Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.

Friday, June 21, 2024 08:00

*   Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.  
*   In the newly discovered campaign, we observed a wider scope of targets spread across countries in EMEA and Asia, compared with previous observations that mainly targeted South Korea and Uzbekistan.   
*   SneakyChef uses lures that are scanned documents of government agencies, most of which are related to various countries’ Ministries of Foreign Affairs or embassies. 
*   Beside the two infection chains disclosed by Talos in November, we discovered an additional infection chain using SFX RAR files to deliver SugarGh0st.  
*   The language used in the SFX sample in this campaign reinforces our previous assertion that the actor is Chinese speaking.   

_Cisco Talos would like to thank the Yahoo! Paranoids Advanced Cyber Threats Team for their collaboration in this investigation._ 

**SneakyChef actor profile **

In early August 2023, Talos discovered a campaign using the SugarGh0st RAT to target users in Uzbekistan and South Korea. We continued to observe new activities using the same malware to target users in a wider geographical location. Therefore, we created an actor profile for the group and dubbed them “SneakyChef.” 

Talos assesses with medium confidence that SneakyChef operators are likely Chinese-speaking based on their language preferences, the usage of the variants of Gh0st RAT — a popular malware among various Chinese-speaking actors — and the specific targets, which includes the Ministry of Foreign affairs of various countries and other government entities. Talos also discovered another RAT dubbed “SpiceRAT” used in the campaign. Read the corresponding research here.

**Targets across EMEA and Asia **

Talos assess with low confidence that the following government agencies are the potential targets in this campaign based on the contents of the decoy documents: 

*   Ministry of Foreign affairs of Angola 
*   Ministry of Fisheries and Marine Resources of Angola  
*   Ministry of Agriculture and Forestry of Angola 
*   Ministry of Foreign affairs of Turkmenistan 
*   Ministry of Foreign affairs of Kazakhstan 
*   Ministry of Foreign affairs of India 
*   Embassy of the Kingdom of Saudi Arabia in Abu Dhabi 
*   Ministry of Foreign affairs of Latvia  

Most of the decoy documents we found in this campaign are scanned documents of government agencies, which do not appear to be available on the internet. During our research, we observed and analyzed various decoy documents with government-and research conference-themed lures in this campaign. We are sharing a few samples of the decoy documents accordingly. 

**Lures targeting Southern African countries **

The threat actor has used decoy documents impersonating the Ministry of Foreign affairs of Angola. The lure content in one of the sample documents appeared to be a circular from the Angolan Ministry of Fisheries and Marine Resources about a debt conciliation meeting between the ministry authority and a financial advisory company.  

Another document contained information about a legal decree concerning state or public assets and their disposal. This document appealed to anyone interested in legal affairs and public heritage regimes and was addressed to the Ministry of Foreign Affairs – MIREX, a centralized institution in Luanda. 

 

 

**Lures targeting Central Asian countries **

The decoy documents used in the attacks likely targeting countries in Central Asia were either impersonating the Ministry of Foreign affairs of Turkmenistan or Kazakhstan. One of the lures is related to a meeting organized with the Turkmenistan embassy in Argentina and the heads of transportation and infrastructure of the Italian Republic. Another document was a report of planned events and the government-issued list of priorities to be addressed in the year 2024 that includes a formal proclamation-signing event between the Ministry of Defense of Uzbekistan and the Ministry of Defense of Kazakhstan. 

 

 

**Lures targeting Middle Eastern countries **

A decoy document we observed in the attack likely targeting Middle Eastern countries was an official circular regarding the declaration of an official holiday for the Founding Day of the Kingdom of Saudi Arabia.  

**Lures targeting Southern Asian countries **

We found another sample that was likely used to target the Indian Ministry of Foreign Affairs. It has decoy documents, including an Indian passport application form, along with a copy of an Aadhar card, a document that serves as proof of identity in India.  

 

 

One of the decoy Word documents we observed contained lures related to India-U.S. relations, including a list of events involving interactions between India’s prime minister and the U.S. president. 

**Lures targeting European countries **

A decoy document found in a sample likely targeting the Ministry of Foreign Affairs of Latvia was a circular impersonating the Embassy of Lithuania. It contained a lure document regarding an announcement of an ambassador’s absence and their replacement. 

**Other targets **

Along with the government-themed decoy document samples we analyzed, we observed a few other samples from these campaigns. These included decoys such as an application form to register for a conference run by the Universal Research Cluster (URC) and a research paper abstract of the ICCSE international conference. We also saw a few other decoys related to other conference invitations and details, including those for the Political Science and International Relations conference.   

 

 

Recently, Proofpoint researchers reported a SugarGh0st campaign targeting an organization in the U.S. involved in artificial intelligence across academia, the private technology sector, and government services, highlighting the wider adoption of SugarGh0st RAT in targeting various business verticals. 

**Threat actor continues to leverage old and new C2 domains **

After Talos’ initial disclosure of SugarGh0st campaign in November 2023, we are attributing the past attacks to the newly named threat actor SneakyChef. Despite our disclosure, SneakyChef continued to use the C2 domain we mentioned and deployed the new samples in the following months after our blog post. Most of the samples observed in this campaign communicate with the C2 domain account\[.\]drive-google-com\[.\]tk, consistent with their previous campaign. Based on Talos’ Umbrella records, resolutions to the C2 domain were still observed until mid-May.  

DNS requests for the SugarGh0st C2 domain. 

Talos also observed the new domain account\[.\]gommask\[.\]online, reported by Proofpoint as being used by SugarGh0st. The domain was created in March 2024, and queries were observed through April 21.  

**Infection chain abuse SFX RAR as the initial attack vector **

With Talos’ first reporting of the SugarGh0st campaign in November, we disclosed two infection chains that utilized a malicious RAR with an LNK file, likely delivered via phishing email. In the newly observed campaign, in addition to the old infection chains, we discovered a different technique from a few malicious RAR samples.  

The threat actor is using an SFX RAR as the initial vector in this attack. When a victim runs the executable, the SFX script executes to drop a decoy document, DLL loader, encrypted SugarGh0st, and a malicious VB script into the victim’s user profile temporary folder and executes the malicious VB script.  

The malicious VB script establishes persistence by writing the command to the registry key UserInitMprLogonScript which executes when a user belonging to either a local workgroup or domain logs into the system. 

HKCU\\Environment\\UserInitMprLogonScript 

regsvr32.exe /s %temp%\\update.dll 

When a user logs into the system, the command runs and launches the loader DLL “update.dll” using regsvr32.exe. The loader reads the encrypted SugarGg0st RAT “authz.lib”, decrypts it and injects it into a process. This technique is same as that of the SugarGh0st campaign disclosed by the Kazakhstan government in February. 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SID for this threat is 62647. 

ClamAV detections are also available for this threat: 

Win.Trojan.SugarGh0stRAT-10014937-0 

Win.Tool.DynamicWrapperX-10014938-0 

Txt.Loader.SugarGh0st\_Bat-10014939-0 

Win.Trojan.SugarGh0stRAT-10014940-0 

Lnk.Dropper.SugarGh0stRAT-10014941-0 

Js.Trojan.SugarGh0stRAT-10014942-1 

Win.Loader.Ramnit-10014943-1 

Win.Backdoor.SugarGh0stRAT-10014944-0 

Win.Trojan.SugarGh0st-10030525-0 

Win.Trojan.SugarGh0st-10030526-0 

**Orbital Queries **

Cisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. For specific OSqueries related to this threat, please follow the links: 

*   SugarGh0st RAT file detected 
*   SugarGh0st RAT Registry key  

**Indicators of Compromise **

Indicators of Compromise associated with this threat can be found here

SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader).
That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing.
The

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader).

That's according to findings from Rapid7, which identified lookalike websites hosting the malicious payloads that users are redirected to after searching for them on search engines like Google and Bing.

The threat actors are luring unsuspecting users to fake websites purporting to contain legitimate software. But attempting to download the setup binary launches a malware infection chain instead.

Specifically, the executable serves as a pathway for a backdoor called Oyster, which is capable of gathering information about the compromised host, communicating with a hard-coded command-and-control (C2) address, and supporting remote code execution.

While Oyster has been observed in the past being delivered by means of a dedicated loader component known as Broomstick Loader (aka Oyster Installer), the latest attack chains entail the direct deployment of the backdoor. The malware is said to be associated with ITG23, a Russia-linked group behind the TrickBot malware.

The execution of the malware is followed by the installation of the legitimate Microsoft Teams software in an attempt to keep up the ruse and avoid raising red flags. Rapid7 said it also observed the malware being used to spawn a PowerShell script responsible for setting up persistence on the system.

The disclosure comes as a cybercrime group known as Rogue Raticate (aka RATicate) has been attributed as behind an email phishing campaign that employs PDF decoys to entice users into clicking on a malicious URL and deliver NetSupport RAT.

"If a user is successfully tricked into clicking on the URL, they will be led via a Traffic Distribution System (TDS) into the rest of the chain and in the end, have the NetSupport Remote Access Tool deployed on their machine," Symantec said.

It also coincides with the emergence of a new phishing-as-a-service (PhaaS) platform called the ONNX Store that allows customers to orchestrate phishing campaigns using embedded QR codes in PDF attachments that lead victims to credential harvesting pages.

ONNX Store, which also offers Bulletproof hosting and RDP services via a Telegram bot, is believed to be a rebranded version of the Caffeine phishing kit, which was first documented by Google-owned Mandiant in October 2022, with the service maintained by an Arabic-speaking threat actor named MRxC0DER.

Besides using Cloudflare's anti-bot mechanisms to evade detection by phishing website scanners, the URLs distributed via the quishing campaigns come embedded with encrypted JavaScript that's decoded during page load in order to collect victims' network metadata and relay 2FA tokens.

"ONNX Store has a two-factor authentication (2FA) bypass mechanism that intercepts \[two-factor authentication\] requests from victims," EclecticIQ researcher Arda Büyükkaya said. "The phishing pages look like real Microsoft 365 login interfaces, tricking targets into entering their authentication details."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.

Skip to content

**Navigation Menu**

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   GitHub Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-38874

**events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability**

Moderate severity GitHub Reviewed Published Jun 21, 2024 to the GitHub Advisory Database • Updated Jun 21, 2024

**Package**

composer jweiland/events2 (Composer)

**Affected versions**

< 8.3.8

\>= 9.0.0, < 9.0.6

**Patched versions**

8.3.8

9.0.6

**Description**

Published to the GitHub Advisory Database

Jun 21, 2024

Last updated

Jun 21, 2024

GHSA-cchp-3rq6-69wj: events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.
The vulnerability, tracked as CVE-2024-28995 (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.
Affecting all versions of the software prior to and including Serv-U 15.4.2

Vulnerability / Data Protection

A recently patched high-severity flaw impacting SolarWinds Serv-U file transfer software is being actively exploited by malicious actors in the wild.

The vulnerability, tracked as **CVE-2024-28995** (CVSS score: 8.6), concerns a directory transversal bug that could allow attackers to read sensitive files on the host machine.

Affecting all versions of the software prior to and including Serv-U 15.4.2 HF 1, it was addressed by the company in version Serv-U 15.4.2 HF 2 (15.4.2.157) released earlier this month.

The list of products susceptible to CVE-2024-28995 is below -

*   Serv-U FTP Server 15.4
*   Serv-U Gateway 15.4
*   Serv-U MFT Server 15.4, and
*   Serv-U File Server 15.4

Security researcher Hussein Daher of Web Immunify has been credited with discovering and reporting the flaw. Following the public disclosure, additional technical details and a proof-of-concept (PoC) exploit have since been made available.

Cybersecurity firm Rapid7 described the vulnerability as trivial to exploit and that it allows external unauthenticated attackers to read any arbitrary file on disk, including binary files, assuming they know the path to that file and it's not locked.

"High-severity information disclosure issues like CVE-2024-28995 can be used in smash-and-grab attacks where adversaries gain access to and attempt to quickly exfiltrate data from file transfer solutions with the goal of extorting victims," it said.

"File transfer products have been targeted by a wide range of adversaries the past several years, including ransomware groups."

Indeed, according to threat intelligence firm GreyNoise, threat actors have already begun to conduct opportunistic attacks weaponizing the flaw against its honeypot servers to access sensitive files like /etc/passwd, with attempts also recorded from China.

With previous flaws in Serv-U software exploited by threat actors, it's imperative that users apply the updates as soon as possible to mitigate potential threats.

"The fact that attackers are using publicly available PoCs means the barrier to entry for malicious actors is incredibly low," Naomi Buckwalter, director of product security at Contrast Security, said in a statement shared with The Hacker News.

"Successful exploitation of this vulnerability could be a stepping stone for attackers. By gaining access to sensitive information like credentials and system files, attackers can use that information to launch further attacks, a technique called 'chaining.' This can lead to a more widespread compromise, potentially impacting other systems and applications."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately

“Immediately stop using [Kaspersky] and switch to an alternative” warned the Commerce Secretary in a new US ban of the antivirus provider.

The US government will ban the sale of Kaspersky antivirus products to new customers in the United States starting July 20, with a follow-on deadline to prohibit the cybersecurity company from providing users with software updates after September 29.

The move follows years of allegations that the cybersecurity firm served as a hacking conduit for Russian intelligence agencies—allegations that the company has consistently denied.  

While current US Kaspersky customers will see no immediate impact from the ban, the September 29 software update deadline signals a bigger change. Without available updates, any cybersecurity product becomes less secure over time, and means the company won’t be able to protect customers against the newest threats.

In a briefing call with reporters on Thursday, US Department of Commerce Secretary Gina Raimondo offered consolation and advice to current customers of the antivirus products:

> “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Kaspersky rebuffed the Biden Administration’s decision in a statement shared on social media Thursday.

“Kaspersky does not engage in activities which threaten US national security and, in fact, has made significant contributions with its reporting and protection from a variety of threat actors that targeted US interested and allies,” the company said. “The company intends to purse all legally available options to preserve its current operations and relationships.”

The ban, first reported by Reuters and released Thursday, includes “AO Kaspersky Lab,” “OOO Kaspersky Group,” and “Kaspersky Labs Limited.”

According to the US Department of Commerce, all three Kaspersky entities are being banned “for their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives.”

In October 2017, The New York Times reported that Israeli intelligence officers managed to catch Russian government hackers using Kaspersky to conduct clandestine searches across the globe. That reporting followed a bombshell investigation from The Wall Street Journal that claimed that Russian hackers stole classified NSA materials from a contractor’s personal computer which had Kaspersky software installed on it.

That reported hacking incident allegedly resulted in the US government’s decision that same year to remove Kaspersky antivirus software from US government devices.

In the same Thursday briefing call, Secretary Raimondo cited the threat of Russian influence in the Department’s decision to ban Kaspersky:

> “Russia has shown it has the capacity and… the intent to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans and that is why we are compelled to take the action that we are taking today.”

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 US bans Kaspersky, warns: “Immediately stop using that software&#8221; 

IntelBroker is offering source code from major companies for sale. Are they demonstrating the value of a zero-day they are also selling?

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile.

The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com certifications, and “Siloprograms.” (We’ve not heard of siloprograms, and can’t find a reference to them anywhere, so perhaps it’s a mistranslation or typo.)

Post offereing data for sale supposedly from a T-Mobile internal breach

To prove they had the data, IntelBroker posted several screenshots showing access with administrative privileges to a Confluence server and T-Mobile’s internal Slack channels for developers.

But according to sources known to BleepingComputer, the data shared by IntelBroker actually consists of older screenshots. These screenshots show T-Mobile’s infrastructure, posted at a known—yet unnamed—third-party vendor’s servers, from where they were stolen.

When we looked at the screenshots IntelBroker attached to their post, we spotted something interesting in one of them.

Found CVE-2024-1597

This screenshot shows a search query for a critical vulnerability in Jira, a project management tool used by teams to plan, track, release and support software. It’s typically a place where you could find the source code of works in progress.

The search returns the result CVE-2024-1597, a SQL injection vulnerability. SQL injection happens when a cybercriminal injects malicious SQL code into a form on a website, such as a login page, instead of the data the form is asking for. The vulnerability affects Confluence Data Center and Server according to Atlassian’s May security bulletin.

For a better understanding, it’s important to note that Jira and Confluence are both products created by Atlassian, where Jira is the project management and issue tracking tool and Confluence is the collaboration and documentation tool. They are often used together.

If IntelBroker has a working exploit for the SQL injection vulnerability, this could also explain their claim that they have the source code of three internal tools used at Apple, including a single sign-on authentication system known as AppleConnect.

This theory is supported by the fact that IntelBroker is also offering a Jira zero-day for sale.

IntelBroker selling zero-day for JIra

> “I’m selling a zero-day RCE for Atlassian’s Jira.
> 
> Works for the latest version of the desktop app, as well as Jira with confluence.
> 
> No login is required for this, and works with Okta SSO.”

If this is true then this exploit, or its fruits, might be used for data breaches that involve personal data.

Meanwhile, T-Mobile has denied it has suffered a breach, saying it is investigating whether there has been a breach at a third-party provider.

> “We have no indication that T-Mobile customer data or source code was included and can confirm that the bad actor’s claim that T-Mobile’s infrastructure was accessed is false.”

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Was T-Mobile compromised by a zero-day in Jira? 

The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country.
The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on

Software Security / Threat Intelligence

The U.S. Department of Commerce's Bureau of Industry and Security (BIS) on Thursday announced a "first of its kind" ban that prohibits Kaspersky Lab's U.S. subsidiary from directly or indirectly offering its security software in the country.

The blockade also extends to the cybersecurity company's affiliates, subsidiaries and parent companies, the department said, adding the action is based on the fact that its operations in the U.S. posed a national security risk. News of the ban was first reported by Reuters.

"The company's continued operations in the United States presented a national security risk — due to the Russian Government's offensive cyber capabilities and capacity to influence or direct Kaspersky's operations — that could not be addressed through mitigation measures short of a total prohibition," the BIS said.

It further said Kaspersky is subject to the jurisdiction and control of the Russian government and that its software provides Kremlin access to sensitive U.S. customer information as well as allows for installing malicious software or withholding critical updates.

"The manipulation of Kaspersky software, including in U.S. critical infrastructure, can cause significant risks of data theft, espionage, and system malfunction," it noted. "It can also risk the country's economic security and public health, resulting in injuries or loss of life."

As part of the ban, Kaspersky will be barred from selling its software to American consumers and businesses starting on July 20. However, the company can still provide software and antivirus signature updates to existing customers until September 29.

It's also urging current individual and business customers to find suitable replacements within the 100-day time period so as to ensure that there are no gaps in security protections. That said, it's worth noting that they can continue to use the products should they choose to do so.

"Russia has shown time and again they have the capability and intent to exploit Russian companies, like Kaspersky Lab, to collect and weaponize sensitive U.S. information, and we will continue to use every tool at our disposal to safeguard U.S. national security and the American people," Secretary of Commerce Gina Raimondo said.

That's not all. Kaspersky has also been added to the Entity List for their "cooperation with Russian military and intelligence authorities in support of the Russian Government's cyber intelligence objectives."

The Moscow-headquartered firm, which serves over 400 million customers and 240,000 corporate clients across 200 countries including Piaggio, Volkswagen Group Retail Spain, and the Qatar Olympic Committee, has long been in the crosshairs of the U.S. government over its ties to Russia.

In September 2017, its products were banned from being used in federal networks, citing national security concerns. Weeks after that announcement, a Wall Street Journal report alleged Russian government hackers had stolen U.S. classified hacking tools stored on a National Security Agency (NSA) contractor's home computer because it was running Kaspersky software.

The New York Times reported days later that Israeli officials notified the U.S. of the espionage operation after they hacked into Kaspersky's network in 2015. The company responded saying it came across the code in 2014 when its antivirus software flagged a 7-Zip file as malicious on a U.S.-based computer.

The tool, later attributed to the Equation Group, was deleted and no third-parties saw the code, the company said at the time following an internal investigation. Equation Group is the name assigned by Kaspersky to a hacking crew with suspected ties to the NSA's Tailored Access Operations (TAO) cyberwarfare unit.

Nearly five years later, Kaspersky was added to the Federal Communications Commission's (FCC) "Covered List" of companies that pose an "unacceptable risk to the national security" of the country. Germany and Canada have enacted similar restrictions in recent years.

Responding to the latest move from the U.S. government, Kaspersky said the Commerce Department made its decision based on the current geopolitical climate and theoretical concerns, adding it "unfairly ignores" evidence of the transparency measures implemented by the company to demonstrate integrity and trustworthiness.

"The primary impact of these measures will be the benefit they provide to cybercrime," it said. "International cooperation between cybersecurity experts is crucial in the fight against malware, and yet this will restrict those efforts."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

U.S. Bans Kaspersky Software, Citing National Security Risks

The notorious cyber espionage group has been harrying French interests for years, and isn't flagging now as the Paris Olympics approach.

Source: Paul Ward via Alamy Stock Photo

Midnight Blizzard, the Russia-backed advanced persistent threat (APT) behind the 2016 US elections interference and the 2020 SolarWinds attacks, has been taking aim at French diplomatic entities since at least 2021 — and it remains an active threat, according to French CERT.

Russia, which not coincidentally is banned from the upcoming Summer Olympics in Paris, shows no sign of easing off of its cyberattack activities, particularly against Ukraine and European friends of Ukraine, IT companies, and US critical infrastructure.

Now, CERT-FR has warned in a recent alert that Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, and The Dukes) has been consistently attempting to exfiltrate strategic intelligence from embassies and diplomats, in an activity cluster it calls "Diplomatic Orbiter." The targets have included the French Ministry of Culture, the National Agency for Territorial Cohesion, the French Ministry of Foreign Affairs, the country's embassy in Ukraine, and others.

"Most of Nobelium campaigns against diplomatic entities use compromised legitimate email accounts belonging to diplomatic staff, and conduct phishing campaigns against diplomatic institutions, embassies, and consulates," according to the CERT-FR alert (PDF). "These activities are also publicly described as a campaign called 'Diplomatic Orbiter.' The lure documents used in these attacks are typically forged to target diplomatic staff."

Once gaining initial access, the operators attempt to deliver custom, first-stage loaders to execute public tools such as Cobalt Strike or Brute Ratel C4. The ultimate goal is to access the victim's network, ensure persistence, and exfiltrate data. Many of the attacks have been unsuccessful, the organization stressed.

**About the Author(s)**

Russia's Midnight Blizzard Seeks to Snow French Diplomats

The old, but newly disclosed, vulnerability is buried deep inside personal computers, servers, and mobile devices, and their supply chains, making remediation a headache.

Source: Alexander Cimbal via Alamy Stock Photo

A vast swath of computers is likely to be affected by a newly published vulnerability in Intel processors.

CVE-2024-0762, unfortunately nicknamed "UEFIcanhazbufferoverflow," is a buffer overflow issue affecting multiple versions of Phoenix Technologies' SecureCore Unified Extensible Firmware Interface (UEFI) firmware. First disclosed by the vendor in May, it has now been described in detail by Eclypsium researchers in a blog post.

They first spotted it back in November, while analyzing UEFI images in Lenovo ThinkPad X1 Carbon 7th Gen and X1 Yoga 4th Gen laptops. The problem lies in an unsafe call to the GetVariable() runtime service, used for reading the contents of a UEFI variable. A lack of adequate checks could allow an attacker to feed it too much data, thereby causing an overflow. From there, the attacker could take advantage by escalating privileges and executing code in a targeted machine during runtime.

Even worse than the severity of the bug, though, is its spread. Intel supplies the majority of PC processors sold around the world, and SecureCore firmware runs on 10 different generations of Intel chips. Eclypsium estimates it could affect hundreds of PC models across a wide spectrum of vendors.

**The Rub With UEFI**

There are few areas of a machine where malicious attacks are so effective, and so difficult to excise, as UEFI and its predecessor, BIOS. As the firmware interface that controls how a system boots, it is the first and most privileged code that runs once a user hits the power button on their device.

Its special status has attracted attackers far and wide in recent years, allowing them to nab root-level privileges, establish persistence through reboots, bypass security programs that might otherwise catch more traditional malware, and more.

"It's not not really the greatest place to hack into, but it is a really good place to set up shop," explains Nate Warfield, director of threat research and intelligence with Eclypsium.

"If you have code execution during that stage of a computer booting, you can drop something into the boot sector. Or you can use this vector to inject malware into Windows before it starts." He points to the recent CosmicStrand UEFI rootkit as a case in point. It's also what makes UEFIcanhazbufferoverflow so dangerous.

Still, it was only assigned a "high" 7.5 out of 10 in the CVSS scoring system. That, Warfield says, comes down to a couple of factors.

First, it requires that an attacker already have access to their targeted machine. 

Additionally, unlike your typical headline vulnerability, exploits in this case may need to be customized to a certain degree depending on the targeted computer model's configuration, and the permissions assigned to the problematic variable, adding a certain degree of complexity to the whole affair.

**The Good News and (More) Bad**

Unfortunately, this same complexity extends to vendors developing patches.

"The vulnerability we found affected a whole bunch of different versions of \[Phoenix's\] UEFI code. So they had to patch all of those for their customers, and now everyone has to go and pull those and package them up for all the versions of their BIOS," Warfield explains. "They may end up having to fix 10, 15, or 20 different tiny differences \[in architecture\] because this one supports this many GPUs, this one supports different hardware configurations for the motherboard. It's impossible to know."

Lenovo — which coordinated with the researchers in recent months — started releasing fixes last month, though some computers will remain exposed until later in the summer. Other, more recently informed original equipment and design manufacturers will surely take even longer. Organizations using Intel-powered computers can do little more than twiddle their thumbs in the meantime.

"This is the whole supply chain problem in a nutshell," Warfield says. "We informed the vendor. We have to wait for them to tell their customers' OEMs, who have to package their fixes and deliver it to their customers, who are the end users."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

High-Risk Overflow Bug in Intel Chips Likely Impacts 100s of PC Models

Using a Trump-era authority, the US Commerce Department has banned the sale of Kaspersky’s antivirus tools to new customers in the US, citing alleged threats to national security.

The Russian cybersecurity software firm Kaspersky’s days of operating in the United States are now officially numbered.

The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers.

“When you think about national security, you may think about guns and tanks and missiles,” Commerce secretary Gina Raimondo told reporters during a briefing Thursday. “But the truth is, increasingly, it's about technology, and it's about dual-use technology, and it's about data.”

The US conducted an “extremely thorough” investigation of Kaspersky and explored “every option” to mitigate its risks, Raimondo said, but officials settled on a full ban “given the Russian government's continued offensive cyber capabilities and capacity to influence Kasersky’s operations.”

The Kaspersky ban represents the latest rift in relations between the US and Russia as the latter country remains locked in a brutal war with Ukraine and takes other steps to threaten Western democracies, including testing a nuclear-powered anti-satellite weapon and forming a strategic alliance with North Korea. But the ban could also immediately complicate business operations for American companies using Kaspersky software, which will lose up-to-date antivirus definitions critical for blocking malware in only three months.

The Biden administration knows roughly how many customers Kaspersky has in the US, but government lawyers have determined that this information is proprietary business data and cannot be published, according to a Commerce Department official, who briefed reporters on the condition of anonymity to discuss a sensitive matter. The official did say the “significant number” of US customers includes state and local governments and organizations that supply critical infrastructure such as telecommunications, power, and health care.

Raimondo had a message for Kaspersky’s US customers on Thursday: “You have done nothing wrong, and you are not subject to any criminal or civil penalties. However, I would encourage you, in as strong as possible terms, to immediately stop using that software and switch to an alternative in order to protect yourself and your data and your family.”

Commerce will work with the departments of Homeland Security and Justice to “get this message out” and “ensure a smooth transition,” including through a website explaining the ban, Raimondo said. “We certainly don't want to disrupt the business or families of any Americans.”

DHS’s Cybersecurity and Infrastructure Security Agency will contact critical infrastructure organizations that use Kaspersky to brief them on the alleged national security risks and “help them identify alternatives,” the Commerce Department official said.

Kaspersky has consistently denied being a national security risk or an agent of the Kremlin. The company did not immediately respond to a request for comment about the new nationwide ban. But given Kaspersky’s past resort to litigation to defend itself, Thursday’s announcement could prompt another lawsuit that sets up a high-stakes legal test of Commerce’s national security powers.

The order to kick Kaspersky out of the US relies on powers that former president Donald Trump gave the Commerce Department in 2019. Trump issued an executive order that May authorizing the commerce secretary to bar US transactions of IT products and services supplied by “persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” if the transactions posed “an unacceptable risk” to national security.

Kaspersky has been in the crosshairs of US intelligence officials for decades due to its presence in Russia and reports of its possible collusion with Moscow. In 2017, the Trump administration banned federal agencies from using Kaspersky products, a decision upheld by a federal appeals court a year later.

The official order banning US transactions with Kaspersky’s three corporate entities cites “their cooperation with Russian military and intelligence authorities in support of the Russian government’s cyber intelligence objectives,” according to the Commerce Department official.

Asked why the government was only acting now to ban Kaspersky from selling its services in the US, the official said Commerce only received funding last year for a dedicated program devoted to these kinds of cases.

The official declined to say whether the US had specific intelligence proving that Moscow had directed Kaspersky’s actions.

“We fully believe that … the Russian government is either now using Kaspersky or certainly would be willing to use Kaspersky,” the official said, adding that the Commerce Department’s Trump-era authority “allows us to act proactively, even in the absence of concrete examples” of collusion.

The Commerce Department will work with law enforcement to monitor Kaspersky’s business actions after September 29 for signs that it continues to provide software updates in the US, the department official said.

“We need to get more vigilant and more sophisticated every day,” Raimondo told reporters, “because our adversaries are getting more sophisticated.”

Tag

#auth