Exposed and unpatched solar power monitoring systems have been exploited by both amateurs and professionals, including Mirai botnet hackers.

Hundreds of solar power monitoring systems are vulnerable to a trio of critical remote code execution (RCE) vulnerabilities. The hackers behind the Mirai botnet and even amateurs have already started taking advantage, and others will follow, experts are predicting.

Palo Alto Networks' Unit 42 researchers previously discovered that the Mirai botnet is spreading through CVE-2022-29303, a command injection flaw in SolarView Series software developed by the manufacturer Contec. According to Contec's website, SolarView has been used in more than 30,000 solar power stations.

On Wednesday, vulnerability intelligence firm VulnCheck pointed out in a blog post that CVE-2022-29303 is one of _three_ critical vulnerabilities in SolarView, and it's more than just the Mirai hackers targeting them.

"The most likely worst-case scenario is losing visibility into the equipment that's being monitored and having something break down," explains Mike Parkin, senior technical engineer at Vulcan Cyber. It's also theoretically possible, though, that "the attacker is able to leverage control of the compromised monitoring system to do greater damage or get deeper into the environment."

**Three Ozone-Sized Holes in SolarView**

CVE-2022-29303 is borne from a particular endpoint in the SolarView Web server, confi\_mail.php, which fails to sufficiently sanitize user input data, enabling the remote malfeasance. In the month it was released, the bug received some attention from security bloggers, researchers, and one YouTuber who showed off the exploit in a still publicly accessible video demonstration. But it was hardly the only problem inside SolarView.

For one thing, there's CVE-2023-23333, an entirely similar command injection vulnerability. This one affects a different endpoint, downloader.php, and was first revealed in February. And there's CVE-2022-44354, published near the end of last year. CVE-2022-44354 is an unrestricted file upload vulnerability affecting yet a third endpoint, enabling attackers to upload PHP Web shells to targeted systems.

VulnCheck noted that these two endpoints, like confi\_mail.php, "appear to generate hits from malicious hosts on GreyNoise meaning that they too are likely under some level of active exploitation."

All three vulnerabilities were assigned "critical" 9.8 (out of 10) CVSS scores.

**How Big of a Cyber Problem Are the SolarView Bugs?**

Only Internet-exposed instances of SolarView are at risk of remote compromise. A quick Shodan search by VulnCheck revealed 615 cases connected to the open Web as of this month.

This, says Parkin, is where the unnecessary headache starts. "Most of these things are designed to be operated _within_ an environment and shouldn't need access from the open Internet under most use cases," he says. Even where remote connectivity is absolutely necessary, there are workarounds that can protect IoT systems from the scary parts of the wider Internet, he adds. "You can put them all on their own virtual local area networks (VLANs) in their own IP address spaces, and restrict access to them to a few specific gateways or applications, etc."

Operators might risk remaining online if, at least, their systems are patched. Remarkably, however, 425 of those Internet-facing SolarView systems — more than two thirds of the total — were running versions of the software lacking the necessary patch.

At least when it comes to critical systems, this may be understandable. "IoT and operational technology devices are often a lot more challenging to update compared to your typical PC or mobile device. It sometimes has management making the choice to accept the risk, rather than take their systems off-line long enough to install security patches," Parkin says.

All three CVEs were patched in SolarView version 8.00.

3 Critical RCE Bugs Threaten Industrial Solar Panels, Endangering Grid Systems

Dark Reading's latest special report looks at a missing, but necessary, ingredient to effective third-party risk management.

When it comes to enterprise risk, third-party cybersecurity risks have increased substantially in recent years. By implementing an effective third-party risk management program, organizations can mitigate much of their risk and better protect themselves from attacks that emanate from third parties. The key word here is "effective."

Dark Reading's latest special report, "How to Use Threat Intelligence to Mitigate Third-Party Risk," digs into how threat intelligence can be implemented to attain a continuous risk assessment on partners, suppliers, vendors, contractors, and other third parties.

Third-party threat intelligence helps security teams move beyond capturing a point-in-time view of security and regulatory compliance maturity and more accurately assess the risk over time. The convergence of threat intelligence and third-party risk management (TPRM) programs can ensure that third parties don't drastically increase the risk of data breaches or other cybersecurity events and, should such an incident occur, can help to minimize its impact.

**How TPRM Is Changing**

Historically, if TPRM was done at all, effective programs included identifying, categorizing, and assessing the risk of third parties, along with due-diligence questionnaires designed to gauge the maturing of their security and regulatory compliance program. Additionally, an enterprise would conduct a thorough independent investigation of vendors before signing any contract. Finally, the organization would include new partners and suppliers in their incident response planning so as to minimize any incident's impact.

"Organizations can send questionnaires, and they're going to provide some indication of the policies they have in place and their certifications," says senior research analyst at Forrester Alla Valente, who covers governance, risk, and compliance (GRC), third-party risk, and supply chain risk. "But that doesn't tell you everything happening inside their networks or systems. It also doesn't provide answers about broader risks, such as geography or if nation-states are targeting that vertical. These are all things you want to identify."

While there is scant data on how enterprises use TPRM threat intelligence to improve their third-party risk management, TPRM programs are gaining steam. In Prevalent's "2022 Third-Party Risk Management Industry Study," two-thirds of respondents reported that their TPRM programs have more visibility among executives and the board than the year before.

Read Dark Reading's "How to Use Threat Intelligence to Mitigate Third-Party Risk" for ideas on reducing third-party risks for your organization by leveraging threat intelligence.

Mitigating Risk With Threat Intelligence

70% think criminals will move from WhatsApp etc to non-regulated apps, post OSB.

**London - 4th July 2023 -** This week, the House of Lords continues to debate the Online Safety Bill (OSB), demanding every private online message sent in the UK is scanned for the potential of illegal content. A new study shows the UK public believe the new legislation will not achieve this aim.

The independent survey, conducted by Opinium for Element, polled 2,000 politically and nationally representative UK citizens. It revealed that, despite Government assurances, 70% of the UK public believes scanning our online messages will not stop criminal activity, and 44% think it will damage national security, by creating a centralised 'honeypot' for nation state hackers. 

**UK Public at Odds With Government**

Unlike the Government, some 83% of UK citizens believe personal conversations on messaging apps such as Element, WhatsApp, or Signal should have the highest level of security and privacy. However, under the Online Safety Bill, communications providers are expected to break the trust of their consumers and scan every single one of their conversations, on the off chance they are committing an egregious crime. Key findings from the research study are:

*   70% of respondents said the if the OSB insists on scanning all online messages, criminals will move to other platforms to continue illegal activities
*   44% believe it will make the UK more vulnerable to cyber attacks from nation states like Russia and China
*   43% believe UK citizens will be even more vulnerable to cyber attacks from criminals

Matthew Hodgson, CEO of Element, comments: "Technology is not responsible for criminal behaviour and it should never be touted as a catch-all solution as the OSB currently does. If the UK won't listen to security experts, perhaps it will now listen to its citizens who know very well that surveilling our online conversations will only push criminals to other platforms, while reducing security for good actors."

He notes: "This research shows UK citizens are well aware that their privacy, and that of our businesses and even our Government, will suffer if this poorly thought-out legislation comes to pass. Criminals and rogue nations will rejoice. We need to stop this Bill."

**Private Conversations for All**

No matter how you cut it, UK consumers care about retaining the privacy and security of online conversations. 44% of the British public believe citizens should have access to the best private and secure communications available, not just the government (27%). This drops down to only 7% for businesses.

**OSB Drops UK Privacy to North Korea, Russia, and China Levels**

The Online Safety Bill proposes that Ofcom can mandate an unspecified 3rd party tool to connect to private messaging systems such as Element, WhatsApp, and Signal to covertly scan messages. Brits said China, North Korea and Russia are the countries most likely to routinely scan private messages in this way today — just 12% expected Britain to adopt such widespread routine surveillance, although this is the stated intention of the Bill.

Hodgson continues: "If the Online Safety Bill goes through, every online conversation could end up being surveilled, placing us on the same stage as other governments we know monitor their citizens' conversations - China, Russia and North Korea. Meanwhile Brits will lose their strongest cyber defence, giving criminals the upper hand; criminals who will not be using regulated apps known to comply with Ofcom’s requirements."

83% of Brits Demand Messaging Apps Remain Private, Ahead of Threat From Online Safety Bill

The "TeamsPhisher" cyberattack tool gives pen testers — and adversaries — a way to deliver malicious files directly to a Teams user from an external account, or tenant.

A new tool is available on GitHub that gives attackers a way to leverage a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to targeted Teams users in an organization.

The tool, dubbed "TeamsPhisher," works in environments where an organization allows communications between its internal Teams users and external Teams users — or tenants. It allows attackers to deliver payloads directly into a victim's inbox without relying on a traditional phishing or social engineering scams to get it there.

"Give TeamsPhisher an attachment, a message, and a list of target Teams users," said the tool's developer Alex Reid, a member of the US Navy's Red Team, in a description of the tool on GitHub. "It will upload the attachment to the sender's Sharepoint and then iterate through the list of targets."

**Fully Automated Cyberattack Flows**

TeamsPhisher incorporates a technique that two researchers at JUMPSEC Labs recently disclosed for getting around a security feature in Microsoft Teams. While the collaboration app allows communications between Teams users from different organizations, it blocks the sharing of files between them.

JUMPSEC researchers Max Corbridge and Tom Ellson found a relatively easy way to bypass this restriction, using what is known as the Insecure Direct Object Reference (IDOR) technique. As security vendor Varonis noted in a recent blog post, "IDOR bugs allow an attacker to maliciously interact with a Web application by manipulating a 'direct object reference' such as a database key, query parameter, or filename."

Corbridge and Ellson found they could exploit an IDOR issue in Teams simply by switching the ID of the internal and external recipient when submitting a POST request. The two researchers discovered that when a payload is sent in this manner, the payload is hosted on the sender's SharePoint domain and arrives in the victim's Team's inbox. Corbridge and Ellson identified the vulnerability as affecting every organization running Teams in a default configuration and described it as something an attacker could use to bypass anti-phishing mechanisms and other security controls. Microsoft acknowledged the issue but assessed it as something not deserving of an immediate fix.

**TeamsPhisher Incorporates Multiple Attack Techniques**

Reid described his TeamsPhisher tool as incorporating JUMPSEC's techniques as well as some earlier research on how to leverage Microsoft Teams for initial access by independent researcher Andrea Santese. It also incorporates techniques of TeamsEnum, a tool for enumerating Teams users, that a researcher from Secure Systems Engineering GmbH had previously released to GitHub.

According to Reid, the way TeamsPhisher works is to first enumerate a target Teams user and verify that the user can receive external messages. TeamsPhisher then creates a new thread with the target user. It uses a technique that allows the message to arrive in the target's inbox without the usual "Someone outside your organization messaged you, are you sure you want to view it" splash screen, Reid said. 

"With the new thread created between our sender and the target, the specified message will be sent to the user along with a link to the attachment in Sharepoint," he noted. "Once this initial message has been sent, the created thread will be visible in the sender's Teams GUI and can be interacted with manually, if need be, on a case-by-case basis."

Microsoft said it is aware of TeamsPhiser and has determined that the tool relies on social engineering to be successful. "We encourage customers to practice good computing habits online, including exercising caution when clicking on links to web pages, opening unknown files, or accepting file transfers," the company said in an emailed statement.

Microsoft did not directly respond to a Dark Reading question on whether the release of TeamsPhiser had changed its stance on releasing a patch and/or guidance for affected users. Instead, the company pointed to its Microsoft Security Servicing Criteria webpage . The page describes the criteria the Microsoft Security Response Center (MSRC) uses to determine whether a reported vulnerability affecting currently supported versions of affected software might be updated/patched or addressed in the next version of the affected software.

JUMPSEC itself has urged organizations using Microsoft Teams to review whether there is any business need for enabling communications between internal Teams users and external tenants. 

"If you are not currently using Teams for regular communication with external tenants, tighten up your security controls and remove the option altogether," the company has advised.

Microsoft Teams Exploit Tool Auto-Delivers Malware

The group's mastermind was nabbed in Côte d'Ivoire for stealing up to $30 million using malware, phishing campaigns, and BEC scams, as part of international law enforcement's Operation Nervone.

The suspected top member of the cybercrime group OPERA1ER has been arrested for playing a part in the group stealing up to an estimated $30 million in a variety of scams against financial and telecommunications organizations — including malware, phishing, and business email compromise (BEC).

The group, which also operates under aliases BlueBottle, NX$M$, DESKTOP Group, and Common Raven, is allegedly behind 30 attacks across 15 countries in Africa, Asia, and Latin America, according to Interpol.

Interpol announced that the investigation, code named "Operation Nervone," followed a detailed overview of the group's activities published in November 2022 by Group-IB and Orange S.A. The arrest of the individual, who was not named, entailed extensive cooperation between Interpol, AFRIPOL, Group-IB and Côte d'Ivoire's Direction de l'Information et des Traces Technologiques (DITT), the agency said.

"We have been tracking OPERA1ER since 2019," Dmitry Volkov, CEO at Group-IB, said in a statement provided to Dark Reading. "The success of Operation Nervone exemplifies the importance of threat data exchange, and thanks to our collaboration with Interpol, Orange-CERT-CC, and private and public sector partners, we were collectively able to piece together the whole puzzle."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

OPERA1ER Cybercrime Group's Leader Arrested by Interpol

LockBit 3.0 claims responsibility for the cyberattack that shuttered the largest port in Japan, according to authorities.

Cargo containers filled with imports and exports from all over the world have been stuck at the Port of Nagoya following a ransomware attack on its networks early Tuesday morning.

The port is the largest in Japan and the central shipping hub for international carmaker Toyota. According to its operator, Nagoya Harbor Transportation, it received a ransom demand from LockBit 3.0 after a system failure on Tuesday at 6:30 a.m., the Japan Times reported.

The port authority said it expects to resume operations on Thursday morning.

"We will closely monitor any impact on production while carefully examining the parts inventory," Toyota told the Japan Times.

LockBit 3.0 is a prolific Russian-based ransomware operation used to target organizations, including the Italian Tax Agency.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Ransomware Halts Operations at Japan's Port of Nagoya

Now is the time to build safeguards into nascent AI technology.

Are we in a golden age of artificial intelligence? It's tough to make predictions — and probably ill-advised. Who wants to predict the future of such a new technology?

We can, however, say some things for certain. A great deal is being made of AI's application to creative works, from voice acting to first drafts of screenplays. But AI is likely to be most useful when dealing with drudgery. This is good news for developers, if the promise matches early experiments — first drafts of code can be easily created and ready for developers to tweak and iterate upon.

However, it's important to remember that not every coder is working for a legitimate business. Just as cybersecurity threat actors have emulated their targets in becoming more businesslike, they're also adopting new technologies and techniques. We can expect AI to help in the development of malware and other threats in the coming years, whether we're entering a golden age of AI or not.

**Drafting Code and Scams**

One trend we've seen in recent years is a rise of "as-a-service" offerings. Early hackers were tinkerers and mischief-makers, tricking phone systems or causing chaos mostly as an exercise in fun. This has fundamentally changed. Threat actors are professional and often sell their products for others to use.

AI will fit very nicely into this way of working. Able to create code to tackle specific problems, AI can amend code to target vulnerabilities or take existing code and change it, so it's not so easily detected by security measures looking for specific patterns.

But the possibilities for AI's misuse doesn't stop there. Many phishing emails are detected by effective filtering tools and end up in junk folders. Those that do make it to the inbox are often very obviously scams, written so badly they're borderline incomprehensible. But AI could break this pattern, creating thousands of plausible emails that can evade detection and be well-written enough to fool both filters and end users.

Spear-phishing, the more targeted form of this attack, could also be revolutionized by this tech. Sure, it's easy to ignore an email from your boss asking you to wire cash or urgently buy gift cards — cybersecurity training helps employees avoid this sort of scam. But what about a deep-fake phone call or video chat? AI has the potential to take broadcast appearances and podcasts and turn them into a convincing simulacrum, something far harder to ignore.

**Fighting Back Against AI Cyberattacks**

There are two main ways to fight back against the benefits that AI will confer on the enemy — better AI and better training — And both will be necessary.

The advent of this new generation of AI has started a new arms race. As cybercriminals use it to evolve their attacks so will security teams need to use it to evolve their defenses.

Without AI, defenses rely on overworked people and monitoring for certain preprogramed patterns to prevent attacks. AI defensive tools will be able to predict attack vectors and pinpoint sensitive areas of the network and systems. They'll also be able to analyze malicious code, allowing a better understanding of how new attacks work and how they can be prevented.

AI could also work, in a pinch, as an emergency stop — disabling the network upon detecting a breach and locking down the entire system. While not ideal from a business continuity perspective, this could be far less damaging than a data breach.

But fighting AI with AI is not the only answer. We also need human intelligence. No matter how smart and targeted, the best defense against a phishing attack is an employee or customer who knows what to look for and is suspicious enough not to take the bait. Implementing robust security policies and best-practice cyber hygiene will remain key to defending against attacks.

This means that training will need to be updated to include the signs of an AI attack … whatever those might be. Training will need to evolve with AI — a single training course every few years isn't going to cut it anymore when that training is quickly out of date.

While the possible signs of an AI-driven cyberattack are changing rapidly, in general, attacks are:

*   **Fast and scalable**, exploiting multiple vulnerabilities in a short time span.
*   **Adaptive and evasive**, changing tactics and techniques to avoid detection and response.
*   **Targeted and personalized**, using AI to craft convincing phishing emails or social engineering campaigns.
*   **Deceptive and manipulative**, using AI to create fake or altered content such as deepfakes, voice cloning, or text generation.
*   **Stealthy and persistent**, hiding in the network infrastructure for a long time without being noticed.

These signs aren't exhaustive, and some AI-driven attacks may not exhibit all of them. However, they indicate the level of threat that AI poses to cybersecurity.

To effectively fight AI-driven cyberattacks, businesses must think beyond individual bad actors and prepare for coordinated attacks by state-sponsored actors or criminal organizations that may use AI to launch sophisticated campaigns using a risk-based approach. They should also have a proactive strategy that includes regular security audits, backups, encryption, and incident response plans. This is most easily accomplished by obtaining a well-known security certification such as PCI-DSS.

Finally, it's imperative that organizations improve the cybersecurity of their own AI systems by ensuring their integrity, confidentiality, and availability, and by mitigating the risks of adversarial attacks, data poisoning, and model stealing.

These strategies will help protect businesses, but they shouldn't standalone — security should be collaborative. By collaborating with other organizations, researchers, and authorities to share information, best practices, and failures that can be learned from, businesses will be better prepared for the new wave of AI security threats.

AI is both a new threat and a continuation of older threats. Businesses will have to evolve how they tackle cyber threats as these threats become more sophisticated and more numerous, but a lot of the fundamentals remain the same. Getting these right remains critical. Security teams don't need to pivot away from old ideas but build on them to keep their businesses safe.

A Golden Age of AI … or Security Threats?

The ransomware group shows an evolution of its tactics with MOVEit zero-day — potentially ushering in a new normal when it comes to extortion supply chain cyberattacks, experts say.

The MOVEit file transfer zero-day vulnerability, first discovered on June 1, was used to breach at least 160 confirmed victims by June 30. The successful mass extortion campaign represents an evolution of tactics by the Russian-backed Cl0p ransomware group, which experts say is likely to catch the attention of rival threat actors.

Threat researchers note that the MOVEit campaign has some clues about how to respond to future of supply chain cyberattacks for defenders as well.

So far, the breached organizations include a who's who of international brands, like Avast's parent company,  
British Airways, Siemens, UCLA, and more. Reports say the ransomware group pulled off the technically detailed mass exploitation after at least two years of careful development, patiently plotting and planning when and where to strike, armed with the secret flaw in the MOVEit file transfer software.

**Ransomware-Less Ransomware Attacks**

Researchers note a few innovations Cl0p has made between previous exploits and the MOVEit campaign, which are likely to influence other threat groups. For instance, Cl0p has streamlined the extortion business model by doing away with ransomware all together, John Hammond, Huntress security threat researcher explained to Dark Reading.

"From what the industry has seen in \[recent\] Cl0p breaches (namely, GoAnywhere MFT and MOVEit Transfer), they haven't executed ransomware within the target environments," Hammond says. "The operations have strictly been exfiltrating data and using that stolen information for later blackmail and extortion. It's not clear why they opted not to encrypt files."

While it's not clear why Cl0p pivoted, the end result is a ransomware business model without the overhead of trying building better ransomware, he adds.

"Perhaps other cybercrime gangs will follow suit, and the development of ransomware tooling and creating faster malware may fall to the way-side when adversaries can just focus on their real goal of making money," Hammond says.

**Third-Party Zero Day Exploit Providers**

All of that said, if making money was the primary motivation for the MOVEit cyberattacks, the group would have chosen a much simpler approach than investing the time and resources to discover and develop an exploit like the one in MOVEit.

John Fokker, head of threat intelligence with the Trellix Advanced Research Center explained to Dark Reading he thinks he has the answer: The group acquired the zero-day from a third party.

"There are several aspects and factors of this particular cyberattack and vulnerability that are really interesting," John Fokker, head of threat intelligence with the Trellix Advanced Research Center explained to Dark Reading. "The MOVEit vulnerability isn't an easy or straightforward one — it required extensive research into the MOVEit platform to discover, understand, and exploit this vulnerability. The skill set required to uncover and exploit this vulnerability isn't easily trained and is hard to come by in the industry."

He adds, devoting that level of detail to an operation isn't something Cl0p ransomware group usually does, which is another clue leading Fokker and his team to suspect Cl0p acquired the MOVEit zero-day vulnerability rather than developing it from scratch.

"It's definitely a possibility that Cl0p didn't actually discover this zero-day vulnerability and exploit but rather acquired it from a third party," Fokker adds. "We believe with moderate confidence that this was the case, based on what was mentioned above in addition to certain other elements of the attack and leak postings."

**Shoring up the Software Supply Chain Against Future Zero-Day Exploits**

Stopping more sophisticated zero-day supply chain attacks requires investment in proactive efforts, including robust, responsive bug bounty programs funded by software vendors, notes Randy Pargman, director of threat detection with Proofpoint explains.

"There's a huge discrepancy between the amount of money that software vendors are willing to pay for bug bounties versus the amount that zero-day researchers can get from governments and underground markets for their research, so vendors could do better by investing more," Pargman says. "Where software companies can still improve the most is in making it easier for bug bounty hunters to report issues, and treating researchers with respect."

But as Omkhar Arasaratnam, general manager of the Open Source Security Foundation says, what he's more concerned about are reports of panicked responses to the MOVEit exploit among cybersecurity professionals.

"The cybersecurity community should focus on making incidents boring," Arasaratnam says. "When paramedics arrive at an accident scene they do not run around frantically or in a panic. Paramedics deliberately, and stoically execute the procedures that they've learned to gain access, assess the scene, triage, and help effectively. Cybersecurity can take a lesson from paramedics."

Cl0p's MOVEit Campaign Represents a New Era in Cyberattacks

Attackers use HTML smuggling to spread the PlugX RAT in the campaign, which has been ongoing since at least December.

A Chinese threat group has adopted a sneak HTML technique long-used by its counterparts to target European policy-makers, in a campaign aimed at spreading the PlugX remote access Trojan (RAT).

Over the course of the last two months, Check Point Research (CPR) analysts have been tracking the activity, which they've dubbed SmugX because it uses an attack vector called HTML Smuggling — a technique for planting malicious payloads inside HTML documents, the researchers revealed in a report published earlier this week.

The campaign has been ongoing since at least December and appears to have a direct link to a previously reported campaign attributed to Chinese APT RedDelta, as well as the work of Chinese APT Mustang Panda (aka Camaro Dragon or Bronze President), although there is "insufficient evidence" to definitively link SmugX to either group, according to the research.

Moreover, while Check Point separates Mustang Panda and Camaro Dragon into two separate entities, other researchers refer to the two as one and the same; RedDelta, meanwhile, appears to have links to both groups, according to Check Point researchers.

SmugX represents a shift in targeting for Chinese threat actors, which in the past have primarily focused on Russia, Asia, and the US in their threat campaigns, they added. However, a recent campaign linked to Mustang Panda to use USB drives to spread self-propagating espionage malware already indicated that these groups already engaged in threat activity in Europe as part of their global intent.

SmugX targets mainly governmental ministries in Eastern European countries — including Ukraine, the Czech Republic, Slovakia, and Hungary — as well as in Sweden, France, and the UK. Document lures used to dupe victims focus on European domestic and foreign policies, typically impersonating key agencies in the respective country to appear authentic.

**SmugX Cyberattack Details**

SmugX uses as its malware-delivery mechanism HTML documents that contain diplomatic-related content. In more than one case, this content is directly related to China — including an article about two Chinese human rights lawyers sentenced to more than a decade in prison.

Other documents used in the campaign are a letter originating from the Serbian embassy in Budapest; a document stating the priorities of the Swedish Presidency of the Council of the European Union; an invitation to a diplomatic conference issued by Hungary's Ministry of Foreign Affairs.

The malware is embedded within these HTML documents, which allows them to evade network-based detection measures, according to the research.

Opening one of the malicious HTML documents results in the decoding of a JavaScript that includes the embedded payload — which in this case is PlugX, a RAT that has been used by Chinese threat actors since 2008. This sets off a chain of events that eventually leads to the deployment of the RAT, which employs a modular structure that accommodates several diverse plugins with distinct functionalities.

"This enables the attackers to carry out a range of malicious activities on compromised systems, including file theft, screen captures, keystroke logging, and command execution," according to the report.

The PlugX payload ensures its persistence in a process that first copies the legitimate program and the DLL and then stores them within a hidden directory it creates, with the encrypted payload stored in a separate hidden folder. The malware then adds the legitimate program to the Run registry key.

**Defensive Maneuvers Against PlugX, RATs**

Though neither the techniques nor the malware used in the campaign are new, SmugX does present a challenge for targeted organizations because of how it combines different tactics and its likelihood of not easily being detected. This allows "threat actors to stay under the radar for quite a while," according to Check Point.

To help organizations identify if they've been compromised, the report includes an extensive list of indicators of compromise (IoCs) that span HTML addresses, archives, JavaScript snippets, encrypted payload files, IPs and domains, and more.

Employees should always be wary of clicking on unknown links or files when using a corporate network, and check with IT departments before downloading anything new from the Internet. Moreover, a comprehensive combination of threat emulation and endpoint detection strategies also can defend against attacks such as SmugX, according to Check Point.

China's Mustang Panda Linked to SmugX Attacks on European Governments

You can't encrypt a file you can't open — Microsoft could dramatically impact ransomware by slowing it down.

Recently, I was at a private event on security by design. I explained that Microsoft could fix ransomware tomorrow, and was surprised that the otherwise well-informed people I was speaking to hadn't heard about this approach.

Ransomware works by going through files, one by one, and replacing their content with an encrypted version. (Sometimes it also sends copies elsewhere, but that turns out to be slow, and sometimes sets off alarms.) Software on Microsoft Windows uses an application programming interface (API) called "CreateFile" to access files. Somewhat confusingly, CreateFile not only creates files but is also the primary way to open them.

Microsoft should rate-limit the CreateFile() API. That is to say, it should limit how often a given program can use the API. Because you can't encrypt a file until you can open it, this would have a dramatic impact on ransomware. It would slow it down, and help defensive tools catch it in time for humans to react.

Now, I say Microsoft _should_ do this, and I hope it does.

Also, I made this suggestion to help show the complexity of maintaining compatibility. On the surface, it's very simple and elegant. In practice — and I say this as the person who drove the Autorun fix into Windows Update — there's going to be both practical complexities and concerns that we don't know what all the effects will be.

**What Rate Is Reasonable?**

The first question is, what rate is reasonable? Pick low and you break applications; pick high and you lessen the protective value. For a lot of cases, one open per second seems fine, but when we get to things like compilers, which are going to open a lot of files, we see that we may need both a general limit and allow bursts. When we get to backup software, it gets even more complicated. The backup software needs to open all the files, or at least all the changed files, which, if you think about it, is really similar to what ransomware wants to do. We can't allow an exception for read-only opens. The ransomware will open a file, encrypt the contents, write it to a new file or append it to a database, and delete the original.

So, Windows will probably need multiple rate limits. There will need to be a way to exempt programs (like compilers and backup tools), and maybe that needs to be issued globally, which means a process for software creators to get a special certificate. There needs to be logging and alerts created, tested, internationalized, etc. There'll need to be new GPOs (a tool used to administer Windows) created and documented. There needs to be a local way to allow more CreateFile calls for software that is locally developed or obscure, or whose makers are no longer around. We need to make sure that ransomware can't abuse those mechanisms. (On recent Macs, there's a complex process of reboots needed to make certain changes to the system; perhaps something similar is warranted?)

That last is tricky: The administrator has power, by design, and it's hard to limit that power. Even logging file opens would make it easier to see what software is opening lots of new files, and make it harder for ransomware to be stealthy. (And yes, there are too many alarms already.)

As long as we are not hyperfocused on the details, attackers change slowly. They still phish, through more and more channels. Over 20 years, break-ins have gone from abusing software that's listening on open ports to other problems. That was the result of a breaking change of turning the Windows Firewall on by default, in response to 2003's "summer of worms."

Hyrum's law states roughly that somebody will depend on every observable behavior of your system. And change becomes complex. The simple statement "Microsoft should rate-limit the CreateFile() API" is a can of worms.

Given the exceptional cost of ransomware today, I think that can of worms is worth opening. I think my former colleagues are up to the challenge.

Source

DARKReading