Search This Blog

Showing posts with label Cisco Talos. Show all posts

Cobalt Strike Beacon Using Job Lures to Deploy Malware

Cisco Talos researchers have detected a new malware campaign that is using job lures to deploy malware. The threat actors are weaponizing a year-old remote code execution flaw in Microsoft Office, infecting victims with leaked versions of Cobalt Strike beacons. 

According to the researchers, the attacks were discovered in August 2022. It begins with phishing emails regarding the U.S. Government's job details or a New Zealand trade union. The emails comprise of a multistage and modular infection chain with fileless, malicious scripts. 

On opening the attached malicious Word file, the victim was infected with an exploit for CVE-2017-0199, a remote code execution vulnerability in MS Office, that allows the threat actor to control the infected systems. As a result, the attacker deploys a chain of attack scripts that leads up to the Cobalt Strike beacon installation. 

"The payload discovered is a leaked version of a Cobalt Strike beacon[...]The beacon configuration contains commands to perform targeted process injection of arbitrary binaries and has a high reputation domain configured, exhibiting the redirection technique to masquerade the beacon's traffic" states Cisco Talos researchers Chetan Raghuprasad and Vanja Svajcer in a new analysis published on Wednesday. 

In addition to discovering the Cobalt Strike beacon as the payload in this campaign, the researchers have also observed the usage of the Redline information-stealer and Amadey botnet executables as the payloads. 

The Modus Operandi has been called “highly modularized” by the experts, the attack stands out for it leverages Bitbucket repositories to deploy malicious content that serves as a kickoff for downloading a Window executable, responsible for the installation of Cobalt Strike DLL beacon, says the Cybersecurity researchers. 

"This campaign is a typical example of a threat actor using the technique of generating and executing malicious scripts in the victim's system memory[...]Organizations should be constantly vigilant on the Cobalt Strike beacons and implement layered defense capabilities to thwart the attacker's attempts in the earlier stage of the attack's infection chain." states the researchers. 

Considering the growing phishing and malware attacks, the Cisco Talos team suggested users protect themselves with measures, such as updating their software and not opening any attachments in unsolicited messages. Besides, the team also suggests that administrators monitor their network security. 

AWS, and Alibaba Cloud was Attacked by Crypto Miners

 

An intel source recently provided Cisco Talos with modified versions of the TeamTNT cybercrime team's infected shell scripts, an earlier version of which was documented by Trend Micro. The malware creator modified these tools after learning that security experts had disclosed the prior version of its scripts. These scripts are intended primarily for Amazon Web Services (AWS), but they might also be used on-premise, in containers, or in other Linux instances. 

There are multiple TeamTNT payloads focusing on bitcoin mining, persistence, and lateral movement employing tactics like identifying and installing on with all Kubernetes pods in a local network, in addition to the primary credential stealer scripts. A script containing user credentials for the distribution system server and another with an API key which may allow remote access to a tmate shared login session is also included. Defense evasion functions aimed at defeating Alibaba cloud security technologies are included in some TeamTNT scripts.

When it comes to decision making obtaining credentials, the script looks for them in the following places and APIs: 

  • It attempts to obtain the string 'AWS' from /proc/*/environ from the Linux system environment variables. 
  • Obtaining the string 'AWS' from Docker environment variables with the command $(docker inspect $) (docker ps -q).
  • /home/.aws/credentials and /root/.aws/credentials are the default AWS CLI credential file locations.
While the query itself will not be caught by Cisco Secure Cloud Analytics, the alert "AWS Temporary Token Persistence" will detect later use of these credentials to generate further temporary credentials. Finally, the virus saves any credentials acquired by the preceding functions to the file "/var/tmp/TeamTNT AWS STEALER.txt" and uses cURL to transfer it to the URL http://chimaera[.]cc/in/AWS.php before deleting it. 

No CloudTrail, GuardDuty, or SCA events were generated when the script ran on the target EC2 instance for all network traffic was restricted by the VPC Security Group such as the script could not access TeamTNT's servers. 

The core of the defense impairment functions is directed against Alibaba Cloud Security's numerous agents, how, they also target Tencent Cloud Monitor and third-party BMC Helix Cloud Security, agents. While the bulk of malicious scripts targets AWS Elastic Compute Cloud (EC2) virtual machines, these bots are most typically detected running inside Alibaba Cloud Elastic Compute Service (ECS) or a Tencent Cloud VM. They could theoretically be put on a VM operating on AWS or any other service, but it would be unusual. TeamTNT makes no attempt to disable AWS CloudWatch, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other popular cloud security tools in the United States. 

The Alibaba defense damage routines have been retrieved and saved here from the script Kubernetes root payload 2.sh. Since static analysis of the defense impairment functions is problematic due to the presence of multiple Base64 encoded strings, those functions have been decrypted and placed back into the file ali-defense-impairment-base64-decoded.sh.txt. 

"Cybercriminals who have been exposed by security researchers should update those tools to keep functioning successfully," stated Darin Smith of Talos. 

The serious remote code execution problem in Spring Framework (CVE-2022-22965) has been leveraged to deploy cryptocurrency miners, in yet another example of how threat actors quickly co-opt recently revealed flaws into existing attacks. To deploy the cryptocurrency miners, the exploitation efforts employ a unique web shell, but not before switching off the firewall and disabling other virtual currency miner processes.

 Iran's MuddyWater Hacker Group is Exploiting New Malware

 

According to a notice issued by US security and law enforcement authorities, Iran-linked cyber activities are targeting a variety of government and private organizations in several areas across Asia, Africa, Europe, and North America.

"MuddyWater actors are poised to deliver stolen data and access to the Iranian government, as well as to share them with other cybercriminal actors," the agencies stated. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the National Cyber Security Centre of the United Kingdom have issued a combined advisory (NCSC) in the regard.

This year, the cyber-espionage actor was revealed to be working for Iran's Ministry of Intelligence and Security (MOIS), conducting malicious operations against a wide range of state and private organisations in Asia, Africa, Europe, and North America, including telecommunications, defence, local government, and the oil and natural gas sectors. 

MuddyWater is also known by the aliases Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP. Aside from publicly disclosed vulnerabilities, the hacker group has already been seen using open-source tools to get access to sensitive information, deliver ransomware, and maintain resilience on victim networks. 

Late last month, Cisco Talos conducted a follow-up analysis and discovered a previously unknown malware campaign focused on Turkish private and governmental entities with the purpose of delivering a PowerShell-based backdoor. In harmful operations, MuddyWater actors use new variations of PowGoop malware as its main loader, which consists of a DLL loader and an Operating system downloader. The malicious programme poses as a valid Google Update executable file and is signed as such. 

A surveying script to identify and send data about target PCs back to the remote C2 server rounds out MuddyWater's arsenal of weapons. A newly discovered PowerShell backdoor was also installed, which is used to perform actions obtained from the attacker. 

The agencies advise enterprises to utilise multi-factor authentication whenever possible, limit the usage of administrator credentials, deploy phishing defences, and prioritise correcting known exploited vulnerabilities to provide barriers against potential attacks.

BEC Attacks have Stolen $1.8 Billion from Businesses

 

Business email compromise (BEC) attacks increased drastically in 2020, with more than $1.8 billion stolen from businesses in just one year. BEC attacks are carried out by hackers who impersonate someone inside a company or pose as a partner or vendor in order to defraud the company. 

The tactics of some of the most dangerous BEC attacks observed in the wild in 2020 were examined in a new report from Cisco's Talos Intelligence, which reminded the security community that smart users armed with a healthy skepticism of outside communications and the right questions to ask are the best line of defense, in addition to technology. 

According to the FBI, BEC assaults are getting more dangerous. They discovered a 136 % increase in the number of successful BEC attacks (reported) around the world between December 2016 and May 2018. Between October 2013 and May 2018, it is estimated that Business Email Compromise cost businesses over $12 billion. Analysts predict that these attacks will grow more regular and that the financial costs connected with them will continue to rise. 

The report stated, “The reality is, these types of emails and requests happen legitimately all over the world every day, which is what makes this such a challenge to stop.” It's tempting to get hooked up on huge global corporations' high-profile data breaches. The genuine revenue, however, is made via smaller BEC attacks, according to the report. 

“Although a lot of attention gets paid to more destructive and aggressive threats like big-game hunting, it’s BEC that generates astronomical revenue without much of the law-enforcement attention these other groups have to contend with,” the report explained. “If anything, the likelihood of this has only increased in the pandemic, with people relying more and more on digital communication." 

According to Cisco Talos, gift card lures are by far the most popular in BEC assaults. Most of the time, these emails will appear to be from someone prominent within the organization and will come from a free provider like Gmail, Yahoo, or Outlook. The solicitations will frequently include a sad narrative of hardship and will attempt to persuade the victim to purchase an Amazon, Google Play, iTunes, PlayStation, or other common types of gift card. 

“The amount of and types of businesses that get targeted with these attacks is truly staggering, ranging from huge multinational corporations down to small mom-and-pop restaurants in U.S. cities,” Talos said. “We found examples of small restaurants that are being targeted by impersonating the owners since the information was available on their website.”

Slack and Discord are Being Hijacked by Hackers to Distribute Malware

 

A few famous online collaboration tools, including the likes of Slack and Discord, are being hijacked by hackers to disperse malware, experts have cautioned.

Cisco's security division, Talos, published new research on Wednesday featuring how, throughout the span of the Covid-19 pandemic, collaboration tools like Slack and, considerably more generally, Discord have become convenient mechanisms for cybercriminals. With developing frequency, they're being utilized to serve up malware to victims in the form of a link that looks reliable. In different cases, hackers have integrated Discord into their malware to remotely control their code running on tainted machines, and even to steal information from victims. 

Cisco's researchers caution that none of the methods they found really exploits a clear hackable vulnerability in Slack or Discord, or even requires Slack or Discord to be installed on the victims' machine. All things considered, they essentially exploit some little-analyzed features of those collaboration platforms, alongside their ubiquity and the trust that both clients and systems administrators have come to place in them. 

"People are way more likely to do things like click a Discord link than they would have been in the past, because they’re used to seeing their friends and colleagues posting files to Discord and sending them a link," says Cisco Talos security researcher Nick Biasini. "Everybody’s using collaboration apps, everybody has some familiarity with them, and bad guys have noticed that they can abuse them." 

With regards to information exfiltration, the Discord API, for instance, has demonstrated to be quite an effective tool. As the webhook functionality (originally intended to send automated alerts) was intended to have the option to convey any kind of information, and malware oftentimes uses it to ensure stolen information arrives at its intended destination. 

“Webhooks are essentially a URL that a client can send a message to, which in turn posts that message to the specified channel — all without using the actual Discord application,” the researchers say. “The Discord domain helps attackers disguise the exfiltration of data by making it look like any other traffic coming across the network.”

As texting applications grow in popularity, the threats will develop with them. Organizations should know about the dangers, and cautiously pick which platform to utilize, the researchers concluded.

Masslogger Campaigns Exfiltrates Clients Credentials

 

Assailants are continually reinventing approaches to monetize their tools. Cisco Talos as of late found an intriguing campaign affecting Windows systems and focusing on clients in Turkey, Latvia, and Italy, albeit similar campaigns by the same actor have likewise been focusing on clients in Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain in September, October and November 2020. The threat actor utilizes a multi-modular approach that begins with the underlying phishing email and carries through to the final payload. The adversaries behind this campaign likely do this to evade detection. However, it can likewise be a shortcoming, as there are a lot of chances for defenders to break the kill chain. 

Conveyed through phishing emails, the Masslogger trojan's most recent variation is contained inside a multi-volume RAR archive using the .chm file format and .r00 extensions, said Switchzilla's security research arm. Cisco Talos added: “Masslogger is a credential stealer and keylogger with the ability to exfiltrate data through SMTP, FTP or HTTP protocols. For the first two, no additional server-side components are required, while the exfiltration over HTTP is done through the Masslogger control panel web application.” 

CHM is an arranged HTML file that contains an embedded HTML file with JavaScript code to start the active infection process. Each phase of the infection is obfuscated to avoid detection using simple signatures. The subsequent stage is a PowerShell script that eventually deobfuscates into a downloader and downloads and loads the main PowerShell loader. The Masslogger loaders appear to be facilitated on undermined authentic hosts with a filename containing one letter and one number linked with the filename extension .jpg. For instance, "D9.jpg". 

Masslogger is not an entirely new creation of the malware industry: Talos highlighted research by infosec chap Fred HK. He ascribed it to a malware underground persona who goes by the handle of NYANxCAT. Costs for Masslogger were apparently $30 for three months or $50 for a lifetime license. Cisco's analysis showed that Masslogger “is almost entirely executed and present only in memory” with just the email attachment and the HTML help file.

Cisco Talos Researchers Discovered Multiple Susceptibilities in SoftMaker Office TextMaker

 

Cisco Talos researchers exposed multiple vulnerabilities in SoftMaker Office TextMaker that can be exploited by cyber attackers. These vulnerabilities in SoftMaker office can be exploited for arbitrary code execution by generating malicious documents and deceiving victims into opening them. 

SoftMaker Office TextMaker is a German-based software developer; it has various suites like a spreadsheet, word processing, presentation, and database software components, and all these well-liked software suites are presented to individuals and enterprises. The common and internal document file formats also acquire the support of the SoftMaker office suite. 

The foremost issue is a sign extension bug, CVE-2020-13544 which influences the document-analyzing functionality of SoftMaker Office TextMaker 2021 and the subsequent vulnerability has been traced as CVE-2020-13545 which is a sign altering flaw in the same document-analyzing of the application. 

Cisco Talos researchers illustrated that “a specially crafted document can cause the document parser to sign-extend a length used to terminate a loop, which can later result in the loop’s index being used to write outside the bounds of a heap buffer during the reading of file data”. A heap-based memory can be corrupted by an attacker who can adeptly design a document which can lead to the document analyzer. 

The document analyzer can misjudge the length while assigning a buffer which will lead the application to be written outside the bounds of the buffer. Traced as CVE-2020-13546, the flaw is detected to affect the SoftMaker Office 2021 by integer overflow susceptibility. 

SoftMaker office 2021 was evaluated with a Common Vulnerability Scoring System (CVSS) of 8.8 and now all three vulnerabilities are secured. The most threatening issue was that the attacker can exploit the loophole in the SoftMaker office in 2021 from any remote location.