

By McAfee Enterprise

What cyber security threats should enterprises look out for in 2022?

Ransomware, nation states, social media and the shifting reliance on a remote workforce made headlines in 2021. Bad actors will learn from this year’s successful tactics, retool, and pivot them into next year’s campaigns wielding the potential to wreak more havoc in all our lives.

Skilled engineers and security architects from McAfee Enterprise and FireEye offer a preview of how the threatscape might look in 2022 and how these new or evolving threats could potentially impact the security of enterprises, countries, and civilians.

“Over this past year, we have seen cybercriminals get smarter and quicker at retooling their tactics to follow new bad actor schemes – from ransomware to nation states – and we don’t anticipate that changing in 2022,” said Raj Samani, fellow and chief scientist of the combined company. “With the evolving threat landscape and continued impact of the global pandemic, it is crucial that enterprises stay aware of the cybersecurity trends so that they can be proactive and actionable in protecting their information.”

Lazarus Wants to Add You as a Friend

Nation States will weaponize social media to target more enterprise professionals

By Raj Samani

We love our social media. From beefs between popstars and professional pundits, to an open channel to the best jobs in the industry.

But guess what?

The threat actors know this, and our appetite toward accepting connections from people we have never met are all part of our relentless pursuit of the next 1,000 followers.

A result of this has seen the targeting of executives with promises of job offers from specific threat groups; and why not? After all, it is the most efficient method to bypass traditional security controls and directly communicate with targets at companies that are of interest to threat groups. Equally, direct messages have been used by groups to take control over influencer accounts to promote messaging of their own.

While this approach is not new, it is nearly as ubiquitous as alternate channels. After all, it does demand a level of research to “hook” the target into interactions and establishing fake profiles are more work than simply finding an open relay somewhere on the internet. That being said, targeting individuals has proven a very successful channel, and we predict the use of this vector could grow not only through espionage groups, but other threat actors looking to infiltrate organizations for their own criminal gain.

Help Wanted: Bad Guys with Benefits

Nation states will increase their offensive operations by leveraging cybercriminals

By Christiaan Beek

With a focus on strategic intelligence, our team is not only monitoring activity, but also investigating and monitoring open-source-intelligence from a diversity of sources to gain more insights into threat-activities around the globe – and these include an increase in the blending of cybercrime and nation-state operations.

In many cases, a start-up company is formed, and a web of front companies or existing “technology” companies are involved in operations that are directed and controlled by the countries’ intelligence ministries.

In May 2021 for example, the U.S. government charged four Chinese nationals who were working for state-owned front companies. The front-companies facilitated hackers to create malware, attack targets of interest to gain business intelligence, trade-secrets, and information about sensitive technologies.

Not only China but also other nations such as Russia, North Korea, and Iran have applied these tactics. Hire hackers for operations, do not ask questions about their other operations if they do not harm the interests of their own country.
Where in the past specific malware families were tied to nation-state groups, the blurring starts to happen when hackers are hired to write code and conduct these operations.

The initial breach with tactics and tools could be similar as “regular” cybercrime operations, however it is important to monitor what is happening next and act fast. With the predicted increase of blurring between cybercrime and nation-state actors in 2022, companies should audit their visibility and learn from tactics and operations conducted by actors targeting their sector.

Game of Ransomware Thrones

Self-reliant cybercrime groups will shift the balance of power within the RaaS eco-kingdom

By John Fokker

For several years, ransomware attacks have dominated the headlines as arguably the most impactful cyber threats. The Ransomware-as-a-Service (RaaS) model at the time opened the cybercrime career path to lesser skilled criminals which eventually led to more breaches and higher criminal profits.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals, eventually with a mind of their own.

In a response to the Colonial Pipeline attack, the popular cybercrime forums have banned ransomware actors from advertising. Now, the RaaS groups no longer have a third-party platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

These events undermine their trusted position. Ransomware has generated billions of dollars in recent years and it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.

The first signs of this happening are already visible as described in our blog on the Groove Gang, a cyber-criminal gang that branched off from classic RaaS to specialize in computer network exploitation (CNE), exfiltrate sensitive data and, if lucrative, partner with a ransomware team to encrypt the organization’s network.

In 2022, expect more self-reliant cybercrime groups to rise and shift the balance of power within the RaaS eco-climate from those who control the ransomware to those who control the victim’s networks.

Ransomware For Dummies

Less-skilled operators won’t have to bend the knee in RaaS model power shift

By Raj Samani

The Ransomware-as-a-Service eco system has evolved with the use of affiliates, the middlemen and women that work with the developers for a share of the profits. While this structure was honed during the growth of GandCrab, we are witnessing potential chasms in what is becoming a not-so-perfect union.

Historically, the ransomware developers, held the cards, thanks to their ability to selectively determine the affiliates in their operations, even holding “job interviews” to establish technical expertise. As more ransomware players have entered the market, we suspect that the most talented affiliates are now able to auction their services for a bigger part of the profits, and maybe demand a broader say in operations. For example, the introduction of Active Directory enumeration within DarkSide ransomware could be intended to remove the dependency on the technical expertise of affiliates. These shifts signal a potential migration back to the early days of ransomware, with less-skilled operators increasing in demand using the expertise encoded by the ransomware developers.

Will this work? Frankly, it will be challenging to replicate the technical expertise of a skilled penetration tester, and maybe – just maybe – the impact will not be as severe as recent cases.

Keep A Close Eye on API

5G and IoT traffic between API services and apps will make them increasingly lucrative targets

By Arnab Roy

Threat actors pay attention to enterprise statistics and trends, identifying services and applications offering increased risk potential. Cloud applications, irrespective of their flavor (SaaS, PaaS, or IaaS), have transformed how APIs are designed, consumed, and leveraged by software developers, be it a B2B scenario or B2C scenario. The reach and popularity of some of these cloud applications, as well as, the treasure trove of business-critical data and capabilities that typically lie behind these APIs, make them a lucrative target for threat actors. The connected nature of APIs potentially also introduces additional risks to businesses as they become an entry vector for wider supply chain attacks.

The following are some of the key risks that we see evolving in the future:

1. Misconfiguration of APIs
2. Exploitation of modern authentication mechanisms
3. Evolution of traditional malware attacks to use more of the cloud APIs
4. Potential misuse of the APIs to launch attacks on enterprise data
5. The usage of APIs for software-defined infrastructure also means potential misuse.

For developers, developing an effective threat model for their APIs and having a Zero Trust access control mechanism should be a priority alongside effective security logging and telemetry for better incident response and detection of malicious misuse.

Hijackers Will Target Your Application Containers

Expanded exploitation of containers will lead to endpoint resource takeovers

By Mo Cashman

Containers have become the de facto platform of modern cloud applications. Organizations see benefits such as portability, efficiency and speed which can decrease time to deploy and manage applications that power innovation for the business. However, the accelerated use of containers increases the attack surface for an organization. Which techniques should you look out for, and which container risk groups will be targeted? Exploitation of public-facing applications (MITRE T1190) is a technique often used by APT and Ransomware groups. The Cloud Security Alliance (CSA) identified multiple container risk groups including Image, Orchestrator, Registry, Container, Host OS and Hardware.

The following are some of the key risks groups we anticipate will be targeted for expanded exploitation in the future:

1. Orchestrator Risks: Increasing attacks on the orchestration layer, such as Kubernetes and associated API mainly driven by misconfigurations.
2. Image or Registry Risk: Increasing use of malicious or backdoored images through insufficient vulnerability checks.
3. Container Risks: Increasing attacks targeting vulnerable applications.

Expanded exploitation of the above vulnerabilities in 2022 could lead to endpoint resource hijacking through crypto-mining malware, spinning up other resources, data theft, attacker persistence, and container-escape to host systems.

Zero Cares About Zero-days

The time to repurpose vulnerabilities into working exploits will be measured in hours and there’s nothing you can do about it… except patch

By Fred House

2021 is already being touted as one of the worst years on record with respect to the volume of zero-day vulnerabilities exploited in the wild. The scope of these exploitations, the diversity of targeted applications, and ultimately the consequences to organizations were all notable. As we look to 2022, we expect these factors to drive an increase in the speed at which organizations respond.

When we first learned in 2020 that roughly 17,000 SolarWinds customers were compromised and an estimated 40 were subsequently targeted, many reacted in shock at the pure scope of the compromise. Unfortunately, 2021 brought its own notable increase in volume along with uninspiring response times by organizations. Case in point: two weeks after Microsoft patched ProxyLogon they reported that 30K Exchange servers were still vulnerable (less conservative estimates had the number at 60K).

ProxyShell later arrived as Exchange’s second major event of the year. In August, a Blackhat presentation detailing Exchange Server vulnerabilities was followed the next day by the release of an exploit POC, all of which had been patched by Microsoft months earlier in April/May. This analysis of data captured by Shodan one week after the exploit POC was released concluded that over 30K Exchange servers were still vulnerable, noting that the data may have underrepresented the full scope (i.e., Shodan hadn’t had time to scan the full Internet). In summary: patched in the Spring, exploited in the Fall.

So, what can we take away from all of this? Well, attackers and security researchers alike will continue to hone their craft until weaponized exploits and POCs are expected within hours of vulnerability disclosure. In turn however, and largely driven by the increased consequences of compromise, we can also expect renewed diligence around asset and patch management. From identifying public facing assets to quickly deploying patches despite potential business disruption, companies will have a renewed focus on reducing their “time to patch.” While we will inevitably continue to see high-impact exploitations, the scope of these exploitations will be reduced as more organizations get back to the basics.

The post McAfee Enterprise & FireEye 2022 Threat Predictions appeared first on McAfee Blog.

Is There Really Such a Thing as a Low-Paid Ransomware Operator?

By Thibault Seret

Introduction

Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten dollars each year from their nefarious activities.

Lurking in the shadows of every large-scale attack by organized gangs of cybercriminals, however, there can be found a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to be affiliates in the post-DarkSide RaaS world or the financial clout to tool up at speed.

So what is a low-paid ransomware operator to do in such circumstances?

By getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims and, in this blog, we will track the criminal career of one such actor as they evolve from homemade ransomware to utilizing major ransomware through the use of publicly leaked builders.

The Rich Get Richer

For years, the McAfee Enterprise Advanced Threat Research (ATR) team has observed the proliferation of ransomware and the birth and (apparent) death of large organized gangs of operators. The most notorious of these gangs have extorted huge sums of money from their victims, by charging for decryption of data or by holding the data itself to ransom against the threat of publication on their ‘leak’ websites.

With the income of such tactics sometimes running into the millions of dollars, such as with the Netwalker ransomware that generated 25 million USD between 1 March and 27 July 2020, we speculate that much of those ill-gotten funds are subsequently used to build and maintain arsenals of offensive cyber tools, allowing the most successful cybercriminals to stay one step ahead of the chasing pack

Figure 1: Babuk group looking for a corporate VPN 0-Day

As seen in the image above, cybercriminals with access to underground forums and deep pockets have the means to pay top dollar for the tools they need to continually generate more income, with this particular Babuk operator offering up 50,000 USD for a 0-day targeting a corporate virtual private network (VPN) which would allow easy access to a new victim.

The Lowly-Paid Don’t Necessarily Stay That Way

For smaller ransomware operators, who do not have affiliation with a large group, the technical skills to create their own devastating malware or the financial muscle to buy what they need, the landscape looks rather different.

Unable to build equally effective attack chains, from initial access through to data exfiltration, their opportunities to make illegal profits are far slimmer in comparison to the behemoths of the ransomware market.

Away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are toiling in the background, attempting to evolve their own operations any way they can. One such method we have observed is through the use of leaks, such as the recent online posting of Babuk’s builder and source code.

Figure 2: Babuk builder public leak on Twitter

Figure 3: Babuk source code leak on underground forum

McAfee Enterprise ATR has seen two distinct types of cybercriminal taking advantage of leaks such as this. The first group, which we presume to be less tech-savvy, has merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their own versions of Babuk, complete with additional features and new packers.

Thus, even those operators at the bottom of the ransomware food chain have the opportunity to build on others’ work, to stake their claim on a proportion of the money to be made from data exfiltration and extortion.

ATR’s Theory of Evolution

A Yara rule dedicated to Babuk ransomware triggered a new sample uploaded on VirusTotal, which brings us to our ‘lowly-paid’ ransomware actor.

From a quick glance at the sample we can deduce that it is a copied and pasted binary output from Babuk’s builder, with an edited ransom note naming the version “Delta Plus”, two recovery email addresses and a new Bitcoin address for payments:

Figure 4: Strings content of “Delta Plus” named version of Babuk

We’ve seen the two email recovery addresses before – they have been used to deliver random ransomware in the past and, by using them to pivot, we were able to delve into the actor’s resume:

The first email address, retrievedata300@gmail.com, has been used to drop a .NET ransomware mentioning “Delta Plus”:

Figure 5: Strings content of .NET ransomware related to previous Delta ransomware activities

Filename Setup.exe
Compiled Time Tue Sep  7 17:58:34 2021
FileType Win32 EXE
FileSize 22.50 KB
Sha256 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d

The ransomware is pretty simple to analyze; all mechanisms are declared, and command lines, registry modification, etc., are hardcoded in the binary.

Figure 6: .NET analysis with command line details

In fact, the actor’s own ransomware is so poorly developed (no packing, no obfuscation, command lines embedded in the binary and the fact that the .NET language is easy to analyze) that it is hardly surprising they started using the Babuk builder instead.

By way of contrast, their new project is well developed, easy to use and efficient, no to mention painful to analyze (as it is written in the Golang language) and provides executables for Windows, Linux and network attached storage (NAS) systems.

The second email address, deltapaymentbitcoin@gmail.com, has been used to drop an earlier version of the .NET ransomware

Figure 7: Strings content from first version of .NET ransomware

Filename test2.exe
Compiled Time Mon Aug 30 19:49:54 2021
FileType Win32 EXE
FileSize 15.50 KB
Sha256 e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761

Tactics, Techniques and Procedures

By checking the relationships between “Delta ransomware”, the Babuk iteration and the domains contacted during process execution, we can observe some domains related to our sample:

suporte01928492.redirectme.net
suporte20082021.sytes.net
24.152.38.205

Thanks to a misconfiguration, files hosted on those two domains are accessible through Open Directory (OpenDir), which is a list of direct links to files stored on a server:

Figure 8: Open Directories website where samples are hosted

  • bat.rar: A PowerShell script used to perform several operations:
    • Try to disable Windows Defender
    • Bypass User Account Control (UAC)
    • Get system rights via runasti

Figure 9: Privilege escalation to get system rights

  • exe.rar: Delta Plus ransomware
  • reg.rar: Registry values used to disable Windows Defender

Figure 10: Registry value modifications to disable Windows Defender

Other domains where files are hosted contain different tools used during attack operations:

  • We’ve found two methods employed by the operator, which we assume to be used for initial access: First, a fake Flash Player installer and, secondly, a fake Anydesk remote tool installer used to drop the ransomware. Our theory about Flash Player initial access has been confirmed by checking the IP that hosts most of the domains:

Figure 11: Fake Flash website used to download fake Flash installer

When logging in, the website warns you that your Flash Player version is outdated and tries to download the Fake Flash Player installer:

Figure 12: JavaScript variables used to drop fake Flash Installer

A secondary site appears to have also been utilized in propagating the fake Flash Player, though it is currently offline :

Figure 13: JavaScript function to download the fake Flash Installer from another website

  • Portable Executable (PE) files used to launch PowerShell command lines to delete shadow copies, exclude Windows Defender and import registry keys from “Update.reg.rar” to disable Windows defender.
  • A PE file used for several purposes: Exfiltrating files from the victim, keylogging, checking if the system has already been held to ransom, getting system information, obtaining user information and to create and stop processes.

Figure 14: Functions and C2 configuration from ransomware sample

(host used for extraction)

  • In addition to the above, we also found evidence that this actor tried to leverage another ransomware builder leak, Chaos ransomware.

Infrastructure

The majority of domains used by this actor are hosted on the same IP: “24.152.38.205” (AS 270564 / MASTER DA WEB DATACENTER LTDA).

But as we saw by “analyzing” the extraction tool used by the actor, another IP is mentioned: “149.56147.236” (AS 16276 / OVH SAS). On this IP, some ports are open, such as FTP (probably used to store exfiltrated data), SSH, etc.

By looking at this IP with Shodan, we can get a dedicated hash for the SSH service, plus fingerprints to use on this IP, and then find other IPs used by the actor during their operations.

By using this hash, we were able to map the infrastructure by looking for other IPs sharing the same SSH key + fingerprintings.

At least 174 IPs are sharing the same SSH pattern (key, fingerprint, etc.); all findings are available in the IOCs section.

Some IPs are hosting different file types, maybe related to previous campaigns:

Figure 15: Open Directory website probably used by the same actor for previous campaigns

Bitcoin Interests

Most of the ransomware samples used by the actor mention different Bitcoin (BTC) addresses which we assume is an effort to obscure their activity.

By looking for transactions between those BTC addresses with CipherTrace, we can observe that all the addresses we extracted (see the circle highlighted with a yellow “1” below) from the samples we’ve found are related and eventually point to a single Bitcoin wallet, probably under control of the same threat actor.

From the three samples we researched, we were able to extract the following BTC addresses:

  • 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
  • 1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk
  • bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

Figure 16: Follow the money with CipherTrace

Ransomware Isn’t Just About Survival of the Fittest

As we have seen above, our example threat actor has evolved over time, moving from simplistic ransomware and demands in the hundreds of dollars, to toying with at least two builder leaks and ransom amounts in the thousands of dollars range.

While their activity to date suggests a low level of technical skill, the profits of their cybercrime may well prove large enough for them to make another level jump in the future.

Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.

In the meantime, such opportunitistic actors will continue to bait their hooks and catch any fish they can as, unlike affiliated ransomware operators, they do not have to follow any rules in return for support (pentest documentation, software, infrastructure, etc.) from the gang’s operators. Thus, they have a free hand to carry out their attacks and, if a victim wants to bite, they don’t care about ethics or who they target.

The good news for everyone else, however, is the fact that global law enforcement isn’t gonna need a bigger boat, as it already casts its nets far and wide.

 

Mitre Att&ck

Technique ID Technique Description Observable
T1189 Drive By Compromise The actor is using a fake Flash website to spread fake a Flash installer.
T1059.001 Command Scripting Interpreter: PowerShell PowerShell is used to launch command lines (delete shadow copies, etc.).
T1059.007 Command and Scripting Interpreter: JavaScript JavaScript is used in the fake Flash website to download the fake Flash installer.
T1112 Modify Registry To disable Windows Defender, the actor modifies registry. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” and “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection”.
T1083 File and Directory Discovery The actor is listing files on the victim system.
T1057 Process Discovery The actor is listing running processes on the victim system.
T1012 Query Registry To perform some registry modifications, the actor is first querying registry path.
T1082 System Information Discovery Before encrypting files, the actor is listing hard drives.
T1056.001 Input Capture: Keylogging The exfiltration tool has the capability to log user keystrokes.
T1005 Data from Local System
T1571 Non-Standard Port The actor is using port “1177” to exfiltrate data.
T1048 Exfiltration Over Alternative Protocol
T1486 Data Encrypted for Impact Data encrypted by ransomware.
T1490 Inhibit System Recovery Delete Shadow Copies.

 

Detection Mechanisms

Sigma Rules

–          Shadow Copies Deletion Using Operating Systems Utilities: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml

–          Drops Script at Startup Location: https://github.com/joesecurity/sigma-rules/blob/master/rules/dropsscriptatstartuplocation.yml

–          File Created with System Process Name: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/sysmon_creation_system_file.yml

–          Suspicious Svchost Process: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml

–          System File Execution Location Anomaly: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_system_exe_anomaly.yml

–          Delete Shadow copy via WMIC: https://github.com/joesecurity/sigma-rules/blob/master/rules/deleteshadowcopyviawmic.yml

–          Always Install Elevated Windows Installer: https://github.com/SigmaHQ/sigma/blob/59000b993d6280d9bf063eefdcdf30ea0e83aa5e/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml

 

Yara Rules

Babuk Ransomware Windows

rule Ransom_Babuk {

meta:

description = “Rule to detect Babuk Locker”

author = “TS @ McAfee Enterprise ATR”

date = “2021-01-19”

hash = “e10713a4a5f635767dcd54d609bed977”

rule_version = “v2”

malware_family = “Ransom:Win/Babuk”

malware_type = “Ransom”

mitre_attack = “T1027, T1083, T1057, T1082, T1129, T1490, T1543.003”

 

strings:

$s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}

//  \ How To Restore Your Files .txt

$s2 = “delete shadows /all /quiet” fullword wide

 

$pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200
000047784657440000004778435644000000477843494D67720044656657617463680000000063634576744D67720000000063635365744D67720000000
0536176526F616D005254567363616E0051424643536572766963650051424944505365727669636500000000496E747569742E517569636B426F6F6B732E46435300}

$pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}

$pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154
000C78598FDFFFFE0154000C7859CFDFFFFE8154000C785A0FDFFFFF0154000C785A4FDFFFFF8154000C785A8FDFFFF00164000C785ACFDFFFF081640
00C785B0FDFFFF10164000C785B4FDFFFF18164000C785B8FDFFFF20164000C785BCFDFFFF28164000C785C0FDFFFF30164000C785C4FDFFFF3816400
0C785C8FDFFFF40164000C785CCFDFFFF48164000C785D0FDFFFF50164000C785D4FDFFFF581640}

$pattern4 ={400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C104000781040008
41040008C10400094104000A0104000B0104000C8104000DC104000E8104000F01040000011400008114000181140002411400038114000501140005C
11400064114000741140008C114000A8114000C0114000E0114000F4114000101240002812400034124000441240005412400064124000741240008C1
24000A0124000B8124000D4124000EC1240000C1340002813400054134000741340008C134000A4134000C4134000E8134000FC134000141440003C14
4000501440006C144000881440009C144000B4144000CC144000E8144000FC144000141540003415400048154000601540007815}

 

condition:

filesize >= 15KB and filesize <= 90KB and

1 of ($s*) and 3 of ($pattern*)

}

 

Exfiltration Tool

rule CRIME_Exfiltration_Tool_Oct2021 {

meta:

description = “Rule to detect tool used to exfiltrate data from victim systems”

author = “TS @ McAfee Enterprise ATR”

date = “2021-10-04”

hash = “ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd”

 

strings:

$pattern1 = {79FA442F5FB140695D7ED6FC6A61F3D52F37F24B2F454960F5D4810C05D7A83D4DD8E6118ABDE2055E4D
CCFE28EBA2A11E981DB403C5A47EFB6E367C7EC48C5EC2999976B5BC80F25BEF5D2703A1E4C2E3B30CD26E92570DAF1F9BD7B48B38FB522358}

$pattern2 = {B4A6D4DD1BBEA16473940FC2DA103CD64579DD1A7EBDF30638A59E547B136E5AD113835B8294F53B8C3A
435EB2A7F649A383AA0792DD14B9C26C1BCA348920DFD37DA3EF6260C57C546CA51925F684E91239152DC05D5161A9064434}

$pattern3 = {262E476A45A14D4AFA448AF81894459F7296633644F5FD061A647C6EF1BA950FF1ED48436D1BD4976BF8
1EE84AE09D638BD2C2A01FA9E22D2015518280F6692EB976876C4045FADB71742B9579C13C7482A44A}

$pattern4 = {F2A113713CCB049AFE352DB8F99160855125E5A045C9F6AC0DCA0AB615BD34367F2CA5156DCE5CA286CC
C55E37DFCDC5AAD14ED9DAB3CDB9D15BA91DD79FF96E94588F30}

 

condition:

3 of ($pattern*)

}

 

 

IOCs

Infrastructure URLs

http://atualziarsys.serveirc.com/Update4/

http://services5500.sytes.net/Update6/Update.exe.rar

http://suporte20082021.sytes.net/Update5/

http://atualziarsys.serveirc.com/update4/update.exe.rar

http://suporte20082021.sytes.net/Update3/

http://suporte01928492.redirectme.net/

http://atualziarsys.serveirc.com/Update3/

http://services5500.sytes.net/update8/update.exe.rar

http://suporte20082021.sytes.net/update/

http://suporte20082021.sytes.net/Update5/Update.exe.rar

http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar

http://suporte01928492.redirectme.net/Update5/Update.exe.rar

http://services5500.sytes.net/update7/update.exe.rar

http://services5500.sytes.net/Update8/Update.exe.rar

http://services5500.sytes.net/Update8/Update.bat.rar

http://suporte01092021.myftp.biz/update/

http://services5500.sytes.net/Update7/Update.exe.rar

http://suporte01928492.redirectme.net/Update7/Update.bat.rar

http://suporte01928492.redirectme.net/Update7/Update.exe.rar

http://services5500.sytes.net/update6/update.exe.rar

http://suporte01092021.myftp.biz/

http://services5500.sytes.net/Update6/Update.bat.rar

http://suporte01928492.redirectme.net/update6/update.exe.rar

http://suporte01928492.redirectme.net/update5/update.exe.rar

http://services5500.sytes.net/

http://suporte01928492.redirectme.net/Update6/Update.exe.rar

http://atualziarsys.serveirc.com/Update3

http://atualziarsys.serveirc.com/update3/update.reg.rar

http://24.152.38.205/pt/flashplayer28_install.zip

http://suporte01928492.redirectme.net/Update7

http://atualziarsys.serveirc.com/

http://atualziarsys.serveirc.com/update3/mylink.vbs.rar

http://suporte01928492.redirectme.net/update7/update.exe.rar

http://atualziarsys.serveirc.com/Update4/Update.exe.rar

http://suporte01928492.redirectme.net/appmonitorplugin.rar

http://atualziarsys.serveirc.com/update3/update.exe.rar

http://suporte20082021.sytes.net/

http://suporte20082021.sytes.net/update3/update.exe.rar

http://atualziarsys.serveirc.com/Update4/Update.exe2.rar

http://suporte20082021.sytes.net/Update3/Update.exe.rar

http://suporte20082021.sytes.net/Update5/Update.reg.rar

http://atualziarsys.serveirc.com/Update4/Update.exe2.rar/

http://atualziarsys.serveirc.com/Update4

http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar

http://suporte01092021.myftp.biz/update

http://atualziarsys.serveirc.com/Update3/Update.reg.rar/

http://atualziarsys.serveirc.com/Update3/Update.exe.rar

http://suporte20082021.sytes.net/Update3/Update.exe.rar/

http://suporte01092021.myftp.biz/update/WindowsUpdate2.rar/

http://atualziarsys.serveirc.com/Update4/Update.exe.rar/

http://atualziarsys.serveirc.com/Update3/mylink.vbs.rar

http://atualziarsys.serveirc.com/update4

http://atualziarsys.serveirc.com/update3

http://suporte01092021.myftp.biz/update/Update.rar

http://suporte01928492.redirectme.net/AppMonitorPlugIn.rar/

http://suporte20082021.sytes.net/update5/update.exe.rar

http://suporte01092021.myftp.biz/update5/update.exe.rar

http://atualziarsys.serveirc.com/update4/update.exe2.rar

http://suporte01092021.myftp.biz/update/windowsupdate2.rar

http://suporte20082021.sytes.net/update2/update.exe.rar

http://suporte20082021.sytes.net/update/windowsupdate2.rar

http://atualziarsys.serveirc.com/Update4/mylink.vbs.rar

http://atualziarsys.serveirc.com/favicon.ico

http://24.152.38.205/1.rar

http://24.152.38.205/1.exe

http://appmonitorplugin.sytes.net/appmonitorplugin.rar

http://suporte20082021.sytes.net/update/WindowsUpdate2.rar

http://appmonitorplugin.sytes.net/

http://suporte20082021.sytes.net/appmonitorplugin.rar

http://suportmicrowin.sytes.net/appmonitorplugin.rar

http://suportmicrowin.sytes.net/

http://suportmicrowin.sytes.net/AppMonitorPlugIn.rar

http://appmonitorplugin.sytes.net/AppMonitorPlugIn.rar

http://24.152.38.205/pt/setup.zip

 

Infrastructure Domains

services5500.sytes.net

atualziarsys.serveirc.com

suporte01092021.myftp.biz

suporte20082021.sytes.net

suporte01928492.redirectme.net

suportmicrowin.sytes.net

appmonitorplugin.sytes.net

 

Infrastructure IPs

149.56.147.236

24.152.38.205

54.38.122.66

149.56.38.168

149.56.38.170

24.152.36.48

66.70.170.191

66.70.209.174

142.44.129.70

51.79.107.245

46.105.36.189

178.33.108.239

54.39.193.37

24.152.37.115

144.217.139.134

24.152.36.58

51.38.19.201

51.222.97.177

51.222.53.150

144.217.45.69

87.98.137.173

144.217.199.24

24.152.37.19

144.217.29.23

198.50.246.8

54.39.163.60

54.39.84.55

24.152.36.30

46.105.38.67

24.152.37.96

51.79.63.229

178.33.107.134

164.132.77.246

54.39.163.58

149.56.113.76

51.161.120.193

24.152.36.210

176.31.37.238

176.31.37.237

24.152.36.83

24.152.37.8

51.161.76.193

24.152.36.117

137.74.246.224

51.79.107.134

51.79.44.49

51.222.173.152

51.79.124.129

51.79.107.242

51.222.173.148

144.217.117.172

54.36.82.187

54.39.152.91

54.36.82.177

142.44.146.178

54.39.221.163

51.79.44.57

149.56.38.173

24.152.36.46

51.38.19.198

51.79.44.59

198.50.246.11

24.152.36.35

24.152.36.239

144.217.17.186

66.70.209.169

24.152.36.158

54.39.84.50

51.38.19.200

144.217.45.68

144.217.111.5

54.38.164.134

87.98.171.7

51.79.124.130

66.70.148.142

51.255.119.19

66.70.209.168

54.39.239.81

24.152.36.98

51.38.192.225

144.217.117.10

144.217.189.108

66.70.148.136

51.255.55.134

54.39.137.73

66.70.148.137

54.36.146.230

51.79.107.254

54.39.84.52

144.217.61.176

24.152.36.150

149.56.147.236

51.38.19.196

54.39.163.57

46.105.36.133

149.56.68.191

24.152.36.107

158.69.99.10

51.255.55.136

54.39.247.244

149.56.147.204

158.69.99.15

144.217.32.24

149.56.147.205

144.217.32.213

54.39.84.53

79.137.115.160

144.217.233.98

51.79.44.56

24.152.36.195

142.44.146.190

144.217.139.13

54.36.82.180

198.50.246.14

137.74.246.223

24.152.36.176

51.79.107.250

51.161.76.196

198.50.246.12

66.70.209.170

66.70.148.139

51.222.97.189

54.39.84.49

144.217.17.185

142.44.129.73

144.217.45.67

24.152.36.28

144.217.45.64

24.152.37.39

198.27.105.3

51.38.8.75

198.50.204.38

54.39.221.11

51.161.76.197

54.38.122.64

91.134.217.71

24.152.36.100

144.217.32.26

198.50.246.13

54.36.82.188

54.39.84.25

66.70.209.171

51.38.218.215

54.39.8.92

51.38.19.205

54.39.247.228

24.152.36.103

24.152.36.104

51.79.44.43

54.39.152.202

66.70.134.218

24.152.36.25

149.56.113.79

178.32.243.48

144.217.45.66

66.70.173.72

176.31.37.239

54.38.225.81

158.69.4.173

24.152.37.189

54.36.146.129

198.50.246.15

51.222.102.30

51.79.105.91

51.79.9.91

51.222.173.151

51.79.107.124

51.222.173.142

144.217.17.187

149.56.85.98

51.79.107.244

144.217.158.195

24.152.36.178

192.95.20.74

51.79.117.250

 

Ransomware Hashes

106118444e0a7405c13531f8cd70191f36356581d58789dfc5df3da7ba0f9223

e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761

ae6020a06d2a95cbe91b439f4433e87d198547dec629ab0900ccfe17e729cff1

c3776649d9c0006caba5e654fa26d3f2c603e14463443ad4a5a08e4cf6a81994

63b6a51be736d253e26011f19bd16006d7093839b345363ef238eafcfe5e7e85

94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d

c8d97269690d3b043fd6a47725a61c00b57e3ad8511430a0c6254f32d05f76d6

67bc70d4141d3f6aaf8f17963d56df5cee3727a81bc54407e90fdf1a6dc8fe2a

98a3ef26b346c4f47e5dfdba4e3e26d1ef6a4f15969f83272b918f53d456d099

c3c306b2d51e7e4f963a6b1905b564ba0114c8ae7e4bb4656c49d358c0f2b169

 

Bitcoin Addresses

3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs

1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk

bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

 

PDB

C:\Users\workdreams\Desktop\Testes\Crypt_FInal\Crazy_Crypt\Crazy\obj\Debug\AppMonitorPlugIn.pdb

C:\Users\workdreams\Desktop\test\Nopyfy-Ransomware-master\Nopyfy-Ransomware\Nopyfy-Ransomware\obj\Debug\Nopyfy-Ransomware.pdb

 

PowerShell Script

a8d7b402e78721443d268b682f8c8313e69be945b12fd71e2f795ac0bcadb353

 

Exfiltration Tool

ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd

c3323fbd0d075bc376869b0ee26be5c5f2cd4e53c5efca8ecb565afa8828fb53

 

Fake Flash Player installer

d6c35e23b90a7720bbe9609fe3c42b67d198bf8426a247cd3bb41d22d2de6a1f

 

Fake Anydesk Installer

e911c5934288567b57a6aa4f9344ed0f618ffa4f7dd3ba1221e0c42f17dd1390

 

 

The post Is There Really Such a Thing as a Low-Paid Ransomware Operator? appeared first on McAfee Blog.

China Personal Information Protection Law (PIPL): A New Take on GDPR?

By Graham Clarke

Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May 2018.  It was designed to regulate how businesses protect personal data, notably how personal data is processed, and granted rights to individuals to exercise more control over their personal data.

GDPR is a framework which requires businesses to implement processes to enable them to understand where data is held, how it is used, how long it is kept for, how this can be reported to individuals, and how they may request its correction or deletion.

A critical – and often misunderstood – aspect of GDPR is that it doesn’t just apply to EU businesses.  Any company in the world that stores information on EU citizens must adhere to the regulations; serious breaches can result in significant fines.  Even just the top five companies that were penalized since GDPR’s introduction run into the hundreds of millions of US dollars!  These regulations have teeth, so people pay attention to them.

Beyond GDPR’s own impact in protecting the rights of EU residents, perhaps its greatest legacy has been to increase expectations for how organizations handle personal data the world over. GDPR has set a new global standard, and we are seeing it serve as the model for a number of similar laws being mooted or passed by governments all over the world. With that in mind, how many businesses have heard of the PIPL (Personal Information Protection Law)?  In August 2021, the Standing Committee of the National People’s Congress, the top legislative body in the People’s Republic of China, voted for this law to take effect on Nov. 1, 2021.  It has many similarities to GDPR, a key one being that it also applies world-wide with respect to data held on Chinese citizens.  If your company is a multi-national corporation that deals with Chinese individuals then it applies to you, no matter where your business is incorporated or headquartered.

Likely many of the processes you have in place for GDPR can be repurposed for PIPL, however you will be looking for different data.  McAfee’s Data Protection products (MVISION Unified Cloud Edge, MVISION Cloud, Endpoint DLP, and Network DLP) will help you identify where PIPL-relevant data is held and how it is being used.  Data classifications/data identifiers for the Chinese Resident Identity Card, passport numbers, mobile phones etc can be identified in data stored in the cloud and on premise.  McAfee’s unique multi-vector data exfiltration protection (more on that here) can also assist in ensuring that sensitive PII data doesn’t end up somewhere it shouldn’t.  Here’s a view of our management console showing how we can identify Chinese PII:

No individual product can claim to make a business “PIPL compliant”, but products such as McAfee’s Data Protection suites should be considered a key part of a toolbox to aid in this goal. The fact that we’ve had this capability within our products for an extended time, well before the introduction of PIPL, is yet another datapoint as to why Gartner named MVISION Cloud THE market leader in the CASB Magic Quadrant and why Forrester named us a leader in their Forrester Wave ™ Unstructured Data Security Platforms.

November is barely a month away and if you’re not already considering how to handle PIPL, you now need to make this a priority.  Consider testing and enabling our Chinese PII classifications.  If you’re running another vendor’s product that doesn’t offer such capability then take a look at how our MVISION Unified Cloud Edge solution can help solve this along with the digital transformation to cloud first that most companies have already undertaken.

The post China Personal Information Protection Law (PIPL): A New Take on GDPR? appeared first on McAfee Blog.

2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope

By Melissa Gaffney

We’re closing McAfee Enterprise’s Hispanic Heritage Month with Solutions Architect, Gus Arias. Read the full interview below to see how his heritage impacted his life and career in technology.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I love the food and music.  To this day I never get tired of eating Arepas, a staple of my Venezuelan heritage.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

I’ve always liked technology and I took a leap into IT from the Mortgage Industry. I stayed hungry for knowledge and am always eager to learn which transformed my cybersecurity career to where it is today.

What do you hope to pass on to future generations?

I want future generations to know that it is never too late to learn something new, and you should strive to learn something new every day.

What are the three most important things that people should know about your culture?

  1. Family oriented (Family takes care of family)
  2. We are very festive (any chance we get we will throw a party)
  3. A night of having family and friends over will turn out into a cookout and game night of playing dominos

What types of foods were cooked for special occasions when you were growing up?

Arepas, Mandocas, Hayacas, and Paella

Is there a tradition or celebration that you hope that your descendants maintain?

I would have to say our Christmas celebrations throughout the month of December.

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Do not let anything hold you back and when it comes to change, have an open and positive view. Learn from those changes to improve, also work on soft skills. From a technology perspective – keep up with the times. Meaning, stay informed on the evolution of technology and threats.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

Educate and promote early by engaging with local schools. Also, provide internships at the High School/College levels as a summer program.

The post 2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.

2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope

By Melissa Gaffney

Although Hispanic Heritage Month is coming to an end on October 15th, it doesn’t mean we have to stop celebrating our employee’s and learning about their heritage and what led them to their career in cybersecurity. Take a look at the conversation below with McAfee Enterprise, Joyce Moros-Nahim, LTAM Legal Director

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

What I enjoy the most about being Hispanic is that we are very amiable. We are always exited to meet new people and have new experiences. One of my favorite memories growing up is all the time I spent with my family. It was never something my parents had to force my brother and I to do. We were always happy to hang out with our cousins, have lunch with our “abuelitos” (grandparents), and celebrate with our very large family.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I have met and worked closely with many Hispanic and LatinX individuals and their enthusiasm and dedication for their chosen career along with their zest for life has taken them very far in both their home country and around the world. This has inspired me to keep pushing and take on every day with positivity and joy.

Why were you interested in a career in technology and how has your heritage played a role in where you are today?

I have always been interested in the technology industry because it changes every day and will be more prevalent as we move into the future. Having been born in a Latin American country (Venezuela), I was always intrigued in seeing how other countries evolved in this industry.

What do you hope to pass on to future generations?

I hope that future generations will continue to appreciate and partake in their cultural traditions. No matter which country a Latinx individual is from, they’re typically very family oriented, respectful, hardworking, and loving; which I hope will continue in future generations.  

What family traditions did you have growing up?

Visiting my grandmothers almost every day and having a Cafecito.  On Sundays, we would also go to church in our Sunday best and have lunch with the whole family. I always enjoyed this time because I would see my whole family and hear about their week. It kept us spiritually and physically united.

What are the three most important things that people should know about your culture?

Venezuelans are extremely hospitable, hardworking, and love to befriend people with different nationalities.

Define and describe the most important (or most celebrated) holiday of your culture.

The most celebrated holiday in my culture is New Year’s Eve. The families get together and have “hallacas” and pan de jamon, two traditional Venezuelan meals. As it is about to strike 12 AM, we each eat 12 grapes, symbolizing 12 wishes or resolutions we have for the upcoming year. Once it’s 12 AM, we all embrace and celebrate what is to come!

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

My advice to a young Hispanic/Latinx individual would be to gain experience in the field and to find a mentor with a similar heritage to guide and inspire you.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

A great way to attract more Hispanic/LatinX people to cybersecurity is to have programs in Latin American countries that will teach children about technology and how it’s key in our everyday life.

The post 2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.

Shaping the Future of Cybersecurity

By Bryan Palma

Today marks a significant and exciting step forward for the combined McAfee Enterprise and FireEye businesses as we create a pure play, cybersecurity market leader.

I’m incredibly proud to be writing this as the newly appointed CEO of this combined business. Keeping nations and large enterprises safe is – I believe – one of the most important challenges facing the world today. We have already started working together to bring together the best of McAfee Enterprise and FireEye. Together, we see vast opportunities to develop an integrated security platform powered by artificial intelligence, machine learning, and automation that will offer an unbeatable security portfolio to protect customers across endpoints, infrastructure, applications, and in the cloud. With our combined energies, we will be able to bring these solutions to market faster, and with greater innovation than before.

And we will do this because of our incredibly talented team. Together, we have 5,000 of the best security professionals who have already been working tirelessly to protect our customers. I am energized about bringing together these two teams to relentlessly protect the world from cyberattacks. Our new company culture will be focused on continuing to deliver on this vision, particularly for our customers.

As a combined business, we have over 40,000 customers, including many of the most well-known businesses in the world. And supporting our customers to be more resilient and stay one step ahead of adversaries has always been a priority – that’s why the majority of our enterprise and government customers have worked with our companies for over 16 years. We are committed to continuing to deliver excellence to our customers through this integration.

Today is a monumental day for everyone in this team. It is also a monumental day for the future of threat detection, protection, and response. Together, we will deliver a new model that creates solutions that work together, in a continuous fashion, to secure our customers across the full attack continuum. We are already seen as market leaders, now our story keeps getting better.

The post Shaping the Future of Cybersecurity appeared first on McAfee Blog.

2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope

By Melissa Gaffney

Did you know, the timing of Hispanic Heritage Month coincides with the Independence Day celebrations of several Latin American nations?

At McAfee Enterprise, we’re celebrating Hispanic Heritage Month by recognizing some of our amazing employees and asking them about their heritage and the impact it had on their career and journey to cybersecurity. Read my conversation with Zuly Gonzalez below on how her family and culture have impacted her career.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

My parents moved to mainland US when I was young. During the summers, we’d go on vacation to Puerto Rico and one of my fondest memories growing up are the plane flights to/from Puerto Rico. This was before 9/11, when flying wasn’t what it is today. My sisters and I would keep ourselves entertained playing games. It was an adventure for us and the highlight was always a warm chicken or pasta meal.

What family traditions did you have growing up?

We had two Christmas celebrations, which as a kid, you can’t ask for anything better! We celebrated Christmas on the 25th, which was the big event where we got most of our presents. Then on January 6 we’d celebrate “Día de Reyes” (Three Kings Day) where we would get a few more presents.

What are the three most important things that people should know about your culture?

I’d say three things that are central to Puerto Rican culture are: family, God, and passion/hard work. Puerto Ricans believe in traditional family values. Religion plays an important part in our culture. And the Puerto Rican passion is hard to understate. I have to be careful, because a lot of times my passion leads me to speak very loudly, which can sometimes be misinterpreted by non-Hispanics as anger or aggression, when in fact, it’s just excitement. I saw a T-shirt recently that said, “I’m not yelling. I’m Puerto Rican.” This is so true!

Describe your favorite traditional dish, and how it was prepared. Who usually prepared it for family meals?

One of my favorite dishes growing up, because we didn’t have it often, was sancocho. It’s a rich, comfort soup made with root vegetables and other starchy vegetables common in Puerto Rico. Ingredients include ñame, yautia, pana, papas, platanos, guineos, maiz, and batatas, among other things. A few of the ingredients are hard to find in the US, and when you do find them, are expensive, so we didn’t have it often growing up. But when my mom did make it, it was always a treat!

How have Hispanic individuals helped contribute to where you are today in life and career?

My parents were by far the biggest influence in my life. They taught me that I could be and do anything I wanted in life. They didn’t set limits for what I could achieve and taught me that with hard work anything is possible.

I followed my father’s footsteps by pursuing a career in STEM and attending the same university he attended. In fact, thinking about it now as I answer this question, I think that even more so than my mom, my dad had the biggest influence on who I am today as an individual. He shaped a lot of my personality, my beliefs, and a lot of the decisions I’ve made in my life, both personally and professionally.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

Family values are very important in Puerto Rican culture. My dad was a math teacher and growing up he was always ready to help me with my homework. During the summer trip to Puerto Rico before I graduated high school, we took a tour of the university my dad went to. I ended up going to that university, which set me on the path to where I am today in my career. I obtained a degree in Computer Engineering and a co-op opportunity (similar to an internship) at NSA. NSA led me to a career in cybersecurity. At NSA I met Beau Adkins, who later turned into my partner in life and in business. Beau and I founded Light Point Security, which ultimately led us to McAfee Enterprise. But it all started with my parents. Without my parents’ motivation, support, and ultimate push to attend the University of Puerto Rico, I wouldn’t be where I am today.

As the country continues to grow more diverse, what advice would you give to young Hispanic individuals interested in starting a career in cybersecurity?

Same advice I’d give any young person interested in any career path. That is – look for ways to learn outside of a traditional school setting. Getting a hands on experience is so important. First, it shows initiative and passion. Second, to use an analogy: Reading and memorizing a cooking recipe, and even knowing the history behind each ingredient, isn’t necessarily going to translate into a delicious meal, it takes practice. Practice with the equipment, practice with the ingredients, and sprinkle in your own creativity to make an expert dish. One that people will pay money for!

The post 2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.

Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood

By Melissa Gaffney

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe. Dive into the conversation below with Vice President, Global Commercial, Britt Norwood.

Q: What’s the first career you dreamed of having as a kid?

My first career was as a paper boy from 5th through 8th grade, but I always wanted to be a professional golfer. However, when I realized I was not that good at golf, I decided to pursue a career in business and technology.

Q: What do you think about talent in the technology and security industry? 

The talent we have in this industry is amazing, people are working so hard every day, but our foes are relentless, and we will always need talent who can look at problems with diverse viewpoints.

Q: Which emerging technology do you think holds the most promise once it matures?

I’m interested in seeing the continued progress around the unification of threat hunting (EDR, XDR, MDR), as we better understand the power of machine learning, automated detection, and AI as it pertains to quickly identifying malicious code and non-conforming behaviors. This is a world where the surface is just being scratched. As this technology matures and develops, there is power for good, but it will always need to be balanced in a way that makes sure the uses are ethical and moral. This will be a true new frontier as it unfolds.

Q: What are some of the trends you are currently noticing within the privacy and cybersecurity space? 

Everyone knows that a layered model is necessary to protect valuable data against attacks, but there is fatigue within many IT departments about the number of tools they need and that need to be connected to each other to work properly. Most CIOs and CISOs are looking for platforms that simplify management and streamline threat research to consolidate and reduce complexities.

On the attack front, both the cryptocurrency phenomenon is allowing bad actors to be more aggressive, as they have a way to anonymously launder ransoms, which is why there are so many ransomware attacks happening now. Cryptocurrency needs to be examined from a regulatory standpoint to protect innocent consumers and businesses who are vulnerable to such attacks. Until that time, it falls back to security platforms to assist them.

 

The post Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood appeared first on McAfee Blog.

2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope

By Melissa Gaffney

The nationally recognized Hispanic Heritage Month grew out of a desire to educate people all over the country about the many contributions the Hispanic community has made to U.S. culture.

Here at McAfee Enterprise, we’re taking this year’s Hispanic Heritage Month to spotlight members of the LatinX community who are using their platforms to make their voices heard and contribute to the cybersecurity community. I spoke with Arnie Lopez, Vice President Worldwide Systems Engineering, about his heritage and journey to cybersecurity. 

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I love our food and music.  I remember my mom cooking up some great dishes while we danced around the house listening to fun music.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I had two great LatinX mentors/role models, Carlos Dominguez and Guillermo Diaz that helped tremendously early in my career.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

Our culture is hard working and sometimes very stubborn. Early in my career I was very interested in technology and asked people to teach me different types of technologies and would not take no for an answer. I started early on with learning computers, then servers, networking, security, then cloud and applications. All of this helped my career and had a huge impact.

What do you hope to pass on to future generations?

Embrace your LatinX culture, use it as a differentiator when competing for new roles.

What are the three most important things that people should know about your culture?

1) Our passion makes us great team members

2) We love to have fun… Work hard and play hard

3) We come in many different colors and sub-cultures but have common core values

Is there a tradition or celebration that you hope that your descendants maintain?

I hope my kids and nephews keep up the celebration of Bolivian Independence Day (Seis de Agosto).  It’s a big national party on August 6 every year with music, food and dancing.

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Don’t be intimated by the lack of LatinX in Cyber, it’s up to us to change the demographics and we will do it. Find a LatinX mentor or coach that already works in Cyber to provide you candid and honest feedback and guidance.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

Get involved, participate, and give back. Get involved in LatinX youth, corporate and University panels and events and tell your story.  “If they can SEE it, They can BE it!”

The post 2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.

McAfee Enterprise Is Ready for Windows 11, Are You?

By McAfee Enterprise

McAfee Enterprise is prepared to protect our customers from day 1 of their journey with the new Windows 11 release.

This summer Microsoft announced planned changes to its Windows platform with the release of Windows 11. McAfee Enterprise is proud to announce that we have delivered day 1 support for the benefit of our current and future customers. We know that today’s hybrid workspaces call for flexibility and ease of use without compromising security, so now that Windows 11 is here, we want to address a few important topics regarding what to expect from your trusted security vendor, McAfee Enterprise:

What does McAfee Enterprise day 1 support of Windows 11 mean to you?

Customers can rely on McAfee Enterprise products to already have the most important Windows 11 box checked—ensuring your systems are secure and protected against threats from day 1.

McAfee Enterprise is committed to continue this same level of support for Microsoft’s future release cadence of Windows 11. We work closely with Microsoft to make sure that McAfee Enterprise security software and hardware products are fully compatible with Windows operating systems.

What if my organization is not ready to upgrade to Windows 11?

We recognize that not every environment will be ready to upgrade on day 1, or even at the start of the new year. Regardless of the date of your transition, McAfee Enterprise is here to ensure you remain protected across your devices and OS versions.

Our ongoing commitment is to continue to support our customers and the release cadence of the Windows 10 platform. We keep apprised of Microsoft OS support cycles and ensure that our customers remain covered throughout their lifecycles. For more information, see KB85784 – Windows 10 compatibility with McAfee Enterprise products

That said, having a plan outlined in advance is a key ingredient to any successful environment upgrade or transition. McAfee Enterprise Technical Support and your Enterprise Customer Success teams are available to support and partner with you on your journey and to answer any product questions along the way.

Related resources:

What is an ideal security environment for McAfee Enterprise customers utilizing the new Windows 11 OS?

With McAfee Enterprise’s security platform, you can command a centrally managed solution that protects your environment across varied devices and operating systems. A combination of fully enabled Endpoint Security Adaptive Threat Protection (ENS ATP),  EDR, and MVISION Insights delivers proactive threat intelligence and defenses across the entire attack lifecycle. Our security teams work around the clock to anticipate future security needs and drive home industry-leading innovation. More on the McAfee Enterprise Endpoint Protection Platform here.

Additional product resources:

Where can I find documentation regarding McAfee Enterprise product support for the new Windows 11 release?

Our product teams have outlined our portfolio’s support in KB94901 – Windows 11 compatibility with McAfee Enterprise products.

To ensure a quality experience, each McAfee Enterprise product team is required to complete validations of all new releases that Microsoft publishes for Windows 11. The McAfee Enterprise goal is to add same-day support for all Windows 11 releases over time, for those products that don’t currently offer this cadence.

For general upgrade guidance or questions, customers may contact Enterprise Technical Support or visit our Support Portal here.

Take advantage of our latest Endpoint Security offering by visiting us here.

The post McAfee Enterprise Is Ready for Windows 11, Are You? appeared first on McAfee Blog.

2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope

By Melissa Gaffney

Each year, Americans observe National Hispanic Heritage Month from September 15th to October 15th, by celebrating the contributions and importance of Hispanics and Latinos to the United States.

The 2021 Hispanic Heritage Month theme invites us to celebrate Hispanic Heritage and to reflect on how great our tomorrow can be if we hold onto our resilience and hope. This year’s theme also encourages us to reflect on the contributions Hispanics have made in the past and will continue to make in the future.

I spoke with Sr. Principal Engineer, Ismael Valenzuela about how his heritage played a role in who he is today, advice for future generations and more. Read our conversation below.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I was born and raised in Malaga, Spain, and spent a good part of my professional career in my home country until I moved to the US in 2014. My favorite memories are those shared with my family and friends, enjoying some of the amazing food we have in Malaga, and the beautiful warm weather we have all year long. Enjoying a football game (we call it soccer here in the US, but it’s really football, since it’s played with the foot!) with the friends on a Friday evening or simply a walk by the beach to enjoy the fresh breeze of the Mediterranean sea. Those are some of my favorite memories.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I was very fortunate to have a business angel at a very young age, who happened to be an experienced Argentinian businessman. He recognized my passion for infosec (it wasn’t called cyber back then) and provided me with the support needed to make my ideas and projects a reality. Thanks to him I was able to co-found one of the first infosec consulting businesses in Spain in 2000, and I’m still very grateful for that opportunity. My experience in the US has not been very different. Since 2014 I’ve had the pleasure to work very closely with super talented colleagues from our McAfee Enterprise teams in Argentina and Chile. Some of them were a tremendous help when I established myself in the NY area, and they continue to be great co-workers and friends, who I admire and look up to.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

I think that Hispanic/LatinX are curious by nature. And curiosity is the basis for the ‘hacker’ culture. And yes, I call it hacker culture, referring to the original meaning and roots of the word ‘hacker’, which connoted technical virtuosity and playfulness (from Walter Isaacson, The Innovators. Great book by the way!). I think I’ve always had that curiosity, especially since I was a kid and had my very first computer, a PCS 286 with just plain old MS-DOS. From that moment on, I knew what I wanted to work with, for the rest of my life. By the time I was in high school I was already programming in several languages, most self-taught, including BASIC, Assembly, and Pascal, and was already doing little applications for some family and friends with tools like DBase III and Clipper. It was a lot of fun! It wasn’t until I started college that I started to dig deeper into operating systems, networking, and lower-level languages like C. When I was introduced to Linux, I immediately fell in love with it, and this increased my curiosity. I started to learn more about how the Internet worked and one thing led to the other. Before I knew it, I was reading guidelines on security, hacking, protocols, asking questions on IRC channels (Slack is essentially IRC for millennials, for those that didn’t know), and setting up my labs at home to play more with the tools I was learning about. Shortly after I landed my first job, as both a web programmer and a system administrator, I found some serious security vulnerabilities in a government network, that happened to make the news, which led me to setup my own consulting business in 2000 with my Argentinian partner. And the rest is history from there! (it’s on LinkedIn too)

What are the three most important things that people should know about your culture?

If I must pick three, I’ll go with these:

1) we love food!

2) we love having long meals with friends and family!

3) we love having food outdoors!

Is there a tradition or celebration that you hope that your descendants maintain?

Yes, I’m working on making sure my kids learn to eat a wide variety of healthy and fresh food, instead of processed and refined stuff. And I hope their kids do the same! Did I say I like food?

What do you hope to pass on to future generations?

My hope is that current and new generations realize that true success is more than just a title, a professional achievement, or a prestigious career, whether it is in IT, or anything else. We live in a world that puts too much emphasis in personal egos, competitiveness, and social status. However, most often those pursuing these goals end up with anxiety, health issues, and disappointment. So, we need to start taking some of that pressure off the young ones and emphasize more the values and principles that can make you happy in the long term, things like a good work ethic, resilience to deal with setbacks, patience to acquire the right training and work through problems, empathy for others, balance to take care of yourself and those you love, and respect for everyone’s opinions and ideas. It’s not all about cyber!

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Don’t be afraid to ask for help or to ask for a mentor. I was very fortunate to have an amazing mentor that taught me the fundamentals of business and a good work ethic. Having technical skills is important, but it’s equally important to develop other soft skills, like the ability to communicate clearly, to think strategically, to follow through with your projects, and of course the importance to stick to your values and your principles, and to care about the people you interact with. Try to grow your network, and don’t limit yourself to a certain age group, background, or ethnicity. Embrace diversity and realize that there’s always something new to learn from everyone you work with. Stay humble, and never think you’re the smartest in the room. Not only will you be wrong, but you’ll be missing the opportunity to learn and grow. If you want to start a career in cybersecurity specifically, see what classes you can take in your area, and what local groups or conferences are available. One of the few positive things we have with COVID is that most of the conferences have moved to an online format. Many like SANS Summits allow you to join Slack or Discord channels where you can interact with practitioners and security professionals. Also the SANS Institute (from which I’m part of the faculty), have initiatives like the CyberStart America that is a free national program for high school students to learn and master cybersecurity. These can be a gateway to the industry and can lead to college scholarships. And if you need more help or advice, don’t hesitate to contact me on my Twitter account: @aboutsecurity. I can help to point you in the right direction.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

I think one of the things we need to do as professionals is to demystify what we do in this field. We need to start admitting that this is not rocket science. It is true that it’s a fast-paced field, and that it can seem overwhelming at times, but nothing that we do is too hard that anyone should feel intimidated to try to break in. We all learned over time, and in many cases through a succession of failures and recoveries. We all have a responsibility, from corporations to professionals, to lower the entry barriers and give more opportunities. One way to do this is to make more information available in Spanish. In fact, I’ll be chairing a talk track in Spanish at the 2021 SANS Threat Hunting Summit on October 7th and I’ll be hosting breakout spaces for the attendees to network with and to continue the conversation in Spanish as well. So, if you’re reading this, you have no excuses!

The post 2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blog.

McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence

By Raj Samani

The increasing prevalence of ransomware tops the findings of the McAfee Enterprise Advanced Threat Research Report: October 2021 released today.

While ransomware continues to hold cybersecurity headlines hostage, so much has changed since our last threat report. After shutting down the Colonial Pipeline, DarkSide created the appearance of walking away after attracting government scrutiny, thinking we would miss the (alleged) connection to BlackMatter.

Our Advanced Threat Research team also made a move to McAfee Enterprise, a newly dedicated Enterprise Cybersecurity company. While we will no longer publish our work under McAfee Labs, you can still find and follow our research on our new McAfee Enterprise ATR Twitter feed: @McAfee_ATR.

We’ve shifted the primary focus of our new Threat Report from frequency to prevalence. Our team is now paying attention to how often we see the threat around the globe and, more importantly, who it targets.

While DarkSide attempted to step out of the spotlight, other ransomware families including REvil/Sodinokibi, Ryuk, and Babuk wreaked havoc from among DarkSide’s shadow. In response, this threat report offers a deep dive into ransomware’s increasing prevalence including ransomware family detections and the delta of data between open-source intelligence and telemetry.

Our McAfee Enterprise team also offers research and analysis on relevant threat topics including:

  • Cloud Threats – Continuing threat trends targeting a remote workforce
  • B Braun – Our team’s uncovering of healthcare vulnerabilities in a globally used infusion pump
  • MITRE ATT&CK Techniques – Top techniques used in Q2 2021
  • How to Defend – Resources designed to help your enterprise defend itself from the latest threats

Once you’ve consumed the research and findings in this report, don’t forget our MVISION Insights preview dashboard which updates and profiles the most prevalent threats, offering a knowledge base that includes targeted countries and sectors along with proactive solutions to help your enterprise stay ahead of emerging threats.

We welcome your feedback about this threat report and what you would like to see in the next report.

Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan

By Melissa Gaffney

I spoke with Anand Ramanathan, VP of Products and Marketing who brings over 20 years of enterprise SaaS product experience ranging from high growth startups to established market leaders. Read the interview below to understand his thoughts on McAfee Enterprise and where he see’s the company going in the coming years.

Q: What is your ideal way to spend a Sunday?

Every ideal Sunday has 3 components:

  1. Starts with keeping the body fit – a game of tennis with close friends.
  2. Spending time with family – making and eating lunch together.
  3. Preparing for the week ahead – planning out my work schedule and prioritizing the actions.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years?

The adversarial landscape has always been a digital cat and mouse game. McAfee Enterprise’s investment in AI over the years has allowed its solution to stay ahead of adversaries and provide industry-best protection for its customers. With adversaries pivoting their techniques at a more rapid pace, it has become imperative for security solutions to leverage the cloud and AI capabilities.

Q: Can you talk about McAfee Enterprise’s history of Insights and how it is used to improve cybersecurity capabilities, including protecting against cyber threats?

Insights was born out of two very simple questions that CISOs get asked: Were we impacted by a given threat? Will our defenses protect us from the threat?

With an increase in security breaches being covered by popular press; board and executive management are becoming more attune with the threat landscape. We are seeing them start to ask the important questions to their security teams.

At McAfee Enterprise, we saw the gap in knowledge within security teams to give quick and efficient answers to the two pivotal questions. And given our depth in threat research and data analytics capabilities, innovated with the industry’s first proactive security solution in MVISION Insights, we feel we can answer the above questions, placing crucial information in the hands of the security teams. The feedback from our customers has been tremendously positive.

Q: What goals and initiatives are you focusing on to drive the company for the rest of 2021 and beyond? What IT capabilities do you have your eye on?

McAfee Enterprise is at the center of three key buzzwords of 2021 – SASE, ZTNA, and XDR. We have been at the forefront of innovating in these areas with the release of MVISION Insights, MVISION Private Access, and MVISION UCE with integrated Remote Browser Isolation. We also have leadership in MITRE based attack detection for endpoint and cloud and MVISION marketplace for security ecosystem integration. We will be continuing this innovation velocity and lead the market with new capabilities on Zero Trust and XDR integration with the security ecosystem. Stay tuned, more to come!

The post Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan appeared first on McAfee Blog.

Why Can’t We Automate Everything?

By Mark Mastrangeli

You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint needs to be recognized and observed as more security officials implement automation within their organizations.

I’d estimate that for most enterprises, the first 80 percent of migrating and integrating processes to automation is easy to do. The last 20 percent is hard to accomplish.

This breakdown helps you set realistic expectations about automation. I enjoy how automation saves time by generating useful data through repetition. But right now, data compiled from some activities still require a human being to examine the results and make a decision. You will still need a critical eye from your security operations team or managed security services provider when looking at the useful data or anomalies.

We still need to address the 20 percent and realize that the situation may not be as much of a challenge as we think initially. Here are some examples of what I mean.

Where Automation Needs a Human Touch

Your automation detects and notes that one of your executives is connecting to your network from Russia. How do you know whether that executive is actually in Russia or if someone there is impersonating that executive? For optimal security, there needs to be human interaction to review the information and determine whether to let that person should be allowed to connect.

Or consider when IT officials at a hospital used the McAfee Enterprise ePolicy Orchestrator (ePO) console to automate a deeper level scan of physicians’ laptops. This scan occurred before the physicians began their daily scans by sending over someone from the hospital’s operations department to clean the laptop and comply with HIPAA regulations. To collect the events compiled from the laptops, the IT officials used IBM® QRadar® Device Support Module (DSM) for McAfee Enterprise ePO. This platform integrated from IBM Security™ uses analytics for insights into potential threats to data.

With this setup, whenever an anomaly appeared in QRadar, such as some unusual behavior at the network level, an IT official at the hospital would right-click and add the IP address to a different scan group in ePO through the application programming interfaces (APIs). Automating that initial first pass of scanning the laptop finds these discrepancies quickly. But ultimately humans like IT officials must review the notification and send a message to McAfee Enterprise expert to clean the anomaly from the laptop themselves and confirm the anomaly was removed.

So, it’s hard to automate the 20 percent done by humans in your organization as shown here. But what the 80 percent of easy automation does for the rest of your business processes can outweigh that perceived drawback.

How and Why the 80 Percent Easy Automation Matters More

You can easily find yourself at work engulfed in an ocean of data. Indicators from your automation help you find out what’s important. Activity from the endpoints of your network gives you or an MSSP a view of what’s happening with your data.

Most systems today have everything connected to the internet. The endpoints interact with your network. Having broad visibility and detection across your network — whether it’s looking at DNS logs, proxy logs, traffic and so on — allows you to correlate information and identify what’s taking place right now.

The real-time aspect of automation for data on your network is vital important. Threats to your network depends both on how much time they require to activate and how long before they are detected and remediated. Automation that’s easy to implement helps find attacks quickly with a real-time detection engine that can minimize the damage that takes place.

Experts at McAfee Enterprise and our partners at IBM Security can help with troubleshooting by providing support for the 20 percent automation you can’t fulfill. You can investigate a full lifecycle of endpoint events using McAfee Enterprise MVISION and IBM QRadar integrated together. And you can automate remediation with the IBM Security SOAR (security orchestration, automation and response) platform.

With these tools, you can integrate the data available from threat feeds in one platform for better visibility and context. IBM’s managed security services experts can help you answer questions around how to best configure, administrate and manage endpoint security incidents based on that data collected by automation.

We can also help you learn about other technologies and trends that are happening that our experts deal with every day. Consultants can help you identify how to lower or minimize costs of attacks and breaches as well as work proactively to address these issues. Automation can’t provide you with these resources, but we can.

What to Expect for the Future

We have researchers at work looking how to merge that last hard 20 percent of automation implementation into the 80 percent of easy migration and conversion. For now, accept the notion that automation can handle most tasks for your organization and save you time and costs in the process. And what automation can’t do in those areas, we at McAfee Enterprise and IBM Security can help fill in the gaps.

Learn more about what automation with expert support can do for you by reviewing the features of MVISION Endpoint Security and IBM Managed Security Services. Or schedule a free 30-minute consultation with IBM Security by clicking the “Let’s talk” button on the IBM Managed Security Services homepage.

 

The post Why Can’t We Automate Everything? appeared first on McAfee Blog.

Finding 0-days with Jackalope

By Douglas McKee

Overview

On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the Netop Vision Pro Education software, a popular schooling software used by more than 9,000 school systems around the world. Netop was very responsive and released several updates to address many of the critical findings, creating a more secure product for our educators and children to use. During any vulnerability research project, as we continue to gain a deeper understanding on how a product works, additional threat vectors become apparent which may lead to additional findings; this proved once again true during the Netop research. In this blog we will highlight an additional finding: CVE-2021-36134, a vulnerability in the processing of JPEG images, on the Netop Vison Pro version 9.7.2 software. The main emphasis will focus on the process and techniques used during blackbox fuzzing of a Windows DLL.

Background

Fuzzing can be a challenging exercise and just knowing where to start can be cause for confusion. There are many different fuzzers on the market, many of them primarily designed to handle open-source projects on Linux. In late 2020 Google’s Project Zero team released a new fuzzer named Jackalope. Jackalope is a coverage-guided fuzzer, meaning it keeps track of code paths during testing and uses that information to guide its future mutations. Jackalope leverages a library called TinyInst for its code coverage and allows for command line parameters related to code coverage to be passed directly to TinyInst. What caught my attention about Jackalope was that it was designed with a blackbox, Windows and MacOS first mentality. It was built to fill a gap in Windows blackbox fuzzing, which has existed for some time and therefore warranted further investigation. During the time of Jackalope’s release, we were working on the Netop Vision Pro research which runs primarily on Windows, so it was logical to test Jackalope to see if we could discover any new vulnerabilities on Netop Vision Pro.

Setup

The Jackalope documentation does a great job of explaining the setup and build process to get started. For this setup we set up shop on a Windows 10 fully patched system and compiled Jackalope from the GitHub repo using Visual Studio 2019. In a short amount of time, it was time to test the setup. The repo provides a test binary which can be built with the source and therefore is the best place to understand how the fuzzer works. There are just under a few hundred lines of code, but how it works can be summed up in just a few lines, as seen in Figure 1.

Figure 1 test.cpp

Examining the test code, it becomes apparent the test binary simply crashes if it finds the word “test” in memory. It causes a crash by attempting to write the value “1” at an invalid memory address, “NULL”.  Therefore, to ensure the fuzzer is working properly we need to create a small input corpus. This can be done by creating an “in” directory and placing a couple of text files within it, one containing the word “test”. We are not looking for crashes or new vulnerabilities during this test, but simply making sure our setup is functioning as expected. The test run can be seen in Figure 2, where the command to execute the test case was taken from the Jackalope documentation.

Figure 2 Testing fuzzer

Target Selection

When selecting an overall target function, it’s first important to look at how an application takes input alongside with how the fuzzer can tailor that input. Jackalope is designed to provide either a file or a chunk of shared memory to the target. This gives a lot of flexibility since almost anything can be set up as shared memory including network packet payloads. The trick becomes how to pass the file or shared memory to the target. In larger applications on Windows, a typical approach is to determine what functionality you want to fuzz, find a DLL that exports a function within the target code path, and pass that function the input. The closer the exported function is to the end of the desired code path to fuzz, the less headaches, and better results you will have trying to exercise the desired code.

Through the research done on Netop, we had a deep insight into how the system functions and the very large number of DLLs that it contains along with the numerous amounts of exported functions. After review, the function MeImgLoadJpeg which is exported in MeImg.dll stuck out as a good place to get started.

Figure 3 MeImgLoadJpeg Header

What makes this a good candidate for fuzzing? First, how, and when this function is executed is important. This function gets executed on both the student and teacher machines whenever a JPEG image is loaded into the system. For students this is when an image is pushed over the network to them; for example: when a teacher uses the blank screen feature on a student. On the teacher’s machine this function is called when a teacher loads an image to send to the student. The key components here are that it is potentially executed often, input can come from a local file or a network file and it affects both components of our system.

Second, when investigating this function further, the parameters are fuzzing friendly. Through light reversing, it can easily be seen that it takes a file path and opens the file directly within the function. This makes fuzzing it with Jackalope very simple since it supports file fuzzing and we won’t need to open or manipulate the test file in memory. Also, very few parameters are passed, one of which (BITMAPINFOHEADER), is well documented by Microsoft, making it simpler to construct valid calls. This also is true for the return parameter, HBITMAP. This will make it easy to determine success and failure conditions. Lastly, the fuzzable component of this function is a JPEG file. JPEG is a well-documented format and a well-fuzzed format, making test corpus generation and potentially crash analysis simpler.

Writing the Test Harness

In most fuzzing setups, a custom program is necessary to setup the required structure and complete any initialization required by the target function. This is commonly referred to as the test harness. It is required any time your target for fuzzing is not the main binary or executable, which tends to be the case most of the time. For example, if you want to fuzz a small executable like the “file” command on Linux, you don’t always require a test harness, since the binary takes its input (a file) directly from the command line and there is little to no setup required to get to your desired state. However, in many cases, especially on Windows, it is common to be looking to fuzz part of the code that is often not as directly accessible or requires setup before it can be passed the fuzzed data. This is where a test harness comes into play. Using the Jackalope “test.cpp” file provided in the GitHub repo, it is easy to see an example of what is needed when writing a test harness. The harness needs to configure the incoming test case as ether a file or shared memory input, set up parameters for the target function, call the function, and, if needed, create a crash to indicate a found crash to Jackalope.

To get started we first must load the DLL which contains our target function. In Windows this is usually performed with a call to “LoadLibrary”. Since our entire purpose is to fuzz a function within this DLL, if it fails to load, we should just exit.

Figure 4 LoadLibrary

Now that the DLL is loaded into memory, we need to obtain the address of our target function. This is commonly done through “GetProcAddress”.

Figure 5 GetProcAddress

The next step, setting up the parameters for the target function, is arguably the most crucial and can be the most difficult step in building a test harness. The best trick to get this right is to find examples of your target function being called in the real application and then mimic this setup in your test harness.  In Netop, this function is only called by one other function. Figure 6 shows a slightly cleaned up version of a portion of the IDA decompilation of the function which calls MeImgLoadJpeg.

Figure 6 IDA Pro Decomplication of call to MeImgLoadJpeg

We can learn some key points from this call that are important to keep consistent if we want to find a useful crash. We know the first parameter (a2) is simply a file path. In our code, we do need to ensure our file path is in the format of a wide-character, since this is the typical format for a Windows file path. The second parameter (v8) is a Windows BITMAPINFOHEADER object. We can see from this code all the members of the BITMAPHEADER object are being set to 0 using a “memset”, except the “biSize”, which is being set to “40”. Since this is the only time this function is called in the Netop application, if we want to find a bug that has a chance to be leveraged through Netop, we need to follow this format. Why the value is set to 40 is less relevant for our purposes within the test harness; however, it may require investigation depending on any crashes found. The same principle holds true for the 3rd and final parameter. We see here it is hardcoded to zero, so we want to do the same. Could we test other values? Of course, but if Netop is hardcoded to zero we would never actually be able to pass anything else outside of our exercise. Using our additional understanding from Figure 6, we put the below code in Figure 7 into our harness.

Figure 7 Target Function Setup

With our parameters configured, we now need to simply call the function we want to fuzz. Where is the fuzzed data? In this case, our fuzzed data will be the jpeg file. The fuzzer will be passing a file path of a mutated jpeg file.

Figure 8 Calling MeImgLoadJpeg

This next step is highly dependent on the target function. If the target function will not fail in a manner that will crash your harness (throw an unhandled exception), then you need to create a crash for a failed test case. This can be seen in Figure 1 test.cpp. In this case, the target function has error handling and we are interested in any case which causes an unhandled exception within our DLL. If the DLL throws an unhandled exception, it will crash our test harness. As a result, we only need to check the return value for our own purposes to confirm things are working properly. This is good for initially testing, but we will want to remove any unnecessary code for our actual fuzz run. A non-null return value means the jpeg image was parsed and null means a handled error occurred, which is uninteresting for our case.

Figure 9 Checking the return value

With all this framework in place, we can run our harness with a valid image and confirm we get the expected result.

Figure 10 Test run

Performance Considerations

Although the above test harness code will successfully execute the target function and fully function within our fuzzer, we can make a few targeted changes to increase performance and results. One of the slowest operations in an application is printing to the screen, and this is true when fuzzing. Error checking is extremely helpful for development; however, printing “Result was not null” or the inverse every time will reduce our executions per second and doesn’t add anything to our fuzzer. Additionally, it is important not to introduce any extra code in our “fuzz” function which could potentially introduce additional code paths. This could cause the mutators to think that it found a new path of interesting code, when in fact it’s only the harness. As a result, you want your “fuzz” function to be the absolute bare minimum required to execute your code and perform other setup actions outside this function.

Selecting a Test Corpus

Now that we have a working test harness, we need to create a test corpus or input files for the fuzzer. The importance of this step for fuzzing cannot be overstated. The test cases produced by a fuzzer or only as good as the ones provided. In most cases, you are looking to create a set of minimal test inputs (and minimal size) that generate maximal code coverage.

Selecting or building a test corpus can be a complicated process. One of the advantages to using a known and popular format like JPEG is that there are many open-source corpora. Strongcourage’s corpus on GitHub is a great repo since it is many corpora combined and is the testing corpus that was used to find CVE-2021-36134. Jackalope does not recursively traverse directories when reading the input directory and does not throw an error in this regard, therefore it is important to make sure your corpus directory is only one level deep.

Results

Using this basic outlined method and running Jackalope in the same fashion as the example test binary, a write access violation crash is found in the MeImgLoadJpeg in just a few minutes. This write access violation bug is filed as CVE-2021-36134.

This violation occurs because of memory being allocated for the destination of a memory copy based on the default three color components of a JPEG image, instead of using the value provided in the input file’s JPEG header. The copy is using the values provided by the file to determine the address of where to copy the image in memory. A write access violation occurs when a malformed image reports having four color components instead of the default three and the memory allocated is not the same size as the actual image.

Given the extensive prior reports and full system vulnerabilities we submitted to NetOp before, we decided not to take the analysis further and determine if the bug was truly exploitable. The code path can be leveraged over the network, by utilizing the teacher’s blank student screen feature. It is worth noting this code runs on both the student and the teacher, so the teacher would be unable to load this image to send to a student without crashing their own system. An attacker could leverage the previously discovered and disclosed vulnerabilities to emulate a teacher and send this image to a student regardless.  Since the destination of the memory copy is being calculated based on image width and number of color components, it is plausible for an attacker to control where the “write” takes place; however, they would need to use an address space that could be calculated without invalidating the image further. In addition, the code is writing pixels from the image which is also under the attacker’s control. As a result, this could lead to a partial arbitrary write.

Conclusion

Fuzzing can be a fantastic tool for discovering new vulnerabilities in software. Although having source code can enhance fuzzing, it should not be considered a barrier of entry. Many tools and techniques exist which can be used to successfully fuzz blackbox targets and in turn help enhance the security of the industry.

One goal of the McAfee Enterprise Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Leveraging Google Project Zero team’s Jackalope and blackbox fuzzing techniques a JPEG parsing vulnerability, CVE-2021-36134 was discovered in Netop Vision Pro version 9.7.2. As per McAfee Enterprise’s vulnerability public disclosure policy, the ATR team informed Netop on June 25th, 2021, and worked directly with the Netop team. This partnership resulted in the vendor working towards effective mitigations of the vulnerability detailed in this blog.

The post Finding 0-days with Jackalope appeared first on McAfee Blog.

Detecting Credential Stealing Attacks Through Active In-Network Defense

By Chintan Shah

Executive Summary

Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points to host based security solutions deployed at the end user’s machines to counter the ever-increasing threats. This includes inline traffic filtering and management security solutions deployed at access and distribution layers in the network, as well as out of band solutions like NAC, SIEM or User Behavior Analysis to provide identity-based network access and gain more visibility into the user’s access to critical network resources. However, layered security defenses face the major and recurring challenge of detecting newer exploitation techniques as they heavily rely on known behaviors. Additionally, yet another significant challenge facing the enterprise network is detecting post-exploitation activities, after perimeter security is compromised.

Post initial compromise, to be able to execute meaningful attacks, attackers would need to steal credentials to move laterally inside the network, access critical network assets and eventually exfiltrate data. They will use several sophisticated techniques to perform internal reconnaissance and remote code execution on critical resources, which range from using legitimate operating system tools to discover network assets to using novel code execution techniques on the target. Consequently, differentiating between the legitimate and malicious use of Windows’ internal tools and services becomes a high priority for enterprise networks.

To tackle this long-standing problem of detecting lateral movement, enterprise networks must formulate active in-network defense strategies to effectively prevent attackers from accessing critical network resources. Network Deception is one such defensive approach which could potentially prove to be an effective solution to detect credential theft attacks. Detecting credential stealing attacks with deception essentially requires building the necessary infrastructure by placing the decoy systems within the same network as production assets and configuring them with decoy contents to lure the attackers towards the decoy machines and services. Accurately configuring and tuning the deceptive network can deflect the attacker’s lateral movement path towards the deceptive services, consequently allowing the attackers to engage with the deceptive network, helping enterprises protect production assets.

MITRE Shield, a knowledge base maintained by MITRE for active defense techniques highlights many of the methods in adversary engagement. Some of the techniques described by MITRE Shield Matrix with respect to network deception are as below:

MITRE Shield Description ATT&CK Technique
Decoy Account – DTE0010 A decoy account is created for defensive or deceptive purposes. The decoy account can be used to make a system, service, or software look more realistic or to entice an action Account Discovery, Reconnaissance
Decoy Credentials – DTE0012 Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) Credential Access, Privilege Escalation
Decoy Diversity – DTE0013 deployment of decoy systems with varying Operating Systems and software configurations Reconnaissance
Decoy Network – DTE0014 Multiple computing resources that can be used for defensive or deceptive purposes Initial Access
Decoy Personna – DTE0015  Used to establish background information about a user. In order to have the adversary believe they are operating against real targets Initial Access, Discovery, Reconnaissance
Decoy System – DTE0017 Computing resources presented to the adversary in support of active defense Reconnaissance

 

Over the course of this paper, we will discuss some of the widely adapted credential theft attacks executed by adversaries after the initial compromise and then move on to discuss defense techniques against the above MITRE Shield attacks and how to use them effectively to detect deceptive credential usage in the network.

Network Deception – An Active in-network defensive approach

  • Most of the targeted attacks involve stealing credentials from the system at a certain point in time as attackers would use them to pivot to other systems in the network. Some of the credential stealing techniques like Golden Ticket attacks have been found to be used in multiple ransomwares armed with lateral movement capabilities.
  • Active in-network defense strategies described by the MITRE Shield matrix are significant and play a critical role in detecting credential abuse in the network.
  • Network Deception uses these active defense techniques to build the deceptive network infrastructure which could potentially lead to redirecting an attacker’s lateral movement path and engaging them to the decoy services without touching the critical production systems.
  • It involves placing decoy systems, decoy credentials and decoy contents all throughout the production network essentially converting it into a trap, playing a crucial role in mitigating the attacks.

McAfee Protection

  • McAfee MVISION Endpoint Security has the capabilities to protect against credential theft attacks like credential extraction from LSASS process memory via ATP rule 511. More details on configuring policies and a demo are available here.
  • McAfee MVISION Endpoint Detection and Response (EDR) has the capabilities to detect credential access from tools like Mimikatz.
  • With McAfee MVISION EDR and ENS integration with Attivo’s network and endpoint deception sensor, McAfee can manage its agents and receive alerts for detections in ePO and EDR.

Lateral Movement – Introduction

Lateral movement refers to the tools and techniques used by attackers to progressively expand their foothold within an enterprise network after gaining initial access. As shown in the figure below, lateral movement activity comprises of several stages starting from credential theft, target enumeration and discovery, privilege escalation, gaining access to network resources and eventually remote code execution on the target before exfiltrating data to accomplish a successful attack. Once inside the network, attackers will deploy a range of techniques at each stage of lateral movement to achieve their end goal. One of the primary challenges an attacker will face while moving laterally inside a network is to hide their activities in plain sight by generating a minimum volume of legitimate looking logs to be able to remain undetected. To achieve this, an attacker might choose to embed the tool within a malicious executable or use the operating system’s internal legitimate tools and services to perform its lateral movement operations, consequently making this network traffic harder to distinguish.

As per the Verizon DBIR report 2020, over 80% of data breaches involve credential theft attacks. Credential theft is one of the primary tasks attackers need to perform post-exploitation and after gaining initial control of the target machine. It will usually be the first step towards lateral movement strategies which will allow attackers to elevate their privileges and acquire access to other network resources. As indicated earlier, attackers have long been abusing Windows legitimate features like SMB, RPC over SMB, Windows Management Instrumentation, Windows Remote Management, and many other features to perform lateral movement activities. Figure 1 below highlights where lateral movement falls within the attack chain and its different stages. To remain stealthier, these activities would span a period ranging from many weeks to months.

Figure 1 – Stages of Lateral movement

To be able to distinguish between the admissible and malicious use of these inbuilt services, it is extremely critical for organizations to deploy advanced Threat Detection solutions. Over the course of this blog, we will discuss various credential theft techniques used by adversaries during lateral movement. We will also discuss an approach that can be used to effectively detect these techniques inside the network.

Credential Theft Attacks

Attackers use a variety of tools and techniques to execute credential theft attacks. Many of these tools are open source and readily available on the internet. Operating systems like Windows implement Single Sign On (SSO) functionality, which require the user’s credentials to be stored in memory, thereby allowing the OS to seamlessly access network resource without repeatedly asking the user to re-enter those credentials. Additionally, user credentials are stored in memory in a variety of formats like NTLM hashes, reversibly encrypted plaintext, Kerberos tickets, PINs, etc., which can be used to authenticate to services depending upon the supported authentication mechanism. These credentials can be acquired by attackers from memory by parsing appropriate credential storage structures or using the Windows credential enumeration APIs.  Consequently, these attacks pose major security concerns, especially in the domain environment if the attacker gains access to privileged credentials which can then be reused to access critical network resources. In the following sections, we discuss some of the widely adapted credential stealing techniques used by malware, with respect to the Windows operating system. Similar credential stealing techniques can also be used with other operating systems as well.

Stealing Credentials from LSASS Process Memory

The Local Security Authority Subsystem Service (LSASS) process manages and stores the credentials of all the users with active Windows sessions. These credentials stored in the LSASS process memory will allow users to access other network resource such as files shares, email servers and other remote services without asking them for the credentials again. LSASS process memory stores the credentials in many formats including reversibly encrypted plaintext, NTLM hashes, Kerberos Tickets (Ticket Granting Tickets, etc.). These credentials are generated and stored in the memory of the LSASS process when a user initiates the interactive logon to the machine such as console logon or RDP, runs a scheduled task or uses remote administration tools. The encryption and decryption of credentials is done using LsaProtectMemory and LsaUnProtectMemory respectively and hence a decryption tool using these APIs will be able to decrypt LSASS memory buffers and extract them. However, malware would need to execute with local administrator privileges and enable “SeDebugPrivilege” on the current process to be able access the LSASS process memory.

Below is a code snapshot from one of the famous credential harvesting tools, Mimikatz, enabling the required privileges on the calling thread before dumping the credentials.

Figure 2 – Checking for required privileges

We can see that the NTLM hash of the user’s credentials is revealed, and this can be brute forced offline as shown below. Many Windows services, such as SMB, support NTLM authentication and NTLM hashes can be used directly for authentication eliminating the need for the clear text passwords.

Figure 3 – Cracking NTLM Hashes offline

Attackers avoid using freely available tools like Mimikatz directly on the target machine to harvest credentials since they are easily detected by AVs. Instead, they use recompiled clones of it with minimal functionality to avoid noise. Below is one such instance where malware embeds recompiled Mimikatz code with the minimal required functionality.

Figure 4 – Credential extraction tool embedded inside malicious executable

Detection can also be avoided by using several “living off the land’ mechanisms, available in many post-exploitation frameworks, to execute the credential harvesting tools directly from memory using Reflective PE injection, where the binary is never written to the disk. Yet another approach is to dump the LSASS process memory using process dumping tools, exfiltrate the dump and extract the credentials offline. Microsoft has documented multiple ways to configure additional LSASS process protection which can prevent credentials being compromised.

Stealing Credentials from Security Accounts Manager (SAM) Database

The SAM database is a file on a local hard drive that stores the credentials for all local accounts on the Windows computer. NT hashes for all the accounts on the local machine, including the local administrator credential hash, are stored in the SAM database. The SAM database file is in %SystemRoot%system32/config and the hashes of the credentials are within the registry HKLM\SAM. Attackers need to acquire elevated privileges to be able to access the credentials from the SAM database. The example below demonstrates how the credentials from the SAM database can be revealed through a simple Meterpreter session.

Figure 5 – Dumping SAM database

Stealing Credentials from Windows Credential Manager (CredMan)

Windows Credential Manager stores the Web and SMB/RDP credentials of users if they choose to save them on the Windows machine, thereby preventing the authentication mechanism from asking for those passwords again on subsequent logins. These credentials are encrypted with Windows Data Protection APIs (DPAPI) CryptProtectData, either using the current user’s logon session or a generated master key, and then saved on the local hard drive. Consequently, any process running in the context of the logged in user will be able to decrypt the credentials using CryptUnProtectData DPAPI. In the domain environment, these credentials can be used by attackers to pivot to other systems in the network. Data Protection APIs provide the cryptographic functionalities that can be used to securely store credentials and keys. These APIs are used by several other Windows components like browsers (IE/Chrome), certificates and many other applications as well. Below is one example of how credential dumping tools like Mimikatz can be used to dump stored Chrome credentials.

Figure 6 – Dumping browser credentials

DPAPI can be abused in multiple ways. In the Active Directory domain joined environment, if other users have logged into the compromised machine, provided a malware is running with escalated privileges, it can extract other user’s master keys from the LSASS memory which can then be used to decrypt their secrets. Below is a screenshot of how the master key can be extracted by using the credential dumping tool.

Figure 7 – Extracting DPAPI Master Key

Malware also tends to use multiple variants of credential enumeration APIs available within Windows. These APIs can extract credentials from Windows Credential Manager. Below is one instance of the malware using CredEnumerateW API to retrieve credentials and then search for terminal services passwords which It would use to pivot to other systems.

Figure 8 – Extracting credentials using Windows API

Stealing Service Account Credentials Through Kerberoasting

In the domain joined environment, the Kerberos protocol has a significant role to play with respect to authentication and requesting access to services and applications. It provides Single-Sign-On functionality for accessing multiple shared resources within the enterprise network. The Kerberos authentication mechanism in Active Directory involves multiple requests and responses like Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) supported by a Key Distribution Server (KDC), usually a Domain Controller. Upon successful authentication, a user will be able to access the respective services.

Attackers gaining access to a system joined in the domain would usually look for high value assets like Active Directory Controller, Database server, SharePoint server, Web Server, etc., and these services are registered in the domain with the specific Service Principal Name (SPN) values, which is a unique identifier of the Service Account in the domain. These SPN values are used by Kerberos to map the instance with the logon account allowing the client to authenticate to the respective service. Well known SPN values are listed out here. Once the attacker is authenticated with any domain user credentials and has information about the SPN values of the services within the domain, they can initiate the Kerberos Ticket Granting Service request (TGS – REQ) to the Key Distribution Server with the specified SPN value. Details on how the SPN values are registered and used in Kerberos authentication is documented here. TGS response from the KDC will have the Kerberos Ticket encrypted with the hash of the service account. This ticket can be extracted from the memory and can be brute forced offline to acquire service account credentials, allowing a domain user to gain admin level access to the service.

Kerberoasting is a well-documented attack technique listed in MITRE ATT&CK and it essentially abuses the Kerberos authentication allowing adversaries to request the TGS Tickets for the valid service accounts and brute force the ticket offline to extract the plain text credentials of the service accounts, consequently enabling them to elevate their privileges from domain user to domain admin. As an initial step to this lateral movement technique, the attacker would perform an internal reconnaissance to gain information about the services registered in the domain and get SPN values. A simple PowerShell command after importing the Active Directory PowerShell module, as shown below, can initiate the LDAP query to get information about all the user accounts from the Domain Controller with the SPN value set.

Figure 9 – PowerShell command to generate LDAP query

Attackers can specifically choose to scan the domain for MSSQL service with the registered SPN value used for Kerberos authentication. PowerShell scripts like GetUserSPNs can scan all the user SPNs in the domain or MSSQL service registered in the domain with Discover-PSMSSQLServers or Invoke-Kerberoast scripts.  Following is an example output from the script:

Figure 10 – Kerberoasting PowerShell script output

Once an attacker has the SPN value of the SQL service, a Kerberos Ticket Granting Service Ticket request (TGS-REQ) can be initiated to the domain controller with the SPN value. This can be done by a couple of PowerShell commands generating KRB-TGS-REQ as shown below:

Figure 11 – Kerberos TGS request

Consequently, the Domain Controller sends the TGS-RESP with the ticket of the service account which will be cached in the memory and can be extracted by dumping tools like Mimikatz as a .kirbi document. This can be brute forced offline by tgsrespcrack, allowing the attacker to gain unrestricted access to the service with elevated privileges.

Stealing Credentials from Active Directory Domain Service (ntdis.dit) File

As indicted earlier, once an attacker has penetrated the domain network, it will be natural to progress towards targeting critical assets, such as the Active Directory controller. The Active Directory Database Services AD DS Ntds.dit file is one of the most overlooked attack vectors in the domain environment but can have significant impact if the attacker is able to gain the domain administrative rights leading to complete domain compromise.

The Ntds.dit file is the authoritative store of credentials for all the users in the domain joined environment, storing all the information about the users, groups and memberships, including credentials (NT Hashes) of all the users in the domain with historical passwords and user’s DPAPI backup master keys. An Attacker with domain admin rights can gain access to the Domain Controller’s file system and acquire credentials like hashes, Kerberos tickets and other reversibly encrypted passwords of all the users joined in the domain by dumping and exfiltrating the Ntds.dit file. These credentials can then be used by the attacker to further access resources by using attack techniques like PTH within the network since the credentials used across other shared resource could be same.

Multiple techniques can be used to dump the Ntds.dit file from the Domain Controller locally as well as remotely and extract the NTLM hashes/DPAPI backup keys for all the domain joined users. One of the techniques is to use the Volume Shadow Copy Service using the vssadmin command line utility and then extract the Ntds.dit file from the volume shadow copy as shown below.

Figure 12 – Dumping Volume shadow copy for C drive

Sensitive data on Active Directory is encrypted with the Boot Key (Syskey) stored in the SYSTEM registry hive and dumping the SYSTEM registry hive is a prerequisite as well to be able to extract all the credentials.

Publicly available Active Directory auditing frameworks like DSInternals provide PowerShell cmdlets to extract the Syskey from the SYSTEM registry hive and extract all the credentials from the Ntds.dit file.

Ntds.dit can also give access to the powerful service account within the Active Directory Domain, KRBTGT (Key Distribution Centre Service account). Acquiring the NTLM hash of this account can enable the attacker to execute a Golden Ticket attack leading to complete domain compromise with unrestricted access to any service on the domain joined system.

Stealing Credentials Through a DCSync Attack – From Domain user to Domain Admin

A DCSync attack is a method of credential acquisition which allows an attacker to impersonate the Domain Controller and can consequently replicate all the Active Directory objects to the impersonating client remotely, without requiring the user to logon to the DC or dumping the Ntds.dit file. By impersonating the Domain Controller, the attacker could acquire the NTLM hash of the KRBTGT service account, enabling them to gain access to all the shared resources and applications in the domain joined environment. To be able to execute this credential stealing technique, an attacker would have to compromise the user account with the required permissions, specifically DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, as shown below.

Figure 13 – User with privileges

Once the attacker compromises the user account with the required privileges, Pass-The-Hash attacks can be executed to spawn a command shell with the forged logon session. Credential dumping tools like Mimikatz do this by enumerating all the user logon sessions and replacing the user credentials with the stolen usernames and NTLM hashes provided, in the current logon session. Behind the scenes, this is executed by duplicating the current process’s access token, replacing the user credentials pointed by duplicated access token and subsequently using the modified access token to start a new process with the stolen credentials which will be used for network authentication. This is as shown below for example user “DCPrivUser”.

Figure 14 – Pass-the-Hash attack

Further, as indicated below, any subsequent NTLM authentication from the logon session will use the stolen credentials to authenticate to domain joined systems like the Active Directory Controller.

Attackers can now initiate the AD user objects Replication request to the Domain Controller using Directory Replication Services Remote Protocol (DRSUAPI). DRSUAPI is the RPC protocol used for replication of AD objects. With DCERPC bind request to DRSUAPI, an RPC call to DSGetNCChanges will replicate all the user AD objects to the impersonating client. Attackers would usually target the KRBTGT account since acquiring the NTLM hash of this account will enable them to execute a Golden Ticket attack resulting in unrestricted access to domain services and applications.

Figure 15 – DCSync Attack

As indicated earlier, with the NTLM hash of the KRBTGT account, adversaries can initiate a Golden Ticket attack (Pass-the-Ticket) by injecting the forged Kerberos tickets into the current session which can be used to authenticate to any service with the client that supports pass the ticket (for instance, sqlcmd.exe connection to DB server, PsExec, etc.)

Figure 16 – Golden ticket with forged Kerberos ticket

Detecting Credential Stealing Attacks with Network Deception

The credential theft techniques we discussed in the previous sections are just the tip of the iceberg. Adversaries can use many other sophisticated credential stealing techniques to take advantage of system misconfigurations and legitimate administrative tools and protocols and, at the same time, remain undetected for a longer period. With many other event management solutions with SIEMs, used in conjunction with other network security solutions, it becomes a challenge for administrators to distinguish malicious use of legitimate tools and services from lateral movement. Perimeter solutions have their limitations in terms of visibility once the attacker crosses the network boundary and is inside the domain environment. It is extremely critical for organizations to protect and monitor critical network assets like the Domain Controller, Database server, Exchange Servers, build systems and other applications or services, as compromising these systems will result in significant damages. Therefore, enterprise networks must deploy a solution to detect credential stealing attacks as they can be used to pivot to other systems on the network and move laterally once an attacker establishes an attack path to a high value target. If the deployment of a solution within the critical zones of the network can detect the use of stolen credentials before adversaries can reach their target, the critical assets could still be prevented from being compromised.

Network Deception is one such deployment within the domain environment where, using the MITRE Shield techniques like decoy systems and network, decoy credentials, decoy accounts, decoy contents, could potentially help detect lateral movement early in the adversary’s attack path to the target asset and at the same time, report significantly low false detection rates. The idea of deception originates from the decades old honeypot systems but, unlike those, relies more on forging trust and giving adversaries what they are looking for. With its inbuilt proactiveness it is configured to lure attackers towards deceptive systems. As shown in the figure below, Network Deception consists of authentic looking decoy systems placed within the domain network, specifically in the network where the critical assets are placed. These decoy systems (could be virtual machines) are the full-fledged OS with configured applications or services and could be replicating the crucial services like Domain Controller, Exchange or DB server and other decoy machines that could lead to those systems. The image below highlights the key foundational aspects of the Network Deception

Figure 17 – Network Deception

Key Aspects of Network Deception

As visualized in the figure above, Network Deception comprises the following key basic facts with respect to the deployment in the domain joined environment:

  • As a part of deployment, decoy/deceptive machines are planted within the network alongside production systems and critical assets. These decoy systems could be real systems or virtual systems with production grade operating systems with the required setup to make them blend well with real systems.
  • As one of the key aspects, deceptive machines are configured to lure attackers towards the decoy services instead of the production services, thereby deflecting or misleading the attacker’s lateral movement path to the target asset.
  • Many of the decoy machines could replicate critical services like Domain Controller, DB servers, Exchange/SharePoint servers and other critical services or applications within the data center.
  • Any legitimate domain user should not be generating traffic to or communicating with the configured decoy machines unless there are some misconfigurations in the network, which need to be corrected.

Basic Decoy Network Setup

Since credential theft plays an important role in a successful targeted attack, deception essentially focuses on planting fake credentials on the production and decoy endpoints at multiple places within the OS and monitoring the use of these credentials to pivot to other systems. With respect to the network setup, the following are the key aspects, however this list is not exhaustive, and much more could be added:

  • Replicating critical network assets and services with decoy machines: Replicating critical network services like Active Directory, DB services, etc., will make more sense since these are the most targeted systems in the network. The decoy Active Directory should be configured with deceptive AD objects (users, groups, SPNs, etc.). with deceptive contents for other replicated services.
  • Planting authentic looking decoy machines in the production network: As indicated earlier, these decoy machines could be real or virtual machines with the production grade OS placed alongside production systems in the critical infrastructure to blend in well. These decoy machines should be joined to the decoy AD and configured with deceptive user accounts to monitor successful logon attempts to the systems.
  • Injecting deceptive credentials on production endpoints: Production endpoints should be injected with deceptive credentials at multiple places like LSASS process memory, Credential Manager, browser credentials, etc., to increase the possibility of these credentials being picked up and used to pivot to decoy systems in the network. These endpoints could be public facing machines or their replicas as well.
  • Decoy Machine runs client applications pointing to decoy services: Decoy machines may run the client with deceptive credentials and configured to point to the decoy services. These could be DB/FTP/Email clients and any other replicated decoy services.
  • Mark decoy systems as “NO LANDING ZONE”: One of the key deployment aspects of deception is to mark all the decoy systems and services as “NO LANDING ZONE”, essentially meaning no legitimate domain users should be accessing decoys and any attempts to access these systems should be closely monitored.

Some of the other setup required for effective deployment of deception is as summarized below:

Figure 18 – Deceptive network setup – Basic requirements

Basic Decoy Systems Setup

To detect the use of deceptive credentials, setting up decoy machines is an essential part of the solution as well. Primarily, decoy machines should enable the access attackers are looking to have during the lateral movement phase. Decoys should also be configured to enable relevant auditing services to be able to generate events. For instance, the following enables the account logon events to be audited:

Decoy machines must be setup to run the log collector agent that can collect the access logs generated and forward them to the correlation server. However, in the domain joined environment, it is also essential to tune the decoy machines to forward only the relevant logs to the correlation server to minimize false positives.

The below highlights some of the auditing required to be enabled on the decoy systems for effective correlation.

Figure 19 – Basic decoy setup

Illustrating and Achieving Network Deception

The following sections describe some examples of how deception can be achieved in the domain network, along with a visualization of how credential theft can be detected.

Network Deception – Example 1: Injecting NETONLY credentials into LSASS process memory

LSASS process memory is one of the prime targets for attackers, as well as malware armed with lateral movement capabilities since it caches a variety of credentials. Credential extraction from the LSASS process requires opening a read handle to the process itself which is closely monitored by EDR products but there are stealthier ways around it.

One of the primary tasks towards achieving credential-based deception is to stage the deceptive credentials in LSASS process memory. This can be accomplished on the production and decoy systems by executing a trivial credential injection code which uses the CreateProcessWithLogonW Windows API with the specified crafted credentials. CreateProcessWithLogonW creates the new logon session using the caller process access token and spawns the process specified as a parameter in the security context of the specified deceptive credentials and it will be staged in the LSASS memory until the process runs in the background. The below shows the example code calling the API with the specified credentials which is also visible when credentials are extracted with Mimikatz.

Figure 20 – Injecting credentials into LSASS memory

One of the parameters to CreateProcessWithLogonW is “dwLogonFlags” which should be specified as LOGON_NETCREDENTIALS_ONLY as shown in the code above. This ensures the specified credentials are used only on the network and not for local logons. Additionally, NETONLY credentials used to create a logon session are not validated by the system. Below is a code snapshot from credential extraction tool Mimikatz, using a similar approach to forge a logon session and replacing the credentials with the supplied ones while executing Pass-the-Hash attacks.

Figure 21 – Mimikatz code for PTH attack

Network Deception – Example 2: Configure deceptive hostnames for decoy VMs

Attackers or malware moving laterally inside the network might do a recon for interesting hostnames via nbtstat/nbtscan. To deflect the lateral movement path, decoy systems can be configured with real looking hostnames that match the production systems. These hostnames will then be visible on NetBIOS scans as shown below.

Figure 22 – Deceptive host names pointing to decoy machines

These decoy systems can also run the relevant client applications pointing to the decoy services, with authentication directed to the decoy Domain Controller in the network. Detection of this attack path happens much earlier, however the decoy network setup keeps the adversaries engaged, helping admins to study their Tools and Techniques.

Figure 23 – Decoy machines running clients pointing to decoy services

A similar deception setup can also be done for the browsers where saved credentials can point to the decoy applications and services within the domain. For instance, Chrome saves the credentials in the SQLite format on the disk which can be decrypted using DPAPI as discussed earlier sections. The below examples demonstrate deceptive browser credentials which can lure adversaries towards the decoy services.

Figure 24 – Inserting deceptive browser credentials

In addition to some of the techniques discussed above, and many others highlighted in the previous sections, setting up deception involves much more advanced configuration of decoy systems to minimize false positives and needs to be tuned to the environment to accurately identify malicious activities. Deception can also be configured to address multiple other phases of lateral movement activity including reconnaissance and target discovery, essentially redirecting the adversaries and giving them a path to the target. Below is a high-level visualization of how the decoy network can look like the domain environment.

Figure 25 – Deception network setup

On the occasion where one of the domain-joined or public facing systems is compromised, authentication would be attempted to other domain joined systems in the network. If an authentication is attempted and any of the decoy systems are accessed and logged on, the use of these planted deceptive credentials should be a red flag and something which must be investigated. The visualization below shows the flow and an event being sent to an administrator on accessing one of the decoy systems.

Figure 26 – Deceptive credentials usage for authentication in the domain

One such example event of successfully logging on to the decoy system is as shown below:

Figure 27 – Alert send to administrator on using deceptive credentials

MITRE ATT&CK Techniques:

Credential theft attacks discussed here are mapped by MITRE as below:

Technique ID Technique Name Description
T1003.001 LSASS Process Memory Attackers may attempt to access LSASS process memory to extract credentials as it stores a variety of credentials. Administrative privileges are required to access the process memory.
T1003.002 SAM Database Accessing credentials from SAM database requires SYSTEM level privileges. Stores credentials for all the local user accounts on the machine.
T1003.003 NTDS.dit file Contains credentials for all the domain users. File is present on the DC and domain admin privileges are required to access this file.
T1003.006 DCSync Attacker can extract the credentials from the DC by impersonating the domain controller and use DRSUAPI protocol to replicate credentials from DC.
T1558.001 Golden Ticket Attackers acquiring credentials for KRBTGT account can forge the Kerberos ticket called Golden Ticket, allowing them to get unrestricted access to any system in the domain
T1558.002 Silver Ticket Allows attacker to get admin level access to the service accounts by abusing Kerberos authentication
T1558.003 Kerberoasting Allows attackers to extract the Kerberos tickets for service accounts from memory and brute force offline to get credentials

Conclusion

As credential theft attacks play a significant role in an attacker’s lateral movement, so as in-network defense for the defenders. With attackers’ lateral movement tactics evolving and getting more stealthier, defenders will have to adapt to innovative ways of defending the critical network assets. In–network defense strategies like Deception could prove to be a promising and forward-looking approach towards detecting and mitigating data theft attacks. Strategic planting of decoy systems within the production network, inserting decoy credentials and decoy contents on calculative selection of endpoints and decoy systems and accurately setting up the logging and correlation via SIEMs for monitoring the use of decoy contents, could certainly detect and mitigate the attacks early in the lateral movement life cycle.

Endpoint solutions like User Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) could also play a significant role in building the deception infrastructure. For instance, one of the ways UEBA solutions could prove useful is to baseline user behavior and monitor access to credential stores on the system. UEBA/EDR could raise the red flag on injection of forged Kerberos tickets in the memory. This can provide user level visibility to a greater extent when integrated with SIEM, playing a crucial role in mitigating credential theft attacks.

The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blog.

McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet

By Taylor Mullins

This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as soon as possible, there is one critical vulnerability that McAfee Enterprise wants to immediately bring to your attention due to the simplicity of what is required to exploit, and evidence that possible exploitation is already being attempted.

The list of flaws, collectively called OMIGOD, impact a software agent called Open Management Infrastructure that’s automatically deployed in many Azure services –

CVE-2021-38647 (CVSS score: 9.8) – Open Management Infrastructure Remote Code Execution Vulnerability

CVE-2021-38648 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability

CVE-2021-38645 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability

CVE-2021-38649 (CVSS score: 7.0) – Open Management Infrastructure Elevation of Privilege Vulnerability

Azure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation. OMI can also be installed outside of Azure on any on-premises Linux system.

The Remote Code Execution is extremely simple and all that is required is to remove the auth header and root access is available remotely on all machines. With this vulnerability the attackers can obtain initial access to the target Azure environment and then move laterally within it.

Campaign: Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD

Source: MVISION Insights

Multiple security researchers shared proof of concept attacks on the exploitation of the vulnerabilities and, soon thereafter, actors mimicked the efforts and have recently been seen actively exploiting CVE-2021-38647 via botnet activities.

Background on the Mirai Botnet and related campaigns

Source: MVISION Insights

One such botnet is Mirai, which is actively scanning for vulnerabilities, including those identified as OMIGOD, that will allow the operators to infect a system and spread to connected devices. If the Mirai botnet exploits a vulnerable machine, the operators will drop one of the Mirai DDoS botnet versions and close port 5896 on the internet to prevent other attackers from exploiting the same box. Reports of successful exploitation of OMIGOD have reported cryptominers being deployed on the impacted systems.

McAfee Enterprise Coverage and Recommended Mitigations

Microsoft does not have an auto update mechanism; a manual upgrade of the agents is required to prevent exploitation. Microsoft has released a patched OMI version (1.6.8.1), suggested steps by Microsoft are provided in the below link.

CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability

McAfee Enterprise will continue to update the following KB document with product coverage of CVE-2021-38647; please subscribe to the KB to be notified of updates.

McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability

Identifying Vulnerable Systems with the OMI Agent

To identify vulnerable systems in your environment, McAfee Enterprise recommends scanning for systems listening on Ports 5986. Port 5986 is the typical port leveraged by the OMI agent. Industry intelligence from the Wiz Research group is also noting vulnerable systems listening on non–default ports 5985 and 1270. It is recommended to limit network access to those ports immediately to protect from the RCE vulnerability.

Detecting Threat Activity with MVISION Insights

MVISION Insights provides regularly updated threat intelligence for the ongoing attempts to exploit OMIGOD. The “Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD” campaign will have up to date Global Prevalence, IOCs, and MITRE techniques being observed in the wild. The IOCs within MVISION Insights can be utilized by the Real-time Search function of MVISION Endpoint Detection & Response (EDR) to proactively search your entire Linux endpoint environment for detection.

Global Prevalence of OMIGOD Exploitation Source: MVISION Insights

Indicators of Compromise related to exploitation of OMIGOD Source: MVISION Insights

Blocking Ports with McAfee ENS Firewall

The McAfee ENS Firewall Rules will allow for the creation of custom rules to block specific ports until the OMI agent can be updated to the resolved version; please see the below screenshot for a sample rule to block the ports associated with the OMI agent.

Creation of Block Rule for OMI Agent Ports in McAfee ENS Firewall

Locating Systems Running OMI with MVISION EDR

The Real-time search feature in MVISION EDR with allow for the searching of your entire Linux environment utilizing several different parameters to identify systems that could be potential targets.

The below pre-built queries can be executed to locate systems listening on the noted ports for the OMI Agent and to verify the version of the OMI agent installed on your endpoint.

Processes and CurrentFlow and HostInfo hostname where Processes name equals omiengine

Software and HostInfo hostname where Software displayname contains om

Locating Installed Software Versions of OMI on Linux endpoints in MVISION EDR

Monitoring the traffic and user information of OMI in MVISION EDR

Discovery of Vulnerabilities and Configuration Audits with MVISION CNAPP

Another method to identify vulnerable systems in your cloud infrastructure is run an on-demand vulnerability scan and create security configuration audits with MVISION Cloud Native Application Protection Platform (CNAPP). Please see below several examples of using the CWPP and CSPM features to locate vulnerable systems by CVE number and detect usage of the “root” account in Microsoft Azure.

Running Vulnerability Scans to Identify Vulnerable Systems by CVE

Setting Security Configuration Audits to be alerted of Root Access in Microsoft Azure

The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blog.

Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek

By Melissa Gaffney

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced Threat Research Team to hear their takes on today’s security trends, challenges, and opportunities for companies across the globe.

Q: What got you interested in technology and threat research?

As a little kid, I was always fascinated by technology. I would wrench open devices to study the inner workings, and try to assemble again. At age 12 I worked for three years to assemble my first computer-setup: a Commodore 64, disk-drive, and printer followed by an Amiga with modem. From that point, it was a journey from sysadmin to ethical hacking into specializing in digital forensics and joining FoundStone to setup their EMEA Incident Response team. As I witnessed multiple malware incidents and later some of the largest cyber-attacks ever, I got fascinated by all the mechanics around threat research. From this, I made a move to lead and envision new ways (threat) research can assist both responders and customers.

Q: If you could relive any moment of your life, which would it be?

Good question. There are so many moments to be thankful for that I cannot choose one but will mention a few that might sound obvious: My baptism, marrying my wife, and the birth of my kids.

Q: What are some of the trends you are currently noticing across the threat landscape?

Of course, we still have ransomware around as an ongoing issue that keeps evolving and impacting not only companies around the world, but also our lives more and more when fuel is not available, supermarkets are closed, and delivery of goods cannot be executed. Secondly, I would say the volume and number of attacks that happen have increased dramatically over the years. The moment a vulnerability is announced, within days, a proof-of-concept is available and within a week it is used by adversaries (either cybercrime or nation-state motivated). The feedback from our customers has been tremendously positive.

Q: How do you react to constantly changing threats in the market?

The only way to respond to the constant changing threats is to be flexible and willing to change. What works today might not work tomorrow, which should be part of your strategy when it comes to threat hunting, threat detection, and protection. My team is eager to learn and we are committed to protect our customers, innovate new research techniques, and adapt that into our technology.

The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blog.

BlackMatter Ransomware Analysis; The Dark Side Returns

By Alexandre Mundo

BlackMatter is a new ransomware threat discovered at the end of July 2021.

This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR), have serious doubts about this last statement as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the US government and law enforcement agencies around the world.

The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish on the internet.

COVERAGE AND PROTECTION ADVICE

McAfee’s EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.

ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-BlackMatter!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.

TECHNICAL DETAILS

BlackMatter is typically seen as an EXE program and, in special cases, as a DLL (Dynamic Library) for Windows. Linux machines can be affected with special versions of it too but in this report, we will only be covering the Windows version.

This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.

BlackMatter is programmed in C++ and has a size of 67Kb.

FIGURE 1. Information about the malware

The compile date of this sample is the 23rd of July 2021. While these dates can be altered, we think it is correct; version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, has a date four days later, on the 16th of August 2021. Is clear that the malware developers are actively improving the code and making detection and analysis harder.

The first action performed by BlackMatter is preparation of some modules that will be needed later to get the required functions of Windows.

FIGURE 2. BlackMatter searching for functions

BlackMatter uses some tricks to try and make analysis harder and avoid debuggers. Instead of searching for module names it will check for hashes precalculated with a ROT13 algorithm. The modules needed are “kernel32.dll” and “ntdll.dll”. Both modules will try to get functions to reserve memory in the process heap. The APIs are searched using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Table Address) and enumerating all function names. With these names it will calculate the custom hash and check against the target hashes.

FIGURE 3. BlackMatter detecting a debugger

At this point BlackMatter will make a special code to detect debuggers, checking the last 2 “DWORDS” after the memory is reserved, searching for the bytes “0xABABABAB”. These bytes always exist when a process reserves memory in the heap and, if the heap has one special flag (that by default is set when a process is in a debugger), the malware will avoid saving the pointer to the memory reserved so, in this case, the variables will keep a null pointer.

In Windows operating systems the memory has different conditions based on whether a program is running in normal mode (as usual) or in debugging mode (a mode used by programmers, for example). In this case, when the memory is reserved to keep information, if it is in debugging mode, Windows will mark the end of this memory with a special value, “0xABABABAB”. BlackMatter checks for this value and, if found, the debugger is detected. To avoid having it run normally it will destroy the function address that it gets before, meaning it will crash, thus avoiding the execution.

FIGURE 4. Preparing the protection stub function

After this check it will create a special stub in the reserved memory which is very simple but effective in making analysis harder as the stub will need to be executed to see which function is called and executed.

This procedure will be done with all functions that will be needed; the hashes are saved hardcoded in the middle of the “.text” section in little structs as data. The end of each struct will be recognized by a check against the “0xCCCCCCCC” value.

FIGURE 5. Hashes of the functions needed

This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though it is simple to defeat both by patching the binary.

After this, the ransomware will use another trick to avoid the use of debuggers. BlackMatter will call the function “ZwSetInformationThread” with the class argument of 0x11 which will hide the calling thread from the debuggers.

If the malware executes it correctly and a debugger is attached, the debugging session will finish immediately. This code is executed later in the threads that will be used to encrypt files.

FIGURE 6. Another way to detect a debugger

The next action is to check if the user that launched the process belongs to the local group of Administrators in the machine using the function “SHTestTokenMembership”. In the case that the user belongs to the administrator group the code will continue normally but in other cases it will get the operating system version using the PEB (to avoid using API functions that can alter the version) and, if it is available, will open the process and check the token to see if that belongs to the Administrators group.

FIGURE 7. BlackMatter checking if it has administrator rights

In the case that the user does not belong to the Administrator group the process token will use a clever trick to escalate privileges.

The first action is to prepare the string “dllhost.exe” and enumerate all modules loaded. For each module it will check one field in the initial structure that all executables have that keeps the base memory address where it will be loaded (for example, kernel32.dll in 0x7fff0000) and will compare with its own base address. If it is equal, it will change its name in the PEB fields and the path and arguments path to “dllhost.exe” (in the case of the path and argument path to the SYSTEM32 folder, where the legitimate “dllhost.exe” exists). This trick is used to try and mislead the user. For each module found it will check the base address of the module with its own base address and, at that moment, will change the name of the module loaded, the path, and arguments to mislead the user.

FIGURE 8. Decryption of the string “dllhost.exe”

The process name will be “dllhost.exe” and the path will be the system directory of the victim machine. This trick, besides not changing the name of the process in the TaskManager, can make a debugger “think” that another binary is loaded and remove all breakpoints (depending on the debugger used).

FIGURE 9. Changing the name and path in the PEB

The second action is to use one exploit using COM (Component Object Model) objects to try to elevate privileges before finishing its own instance using the “Terminate Process” function.

For detection, the module uses an undocumented function from NTDLL.DLL, “LoadedModulesLdrCallback” that lets the programmer set a function as a callback where it can get the arguments and check the PEB. In this callback the malware will set the new Unicode strings using “RtlInitUnicodeString”; the strings are the path to “dllhost.exe” in the system folder and “dllhost.exe” as the image name.

The exploit used to bypass the UAC (User Access Control), which is public, uses the COM interface of CMSTPLUA and the COM Elevation Moniker.

In the case that it has administrator rights or uses the exploit with success, it will continue making the new extension that will be used with the encrypted files. For this task it will read the registry key of “Machine Guid” in the cryptographic key (HKEY LOCAL MACHINE).

This entry and value exist in all versions of Windows and is unique for the machine; with this value it will make a custom hash and get the final string of nine characters.

FIGURE 10. Creating the new extension for the encrypted files

Next, the malware will create the ransom note name and calculate the integrity hash of it. The ransom note text is stored encrypted in the malware data. Usually the ransom note name is “%s.README.txt”, where the wildcard is filled with the new extension generated previously.

The next step is to get privileges that will be needed later; BlackMatter tries to get many privileges:

·         SE_BACKUP_PRIVILEGE

·         SE_DEBUG_PRIVILEGE, SE_IMPERSONATE_PRIVILEGE

·         SE_INC_BASE_PRIORITY_PRIVILEGE

·         SE_INCREASE_QUOTA_PRIVILEGE

·         SE_INC_WORKING_SET_PRIVILEGE

·         SE_MANAGE_VOLUME_PRIVILEGE

·         SE_PROF_SINGLE_PROCESS_PRIVILEGE

·         SE_RESTORE_PRIVILEGE

·         SE_SECURITY_PRIVILEGE

·         SE_SYSTEM_PROFILE_PRIVILEGE

·         SE_TAKE_OWNERSHIP_PRIVILEGE

·         SE_SHUTDOWN_PRIVILEGE

 

FIGURE 11. Setting special privileges

After getting the privileges it will check if it has SYSTEM privileges, checking the token of its own process. If it is SYSTEM, it will get the appropriate user for logon with the function “WTSQueryUserToken”. This function only can be used if the caller has “SeTcbPrivilege” that, by default, only SYSTEM has.

FIGURE 12. Obtaining the token of the logged on user

After getting the token of the logged on user the malware will open the Windows station and desktop.

In the case that it does not have SYSTEM permissions it will enumerate all processes in the system and try to duplicate the token from “explorer.exe” (the name is checked using a hardcoded hash), if it has rights it will continue normally, otherwise it will check again if the token that was duplicated has administrator rights.

In this case it will continue normally but in other cases it will check the operating system version and the CPU (Central Processing Unit) mode (32- or 64- bits). This check is done using the function “ZwQueryInformationProcess” with the class 0x1A (ProcessWow64Information).

FIGURE 13. Checking if the operating system is 32- or 64-bits

In the case that the system is 32-bits it will decrypt one little shellcode that will inject in one process that will enumerate using the typical “CreateRemoteThread” function. This shellcode will be used to get the token of the process and elevate privileges.

In the case that the system is 64-bits it will decrypt two different shellcodes and will execute the first one that gets the second shellcode as an argument.

FIGURE 14. BlackMatter preparing shellcodes to steal system token

These shellcodes will allow BlackMatter to elevate privileges in a clean way.

Is important to understand that to get the SYSTEM token BlackMatter will enumerate the processes and get “svchost.exe”, but not only will it check the name of the process, it will also check that the process has the privilege “SeTcbPrivilege”. As only SYSTEM has it by default (and it is one permission that cannot be removed from this “user”) it will be that this process is running under SYSTEM and so it becomes the perfect target to attack with the shellcodes and steal the token that will be duplicated and set for BlackMatter.

FIGURE 15. Checking if the target process is SYSTEM

After this it will decrypt the configuration that it has embedded in one section. BlackMatter has this configuration encrypted and encoded in base64.

This configuration has a remarkably similar structure to Darkside, offering another clear hint that the developers are one and the same, despite their claims to the contrary.

After decryption, the configuration can get this information:

  • RSA Key used to protect the Salsa20 keys used to encrypt the files.
  • A 16-byte hex value that remarks the victim id.
  • A 16-byte hex value that is the AES key that will be used to encrypt the information that will be sent to the C2.
  • An 8/9-byte array with the behavior flags to control the ransomware behavior.
  • A special array of DWORDs (values of 4 bytes each one) that keep the values to reach the critical points in the configuration.
  • Different blocks encoded and, sometimes, encrypted again to offer the field more protection.

 

After getting the configuration and parsing it, BlackMatter will start checking if it needs to make a login with some user that is in the configuration. In this case it will use the function “LogonUser” with the information of the user(s) that are kept in the configuration; this information has one user and one password: “test@enterprise.com:12345” where “test” is the user, “@enterprise.com” is the domain and “12345” the password.

The next action will be to check with the flag to see if a mutex needs to be created to avoid having multiple instances.

This mutex is unique per machine and is based in the registry entry “MachineGuid” in the key “Cryptography”. If the system has this mutex already the malware will finish itself.

Making a vaccine with a mutex can sometimes be useful but not in this case as the developers change the algorithm and only need to set the flag to false to avoid creating it.

FIGURE 16. Creation of the mutex to avoid multiple instances

After, it will check if it needs to send information to the C2. If it does (usually, but not always) it will get information of the victim machine, such as username, computer name, size of the hard disks, and other information that is useful to the malware developers to know how many machines are infected.

This information is encoded with base64 and encrypted with AES using the key in the configuration.

FIGURE 17. Encrypted information sent to the C2

The C2 addresses are in the configuration (but not all samples have them, in this case the flag to send is false). The malware will try to connect to the C2 using a normal protocol or will use SSL checking the initial “http” of the string.

FIGURE 18. Get information of the victim machine and user

The information is prepared in some strings decrypted from the malware and sent in a POST message.

FIGURE 19. Choose to send by HTTP or HTTPS

The message has values to mislead checks and to try and hide the true information as garbage. This “fake” data is calculated randomly.

The C2 returns garbage data but the malware will check if it starts and ends with the characters “{“  and “}”; if it does the malware will ignore sending the information to another C2.

FIGURE 20. Checking for a reply from the C2 after sending

BlackMatter is a multithread application and the procedure to send data to the C2 is done by a secondary thread.

After that, BlackMatter will enumerate all units that are FIXED and REMOVABLE to destroy the recycle bin contents. The malware makes it for each unit that has it and are the correct type. One difference with DarkSide is that it has a flag for this behavior while  BlackMatter does not.

The next action is to delete the shadow volumes using COM to try and avoid detection using the normal programs to manage the shadow volumes. This differs with DarkSide that has a flag for this purpose.

FIGURE 21. Destruction of the shadow volumes using COM

BlackMatter will check another flag and will enumerate all services based on one list in the configuration and will stop target services and delete them.

This behavior is the same as DarkSide.

FIGURE 22. Stopping services and deleting them

Processes will be checked and terminated as with DarkSide, based on other configuration flags.

After terminating the processes BlackMatter will stop the threads from entering suspension or hibernating if someone is using the computer to prevent either of those outcomes occurring when it is encrypting files. This is done using the function “ZwSetThreadExecutionState”.

FIGURE 23. Preventing the machine being suspended or hibernated

The next action will be to enumerate all units, fixed and on the network, and create threads to encrypt the files. BlackMatter uses Salsa20 to encrypt some part of the file and will save a new block in the end of the file, protected with the RSA key embedded in the configuration with the Salsa20 keys used to encrypt it. This makes BlackMatter slower than many other ransomwares.

After the encryption it will send to the C2 all information about the encryption process, how many files were crypted, how many files failed, and so on. This information is sent in the manner previously described, but only if the config is set to true.

FIGURE 24. Release of the mutex

If one mutex was created in this moment it will be released. Later it will check the way that the machine boots with the function “GetSystemMetrics”. If the boot was done in Safe Mode BlackMatter will set some keys for persistence in the registry for the next reboot and then attack the system, changing the desktop wallpaper.

FIGURE 25. Determining whether the system boots in safe mode or normal mode

Of course, it will disable the safeboot options in the machine and reboot it (it is one of the reasons why it needs the privilege of shutdown).

To ensure it can launch in safe mode, the persistence key value with the path of the malware will start with a ‘*’.

FIGURE 26. Setting the persistance registry key

If the machine starts in the normal way, it will change the desktop wallpaper with an alternative generated in runtime with some text about the ransom note.

FIGURE 27. BlackMatter makes the new wallpaper in runtime

VERSIONS 1.9 AND 2.0

The new versions have some differences compared with versions 1.2 to 1.6:

  • Changes in the stub generation code. Previously only one type of stub was used, but in more recent versions several types of stubs are employed, with one chosen randomly per function. Anyways the stubs can be removed without any problem by patching the binary.
  • A new byte flag in the configuration that remarks if it needs to print the ransom note using the available printer in the system. Very similar to Ryuk but instead BlackMatter uses APIs from “winspool.drv”.
  • Removed one C2 domain that was shut down by the provider.

Additional changes in version 2.0:

  • This version changes the crypto algorithm to protect the configuration making it more complex to decrypt it.
  • Removed the last C2 that was shut down by the provider.
  • Added a new C2 domain.

These changes suggest the developers are active on social media, with an interest in malware and security researchers.

VACCINE

Unlike some ransomware we’ve seen in the past, such as GandCrab , BlackMatter has good code, but it does have some design flaws that can be used in some cases to avoid having the malware encrypt the files.

This vaccine is not intended to be used in the normal way, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third party programs but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.

Steps to make the vaccine (proceed at your own risk):

  • Open regedit (or another registry editor) and go to the key in HKEY_LOCAL_MACHINE> Cryptography.
  • In this key can be seen a string value named “MachineGuid” with a special value. This value is unique for the machine and is used for some applications to identify the machine. BlackMatter uses it to make the mutex and, very importantly, the new extension for the encrypted files.
  • Make a new value of type string with a random name and put the same value as seen in “MachineGuid” to have a backup of it.
  • Remove the “MachineGuid” value, and then make it again but with the binary type Instead of string type, with the same name, “MachineGuid”.
  • Close the registry editor.

In this moment BlackMatter cannot affect the machine as it needs the registry key to make the ransom extension, and the most important thing is, if it cannot make it, it will return the function WITHOUT decrypting the config that is needed too. In this case it will destroy the recycle bin and shadow volumes anyways but later it will finish as it does not have any behavior to do, RSA Key to protect the files, or anything to send to the C2 as the flag was never read from the config (and the default values are false for all of them).

Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.

This vaccine works for all versions, including 2.0.

MITRE ATT&CK

The sample uses the following MITRE ATT&CK™ techniques:

Technique ID Technique Description Observable
T1134 Access Token Manipulation BlackMatter accesses and manipulates different process tokens.
T1486 Data Encrypted for Impact BlackMatter encrypts files using a custom Salsa20 algorithm and RSA.
T1083 File and Directory Discovery

 

BlackMatter uses native functions to enumerate files and directories searching for targets to encrypt.
T1222.001 Windows File and Directory Permissions Modification BlackMatter executes the command icacls “<DriveLetter>:\*” /grant Everyone: F /T /C /Q to grant full access to the drive.
T1562.001 Disable or Modify Tools BlackMatter stops services related to endpoint security software.
T1106 Native API BlackMatter uses native API functions in all code.
T1057 Process Discovery BlackMatter enumerates all processes to try to discover security programs and terminate them.
T1489 Service Stop BlackMatter stops services.
T1497.001 System Checks BlackMatter tries to detect debuggers, checking the memory reserved in the heap.
T1135 Network Share Discovery BlackMatter will attempt to discover network shares by building a UNC path in the following format for each driver letter, from A to Z: \\<IP>\<drive letter>$
T1082 System Information Discovery BlackMatter uses functions to retrieve information about the target system.
T1592 Gather Victim Host Information BlackMatter retrieves information about the user and machine.
T1070 Valid Accounts BlackMatter uses valid accounts to logon to the victim network.
T1547 Boot or Logon Autostart Execution BlackMatter installs persistence in the registry.
T1102 Query Registry BlackMatter queries the registry for information.
T1018 Remote System Discovery BlackMatter enumerates remote machines in the domain.
T1112 Modify Registry BlackMatter changes registry keys and values and sets new ones.

CONCLUSION

BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.

BlackMatter shares a lot of ideas, and to some degree code, with DarkSide:

  • Configurations are remarkably similar, especially with the last version of Darkside, besides the change in the algorithm to protect it which, despite having less options, remains with the same structure. We do not think that the developers of BlackMatter achieved this similarity by reversing DarkSide as that level of coding skill would have allowed them to create an entirely new ransomware from the ground up. Also, the idea that the DarkSide developers gave or sold the original code to them does not make any sense as it is an old product.
  • Dynamic functions are used in a similar way to DarkSide.
  • It uses the same compression algorithm for the configuration.
  • The victim id is kept in the same way as DarkSide.

It is important to keep your McAfee Enterprise products updated to the latest detections and avoid insecure remote desktop connections, maintain secure passwords that are changed on a regular basis, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.

Despite some effective coding, mistakes have been made by the developers, allowing the program to be read, and a vaccine to be created, though we will stress again that it can affect other programs and is not a permanent solution and should be employed only if you accept the risks associated with it.

The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blog.

European Telecom Company Expands Its Footprint to Better Protect Users and Customers

By McAfee Enterprise

Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee Enterprise security infrastructure, which they relied on for many years to protect their 8,000 corporate endpoints. Competitive pressure to keep costs low and cybercriminals at bay for both their internal users and their customers spurred the mobile and fixed telephony company to enhance their existing security architecture with the latest endpoint and cloud-based protections from McAfee Enterprise.

The integrated McAfee Enterprise approach—with ePolicy Orchestrator ( ePO™) at the helm as the single-pane-of-glass management hub—enabled the security architect to build out a strong security foundation, with McAfee Enterprise endpoint and data protection solutions and Microsoft Defender as the mainstays of the telecom’s line of defense.

With ransomware and other advanced threats grabbing headlines, the telecom company felt a pressing need to upgrade its McAfee Enterprise infrastructure and expand its on-premises endpoint protection to cloud-based McAfee Enterprise Endpoint Security. The organization also added MVISION™ Endpoint Threat Detection and Response (MVISION® EDR) and deployed two McAfee Enterprise Advanced Threat Defense appliances for dynamic and static sandboxing. These deployments were easily integrated into the telecom’s existing security architecture—with all solutions managed by McAfee Enterprise ePO software. 

Faster time to detection, investigation, and remediation

McAfee Enterprise Endpoint Security was instrumental in both simplifying and boosting endpoint protection, as multiple technologies—Threat Protection, Firewall, Web Control, and Adaptive Threat Prevention—are consolidated into a single agent. Leveraging threat data from local endpoints and McAfee Enterprise Global Threat Intelligence in the cloud, the telecom’s security team is also empowered to detect zero-day threats in near real time. When a threat is identified on a given endpoint, that information is automatically shared with all the other endpoints. And when an unknown or suspicious file is detected, it is immediately quarantined for analysis by MVISION EDR or the McAfee Endpoint Advanced Threat Defense sandbox.

Investigation had once been a lengthy and laborious manual process, often taking days or weeks. Sometimes detections of malicious activity were even ignored due to time constraints. But, after implementing MVISION EDR, things changed dramatically. Investigations and remediations now take as little as 10 to 15 minutes. The security team is catching more threats than ever before, their workflows are streamlined, and investigations are faster. Best of all, thanks to MVISION EDR, team members have expanded their threat-hunting capacity—without augmenting their staff.

Alerts coordinate with action

Because McAfee Enterprise Advanced Threat Defense appliances and MVISION EDR are integrated with McAfee Enterprise SIEM solutions and McAfee Enterprise ePO software, suspicious activity at an endpoint automatically triggers an investigation. Advanced analytics and artificial intelligence (AI) in MVISION enable administrators to understand the alert, sort out the facts, and remediate any threat. MVISION EDR does all the preparatory work, gathering and distilling relevant data, such as IP addresses and information about devices and users. Graphic visualizations and AI-guided investigations help analysts quickly get a grasp on what’s happening. The security team can also run real-time queries to see if something similar has occurred anywhere else, and they can conduct historical searches for greater context.

“The volume of malware we have to deal with has definitely shrunk since implementing McAfee Enterprise Endpoint Security. But the addition of MVISION EDR has made an even bigger impact on security posture. When our endpoints do encounter malware, we can now respond many times faster and more effectively than ever before,” points out the security architect.

Achieving a proactive stance

The enhanced McAfee Enterprise security architecture has transformed the telecom company’s approach to maintaining a more resilient security posture. The company is now taking a more proactive defense as a result of the new, fully coordinated McAfee Enterprise toolset.

In addition to advanced threat-hunting capabilities, the ability to share threat information across the organization via the Data Exchange Layer (DXL) has also contributed to a more proactive stance. For example, whenever a malicious file is identified, that information is automatically added to the McAfee Enterprise Threat Intelligence Exchange threat reputation database and shared with all DXL-connected systems: endpoints, SIEM, Advanced Threat Defense sandboxes, MVISION EDR software, and even the company’s Cisco pxGrid infrastructure, a multivendor, cross-platform network system that pulls together different parts of an IT infrastructure.

The European telecom company has plans to migrate to the cloud, beginning with Microsoft Office 365 and Microsoft Azure. For the time being, the organization plans to keep the McAfee Enterprise ePO management console on premises, but, in the very near future, the plan is to protect internet-only users with cloud-based MVISION ePO™.

“Taking measured steps to augment our security infrastructure has helped us succeed at keeping our company and customers secure,” say the security architect. “It’s nice to know that McAfee Enterprise can support us wherever we are in our journey and can extend our integrated security infrastructure from device to cloud when we’re ready.”

 

The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blog.

McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444

By Taylor Mullins

Threat Summary

Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that is being leveraged by remote, unauthenticated attackers to execute code on the target system using specifically crafted office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents. This vulnerability is being actively exploited and protections should be put into place to prevent that. Microsoft has released guidance on a workaround, as well as updates to prevent exploitation, but below are additional McAfee Enterprise countermeasures you can use to protect your business.

MVISION Insights Campaign – “CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability”

Since originally reported, vulnerability exploitation has grown worldwide.

Figure 1. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

Additional MITRE ATT&CK techniques have been identified since our original report. MVISION Insights will be regularly updated with the latest IOCs and hunting rules for proactive detection in your environment.

Figure 2. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

McAfee Enterprise Product Protections

The following McAfee Enterprise products can protect you against this threat.

Figure 3. Protection by ENS Module

For ENS, it’s important to have both Threat Protection (TP) and Adaptive Threat Protection (ATP) with GTI enabled. We are seeing 50% of detections based on ATP behavior analysis rules.

Figure 4. Protection by ENS Module

More details on Endpoint protection including MVISION EDR are included below.

Preventing Exploit with McAfee ENS

McAfee Global Threat Intelligence (GTI) is currently detecting the analyzed IOCs for this exploitation. GTI will be continually updated as new indicators are observed in the wild.

ENS Threat Prevention module can provide added protections against exploitation of CVE-2021-40444 until a patch is deployed. The following signature in Exploit Prevention has shown coverage in testing of observed exploits; this signature could cause false positives, so it is highly advised to test in Report Mode or in sandbox environments before blocking in production environments.

Signature 2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability

Several custom Expert Rules can be implemented to prevent or detect potential exploitation attempts. As with all Expert Rules, please test them in your environment before deploying widely to all endpoints. Recommended to implement this rule in a log only mode to start.

Figure 5. Expert Rule to block or log exploitation attempts

Figure 6. Expert Rule to block or log exploitation attempts

ATP Rules

Adaptive Threat Protection module provides behavior-blocking capability through threat intelligence, rules destined to detect abnormal application activity or system changes and cloud-based machine-learning. To exploit this vulnerability, the attacker must gain access to a vulnerable system, most likely through Spearphishing with malicious attachments. These rules may also be effective in preventing initial access and execution. It is recommended to have the following rules in Observe mode at least and monitor for threat events in ePO.

  • Rule 2: Use Enterprise Reputations to identify malicious files.
  • Rule 4: Use GTI file reputation to identify trusted or malicious files
  • Rule 5: Use GTI file reputation to identify trusted or malicious URLs
  • Rule 300: Prevent office applications from being abused to deliver malicious payloads
  • Rule 309: Prevent office applications from being abused to deliver malicious payloads
  • Rule 312: Prevent email applications from spawning potentially malicious tools

As with all ATP Rules, please test them in your environment before deploying widely to all endpoints or turning on blocking mode.

Utilizing MVISION EDR for Hunting of Threat Activity

The Real-Time Search feature in MVISION EDR provides the ability to search across your environment for behavior associated with the exploitation of this Microsoft vulnerability. Please see the queries to locate the “mshtml” loaded module associated with various application processes.

EDR Query One

Processes where Processes parentimagepath matches “winword|excel|powerpnt” and Processes cmdline matches “AppData\/Local\/Temp\/|\.inf|\.dll” and Processes imagepath ends with “\control.exe”

EDR Query Two

HostInfo hostname and LoadedModules where LoadedModules process_name matches “winword|excel|powerpnt” and LoadedModules module_name contains “mshtml” and LoadedModules module_name contains “urlmon” and LoadedModules module_name contains “wininet

Additionally, the Historical Search feature within MVISION EDR will allow for the searching of IOCs even if a system is currently offline.

Figure 7. Using Historical Search to locate IOCs across all devices. Source: MVISION EDR

McAfee Enterprise has published the following KB article that will be updated as more information and coverage is released.

McAfee Enterprise coverage for CVE-2021-40444 – MSHTML Remote Code Execution

Further Protection for Threat Actor Behavior After Exploitation

Since public disclosure of the vulnerability, it has been observed from successful exploitation of CVE-2021-40444 in the wild that threat actors are utilizing a Cobalt Strike payload to then drop ransomware later in the compromised environment. The association between this vulnerability and ransomware point to the possibility that the exploit has been added to the tools utilized in the ransomware-as-a-service (RaaS) ecosystem.

Figure 8. CVE-2021-40444-attack-chain (Microsoft)​​

The Ransomware Gangs that have been observed in these attacks have in the past been known to utilize the Ryuk and Conti variants of ransomware.

Please see below additional mitigations that can be utilized in the event your environment is compromised and added protections are needed to prevent further TTPs.

Cobalt Strike BEACON

MVISION Insights Campaign – Threat Profile: CobaltStrike C2s

 

Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 517: Prevent actor process with unknown reputations from launching processes in common system folders

 

Ryuk Ransomware Protection

MVISION Insights Campaign – Threat Profile: Ryuk Ransomware

 

Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs

 

Endpoint Security – Access Protection:

Rule: 1

Executables (Include):

*

Subrules:

Subrule Type: Files

Operations:

Create

Targets (Include):

*.ryk

 

Endpoint Security – Exploit Prevention

Signature 6153: Malware Behavior: Ryuk Ransomware activity detected

 

Conti Ransomware Protection

MVISION Insights Campaign – Threat Profile: Conti Ransomware

 

Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs

 

Endpoint Security – Access Protection Custom Rules:

Rule: 1

Executables (Include):

*

Subrules:

Subrule Type: Files

Operations:

create

Targets (Include):

*conti_readme.txt

 

Endpoint Security – Exploit Prevention

Signature 344: New Startup Program Creation

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blog.

The Bug Report | September 2021: CVE-2021-40444

By Kevin McGrath
How to check for viruses

Why am I here?

There’s a lot of information out there on critical vulnerabilities; this short bug report contains an overview of what we believe to be the most news and noteworthy vulnerabilities. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. Today, we’ll be focusing on CVE-2021-40444.

CrossView: CVE-2021-40444

What is it?

CVE-2021-40444 is a vulnerability in Office applications which use protected view such as Word, PowerPoint and Excel which allows an attacker to achieve remote code execution (RCE). CVE-2021-40444 is a vulnerability which allows a carefully crafted ActiveX control and a malicious MS Cabinet (.cab) file to be launched from an Office document

Most importantly, this vulnerability impacts the applications themselves, as well as the Windows Explorer preview pane.

Who cares?

This is a great question! Pretty much anyone who uses any Microsoft Office applications, or has them installed, should be concerned.

Office is one of the most widely-used applications on the planet. Odds are good you have it open right now. While many companies have disabled macros within Office documents at the Group Policy level, it is unlikely ActiveX is treated similarly. This means that without proper data hygiene, a large proportion of Office users will be vulnerable to this exploit.

Fortunately, “spray and pray” style email campaigns are unlikely to gain traction with this exploit, as mail providers have started flagging malicious files (or at least known PoCs) as potential malware and removing them as attachments.

What can I do?

Good news! You aren’t necessarily completely helpless. By default, Windows uses a flag known as the “Mark of the Web” (MoTW) to enable Protected Mode in Office. Email attachments, web downloads, and similar all have this MoTW flag set, and Protected Mode prevents network operations, ActiveX controls, and macros embedded within a document from being executed, which effectively disables exploitation attempts for this vulnerability.

That said, users have become so inured to the Protected View message, they often dismiss it without considering the consequences. Much like “confirmation fatigue” can lead to installing malicious software, attackers can leverage this common human response to compromise the target machine.

Even more so, while exploitation can occur via the Office applications themselves and via the Explorer preview pane, the Outlook preview pane operates in a completely different manner which does not trigger the exploit. Exactly why this distinction exists only MS can explain, but the upshot is that Outlook users have to explicitly open malicious files to be exploited – the more hoops users have to jump through to open a malicious, the less likely they are to be pwned.

If I’m protected by default, why does this matter?

It depends entirely on how the file gets delivered and where the user saves it.

There are many ways of getting files beyond email and web downloads – flash cards for cameras, thumb drives, external hard drives, etc. Files opened from these sources (and many common applications[1]) don’t have MoTW flag set, meaning that attackers could bypass the protection entirely by sending a malicious file in a .7z archive, or as part of a disk image, or dropping a USB flash drive in your driveway. Convincing users to open such files is no harder than any other social engineering strategy, after all.

Another fun workaround for bypassing default protections is to make use of an RTF file – emailed, downloaded, or otherwise. From our testing, an RTF file saved from an email attachment does not bear the MoTW but can still be used as a vector of exploitation. Whether RTF files become the preferred option for this exploit remains to be seen.

TL;DR

Ha! We put the tl;dr near the end, which only makes sense when the information above is so important it’s worth reading. But if all you care about is what you can actively do to ensure you’re not vulnerable, this section is for you.

Mitigations:

  • Apply the Patch! Available via Windows Update as of 9/14/2021, this is your best solution.
  • Enable registry workaround to disable ActiveX – details can be found on Microsoft’s bulletin page and should effectively disable exploitation attempts until a formal patch can be applied.
  • Confirm that Windows Explorer “Preview” pane is disabled (this is true by default). This only protects against the Preview pane exploitation in Explorer. Opening the file outside of Protected Mode (such as an RTF file) or explicitly disabling Protected Mode will still allow for exploitation.

The Gold Standard

In case you simply can’t apply the patch or have a “production patch cycle” or whatever, McAfee Enterprise has you covered. Per our KB we provide comprehensive coverage for this attack across our protection and detection technology stack of endpoint (ENS Expert Rules), network (NSP) and EDR.

https://kc.mcafee.com/corporate/index?page=content&id=KB94876

[1] 7zip, files from disk images or other container formats, FAT formatted volumes, etc.

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blog.

Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry

By Melissa Gaffney

For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was named one of CRN’s 2021 Channel Chiefs. Joining the company in April 2020, she was acknowledged for her contributions expanding our partner program initiatives to reward partners for servicing customers in line with their modern needs and consumption preferences. This includes spearheading McAfee Enterprises’ “channel first” initiative and ethos, aimed to better empower our channel partner community and increase their profitability, while at the same time optimizing the end customer experience by scaling through McAfee Enterprise’s channels and partners. Read below for more.

Q: Who has been the most influential person in your life?

My father instilled in me, from as far back as I can remember, that I can do whatever I set my mind to and that I am the owner of my life story. This helped create a positive, empowered mindset when facing challenges and opportunities throughout my life. And my father always kept our world big. Whether it was traveling to see other cultures, sharing his never-ending love of history, or getting involved in our community, his actions showed me the importance of taking time to connect with others, understand the context of things, and have compassion. While he is no longer with us, I still feel like I get advice from him every day.

Q: What are the most significant problems influencing cybersecurity professionals today?

The ever-changing threat landscape is a real challenge. Finding the time to keep up on trends, proactively secure an environment, and address unexpected issues has become increasingly difficult. Together with our partners, we can help solve these problems.

Q: How do you separate hype from genuine innovation?

Execution. True innovation delivers real outcomes. It can be big or small, but mostly, it must be realized and validated.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise and our partners in the coming years?

There is tremendous opportunity ahead for us and our partners. With the complexity of the cybersecurity landscape, continuing threats, and talent gaps, our customers need our collective solutions, expertise, and services more than ever. We are charging ahead to optimize our channel program with partner profitability and growth at the forefront. Our dedication to a Channel First strategy coupled with best-in-class solutions positions us extremely well to win and best benefit the customers we serve together.

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blog.

Operation ‘Harvest’: A Deep Dive into a Long-term Campaign

By Christiaan Beek

A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping them up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.

In this report, ATR provides a deep insight into this long-term campaign where we will map out our findings against the Enterprise MITRE ATT&CK model. There will be parts that are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to the MITRE Techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we highly trust to be executed by the same adversary.

IOCs that could be shared are at the end of this document.

McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature and behavior-based prevention and detection capability for many of the techniques used  in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors [TA0001]

Forensic investigations identified that the actor established initial access by compromising the victim’s web server [T1190]. On the webserver, software was installed to maintain the presence and storage of tools [T1105] that would be used to gather information about the victim’s network [T1083] and lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PSexec, Procdump, and Mimikatz.

Privilege Escalation and Persistence [TA0004TA0003]

The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalations [T1068]. One of the tools was “RottenPotato”. This is an open-source tool that is used to get a handle to a privileged token, for example, “NT AUTHORITY\SYSTEM”, to be able to execute tasks with System rights.

Example of RottenPotato on elevating these rights:

Figure 1 RottenPotato

The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights towards System rights.

Figure 2 BadPotato

The BadPotato code can be found on GitHub where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using DotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:

TimeDateStamp: 05/12/2020 08:23:47  – Date and time the image was created

PlugX

Another major and characteristic privilege escalation technique the adversary used in this long-term campaign was the malware PlugX as a backdoor. PlugX makes use of the technique “DLL Sideloading” [T1574.002]. PlugX was observed as usual where a single (RAR) executable contained the three parts:

  • Valid executable.
  • Associated DLL with the hook towards the payload.
  • Payload file with the config to communicate with Command & Control Server (C2).

The adversary used either the standalone version or distributed three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating towards two domains. Both domains were registered during the time of the campaign.

One of the PlugX samples consisted of the following three parts:

Filename Hashes
HPCustPartic.exe SHA256: 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll SHA256: 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin SHA256: 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775

The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.

We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with volatility. After the basic forensically sound steps, we ran the malfind plugin to detect possible injected code in a process. From the redacted output of the plugin, we observed the following values for the process with possible injected code:

Process: svchost.exe Pid: 860 Address: 0xb50000

Process: explorer.exe Pid: 2752 Address: 0x56a000

Process: svchost.exe Pid: 1176 Address: 0x80000

Process: svchost.exe Pid: 1176 Address: 0x190000

Process: rundll32.exe Pid: 3784 Address: 0xd0000

Process: rundll32.exe Pid: 3784 Address: 0x220000

One observation is the mention of the SVCHOST process with a ProcessID value of 1176 that is mentioned twice but with different addresses. This is similar to the RUNDLL32.exe that is mentioned twice with PID 3785 and different addresses. One way to identify what malware may have been used is to dump these processes with the relevant PID using the procdump module, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (volatility and Yara) we used a ruleset that consists of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of readability) output:

Figure 3 Output Yarascan memory dump

The output of the Yara rule scan (and there was way more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Also, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.

Investigating the dumps after dynamic analysis, we observed two domain names used for C2 traffic:

  • sery.brushupdata.com
  • dnssery.brushupdata.com

In particular, we saw the following hardcoded value that might be another payload being downloaded:

sery.brushupdata.com/CE1BC21B4340FEC2B8663B69

The PlugX families we observed used DNS [T1071.001] [T1071.004] as the transport channel for C2 traffic, in particular TXT queries. Investigating the traffic from our samples, we observed the check-in-signature (“20 2A 2F 2A 0D”) that is typical for PlugX network traffic:

00000000:            47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45

00000010:            31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54

00000020:            54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20

00000030:            2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43

00000040:            57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55

00000050:            71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D

During our analysis of the different PlugX samples discovered, the domain names as mentioned above stayed the same, though the payload values were different. For example:

  • hxxp://sery.brushupdata.com/B4BBDCC029E119719F065622
  • hxxp://sery.brushupdata.com/07FDB1B97D22EE6AF2482B1B
  • hxxp://sery.brushupdata.com/273CDC0B9C6218BC1187556D

Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:

  • center.asmlbigip.com
  • sec.asmlbigip.com

Hello Winnti

Another mechanism observed was to start a program as a service [T1543.003] on the Operating System with the acquired System rights by using the *Potato tools. The file the adversary was using seemed to be a backdoor that was using the DLL file format (2458562ca2f6fabddae8385cb817c172).

The DLL is used to create a malicious service and its name is service.dll”. The name of the created service, “SysmainUpdate”, is usurping the name of the legitimate service “SysMain” which is related to the legitimate DLL sysmain.dll and also to the Superfetch service. The dll is run using the command “rundll32.exe SuperFrtch.dll, #1”. The export function has the name “WwanSvcMain”.

The model uses the persistence technique utilizing svchost.exe with service.dll to install a rogue service. It appears that the dll employs several mechanisms to fingerprint the targeted system and avoid analysis in the sandbox, making analysis more difficult. The DLL embeds several obfuscated strings decoded when running. Once the fingerprinting has been done, the malware will install the malicious service using the API RegisterServiceHandlerA then SetServiceStatus, and finally CreateEventA. A description of the technique can be found here.

The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.

Figure 4 Decryption routine

When we analyzed this unique routine, we discovered similarities and the mention of it in a publication that can be read here. The malware described in the article is attributed to the Winnti malware family. The operating method and the code used in the DLL described in the article are very similar to our analysis and observations.

The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed, “C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat”. We believe that this dat file might be the loaded payload.

Secondly, while investigating the process dump, we observed activities from the backdoor that are part of the data exfiltration attempts which we will describe in more detail in this analysis report.

A redacted snippet of the code would look like this:

Creating archive ***.rar

Adding   [data from location]

  0%

  OK

Another indicator of discovering Winnti malware was the following execution path we discovered in the command line dump of the memory:

cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat

What we observed here was the use of a valid executable, the AES 256 decryption key of the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company’s name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work since the disk/unallocated space was overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. We observed in the process dump the exfiltration of data on the system, such as OS, Processor (architecture), Domain, Username, etc.

Another clue that helped us was the use of DNS tunneling by Winnti which we discovered traces of in memory. The hardcoded 208.67.222.222 resolves to a legitimate OpenDNS DNS server. The IP is pushed into the list generated by the malware at runtime. At the start of the malware, it populates the list with the system’s DNS, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.

Another indicator in the process dump was the setup of the C2 connection including the User-Agent that has been observed being used by Winnti 4.0 malware:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Other Persistence Activities

WMI activity [T1546.003] was also observed to execute commands on the systems.

From a persistence point of view, scheduled tasks [T1053.005] and the use of valid accounts [T1078] acquired through the use of Mimikatz, or creating LSASS dumps, were observed being employed during the length of the campaign.

Lateral Movement

From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: “PsExec.exe”. This SysInternals tool is often observed being used in lateral movement by adversaries, however, it can also be used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB where the original PsExec (depending on 32- or 64-bit version) had a maximum file size of 1.3 MB. An initial static inspection of the file resulted in a blob of code that was present in the executable which had a very high entropy score (7.99). When running the file from the command line, the following output was observed:

Figure 5 PsExec output

The error notification and the ‘Impacket’ keyword tipped us off and, after digging around, we found more. The fake PsExec is an open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses a script from this location: hxxps://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.pyi. The file is large since it incorporates a low-level protocol interaction from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activities and signed with an expired certificate.

Data Exfiltration

From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.

The adversary used several techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size [T1020] [T1030]. Example of content in a batch script:

C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]

On other occasions, manual variants of the above command were discovered after using the custom backdoor as described earlier.

When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted [T1070.004]. Where external facing assets were used, like a web server, the data was stored in a location in the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the exact file paths [T1041] [T1567] [T1071].

An example of the [redacted] web traffic in the IIS logfiles:

Date /Time Request TCP Src port Source IP User-Agent
Redacted GET /****/[redacted].rar 80 180.50.*.* MINIXL
redacted GET /****/[redacted].rar 80 209.58.*.* MINIXL

The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong-Kong.

The User-Agent value is an interesting one, “MINIXL”. When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent, but also a lot of the artifacts mentioned from the blog overlapped with the observations and TTPs of Operation Harvest [link].

What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.

Who did it?

That seems to be the one-million-dollar question to be asked. Within McAfee, attribution is not our main focus, protecting our customers is our priority. What we do care about is that if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with the knowledge that can help determine which phase of the attack the evidence is pointing to and based on historical data and intelligence, assist in blocking the next phase and discover more evidence?

We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and did a comparison against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.

Figure 6 ATT&CK technique comparison

The diagram reflecting our outcome insinuated that APT27 and APT41 are the most likely candidates that overlap with the (sub-)techniques we observed.

Since all these groups are in a certain time zone, we extracted all timestamps from the forensic investigation with regards to:

  • Registration of domain
  • Compile timestamps of malware (considering deception)
  • Timestamps of command-line activity
  • Timestamps of data exfiltration
  • Timestamps of malware interaction such as creation, deletion, etc.

When we converted all these timestamps from UTC to the aforementioned groups’ time zones, we ended up with the below scheme on activity:

Figure 7 Adversary’s time of operation

In this campaign, we observed how the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.

Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers are at the top of the ‘pyramid of pain’ in threat intelligence. The bottom part of the pyramid is about hashes, URLs, and domains, areas that are very volatile and easy to change by an adversary.

Figure 8 Pyramid of Pain

Beyond investigating those artifacts, we also took possible geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped out all of these, we believed that one of the two previously mentioned groups were responsible for the campaign we investigated.

Our focus was not about attribution though, but more around where the flow of the attack is, matches against previous attack flows from groups, and what techniques/tools they are using to block next steps, or where to locate them. The more details we can gather at the top of ‘the pyramid of pain’, the better we can determine the likely adversary and its TTP’s.

That’s all Folks!

Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same nation with the major motivation of gathering intelligence. In the following diagram we conducted a high-level comparison of the tools being used by the adversary:

Figure 9 Tools comparison

Although some of the tools are unique to each campaign, if taken into consideration over time with when they were used, it makes sense. It demonstrates the development of the actor and use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.

Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would deploy PlugX initially to create a few backdoors in the victim’s network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they were looking to get valid accounts. Once valid accounts were acquired, several tools including some of their own tools were used to gain information about the victim’s network. From there, several shares/servers were accessed, and information gathered. That information was exfiltrated as rar files and placed on an internet-facing server to hide in the ‘normal’ traffic. We represent that in the following graphic:

Figure 10 Attack flow

In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:

Start Ins64.exe E370AA8DA0 Jumper64.dat

The Winnti loader ‘Ins64.exe’ uses the value ‘E370AA8DA0’ to decrypt the payload from the .dat file using the AES-256-CTR decryption algorithm and starts to execute.

After executing this command and analyzing the memory, we observed a process injection in one of the svchost processes whereby one particular file was loaded from the following path:

C:\programdata\microsoft\windows\caches\ieupdate.dll

Figure 11 Memory capture

The malware started to open up both UDP and TCP ports to connect with a C2 server.

UDP Port 20502

TCP Port  20501

Figure 12 Network connections to C2

Capturing the traffic from the malware we observed the following as an example:

Figure 13 Winnti HTTP traffic to C2

The packet data was customized and sent through a POST request with several headers towards the C2. In the above screenshot the numbers after “POST /” were randomly generated.

The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Indeed, the same User Agent value was discovered in the Winnti sample in Operation Harvest and seems to be typical for this malware family.

The cookie value consists of four Dword hex values that contain information about the customized packet size using a XOR value.

We learned more about the packet structure of Winnti from this link.

Applying what we learned about the handshake, we observed the following in our traffic sample:

Dword value 0 = 52 54 00 36

Dword value 1 = 3e ff 06 b2

Dword value 2 = 99 6d 78 fe

Dword value 3 = 08 00 45 00

Dword value 4 = 00 34 00 47

Initial handshake order:

Based on our cross-correlation with samples and other OSINT resources, we believe with a high confidence that this was a Winnti 4.0 sample that connects with a confirmed Winnti C2 server.

The identified C2 server was 185.161.211.97 TCP/80.

Timeline of Events

When analyzing the timestamps from this investigation, like we did for operation Harvest, we came to the below overview:

Figure 14 Beijing working hours case 2019/2020

Again, we observed that the adversary was operating Monday to Friday during office hours in the Beijing time-zone.

Conclusion

Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

After mapping out all data, TTP’s etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.

On a separate note, we observed the use of the Winnti malware. We deliberately mention the term ‘malware’ instead of group. The Winnti malware is known to be used by several actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.

 

MITRE ATT&CK Techniques

Technique ID Technique Title Context Campaign
T1190 Exploit Public-facing application Adversary exploited a web-facing server with application
T1105 Ingress Tool transfer Tools were transferred to a compromised web-facing server
T1083 File & Directory Discovery Adversary browsed several locations to search for the data they were after.
T1570 Lateral Tool Transfer Adversary transferred tools/backdoors to maintain persistence
T1569.002 System Services: Service Execution Adversary installed custom backdoor as a service
T1068 The exploitation of Privilege Escalation Adversary used Rotten/Bad Potato to elevate user rights by abusing API calls in the Operating System.
T1574.002 Hijack Execution Flow: DLL Side-Loading Adversary used PlugX malware that is famous for DLL-Side-Loading using a valid executable, a DLL with the hook towards a payload file.
T1543.003 Create or Modify System Process: Windows Service Adversary launched backdoor and some tools as a Windows Service including adding of registry keys
T1546.003 Event-Triggered Execution: WMI Event Subscription WMI was used for running commands on remote systems
T1053.005 Scheduled task Adversary ran scheduled tasks for persistence of certain malware samples
T1078 Valid accounts Using Mimikatz and dumping of lsass, the adversary gained credentials in the network
T1020 Automated exfiltration The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim’s compromised host.
T1030 Data transfer size limits Adversary limited the size of rar files for exfiltration
T1070.004 Indicator removal on host Where in the beginning of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence
T1041 Exfiltration over C2 channel Adversary used several C2 domains to interact with compromised hosts.
T1567 Exfiltration over Web Service Gathered information was stored as ‘rar’ files on the internet-facing server, whereafter they were downloaded by a specific ip range.
T1071.004 Application layer protocol: DNS Using DNS tunneling for the C2 traffic of the PlugX malware

 

Indicators of Compromise (IOCs)

Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.

Operation Harvest:

PlugX C2:

sery(.)brushupdata(.)com
Dnssery(.)brushupdata(.)com
Center(.)asmlbigip(.)com

 

Tools:

Mimikatz

PsExec

RottenPotato

BadPotato

 

Operation 2019/2020

PlugX malware:

f50de0fae860a5fd780d953a8af07450661458646293bfd0fed81a1ff9eb4498

26e448fe1105b5dadae9b7607e3cca366c6ba8eccf5b6efe67b87c312651db01

e9033a5db456af922a82e1d44afc3e8e4a5732efde3e9461c1d8f7629aa55caf

3124fcb79da0bdf9d0d1995e37b06f7929d83c1c4b60e38c104743be71170efe

 

Winnti:

800238bc27ca94279c7562f1f70241ef3a37937c15d051894472e97852ebe9f4

c3c8f6befa32edd09de3018a7be7f0b7144702cb7c626f9d8d8d9a77e201d104

df951bf75770b0f597f0296a644d96fbe9a3a8c556f4d2a2479a7bad39e7ad5f

 

Winnti C2: 185.161.211.97

 

Tools:

PSW64                  6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6

NTDSDumpEx  6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96

NBTSCAN             c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e

NetSess                ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d

Smbexec              e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee

Wmiexec              14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8

Mimikatz

RAR command-line

TCPdump

The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blog.

McAfee Enterprise Defender’s Blog: Operation Harvest

By Mo Cashman

Summary

McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog, they detail the MITRE Tactics and Techniques the actors used in the attack. In this blog, our Pre-Sales network defenders describe how you can defend against a campaign like Operation Harvest with McAfee Enterprise’s MVISION Security Platform and security architecture best practices.

Defending Against Operation Harvest with McAfee

Operation Harvest, like other targeted attack campaigns, leverages multiple techniques to access the network and capture credentials before exfiltrating data. Therefore, as a Network Defender you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Early prevention, identification and response to potentially malicious activity is critical for business resilience. Below is an overview of how you can defend against attacks like Operation Harvest with McAfee’s MVISION Security Architecture.

Throughout this blog, we will provide some examples of where MVISION Security Platform could help defend against this type of attack.

Get Prepared with the Latest Threat Intelligence

As Network Defenders our goal is to prevent, detect and contain the threat as early as possible in the attack chain. That starts with using threat intelligence, from blogs or solutions like MVISION Insights to get prepared and using tools like MITRE Attack Navigator to assess your defensive coverage. The ATR blog details the techniques, indicators and tools used by the attackers. Many of the tools used in Operation Harvest are common across other threat actors and detection details for PlugX, and Winnti are already documented in MVISION INSIGHTS.

Get a quick overview of the PlugX tool:

Easily search for or export PlugX IOCs right from MVISION Insights:

Get a quick overview of the Winnti tool:

Easily search for or export Winnti IOCs right from MVISION Insights:

Cross Platform Hunting Rules for Winnti:

MVISION Insights is also updated with the latest technical intelligence on Operation Harvest including a summary of the threat, prevalence, indicators of compromise and recommended defensive countermeasures.

Defending Against Initial Access

In this attack, the initial access involved a compromised web server. Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains. The exploiting of public-facing vulnerabilities for Initial Access is a technique associated with Operation Harvest and other APT groups to gain entry. Detecting this activity and stopping it is critical to limiting the abilities of the threat actor to further their execution strategy. Along with detecting the ongoing activity, it is also imperative to verify critical vulnerabilities are patched and configurations are security best practice to prevent exploitation. MVISION UCE provides visibility into threats, vulnerabilities, and configuration audits mapped to the MITRE ATT&CK Framework for protection against suspicious activity.

Many customer-facing applications and web servers are hosted on cloud infrastructure. As a Network Defender, gaining visibility and monitoring for misconfigurations on the infrastructure platforms is critical as this is increasingly the entry point for an attacker. MVISION Cloud Native Application Protection Platform (CNAPP) provides a continuous assessment capability for multiple cloud platforms in a single console so you can quickly correct misconfigurations and harden the security posture across AWS, AZURE or Google Cloud Platforms.

Harden the Server or Endpoint Against Malicious Tool use

The attackers uploaded several known or potentially malicious tools to compromised systems. Many of these tools were detected on installation or execution by ENS Threat Prevention or Adaptative Threat Prevention Module. The following is a sample of the Threat Event log from ePolicy Orchestrator (ePO) from our testing.

You can easily search for these events in ePO and investigate any systems with detections.

For best protection turn on Global Threat Intelligence (GTI) for both Threat Prevention and Adaptive Threat Protection modules. Ensure ATP Rules 4 (GTI File Reputation) and 5 (URL Reputation) are enabled in ATP. Global Threat Intelligence is updated with the latest indicators for this attack as well.

Additionally, based on other observables in this attack, we believe there are several other Adaptive Threat Prevention Rules that could prevent or identify potentially malicious activity on the endpoint or server. Monitor especially for these ATP events in the ePO threat event logs:

Rule 269: Detects potentially malicious usage of WMI service to achieve persistence

Rule 329: Identify suspicious use of Scheduled Tasks

Rule 336: Detect suspicious payloads targeting network-related services or applications via dual use tools

Rule 500: Block lateral movement using utilities such as Psexec from an infected client to other machines in the network

Rule 511: Detect attempts to dump sensitive information related to credentials via lsaas

Analysis will continue and additional ATP rules we think relate will be added to mitigation guidance in MVISION Insights.

ENS with Expert Rules

Expert Rules are a powerful, customizable signature language within ENS Threat Prevention Module. For this attack, you could use Expert Rules to identify potential misuse of Psexec or prevent execution or creation of certain file types used such as .rar files.

Additional guidance on creating your own Expert Rules and link to our repository are here:

How to Use Expert Rules in ENS to Prevent Malicious Exploits

ATR Expert Rule Repository

Per standard practice, we recommend that customers test this rule in report mode before applying in block mode.

Preventing or Detecting Command and Control

Like other attacks exploiting critical vulnerabilities, attackers may gain command and control over exploited systems to deliver payloads or other actions. MVISION EDR can both identify many command-and-control techniques such as Cobalt Strike beacons. In this case, MVISION EDR would have logged the DNS and HTTP connection requests to the suspicious domains and an SOC analysts could use Real Time and Historical search to hunt proactively for compromised machines.

Additionally, Unified Cloud Edge (UCE – SWG) can prevent access to risky web sites using threat intelligence, URL reputation, behaviour analysis and remote browser isolation. Ensure you have a strong web security policy in place and are monitoring logs. This is a great control to identify potentially malicious C2 activity.

Monitoring for Privilege Escalation

The adversary used several techniques and tools to elevate privileges and run Mimikatz to steal credentials. In our simulation, MVISION EDR proactively identified the attempt to download and execute in memory a Mimikatz PowerShell script.

We simulated the attacker malicious attempt using potato tools reproducing a generic privilege escalation. From the EDR monitoring process tree we could observe the sequence of events with a change in terms of user name from a user account to SYSTEM.”

We started a guided investigation on the affected system. Analytics on the data identified anomalies in user behavior. Guided investigations make easier to visualize complex data sets and interconnections between artifacts and systems.

Identifying Commonly used Tools for Lateral Movement

The attackers used a common dual use system utility, in this case Psexec.exe, to move laterally. In many cases, the malicious use of legitimate system tools is difficult to detect with signature-based detection only. MVISION EDR uses a combination of behaviour analytics and threat intelligence to proactively identify and flag a high severity alert on malicious use of Psexec for lateral movement.

Psexec.exe used for lateral movement:

Mapping User and Data Anomalies to Detect Exfiltration

The threat actors behind Operation Harvest utilized various tools to elevate privileges and exfiltrate data out of the impacted environment. Visualizing anomalies in user activity and data movement can be used to detect out of the ordinary behavior that can point to malicious activity going on in your environment. MVISION UCE will monitor user behavior and provide anomalies for the security team to pinpoint areas of concern for insider or external adversarial threats.

Identifying User Access Anomalies with UCE:

Identifying Data Transfer Anomalies with UCE:

Summary

MVISION Security Platform provides defense in depth to prevent, disrupt or detect many of the techniques used in Operation Harvest. As a network defender, focus on early prevention or detection of the techniques to better protect your organization against cyber-attacks.

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blog.

How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates

By Max Kersten

Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution.

Executive Summary

McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.

Introduction

For many years the world of Ransomware-as-a-Service (RaaS) was perceived as a somewhat hierarchical and structured organization. Ransomware developers would advertise their RaaS program on forums and gracefully open up slots for affiliates to join their team to commit crime. The RaaS admins would conduct interviews with potential affiliates to make sure they were skilled enough to participate. Historically, i.e., with CTB locker, the emphasis was on affiliates generating enough installs via a botnet, exploit kits or stolen credentials, but it has shifted in recent years to being able to penetrate and compromise a complete network using a variety of malicious and non-malicious tools. This essentially changed the typical affiliate profile towards a highly-skilled pen-tester/sysadmin.

Figure 1. Recruitment posting for CTB locker from 2014

Figure 2. Recruitment posting for REvil from 2020

Experts often describe the hierarchy of a conventional organized crime group as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.

While criminals collaborating in the world of cybercrime isn’t a novel concept, a RaaS group’s hierarchy is more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

However, this growth isn’t without consequences. Recently we have observed certain events that might be the beginning of a new chapter in the RaaS ecosystem.

Cracks in the RaaS model

Trust in the cybercriminal underground is based on a few things, such as keeping your word and paying people what they deserve. Just like with legitimate jobs, when employees feel their contributions aren’t adequately rewarded, those people start causing friction within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.

Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online, as shown in the screenshot below.

Figure 3. Disgruntled Conti affiliate

In the past, ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.

Recently, security researcher Fabian Wosar opened a dedicated Jabber account for disgruntled cybercriminals to reach out anonymously and he stated that there was a high level of response.

Figure 4. Jabber group for unhappy threat actors

Moreover, the popular cybercrime forums have banned ransomware actors from advertising since the Colonial Pipeline attack. Now, the groups no longer have a platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

Paying respects…. RAMP Forum and Orange

After a turbulent shutdown of Babuk and the fallout from the Colonial Pipeline and Kaseya attacks, it seems that some of the ransomware-affiliated cybercriminals have found a home in a forum known as RAMP.

Figure 5. RAMP posting by Orange, introducing Groove and explaining relationships

Translated Posting

When analyzing RAMP and looking at the posting above from the main admin Orange, it’s hard to ignore numerous references that are made: From the names chosen, to the avatar of Orange’s profile, which happens to be a picture of a legitimate cyber threat intelligence professional.

Orange

Hello, friends! I am happy to announce the first contest on Ramp.

Let’s make it clear that we don’t do anything without a reason, so at the end of the day, it’s us who will benefit most from this contest 🙂

Here’s the thing: besides my new projects and old, I have always had this unit called

GROOVE — I’ve never revealed its name before and it’s never been mentioned directly in the media, but it does exist — we’re like Mossad (we are few and aren’t hiring). It’s Groove whom the babuk ransomware needs to thank for its fame.

Groove rocks, and babuk stinks 🙂

Challenge: Using a PHP stack+MYSQL+Bootstrap, code a standard ransomware operators’ blog in THE RUSSIAN LANGUAGE with the following pages:

1) About us

The description of a group, which must be editable from the admin panel and use the same visual editor as our forum.

2) Leaks.

No hidden blogs, just leaks.

Use standard display, just like other ransomware operators’ blogs do.

3) News

A news page; it must be possible to add and edit news via the admin panel.

We’ll be accepting your submissions up to and including August 30.

Who will rate the entries and how?

There will be only one winner. I, Orange, will rate the usability and design of blogs. MRT will rate each entry’s source code and its security. In addition to USD 1k, the winner will most likely get a job in the RAMP team!

Now, for those of you who are interested in entirely different things:

1) No, we are not with the Kazakh intelligence agency.

https://www.fr.sogeti.com/globalassets/france/avis-dexperts–livres-blancs/cybersecchronicles_-_babuk.pdf

2) Groove has never had a ransomware product, nor will that ever change.

3) The babuk team doesn’t exist. We rented the ransomware from a coder who could not shoulder the responsibility, got too scared and decided to leave an error in the ESX builder — naturally, to give us a reason to chuck him out (his motives? Fxxx if I know)

babuk 2.0, which hit the headlines, is not to be taken seriously and must be regarded as nothing but a very stupid joke

4) GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in

RAMP Ransom Anon Mark[et] Place

RAMP was created in July 2021 by a threat actor TetyaSluha, who later changed their moniker to ‘Orange.’ This actor claimed the forum would specifically cater to other ransomware-related threat actors after they were ousted from major cybercrime forums for being too toxic, following the high-profile ransomware attacks against the Colonial Pipeline and Washington D.C.’s Metropolitan Police Department in the spring of 2021.

At the time of the initial launch, Orange claimed the forum’s name was a tribute to a now-defunct Russian-language underground drug marketplace, “Russian Anonymous Marketplace,” which was taken down by Russian law enforcement agencies in 2017.  The re-launched cybercrime forum’s name now supposedly stands for “Ransom Anon Mark[et] Place”.

The forum was initially launched on the same TOR-based resource that previously hosted a name-and-shame blog operated by the Babuk ransomware gang and the Payload.bin marketplace of leaked corporate data. The forum was later moved to a dedicated TOR-based resource and relaunched with a new layout and a revamped administrative team, where Orange acted as the admin, with other known actors MRT, 999 and KAJIT serving as moderators.

Why the name Orange?

Why the admin changed handles from TetyaSluha to Orange isn’t 100 percent clear. However, looking back, the early days of RAMP provides us some evidence on who this person has been affiliated with. We found a posting from  where the names Orange and Darkside are mentioned as potential monikers. Very shortly after that, TetyaSluha changed their handle to Orange. While the initial message has been removed from the forum itself, the content was saved thanks to Intel 471.

July 12th 2021 by Mnemo

Congratulations on the successful beginning of struggle for the right to choose and not to be evicted. I hope, the community will soon fill with reasonable individuals.

Oh yeah, you’ve unexpectedly reminded everyone about the wonderful RAMP forum. Are the handles Orange and Darkside still free?

The name Darkside might sound more familiar than Orange but, as we saw with the naming of RAMP, TetyaSluha is one for cybercrime sentiment, so there is almost certainly some hidden meaning behind it.

Based on ATR’s previous research, we believe the name Orange was chosen as a tribute to REvil/GandCrab. People familiar with those campaigns have likely heard of the actor UNKN’. However, there was a less well known REvil affiliate admin named Orange. A tribute seems fitting if Tetyasluha isn’t the notorious Orange as that moniker is tied to some successful ransomware families, GandCrab and REvilthat shaped the RaaS ecosystem as we know it today. 

In the past, UNKN was linked to several other monikers, however Orange was hardly mentioned since there wasn’t a matching public handle used on any particular cybercrime forum.  However, REvil insiders will recognize the name Orange as one of their admins.

Based on ATR’s closed-source underground research, we believe with a high level of confidence, that UNKN was indeed linked to the aforementioned accounts, as well as the infamous “Crab”handle used by GandCrab. Crab was one of the two affiliate-facing accounts that the GandCrab team had (The other being Funnycrab). We believe with a high level of confidence that after the closure of GandCrab, the individual behind the Funnycrab account changed to the account name to Orange and continued operations with REvil, with only a subset of skilled GandCrab affiliates, (as described in our Virus Bulletin 2019 whitepaper) since GandCrab grew too big and needed to shed some weight.

The posting in figure 5 is also shedding some light on the start of the Groove Gang, their relationship to Babuk and, subsequently, BlackMatter.

Groove Gang

In the post from Figure 5, “Orange” also claims to have always had a small group of people that the group collaborates with. Additionally, the actor claims that the name has not been mentioned in the media before, comparing the group to the Israeli secret service group Mossad. The group’s comparison to Mossad is extremely doubtful at best, given the drama that has publicly played out. Groove claims several of Babuk’s victims, including the Metropolitan Police Department, brought them a lot of attention. The several mentions to Babuk isn’t by mistake: we have evidence the two groups also have connections, which we’ve pieced together from examining the behavior of — and particularly the fallout between — the two groups.

Babuk’s Fallout

Originally, the Babuk gang paid affiliates by each victim they attacked. Yet on April 30, it was reported that the gang suddenly had stopped working with affiliates, including the act of encrypting a victim’s system. Instead, their focus shifted to data exfiltration and extortion of targeted organizations. That was followed by the group releasing the builder for the old versions of its ransomware as it pivoted to a new one for themselves.

The attention that Babuk drew by hacking and extorting the Metropolitan Police Department meant their brand name became widely known. It also meant that more firms and agencies were interested in finding out who was behind it. This kind of heat is unwanted by most gangs, as any loose ends that are out there can come back to bite them.

Then, on September 3, the threat actor with the handle ‘dyadka0220’ stated that they were the principal developer of Babuk ransomware and posted what they claimed was the Babuk ransomware source code. They claimed the reason they were sharing everything was due to being terminally ill with lung cancer.

Figure 6. Dyadka0220 was possibly the developer that Orange hinted at in the posting (Figure 5) mentioned above.

On September 7, the Groove gang responded with a blog on their own website, titled “Thoughts about the meaning”, which rhymes in Russian. In this blog, the gang (allegedly) provides information on several recent happenings. Per their statement, the illness of ‘dyadka0220’ is a lie. Additionally, their response alleges that the Groove gang never created the Babuk ransomware themselves, but worked with someone else to produce it.

The validity of the claims in Groove’s latest blog is hard to determine, although this does not matter too much: the Babuk group, including affiliates, had a fallout that caused the group to break up, causing the retaliation of several (ex-)members.

Observed Behavior

The ATR team has covered Babuk multiple times. The first blog, published last February, covers the initial observations of the group’s malware. The second blog, published last July, dives into the ESXi version of the ransomware and its issues. The group’s tactics, techniques, and procedures (TTPs) are in-line with commonly observed techniques from ransomware actors. The deployment of dual-use tools, which can be used for both benign and malicious purposes, is difficult to defend against, as intent is an unknown term for a machine. Together with other vendors we have narrowed down some of the TTPs observed by the Groove gang.

Initial Access

The actor needs to get a foothold within the targeted environment. The access can be bought, in terms of stolen (yet valid) credentials, or direct access in the form of a live backdoor on one or more of the victim’s systems. Alternatively, the actor can exploit publicly facing infrastructure using a known or unknown exploit. To ATR’s understanding, the latter has been used several times by exploiting vulnerable VPN servers.

Lateral Movement, Discovery and Privilege Escalation

Moving around within the network is an important step for the actor, for two reasons. Firstly, it allows the attacker to find as much data as possible, which is then exfiltrated. Secondly, access to all machines is required in order to deploy the ransomware at a later stage. By encrypting numerous devices at once, it becomes even harder to control the damage from a defender’s point of view. The actor uses commonly known tools, such as Ad-Find and NetScan, to gather information on the network. Based on the gathered information, the actor will move laterally through the network. One of the most frequently observed methods by this actor to do so, is by using RDP.

To work with more than user-level privileges, the actor has a variety of options to escalate their privilege to a domain administrator. Brute forcing RDP accounts, the dumping of credentials, and the use of legacy exploits such as EternalBlue (CVE-2017-0144), are ways to quickly obtain access to one or more privileged accounts. Once access to these systems is established, the next phase of the attack begins.

Data Exfiltration and Ransomware Deployment

The actor navigates through the machines on the network using the earlier obtained access. To exfiltrate the collected data, the attacker uses WinSCP. Note that other, similar, tools can also be used. Once all relevant data has been stolen, the attacker will execute the ransomware in bulk. This can be done in a variety of ways, ranging from manually starting the ransomware on the targeted machines, scheduling a task per machine, or using PsExec to launch the ransomware.

Linking Groove to Babuk and BlackMatter

As discussed above, there was a fallout within Babuk. From that fallout, a part of the group stayed together to form Groove. The server that Babuk used, which we will refer to as the “wyyad” server due to the ending of the onion URL, rebranded in late August 2021. The similarities can be seen in the two screenshots below.

Figure 7. The changes to the landing page from Babuk to Groove

Aside from this, data from old Babuk victims is still hosted on this server. The ATR team found, among others, leaks that belong to:

  • a major US sports team,
  • a British IT service provider,
  • an Italian pharmaceutical company,
  • a major US police department,
  • a US based interior shop.

All these victims have previously been claimed by (and attributed to) Babuk.

Another gang, known as BlackMatter, uses a variety of locations to host their extorted files, which can be done out of convenience or to avoid a single notice and takedown to remove all offending files. Additionally, the ATR team assumes, with medium confidence, that different affiliates use different hosting locations.

The data of one of the BlackMatter gang’s victims, a Thai IT service provider, is stored on the “wyyad” server. As such, it can mean that the Groove gang worked as an affiliate for the BlackMatter gang. This is in line with their claim to work with anybody, as long as they profit from it. The image below shows the BlackMatter leak website linking to the “wyyad” server.

Figure 8. screenshot of BlackMatter, where the data is stored on the Groove server

The Groove gang’s website contains, at the time of writing, a single leak: data from a German printing company. Even though the website is accessible via a different address, the leaked data is stored on the “wyyad” server.

Figure 9. Another Groove victim but stored on their own page

The affected company does not meet BlackMatter’s “requirements,” the group has said it only goes after companies that make more than $US 100 million. This company’s annual revenue is estimated at $US 75 million, as seen in the below screenshot.

Figure 10. Posting on the Exploit forum by BlackMatter

At the end of Orange’s announcement comes a call to action and collaboration: “GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in”.

The group’s primary goal, making money, is not limited to ransomware. Inversely, ransomware would be the cherry on top. This is yet another indication of the ransomware group’s shift to a less hierarchical set-up and a more fluid and opportunistic network-based way of working.

In the Groove gang’s blog on September 7, a reference is made with regards to BlackMatter, and its links to DarkSide. If true, these insights show that the Groove gang has insider knowledge of the BlackMatter gang. This makes the collaboration between Groove and BlackMatter more likely. If these claims are false, it makes one wonder as to why the Groove gang felt the need to talk about other gangs, since they seem to want to make a name for themselves.

Due to the above outlined actions ATR believes, with high confidence, that the Groove gang is a former affiliate or subgroup of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them. Thus, an affiliation with the BlackMatter gang is likely.

Conclusion

Ever since Ransomware-as-a-Service became a viable, and highly profitable, business model for cybercriminals, it has operated in much the same way with affiliates being the sometimes underpaid workhorses at the bottom of a rigid pyramid shaped hierarchy.

For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling. Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.

Time will tell if this approach enhances the reputation of the Groove gang to the level of the cybercriminals they seem to admire. One thing is clear though; with the manifestation of more self-reliant cybercrime groups the power balance within the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim’s networks.

MITRE TTPs

We have compiled a list of TTPs based on older Babuk cases and some recent cases linked to Groove:

  • T1190: Exploit Public-Facing Application (VPN services)
  • T1003: OS Credential Dumping
  • 002: Valid Accounts: Domain Accounts
  • T1059: Command and Scripting Interpreter
  • T1021:002: SMB/Windows Admin Shares
  • T1210: Exploitation of Remote Services
  • T1087: Account Discovery
  • T1482: Domain Trust Discovery
  • T1562: Impair Defense
  • T1537: Transfer Data to Cloud Account
  • T1567: Exfiltration Over Web Service

If a partnership is achieved with a Ransomware family:

  • T1486 Data Encrypted for Impact

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blog.

Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann

By Melissa Gaffney

I’m back at it again with another round of our executive blog series. This week I had the privilege to speak with Tom Gann, our Chief Public Policy officer and he had some interesting things to say on the cyber security issues that are shaping public policy dialogue in Washington DC and other capitals around the world, and much much more.

Q: What is one event in your life that made you who you are today?

Teaching tennis. I know that teaching tennis is not an event, it’s a sport. For me it was a business at a young age that helped to change my life.

I grew up in Palo Alto, CA, when the town was middle-class. I went to Gunn High School when the school was very good at tennis – they had 10 undefeated seasons. My parents were kind enough to pay for tennis lessons and while I was only a so-so tennis player, my tennis coach thought that I would be a good teacher. And so, starting in the 11th grade, I began teaching tennis for a tennis shop in Menlo Park called the Better Backhand. Then later, when I was at Stanford, I started my own business teaching lessons on private tennis courts which helped me pay for school and a car.

Through this experience, I learned how to become a professional and most importantly, how to relate to people while helping them learn something valuable. I am amazed that many of the things I learned from teaching tennis still guide me today: treating people well, empowering them, and striving to get things done that matter.

Q: What are the biggest cyber security issues shaping the public policy dialogue in Washington DC and other capitals around the world?

The reality today, and likely in the future, is that the bad guys have and will continue to have the advantage. Bad guys need to be right one time to get into a government or company environment. The good guys, playing defense, need to be right every time. This reality is made more challenging by the fact that today’s typical new, best-in-class cyber security solution is often out of date in two years because the bad guys are great at innovating. At the same time, unfortunately, many organizations are too slow or too distracted to ensure all their cyber security solutions work effectively together.

The threats from nation states, criminal organizations, and terrorist groups is only getting bigger as time goes on – meaning our challenge continually grows, shifts, and evolves. Today, these actors are perfecting a wide range of ransomware strategies to blackmail all types of organizations in the public and private sectors.

Responsible governments and citizens need to demand real change, they need to push non-compliant nation states to commit to a basic level of fair play. The public and private sectors also need to work together to create a firewall against these bad actors who use ransomware to achieve such strategic objectives as profit and intimidation.

Q: What is the true value cloud security has brought to the government contracting and federal sectors? Why is there so much hype around this technology?

Everyone is moving to the cloud – private and public sector organizations as well as folks at home. This trend makes sense because the cloud is cost effective, reliable, and highly secure. However, the key in this shift is to make sure that government agencies have the flexibility to rapidly work with private sector experts – the data center, the enterprise software, and the cyber security leaders – to ensure long term success. Too often, I have seen government agencies use outdated procurement rules and processes that bog down progress. This often results in cloud and data center deployments, particularly when government agencies host these infrastructures, being completed with last generation solutions.

At the same time, outdated contracting rules can limit the ability of agencies to field the most up to date cyber security solutions. This challenge is becoming a bigger deal as agencies deploy multiple cloud solutions. These many cloud implementations create targets of opportunity for hackers who exploit security gaps between and among clouds, meaning agencies need to be proactive to ensure that their move to the cloud is safe and effective. Policymakers need to step up to the plate and modernize procurement rules and processes. Such support will help government agencies work quicker and more effectively to serve our citizens who demand first-class service from their government.

Q: How can our organization be the best partner to government agencies moving forward?

It is all about trust. Without trust you have noting. Working with the government, a company, or your neighbor down the street is the same – it all depends on trust. This means doing what you say you will do and working to overdeliver on your commitments.

 

The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blog.

❌