It is commonly believed that Macs are immune to viruses. However, although they are less vulnerable than Windows computers, the reality is that MacBooks, iMacs, and Mac minis are still susceptible to malware and other security vulnerabilities — and there are some worrying ones out there, too.
Below are the top 5 macOS malware programs, security flaws, and vulnerabilities that you need to be aware of!
Silver Sparrow
Disclosed by Red Canary researchers, Silver Sparrow is a unique macOS malware program that was created to target Apple’s new M1 processors.
Silver Sparrow is a PUA (potentially unwanted application) that can serve as a delivery mechanism for malware. Once your device is infected it will contact a server every hour. It is still currently unknown how much of a threat Silver Sparrow truly poses, but in theory, it could act as a catalyst for significant attacks.
Apple quickly released an update to macOS that stopped Silver Sparrow from being able to be installed. Therefore, if you have a fully updated version of macOS, you are safe from Silver Sparrow.
XLoader
It was all but guaranteed that one of the most common pieces of Windows malware would make its way to macOS. Initially reported by Check Point security researchers in July 2021, it was confirmed that a Mac version of the XLoader malware had actually been around for some time.
XLoader is a new variant of the infamous Formbook, a program used to steal login credentials, record keystrokes, and download and execute files.
Once a device is infected with XLoader, it transfers a hidden application bundle containing a copy of itself to the user’s home folder, and what is particularly dangerous about it is the fact that it can run completely undetected by macOS.
XCSSET
Initially reported by Trend Micro in August 2020, XCSSET primarily targets macOS users in Asia. Many experts believe that XCSSET mainly targets Chinese gambling sites and their users.
XCSSET replaces users’ web browser icons with fake versions that launch malware whenever opened. XCSSET can bypass macOS’s privacy protections by hijacking the privileges of legitimate apps, allowing it to take screen captures.
XCSSET seeks to access information via the Safari browser, including login details for various Apple, Google, PayPal, and Yandex services. Other types of information it can collect include notes and messages sent via Skype, Telegram, QQ, and WeChat.
macOS Big Sur IOMobileFrameBuffer
This vulnerability can allow attackers to take over an affected system. It is a critical memory corruption issue found in internal component extensions in macOS. This security flaw allows the installation of malicious applications and enables them to execute commands with system administrator privileges — bypassing macOS’s built-in security measures.
The issue was addressed immediately by Apple, with a fix released in the macOS Big Sur 11.5.1 July 26, 2021 update.
Log4Shell
Log4Shell is a vulnerability in the widely used Java library Apache Log4j — software used by an innumerable number of large companies including Google, Apple, Netflix, Twitter, and many more. It enables attackers to perform remote code execution and gain control over affected servers.
Log4j is an open-source logging tool used by a huge number of websites and apps. Because it is so widely used, the number of services at risk of exploitation is incredibly concerning.
Although macOS is not directly affected by Log4Shell, according to security researchers, the vulnerability has been found to affect Apple’s iCloud platform. Luckily, Apple was quick to patch the vulnerability — releasing a fix shortly after it was discovered.
It was estimated that around 850,000 attacks were attempted within just 72 hours of the initial outbreak. It is not clear if Apple’s iCloud was among the services targeted.
Apache has already released an update fixing the vulnerability, although because of Log4j’s widespread worldwide use, the prospect of all the apps that use it receiving the fix is simply not realistic.
However, even if you use one of the compromised apps, your Mac will not be at risk. When exploited, the bug affects the server running Log4j, not the computer itself. Although in theory the exploit could be used to plant a malicious app on a server that then affects connected machines.
Stay protected at all times
Malware creators will always seek out undiscovered vulnerabilities that they can exploit, and Macs are certainly not immune. Fortunately, security researchers are often exceptionally quick at discovering these vulnerabilities, and fixes are almost always released timely.
However, it is best practice to always use a trusted antivirus app to ensure you are as protected as possible against all types of threats.
Trend Micro’s Antivirus One — the best option for complete peace of mind
Antivirus One can protect your Mac from viruses, malware, and adware, block potential web threats and safeguard against vulnerabilities.
Some key features include:
Fast Thorough Scans — Scan your Mac for hidden threats in less than a minute.
Web Threat Protection — Avoid online fraud, malicious software embedded in websites, and other threats lurking on the web.
Data Privacy Sweeps — Clear personal information out of Safari, Google Chrome, and Mozilla Firefox before it leaks online.
Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.
One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.
“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said Armen Najarian, chief identity officer at anti-fraud technology firm Outseer.
Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.
However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.
Sophisticated Teams attacks
Patrick Harr, CEO of phishing protection vendor SlashNext, told VentureBeat that a highly sophisticated phishing attack recently struck a customer on Microsoft Teams.
It happened, Harr said, while the CEO of the customer company was traveling to China. Posing as the CEO, an attacker sent a WhatsApp message to several of the company’s employees, asking them to join a Teams meeting.
Once in the meeting, the employees saw a video feed of the CEO, which they didn’t realize had been scraped from a past TV interview. As part of the trick, the attackers had added a fake background to the video to make it appear the CEO was in China, Harr said.
But since there was no audio, the “CEO” said that there “must be a bad connection” — and then dropped a SharePoint link into the chat.
Posing as the CEO, the attacker told the employees that “‘since I can’t can’t make this work, send me the information on this SharePoint link,’” Harr said.
An employee did end up clicking on the malicious SharePoint link — but they were blocked from accessing the page.
Ultimately, the incident demonstrates that “these bad actors are nesting themselves in legitimate services,” Harr said. “They’re getting very creative. They’re staying ahead of the curve.”
A big target
Microsoft Teams is massively widespread in the enterprise, with 270 million monthly active users, and that’s led attackers to take notice.
Threat actors have spotted a few of other things about Teams, too: If you can acquire an account’s Microsoft Office 365 password, that can potentially get you into Teams as well. And while more workers may be savvy about email phishing techniques at this point, they’re less likely to be suspicious about a Teams message, according to researchers.
Attackers are seizing the opportunity: In January, email security platform Avanan saw thousands of attacks involving malware dropped into Teams conversations, researchers at the Check Point-owned organization reported.
By attaching a malicious executable file in a Microsoft Teams conversation, “hackers have found a new way to easily target millions of users,” the Avanan researchers wrote in a blog post. When clicked, the .exe file installs a Trojan on a user’s Windows PC, and the Trojan then installs malware.
The attacks are having success because with Microsoft Teams, unlike with email, “end-users have an inherent trust of the platform,” the researchers wrote.
Ultimately, the incidents reported by Avanan show that “hackers are beginning to understand and better utilize Teams as a potential attack vector,” the researchers said.
In other words, as they are known to do, cyberattackers are evolving once again.
‘The new BEC’
Referring to the Microsoft Teams attacks cited by Avanan, “this is the new business email compromise / legitimate service abuse,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in a tweet. “It follows the trend we’ve seen with Slack and Discord.”
Business email compromise (BEC) describes a type of phishing attack in which an attacker targets a certain individual in a company, and attempts to persuade the individual to perform a wire transfer of funds to their account.
BEC attacks “are not losing their effectiveness,” Gallagher said in an email to VentureBeat. Indeed, 77% of organizations faced business email compromise attacks last year, up from 65% in 2020, according to Proofpoint data.
But with the arrival of BEC-like attacks on collaboration platforms such as Microsoft Teams, “malicious actors are expanding their attack surface and finding new ways to get a foothold into organizations,” Gallagher said.
“As more businesses move toward the cloud and software-as-a-service [SaaS] models, legitimate hosted services – like Microsoft Teams and Slack – will be an attractive avenue for attackers,” Gallagher said.
Najarian agreed that BEC attacks “are still very effective for criminal hacker groups.”
“But expanding their tactics into Microsoft Teams, Slack, Discord and other chat apps presents another revenue driver for them,” Najarian said in an email.
Combining tactics
Notably, the types of Microsoft Teams attacks reported by SlashNext and Avanan involve a combination of social engineering and credential harvesting.
“If malicious actors secure credentials and can access a Microsoft 365 environment in the cloud, they can act as a trusted team member,” Gallagher said. “As such, victims assume the files and links shared in the legitimate service are trusted, since they do not display the tell-tale signs of a malicious URL once uploaded or shared in the trusted environment.”
Adversaries can “get into all sorts of places in the enterprise that they otherwise wouldn’t be able to access without compromising the network,” he said.
All in all, legitimate service abuse is an emerging vector for malicious actors to target the enterprise, he said — and it will only continue to grow “as the enterprise becomes more detached from traditional infrastructure.”
The privacy of our data has always been important. However, because we’re sharing more of it than ever before, being aware of data privacy and taking the necessary steps to protect it has never been more crucial. In this article, in celebration of Data Privacy Week, we cover why data privacy is so important, what can happen if your data were to fall into the wrong hands, and what you can do to protect your personal data.
Find out if your email address appeared in any data leaks
What is data privacy and why is it important?
Data privacy often refers to the practice of handling sensitive data in line with regulatory requirements. In most developed countries, there are specific data privacy laws in place that regulate how companies can collect, store, and share customer data.
While the EU has a comprehensive data privacy law, the General Data Protection Regulation (GDPR), which covers all different types of data, only three US states currently have similar, all-encompassing data privacy laws (California, Virginia, and Colorado). Instead, the US has many different laws designed to target specific types of data. For example, the Fair Credit Reporting Act (FCRA) protects information in your credit report, and the Family Educational Rights and Privacy Act (FERPA) protects students’ education reports from being freely accessible.
However, because of how much time we spend online nowadays, we’re putting more of our personal data out there for others to see than ever before. As a result, it is not only important to understand how protected your data is when you share it with a company, but also how private it is when you share it online.
How to protect your data privacy
Here are some of our top tips for data privacy protection:
Only give your data to trustworthy companies and websites — Perhaps you’ve come across a new online clothing store or seen an app on the app store that takes your fancy, but you’re unsure if you can trust the company. If you’ve never heard of the company before, it’s best to do some quick research to learn whether or not you can trust it with your data.
Think twice before sharing — With social media being such a big part of our everyday lives, it’s easy to forget that what we post online, stays online forever. Always think twice before sharing something online. Don’t publicly share personal information such as your address, phone number, or social security number.
Take advantage of privacy settings — On every website, app, and game that you use, make sure you’re taking advantage of the built-in privacy settings. By doing so, you’ll ensure that only people you know can view your information.
Use strong passwords and enable 2FA — When you create an online account, you almost always need to share lots of personal data — your full name, email address, and date of birth, for example. Although this data isn’t publicly accessible, if a hacker were to gain access to one of your accounts, they would be able to see all this information. To avoid this happening, make sure to use only strong, tough-to-hack passwords and that all your accounts have two-factor authentication (2FA) enabled.
Use a VPN on public Wi-Fi — Unprotected Wi-Fi networks are notoriously unsecure. Because no password is required to access them, nearby hackers can steal any data transferred over them. To protect yourself, always use a VPN on public Wi-Fi networks.
Data leaks in 2021 — T-Mobile, LinkedIn, Moncler & CoinMarketCap
The truth is, no matter how well a company abides by data privacy laws and how thoroughly it protects its customers’ data, it can never be 100% data leak-proof. In 2021 alone, a shocking number of companies suffered high-profile data leaks, including T-Mobile, LinkedIn, Moncler, and CoinMarketCap. Those leaks resulted in hundreds of millions of people having their sensitive personal data leaked, which is used by criminals to commit all sorts of crimes — with the most concerning of them all being identity theft.
According to the Federal Trade Commission, there were over 1 million reports of identity theft in 2021. Below are some of the things the FTC says criminals can do with your data:
Get new credit cards in your name.
Open a phone, electricity, or gas account in your name.
Steal your tax refund.
Get medical care under your name (and leave you with a huge bill!).
Pretend to be you if they get arrested.
Cybercriminals often put stolen data up for sale on underground forums on the regular internet, as well as the dark web. And as you can imagine, personal information that is particularly valuable to them can fetch a high price. On average, on the dark web, a driver’s license will go for $205, an ID card for $213, and a passport sells for a whopping $684!
How to stay protected from data leaks
You might be thinking that staying protected from data leaks is an impossible task, but the answer is easy: Trend Micro™ ID Security . Available for Android and iOS, Trend Micro™ ID Security can scan the internet and the dark web 24/7 for your personal information. If your data is leaked, the app notifies you immediately so you can take action to avoid people stealing your identity. If your information is out there, you’ll be the first to know!
Here are some of the features offered by Trend Micro™ ID Security :
Personal Data Protection Score — See exactly how safe your online personal data is with your customized Protection Score.
24/7 Comprehensive Personal Data Monitoring — ID Security can scan the internet and the dark web for all your personal information including up to 5 email addresses and bank account numbers, 10 credit card numbers, your Social Security number, and lots more.
Social Media Account Protection — Strengthen the security of your social media accounts. Be instantly alerted if your Facebook or Twitter account’s data is leaked by cybercriminals.
If you value your security and privacy, then a VPN is an absolute necessity. A VPN, or virtual private network, stops others (even your internet service provider) from snooping on your online activity by routing all your internet traffic through a secure, encrypted tunnel. VPNs work especially well for guaranteeing that you’re protected even when using unsecured public Wi-Fi networks, too.
And nowadays, with all of us using our mobile devices more than ever before to get online, it is essential that our cell phones are equipped with a VPN so we can be fully protected on the go.
How can I set up a VPN on my iPhone?
There are two ways to accomplish this. The first method — and the one that will be most suitable for the majority of people — is to choose a VPN provider and then download and install its app from the Apple App Store. In general, the process will be super easy and the installer will guide you through any settings that you may need to configure.
Take VPN Proxy One Pro for example. The setup process simply couldn’t be any easier. Within minutes of downloading the app from the App Store (click here to do this, by the way), your iPhone will be protected by world-leading encryption and you’ll be free to connect to the internet safely, even on public Wi-Fi networks.
The second method, which is outlined below, is only recommended for those who are a little more tech-savvy. This option is perfect for people who want more control over their VPN experience and don’t mind putting in the extra time and effort to get it. This method allows you to choose which protocol you use as well as customize other settings, but it does require some additional knowledge.
But before we explain the second method, we need to quickly talk about VPN protocols…
What are the VPN protocols natively supported by iOS?
Before you can manually set up a VPN on your iPhone, you’ll need to select which VPN protocol you wish to use. Here are the ones that natively work with iOS:
L2TP
L2TP (Layer 2 Tunneling Protocol) is a type of tunneling protocol. Because L2TP does not offer any encryption on its own, it is normally paired with IPSec (see below). The two technologies form an excellent partnership and together provide great security. It is not as fast as some other options, however.
IKEv2
Just like L2TP, IKEv2 (Internet Key Exchange version 2) also doesn’t offer any encryption of its own, so must also be paired with IPSec. It is faster than L2TP and works particularly well with mobile devices because it can easily move between connection types (Wi-Fi to a cellular network, for example). Although it was jointly developed by Microsoft and Cisco, it is still natively supported by iOS.
IPSec
IPSec (Internet Protocol Security) is also natively supported by iOS and can be used on its own as a VPN protocol.
How to manually set up a VPN on iPhone
Once you’ve decided on which protocol to use, to manually configure a VPN on iOS, go to Settings > General > VPN > Add VPN Configuration > Type. From here, you can select either IKEv2, IPSec, or L2TP (which actually comes with IPSec, even though it isn’t made clear).
After selecting the VPN protocol type, you will need to fill out the other details. Most of the additional information should be available on the VPN provider’s website, either in your account settings or in the online documentation, but if you are unsure of where to find anything, it is best to contact them directly.
Once you’ve filled in all the required information, click Done in the right-hand corner and you’re good to go!
Stay connected, stay secure
If you, like most of us, rely on your mobile device to stay connected, then the value that a VPN offers simply cannot be understated. With everyone using their mobile devices for so much these days — email, social media, online shopping, etc. —when it comes to protecting our sensitive data and safeguarding our privacy, VPNs are effectively essential.
Regardless of how you go about setting up your VPN on your iPhone — whether you choose to just quickly download and install the app or configure each of the settings individually, VPN Proxy One Pro is a truly excellent choice. Click the button below to read more about it.
This web-based tool can help identify server applications that may be affected by the Log4Shell (CVE-2021-44228, CVE-2021-45046) vulnerability.
It allows you to generate a request that you can run in your environment and test if the server is vulnerable.
There are three options for using this tool:
Use the generated JNDI snapshot and add that entry to any of the form fields on the site or add this to the HTTP Header for User-Agent.
Your unique JNDI snapshot is ${jndi:ldap://log4j-tester.trendmicro.com:1389/b64c656f-ffcb-4fda-a06b-a4b8753e03cb}
For Internal Server: Generate a quick curl command to test your servers.
For Public Facing Server: Just provide the address of the server and we will try to create a simulated query. Make sure you are hitting some API endpoint/form which eventually does an action in the backend. If the unique ID provided here shows up in the results section below, the server may be vulnerable and should be investigated further. If it does not show up, it does not guarantee that the server is not vulnerable.
Use the following tool to test your application endpoints. GET POST with User-Agent HTTP Headerwith X-Api-Version Headerwith URL Parameterswith Form Datawith custom HTTP HeaderObfuscate data
System environment variables
System properties
Lower/Upper
Lower special
Send request
You can use the generated cURL command below for testing:URL
curl...
Windows Mac/Linux
Results
If you submit and see results here, that means the server may be vulnerable and should be investigated further. If there are no results, it does not guarantee that the server is not vulnerable. This table will be refreshed every 10 seconds.
Next refresh in 4 seconds.
Unique ID
Timestamp
Information
CVE-2021-44228
“Log4Shell” and “Logjam.” Apache Log4j2 <=2.14.1 is vulnerable to remote code execution by downloading code from LDAP server using JNDI.Read more
CVE-2021-45046
Apache Log4j 2.15.0 is vulnerable to a denial of service (DOS) attack when using ThreadContext values and context lookups.Read more
Protection and Investigation
Analysis and Advisory – From Trend Micro Threat ResearchRead more
Credits
Trend Micro’s vulnerability scanner is based on the following projects:
On December 9, 2021, a new critical 0-day vulnerability impacting multiple versions of the popular Apache Log4j 2 logging library was publicly disclosed that, if exploited, could result in Remote Code Execution (RCE) by logging a certain string on affected installations.
On December 14, 2021, information about a related vulnerability CVE-2021-45046 was released that recommended that users upgrade to at least version 2.16.0+ of Log4j 2.
Based on our analysis, the rules and protections listed below for CVE-2021-44228 are also effective against CVE-2021-45046.
On December 28th, yet another RCE (CVE-2021-44832) was discovered and disclosed. Although not as critical as the initial vulnerabilities (CVSS 6.6), it is still recommended that administrators do their due diligence to update to the latest version available (2.17.1).
Background
Log4j is an open-open source, Java-based logging utility that is widely deployed and used across a variety of enterprise applications, including many cloud services that utilize Apache web servers.
The vulnerability (assigned as CVE-2021-44228) is a Java Naming and Directory InterfaceTM (JNDI) injection vulnerability in the affected versions of Log4j listed above. It can be triggered when a system using an affected version of Log4j 2 includes untrusted data in the logged message – which if this data includes a crafted malicious payload, a JNDI lookup is made to a malicious server. Depending on the information sent back (response) a malicious Java object may be loaded, which could eventually lead to RCE. In addition, attackers who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
The challenge with this vulnerability is widespread use of this particular logging utility in many enterprise and cloud applications. JDNI lookups support multiple protocols, but based on analysis so far, exploitability depends on the Java versions and configurations. From a practical standpoint, just because a server has implemented an affected version of Log4j 2, it does not automatically mean it is vulnerable depending on its configuration.
Trend Micro Research is continuing to analyze this vulnerability and its exploits and will update this article as more information becomes available. A comprehensive blog with more background information can be found here .DETAILS
Protection Against Exploitation
First and foremost, it is always highly recommended that users apply the vendor’s patches when they become available.
A new version of Log4j 2 has been released which reportedly resolves the issue: Version 2.17.1 is now availableand is the suggested update. Users with affected installations should consider updating this library at the earliest possible time.
Note: due to additional waves of new exploits, the previous manual mitigation steps published have proven not to be sufficient and have been removed.
Trend Micro Protection and Investigation
In addition to the vendor patch(s) that should be applied, Trend Micro has released some supplementary rules, filters and detection protection that may help provide additional protection and detection of malicious components associated with this attack servers that have not already been compromised or against further attempted attacks.
Trend Micro Log4j Vulnerability ScannerTrend Micro Research has created a quick web-based scanning tool that can help users and administrators identify server applications that may be affected but the Log4Shell vulnerability.The tool can be found at: https://log4j-tester.trendmicro.com/ and a demo video can be found at: https://youtu.be/7uix6nDoLBs.
Trend Micro Log4Shell Vulnerability Assessment ToolTrend Micro also has created a free assessment tool that can quickly identify endpoints and server applications that may have Log4j using the power of Trend Micro Vision One.This quick and easy self-serve security assessment tool leverages complimentary access to the Trend Micro Vision One threat defense platform, so you can identify endpoints and server applications that may be affected by Log4Shell. The assessment instantly provides a detailed view of your attack surface and shares next steps to mitigate risks.
Please note, if you are already a Trend Micro Vision One customer, you do not need to complete the form. Simply log into your console and you will be provided instructions to complete the assessment of your exposure.
Trend Micro Vision One™
Trend Micro Vision One customers benefit from XDR detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, Trend Micro Vision One customers may be able to sweep for IOCs retrospectively to identify if there was potential activity in this range to help in investigation.
Vision One Threat Intelligence Sweeping
Indicators for exploits associated with this vulnerability are now included in the Threat Intelligence Sweeping function of Trend Micro Vision One. Customers who have this enabled will now have the presence of the IOCs related to these threats added to their daily telemetry scans.
The first sweep, “Vulnerable version of log4j….” is slightly different than the others in that instead of specific IOCs, it is looking for specific instances of log4j libraries on systems which can help a customer narrow down or give additional insights on potentially vulnerable systems.
The results of the intelligence scans will populate in the WorkBench section of Vision One (as well as the sweep history of each unfolded threat intelligence report).
Please note that customers may also manually initiate a scan at any time by clicking the 3 dots at the right of a rule and selecting the “Start Sweeping” option.
Vision One Search Queries for Deep Security Deep Packet Inspection
Customers who have Trend Micro Cloud One – Workload Security or Deep Security may utilize the following search query to identify hosts and then additional queries can be made with a narrowed timeframe on those hosts as additional information is learned about exploits.
eventName:DEEP_PACKET_INSPECTION_EVENT AND (ruleId:1008610 OR ruleId:1011242 OR ruleId:1005177) AND ("${" AND ("lower:" OR "upper:" OR "sys:" OR "env:" OR "java:" OR "jndi:"))
Trend Micro Cloud One™ – Conformity
Trend Micro Cloud One – Conformity allows gives customers central visibility and real-time monitoring of their cloud infrastructure by enabling administrators to auto-check against nearly 1000 cloud service configuration best practices across 90+ services and avoid cloud service misconfigurations.
The following rules are available to all Trend Micro Cloud One – Conformity customers that may help provide more insight to customers looking to isolate affected machines (more information can be found here for rule configuration):
Lambda-001 : identifies all Lambdas that are running Java which may be vulnerable.
Unrestricted Security Group Egress (EC2-033) : identifies security groups that may be associated with, for example, an EC2 that may be compromised and then has the ability to communicated externally.
Preventative Rules, Filters & Detection
A demo video of how Trend Micro Cloud One can help with this vulnerability can be found at: https://youtu.be/CorEsXv3Trc.
Trend Micro Cloud One – Workload Security and Deep Security IPS Rules
Rule 1008610 – Block Object-Graph Navigation Language (OGNL) Expressions Initiation In Apache Struts HTTP Request
Rule 1008610 is a SMART rule that can be manually assigned to assist in protection/detection against suspicious activity that may be associated with this threat. This is not a comprehensive replacement for the vendor’s patch.
Please also note that rule 1008610 is shipped in DETECT, and must be manually changed to PREVENT if the administrator wishes to apply this. Also, please be aware that due to the nature of this rule, there may be False Positives in certain environments, so environment-specific testing is recommended.
Rule 1011249 – Apache Log4j Denial of Service Vulnerability (protects against CVE-2021-45105)
Trend Micro Cloud One – Workload Security and Deep Security Log Inspection
Rule 4643: POSSIBLE HTTP BODY OGNL EXPRESSION EXPLOIT – HTTP (REQUEST) – Variant 2
Trend Micro Cloud One – Network Security and TippingPoint Recommended Actions
Filter 40627 : HTTP: JNDI Injection in HTTP Header or URI
This was released in Digital Vaccine #9621 and has replaced CSW C1000001 that was previously released.
Trend Micro recommends customers enable this filter in a block and notify posture for optimal coverage. Starting with Digital Vaccines released on 12/21/2021, it will be enabled by default. Since it may not be enabled in your environment, Trend Micro strongly recommends you confirm the filter is enabled in your policy.
What other controls can be used to disrupt the attack?
This attack is successful when the exploit is used to initiate a transfer of a malicious attack payload. In addition to the filter above, these techniques can help disrupt that chain:
Geolocation filtering can be used to reduce possible attack vectors. Geolocation filtering can block inbound and outbound connections to any specified country, which may limit the ability for attackers to exploit the environment. In cases where a business only operates in certain regions of the globe, proactively blocking other countries may be advisable.
For TippingPoint IPS, TPS, and vTPS products Trend Micro also recommends enabling DNS and URL reputation as a proactive means of securing an environment from this vulnerability. Leveraging Trend Micro’s rapidly evolving threat intelligence, TippingPoint appliances can help disrupt the chain of attack destined to known malicious hosts.
Additionally, Reputation filtering can be leveraged to block Anonymous proxies that are commonly used in exploit attempts. Any inbound or outbound connections to/from an anonymous proxy or anonymizer service can be blocked by configuring a reputation filter with “Reputation DV Exploit Type” set to “Tor Exit” to a Block action.
For Cloud One – Network Security Anonymous proxies are also an independent, configurable “region” that can be selected as part of Geolocation filtering. This will block any inbound or outbound connection to/from an anonymous proxy or anonymizer service, which can be commonly used as part of exploit attempts.
Domain filtering can also be used to limit the attack vectors and disrupt the attack chain used to exploit this vulnerability. In this case, any outbound connection over TCP is dropped unless the domain being accessed is on a permit list. If the attacker’s domain, e.g. http://attacker.com, is not on the permit list, then it would be blocked by default, regardless of IPS filter policy.
Trend Micro Malware Detection Patterns (VSAPI, Predictive Learning, Behavioral Monitoring and WRS) for Endpoint, Servers, Mail & Gateway (e.g. Apex One, Worry-Free Business Security Services, Worry-Free Business Security Standard/Advanced, Deep Security w/Anti-malware, etc.)
Web Reputation (WRS): Trend Micro has added over 1700 URLs (and growing) to its WRS database to block that are linked to malicious reporting and communication vectors associated with observed exploits against this vulnerability.
Ransomware Detection – there have been observations about a major ransomware campaign (Khonsari) being utilized in attacks and Trend Micro detects components related to this as Ransom.MSIL.KHONSARI.YXBLN.
VSAPI (Pattern) Detections: the following detections have been released in the latest OPR for malicious code associated with exploits –
Trojan.Linux.MIRAI.SEMR
HS_MIRAI.SMF
HS_MIRAI.SME
Trojan.SH.CVE20207961.SM
Backdoor.Linux.MIRAI.SEMR
Trojan.SH.MIRAI.MKF
Coinminer.Linux.KINSING.D
Trojan.FRS.VSNTLB21
Trojan.SH.MALXMR.UWELI
Backdoor.SH.KIRABASH.YXBLL
Backdoor.Linux.MIRAI.SMMR1
Coinminer.SH.MALXMR.UWEKG
Coinminer.Linux.MALXMR.SMDSL64
Backdoor.Linux.GAFGYT.SMMR3
Coinminer.Win64.MALXMR.TIAOODGY
Rootkit.Linux.PROCHID.B
ELF_SETAG.SM
Backdoor.Linux.TSUNAMI.AMZ
Coinminer.PS1.MALXMR.PFAIQ
Trojan.SH.TSUNAMI.A
Trojan.PS1.METERPRETER.E
Coinminer.Linux.MALXRMR.PUWENN
Trend Micro Cloud One – Application Security
Trend Micro Cloud One – Application Security can monitor a running application and stop unexpected shell commands from executing. The product’s RCE configuration can be adjusted to help protect against certain exploits associated with this vulnerability using the following steps:
Log into Trend Micro Cloud One and navigate to Application Security.
Select “Group;s Policy” in the left-hand menu and find your application’s Group.
Enable “Remote Command Execution” if not already enabled.
Click the hamburger icon for “Configure Policy” and then click the ” < INSERT RULE > ” icon.
Input (?s).*in the “Enter a pattern to match” field and hit “Submit” and “Save Changes.”
Double-check that “Mitigate” is selected in your “Remote Command Execution” line item.
Trend Micro Cloud One – Open Source Security by Snyk
Trend Micro Cloud One – Open Source Security by Snyk can identify vulnerable versions of the log4j library across all organization source code repositories with very little integration effort. Once installed, it can also monitor progress on updating to non-vulnerable versions.
Trend Micro is continuing to actively research the potential exploits and behavior around this vulnerability and is actively looking for malicious code that may be associated with any exploit attempts against the vulnerability and will be adding additional detection and/or protection as they become available.
–
Impact on Trend Micro Products
Trend Micro is currently doing a product/service-wide assessment to see if any products or services may be affected by this vulnerability. Products will be added to the lists below as they are validated.
Products Confirmed Not Affected (Including SaaS Solutions that have been patched):
5G Mobile Network Security
Not Affected
ActiveUpdate
Not Affected
Apex Central (including as a Service)
Not Affected
Apex One (all versions including SaaS, Mac, and Edge Relay))
A keylogger, which is also known as a keystroke logger or a keyboard capturer, is a piece of software or hardware developed to monitor and record everything you type on a keyboard. In this article, we dive into everything you need to know about them and teach you how to protect yourself from them!
Is a keystroke logger a virus?
It depends. Keyloggers were designed for legitimate purposes. They were originally used for computer troubleshooting, employee activity monitoring, and as a way to discover how users interact with programs so their user experience could be enhanced. However, they’ve since been used by hackers and criminals as a tool for stealing sensitive data such as usernames, passwords, bank account information, and other confidential information.
Generally, a keylogger is insidiously installed alongside an otherwise legitimate program. As a result, users are almost always unaware that their keystrokes a being monitored. Oftentimes, when a user’s computer is infected with a keylogger trojan, the malicious software will keep track of their keystrokes and save the information to their computer’s local drive. Later the hacker will retrieve the stored data. For this reason, keyloggers pose a serious threat to computer security and data privacy.
Keyloggers are separated into the following categories, based on how they work:
API-based
These keyloggers Application programming interfaces (APIs) allow software to communicate with hardware. API-based keyloggers intercept every keyboard input sent to the program you’re typing into.. This type of keylogger registers keystroke events as if it was a normal aspect of the application instead of malware. Each time a user presses or releases a key it is recorded.
Form grabbing-based
Form grabbing-based keyloggers log web form submissions by recording the inputted data when they are submitted. When a user submits a completed form, usually by clicking a button or pressing enter, their data is recorded even before it is passed over the Internet.
Kernel-based
These keyloggers work their way into a system’s core, allowing them access to admin-level permissions. These loggers have unrestricted access to everything entered into a computer system.
Javascript-based
A malicious script tag is injected into a targeted web page and it listens for keyboard events. Scripts can be injected using a variety of methods, including cross-site scripting, man-in-the-browser, and man-in-the-middle attacks, or when a website’s security is compromised.
How do keyloggers get on computers?
Most of the time, they infect computers with outdated antivirus software and ones without any antivirus software at all.
There are several scenarios that you need to be aware of:
Keyloggers can be installed through web page scripts. Hackers utilize web browser vulnerabilities and embed malicious code on a webpage that silently executes the installation or data hijacking.
Phishing. Keyloggers can be installed after users click on a nefarious link or open a malicious attachment in a phishing email.
Social engineering. Some criminals use psychological manipulation to fool unsuspecting people into installing a keylogger by invoking urgency, fear, or anxiety in them.
Unidentified software downloaded from the internet. Sometimes cracked software or applications from unidentified developers will secretly install a keylogger on a computer system.
How to detect a keylogger on my computer?
At this point, you might be interested in learning how you can detect a keylogger on your computer. The truth is, keyloggers are not easy to detect without the help of security software. Running a virus scan is necessary to detect them.
Trend Micro Housecall is an online security scanner that detects and removes viruses, worms, spyware, and other malicious threats such as keyloggers for free.
How to prevent keystroke logging malware?
Keyloggers are dangerous. Preventing them from ever being installed on your computer is a top priority. It is necessary to be proactive in protecting your computer to ensure that your data doesn’t get stolen.
Here are several tips to follow:
Carefully inspect user agreements for software before agreeing to them. There should always be a section covering how your data is used.
Install a trusted antivirus app such as TrendMicro Maximum Security. Always keep your antivirus on and regularly run scheduled scans of your device.
Make sure your security software is up to date.
Make sure your operating system is up to date and all the security patches are installed.
Avoid visiting suspicious websites and don’t click on any unusual links or e-mail attachments from unknown senders.
Only download and install software from trusted developers and sources.
Modern technology has made managing large IT environments much less daunting compared to the past, when each endpoint had to be manually configured and maintained. Many organizations now use tools and IT solutions that allow centralized management of endpoints, making it possible to update, troubleshoot, and deploy applications from a remote location.
However, this convenience comes at a price — just as IT staff can access machines from a single location, the centralized nature of modern tech infrastructure also means that malicious actors can target the primary hub to gain access to the whole system. Even more concerning, cybercriminals no longer even have to launch a direct attack against an organization — they can bypass security measures by focusing on their target’s supply chain. For example, instead of trying to find weak points in the system of a large organization that will likely have strong defenses, an attacker can instead target smaller companies that develop software for larger enterprises.
In this blog entry, we will take a look at two examples of supply chain attacks that our Managed Detection and Response (MDR) team encountered in the past couple of months.
Incident #1: Attack on the Kaseya platform
On July 2, during the peak of the Kaseya ransomware incident, we alerted one of our customers, notifying them about ransomware detections in their system.
Figure 1. The timeline of the incident
Our investigation found suspicious activity when the file AgentMon.exe, which is part of the Kaseya Agent, spawned another file, cmd.exe, that is responsible for creating the payload agent.exe, which in turn dropped MsMpEng.exe
By expanding our root cause analysis (RCA) and checking the argument for cmd.exe, we were able to see a few items before the execution of the ransomware. These initial set of indicators of compromise (IoCs) are similar to the ones discussed in another blog post.
Figure 2. Vision One console showing the attack’s infection chain
We found that the malware attempted to disable the anti-malware and anti-ransomware features of Windows Defender via PowerShell commands. It also created a copy of the Windows command line program Certutil.exe to “C:\Windows\cert.exe”, which is used to decode the payload file agent.crt, with the output given the name agent.exe. Agent.exe is then used to create the file MsMpEng.exe, a version of Windows Defender that is vulnerable to DLL side-loading.
Figure 3. Details of the threat
Machine learning detection capabilities managed to block and detect the ransomware, however, the protection module was not activated in all the security agents of Trend Micro Apex One™ — so the organization’s support requested the team to check their product settings. Because the process chain showed that the ransomware came from a Kaseya agent, we requested our customer to isolate the Kaseya servers to contain the threat.
A few hours later, Kaseya released a notice to their users to immediately shut down their Virtual System/Server Administrator (VSA) server until further notice.
Incident #2: Credential dumping attack on the Active Directory
The second supply chain incident handled by our MDR team starts with an alert to a customer that notified them of a credential dump occurring in their active directory (AD). The Incident View in Trend Micro Vision One™️ aggregated other detections into a single view, providing additional information on the scope of the threat. From there, we were able to see a server, an endpoint, and a user related to the threat.
Figure 4. Vision One’s incident view showing the threat’s details
Our threat hunting team also noted suspicious behavior related to WmiExec. Further investigation of the affected hosts’ Ownership Alignment Tools (OATs) show a related entry for persistence:
Figure 5. OAT flagging a suspicious creation of a scheduled task
We found scheduled tasks being utilized as a persistence mechanism for the file System.exe. Further analysis of this file shows that it is related to GO simple tunnel, which is used to forward network traffic to an IP address depending on the argument.
Checking the initial alert revealed a file common in the two hosts, which prompted us to check the IOC list to determine the other affected hosts in the environment.
Figure 6. Discovery commands and access to a malicious domain evident in the process chain
Expanding the nodes from the RCA allowed us to gather additional IOCs that showed setup0.exe creating the file elevateutils.exe. In addition, elevateutils.exe was seen querying the domain vmware[.]center, which is possibly the threat’s command-and-control (C&C) server. We also discovered the earliest instance of setup0.exe in one of the hosts.
The samples setup0.exe is an installer for elevateutils.exe which seems to be a Cobalt Strike Beacon Malleable C&C stager based on our analysis. The installer may have been used to masquerade as a normal file installation.
Figure 7. The presence of EICAR strings is an indicator of it being of elevateutils.exe being a Cobalt Strike Beacon
The stager elevateutils.exe: will try to load the DLL chartdir60.dll, which will in turn read the contents of manual.pdf (these are also dropped by the installer in the same directory as elevateutil.exe). It will then decrypt, load, and execute a shell code in memory that will access the URL vmware[.]center/mV6c.
It makes use of VirtualAlloc, VirtualProtect, CreateThread, and a function to decrypt the shellcode to load and execute in memory. It also uses indirect API calls after decryption in a separate function, then uses JMP EAX to call the function as needed, which is not a routine or behavior that a normal file should have.
Since it’s possible that this is a Cobalt Strike Malleable C&C stager, further behaviors may be dependent on what is downloaded from the accessed URL. However, due to being inaccessible at the time of writing this blog post, we were unable to observe and/or verify other behaviors.
Use of the Progressive RCA of Vision One allowed us to see how elevateutils.exe was created, as well as its behaviors. The malicious file was deployed via a Desktop Central agent.
Figure 8. Viewing the behaviors of elevateutils.exeFigure 9. The console showing the attack’s infection chain
Based on these findings, our recommendation to the customer was to check the logon logs of the affected application to verify any suspicious usage of accounts during the time the threat was deployed.
By closely monitoring the environment, the threat was stopped after the credential dump. Furthermore, the IOCs (IP addresses and hashes) were added to the suspicious objects list to block them while waiting for detections. Further monitoring was done and no other suspicious behavior were seen.
Defending against supply chain attacks
As businesses become more interconnected, a successful supply chain attack has the potential to cause a significant amount of damage to affected organizations. We can expect to see more of these in the future, as they often lead to the same results as a direct attack while providing a wider attack surface for malicious actors to exploit.
Supply chain attacks are difficult to track because the targeted organizations often do not have full access to what’s going on security-wise with their supply chain partners. This can often be exacerbated by security lapses within the company itself. For example, products and software may have configurations — such as folder exclusions and suboptimal implementation of detection modules — that make threats more difficult to notice.
Security audits are also a very important step in securing the supply chain. Even if third party vendors are known to be trustworthy, security precautions should still be deployed in case there are compromised accounts or even insider threats.
Using Vision One to contain the threat
Trend Micro Vision One provides offers organizations the ability to detect and respond to threats across multiple security layers. It provides enterprises options to deal with threats such as the ones discussed in this blog entry:
It can Isolate endpoints, which are often the source of infection, until they are fully cleaned or the investigation is done.
It can block IOCs related to the threat, this includes hashes, IP addresses, or domains found during analysis.
Malicious actors taking advantage of important events is not a new trend. For example, a large number of tax-related scams pops up every tax season in the US, with threats ranging from simple phishing emails to the use of scare tactics that lead to ransomware. More recently, Covid-19 has led to a surge in pandemic-related malicious campaigns, mostly arriving via email.
For many people, major online shopping events such as the annual Amazon Prime day — which falls on June 21 this year — presents a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams. Amazon Prime has experienced tremendous growth over the past two years. According to estimates, there were 150 million Prime members at the end of the fourth quarter of 2019, a number which grew to 200 million by the first quarter of 2021 — with around 105 million users in the US alone. This makes Amazon Prime customers a particularly lucrative target for malicious actors.
As Amazon Prime day approaches, we’d like to build awareness among the shopping public by showing some of the related scams we’ve observed over the past few months.
Amazon Prime Scams
In 2020, Amazon Prime day, which is usually held in June or July, was postponed to October due to Covid-19. That same month, the Australian Communications and Media Authority (ACMA) issued an alert warning the public that they had been receiving reports of scammers — impersonating Amazon Prime staff — calling their targets, claiming that they owed money to Amazon. They also warned the victim that funds would be taken from their bank account if they did not act immediately. Often, the goal of these scammers is to retrieve Amazon account details and personal data from their victims by asking them to go online and enter the relevant information.
A variation of this scam involves swindlers calling their targets and presenting them with a recorded message, allegedly from Amazon, notifying call recipients of an issue with their order — such as a lost package or an unfulfilled order. The victims would then be invited to either press the number “1” button on their phone or provided a number that they would need to call. As with the first scam, the goals are the same: gaining personal information.
Aside from phone call scams, malicious actors also use tried-and-tested email-based phishing tactics. One method uses fake order invoices with corresponding phony order numbers and even a bogus hotline number, which, once called, will prompt the recipient to enter their personal details.
Another technique involves the scammer notifying an Amazon Prime user of problems with their account: For example, a Twitter post from user VZ NRW – Phishing shows fake Amazon Prime message warning the recipient that their Prime benefits have allegedly been suspended due to a problem with the payment. The message also contains a fake phishing link that the user would have to click to resolve the issue.
Figure 1. An example of an email scam, coming from “Amazon Prime” complete with a fake order ID and hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”
hotline number. Note the suspicious email address used by the sender containing a misspelled “Amazon.”
Malicious actors will also make use of fake websites and online forms — many of which are painstakingly crafted to match the official sites as much as possible. One phishing website asks users to confirm payment details by filling out certain information. However, despite looking authentic, the page contains plenty of red flags — for example, none of the outbound links actually work, and the forms used in the page requests more data than usual, including personal information that companies typically never ask users to provide.
A precursory search in VirusTotal using the strings “Amazon” and “Prime” reveal over a hundred PDF files, many of which contain movie names (membership in Amazon Prime also makes users eligible for Prime Video). These PDF files are hosted on various cloud services, with the link to these files typically distributed via malicious emails.
Figure 2. VirusTotal results using “Amazon” and “Prime” search strings
Upon opening some of these files, a Captcha button appears, which will activate a malicious redirection chain when clicked.
Figure 3. Captcha button that appears when clicking some of the VirusTotal samples.
While it’s easy to assume that most of these scammers are single individuals or small groups looking for a quick buck, there are certain threat actor groups that use sophisticated social engineering techniques for their campaigns, which includes Amazon users as a primary target.
The Heatstroke phishing campaign
We first encountered the phishing campaign known as Heatstroke back in 2019, noting that the group behind the campaign utilized complex techniques for both researching about and luring in their victims, which were primarily Amazon and Paypal users.
For example, compared to the webpage from the previous section, Heatstroke makes use of a phishing website with multiple working screens and subpages to try and mimic a legitimate website as much as possible. In addition, Heatstroke implements various obfuscation techniques such as forwarding the phishing kit content from another location or changing the landing page to bypass content filters.
Figure 4. Heatstroke’s infection chain, which they have been using since 2019
The threat actor has implemented some improvements over the past two years — such as expanded IP ranges and improvements to user agents and the kit’s “self-defense” mechanisms (coverage of scams, anti-bot, and IP protection services), as well as the addition of an API and kill date, after which the kit won’t work anymore.
Heatstroke remains active with a well-maintained infrastructure in 2021. The threat actor largely uses the same techniques from the past. However, it might be a case of not fixing what isn’t broken, given how effective the previous campaigns proved to be.
Defending against scams
As exciting as Amazon Prime Day (and other similar shopping extravaganzas like Black Friday and Cyber Monday) is, the public should remain vigilant against potential scams, as cybercriminals are looking to capitalize on these types of events.
The following best practices and recommendations can help individuals avoid these kinds of scams:
Most reputable organizations will never ask for sensitive financial information over the phone. If a caller allegedly coming from Amazon or another company asks for strangely specific information such as credit card or bank account numbers, this is an automatic red flag.
Be wary of out-of-context emails. If you receive an email referencing an item you did not purchase, then it is highly likely that the email is a phishing attempt. Refrain from downloading attachments or clicking links in suspicious emails, as these can lead to malware infections.
Scan emails for typographical or grammatical mistakes. Legitimate emails will always be thoroughly checked and edited before being sent, therefore even small errors are possible signs of a malicious email.
Always double check the URL of a website to see if it matches up with the real one. For example, Amazon websites and subpages will always have a dot before “amazon.com” (for example, “support.amazon.com” versus “support-amazon.com”), therefore, even if a website copies the design of the legitimate one, a sketchy URL will often give it away as being malicious. In the same vein, email addresses should be scrutinized to see if they look suspicious or have any unusual elements.
Organizations are also encouraged to regularly check the awareness of employees on the latest cyberthreats via Trend Micro Phish Insight, a cloud-based security awareness service that is designed to empower employees to protect themselves and their organization from social engineering-based attacks.
Updated May 17, 2021, 3:25 a.m. Eastern Time: This article has been updated to add references to the DarkSide victim data.
On May 7, a ransomware attack forced Colonial Pipeline, a company responsible for nearly half the fuel supply for the US East Coast, to proactively shut down operations. Stores of gasoline, diesel, home heating oil, jet fuel, and military supplies had been so heavily affected that the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states to help with the shortages.
It has been five days since the shutdown prompted by the attack, but Colonial Pipeline is still unable to resume full operations. Outages have already started affecting motorists. In metro Atlanta, 30% of gas stations are without gasoline, and other cities are reporting similar numbers. To keep supplies intact for essential services, the US government has issued advisories against hoarding.
Apart from locking Colonial Pipeline’s computer systems, DarkSide also stole over 100 GB of corporate data. This data theft is all the more relevant in light of the fact that the group has a history of doubly extorting its victims — not only asking for money to unlock the affected computers and demanding payment for the captured data, but also threatening to leak the stolen data if the victims do not pay. As we will cover later, DarkSide shows a level of innovation that sets it apart from its competition, being one of the first to offer what we call “quadruple extortion services.”
The group announced on May 12 that it had three more victims: a construction company based in Scotland, a renewable energy product reseller in Brazil, and a technology services reseller in the US. The DarkSide actors claimed to have stolen a total of 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.
Trend Micro Research found dozens of DarkSide ransomware samples in the wild and investigated how the ransomware group operates and what organizations it typically targets.
The DarkSide ransomware
DarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (with double extortion as an example). Modern ransomware attacks are also typically done by several groups who collaborate and split profits. These attacks may look more like advanced persistent threat (APT) attacks than traditional ransomware events.
Here is a short timeline of DarkSide activity compiled from publicly available reports:
August 2020: DarkSide introduces its ransomware.
October 2020: DarkSide donates US$20,000 stolen from victims to charity.
November 2020: DarkSide establishes its RaaS model. The group invites other criminals to use its service. A DarkSide data leak site is later discovered.
November 2020: DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.
December 2020: A DarkSide actor invites media outlets and data recovery organizations to follow the group’s press center on the public leak site.
March 2021: DarkSide releases version 2.0 of its ransomware with several updates.
May 2021: DarkSide launches the Colonial Pipeline attack. After the attack, Darkside announces it is apolitical and will start vetting its targets (possibly to avoid raising attention to future attacks).
Initial access
In our analysis of DarkSide samples, we saw that phishing, remote desktop protocol (RDP) abuse, and exploiting known vulnerabilities are the tactics used by the group to gain initial access. The group also uses common, legitimate tools throughout the attack process to remain undetected and obfuscate its attack.
Throughout the reconnaissance and gaining-entry phases, we saw these legitimate tools used for specific purposes:
PowerShell: for reconnaissance and persistence
Metasploit Framework: for reconnaissance
Mimikatz: for reconnaissance
BloodHound: for reconnaissance
Cobalt Strike: for installation
For modern ransomware like DarkSide, gaining initial access no longer immediately leads to ransomware being dropped. There are now several steps in between that are manually executed by an attacker.
Lateral movement and privilege escalation
Lateral movement is a key discovery phase in the modern ransomware process. In general, the goal is to identify all critical data within the victim organization, including the target files and locations for the upcoming exfiltration and encryption steps.
In the case of DarkSide, we confirmed reports that the goal of lateral movement is to gain Domain Controller (DC) or Active Directory access, which will be used to steal credentials, escalate privileges, and acquire other valuable assets for data exfiltration. The group then continues its lateral movement through the system, eventually using the DC network share to deploy the ransomware to connected machines. Some of the known lateral movement methods deployed by DarkSide use PSExec and RDP. But as we previously noted, a modern ransomware group behaves with methods more commonly associated with APT groups — it adapts its tooling and methods to the victim’s network defenses.
Exfiltration
As is common practice with double extortion ransomware, critical files are exfiltrated prior to the ransomware being launched. This is the riskiest step so far in the ransomware execution process, as data exfiltration is more likely to be noticed by the victim organization’s security team. It is the last step before the ransomware is dropped, and the attack often speeds up at this point to complete the process before it is stopped.
For exfiltration, we saw the following tools being used:
7-Zip: a utility used for archiving files in preparation for exfiltration
Rclone and Mega client: tools used for exfiltrating files to cloud storage
PuTTy: an alternative application used for network file transfer
DarkSide uses several Tor-based leak sites to host stolen data. The file-sharing services used by the group for data exfiltration include Mega and PrivatLab.
Execution and impact
The execution of the actual ransomware occurs next. The DarkSide ransomware shares many similarities with REvil in this step of the process, including the structure of ransom notes and the use of PowerShell to execute a command that deletes shadow copies from the network. It also uses the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.
In addition to PowerShell, which is used to install and operate the malware itself, the group reportedly uses Certutil and Bitsadmin to download the ransomware. It uses two encryption methods, depending on whether the target operating system is Windows or Linux: A ChaCha20 stream cipher with RSA-4096 is used on Linux, and Salsa20 with RSA-1024 is used on Windows.
The following figure shows a sample ransom note from DarkSide.
Figure 1. A Darkside ransom note
It is interesting to note that DarkSide’s ransom note is similar to that of Babuk, which might indicate that these two families share a link.
DarkSide ransomware targets
Based on the group’s Tor leak sites, DarkSide determines whether to pursue targeting a potential victim organization by primarily looking at that organization’s financial records. It also uses this information to determine the amount of ransom to demand, with a typical ransom demand amounting to anywhere between US$200,000 and US$2 million.
Reports say that, based on the leak sites, there are at least 90 victims affected by DarkSide. In total, more than 2 TB of stolen data is currently being hosted on DarkSide sites, and 100% of victims’ stolen files are leaked.
The actors behind Darkside have stated that they avoid targeting companies in certain industries, including healthcare, education, the public sector, and the nonprofit sector. Organizations in manufacturing, finance, and critical infrastructure have been identified in Trend Micro data as targets.
Based on Trend Micro data, the US is by far DarkSide’s most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. As previously mentioned, DarkSide avoids victimizing companies in CIS countries. Part of the ransomware execution code checks for the geolocation of potential victims to avoid companies in these countries, although the group would likely be aware of the location of a target organization long before the ransomware is executed. That the group admittedly spares companies in CIS countries could be a clue to where DarkSide actors are residing. It is possible that they do this to avoid law enforcement action from these countries, since the governments of some of these countries do not persecute criminal acts such as DarkSide’s if they are done on foreign targets.
After the Colonial Pipeline attack, DarkSide released a statement on one of its leak sites clarifying that the group did not wish to create problems for society and that its goal was simply to make money. There is no way to verify this statement, but we know that the group is still quite active. As previously mentioned, DarkSide actors announced that they had stolen data from three more victims since the Colonial Pipeline attack.
MITRE ATT&CK tactics and techniques
The following are the MITRE ATT&CK tactics and techniques associated with DarkSide.
Conclusion
Ransomware is an old but persistently evolving threat. As demonstrated by the recent activities of DarkSide, modern ransomware has changed in many aspects: bigger targets, more advanced extortion techniques, and farther-reaching consequences beyond the victims themselves.
Ransomware actors are no longer content with simply locking companies out of their computers and asking for ransom. Now they are digging deeper into their victims’ networks and looking for new ways to monetize their activities. For example, a compromised cloud server can go through a complete attack life cycle, from the initial compromise to data exfiltration to resale or use for further monetization. Compromised enterprise assets are a lucrative commodity on underground markets; cybercriminals are well aware of how to make money from attacking company servers.
In the Colonial Pipeline attack, DarkSide used double extortion. But some ransomware actors have gone even further. Jon Clay, Director of Global Threat Communications at Trend Micro, outlines the phases of ransomware:
Phase 1: Just ransomware. Encrypt the files, drop the ransom note, and wait for the payment.
Phase 2: Double extortion. Phase 1 + data exfiltration and threatening data release. Maze was one of the first documented cases of this.
Phase 3: Triple extortion. Phase 1 + Phase 2 + threatening DDoS. SunCrypt, RagnarLocker, and Avaddon were among the first groups documented doing this.
Phase 4: Quadruple extortion. Phase 1 (+ possibly Phase 2 or Phase 3) + directly emailing the victim’s customer base or having contracted call centers contact customers.
In fact, as detailed in security reports, DarkSide offers both the DDoS and call center options. The group is making quadruple extortion available to its affiliates and showing a clear sign of innovation. In cybercrime, there are no copyright or patent laws for tools and techniques. Innovation is as much about quickly and completely copying others’ best practices as it is about coming up with new approaches.
Ransomware will only continue to evolve. Organizations therefore need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Unfortunately, some organizations may be putting cybersecurity on the back burner. For example, some security experts noted that Colonial Pipeline was using a previously exploited vulnerable version of Microsoft Exchange, among other cybersecurity lapses. A successful attack on a company providing critical services will have rippling effects that will harm multiple sectors of society, which is why protecting these services should be a top priority.
In a US Senate hearing on cybersecurity threats, Senator Rob Portman of Ohio described the strike on Colonial Pipeline as “potentially the most substantial and damaging attack on US critical infrastructure ever.” This attack is a call to action for all organizations to harden their networks against attacks and improve their network visibility.
Trend Micro has a multilayered cybersecurity platform that can help improve your organization’s detection and response against the latest ransomware attacks and improve your organization’s visibility. Visit the Trend Micro Vision One™ website for more information. Detailed solutions can be found in our knowledge base article on DarkSide ransomware.
