Wednesday, November 20, 2024

Ghost Tap: Hackers Exploiting NFCGate to Steal Funds via Mobile Payments

Nov 20, 2024 | Ravie Lakshmanan | Payment Security / Cybercrime


Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victims' funds at scale.

The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay by relaying NFC traffic.

"Criminals can now misuse Google Pay and Apple Pay to transmit your tap-to-pay information globally within seconds," the Dutch security company told The Hacker News in a statement. "This means that even without your physical card or phone, they can make payments from your account anywhere in the world."

These attacks typically work by tricking victims into downloading mobile banking malware that can capture their banking credentials and one-time passwords using an overlay attack or a keylogger. Alternatively, it can involve a voice phishing component.


Once in possession of the card details, the threat actors move to link the card to Google Pay or Apple Pay. But in an attempt to avoid getting the cards blocked by the issuer, the tap-to-pay information is relayed to a mule, who is responsible for making fraudulent purchases at a store.

This is accomplished by means of a legitimate research tool called NFCGate, which can capture, analyze, or modify NFC traffic. It can also be used to pass the NFC traffic between two devices using a server.

"One device operates as a 'reader' reading an NFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE)," according to researchers from the Secure Mobile Networking Lab at TU Darmstadt.

While NFCGate has previously been put to use by bad actors to transmit NFC information from victims' devices to the attacker, as documented by ESET in August 2024 with the NGate malware, the latest development marks the first time the tool is being misused to relay the data.


"Cybercriminals can establish a relay between a device with stolen card and PoS [point-of-sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale," ThreatFabric noted.

"The cybercriminal with the stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within a short period of time."

The tactic offers more advantages in that it can be used to purchase gift cards at offline retailers without the cybercriminals having to be physically present. Even worse, it can be used to scale the fraudulent scheme by enlisting the help of several mules at different locations within a short span of time.


Complicating the detection of Ghost Tap attacks is the fact that the transactions appear to originate from the same device, thereby bypassing anti-fraud mechanisms. The device with the linked card can also be in airplane mode, which complicates efforts to determine its actual location and to establish that it was not the device used to make the transaction at the PoS terminal.

"We suspect that the evolution of networks with increasing speed of communication together with a lack of proper time-based detection on ATM/POS terminals made these attacks possible, where the actual devices with cards are physically located far away from the place where transaction is performed (device is not present at PoS or ATM)," ThreatFabric noted.

"With the ability to scale rapidly and operate under a cloak of anonymity, this cash-out method presents significant challenges for financial institutions and retail establishments alike."
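The "time-based detection" ThreatFabric says terminals lack is, on the issuer or wallet-provider side, a velocity (impossible-travel) check: two card-present taps of the same card at terminals too far apart for the time between them. The following is an added example of that check over a few constructed transactions; it is not ThreatFabric's or the article's code, and the Transaction fields, the 900 km/h threshold and the sample coordinates are assumptions made for illustration.

```python
"""Velocity check for card-present taps: flag consecutive transactions on
one card that would require impossible travel.  Added example; the event
layout, threshold and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airline speed; tune per issuer


@dataclass(frozen=True)
class Transaction:
    card_token: str          # tokenised card as the wallet provider stores it
    terminal_id: str
    when: datetime
    lat: float
    lon: float
    amount: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a, b):
    """Speed a cardholder would need to have been present at both taps."""
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    distance = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def velocity_alerts(transactions, max_kmh=MAX_PLAUSIBLE_KMH):
    """Group taps by card, sort by time, and flag each consecutive pair whose
    implied travel speed is physically impossible.  Returns
    (card_token, earlier_terminal, later_terminal, speed_kmh) tuples."""
    by_card = {}
    for tx in transactions:
        by_card.setdefault(tx.card_token, []).append(tx)
    alerts = []
    for token, taps in by_card.items():
        taps.sort(key=lambda t: t.when)
        for prev, cur in zip(taps, taps[1:]):
            speed = implied_speed_kmh(prev, cur)
            if speed > max_kmh:
                alerts.append((token, prev.terminal_id, cur.terminal_id, round(speed, 1)))
    return alerts


def _at(hhmm):
    """Helper for the sample: a UTC timestamp on one fixed day."""
    return datetime(2024, 11, 20, int(hhmm[:2]), int(hhmm[2:]), tzinfo=timezone.utc)


# Constructed sample: card A is tapped in Amsterdam and 12 minutes later in
# Madrid (a relay); card B is tapped twice in Berlin half an hour apart.
SAMPLE = [
    Transaction("tok_A", "POS-AMS-01", _at("1000"), 52.37, 4.90, 120.00),
    Transaction("tok_A", "POS-MAD-07", _at("1012"), 40.42, -3.70, 250.00),
    Transaction("tok_B", "POS-BER-03", _at("1100"), 52.52, 13.40, 15.00),
    Transaction("tok_B", "POS-BER-09", _at("1130"), 52.53, 13.41, 22.50),
]

if __name__ == "__main__":
    for alert in velocity_alerts(SAMPLE):
        print("impossible travel:", alert)
```

The check keys on the card token rather than the device, which is the point: in a Ghost Tap relay the phone holding the token never leaves its location, so the only observable anomaly is the card itself appearing at terminals that a single person could not have reached.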




from The Hacker News https://ift.tt/UZKXaB7
via IFTTT

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Nov 20, 2024 | Ravie Lakshmanan | Endpoint Security / AI Research


Microsoft has announced a new Windows Resiliency Initiative as a way to improve security and reliability, as well as ensure that system integrity is not compromised.

The idea, the tech giant said, is to avoid incidents like the CrowdStrike outage earlier this July, enable more apps and users to run without admin privileges, add controls surrounding the use of unsafe apps and drivers, and offer options to encrypt personal data.

One of the most important features is Quick Machine Recovery that's expected to be available to the Windows Insider Program community in early 2025.

"This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC," David Weston, vice president of enterprise and OS security at Microsoft, said. "This remote recovery will unblock your employees from broad issues much faster than what has been possible in the past."


In another noteworthy update, Microsoft said it's introducing new capabilities that will allow security tools to be run in user mode, just like regular apps, as opposed to relying on kernel access. The feature is set to be made available as a preview in July 2025.

With this change, the intention is to offer a way for easy recovery and reduce impacts at the operating system level in the event of a crash or an error.

Redmond further said it's working with endpoint security partners to take specific steps to bolster resilience as part of what's called the Microsoft Virus Initiative (MVI). These include gradual product update rollouts and recovery procedures, leveraging deployment rings, and ensuring that there are little-to-no negative consequences from applying those updates.

Some of the other changes the company is bringing to Windows are listed below:

  • A hardware-backed security baseline for all new Windows 11 PCs, such as TPM 2.0 and virtualization-based security (VBS) by default
  • Administrator protection, where users have the security of standard user permissions by default, but can still easily make system changes, including app installation, when needed by authenticating using Windows Hello (Currently in preview)
  • Support for passkeys in Windows Hello to facilitate phishing-resistant multi-factor authentication (MFA)
  • Windows Protected Print, which eliminates the need for third-party print drivers
  • Personal Data Encryption, an enterprise feature that secures files stored in the Desktop, Documents, and Pictures folders using Windows Hello
  • Hotpatch in Windows to allow businesses to apply critical security updates without requiring a system restart
  • Zero Trust DNS, which restricts Windows devices to approved domains and blocks outbound IPv4 and IPv6 traffic unless resolved by a Protected DNS server or allowed by IT admin
  • Config Refresh, which helps protect PCs from configuration drift by automatically returning their settings to the preferred configuration (Available now)

The updates are also in line with Microsoft's Secure Future Initiative (SFI), a multiyear commitment that aims to put security front-and-center when designing new products and counter cyber threats. It was first launched in November 2023.

The development comes as the company said it is expanding its bug bounty program with a new hacking challenge called Zero Day Quest to advance research and security in the areas of cloud and artificial intelligence (AI).

"This event is not just about finding vulnerabilities; it's about fostering new and deepening existing partnerships between the Microsoft Security Response Center (MSRC), product teams, and external researchers – raising the security bar for all," Tom Gallagher, vice president of engineering at Microsoft Security Response Center (MSRC), said.




from The Hacker News https://ift.tt/5TwSV7t
via IFTTT

Malicious QR codes

  • QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Talos’ data, roughly 60% of all email containing a QR code is spam.  
  • Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. Users could obscure the data modules, the black and white squares within the QR code that represent the encoded data. Alternatively, users could remove one or more of the position detection patterns — large square boxes located in corners of the QR code used to initially identify the code's orientation and position. 
  • Further complicating detection, both by users and anti-spam filters, Talos found QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. 

Prior to 1994, most code scanning technology utilized one-dimensional barcodes. These one-dimensional barcodes consist of a series of parallel black lines of varying width and spacing. We are all familiar with these codes, like the type you might find on the back of a cereal box from the grocery store. However, as the use of barcodes spread, their limitations became problematic, especially considering that a one-dimensional barcode can only hold up to 80 alphanumeric characters of information. To eliminate this limitation, a company named Denso Wave created the very first "Quick Response" codes (QR codes). 

QR codes are a two-dimensional matrix barcode that can encode just over seven thousand numeric characters, or up to approximately four thousand three hundred alphanumeric characters. While they can represent almost any data, the QR codes we encounter most frequently are used to encode URLs. 

Quantifying the QR code problem 

Cisco Talos extracts QR codes from images inside email messages and attached PDF files for analysis. QR codes in email messages make up as little as 0.01% and up to 0.2% of all email worldwide. This equates to roughly 1 out of every 500 email messages. This is not a very big number. However, because QR codes are disproportionately effective at bypassing anti-spam filters, a significant number find their way into users' email inboxes, skewing users' perception of the overall problem.  

Also, of course, not all email messages with a QR code inside are spam or malicious. Many email users send QR codes as part of their email signature, or you may also find legitimate emails containing QR codes used as signups for events, and so on. However, according to Talos’ data, roughly 60% of all email containing a QR code is spam.   

Truly malicious QR codes can be found in a much smaller number of messages. These emails contain links to phishing pages, etc. The most common malicious QR codes tend to be multifactor authentication requests used for phishing user credentials. 

An example MFA phishing email utilizing a QR code.

One of the problems that defenders may encounter when dealing with users’ scanning of QR codes received via email, assuming the user’s device is not connected to the corporate Wi-Fi, is that subsequent traffic between the victim and the attacker will traverse the cellular network, largely outside the purview of corporate security devices. This can complicate defense, because few/no alerts from security devices will notify security teams that this has occurred.  

Why are malicious QR codes hard to detect? 

Because QR codes are displayed in images, it can be difficult for anti-spam systems to identify problematic codes. Identifying and filtering these messages requires the anti-spam system to recognize that a QR code is present in an image, decode the QR code, then analyze the link (or other data) present in the decoded data. As spammers are always looking for innovative ways to bypass spam filters, using QR codes has been a valuable technique for spammers to accomplish this. 

As anti-spam systems improve their capability to detect malicious QR codes in images, enterprising attackers have instead decided to craft their QR codes using Unicode characters. Below is an example of an email containing a Unicode art QR code.    

An email containing a QR code constructed from Unicode characters (defanged).

The graphical parts of the image are contained within a PDF file. The PDF metadata indicates it was created from HTML using the tool wkhtmltopdf. Converting the PDF back into HTML shows the Unicode that is being used to construct the QR code. 

HTML used to construct a malicious QR Code from Unicode characters.

Defanging QR codes 

When sharing malicious URLs, it is common to change the protocol from “http” to “hxxp”, or to add brackets [] around one of the dots in the URL. This makes it so browsers and other applications do not render the link as an active URL, ensuring that users do not inadvertently click on the malicious URL. This is a process known as “defanging”. Unfortunately, while defanging URLs is commonplace, many people do not defang malicious QR codes. For example, below is a news article from BBC about criminals who put QR code stickers on parking meters in an attempt to harvest payment credentials from unsuspecting victims. 

A news article from BBC containing a working QRcode (this has been defanged by Talos).

The problem is that these QR codes can still be scanned, taking visitors to whatever malicious link that the QR code encoded. To make malicious QR codes safe for consumption, they should be defanged. 

There are a couple of different ways to do this. One way is to obscure the data modules, the black and white squares within the QR code that represent the encoded data. This is where the data that the QR code represents is located. However, based on Talos’ own research, a far easier way to defang a QR code is to remove one or more of the position detection patterns (a.k.a. finder patterns). These are the large square boxes located in three of the four corners of the QR code, which are used by the QR code scanner to initially identify the code's orientation and position. Removing the position detection patterns renders a QR code unscannable by virtually all scanners. 

A normal QR code on the left vs. a defanged QR code on the right.
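An added example (not Talos' code) that ties the two techniques above together: it parses a QR code drawn with Unicode block characters into a module matrix, locates the position detection patterns the way a scanner's first pass does (the 1:1:3:1:1 dark/light run ratio along a row, confirmed against the full 7x7 pattern), and defangs the code by blanking those patterns. The 21x21 sample grid is constructed with genuine finder patterns over random data modules, so it is not a decodable QR code; the half-block glyph mapping is an assumption about how such art is typically drawn.

```python
"""Recognise and defang a QR code given as a 0/1 module matrix, e.g. one
rebuilt from Unicode block-element art.  Added example, not Talos code."""
import random

DARK, LIGHT = 1, 0

# The 7x7 position detection (finder) pattern found in three corners of
# every QR code: dark border, light ring, dark 3x3 core.
FINDER = [
    [1, 1, 1, 1, 1, 1, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 1, 1, 1, 0, 1],
    [1, 0, 0, 0, 0, 0, 1],
    [1, 1, 1, 1, 1, 1, 1],
]

# Assumed glyph mapping: one text row holds two module rows (top, bottom).
GLYPHS = {(0, 0): " ", (1, 0): "\u2580", (0, 1): "\u2584", (1, 1): "\u2588"}
BITS = {glyph: bits for bits, glyph in GLYPHS.items()}


def matrix_to_unicode_art(matrix):
    """Render a module matrix as block-element art (used to build the sample)."""
    lines = []
    for top in range(0, len(matrix), 2):
        bottom = matrix[top + 1] if top + 1 < len(matrix) else [LIGHT] * len(matrix[top])
        lines.append("".join(GLYPHS[(a, b)] for a, b in zip(matrix[top], bottom)))
    return "\n".join(lines)


def unicode_art_to_matrix(text):
    """Parse block-element art back into a module matrix; unknown glyphs count as light."""
    matrix = []
    for line in text.splitlines():
        if line:
            bits = [BITS.get(ch, (LIGHT, LIGHT)) for ch in line]
            matrix.append([top for top, _ in bits])
            matrix.append([bottom for _, bottom in bits])
    return matrix


def _runs(row):
    """Run-length encode a row as [(value, start_col, length), ...]."""
    runs = []
    for col, value in enumerate(row):
        if runs and runs[-1][0] == value:
            runs[-1] = (value, runs[-1][1], runs[-1][2] + 1)
        else:
            runs.append((value, col, 1))
    return runs


def find_finder_patterns(matrix):
    """Return (row, col) centres of finder patterns.  Candidates come from the
    1:1:3:1:1 dark/light run ratio a scanner looks for along a row; each one
    is then confirmed against the full 7x7 template before it counts."""
    centres = []
    for r, row in enumerate(matrix):
        runs = _runs(row)
        for i in range(len(runs) - 4):
            if runs[i][0] != DARK or [n for _, _, n in runs[i:i + 5]] != [1, 1, 3, 1, 1]:
                continue
            top, left = r - 3, runs[i][1]
            block = [line[left:left + 7] for line in matrix[top:top + 7]] if top >= 0 else []
            centre = (top + 3, left + 3)
            if block == FINDER and centre not in centres:
                centres.append(centre)
    return centres


def looks_like_qr(matrix):
    """Three finder patterns is what a scanner needs to lock onto a symbol."""
    return len(find_finder_patterns(matrix)) >= 3


def defang(matrix):
    """Blank every finder pattern (the defanging step described above) and
    return the result; the data modules are left untouched."""
    out = [row[:] for row in matrix]
    for r, c in find_finder_patterns(matrix):
        for rr in range(r - 3, r + 4):
            for cc in range(c - 3, c + 4):
                out[rr][cc] = LIGHT
    return out


def sample_matrix(size=21, seed=7):
    """Constructed sample: a version-1-sized grid with three genuine finder
    patterns (plus light separators) over random data modules.  Not a
    decodable QR code, just enough for the finder-pattern logic."""
    rng = random.Random(seed)
    m = [[rng.randint(0, 1) for _ in range(size)] for _ in range(size)]
    for top, left in ((0, 0), (0, size - 7), (size - 7, 0)):
        for r in range(top - 1, top + 8):            # one-module light separator
            for c in range(left - 1, left + 8):
                if 0 <= r < size and 0 <= c < size:
                    m[r][c] = LIGHT
        for dr in range(7):
            for dc in range(7):
                m[top + dr][left + dc] = FINDER[dr][dc]
    return m


if __name__ == "__main__":
    parsed = unicode_art_to_matrix(matrix_to_unicode_art(sample_matrix()))
    print("finder patterns at", find_finder_patterns(parsed))
    print("scannable after defang?", looks_like_qr(defang(parsed)))
```

Because the data modules are never touched, the defanged matrix still carries the encoded payload for anyone who wants to decode it manually, while a phone camera, which needs the three corner patterns to find and orient the symbol, will not lock onto it.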

Be careful what you scan! 

For years security professionals have encouraged users not to click on unfamiliar or suspicious URLs. These URLs could potentially lead to phishing pages, malware or other harmful sites. However, many users do not exercise the same care when scanning an unknown QR code as they do when clicking on a suspicious link. To be clear, scanning an unknown/suspicious QR code is equivalent to clicking on a suspicious URL. 

To complicate the situation even more, there are QR code images which are “QR code art”. These images blend the data points of a QR code seamlessly into an artistic image, so the result does not appear to be a QR code at all. The potential danger with QR code art images is that a user could conceivably be tricked into scanning a QR code art image with their camera, and then inadvertently navigate to the linked content without realizing it. Below are some QR codes found online by Talos which illustrate a range of artistic possibilities.  

Note: these images have been created by third parties and posted online. Talos is not responsible for the artwork, nor the linked content.

How to protect yourself from malicious QR codes 

QR codes have become ubiquitous, appearing in email, on restaurant menus, at events, on retail packaging, in museums, even public parks and trails. The perfect defense is to avoid scanning *any* QR codes, however, it can be difficult to avoid scanning these entirely, so users must exercise caution. Scanning a QR code is essentially the same as clicking on an unknown hyperlink, but without the ability to see the full URL beforehand. 

There are several QR code decoders freely available online. Typically, if you can save a screenshot of the QR code, you can upload this image to one of these decoders, and the QR code decoder will tell you what data was encoded inside the QR code. This will enable you to inspect the link more closely. You can also choose to navigate to that URL using an application like Cisco Secure Malware Analytics (Threat Grid). This will allow you to view the content behind the URL from a safe place, without jeopardizing the security of your desktop or mobile device. As always, never EVER enter your username and password into an unknown site. It is better to navigate directly to anywhere you wish to log in, rather than clicking on a URL presented to you by an unknown third party. 



from Cisco Talos Blog https://ift.tt/XYjmwWe
via IFTTT

Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware

Executive Summary

Unit 42 researchers have observed an increase in BlackSuit ransomware activity beginning in March 2024 that suggests a ramp up of operations. This threat emerged as a rebrand of Royal ransomware, which occurred in May 2023. Unit 42 tracks the group behind this threat as Ignoble Scorpius. Since the rebrand, Unit 42 has observed at least 93 victims globally, a quarter of which were in the construction and manufacturing industries.

The group describes themselves as an “extortioner named BlackSuit” and claims to reverse file encryption for “quite a small compensation essentially.” Although the group states the compensation is small, Unit 42 has observed that, on average, the initial ransom demand is about equal to 1.6% of the victim organization’s annual revenue. As of the date of this report, the median victim revenue across all industries is roughly $19.5 million, making the ransom payout quite significant for all organizations.

This threat assessment includes details identified during routine threat research activities, incident response cases and collaboration with the Unit 42 Managed Threat Hunting team.

This report maps the group's activity to the MITRE ATT&CK® framework in the MITRE ATT&CK TTPs section below, which organizations can use to assess their coverage of threats posed by Ignoble Scorpius, pre- and post-compromise.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

BlackSuit Ransomware Overview

BlackSuit ransomware emerged in May 2023 as a rebrand of the Royal ransomware. Unit 42 Threat Intelligence assesses that the group behind this threat is a direct evolution of Royal, and as such we track the group under the same moniker, Ignoble Scorpius.

Much like the operations as Royal ransomware, BlackSuit operates a dark web leak site where they publish their victims’ names and stolen data to extort them into paying a ransom. Figure 1 shows an excerpt of this site.

Screenshot of the BlackSuit ransomware leak site with much of the information redacted. The user has the ability to search the site. The text on the website talks about a company facing consequences after data was disclosed.
Figure 1. Screenshot of BlackSuit leak site.

Since the rebrand, Unit 42 has observed at least 93 victims globally and an upward trend in the number of successful compromises shared on their leak site. This suggests an overall ramping up of operations. Figure 2 below details the monthly total leak site posts from Ignoble Scorpius as BlackSuit.

Bar chart of the number of leak site posts per month from May 2023 through October 2024. Activity peaks in May 2024.
Figure 2. Activity from Ignoble Scorpius under the BlackSuit name, May 2023 through October 2024.

The number of organizations truly impacted by the group is likely higher, as organizations can pay their ransom before ransomware operators post details on their leak sites to avoid reputational damage.

The median revenue of these victims was $19.5 million, which highlights the average size of organizations that the group has successfully targeted. Based on ransom negotiations observed by Unit 42, we can also estimate that the group’s initial ransom demand is equal to about 1.6% of the victim organization’s annual revenue.

Breaking down the 93 victims by sector indicates a preference for the education, construction and manufacturing sectors, as shown in Figure 3 below.

A pie chart showing the percentages by industry affected by Ignoble Scorpius. Education is the largest at 14%, then construction at 12.5%, manufacturing at 11%, and wholesale and retail at 10%.
Figure 3. Pie chart breakdown of Ignoble Scorpius victimology.

Finally, as with many ransomware groups, Ignoble Scorpius’ victims are overwhelmingly based in the United States, as shown below in Figure 4.

A column chart of the distribution of Ignoble Scorpius' victim count by country. The highest count is the United States at close to 50. The next countries, at counts under 10, are the United Kingdom, Belgium, Germany, Italy, Australia and others.
Figure 4. Ignoble Scorpius’ geographical impact.

Attack Lifecycle

The following sections highlight tactics, techniques and procedures (TTPs) observed from Ignoble Scorpius during BlackSuit incident response investigations Unit 42 conducted. Similar findings have also been shared by researchers at ReliaQuest and The DFIR Report.

Initial Access

Initial access for Ignoble Scorpius, and ransomware groups in general, can be highly varied due to the prevalence of initial access brokers (IABs) who sell stolen credentials or other forms of access to organizations. While some threat actors obtain initial access on their own, others require the expertise of IABs to gain entry into a compromised network.

During an incident response investigation, delineating between the TTPs of a suspected IAB or the ransomware group is not always possible. Within Ignoble Scorpius’ ransomware cases, Unit 42 has observed many different initial access methods, including:

  • Phishing campaigns with malicious email attachments (T1566.001);
  • SEO poisoning with GootLoader (T1608.006);
  • Using legitimate VPN credentials (T1078), potentially obtained via social engineering and voice-based phishing (aka vishing) of executives (T1566.004)
  • A software supply chain attack (T1195.002).

Credential Access and Privilege Escalation

Unit 42 has observed Ignoble Scorpius using common credential theft tools, such as Mimikatz and NanoDump, which is “a flexible tool that creates a minidump of the LSASS process.” Techniques observed include:

  • Dumping LSASS via Taskmgr (T1003.001)
  • Performing a DCSync attack (T1003.006)
  • Using Impacket to conduct an adversary-in-the-middle (AiTM) attack (T1557)
  • Requesting Kerberos service tickets (T1558.002)

Once they have obtained sufficiently privileged accounts (i.e., domain administrator on Windows systems), Ignoble Scorpius has been observed dumping the NTDS.dit file via ntdsutil (T1003.003) to compromise the domain controller.

Lateral Movement

Unit 42 has observed Ignoble Scorpius making use of RDP (T1021.001), SMB (T1021.002) and PsExec (T1570) to move laterally across systems.

Defense Evasion

Unit 42 has observed Ignoble Scorpius and other ransomware groups making use of a vulnerable driver and loader, which are called STONESTOP and POORTRY by Mandiant. They use these tools to disable and evade antivirus and EDR solutions (T1562.001).

Exfiltration

Ignoble Scorpius has used various commonly available software and services to exfiltrate victim data. We observed WinRAR and 7-Zip being used to compress and stage files prior to exfiltration, after which attackers used WinSCP over FTP and Rclone to exfiltrate files. In at least one instance, attackers renamed Rclone to svchost.exe prior to execution (T1048).

Unit 42 has also observed Ignoble Scorpius using a third-party project management application named Bublup to exfiltrate files (T1567, T1567.002). Threat actors often abuse, take advantage of or subvert legitimate products for malicious purposes. This does not imply that the legitimate product is flawed or malicious.

Execution and Impact

As Ignoble Scorpius' goal is to encrypt and ransom a victim’s files, the primary payload of their campaigns is the BlackSuit ransomware. During incident response investigations involving BlackSuit, Unit 42 has also observed attackers using other tools for persistent access and the execution of arbitrary commands.

These additional tools include Cobalt Strike and SystemBC. In these cases it was not possible to identify whether Ignoble Scorpius or an IAB deployed the tools.

The final ransomware payload has Windows and Linux operating system variants with specific functionality to target VMware ESXi servers in some Linux variants.

Windows Variant

Unit 42’s analysis of the Windows variant found that the execution of the malware required the command-line argument -id followed by a 32-character value. The ID identifies the victim and grants access to a private chat room on Ignoble Scorpius' dark website to negotiate the ransom. They provide the ID to the victim via the ransom note. An example ransom note is shown below:

Good whatever time of day it is!

Your safety service did a really poor job of protecting your files against our professionals.

Extortioner named BlackSuit has attacked your system.

As a result all your essential files were encrypted and saved at a secure server for further use and publishing on the Web into the public realm.

Now we have all your files like: financial reports, intellectual property, accounting, law actions and complaints, personal files and so on and so forth.

We are able to solve this problem in one touch.

We (BlackSuit) are ready to give you an opportunity to get all the things back if you agree to make a deal with us.

You have a chance to get rid of all possible financial, legal, insurance and many others risks and problems for a quite small compensation.

You can have a safety review of your systems.

All your files will be decrypted, your data will be reset, your systems will stay in safe.

Contact us through TOR browser using the link:

hxxp[://]weg7sdx54bevnvulapqu6bpzwztryeflq3s23tegbmnhkbpqz637f2yd[.]onion/?id=[ID]

Other command-line arguments for the Windows variant of BlackSuit malware are shown below in Table 1.

Argument      Functionality
-path         Specifies a target directory to encrypt
-id           Victim ID
-ep           Percentage of a file that should be encrypted
-localonly    Encrypts only the local system
-networkonly  Encrypts file shares connected to the system

Table 1. BlackSuit Windows variant command-line arguments.

Analysis of BlackSuit ransomware from TrendMicro and SentinelOne in 2023 identified more command-line flags than recent samples. This could be due to the ransomware group creating variants that target ESXi servers specifically, which we detail below, or a consolidation of functionality.

After the initial execution, the malware creates a mutual exclusion flag (aka mutex) with the value Global\WLm87eV1oNRx6P3E4Cy9 to prevent machines from being infected multiple times. As a result, the mutex chosen by Ignoble Scorpius needs to be a unique value that is not frequently changed. Unit 42 has observed attackers using this mutex as recently as June 2024, with open source highlighting its use as early as October 2023.

To ensure the encryption of as many files as possible, the ransomware enumerates and terminates a list of known processes and services (T1057). The ransomware also uses Windows Restart Manager (rstrtmgr.dll) to identify processes using files that would prevent encryption, terminating anything that isn't a critical process or the Windows File Explorer (explorer.exe). This is a technique commonly used by ransomware payloads.

The malware uses the following command to delete shadow backups (T1490):

[Screenshot of the shadow copy deletion command; the command itself is not reproduced in the text.]

To execute the ransomware payload, researchers at ReliaQuest observed Ignoble Scorpius downloading VirtualBox and creating a virtual machine (VM) (T1564.006). They copied the ransomware payload from the VM using PsExec (T1570) to “hundreds of hosts via SMB” (T1021.002). They then used Windows Management Instrumentation Command-line (WMIC) to load the ransomware as a library to execute it. This is a technique that Unit 42 has also observed from the group (T1047, T1218.010).

They then enumerate available files (T1083) and encrypt them using OpenSSL AES, adding the extension .blacksuit to the encrypted file’s name (T1486).

ESXi Variant

The ESXi variant, a Linux-based executable, targets virtual machines and introduces two more command-line flags:

  • -vmkill (shuts down virtual machines before encryption if set)
  • -crypt_all

If the -crypt_all flag is not set, the following files relating to VMware are encrypted:

  • *.vmsd
  • *.vmx
  • *.vmxf
  • *.vmdk
  • *.vmem
  • *.vmsn
  • *.nvram
  • *.vmx~
  • *.vswp
  • *.vmtx
  • *.vmss

Conclusion

Our analysis indicates that BlackSuit is a direct continuation of the activity under Royal, and as such we have opted to continue tracking the group under the same identifier as Royal – Ignoble Scorpius. The true effectiveness of rebranding is difficult to quantify. However, it can offer ransomware groups a respite from the scrutiny of researchers, law enforcement and the media.

A more subtle effect of rebranding is the perception it can have on defenders. For example, BlackSuit’s predecessor Royal and their predecessor Conti were some of the most reported and sophisticated ransomware groups while active.

As a result, organizations who were looking to assess their exposure to ransomware at the time could have looked toward the most prolific ransomware groups and attempted to cater their defensive solutions toward them. Rebranding resets this perception, and if it is accompanied with a shift in the group’s TTPs, it can place defenders on their back foot.

This is one of the primary reasons we chose to highlight Ignoble Scorpius’ BlackSuit ransomware in this report. Although the group as BlackSuit might not yet reach the top 10 list of ransomware groups by number of compromises, this group has the following qualities:

  • They conduct complex supply chain attacks
  • They exhibit a high level of sophistication compromising at least 93 organizations without a public-facing RaaS program
  • Their membership likely includes members from Conti and Royal ransomware

This report maps the group's activity to the MITRE ATT&CK framework in the MITRE ATT&CK TTPs section below. Organizations can use this information to assess their coverage of threats posed by Ignoble Scorpius, pre- and post-compromise.

Protections and Mitigations

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

MITRE ATT&CK TTPs

Table 2 below depicts the MITRE ATT&CK TTPs mapping for techniques referenced in this report.

Table 2. MITRE ATT&CK techniques.

XDR Query Language (XQL) Queries

This section documents relevant TTPs used by Ignoble Scorpius and maps them directly to Palo Alto Networks Cortex XQL queries. These queries detect renamed tools with Cortex XDR.

Like many ransomware actors, Ignoble Scorpius likes to rename their Portable Executable (PEs) files. For example, rather than execute a tool such as Rclone as rclone.exe, the actor might rename it to something else, such as svchost.exe.

In the case mentioned above, a query for action_process_image_name = "rclone.exe" in Cortex XDR’s Query Language (XQL) will miss the renamed binary. However, Cortex XDR can still identify these files even after they have been renamed.

When a PE is compiled, it often includes a resource called VERSIONINFO. This resource can contain the original file name, the company that produced the software, and more. Though ransomware actors can rename executables, they rarely alter the VERSIONINFO resource.

We can extract the VERSIONINFO from PEs that run on a host using Cortex XDR with the action_process_file_info field in the ENUM.PROCESS filter set, shown in the following XQL query snippet.

config case_sensitive = false
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| alter
    action_process_original_name = action_process_file_info -> original_name,
    action_process_company_name = action_process_file_info -> company,
    action_process_description = action_process_file_info -> description,
    action_process_internal_name = action_process_file_info -> internal_name,
    action_process_legal_copyright = action_process_file_info -> legal_copyright

Table 3 below highlights data from the VERSIONINFO resource, which is extracted for running processes by the above query.

VERSIONINFO Data   Description
original_name      The original name of a PE upon compilation
company            The company that released the software
description        A description of the compiled software
internal_name      The internal name of the PE. This is often equal to or very similar to the original_name.
legal_copyright    A copyright notification from the releasing company

Table 3. Ignoble Scorpius data extraction.

Once the VERSIONINFO data has been extracted, XQL can then be used to filter on known version info values from executables. The following is an example filter set that will identify renamed versions of Rclone’s default executable, rclone.exe.

| filter
    (action_process_image_name = "rclone.exe" or
    action_process_original_name ~= "rclone" or
    action_process_company_name ~= "https\:\/\/rclone\.org" or
    action_process_description ~= "rclone" or
    action_process_internal_name ~= "rclone" or
    action_process_legal_copyright = "The Rclone Authors")

Some of the Cortex XDR queries we’ve included in this report use the above method for identifying renamed executables.
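To make the VERSIONINFO comparison concrete, the following is an added Python example (it is not code from the Unit 42 report or from Cortex XDR) that applies the same alter-then-filter logic to a handful of constructed process-start records. The record layout and field names are assumed from the query above; every sample value is made up. Because the Mimikatz/Rubeus query later in this section reuses the technique, the example carries that filter as well, so the two rule sets can be compared on the same data.

```python
import re

# Constructed process-start records, shaped after the xdr_data fields the
# report's XQL uses (field names assumed from the query; values are made up).
SAMPLE_EVENTS = [
    {   # Rclone run under its own name
        "action_process_image_name": "rclone.exe",
        "action_process_file_info": {
            "original_name": "rclone.exe",
            "company": "https://rclone.org",
            "description": "Rclone - rsync for cloud storage",
            "internal_name": "rclone",
            "legal_copyright": "The Rclone Authors",
        },
    },
    {   # Same binary renamed to blend in; the VERSIONINFO resource still says Rclone
        "action_process_image_name": "svchost.exe",
        "action_process_file_info": {
            "original_name": "rclone.exe",
            "company": "https://rclone.org",
            "description": "Rclone - rsync for cloud storage",
            "internal_name": "rclone",
            "legal_copyright": "The Rclone Authors",
        },
    },
    {   # Genuine svchost.exe: must not fire
        "action_process_image_name": "svchost.exe",
        "action_process_file_info": {
            "original_name": "svchost.exe",
            "company": "Microsoft Corporation",
            "description": "Host Process for Windows Services",
            "internal_name": "svchost.exe",
            "legal_copyright": "Microsoft Corporation. All rights reserved.",
        },
    },
    {   # Renamed Rubeus whose resource only carries two of the strings
        "action_process_image_name": "r.exe",
        "action_process_file_info": {"original_name": "Rubeus.exe", "internal_name": "Rubeus"},
    },
    {   # Binary with no VERSIONINFO resource at all
        "action_process_image_name": "update.exe",
        "action_process_file_info": None,
    },
]

# Each rule is (field, match kind, pattern). "eq" behaves like XQL's `=` under
# case_sensitive = false; "re" behaves like XQL's `~=` (regex search).
RCLONE_FILTER = [
    ("action_process_image_name", "eq", "rclone.exe"),
    ("action_process_original_name", "re", r"rclone"),
    ("action_process_company_name", "re", r"https\:\/\/rclone\.org"),
    ("action_process_description", "re", r"rclone"),
    ("action_process_internal_name", "re", r"rclone"),
    ("action_process_legal_copyright", "eq", "The Rclone Authors"),
]

MIMIKATZ_RUBEUS_FILTER = [
    ("action_process_image_name", "re", r"(mimikatz|rubeus)\.exe"),
    ("action_process_original_name", "re", r"(mimikatz|rubeus)"),
    ("action_process_description", "re", r"(mimikatz|rubeus)"),
    ("action_process_internal_name", "re", r"(mimikatz|rubeus)"),
]


def versioninfo_fields(event):
    """Mirror the query's `alter` stage: flatten the VERSIONINFO strings into
    top-level fields, using an empty string where the resource lacks them."""
    info = event.get("action_process_file_info") or {}
    return {
        "action_process_original_name": info.get("original_name") or "",
        "action_process_company_name": info.get("company") or "",
        "action_process_description": info.get("description") or "",
        "action_process_internal_name": info.get("internal_name") or "",
        "action_process_legal_copyright": info.get("legal_copyright") or "",
    }


def matched_fields(event, rules):
    """Return the names of every field in `rules` that matched for this event."""
    fields = {**event, **versioninfo_fields(event)}
    hits = []
    for field, kind, pattern in rules:
        value = str(fields.get(field) or "")
        if kind == "eq":
            matched = value.lower() == pattern.lower()
        else:
            matched = re.search(pattern, value, re.IGNORECASE) is not None
        if matched:
            hits.append(field)
    return hits


def hunt(events, rules):
    """Apply the filter to every event; keep (image name, matched fields) for hits."""
    results = []
    for event in events:
        hits = matched_fields(event, rules)
        if hits:
            results.append((event["action_process_image_name"], hits))
    return results


if __name__ == "__main__":
    for name, fields in hunt(SAMPLE_EVENTS, RCLONE_FILTER):
        print(f"Rclone indicator(s) in {name}: {', '.join(fields)}")
    for name, fields in hunt(SAMPLE_EVENTS, MIMIKATZ_RUBEUS_FILTER):
        print(f"Mimikatz/Rubeus indicator(s) in {name}: {', '.join(fields)}")
```

The renamed copy is caught on five of the six Rclone indicators even though its image name matches nothing, while the genuine svchost.exe and the binary with no resource at all stay quiet. The last case is the one to remember when tuning: an actor who strips or rewrites VERSIONINFO leaves this method with only the image name to go on, so it complements rather than replaces hash- and behaviour-based detections.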

1. GootLoader: Wscript Making External Connection

Technique description: The query looks for wscript.exe making external connections upon executing a JavaScript (.js) file, which could be indicative of GootLoader activity. The query restricts results to user-based Downloads or Temp folders, as these are the directories most commonly associated with GootLoader infections.

MITRE ATT&CK TTP ID

  • T1059.007 Execution - Command and Scripting Interpreter: JavaScript

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.STORY and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter actor_process_image_name = "wscript.exe" and actor_process_command_line contains ".js"
| filter actor_process_command_line contains "\Users\*\Downloads" or actor_process_command_line contains "\Users\*\Temp"
| filter dst_is_internal_ip = False
| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_command_line, action_remote_ip, dst_action_external_hostname
| sort desc _time
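The four filters in the GootLoader query are easy to read but worth seeing on data, so here is an added Python example (not code from the report or from Cortex XDR) that evaluates the same conditions over constructed network-story records. The field names are assumed from the query; how Cortex XDR decides dst_is_internal_ip is not stated on the page, so the example stands in an RFC 1918 plus loopback and link-local definition for it, and it reads the `*` in `\Users\*\Downloads` as "any path fragment".

```python
import ipaddress
import re

# The query's "\Users\*\Downloads" and "\Users\*\Temp" patterns, with "*" read
# as any path fragment. This regex form is the example's own interpretation.
USER_DOWNLOADS_OR_TEMP = re.compile(r"\\Users\\.*\\(Downloads|Temp)\\", re.IGNORECASE)

# Stand-in for dst_is_internal_ip (assumption: RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed network-story records. The "external" addresses are from the
# RFC 5737 documentation ranges and only stand in for real remote hosts.
SAMPLE_EVENTS = [
    {   # .js from a user's Downloads folder reaching out externally
        "agent_hostname": "ws01",
        "actor_process_image_name": "wscript.exe",
        "actor_process_command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\contract_agreement_74121.js"',
        "action_remote_ip": "203.0.113.10",
    },
    {   # Same launch, but the connection stays inside the network
        "agent_hostname": "ws02",
        "actor_process_image_name": "wscript.exe",
        "actor_process_command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\contract_agreement_74121.js"',
        "action_remote_ip": "10.20.30.40",
    },
    {   # Script lives outside the user profile: not in scope for this query
        "agent_hostname": "ws03",
        "actor_process_image_name": "wscript.exe",
        "actor_process_command_line": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maintenance.js"',
        "action_remote_ip": "203.0.113.10",
    },
    {   # cscript.exe is not covered by the query as written
        "agent_hostname": "ws04",
        "actor_process_image_name": "cscript.exe",
        "actor_process_command_line": r'cscript.exe "C:\Users\carol\Downloads\invoice.js"',
        "action_remote_ip": "203.0.113.10",
    },
    {   # .js under the profile's Temp folder; the "*" spans AppData\Local
        "agent_hostname": "ws05",
        "actor_process_image_name": "wscript.exe",
        "actor_process_command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\bob\AppData\Local\Temp\agreement.js"',
        "action_remote_ip": "198.51.100.7",
    },
]


def is_internal_ip(ip):
    """True when the address falls in one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_gootloader_candidate(event):
    """Mirror the query's filters in order; True means the event survives all of them."""
    if event.get("actor_process_image_name", "").lower() != "wscript.exe":
        return False
    cmd = event.get("actor_process_command_line", "")
    if ".js" not in cmd.lower():
        return False
    if not USER_DOWNLOADS_OR_TEMP.search(cmd):
        return False
    return not is_internal_ip(event["action_remote_ip"])


def hunt(events):
    """Return (hostname, remote IP) for every event that passes the filters."""
    return [(e["agent_hostname"], e["action_remote_ip"]) for e in events if is_gootloader_candidate(e)]


if __name__ == "__main__":
    for host, ip in hunt(SAMPLE_EVENTS):
        print(f"{host}: wscript.exe ran a .js from a user folder and connected to {ip}")
```

Two points the run makes visible: the query only matches wscript.exe, so a cscript.exe launch of the same file slips past it, and `contains ".js"` is a substring test, so the Downloads/Temp and external-IP conditions are what keep the result set small.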

2. Dumping LSASS via Task Manager

Technique description: The query looks for LSASS being dumped via the Task Manager. To identify this activity, we focus on lsass.DMP files being created via the Taskmgr.exe process.

MITRE ATT&CK TTP ID

  • T1003.001 Credential Access - OS Credential Dumping: LSASS Memory

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter action_file_name = "lsass.DMP" and actor_process_image_name = "Taskmgr.exe"
| fields agent_hostname, event_type, event_sub_type, action_file_name, action_file_path, action_file_sha256, action_file_md5, actor_process_image_name, actor_process_image_path, actor_process_image_command_line
| sort desc _time

3. Impacket Process Execution

Technique description: The query looks for signs of Impacket framework execution, especially relating to smbexec and wmiexec. It focuses on the default PowerShell string used for command execution on the remote host.

MITRE ATT&CK TTP IDs

  • T1059.001 Execution - Command and Scripting Interpreter: PowerShell
  • T1047 Execution - Windows Management Instrumentation

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter (causality_actor_process_image_name = "wmiprvse.exe" or causality_actor_process_image_name = "services.exe") and actor_process_image_name = "powershell.exe"
| filter actor_process_command_line ~= "-NoP -NoL -sta -NonI -W Hidden -Exec Bypass -Enc"
| sort desc _time

4. Mimikatz and Rubeus Execution

Technique description: The query looks for signs of Mimikatz or Rubeus executing within the environment. It takes renamed process image files into account by using PE metadata to identify the VERSIONINFO data of executing processes.

MITRE ATT&CK TTP ID

  • T1003.001 Credential Access - OS Credential Dumping: LSASS Memory

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_WINDOWS
| alter
    action_process_original_name = action_process_file_info -> original_name,
    action_process_company_name = action_process_file_info -> company,
    action_process_description = action_process_file_info -> description,
    action_process_internal_name = action_process_file_info -> internal_name,
    action_process_legal_copyright = action_process_file_info -> legal_copyright
| filter (action_process_image_name ~= "(mimikatz|rubeus)\.exe" or action_process_original_name ~= "(mimikatz|rubeus)" or action_process_description ~= "(mimikatz|rubeus)" or action_process_internal_name ~= "(mimikatz|rubeus)")
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, os_actor_process_command_line, action_process_original_name, action_process_company_name, action_process_description, action_process_internal_name, action_process_legal_copyright, action_process_file_info
| sort desc _time

5. Active Directory Dumping via NTDSUTIL

Technique description: The query looks for the use of ntdsutil.exe to dump the Active Directory database (NTDS.dit).

MITRE ATT&CK TTP ID

  • T1003.003 Credential Access - OS Credential Dumping: NTDS

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter action_process_image_name = "ntdsutil.exe" and (action_process_image_command_line contains "ac i ntds" or action_process_image_command_line contains "activate instance ntds") and action_process_image_command_line contains "create full"
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, os_actor_process_command_line, action_process_file_info
| sort desc _time

6. Cobalt Strike Combined Query

Technique description: The query looks for a combination of identifiers related to the Cobalt Strike post-exploitation framework. Though the tool is used legitimately by pentesting, red teaming and adversary emulation teams alike, threat actors such as BlackSuit also favor it.

MITRE ATT&CK TTP ID

  • T1071 Command and Control - Application Layer Protocol

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter (event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START and actor_process_image_name = "services.exe" and action_process_image_command_line ~= ".+\\admin\$\\[a-z0-9]{7}\.exe")
    or (event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START and (action_process_image_command_line = "c:\windows\system32\rundll32.exe" or action_process_image_command_line = "c:\windows\syswow64\rundll32.exe" and actor_process_image_name != "setup.exe" and actor_process_command_line not contains "chrome" and actor_process_command_line not contains "edge"))
    or (event_type = ENUM.FILE and action_file_path ~= "\\device\\namedpipe\\msse-\d+-server" or action_file_path ~= "\\device\\namedpipe\\postex_[a-z0-9]{4}" or action_file_path ~= "\\device\\namedpipe\\status_[a-z0-9]{4}" or action_file_path ~= "\\device\\namedpipe\\msagent_[a-z0-9]{4}")
    or (event_type = ENUM.PROCESS AND event_sub_type = ENUM.PROCESS_START and (action_process_image_name contains "powershell.exe" OR actor_process_image_name contains "cmd.exe") AND ((action_process_image_command_line contains "-enc jabzad0" OR action_process_image_command_line contains "-encodedcommand jabzad0")))
    or (event_type = ENUM.STORY and dst_action_external_hostname contains "aaa.stage")
    or (event_type = ENUM.EVENT_LOG and (action_evtlog_message ~= "\$s=New-Object IO.MemoryStream" OR action_evtlog_message ~= "\$var_code"))
| fields agent_hostname, agent_id, agent_ip_addresses, agent_version, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, action_process_image_command_line, action_file_path, action_evtlog_username, action_evtlog_message, actor_process_signature_vendor
| filter not ((actor_process_image_path contains "Microsoft\EdgeWebView\Application" or actor_process_image_path contains "Microsoft\EdgeUpdate\Install" or actor_process_image_path contains "Microsoft\Edge\Application" or actor_process_image_path contains "Chromium" or actor_process_image_path contains "Installer\setup.exe") and (actor_process_signature_vendor = "Microsoft Corporation" or actor_process_image_name = "setup.exe"))
| sort desc _time
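The combined Cobalt Strike query stacks several independent indicators and then subtracts browser-updater noise, which is the part most likely to be mis-tuned. The following added Python example (not code from the report or from Cortex XDR) runs the process, named-pipe and encoded-PowerShell branches plus the trailing exclusion over constructed events, labelling which indicator fired for each. Field names are assumed from the query; the sample paths, hostnames and pipe names are made up, and the event-type strings are plain stand-ins for the ENUM values.

```python
import re

# Default named-pipe patterns from the query (regexes copied as written there).
NAMED_PIPE_PATTERNS = [
    re.compile(r"\\device\\namedpipe\\msse-\d+-server", re.IGNORECASE),
    re.compile(r"\\device\\namedpipe\\postex_[a-z0-9]{4}", re.IGNORECASE),
    re.compile(r"\\device\\namedpipe\\status_[a-z0-9]{4}", re.IGNORECASE),
    re.compile(r"\\device\\namedpipe\\msagent_[a-z0-9]{4}", re.IGNORECASE),
]
# Seven-character service binary dropped on ADMIN$ and started by services.exe.
ADMIN_SHARE_SERVICE_BINARY = re.compile(r".+\\admin\$\\[a-z0-9]{7}\.exe", re.IGNORECASE)
# rundll32 launched with no arguments at all (the query compares the full command line).
RUNDLL32_BARE = {r"c:\windows\system32\rundll32.exe", r"c:\windows\syswow64\rundll32.exe"}
# Parent paths the query's final `filter not` treats as browser-updater noise.
BROWSER_UPDATER_PATHS = (
    r"microsoft\edgewebview\application", r"microsoft\edgeupdate\install",
    r"microsoft\edge\application", "chromium", r"installer\setup.exe",
)

# Constructed events. "PROCESS"/"FILE" stand in for ENUM.PROCESS/ENUM.FILE.
SAMPLE_EVENTS = [
    {"agent_hostname": "ws01", "event_type": "PROCESS", "actor_process_image_name": "services.exe",
     "action_process_image_command_line": r"\\srv01\admin$\a1b2c3d.exe"},
    {"agent_hostname": "ws02", "event_type": "FILE",
     "action_file_path": r"\device\namedpipe\msagent_1a2b"},
    {"agent_hostname": "ws03", "event_type": "PROCESS", "actor_process_image_name": "cmd.exe",
     "action_process_image_name": "powershell.exe",
     "action_process_image_command_line": "powershell.exe -nop -w hidden -enc JABzAD0ATgBlAHcA"},
    {   # Bare rundll32 spawned by a signed WebView component: matches, then is excluded
        "agent_hostname": "ws04", "event_type": "PROCESS",
        "actor_process_image_name": "webview_host.exe",
        "actor_process_image_path": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\1.0\webview_host.exe",
        "actor_process_command_line": "webview_host.exe --launch",
        "actor_process_signature_vendor": "Microsoft Corporation",
        "action_process_image_command_line": r"c:\windows\system32\rundll32.exe"},
    {"agent_hostname": "ws05", "event_type": "FILE",
     "action_file_path": r"\device\namedpipe\mojo.2468.1234"},
]


def indicators(ev):
    """Names of the query branches that match this event (empty list if none)."""
    hits = []
    actor = ev.get("actor_process_image_name", "").lower()
    actor_cmd = ev.get("actor_process_command_line", "").lower()
    cmd = ev.get("action_process_image_command_line", "").lower()
    if ev["event_type"] == "PROCESS":
        if actor == "services.exe" and ADMIN_SHARE_SERVICE_BINARY.search(cmd):
            hits.append("admin_share_service_binary")
        if cmd in RUNDLL32_BARE and actor != "setup.exe" \
                and "chrome" not in actor_cmd and "edge" not in actor_cmd:
            hits.append("bare_rundll32_spawn")
        child = ev.get("action_process_image_name", "").lower()
        if ("powershell.exe" in child or "cmd.exe" in actor) \
                and ("-enc jabzad0" in cmd or "-encodedcommand jabzad0" in cmd):
            hits.append("encoded_powershell_stager")
    elif ev["event_type"] == "FILE":
        if any(p.search(ev.get("action_file_path", "")) for p in NAMED_PIPE_PATTERNS):
            hits.append("default_named_pipe")
    return hits


def is_browser_updater_noise(ev):
    """Mirror the query's closing `filter not (...)` exclusion."""
    path = ev.get("actor_process_image_path", "").lower()
    signed_by_microsoft = ev.get("actor_process_signature_vendor") == "Microsoft Corporation"
    is_setup = ev.get("actor_process_image_name", "").lower() == "setup.exe"
    return any(p in path for p in BROWSER_UPDATER_PATHS) and (signed_by_microsoft or is_setup)


def hunt(events):
    """(hostname, indicators) for events that match and survive the exclusion."""
    results = []
    for ev in events:
        hits = indicators(ev)
        if hits and not is_browser_updater_noise(ev):
            results.append((ev["agent_hostname"], hits))
    return results


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(hits)}")
```

Note how ws04 matches the bare-rundll32 branch and is then dropped by the exclusion; when adding your own paths to that exclusion, keep the signature check alongside them, since the path alone is something any process can be placed under.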

7. Rclone Exfiltration

Technique description: The query looks for data exfiltration via Rclone, a tool used by BlackSuit to exfiltrate data from victim environments. It takes renamed process image files into account by using PE metadata to identify the VERSIONINFO data of executing processes.

MITRE ATT&CK TTP IDs

  • T1567 Exfiltration - Exfiltration Over Web Service

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_WINDOWS
| alter
    action_process_original_name = action_process_file_info -> original_name,
    action_process_company_name = action_process_file_info -> company,
    action_process_description = action_process_file_info -> description,
    action_process_internal_name = action_process_file_info -> internal_name,
    action_process_legal_copyright = action_process_file_info -> legal_copyright
| filter
    (action_process_image_name = "rclone.exe" or
    action_process_original_name ~= "rclone" or
    action_process_company_name ~= "https\:\/\/rclone\.org" or
    action_process_description ~= "rclone" or
    action_process_internal_name ~= "rclone" or
    action_process_legal_copyright = "The Rclone Authors") and
    action_process_image_command_line in ("*lsd*", "*remote:*", "*mega*", "*--config*", "*--auto-confirm*", "*or  --multi-thread-streams and copy*", "*config*", "*create*", "*user*", "*pass*", "*progress*", "*no-check-certificate*", "*ignore-existing*", "*auto-confirm*", "*multi-thread-streams*", "*transfers*", "*ftp:*")
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, os_actor_process_command_line
| sort desc _time

8. Shadow Copy Deletion via VSSADMIN

Technique description: The query looks for deletion of shadow copies using a specific vssadmin.exe command associated with the BlackSuit encryptor.

MITRE ATT&CK TTP IDs

  • T1490 Impact - Inhibit System Recovery

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and agent_os_type = ENUM.AGENT_OS_WINDOWS
| filter action_process_image_command_line ~= "cmd.exe\s+\/c\svssadmin\sdelete\sshadows\s\/all\s\/quiet" or actor_process_image_command_line ~= "cmd.exe\s+\/c\svssadmin\sdelete\sshadows\s\/all\s\/quiet"
| fields _time, agent_hostname, agent_ip_addresses, actor_effective_username, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, os_actor_process_command_line, action_process_file_info
| sort desc _time

9. BlackSuit Mutex

Technique description: The query looks for the mutex created by the BlackSuit encryptor. This mutex is created and checked upon execution to ensure no more than a single encryptor runs at one time.

MITRE ATT&CK TTP ID

  • T1027 Execution - Obfuscated Files or Information

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.SYSTEM_CALL and event_sub_type = ENUM.SYSTEM_CALL_NT_CREATE_MUTANT and agent_os_type = ENUM.AGENT_OS_WINDOWS
| fields agent_hostname, action_syscall_string_params
| alter syscall_mutant_name = json_extract(action_syscall_string_params, "$.1")
| alter syscall_mutant_name = trim(to_string(syscall_mutant_name),"\"")
| filter syscall_mutant_name ~= "WLm87eV1oNRx6P3E4Cy9"
| sort desc _time

10. BlackSuit Encrypted Files

Technique description: The query looks for files encrypted with the .blacksuit file suffix, which indicates the BlackSuit encryptor has encrypted the file.

MITRE ATT&CK TTP ID

  • T1486 Impact - Data Encrypted for Impact

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.FILE and action_file_extension ~= "blacksuit"
| fields agent_hostname, event_type, event_sub_type, action_file_name, action_file_path, action_file_sha256, action_file_md5, actor_process_image_name, actor_process_image_path, actor_process_image_command_line

11. BlackSuit Ransom Note

Technique description: The query looks for the known file names of the BlackSuit encryptor’s ransom notes.

MITRE ATT&CK TTP ID

  • T1486 Impact - Data Encrypted for Impact

XQL Query

config case_sensitive = false timeframe = 30d
| dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE_NEW and action_file_name ~= "README.BlackSuit.txt"
| fields agent_hostname, event_type, event_sub_type, action_file_name, action_file_path, action_file_sha256, action_file_md5, actor_process_image_name, actor_process_image_path, actor_process_image_command_line



from Unit 42 https://ift.tt/hPBIpiC
via IFTTT

NHIs Are the Future of Cybersecurity: Meet NHIDR

Nov 20, 2024 | The Hacker News | Identity Security / Cyber Defense

The frequency and sophistication of modern cyberattacks are surging, making it increasingly challenging for organizations to protect sensitive data and critical infrastructure. When attackers compromise a non-human identity (NHI), they can swiftly exploit it to move laterally across systems, identifying vulnerabilities and compromising additional NHIs in minutes. While organizations often take months to detect and contain such breaches, rapid detection and response can stop an attack in its tracks.

The Rise of Non-Human Identities in Cybersecurity

By 2025, non-human identities will rise to be the primary attack vector in cybersecurity. As businesses increasingly automate processes and adopt AI and IoT technologies, the number of NHIs grows exponentially. While these systems drive efficiency, they also create an expanded attack surface for cybercriminals.

NHIs differ fundamentally from human users, making traditional security tools like multi-factor authentication and user behavior analytics less effective. Attackers can impersonate NHIs, gaining unauthorized access to systems and bypassing conventional defenses. Moreover, AI models themselves are becoming targets for manipulation, enabling attackers to deceive detection mechanisms. With their scalability and efficiency, NHIs allow malicious actors to orchestrate large-scale breaches, exploit APIs, and launch sophisticated supply chain attacks.

Introducing NHIDR

Recognizing the unique challenges posed by NHIs, Entro developed Non-Human Identity Detection and Response (NHIDR) to address this critical security gap. NHIDR empowers organizations to proactively identify and mitigate risks associated with non-human identities by analyzing their behavior and detecting anomalies in real-time.

At the heart of NHIDR is its ability to establish baseline behavioral models for each NHI using historical data. This eliminates the need for "soak time" or extended observation periods, accessing the data it needs immediately. Once these baselines are established, NHIDR continuously monitors NHIs, identifying deviations that indicate misuse, abuse, or compromise. Unlike static inventory-based methods, NHIDR ensures constant vigilance with dynamic, real-time analysis.

Real-Time Detection and Automated Response

Imagine this scenario: a cybercriminal in another country attempts to access sensitive secrets stored in your system. NHIDR detects the unauthorized activity instantly, flagging the anomaly and initiating an automated response. This could involve revoking access tokens, rotating credentials, or isolating the compromised identity. Simultaneously, NHIDR alerts your security team, enabling them to take swift, informed action.

This proactive capability is vital for addressing day 0 threats—attacks that emerge before security teams have time to react. By automating the response process, NHIDR not only contains threats faster but also reduces the manual workload on security teams, allowing them to focus on strategic initiatives rather than firefighting.

Proactive Security for a New Era

NHIDR represents a paradigm shift from reactive to proactive security. By continuously monitoring and analyzing NHIs and secrets, it ensures organizations can prevent breaches before they occur. Automated remediation processes, such as revoking compromised tokens, minimize downtime and enhance overall security posture.

Conclusion

NHIDR technology is revolutionizing cybersecurity by providing real-time detection, automated responses, and a proactive approach to securing non-human identities. With NHIDR, organizations can safeguard their assets, maintain compliance, and stay ahead of the threat landscape, because when it comes to protecting critical systems, proactive defense is essential.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.



from The Hacker News https://ift.tt/dAzXIqf
via IFTTT

Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package

Nov 20, 2024 | Ravie Lakshmanan | Linux / Vulnerability

Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user interaction.

The Qualys Threat Research Unit (TRU), which identified and reported the flaws early last month, said they are trivial to exploit, necessitating that users move quickly to apply the fixes. The vulnerabilities are believed to have existed since the introduction of interpreter support in needrestart 0.8, which was released on April 27, 2014.

"These needrestart exploits allow Local Privilege Escalation (LPE) which means that a local attacker is able to gain root privileges," Ubuntu said in an advisory, noting they have been addressed in version 3.8.

Needrestart is a utility that scans a system to determine the services that need to be restarted after applying shared library updates in a manner that avoids a complete system reboot.


The five flaws are listed below -

  • CVE-2024-48990 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable
  • CVE-2024-48991 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by winning a race condition and tricking needrestart into running their own, fake Python interpreter
  • CVE-2024-48992 (CVSS score: 7.8) - A vulnerability that allows local attackers to execute arbitrary code as root by tricking needrestart into running the Ruby interpreter with an attacker-controlled RUBYLIB environment variable
  • CVE-2024-11003 (CVSS score: 7.8) and CVE-2024-10224 (CVSS score: 5.3) - Two vulnerabilities that allow a local attacker to execute arbitrary shell commands as root by taking advantage of an issue in the libmodule-scandeps-perl package (before version 1.36)

Successful exploitation of the aforementioned shortcomings could allow a local attacker to set specially crafted environment variables for PYTHONPATH or RUBYLIB that could result in the execution of arbitrary code pointing to the threat actor's environment when needrestart is run.

"In CVE-2024-10224, [...] attacker-controlled input could cause the Module::ScanDeps Perl module to run arbitrary shell commands by open()ing a 'pesky pipe' (such as by passing 'commands|' as a filename) or by passing arbitrary strings to eval()," Ubuntu noted.


"On its own, this is not enough for local privilege escalation. However, in CVE-2024-11003 needrestart passes attacker-controlled input (filenames) to Module::ScanDeps and triggers CVE-2024-10224 with root privilege. The fix for CVE-2024-11003 removes needrestart's dependency on Module::ScanDeps."

While applying the latest patches is strongly advised, Ubuntu said users can disable interpreter scanners in the needrestart configuration file as a temporary mitigation, and should ensure the change is reverted once the updates are applied.

"These vulnerabilities in the needrestart utility allow local users to escalate their privileges by executing arbitrary code during package installations or upgrades, where needrestart is often run as the root user," Saeed Abbasi, product manager of TRU at Qualys, said.

"An attacker exploiting these vulnerabilities could gain root access, compromising system integrity and security."




from The Hacker News https://ift.tt/TK7oMhq
via IFTTT

China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks

Nov 20, 2024 | Ravie Lakshmanan | Cyber Espionage / Telecom Security

A new China-linked cyber espionage group has been linked to a series of targeted cyber attacks against telecommunications entities in South Asia and Africa since at least 2020, with the goal of enabling intelligence collection.

Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers.

The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration.

"Liminal Panda has used compromised telecom servers to initiate intrusions into further providers in other geographic regions," the company's Counter Adversary Operations team said in a Tuesday analysis.

"The adversary conducts elements of their intrusion activity using protocols that support mobile telecommunications, such as emulating global system for mobile communications (GSM) protocols to enable C2, and developing tooling to retrieve mobile subscriber information, call metadata, and text messages (SMS)."


It's worth noting that some aspects of the intrusion activity were documented by the cybersecurity company back in October 2021, attributing it then to a different threat cluster dubbed LightBasin (aka UNC1945), which also has a track record of targeting telecom entities since at least 2016.

CrowdStrike noted that its extensive review of the campaign revealed the presence of an entirely new threat actor, and that the misattribution three years ago was the result of multiple hacking crews conducting their malicious activities on what it said was a "highly contested compromised network."

Some of the custom tools in its arsenal are SIGTRANslator, CordScan, and PingPong, which come with the following capabilities -

  • SIGTRANslator, a Linux ELF binary designed to send and receive data using SIGTRAN protocols
  • CordScan, a network-scanning and packet-capture utility containing built-in logic to fingerprint and retrieve data relating to common telecommunication protocols from infrastructure such as the Serving GPRS Support Node (SGSN)
  • PingPong, a backdoor that listens for incoming magic ICMP echo requests and sets up a TCP reverse shell connection to an IP address and port specified within the packet

Liminal Panda attacks have been observed infiltrating external DNS (eDNS) servers by password spraying extremely weak and third-party-focused passwords, with the hacking crew using TinyShell in conjunction with a publicly available SGSN emulator called sgsnemu for C2 communications.

"TinyShell is an open-source Unix backdoor used by multiple adversaries," CrowdStrike said. "SGSNs are essentially GPRS network access points, and the emulation software allows the adversary to tunnel traffic via this telecommunications network."

The end goal of these attacks is to collect network telemetry and subscriber information or to breach other telecommunications entities by taking advantage of the industry's interoperation connection requirements.

"LIMINAL PANDA's known intrusion activity has typically abused trust relationships between telecommunications providers and gaps in security policies, allowing the adversary to access core infrastructure from external hosts," the company said.

The disclosure comes as U.S. telecom providers like AT&T, Verizon, T-Mobile, and Lumen Technologies have become the target of another China-nexus hacking group dubbed Salt Typhoon. If anything, these incidents serve to highlight how telecommunications and other critical infrastructure providers are vulnerable to compromise by state-sponsored attackers.


French cybersecurity company Sekoia has characterized the Chinese offensive cyber ecosystem as a joint enterprise that includes government-backed units such as the Ministry of State Security (MSS) and the Ministry of Public Security (MPS), civilian actors, and private entities to whom the work of vulnerability research and toolset development is outsourced.

"China-nexus APTs are likely to be a mix of private and state actors cooperating to conduct operations, rather than strictly being associated with single units," it said, pointing out the challenges in attribution.

"It ranges from the conduct of operations, the sale of stolen information or initial access to compromised devices to providing services and tools to launch attacks. The relationships between these military, institutional and civilian players are complementary and strengthened by the proximity of the individuals part of these different players and the CCP's policy."




from The Hacker News https://ift.tt/P4O9Asd
via IFTTT