LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling

Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements

A postmortem analysis of multiple incidents in which attackers eventually launched the latest version of LockBit ransomware (known variously as LockBit 3.0 or ‘LockBit Black’), revealed the tooling used by at least one affiliate. Sophos’ Managed Detection and Response (MDR) team has observed both ransomware affiliates and legitimate penetration testers use the same collection of tooling over the past 3 months.

Leaked data about LockBit that showed the backend controls for the ransomware also seems to indicate that the creators have begun experimenting with the use of scripting that would allow the malware to “self-spread” using Windows Group Policy Objects (GPO) or the tool PSExec, potentially making it easier for the malware to laterally move and infect computers without the need for affiliates to know how to take advantage of these features for themselves, potentially speeding up the time it takes them to deploy the ransomware and encrypt targets.

A reverse-engineering analysis of the LockBit functionality shows that the ransomware has carried over most of its functionality from LockBit 2.0 and adopted new behaviors that make it more difficult to analyze by researchers. For instance, in some cases it now requires the affiliate to use a 32-character ‘password’ in the command line of the ransomware binary when launched, or else it won’t run, though not all the samples we looked at required the password.

We also observed that the ransomware runs with LocalServiceNetworkRestricted permissions, so it does not need full Administrator-level access to do its damage (supporting observations of the malware made by other researchers).

Most notably, we’ve observed (along with other researchers) that many LockBit 3.0 features and subroutines appear to have been lifted directly from BlackMatter ransomware.

Is LockBit 3.0 just ‘improved’ BlackMatter?

Other researchers previously noted that LockBit 3.0 appears to have adopted (or heavily borrowed) several concepts and techniques from the BlackMatter ransomware family.

We dug into this ourselves, and found a number of similarities which strongly suggest that LockBit 3.0 reuses code from BlackMatter.

Anti-debugging trick

Blackmatter and Lockbit 3.0 use a specific trick to conceal their internal functions calls from researchers. In both cases, the ransomware loads/resolves a Windows DLL from its hash tables, which are based on ROT13.

It will try to get pointers from the functions it needs by searching the PEB (Process Environment Block) of the module. It will then look for a specific binary data marker in the code (0xABABABAB) at the end of the heap; if it finds this marker, it means someone is debugging the code, and it doesn’t save the pointer, so the ransomware quits.

After these checks, it will create a special stub for each API it requires. There are five different types of stubs that can be created (randomly). Each stub is a small piece of shellcode that performs API hash resolution on the fly and jumps to the API address in memory. This adds some difficulties while reversing using a debugger.

Screenshot of disassembler code
LockBit’s 0xABABABAB marker

SophosLabs has put together a CyberChef recipe for decoding these stub shellcode snippets.

Output of a CyberChef recipe
The first stub, as an example (decoded with CyberChef)

Obfuscation of strings

Many strings in both LockBit 3.0 and BlackMatter are obfuscated, resolved during runtime by pushing the obfuscated strings on to the stack and decrypting with an XOR function. In both LockBit and BlackMatter, the code to achieve this is very similar.

Screenshot of disassembler code
BlackMatter’s string obfuscation (image credit: Chuong Dong)

Georgia Tech student Chuong Dong analyzed BlackMatter and showed this feature on his blog, with the screenshot above.

Screenshot of disassembler code
LockBit’s string obfuscation, in comparison

By comparison, LockBit 3.0 has adopted a string obfuscation method that looks and works in a very similar fashion to BlackMatter’s function.

API resolution

LockBit uses exactly the same implementation as BlackMatter to resolve API calls, with one exception: LockBit adds an extra step in an attempt to conceal the function from debuggers.

Screenshot of disassembler code
BlackMatter’s dynamic API resolution (image credit: Chuong Dong)

The array of calls performs precisely the same function in LockBit 3.0.

Screenshot of disassembler code
LockBit’s dynamic API resolution

Hiding threads

Both LockBit and BlackMatter hide threads using the NtSetInformationThread function, with the parameter ThreadHideFromDebugger. As you probably can guess, this means that the debugger doesn’t receive events related to this thread.

Screenshot of disassembler code
LockBit employs the same ThreadHideFromDebugger feature as an evasion technique

Printing

LockBit, like BlackMatter, sends ransom notes to available printers.

Screenshot of disassembler code
LockBit can send its ransom notes directly to printers, as BlackMatter can do

Deletion of shadow copies

Both ransomware will sabotage the infected computer’s ability to recover from file encryption by deleting the Volume Shadow Copy files.

LockBit calls the IWbemLocator::ConnectServer method to connect with the local ROOT\CIMV2 namespace and obtain the pointer to an IWbemServices object that eventually calls IWbemServices::ExecQuery to execute the WQL query.

Screenshot of disassembler code
BlackMatter code for deleting shadow copies (image credit: Chuong Dong)

LockBit’s method of doing this is identical to BlackMatter’s implementation, except that it adds a bit of string obfuscation to the subroutine.

Screenshot of disassembler code
LockBit’s deletion of shadow copies

Enumerating DNS hostnames

Both LockBit and BlackMatter enumerate hostnames on the network by calling NetShareEnum.

Screenshot of disassembler code
BlackMatter calls NetShareEnum() to enumerate hostnames… (image credit: Chuong Dong)

In the source code for LockBit, the function looks like it has been copied, verbatim, from BlackMatter.

Screenshot of disassembler code
…as does LockBit

Determining the operating system version

Both ransomware strains use identical code to check the OS version – even using the same return codes (although this is a natural choice, since the return codes are hexadecimal representations of the version number).

Screenshot of disassembler code
BlackMatter’s code for checking the OS version (image credit: Chuong Dong)
Screenshot of disassembler code
LockBit’s OS enumeration routine

Configuration

Both ransomware contain embedded configuration data inside their binary executables. We noted that LockBit decodes its config in a similar way to BlackMatter, albeit with some small differences.

For instance, BlackMatter saves its configuration in the .rsrc section, whereas LockBit stores it in .pdata

Screenshot of disassembler code
BlackMatter’s config decryption routine (image credit: Chuong Dong)

And LockBit uses a different linear congruential generator (LCG) algorithm for decoding.

Screenshot of disassembler code
LockBit’s config decryption routine

Some researchers have speculated that the close relationship between the LockBit and BlackMatter code indicates that one or more of BlackMatter’s coders were recruited by LockBit; that LockBit bought the BlackMatter codebase; or a collaboration between developers. As we noted in our white paper on multiple attackers earlier this year, it’s not uncommon for ransomware groups to interact, either inadvertently or deliberately.

Either way, these findings are further evidence that the ransomware ecosystem is complex, and fluid. Groups reuse, borrow, or steal each other’s ideas, code, and tactics as it suits them. And, as the LockBit 3.0 leak site (containing, among other things, a bug bounty and a reward for “brilliant ideas”) suggests, that gang in particular is not averse to paying for innovation.

LockBit tooling mimics what legitimate pentesters would use

Another aspect of the way LockBit 3.0’s affiliates are deploying the ransomware shows that they’re becoming very difficult to distinguish from the work of a legitimate penetration tester – aside from the fact that legitimate penetration testers, of course, have been contracted by the targeted company beforehand, and are legally allowed to perform the pentest.

The tooling we observed the attackers using included a package from GitHub called Backstab. The primary function of Backstab is, as the name implies, to sabotage the tooling that analysts in security operations centers use to monitor for suspicious activity in real time. The utility uses Microsoft’s own Process Explorer driver (signed by Microsoft) to terminate protected anti-malware processes and disable EDR utilities. Both Sophos and other researchers have observed LockBit attackers using Cobalt Strike, which has become a nearly ubiquitous attack tool among ransomware threat actors, and directly manipulating Windows Defender to evade detection.

Further complicating the parentage of LockBit 3.0 is the fact that we also encountered attackers using a password-locked variant of the ransomware, called lbb_pass.exe , which has also been used by attackers that deploy REvil ransomware. This may suggest that there are threat actors affiliated with both groups, or that threat actors not affiliated with LockBit have taken advantage of the leaked LockBit 3.0 builder. At least one group, BlooDy, has reportedly used the builder, and if history is anything to go by, more may follow suit.

LockBit 3.0 attackers also used a number of publicly-available tools and utilities that are now commonplace among ransomware threat actors, including the anti-hooking utility GMER, a tool called AV Remover published by antimalware company ESET, and a number of PowerShell scripts designed to remove Sophos products from computers where Tamper Protection has either never been enabled, or has been disabled by the attackers after they obtained the credentials to the organization’s management console.

We also saw evidence the attackers used a tool called Netscan to probe the target’s network, and of course, the ubiquitous password-sniffer Mimikatz.

Incident response makes no distinction

Because these utilities are in widespread use, MDR and Rapid Response treats them all equally – as though an attack is underway – and immediately alerts the targets when they’re detected.

We found the attackers took advantage of less-than-ideal security measures in place on the targeted networks. As we mentioned in our Active Adversaries Report on multiple ransomware attackers, the lack of multifactor authentication (MFA) on critical internal logins (such as management consoles) permits an intruder to use tooling that can sniff or keystroke-capture administrators’ passwords and then gain access to that management console.

It’s safe to assume that experienced threat actors are at least as familiar with Sophos Central and other console tools as the legitimate users of those consoles, and they know exactly where to go to weaken or disable the endpoint protection software. In fact, in at least one incident involving a LockBit threat actor, we observed them downloading files which, from their names, appeared to be intended to remove Sophos protection: sophoscentralremoval-master.zip and sophos-removal-tool-master.zip. So protecting those admin logins is among the most critically important steps admins can take to defend their networks.

For a list of IOCs associated with LockBit 3.0, please see our GitHub.

Acknowledgments

Sophos X-Ops acknowledges the collaboration of Colin Cowie, Gabor Szappanos, Alex Vermaning, and Steeve Gaudreault in producing this report.

Source :
https://news.sophos.com/en-us/2022/11/30/lockbit-3-0-black-attacks-and-leaks-reveal-wormable-capabilities-and-tooling/

Industry 4.0: CNC Machine Security Risks Part 3

In this final installation of our three-part blog series, we lay out countermeasures that enterprises can do to protect their machines. We’ll also discuss our responsible disclosure as well as the feedback we got from the vendors we evaluated.

Countermeasures

We found that only two of the four vendors analyzed support authentication. Neither of them has authentication enabled by default, which leaves the machines vulnerable to attacks by malicious users. Enabling authentication is essential for protecting Industry 4.0 features from abuse.

Resource access control systems are important for reducing the impact of attacks. Many technologies allow access to all a controller’s resources, which can be dangerous. A correct approach is to adopt resource access control systems that grant limited access. This will help to ensure that only authorized users have access to the controller’s resources and that these resources are protected from unauthorized access.

When it comes to integrators and end users, we suggest these countermeasures:

  • Context-aware industrial intrusion prevention and detection systems (IPS/IDSs): These devices, which have recently seen a surge in popularity in the catalogues of security vendors, are equipped with network engines that can capture real-time traffic associated with industrial protocols to detect attacks.
  • Network segmentation: Correct network architecting is of great importance. As our research has revealed, all the tested machines expose interfaces that could be abused by miscreants.
  • Correct patching: Modern CNC machines are equipped with full-fledged operating systems and complex software, which might inevitably contain security vulnerabilities. This was indeed the case with the machines that we tested.

Responsible Disclosure

We contacted the affected vendors while tackling controllers sequentially, with our first contact in November 2021 and the last one in March 2022. The Industrial Control Systems Cyber Emergency Response Team (ICS CERT) at Cybersecurity & Infrastructure Security Agency extended invaluable help during the discussion which we are grateful for.

disclosure-process
Table 1. A summary of our responsible disclosure process

As of this writing, all four vendors have replied to our concerns and most of them have addressed, to varying degrees, our findings in a reasonable time frame. More importantly, all of them have expressed interest in our research and have decided to improve either their documentation or their communication efforts with their machine manufacturers, with the final effort of offering end users more secure solutions.

To learn more about the security risks faced by CNC machines, download our comprehensive report here.

Source :
https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-3.html

Industry 4.0: CNC Machine Security Risks Part 2

In part one, we discussed what numerical control machines do and their basic concepts. These concepts are important to understand the machines better, offering a wider view of their operations. We also laid out how we evaluated the chosen vendors for our research.

For this blog, we will continue discussing our evaluated vendors and highlighting findings that we discovered during our research.

Haas

haas-simulator
Figure 1. The Haas simulator we used for preliminary testing (left) and the Haas CNC machine (Super Mini Mill 2) by Celada we used for verification (right)

Haas was the first vendor we focused on because of the fast availability of its controller. We began our analysis by conducting port scanning on the controller simulator and identifying the protocols exposed by the controller. After that, we evaluated the options with which an attacker could abuse the protocols to perform attacks aimed at the security of the machine and verified these attacks in practice on a real-world machine installation.

Okuma

okuma-simulator
Figure 2. The Okuma simulator we used for the development of the malicious application and during the initial testing

Okuma stands out in the market of CNC controllers for one interesting feature: the modularity of its controller. While the vendor offers in the device’s simplest form a tiny controller, it also provides a mechanism, called THINC API, to highly customize the functionalities of the controller. With this technology, any developer can implement a program that, once installed, runs in the context of the controller, in the form of an extension. This approach is very similar to how a mobile application, once installed, can extend a smartphone’s functionalities.

Heidenhain

the-hardford-5a-65e-machine
Figure 3. The Hartford 5A-65E machine, running on a Heidenhain TNC 640 controller, that we used in our experiments at Celada

In the spirit of the Industry 4.0 paradigm, Heidenhain offers the Heidenhain DNC interface to integrate machines on modern, digital shop floors. Among the many scenarios, Heidenhain DNC enables the automatic exchange of data with machine and production data acquisition (MDA/PDA) systems, higher level enterprise resource planning (ERP) and manufacturing execution systems (MESs), inventory management systems, computer-aided design and manufacturing (CAD/CAM) systems, production activity control systems, simulation tools, and tool management systems

In our evaluation, we had access to the library provided by Heidenhain to the integrators to develop interfaces for the controller. The manufacturer provides this library, called RemoTools SDK,35 to selected partners only.

Fanuc

the-yasuda-ymc
Figure 4. The Yasuda YMC 430 + RT10 machine, running on a Fanuc controller, that we used in our experiments at the Polytechnic University of Milan

Like Heidenhain, Fanuc offers an interface, called FOCAS,36 for the integration of CNC machines in smart network environments. Even though this technology offers a restricted set of remote-call possibilities compared with the other vendors’ (that is, a limited number of management features), our experiments showed that a miscreant could potentially conduct attacks like damage, DoS, and hijacking.

What we found

As our evaluation identified 18 different attacks (or variations), we grouped them into five classes: compromise, damage, and denial of service (DoS):

summary-of-the-attack
Table 1. A summary of the attacks we identified in our research

Controller manufacturers like Haas, Okuma, and Heidenhain have been found to have a similar number of issues, around 15. Fanuc had 10 confirmed attacks. Unfortunately, our research shows that this domain lacks awareness concerning security and privacy. This creates serious and compelling problems.

The need for automation-facing features like remote configuration of tool geometry or parametric programming with values determined by networked resources is becoming more common in manufacturing.

With these findings, we determined countermeasures that enterprises can do to mitigate such risks, which we’ll discuss in our final installation. In the last part, we’ll also discuss our responsible disclosure process.

Source :
https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-part-2.html

Industry 4.0: CNC Machine Security Risks Part 1

Computer numerical controls (CNCs) are machines used to produce products in a factory setting. They have been in use for many years, and in the last decade, their use has become more widespread due to increased connectivity. This increased connectivity has made them more software-dependent and therefore more vulnerable to attacks. This vulnerability is due to the heterogeneity of technologies used in factories and the lack of awareness among users of how to best secure these systems.

This three-part blog series explores the risks associated with CNC machines. We performed a security evaluation on four representative vendors and analyzed technological developments that satisfy the Industry 4 .0 paradigm while conducting practical attacks against real-world installations.

For our research, we picked vendors that are:

  • Are geographically distributed (that is, with headquarters and subsidiaries spread across the world) and resell on a global scale.
  • Have been on the market for decades.
  • Have a large, estimated size, for example, with a total annual revenue of at least a billion US dollars.
  • Use technologies widely adopted in the domain and present in different manufacturing sectors.

Understanding numerical control machines

A machine tool is a device that uses cutting tools to remove material from a workpiece. This process, called machining, results in the desired geometry of the workpiece. Machining is a subtractive process, meaning that the material is removed from the original geometry to create the desired shape.

Numerical control (NC) is a technology that allows machines to be controlled by computers. This technology has revolutionized machine tools, making them more accurate and allowing for greater flexibility in their use. NC machine tools are now widely used in production systems and can be used on other types of machines, such as lasers and bending machines.

Basic concepts

To facilitate the understanding of what we discovered in our research, we introduce some basic concepts related to the use of machine tools:

parts-of-a-cnc-machine
Figure 1. Parts of a CNC machine
  • Numerical control. The NC is the most critical element of the machine, as it controls the entire process. This system includes visual programming functions to speed up the setup of production cycles. Additionally, the NC is always equipped with a human-machine interface (HMI) to facilitate operator interaction with control.
  • Programming. Initially developed in the 1950s, G-code (aka RS-274) is the predominant programming language in the world of machine tools. It is presented as a series of instructions initialized by a letter address, which follow one another on successive lines separated by paragraph breaks; each of these lines is called a “block.” Each letter address specifies the type of movement or function called by the user in that part of the program.
  • Parametric programming. Parametric programming is a way to make programs that are adjustable to different values. This is done by using variables that the user can input, and then the program will change based on those values. This is used in machine tools to help with things like feedback and closed-loop controls between production systems.
  • Single step. This allows for running the work program one line of code at a time. In this way, the operator can check the correspondence of executed code to the best possible working conditions and determine if intervention by modification is necessary.
  • Feed hold. The “feed hold” function is mainly used to check the correct execution of complex features by inspecting the work area before proceeding with further steps in the process. In fact, chips coming from the removal of the material being processed could be deposited in work areas or on measuring probes, potentially invalidating the measurements, or inducing defects downstream of the machining if they are not removed.
  • Tools. The machining process is a manufacturing technique that uses an element called a tool to remove excess material from a raw piece. The tool cutting is made possible by the relative speed between the manufacturing part and the cutting tool edge, also known as the cutting speed or surface speed. In addition to this parameter, the feed rate (speed of tool moving along workpiece) also affects chip removal process. Many types of tools are available depending on the type of processing needed.

Evaluating vendors

For all vendors that we included in our research scope, we conducted an equal evaluation of their machines:

  • The “Industry 4.0–ready” technologies are interfaces and related protocols used by machines in smart environments to transmit information outwards, towards centralized systems like production data for better management or cost reduction; they also enable remote management such that an operator can change the executed program without needing local access.
  • We identified potential vulnerabilities in the exposed services using automated scanners like Nessus. These included known or misconfigurations that could pose as dangerous, which we ignored to focus on domain-specific abuse cases for CNC interfaces instead.
  • We then went deep into the CNC-specific technologies previously identified, by analyzing the risks of abuses and conducting practical attacks on the controllers. For this, we developed attack tools that exploited the weaknesses we identified in the domain-specific interfaces with the aid of proprietary APIs we got access to.
  • We collected evidence of our concerns and collaborated with vendors to suggest mitigations. All evidence came from tests we conducted on real-world installations, but we also used simulators for preliminary testing or when the machines were not immediately available.

Now that we have established a better understanding of numerical control machines and their basic concepts, we will further explore the vendors we chose for this research in part two of the series. There, we’ll discuss how we evaluated vendors and what we discovered during our research.

Source :
https://www.trendmicro.com/en_us/research/22/k/cnc-machine-security-risks-part-1.html

7 Cyber Security Tips for SMBs

When the headlines focus on breaches of large enterprises like the Optus breach, it’s easy for smaller businesses to think they’re not a target for hackers. Surely, they’re not worth the time or effort?

Unfortunately, when it comes to cyber security, size doesn’t matter.

Assuming you’re not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple security steps in place. Few small businesses prioritise cybersecurity, and hackers know it. According to Verizon, the number of smaller businesses being hit has climbed steadily in the last few years – 46% of cyber breaches in 2021 impacted businesses with fewer than 1,000 employees.

Cyber security doesn’t need to be difficult#

Securing any business doesn’t need to be complex or come with a hefty price tag. Here are seven simple tips to help the smaller business secure their systems, people and data.

1 — Install anti-virus software everywhere#

Every organisation has anti-virus on their systems and devices, right? Unfortunately, business systems such as web servers get overlooked all too often. It’s important for SMBs to consider all entry points into their network and have anti-virus deployed on every server, as well as on employees’ personal devices.

Hackers will find weak entry points to install malware, and anti-virus software can serve as a good last-resort backstop, but it’s not a silver bullet. Through continuous monitoring and penetration testing you can identify weaknesses and vulnerabilities before hackers do, because it’s easier to stop a burglar at the front door than once they’re in your home.

2 — Continuously monitor your perimeter#

Your perimeter is exposed to remote attacks because it’s available 24/7. Hackers constantly scan the internet looking for weaknesses, so you should scan your own perimeter too. The longer a vulnerability goes unfixed, the more likely an attack is to occur. With tools like Autosploit and Shodan readily available, it’s easier than ever for attackers to discover internet facing weaknesses and exploit them.

Even organisations that cannot afford a full-time, in-house security specialist can use online services like Intruder to run vulnerability scans to uncover weaknesses.

Intruder is a powerful vulnerability scanner that provides a continuous security review of your systems. With over 11,000 security checks, Intruder makes enterprise-grade scanning easy and accessible to SMBs.

Intruder will promptly identify high-impact flaws, changes in the attack surface, and rapidly scan your infrastructure for emerging threats.

3 — Minimise your attack surface#

Your attack surface is made up of all the systems and services exposed to the internet. The larger the attack surface, the bigger the risk. This means exposed services like Microsoft Exchange for email, or content management systems like WordPress can be vulnerable to brute-forcing or credential-stuffing, and new vulnerabilities are discovered almost daily in such software systems. By removing public access to sensitive systems and interfaces which don’t need to be accessible to the public, and ensuring 2FA is enabled where they do, you can limit your exposure and greatly reduce risk.

A simple first step in reducing your attack surface is by using a secure virtual private network (VPN). By using a VPN, you can avoid exposing sensitive systems directly to the internet whilst maintaining their availability to employees working remotely. When it comes to risk, prevention is better than cure – don’t expose anything to the internet unless it’s absolutely necessary!

4 — Keep software up to date#

New vulnerabilities are discovered daily in all kinds of software, from web browsers to business applications. Just one unpatched weakness could lead to full compromise of a system and a breach of customer data; as TalkTalk discovered when 150,000 of its private data records were stolen.

According to a Cyber Security Breaches Survey, businesses that hold electronic personal data of their customers are more likely than average to have had breaches. Patch management is an essential component of good cyber hygiene, and there are tools and services to help you check your software for any missing security patches.

5 — Back up your data #

Ransomware is on the increase. In 2021, 37% of businesses and organisations were hit by ransomware according to research by Sophos. Ransomware encrypts any data it can access, rendering it unusable, and can’t be reversed without a key to decrypt the data.

Data loss is a key risk to any business either through malicious intent or a technical mishap such as hard disk failure, so backing up data is always recommended. If you back up your data, you can counter attackers by recovering your data without needing to pay the ransom, as systems affected by ransomware can be wiped and restored from an unaffected backup without the attacker’s key.

6 — Keep your staff security aware#

Cyber attackers often rely on human error, so it’s vital that staff are trained in cyber hygiene so they recognise risks and respond appropriately. The Cyber Security Breaches Survey 2022 revealed that the most common types of breaches were staff receiving fraudulent emails or phishing attacks (73%), followed by people impersonating the organisation in emails or online (27%), viruses, spyware and malware (12%), and ransomware (4%).

Increasing awareness of the benefits of using complex passwords and training staff to spot common attacks such as phishing emails and malicious links, will ensure your people are a strength rather than a vulnerability.

— Protect yourself relative to your risk#

Cyber security measures should always be appropriate to the organisation. For example, a small business which handles banking transactions or has access to sensitive information such as healthcare data should employ far more stringent security processes and practices than a pet shop.

That’s not to say a pet shop doesn’t have a duty to protect customer data, but it’s less likely to be a target. Hackers are motivated by money, so the bigger the prize the more time and effort will be invested to achieve their gains. By identifying your threats and vulnerabilities with a tool like Intruder, you can take appropriate steps to mitigate and prioritize which risks need to be addressed and in which order.

It’s time to raise your cyber security game#

Attacks on large companies dominate the news, which feeds the perception that SMBs are safe, when the opposite is true. Attacks are increasingly automated, so SMBs are just as vulnerable targets as larger enterprises, more so if they don’t have adequate security processes in place. And hackers will always follow the path of least resistance. Fortunately, that’s the part Intruder made easy…

About Intruder#

Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder’s powerful scanner is designed to promptly identify high-impact flaws, changes in the attack surface, and rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder’s high-quality reports are perfect to pass on to prospective customers or comply with security regulations, such as ISO 27001 and SOC 2.

Intruder offers a 14-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Source :
https://thehackernews.com/2022/11/7-cyber-security-tips-for-smbs.html

Alert (AA22-277A) Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization

Summary

Actions to Help Protect Against APT Cyber Activity:

• Enforce multifactor authentication (MFA) on all user accounts.
• Implement network segmentation to separate network segments based on role and functionality.
• Update software, including operating systems, applications, and firmware, on network assets.
• Audit account usage.

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

This joint Cybersecurity Advisory (CSA) provides APT actors tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) identified during the incident response activities by CISA and a third-party incident response organization. The CSA includes detection and mitigation actions to help organizations detect and prevent related APT activity. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) recommend DIB sector and other critical infrastructure organizations implement the mitigations in this CSA to ensure they are managing and reducing the impact of cyber threats to their networks.

Download the PDF version of this report: pdf, 692 KB

For a downloadable copy of IOCs, see the following files:

Technical Details

Threat Actor Activity

NoteThis advisory uses the MITRE ATT&CK® for Enterprise framework, version 11. See the MITRE ATT&CK Tactics and Techniques section for a table of the APT cyber activity mapped to MITRE ATT&CK for Enterprise framework.

From November 2021 through January 2022, CISA conducted an incident response engagement on a DIB Sector organization’s enterprise network. The victim organization also engaged a third-party incident response organization for assistance. During incident response activities, CISA and the trusted –third-party identified APT activity on the victim’s network.

Some APT actors gained initial access to the organization’s Microsoft Exchange Server as early as mid-January 2021. The initial access vector is unknown. Based on log analysis, the actors gathered information about the exchange environment and performed mailbox searches within a four-hour period after gaining access. In the same period, these actors used a compromised administrator account (“Admin 1”) to access the EWS Application Programming Interface (API). In early February 2021, the actors returned to the network and used Admin 1 to access EWS API again. In both instances, the actors used a virtual private network (VPN).

Four days later, the APT actors used Windows Command Shell over a three-day period to interact with the victim’s network. The actors used Command Shell to learn about the organization’s environment and to collect sensitive data, including sensitive contract-related information from shared drives, for eventual exfiltration. The actors manually collected files using the command-line tool, WinRAR. These files were split into approximately 3MB chunks located on the Microsoft Exchange server within the CU2\he\debug directory. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.

During the same period, APT actors implanted Impacket, a Python toolkit for programmatically constructing and manipulating network protocols, on another system. The actors used Impacket to attempt to move laterally to another system.

In early March 2021, APT actors exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to install 17 China Chopper webshells on the Exchange Server. Later in March, APT actors installed HyperBro on the Exchange Server and two other systems. For more information on the HyperBro and webshell samples, see CISA MAR-10365227-2 and -3.

In April 2021, APT actors used Impacket for network exploitation activities. See the Use of Impacket section for additional information. From late July through mid-October 2021, APT actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate the remaining sensitive files. See the Use of Custom Exfiltration Tool: CovalentStealer section for additional information.

APT actors maintained access through mid-January 2022, likely by relying on legitimate credentials.

Use of Impacket

CISA discovered activity indicating the use of two Impacket tools: wmiexec.py and smbexec.py. These tools use Windows Management Instrumentation (WMI) and Server Message Block (SMB) protocol, respectively, for creating a semi-interactive shell with the target device. Through the Command Shell, an Impacket user with credentials can run commands on the remote device using the Windows management protocols required to support an enterprise network.

The APT cyber actors used existing, compromised credentials with Impacket to access a higher privileged service account used by the organization’s multifunctional devices. The threat actors first used the service account to remotely access the organization’s Microsoft Exchange server via Outlook Web Access (OWA) from multiple external IP addresses; shortly afterwards, the actors assigned the Application Impersonation role to the service account by running the following PowerShell command for managing Exchange:

powershell add-pssnapin *exchange*;New-ManagementRoleAssignment – name:”Journaling-Logs” -Role:ApplicationImpersonation -User:<account>

This command gave the service account the ability to access other users’ mailboxes.

The APT cyber actors used virtual private network (VPN) and virtual private server (VPS) providers, M247 and SurfShark, as part of their techniques to remotely access the Microsoft Exchange server. Use of these hosting providers, which serves to conceal interaction with victim networks, are common for these threat actors. According to CISA’s analysis of the victim’s Microsoft Exchange server Internet Information Services (IIS) logs, the actors used the account of a former employee to access the EWS. EWS enables access to mailbox items such as email messages, meetings, and contacts. The source IP address for these connections is mostly from the VPS hosting provider, M247.

Use of Custom Exfiltration Tool: CovalentStealer

The threat actors employed a custom exfiltration tool, CovalentStealer, to exfiltrate sensitive files.

CovalentStealer is designed to identify file shares on a system, categorize the files, and upload the files to a remote server. CovalentStealer includes two configurations that specifically target the victim’s documents using predetermined files paths and user credentials. CovalentStealer stores the collected files on a Microsoft OneDrive cloud folder, includes a configuration file to specify the types of files to collect at specified times and uses a 256-bit AES key for encryption. See CISA MAR-10365227-1 for additional technical details, including IOCs and detection signatures.

MITRE ATT&CK Tactics and Techniques

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. CISA uses the ATT&CK Framework as a foundation for the development of specific threat models and methodologies. Table 1 lists the ATT&CK techniques employed by the APT actors.

Initial Access
Technique TitleIDUse
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Execution
Technique TitleIDUse
Windows Management InstrumentationT1047Actors used Impacket tools wmiexec.py and smbexec.py to leverage Windows Management Instrumentation and execute malicious commands.
Command and Scripting InterpreterT1059Actors abused command and script interpreters to execute commands.
Command and Scripting Interpreter: PowerShellT1059.001Actors abused PowerShell commands and scripts to map shared drives by specifying a path to one location and retrieving the items from another. See Appendix: Windows Command Shell Activity for additional information.
Command and Scripting Interpreter: Windows Command ShellT1059.003Actors abused the Windows Command Shell to learn about the organization’s environment and to collect sensitive data. See Appendix: Windows Command Shell Activity for additional information, including specific commands used.The actors used Impacket tools, which enable a user with credentials to run commands on the remote device through the Command Shell.
Command and Scripting Interpreter: PythonT1059.006The actors used two Impacket tools: wmiexec.py and smbexec.py.
Shared ModulesT1129Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths.
System ServicesT1569Actors abused system services to execute commands or programs on the victim’s network.
Persistence
Technique TitleIDUse
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Create or Modify System ProcessT1543Actors were observed creating or modifying system processes.
Privilege Escalation
Technique TitleIDUse
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Defense Evasion
Technique TitleIDUse
Masquerading: Match Legitimate Name or LocationT1036.005Actors masqueraded the archive utility WinRAR.exe by renaming it VMware.exe to evade defenses and observation.
Indicator Removal on HostT1070Actors deleted or modified artifacts generated on a host system to remove evidence of their presence or hinder defenses.
Indicator Removal on Host: File DeletionT1070.004Actors used the del.exe command with the /f parameter to force the deletion of read-only files with the *.rar and tempg* wildcards.
Valid AccountsT1078Actors obtained and abused credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In this case, they exploited an organization’s multifunctional device domain account used to access the organization’s Microsoft Exchange server via OWA.
Virtualization/Sandbox Evasion: System ChecksT1497.001Actors used Windows command shell commands to detect and avoid virtualization and analysis environments. See Appendix: Windows Command Shell Activity for additional information.
Impair Defenses: Disable or Modify ToolsT1562.001Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID.
Hijack Execution FlowT1574Actors were observed using hijack execution flow.
Discovery
Technique TitleIDUse
System Network Configuration DiscoveryT1016Actors used the systeminfo command to look for details about the network configurations and settings and determine if the system was a VMware virtual machine.The threat actor used route print to display the entries in the local IP routing table.
System Network Configuration Discovery: Internet Connection DiscoveryT1016.001Actors checked for internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways.
System Owner/User DiscoveryT1033Actors attempted to identify the primary user, currently logged in user, set of users that commonly use a system, or whether a user is actively using the system.
System Network Connections DiscoveryT1049Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP.
Process DiscoveryT1057Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine.The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers.”
System Information DiscoveryT1082Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine.
File and Directory DiscoveryT1083Actors enumerated files and directories or may search in specific locations of a host or network share for certain information within a file system.
Virtualization/Sandbox Evasion: System ChecksT1497.001Actors used Windows command shellcommands to detect and avoid virtualization and analysis environments.
Lateral Movement
Technique TitleIDUse
Remote Services: SMB/Windows Admin SharesT1021.002Actors used Valid Accounts to interact with a remote network share using Server Message Block (SMB) and then perform actions as the logged-on user.
Collection
Technique TitleIDUse
Archive Collected Data: Archive via UtilityT1560.001Actor used PowerShell commands and WinRAR to compress and/or encrypt collected data prior to exfiltration.
Data from Network Shared DriveT1039Actors likely used net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dircommand to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest.The actors used dir.exe to display a list of a directory’s files and subdirectories matching a certain text string.
Data Staged: Remote Data StagingT1074.002The actors split collected files into approximately
3 MB chunks located on the Exchange server within the CU2\he\debug directory.
Command and Control
Technique TitleIDUse
Non-Application Layer ProtocolT1095Actors used a non-application layer protocol for communication between host and Command and Control (C2) server or among infected hosts within a network.
Ingress Tool TransferT1105Actors used the certutil command with three switches to test if they could download files from the internet.The actors employed CovalentStealer to exfiltrate the files.
ProxyT1090Actors are known to use VPN and VPS providers, namely M247 and SurfShark, as part of their techniques to access a network remotely.
Exfiltration
Technique TitleIDUse
Schedule TransferT1029Actors scheduled data exfiltration to be performed only at certain times of day or at certain intervals and blend traffic patterns with normal activity.
Exfiltration Over Web Service: Exfiltration to Cloud StorageT1567.002The actor’s CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder.

DETECTION

Given the actors’ demonstrated capability to maintain persistent, long-term access in compromised enterprise environments, CISA, FBI, and NSA encourage organizations to:

  • Monitor logs for connections from unusual VPSs and VPNs. Examine connection logs for access from unexpected ranges, particularly from machines hosted by SurfShark and M247.
  • Monitor for suspicious account use (e.g., inappropriate or unauthorized use of administrator accounts, service accounts, or third-party accounts). To detect use of compromised credentials in combination with a VPS, follow the steps below:
    • Review logs for “impossible logins,” such as logins with changing username, user agent strings, and IP address combinations or logins where IP addresses do not align to the expected user’s geographic location.
    • Search for “impossible travel,” which occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses in the time between logins). Note: This detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting to networks.
    • Search for one IP used across multiple accounts, excluding expected logins.
      • Take note of any M247-associated IP addresses used along with VPN providers (e.g., SurfShark). Look for successful remote logins (e.g., VPN, OWA) for IPs coming from M247- or using SurfShark-registered IP addresses.
    • Identify suspicious privileged account use after resetting passwords or applying user account mitigations.
    • Search for unusual activity in typically dormant accounts.
    • Search for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
  • Review the YARA rules provided in MAR-10365227-1 to assist in determining whether malicious activity has been observed.
  • Monitor for the installation of unauthorized software, including Remote Server Administration Tools (e.g., psexec, RdClient, VNC, and ScreenConnect).
  • Monitor for anomalous and known malicious command-line use. See Appendix: Windows Command Shell Activity for commands used by the actors to interact with the victim’s environment.
  • Monitor for unauthorized changes to user accounts (e.g., creation, permission changes, and enabling a previously disabled account).

CONTAINMENT AND REMEDIATION

Organizations affected by active or recently active threat actors in their environment can take the following initial steps to aid in eviction efforts and prevent re-entry:

  • Report the incident. Report the incident to U.S. Government authorities and follow your organization’s incident response plan.
  • Reset all login accounts. Reset all accounts used for authentication since it is possible that the threat actors have additional stolen credentials. Password resets should also include accounts outside of Microsoft Active Directory, such as network infrastructure devices and other non-domain joined devices (e.g., IoT devices).
  • Monitor SIEM logs and build detections. Create signatures based on the threat actor TTPs and use these signatures to monitor security logs for any signs of threat actor re-entry.
  • Enforce MFA on all user accounts. Enforce phishing-resistant MFA on all accounts without exception to the greatest extent possible.
  • Follow Microsoft’s security guidance for Active DirectoryBest Practices for Securing Active Directory.
  • Audit accounts and permissions. Audit all accounts to ensure all unused accounts are disabled or removed and active accounts do not have excessive privileges. Monitor SIEM logs for any changes to accounts, such as permission changes or enabling a previously disabled account, as this might indicate a threat actor using these accounts.
  • Harden and monitor PowerShell by reviewing guidance in the joint Cybersecurity Information Sheet—Keeping PowerShell: Security Measures to Use and Embrace.

Mitigations

Mitigation recommendations are usually longer-term efforts that take place before a compromise as part of risk management efforts, or after the threat actors have been evicted from the environment and the immediate response actions are complete. While some may be tailored to the TTPs used by the threat actor, recovery recommendations are largely general best practices and industry standards aimed at bolstering overall cybersecurity posture.

Segment Networks Based on Function

  • Implement network segmentation to separate network segments based on role and functionality. Proper network segmentation significantly reduces the ability for ransomware and other threat actor lateral movement by controlling traffic flows between—and access to—various subnetworks. (See CISA’s Infographic on Layering Network Security Through Segmentation and NSA’s Segment Networks and Deploy Application-Aware Defenses.)
  • Isolate similar systems and implement micro-segmentation with granular access and policy restrictions to modernize cybersecurity and adopt Zero Trust (ZT) principles for both network perimeter and internal devices. Logical and physical segmentation are critical to limiting and preventing lateral movement, privilege escalation, and exfiltration.

Manage Vulnerabilities and Configurations

  • Update softwareincluding operating systemsapplicationsand firmwareon network assets. Prioritize patching known exploited vulnerabilities and critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.
  • Implement a configuration change control process that securely creates device configuration backups to detect unauthorized modifications. When a configuration change is needed, document the change, and include the authorization, purpose, and mission justification. Periodically verify that modifications have not been applied by comparing current device configurations with the most recent backups. If suspicious changes are observed, verify the change was authorized.

Search for Anomalous Behavior

  • Use cybersecurity visibility and analytics tools to improve detection of anomalous behavior and enable dynamic changes to policy and other response actions. Visibility tools include network monitoring tools and host-based logs and monitoring tools, such as an endpoint detection and response (EDR) tool. EDR tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.
  • Monitor the use of scripting languages (e.g., Python, Powershell) by authorized and unauthorized users. Anomalous use by either group may be indicative of malicious activity, intentional or otherwise.

Restrict and Secure Use of Remote Admin Tools

  • Limit the number of remote access tools as well as who and what can be accessed using them. Reducing the number of remote admin tools and their allowed access will increase visibility of unauthorized use of these tools.
  • Use encrypted services to protect network communications and disable all clear text administration services(e.g., Telnet, HTTP, FTP, SNMP 1/2c). This ensures that sensitive information cannot be easily obtained by a threat actor capturing network traffic.

Implement a Mandatory Access Control Model

  • Implement stringent access controls to sensitive data and resources. Access should be restricted to those users who require access and to the minimal level of access needed.

Audit Account Usage

  • Monitor VPN logins to look for suspicious access (e.g., logins from unusual geo locations, remote logins from accounts not normally used for remote access, concurrent logins for the same account from different locations, unusual times of the day).
  • Closely monitor the use of administrative accounts. Admin accounts should be used sparingly and only when necessary, such as installing new software or patches. Any use of admin accounts should be reviewed to determine if the activity is legitimate.
  • Ensure standard user accounts do not have elevated privileges Any attempt to increase permissions on standard user accounts should be investigated as a potential compromise.

VALIDATE SECURITY CONTROLS

In addition to applying mitigations, CISA, FBI, and NSA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. CISA, FBI, and NSA recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

  1. Select an ATT&CK technique described in this advisory (see Table 1).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze the performance of your detection and prevention technologies.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

CISA, FBI, and NSA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

RESOURCES

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See cisa.gov/cyber-hygiene-services.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

ACKNOWLEDGEMENTS

CISA, FBI, and NSA acknowledge Mandiant for its contributions to this CSA.

APPENDIX: WINDOWS COMMAND SHELL ACTIVITY

Over a three-day period in February 2021, APT cyber actors used Windows Command Shell to interact with the victim’s environment. When interacting with the victim’s system and executing commands, the threat actors used /q and /c parameters to turn the echo off, carry out the command specified by a string, and stop its execution once completed.

On the first day, the threat actors consecutively executed many commands within the Windows Command Shell to learn about the organization’s environment and to collect sensitive data for eventual exfiltration (see Table 2).

CommandDescription / Use
net shareUsed to create, configure, and delete network shares from the command-line.[1] The threat actor likely used this command to display information about shared resources on the local computer and decide which directories to exploit.
powershell dirAn alias (shorthand) for the PowerShell Get-ChildItem cmdlet. This command maps shared drives by specifying a path to one location and retrieving the items from another.[2] The threat actor added additional switches (aka options, parameters, or flags) to form a “one liner,” an expression to describe commonly used commands used in exploitation: powershell dir -recurse -path e:\<redacted>|select fullname,length|export-csv c:\windows\temp\temp.txt. This particular command lists subdirectories of the target environment when.
systeminfoDisplays detailed configuration information [3], tasklist – lists currently running processes [4], and ipconfig – displays all current Transmission Control Protocol (TCP)/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings, respectively [5]. The threat actor used these commands with specific switches to determine if the system was a VMware virtual machine: systeminfo > vmware & date /T, tasklist /v > vmware & date /T, and ipconfig /all >> vmware & date /.
route printUsed to display and modify the entries in the local IP routing table. [6] The threat actor used this command to display the entries in the local IP routing table.
netstatUsed to display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics, and IPv6 statistics.[7] The threat actor used this command with three switches to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP: netstat -anp tcp.
certutilUsed to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.[8] The threat actor used this command with three switches to test if they could download files from the internet: certutil -urlcache -split -f https://microsoft.com temp.html.
pingSends Internet Control Message Protocol (ICMP) echoes to verify connectivity to another TCP/IP computer.[9] The threat actor used ping -n 2 apple.com to either test their internet connection or to detect and avoid virtualization and analysis environments or network restrictions.
taskkillUsed to end tasks or processes.[10] The threat actor used taskkill /F /PID 8952 to probably disable security features. CISA was unable to determine what this process was as the process identifier (PID) numbers are dynamic.
PowerShell Compress-Archive cmdletUsed to create a compressed archive or to zip files from specified files and directories.[11] The threat actor used parameters indicating shared drives as file and folder sources and the destination archive as zipped files. Specifically, they collected sensitive contract-related information from the shared drives.

On the second day, the APT cyber actors executed the commands in Table 3 to perform discovery as well as collect and archive data.

CommandDescription / Use
ntfsinfo.exeUsed to obtain volume information from the New Technology File System (NTFS) and to print it along with a directory dump of NTFS meta-data files.[12]
WinRAR.exeUsed to compress files and subsequently masqueraded WinRAR.exe by renaming it VMware.exe.[13]

On the third day, the APT cyber actors returned to the organization’s network and executed the commands in Table 4.

CommandDescription / Use
powershell -ep bypass import-module .\vmware.ps1;export-mft -volume eThreat actors ran a PowerShell command with parameters to change the execution mode and bypass the Execution Policy to run the script from PowerShell and add a module to the current section: powershell -ep bypass import-module .\vmware.ps1;export-mft -volume e. This module appears to acquire and export the Master File Table (MFT) for volume E for further analysis by the cyber actor.[14]
set.exeUsed to display the current environment variable settings.[15] (An environment variable is a dynamic value pointing to system or user environments (folders) of the system. System environment variables are defined by the system and used globally by all users, while user environment variables are only used by the user who declared that variable and they override the system environment variables (even if the variables are named the same).
dir.exeUsed to display a list of a directory’s files and subdirectories matching the eagx* text string, likely to confirm the existence of such file.
tasklist.exe and find.exeUsed to display a list of applications and services with their PIDs for all tasks running on the computer matching the string “powers”.[16][17][18]
ping.exeUsed to send two ICMP echos to amazon.com. This could have been to detect or avoid virtualization and analysis environments, circumvent network restrictions, or test their internet connection.[19]
del.exe with the /f parameterUsed to force the deletion of read-only files with the *.rar and tempg* wildcards.[20]

References

[1] Microsoft Net Share

[2] Microsoft Get-ChildItem

[3] Microsoft systeminfo

[4] Microsoft tasklist

[5] Microsoft ipconfig

[6] Microsoft Route

[7] Microsoft netstat

[8] Microsoft certutil

[9] Microsoft ping

[10] Microsoft taskkill

[11] Microsoft Compress-Archive

[12] NTFSInfo v1.2

[13] rarlab

[14] Microsoft Import-Module

[15] Microsoft set (environment variable)

[16] Microsoft tasklist

[17] Mitre ATT&CK – Sofware: TaskList

[18] Microsoft find

[19] Microsoft ping

[20] Microsoft del

Revisions

October 4, 2022: Initial version

Source :
https://www.cisa.gov/uscert/ncas/alerts/aa22-277a

Why Continuous Security Testing is a Must for Organizations Today

The global cybersecurity market is flourishing. Experts at Gartner predict that the end-user spending for the information security and risk management market will grow from $172.5 billion in 2022 to $267.3 billion in 2026.

One big area of spending includes the art of putting cybersecurity defenses under pressure, commonly known as security testing. MarketsandMarkets forecasts the global penetration testing (pentesting) market size is expected to grow at a Compound Annual Growth Rate (CAGR) of 13.7% from 2022 to 2027. However, the costs and limitations involved in carrying out a penetration test are already hindering the market growth, and consequently, many cybersecurity professionals are making moves to find an alternative solution.

Pentests aren’t solving cybersecurity pain points

Pentesting can serve specific and important purposes for businesses. For example, prospective customers may ask for the results of one as proof of compliance. However, for certain challenges, this type of security testing methodology isn’t always the best fit.

1 — Continuously changing environments

Securing constantly changing environments within rapidly evolving threat landscapes is particularly difficult. This challenge becomes even more complicated when aligning and managing the business risk of new projects or releases. Since penetration tests focus on one moment in time, the result won’t necessarily be the same the next time you make an update.

2 — Rapid growth

It would be unusual for fast-growing businesses not to experience growing pains. For CISOs, maintaining visibility of their organization’s expanding attack surface can be particularly painful.

According to HelpNetSecurity, 45% of respondents conduct pentests only once or twice per year and 27% do it once per quarter, which is woefully insufficient given how quickly infrastructure and applications change.

3 — Cybersecurity skills shortages

As well as limitations in budgets and resources, finding the available skillsets for internal cybersecurity teams is an ongoing battle. As a result, organizations don’t have the dexterity to spot and promptly remediate specific security vulnerabilities.

While pentests can offer an outsider perspective, often it is just one person performing the test. For some organizations, there is also an issue on trust when relying on the work of just one or two people. Sándor Incze, CISO at CM.com, gives his perspective:

“Not all pentesters are equal. It’s very hard to determine if the pentester you’re hiring is good.”

4 — Cyber threats are evolving

The constant struggle to stay up to date with the latest cyberattack techniques and trends puts media organizations at risk. Hiring specialist skills for every new cyber threat type would be unrealistic and unsustainable.

HelpNetSecurity reported that it takes 71 percent of pentesters one week to one month to conduct a pentest. Then, more than 26 percent of organizations must wait between one to two weeks to get the test results, and 13 percent wait even longer than that. Given the fast pace of threat evolution, this waiting period can leave companies unaware of potential security issues and open to exploitation.

5 — Poor-fitting security testing solutions for agile environments

Continuous development lifecycles don’t align with penetration testing cycles (often performed annually.) Therefore, vulnerabilities mistakenly created during long security testing gaps can remain undiscovered for some time.

Bringing security testing into the 21st-century Impact

Cybersecurity Testing

A proven solution to these challenges is to utilize ethical hacker communities in addition to a standard penetration test. Businesses can rely on the power of these crowds to assist them in their security testing on a continuous basis. A bug bounty program is one of the most common ways to work with ethical hacker communities.

What is a bug bounty program?

Bug bounty programs allow businesses to proactively work with independent security researchers to report bugs through incentivization. Often companies will launch and manage their program through a bug bounty platform, such as Intigriti.

Organizations with high-security maturity may leave their bug bounty program open for all ethical hackers in the platform’s community to contribute to (known as a public program.) However, most businesses begin by working with a smaller pool of security talent through a private program.

How bug bounty programs support continuous security testing structures

While you’ll receive a certificate to say you’re secure at the end of a penetration test, it won’t necessarily mean that’s still the case the next time you make an update. This is where bug bounty programs work well as a follow-up to pentests and enable a continuous security testing program.

The impact of bug bounty program on cybersecurity

By launching a bug bounty program, organizations experience:

  1. More robust protection: Company data, brand, and reputation have additional protection through continuous security testing.
  2. Enabled business goals: Enhanced security posture, leading to a more secure platform for innovation and growth.
  3. Improved productivity: Increased workflow with fewer disruptions to the availability of services. More strategic IT projects that executives have prioritized, with fewer security “fires” to put out.
  4. Increased skills availability: Internal security team’s time is freed by using a community for security testing and triage.
  5. Clearer budget justification: Ability to provide more significant insights into the organization’s security posture to justify and motivate for an adequate security budget.
  6. Improved relationships: Project delays significantly decrease without the reliance on traditional pentests.

Want to know more about setting up and launching a bug bounty program?

Intigriti is the leading European-based platform for bug bounty and ethical hacking. The platform enables organizations to reduce the risk of a cyberattack by allowing Intigriti’s network of security researchers to test their digital assets for vulnerabilities continuously.

If you’re intrigued by what you’ve read and want to know about bug bounty programs, simply schedule a meeting today with one of our experts.

www.intigriti.com

Source :
https://thehackernews.com/2022/09/why-continuous-security-testing-is-must.html

Record DDoS Attack with 25.3 Billion Requests Abused HTTP/2 Multiplexing

Cybersecurity company Imperva has disclosed that it mitigated a distributed denial-of-service (DDoS) attack with a total of over 25.3 billion requests on June 27, 2022.

The “strong attack,” which targeted an unnamed Chinese telecommunications company, is said to have lasted for four hours and peaked at 3.9 million requests per second (RPS).

“Attackers used HTTP/2 multiplexing, or combining multiple packets into one, to send multiple requests at once over individual connections,” Imperva said in a report published on September 19.

The attack was launched from a botnet that comprised nearly 170,000 different IP addresses spanning routers, security cameras, and compromised servers located in more than 180 countries, primarily the U.S., Indonesia, and Brazil.

CyberSecurity

The disclosure also comes as web infrastructure provider Akamai said it fielded a new DDoS assault aimed at a customer based in Eastern Europe on September 12, with attack traffic spiking at 704.8 million packets per second (pps).

The same victim was previously targeted on July 21, 2022, in a similar fashion in which the attack volume ramped up to 853.7 gigabits per second (Gbps) and 659.6 million pps over a period of 14 hours.

Akamai’s Craig Sparling said the company has been “bombarded relentlessly with sophisticated distributed denial-of-service (DDoS) attacks,” indicating that the offensives could be politically motivated in the face of Russia’s ongoing war against Ukraine.

Both the disruptive attempts were UDP flood attacks where the attacker targets and overwhelms arbitrary ports on the target host with User Datagram Protocol (UDP) packets.

CyberSecurity

UDP, being both connectionless and session-less, makes it an ideal networking protocol for handling VoIP traffic. But these same traits can also render it more susceptible to exploitation.

“Without an initial handshake to ensure a legitimate connection, UDP channels can be used to send a large volume of traffic to any host,” NETSCOUT says.

“There are no internal protections that can limit the rate of a UDP flood. As a result, UDP flood DoS attacks are exceptionally dangerous because they can be executed with a limited amount of resources.”

Source :
https://thehackernews.com/2022/09/record-ddos-attack-with-253-billion.html

IT threat evolution in Q2 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • 5,520,908 mobile malware, adware and riskware attacks were blocked.
  • The most common threat to mobile devices was adware: 25.28% of all threats detected.
  • 405,684 malicious installation packages were detected, of which:
    • 55,614 packages were related to mobile banking Trojans;
    • 3,821 packages were mobile ransomware Trojans.

Quarterly highlights

In the second quarter of 2022, cybercriminal activity continued to decline — if the number of attacks on mobile devices is any indication.

https://e.infogram.com/_/kUJZ2IuFyVL5rs1NUqoG?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Number of attacks targeting users of Kaspersky mobile solutions, Q1 2020 — Q2 2022 (download)

As in the previous quarter, fraudulent apps occupied seven out of twenty leading positions in the malware rankings. That said, the total number of attacks by these apps started to decrease.

Interestingly enough, some fraudulent app creators were targeting users from several countries at once. For instance, J-Lightning Application purported to help users to invest into a Polish oil refinery, a Russian energy company, a Chinese cryptocurrency exchange and an American investment fund.

On the contrary, the number of attacks by the RiskTool.AndroidOS.SpyLoan riskware family (loan apps that request access to users’ text messages, contact list and photos) more than quadrupled from the first quarter. The majority of users whose devices were found to be infected with this riskware were based in Mexico: a third of the total number of those attacked. This was followed by India and Colombia. The ten most-affected countries include Kenya, Brazil, Peru, Pakistan, Nigeria, Uganda and the Philippines.

The second quarter was also noteworthy for Europol taking down the infrastructure of the FluBot mobile botnet, also known as Polph and Cabassous. This aggressively spreading banking Trojan attacked mainly users in Europe and Australia.

Mobile threat statistics

In Q2 2022, Kaspersky detected 405,684 malicious installation packages, a reduction of 110,933 from the previous quarter and a year-on-year decline of 480,421.

https://e.infogram.com/_/sggcRCeC8v5IMtDdh0MY?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Number of detected malicious installation packages, Q2 2021 — Q2 2022 (download)

Distribution of detected mobile malware by type

https://e.infogram.com/_/xd4vJYpEUtvNfzYvS1xv?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Distribution of newly detected mobile malware by type, Q1 and Q2 2022 (download)

Adware ranked first among all threats detected in Q2 2022 with 25.28%, exceeding the previous quarter’s figure by 8.36 percentage points. A third of all detected threats of that class were objects of the AdWare.AndroidOS.Ewind family (33.21%). This was followed by the AdWare.AndroidOS.Adlo (22.54%) and AdWare.AndroidOS.HiddenAd (8.88%) families.

The previous leader, the RiskTool riskware, moved to second place with 20.81% of all detected threats, a decline of 27.94 p.p. from the previous quarter. More than half (60.16%) of the discovered apps of that type belonged to the Robtes family.

Various Trojans came close behind with 20.49%, a rise of 5.81 p.p. on the previous quarter. The largest contribution was made by objects belonging to the Mobtes (38.75%), Boogr (21.12%) and Agent (18.98%) families.

Top 20 mobile malware programs

Note that the malware rankings below exclude riskware or PUAs, such as RiskTool or adware.

Verdict%*
1DangerousObject.Multi.Generic21.90
2Trojan-SMS.AndroidOS.Fakeapp.d10.71
3Trojan.AndroidOS.Generic10.55
4Trojan.AndroidOS.GriftHorse.ah6.07
5Trojan-Spy.AndroidOS.Agent.aas5.40
6Trojan.AndroidOS.GriftHorse.l3.43
7DangerousObject.AndroidOS.GenericML3.21
8Trojan-Dropper.AndroidOS.Agent.sl2.82
9Trojan.AndroidOS.Fakemoney.d2.33
10Trojan.AndroidOS.Fakeapp.ed1.82
11Trojan.AndroidOS.Fakeapp.dw1.68
12Trojan.AndroidOS.Fakemoney.i1.62
13Trojan.AndroidOS.Soceng.f1.59
14Trojan-Ransom.AndroidOS.Pigetrl.a1.59
15Trojan.AndroidOS.Boogr.gsh1.56
16Trojan-Downloader.AndroidOS.Necro.d1.56
17Trojan-SMS.AndroidOS.Agent.ado1.54
18Trojan-Dropper.AndroidOS.Hqwar.gen1.54
19Trojan.AndroidOS.Fakemoney.n1.52
20Trojan-Downloader.AndroidOS.Agent.kx1.45

* Unique users attacked by this malware as a percentage of all attacked users of Kaspersky mobile solutions.

First and third places went to DangerousObject.Multi.Generic (21.90%) and Trojan.AndroidOS.Generic (10.55%), respectively, which are verdicts we use for malware detected with cloud technology. Cloud technology is triggered whenever the antivirus databases lack data for detecting a piece of malware, but the antivirus company’s cloud already contains information about the object. This is essentially how the latest malware types are detected.

Trojan-SMS.AndroidOS.Fakeapp.d rose from third to second place with 10.71%. This malware is capable of sending text messages and calling predefined numbers, displaying ads and hiding its icon.

Members of the Trojan.AndroidOS.GriftHorse family took fourth and sixth places with 6.07% and 3.43%, respectively. This family includes fraudulent apps that purchase paid subscriptions on the user’s behalf.

Trojan-Spy.AndroidOS.Agent.aas (5.40%), an evil twin of WhatsApp with a spy module built in, retained fifth position.

The verdict of DangerousObject.AndroidOS.GenericML (3.21%) came seventh. These verdicts are assigned to files recognized as malicious by our machine-learning systems.

Trojan-Dropper.AndroidOS.Agent.sl (2.82%), a dropper that unpacks and runs a banking Trojan on devices, remained in eighth place. Most of the attacked users were based in Russia or Germany.

Trojan.AndroidOS.Fakemoney.d slid from second to ninth place with 2.33%. Other members of the family occupied twelfth and nineteenth places in the rankings. These are fraudulent apps that offer users to fill out fake welfare applications.

Trojan.AndroidOS.Fakeapp.ed dropped to tenth place from sixth with 1.82%; this verdict covers fraudulent apps purporting to help with investing in gas utilities and mostly targeting Russian users.

Trojan.AndroidOS.Fakeapp.dw dropped from tenth place to eleventh with 1.68%. This verdict is assigned to various scammer apps, for example, those offering to make extra income.

Trojan.AndroidOS.Soceng.f (1.59%) dropped from twelfth to thirteenth place. This Trojan sends text messages to people in your contacts list, deletes files on the user’s SD card, and overlays the interfaces of popular apps with its own window.

Trojan-Ransom.AndroidOS.Pigetrl.a dropped from eleventh to fourteenth place with 1.59%. This malware locks the screen, asking to enter an unlock code. The Trojan provides no instructions on how to obtain this code, which is embedded in the body of the malware.

The verdict of Trojan.AndroidOS.Boogr.gsh occupied fifteenth place with 1.56%. Like DangerousObject.AndroidOS.GenericML, this verdict is produced by a machine learning system.

Trojan-Downloader.AndroidOS.Necro.d (1.56%), designed for downloading and running other malware on infected devices, climbed to sixteenth place from seventeenth.

Trojan-SMS.AndroidOS.Agent.ado dropped from fifteenth to seventeenth place with 1.54%. This malware sends text messages to short codes.

Trojan-Dropper.AndroidOS.Hqwar.gen, which unpacks and runs various banking Trojans on a device, kept eighteenth place with 1.54%.

Trojan-Downloader.AndroidOS.Agent.kx (1.45%), which loads adware, dropped to the bottom of the rankings.

Geography of mobile threats

https://e.infogram.com/_/5488dBZS93CY789cAis8?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Map of attempts to infect mobiles with malware, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile malware

Countries and territories*%**
1Iran26,91
2Yemen17,97
3Saudi Arabia12,63
4Oman12,01
5Algeria11,49
6Egypt10,48
7Morocco7,88
8Kenya7,58
9Ecuador7,19
10Indonesia6,91

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked as a percentage of all users of Kaspersky mobile security solutions in the country.

Iran remained the leader in terms of the share of infected devices in Q2 2022 with 26.91%; the most widespread threats there as before were the annoying AdWare.AndroidOS.Notifyer and AdWare.AndroidOS.Fyben families. Yemen rose to second place with 17.97%; the Trojan-Spy.AndroidOS.Agent.aas spyware was the threat most often encountered by users in that country. Saudi Arabia came third with 12.63%, the most common malware apps in the country being the AdWare.AndroidOS.Adlo and AdWare.AndroidOS.Fyben adware families.

Mobile banking Trojans

The number of detected mobile banking Trojan installation packages increased slightly compared to the previous quarter: during the reporting period, we found 55,614 of these, an increase of 1,667 on Q1 2022 and a year-on-year increase of 31,010.

Almost half (49.28%) of the detected installation packages belonged to the Trojan-Banker.AndroidOS.Bray family. The Trojan-Banker.AndroidOS.Wroba was second with 5.54%, and Trojan-Banker.AndroidOS.Fakecalls third with 4.83%.

https://e.infogram.com/_/WmVkKmoCinRxAPQXWFha?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Number of installation packages for mobile banking Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Ten most common mobile bankers

Verdict%*
1Trojan-Banker.AndroidOS.Bian.h23.22
2Trojan-Banker.AndroidOS.Anubis.t10.48
3Trojan-Banker.AndroidOS.Svpeng.q7.88
4Trojan-Banker.AndroidOS.Asacub.ce4.48
5Trojan-Banker.AndroidOS.Sova.g4.32
6Trojan-Banker.AndroidOS.Gustuff.d4.04
7Trojan-Banker.AndroidOS.Ermak.a4.00
8Trojan-Banker.AndroidOS.Agent.ep3.66
9Trojan-Banker.AndroidOS.Agent.eq3.58
10Trojan-Banker.AndroidOS.Faketoken.z2.51

* Unique users attacked by this malware as a percentage of all Kaspersky mobile security solution users who encountered banking threats.

https://e.infogram.com/_/bawulAIMCMSwfujrqAJT?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Geography of mobile banking threats, Q2 2022 (download)

TOP 10 countries and territories by shares of users attacked by mobile banking Trojans

Countries and territories*%**
1Spain1.04
2Turkey0.71
3Australia0.67
4Saudi Arabia0.64
5Switzerland0.38
6UAE0.23
7Japan0.14
8Colombia0.14
9Italy0.10
10Portugal0.09

* Countries and territories with relatively few users of Kaspersky mobile security solutions (under 10,000) have been excluded from the ranking.
** Unique users attacked by mobile banking Trojans as a percentage of all Kaspersky mobile security solution users in the country.

In Q2 2022, Spain still had the largest share of unique users attacked by mobile financial threats: 1.04%. Trojan-Banker.AndroidOS.Bian.h accounted for 89.95% of attacks on Spanish users. Turkey had the second-largest share (0.71%), with attacks on Turkish users dominated by Trojan-Banker.AndroidOS.Ermak.a (41.38%). Australia was third with 0.67%; most attacks in this country were attributed to Trojan-Banker.AndroidOS.Gustuff.d (96,55%).

Mobile ransomware Trojans

The number of mobile ransomware Trojan installation packages we detected in Q2 2022 (3,821) almost doubled from Q1 2022, increasing by 1,879; the figure represented a year-on-year increase of 198.

https://e.infogram.com/_/qgwrjBbIOWRSVBiw4z6r?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Number of installation packages for mobile ransomware Trojans detected by Kaspersky, Q2 2021 — Q2 2022 (download)

Top 10 most common mobile ransomware

Verdict%*
1Trojan-Ransom.AndroidOS.Pigetrl.a76.81
2Trojan-Ransom.AndroidOS.Rkor.ch2.66
3Trojan-Ransom.AndroidOS.Small.as2.51
4Trojan-Ransom.AndroidOS.Rkor.br1.46
5Trojan-Ransom.AndroidOS.Rkor.bi1.40
6Trojan-Ransom.AndroidOS.Svpeng.ah1.29
7Trojan-Ransom.AndroidOS.Congur.cw1.23
8Trojan-Ransom.AndroidOS.Small.cj1.14
9Trojan-Ransom.AndroidOS.Svpeng.ac1.14
10Trojan-Ransom.AndroidOS.Congur.bf1.07

* Unique users attacked by the malware as a percentage of all Kaspersky mobile security solution users attacked by ransomware Trojans.

https://e.infogram.com/_/fLxtf6iaN8E9XJOQQUsF?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-mobile-statistics%2F107123%2F&src=embed#async_embed

Geography of mobile ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories by share of users attacked by mobile ransomware Trojans

Countries and territories*%**
1Yemen0,30
2Kazakhstan0,19
3Azerbaijan0,06
4Kyrgyzstan0,04
5Switzerland0,04
6Egypt0,03
7Saudi Arabia0,03
8Uzbekistan0,02
9Russian Federation0,02
10Morocco0,02

* Excluded from the rankings are countries and territories with relatively few (under 10,000) Kaspersky mobile security users.
** Unique users attacked by ransomware Trojans as a percentage of all Kaspersky mobile security solution users in the country or territory.

Countries leading by number of users attacked by mobile ransomware Trojans were Yemen (0.30%), Kazakhstan (0.19%) and Azerbaijan (0.06%). Users in Yemen most often encountered Trojan-Ransom.AndroidOS.Pigetrl.a, while users in Kazakhstan and Azerbaijan were attacked mainly by members of the Trojan-Ransom.AndroidOS.Rkor family.

IT threat evolution in Q2 2022. Non-mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.

Quarterly figures

According to Kaspersky Security Network, in Q2 2022:

  • Kaspersky solutions blocked 1,164,544,060 attacks from online resources across the globe.
  • Web Anti-Virus recognized 273,033,368 unique URLs as malicious. Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 100,829 unique users.
  • Ransomware attacks were defeated on the computers of 74,377 unique users.
  • Our File Anti-Virus detected 55,314,176 unique malicious and potentially unwanted objects.

Financial threats

Financial threat statistics

In Q2 2022, Kaspersky solutions blocked the launch of malware designed to steal money from bank accounts on the computers of 100,829 unique users.

https://e.infogram.com/_/xVIqEwzQRE40afesiEuD?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of unique users attacked by financial malware, Q2 2022 (download)

Geography of financial malware attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country and territory we calculated the share of Kaspersky users who faced this threat during the reporting period as a percentage of all users of our products in that country or territory.

https://e.infogram.com/_/VAlc8RYhTGIEk24LI7Q3?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of financial malware attacks, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory*%**
1Turkmenistan4.8
2Afghanistan4.3
3Tajikistan3.8
4Paraguay3.1
5China2.4
6Yemen2.4
7Uzbekistan2.2
8Sudan2.1
9Egypt2.0
10Mauritania1.9

* Excluded are countries and territories with relatively few Kaspersky product users (under 10,000).
** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country.

TOP 10 banking malware families

NameVerdicts%*
1Ramnit/NimnulTrojan-Banker.Win32.Ramnit35.5
2Zbot/ZeusTrojan-Banker.Win32.Zbot15.8
3CliptoShufflerTrojan-Banker.Win32.CliptoShuffler6.4
4Trickster/TrickbotTrojan-Banker.Win32.Trickster6
5RTMTrojan-Banker.Win32.RTM2.7
6SpyEyeTrojan-Spy.Win32.SpyEye2.3
7IcedIDTrojan-Banker.Win32.IcedID2.1
8DanabotTrojan-Banker.Win32.Danabot1.9
9BitStealerTrojan-Banker.Win32.BitStealer1.8
10GoziTrojan-Banker.Win32.Gozi1.3

* Unique users who encountered this malware family as a percentage of all users attacked by financial malware.

Ransomware programs

In the second quarter, the Lockbit group launched a bug bounty program. The cybercriminals are promising $1,000 to $1,000,000 for doxing of senior officials, reporting  web service, Tox messenger or ransomware Trojan algorithm vulnerabilities, as well as for ideas on improving the Lockbit website and Trojan. This was the first-ever case of ransomware groups doing a (self-promotion?) campaign like that.

Another well-known group, Conti, said it was shutting down operations. The announcement followed a high-profile attack on Costa Rica’s information systems, which prompted the government to declare a state of emergency. The Conti infrastructure was shut down in late June, but some in the infosec community believe that Conti members are either just rebranding or have split up and joined other ransomware teams, including Hive, AvosLocker and BlackCat.

While some ransomware groups are drifting into oblivion, others seem to be making a comeback. REvil’s website went back online in April, and researchers discovered a newly built specimen of their Trojan. This might have been a test build, as the sample did not encrypt any files, but these events may herald the impending return of REvil.

Kaspersky researchers found a way to recover files encrypted by the Yanluowang ransomware and released a decryptor for all victims. Yanluowang has been spotted in targeted attacks against large businesses in the US, Brazil, Turkey, and other countries.

Number of new modifications

In Q2 2022, we detected 15 new ransomware families and 2355 new modifications of this malware type.

https://e.infogram.com/_/LLQNUsWe0kQuAyykdQ9p?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of new ransomware modifications, Q2 2021 — Q2 2022 (download)

Number of users attacked by ransomware Trojans

In Q2 2022, Kaspersky products and technologies protected 74,377 users from ransomware attacks.

https://e.infogram.com/_/YAmZLBPilFKmsbsxFKpJ?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of unique users attacked by ransomware Trojans, Q2 2022 (download)

Geography of attacked users

https://e.infogram.com/_/oDrJKQvRPnVf4zT5I0kp?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of attacks by ransomware Trojans, Q2 2022 (download)

TOP 10 countries and territories attacked by ransomware Trojans

Country or territory*%**
1Bangladesh1.81
2Yemen1.24
3South Korea1.11
4Mozambique0.82
5Taiwan0.70
6China0.46
7Pakistan0.40
8Angola0.37
9Venezuela0.33
10Egypt0.32

* Excluded are countries and territories with relatively few Kaspersky users (under 50,000).
** Unique users whose computers were attacked by Trojan encryptors as a percentage of all unique users of Kaspersky products in the country.

TOP 10 most common families of ransomware Trojans

NameVerdicts*Percentage of attacked users**
1Stop/DjvuTrojan-Ransom.Win32.Stop17.91
2WannaCryTrojan-Ransom.Win32.Wanna12.58
3MagniberTrojan-Ransom.Win64.Magni9.80
4(generic verdict)Trojan-Ransom.Win32.Gen7.91
5(generic verdict)Trojan-Ransom.Win32.Phny6.75
6(generic verdict)Trojan-Ransom.Win32.Encoder6.55
7(generic verdict)Trojan-Ransom.Win32.Crypren3.51
8(generic verdict)Trojan-Ransom.MSIL.Encoder3.02
9PolyRansom/VirLockTrojan-Ransom.Win32.PolyRansom / Virus.Win32.PolyRansom2.96
10(generic verdict)Trojan-Ransom.Win32.Instructions2.69

* Statistics are based on detection verdicts of Kaspersky products. The information was provided by Kaspersky product users who consented to provide statistical data.
** Unique Kaspersky users attacked by specific ransomware Trojan families as a percentage of all unique users attacked by ransomware Trojans.

Miners

Number of new miner modifications

In Q2 2022, Kaspersky solutions detected 40,788 new modifications of miners. A vast majority of these (more than 35,000) were detected in June. Thus, the spring depression — in March through May we found a total of no more than 10,000 new modifications — was followed by a record of sorts.

https://e.infogram.com/_/vZm5Z2G3sFuuIAqZGWRA?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of new miner modifications, Q2 2022 (download)

Number of users attacked by miners

In Q2, we detected attacks using miners on the computers of 454,385 unique users of Kaspersky products and services worldwide. We are seeing a reverse trend here: miner attacks have gradually declined since the beginning of 2022.

https://e.infogram.com/_/ibd7ASo3u4ZaWhgBgbcF?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Number of unique users attacked by miners, Q2 2022 (download)

Geography of miner attacks

https://e.infogram.com/_/e5HYDOqPpDYZ08UMSsAM?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of miner attacks, Q2 2022 (download)

TOP 10 countries and territories attacked by miners

Country or territory*%**
1Rwanda2.94
2Ethiopia2.67
3Tajikistan2.35
4Tanzania1.98
5Kyrgyzstan1.94
6Uzbekistan1.88
7Kazakhstan1.84
8Venezuela1.80
9Mozambique1.68
10Ukraine1.56

* Excluded are countries and territories with relatively few users of Kaspersky products (under 50,000).
** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country.

Vulnerable applications used by criminals during cyberattacks

Quarterly highlights

During Q2 2022, a number of major vulnerabilities were discovered in the Microsoft Windows. For instance, CVE-2022-26809 critical error allows an attacker to remotely execute arbitrary code in a system using a custom RPC request. The Network File System (NFS) driver was found to contain two RCE vulnerabilities: CVE-2022-24491 and CVE-2022-24497. By sending a custom network message via the NFS protocol, an attacker can remotely execute arbitrary code in the system as well. Both vulnerabilities affect server systems with the NFS role activated. The CVE-2022-24521 vulnerability targeting the Common Log File System (CLFS) driver was found in the wild. It allows elevation of local user privileges, although that requires the attacker to have gained a foothold in the system. CVE-2022-26925, also known as LSA Spoofing, was another vulnerability found during live operation of server systems. It allows an unauthenticated attacker to call an LSARPC interface method and get authenticated by Windows domain controller via the NTLM protocol. These vulnerabilities are an enduring testament to the importance of timely OS and software updates.

Most of the network threats detected in Q2 2022 had been mentioned in previous reports. Most of those were attacks that involved brute-forcing  access to various web services. The most popular protocols and technologies susceptible to these attacks include MS SQL Server, RDP and SMB. Attacks that use the EternalBlue, EternalRomance and similar exploits are still popular. Exploitation of Log4j vulnerability (CVE-2021-44228) is also quite common, as the susceptible Java library is often used in web applications. Besides, the Spring MVC framework, used in many Java-based web applications, was found to contain a new vulnerability CVE-2022-22965 that exploits the data binding functionality and results in remote code execution. Finally, we have observed a rise in attacks that exploit insecure deserialization, which can also result in access to remote systems due to incorrect or missing validation of untrusted user data passed to various applications.

Vulnerability statistics

Exploits targeting Microsoft Office vulnerabilities grew in the second quarter to 82% of the total. Cybercriminals were spreading malicious documents that exploited CVE-2017-11882 and CVE-2018-0802, which are the best-known vulnerabilities in the Equation Editor component. Exploitation involves the component memory being damaged and a specially designed script, run on the target computer. Another vulnerability, CVE-2017-8570, allows downloading and running a malicious script when opening an infected document, to execute various operations in a vulnerable system. The emergence of CVE-2022-30190or Follina vulnerability also increased the number of exploits in this category. An attacker can use a custom malicious document with a link to an external OLE object, and a special URI scheme to have Windows run the MSDT diagnostics tool. This, in turn, combined with a special set of parameters passed to the victim’s computer, can cause an arbitrary command to be executed — even if macros are disabled and the document is opened in Protected Mode.

https://e.infogram.com/_/1dqpsnMqrH26rdzDOOht?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Distribution of exploits used by cybercriminals, by type of attacked application, Q2 2022 (download)

Attempts at exploiting vulnerabilities that affect various script engines and, specifically, browsers, dipped to 5%. In the second quarter, a number of critical RCE vulnerabilities were discovered in various Google Chrome based browsers: CVE-2022-0609CVE-2022-1096, and CVE-2022-1364. The first one was found in the animation component; it exploits a Use-After-Free error, causing memory damage, which is followed by the attacker creating custom objects to execute arbitrary code. The second and third vulnerabilities are Type Confusion errors associated with the V8 script engine; they also can result in arbitrary code being executed on a vulnerable user system. Some of the vulnerabilities discovered were found to have been exploited in targeted attacks, in the wild. Mozilla Firefox was found to contain a high-risk Use-After-Free vulnerability, CVE-2022-1097, which appears when processing NSSToken-type objects from different streams. The browser was also found to contain CVE-2022-28281, a vulnerability that affects the WebAuthn extension. A compromised Firefox content process can write data out of bounds of the parent process memory, thus potentially enabling code execution with elevated privileges. Two further vulnerabilities, CVE-2022-1802 and CVE-2022-1529, were exploited in cybercriminal attacks. The exploitation method, dubbed “prototype pollution”, allows executing arbitrary JavaScript code in the context of a privileged parent browser process.

As in the previous quarter, Android exploits ranked third in our statistics with 4%, followed by exploits of Java applications, the Flash platform, and PDF documents, each with 3%.

Attacks on macOS

The second quarter brought with it a new batch of cross-platform discoveries. For instance, a new APT group Earth Berberoka (GamblingPuppet) that specializes in hacking online casinos, uses malware for Windows, Linux, and macOS. The TraderTraitor campaign targets cryptocurrency and blockchain organizations, attacking with malicious crypto applications for both Windows and macOS.

TOP 20 threats for macOS

Verdict%*
1AdWare.OSX.Amc.e25.61
2AdWare.OSX.Agent.ai12.08
3AdWare.OSX.Pirrit.j7.84
4AdWare.OSX.Pirrit.ac7.58
5AdWare.OSX.Pirrit.o6.48
6Monitor.OSX.HistGrabber.b5.27
7AdWare.OSX.Agent.u4.27
8AdWare.OSX.Bnodlero.at3.99
9Trojan-Downloader.OSX.Shlayer.a3.87
10Downloader.OSX.Agent.k3.67
11AdWare.OSX.Pirrit.aa3.35
12AdWare.OSX.Pirrit.ae3.24
13Backdoor.OSX.Twenbc.e3.16
14AdWare.OSX.Bnodlero.ax3.06
15AdWare.OSX.Agent.q2.73
16Trojan-Downloader.OSX.Agent.h2.52
17AdWare.OSX.Bnodlero.bg2.42
18AdWare.OSX.Cimpli.m2.41
19AdWare.OSX.Pirrit.gen2.08
20AdWare.OSX.Agent.gen2.01

* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked.

As usual, the TOP 20 ranking for threats detected by Kaspersky security solutions for macOS users is dominated by various adware. AdWare.OSX.Amc.e, also known as Advanced Mac Cleaner, is a newcomer and already a leader, found with a quarter of all attacked users. Members of this family display fake system problem messages, offering to buy the full version to fix those. It was followed by members of the AdWare.OSX.Agent and AdWare.OSX.Pirrit families.

Geography of threats for macOS

https://e.infogram.com/_/sREMxK7Q3GvfvQe7t1Ql?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of threats for macOS, Q2 2022 (download)

TOP 10 countries and territories by share of attacked users

Country or territory*%**
1France2.93
2Canada2.57
3Spain2.51
4United States2.45
5India2.24
6Italy2.21
7Russian Federation2.13
8United Kingdom1.97
9Mexico1.83
10Australia1.82

* Excluded from the rating are countries and territories  with relatively few users of Kaspersky security solutions for macOS (under 10,000).
** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country.

In Q2 2022, the country where the most users were attacked was again France (2.93%), followed by Canada (2.57%) and Spain (2.51%). AdWare.OSX.Amc.e was the most common adware encountered in these three countries.

IoT attacks

IoT threat statistics

In Q2 2022, most devices that attacked Kaspersky traps did so using the Telnet protocol, as before.

Telnet82,93%
SSH17,07%

Distribution of attacked services by number of unique IP addresses of attacking devices, Q2 2022

The statistics for working sessions with Kaspersky honeypots show similar Telnet dominance.

Telnet93,75%
SSH6,25%

Distribution of cybercriminal working sessions with Kaspersky traps, Q2 2022

TOP 10 threats delivered to IoT devices via Telnet

Verdict%*
1Backdoor.Linux.Mirai.b36.28
2Trojan-Downloader.Linux.NyaDrop.b14.66
3Backdoor.Linux.Mirai.ek9.15
4Backdoor.Linux.Mirai.ba8.82
5Trojan.Linux.Agent.gen4.01
6Trojan.Linux.Enemybot.a2.96
7Backdoor.Linux.Agent.bc2.58
8Trojan-Downloader.Shell.Agent.p2.36
9Trojan.Linux.Agent.mg1.72
10Backdoor.Linux.Mirai.cw1.45

* Share of each threat delivered to infected devices as a result of a successful Telnet attack out of the total number of delivered threats.

Detailed IoT-threat statistics are published in the DDoS report for Q2 2022.

Attacks via web resources

The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create these sites on purpose; they can infect hacked legitimate resources as well as web resources with user-created content, such as forums.

TOP 10 countries and territories that serve as sources of web-based attacks

The following statistics show the distribution by country or territory  of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites hosting malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographic source of web attacks, the GeoIP technique was used to match the domain name to the real IP address at which the domain is hosted.

In Q2 2022, Kaspersky solutions blocked 1,164,544,060 attacks launched from online resources across the globe. A total of 273,033,368 unique URLs were recognized as malicious by Web Anti-Virus components.

https://e.infogram.com/_/Mii35djEPWnjaHq4c2Ve?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Distribution of web-attack sources by country and territory, Q2 2022 (download)

Countries and territories where users faced the greatest risk of online infection

To assess the risk of online infection faced by users around the world, for each country or territory we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries and territories.

Note that these rankings only include attacks by malicious objects that fall under the Malware class; they do not include Web Anti-Virus detections of potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory*%**
1Taiwan26.07
2Hong Kong14.60
3Algeria14.40
4Nepal14.00
5Tunisia13.55
6Serbia12.88
7Sri Lanka12.41
8Albania12.21
9Bangladesh11.98
10Greece11.86
11Palestine11.82
12Qatar11.50
13Moldova11.47
14Yemen11.44
15Libya11.34
16Zimbabwe11.15
17Morocco11.03
18Estonia11.01
19Turkey10.75
20Mongolia10.50

* Excluded are countries and territories with relatively few Kaspersky users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky products in the country.

On average during the quarter, 8.31% of the Internet users’ computers worldwide were subjected to at least one Malware-class web attack.

https://e.infogram.com/_/ZeKtZKpRpQBrBYKAEvcg?parent_url=https%3A%2F%2Fsecurelist.com%2Fit-threat-evolution-in-q2-2022-non-mobile-statistics%2F107133%2F&src=embed#async_embed

Geography of web-based malware attacks, Q2 2022 (download)

Local threats

In this section, we analyze statistical data obtained from the OAS and ODS modules of Kaspersky products. It takes into account malicious programs that were found directly on users’ computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.).

In Q2 2022, our File Anti-Virus detected 55,314,176 malicious and potentially unwanted objects.

Countries and territories where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries and territories.

Note that these rankings only include attacks by malicious programs that fall under the Malware class; they do not include File Anti-Virus triggerings in response to potentially dangerous or unwanted programs, such as RiskTool or adware.

Country or territory*%**
1Turkmenistan47.54
2Tajikistan44.91
3Afghanistan43.19
4Yemen43.12
5Cuba42.71
6Ethiopia41.08
7Uzbekistan37.91
8Bangladesh37.90
9Myanmar36.97
10South Sudan36.60
11Syria35.60
12Burundi34.88
13Rwanda33.69
14Algeria33.61
15Benin33.60
16Tanzania32.88
17Malawi32.65
18Venezuela31.79
19Cameroon31.34
20Chad30.92

*  Excluded are countries with relatively few Kaspersky users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky products in the country.

Source :
https://securelist.com/it-threat-evolution-in-q2-2022-non-mobile-statistics/107133/