Marketed on a cybercriminal forum, the $700 tool harvests email addresses from public GitHub profiles, priming cyberattackers for further credential theft, malware delivery, OAuth subversion, supply chain attacks, and other corporate breaches.

Source: Piotr Swat via Alamy Stock Photo

Researchers have uncovered a tool aimed at targeting GitHub users, distributed on a cybercrime forum. It offers bulk developer credential theft and the ability to conduct further malicious activities, including supply chain attacks.

The tool — called GoIssue and potentially linked to a previous GitHub repository extortion campaign called Gitloker — allows potential attackers to extract email addresses from GitHub profiles and to send bulk emails directly to user inboxes, researchers from SlashNext discovered.

"At its core, the tool systematically harvests email addresses from public GitHub profiles, using automated processes and GitHub tokens to collect data based on various criteria — from organization memberships to stargazer lists," SlashNext revealed in a blog post on Nov. 12.

GoIssue is marketed to potential attackers at $700 for a custom build or $3,000 for full source code access. The tool combines bulk email capabilities with sophisticated data collection features, and protects the operator's identity through proxy networks, according to SlashNext. 

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

**Developers Have a Target on Their Backs**

Developers increasingly have become a top target for threat actors because they provide the keys to valuable source code that can be used to launch supply chain attacks, reaching numerous victims by merely altering or abusing lines of code. As the leading online repository for source code, GitHub already has been in the crosshairs of numerous malicious campaigns targeting its users.

"The emergence of GoIssue signals a new era where developer platforms become high-stakes battlegrounds," with attackers aiming to "exploit trusted developer environments," observes Jason Soroko, senior fellow at Sectigo, an automated certificate life-cycle management firm.

GoIssue represents an evolution in GitHub-focused attack tools, giving attackers a way to orchestrate large-scale, customized phishing campaigns that can bypass spam filters and target specific developer communities, while attackers maintain the cover of anonymity.

Related:Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

Through these campaigns, attackers can steal developer credentials and use that stolen information in phishing attacks that can steal login credentials, spread malicious payloads to compromise a user's device, or distribute prompts for OAuth app authorization that give attackers access to private repositories and data.

In this way, threat actors can steal and/or poison source code from GitHub projects to launch supply chain and other attacks that can breach corporate networks, the researchers said. "This is a high-impact attack mechanism that specifically preys on the trust and openness of the developer community," Soroko observes.

**Cybercrime Link to Gitloker Extortion Campaign?**

When investigating GoIssue, the contact info provided to potential buyers of the tool led SlashNext researchers to a Telegram profile for "cyberluffy," which states that someone called "Cyber D' Luffy" is a member of the Gitloker team. Gitloker is an ongoing campaign uncovered in June that uses GitHub notifications to push malicious OAuth apps aimed at wiping developer repositories for extortion purposes.

Moreover, in a thread advertising GoIssue, the seller even links to high-profile security blogs that detail and validate Gitloker attack efficacy. This seems to suggest that the same attackers selling GoIssue are behind Gitloker, and the tool "could be an extension of the Gitloker campaign or an evolved version of the same tool," according to SlashNext.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

"Both tools share a similar target audience (GitHub users) and leverage email communication to initiate attacks," according to the post. "This overlap in purpose and personnel strongly supports the theory that they are either linked or variations of one another."

No matter who is distributing the tool, it represents a dire warning to developers using GitHub that they need to remain vigilant and not engage with any anomalous email correspondence or messages that seem suspicious, the researchers noted. "This isn’t just spam; it’s a potential entry point to taking over your account or projects," according to SlashNext.

Enterprises with developers in the organization that use GitHub in particular should be especially proactive and adaptive at securing their people, notes Mika Aalto, co-founder and CEO at human risk-management firm Hoxhunt.

"As attackers leverage automation and advanced tools with increasing sophistication, we must give people the instincts to recognize a suspicious email and the skills to report threats that bypass filters," he says.

Enterprises also should integrate human threat intelligence into the security stack to facilitate accelerated detection and response to suspicious activity, Aalto adds.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

There is some disagreement over whether the remote code execution (RCE) security flaws allow for unauthenticated exploitation or not. Citrix says no, but researchers say the company is downplaying a "good old unauthenticated RCE."

Source: JHVEPhoto via Shutterstock

Very swiftly after their disclosure, Citrix has issued patches for two vulnerabilities in its Citrix Virtual Apps and Desktop technology that allow a remote attacker escalate privileges or execute code of their choice on vulnerable systems.

Citrix has described the remote code execution (RCE) vulnerabilities as something that only a previously authenticated attacker could abuse. However, researchers at watchTowr who discovered the flaws and developed a proof-of-concept exploit (PoC) say it's a point-and-click vulnerability that an unauthenticated attacker can exploit with relative ease.

Citrix is tracking one of the flaws as CVE-2024-8068 and the other as CVE-2024-8069.  

**Citrix Downplaying Threat Severity?**

The flaws affect the thin-client technology's Session Recording Manager component that allows admins to capture, store, and manage recordings of user sessions. They stem from a weakness in how Session Recording Manager deserializes or unpacks data that has been converted into a format that makes it easy to store and transmit, according to the researchers at watchTowr who discovered and reported the issues to Citrix in July.

Citrix initially said it was unable to reproduce the issue but later acknowledged the problem after the security vendor gave them a PoC exploit for the vulnerability.

Related:'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

In an advisory on Nov. 12, the company described CVE-2024-8068 as a privilege escalation vulnerability that allows an authenticated user in the same Windows Active Directory domain as the session recording server to gain NetworkService Account access. CVE-2024-8069, according to Citrix, is a "limited" RCE for attackers with admin level account access on vulnerable systems. "Cloud Software Group strongly urges affected customers of Citrix Session Recording to install the relevant updated versions of Citrix Session Recording as soon their upgrade schedule permits," the company cautioned.

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Even so, Citrix has assigned both vulnerabilities only medium severity scores of 5.1 of 10 on the CVSS vulnerability rating scale. It's an assignment that watchTowr has disputed.

Related:Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

"Citrix is downplaying the severity of this vulnerability as a medium priority when it’s really point-click-full-takeover," says Benjamin Harris, CEO of watchTowr, pointing to the company's exploit code. The combination of the two vulnerabilities allows for a "good old unauthenticated RCE," Harris tells Dark Reading.

"Citrix's Virtual Apps and Desktop offering is a flagship Citrix solution, targeted at \[Fortune 500\] organizations," he notes. "Since we're dealing with a deserialization issue, a bug class that is known for being relatively stable, we \[have\] a high degree of confidence that our exploit will work reliably. There's no tricky heap manipulation or other entropy creeping in."

Many organizations use Citrix’s Virtual Apps and Desktop technology to enable users to access their applications and desktop environments from anywhere and using any device. It gives organizations a way to centrally deploy, update and secure all user apps from a single location making maintenance more efficient, consistent and cost effective. Another benefit that Citrix advertises is increased security from having applications and data on centralized servers rather than on individual endpoint devices. The technology's Session Recording feature — where watchTowr discovered the flaws — enables admins to monitor for anomalous behavior and to maintain a detailed record of user activity for future audit and troubleshooting purposes.

Related:'SteelFox' Malware Blitz Infects 11K Victims With Bundle of Pain

Demand for such technologies has increased in recent years as more companies have embraced remote and hybrid work models. Research firm MarketsandMarkets estimates the market will reach $1.7 billion in 2028 from around $1.5 billion last year. The broader desktop as a service (DaaS) market itself is expected to hit nearly $19 billion by 2030 from just over $4 billion in 2021.

**Dependence on Known Insecure Technology**

watchTowr discovered the vulnerabilities while scrutinizing Citrix's Virtual Apps and Desktop's architecture for potential security issues. The security vendor's examination showed that Citrix's app uses Microsoft's Message Queuing (MSMQ) service to receive recorded user session files and to store them in a separate storage manager component. In addition, watchTowr found Citrix using a Microsoft technology called BinaryFormatter to deserialize data in the storage manager component when needed. BinaryFormatter is technology that Microsoft itself has urged organizations to stop using as soon as possible because of security weaknesses that are no longer fixable, watchTowr said.

The vulnerabilities that watchTowr discovered involved a combination of an Internet-accessible MSMQ instance in the session recording component of Citrix's Virtual Apps and Desktop technology along with misconfigured permissions related to BinaryFormatter. "This isn't really a bug in the BinaryFormatter itself, nor a bug in MSMQ, but rather the unfortunate consequence of Citrix relying on the documented-to-be-insecure BinaryFormatter to maintain a security boundary," Harris says. "It's a 'bug' that manifested during the design phase, when Citrix decided which serialization library to use."

Harris says watchTowr reported the vulnerability as a single issue, whereas Citrix appears to have treated it as two separate issues.  

"While it is inarguable that Citrix's use of a BinaryFormatter with untrusted data is a de-facto bug, we don't have enough context to determine if exposing the MSMQ queue via HTTP is a really a bug, caused by a careless oversight, or a carefully calculated effect of some obscure business requirement."

Citrix's technologies are a frequent target for attackers because of the high-level of access the company's technology provides to enterprise applications and data. Many of the reported security flaws recently have impacted the company's NetScaler ADC and NetScaler Gateway remote access platforms.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Citrix Issues Patches for Zero-Day Recording Manager Bugs

The security vulnerability is due to an exposed Microsoft Message Queuing (MSMQ) instance and the use of the insecure BinaryFormatter.

Source: Brian Jackson via Alamy Stock PhotoSource:

\[Ed. note, Nov. 12 at 12:30 p.m. ET: Citrix has now issued patches for the issue and assigned CVE-2024-8068/CVE-2024-8069 for tracking.\]

An unpatched zero-day vulnerability in Citrix’s Session Recording Manager allows unauthenticated remote code execution (RCE, paving the way for data theft, lateral movement, and desktop takeover.

According to watchTowr research out today, the issue (which does not yet have a CVE or CVSS score) resides in Citrix's Session Recording Manager, which, as its name implies, records user activity, including keyboard and mouse inputs, websites visited, video streams of desktop activity, and more.

"Citrix advertises the feature as being really useful for monitoring (somewhat obviously), but also for compliance and troubleshooting. It can even be set up so that certain actions (like identifying sensitive data) will trigger recording, which helps meet regulatory needs and flag suspicious activities," the watchTowr researchers noted in the report.

The feature logs session recordings via Microsoft Message Queuing (MSMQ), which enables efficient data transfer from individual computers to centralized storage. However, the Citrix implementation uses BinaryFormatter for serialization and deserialization of the information for easier and more accurate transfer and storage. The utility is unfortunately well-known to be insecure.

Related:'GoIssue' Cybercrime Tool Targets GitHub Developers En Masse

BinaryFormatter is a .NET class created by Microsoft, which is in the process of deprecating it: "BinaryFormatter is insecure and can't be made secure. Applications should stop using \[it\] as soon as possible, even if they believe the data they're processing to be trustworthy," the computing giant said in August.

On top of the BinaryFormatter issue, Recording Session Manager also involves an exposed MSMQ service that can be reached from any host via HTTP. This, combined with what watchTowr says are misconfigured permissions, paves the way for unauthenticated RCE.

Dark Reading has reached out for comment and planned patching or mitigation information from both watchTowr and Citrix. There is no evidence of in-the-wild exploitation yet, but given Citrix's attractiveness as a cybercrime target, that could soon change.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 am ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larson from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

Related:Citrix Issues Patches for Zero-Day Recording Manager Bugs

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Citrix 'Recording Manager' Zero-Day Bug Allows Unauthenticated RCE

CISA should make its recommended goals mandatory and perform audits to ensure compliance.

Gary Barlet, Public Sector Chief Technology Officer, Illumio

November 12, 2024

5 Min Read

Source: Zoonar GmbH via Alamy Stock Photo

COMMENTARY  
Companies across the country are lining up to join the latest cybersecurity trend: the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design pledge, a commitment aimed at software manufacturers that compels them to keep up with fundamental cybersecurity strategies. Companies such as Lenovo, Google, AWS, Cloudflare, and Microsoft have already signed on. 

On the face of it, the Secure by Design pledge is a good thing. Its seven goals each encourage manufacturers to adopt or increase the usage of a key cybersecurity strategy within one year. The goals, such as "implement multifactor authentication (MFA)" are worthy, if basic, and CISA encourages companies to document their progress. If they fall short, they are also encouraged to report that failure to CISA. 

The problem is that this pledge is entirely voluntary. Companies are free to sign it — or not — as they wish. And there's no regulatory compliance factored in. This means that if a company does sign the pledge and falls short of one or more goals, no one may ever know and no action will be taken. It will be as if the pledge never existed in the first place.   

Without teeth, the pledge is essentially worthless. Outside of highlighting the low-bar steps major companies should take to ensure their infrastructure is secured from the most common attacks (which, admittedly, is a good thing), it takes no steps to ensure that companies will actually do so. And it provides no repercussions if they fail.    

**Is the Honor System Good Enough?**

With data breaches up 72% in 2023 and the average cost of a breach estimated at $4.88 million, can we afford for our nation's technological infrastructure to be governed by the honor system? What happens when the next big cyberattack takes down a pillar of our society because the company responsible failed to implement MFA?  

I'd argue for a much more aggressive approach from our federal government. Given the potential for widespread disruptions inherent with any cybersecurity failure, we can't afford to take such a lax attitude toward securing our systems. The sanctity of our nation's airlines, power grids, and other critical infrastructure relies on stringent cybersecurity measures. Merely "suggesting" that companies institute basic protocols is not enough. We need to mandate it — and punish those who fail. 

**The EU's Higher Standard**

I look at the European Union's approach to setting standards for its electronic devices. In 2022,  the EU passed a law mandating electronics manufacturers move to a standardized charging port for their mobile devices. The EU's stance toward Apple, which famously used a proprietary Lightning charging port for its iPhones, was simply: Adapt or die. Apple adapted. As a result, iPhones in Europe are now sold with the standardized USB-C charging port, alongside every other mobile device. 

The EU did not fool around with vague suggestions or pledges. It saw the value to consumers of a standardized charging port and demanded that manufacturers make the change. Those that failed to comply were not allowed to sell their devices in Europe. Simple. Effective. 

You can also look closer to home, to California, for an example of this kind of confident action by the government. The government of California adopted the Zero Emissions Vehicle requirements in 1990, and has adjusted the rules over the ensuing decades as technology has evolved. The purpose was to protect the state's air from automotive pollution. The result has been a near industrywide reduction in auto emissions for the past 30 years. 

For vehicle manufacturers that want to sell cars in California, the largest economy in the United States, the equation was the same one facing Apple in the EU: Adapt or die. They could either engineer their vehicles to produce fewer emissions or simply not sell them in California. Most elected for the former option, and, as a result, automotive emission control technology has advanced further in the past 30 years than at any point since the automobile was introduced. 

**Adopting a Similar Approach**

To protect our cyber infrastructure, we need to adopt a similar approach. Instead of simply making recommendations, our nation's cybersecurity agency should be empowered to make regulations.  

CISA should begin by making its recommended goals mandatory, forcing software companies to do the following: 

●      Increase the use of MFA 

●      Reduce default passwords 

●      Enable a significant measurable reduction in the prevalence of one or more vulnerability classes 

●      Increase the installation of security patches by customers 

●      Publish a vulnerability disclosure policy 

●      Demonstrate transparency in vulnerability reporting. 

●      Increase the ability for customers to gather evidence of cybersecurity intrusions 

Next, CISA should perform audits to ensure compliance. Relying on companies to self-report is no different from giving them permission not to report. Look closely at CISA's list of pledgees and come back in a year to see how many of these vaunted companies will have willingly admitted they aren't taking the most basic steps toward protecting their users' data. 

Finally, CISA should be empowered to make a simple statement to software manufacturers that want to sell products in the US similar to what the EU said to electronics manufacturers and what California said to automobile manufacturers: Adapt or die. 

If you want to sell software in the US, you should have to follow basic principles that will ensure your software is safe. This should not be a "nice to have." It should be mandatory. The stakes are as high if not higher than with charging ports and automobile emissions. As we witnessed with the recent failure of cybersecurity software, the impact was felt across entire industries and resulted in billions of dollars in lost productivity. This is not a realm for timidity.    

Hi all -- please add this to all of your content at the bottom between now and Thursday -- I'm adding it to this week's news items now. Rashid, Fahmida Donahue, Jim Bracken, Becky Spiegelman, Karen Beek, Kristina

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Public Sector Chief Technology Officer, Illumio

Gary Barlet has nearly three decades of cloud, cybersecurity, and network experience in the US federal government leading security and IT teams in both civilian agencies and the Department of Defense (DoD). At Illumio, Gary works with government agencies, contractors, and the broader ecosystem to build in zero-trust segmentation as a strategic component of the government’s zero-trust architecture. Before joining Illumio, Gary served as the chief information officer at the Office of the Inspector General for the US Postal Service and served in the Air Force in several technology leadership capacities, retiring from his role as cyber operations officer.

The Power of the Purse: How to Ensure Security by Design

The "SANS 2024 State of ICS/OT Cybersecurity" report suggests organizations are going to shift spending from security technologies protecting industrial control systems and operational technology environments to nontechnical activities, such as training and incident response.

Source: SANS State of ICS/OT Cybersecurity 2024, Figure 18

In the "SANS 2024 State of ICS/OT Cybersecurity" report, 530 professionals working in critical infrastructure sectors were asked which technologies they have in their operational technology (OT) environments and which ones they were planning to add in the next year-and-a-half. The two lists highlight which technologies are widely deployed and what areas security teams are going to focus on next. 

The top technologies currently in use are access controls (81%); backup and recovery tools (74.4%); endpoint detection and response (EDR) tools, such as traditional antivirus (73%); segmentation between control systems and higher risk networks (66%); and secure remote access with multifactor authentication (65%). These categories have seen "massive jumps in implementation," SANS said in the report. Just 53% of respondents reported using EDR in 2019, which comes out to a 20% increase in 2024.

"We often describe ICS/OT as the 'M&M' model: hard shell, gooey center. This is why we focus a lot on IT–OT boundaries (i.e., the hard shell)," the report said. "However, security professionals need to also focus on toughening up that gooey center."

Securing that "gooey center" may be one of the reasons for a shift suggesting more nontechnology spending, such as for training, simulations, and incident response. Indeed, the five most-planned activities for the next 18 months are implementing industrial control system (ICS) specific cybersecurity metrics or dashboards (37%), deploying ICS network security monitoring and anomaly detection (33%), rolling out control system enhancements and upgrades (32%), conducting ICS-specific cybersecurity training (31%), and running ICS-specific incident response tabletops or simulations (30%). 

With the exception of cybersecurity metrics and dashboards, these planned technologies are already in use by nearly half of the respondents. The fact that another 30%-plus are making plans to use them suggests that the industry is on the brink of another jump in implementation in these areas.

It's worth noting that the three least deployed technologies for ICS defense had a "surprisingly" larger number of respondents planning to invest in them over the next year-and-a-half. Roughly a quarter of respondents have deployed the following technologies and solutions at this time: software bill of materials, or SBOM(25%), industrial cloud security (26%), and security orchestration, automation, and response, or SOAR (28%). A higher-than-average number of respondents have plans to start using SBOM (28%), industrial control security (23%), and SOAR (30%). 

The planned rates indicate these technologies may become more common across ICS security programs soon, SANS said.

**About the Author**

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

Incident Response, Anomaly Detection Rank High on Planned ICS Security Spending

Though its third-quarter earnings report confirms that the company remains on track, it's unclear how that will be affected if the threat actors commit further damage.

Source: Todd Strand via Alamy Stock Photo

Halliburton Company, a multinational corporation known for its oil and gas products and services, reported that its losses after a ransomware attack in August have added up to $35 million.

In a filing with the US Securities and Exchange Commission (SEC), Halliburton reported that it became aware of unauthorized third-party access to its systems on Aug. 21, prompting it to launch an investigation alongside its cybersecurity response plan.

In order to contain the breach, Halliburton was forced to shut down some of its systems. In an 8-K filing, the company confirmed that the threat actors were able to exfiltrate data in the attack. It also revealed that the RansomHub ransomware gang was behind the attack and stolen data.

It remains unclear the scope of the breach and what kind of information was stolen, as the investigation in ongoing. However, Halliburton reported that it was unlikely that the breach would have a material impact on its finances, with its 2024 third-quarter earnings report confirming that estimate.

"We experienced a $0.02 per share impact to our adjusted earnings from lost or delayed revenue due to the August cybersecurity event and storms in the Gulf of Mexico," stated Jeff Miller, chairman, president, and CEO at Halliburton.

The cost of mitigating the cyberattack was a small price to pay considering Halliburton's size as a company. But the threat actors may still yet decide to sell the data, exposing Halliburton even further and requiring additional damage control.

**About the Author**

Halliburton Remains Optimistic Amid $35M Data Breach Losses

Windows users are at risk for full device takeover by an emerging malicious version of the Remcos remote admin tool, which is being used in an ongoing campaign exploiting a known remote code execution (RCE) vulnerability in Microsoft Office and WordPad.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

Threat actors have given the commercially available Remcos remote access tool a new malicious makeover, wrapping its malware code in several layers of varying script languages, including JavaScript, VBScript, and PowerShell, to avoid detection and analysis and achieve full takeover of Microsoft Windows devices.

New findings from Fortinet researcher Xiaopeng Zhang warn Microsoft Windows users about a new campaign using this new-and-improved version of Remcos RAT that exploits a known remote code execution (RCE) vulnerability arising from how unpatched Microsoft Office and WordPad instances parse files.

The attack chain starts with a phishing email intended to lure users into clicking an Excel file disguised as a business order, according to the report. Once the file is activated it exploits the bug (CVE-2017-0199) and downloads the malware payload.

**Remco's New Version Is Good at Avoiding Analysis**

"Its code is wrapped in multiple layers using different script languages and encoding methods, including JavaScript, VBScript, Base64-encoded, URL-encoded, and PowerShell, to protect itself from detection and analysis," according to the researcher. "Once the downloaded exe file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Some of the key data are hidden in these files."

From there, the host runs a piece of heavily obfuscated PowerShell code that, importantly, works only on the 32-bit PowerShell process, the report added.

Next, the malware runs self-decryption code hidden beneath a rat's nest (pun intended) of unnecessary code to avoid analysis. But that isn't the only sophisticated evasion technique utilized by the latest version of malicious Remcos RAT. According to the report, the campaign throws up several analysis road blocks throughout the attack chain, including installing a vectored exception handler, and gaining and calling system APIs in an inconsistent, hard to track way. It also uses a tool called "ZwSetInformationThread()" to check for a debugger, the report added.

"The malicious code calls API ZwSetInformationThread() with the argument ThreadHideFromDebugger (0x11) and the current thread (0xFFFFFFFE). This mechanism in Windows can conceal a thread’s existence from debuggers," explained Zhang. "If a debugger is attached to the current process, it exits immediately once the API is called."

The malware further uses an API hooking technique to avoid detection.

"The malicious code simulates executing multiple API instructions (say, two instructions) at the beginning and then jumps to the API to execute the rest of the instructions (beginning with the 3rd instruction)," according to the report. "Whenever any ... detection conditions are triggered, the current process (PowerShell.exe) can become unresponsive, crash, or exit unexpectedly."

Once ready, the threat actors download an encrypted file with the malicious version of Remcos RAT that is run in current process's memory, effectively making this latest variant fileless, the report pointed out.

**Defend With Patching, Training, and Endpoint Protection**

"Remcos collects some basic information from the victim's device," Zhang added. "It then encrypts and sends the collected data to its C2 server to register that the victim's device is online and ready to be controlled."

Anti-analysis and tricky obfuscation techniques aside, Darren Guccione, CEO and founder of Keeper Security, noted in an emailed statement that low-tech phishing and social engineering that remain among the very most dangerous enterprise cybersecurity threats.

"Preventing these attacks requires a combination of technical defenses and employee awareness," he wrote. "Recognizing red flags, such as unusual senders, urgent requests and suspicious attachments, can help reduce human error. Regular training and robust security measures empower employees to act as the first line of defense."

Robust endpoint security should also be a priority to defend against these types of attacks, as well as a basic patch management strategy, according to a statement from Stephen Kowski, field CTO for SlashNext Email Security+.

"Protection requires a multi-faceted approach: keeping Microsoft Office fully patched, implementing advanced email security to detect and block malicious attachments in real time, and deploying modern endpoint security to identify suspicious PowerShell behaviors," Kowski commented. "Most critically, since this attack relies on social engineering through phishing emails, organizations should ensure their employees receive regular security awareness training focused on identifying suspicious attachments and purchasing order-themed lures."

Revamped Remcos RAT Deployed Against Microsoft Windows Users

It's polite to listen to advice that people are willing to share, but not all of it will be useful for you. Here's how to separate the wheat from the chaff.

Source: Westend61 GmbH via Alamy Stock Photo

COMMENTARY  
As a teenager, I commented to my father that not everyone gives good advice. In fact, some people give just plain bad advice. My father told me that while I didn't have to take everyone's advice, I needed to listen to what everyone was saying to me.

Knowing whose advice to take versus whose advice to leave is a skill that most people spend a lifetime honing. One thing is for sure, though: There is no shortage of advice, information, and distraction. This is particularly true in our profession — it seems that most everyone has something to say about just about every topic in cybersecurity.

Thus, as most of us mature and grow as security professionals (and as people), we realize that knowing what to ignore is just as important as knowing what to pay attention to. If we pursued every new idea that came our way, we would spend our entire day churning away on a variety of different possibilities, most of which would bring little improvement to our organization's security posture. On the other hand, if we ignored everything new, we would miss plenty of great opportunities to improve the ways in which we defend our organizations.

**How to Organize Your Thinking About Advice**

Clearly, we need to find a happy balance. The question is, how can we know what we should ignore versus what we should act on? There is no absolute answer, but here are a few guidelines to help assess advice. To illustrate an example, we will talk about improving the state of your organization's API security.

*   So what?: When evaluating whether to pursue a suggestion, it can be helpful to ask the question: "So what?" If I were to pursue this, what impact would it have? Is there a real potential for any outcome that would be worth it, or will this merely be a time sink? If the impact is nonexistent, that is probably a sign that we can safely ignore it. In our scenario, improving API security is almost certain to yield value, so the suggestion would remain on the table.
    
*   What's my action?: It can also be helpful to think about what, if any, action is required from you. Is any action required? Will this bring tangible results? Or is this just a whirlwind of information that will not yield any material change in your day-to-day? If there is no action, you can probably look elsewhere for suggestions. Improving the state of API security would definitely involve action from me, so I'm still listening.
    
*   Practicality: Unless we are in a theoretical research position (which most of us are not), any idea we consider needs to have a practical application. It can be helpful to ask the question: "Is this an academic exercise?" If it is, it is probably safe to move along. There are many API security improvements a colleague might recommend to me that would have real-world impact, so I'm still taking notes.
    
*   Strategic fit: Most security teams have a strategic direction that includes priorities designed to steer them in that direction. If some new API solution grabs people's attention, for example, it is worth my taking a moment to slow down and assess whether it fits the team's strategy. If not, it is probably best to move along.
    
*   Detraction: When assessing a suggestion, most people will think about what it could potentially bring to the security team. What fewer people consider, unfortunately, is what the suggestion could detract from. This is an important point to consider, however. If pursuing a suggestion will take away from other, more important activities, it is likely not a good one. If this theoretical API security project took resources away from threat detection and response, we'd want to know that and weigh the pros and cons.
    
*   Source: When an idea is suggested, it can be helpful to consider the source. Some people suggest practical, actionable ideas that fit the organization's strategic direction and don't detract from other important activities. Other people suggest ideas that are more half-baked. It is worth asking: "Has this person led us astray in the past?" If they have, it is likely safe to ignore their ideas, absent any compelling evidence that the ideas are good ones. If, for example, my colleague tends to make suggestions based on their friends' social media posts, I am less inclined to get excited about any new API security ideas they bring up.
    

As security professionals, we all get a tremendous amount of advice, information, and distractions coming at us every day. Pursuing all of it would be unwise — as would be pursuing none of it. We can reach a happy medium by following some guidelines. Regardless of what methods we use to help us sort and filter what comes at us, doing so successfully is certainly an important part of remaining productive in our careers.

**About the Author**

Field CISO, F5

Josh Goldfarb is currently Field CISO at F5. Previously, Josh served as VP and CTO of Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team, where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT. In addition to Josh's blogging and public speaking appearances, he is also a regular contributor to Dark Reading and SecurityWeek.

What Listening to My Father Taught Me About Cybersecurity

Attackers abuse concatenation, a method that involves appending multiple zip archives into a single file, to deliver a variant of the SmokeLoader Trojan hidden in malicious attachments delivered via phishing

Source: Rawpixel.com via Shutterstock

Threat actors are exploiting the various ways that zip files combine multiple archives into one file as an anti-detection tactic in phishing attacks that deliver various Trojan malware strains, including SmokeLoader.

Attackers are abusing the structural flexibility of zip files through a technique known as concatenation, a method that involves appending multiple zip archives into a single file, new research from Perception Point has found. In this method, the combined file appears as one archive that actually contains multiple central directories, each pointing to different sets of file entries.

However, "this discrepancy in handling concatenated zips allows attackers to evade detection tools by hiding malicious payloads in parts of the archive that some zip readers cannot or do not access," Arthur Vaiselbuh, Windows internals engineer, and Peleg Cabra, product marketing manager from Perception Point, wrote in a recent blog post.

Abusing concatenation allows attackers to hide malware in zip files that even readers aimed at parsing the files for in-depth analysis, including 7.zip or OS-native tools, may not detect, according to Perception Point.

"Threat actors know these tools will often miss or overlook the malicious content hidden within concatenated archives, allowing them to deliver their payload undetected and target users who use a specific program to work with archives," Vaiselbuh and Cabra noted in the post.

**How to Exploit Zip Files**

To illustrate how zip files can be misused, the post breaks down the different ways that three popular zip archive readers — 7.zip, Windows File Explorer, and WinRAR — handle concatenated zip files.

7.zip, for example, will only display the contents of the first archive and then may display a warning that "there are some data after the end of the archive." However, this message often is overlooked and thus malicious files may not be detected, the researchers noted.

Windows File Explorer demonstrates different potential for malicious use as it "may fail to open the file altogether or, if renamed to .rar, will display only the 'malicious' second archive’s contents," according to the post. "In both cases, its handling of such files leaves gaps if used in a security context," Vaiselbuh and Cabra wrote.

WinRAR takes a different tack in that it actually reads the second central directory and displays the contents of the second and potentially malicious archive, making it "a unique tool in revealing the hidden payload," they added.

Ultimately, though sometimes these readers detect the malicious activity, the different ways that each reader handle concatenated files leaves room for exploit, leading to varying outcomes and potential security implications, according to Perception Point.

**Phishing Attack Vector**

The phishing attack that exploits concatenation observed by Perception Point starts with an email that purports to come from a shipping company and uses urgency to bait users. The email is marked with "High Importance" and includes an attachment, SHIPPING\_INV\_PL\_BL\_pdf.rar, sent under the guise that it's a shipping document that must be reviewed before a shipment can be completed.

The attached file appears to be a rar archive due to its .rar extension, but is actually a concatenated zip file, deliberately disguised to confuse the user not only by exploiting trust associated with rar files, but also bypassing basic detections that might rely on file extensions for initial file assessments, according to the post.

The file contains a variant of the known Trojan malware family SmokeLoader that's designed to automate malicious tasks such as downloading and executing additional payloads, which could include other types of malware, such as banking Trojans or ransomware.

However, when tested, only two of the three tools that parse zip files actually detected that there is a potentially malicious archive in the file, according to the post. Opening the attachment using 7.zip reveals only a benign-looking PDF titled "x.pdf," which appears to be an innocent shipping document. On the other hand, both Windows File Explorer or WinRAR fully expose the hidden danger.

"Both tools display the contents of the second archive, including the malicious executable SHIPPING\_INV\_PL\_BL\_pdf.exe, which is designed to run and execute the malware," Vaiselbuh and Cabra wrote.

**Mitigation of a Persistent Issue**

Perception Point security researchers contacted the developers of 7.zip to address the behavior they observed between its reader and of concatenated zip files, according to the post. However, their response did not acknowledge that it is any kind of vulnerability.

"The developer confirmed that it is not a bug and is considered intentional functionality — meaning this behavior is unlikely to change, leaving the door open for attackers to continue exploiting it," Vaiselbuh and Cabra wrote.

Given that the risk continues to exist for the observed attack vector to abuse these files in phishing attacks, users are urged to approach any email sent from an unknown entity that requires them to take immediate action by opening an unsolicited file with caution.

Enterprises also are encouraged to use advanced security tools that detect when a zip archive (or a malformed rar archive) is concatenated and recursively extract every layer. This type of analysis can ensure "that no hidden threats are missed, regardless of how deeply they are buried — deeply nested or concealed payloads are revealed for further analysis," Vaiselbuh and Cabra wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Flexible Structure of Zip Archives Exploited to Hide Malware Undetected

Meta has maintained that Facebook did not mislead investors by not including mention of the Cambridge Analytica scandal in its forward-looking risk disclosures, but the plaintiffs say it was a glaring omission.

Souce: AlexanddraPopova via Shutterstock

The US Supreme Court will soon decide whether to allow a longstanding shareholder lawsuit against Meta's Facebook to proceed or to dismiss it as lawyers for the social media giant have asked.

The lawsuit involves a 2015 incident in which UK-based consultancy Cambridge Analytica obtained Facebook user data from a third-party firm and used it to create granular profiles for targeting users during political campaigns, on behalf of the Trump campaign. News of the data misuse surfaced in 2018 and provoked considerable concern in the US and elsewhere over privacy violations, data protection, and the role of social media in influencing politics.

**The Cambridge Analytica Fiasco**

Facebook faced intense scrutiny from US government and regulatory bodies over the incident. In July 2019, the US Federal Trade Commission (FTC) hit the company with a massive $5 billion fine in addition to new requirements for greater transparency and accountability for the company's data security and privacy practices.

Separately, a class of Facebook shareholders represented by Amalgamated Bank sued the company for, among other things, not disclosing the breach to shareholders and the public in a timely manner, thereby leading to a loss in shareholder value. The crux of their argument was that Facebook's legally obligated, forward-looking statements about risks to its business made no mention of the Cambridge Analytica breach or its impact on Facebook users. They argued that the company misled investors and others in phrasing the risks to data as hypothetical when, in fact, a breach had already happened.

The US Court of Appeals for the Ninth Circuit — the last to hear the case — allowed the Amalgamated lawsuit to proceed, overturning a District Court ruling on the matter.

**Ignoring Cambridge Analytica Scandal Not Misleading?**

In the US Supreme Court hearing on the case this week, Facebook legal counsel Kannon Shanmugam said the Ninth Circuit had got it wrong in holding that a risk disclosure can be misleading simply because it did not disclose that the stated risk had already materialized in the past.

"A risk disclosure warrants that a type of event may cause harm in the future. It usually makes no representation that the event had never previously occurred," he said in the hearing.

"Just as a statement that 'the road may be flooded if it rains' cannot be misleading simply because it rained yesterday, a typical risk disclosure cannot be misleading simply because the triggering event had occurred in the past," he argued.

Kevin Russell, representing the plaintiffs for Amalgamated Bank in the case, used similar analogies to argue for the case to proceed. "Facebook admits that if a student tells his parents that there no a risk he may fail an exam when he's already done so, that is misleading," Russell noted. "\[The statement\] implies it's impossible that he won't, when that isn't true. The same is true of many risk factor statements, including the ones at issue in this case."

In his argument, Russell conceded that companies should not be obligated to disclose every past material risk incident in their forward-looking risk disclosures. However, there is an obligation for organizations not to mislead people into thinking that a major omitted risk event had not happened, he said.

When asked how Facebook should have phrased its risk disclosure instead, Russell noted the company should have included a mention of Cambridge Analytica incident. "I think that they could have said what they said and then said something like: Such improper disclosure or misuse of user data has occurred in the past, including recently on a substantial scale." Such a disclosure would eliminate any potential misimpression that the risks Facebook was referring to in its disclosure were purely hypothetical, Russell said.

**Supreme Court Justices: Data Risk Is All About Context**

In responding to Shanmugam's argument, Justice Elena Kagan said a lot depends on the context in which a forward-looking risk statement is made. She used a hypothetical example of a fire at a production plant that damages operations substantially, and a risk statement that merely notes fire as a potential risk to the business without actually mentioning such an accident had already happened.

"The typical investor would think it's kind of misleading for you to make this statement that's framed entirely in a hypothetical if, in fact, there's no more plant and no more production capacity," she noted.

Justice Samuel Alito used the same example to echo a similar sentiment. "A statement that simply blandly says that there's a possibility of a risk can, in context, be extremely misleading if there is a high probability of the risk materializing," he noted. Depending on the context, "the fact that something has happened in the past very often sheds light on the risk of a recurrence."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source

DARKReading