<![CDATA[Decipher]]> https://decipher.sc Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. en-us info@decipher.sc (Amy Vazquez) Copyright 2024 3600 <![CDATA[Wendy Nather on the ‘Topics That Are Distracting CISOs’]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/wendy-nather-on-the-topics-that-are-distracting-cisos https://thebananastand.duo.com/decipher/wendy-nather-on-the-topics-that-are-distracting-cisos

Wendy Nather, distinguished cybersecurity leader and director of strategic engagements at Cisco, talks to Lindsey O’Donnell-Welch, executive editor with Decipher, at Black Hat 2024 about the biggest “topics that are distracting CISOs” including the pandemic’s lasting impacts on security programs, personal liabilities and supply-chain security.

]]>
<![CDATA[The ‘Sleeping Time Bomb’ of Third-Party Cybersecurity Risk]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/the-sleeping-time-bomb-of-third-party-cybersecurity-risk https://thebananastand.duo.com/decipher/the-sleeping-time-bomb-of-third-party-cybersecurity-risk

In the final part of this four-part video series, Decipher editor Lindsey O’Donnell-Welch talks to Merritt Baer, CISO at Reco, Neda Pitt, CISO at Belk, and Danielle Snyder, cyber and compliance lead at Raytheon, about third-party risk, why it’s a “sleeping time bomb” and how organizations can approach this complex issue.

]]>
<![CDATA[The New Age of Cloud Security and Multi-Cloud Defense]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/the-new-age-of-cloud-security-and-multi-cloud-defense https://thebananastand.duo.com/decipher/the-new-age-of-cloud-security-and-multi-cloud-defense

Longtime cloud security educator and researcher Rich Mogull, SVP of cloud security at FireMon, joins Decipher editor Dennis Fisher to dive into the challenges of securing multi-cloud environments, how cloud security has evolved, and how enterprises are learning to handle those changes.

]]>
<![CDATA[What Impact Will AI Have on Cybersecurity Risk Management?]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/what-impact-will-ai-have-on-cybersecurity-risk-management https://thebananastand.duo.com/decipher/what-impact-will-ai-have-on-cybersecurity-risk-management

In the third part of this four-part video series, Decipher editor Lindsey O’Donnell-Welch talks to Merritt Baer, CISO at Reco, Neda Pitt, CISO at Belk, and Danielle Snyder, cyber and compliance lead at Raytheon, about how they’re seeing security teams leverage machine learning, what generative AI innovations mean for risk management and more.

]]>
<![CDATA[‘The Tidal Wave Coming At Everybody:’ The Issue of Data Sprawl and Identity]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/the-tidal-wave-coming-at-everybody-the-issue-of-data-sprawl-and-identity https://thebananastand.duo.com/decipher/the-tidal-wave-coming-at-everybody-the-issue-of-data-sprawl-and-identity

In the second part of this four-part video series, Decipher editor Lindsey O’Donnell-Welch talks to Merritt Baer, CISO at Reco, Neda Pitt, CISO at Belk, and Danielle Snyder, cyber and compliance lead at Raytheon, about how security teams are approaching the “massive sprawl” of different data and accounts across their ecosystem, especially with the proliferation of identity-related threats.

]]>
<![CDATA[The Impacts of the SEC Cyber Rules on Incident Disclosure, CISO Liability]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/the-impact-of-sec-cyber-rules-on-incident-disclosure-ciso-liability https://thebananastand.duo.com/decipher/the-impact-of-sec-cyber-rules-on-incident-disclosure-ciso-liability

In the first of this four-part video series, a panel of expert CISOs discuss the long-term impacts of the SEC’s cyber rules, which went into effect last year and have significant implications of incident disclosure processes. Decipher editor Lindsey O’Donnell-Welch talks to Merritt Baer, CISO at Reco, Neda Pitt, CISO at Belk, and Danielle Snyder, cyber and compliance lead at Raytheon, about what these rules mean for incident disclosures at a broader level, as well as CISO liability.

]]>
<![CDATA[Apache Fixes OFBiz Remote Code Execution Flaw]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/apache-fixes-ofbiz-remote-code-execution-flaw https://thebananastand.duo.com/decipher/apache-fixes-ofbiz-remote-code-execution-flaw

Apache has issued a fix in OFBiz (Open For Business) that addresses an unauthenticated remote code execution bug.

The high-severity direct request flaw (CVE-2024-45195) impacts Apache OFBiz versions below 18.12.16 for Linux and Windows. The vulnerability could allow attackers with no valid credentials to exploit missing view authorization checks in the web application and ultimately execute arbitrary code. Users can upgrade to version 18.12.16, which fixes the issue.

The vulnerability disclosed this week is a patch bypass that elaborates on three previous disclosures, according to Ryan Emmons, lead security researcher with Rapid7. The three Apache OFBiz vulnerabilities were published over the course of 2024, including CVE-2024-32113, which was disclosed in May, CVE-2024-36104, which was disclosed in June and CVE-2024-38856, which was published in August. Emmons said that all three of the previous flaws stemmed from the same underlying issue: The ability to desynchronize the controller and view map state.

“Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause,” said Emmons in a Thursday post. “Exploitation is facilitated by bypassing previous patches for CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856; this patch bypass vulnerability is tracked as CVE-2024-45195.”

Some of these vulnerabilities, including CVE-2024-38856 and CVE-2024-32113, have been actively targeted by threat actors and in August, and the Cybersecurity and Infrastructure Security Agency added them to its Known Exploited Vulnerabilities catalog.

Emmons said that remediating the underlying causes behind vulnerabilities can be hard for companies. It is sometimes difficult to determine whether a patch is going to be effective until multiple researchers attempt to bypass it.

“There’s no one-size-fits-all solution; some vulnerabilities can be fixed with small bespoke patches, others require more holistic fixes and patching of reusable techniques,” said Emmons. “When a researcher discloses a vulnerability to an organization, the most apparent aspect is often the documented steps and techniques they used to achieve exploitation. Patching these specific techniques is an important means of remediating vulnerabilities. However, many roads can often lead to the same destination. Since exploitation involves a lot of creativity, different researchers can find very different ways of achieving a similar result.”

The most important thing that companies can do when developing patches to address these issues is to openly communicate with researchers, said Emmons.

“It can be difficult for software producers to be certain that a patch will be 100 percent effective,” said Emmons. “Prompt and open communication with users and researchers creates the best circumstances for successful outcomes.”

Apache OFBiz is an open-source enterprise resource planning and customer relationship management suite. Because the tool is utilized by multiple organizations and houses enterprise data, it is a lucrative target for attackers, and previous vulnerabilities in Apache OFBiz have been exploited.

]]>
<![CDATA[Russian GRU Unit Linked to Critical Infrastructure Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/russian-gru-unit-linked-to-critical-infrastructure-attacks https://thebananastand.duo.com/decipher/russian-gru-unit-linked-to-critical-infrastructure-attacks

Several U.S. government agencies issued a new advisory Thursday warning of global cyber operations by threat actors that they affiliated with Unit 29155 of the Russian Main Intelligence Directorate (GRU).

The threat group is categorized under several titles, including UNC2589, Cadet Blizzard, Ember Bear and Frozenvista. In the new advisory, the FBI, CISA and NSA said that the group is linked to the infamous WhisperGate malware campaign that targeted several Ukrainian organizations starting in January 2022. The threat actors have also conducted operations against numerous North Atlantic Treaty Organization (NATO) members in Europe and North America, as well as countries across Europe, Latin America and Central Asia.

“FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020,” according to the Thursday advisory. “Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data.”

Unit 29155 has been linked to several overseas operations by Bellingcat’s investigation team, including involvement in the annexation of Crimea in 2014, a failed coup in Montenegro in 2016 and an assassination attempt on former Russian spy Sergei Skripal in the UK in 2018. The threat actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455, according to the U.S. government advisory.

The FBI said that it believes Unit 29155 cyber actors to be junior, active-duty GRU officers, which “appear to be gaining cyber experience and enhancing their technical skills” through conducting cyber operations and intrusions. The actors also appear to sometimes rely on non-GRU cybercriminals to conduct their operations, said the FBI.

Both the U.S. government, and the security research community, have been tracking cyber activity related to this threat group for some time. In 2022, for instance, CISA outlined the destructive activity associated with the WhisperGate campaign and the U.S. Cyber Command disclosed indicators of compromise linked to the group’s operations.

In addition to espionage and destructive campaigns, the group has defaced victim websites and used public domains to post exfiltrated victim data, and on Thursday, the FBI revealed it has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several EU countries to date.

The advisory is part of an international effort, called Operation Toy Soldier, to combat the malicious cyber activity by Unit 29155 of the GRU. As part of this effort, the Department of Justice on Thursday also unsealed an indictment against five Russian GRU officers and one civilian, alleging that the hackers conspired to hack, exfiltrate and leak data from the Ukrainian government before the Russian invasion of Ukraine. The individuals indicted are Vladislav Borovkov, Denis Denisenko, Dmitriy Goloshubov, Nikolay Korchagin and Amin Sitgal. The State Department is concurrently offering rewards of up to $10 million for information related to any of these individuals.

In the U.S. government advisory, CISA, the FBI and the NSA stressed that organizations can take a number of measures to protect against the several campaigns linked to the threat group, including prioritizing system updates and patch management, segmenting networks and enabling measures like multi-factor authentication (MFA).

]]>
<![CDATA[New Backdoor Linked to Earth Lusca Threat Group]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/new-backdoor-linked-to-chinese-threat-group https://thebananastand.duo.com/decipher/new-backdoor-linked-to-chinese-threat-group

Researchers have uncovered a new backdoor called KTLVdoor, which targets both Windows and Linux systems and is linked back to Chinese-speaking threat actor Earth Lusca.

Earth Lusca is group that has been active since at least April 2019 and has targeted organizations from various sectors globally, including the U.S., France, Germany and more. The group was observed leveraging the new Go language-based KTLVdoor, which has the capabilities to run commands, manipulate (as well as download or upload) files, provide attackers with system and network data, scan remote ports and use proxies.

“This previously unreported malware is more complex than the usual tools used by the threat actor,” said Cedric Pernet and Jaromir Horejsi with Trend Micro in a Wednesday analysis. “It is highly obfuscated and is being spread in the wild impersonating various system utilities names or similar tools, such as sshd, java, sqlite, bash, edr-agent, and more.”

Researchers didn’t have detailed insights into the campaign that leveraged the backdoor. For example, they couldn’t identify the full number of victims targeted with the backdoor, but said that one victim found is an unnamed trading company based in China. Researchers found that the backdoor is typically distributed as a library (either as SO or DLL). Horejsi said that researchers found a Windows sample of the malware in a malicious archive that was likely sent to victims via email.

The size of the infrastructure behind the malware is “very unusual,” said researchers. They found malware variants communicating with more than 50 command-and-control (C2) servers.

“In APT campaigns, we generally see less C2 servers. During APT operations that run for several months, or even a year, we see about a dozen C2 servers, sometimes a bit more,” said Horejsi. “Seeing [more than] 50 C2 [servers] in such a short period of time is very rare. Yet that is for cyberespionage. For usual cybercrime, we often see much more C2 servers, as they are generally quickly discovered and replaced by attackers. It is not rare to see more than a hundred different C2 servers in some cybercrime campaigns.”

Researchers tied some of the malware samples to Earth Lusca with “high confidence,” but the number of C2 servers could indicate that the infrastructure is being shared with other Chinese-speaking threat actors. Chinese threat actors have previously been seen sharing infrastructure or malware builders, such as the PlugX malware.

“Seeing that all C&C servers were on IP addresses from China-based provider Alibaba, we wonder if the whole appearance of this new malware and the C&C server could not be some early stage of testing new tooling,” said researchers.

]]>
<![CDATA[New North Korean Campaigns Target Cryptocurrency Industry]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/new-north-korean-campaigns-target-cryptocurrency-industry https://thebananastand.duo.com/decipher/new-north-korean-campaigns-target-cryptocurrency-industry

Multiple North Korean threat actors are specifically targeting organizations and individuals in the cryptocurrency industry with both social engineering and exploitation of vulnerabilities, according to new warnings by Microsoft and the FBI.

Government-backed actors in North Korea have been focusing on cryptocurrency theft and laundering for many years and U.S. government officials have laid the blame for many large-scale intrusions at their feet, including the 2014 Sony hack, the Bangladesh Bank heist, and others. Those operations help finance the country’s military and other programs, and recently, some North Korean attackers have been running well-researched social engineering campaigns against people in the cryptocurrency field. In a new advisory, the FBI’s Internet Crime Complaint Center said those campaigns often take the form of fake job offers or investments.

“Teams of North Korean malicious cyber actors identify specific DeFi or cryptocurrency-related businesses to target and attempt to socially engineer dozens of these companies' employees to gain unauthorized access to the company's network. Before initiating contact, the actors scout prospective victims by reviewing social media activity, particularly on professional networking or employment-related platforms,” the advisory says.

“North Korean malicious cyber actors incorporate personal details regarding an intended victim’s background, skills, employment, or business interests to craft customized fictional scenarios designed to be uniquely appealing to the targeted person. North Korean fake scenarios often include offers of new employment or corporate investment. The actors may reference personal information, interests, affiliations, events, personal relationships, professional connections, or details a victim may believe are known to few others.”

These campaigns often involve the use of fake personas or impersonation of real people, along with realistic-looking websites and social media content.

In addition to using social engineering, one North Korean actor has been exploiting a zero day in Chromium to target cryptocurrency organizations and install a rootkit on compromised systems. The flaw that the group, known by Microsoft as Citrine Sleet, targeted is CVE-2024-7971, which is a type confusion bug.

“The observed zero-day exploit attack by Citrine Sleet used the typical stages seen in browser exploit chains. First, the targets were directed to the Citrine Sleet-controlled exploit domain voyagorclub[.]space. While we cannot confirm at this time how the targets were directed, social engineering is a common tactic used by Citrine Sleet. Once a target connected to the domain, the zero-day RCE exploit for CVE-2024-7971 was served,” Microsoft said in an analysis of the attacks.

“After the RCE exploit achieved code execution in the sandboxed Chromium renderer process, shellcode containing a Windows sandbox escape exploit and the FudModule rootkit was downloaded, and then loaded into memory. The sandbox escape exploited CVE-2024-38106, a vulnerability in the Windows kernel that Microsoft fixed on August 13, 2024, before Microsoft discovered this North Korean threat actor activity.”

The FudModule rootkit has been used by other North Korean actors as well, specifically Diamond Sleet.

]]>
<![CDATA[FTC: Verkada Must Create Security Program After Breaches]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/ftc-verkada-must-create-security-program-after-breaches https://thebananastand.duo.com/decipher/ftc-verkada-must-create-security-program-after-breaches

The Federal Trade Commission (FTC) is requiring security camera firm Verkada to implement a security program after the company was hit with two security incidents between December 2020 and March 2021.

The mandate against the Calif.-based company is part of a settlement for allegations that Verkada failed to use appropriate information security practices leading to the breaches. It’s a mandate that the FTC has previously ordered for companies with complaints related to lax security practices, such as Drizly. In addition to this requirement, the FTC last week also hit Verkada with a $2.95 million fine for violating the CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing) by flooding potential customers with emails that didn’t include an option to unsubscribe.

“When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement in the FTC’s announcement last week. “Companies that fail to secure and protect consumer data can expect to be held responsible.”

Verkada Security Incidents

The complaint stems from two separate security incidents at Verkada. In the first incident in December 2020, a threat actor leveraged a security flaw in a legacy firmware build server (after an employee did not restore original security settings for the server), installed the Mirai malware on the server, and used it to launch denial-of-service attacks against other third-party internet addresses. Verkada did not know that the server was compromised until AWS security uncovered the activity two weeks later, according to the DoJ.

Verkada hired a third-party consulting firm to conduct a security assessment of the company, and that firm flagged several issues, however, the DoJ said that Verkada did not address these known security gaps. Then, in a March 2021 incident that was widely publicized in news reports, a hacker was able to access a Verkada support level account with administrative privileges, and then used a security flaw in the customer support server to gain Super Admin privileges. The hacker was then able to view sensitive video footage from over 150,000 internet-connected cameras, including ones that revealed patients in psychiatric hospitals and women’s health clinics, and access other data like physical addresses, audio recording and customer Wi-Fi credentials.

“This breach occurred as a direct result of Defendant’s failure to take proper precautions during a scheduled server update and allowed the intruder to have unfettered access to Defendant’s entire network,” said the DoJ.

According to the complaint by the Department of Justice, Verkada failed to encrypt customer data and did not have an adequate security policy. It also did not set up “reasonable access management controls” like requiring unique and complex passwords, enforcing controls like MFA and issuing alerts for things like unsuccessful login to administrative accounts. The company also lacked various data protection controls, centralized logging and alerting capabilities, secure network controls and vulnerability management policies.

The complaint also alleged that Verkada was not compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework, and that the company misled its customers about being compliant with these frameworks. The FTC said that Verkada also misled consumers by not disclosing that certain ratings and reviews for its products were written by employees and a venture capitalist investor.

Verkada’s Response

The FTC has hit several companies with various fines over the years for their security failures that led to breaches, including a $60 million fine against Morgan Stanley, and a $500,000 penalty for online retailer CafePress.

In a post about the settlement, Verkada argued it has strengthened its security posture by achieving SOC 2 Type 1 compliance in 2021 and SOC 2 Type 2 compliance in 2022, and ISO 27001, ISO 27017 and 27018 certifications in 2024. The company said it will comply with the FTC’s mandate to create a security program, which will be assessed in biennial reviews by a third-party company.

“There was no fine imposed related to the security incident, but we have agreed to pay $2.95 million to resolve the FTC’s claims about our past email marketing practices,” according to Verkada’s statement. “We do not agree with the FTC's allegations, but we have accepted the terms of this settlement so that we can move forward with our mission and focus on protecting people and places in a privacy-sensitive way.”

]]>
<![CDATA[The Lasting Repercussions of the Sony Hack]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/the-lasting-repercussions-of-the-sony-hack https://thebananastand.duo.com/decipher/the-lasting-repercussions-of-the-sony-hack

The Sony Pictures hack in 2014 by the North Korean Lazarus Group was a seminal event both in Hollywood and in the security community, bringing to light the capabilities and ambitions of North Korean attackers and showing the damage a leak of sensitive data can be. Brian Raftery joins Dennis Fisher to discuss his new Ringer podcast, The Hollywood Hack, that digs deep into the incident, its repercussions in Hollywood, and how it helped set the tone for how companies handle public data leaks.

CC by-SA image from Gnaphron on Flickr.

]]>
<![CDATA[APT29 Watering Hole Attacks Used Spyware Exploits]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/apt29-watering-hole-attacks-used-spyware-exploits https://thebananastand.duo.com/decipher/apt29-watering-hole-attacks-used-spyware-exploits

The Russian-based APT29 group was seen using the same iOS and Google Chrome exploits as commercial surveillanceware vendors NSO Group and Intellexa, in an espionage campaign that targeted the Mongolian government.

Researchers that discovered the campaign do not know how the APT attackers acquired the exploit. The exploits were observed in three separate attacks that researchers linked “with moderate confidence” to APT29 in November 2023, February 2024 and July 2024. These campaigns stemmed from watering hole attacks impacting Mongolian government websites, where threat actors compromised the sites and loaded a hidden iframe from an attacker-controlled website.

“In each iteration of the watering hole campaigns, the attackers used exploits that were identical or strikingly similar to exploits previously used by commercial surveillance vendors (CSVs) Intellexa and NSO Group,” according to researchers with Google’s Threat Analysis Group (TAG) in a Thursday analysis. “Although the underlying vulnerabilities had already been addressed, we notified both Apple and our partners at Android and Google Chrome about the campaigns at the time of discovery. We also notified the Mongolian CERT to remediate the infected websites.”

The watering hole iframe in the November 2023 and February 2024 attacks included an exploit for iPhone users running iOS versions 16.6.1 and older, which targeted a WebKit arbitrary code execution bug (CVE-2023-41993). Researchers said that the exploit in the watering hole attack utilized the same trigger code as an exploit used by Intellexa, “strongly suggesting the authors and/or providers are the same.” Intellexa had first exploited this flaw in September 2023 as a zero day.

Then in July 2024, the APT group used an iframe with a Google Chrome exploit chain targeting a type confusion bug (CVE-2024-5274) in V8 and a use after free (CVE-2024-4671) in Google’s Visuals component, in order to deploy an information stealing payload. Again, the trigger code for CVE-2024-5274 used in this campaign was the same as the code used by the NSO Group in a zero-day campaign in May 2024.

Both Intellexa and NSO Group are known for providing law enforcement and intelligence agencies with spyware - the Predator spyware for Intellexa and Pegasus for NSO Group - that have various information stealing, surveillance and remote-access capabilities.

Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, said there are several scenarios that could have played out here.

“One option is that APT29 found the vulnerability themselves, and decided to exploit it,” said Galperin. “The other is that they purchased the vulnerability on the open market. And the third is that they didn’t write an exploit until after the vulnerability had been reported, and therefore didn’t even have to go find it, they just had to write an exploit for it and were able to exploit unpatched systems, which is probably the most likely scenario.”

Overall, researchers with Google’s TAG team said that the activity shows how exploits developed by the commercial surveillance industry are eventually spread to and used by threat actors.

“We do not know how the attackers acquired these exploits,” said Google TAG researchers. “What is clear is that APT actors are using n-day exploits that were originally used as 0-days by CSVs. It should be noted that outside of common exploit usage, the recent watering hole campaigns otherwise differed in their approaches to delivery and second-stage objectives.”

]]>
<![CDATA[Zero Day Exploit Reuse and A Busy Week for Iranian APTs]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/zero-day-exploit-reuse-and-a-busy-week-for-iranian-apts https://thebananastand.duo.com/decipher/zero-day-exploit-reuse-and-a-busy-week-for-iranian-apts

The focus was on Iranian APTs this week, both from private threat intelligence teams and CISA, exposing new operations from UNC757 and other groups targeting government, higher education, and private industry. We also check in on a new report from Google's Threat Analysis Group on APTs using the same exploits for zero days that were developed by private commercial surveillance vendors NSO Group and Intellexa.

]]>
<![CDATA[CISA: RansomHub Ransomware Has Hit 210 Victims]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/cisa-ransomhub-ransomware-has-hit-210-victims https://thebananastand.duo.com/decipher/cisa-ransomhub-ransomware-has-hit-210-victims

A new advisory by CISA and the FBI warned of recent attacks by RansomHub and said that the group and its affiliates have successfully hit over 210 victims since its inception in February.

In the advisory, which disseminated several tactics and known Indicators of Compromise (IoCs) linked to the group, the U.S. government said that RansomHub attacks have impacted entities across many different industries, including the healthcare, water and wastewater, IT, government services, emergency services, food and agriculture, financial services, commercial facilities, critical manufacturing, transportation and communication sectors. These attacks have been observed as recently as this month, said CISA.

“RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful service model (recently attracting high-profile affiliates from other prominent variants such as LockBit and ALPHV),” according to CISA and the FBI in their Thursday advisory.

RansomHub's affiliate model means that various tactics and techniques are used in different attacks. RansomHub affiliates use several different initial access methods, including phishing and password spraying. They have also exploited known vulnerabilities, including ones in Citrix ADC (CVE-2023-3519), Fortinet FortiOS (CVE-2023-27997), Apache ActiveMQ’s OpenWire protocol (CVE-2023-46604), Atlassian Confluence (CVE-2023-22515), Microsoft Windows (CVE-2017-0144) and more.

The U.S. government observed a variety of other tactics, including the use of Windows Management Instrumentation for disabling antivirus products, and in some cases the use of RansomHub specific tools, like one called EDRKillShifter, for disabling endpoint detection and response tools. Affiliates have also used a number of tools like Mimikatz for gathering credentials, as well as Cobalt Strike, Metasploit and more.

The affiliates use a double-extortion model, first encrypting systems and then exfiltrating the data and leaving a ransom demand for victims. After the encryption occurs, a ransom note drops that does not typically include an initial ransom demand. The victim is provided with a client ID and instructed to contact the group through a unique .onion URL, and then given between three to 90 days to pay a ransom.

“Data exfiltration methods depend heavily on the affiliate conducting the network compromise,” said the advisory. “The ransomware binary does not normally include any mechanism for data exfiltration. Data exfiltration has been observed through the usage of tools such as PuTTY, Amazon AWS S3 buckets/tools, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, Metasploit, and other methods.”

The ransomware group, though only six months old, has already claimed to have targeted several high-profile victims. RansomHub in April claimed to be selling sensitive data stolen from Change Healthcare, after the healthcare giant was hit by the BlackCat ransomware group in February.

CISA and the FBI urged network defenders to take a number of steps to mitigate against RansomHub, such as installing updates as soon as they are released, enabling MFA and training employees to recognize and report phishing attempts.

]]>
<![CDATA[New Backdoor Used By Iranian State-Sponsored Group]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/new-backdoor-used-by-iranian-state-sponsored-group https://thebananastand.duo.com/decipher/new-backdoor-used-by-iranian-state-sponsored-group

Over the last few months, an Iranian state-sponsored threat actor has been deploying a new custom backdoor in attacks against various entities in the U.S. and United Arab Emirates, including organizations in the government, communications equipment, oil and gas and satellite sectors.

The threat actor, which is called Peach Sandstorm and was first uncovered last year, targets victims in many countries in order to collect intelligence, using password spraying as an initial access vector. Now, researchers with Microsoft said that between April and July, the group has been leveraging the novel backdoor that they call “Tickler” in attacks against several unnamed organizations.

“This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations,” said researchers on Wednesday. “Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus. Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.”

Though it was discovered last year, the threat group's activities go back for years. In 2024, it has continued to target victims with password spraying, where a list of passwords is leveraged against a large number of targeted accounts.

Researchers also observed attackers in the group pretending to be students, developers or talent acquisition managers on LinkedIn, sending targets messages with the goal of gathering intelligence to then use for social engineering attacks against the higher eduction or satellite sectors. These LinkedIn profiles were since taken down from the platform.

After gaining initial access, the threat group was seen signing in to compromised accounts from commercial VPN infrastructure, moving laterally via SMB and, in some cases, taking snapshots via Active Directory, which is a legitimate functionality for taking a read-only copy of the AD database that can be abused for malicious purposes.

Researchers found two samples of the backdoor used in attacks as recently as July, indicating that it is under active development. The malware enables attackers to download additional payloads from the C2 and set up persistence.

For its command-and-control (C2) server, the threat actor uses attacker-controlled Azure subscriptions, which are sometimes created using compromised accounts. Researchers said that they observed multiple other Iranian groups using similar tactics in recent months.

“Microsoft continuously monitors Azure, along with all Microsoft products and services, to ensure compliance with our terms of service,” according to Microsoft. “Microsoft has notified affected organizations and disrupted the fraudulent Azure infrastructure and accounts associated with this activity.”

Iranian threat groups were recently uncovered both behind espionage and ransomware attacks. In a separate advisory released this week, several U.S. government agencies warned of recent activity by UNC757, an Iran-based group that has been linked to ransomware activity and separately associated with the government of Iran.

]]>
<![CDATA[Attacks Target Recent Apache OFBiz Bug]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/attacks-target-recent-apache-ofbiz-bug https://thebananastand.duo.com/decipher/attacks-target-recent-apache-ofbiz-bug

CISA is warning federal agencies and enterprises that attackers are exploiting a known vulnerability in the Apache OFBiz ERP suite, a bug that Apache released a fix for three weeks ago.

The vulnerability (CVE-2024-38856) affects every version of OFBiz through 18.12.14 and successful exploitation would allow an attacker to execute screen rendering code on affected endpoints. The Apache Software Foundation released an update to address the bug on Aug. 5, but on Tuesday the Cybersecurity and Infrastructure Security Agency issued an advisory and added the flaw to its Known Exploited Vulnerabilities catalog.

CISA did not provide any information on the group or groups exploiting the vulnerability, but the urgency to apply the patch is even greater, given that the bug can be exploited without authentication.

“Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker,” the CISA advisory says.

OFBiz is an open-source ERP framework that is Java-based. The framework is embedded in some third-party apps, including JIRA. In January, researchers at SonicWall discovered that attackers were exploiting a separate OFBiz vulnerability that had been disclosed in December 2023. That flaw was related to an even earlier vulnerability and attackers began attempting to exploit quickie after its disclosure.

CISA is encouraging organizations to upgrade to version 18.12.15 of OFBiz, which contains the patch for CVE-2024-38856.

]]>
<![CDATA[U.S. Government Warns of Iran-Based UNC757 Attacks]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/u-s-government-warns-of-iran-based-unc757-attacks https://thebananastand.duo.com/decipher/u-s-government-warns-of-iran-based-unc757-attacks

Several U.S. government agencies are warning of recent attacks by UNC757, an Iran-based group that has been linked to ransomware activity and separately associated with the government of Iran.

UNC757 (also known as Pioneer Kitten) has been around since 2017 and is known for targeting U.S.-based schools, municipal governments, financial institutions and healthcare facilities. A significant percentage of the operations by UNC757 against U.S. firms aim to obtain initial network access, and then collaborate with ransomware affiliates, including BlackCat, RansomHouse and NoEscape, to deploy ransomware or enable encryption operations in exchange for a percentage of the ransom payments.

However, in the Wednesday cybersecurity advisory for network defenders, the FBI, CISA and Department of Defense Cyber Crime Center warned that the group has also been targeting organizations like U.S. defense sector networks in separate campaigns that are “consistent with Iranian state interests,” rather than the interests of its ransomware affiliate contacts. This link to the Iranian government has previously been reported by threat intelligence teams.

“The FBI further assesses these Iran-based cyber actors are associated with the Government of Iran (GOI) and—separate from the ransomware activity—conduct computer network exploitation activity in support of the GOI (such as intrusions enabling the theft of sensitive technical data against organizations in Israel and Azerbaijan),” according to the advisory.

The advisory disclosed several recent Indicators of Compromise linked to UNC757 activity. Many of UNC757’s techniques are similar to those described by an advisory released four years ago by CISA. The group still gains initial access primarily through vulnerabilities in devices like Citrix Netscaler, Ivanti Pulse Secure and F5 BIG-IP. As of July, CISA said the group has scanned for IP addresses hosting Check Point Security Gateways (likely in an attempt to exploit CVE-2024-24919, which was disclosed in May). Attackers also appear to be targeting a vulnerability in Palo Alto Network's PAN-OS software for firewalls (CVE-2024-3400).

After initial exploitation, the group sets up persistence in various ways, including creating local accounts on victim networks, capturing login credentials for compromised (primarily Netscaler) devices, and implementing the daily creation of a Windows service task. The actor also uses administrator credentials to disable security software and lower PowerShell policies to a less secure level.

While the group provides ransomware affiliates with initial access to victim networks, CISA said its involvement goes beyond this purpose, and the actor works closely with affiliates to lock networks and develop extortion strategies for the victims. The actor has also historically conducted hack-and-leak campaigns, including the 2020 Pay2Key campaign, for instance.

“While this technique has traditionally been used to influence victims to pay ransoms, the FBI does not believe the objective of Pay2Key was to obtain ransom payments,” according to CISA’s advisory. “Rather, the FBI assesses Pay2Key was an information operation aimed at undermining the security of Israel-based cyber infrastructure.”

UNC757 also steals sensitive information from victim networks, suggesting its association with the government of Iran, “however, the group’s ransomware activities are likely not sanctioned by the [government of Iran], as the actors have expressed concern for government monitoring of cryptocurrency movement associated with their malicious activity,” according to CISA. This is one of several dual-purpose groups that have emerged over the years, supporting both ransomware and espionage activities, including North Korean Moonstone Sleet.

Organizations can protect themselves by patching the CVEs targeted by the group, including CVE-2024-3400, CVE-2022-1388, CVE-2019-19781, and CVE-2023-3519, as well as validating their security controls against the techniques in the advisory, said CISA.

]]>
<![CDATA[Chinese APT Exploits Versa Networks Zero-Day Flaw]]> lindsey@decipher.sc (Lindsey O’Donnell-Welch) https://thebananastand.duo.com/decipher/chinese-apt-exploits-versa-networks-zero-day-flaw https://thebananastand.duo.com/decipher/chinese-apt-exploits-versa-networks-zero-day-flaw

Researchers have discovered Chinese state-sponsored actors exploiting a zero-day vulnerability in Versa Networks’ virtualization and service creation Director platform, in a highly targeted campaign impacting several U.S.-based victims.

The vulnerability, categorized as high severity by the National Vulnerability Database, was found in Versa Director servers (CVE-2024–39717), and was publicly disclosed Aug. 22. The bug stems from the GUI interface for Versa Director, a key component for managing SD-WAN networks, which is used by internet service providers (ISPs) and managed service providers (MSPs). In an Aug. 26 advisory, Versa Networks said the GUI flaw could allow potentially malicious files to be uploaded by users with Provider-Data-Center-Admin or Provider-Data-Center-System-Admin privileges.

Researchers with Lumen Technologies’ Black Lotus Labs first uncovered exploitation activity for the flaw between June 12 and mid-July 2024, impacting five organizations across the ISP, MSP and IT sectors. They assessed with moderate confidence that the threat actor behind the attack is Volt Typhoon, a known sophisticated Chinese APT behind several campaigns this year on U.S. critical infrastructure.

“Given the severity of the vulnerability, the sophistication of the threat actors, the critical role of Versa Director servers in the network, and the potential consequences of a successful compromise, Black Lotus Labs considers this exploitation campaign to be highly significant,” said researchers in a Tuesday analysis.

Versa Networks customers were first warned of the activity in private security advisories sent on July 26 and Aug. 8, which contained a hotfix.

After exploitation of the flaw, threat actors deployed a unique custom webshell called “VersaMem,” which allowed them to inject malicious code on the Tomcat web server. These webshell functionalities occurred in-memory only, making the actor’s activities stealthier, said researchers.

“The VersaMem shell, both in name (“Director_tomcat_memShell”) and in functionality, is custom-tailored to interact with Versa Directors,” said researchers. “On execution, the web shell attaches to the primary Apache Tomcat (Java servlet and web server) process and takes advantage of the Java Instrumentation API and Javassist (Java bytecode manipulation toolkit) to dynamically modify Java code in-memory.”

The malware also had the ability to harvest plaintext user credentials, which could give attackers access to downstream customer networks as an authenticated user, said researchers. For MSPs, which manage platform, software, IT infrastructure and security services, and support functions for customers, this type of access is significant. Because these companies store customer data and support sensitive processes, they are in a unique position where they have trusted network connectivity and privileged access to customer systems, and government agencies like CISA have previously warned that these organizations are considered valuable targets for threat actors.

The vulnerability impacts versions of Versa Director prior to 22.1.4, and Versa Networks recommended that impacted users update to the fixed version, 22.1.4, as soon as possible. The flaw has been flagged in CISA's Known Exploited Vulnerability catalog, and federal agencies have until Sept. 13 to apply patches.

Versa Networks also urged customers to adhere to several guidelines it had published years ago, which recommended best practices for securing various ports, protocols and components for its products.

“Impacted customers failed to implement system hardening and firewall guidelines… leaving a management port exposed on the internet that provided the threat actors with initial access,” according to Versa Networks’ advisory about the vulnerability in its product. “Although the vulnerability is difficult to exploit, it’s rated ‘High’ and affects all Versa SD-WAN customers using Versa Director, that have not implemented the system hardening and firewall guidelines.”

]]>
<![CDATA[Decipher Podcast: Reddit's Matt Johansen on Identity Attacks, Enterprise Security, and Burnout]]> dennis@decipher.sc (Dennis Fisher) https://thebananastand.duo.com/decipher/decipher-podcast-reddit-s-matt-johansen-on-identity-attacks-enterprise-security-and-burnout https://thebananastand.duo.com/decipher/decipher-podcast-reddit-s-matt-johansen-on-identity-attacks-enterprise-security-and-burnout

]]>