A two-bit comedian is using a patched Microsoft vulnerability to attack the hospitality industry, and really laying it on thick along the way.

A threat actor is exploiting last year's Follina (RCE) remote code execution vulnerability to deploy the XWORM remote access trojan (RAT) and data-stealer against targets in the hospitality industry.

On May 12, researchers from Securonix broke down the campaign, which uses Follina to drop Powershell code onto target machines, which is rife with various 4Chan and meme references. Thus, the researchers refer to the campaign as "MEME#4CHAN," due to the amorphous line it draws between stealth and internet humor.

**The MEME#4CHAN Attack Flow**

MEME#4CHAN attacks begin with a phishing email, with a hospitality hook in the subject line — something like "Reservation for Room." Attached will be a Microsoft Word document furthering the theme, such as "Details for booking.docx."

Once a victim clicks on the document, they're presented with a dialogue box: "This document contains links that may refer to other files. Do you want to update this document with the data from the linked files?" But regardless of whether they click "Yes" or "No," a Word document opens, containing stolen images of a French driver's license and debit card.

The choice of a .docx file is notable. Hackers often used to use malicious macros in Office files to gain a foothold in a target machine, which isn't as effective of a tactic now that Microsoft decided to block macros from Internet files by default.

Without that option, MEME#4CHAN instead turns to Follina. Follina (CVE-2022-30190) is an RCE vulnerability that carries a "high" CVSS score of 7.8. It allows attackers to create specially-crafted Microsoft Word files that trick Microsoft's Diagnostic Support Tool into downloading and executing malicious code from an attacker-controlled server. The bug was disclosed and patched a year ago.

Through Follina, MEME#4CHAN downloads an obfuscated Powershell script once the Word document is opened. The script is notable for its labored references, memes, and uninspiring jokes. The author laments at multiple points "why my ex left me," for example, and gives directories, variables, and functions such names as "mememan," "shakalakaboomboom," and "stepsishelpme."

The jokes might be considered a unique stealth tactic, designed to instantly repel any researcher of good taste. But Securonix researchers noted that the attack uses other more traditional obfuscation as well.

In fact, the researchers found variables in the Powershell code ranging from "semi-" to "heavily" obfuscated they said, including a "heavily obfuscated" .NET binary which, once decoded, revealed itself as the XWORM RAT.

"The relative amount of effort invested into obfuscation and covertness is higher than for the similar attacks we observed," says Oleg Kolesnikov, vice president of threat research and detection at Securonix, "and it is not yet clear why."

**What Is XWORM?**

XWORM is a bit of a Swiss Army knife of a RAT.

On one hand, it does RAT things — checking for antivirus, communicating with a command-and-control (C2) server, opening a backdoor to a machine, and creating an autorun entry to ensure persistence across restarts.

At the same time, it comes replete with espionage features, including capabilities for accessing a device's microphone and camera, and keylogging; and it can instigate follow-on attacks like distributed denial of service (DDoS) or even ransomware.

That said, the malware is of dubious quality, some note.

Multiple iterations of XWORM have been leaked online in recent months, including a 3.1 version just last month. The individual who published the 3.1 code to GitHub didn't appear to hold it in high regard.

"There are so many sh\*tty Rat \[sic\], XWorm is one of them. I'm sharing it so that you don't pay for such things for nothing," the person wrote in a README file.

"Compared to some of the other similar underground attack tools for which source code was leaked recently," Kolesnikov judges, "XWORM does appear to have arguably somewhat less advanced capabilities, though \[it's usefulness\] often depends on the specific capability \[required\]. It depends on how the malicious threat actors use the tool as part of an attack."

**Which Cybercriminals Are Behind MEME#4CHAN?**

According to the researchers, it's likely the author behind MEME#4CHAN is English-speaking, due to all the 4Chan references in their code.

Dark Reading also independently observed several variables in the code referencing Indian cultural touchpoints, indicating either that the hacker is of Indian origin, or familiar enough with Indian culture to fake it.

Taking further evidence into account adds color and cloudiness to the attribution picture. "The attack methodology is similar to that of TA558, a cybercriminal gang, where phishing emails were delivered targeting the hospitality industry," the Securonix researchers explained.

He added, however, that "TA558 also typically uses a wide range of C2 campaign artifacts and payloads similar, but not positively in line with what we witnessed through the MEME#4CHAN campaign."

Whoever's behind it, it doesn't appear that this campaign is over with, as several of its associated C2 domains are still active.

The researchers recommended that to avoid becoming potential victims, organizations should avoid opening any unexpected attachments, watch out for malicious file hosting websites, and implement log anomaly detection and application whitelisting.

Microsoft Follina Bug Is Back in Meme-Themed Cyberattacks Against Travel Orgs

A predictable patch cadence is nice, but the software giant can do more.

As the 20th anniversary of Patch Tuesday approaches later this year, many are reflecting on the importance of the program that brought predictability to Microsoft security patch cycles. Patch Tuesday undoubtedly improved the security of customers, and the success of the program is reflected in the number of organizations that established their own Patch Tuesdays, including Adobe, Siemens, Schneider Electric, and more.

However, the quality of the vulnerability details published by Microsoft on Patch Tuesday has noticeably declined. Vulnerability descriptions used to be useful. Now they are reduced to being nearly meaningless. Compare, for example, the CVE descriptions in the National Vulnerability Database (NVD) for CVE-2017-0290 and CVE-2023-21554 (aka QueueJumper):

_**CVE-2017-0290 NVD Vulnerability Description**_

_The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016 does not properly scan a specially crafted file leading to memory corruption, aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability."_

_**CVE-2023-21554 Vulnerability Description**_

_Microsoft Message Queuing Remote Code Execution Vulnerability_

The first description details the affected components (Forefront and Defender), the affected versions (various Windows operating systems), the attack vector (crafted file), and a bug class (memory corruption). The second description lacks almost all of those details.

This is not an isolated case. In fact, Microsoft's CVE descriptions have been on the decline for a number of years. The following graph maps the median length of Microsoft-created CVE descriptions over the past 20 years:

    

Source: Jacob Baines

**Impact on Defenders**

The poor descriptions have a serious impact on practitioners. It's difficult to prioritize vulnerabilities when it's unclear what the problems are. How is anyone supposed to know if Microsoft Message Queuing Remote Code Execution Vulnerability is a big deal or not? How many practitioners know what Microsoft Message Queuing is, or what major pieces of software use it? Is it enabled by default? Does it listen on a network port? The practitioner is forced to go looking for all this information themselves.

To avoid that type of thing, MITRE created well-defined rules for what is required in a CVE description. These are the minimum requirements:

_8.2.1 MUST provide enough information for a reader to have a reasonable understanding of what products are affected._

_8.2.3 MUST include one of the following:_

_1\. Vulnerability Type_

_2\. Root Cause_

_3\. Impact_

**Does Microsoft Message Queuing Remote Code Execution Vulnerability Satisfy These Requirements?**

Maybe a very loose interpretation of 8.2.3 would be satisfied with Code Execution Vulnerability. But can anyone reasonably say that "Microsoft Message Queuing" describes the affected products?

At least Microsoft included a specific service for CVE-2023-21554 (Message Queuing). It didn't even do that for CVE-2023-23415. That description doesn't list any software, and instead opts to list an affected protocol:

_**CVE-2023-23415 Vulnerability Description**_

_Internet Control Message Protocol (ICMP) Remote Code Execution Vulnerability_

**CWE Assigned to Microsoft CVE**

It's unclear why MITRE allows Microsoft to ignore (or, generously, skirt) the CVE description rules. What is clear is that everyone else is worse off because of it. If appealing to the overburdened practitioner isn't enough, we can actually measure the impact of Microsoft's bad CVE descriptions on NIST's per CVE common weakness enumeration (CWE) ID assignment.

For every CVE in NIST's NVD, it attempts to assign a CWE. When the vulnerability contains insufficient information to assign any specific CWE, then NIST assigns NVD-CWE-noinfo. Basically, "this CVE has insufficient details for us to know what the weakness is."

Back in 2015, NIST assigned NVD-CWE-noinfo to only a few Microsoft CVEs. In 2022, the majority of Microsoft CVEs received the NVD-CWE-noinfo designation.

    

Source: Jacob Baines

NIST's effort to assign CWE to each CVE helps with vulnerability prioritization and makes it easier to map vulnerabilities to CAPEC and/or MITRE ATT&CK. NVD CWE are used by a host of downstream projects, including MITRE's own CWE Top 25. Recent Microsoft vulnerabilities are largely excluded from these activities, because Microsoft has chosen to provide insufficient information to even assign a CWE to its vulnerabilities.

Unfortunately, it's not as if the information can be found in the Microsoft advisory itself, either. In fact, practitioners need to refer to outside sources, because Microsoft doesn't keep its advisories up to date. For example, both CVE-2022-41080 and CVE-2019-1388 were added to the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities Catalog in 2023. Microsoft's NVD entries correctly reflect that. But both Microsoft advisories state that the vulnerabilities haven't been "exploited." That's because its advisories only reflect exploitation at the time of publication.

**Microsoft Advisory Exploitability Table for CVE-2019-1388**

    

The result is that Microsoft's advisory is both out of date and lacks information. The NVD entry is up to date, but also lacks information. Thankfully, there are a host of third parties trying to plug the information gap. For example, Zero Day Initiative publishes a rundown of every Patch Tuesday. This is its description of CVE-2023-21554 (aka QueueJumper):

_This is a CVSS 9.8 bug and receives Microsoft's highest exploitability rating. It allows a remote, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default but is commonly used by many contact center applications. It listens to TCP port 1801 by default, so blocking this at the perimeter would prevent external attacks. However, it's not clear what impact this may have on operations. Your best option is to test and deploy the update._

This description contains important information that the CVE entry does not, such as:

1\. Message Queuing is a service.

2\. Message Queuing is disabled by default.

3\. Message Queuing listens on TCP port 1801.

4\. Exploitation may result in elevated privileges.

All of that is incredibly useful for defenders — information that should have appeared in the CVE dictionary and the NVD entry, but doesn't. This is information that belongs in the CVE catalog for context, vulnerability prioritization, and historical safekeeping. Instead, already time-constrained defenders are put at a disadvantage because they're forced to go hunting for third-party descriptions of every Microsoft vulnerability.

**Conclusion

Microsoft's Patch Tuesday is almost old enough to drink, but that isn't reflected in the maturity of the program. A predictable patch cadence is nice, but the associated information produced by Microsoft is bad and has been trending that way for years. Microsoft can do much more, and it owes the community as much. Eight-word vulnerability descriptions should not and cannot be the norm.

**

Microsoft Advisories Are Getting Worse

US Transportation Security Agency (TSA) administrator reflects on how the Colonial Pipeline incident has moved the needle in public-private cooperation.

In the wake of the ransomware attack on the Colonial Pipeline, the US Transportation Security Agency — the agency that regulates pipelines as well as air travel, railways, highways, and mass transit systems — brought together the CEOs of more than two dozen critical pipeline operators for a top-secret briefing in the White House.

The TSA planned to hand down security directives to drive pipeline operators to enhance security, and they knew those companies' CISOs would have to ask their CEOs for more resources and higher priority, David Pekoske, administrator of the Transportation Security Administration, told attendees at the Hack the Capitol conference in McLean, Va. on May 11.

During that meeting, the TSA and other administration officials outlined the threat to critical infrastructure and why the pipeline operators needed to work with the government to make pipeline operations more resilient, he said.

"We knew we were going to be asking a lot of the industry — we want the CEOs themselves to see what the threat was, or see why we were so concerned about this," Pekoske said. "I would label that as an absolute best practice, because that really paved the way for rapid implementation and really paved the way for continued top-level communications between myself and those CEOs."

The TSA took the same approach to each of its critical infrastructure sectors as well, which resulted in creating a better approach to implementing a concept to which the government has repeatedly referenced for more than a decade: The public-private partnership. Along with cybersecurity experts at the Joint Cyber Defense Collaborative (JCDC) and government officials with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the TSA worked with critical-infrastructure operators and industrial control systems partners to adapt its approach to cybersecurity, Pekoske told attendees.

"We have pivoted over the course of these two years to become, in our view, even more effective in cybersecurity with our partners in the transportation sector," he said. The goal is to "build resiliency within that infrastructure sector, so that if attacked, the services that the critical infrastructure sector provides could come back online quickly."

**Performance, Not Prescription**

Following the Colonial Pipeline attack, the TSA initially focused on prescribing specific cybersecurity measures, but quickly realized — after listening to industry feedback — that if the agency maintained that approach, the technology would change in the next 12 to 18 months, leaving their recommendations outdated.

"We can't turn the crank on the regulatory process within that time frame," he said. "So instead, we've gone into this performance-based model, which is something that the national cyber strategy calls for and is really, I think, the way to go."

The performance-based model requires that specific outcomes be achieved, including focusing on resiliency, creating a cybersecurity implementation plan, establishing regular cyber assessments, and creating a plan for response, Pekoske said.

**Cyber Resiliency Requires Collaboration**

Working with industry, meeting with cybersecurity teams and executives, and understanding their business concerns are all critical to creating a resilient cyber infrastructure, he told Hack the Capitol attendees.

"To me, success as the administrator is when something's really bothering a CEO, that person feels like they can call me and just say, 'Hey, I'm hearing this, I'm really concerned about it. Can you help me out here?'" he said. "As a taxpayer, that's kind of really what I think ought to happen in government ... you can always make 10 or 15 minutes, particularly for somebody who's running a critical piece of our national infrastructure."

TSA Official: Feds Improved Cybersecurity Response Post-Colonial Pipeline

The privilege escalation flaw is one in thousands that researchers have disclosed in recent years.

WordPress plug-ins allow organizations to quickly extend the functionality of their websites without requiring any coding or advanced technical skills. But they have also been the biggest source of risk for website operators in recent years.

The newest example is a critical privilege escalation vulnerability in a plug-in that over 1 million WordPress websites use, called Essential Addons for Elementor Plugin. The vulnerability, tracked as CVE-2023-32243, affects versions 5.4.0 through 5.7.1 of the plug-in and allows an unauthenticated attacker to escalate privileges to that of any user on the WordPress site — including that of an administrator.

**Privilege Escalation Flaw**

Researchers at Patchstack discovered the vulnerability on May 8 and disclosed it to WPDeveloper, the author of Essential Addons for Elementor. WPDeveloper on May 11 released a new version of the software (version 5.7.2) that addresses the bug. The vendor described the new version as featuring a security enhancement in the login and register form for the software.

According to Patchstack, the bug has to do with Essential Addons' code resetting passwords without validating if the associated password reset keys are present and legitimate. This offers a way for an unauthenticated attacker to reset the password of any user on an affected WordPress site and login to their account.

"This vulnerability occurs because \[the\] password reset function does not validate a password reset key and instead directly changes the password of the given user," Patchstack said in a post.

The new bug is one among thousands of vulnerabilities that researchers have uncovered in WordPress plug-ins in recent years.

Patchstack counted 4,528 new vulnerabilities in WordPress plug-ins in 2022 alone, a startling 328% increase over the 1,382 it observed in 2021. Plug-ins accounted for 93% of the reported bugs in the WordPress environment in 2022. Just 0.6% of confirmed bugs were in the core WordPress platform itself. Some 14% of the bugs were of either high or critical severity.

**A Relentless Barrage of Flaws**

The trend has continued unabated this year. iThemes, a company that tracks WordPress plug-in flaws on a weekly basis counted 160 vulnerabilities just in the one-week period ending April 26. The bugs affected some 8 million WordPress websites, and only 68 of them had patches at vulnerability disclosure time.

Just last week, Patchstack reported on another privilege escalation vulnerability in a different WordPress plug-in (Advanced Custom Fields Plugins) that affected two million websites. The vulnerability gave attackers a way to both steal sensitive data from affected sites as well as escalate privileges on them.

In April, Sucuri reported on a campaign dubbed "Balada Injector," where a threat actor, over at least the past five years, has been systematically injecting malware into WordPress sites via vulnerable plug-ins. The security vendor assessed the threat actor behind the campaign had infected at least one million WordPress sites with malware that redirected site visitors to fake tech support sites, fraudulent lottery sites, and other scam sites.

Sucuri found the threat actor using newly disclosed vulnerabilities and, in some instances, zero-day bugs to launch massive attack waves against WordPress sites.

A lot of the attacker interest in the WordPress ecosystem has to do with its widespread use. Estimates on the exact number of WordPress sites worldwide vary widely with some pegging the number at upwards of 800 million. Technology survey website W3Techs, which some consider a reliable source for WordPress-related statistics, estimates that some 43% of all websites worldwide currently use WordPress.

According to Patchstack, the growing number of vulnerabilities that are being reported in the WordPress ecosystem isn't necessarily a sign that plug-in developers are getting sloppier. What it indicates rather is that security researchers are looking harder.

"This also means that the WordPress ecosystem is becoming more secure because a lot more of these security bugs are being addressed and patched," Patchstack said.

WordPress Plug-in Used in 1M+ Websites Patched to Close Critical Bug

The deal will enhance the capabilities of both companies and provide customers with a more comprehensive way to protect their digital assets.

Industry analyst reaction was mixed after XM Cyber, a cyber threat intelligence and breach and attack simulation provider, announced its March acquisition of Confluera, which offers autonomous detection and response (ADR) solutions. By combining XM Cyber's expertise in breach and attack simulation with Confluera's cutting-edge ADR capabilities, the newly formed entity hopes to deliver an improved level of protection against cyber threats.

XM Cyber “is really a neo on-premises Breach Attack Simulation (BAS) or SOC tool with some cloudy features, such as attack path management,” says Tom Croll of Lionfish Tech Advisors. “Their core technology seems like it could be redeployed for public cloud without much effort and indeed may have been done successfully. However, I’m not convinced that they are inherently public cloud-native.”

The acquisition signifies the need for consolidation in the cybersecurity landscape, reflecting the growing importance of a multifaceted approach to defense. By combining XM Cyber's expertise in breach and attack simulation with Confluera's ADR capabilities, the newly formed entity could provide customers with a more comprehensive view of their security posture, enabling them to detect and respond to threats more effectively and efficiently.

As businesses continue to face an increasingly complex and dynamic threat environment, the need for adaptive and integrated cybersecurity solutions becomes ever more critical.

At the time the acquisition was announced, XM Cyber and Confluera executives said the advantages of the combined offering lay in the ability to provide organizations with a more holistic view of their cybersecurity posture. Confluera's ADR technology gives XM Cyber customers access to real-time threat intelligence and incident response capabilities, enabling them to more effectively prioritize and address vulnerabilities in their security infrastructure, the executives said.

Croll was cautious about XM Cyber and Confluera’s joined-up capabilities.

“The addition of Confluera gives XM Cyber a truly cloud native capability for runtime monitoring, public cloud attack path management, and cloud detection and response - they're usually CXDR \[cloud extended detection and response\],” Croll says.

However, elements were missing in the combination to really be considered “a fully-functioning CNAPP” platform, such as software composition analysis, DevSecOps integration, and extensive CIEM features, he adds.

The acquisition signals a broader trend in the cybersecurity sector, as companies look to consolidate and strengthen their offerings to meet the evolving needs of their customers. As businesses around the world grapple with the challenges of digital transformation and the growing threat of cyberattacks, more acquisitions and partnerships among smaller providers like these will be more likely.

An Analyst View of XM Cyber’s Acquisition of Confluera

Retired hardware and forgotten cloud virtual machines are a trove of insecure confidential data. Here's how to ameliorate that weakness.

The stories are both infamous and legendary. Surplus computing equipment purchased at auction contains thousands of files with private information, including employee health records, banking information, and other data covered by a multitude of state and local privacy and data laws. Long-forgotten virtual machines (VMs) with confidential data are compromised — and no one knows. Enterprise-class routers with topology data about corporate networks are sold on eBay. With so much confidential data made available to the public on a daily basis, what else are companies exposing to potential attackers?

The fact is a lot of data gets exposed regularly. Last month, for example, cybersecurity vendor ESET reported that 56% of decommissioned routers sold on the secondary market contained sensitive corporate material. This included such configuration data as router-to-router authentication keys, IPsec and VPN credentials and/or hashed passwords, credentials for connections to third-party networks, and connection details for some specific applications.

Cloud-based vulnerabilities that result in data leaks are usually the result of misconfigurations, says Greg Hatcher, a former instructor at the National Security Agency and now CEO and co-founder of White Knight Labs, a cybersecurity consultancy that specializes in offensive cyber operations. Sometimes the data is put at risk deliberately but naively, he notes, such as proprietary code finding its way into ChatGPT in the recent Samsung breach.

Confidential data, such as credentials and corporate secrets, are often stored in GitHub and other software repositories, Hatcher says. To search for multifactor authentication or bypasses for valid credentials, attackers can use MFASweep, a PowerShell script that attempts to log into various Microsoft services using a provided set of credentials that attempts to identify if MFA is enabled; Evilginx, a man-in-the-middle attack framework used for phishing login credentials along with session cookies; and other tools. These tools can find access vulnerabilities into a variety of systems and applications, bypassing existing security configurations.

Having both a hardware and software asset inventory is essential, Hatcher says. The hardware inventory should include all devices because the security team needs to know exactly what hardware is on the network for maintenance and compliance reasons. Security teams can use a software asset inventory to protect their cloud environments, since they cannot access most cloud-based hardware. (The exception is a private cloud with company-owned hardware in the service provider's data center, which would fall under the hardware asset inventory as well.)

Even when applications are deleted from retired hard disks, the unattend.xml file in the Windows operating system on the disk still holds confidential data that can lead to breaches, Hatcher says.

"If I get my hands on that and that local admin password is reused throughout the enterprise environment, I now can get an initial foothold," he explains. "I already can move laterally throughout the environment."

**Sensitive Data Might Not Stay Hidden**

Short of physically destroying disks, the next best option is overwriting the entire disk — but that option can sometimes be overcome as well.

Oren Koren, co-founder and chief product officer of Tel Aviv-based Veriti.ai, says service accounts are an often-ignored source of data that attackers can exploit, both on production servers and when databases on retired servers are left exposed. Compromised mail transfer agents, for example, can act as a man-in-the-middle attack, decrypting simple mail transfer protocol (SMTP) data as it is being sent from production servers.

Similarly, other service accounts could be compromised if the attacker is able to determine the account's primary function and find which security components are turned off to meet that goal. An example would be turning off data analysis when super-low latency is required.

Just as service accounts can be compromised when left unattended, so can orphaned VMs. Hatcher says that in popular cloud environments, VMs are often not decommissioned.

"As a red teamer and a penetration tester, we love these things because if we get access to that, we can actually create persistence within the cloud environment by popping in \[and\] popping a beacon on one of those boxes that can talk back to our \[command-and-control\] server," he says. "Then we can kind of hold onto that access indefinitely."

One file type that often gets short shrift is unstructured data. While rules are generally in place for structured data — online forms, network logs, Web server logs, or other quantitative data from relational databases — the unstructured data can be problematic, says Mark Shainman, senior director of governance products at Securiti.ai. This is data from nonrelational databases, data lakes, email, call logs, Web logs, audio and video communications, streaming environments, and multiple generic data formats often used for spreadsheets, documents, and graphics.

"Once you understand where your sensitive data exists, you can put in place specific policies that protect that data," says Shainman.

**Access Policies Can Remediate Vulnerabilities**

The thought process behind sharing data often identifies potential vulnerabilities.

Says Shainman: "If I'm sharing data with a third party, do I put specific encryption or masking policies in place, so when that data is pushed downstream, they have the ability to leverage that data, but that sensitive data that exists within that environment is not exposed?"

Access intelligence is a group of policies that allows specific individuals to access data that exists within a platform. These policies control the ability to view and process data at the permission level of the document, rather than on a cell basis on a spreadsheet, for example. The approach bolsters third-party risk management (TPRM) by allowing partners to access data approved for their consumption; data outside that permission, even if it is accessed, cannot be viewed or processed.

Documents such as NIST's Special Publication 800-80 Guidelines for Media Sanitation and the Enterprise Data Management (EDM) Council's security frameworks can help security pros define controls for identifying and remediating vulnerabilities related to decommissioning hardware and protecting data.

Making Sure Lost Data Stays Lost

Dubbed "ChattyGoblin," the China-backed actors use chatbots to scam Southeast Asian gambling companies.

A campaign dating back to October 2021 has turned its attention toward Southeast Asian gambling operations with a sneaky new tactic — targeting customer support agents with chatbots.

Researchers at ESET dubbed the campaign "ChattyGoblin" and traced it back to threat groups backed by China. ESET added that the threat actors rely primarily on Comm100 — which was first observed and documented by CrowdStrike — and LiveHelp apps.

ESET outlined one particular ChattyGoblin attack last March that used a chatbot to target a gambling company in the Philippines.

"Written in C#, the initial dropper deployed by the attackers is named agentupdate\_plugins.exe and was downloaded by the LiveHelp100 chat application," ESET noted. "The dropper deploys a second C# executable based on the SharpUnhooker tool."

The SharpUnhooker tool then downloaded the ChattyGoblin attack's second stage, stored in a password-protected ZIP archive, ESET added.

"The final payload is a Cobalt Strike beacon using duckducklive\[.\]top as its C&C server."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Malicious Chatbots Target Casinos in Southeast Asia

The Technology Innovation Institute’s year-long cryptographic challenges invite participants to assess the concrete hardness of McEliece public-key encryption scheme.

The Technology Innovation Institute (TII), a global scientific research center and the applied research pillar of Abu Dhabi’s Advanced Technology Research Council, has launched a series of cryptography challenges aimed at evaluating the McEliece cryptosystem. TII will publish multiple McEliece-based cryptanalysis problems focused on theoretical key recovery algorithms, practical key recovery, and message recovery.

The McEliece cryptosystem is an asymmetric encryption algorithm that uses randomization in the encryption process. While the algorithm is not as widely used as other asymmetric encryption schemes, it is a fourth-round candidate (Classic McEliece Submission) of the current NIST PQC standardization effort for post-quantum secure schemes because it is immune to some types of attacks.

Participants in the year-long challenges will be able to validate the security of the McEliece cryptosystem and identify possible weaknesses, TII said. The competition will focus on innovative approaches to test the McEliece cryptosystem as a leading candidate for post-quantum encryption.

"TII’s challenges aim to strengthen the understanding of cryptosystems that are used globally on a daily basis to protect the privacy of individuals and corporations and keep their conversations and data confidential," the center said.

The TII McEliece Challenges are open to individuals, students, scientists, cryptographers, researchers, and subject matter experts – pretty much anyone with an interest in cryptography. Winners are paid out of a prize pool of $75,000. Preregistration is open, and submission forms will be available online May 23.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

New Competition Focuses on Hardening Cryptosystems

One long-awaited security move caused a ripple effect in the cybercrime ecosystem.

Ever since Microsoft decided to block Office macros by default, threat actors have been forced to evolve, adopting new methods for delivering malware at an unprecedented rate.

For a long time, threat actors have used malicious Microsoft Office macros to get a hook inside of their target's computers. It was for that reason that, in 2022, Microsoft finally — though unevenly — began blocking macros by default on files downloaded from the Internet.

Now, without their favorite toy, hackers are having to come up with new ways to get their malware where they want it to go.

"In a lot of ways, they're just kind of throwing spaghetti at the wall to see what sticks," says Selena Larson, author of a new report on the trend. "The energy that they're spending to create new attack chains is really unique," and cyber defenders are going to have to keep up.

**How Attackers Have Adjusted**

Rarely has such a simple policy change made such a big difference in the cybercrime landscape. In 2021, the year of Microsoft's announcement, researchers from Proofpoint tracked well beyond a thousand malicious campaigns utilizing macros.

In 2022 — the year the policy change took effect — macro-enabled attacks plummeted 66%. Thus far in 2023, macros have all but disappeared in cyberattacks.

In their place, hackers need some other solution. Container files emerged as a popular alternative last year, allowing attackers to bypass Microsoft's "mark-of-the-Web" tag for files downloaded from the Internet. Once Microsoft addressed that workaround, however, such files went the way of the macro.

Since then, hackers have been searching for their new golden goose.

For example, in H2 2022, Proofpoint researchers observed a significant rise in HTML smuggling — slipping an encoded script through an HTML attachment. In 2023, good ol' PDFs have proven a popular file format for attackers. And last December, some malicious campaigns began utilizing Microsoft's notes-taking app OneNote as a means for delivering their malware. By January, dozens of threat actors piled onto the trend, and, in recent months, over 120 campaigns have made use of OneNote.

Nothing has stuck, though. "We haven't seen anything that has the same type of durability as the macro-enabled attachment," Larson says.

**What This Means for Security Teams**

"Attackers are having to be more creative now, which presents more opportunities for them to screw up or make mistakes," Larson says.

Still, forcing cybercriminals out of their comfort zone comes with a cost. "The speed and the rate and scope of the changes that they're making — all the different attack chains that they're experimenting with — stands out," she says.

And so, cyber defenders will have to move equally fast to keep up. "We're having to be proactive to threat actor behavior and come up with new detections and rules and such, because threat actors are trying different ways to bypass existing detections," she says.

Organizations, too, will need to keep up-to-date with the latest trends. Take security trainings: "I know that a lot of the time, people are trained on macro-enabled documents. Now you have to make your users aware of the new PDF methods and use real-world examples of potential threats to incorporate into security training," she says.

"But from an overall, holistic security viewpoint, I don't think there's anything that needs to drastically change, as long as you are ensuring that users are aware," Larson says. "Just being, like, 'Hey, look out for this type of thing!'"

How Cybercriminals Adapted to Microsoft Blocking Macros by Default

Black Hat Asia's NOC team gives a look inside what's really happening on the cyberfront during these events.

BLACK HAT ASIA – Singapore – When you're in an environment where the overwhelming majority of network traffic is classified as posing a severe cybersecurity threat, deciding what to be concerned about becomes not a needle in a haystack situation, but a needle in a needlestack problem.

That's the word this week at Black Hat Asia, where Neil Wyler, global lead of active threat assessments at IBM X-Force, and Bart Stump, senior systems engineer for NetWitness, took to the stage to give attendees a look inside the event's enterprise-grade network operations center (NOC). The duo oversaw the NOC's design and led the security team for the show, which ran from May 9-12. The multi-vendor network supported attendee Wi-Fi access; internal operations such as registration; the needs of business hall stands; and the communications requirements of technical trainings, briefings, keynotes, and vendor demonstrations.

"When we discuss the traffic, try to explain to others that at Black Hat it's bad all the time — all or most of the traffic is malicious," Wyler explained. "That sounds scary, but for this crowd that traffic is normal. There are people demoing attacks, there are red teams trainings going on, etc., and that means that we don't really block anything. We let that traffic fly because we don't want to take down a demo on stage or on the expo floor. Unless we see a direct attack on our infrastructure, say the registration system, we let it go."

So, in order to ferret out the actual bad, bad traffic, the NOC relies on a number of dashboards that allow a real-time view of everything flowing through the network, with the ability to capture stats on everything from device profiles to which cloud apps attendees are connecting to. It also captures raw packet data so NOC analysts can go back and rebuild sessions in the event something seems abnormally suspicious, to look at "every single thing someone is doing with every packet, in a way we can't using just logs," Wyler noted.

One of the more unusual dashboards put in place for the event offered a heat map of where Wi-Fi, Bluetooth, and even peer-to-peer wireless connections were being used, offering a quick look at where people were congregating and where there might be cyber issues afoot.

"It's an interesting perspective," explained Stump. "The bottom left corner of the map is actually the show floor, and after the business hall opened up, that got more red. You can see when breaks are happening and when they put the beverages out because people migrate. And overall, it's a quick visualization for us to see where potential issues might be coming from, where we should focus our attention."

    

_A heat map of where devices connected to the network._

In all, the NOC tracked 1,500 total unique devices connecting to the network across mobile phones, Internet of things (IoT) gear, and other endpoints, with DNS queries at their highest for the event since 2018. About three-quarters (72%) of that traffic was encrypted — a refreshingly high amount, the researchers noted. And interestingly, a domain called Hacking Clouds hosted the most user sessions — more even than the show's general Wi-Fi network for attendees.

In terms of the apps being used, TikTok made an appearance in the Top 10 for the first time, the team observed. Other top apps included Office 365 (no surprise there), Teams, Gmail, Facebook, and WhatsApp.

**Interesting NOC Happenings**

A few interesting incidents emerged from the data during the event, the duo noted. In one case, an individual was generating so much malicious activity that all of the NOC systems alerted at once.

"One particular person was so noisy that every NOC vendor partner saw their activity at the same time," Wyler said. "We're talking SQL injection on public-facing websites, WordPress compromises, lots and lots of scanning for vulnerabilities and open ports. It was like they learned something this week and went, 'Let me see if it works. I've heard about Log4j, let me see what's out there.' They took a training class and now they're spreading their wings and flying."

After the person moved from attacking restaurant chain websites to probing payment sites, it was clear the activity wasn't demo-related, so the team pinpointed the person and sent the individual a cease-and-desist email.

"We figured out they were sitting in the hallway looking out at the Bay, just attacking company after company after company," Wyler said. "We explained that it's still illegal to do what they're doing, so please discontinue attempting to execute vulnerabilities on public-facing websites. This is a violation of the Black Hat Code of Conduct and we will come find you if it doesn't stop — love, the NOC. They got that and everything stopped."

Other incidents involved VPN issues, including one that was transmitting the user's location information in clear text. The team captured the data, plugged it into Google Maps and generated a view of exactly where the person had been during the day.

    

_A VPN leak allowed the team to create a map of the user's location._

Yet another issue involved an endpoint detection and response (EDR) vendor that was sending all of the usage data it was collecting on the endpoints of its users in clear text back to its servers; one antivirus vendor was found sending unencrypted SMTP emails containing pricing quotes and other information in an unencrypted fashion, along with login credentials — allowing easy harvesting.

"An attacker could have pulled down quotes, changed quotes, gathered internal work information and customer information, definitely not good," said Stump. "It could be used to craft phishes or to manipulate pricing."

In all cases, the team worked with the problematic entities to resolve the issues. The NOC, quite simply, is on the case, according to Stump.

"People often say that at Black Hat, you shouldn't even get on the network because it's dangerous," said Stump. "But our goal is actually to leave attendees more secure than when they arrived. And that's why we do things like letting people know they're sending passwords in clear text, or when we see cryptomining activity, we'll alert them. We're committed to that."

Source

DARKReading